{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/microsoft/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2025-62157"}],"_cs_exploited":false,"_cs_products":["argo-workflows"],"_cs_severities":["high"],"_cs_tags":["argo-workflows","credential-access","kubernetes"],"_cs_type":"advisory","_cs_vendors":["Argoproj","Google","Microsoft"],"content_html":"\u003cp\u003eArgo Workflows, a Kubernetes-native workflow engine, is vulnerable to credential exposure. Specifically, versions 4.0.0 through 4.0.4 inadvertently log artifact repository credentials in plaintext during artifact operations. This includes sensitive data like S3 Access Keys, Secret Keys, Session Tokens, Server-Side Customer Keys, OSS Access Keys, Secret Keys, Security Tokens, and GCS Service Account Keys. The vulnerability stems from the logging driver passing the entire ArtifactDriver struct to the structured logger. Any user with read access to workflow pod logs can extract these credentials, creating a significant security risk. This is an incomplete fix of CVE-2025-62157.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains read access to Kubernetes pod logs within the Argo Workflows namespace. This could be achieved through compromised credentials, misconfigured RBAC policies, or other Kubernetes vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a workflow that utilizes artifact storage, such as S3 or GCS.\u003c/li\u003e\n\u003cli\u003eThe workflow executes an artifact operation (upload or download).\u003c/li\u003e\n\u003cli\u003eArgo Workflows logs the entire ArtifactDriver struct, including the plaintext credentials, into the pod logs.\u003c/li\u003e\n\u003cli\u003eThe attacker queries the pod logs using \u003ccode\u003ekubectl\u003c/code\u003e or other Kubernetes tooling. For example: \u003ccode\u003ekubectl -n argo logs \u0026quot;cred-leak-test\u0026quot; -c wait\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the plaintext credentials (e.g., S3 Access Key and Secret Key) from the log output.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to access the artifact repository (e.g., S3 bucket) and potentially steal data or perform other unauthorized actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthorized access to artifact repositories used by Argo Workflows. This can lead to data breaches, as sensitive data stored in S3 buckets, GCS buckets, or other storage solutions can be exposed. The impact is especially severe if the compromised credentials have broad permissions or if the artifact repository contains highly sensitive data. This affects Argo Workflows versions 4.0.0, 4.0.1, 4.0.2, 4.0.3, and 4.0.4.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Argo Workflows to version 4.0.5 or later to remediate the vulnerability (CVE-2026-42295).\u003c/li\u003e\n\u003cli\u003eReview and restrict Kubernetes RBAC permissions to limit access to pod logs, following the principle of least privilege.\u003c/li\u003e\n\u003cli\u003eImplement log monitoring and alerting for unusual access patterns to Kubernetes pod logs.\u003c/li\u003e\n\u003cli\u003eRotate any potentially exposed artifact repository credentials (S3 access keys, GCS service account keys, etc.) if Argo Workflows versions 4.0.0-4.0.4 were in use.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T20:12:01Z","date_published":"2026-05-04T20:12:01Z","id":"/briefs/2024-01-09-argo-cred-leak/","summary":"Argo Workflows versions 4.0.0 to 4.0.4 log artifact repository credentials in plaintext, allowing users with read access to pod logs to extract sensitive information such as S3 access keys and GCS service account keys.","title":"Argo Workflows Credentials Exposed in Pod Logs","url":"https://feed.craftedsignal.io/briefs/2024-01-09-argo-cred-leak/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender for Office 365"],"_cs_severities":["high"],"_cs_tags":["phishing","credential-theft","AiTM","token-compromise"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Cloudflare","Paubox"],"content_html":"\u003cp\u003eBetween April 14 and 16, 2026, Microsoft Defender Research observed a sophisticated, large-scale phishing campaign targeting over 35,000 users across more than 13,000 organizations in 26 countries, predominantly in the United States (92%). The campaign, which did not focus on a single vertical, impacted a range of industries, with Healthcare \u0026amp; life sciences (19%), Financial services (18%), Professional services (11%), and Technology \u0026amp; software (11%) being the most affected. Attackers employed code of conduct-themed lures delivered via emails that appeared as internal compliance or regulatory communications. The campaign utilized a multi-step attack chain, including CAPTCHA challenges and intermediate staging pages, to reinforce legitimacy and filter out automated defenses, ultimately leading to an adversary-in-the-middle (AiTM) phishing flow.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with phishing emails posing as internal compliance communications, using subjects like \u0026ldquo;Internal case log issued under conduct policy\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe emails contain a PDF attachment (e.g., \u0026ldquo;Awareness Case Log File – Tuesday 14th, April 2026.pdf\u0026rdquo;) that claims a \u0026ldquo;code of conduct review\u0026rdquo; has been initiated.\u003c/li\u003e\n\u003cli\u003eRecipients are instructed to click a “Review Case Materials” link within the PDF.\u003c/li\u003e\n\u003cli\u003eClicking the link redirects the user to one of the attacker-controlled domains (e.g., acceptable-use-policy-calendly[.]de).\u003c/li\u003e\n\u003cli\u003eThe landing page displays a Cloudflare CAPTCHA to validate the user and impede automated analysis.\u003c/li\u003e\n\u003cli\u003eAfter CAPTCHA completion, the user is redirected to an intermediate site that informs them the requested documentation is encrypted and requires account authentication.\u003c/li\u003e\n\u003cli\u003eThe user is presented with a legitimate-looking sign-in experience, part of an AiTM phishing flow.\u003c/li\u003e\n\u003cli\u003eThe attackers proxy the authentication session in real time and capture authentication tokens, granting immediate account access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign resulted in the compromise of authentication tokens, enabling attackers to gain unauthorized access to user accounts and bypass multifactor authentication. With more than 35,000 users targeted across over 13,000 organizations, the potential for widespread data breaches, financial fraud, and further malicious activities is significant. The targeting of sectors like Healthcare and Financial Services indicates a focus on high-value targets with sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEducate users about phishing lures, especially those using social engineering tactics and enterprise-style HTML templates.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious PDF Opening via Uncommon Applications\u0026rdquo; to identify unusual PDF execution paths, based on the \u0026lsquo;file_event\u0026rsquo; log source.\u003c/li\u003e\n\u003cli\u003eConfigure email security settings in Microsoft Defender for Office 365 to filter out phishing emails effectively.\u003c/li\u003e\n\u003cli\u003eEnable network protection to leverage SmartScreen as a host-based web proxy.\u003c/li\u003e\n\u003cli\u003eBlock access to the attacker-controlled domains, such as acceptable-use-policy-calendly[.]de, at the DNS resolver level.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T15:00:00Z","date_published":"2026-05-04T15:00:00Z","id":"/briefs/2026-05-aitm-phishing/","summary":"A widespread phishing campaign utilized 'code of conduct' lures, a multi-step attack chain, and legitimate email services to distribute authenticated messages from attacker-controlled domains, ultimately leading to adversary-in-the-middle (AiTM) token compromise, primarily targeting US-based organizations.","title":"Multi-Stage 'Code of Conduct' Phishing Campaign Leads to AiTM Token Compromise","url":"https://feed.craftedsignal.io/briefs/2026-05-aitm-phishing/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Intune Management Extension","Azure AD Connect Health Agent","Windows Defender Advanced Threat Protection"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","powershell","obfuscation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently employ PowerShell obfuscation techniques to evade detection and hinder analysis. These techniques involve encoding, encrypting, or compressing PowerShell scripts to mask their true intent. This detection identifies PowerShell script blocks exhibiting high entropy and non-uniform character distributions, statistical characteristics often associated with obfuscated content. The rule specifically targets script blocks longer than 1000 characters with entropy bits \u0026gt;= 5.5 and surprisal standard deviation \u0026gt; 0.7. This detection is designed to highlight potentially malicious PowerShell activity that warrants further investigation by security analysts and incident responders. This rule was created by Elastic and last updated on May 4, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system (e.g., via phishing or exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages PowerShell, a built-in Windows scripting language, to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe attacker uses obfuscation techniques (encoding, encryption, compression) to disguise the PowerShell script\u0026rsquo;s true intent.\u003c/li\u003e\n\u003cli\u003eThe obfuscated script is executed, bypassing basic signature-based detections.\u003c/li\u003e\n\u003cli\u003eThe script may download and execute additional payloads or establish persistence.\u003c/li\u003e\n\u003cli\u003eThe script performs malicious actions such as data exfiltration, lateral movement, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using obfuscated PowerShell can lead to various negative impacts, including data breaches, system compromise, and disruption of services. The low severity reflects the need for further analysis to confirm malicious intent, given potential false positives from legitimate encoded scripts. While the exact number of affected systems and sectors is unknown, the widespread use of PowerShell makes this a potentially significant threat across many organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to generate the necessary events (4104) as outlined in the setup instructions: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003ehttps://ela.st/powershell-logging-setup\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune the thresholds (\u003ccode\u003epowershell.file.script_block_length\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_entropy_bits\u003c/code\u003e, \u003ccode\u003epowershell.file.script_block_surprisal_stdev\u003c/code\u003e) based on your environment\u0026rsquo;s baseline.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule, focusing on execution context (\u003ccode\u003euser.name\u003c/code\u003e, \u003ccode\u003ehost.name\u003c/code\u003e), script provenance (\u003ccode\u003efile.path\u003c/code\u003e), and reconstructed script content (\u003ccode\u003epowershell.file.script_block_text\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section for detailed triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:49:36Z","date_published":"2026-05-04T14:49:36Z","id":"/briefs/2026-06-high-entropy-powershell/","summary":"This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.","title":"Potential PowerShell Obfuscated Script via High Entropy","url":"https://feed.craftedsignal.io/briefs/2026-06-high-entropy-powershell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon Registry Events","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["port-forwarding","registry-modification","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may configure port forwarding rules to bypass network segmentation restrictions, effectively using the compromised host as a jump box to access previously unreachable systems. This involves modifying the registry to redirect incoming TCP connections from a local port to another port or a remote computer. The technique is typically employed post-compromise to facilitate lateral movement and maintain unauthorized access within the network. This activity is detected by monitoring changes to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command-line interface (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e) with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ItemProperty\u003c/code\u003e cmdlet to modify the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a new port forwarding rule by creating a new subkey under \u003ccode\u003ev4tov4\\\u003c/code\u003e with specific settings for the local port, remote address, and remote port.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eListenAddress\u003c/code\u003e, \u003ccode\u003eListenPort\u003c/code\u003e, \u003ccode\u003eConnectAddress\u003c/code\u003e, and \u003ccode\u003eConnectPort\u003c/code\u003e values within the new subkey.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful creation and activation of the port forwarding rule using \u003ccode\u003enetsh interface portproxy show v4tov4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created port forwarding rule to tunnel traffic through the compromised host, bypassing network segmentation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the proxied connection to access internal resources and conduct further attacks, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass network segmentation restrictions, leading to unauthorized access to internal systems and data. This can facilitate lateral movement, data exfiltration, and further compromise of the network. The severity of the impact depends on the sensitivity of the accessible resources and the extent of the attacker\u0026rsquo;s lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys, enabling detection of malicious port forwarding rule additions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Port Forwarding Rule Addition via Registry Modification\u0026rdquo; to your SIEM to detect suspicious registry modifications related to port forwarding.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process execution chain and the user account that performed the action.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit existing port forwarding rules to identify and remove any unauthorized or suspicious configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-port-forwarding-registry/","summary":"An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.","title":"Windows Port Forwarding Rule Addition via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-port-forwarding-registry/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Zoom.exe, potentially indicating an attempt to evade detection or exploit vulnerabilities within the Zoom application. The rule focuses on detecting instances where command interpreters like cmd.exe, PowerShell, or PowerShell ISE are launched as child processes of Zoom. This behavior can be indicative of an attacker attempting to execute malicious commands or scripts within the context of the Zoom application, potentially escalating privileges or gaining unauthorized access to system resources. It\u0026rsquo;s crucial for defenders to investigate such occurrences, as they may signify ongoing exploitation or malicious activity leveraging Zoom as an initial access vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches the Zoom application (Zoom.exe).\u003c/li\u003e\n\u003cli\u003eA vulnerability in Zoom is exploited, or the user is socially engineered into running a malicious command.\u003c/li\u003e\n\u003cli\u003eZoom.exe spawns a child process, such as cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes commands or scripts, potentially downloading or executing malware.\u003c/li\u003e\n\u003cli\u003eThe malicious script or command performs reconnaissance activities on the system.\u003c/li\u003e\n\u003cli\u003eThe script establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement and data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could allow attackers to execute arbitrary commands, escalate privileges, and compromise the affected system. Depending on the user\u0026rsquo;s privileges, attackers could gain access to sensitive data, install malware, or pivot to other systems on the network. The impact ranges from data breaches to complete system compromise, potentially affecting all users within the organization who utilize the Zoom application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Zoom Child Process\u0026rdquo; to your SIEM to detect command interpreters spawned by Zoom.exe. Tune the rule for your environment to minimize false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture detailed information about process executions, which is essential for the Sigma rule above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the command-line arguments and network connections of the spawned processes.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for process creation events related to Zoom.exe and its child processes to identify suspicious behavior.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of unauthorized processes within the Zoom application context.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-suspicious-zoom-child-process/","summary":"A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.","title":"Suspicious Zoom Child Process Execution","url":"https://feed.craftedsignal.io/briefs/2024-11-suspicious-zoom-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","Sysmon","Crowdstrike","SentinelOne Cloud Funnel","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["powershell","malware","execution"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the execution of PowerShell with suspicious argument values on Windows systems. This behavior is frequently associated with malware installation and other malicious activities. PowerShell is a powerful scripting language, and adversaries often exploit its capabilities to execute malicious scripts, download payloads, and obfuscate commands. The rule focuses on detecting patterns such as encoded commands, suspicious downloads (e.g., using WebClient or Invoke-WebRequest), and various obfuscation techniques used to evade detection. The rule is designed to work with various data sources, including Elastic Defend, Windows Security Event Logs, Sysmon, and third-party EDR solutions like CrowdStrike, Microsoft Defender XDR, and SentinelOne, enhancing its applicability across different environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker uses PowerShell to download a malicious payload from a remote server using commands like \u003ccode\u003eDownloadFile\u003c/code\u003e or \u003ccode\u003eDownloadString\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload is often encoded or obfuscated to evade detection. Common techniques include Base64 encoding, character manipulation, and compression.\u003c/li\u003e\n\u003cli\u003ePowerShell is then used to decode or deobfuscate the payload using methods like \u003ccode\u003e[Convert]::FromBase64String\u003c/code\u003e or \u003ccode\u003e[char[]](...) -join ''\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe deobfuscated payload is executed directly in memory using techniques like \u003ccode\u003eiex\u003c/code\u003e (Invoke-Expression) or \u003ccode\u003eReflection.Assembly.Load\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed payload performs malicious actions, such as installing malware, establishing persistence, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use techniques like \u003ccode\u003eWebClient\u003c/code\u003e to download files from a remote URL.\u003c/li\u003e\n\u003cli\u003eCommands like \u003ccode\u003enslookup -q=txt\u003c/code\u003e are used for command and control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to malware installation, data theft, system compromise, and further propagation of the attack within the network. The detection of suspicious PowerShell arguments helps to identify and prevent these malicious activities before significant damage can occur. Without proper detection, attackers can maintain persistence, escalate privileges, and compromise sensitive data. The rule helps defenders identify and respond to these threats quickly, minimizing the impact of potential attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious PowerShell activity.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging with command line arguments to ensure the necessary data is captured for the Sigma rules to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules to determine the legitimacy of the PowerShell activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eContinuously tune the Sigma rules based on your environment to reduce false positives and improve detection accuracy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-susp-powershell-args/","summary":"This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.","title":"Suspicious Windows PowerShell Arguments Detected","url":"https://feed.craftedsignal.io/briefs/2024-09-susp-powershell-args/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["lolbas","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThe Windows command line debugging utility, cdb.exe, is a legitimate tool used for debugging applications. However, adversaries can exploit it to execute unauthorized commands or shellcode, bypassing security measures. This can be achieved by running cdb.exe from non-standard installation paths and using specific command-line arguments to execute malicious commands. The LOLBAS project documents this technique, highlighting its potential for defense evasion. This activity has been observed across various environments, necessitating detection strategies that focus on identifying anomalous executions of cdb.exe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies cdb.exe to a non-standard location (outside \u0026ldquo;Program Files\u0026rdquo; and \u0026ldquo;Program Files (x86)\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker executes cdb.exe with the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, or \u003ccode\u003e-pd\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eThese arguments are used to specify a command file or execute a direct command.\u003c/li\u003e\n\u003cli\u003eThe command file or command directly executes malicious code, such as shellcode.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as creating new processes, modifying files, or establishing network connections.\u003c/li\u003e\n\u003cli\u003eThese actions allow the attacker to maintain persistence or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to evade defenses and execute arbitrary code on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute arbitrary commands and shellcode on the affected system, potentially leading to complete system compromise. This can result in data theft, installation of malware, or further propagation within the network. The technique is effective at bypassing application whitelisting and other security controls that rely on standard execution paths.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution via Windows Command Debugging Utility\u0026rdquo; to your SIEM to detect suspicious cdb.exe executions (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent execution of cdb.exe from non-standard paths.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, and \u003ccode\u003e-pd\u003c/code\u003e flags when cdb.exe is executed.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of cdb.exe running from unusual directories to determine legitimacy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-cdb-execution/","summary":"Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.","title":"Suspicious Execution via Windows Command Debugging Utility","url":"https://feed.craftedsignal.io/briefs/2024-07-cdb-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to Subject Interface Package (SIP) providers, a critical component of the Windows cryptographic system responsible for validating file signatures. Attackers may attempt to subvert trust controls by modifying SIP providers, allowing them to bypass signature validation checks and potentially inject malicious code into trusted processes. This activity is a form of defense evasion, allowing unauthorized code execution. The rule focuses on detecting suspicious registry changes associated with SIP providers, while excluding known benign processes to minimize false positives. The rule is designed for data generated by Elastic Defend, but also supports third-party data sources like CrowdStrike, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Sysmon. This activity is related to MITRE ATT\u0026amp;CK technique T1553.003 (SIP and Trust Provider Hijacking).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through various means (e.g., phishing, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry keys associated with SIP providers, specifically targeting \u003ccode\u003eCryptSIPDllPutSignedDataMsg\u003c/code\u003e and \u003ccode\u003eTrust\\\\FinalPolicy\u003c/code\u003e locations.\u003c/li\u003e\n\u003cli\u003eThe attacker changes the \u003ccode\u003eDll\u003c/code\u003e value within these registry keys to point to a malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe system, upon attempting to validate a file signature, loads the malicious DLL instead of the legitimate SIP provider.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code, potentially injecting it into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the injected code to further compromise the system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of SIP providers allows attackers to bypass signature validation checks, leading to the execution of unsigned or malicious code. This can compromise the integrity of the system, leading to data breaches, system instability, or further propagation of malware within the network. The impact can range from individual workstation compromise to widespread organizational damage, depending on the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect SIP Provider Modification via Registry\u003c/code\u003e to your SIEM and tune it for your environment to detect suspicious registry modifications related to SIP providers.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to collect the necessary data for the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rules, focusing on the process responsible for the registry change and the DLL being loaded, as described in the rule\u0026rsquo;s triage section.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted code.\u003c/li\u003e\n\u003cli\u003eMonitor the registry paths listed in the Sigma rules for unexpected changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-sip-provider-modification/","summary":"This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.","title":"SIP Provider Modification for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-sip-provider-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis detection identifies the modification of Discretionary Access Control Lists (DACLs) for Windows services using the \u003ccode\u003esc.exe\u003c/code\u003e utility. Attackers can leverage this technique to deny access to a service, making it unmanageable or hiding it from system administrators and users. The detection rule focuses on identifying instances where \u003ccode\u003esc.exe\u003c/code\u003e is used with the \u003ccode\u003esdset\u003c/code\u003e argument, specifically targeting the denial of access for key user groups such as IU, SU, BA, SY, and WD. This activity is indicative of a defense evasion attempt aimed at hindering security tools or preventing remediation. The rule is designed for data generated by Elastic Defend, but also supports integrations with third-party data sources like CrowdStrike, Microsoft Defender XDR, and SentinelOne Cloud Funnel, offering broad coverage for detecting this malicious behavior across diverse environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to gain necessary permissions to modify service configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esc.exe\u003c/code\u003e with the \u003ccode\u003esdset\u003c/code\u003e command to modify the DACL of a targeted service.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esdset\u003c/code\u003e command arguments specify the new security descriptor, denying access to specific user groups (e.g., IU, SU, BA, SY, WD).\u003c/li\u003e\n\u003cli\u003eThe service becomes inaccessible to the targeted user groups, potentially disrupting legitimate operations or security tools.\u003c/li\u003e\n\u003cli\u003eThe attacker may repeat this process for multiple services to further impair system functionality or evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disabled or hidden services to maintain persistence or carry out other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of service DACLs can lead to a denial-of-service condition for legitimate users and system administrators. This can impair the functionality of critical security tools, hinder incident response efforts, and provide attackers with a persistent foothold on the compromised system. The hiding of services can also prevent users from identifying and removing malicious services. While the number of victims is not specified in the source, organizations across various sectors are potentially vulnerable to this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eService DACL Modification via sc.exe\u003c/code\u003e to your SIEM to detect this specific behavior.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where \u003ccode\u003esc.exe\u003c/code\u003e is used with the \u003ccode\u003esdset\u003c/code\u003e argument and access denial flags, focusing on the targeted user groups (IU, SU, BA, SY, WD).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitor for unauthorized attempts to modify service configurations.\u003c/li\u003e\n\u003cli\u003eRegularly audit service permissions to identify and remediate any unauthorized changes.\u003c/li\u003e\n\u003cli\u003eReview and update endpoint protection policies to prevent similar threats in the future, ensuring that all systems are equipped with the latest security patches and configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-service-dacl-modification/","summary":"Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.","title":"Service DACL Modification via sc.exe","url":"https://feed.craftedsignal.io/briefs/2024-07-service-dacl-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Sysmon","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike Falcon"],"_cs_severities":["medium"],"_cs_tags":["initial-access","rdp","phishing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly using malicious Remote Desktop Protocol (RDP) files to gain initial access to systems. These RDP files, often delivered via spearphishing attachments, contain connection settings that, when opened, can compromise a system. This technique allows adversaries to bypass traditional security measures by leveraging a legitimate tool (mstsc.exe) with a malicious configuration file. The observed activity involves opening RDP files from suspicious locations like Downloads, temporary folders (AppData\\Local\\Temp), and Outlook content cache (INetCache\\Content.Outlook). This campaign has been observed as recently as October 2024, where Midnight Blizzard conducted large-scale spear-phishing using RDP files. Defenders should monitor for the execution of mstsc.exe with RDP files from untrusted locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a spearphishing email containing a malicious RDP file as an attachment.\u003c/li\u003e\n\u003cli\u003eThe victim receives the email and, lured by social engineering, downloads the attached RDP file to a local directory, often the Downloads folder.\u003c/li\u003e\n\u003cli\u003eThe victim double-clicks the RDP file, initiating the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e reads the connection settings from the RDP file, which may include malicious configurations such as altered gateway settings or credential theft mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emstsc.exe\u003c/code\u003e attempts to establish a remote desktop connection based on the RDP file\u0026rsquo;s settings.\u003c/li\u003e\n\u003cli\u003eIf the connection is successful, the attacker gains unauthorized access to the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform reconnaissance, move laterally, and escalate privileges within the compromised network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or establishing persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using malicious RDP files can lead to unauthorized access to sensitive systems and data. The consequences range from data breaches and financial loss to complete system compromise and disruption of operations. The Microsoft Security blog reported a large-scale spear-phishing campaign utilizing RDP files as recently as October 2024. The targets may be across various sectors, with potentially widespread impact depending on the attacker\u0026rsquo;s objectives and the scope of the compromised network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRemote Desktop File Opened from Suspicious Path\u003c/code\u003e to your SIEM and tune for your environment, focusing on the specified file paths and \u003ccode\u003emstsc.exe\u003c/code\u003e execution.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to capture the execution of \u003ccode\u003emstsc.exe\u003c/code\u003e and the paths of the RDP files being opened.\u003c/li\u003e\n\u003cli\u003eEducate users on the risks associated with opening RDP files from untrusted sources, particularly those received as email attachments.\u003c/li\u003e\n\u003cli\u003eImplement strict email filtering to block or quarantine emails with RDP attachments from external sources.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual RDP traffic originating from systems where suspicious RDP files were executed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-11-rdp-file-attachment/","summary":"Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.","title":"Remote Desktop File Opened from Suspicious Path","url":"https://feed.craftedsignal.io/briefs/2024-11-rdp-file-attachment/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Server Update Services"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","wsus","psexec","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential abuse of Windows Server Update Services (WSUS) for lateral movement by executing PsExec. WSUS is designed to manage updates for Microsoft products, ensuring only signed binaries are executed. Attackers can exploit this by using WSUS to distribute and execute Microsoft-signed tools like PsExec, which can then be used to move laterally within the network. This technique leverages the trust relationship inherent in WSUS to bypass security controls. The rule focuses on detecting suspicious processes initiated by \u003ccode\u003ewuauclt.exe\u003c/code\u003e (the Windows Update client) executing PsExec from the SoftwareDistribution Download Install directories. Defenders should monitor WSUS activity and PsExec executions to detect and respond to this potential threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a system within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the WSUS server or performs a man-in-the-middle attack to spoof WSUS.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised WSUS server to approve a malicious update containing PsExec.\u003c/li\u003e\n\u003cli\u003eThe WSUS client (\u003ccode\u003ewuauclt.exe\u003c/code\u003e) on targeted machines downloads the \u0026ldquo;approved\u0026rdquo; update from the WSUS server, placing PsExec in the \u003ccode\u003eC:\\Windows\\SoftwareDistribution\\Download\\Install\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe WSUS client executes PsExec.\u003c/li\u003e\n\u003cli\u003ePsExec is used to execute commands or transfer files to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised systems to gather credentials or move laterally to other high-value targets.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve lateral movement within the network, leading to the compromise of additional systems and sensitive data. This can result in data breaches, financial loss, and reputational damage. The scope of impact depends on the level of access achieved by the attacker and the value of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eWSUS PsExec Execution\u003c/code\u003e to detect potential WSUS abuse involving PsExec execution.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to gain visibility into process executions, as referenced in the \u003ca href=\"https://ela.st/sysmon-event-1-setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and logging for WSUS activities to detect unauthorized changes or updates.\u003c/li\u003e\n\u003cli\u003eInvestigate and remove any unauthorized binaries found in the \u003ccode\u003eC:\\Windows\\SoftwareDistribution\\Download\\Install\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eReview and restrict the accounts authorized to manage WSUS to prevent unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-wsus-psexec/","summary":"Adversaries may exploit Windows Server Update Services (WSUS) to execute PsExec for lateral movement within a network by abusing the trusted update mechanism to run signed binaries.","title":"Potential WSUS Abuse for Lateral Movement via PsExec","url":"https://feed.craftedsignal.io/briefs/2024-07-wsus-psexec/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel","CrowdStrike"],"_cs_severities":["low"],"_cs_tags":["defense evasion","impact","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe Sysinternals SDelete utility is a legitimate tool developed by Microsoft for securely deleting files by overwriting and renaming them multiple times. While intended for secure data disposal, adversaries can abuse SDelete to remove forensic artifacts, destroy evidence of their activities, and impede data recovery efforts after a successful ransomware attack or data theft. This activity can be used as a post-exploitation technique. This detection rule focuses on identifying file name patterns indicative of SDelete\u0026rsquo;s operation, specifically detecting files with names resembling \u0026ldquo;*AAA.AAA\u0026rdquo;. The rule is designed to work with various endpoint detection and response solutions, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain the necessary permissions to delete files.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or utilizes an existing copy of the SDelete utility.\u003c/li\u003e\n\u003cli\u003eThe attacker executes SDelete against targeted files or directories.\u003c/li\u003e\n\u003cli\u003eSDelete overwrites the targeted file(s) multiple times with random data.\u003c/li\u003e\n\u003cli\u003eSDelete renames the file(s) multiple times, often with patterns such as \u0026ldquo;*AAA.AAA\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eSDelete deletes the file(s) making recovery difficult.\u003c/li\u003e\n\u003cli\u003eThe attacker removes SDelete or any associated tools to further cover their tracks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can result in the permanent deletion of crucial forensic artifacts, log files, or even critical data. This can severely hinder incident response efforts, making it challenging to identify the scope of the attack, the attacker\u0026rsquo;s methods, and the compromised assets. The number of victims and affected sectors depends on the scale of the initial breach and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Secure File Deletion via SDelete Utility\u0026rdquo; detection rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule, focusing on the process execution chain and identifying the user account involved.\u003c/li\u003e\n\u003cli\u003eReview the privileges assigned to the user account to ensure the least privilege principle is followed.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to enhance visibility into file creation events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-28-sdelete-filename-rename/","summary":"This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.","title":"Potential Secure File Deletion via SDelete Utility","url":"https://feed.craftedsignal.io/briefs/2024-01-28-sdelete-filename-rename/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Installer"],"_cs_severities":["low"],"_cs_tags":["msiexec","remote-file-execution","initial-access","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Citrix"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a built-in Windows component used for installing, modifying, and removing software. Adversaries may abuse msiexec.exe to launch local or network accessible MSI files, bypassing security controls and potentially leading to initial access or defense evasion. This activity is often part of a broader attack chain, used to deliver and execute malicious payloads. The detection rule provided by Elastic identifies suspicious msiexec.exe activity by monitoring process starts, network connections, and child processes. It filters out known benign signatures and paths to highlight potential misuse. This detection is designed to work with Elastic Defend data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via phishing (T1566) or other means to execute commands on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses msiexec.exe with the \u003ccode\u003e/V\u003c/code\u003e parameter to initiate the installation of a remote MSI package. This allows the attacker to bypass typical execution restrictions.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe attempts a network connection (T1105) to retrieve the remote MSI package from a malicious server.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe spawns a child process to handle the installation of the downloaded MSI package.\u003c/li\u003e\n\u003cli\u003eThe spawned child process executes malicious code embedded within the MSI package.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as installing malware, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised system for further lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the installation of malware, unauthorized access to sensitive data, and further compromise of the affected system and network. While this specific rule has a low risk score, it can be an early indicator of more serious attacks. It is crucial to investigate any alerts generated by this rule to determine the full scope and impact of the potential compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to your SIEM to detect suspicious usage of \u003ccode\u003emsiexec.exe\u003c/code\u003e to install remote packages. Tune the rule for your environment by adding exceptions for legitimate software installation processes.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and network connection logging on Windows endpoints to provide the necessary data for the Sigma rule to function effectively (Data Source: Elastic Defend).\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;Possible investigation steps\u0026rdquo; section in the Elastic rule\u0026rsquo;s documentation to investigate potential false positives and legitimate uses of \u003ccode\u003emsiexec.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized applications, including potentially malicious MSI packages.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-msiexec-remote-install/","summary":"The rule detects the execution of the built-in Windows Installer, msiexec.exe, to install a remote package potentially abused by adversaries for initial access and defense evasion.","title":"Potential Remote File Execution via MSIEXEC","url":"https://feed.craftedsignal.io/briefs/2026-05-msiexec-remote-install/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","threat-detection","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePass-the-Hash (PtH) is a technique where attackers leverage stolen password hashes to authenticate and move laterally within a Windows environment, bypassing standard system access controls. Instead of needing the plaintext password, adversaries use a hash of the password to authenticate to a remote service or server. This detection rule focuses on identifying potential PtH attempts by monitoring for successful logins using specific user IDs (S-1-5-21-* or S-1-12-1-*) and the \u003ccode\u003eseclogo\u003c/code\u003e logon process, which is commonly associated with credential theft and misuse. The rule aims to detect anomalous authentication patterns indicating that an attacker is using PtH to gain unauthorized access to systems. This is important because successful PtH attacks can lead to widespread compromise of sensitive data and critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker dumps password hashes from the compromised system using tools like Mimikatz.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen password hash to authenticate to the target system using the \u003ccode\u003eseclogo\u003c/code\u003e logon process.\u003c/li\u003e\n\u003cli\u003eWindows validates the hash, granting the attacker access without requiring the plaintext password.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully authenticates with the stolen credentials and a user ID matching the pattern S-1-5-21-* or S-1-12-1-*.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their unauthorized access to move laterally to other systems or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Pass-the-Hash attacks can lead to significant damage, including unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Organizations can experience financial losses, reputational damage, and operational disruptions. While the specific number of victims is not stated, PtH is a common technique used in many breaches, potentially affecting any organization that relies on Windows authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Logon to generate the necessary Windows Security Event Logs as referenced in the setup instructions \u003ca href=\"https://ela.st/audit-logon\"\u003ehttps://ela.st/audit-logon\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to your SIEM to detect potential Pass-the-Hash attempts. Tune the rule to account for legitimate uses of the \u003ccode\u003eseclogo\u003c/code\u003e logon process.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on correlating the successful authentication events with other security logs to identify any lateral movement or access to sensitive systems.\u003c/li\u003e\n\u003cli\u003eReview and update access controls and permissions for the affected accounts to ensure they adhere to the principle of least privilege after an incident, as detailed in the Response and Remediation section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-potential-pth/","summary":"This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.","title":"Potential Pass-the-Hash (PtH) Attempt Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-potential-pth/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","ntlm","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis rule detects a specific defense evasion technique where an attacker modifies the Windows registry to force a system to use the less secure NTLMv1 authentication protocol. This is known as a NetNTLMv1 downgrade attack. The registry modification involves changing the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value, which controls the authentication level. Attackers with local administrator privileges can perform this modification to weaken the authentication mechanism, making it easier to intercept and crack credentials. The rule is designed to detect this activity by monitoring registry events from various sources, including Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, Sysmon, and Crowdstrike. It is important to monitor for this activity as it can lead to credential theft and further compromise of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local administrator privileges on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a registry editor or command-line tool (e.g., \u003ccode\u003ereg.exe\u003c/code\u003e, PowerShell) to modify the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value in the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to one of the following registry paths: \u003ccode\u003eHKLM\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel\u003c/code\u003e or \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e value to \u0026ldquo;0\u0026rdquo;, \u0026ldquo;1\u0026rdquo;, or \u0026ldquo;2\u0026rdquo; (or their hexadecimal equivalents \u0026ldquo;0x00000000\u0026rdquo;, \u0026ldquo;0x00000001\u0026rdquo;, \u0026ldquo;0x00000002\u0026rdquo;). These values force the system to use NTLMv1.\u003c/li\u003e\n\u003cli\u003eThe system now uses NTLMv1 for authentication attempts.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a man-in-the-middle attack to capture NTLMv1 authentication traffic using tools like Responder or Inveigh.\u003c/li\u003e\n\u003cli\u003eThe captured NTLMv1 hashes are cracked using brute-force or dictionary attacks, revealing the user\u0026rsquo;s credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to gain unauthorized access to network resources or other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful NetNTLMv1 downgrade attack can lead to the compromise of user credentials, enabling attackers to move laterally within the network, access sensitive data, and potentially escalate privileges. The impact can range from data breaches to complete system compromise, depending on the attacker\u0026rsquo;s objectives and the compromised user\u0026rsquo;s privileges.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential NetNTLMv1 Downgrade Attack\u0026rdquo; to detect registry modifications setting \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to insecure values (0, 1, 2) within the specified registry paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to ensure the necessary data is available for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview registry event logs for unauthorized modifications of \u003ccode\u003eLmCompatibilityLevel\u003c/code\u003e to confirm legitimate administrative actions.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit local administrator privileges and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eMonitor the references URL for updates on recommended security configurations related to NTLM authentication.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-netntlmv1-downgrade/","summary":"This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.","title":"Potential NetNTLMv1 Downgrade Attack via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-netntlmv1-downgrade/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Filtering Platform","elastic-agent","elastic-endpoint"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows-filtering-platform","endpoint-security"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Bitdefender","VMware Carbon Black","Comodo","Vectra AI","Cybereason","Cylance","Elastic","ESET","Broadcom","Fortinet","Kaspersky","Malwarebytes","McAfee","Qualys","SentinelOne","Sophos","Symantec","Trend Micro","BeyondTrust","CrowdStrike","Splunk","Tanium"],"content_html":"\u003cp\u003eThe Windows Filtering Platform (WFP) provides APIs and system services for network filtering and packet processing. Attackers can abuse WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry. This can be achieved by tools like Shutter, EDRSilencer, and Nighthawk. This detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. The rule specifically looks for blocked network events linked to processes associated with known security software, aiming to detect and alert on attempts to disable or modify security tools. This behavior is especially concerning as it allows attackers to operate with reduced visibility.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative rights, necessary to interact with the Windows Filtering Platform.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., leveraging the \u003ccode\u003enetsh\u003c/code\u003e command or custom WFP API calls) to create a new WFP filter.\u003c/li\u003e\n\u003cli\u003eThe WFP filter is configured to block network traffic originating from specific processes associated with endpoint security software (e.g., \u003ccode\u003eelastic-agent.exe\u003c/code\u003e, \u003ccode\u003esysmon.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe system begins blocking network communication from the targeted security software.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or malware on the system, knowing that security telemetry will be suppressed.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, repeating the WFP filter deployment on other systems to further impair defenses.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using WFP to impair defenses can lead to a significant reduction in the effectiveness of endpoint security solutions. This can result in delayed detection of malicious activities, increased dwell time for attackers, and ultimately, a higher likelihood of successful data breaches or ransomware attacks. With endpoint telemetry blocked, organizations may remain unaware of the ongoing compromise until significant damage has occurred. The number of affected systems can vary depending on the attacker\u0026rsquo;s scope and objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and review Windows Audit Filtering Platform Connection and Packet Drop events to populate the logs required for the provided EQL rule (logs-system.security*, logs-windows.forwarded*, winlogbeat-*).\u003c/li\u003e\n\u003cli\u003eDeploy the provided EQL rule to your SIEM to detect suspicious WFP modifications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the EQL rule, focusing on identifying the specific processes being blocked and the source of the WFP rule modifications.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit WFP rules to identify any unauthorized or suspicious entries.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for systems authorized to modify WFP rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-wfp-evasion/","summary":"Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.","title":"Potential Evasion via Windows Filtering Platform Blocking Security Software","url":"https://feed.craftedsignal.io/briefs/2026-05-wfp-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["WinWord.exe","EXPLORER.EXE","w3wp.exe","DISM.EXE","Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","dll-side-loading","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies instances of Windows trusted programs such as WinWord.exe, EXPLORER.EXE, w3wp.exe, and DISM.EXE executing from unusual paths or after being renamed, which may indicate DLL side-loading. DLL side-loading is a defense evasion technique where a malicious DLL is placed in the same directory as a legitimate executable. When the executable runs, it may load the malicious DLL instead of the legitimate one, allowing the attacker to execute arbitrary code within the context of the trusted process. The detection logic focuses on process executions that deviate from standard installation paths. The targeted processes are commonly used and often whitelisted, making this a potent technique for adversaries to bypass security controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a trusted Windows program vulnerable to DLL side-loading (WinWord.exe, EXPLORER.EXE, w3wp.exe, or DISM.EXE).\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious DLL into a directory where the trusted program is expected to load DLLs from, often alongside a renamed or copied version of the legitimate executable.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker renames the trusted program and places it in a non-standard path.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the renamed or moved trusted program from the non-standard path.\u003c/li\u003e\n\u003cli\u003eThe trusted program loads the malicious DLL due to DLL search order hijacking.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the trusted process.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence, elevates privileges, or performs other malicious activities, potentially evading detection due to the trusted process context.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DLL side-loading attack allows the attacker to execute arbitrary code within the context of a trusted Microsoft process. This can lead to privilege escalation, persistence, and further compromise of the system. Since the malicious code is running within a trusted process, it can bypass application whitelisting and other security controls, making it difficult to detect. This can lead to data theft, system disruption, or the installation of malware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential DLL Side-Loading via Trusted Microsoft Programs\u0026rdquo; to your SIEM to detect suspicious executions of trusted programs from non-standard paths or with modifications.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for the Sigma rule to function correctly.\u003c/li\u003e\n\u003cli\u003eReview and tune the exclusion paths in the Sigma rule to avoid false positives from legitimate software updates, custom enterprise applications, or virtual environments.\u003c/li\u003e\n\u003cli\u003eMonitor process execution paths using the Sigma rule \u0026ldquo;Potential DLL Side-Loading via Trusted Microsoft Programs\u0026rdquo; and investigate any deviations from standard installation paths.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-dll-side-loading/","summary":"This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.","title":"Potential DLL Side-Loading via Trusted Microsoft Programs","url":"https://feed.craftedsignal.io/briefs/2026-05-dll-side-loading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["credential-access","persistence","active-directory","dcsync"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to the \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e attribute within Active Directory (AD) objects that grant DCSync-related permissions to a user or computer account. This technique allows attackers to create a persistent backdoor, enabling them to re-obtain access to user and computer account hashes. The modification involves assigning specific GUIDs that represent replication rights (\u003ccode\u003e1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u003c/code\u003e, \u003ccode\u003e1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u003c/code\u003e, \u003ccode\u003e89e95b76-444d-4c62-991a-0facbeda640c\u003c/code\u003e) to an account\u0026rsquo;s security descriptor. This allows the attacker to then use DCSync to retrieve credentials from the domain, effectively bypassing normal authentication mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account with sufficient privileges to modify Active Directory objects (e.g., Domain Admin).\u003c/li\u003e\n\u003cli\u003eThe attacker uses AD management tools (PowerShell, ADSI Edit, etc.) to target a specific user or computer account.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e attribute of the targeted account.\u003c/li\u003e\n\u003cli\u003eThe attacker grants replication rights to the targeted account by adding specific Access Control Entries (ACEs) containing the GUIDs \u003ccode\u003e1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u003c/code\u003e, \u003ccode\u003e1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u003c/code\u003e, and \u003ccode\u003e89e95b76-444d-4c62-991a-0facbeda640c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the DCSync technique, impersonating a domain controller, to request password hashes.\u003c/li\u003e\n\u003cli\u003eThe Active Directory server, believing the request is legitimate due to the granted replication rights, provides the attacker with the requested credential information.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains password hashes for domain users and computers.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials for lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to compromise the entire Active Directory domain by gaining access to sensitive credential data. This could lead to complete control over the network, including access to critical systems, sensitive data, and the ability to disrupt business operations. The modification of security descriptors creates a persistent backdoor that can be used repeatedly to harvest credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Directory Service Changes to generate the necessary event logs for detection (\u003ca href=\"https://ela.st/audit-directory-service-changes)\"\u003ehttps://ela.st/audit-directory-service-changes)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect unauthorized modifications to the \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e attribute. Tune the rule to exclude legitimate administrative accounts or scripts that may perform authorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs (event code 5136) for changes to the \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e attribute and investigate any unexpected modifications, focusing on the presence of DCSync-related GUIDs.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Active Directory permissions, focusing on accounts with replication rights, to ensure they are legitimate and necessary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-dcsync-backdoor/","summary":"Attackers can modify Active Directory object security descriptors to grant DCSync rights to unauthorized accounts, creating a backdoor to extract credential data.","title":"Potential Active Directory Replication Account Backdoor","url":"https://feed.craftedsignal.io/briefs/2026-05-dcsync-backdoor/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Crowdstrike FDR"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","persistence","registry-modification"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe LocalAccountTokenFilterPolicy is a Windows registry setting that, when enabled (set to 1), allows remote connections from local members of the Administrators group to be granted full high-integrity tokens during negotiation. This bypasses User Account Control (UAC) restrictions, allowing for elevated privileges remotely. Attackers may modify this registry setting to facilitate lateral movement within a network. This rule detects modifications to this specific registry setting, alerting on potential unauthorized changes that could lead to defense evasion and privilege escalation. The modification of this policy has been observed being leveraged in conjunction with pass-the-hash attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system through an exploit, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains local administrator credentials on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the LocalAccountTokenFilterPolicy registry key to a value of 1. This is done to allow remote connections from local administrator accounts to receive high-integrity tokens. The registry key is typically located at \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a \u0026ldquo;pass the hash\u0026rdquo; attack (T1550.002) using the compromised local administrator credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network using the \u0026ldquo;pass the hash\u0026rdquo; technique and the modified LocalAccountTokenFilterPolicy.\u003c/li\u003e\n\u003cli\u003eDue to the LocalAccountTokenFilterPolicy being enabled, the remote connection from the local administrator account receives a full high-integrity token.\u003c/li\u003e\n\u003cli\u003eThe attacker bypasses UAC on the remote system, gaining elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities on the remote system, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the LocalAccountTokenFilterPolicy allows attackers to bypass User Account Control (UAC) and gain elevated privileges on remote systems, potentially leading to unauthorized access to sensitive data, lateral movement across the network, and the deployment of ransomware. The overall impact can include data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e to your SIEM and tune for your environment to detect unauthorized modifications to the LocalAccountTokenFilterPolicy registry key.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the registry, which is required for the \u003ccode\u003eLocal Account TokenFilter Policy Enabled\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eReview the processes excluded in the rule query and ensure they are legitimate and necessary to prevent false positives.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\u003c/code\u003e path, specifically looking for changes to the value data.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-02-local-account-token-filter-policy-disabled/","summary":"Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.","title":"Local Account TokenFilter Policy Modification for Defense Evasion and Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-02-local-account-token-filter-policy-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR"],"_cs_severities":["low"],"_cs_tags":["discovery","domain-trust","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003edsquery.exe\u003c/code\u003e utility is a command-line tool in Windows used to query Active Directory. Attackers may leverage \u003ccode\u003edsquery.exe\u003c/code\u003e to discover domain trust relationships within a Windows environment, mapping out potential lateral movement paths. This discovery is often an early stage in reconnaissance, before an attacker attempts to move laterally to other systems. This activity can be detected across various endpoint detection platforms including Elastic Defend, CrowdStrike, Microsoft Defender XDR, and SentinelOne. This activity is not inherently malicious, as administrators also use it for legitimate purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target environment.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003edsquery.exe\u003c/code\u003e with the argument \u003ccode\u003eobjectClass=trustedDomain\u003c/code\u003e to enumerate domain trusts.\u003c/li\u003e\n\u003cli\u003eThe command execution is logged by endpoint detection and response (EDR) solutions or Windows Security Event Logs.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of the \u003ccode\u003edsquery.exe\u003c/code\u003e command to identify trusted domains and their attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered trust information to plan lateral movement strategies.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to other systems within the trusted domains using stolen credentials or other exploits.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of domain trusts enables attackers to map out the Active Directory environment and identify potential pathways for lateral movement. While the enumeration itself is low impact, it facilitates subsequent actions like credential theft, privilege escalation, and data exfiltration. This can lead to widespread compromise across the organization, impacting numerous systems and sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Enumerating Domain Trusts via DSQUERY.EXE\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any execution of \u003ccode\u003edsquery.exe\u003c/code\u003e with the argument \u003ccode\u003eobjectClass=trustedDomain\u003c/code\u003e to identify potentially malicious activity.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003edsquery.exe\u003c/code\u003e to detect suspicious command-line arguments and execution patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-domain-trust-discovery/","summary":"Adversaries may use the `dsquery.exe` command-line utility to enumerate trust relationships for lateral movement in Windows multi-domain environments.","title":"Enumerating Domain Trusts via DSQUERY.EXE","url":"https://feed.craftedsignal.io/briefs/2026-05-domain-trust-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Sysmon","Visual Studio Code"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","vscode","remote-access-tools","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","GitHub","Elastic"],"content_html":"\u003cp\u003eThis detection focuses on identifying the misuse of Visual Studio Code\u0026rsquo;s (VScode) remote tunnel feature to establish unauthorized access or control over systems. While the VScode remote tunnel feature is designed to allow developers to connect to remote environments seamlessly, attackers can abuse this functionality for malicious purposes. The rule specifically looks for the execution of the VScode portable binary with the \u0026ldquo;tunnel\u0026rdquo; command-line option, which is indicative of an attempt to establish a remote tunnel session to either GitHub or a remote VScode instance. Successful exploitation can lead to command and control capabilities, allowing attackers to remotely manage and compromise the affected system. The rule aims to detect this suspicious behavior by monitoring process execution and command-line arguments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker downloads a portable version of Visual Studio Code (VScode) onto the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the VScode binary with the \u003ccode\u003etunnel\u003c/code\u003e command-line argument to initiate a remote tunnel session.\u003c/li\u003e\n\u003cli\u003eThe attacker specifies additional arguments such as \u003ccode\u003e--accept-server-license-terms\u003c/code\u003e to bypass license agreement prompts.\u003c/li\u003e\n\u003cli\u003eThe VScode tunnel attempts to establish a connection to a remote server, potentially a GitHub repository or a remote VScode instance controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eIf successful, the tunnel creates a persistent connection, allowing the attacker to execute commands and transfer files.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established tunnel to remotely access the compromised system, enabling them to perform malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access through the established tunnel, allowing for long-term command and control of the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish a persistent command and control channel, enabling them to remotely manage the compromised system. This can lead to data theft, deployment of ransomware, or further lateral movement within the network. While the number of potential victims and specific sectors targeted are not explicitly stated, the widespread use of VScode makes a wide range of organizations vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Attempt to Establish VScode Remote Tunnel\u0026rdquo; rule to detect suspicious VScode tunnel activity in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the rule, focusing on the command-line arguments and process behaviors to confirm malicious intent.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from VScode processes for unusual or unauthorized connections to external servers.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate uses of VScode\u0026rsquo;s tunnel feature by authorized developers to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-09-vscode-tunnel/","summary":"The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.","title":"Detection of VScode Remote Tunneling for Command and Control","url":"https://feed.craftedsignal.io/briefs/2024-09-vscode-tunnel/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["execution","command-shell","rundll32"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers commonly abuse RunDLL32, a legitimate Windows utility, to execute malicious code by hosting it within DLLs. This technique allows adversaries to launch command shells like cmd.exe or PowerShell, effectively bypassing traditional security controls. Defenders should be aware of this technique because it provides a stealthy way for attackers to execute arbitrary commands, potentially leading to further compromise of the system. This activity is detected by monitoring for command shells initiated by RunDLL32, while excluding known benign patterns to reduce false positives. The detection rule was last updated on 2026/05/04 and supports multiple data sources, including Elastic Defend, Microsoft Defender XDR, and Sysmon.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eThe attacker uses RunDLL32.exe to execute a malicious DLL.\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe loads the specified DLL into memory.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL contains code to execute a command shell (cmd.exe or powershell.exe).\u003c/li\u003e\n\u003cli\u003eRunDLL32.exe spawns a command shell process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the command shell to execute commands for reconnaissance.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the command shell to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the command shell to perform lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the compromised system. While the rule is rated \u0026ldquo;low\u0026rdquo; severity, this initial access can lead to credential access (T1552) and further lateral movement within the network. Attackers can potentially gain full control of the system, leading to data theft, system disruption, or other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Command Shell Activity Started via RunDLL32\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to provide the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eReview the process details of RunDLL32.exe to confirm the parent-child relationship with the command shell, helping to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring for rundll32.exe and related processes to detect similar activities in the future and improve response times.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-rundll32-cmd-shell/","summary":"This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.","title":"Command Shell Activity Started via RunDLL32","url":"https://feed.craftedsignal.io/briefs/2026-05-rundll32-cmd-shell/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","code-signing","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may attempt to subvert trust controls by disabling or modifying the code signing policy. This allows them to execute unsigned or self-signed malicious code. This can be achieved by modifying boot configuration data (BCD) settings using the built-in bcdedit.exe utility on Windows. Disabling Driver Signature Enforcement (DSE) allows the loading of untrusted drivers, which can compromise system integrity. The rule identifies commands that can disable the Driver Signature Enforcement feature. The scope of the targeting is broad, as it can affect any Windows system where an attacker gains sufficient privileges to modify the BCD settings. This activity is detected by analyzing process execution events for specific command-line arguments used with bcdedit.exe. The detection rule was last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains administrative privileges on a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ebcdedit.exe\u003c/code\u003e with arguments to disable driver signature enforcement. Example: \u003ccode\u003ebcdedit.exe /set testsigning on\u003c/code\u003e or \u003ccode\u003ebcdedit.exe /set nointegritychecks on\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ebcdedit.exe\u003c/code\u003e modifies the Boot Configuration Data (BCD) store.\u003c/li\u003e\n\u003cli\u003eThe system is restarted to apply the changes made to the BCD.\u003c/li\u003e\n\u003cli\u003eThe attacker loads an unsigned or self-signed malicious driver.\u003c/li\u003e\n\u003cli\u003eThe malicious driver executes with kernel-level privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities such as installing rootkits, bypassing security controls, or stealing sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence by ensuring the malicious driver is loaded on subsequent system reboots.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the code signing policy can lead to the execution of unsigned or self-signed malicious code, which can compromise the integrity and security of the system. Attackers can install rootkits, bypass security controls, or steal sensitive data. The impact can range from individual system compromise to broader network-wide attacks, depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Code Signing Policy Modification Through Built-in Tools\u0026rdquo; to your SIEM to detect the execution of \u003ccode\u003ebcdedit.exe\u003c/code\u003e with arguments used to disable code signing (process.args).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments on Windows systems to ensure the Sigma rule can capture the relevant events (logsource).\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of code signing policy modification, as this activity is typically not legitimate and can indicate malicious activity. The rule \u003ccode\u003eFirst Time Seen Driver Loaded - df0fd41e-5590-4965-ad5e-cd079ec22fa9\u003c/code\u003e can be used to detect suspicious drivers loaded into the system after the command was executed.\u003c/li\u003e\n\u003cli\u003eEnsure that Driver Signature Enforcement is enabled on all systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-01-09-code-signing-policy-modification/","summary":"Attackers may attempt to disable or modify code signing policies on Windows systems by using built-in tools like bcdedit.exe in order to execute unsigned or self-signed malicious code.","title":"Code Signing Policy Modification Through Built-in Tools","url":"https://feed.craftedsignal.io/briefs/2024-01-09-code-signing-policy-modification/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-58074"}],"_cs_exploited":false,"_cs_products":["Norton Secure VPN"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","vulnerability"],"_cs_type":"advisory","_cs_vendors":["NortonLifeLock","Microsoft"],"content_html":"\u003cp\u003eCVE-2025-58074 describes a privilege escalation vulnerability affecting Norton Secure VPN when installed through the Microsoft Store. A low-privilege local user can exploit this vulnerability by manipulating files during the installation process. Successful exploitation can lead to arbitrary file deletion and, more critically, elevation of privileges on the affected system. This vulnerability poses a significant risk as it could allow an attacker to gain unauthorized access and control over a system. The vulnerability was reported by Talos and assigned a CVSS v3.1 score of 8.8 (HIGH).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privilege user initiates the installation of Norton Secure VPN from the Microsoft Store.\u003c/li\u003e\n\u003cli\u003eDuring the installation process, the user leverages their limited privileges to identify a directory or file that will be created/modified by the installer.\u003c/li\u003e\n\u003cli\u003eThe user replaces a legitimate file or creates a junction point/mount point to a protected system directory.\u003c/li\u003e\n\u003cli\u003eThe installer, running with elevated privileges, attempts to write data to the replaced file or the target of the junction/mount point.\u003c/li\u003e\n\u003cli\u003eDue to the replaced file or manipulated directory, the installer inadvertently deletes arbitrary files in a protected location or writes malicious content to a privileged location.\u003c/li\u003e\n\u003cli\u003eThis malicious file or manipulated registry key is then executed or utilized by a privileged process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-58074 allows a low-privilege user to escalate their privileges to SYSTEM. This could lead to complete compromise of the affected system, including unauthorized access to sensitive data, installation of malware, and modification of system configurations. The impact is significant, as it bypasses standard security controls and allows for persistent and potentially undetectable access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for suspicious file modifications during software installations, especially those originating from the Microsoft Store. Use the \u0026ldquo;Detect Suspicious File Replacement During Installation\u0026rdquo; Sigma rule to detect file replacements in common installation directories.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies to limit the ability of low-privilege users to modify system files or directories.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Detect Insecure Junction Point Creation\u0026rdquo; Sigma rule, which identifies the creation of junction points by non-administrator users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:16:28Z","date_published":"2026-05-04T14:16:28Z","id":"/briefs/2026-05-norton-privesc/","summary":"A privilege escalation vulnerability exists in Norton Secure VPN during installation via the Microsoft Store (CVE-2025-58074), allowing a low-privilege user to replace files leading to arbitrary file deletion and potential elevation of privileges.","title":"Norton Secure VPN Privilege Escalation Vulnerability (CVE-2025-58074)","url":"https://feed.craftedsignal.io/briefs/2026-05-norton-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-37555"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vulnerability","microsoft","cve-2026-37555"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn May 3, 2026, Microsoft published initial information regarding CVE-2026-37555. The advisory indicates a vulnerability exists within a Microsoft product. Due to the limited information available at this time, the specific product affected and the nature of the vulnerability are unknown. Defenders should monitor Microsoft\u0026rsquo;s security update guide for further details as they become available. This initial brief serves as an early notification, and will be updated when more information is released.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information available, a detailed attack chain cannot be constructed at this time. The following steps are a generalized potential attack chain that may be relevant depending on the specific vulnerability details released by Microsoft.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Microsoft product exposed to the network or internet.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload targeting the specific vulnerability (details unknown).\u003c/li\u003e\n\u003cli\u003eAttacker delivers the payload to the vulnerable product, potentially through a network connection or file upload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable product processes the malicious payload, triggering the vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to the system, potentially achieving remote code execution.\u003c/li\u003e\n\u003cli\u003eAttacker establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eAttacker performs lateral movement within the network to compromise additional systems.\u003c/li\u003e\n\u003cli\u003eAttacker achieves their objective, such as data exfiltration or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe potential impact of CVE-2026-37555 is currently unknown. Depending on the nature of the vulnerability, successful exploitation could lead to remote code execution, information disclosure, denial of service, or other adverse effects. Organizations should monitor for updates from Microsoft and prioritize patching affected systems as soon as a patch is released.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-37555\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-37555\u003c/a\u003e) for updated information on CVE-2026-37555.\u003c/li\u003e\n\u003cli\u003eWhen the affected product is announced, deploy the Sigma rules below to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T07:52:20Z","date_published":"2026-05-03T07:52:20Z","id":"/briefs/2024-01-cve-2026-37555/","summary":"CVE-2026-37555 is a vulnerability affecting a Microsoft product, requiring further investigation upon patch release.","title":"Microsoft Product Vulnerability CVE-2026-37555","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-37555/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-30656"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["vulnerability","microsoft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn May 3, 2026, Microsoft published a security update guide entry for CVE-2026-30656. At this time, no details regarding the nature of the vulnerability, affected products, or potential impact are available. Defenders should monitor Microsoft\u0026rsquo;s security resources for updates and apply patches as they become available. Due to the limited information, creating targeted detections is currently not possible. More information is required to understand the potential attack vectors and develop effective mitigations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the lack of details regarding CVE-2026-30656, a specific attack chain cannot be outlined at this time. The steps below represent a generic exploitation scenario:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Attacker identifies a vulnerable system exposed to the network.\u003c/li\u003e\n\u003cli\u003eExploitation: Attacker leverages CVE-2026-30656 to execute arbitrary code.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: Attacker escalates privileges to gain higher-level access.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Attacker moves laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003ePersistence: Attacker establishes persistent access to the compromised systems.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: Attacker exfiltrates sensitive data from the compromised network.\u003c/li\u003e\n\u003cli\u003eImpact: Attacker achieves their objective, such as data theft or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-30656 is currently unknown. Depending on the affected product and the nature of the vulnerability, successful exploitation could lead to a range of outcomes, including remote code execution, denial of service, or information disclosure. Without further details, the potential damage is difficult to assess, but defenders should prioritize monitoring for updates from Microsoft and promptly apply any released patches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-30656\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-30656\u003c/a\u003e) for updates and technical details regarding CVE-2026-30656.\u003c/li\u003e\n\u003cli\u003eWhen details are released, prioritize patching affected systems based on their criticality and exposure.\u003c/li\u003e\n\u003cli\u003eReview existing security controls and incident response plans to ensure they are adequate for addressing potential exploitation attempts targeting Microsoft products.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-03T07:52:20Z","date_published":"2026-05-03T07:52:20Z","id":"/briefs/2024-01-cve-2026-30656-info-published/","summary":"Microsoft published information regarding CVE-2026-30656, but the details of the vulnerability are not available.","title":"Microsoft CVE-2026-30656 Information Published","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-30656-info-published/"},{"_cs_actors":["TeamPCP"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["@bitwarden/cli (2026.4.0)","@cap-js/sqlite (2.2.2)","@cap-js/postgres (2.2.2)","@cap-js/db-service (2.10.1)","mbt (1.2.48)","SAP Cloud Application Programming (CAP) Model","checkmarx/kics"],"_cs_severities":["high"],"_cs_tags":["npm","supply-chain","credential-theft","github"],"_cs_type":"threat","_cs_vendors":["npm","GitHub","SAP","Bitwarden","Checkmarx","Microsoft"],"content_html":"\u003cp\u003eThe npm ecosystem is experiencing a surge in sophisticated supply chain attacks following the Shai-Hulud worm in September 2025. Attackers, including TeamPCP, are actively compromising npm packages to gain access to sensitive information and establish persistence within CI/CD pipelines. The attacks have evolved to include wormable propagation, infrastructure-level persistence, and multi-stage payloads designed to evade detection. In April 2026, two campaigns were observed: one included the string \u0026ldquo;Shai-Hulud: The Third Coming,\u0026rdquo; and the other, dubbed \u0026ldquo;Mini Shai-Hulud,\u0026rdquo; targeted the SAP developer ecosystem. The compromised packages are often part of SAP\u0026rsquo;s Cloud Application Programming (CAP) Model and multitarget application (MTA) build toolchain, increasing the likelihood of impacting enterprise developers and CI/CD pipelines with access to cloud credentials and GitHub tokens.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Compromise: Attackers compromise legitimate npm packages, such as @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, by injecting malicious code.\u003c/li\u003e\n\u003cli\u003eMalicious Code Injection: Compromised packages receive two new files: setup.mjs and execution.js, along with a modified package.json containing a \u0026ldquo;preinstall\u0026rdquo; hook.\u003c/li\u003e\n\u003cli\u003eExecution of setup.mjs: During the \u003ccode\u003enpm install\u003c/code\u003e process, the preinstall hook executes setup.mjs, which detects the host OS and architecture.\u003c/li\u003e\n\u003cli\u003eBun Runtime Download and Execution: setup.mjs downloads the Bun JavaScript runtime (v1.3.13) from GitHub releases and extracts it to a temporary directory.\u003c/li\u003e\n\u003cli\u003eExecution of execution.js: The Bun runtime executes execution.js, a large (11.7 MB) obfuscated credential stealer and propagation framework.\u003c/li\u003e\n\u003cli\u003eCredential Harvesting: execution.js harvests GitHub tokens, npm tokens, environment variables, GitHub Actions secrets, AWS STS identity, Azure Key Vault secrets, GCP Secret Manager values, and Kubernetes service account tokens. It also targets Claude and MCP configuration files and Electrum wallets.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The collected data is compressed, encrypted, and exfiltrated to freshly created public GitHub repositories with randomized names and descriptions.\u003c/li\u003e\n\u003cli\u003ePropagation: The malware searches for commits containing the keyword \u0026ldquo;OhNoWhatsGoingOnWithGitHub,\u0026rdquo; decodes matching commit messages as a token dead-drop, recovers stolen GitHub tokens, and uses them to spread the malware to other packages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised npm packages can lead to the theft of sensitive credentials, including cloud provider credentials, GitHub tokens, and CI/CD secrets. Successful attacks can result in unauthorized access to cloud infrastructure, code repositories, and deployment pipelines. The Mini Shai-Hulud campaign targeted packages with approximately 570,000 weekly downloads, potentially impacting a large number of SAP developers and enterprise environments. The attackers use stolen credentials to further propagate the malware, increasing the scale and scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRotate npm tokens and GitHub Personal Access Tokens (PATs) immediately if any affected packages were installed (refer to the list of affected packages in the IOC table).\u003c/li\u003e\n\u003cli\u003eMonitor npm install processes for unexpected execution of \u003ccode\u003enode setup.mjs\u003c/code\u003e (see Attack Chain).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Suspicious Bun Process Execution\u0026rdquo; to identify potential execution of the Bun runtime from temporary directories.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for unusual processes connecting to \u003ccode\u003eapi.github[.]com/search/commits?q=OhNoWhatsGoingOnWithGitHub\u003c/code\u003e (see IOCs) to detect potential C2 activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Github Commit By Claude Email\u0026rdquo; to identify commits authored with the email \u003ccode\u003eclaude@users.noreply.github.com\u003c/code\u003e to detect malicious commits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T00:10:33Z","date_published":"2026-05-02T00:10:33Z","id":"/briefs/2026-05-npm-supply-chain/","summary":"Threat actors are compromising npm packages, including those targeting SAP developers, to steal credentials, embed themselves in CI/CD pipelines, and deploy multi-stage payloads using techniques like wormable propagation and covert C2 channels on GitHub.","title":"Increased npm Supply Chain Attacks Targeting SAP Developers","url":"https://feed.craftedsignal.io/briefs/2026-05-npm-supply-chain/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-41526"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vulnerability","microsoft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn May 1, 2026, Microsoft published information regarding CVE-2026-41526, a vulnerability affecting an unspecified Microsoft product. At the time of initial publication, detailed information regarding the nature of the vulnerability, its potential impact, and affected products was limited, requiring security professionals to monitor Microsoft\u0026rsquo;s Security Update Guide for further details. Defenders should prioritize investigation of this CVE once specific product and exploitation details become available to assess organizational risk and deploy appropriate mitigations. This brief will be updated as more information is released.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (Hypothetical):\u003c/strong\u003e An attacker identifies a vulnerable Microsoft product exposed to the internet.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation (Hypothetical):\u003c/strong\u003e The attacker leverages CVE-2026-41526 to execute arbitrary code on the target system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Hypothetical):\u003c/strong\u003e The attacker escalates privileges to gain SYSTEM level access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence (Hypothetical):\u003c/strong\u003e The attacker establishes persistence using methods such as creating a new service or modifying existing registry keys.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Hypothetical):\u003c/strong\u003e The attacker moves laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration (Hypothetical):\u003c/strong\u003e The attacker exfiltrates sensitive data from the compromised network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Hypothetical):\u003c/strong\u003e The attacker achieves their final objective, such as deploying ransomware or stealing intellectual property.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-41526 is currently unknown due to lack of details, but successful exploitation could lead to complete system compromise, data breach, or denial of service. The scope of impact depends on the affected product and its role within the organization\u0026rsquo;s infrastructure. Further analysis will be required upon release of detailed information by Microsoft.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41526\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41526\u003c/a\u003e) for updates and detailed information regarding CVE-2026-41526.\u003c/li\u003e\n\u003cli\u003eIdentify potential attack vectors based on the affected Microsoft product and deploy appropriate detection rules when information is available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T07:35:47Z","date_published":"2026-05-01T07:35:47Z","id":"/briefs/2024-01-cve-2026-41526/","summary":"CVE-2026-41526 is a vulnerability affecting an unspecified Microsoft product, requiring further investigation upon patch release for exploitation details.","title":"Microsoft Product Vulnerability CVE-2026-41526","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-41526/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.5,"id":"CVE-2026-0967"}],"_cs_exploited":false,"_cs_products":["libssh"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","libssh","CVE-2026-0967","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-0967 is a denial-of-service (DoS) vulnerability affecting libssh, a library implementing the SSH protocol. The root cause lies in the inefficient processing of regular expressions within the library\u0026rsquo;s code. An attacker could exploit this vulnerability by sending specially crafted input that triggers excessive resource consumption during regular expression matching, leading to a denial of service. Successful exploitation could potentially enable defense evasion by overwhelming security controls and negatively impacting the availability of systems relying on the vulnerable libssh library. The vulnerability affects both Linux and Windows platforms where libssh is used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a service or application utilizing a vulnerable version of libssh.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input string designed to trigger inefficient regular expression processing within libssh.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted input to the vulnerable service via a network connection (e.g., SSH).\u003c/li\u003e\n\u003cli\u003eThe libssh library attempts to process the malicious input using its regular expression engine.\u003c/li\u003e\n\u003cli\u003eThe inefficient regular expression causes excessive CPU consumption or memory allocation.\u003c/li\u003e\n\u003cli\u003eThe vulnerable service becomes unresponsive due to resource exhaustion, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eSubsequent legitimate requests to the service are blocked or delayed, further exacerbating the impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-0967 can result in a denial-of-service condition, rendering affected services or applications unavailable. The impact scope depends on the role of the affected system. For example, a critical server becoming unavailable could disrupt business operations. While the number of potential victims is unknown, any system utilizing a vulnerable version of libssh is susceptible. The defense evasion aspect could allow attackers to bypass security controls during the DoS.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify systems using libssh and determine the installed version.\u003c/li\u003e\n\u003cli\u003eApply available patches or updates for libssh to remediate CVE-2026-0967 as released by Microsoft.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Libssh Regex Processing\u0026rdquo; to monitor for potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor CPU and memory usage on systems running libssh for unusual spikes, which may indicate a DoS attack.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on services using libssh to mitigate the impact of DoS attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T07:16:39Z","date_published":"2026-05-01T07:16:39Z","id":"/briefs/2024-01-libssh-dos/","summary":"CVE-2026-0967 is a denial-of-service vulnerability in libssh, stemming from inefficient regular expression processing that could lead to defense evasion and impact availability on affected systems.","title":"Libssh Denial-of-Service Vulnerability via Inefficient Regular Expression Processing (CVE-2026-0967)","url":"https://feed.craftedsignal.io/briefs/2024-01-libssh-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7359"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["high"],"_cs_tags":["use-after-free","chromium","edge","chrome","cve-2026-7359"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7359 describes a use-after-free vulnerability present in ANGLE (Almost Native Graphics Layer Engine), a crucial component of the Chromium open-source project. This vulnerability impacts applications that utilize the Chromium engine, most notably Google Chrome and Microsoft Edge. While the provided source does not give specific exploitation details, use-after-free vulnerabilities can allow for arbitrary code execution. Google Chrome has already addressed this vulnerability, and Microsoft Edge has incorporated the fix from Chromium. This vulnerability matters to defenders because successful exploitation could lead to compromise of the browser and potentially the underlying system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious web page containing JavaScript code that leverages a flaw in ANGLE\u0026rsquo;s memory management.\u003c/li\u003e\n\u003cli\u003eA user visits the malicious web page through Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code triggers the use-after-free vulnerability by freeing a memory object in ANGLE and then attempting to access it again.\u003c/li\u003e\n\u003cli\u003eThis memory corruption leads to a controlled crash or allows the attacker to overwrite memory with arbitrary data.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the memory overwrite to inject malicious code into the browser process.\u003c/li\u003e\n\u003cli\u003eThe injected code executes within the context of the browser, granting the attacker access to user data, cookies, and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use this access to perform actions on behalf of the user, such as stealing credentials, installing malware, or spreading the attack to other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution on the user\u0026rsquo;s system, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit of CVE-2026-7359 could allow an attacker to execute arbitrary code within the context of the affected browser (Chrome or Edge). This can lead to sensitive information disclosure, data theft, and potentially full system compromise. The scope of impact is broad, affecting any user who visits a malicious webpage while using a vulnerable version of Chrome or Edge. Since Chrome and Edge are widely used, this vulnerability poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WebGL Usage\u003c/code\u003e to identify potential exploitation attempts targeting ANGLE via WebGL.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests (cs-uri-query) that may be related to the exploitation of CVE-2026-7359.\u003c/li\u003e\n\u003cli\u003eEnsure that all Chrome and Edge installations are updated to the latest versions to patch CVE-2026-7359.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:40Z","date_published":"2026-05-01T02:21:40Z","id":"/briefs/2026-05-chromium-use-after-free/","summary":"A use-after-free vulnerability in the ANGLE graphics engine within Chromium (CVE-2026-7359) allows for potential exploitation in Google Chrome and Microsoft Edge.","title":"Chromium Use-After-Free Vulnerability in ANGLE (CVE-2026-7359)","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7339"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["webrtc","heap-overflow","code-execution","cve-2026-7339"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7339 is a critical heap buffer overflow vulnerability affecting the WebRTC (Web Real-Time Communication) component in Google Chrome and Microsoft Edge (Chromium-based). This vulnerability stems from improper memory management within WebRTC, potentially allowing a remote attacker to execute arbitrary code by crafting malicious web content. As Microsoft Edge ingests Chromium, it is also vulnerable. Users of Chrome and Edge are affected. Defenders should apply available patches promptly to mitigate potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious website designed to trigger the WebRTC vulnerability.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious website using a vulnerable version of Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe website uses JavaScript to initiate a WebRTC session.\u003c/li\u003e\n\u003cli\u003eThe crafted WebRTC data triggers a heap buffer overflow during memory allocation within the WebRTC component.\u003c/li\u003e\n\u003cli\u003eThe overflow overwrites adjacent memory regions on the heap.\u003c/li\u003e\n\u003cli\u003eThe attacker carefully crafts the overflow data to overwrite critical program data or function pointers.\u003c/li\u003e\n\u003cli\u003eThe corrupted data leads to arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the user\u0026rsquo;s browser and potentially the underlying system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7339 can lead to arbitrary code execution, allowing an attacker to potentially install malware, steal sensitive information, or take control of the affected system. Given the widespread use of Chrome and Edge, this vulnerability could impact a large number of users across various sectors, including individuals, businesses, and government organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge (Chromium-based) to patch CVE-2026-7339.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WebRTC Heap Overflow Attempt\u0026rdquo; to identify potential exploitation attempts targeting CVE-2026-7339.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual requests or patterns associated with WebRTC usage that could indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2026-05-chromium-webrtc-overflow/","summary":"A heap buffer overflow vulnerability exists in the WebRTC component of Google Chrome and Microsoft Edge (Chromium-based), potentially leading to code execution.","title":"CVE-2026-7339: Heap Buffer Overflow in WebRTC","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-webrtc-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7355"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["high"],"_cs_tags":["use-after-free","chromium","cve-2026-7355","browser"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7355 is a critical use-after-free vulnerability residing in the Media component of the Chromium browser engine. This vulnerability affects Google Chrome and Microsoft Edge, as Edge incorporates Chromium. A use-after-free vulnerability occurs when an application attempts to use memory after it has been freed, which can lead to crashes, arbitrary code execution, or other unexpected behavior. Successful exploitation could allow an attacker to execute arbitrary code within the context of the browser. This vulnerability was reported and patched by the Chromium project.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious webpage containing specially crafted media content.\u003c/li\u003e\n\u003cli\u003eA user opens the malicious webpage in a vulnerable version of Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe browser attempts to process the malicious media content, triggering the use-after-free vulnerability in the Media component.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code attempts to access a freed memory region.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the memory region due to the use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the controlled memory region.\u003c/li\u003e\n\u003cli\u003eThe browser executes the attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the context of the browser process, potentially leading to system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7355 can lead to arbitrary code execution within the context of the browser process. An attacker could potentially gain control of the user\u0026rsquo;s system, steal sensitive information, or install malware. Given the widespread use of Chrome and Edge, a successful exploit could impact a large number of users across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7355.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chromium Use-After-Free in Media Component\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging to capture events related to potential exploitation attempts, facilitating detection rule functionality.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2026-05-chromium-uaf/","summary":"CVE-2026-7355 is a use-after-free vulnerability in the Media component of Chromium, affecting Google Chrome and Microsoft Edge, potentially allowing for arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in Media Component (CVE-2026-7355)","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-uaf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7357"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","chromium","edge","chrome"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7357 is a critical use-after-free vulnerability residing within the GPU component of the Chromium rendering engine. This flaw directly impacts Google Chrome and, due to Microsoft Edge\u0026rsquo;s reliance on Chromium, also affects Edge users. A remote attacker could potentially exploit this vulnerability to execute arbitrary code on a targeted system. The vulnerability stems from improper memory management within the GPU processing routines. While the specific exploitation details are not provided in this brief, successful exploitation generally involves crafting malicious web content to trigger the vulnerability during GPU operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing JavaScript that triggers specific GPU functions.\u003c/li\u003e\n\u003cli\u003eUser visits the malicious website using Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s rendering engine processes the malicious JavaScript, leading to the allocation and subsequent freeing of a memory region in the GPU component.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s JavaScript code then attempts to access the previously freed memory region, triggering the use-after-free vulnerability.\u003c/li\u003e\n\u003cli\u003eBy manipulating the memory layout, the attacker can overwrite the freed memory with controlled data.\u003c/li\u003e\n\u003cli\u003eThe overwritten memory is later accessed by the GPU, leading to the execution of attacker-controlled code.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to escalate privileges or perform other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7357 can lead to arbitrary code execution on the victim\u0026rsquo;s machine. The attacker could potentially install malware, steal sensitive data, or take control of the affected system. Given the widespread use of Chrome and Edge, this vulnerability poses a significant risk to a large number of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome to address CVE-2026-7357.\u003c/li\u003e\n\u003cli\u003eApply the latest security updates for Microsoft Edge to address CVE-2026-7357.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious WebAssembly Execution\u0026rdquo; to identify potential exploitation attempts involving WebAssembly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chromium-use-after-free/","summary":"CVE-2026-7357 is a use-after-free vulnerability in the GPU component of Chromium that also affects Microsoft Edge, potentially leading to arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in GPU Component (CVE-2026-7357)","url":"https://feed.craftedsignal.io/briefs/2024-01-chromium-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-7333"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","chromium","gpu","cve-2026-7333","remote code execution"],"_cs_type":"threat","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7333 is a critical use-after-free vulnerability residing in the GPU component of the Chromium browser engine. This flaw allows an attacker to potentially corrupt memory and execute arbitrary code in the context of the browser process. As Microsoft Edge is built upon the Chromium engine, it is also susceptible to this vulnerability. Public details are limited, but exploitation likely involves crafting malicious web content that triggers the use-after-free condition within the GPU processing routines. This vulnerability poses a significant threat as it could allow attackers to compromise user systems simply by visiting a malicious website.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious HTML page containing JavaScript that interacts with the GPU functionality of the browser.\u003c/li\u003e\n\u003cli\u003eThe user visits the malicious page via a phishing email or drive-by download.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code triggers the use-after-free vulnerability in the Chromium GPU component.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to corrupt memory allocated for GPU processing.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates memory to gain control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into the browser process.\u003c/li\u003e\n\u003cli\u003eThe injected code executes with the privileges of the browser process, allowing the attacker to perform actions such as stealing cookies, credentials, or installing malware.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the compromised system and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-7333 could allow an attacker to execute arbitrary code on a user\u0026rsquo;s system. This could lead to the theft of sensitive information, installation of malware, or complete system compromise. Given the widespread use of Chromium-based browsers such as Chrome and Edge, this vulnerability has the potential to affect millions of users. The impact is considered critical due to the ease of exploitation and the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7333.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious GPU Process Creation\u0026rdquo; to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to detect suspicious processes spawned by the browser (logsource: process_creation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-03-chromium-use-after-free/","summary":"CVE-2026-7333 is a use-after-free vulnerability in the GPU component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in GPU Component (CVE-2026-7333)","url":"https://feed.craftedsignal.io/briefs/2024-01-03-chromium-use-after-free/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-7348"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","vulnerability","browser"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7348 is a critical use-after-free vulnerability residing within the Codecs component of the Chromium browser engine. This vulnerability affects applications that utilize the Chromium engine, most notably Google Chrome and Microsoft Edge. While the specific details of the vulnerability are documented in Google Chrome Releases, the underlying issue stems from improper memory management within the Codecs library. Successful exploitation could allow an attacker to execute arbitrary code within the context of the affected browser, potentially leading to data theft, system compromise, or other malicious activities. This vulnerability requires immediate attention from organizations utilizing Chrome or Edge.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious web page containing specially crafted media content designed to trigger the use-after-free condition in the Codecs library.\u003c/li\u003e\n\u003cli\u003eThe user visits the malicious web page using Google Chrome or Microsoft Edge.\u003c/li\u003e\n\u003cli\u003eThe browser attempts to process the malicious media content, triggering the vulnerable code path within the Codecs library.\u003c/li\u003e\n\u003cli\u003eThe use-after-free condition is triggered when the browser attempts to access memory that has already been freed.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the use-after-free condition to corrupt memory and gain control of program execution.\u003c/li\u003e\n\u003cli\u003eThe attacker injects and executes arbitrary code within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data, such as cookies, credentials, or browsing history.\u003c/li\u003e\n\u003cli\u003eThe attacker potentially escalates privileges or installs malware on the user\u0026rsquo;s system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7348 allows an attacker to execute arbitrary code within the context of the affected browser (Chrome or Edge). This can lead to sensitive information disclosure, such as credentials or browsing history. The attacker could potentially gain full control of the user\u0026rsquo;s system. Given the widespread use of Chromium-based browsers, a successful exploit could impact a significant number of users across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Google Chrome to the latest version that addresses this vulnerability; refer to \u003ca href=\"https://chromereleases.googleblog.com/2025\"\u003eGoogle Chrome Releases\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure Microsoft Edge is updated to the latest version incorporating the Chromium security patch.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Chromium Codecs Use-After-Free Exploit Attempt\u0026rdquo; to identify potential exploitation attempts via webserver logs.\u003c/li\u003e\n\u003cli\u003eEnable webserver logging to capture HTTP requests, which is required for the provided Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chromium-cve-2026-7348/","summary":"CVE-2026-7348 is a use-after-free vulnerability in the Codecs component of Chromium, affecting Google Chrome and Microsoft Edge.","title":"Chromium Use-After-Free Vulnerability in Codecs (CVE-2026-7348)","url":"https://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7348/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7349"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["high"],"_cs_tags":["use-after-free","browser","chromium"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7349 is a use-after-free vulnerability found in the Cast component of the Chromium browser engine. This vulnerability affects Google Chrome and, by extension, Microsoft Edge, as Edge is built upon Chromium. Use-after-free vulnerabilities can allow an attacker to execute arbitrary code or cause a denial-of-service. While the original report comes from Chrome, the nature of Chromium\u0026rsquo;s shared codebase means that other Chromium-based browsers are also vulnerable. Successful exploitation of this vulnerability could lead to code execution within the context of the browser process. Defenders need to prioritize patching and monitoring for unusual browser behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious webpage designed to trigger the use-after-free vulnerability in the Cast component.\u003c/li\u003e\n\u003cli\u003eThe user visits the malicious webpage using a vulnerable version of Chrome or Edge.\u003c/li\u003e\n\u003cli\u003eThe Cast component attempts to access a freed memory location.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the use-after-free condition to corrupt memory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a function pointer or other critical data structure in memory.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the corrupted function pointer or data structure.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker could potentially escalate privileges or perform other malicious activities, such as installing malware or stealing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7349 could allow an attacker to execute arbitrary code within the context of the browser, potentially leading to data theft, malware installation, or further system compromise. Given the widespread use of Chrome and Edge, this vulnerability has a significant impact. The specific number of potential victims is dependent on the speed of patching, but could potentially affect millions of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7349.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor browser process execution for unexpected code loading or memory access patterns using process creation logs.\u003c/li\u003e\n\u003cli\u003eImplement memory protection techniques such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to mitigate the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chrome-cve-2026-7349/","summary":"CVE-2026-7349 is a use-after-free vulnerability in the Cast component of Chromium, affecting Google Chrome and Microsoft Edge.","title":"Chromium Use-After-Free Vulnerability in Cast (CVE-2026-7349)","url":"https://feed.craftedsignal.io/briefs/2024-01-chrome-cve-2026-7349/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7338"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["use-after-free","chrome","edge","cve-2026-7338","remote code execution"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7338 is a critical use-after-free vulnerability residing within the Cast component of the Chromium browser engine. Google Chrome and Microsoft Edge (Chromium-based) are both affected by this flaw. While the provided source does not specify the exact vulnerable versions, it indicates that Microsoft Edge ingests Chromium, and thus is affected by vulnerabilities addressed in Chromium releases. Successful exploitation of this vulnerability could lead to arbitrary code execution in the context of the user running the browser. This poses a significant risk, as attackers could potentially gain control of the user\u0026rsquo;s system. Defenders should prioritize patching affected browsers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious webpage or injects malicious code into a legitimate website that utilizes the Cast functionality.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious website or interacts with the compromised legitimate website using an affected browser (Chrome or Edge).\u003c/li\u003e\n\u003cli\u003eThe malicious webpage triggers the use-after-free vulnerability in the Cast component.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to access memory that has already been freed.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites the freed memory with attacker-controlled data.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the memory layout to redirect program execution.\u003c/li\u003e\n\u003cli\u003eThe browser attempts to execute code from the attacker-controlled memory location.\u003c/li\u003e\n\u003cli\u003eThis results in arbitrary code execution within the context of the browser process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7338 allows an attacker to execute arbitrary code on a victim\u0026rsquo;s machine. This can lead to complete system compromise, data theft, installation of malware, or other malicious activities. Given the widespread use of Chromium-based browsers like Chrome and Edge, this vulnerability has the potential to impact a large number of users across various sectors. The severity is critical due to the potential for remote code execution.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome to address CVE-2026-7338 as detailed in Google Chrome Releases.\u003c/li\u003e\n\u003cli\u003eApply the latest security updates for Microsoft Edge (Chromium-based) to address CVE-2026-7338, ensuring the ingested Chromium version contains the fix.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential exploitation attempts targeting the Cast component.\u003c/li\u003e\n\u003cli\u003eEnable enhanced browser security features, such as sandboxing and site isolation, to limit the impact of potential exploits.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2024-01-chromium-cve-2026-7338/","summary":"CVE-2026-7338 is a use-after-free vulnerability in the Cast component of Chromium, affecting Google Chrome and Microsoft Edge, potentially leading to arbitrary code execution.","title":"Chromium Use-After-Free Vulnerability in Cast (CVE-2026-7338)","url":"https://feed.craftedsignal.io/briefs/2024-01-chromium-cve-2026-7338/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-7353"}],"_cs_exploited":false,"_cs_products":["Chrome","Edge"],"_cs_severities":["critical"],"_cs_tags":["heap overflow","chromium","cve-2026-7353"],"_cs_type":"advisory","_cs_vendors":["Google","Microsoft"],"content_html":"\u003cp\u003eCVE-2026-7353 is a critical heap buffer overflow vulnerability residing within the Skia graphics library, a core component of the Chromium open-source project. This vulnerability impacts applications that utilize Chromium, including Google Chrome and Microsoft Edge. While the specific details of exploitation are not provided in this brief, the nature of a heap buffer overflow suggests a high potential for arbitrary code execution. Successful exploitation could allow an attacker to gain control of the affected browser process. Given the widespread use of Chromium-based browsers, this vulnerability poses a significant risk to a large user base. Defenders should prioritize patching and consider implementing mitigations to detect and prevent potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious web page or injects malicious content into a trusted website.\u003c/li\u003e\n\u003cli\u003eThe victim visits the malicious web page or interacts with the injected content using a Chromium-based browser (Chrome or Edge).\u003c/li\u003e\n\u003cli\u003eThe browser\u0026rsquo;s rendering engine, utilizing the Skia library, processes the malicious content, triggering the heap buffer overflow in Skia.\u003c/li\u003e\n\u003cli\u003eThe overflow allows the attacker to overwrite adjacent memory regions in the heap.\u003c/li\u003e\n\u003cli\u003eBy carefully crafting the overflowed data, the attacker can overwrite critical data structures within the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the execution flow by overwriting function pointers or other control data.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code within the context of the browser process.\u003c/li\u003e\n\u003cli\u003eThe attacker could then perform actions such as installing malware, stealing sensitive data, or further compromising the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7353 allows for arbitrary code execution within the context of the affected browser process. This can lead to a complete compromise of the user\u0026rsquo;s browser session, potentially enabling the attacker to steal credentials, inject malicious code into other websites, or install malware on the victim\u0026rsquo;s system. Given the widespread use of Chrome and Edge, the potential impact is significant, affecting potentially millions of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security updates for Google Chrome and Microsoft Edge to patch CVE-2026-7353.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential exploitation attempts based on suspicious process execution originating from the browser (see \u0026ldquo;Detect Suspicious Process Creation from Browser\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eEnable enhanced browser security features such as site isolation to mitigate the impact of successful exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T02:21:27Z","date_published":"2026-05-01T02:21:27Z","id":"/briefs/2026-05-chromium-heap-overflow/","summary":"CVE-2026-7353 is a heap buffer overflow vulnerability in the Skia graphics library used by Chromium, affecting both Google Chrome and Microsoft Edge.","title":"Chromium Heap Buffer Overflow Vulnerability (CVE-2026-7353)","url":"https://feed.craftedsignal.io/briefs/2026-05-chromium-heap-overflow/"},{"_cs_actors":["Storm-1747"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender"],"_cs_severities":["high"],"_cs_tags":["email","phishing","credential-theft","Tycoon2FA","BEC"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eIn the first quarter of 2026, Microsoft Threat Intelligence observed a significant rise in email-based phishing threats, totaling approximately 8.3 billion. This increase was driven by surges in QR code phishing (more than doubling over the period), CAPTCHA-gated phishing, and credential phishing attacks. Microsoft\u0026rsquo;s Digital Crime Unit successfully disrupted the Tycoon2FA phishing-as-a-service (PhaaS) platform in early March, leading to a 15% reduction in associated email volume. However, threat actors adapted by shifting hosting providers and domain registration patterns. Business email compromise (BEC) also remained a prevalent threat, with approximately 10.7 million attacks recorded during the quarter, often characterized by low-effort, generic outreach messages. Microsoft Defender Research has also noted the emergence of AI-enabled device code phishing campaigns.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Email Delivery:\u003c/strong\u003e Attackers send phishing emails impersonating legitimate services or organizations. These emails may contain links, QR codes, or HTML attachments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVictim Interaction:\u003c/strong\u003e The victim opens the email and clicks on a malicious link or scans a QR code, redirecting them to a phishing page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePhishing Page Redirection:\u003c/strong\u003e The phishing page mimics a legitimate login portal, such as Microsoft 365 or other enterprise applications.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The victim enters their username and password on the phishing page, which are then captured by the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass (AiTM):\u003c/strong\u003e For attacks using adversary-in-the-middle (AiTM) techniques (like those facilitated by Tycoon2FA), the attacker intercepts the MFA code and uses it to authenticate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise:\u003c/strong\u003e With the stolen credentials and MFA code (if applicable), the attacker gains unauthorized access to the victim\u0026rsquo;s account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Data Theft:\u003c/strong\u003e The attacker uses the compromised account to access sensitive data, send further phishing emails, or move laterally within the organization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eBusiness Email Compromise:\u003c/strong\u003e In BEC attacks, attackers use compromised accounts or spoofed email addresses to send fraudulent invoices or requests for wire transfers.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe observed email threats in Q1 2026 led to a high risk of credential compromise, financial loss through BEC attacks, and potential data breaches across various sectors. Although the total number of victims is not specified, the billions of phishing attempts indicate a widespread impact. Microsoft\u0026rsquo;s disruption of Tycoon2FA temporarily reduced phishing volumes by 15%, demonstrating the potential for proactive intervention to mitigate these threats. However, threat actors are quickly adapting their techniques, indicating the need for continued vigilance and enhanced security measures. The 10.7 million BEC attacks alone represent a significant financial threat to businesses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Tycoon2FA Phishing Attempts\u0026rdquo; Sigma rule to identify email campaigns associated with the Tycoon2FA platform.\u003c/li\u003e\n\u003cli\u003eEnable Microsoft Defender detections to improve detection of phishing emails and malicious payloads.\u003c/li\u003e\n\u003cli\u003eMonitor email traffic for suspicious domain registrations, particularly those using newer generic top-level domains (TLDs) such as .DIGITAL, .BUSINESS, .CONTRACTORS, .CEO, and .COMPANY, and the resurgence of .RU registrations, to identify potential Tycoon2FA infrastructure shifts.\u003c/li\u003e\n\u003cli\u003eEducate users about the dangers of QR code phishing and CAPTCHA-gated attacks, emphasizing the importance of verifying the legitimacy of login pages and email senders, to reduce the effectiveness of phishing campaigns (T1566).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T15:00:00Z","date_published":"2026-04-30T15:00:00Z","id":"/briefs/2026-05-email-phishing-trends/","summary":"In Q1 2026, email threats increased, including credential phishing, QR code phishing, and CAPTCHA-gated campaigns, with Microsoft's disruption of the Tycoon2FA phishing platform leading to a 15% volume decrease and shifts in threat actor tactics; BEC activity remained prevalent at 10.7 million attacks.","title":"Q1 2026 Email Threat Landscape: Rise in Phishing Techniques and Tycoon2FA Disruption","url":"https://feed.craftedsignal.io/briefs/2026-05-email-phishing-trends/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Windows","Microsoft 365","Google Workspace"],"_cs_severities":["high"],"_cs_tags":["clickfix","malware","social-engineering","rat","infostealer","castleloader","netsupport"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe BackgroundFix campaign is a social engineering scheme using fake \u0026ldquo;remove your photo background\u0026rdquo; services to deliver malware. Victims are lured to malicious sites mimicking legitimate image editing tools. The sites feature fake upload interfaces, progress bars, and download buttons to appear authentic. This campaign delivers a multi-stage payload, starting with CastleLoader. CastleLoader then drops NetSupport RAT, enabling remote access for the attackers, and CastleStealer, a custom .NET stealer designed to exfiltrate browser credentials, wallet extension data, and Telegram session files. This campaign appears to be active, with multiple domains sharing the same template.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eVictim searches for an online background removal tool and lands on a malicious BackgroundFix site.\u003c/li\u003e\n\u003cli\u003eThe victim uploads an image to the fake website.\u003c/li\u003e\n\u003cli\u003eAfter clicking a checkbox, the site instructs the victim to copy a command to their clipboard.\u003c/li\u003e\n\u003cli\u003eThe copied command executes \u003ccode\u003efinger.exe\u003c/code\u003e to query \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003efinger.exe\u003c/code\u003e retrieves a batch script from the C2 server.\u003c/li\u003e\n\u003cli\u003eThe batch script executes commands to download and execute further payloads.\u003c/li\u003e\n\u003cli\u003eCastleLoader is deployed, subsequently dropping NetSupport RAT and CastleStealer.\u003c/li\u003e\n\u003cli\u003eNetSupport RAT grants the attacker remote access, while CastleStealer exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks result in the installation of NetSupport RAT, granting attackers remote control over the compromised system. Additionally, CastleStealer exfiltrates sensitive information such as browser credentials, wallet extension data, and Telegram session files. This stolen data can be used for further malicious activities, including financial fraud, identity theft, and unauthorized access to sensitive accounts. The active nature of the campaign and the use of multiple domains suggest a broad targeting scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003efinger.exe\u003c/code\u003e with command-line arguments pointing to external domains (IOC: \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of \u003ccode\u003efinger.exe\u003c/code\u003e to identify potential initial access attempts.\u003c/li\u003e\n\u003cli\u003eBlock the C2 domain \u003ccode\u003echeeshomireciple[.]com\u003c/code\u003e at the DNS resolver to prevent initial payload delivery.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for NetSupport RAT C2 communications on port 688 to detect compromised systems (IOCs: \u003ccode\u003eporonto[.]com:688\u003c/code\u003e, \u003ccode\u003egiovettiadv[.]com:688\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T13:00:00Z","date_published":"2026-04-30T13:00:00Z","id":"/briefs/2026-04-clickfix-backgroundfix/","summary":"The 'BackgroundFix' ClickFix campaign uses social engineering to trick victims into downloading malware disguised as a free image-editing tool, leading to the deployment of CastleLoader, NetSupport RAT for remote access, and CastleStealer for credential theft.","title":"ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer","url":"https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2025-14510"}],"_cs_exploited":false,"_cs_products":["OPTIMAX 6.1","OPTIMAX 6.2","OPTIMAX 6.3","OPTIMAX 6.4","Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["authentication bypass","ics","vulnerability"],"_cs_type":"advisory","_cs_vendors":["ABB","Microsoft"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2025-14510, affects ABB Ability OPTIMAX versions that utilize Azure Active Directory (Azure AD) for Single-Sign On (SSO) authentication. This flaw stems from an incorrect implementation of the authentication algorithm, potentially allowing attackers to bypass the Azure AD authentication mechanism and gain unauthorized access to the OPTIMAX system. The affected versions include ABB Ability OPTIMAX 6.1 and 6.2 (all versions), 6.3 versions prior to 6.3.1-251120, and 6.4 versions prior to 6.4.1-251120. Successful exploitation could lead to significant disruption in energy, water, and wastewater sectors. The vulnerability was reported to CISA by ABB PSIRT.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an ABB Ability OPTIMAX installation using Azure AD SSO with a vulnerable version (6.1, 6.2, 6.3 \u0026lt; 6.3.1-251120, or 6.4 \u0026lt; 6.4.1-251120).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious authentication request, exploiting the incorrect implementation of the authentication algorithm (CWE-303).\u003c/li\u003e\n\u003cli\u003eThe crafted request bypasses the expected Azure AD authentication checks within OPTIMAX.\u003c/li\u003e\n\u003cli\u003eOPTIMAX incorrectly validates the attacker\u0026rsquo;s session, granting them access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages their unauthorized access to gain control over OPTIMAX functionalities.\u003c/li\u003e\n\u003cli\u003eThe attacker can then modify control parameters, manipulate data, or disrupt operations within the connected industrial processes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-14510 enables unauthorized access to ABB Ability OPTIMAX systems, potentially leading to severe consequences in critical infrastructure sectors such as energy, water, and wastewater. An attacker could manipulate industrial processes, disrupt critical services, or cause significant financial and operational damage. Given the widespread deployment of ABB Ability OPTIMAX systems globally, a successful campaign exploiting this vulnerability could have far-reaching impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update ABB Ability OPTIMAX to fixed versions (6.3.1-251120 and later) to remediate CVE-2025-14510.\u003c/li\u003e\n\u003cli\u003eRefer to ABB PSIRT security advisory 9AKK108472A1331 for detailed mitigation steps and recommendations.\u003c/li\u003e\n\u003cli\u003eMinimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, as per CISA\u0026rsquo;s recommended practices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:00:00Z","date_published":"2026-04-30T12:00:00Z","id":"/briefs/2026-04-optimax-auth-bypass/","summary":"CVE-2025-14510 allows an attacker to bypass Azure Active Directory Single-Sign On authentication in vulnerable ABB Ability OPTIMAX versions, potentially granting unauthorized access to critical infrastructure systems.","title":"ABB Ability OPTIMAX Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-optimax-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows RPC"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","windows","unpatched-vulnerability"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAn unpatched vulnerability exists within the Microsoft Windows Remote Procedure Call (RPC) service. This vulnerability allows a local attacker to escalate their privileges on a vulnerable system. The specific details of the vulnerability are not disclosed, but successful exploitation would allow an attacker to perform actions with elevated permissions, potentially leading to complete system compromise. This poses a significant risk to systems where unauthorized users have local access. Defenders should prioritize detection and mitigation strategies to address this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to a Windows system through some method.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the presence of the unpatched Windows RPC vulnerability.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious RPC request designed to exploit the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe malicious RPC request is sent to the Windows RPC service.\u003c/li\u003e\n\u003cli\u003eThe Windows RPC service processes the request, triggering the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe vulnerability allows the attacker to execute code with elevated privileges (e.g., SYSTEM).\u003c/li\u003e\n\u003cli\u003eAttacker leverages elevated privileges to install malware, modify system configurations, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eAttacker establishes persistent access and expands their control over the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to escalate their privileges to SYSTEM. This allows the attacker to perform any action on the system, including installing malware, creating new accounts with administrative privileges, accessing sensitive data, and disrupting system operations. The impact is critical, as a successful attack can lead to complete system compromise and potential data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation monitoring to detect suspicious processes spawned by the RPC service (see rules below).\u003c/li\u003e\n\u003cli\u003eMonitor for unusual registry modifications that might indicate privilege escalation attempts (see rules below).\u003c/li\u003e\n\u003cli\u003eContinuously monitor Microsoft\u0026rsquo;s security advisories for a patch addressing this Windows RPC vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T11:16:31Z","date_published":"2026-04-30T11:16:31Z","id":"/briefs/2026-05-windows-rpc-privesc/","summary":"A local attacker can exploit an unpatched vulnerability in Microsoft Windows RPC to escalate privileges.","title":"Unpatched Microsoft Windows RPC Vulnerability Allows Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-windows-rpc-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-34978"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["path traversal","cups","cve-2026-34978","file write"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-34978 is a path traversal vulnerability affecting OpenPrinting CUPS, a modular printing system that allows a computer to act as a print server. The vulnerability exists within the RSS notify-recipient-uri functionality, which improperly validates file paths. By crafting a malicious URI, an attacker can write files outside the intended CacheDir/rss directory. This can lead to the overwriting of critical system files, such as job.cache, potentially disrupting print services and, in some scenarios, leading to arbitrary code execution. This vulnerability was disclosed by Microsoft and requires immediate attention from system administrators to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious RSS notify-recipient-uri containing a path traversal sequence (e.g., \u0026ldquo;../\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe crafted URI is submitted to the CUPS server through a print job request or a configuration setting.\u003c/li\u003e\n\u003cli\u003eCUPS processes the URI and attempts to write a file to the specified location.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, the file is written outside the intended CacheDir/rss directory.\u003c/li\u003e\n\u003cli\u003eThe attacker overwrites a critical file, such as job.cache, with malicious content.\u003c/li\u003e\n\u003cli\u003eThe CUPS server attempts to access the overwritten file.\u003c/li\u003e\n\u003cli\u003eIf job.cache is successfully overwritten, the attacker can gain control of the print queue or cause a denial of service by corrupting the print system\u0026rsquo;s state.\u003c/li\u003e\n\u003cli\u003eIn a more advanced scenario, the attacker could potentially achieve arbitrary code execution by overwriting other binaries or configuration files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34978 can lead to denial of service by corrupting the printing system state. By overwriting critical CUPS files, an attacker can disrupt printing services. In more critical scenarios, the vulnerability could be leveraged to achieve arbitrary code execution, potentially allowing the attacker to gain complete control over the affected system. The scope of the impact is dependent on the permissions of the CUPS process and the specific files that are overwritten.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by OpenPrinting to address CVE-2026-34978.\u003c/li\u003e\n\u003cli\u003eMonitor CUPS server logs for suspicious activity related to file writes outside the CacheDir/rss directory. Consider deploying the provided Sigma rule \u003ccode\u003eDetect CUPS Path Traversal File Write\u003c/code\u003e to identify such attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation on any user-supplied data that is used to construct file paths within CUPS.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit CUPS configuration settings to ensure that they are secure and do not allow for path traversal vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T08:46:41Z","date_published":"2026-04-30T08:46:41Z","id":"/briefs/2026-05-cups-path-traversal/","summary":"CVE-2026-34978 is a path traversal vulnerability in OpenPrinting CUPS that allows writing files outside the CacheDir/rss directory, potentially overwriting the job.cache file.","title":"OpenPrinting CUPS Path Traversal Vulnerability (CVE-2026-34978)","url":"https://feed.craftedsignal.io/briefs/2026-05-cups-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-5778"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["integer-underflow","memory-corruption","cve"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-5778 is a critical security vulnerability affecting an unspecified Microsoft product. This vulnerability stems from an integer underflow within the ChaCha decryption process. While the specific product affected is not detailed in the initial advisory, the vulnerability\u0026rsquo;s nature suggests a potential impact on any Microsoft software utilizing ChaCha for encryption or decryption purposes. Successful exploitation of this vulnerability could lead to out-of-bounds memory access, potentially allowing attackers to execute arbitrary code or cause a denial-of-service condition. This vulnerability highlights the importance of secure coding practices and rigorous testing in cryptographic implementations. Defenders should monitor for updates and apply patches as soon as they become available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious input designed to trigger the ChaCha decryption routine within the vulnerable Microsoft product.\u003c/li\u003e\n\u003cli\u003eThe malicious input exploits a weakness in the bounds checking logic related to the ChaCha algorithm.\u003c/li\u003e\n\u003cli\u003eDuring the decryption process, a specially crafted integer value underflows.\u003c/li\u003e\n\u003cli\u003eThis integer underflow results in an incorrect memory address calculation.\u003c/li\u003e\n\u003cli\u003eThe incorrect memory address calculation leads to an out-of-bounds memory access.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds access allows the attacker to read sensitive data or overwrite memory locations.\u003c/li\u003e\n\u003cli\u003eBy overwriting critical memory locations, the attacker can potentially inject and execute arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5778 can have severe consequences, including arbitrary code execution and denial of service. The impact will vary depending on the affected product and the specific context of the vulnerability. If exploited, this vulnerability could allow an attacker to gain complete control of a system or disrupt its availability, leading to significant data loss, system compromise, and reputational damage. The lack of specific victim and sector information makes assessing the scope difficult, but all organizations using Microsoft products should consider this a high-priority vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Microsoft\u0026rsquo;s security update guide for specific product advisories related to CVE-2026-5778 and apply patches immediately upon release.\u003c/li\u003e\n\u003cli\u003eImplement runtime memory protection mechanisms to detect and prevent out-of-bounds memory access attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect suspicious processes that may be exploiting this vulnerability via memory access patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T08:43:55Z","date_published":"2026-04-30T08:43:55Z","id":"/briefs/2024-01-chacha-integer-underflow/","summary":"CVE-2026-5778 is an integer underflow vulnerability in the ChaCha decrypt path of an unspecified Microsoft product, leading to an out-of-bounds access issue.","title":"CVE-2026-5778 Integer Underflow in ChaCha Decryption Leads to Out-of-Bounds Access","url":"https://feed.craftedsignal.io/briefs/2024-01-chacha-integer-underflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32283"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","tls","crypto/tls"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-32283 describes a vulnerability within the crypto/tls component related to the processing of TLS 1.3 KeyUpdate records. The core issue stems from the lack of proper authentication for these KeyUpdate records. An attacker exploiting this flaw can send unauthenticated KeyUpdate records to a vulnerable server. The server, upon processing these records, may retain connections persistently or enter a denial-of-service (DoS) state due to resource exhaustion. This vulnerability poses a significant risk to systems relying on TLS 1.3 for secure communication. While the specific vulnerable products are not detailed in the source, the report does mention Microsoft as the affected vendor. Defenders must identify and patch the vulnerable crypto/tls implementations to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker establishes a TLS 1.3 connection with a vulnerable server.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious TLS 1.3 KeyUpdate record without proper authentication.\u003c/li\u003e\n\u003cli\u003eAttacker sends the unauthenticated KeyUpdate record to the target server over the established TLS connection.\u003c/li\u003e\n\u003cli\u003eThe vulnerable crypto/tls implementation on the server processes the malformed KeyUpdate record.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper validation, the server\u0026rsquo;s connection state becomes inconsistent.\u003c/li\u003e\n\u003cli\u003eThe server retains the connection persistently due to the invalid state.\u003c/li\u003e\n\u003cli\u003eAttacker repeats steps 2-6 to exhaust server resources with numerous persistent connections.\u003c/li\u003e\n\u003cli\u003eThe server enters a denial-of-service (DoS) condition, becoming unresponsive to legitimate requests.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32283 can lead to a denial-of-service condition, rendering affected servers unavailable. The number of affected victims will vary based on the deployment of vulnerable crypto/tls implementations. Services relying on TLS 1.3 for secure communication are at risk. If the attack succeeds, legitimate users will be unable to access the affected services, potentially causing significant disruption and financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify all systems using the crypto/tls component from Microsoft to determine if they are vulnerable to CVE-2026-32283.\u003c/li\u003e\n\u003cli\u003eApply the security updates released by Microsoft to patch CVE-2026-32283 on all affected systems as soon as they are available, according to the Microsoft Security Update Guide.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious TLS KeyUpdate records, focusing on malformed or unauthenticated packets using a network intrusion detection system (NIDS).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T08:43:55Z","date_published":"2026-04-30T08:43:55Z","id":"/briefs/2026-04-tls-keyupdate-dos/","summary":"CVE-2026-32283 is a vulnerability in crypto/tls that allows unauthenticated TLS 1.3 KeyUpdate records, leading to persistent connection retention and a denial-of-service condition.","title":"CVE-2026-32283 Unauthenticated TLS 1.3 KeyUpdate DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-tls-keyupdate-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-28388"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-28388","denial-of-service","certificate revocation list"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-28388 is a newly disclosed vulnerability affecting a Microsoft product related to the processing of Delta Certificate Revocation Lists (CRLs). This vulnerability is classified as a NULL Pointer Dereference, a type of error that can occur when a program attempts to access a memory location through a null pointer. While the specific product and its versions affected remain undisclosed in the initial advisory, the potential impact could be significant for systems that rely on CRLs for certificate validation. Successful exploitation of this vulnerability could lead to a denial-of-service condition. Defenders should monitor Microsoft\u0026rsquo;s updates for further details and apply patches promptly when available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eGiven the limited information, we can infer a general attack chain based on typical NULL pointer dereference exploitation:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Delta CRL.\u003c/li\u003e\n\u003cli\u003eThe affected Microsoft product attempts to process this CRL.\u003c/li\u003e\n\u003cli\u003eDuring processing, the software encounters a null pointer due to a parsing error or unexpected structure within the malicious CRL.\u003c/li\u003e\n\u003cli\u003eThe software attempts to dereference this null pointer, causing an exception.\u003c/li\u003e\n\u003cli\u003eThe exception leads to a crash of the affected service or application.\u003c/li\u003e\n\u003cli\u003eRepeated crashes of the service result in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploitation of CVE-2026-28388 could result in a denial-of-service condition. The absence of details regarding affected products and specific exploitation vectors limits a complete impact assessment. Systems that heavily rely on CRL validation, such as those in Public Key Infrastructure (PKI) environments, are potentially more vulnerable. The lack of specific victim data makes it difficult to estimate the potential scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Microsoft\u0026rsquo;s Security Update Guide for updates regarding affected products and available patches for CVE-2026-28388.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect anomalies in CRL traffic that could be indicative of malicious CRLs being distributed, focusing on unusual CRL sizes or frequent requests for the same CRL.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect potential crashes related to CRL processing. Review and tune the rule for your specific environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T08:43:55Z","date_published":"2026-04-30T08:43:55Z","id":"/briefs/2024-01-cve-2026-28388/","summary":"CVE-2026-28388 is a NULL Pointer Dereference vulnerability in an unspecified Microsoft product when processing a Delta CRL, potentially leading to a denial-of-service condition.","title":"CVE-2026-28388 NULL Pointer Dereference in Delta CRL Processing","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-28388/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4,"id":"CVE-2026-32777"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["informational"],"_cs_tags":["cve-2026-32777","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn April 30, 2026, Microsoft released a security update guide entry for CVE-2026-32777. At the time of this publication, the vulnerability details, affected products, and potential attack vectors remain undisclosed. This early notification serves as an alert for security teams to prepare for future announcements and potential patching efforts. Due to the lack of specifics, organizations should monitor Microsoft\u0026rsquo;s security update guide for further details and prioritize updates accordingly once more information becomes available. The impact of this vulnerability is currently unknown, pending further details from Microsoft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the lack of available information, it is not possible to define an attack chain at this time. Once details regarding the vulnerability and potential exploitation methods are released by Microsoft, the following attack chain will be updated.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-32777 is currently unknown. Awaiting further details from Microsoft.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center for updates regarding CVE-2026-32777.\u003c/li\u003e\n\u003cli\u003ePrepare patching procedures for Microsoft products in the event of a critical vulnerability announcement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T07:46:18Z","date_published":"2026-04-30T07:46:18Z","id":"/briefs/2024-01-cve-2026-32777/","summary":"Microsoft has published information regarding CVE-2026-32777, but no further details regarding the vulnerability or its exploitation are currently available.","title":"Microsoft Published Information on CVE-2026-32777","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-32777/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4,"id":"CVE-2026-32776"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn April 30, 2026, Microsoft published initial information regarding CVE-2026-32776. At this time, specific details about the vulnerability, its potential impact, and affected products are not readily available without enabling JavaScript on the Microsoft Security Response Center page. This lack of immediate information presents a challenge for defenders, as it limits the ability to proactively assess and mitigate potential risks associated with this CVE. Further analysis will be required once the vulnerability details are fully disclosed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information available, a specific attack chain cannot be constructed at this time.\nDetailed steps will be added following the release of comprehensive vulnerability information by Microsoft.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe potential impact of CVE-2026-32776 remains unknown at this time due to the limited details released by Microsoft. Once the vulnerability details are available, the potential impact can be assessed, including the scope of affected systems, potential data breaches, and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center for updated information on CVE-2026-32776.\u003c/li\u003e\n\u003cli\u003eOnce details are available, assess the impact on your environment and prioritize patching (CVE-2026-32776).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T07:46:18Z","date_published":"2026-04-30T07:46:18Z","id":"/briefs/2024-01-cve-2026-32776/","summary":"Microsoft published information regarding CVE-2026-32776, however, further details require JavaScript to be enabled, limiting the actionable intelligence at this time.","title":"Microsoft Published Information on CVE-2026-32776","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-32776/"},{"_cs_actors":[],"_cs_cves":[{"cvss":2.9,"id":"CVE-2026-32778"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn April 30, 2026, Microsoft published an advisory for CVE-2026-32778.\nAt the time of publication, there are no details available regarding the specifics of this vulnerability.\nThis brief serves as an initial notification to detection engineering teams to monitor for updates to the CVE and prepare for potential exploitation attempts.\nAs Microsoft releases further information, this brief will be updated with relevant details and detection strategies.\nThe lack of information prevents detailed analysis, but proactive monitoring is crucial.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the absence of vulnerability details, a specific attack chain cannot be constructed at this time.\nA typical software vulnerability exploitation attack chain might include the following steps, but these are purely hypothetical and may not apply to CVE-2026-32778:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker identifies a vulnerable service or application related to CVE-2026-32778.\u003c/li\u003e\n\u003cli\u003eExploitation: The attacker sends a crafted request to trigger the vulnerability, potentially involving malformed data or specific API calls.\u003c/li\u003e\n\u003cli\u003eCode Execution: Successful exploitation allows the attacker to execute arbitrary code on the target system.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating a scheduled task or modifying registry keys.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker attempts to elevate privileges to gain SYSTEM or Administrator access.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker moves laterally to other systems on the network, using techniques like Pass-the-Hash or credential dumping.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker exfiltrates sensitive data from the compromised systems.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their final objective, such as data theft, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-32778 is currently unknown. Depending on the affected component and the nature of the vulnerability, successful exploitation could lead to a range of outcomes, including remote code execution, denial of service, information disclosure, or privilege escalation. The number of potential victims and affected sectors cannot be determined until more information is available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Microsoft\u0026rsquo;s Security Update Guide for updates to CVE-2026-32778 (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32778\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32778\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eReview existing security controls and logging configurations to ensure adequate visibility into system activity.\u003c/li\u003e\n\u003cli\u003eOnce details of CVE-2026-32778 become available, prioritize patching and implement appropriate detection measures based on the specific vulnerability characteristics.\u003c/li\u003e\n\u003cli\u003eConsider deploying generic rules that look for exploitation attempts (see example Sigma rules below) and tune them once more info is available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T07:46:18Z","date_published":"2026-04-30T07:46:18Z","id":"/briefs/2024-01-cve-2026-32778/","summary":"Microsoft published information regarding vulnerability CVE-2026-32778, but no details regarding the vulnerability are available at this time.","title":"Microsoft CVE-2026-32778 Vulnerability Published","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-32778/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.3,"id":"CVE-2026-34073"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["certificate validation","man-in-the-middle","dns name constraint","tls","cve-2026-34073"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-34073 describes a security vulnerability related to incomplete DNS name constraint enforcement affecting an unspecified Microsoft product. The vulnerability lies in the improper validation of peer names against DNS name constraints during certificate validation. An attacker could potentially exploit this flaw to bypass security checks and impersonate legitimate servers or services. Further details regarding the specific affected products and exploitation scenarios are currently unavailable but are anticipated to be released by Microsoft. Defenders should closely monitor Microsoft\u0026rsquo;s official communication channels for updates and guidance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eAs the vulnerability details are limited, the following attack chain is based on a generalized understanding of how incomplete DNS name constraint enforcement could be exploited.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious certificate with a DNS name that is designed to bypass the incomplete constraint enforcement.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a rogue server or service using the crafted certificate.\u003c/li\u003e\n\u003cli\u003eA client application (potentially within the Microsoft ecosystem) attempts to establish a secure connection with the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eDuring the TLS handshake, the client application receives the malicious certificate.\u003c/li\u003e\n\u003cli\u003eDue to the incomplete DNS name constraint enforcement, the client application incorrectly validates the certificate as trusted.\u003c/li\u003e\n\u003cli\u003eA secure connection is established between the client and the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or manipulates data transmitted over the \u0026ldquo;secure\u0026rdquo; connection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34073 could allow an attacker to perform man-in-the-middle attacks, intercept sensitive data, or impersonate legitimate services. The specific impact depends on the affected product and the context in which the vulnerability is exploited. Given the potential for widespread impact within Microsoft environments, this vulnerability is considered high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Microsoft\u0026rsquo;s Security Update Guide for specific product advisories and patches related to CVE-2026-34073 (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34073)\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34073)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy any available patches or workarounds as soon as they are released by Microsoft to mitigate the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect anomalous TLS certificate exchanges that may indicate exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T07:46:18Z","date_published":"2026-04-30T07:46:18Z","id":"/briefs/2024-01-cve-2026-34073/","summary":"CVE-2026-34073 is a vulnerability in unspecified Microsoft products due to incomplete DNS name constraint enforcement on peer names, potentially leading to certificate validation bypass.","title":"CVE-2026-34073: Incomplete DNS Name Constraint Enforcement Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-34073/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.3,"id":"CVE-2026-1005"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","cryptography","memory corruption","aes-gcm"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-1005 describes an integer underflow vulnerability within a Microsoft product\u0026rsquo;s implementation of AES-GCM, CCM, and ARIA-GCM decryption algorithms. This flaw allows an attacker to trigger an out-of-bounds memory access. While the specific product affected is not detailed in the provided source, the vulnerability lies within the cryptographic functions used for data decryption, indicating a potential impact on confidentiality and integrity. Successful exploitation could allow an attacker to execute arbitrary code or disclose sensitive information. Given the widespread use of these encryption algorithms, this vulnerability poses a significant risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a system utilizing the vulnerable Microsoft product and its AES-GCM/CCM/ARIA-GCM decryption implementation.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious input designed to trigger the integer underflow during the decryption process.\u003c/li\u003e\n\u003cli\u003eThe crafted input is sent to the vulnerable system for decryption. This could be via a network protocol, file processing, or other data ingestion method.\u003c/li\u003e\n\u003cli\u003eThe vulnerable decryption routine processes the input, leading to an integer underflow.\u003c/li\u003e\n\u003cli\u003eThe integer underflow results in an out-of-bounds memory access during the decryption operation.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds memory access allows the attacker to read sensitive data from memory locations outside the intended buffer.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker leverages the out-of-bounds write to overwrite critical data structures or executable code within the process\u0026rsquo;s memory space.\u003c/li\u003e\n\u003cli\u003eIf code is overwritten, the attacker gains arbitrary code execution within the context of the vulnerable process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-1005 could lead to unauthorized information disclosure, allowing attackers to steal sensitive data that was intended to be protected by encryption. In a more severe scenario, the vulnerability can be leveraged for arbitrary code execution, enabling attackers to gain control over the affected system. The lack of specific product information makes it difficult to quantify the exact number of potential victims, but the vulnerability\u0026rsquo;s presence in widely used cryptographic functions implies a broad impact across various sectors and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for unexpected memory access patterns in processes performing AES-GCM/CCM/ARIA-GCM decryption, using a host-based intrusion detection system (HIDS).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Potential Exploitation of CVE-2026-1005\u0026rdquo; to identify suspicious processes that might be exploiting the vulnerability.\u003c/li\u003e\n\u003cli\u003eApply any available patches or updates released by Microsoft to address CVE-2026-1005 as soon as they are released.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T07:46:18Z","date_published":"2026-04-30T07:46:18Z","id":"/briefs/2024-01-cve-2026-1005/","summary":"CVE-2026-1005 is an integer underflow vulnerability in a Microsoft product that leads to out-of-bounds memory access during AES-GCM/CCM/ARIA-GCM decryption processes, potentially allowing for code execution or information disclosure.","title":"CVE-2026-1005 Integer Underflow in AES-GCM/CCM/ARIA-GCM Decryption","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-1005/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender","FortiGate","komari-agent"],"_cs_severities":["high"],"_cs_tags":["komari","backdoor","nssm","github","rat","reverse shell"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Fortinet","GitHub"],"content_html":"\u003cp\u003eHuntress discovered threat actors leveraging the Komari monitoring agent as a SYSTEM-level backdoor within a partner environment. Komari, a Go-based project on GitHub with over 4,000 stars, is designed as a remote-control and monitoring tool. This incident marks a publicly documented case of Komari being abused in a real-world intrusion. The attackers compromised VPN credentials to gain initial access before deploying the Komari agent as a persistent backdoor. Komari inherently functions as a command-and-control (C2) channel, with features enabled by default. The threat actor installed Komari as a Windows service named \u0026ldquo;Windows Update Service\u0026rdquo; using NSSM, directly from the official GitHub repository, which avoided the need for attacker-controlled staging infrastructure. The initial discovery occurred on April 16, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker establishes an SSLVPN session on a FortiGate device from IP address 45.153.34[.]132, authenticating as a legitimate user, [User 1].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e After establishing the VPN connection, the attacker\u0026rsquo;s workstation, identified as VM8514, begins enumerating the internal network from the tunnel IP 10.212.134[.]200.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Using Impacket\u0026rsquo;s smbexec.py, the attacker enables Remote Desktop Protocol (RDP) on the target workstation, [REDACTED-WRKSTN].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRDP Access:\u003c/strong\u003e The attacker establishes an interactive RDP session to [REDACTED-WRKSTN].\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence - Service Creation:\u003c/strong\u003e The attacker uses the Non-Sucking Service Manager (NSSM) to install the Komari agent as a persistent Windows service named \u0026ldquo;Windows Update Service\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Download:\u003c/strong\u003e The Komari agent is downloaded from raw.githubusercontent[.]com/komari-monitor/komari-agent using a PowerShell one-liner executed directly on the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The Komari agent establishes a persistent WebSocket connection to its server, allowing the attacker to execute arbitrary commands (PowerShell/sh) and initiate interactive PTY reverse shell sessions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMaintain Access \u0026amp; Execute:\u003c/strong\u003e The attacker maintains SYSTEM-level access via the persistent Komari agent, enabling ongoing remote command execution and control over the compromised workstation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis attack demonstrates how readily available monitoring tools can be weaponized for malicious purposes. A single compromised account led to the establishment of a SYSTEM-level backdoor on a critical workstation. This could result in data exfiltration, further lateral movement within the network, and potentially ransomware deployment. Microsoft Defender quarantined an earlier registry hive dumping attempt, preventing further data compromise. The number of affected organizations is currently unknown, but any organization using the Komari agent without proper security controls is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor FortiGate logs for SSLVPN sessions originating from suspicious IP addresses (45.153.34[.]132) and unusual ASN\u0026rsquo;s (ASN 51396) to detect potentially compromised credentials.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Detect Komari Agent Installation via PowerShell\u0026rdquo; to identify installations of the Komari agent.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003enssm.exe\u003c/code\u003e installing a service named \u0026ldquo;Windows Update Service\u0026rdquo; to detect suspicious service installations.\u003c/li\u003e\n\u003cli\u003eBlock the domain raw.githubusercontent[.]com at the DNS resolver or web proxy to prevent the downloading of malicious tools and payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T00:00:00Z","date_published":"2026-04-30T00:00:00Z","id":"/briefs/2026-04-komari-red/","summary":"Threat actors are abusing the Komari monitoring agent, a project hosted on GitHub, as a SYSTEM-level backdoor following initial access through compromised VPN credentials and lateral movement via Impacket.","title":"Komari Agent Abused as SYSTEM-Level Backdoor","url":"https://feed.craftedsignal.io/briefs/2026-04-komari-red/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.3,"id":"CVE-2025-68146"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["TOCTOU","symlink","filelock","CVE-2025-68146","race condition"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2025-68146 is a security vulnerability residing within the filelock library, a widely used Python library for file locking. The vulnerability stems from a Time-of-Check Time-of-Use (TOCTOU) race condition that occurs during the creation of lock files. This weakness can be exploited by a local attacker to perform symlink attacks. By carefully manipulating the file system, an attacker can potentially redirect the lock creation process to a file location they control. This is a locally exploitable vulnerability with potential for privilege escalation and unauthorized access, but requires local access to the vulnerable system. The advisory was published on April 29, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial local access to the system.\u003c/li\u003e\n\u003cli\u003eAttacker identifies an application utilizing the vulnerable filelock library for file locking operations.\u003c/li\u003e\n\u003cli\u003eAttacker creates a symbolic link (symlink) pointing the expected lock file path to a file location under their control.\u003c/li\u003e\n\u003cli\u003eThe vulnerable application attempts to create a lock file at the expected location.\u003c/li\u003e\n\u003cli\u003eDue to the TOCTOU race condition, between the time the application checks for the existence of the lock file and the time it attempts to create it, the symlink is followed.\u003c/li\u003e\n\u003cli\u003eThe lock file is created in the attacker-controlled location instead of the intended secure location.\u003c/li\u003e\n\u003cli\u003eThe application continues execution, believing it has exclusive access, while the attacker can potentially modify or access the protected resource.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2025-68146 allows an attacker to manipulate file locking mechanisms, potentially leading to unauthorized modification or access to sensitive files. This can lead to data corruption, privilege escalation, or denial of service. The vulnerability requires local access, limiting the scope of potential attacks, but can be a critical issue in multi-user environments or systems with sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or updates provided by the vendor (Microsoft) to address CVE-2025-68146 when they become available.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring to detect unauthorized modifications to critical files and directories.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect suspicious symlink creation attempts that might indicate exploitation of this TOCTOU vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T07:50:36Z","date_published":"2026-04-29T07:50:36Z","id":"/briefs/2024-05-filelock-symlink/","summary":"CVE-2025-68146 describes a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the filelock library that could allow for symlink attacks during lock file creation, potentially leading to unauthorized file access or modification.","title":"CVE-2025-68146 filelock TOCTOU Race Condition Enables Symlink Attacks","url":"https://feed.craftedsignal.io/briefs/2024-05-filelock-symlink/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-41898"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["rust-openssl","memory-leak","tls","cve"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-41898 is a security vulnerability affecting the rust-openssl library. The vulnerability stems from a failure to properly validate the length of data returned by callbacks during Pre-Shared Key (PSK) and cookie generation processes within OpenSSL. This oversight can lead to OpenSSL inadvertently exposing adjacent memory regions to a remote network peer. While the exact scope of impact is not detailed in the initial advisory, the potential for memory leakage raises concerns about sensitive information disclosure. Defenders should closely monitor applications utilizing rust-openssl for anomalous behavior indicative of exploitation attempts. The Microsoft Security Response Center published information regarding this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA client initiates a TLS handshake with a server using rust-openssl.\u003c/li\u003e\n\u003cli\u003eThe server requests PSK or initiates a cookie exchange as part of the TLS handshake.\u003c/li\u003e\n\u003cli\u003erust-openssl triggers a callback function to generate the PSK or cookie data.\u003c/li\u003e\n\u003cli\u003eThe callback function returns data with a length that is not properly validated by rust-openssl.\u003c/li\u003e\n\u003cli\u003eDue to the unchecked length, OpenSSL reads beyond the intended buffer boundary.\u003c/li\u003e\n\u003cli\u003eOpenSSL copies the over-read memory region into the response sent to the client.\u003c/li\u003e\n\u003cli\u003eThe client receives the response containing the leaked memory.\u003c/li\u003e\n\u003cli\u003eThe client can then analyze the leaked memory for sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41898 can lead to the leakage of sensitive information from the server\u0026rsquo;s memory. This information could include cryptographic keys, session data, or other confidential data. The extent of the leak depends on the amount of memory that is read beyond the intended buffer. The vulnerability could affect any application or service that uses rust-openssl for TLS communication and relies on PSK or cookie generation. The number of potential victims is currently unknown, but it would depend on the adoption rate of rust-openssl in security-sensitive applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for unusually large TLS handshake responses, which may indicate an attempt to trigger the memory leak.\u003c/li\u003e\n\u003cli\u003eImplement robust input validation for callback functions used in PSK and cookie generation within rust-openssl.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided to detect potential exploitation attempts based on anomalous network connection patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T07:33:41Z","date_published":"2026-04-29T07:33:41Z","id":"/briefs/2026-04-rust-openssl-leak/","summary":"CVE-2026-41898 describes a vulnerability in rust-openssl where unchecked callback-returned length in PSK and cookie generation can cause OpenSSL to leak adjacent memory to a network peer.","title":"rust-openssl Memory Leak via Unchecked Callback Length (CVE-2026-41898)","url":"https://feed.craftedsignal.io/briefs/2026-04-rust-openssl-leak/"},{"_cs_actors":["UNC6692"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Teams","Chromium"],"_cs_severities":["high"],"_cs_tags":["social-engineering","malware","cloud-abuse","credential-theft","lateral-movement"],"_cs_type":"threat","_cs_vendors":["Microsoft","Google","Amazon"],"content_html":"\u003cp\u003eUNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target\u0026rsquo;s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group\u0026rsquo;s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. The initial campaign was observed in late December.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker floods a target\u0026rsquo;s email inbox to create a sense of urgency.\u003c/li\u003e\n\u003cli\u003eThe attacker contacts the target via Microsoft Teams, impersonating help desk personnel.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.\u003c/li\u003e\n\u003cli\u003eThe target clicks the link, which downloads a renamed AutoHotKey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.\u003c/li\u003e\n\u003cli\u003eExecution of the AutoHotKey binary automatically runs the script, initiating reconnaissance commands and installing the SNOWBELT malicious Chromium browser extension.\u003c/li\u003e\n\u003cli\u003eSNOWBELT facilitates the download of additional tools, including the Snowglaze Python tunneler, the Snowbasin Python bindshell (used as a persistent backdoor), additional AutoHotkey scripts, and a portable Python executable with required libraries.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a local administrator account to initiate an RDP session via Snowglaze from the compromised system to a backup server, then dumps LSASS process memory and uses pass-the-hash to move laterally to the domain controller.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activities, such as ransomware attacks or sale on the dark web.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for AutoHotKey execution, especially when associated with downloads from unusual locations like AWS S3 buckets, to detect initial payload execution (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T14:00:00Z","date_published":"2026-04-28T14:00:00Z","id":"/briefs/2026-04-unc6692-social-engineering/","summary":"UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.","title":"UNC6692 Combines Social Engineering, Malware, and Cloud Abuse","url":"https://feed.craftedsignal.io/briefs/2026-04-unc6692-social-engineering/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31622"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["nfc","bounds-check-failure","cve-2026-31622"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31622 involves a failure to perform adequate bounds checking of the NFC-A cascade depth in the SDD response handler. This vulnerability within Microsoft\u0026rsquo;s NFC component could be exploited by a specially crafted NFC transmission that provides an unexpected cascade depth value, potentially leading to a denial-of-service condition or other unspecified impact. Due to the nature of NFC vulnerabilities, an attacker needs to be in close physical proximity to the targeted device. The vulnerability was reported publicly and assigned a CVE in April 2026. Defenders should prioritize applying relevant patches from Microsoft to mitigate potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker positions themselves within NFC communication range of the target device.\u003c/li\u003e\n\u003cli\u003eAttacker initiates an NFC communication session with the target device.\u003c/li\u003e\n\u003cli\u003eAttacker sends an NFC-A SDD (Single Device Detection) request.\u003c/li\u003e\n\u003cli\u003eThe target device\u0026rsquo;s NFC controller begins processing the SDD request.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious SDD response with an invalid cascade depth.\u003c/li\u003e\n\u003cli\u003eThe NFC controller fails to properly validate the cascade depth value.\u003c/li\u003e\n\u003cli\u003eThe improper cascade depth value leads to a buffer overflow or out-of-bounds read.\u003c/li\u003e\n\u003cli\u003eThe vulnerability is triggered, potentially resulting in a denial-of-service or other unspecified impact.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31622 could lead to a denial-of-service condition on the targeted device. While the specific consequences are not detailed, this type of vulnerability could potentially be leveraged for more severe impacts. Given the proximity requirement for NFC attacks, the risk is somewhat mitigated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor systems for unexpected NFC activity, focusing on devices that frequently interact with NFC transmissions.\u003c/li\u003e\n\u003cli\u003eApply the security update released by Microsoft to patch CVE-2026-31622 once available.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential exploits originating from compromised devices utilizing NFC.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to detect potential exploitation attempts related to unusual NFC activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T07:28:13Z","date_published":"2026-04-26T07:28:13Z","id":"/briefs/2024-05-nfc-bounds-check-failure/","summary":"CVE-2026-31622 describes a vulnerability related to an NFC bounds check issue, specifically a failure to properly validate NFC-A cascade depth in the SDD response handler within Microsoft products, potentially leading to unexpected behavior or security compromise.","title":"CVE-2026-31622 NFC-A Cascade Depth Bounds Check Failure","url":"https://feed.craftedsignal.io/briefs/2024-05-nfc-bounds-check-failure/"},{"_cs_actors":[],"_cs_cves":[{"cvss":5.5,"id":"CVE-2026-23398"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["icmp","denial-of-service","vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-23398 describes a NULL pointer dereference vulnerability within the \u003ccode\u003eicmp_tag_validation()\u003c/code\u003e function related to the ICMP protocol. This vulnerability, disclosed by the Microsoft Security Response Center, could be exploited by a remote attacker to trigger a denial-of-service condition on a vulnerable system. The exact mechanism involves sending crafted ICMP packets that lead to the dereferencing of a NULL pointer, causing the system to crash or become unresponsive. While specific exploitation details are not available in the provided source, the nature of the vulnerability suggests that systems processing ICMP traffic are potentially at risk. Defenders should prioritize patching systems to prevent exploitation and implement network monitoring to detect potentially malicious ICMP traffic.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious ICMP packet specifically designed to trigger the NULL pointer dereference in \u003ccode\u003eicmp_tag_validation()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted ICMP packet to the target system.\u003c/li\u003e\n\u003cli\u003eThe target system\u0026rsquo;s network stack receives the ICMP packet and processes it.\u003c/li\u003e\n\u003cli\u003eDuring ICMP packet processing, the \u003ccode\u003eicmp_tag_validation()\u003c/code\u003e function is called to validate specific fields within the packet.\u003c/li\u003e\n\u003cli\u003eThe crafted ICMP packet causes \u003ccode\u003eicmp_tag_validation()\u003c/code\u003e to attempt to dereference a NULL pointer.\u003c/li\u003e\n\u003cli\u003eThe NULL pointer dereference causes the affected system to crash, resulting in a denial-of-service.\u003c/li\u003e\n\u003cli\u003eThe system becomes unresponsive, impacting availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-23398 can lead to a denial-of-service condition on the targeted system. This means the system becomes unavailable to legitimate users, potentially disrupting services and network operations. The extent of the impact depends on the role of the affected system within the network. Critical infrastructure servers or network devices are most likely to be targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch released by Microsoft to remediate CVE-2026-23398 to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious ICMP packets that could be indicative of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious ICMP Traffic\u003c/code\u003e to identify potentially malicious ICMP packets based on size and frequency.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-26T07:14:39Z","date_published":"2026-04-26T07:14:39Z","id":"/briefs/2024-01-cve-2026-23398/","summary":"CVE-2026-23398 is a vulnerability related to a NULL pointer dereference in the ICMP protocol, potentially leading to a denial-of-service condition in affected Microsoft products.","title":"CVE-2026-23398 ICMP NULL Pointer Dereference","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-23398/"},{"_cs_actors":[],"_cs_cves":[{"cvss":2.9,"id":"CVE-2026-41080"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["CVE-2026-41080","vulnerability","microsoft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-41080, has been reported in a Microsoft product. At this time, detailed information regarding the specific product affected, the nature of the vulnerability, and potential exploitation methods remains undisclosed. The lack of specifics makes it difficult to assess the immediate risk and develop targeted defenses, but the identification of a CVE by Microsoft warrants monitoring for further updates and potential exploitation attempts. Defenders should prepare for the release of more detailed information and corresponding patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Due to the lack of information, the initial access vector is unknown. This could potentially range from remote code execution vulnerabilities to privilege escalation flaws.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation:\u003c/strong\u003e The specific method of exploiting CVE-2026-41080 is unknown. It could involve sending a specially crafted request or file to the affected product.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (If Applicable):\u003c/strong\u003e Depending on the vulnerability type, attackers might attempt to escalate privileges to gain higher-level access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion (If Applicable):\u003c/strong\u003e Attackers may attempt to evade detection by disabling security features or masking their activities.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (If Applicable):\u003c/strong\u003e If the initial exploitation leads to a foothold on the network, attackers might move laterally to compromise other systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control (If Applicable):\u003c/strong\u003e Attackers may establish command and control channels to remotely control compromised systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The final impact is currently unknown but could range from data theft to system compromise and denial of service, depending on the nature of the vulnerability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe potential impact of CVE-2026-41080 is currently undetermined due to the limited information available. Successful exploitation could lead to a range of outcomes, including unauthorized access, data breaches, or denial of service. Organizations should monitor for updates and apply patches as soon as they become available to mitigate potential risks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41080\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41080\u003c/a\u003e) for updated information and patch releases related to CVE-2026-41080.\u003c/li\u003e\n\u003cli\u003eImplement a proactive patch management strategy to rapidly deploy security updates once they are released for the affected Microsoft product.\u003c/li\u003e\n\u003cli\u003eEnable and review relevant logging sources (process creation, network connection, file events) to detect potential exploitation attempts related to this vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy generic detection rules (see examples below) and tune them to your environment to identify suspicious activity that could be related to exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-25T07:25:03Z","date_published":"2026-04-25T07:25:03Z","id":"/briefs/2024-01-cve-2026-41080/","summary":"CVE-2026-41080 is a vulnerability affecting a Microsoft product; the specific product, impact, and exploitation details are currently undisclosed.","title":"Microsoft Product Vulnerability CVE-2026-41080","url":"https://feed.craftedsignal.io/briefs/2024-01-cve-2026-41080/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["high"],"_cs_tags":["oauth","device-code","phishing","initial-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eIn early April 2026, Arctic Wolf observed a widespread phishing campaign that abused the OAuth device code flow. This campaign targeted organizations across multiple regions and sectors, mirroring the \u0026ldquo;Riding the Rails\u0026rdquo; campaign observed by Huntress in late March. The attackers exploited the device code grant type in the OAuth 2.0 authorization framework to obtain access tokens. By tricking users into entering a code on a legitimate Microsoft login page, attackers bypassed traditional MFA controls. Defenders should be aware of this evolving technique and implement detection strategies focused on anomalous application registrations and device code flow activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a phishing email to the victim, impersonating a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe email contains a link that redirects the victim to a fake application authorization page.\u003c/li\u003e\n\u003cli\u003eThe fake page prompts the victim to enter a device code.\u003c/li\u003e\n\u003cli\u003eUnbeknownst to the victim, the device code is associated with a malicious OAuth application controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe victim is redirected to a legitimate Microsoft login page, where they enter the provided code and authenticate.\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the malicious application receives an access token.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the access token to access the victim\u0026rsquo;s account and sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may then perform actions such as reading emails, accessing files, or initiating further malicious activity within the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis OAuth device code phishing campaign affected numerous organizations across multiple sectors and regions in early April 2026. Successful attacks grant threat actors unauthorized access to user accounts, potentially leading to data exfiltration, financial fraud, and further compromise of internal systems. Due to the nature of OAuth, attackers can maintain persistent access even after password changes, posing a significant long-term risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Azure AD sign-in logs for device code flow usage to identify suspicious authentications (logsource: azuread, category: authentication).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect suspicious application registrations in Azure AD (logsource: o365, category: configuration).\u003c/li\u003e\n\u003cli\u003eEducate users on the risks of device code phishing and how to identify malicious authorization requests.\u003c/li\u003e\n\u003cli\u003eRegularly audit OAuth applications authorized within your environment and revoke access for any suspicious or unused applications.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to anomalous OAuth application activity promptly.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T19:52:35Z","date_published":"2026-04-24T19:52:35Z","id":"/briefs/2026-05-oauth-device-code-phishing/","summary":"In early April 2026, Arctic Wolf tracked a large-scale device code phishing campaign across multiple regions and sectors where threat actors abused OAuth device code flow to trick victims into providing authentication codes.","title":"Large-Scale OAuth Device Code Phishing Campaign Observed in April 2026","url":"https://feed.craftedsignal.io/briefs/2026-05-oauth-device-code-phishing/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-39361"},{"cvss":8.5,"id":"CVE-2026-39974"},{"cvss":7.8,"id":"CVE-2026-32168"},{"cvss":8.8,"id":"CVE-2026-32171"},{"cvss":7.8,"id":"CVE-2026-32192"}],"_cs_exploited":false,"_cs_products":["Azure","Microsoft 365 Copilot","Dynamics 365","Power Apps"],"_cs_severities":["high"],"_cs_tags":["cloud","privilege-escalation","code-execution","spoofing"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMultiple vulnerabilities have been reported affecting Microsoft Azure, Microsoft 365 Copilot, Microsoft Dynamics 365, and Microsoft Power Apps. Successful exploitation of these vulnerabilities could enable attackers to perform a variety of malicious actions, including escalating their privileges within the affected systems, executing arbitrary code to gain further control, and conducting spoofing attacks to deceive users or bypass security measures. The full details regarding specific vulnerability types and exploitation methods are currently unavailable, but the breadth of affected products indicates a potentially widespread impact across cloud-based Microsoft services. Defenders should prioritize monitoring for suspicious activity indicative of exploitation attempts targeting these services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eSince the advisory lacks specifics, we will describe a generalized attack chain based on the potential vulnerabilities:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to a target environment, possibly through compromised credentials or a separate vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker exploits a vulnerability within one of the Microsoft cloud products (Azure, Microsoft 365 Copilot, Dynamics 365, or Power Apps) to elevate their privileges to a higher level, potentially gaining administrative rights.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection:\u003c/strong\u003e Leveraging the escalated privileges, the attacker injects malicious code into a vulnerable component of the cloud service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e The injected code is executed, allowing the attacker to perform arbitrary actions within the context of the compromised service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker uses the compromised service as a pivot point to move laterally within the cloud environment, targeting other resources and services.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Manipulation:\u003c/strong\u003e Once established within the environment, the attacker exfiltrates sensitive data or manipulates data for malicious purposes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSpoofing Attacks:\u003c/strong\u003e The attacker leverages the compromised environment to launch spoofing attacks, potentially targeting other users or systems with phishing emails or other deceptive tactics.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence within the cloud environment to maintain access even after the initial vulnerability is patched.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could have significant consequences, including unauthorized access to sensitive data, disruption of critical business processes, and financial losses. The number of potential victims is substantial, given the widespread use of Microsoft cloud services across various sectors. A successful attack could result in data breaches, service outages, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor logs from Microsoft Azure, Microsoft 365 Copilot, Microsoft Dynamics 365, and Microsoft Power Apps for suspicious activity indicative of privilege escalation, code execution, and spoofing attacks.\u003c/li\u003e\n\u003cli\u003eEnable and review audit logs within the affected Microsoft cloud services to identify anomalous user behavior and potential security breaches.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them for your specific environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eFollow Microsoft\u0026rsquo;s official security advisories and apply any available patches or mitigations as soon as they are released.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T09:09:09Z","date_published":"2026-04-24T09:09:09Z","id":"/briefs/2026-04-microsoft-cloud-vulns/","summary":"Multiple vulnerabilities in Microsoft Azure, Microsoft 365 Copilot, Microsoft Dynamics 365, and Microsoft Power Apps could allow an attacker to escalate privileges, execute arbitrary code, and conduct spoofing attacks.","title":"Multiple Vulnerabilities in Microsoft Cloud Products Allow Privilege Escalation and Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-microsoft-cloud-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","rpc","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eKaspersky researchers discovered a critical vulnerability in the Windows Remote Procedure Call (RPC) architecture, dubbed PhantomRPC, that enables local privilege escalation. The flaw allows an attacker to create a rogue RPC server and, by exploiting existing processes with impersonation privileges (such as those running as Local Service or Network Service), elevate their own permissions to SYSTEM. The vulnerability resides in the architectural design of RPC itself, making it potentially exploitable across all Windows versions. The researcher has demonstrated five different exploitation paths escalating privileges from various local or network service contexts. This issue has been disclosed to Microsoft, but a patch has not yet been released. Due to the fundamental nature of the vulnerability, the number of potential attack vectors is effectively unlimited.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system with low privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a service running with \u003ccode\u003eSeImpersonatePrivilege\u003c/code\u003e, such as Local Service or Network Service.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious RPC server application designed to exploit the PhantomRPC vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a connection from the target service (e.g., Group Policy Client service) to the attacker\u0026rsquo;s malicious RPC server via ALPC.\u003c/li\u003e\n\u003cli\u003eThe malicious RPC server uses \u003ccode\u003eRpcImpersonateClient\u003c/code\u003e API to impersonate the SYSTEM account.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious RPC server executes code within the security context of the SYSTEM account.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to perform arbitrary actions, such as installing malware, creating new accounts, or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of PhantomRPC allows a low-privileged attacker to gain complete control over the affected system by escalating privileges to SYSTEM. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The vulnerability affects all Windows versions and given the number of potential attack vectors, it poses a significant risk to a large number of systems. While the exact number of potential victims remains unknown, the widespread use of RPC in Windows makes this a highly critical issue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for the creation of suspicious ALPC ports, especially those targeting services with \u003ccode\u003eSeImpersonatePrivilege\u003c/code\u003e. Use the Sigma rule \u003ccode\u003eDetect Suspicious ALPC Port Creation\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor for processes calling the \u003ccode\u003eRpcImpersonateClient\u003c/code\u003e API, especially those originating from unusual or untrusted processes. Use the Sigma rule \u003ccode\u003eDetect RpcImpersonateClient API Call from Unusual Process\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eRestrict access to services with \u003ccode\u003eSeImpersonatePrivilege\u003c/code\u003e where possible, limiting the potential attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-24T08:00:12Z","date_published":"2026-04-24T08:00:12Z","id":"/briefs/2026-04-phantom-rpc-privesc/","summary":"A vulnerability in Windows RPC architecture allows an attacker to create a fake RPC server and escalate their privileges to SYSTEM level, leveraging processes with impersonation privileges.","title":"PhantomRPC: Windows RPC Privilege Escalation Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-phantom-rpc-privesc/"},{"_cs_actors":["Trigona"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","AnyDesk","Mimikatz","PowerRun"],"_cs_severities":["high"],"_cs_tags":["trigona","ransomware","data exfiltration","custom tool"],"_cs_type":"threat","_cs_vendors":["Microsoft","Nirsoft","AnyDesk"],"content_html":"\u003cp\u003eTrigona ransomware, initially launched in October 2022, has been observed using a custom command-line tool named \u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate data from compromised environments. This shift, observed in March 2026, suggests an effort to avoid detection by security solutions that commonly flag publicly available tools like Rclone and MegaSync. Symantec researchers believe this indicates a strategic investment in proprietary malware to maintain a lower profile during critical phases of attacks. The custom tool supports five simultaneous connections per file for faster data exfiltration via parallel uploads, rotates TCP connections after 2GB of traffic to evade monitoring, offers options for selective file type exfiltration, and utilizes an authentication key to restrict access to stolen data. Despite disruptions in October 2023, Trigona has resumed operations, incorporating additional techniques like installing the Huorong Network Security Suite tool HRSword and disabling security products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eInstallation of the Huorong Network Security Suite tool HRSword as a kernel driver service.\u003c/li\u003e\n\u003cli\u003eDeployment of tools such as PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd to disable security-related products by leveraging vulnerable kernel drivers to terminate endpoint protection processes.\u003c/li\u003e\n\u003cli\u003eExecution of utilities with PowerRun to launch apps, executables, and scripts with elevated privileges, bypassing user-mode protections.\u003c/li\u003e\n\u003cli\u003eDeployment of AnyDesk for direct remote access to the breached systems.\u003c/li\u003e\n\u003cli\u003eExecution of Mimikatz and Nirsoft utilities for credential theft and password recovery operations.\u003c/li\u003e\n\u003cli\u003eUse of the custom \u0026ldquo;uploader_client.exe\u0026rdquo; to exfiltrate valuable documents such as invoices and PDFs from network drives via parallel uploads, rotating TCP connections to evade monitoring, and using an authentication key to restrict data access.\u003c/li\u003e\n\u003cli\u003eFinal stage involving the deployment of Trigona ransomware, demanding ransom payment in Monero cryptocurrency.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Trigona ransomware attacks result in significant data theft and encryption, disrupting business operations and causing financial losses. The group has demonstrated the capability to resume operations even after suffering disruptions, indicating a persistent threat. Observed data exfiltration has included high-value documents such as invoices and PDFs, demonstrating a targeted approach to data theft. Victims face potential regulatory penalties, reputational damage, and recovery costs associated with restoring systems and data. The number of victims and specific financial impact varies per campaign, but the potential for severe disruption and financial strain is consistent.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u0026ldquo;uploader_client.exe\u0026rdquo; with command-line arguments indicative of data exfiltration (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect connections to unusual or hardcoded server addresses used by the \u0026ldquo;uploader_client.exe\u0026rdquo; exfiltration tool (see IOC table).\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection rules to identify the installation of Huorong Network Security Suite (HRSword) as a kernel driver service and tools like PCHunter, Gmer, YDark, WKTools, DumpGuard, and StpProcessMonitorByovd.\u003c/li\u003e\n\u003cli\u003eMonitor for processes launched via PowerRun, especially if followed by credential dumping or remote access tool execution.\u003c/li\u003e\n\u003cli\u003eReview AnyDesk usage for unusual connections or after-hours access, as this tool is used for remote access.\u003c/li\u003e\n\u003cli\u003eEnable robust logging for credential access attempts and password recovery activity associated with Mimikatz and Nirsoft tools.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T19:02:17Z","date_published":"2026-04-23T19:02:17Z","id":"/briefs/2026-05-trigona-custom-exfil/","summary":"Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.","title":"Trigona Ransomware Employing Custom Data Exfiltration Tool","url":"https://feed.craftedsignal.io/briefs/2026-05-trigona-custom-exfil/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4.9,"id":"CVE-2026-22005"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["CVE-2026-22005","vulnerability","microsoft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn April 23, 2026, Microsoft published a security advisory for CVE-2026-22005. The advisory indicates a vulnerability exists within a Microsoft product; however, the initial information released provides minimal details. The Microsoft Security Response Center (MSRC) update guide confirms the existence of the CVE but lacks specifics regarding the affected product, the nature of the vulnerability (e.g., remote code execution, denial of service), the attack vector, and potential mitigations. Further investigation is required to understand the scope and severity of this vulnerability. Defenders should monitor for updates from Microsoft and analyze their environment for potentially affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information available, a specific attack chain cannot be constructed. However, a general attack chain based on typical software vulnerabilities can be inferred and should be refined as more information becomes available:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e Attacker identifies a system running the vulnerable Microsoft product. (Specific method unknown pending vulnerability details)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation:\u003c/strong\u003e The attacker exploits CVE-2026-22005 by sending a specially crafted request or input to the vulnerable service. (Specific exploit details unknown)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Execution:\u003c/strong\u003e Successful exploitation leads to the execution of attacker-controlled code on the target system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker attempts to escalate privileges to gain higher-level access to the system. (Techniques vary depending on the vulnerability and system configuration)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally to other systems within the network, compromising additional assets. (Using techniques like pass-the-hash or exploiting other vulnerabilities)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms to maintain access to the compromised systems. (e.g., creating new user accounts, installing backdoors, or modifying system startup scripts)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Ransomware Deployment:\u003c/strong\u003e Depending on the attacker\u0026rsquo;s objectives, they may exfiltrate sensitive data or deploy ransomware to encrypt the system and demand a ransom payment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-22005 is currently unknown due to the lack of details provided by Microsoft. Depending on the affected product and the nature of the vulnerability, successful exploitation could lead to remote code execution, denial of service, information disclosure, or other adverse effects. The potential number of victims and affected sectors will depend on the prevalence of the vulnerable product within organizations. A successful attack could result in significant data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center (MSRC) page for updates regarding CVE-2026-22005 and any associated KB articles.\u003c/li\u003e\n\u003cli\u003eOnce the affected product is identified, prioritize patching based on the severity of the vulnerability and the criticality of the affected systems.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit the potential impact of a successful exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the generic process creation Sigma rule below to detect suspicious processes spawned by unusual parent processes, indicative of potential exploitation activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T08:03:14Z","date_published":"2026-04-23T08:03:14Z","id":"/briefs/2026-04-cve-2026-22005/","summary":"CVE-2026-22005 is a newly published vulnerability affecting a Microsoft product, requiring further investigation to determine the specific product, attack vector, and potential impact.","title":"Microsoft Product Vulnerability CVE-2026-22005","url":"https://feed.craftedsignal.io/briefs/2026-04-cve-2026-22005/"},{"_cs_actors":[],"_cs_cves":[{"cvss":4.9,"id":"CVE-2026-22004"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["cve-2026-22004","vulnerability","microsoft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn April 23, 2026, Microsoft published an advisory regarding CVE-2026-22004.\nHowever, the advisory lacks specific details about the nature of the vulnerability, its potential impact, or affected products.\nWithout further information, it is challenging to determine the scope and severity of this vulnerability.\nDefenders should monitor Microsoft\u0026rsquo;s update guide and other security resources for additional details.\nThis brief serves as an initial notification to track and prepare for further information on CVE-2026-22004.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the lack of information about CVE-2026-22004, it is impossible to provide a detailed attack chain at this time. As a placeholder:\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003eExecution: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003ePersistence: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003eCredential Access: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003eDiscovery: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003eCollection: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003eCommand and Control: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003eExfiltration: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003cli\u003eImpact: Unknown, awaiting details from Microsoft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe impact of CVE-2026-22004 is currently unknown.\nWithout specific details about the vulnerability, it is impossible to assess potential damage, affected sectors, or the consequences of successful exploitation.\nOrganizations should monitor for updates and prepare to assess their exposure once more information is available.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-22004\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-22004\u003c/a\u003e) for updated information on CVE-2026-22004.\u003c/li\u003e\n\u003cli\u003eDeploy the generic placeholder Sigma rule to detect unusual process execution and network connections in your environment, and tune for your environment.\u003c/li\u003e\n\u003cli\u003eWhen Microsoft releases more information, analyze the details and deploy relevant detection rules and IOCs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:54:45Z","date_published":"2026-04-23T07:54:45Z","id":"/briefs/2024-05-cve-2026-22004/","summary":"Microsoft has released information regarding the vulnerability CVE-2026-22004, but details about the vulnerability and its exploitation are currently unavailable.","title":"Microsoft Discloses Information Regarding CVE-2026-22004","url":"https://feed.craftedsignal.io/briefs/2024-05-cve-2026-22004/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["cve","vulnerability","microsoft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn April 23, 2026, Microsoft released a security advisory indicating the existence of CVE-2026-35236.\nAt the time of the advisory, no details were provided regarding the nature of the vulnerability,\naffected products, potential impact, or mitigation strategies. This lack of information makes it\ndifficult to assess the immediate risk, but the existence of a CVE ID suggests the potential for\nfuture exploitation. Defenders should monitor for updates from Microsoft regarding CVE-2026-35236\nand prepare to implement patches or mitigations as they become available. The absence of specific\ninformation at this stage necessitates a proactive monitoring approach to detect any potential exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Disclosure:\u003c/strong\u003e Microsoft publishes the CVE ID CVE-2026-35236 without any details.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInformation Gathering (Attacker):\u003c/strong\u003e Attackers monitor Microsoft\u0026rsquo;s channels and other sources for further information on CVE-2026-35236.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Analysis (Attacker):\u003c/strong\u003e Once details are released (hypothetically), attackers analyze the vulnerability to develop an exploit.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploit Development (Attacker):\u003c/strong\u003e An exploit is created, potentially leveraging publicly available tools or custom-developed code.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget Selection (Attacker):\u003c/strong\u003e Attackers identify vulnerable systems based on the (currently unknown) affected product.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation Attempt (Attacker):\u003c/strong\u003e The exploit is deployed against the target system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (Attacker):\u003c/strong\u003e (Hypothetical) If the initial exploit doesn\u0026rsquo;t provide sufficient privileges, further steps are taken to escalate privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Attacker):\u003c/strong\u003e (Hypothetical) Depending on the vulnerability, the impact could range from remote code execution to denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe current impact is unknown due to the lack of information about the vulnerability associated with CVE-2026-35236.\nIf the vulnerability is severe and widely exploitable, successful attacks could lead to data breaches, system compromise,\nor denial of service. The number of potential victims and affected sectors will depend on the affected product and its deployment scope.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eContinuously monitor the Microsoft Security Response Center for updates regarding CVE-2026-35236 (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35236)\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35236)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eOnce Microsoft releases details on CVE-2026-35236, prioritize patching or implementing recommended mitigations.\u003c/li\u003e\n\u003cli\u003eDeploy generic detection rules to identify exploitation attempts based on unusual network activity or suspicious process creation.\u003c/li\u003e\n\u003cli\u003eReview existing security controls and ensure they are up-to-date to protect against potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:47:28Z","date_published":"2026-04-23T07:47:28Z","id":"/briefs/2024-05-cve-2026-35236-info-published/","summary":"Microsoft has published information regarding CVE-2026-35236, but no details about the vulnerability or its exploitation are currently available.","title":"Microsoft CVE-2026-35236 Information Published","url":"https://feed.craftedsignal.io/briefs/2024-05-cve-2026-35236-info-published/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31478"}],"_cs_exploited":false,"_cs_products":["ksmbd"],"_cs_severities":["high"],"_cs_tags":["cve","ksmbd","smb","memory-corruption"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCVE-2026-31478 is a security vulnerability within Microsoft\u0026rsquo;s ksmbd, a kernel-based SMB server. The vulnerability arises from an error in the \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function where a hardcoded value for \u003ccode\u003ehdr2_len\u003c/code\u003e is used instead of calculating it dynamically using \u003ccode\u003eoffsetof()\u003c/code\u003e. While specific exploitation details are not provided in the source, the incorrect buffer calculation could lead to memory corruption or other unexpected behavior, potentially allowing a remote attacker to cause a denial-of-service condition or, in a more severe scenario, execute arbitrary code on the affected system. The vulnerability was disclosed on 2026-04-23 as part of a Microsoft Security Update.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eDue to the limited information available, the following attack chain is based on the potential exploitation of a memory corruption vulnerability resulting from an incorrect buffer length calculation.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable ksmbd server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SMBv2 request specifically designed to trigger the flawed \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eWhen the \u003ccode\u003esmb2_calc_max_out_buf_len()\u003c/code\u003e function is called to calculate the maximum output buffer length for the response to the malicious request, it uses an incorrect value for \u003ccode\u003ehdr2_len\u003c/code\u003e due to the hardcoded value.\u003c/li\u003e\n\u003cli\u003eThis incorrect calculation leads to the allocation of an undersized buffer.\u003c/li\u003e\n\u003cli\u003eThe server attempts to write data exceeding the allocated buffer size into the undersized buffer.\u003c/li\u003e\n\u003cli\u003eThis buffer overflow corrupts adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eDepending on the corrupted data, the server may crash (denial-of-service), or the attacker may gain control of execution flow (remote code execution).\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary code on the server, potentially leading to data exfiltration, system compromise, or further lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31478 can lead to a denial-of-service condition, disrupting file sharing services provided by the ksmbd server. In a more severe scenario, an attacker could achieve remote code execution, allowing them to gain control of the affected system. This could lead to data breaches, system compromise, and further propagation of malicious activity within the network. The impact will vary depending on the privileges of the ksmbd service account and the data stored on the affected system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-31478 on all systems running vulnerable versions of ksmbd (Microsoft Security Update Guide).\u003c/li\u003e\n\u003cli\u003eEnable SMB auditing to detect suspicious SMB activity, which could be indicative of exploitation attempts (Windows event logs).\u003c/li\u003e\n\u003cli\u003eDeploy network intrusion detection systems (IDS) to monitor SMB traffic for anomalous patterns associated with exploit attempts (Network traffic).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:33:28Z","date_published":"2026-04-23T07:33:28Z","id":"/briefs/2024-01-ksmbd-cve-2026-31478/","summary":"CVE-2026-31478 is a vulnerability in Microsoft's ksmbd implementation related to incorrect calculation of maximum output buffer length, potentially leading to a denial-of-service or remote code execution.","title":"CVE-2026-31478 Vulnerability in Microsoft ksmbd","url":"https://feed.craftedsignal.io/briefs/2024-01-ksmbd-cve-2026-31478/"},{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-34303"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vulnerability","cve","microsoft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAt this time, only a placeholder entry for CVE-2026-34303 exists in the Microsoft Security Response Center update guide. The entry indicates a vulnerability exists within a Microsoft product, but specifics regarding the affected product, the nature of the vulnerability, and potential impact are not yet available. Defenders should monitor the MSRC page for CVE-2026-34303 for updates. As Microsoft releases further information, this brief will be updated with specific details.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eBecause the vulnerability details are not yet public, a detailed attack chain cannot be constructed. Placeholder steps are included below for demonstration purposes and will need to be updated when more information is available from Microsoft.\u003c/p\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an unspecified vector.\u003c/li\u003e\n\u003cli\u003eExploitation of CVE-2026-34303 occurs, leading to arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eLateral movement is initiated to other systems within the network.\u003c/li\u003e\n\u003cli\u003eCredential access techniques are employed to gain further privileges.\u003c/li\u003e\n\u003cli\u003eInternal reconnaissance is conducted to identify valuable data.\u003c/li\u003e\n\u003cli\u003eData exfiltration commences, transferring sensitive information to an external server.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to cover their tracks by deleting logs and other evidence of their presence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe potential impact of CVE-2026-34303 is currently unknown. Depending on the affected product and the nature of the vulnerability, successful exploitation could lead to arbitrary code execution, denial of service, information disclosure, or other adverse outcomes. The severity and scope of the impact will become clearer once Microsoft releases additional details about the vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor the Microsoft Security Response Center page for CVE-2026-34303 and subscribe to updates.\u003c/li\u003e\n\u003cli\u003eWhen details of CVE-2026-34303 become available, identify affected systems within your environment.\u003c/li\u003e\n\u003cli\u003eDevelop and deploy detections based on observed exploit activity, referring to updated threat intelligence.\u003c/li\u003e\n\u003cli\u003eApply the patch released by Microsoft as soon as it becomes available to remediate CVE-2026-34303.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:27:47Z","date_published":"2026-04-23T07:27:47Z","id":"/briefs/2026-04-msrc-placeholder/","summary":"CVE-2026-34303 is a vulnerability affecting an unspecified Microsoft product, requiring further investigation upon disclosure of details.","title":"CVE-2026-34303 Affecting Microsoft Products","url":"https://feed.craftedsignal.io/briefs/2026-04-msrc-placeholder/"},{"_cs_actors":[],"_cs_cves":[{"id":"CVE-2026-31507"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-31507","double-free","memory corruption","denial of service"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eOn April 23, 2026, Microsoft published a security update guide addressing CVE-2026-31507, a double-free vulnerability residing in the net/smc (Sockets Multiplexing Controller) module of the Linux kernel. The vulnerability stems from a flaw in how the \u003ccode\u003etee()\u003c/code\u003e function handles the duplication of splice pipe buffers. Specifically, when \u003ccode\u003etee()\u003c/code\u003e duplicates a splice pipe buffer associated with the \u003ccode\u003esmc_spd_priv\u003c/code\u003e structure, it can lead to a double-free condition. This flaw could allow a local attacker to trigger memory corruption or a denial-of-service condition. While specific exploitation details are currently lacking, the nature of double-free vulnerabilities makes them a critical concern for system stability and security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA local attacker gains access to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious program that interacts with the net/smc module.\u003c/li\u003e\n\u003cli\u003eThe program triggers the \u003ccode\u003etee()\u003c/code\u003e function to duplicate a splice pipe buffer related to \u003ccode\u003esmc_spd_priv\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the same memory region associated with \u003ccode\u003esmc_spd_priv\u003c/code\u003e is freed twice.\u003c/li\u003e\n\u003cli\u003eThe double-free corrupts the heap metadata.\u003c/li\u003e\n\u003cli\u003eSubsequent memory allocations may lead to arbitrary code execution or denial-of-service.\u003c/li\u003e\n\u003cli\u003eThe attacker could leverage the memory corruption to escalate privileges.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation results in system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-31507 can lead to memory corruption, potentially enabling arbitrary code execution and privilege escalation. A more likely outcome is a denial-of-service condition, where the system becomes unstable or crashes due to heap corruption. The vulnerability affects systems utilizing the affected net/smc module. While the number of potential victims is unknown, the wide deployment of the Linux kernel makes this a significant concern.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch provided by Microsoft that addresses CVE-2026-31507 to mitigate the double-free vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual \u003ccode\u003etee()\u003c/code\u003e function calls within the \u003ccode\u003enet/smc\u003c/code\u003e module using a process creation rule with relevant command-line arguments and process ancestry.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T07:27:47Z","date_published":"2026-04-23T07:27:47Z","id":"/briefs/2024-05-cve-2026-31507/","summary":"CVE-2026-31507 is a double-free vulnerability in the net/smc module that occurs when the tee() function duplicates a splice pipe buffer, potentially leading to memory corruption and denial of service.","title":"CVE-2026-31507 Double-Free Vulnerability in net/smc","url":"https://feed.craftedsignal.io/briefs/2024-05-cve-2026-31507/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Entra ID"],"_cs_severities":["high"],"_cs_tags":["azure","entra_id","credential_access","brute_force"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis alert identifies a surge in failed Microsoft Entra ID sign-in attempts (error code 50053) due to account lockouts, suggesting potential brute-force attacks. Attackers often employ password spraying, credential stuffing, or automated guessing to compromise accounts. This detection uses a threshold-based approach to identify coordinated campaigns targeting multiple users. The Entra ID Smart Lockout feature triggers error code 50053, utilizing IP-based tracking to differentiate between \u0026ldquo;familiar\u0026rdquo; and \u0026ldquo;unfamiliar\u0026rdquo; locations, with lockouts primarily originating from unfamiliar IPs. Successful exploitation can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker attempts to gain access to Entra ID accounts using compromised or guessed credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePassword Spraying/Credential Stuffing:\u003c/strong\u003e The attacker performs password spraying attacks by attempting common passwords across multiple accounts, or credential stuffing attacks by using lists of breached credentials obtained from other sources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Failure:\u003c/strong\u003e The sign-in attempts fail due to incorrect credentials, resulting in authentication failure events in Entra ID sign-in logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSmart Lockout Triggered:\u003c/strong\u003e Entra ID\u0026rsquo;s Smart Lockout feature detects the repeated failed sign-in attempts from unfamiliar IPs, triggering account lockouts and generating error code 50053.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Lockout:\u003c/strong\u003e The target user accounts are locked out, preventing legitimate users from accessing their accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Enumeration:\u003c/strong\u003e Prior to the lockouts, the attacker may perform username enumeration, resulting in error code 50034 (user not found) in the sign-in logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass Attempt (if applicable):\u003c/strong\u003e If MFA is not enforced or bypassed, the attacker may attempt to gain access using single-factor authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Compromise (if successful):\u003c/strong\u003e If the attacker successfully guesses the password before lockout or bypasses MFA, the account is compromised, allowing unauthorized access to resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful brute-force attack against Entra ID can lead to widespread account compromise. This could result in unauthorized access to sensitive data, business disruption, and potential financial loss. An attacker could leverage compromised accounts to move laterally within the network, escalate privileges, and exfiltrate data. This attack can affect any organization using Microsoft Entra ID for identity and access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Entra ID Excessive Account Lockouts Detected\u0026rdquo; to your SIEM to detect high counts of failed sign-in attempts resulting in account lockouts.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rule by pivoting to the raw logs in Discover or Timeline using the provided query and focusing on \u003ccode\u003eevent.dataset: \u0026quot;azure.signinlogs\u0026quot; and azure.signinlogs.properties.status.error_code: 50053\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBlock suspicious source IPs identified in the investigation using Conditional Access named locations to prevent further brute-force attempts.\u003c/li\u003e\n\u003cli\u003eImplement Conditional Access policies to block legacy authentication protocols like IMAP, SMTP, and POP, which are often targeted in password spraying attacks.\u003c/li\u003e\n\u003cli\u003eReview and enhance Conditional Access policies to ensure comprehensive MFA coverage and prevent MFA bypass attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T18:43:05Z","date_published":"2026-04-22T18:43:05Z","id":"/briefs/2024-01-30-entra-id-lockouts/","summary":"A high volume of failed Microsoft Entra ID sign-in attempts resulting in account lockouts indicates potential brute-force attacks, such as password spraying or credential stuffing, targeting user accounts.","title":"Entra ID Excessive Account Lockouts Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-30-entra-id-lockouts/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AWS IAM","GitHub Actions"],"_cs_severities":["high"],"_cs_tags":["cloud","aws","github","credential-theft","initial-access","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["Amazon","Microsoft","Google"],"content_html":"\u003cp\u003eThis threat involves the unauthorized use of AWS credentials stolen from GitHub Actions secrets. Attackers exfiltrate these credentials and use them from their own infrastructure, bypassing the intended CI/CD environment. The activity is detected by observing AWS access keys appearing in CloudTrail logs originating from both legitimate GitHub Actions runners (identified by Microsoft ASN or the \u003ccode\u003egithub-actions\u003c/code\u003e user agent string) and suspicious infrastructure outside the expected CI/CD provider ASNs (Amazon, Google, Microsoft). This indicates a breach of GitHub repository or organization secrets, leading to potential unauthorized access and control over AWS resources. This activity can begin with compromised Github accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to a GitHub repository or organization with AWS credentials stored as secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the AWS access key ID and secret access key, either manually or through automated means, such as modifying a GitHub Action workflow to expose the secrets.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the stolen AWS credentials on their own infrastructure, using tools like the AWS CLI or boto3.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to AWS using the stolen credentials. This generates CloudTrail logs with the attacker\u0026rsquo;s source IP address and ASN.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as calling \u003ccode\u003ests:GetCallerIdentity\u003c/code\u003e, \u003ccode\u003eListBuckets\u003c/code\u003e, \u003ccode\u003eDescribeInstances\u003c/code\u003e, or \u003ccode\u003eListUsers\u003c/code\u003e, to understand the AWS environment and identify potential targets.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges or move laterally within the AWS environment by exploiting the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker may create, modify, or delete AWS resources, such as EC2 instances, S3 buckets, or IAM roles, depending on the permissions associated with the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to unauthorized access to AWS resources, potentially resulting in data breaches, service disruptions, or financial losses. The impact depends on the permissions associated with the stolen AWS credentials. A single compromised credential could expose sensitive data, disrupt critical services, or allow attackers to deploy malicious infrastructure within the victim\u0026rsquo;s AWS environment. Identifying and responding to this threat quickly is vital to minimize damages.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure\u0026rdquo; to your SIEM and tune for your environment to detect suspicious usage patterns.\u003c/li\u003e\n\u003cli\u003eRotate the compromised AWS access key in IAM immediately and update the corresponding GitHub repository/organization secret as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement OIDC-based authentication (\u003ccode\u003eaws-actions/configure-aws-credentials\u003c/code\u003e with \u003ccode\u003erole-to-assume\u003c/code\u003e) instead of long-lived access keys as mentioned in the rule documentation.\u003c/li\u003e\n\u003cli\u003eIf using OIDC, add IP condition policies to the IAM role trust policy to restrict \u003ccode\u003eAssumeRoleWithWebIdentity\u003c/code\u003e to known GitHub runner IP ranges, based on the information in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T17:45:55Z","date_published":"2026-04-22T17:45:55Z","id":"/briefs/2024-01-aws-github-actions-credential-theft/","summary":"Attackers are stealing AWS credentials configured as GitHub Actions secrets and using them from non-CI/CD infrastructure, indicating potential credential theft and unauthorized access to AWS resources.","title":"AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-github-actions-credential-theft/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["SharePoint"],"_cs_severities":["medium"],"_cs_tags":["web-shell","persistence","windows"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers frequently deploy web shells to maintain persistence and execute arbitrary commands on compromised web servers. This rule identifies the creation of ASPX files, commonly used in Windows environments, within directories typically targeted for web shell deployment. The rule focuses on the \u0026ldquo;?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*\u0026rdquo; path, a common location for web server extensions and potential web shell placements. By excluding legitimate processes such as msiexec.exe and psconfigui.exe, the rule aims to detect suspicious ASPX file creation events indicative of malicious activity. The detection logic helps defenders identify potential web shell installations, allowing for timely response and remediation to prevent further compromise. This activity has been observed in exploitation attempts targeting SharePoint servers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system, potentially through exploiting a vulnerability in a web application or service running on the server (e.g., SharePoint).\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised web application to upload a malicious ASPX file to a directory within the web server\u0026rsquo;s file system, specifically targeting locations like \u0026ldquo;?:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe uploaded ASPX file contains malicious code designed to provide the attacker with remote access and control over the server.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers the execution of the ASPX file by sending a request to the web server, which processes the ASPX file and executes the embedded malicious code.\u003c/li\u003e\n\u003cli\u003eThe web shell allows the attacker to execute arbitrary commands on the server, potentially escalating privileges and moving laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the web shell to establish persistence on the compromised server, ensuring continued access even after the initial vulnerability is patched.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the web shell to exfiltrate sensitive data from the server or to deploy additional malware and tools.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful web shell deployment can lead to complete compromise of the affected server, potentially impacting numerous organizations. Attackers can use web shells to execute arbitrary code, steal sensitive data, and establish persistent access to internal networks. The impact includes data breaches, financial losses, and reputational damage. Successful exploitation of SharePoint vulnerabilities leading to web shell deployment has been observed in the wild.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Web Shell ASPX File Creation in Common Directories\u0026rdquo; to detect suspicious ASPX file creation events, filtering out legitimate processes to reduce false positives.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) to capture file creation events on Windows systems, which is a data source for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u0026ldquo;Web Shell ASPX File Creation in Common Directories\u0026rdquo; by examining the file path, creating process, and network activity around the time of the event.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting ASPX files in common web server directories, as referenced in the rule description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-12-14T14:30:00Z","date_published":"2024-12-14T14:30:00Z","id":"/briefs/2024-12-potential-web-shell-aspx-file-creation/","summary":"The creation of ASPX files in web server directories, excluding legitimate processes, indicates potential web shell deployment for persistence on Windows systems.","title":"Potential Web Shell ASPX File Creation","url":"https://feed.craftedsignal.io/briefs/2024-12-potential-web-shell-aspx-file-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","execution","lateral-movement","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003ePowercat is a PowerShell script that functions similarly to the traditional Netcat utility, allowing for network communication using TCP and UDP. Attackers can use Powercat to establish reverse shells, transfer files, and perform port scanning within a compromised environment. This activity is often employed during post-exploitation phases to maintain access and propagate further into the network. Defenders should be aware of PowerShell scripts invoking Powercat, especially in environments…\u003c/p\u003e\n","date_modified":"2024-11-04T14:27:00Z","date_published":"2024-11-04T14:27:00Z","id":"/briefs/2024-11-powercat-detection/","summary":"Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.","title":"Powercat PowerShell Implementation Detection","url":"https://feed.craftedsignal.io/briefs/2024-11-powercat-detection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","windows","active directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies a user being added to an Active Directory (AD) group by the SYSTEM account (S-1-5-18). This behavior is significant because it can indicate an attacker who has successfully achieved SYSTEM level privileges on a domain controller. Attackers typically obtain SYSTEM privileges by exploiting vulnerabilities in the domain controller, or by abusing default group privileges such as those assigned to Server Operators. Once SYSTEM access is achieved, the attacker can then attempt to pivot to a domain account. This allows them to gain persistent access and control over the AD environment. Successful exploitation enables attackers to perform actions with the privileges of the compromised account, leading to potential data breaches, system compromise, and further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the network through various means, such as phishing or exploiting a public-facing application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker exploits a vulnerability or misconfiguration on a system within the network to achieve local administrator or SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDomain Controller Compromise:\u003c/strong\u003e The attacker uses their elevated privileges to target a domain controller, exploiting vulnerabilities or weak configurations to gain SYSTEM access on the domain controller itself.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGroup Modification:\u003c/strong\u003e Once the attacker has SYSTEM privileges on a domain controller, they use this access to add a user account to a privileged Active Directory group. This is done by modifying the group membership using tools native to the operating system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e By adding a user account to a privileged group, the attacker ensures they have persistent access to the domain, even if their initial access method is discovered and blocked.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With the newly acquired group membership, the attacker can now move laterally within the network, accessing resources and systems that were previously inaccessible.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / Impact:\u003c/strong\u003e The attacker leverages their access to locate and exfiltrate sensitive data, or to disrupt critical business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to a wide range of negative consequences, including data breaches, system compromise, and disruption of critical business operations. Attackers can use the compromised account to access sensitive data, modify system configurations, or even deploy ransomware. The scope of impact depends on the permissions and privileges associated with the compromised account and the targeted resources. Furthermore, the incident can damage the organization\u0026rsquo;s reputation and result in regulatory fines and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Security Group Management\u0026rdquo; to generate the necessary events for detection as detailed in the \u003ca href=\"https://ela.st/audit-security-group-management\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential Active Directory group modifications by the SYSTEM account and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any event with event code 4728 where the SubjectUserSid is \u0026ldquo;S-1-5-18\u0026rdquo; as described in the \u003ca href=\"#overview\"\u003eoverview\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview the investigation guide outlined in the rule description for triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T23:59:00Z","date_published":"2024-11-02T23:59:00Z","id":"/briefs/2024-11-ad-group-modification-by-system/","summary":"Detection of a user being added to an Active Directory group by the SYSTEM account (S-1-5-18) can indicate an attacker with SYSTEM privileges attempting to pivot to a domain account.","title":"Active Directory Group Modification by SYSTEM Account","url":"https://feed.craftedsignal.io/briefs/2024-11-ad-group-modification-by-system/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Defend","Windows Defender Application Control","Crowdstrike FDR","Sysmon"],"_cs_severities":["high"],"_cs_tags":["wdac","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers are increasingly targeting Windows Defender Application Control (WDAC) to disable or weaken endpoint defenses. By crafting malicious WDAC policies, adversaries can block legitimate security software and evade detection. This technique involves creating WDAC policy files (.p7b or .cip) in protected system directories using unauthorized processes. The activity often occurs when attackers have already gained a foothold in the system and are attempting to solidify their position. Successful deployment of a malicious WDAC policy can significantly hinder incident response and allow malware to operate undetected. This tactic has gained traction since late 2024, with offensive tools like Krueger demonstrating the potential for weaponizing WDAC against EDR solutions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the system through methods such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to gain administrative access, which is required to modify WDAC policies.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Creation:\u003c/strong\u003e The attacker crafts a malicious WDAC policy using tools or scripts. This policy is designed to block specific security products or processes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eStaging:\u003c/strong\u003e The malicious policy is staged in a temporary location on the system, often within user-writable directories.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Placement:\u003c/strong\u003e The attacker moves the malicious WDAC policy file (.p7b or .cip) to a protected system directory, such as \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e or \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e. The tool used may be a Living-off-the-Land Binary (LOLBin) or a custom .NET assembly.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eActivation:\u003c/strong\u003e The attacker triggers the activation of the new WDAC policy, which often requires a system reboot or the use of a service control utility.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e Once the policy is active, the targeted security products are blocked, allowing the attacker to operate with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Objectives:\u003c/strong\u003e With defenses weakened, the attacker can move laterally within the network, exfiltrate data, or achieve other objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack targeting WDAC can severely impair an organization\u0026rsquo;s ability to detect and respond to threats. By blocking security software, attackers can operate with impunity, leading to data breaches, financial losses, and reputational damage. Observed damage includes disabled endpoint detection and response (EDR) solutions, allowing ransomware and other malware to execute without interference. The scope of impact can range from individual workstations to entire domains, depending on the breadth of the WDAC policy deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;WDAC Policy File by an Unusual Process\u0026rdquo; Sigma rule to your SIEM to detect unauthorized WDAC policy modifications.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events with extensions .p7b and .cip in \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\\u003c/code\u003e and \u003ccode\u003eC:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\\u003c/code\u003e directories, specifically filtering for processes other than \u003ccode\u003epoqexec.exe\u003c/code\u003e, \u003ccode\u003eTiWorker.exe\u003c/code\u003e, and \u003ccode\u003eomadmclient.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 11 (File Create) logging to capture file creation events and provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies on WDAC policy directories to prevent unauthorized modification.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-wdac-policy-evasion/","summary":"Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products, detected by unusual process creation of WDAC policy files.","title":"WDAC Policy File Creation by Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-11-wdac-policy-evasion/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure AD Connect Authentication Agent"],"_cs_severities":["high"],"_cs_tags":["credential-access","dll-side-loading","azure-ad-connect"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Azure AD Connect Authentication Agent facilitates pass-through authentication (PTA) in hybrid environments. Attackers may attempt to load malicious DLLs into the \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e process to intercept or persist credentials. This involves placing an untrusted DLL in a location where the service will load it, such as a directory with weak permissions or through DLL side-loading. Successful exploitation allows attackers to capture user credentials as they are processed by the PTA service, potentially leading to domain compromise. This activity specifically targets systems utilizing Azure AD Connect with PTA enabled. Defenders should monitor for unexpected DLL loads by the Azure AD Connect Authentication Agent to identify and prevent credential access attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system hosting the Azure AD Connect Authentication Agent.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a location where they can place a malicious DLL that the \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e process will load, such as a directory with weak permissions or a location susceptible to DLL side-loading.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious DLL (e.g., \u003ccode\u003eevil.dll\u003c/code\u003e) into the identified location.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e process is started or restarted.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e process loads the malicious DLL (\u003ccode\u003eevil.dll\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe malicious DLL intercepts or captures credentials as they are processed by the PTA service.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the captured credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen credentials to gain unauthorized access to other systems or resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to intercept credentials handled by the Azure AD Connect Authentication Agent. This can lead to the compromise of user accounts and the ability to move laterally within the environment. Organizations using Azure AD Connect with Pass-through Authentication are at risk. The impact includes potential data breaches, unauthorized access to sensitive information, and domain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eUntrusted DLL Loaded by Azure AD Connect Authentication Agent\u003c/code\u003e to detect the loading of untrusted DLLs by the Azure AD Connect Authentication Agent service in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eAzureADConnectAuthenticationAgentService.exe\u003c/code\u003e loading DLLs outside of the standard Microsoft directories, as defined in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 7 (Image Loaded) logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eRestrict write access to the Azure AD Connect Authentication Agent directories to prevent unauthorized DLL placement.\u003c/li\u003e\n\u003cli\u003eReview administrative access to the PTA host to prevent unauthorized modifications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T12:00:00Z","date_published":"2024-11-02T12:00:00Z","id":"/briefs/2024-11-azureadconnect-dll-load/","summary":"The loading of an untrusted DLL by the Azure AD Connect Authentication Agent, potentially indicating credential access attempts via the Pass-through Authentication service, is detected by this rule.","title":"Untrusted DLL Loaded by Azure AD Connect Authentication Agent","url":"https://feed.craftedsignal.io/briefs/2024-11-azureadconnect-dll-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Sysmon","Windows Installer"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","msiexec"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft"],"content_html":"\u003cp\u003eAdversaries may abuse the Windows Installer service (msiexec.exe) to proxy the execution of malicious payloads, effectively bypassing application control and other security mechanisms. This technique, known as \u0026ldquo;Msiexec\u0026rdquo; proxy execution (T1218.007), involves using msiexec.exe to execute malicious DLLs or scripts. The detection focuses on identifying child processes spawned by MsiExec, particularly those exhibiting network activity. This behavior is atypical for legitimate software installations and updates, making it a strong indicator of potential malicious use. Defenders should be aware of this technique as it allows attackers to blend in with legitimate system processes. The Elastic detection rule, updated on 2026-05-04, aims to identify this suspicious activity across multiple data sources including Elastic Defend, Sysmon, and SentinelOne.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the system through an exploit or social engineering.\u003c/li\u003e\n\u003cli\u003eAttacker leverages msiexec.exe to execute a malicious MSI package with a \u003ccode\u003e/v\u003c/code\u003e parameter, commonly used to pass verbose logging options, potentially hiding malicious commands.\u003c/li\u003e\n\u003cli\u003eThe malicious MSI package contains custom actions that execute arbitrary code.\u003c/li\u003e\n\u003cli\u003eMsiexec.exe spawns a child process (e.g., powershell.exe, cmd.exe, or another executable) to carry out malicious actions.\u003c/li\u003e\n\u003cli\u003eThe child process establishes a network connection to an external server or performs DNS lookups, possibly for command and control (C2) communication or to download additional payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the network connection to download and execute further tools or scripts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective could be data exfiltration, ransomware deployment, or persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass application control and execute arbitrary code on the system. This can lead to malware installation, data theft, or complete system compromise. While the exact number of victims is not specified in the provided source, the technique can be applied across various sectors. The impact can range from individual workstation compromises to large-scale breaches affecting entire organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMsiExec Child Process with Unusual Executable and Network Connection\u003c/code\u003e to detect suspicious msiexec.exe child processes initiating network connections based on unusual executable paths.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and network connection logging (Event ID 3) to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process tree, command-line arguments, and network destinations.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate software installations and automated deployment tools that use MsiExec and require network access to minimize false positives, as detailed in the \u0026ldquo;False positive analysis\u0026rdquo; section of the source material.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-10-26T12:00:00Z","date_published":"2024-10-26T12:00:00Z","id":"/briefs/2024-10-msiexec-network-connection/","summary":"Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.","title":"MsiExec Child Process Spawning Network Connections for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-10-msiexec-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Adobe Acrobat Update Task","Sure Click","Secure Access Client","CtxsDPS.exe","Openvpn-gui.exe","Veeam Endpoint Backup","Cisco Secure Client","Concentr.exe","Receiver","AnalyticsSrv.exe","Redirector.exe","Download Navigator","Jabra Direct","Vmware Workstation","Eset Security","iTunes","Keepassxc.exe","Globalprotect","Pdf24.exe","Vmware Tools","Teams"],"_cs_severities":["medium"],"_cs_tags":["persistence","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Adobe","HP","Intel","Acronis","Java","Citrix","OpenVPN","Veeam","Cisco","Epson","Jabra","VMware","ESET","iTunes","KeePassXC","Palo Alto Networks","PDF24"],"content_html":"\u003cp\u003eThe Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages msiexec.exe to create a new scheduled task using the \u003ccode\u003eschtasks.exe\u003c/code\u003e command, setting it to execute a malicious script or binary.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses msiexec.exe in conjunction with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell to modify registry keys under \u003ccode\u003eHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e or \u003ccode\u003eHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u003c/code\u003e, adding a pointer to their malicious executable.\u003c/li\u003e\n\u003cli\u003eThe created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.\u003c/li\u003e\n\u003cli\u003eThe system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.\u003c/li\u003e\n\u003cli\u003eThe malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for msiexec.exe spawning \u003ccode\u003eschtasks.exe\u003c/code\u003e or \u003ccode\u003ereg.exe\u003c/code\u003e to create scheduled tasks or modify registry run keys (reference: rules in this brief).\u003c/li\u003e\n\u003cli\u003eImplement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eReview and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.\u003c/li\u003e\n\u003cli\u003eEnable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == \u0026ldquo;file\u0026rdquo; and file.path \u0026hellip; and event.category == \u0026ldquo;registry\u0026rdquo; and registry.path \u0026hellip; in the rule query).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-09-05T14:17:05Z","date_published":"2024-09-05T14:17:05Z","id":"/briefs/2024-09-msiexec-persistence/","summary":"Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.","title":"Persistence via Windows Installer (Msiexec)","url":"https://feed.craftedsignal.io/briefs/2024-09-msiexec-persistence/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","hide-artifacts","alternate-data-stream"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies the creation or execution of Alternate Data Streams (ADS) within the root directory of a volume on Windows systems. Attackers leverage this technique to conceal malicious tools or data, as ADSs created in this manner are not easily discoverable by standard system utilities. This method allows for the persistence and execution of malware while evading typical detection mechanisms. This rule is designed for data generated by Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel, providing broad coverage across different endpoint security solutions. Monitoring for ADS activity at the volume root is crucial to identify potential defense evasion attempts and hidden malicious payloads.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a script or program (e.g., PowerShell) to create a hidden ADS at the root of a volume (e.g., \u003ccode\u003eC:\\:evil.exe\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe ADS is populated with malicious code, such as a reverse shell or malware payload.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a command-line tool or script to execute the hidden ADS file. For example: \u003ccode\u003ewmic process call create \u0026quot;cmd.exe /c start C:\\:evil.exe\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious code within the ADS executes, allowing the attacker to perform unauthorized actions, such as data exfiltration or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the hidden ADS to maintain persistence on the system, ensuring continued access even after reboots.\u003c/li\u003e\n\u003cli\u003eThe attacker further leverages the compromised system to move laterally within the network, compromising additional systems and escalating privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to hide malicious tools and maintain persistence on compromised systems. The creation of ADSs at the volume root directory makes it difficult for administrators and security tools to detect the presence of malware. This can lead to prolonged compromise, data breaches, and significant disruption of business operations. The rule has a risk score of 47, and a medium severity is applied.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect ADS creation and execution at the volume root directory.\u003c/li\u003e\n\u003cli\u003eEnable logging for file creation events (Sysmon Event ID 11) and process creation events (Sysmon Event ID 1) for enhanced visibility into ADS activity.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the Sigma rules to determine the legitimacy of ADS creation or execution, focusing on processes and file paths that match the \u003ccode\u003e[A-Z]:\\\\:.+\u003c/code\u003e regex pattern in the rule query.\u003c/li\u003e\n\u003cli\u003eRegularly scan systems for hidden ADS files using specialized tools to uncover any potential malicious files.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized applications and prevent the creation of malicious ADSs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-08T12:00:00Z","date_published":"2024-07-08T12:00:00Z","id":"/briefs/2024-07-root-dir-ads-creation/","summary":"Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.","title":"Alternate Data Stream Creation/Execution at Volume Root Directory","url":"https://feed.craftedsignal.io/briefs/2024-07-root-dir-ads-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Veeam Backup"],"_cs_severities":["medium"],"_cs_tags":["veeam","credential-access","mssql","windows","ransomware"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Veeam"],"content_html":"\u003cp\u003eAttackers are increasingly targeting backup infrastructure to maximize the impact of ransomware and data exfiltration attacks. Veeam, a popular backup and disaster recovery solution, stores credentials for backup operations in MSSQL databases. An attacker who gains access to these databases may attempt to use tools like \u003ccode\u003esqlcmd.exe\u003c/code\u003e or PowerShell commands (e.g., \u003ccode\u003eInvoke-Sqlcmd\u003c/code\u003e) to extract and decrypt these credentials. This tactic allows the attacker to compromise the backups themselves, preventing recovery and increasing pressure on the victim. This activity has been observed in real-world incidents, such as those involving the Diavol ransomware. Defenders should monitor for suspicious command-line activity targeting Veeam credentials within MSSQL environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the target environment is gained through methods such as phishing or exploiting a vulnerability in a public-facing application.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance to identify the location of the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains valid credentials or exploits a vulnerability to gain access to the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003esqlcmd.exe\u003c/code\u003e or uses PowerShell commands (e.g., \u003ccode\u003eInvoke-Sqlcmd\u003c/code\u003e) to query the \u003ccode\u003e[VeeamBackup].[dbo].[Credentials]\u003c/code\u003e table.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the encrypted Veeam credentials from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker decrypts the Veeam credentials using custom scripts or tools, potentially leveraging the Veeam backup server itself.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised Veeam credentials to access and delete or encrypt backup data.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys ransomware on the remaining systems, knowing that recovery from backups is now impossible.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful compromise of Veeam credentials can have devastating consequences. Attackers can encrypt or delete backup data, making recovery impossible and significantly increasing the impact of ransomware attacks. This can lead to prolonged downtime, data loss, financial losses, and reputational damage. Organizations relying on Veeam for backup and recovery should prioritize monitoring and securing their Veeam infrastructure to prevent credential access and backup compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture command-line activity, specifically \u003ccode\u003esqlcmd.exe\u003c/code\u003e and PowerShell.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Veeam Credential Access Command\u0026rdquo; to detect suspicious command executions targeting Veeam credentials in MSSQL databases.\u003c/li\u003e\n\u003cli\u003eReview and restrict access controls to the Veeam MSSQL database, ensuring only authorized personnel and services have access.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual login activity and failed login attempts to the Veeam MSSQL database server.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all accounts with access to Veeam infrastructure.\u003c/li\u003e\n\u003cli\u003eRegularly audit Veeam backup configurations and logs to identify any unauthorized modifications or access attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-veeam-credential-access/","summary":"Attackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.","title":"Potential Veeam Credential Access via SQL Commands","url":"https://feed.craftedsignal.io/briefs/2024-07-veeam-credential-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["credential-access","pass-the-hash","ntlm-relay","powershell"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts containing artifacts indicative of NTLM relay or pass-the-hash (PtH) attacks. These techniques allow attackers to authenticate to systems without needing plaintext passwords, enabling lateral movement and privilege escalation. The rule focuses on identifying specific byte sequences and strings within PowerShell script blocks that suggest NTLM/SMB negotiation and credential access attempts. This detection helps defenders identify and respond to potential credential theft and abuse within their Windows environments. The rule is based on observed techniques used in various publicly available tools such as Invoke-TheHash, Check-LocalAdminHash, and PoshC2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script on the compromised system. This script could be directly executed or obfuscated to evade initial detection.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script attempts to perform NTLM relay or pass-the-hash attacks by utilizing specific byte sequences related to NTLM/SMB negotiation, such as \u003ccode\u003eNTLMSSPNegotiate\u003c/code\u003e or \u003ccode\u003e0x4e,0x54,0x4c,0x4d,0x53,0x53,0x50\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script may utilize tools like Invoke-WMIExec or Invoke-SMBExec to execute commands on remote systems using the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to other systems on the network using the relayed credentials or password hashes.\u003c/li\u003e\n\u003cli\u003eSuccessful authentication allows the attacker to move laterally, accessing sensitive data or escalating privileges on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker may deploy additional payloads or establish persistence mechanisms for continued access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful pass-the-hash or NTLM relay attack can grant an attacker unauthorized access to sensitive systems and data within the network. This can lead to data breaches, financial loss, or disruption of critical services. The impact could range from compromising a few systems to gaining domain administrator privileges, depending on the attacker\u0026rsquo;s goals and the network\u0026rsquo;s security posture. Organizations can experience significant financial and reputational damage due to data breaches and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the necessary data for this detection. Refer to the setup instructions in the rule documentation for configuration details.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetecting Potential PowerShell Pass-the-Hash/Relay Scripts\u003c/code\u003e to your SIEM and tune it based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule to determine the scope and impact of the potential attack. Refer to the triage and analysis section in the rule documentation for guidance on investigation steps.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit the impact of lateral movement.\u003c/li\u003e\n\u003cli\u003eMonitor authentication events (event codes 4624, 4625, 4648) for suspicious activity, such as NTLM authentication from unexpected source IPs or to unusual target systems, as described in the rule\u0026rsquo;s investigation notes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T12:00:00Z","date_published":"2024-07-03T12:00:00Z","id":"/briefs/2024-07-powershell-pth-relay/","summary":"This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.","title":"Detecting Potential PowerShell Pass-the-Hash/Relay Scripts","url":"https://feed.craftedsignal.io/briefs/2024-07-powershell-pth-relay/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["System Center Configuration Manager"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","dll-hijacking","sccm"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may attempt to hijack Windows user sessions by exploiting Microsoft\u0026rsquo;s System Center Configuration Manager (SCCM). This involves loading malicious DLLs into \u003ccode\u003eSCNotification.exe\u003c/code\u003e, a process responsible for user notifications within the SCCM framework. The vulnerability arises when \u003ccode\u003eSCNotification.exe\u003c/code\u003e loads untrusted DLLs, potentially impersonating a user session. This activity is often characterized by recent DLL file creation or modification, coupled with the DLL lacking a trusted code signature. The references indicate this technique has been discussed publicly, raising awareness and the potential for increased exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system.\u003c/li\u003e\n\u003cli\u003eAttacker places a malicious DLL on the system. This DLL may be disguised to appear legitimate.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the system to cause \u003ccode\u003eSCNotification.exe\u003c/code\u003e to load the malicious DLL. This may involve modifying registry keys or file paths.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSCNotification.exe\u003c/code\u003e loads the attacker-controlled DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes within the context of the \u003ccode\u003eSCNotification.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the hijacked process to impersonate a user session.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to user accounts and data.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions under the guise of the compromised user, such as data exfiltration or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive data, privilege escalation, and further compromise of the network. Victims could experience data breaches, financial loss, or reputational damage. The impact depends on the extent of access gained by the attacker and the sensitivity of the data accessed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Windows Session Hijacking via CcmExec\u0026rdquo; to your SIEM to detect suspicious DLL loads by \u003ccode\u003eSCNotification.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts triggered by the Sigma rule, focusing on DLLs with recent file creation times or modifications (DLL timestamps) and untrusted signatures.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized DLLs from being loaded by \u003ccode\u003eSCNotification.exe\u003c/code\u003e as described in the remediation steps in the note section.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eSCNotification.exe\u003c/code\u003e and related processes.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to enhance visibility into process execution events, which activates the Sigma rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-sccm-dll-hijacking/","summary":"Adversaries may exploit Microsoft's System Center Configuration Manager by loading malicious DLLs into SCNotification.exe, a process associated with user notifications, potentially leading to Windows session hijacking.","title":"Potential Windows Session Hijacking via CcmExec","url":"https://feed.craftedsignal.io/briefs/2024-07-sccm-dll-hijacking/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike FDR","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["credential-access","windows","wbadmin","ntds.dit"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies the execution of \u003ccode\u003ewbadmin.exe\u003c/code\u003e with arguments indicative of an attempt to access and dump the NTDS.dit file from a Windows domain controller. Attackers with sufficient privileges, specifically those belonging to groups like Backup Operators, can abuse the legitimate \u003ccode\u003ewbadmin.exe\u003c/code\u003e utility to create a backup of the Active Directory database (NTDS.dit). This file contains sensitive credential information, and once obtained, attackers can extract password hashes and compromise the entire domain. This activity is often part of a larger attack aimed at gaining persistent access and control over the network. The Elastic detection rule was published on 2024-06-05 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target network. This may be achieved through phishing, exploiting vulnerabilities, or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain membership in the Backup Operators group or a similar privileged group capable of running backups.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewbadmin.exe\u003c/code\u003e with the \u003ccode\u003erecovery\u003c/code\u003e argument, targeting the NTDS.dit file. The command line includes parameters to create a system state backup.\u003c/li\u003e\n\u003cli\u003eWbadmin creates a backup of the system state, including the NTDS.dit file, in a specified location.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the NTDS.dit file from the backup location to a separate location for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools such as \u003ccode\u003entdsutil.exe\u003c/code\u003e or \u003ccode\u003esecretsdump.py\u003c/code\u003e to extract password hashes from the NTDS.dit file.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the password hashes or uses them in pass-the-hash attacks to gain access to other systems and resources within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves domain dominance and persistence, allowing them to control critical systems and data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to dump credentials from the NTDS.dit file, leading to complete compromise of the Active Directory domain. This enables them to move laterally, access sensitive data, and establish persistent control over the environment. The impact can include data breaches, ransomware deployment, and long-term disruption of business operations. The medium risk score indicates that while the attack requires specific privileges, the consequences are significant if successful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line arguments to detect \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution as described in the Attack Chain (Data Source: Windows Security Event Logs, Sysmon).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious \u003ccode\u003ewbadmin.exe\u003c/code\u003e execution with NTDS.dit related arguments in your SIEM (Rule: NTDS Dump via Wbadmin).\u003c/li\u003e\n\u003cli\u003eMonitor and restrict membership in privileged groups like Backup Operators to minimize the risk of abuse (Reference: \u003ca href=\"https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960)\"\u003ehttps://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate backup schedules or disaster recovery processes to reduce false positives (False positive analysis).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-ntds-dump-wbadmin/","summary":"Attackers with Backup Operator privileges may abuse wbadmin.exe to access the NTDS.dit file, enabling credential dumping and domain compromise.","title":"NTDS Dump via Wbadmin","url":"https://feed.craftedsignal.io/briefs/2024-07-ntds-dump-wbadmin/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Management Console File","Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["execution","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers may exploit Microsoft Management Console (MMC) by executing .msc files from non-standard directories to bypass security controls. This technique can be used for initial access and execution. This detection focuses on identifying the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from paths outside the typical system directories, which are generally considered trusted. By monitoring process executions and filtering out known legitimate paths, analysts can identify potentially malicious activity related to the misuse of MMC. The rule aims to detect deviations from standard administrative practices that could indicate unauthorized access or command execution via malicious or compromised \u003ccode\u003e.msc\u003c/code\u003e files. The detection logic specifically excludes executions from common directories like \u003ccode\u003eSystem32\u003c/code\u003e, \u003ccode\u003eSysWOW64\u003c/code\u003e, and \u003ccode\u003eProgram Files\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unspecified method.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious \u003ccode\u003e.msc\u003c/code\u003e file in an unusual or untrusted directory (e.g., \u003ccode\u003eC:\\Users\\Public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emmc.exe\u003c/code\u003e with the malicious \u003ccode\u003e.msc\u003c/code\u003e file as an argument from the untrusted path.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emmc.exe\u003c/code\u003e processes the \u003ccode\u003e.msc\u003c/code\u003e file, potentially executing embedded commands or scripts.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003e.msc\u003c/code\u003e file performs unauthorized actions on the system, such as modifying system settings or executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the execution context of \u003ccode\u003emmc.exe\u003c/code\u003e to bypass security controls and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may establish persistence by creating a scheduled task or modifying registry keys to execute the malicious \u003ccode\u003e.msc\u003c/code\u003e file automatically.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access, command execution, and privilege escalation, potentially compromising the entire system. While specific victim counts or sector targeting are not available, the technique is applicable across various Windows environments. The use of a trusted system binary like \u003ccode\u003emmc.exe\u003c/code\u003e for malicious purposes can evade traditional security measures, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eMicrosoft Management Console File from Unusual Path\u003c/code\u003e to detect the execution of \u003ccode\u003emmc.exe\u003c/code\u003e with \u003ccode\u003e.msc\u003c/code\u003e files from untrusted paths.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command-line arguments to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the origin and content of the \u003ccode\u003e.msc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eConsider implementing application control policies to restrict the execution of \u003ccode\u003e.msc\u003c/code\u003e files to authorized directories only.\u003c/li\u003e\n\u003cli\u003eReview and audit the use of MMC in the environment to identify any legitimate use cases that might trigger false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-mmc-untrusted-path/","summary":"Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.","title":"Microsoft Management Console File Execution from Unusual Path","url":"https://feed.craftedsignal.io/briefs/2024-07-mmc-untrusted-path/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","Elastic Endgame","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThe DNS Global Query Block List (GQBL) is a Windows security feature designed to prevent the resolution of specific DNS names, commonly exploited in attacks like WPAD spoofing. Attackers who have obtained elevated privileges, such as DNSAdmin, can modify or disable this list to bypass security controls. This allows exploitation of hosts running WPAD with default settings. The modification of the GQBL can be used for privilege escalation and lateral movement within a network. This rule detects changes to the registry values associated with the GQBL, specifically \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; and \u0026ldquo;GlobalQueryBlockList.\u0026rdquo; This activity could indicate an attacker attempting to weaken defenses to facilitate further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, possibly through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain DNSAdmin rights.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u0026ldquo;EnableGlobalQueryBlockList\u0026rdquo; registry value to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000,\u0026rdquo; effectively disabling the GQBL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the \u0026ldquo;GlobalQueryBlockList\u0026rdquo; registry value to remove \u0026ldquo;wpad\u0026rdquo; from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the disabled GQBL to conduct WPAD spoofing attacks, redirecting network traffic to attacker-controlled servers.\u003c/li\u003e\n\u003cli\u003eThe attacker captures user credentials transmitted during WPAD authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured credentials to move laterally to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or disabling of the DNS Global Query Block List can lead to WPAD spoofing attacks, credential theft, lateral movement, and ultimately, complete compromise of the network. Attackers can leverage this technique to gain unauthorized access to sensitive data or systems. The impact includes potential data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Modification of DNS Global Query Block List\u003c/code\u003e to your SIEM to detect unauthorized changes to the GQBL configuration.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary events for the Sigma rule to function (reference the logsource in the rule).\u003c/li\u003e\n\u003cli\u003eReview and restrict DNSAdmin privileges to only necessary accounts to minimize the attack surface (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual DNS queries or WPAD-related activity, correlating with registry modification events (reference: Attack Chain step 5).\u003c/li\u003e\n\u003cli\u003eRegularly audit registry settings related to DNS configuration, including the GQBL, to identify unauthorized modifications (reference: Attack Chain steps 3 \u0026amp; 4).\u003c/li\u003e\n\u003cli\u003eUpdate security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List (reference: Impact section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-03T10:00:00Z","date_published":"2024-07-03T10:00:00Z","id":"/briefs/2024-07-dns-gqbl-modified/","summary":"Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.","title":"DNS Global Query Block List Modified or Disabled","url":"https://feed.craftedsignal.io/briefs/2024-07-dns-gqbl-modified/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Endpoint Defense","Windows Defender Advanced Threat Protection","Symantec Endpoint Protection","Endpoint Security","AVDefender","Optics","Padvish AV"],"_cs_severities":["high"],"_cs_tags":["credential-access","regback","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Sophos","Microsoft","Trend Micro","Symantec","Bitdefender","N-able Technologies","Cylance","McAfee","Padvish"],"content_html":"\u003cp\u003eThis detection identifies suspicious attempts to access registry backup hives (SAM, SECURITY, and SYSTEM) located in the \u003ccode\u003eRegBack\u003c/code\u003e folder on Windows systems. These hives contain sensitive credential material, making them attractive targets for attackers seeking to compromise system security. The detection logic focuses on file access events, specifically successful file opens, while excluding known benign processes such as \u003ccode\u003etaskhostw.exe\u003c/code\u003e and various AV/EDR solutions (SophosScanCoordinator.exe, MsSense.exe, ccSvcHst.exe, etc.) to minimize false positives. The rule is designed to provide defenders with high-fidelity alerts when unauthorized access to these critical registry hives is detected. The scope includes any Windows system where endpoint file access logging is enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to access the \u003ccode\u003eSAM\u003c/code\u003e, \u003ccode\u003eSECURITY\u003c/code\u003e, or \u003ccode\u003eSYSTEM\u003c/code\u003e registry hives located in the \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a tool or script to open one or more of these registry hives. This could involve using built-in Windows utilities, scripting languages, or custom-developed tools.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully opens the \u003ccode\u003eSAM\u003c/code\u003e and \u003ccode\u003eSYSTEM\u003c/code\u003e hives, they can extract user account credentials, including usernames, password hashes, and other sensitive information. The \u003ccode\u003eSECURITY\u003c/code\u003e hive is also useful.\u003c/li\u003e\n\u003cli\u003eThe attacker may stage the registry hive files by copying them to a different location on the system for further analysis or exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker uses credential dumping tools (e.g., Mimikatz, secretsdump.py) or custom scripts to extract credentials from the staged registry hives.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the extracted credentials to escalate privileges, move laterally within the network, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe final objective is typically to gain unauthorized access to critical systems, steal sensitive data, or establish long-term persistence within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to the compromise of user account credentials, enabling attackers to escalate privileges, move laterally within the network, and gain unauthorized access to sensitive data. The impact can range from data breaches and financial losses to reputational damage and disruption of critical business operations. The number of victims can vary depending on the scope of the attacker\u0026rsquo;s activities and the security posture of the targeted organization. Sectors commonly targeted include finance, healthcare, government, and critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable file access monitoring for the \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e directory to capture file open events.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegistry Hive Access via RegBack\u003c/code\u003e to your SIEM and tune the exclusions based on your environment.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eprocess_creation\u003c/code\u003e events for unusual processes accessing files in \u003ccode\u003eC:\\\\Windows\\\\System32\\\\config\\\\RegBack\\\\\u003c/code\u003e, using the rule \u003ccode\u003eSuspicious Process Accessing RegBack Hives\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging and file creation to activate the rules above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-07-02T12:00:00Z","date_published":"2024-07-02T12:00:00Z","id":"/briefs/2024-07-regback-hive-access/","summary":"This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.","title":"Suspicious Registry Hive Access via RegBack","url":"https://feed.craftedsignal.io/briefs/2024-07-regback-hive-access/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","conditional-access","policy-modification","attack.privilege-escalation","attack.credential-access","attack.persistence","attack.defense-impairment","attack.t1548","attack.t1556"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCompromised or malicious actors may attempt to modify Azure Conditional Access (CA) policies to weaken security controls, elevate privileges, or establish persistence within the Azure environment. Conditional Access policies are critical for enforcing organizational security standards, and unauthorized changes can have significant security implications. This activity is detected through Azure Audit Logs by monitoring for \u0026ldquo;Update conditional access policy\u0026rdquo; events. Defenders should investigate any modifications to Conditional Access policies to ensure they are legitimate and align with security best practices. Detecting and responding to unauthorized CA policy modifications is crucial for maintaining the integrity and security of the Azure environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access through compromised credentials or other means (not specified in source).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages existing privileges or exploits vulnerabilities to gain sufficient permissions to modify Conditional Access policies (e.g., through a compromised Global Administrator account).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Enumeration:\u003c/strong\u003e The attacker enumerates existing Conditional Access policies to identify targets for modification using tools like Azure PowerShell or the Azure portal.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePolicy Modification:\u003c/strong\u003e The attacker modifies a Conditional Access policy, for example, by weakening MFA requirements, excluding specific users or groups from the policy, or disabling the policy altogether.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e By weakening or disabling Conditional Access policies, the attacker establishes a persistent foothold in the environment, allowing them to bypass security controls and maintain unauthorized access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e With weakened MFA or other access controls, the attacker gains easier access to sensitive credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Impairment:\u003c/strong\u003e The modification of CA policies impairs the organization\u0026rsquo;s defense mechanisms, making it easier for the attacker to perform malicious activities undetected.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of Conditional Access policies can lead to significant security breaches, including unauthorized access to sensitive data, privilege escalation, and persistent compromise of the Azure environment. The number of affected users and resources depends on the scope of the modified policies. Organizations may experience data loss, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;CA Policy Updated by Non Approved Actor\u0026rdquo; Sigma rule to your SIEM to detect unauthorized modifications to Conditional Access policies within your Azure environment.\u003c/li\u003e\n\u003cli\u003eReview the \u003ccode\u003eproperties.message\u003c/code\u003e field in the Azure Audit Logs for \u0026ldquo;Update conditional access policy\u0026rdquo; events and compare \u0026ldquo;old\u0026rdquo; vs \u0026ldquo;new\u0026rdquo; values to understand the nature of the changes.\u003c/li\u003e\n\u003cli\u003eImplement strict role-based access control (RBAC) to limit the number of users who can modify Conditional Access policies.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule and verify whether the user identity, user agent, and/or hostname should be making changes in your environment.\u003c/li\u003e\n\u003cli\u003eEnable multi-factor authentication (MFA) for all users, especially those with administrative privileges, to reduce the risk of credential compromise (related to attack.credential-access tag).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-29T12:00:00Z","date_published":"2024-05-29T12:00:00Z","id":"/briefs/2024-05-29-azure-ca-policy-update/","summary":"An unauthorized actor modifies an Azure Conditional Access policy, potentially leading to privilege escalation, credential access, persistence, or defense impairment.","title":"Unauthorized Modification of Azure Conditional Access Policy","url":"https://feed.craftedsignal.io/briefs/2024-05-29-azure-ca-policy-update/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["attack.credential-access","attack.persistence","attack.privilege-escalation","attack.defense-impairment","attack.t1556"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe addition of a new root certificate authority (CA) in Azure Active Directory (Azure AD) to support certificate-based authentication (CBA) can be a sign of malicious activity. While CBA offers passwordless authentication benefits, attackers can abuse it to establish persistent access, escalate privileges, or evade detection. An attacker with sufficient privileges in the Azure AD tenant can add a rogue CA, enabling them to authenticate as any user within the directory, even without their password. This bypasses multi-factor authentication (MFA) and grants unauthorized access to sensitive resources and data. Defenders should monitor Azure AD audit logs for unexpected modifications to the \u003ccode\u003eTrustedCAsForPasswordlessAuth\u003c/code\u003e setting, as this could indicate a compromised administrator account or an insider threat attempting to establish a backdoor.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eCompromise an Azure AD administrator account with sufficient privileges to modify tenant-wide settings. This may be achieved through phishing, credential stuffing, or exploiting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the Azure portal or uses PowerShell cmdlets to interact with Azure AD.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to add a new, attacker-controlled root certificate authority to the \u003ccode\u003eTrustedCAsForPasswordlessAuth\u003c/code\u003e setting. This involves modifying the Company Information object.\u003c/li\u003e\n\u003cli\u003eThe attacker generates or obtains a certificate signed by the newly added root CA.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the certificate to authenticate to Azure AD as a targeted user, bypassing password requirements and multi-factor authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the targeted user\u0026rsquo;s resources, such as email, files, and applications.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the Azure AD tenant by impersonating highly privileged users or roles.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the Azure AD tenant, even if the compromised administrator account is remediated.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to complete compromise of the Azure AD tenant, including access to sensitive data, applications, and resources. Attackers can use the compromised tenant to move laterally to other systems, exfiltrate data, or disrupt business operations. The number of potential victims is dependent on the size of the Azure AD tenant. Organizations across all sectors are at risk, especially those heavily reliant on Azure AD for identity and access management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;New Root Certificate Authority Added\u0026rdquo; to your SIEM to detect unauthorized modifications to the \u003ccode\u003eTrustedCAsForPasswordlessAuth\u003c/code\u003e setting (rule).\u003c/li\u003e\n\u003cli\u003eReview Azure AD audit logs regularly for suspicious activity related to the \u0026ldquo;Set Company Information\u0026rdquo; operation (logsource).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure AD accounts, including administrators, but understand that CBA can bypass it.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege and restrict the number of accounts with permissions to modify tenant-wide settings.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of certificates signed by unknown or untrusted CAs to authenticate to Azure AD.\u003c/li\u003e\n\u003cli\u003eConsult the SpecterOps and Goodworkaround articles for more information on certificate-based authentication abuse in Azure AD (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-08T18:22:00Z","date_published":"2024-05-08T18:22:00Z","id":"/briefs/2024-05-azuread-root-ca-add/","summary":"An attacker may add a new root certificate authority to an Azure AD tenant to support certificate-based authentication for persistence, privilege escalation, or defense evasion.","title":"Azure AD Root Certificate Authority Added for Passwordless Authentication","url":"https://feed.craftedsignal.io/briefs/2024-05-azuread-root-ca-add/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory Integrated DNS (ADIDNS)"],"_cs_severities":["high"],"_cs_tags":["credential-access","adidns","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eActive Directory Integrated DNS (ADIDNS) stores DNS zones as Active Directory objects, which, while providing access control and replication benefits, introduces security issues. A significant concern is the creation of wildcard records due to the default permission allowing any authenticated user to create DNS-named records. By exploiting this, attackers can establish wildcard records to redirect traffic for domain names lacking explicit DNS records, effectively positioning themselves as an adversary-in-the-middle. This manipulation of ADIDNS can lead to credential interception or relay attacks, similar to LLMNR/NBNS spoofing. This poses a high risk to organizations relying on ADIDNS for domain consistency and secure name resolution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the domain.\u003c/li\u003e\n\u003cli\u003eAttacker leverages existing privileges to create a wildcard DNS record (A record) within an ADIDNS zone.\u003c/li\u003e\n\u003cli\u003eThe wildcard record is created with a DN like \u003ccode\u003eDC=*,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com\u003c/code\u003e, where \u003ccode\u003eDC=*\u003c/code\u003e signifies the wildcard. Event ID 5137 is generated.\u003c/li\u003e\n\u003cli\u003eThe wildcard record points to a malicious server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eA client attempts to resolve a domain name that does not have an explicit DNS record.\u003c/li\u003e\n\u003cli\u003eDue to the wildcard record, the DNS query resolves to the attacker\u0026rsquo;s malicious server.\u003c/li\u003e\n\u003cli\u003eThe client connects to the attacker\u0026rsquo;s server, potentially exposing credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or relays the client\u0026rsquo;s traffic, gaining unauthorized access or control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to intercept network traffic, steal credentials, and potentially gain control over systems within the affected domain. The impact includes unauthorized access to sensitive data, lateral movement within the network, and potential compromise of critical domain services. This can affect any organization using Active Directory Integrated DNS, leading to widespread disruption and data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; to generate the necessary Windows Security Event Logs (5137) for detecting ADIDNS wildcard record creation as described in the \u003ca href=\"https://ela.st/audit-directory-service-changes\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADIDNS Poisoning via Wildcard Record Creation\u0026rdquo; to detect the creation of wildcard DNS records in ADIDNS based on Windows Event ID 5137.\u003c/li\u003e\n\u003cli\u003eReview and restrict ADIDNS permissions for DNS zones to limit wildcard-creation opportunities, focusing on authenticated-user create-child rights.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on \u003ccode\u003ewinlog.event_data.ObjectDN\u003c/code\u003e, \u003ccode\u003euser.name\u003c/code\u003e, and the originating session as outlined in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T14:58:00Z","date_published":"2024-05-03T14:58:00Z","id":"/briefs/2024-05-adidns-wildcard/","summary":"Attackers can create wildcard records in Active Directory Integrated DNS (ADIDNS) to redirect traffic, enabling adversary-in-the-middle attacks for credential interception or relay.","title":"Potential ADIDNS Poisoning via Wildcard Record Creation","url":"https://feed.craftedsignal.io/briefs/2024-05-adidns-wildcard/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Copilot","Cursor","GPT4All","Jan","LM Studio","Ollama","Windsurf","bunx","codex","claude","deno","gemini-cli","genaiscript","grok","koboldcpp","llama-cli","llama-server","npx","pnpm","qwen","textgen","yarn","Confluence Data Center"],"_cs_severities":["medium"],"_cs_tags":["genai","command and control","macos","network connection"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","Atlassian","GitHub"],"content_html":"\u003cp\u003eThis threat brief addresses the risk of GenAI tools on macOS connecting to unusual domains, which may indicate a compromised state. Attackers can exploit GenAI tools through prompt injection, malicious MCP (Model Context Protocol) servers, or poisoned plugins to establish command-and-control (C2) channels or exfiltrate sensitive data. Given the network access capabilities of AI agents, adversaries may manipulate them to beacon to external servers, download malicious payloads, or transmit harvested credentials and documents. The Elastic detection rule \u003ccode\u003e9050506c-df6d-4bdf-bc82-fcad0ef1e8c1\u003c/code\u003e focuses on identifying such anomalous network connections originating from a predefined list of GenAI processes, excluding known legitimate domains. The rule has been actively maintained since its creation on December 4, 2025, with its latest update on April 29, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary compromises a GenAI tool on a macOS system through prompt injection, malicious MCP servers, or poisoned plugins.\u003c/li\u003e\n\u003cli\u003eThe compromised GenAI tool is configured to connect to an attacker-controlled domain for C2.\u003c/li\u003e\n\u003cli\u003eThe GenAI process initiates a network connection attempt to the unusual domain using standard web protocols (HTTP/HTTPS).\u003c/li\u003e\n\u003cli\u003eThe macOS system\u0026rsquo;s network stack resolves the attacker\u0026rsquo;s domain to its corresponding IP address.\u003c/li\u003e\n\u003cli\u003eThe GenAI process sends data to the attacker-controlled domain, potentially including sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands to the compromised GenAI tool.\u003c/li\u003e\n\u003cli\u003eThe GenAI tool executes the commands, potentially leading to further compromise or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised GenAI tools can lead to data exfiltration, unauthorized access to sensitive information, and the establishment of persistent C2 channels within an organization\u0026rsquo;s network. The impact ranges from the loss of intellectual property and customer data to the potential disruption of business operations. The risk is amplified if the GenAI tool has access to internal systems or sensitive data stores, allowing attackers to pivot and escalate their attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;GenAI Process Connecting to Unusual Domain\u0026rdquo; to your SIEM and tune for your environment (see rule below).\u003c/li\u003e\n\u003cli\u003eEnable process creation and network connection logging on macOS endpoints to collect the data required for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine the legitimacy of the domain and the GenAI process\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eBlock any identified malicious domains at the network level (see query in the provided source).\u003c/li\u003e\n\u003cli\u003eReview the GenAI tool\u0026rsquo;s configuration for unauthorized MCP servers, plugins, or extensions that initiated the connection.\u003c/li\u003e\n\u003cli\u003eRegularly update the list of allowed domains in the Sigma rule\u0026rsquo;s filter to account for legitimate updates to GenAI tool infrastructure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T14:22:30Z","date_published":"2024-05-02T14:22:30Z","id":"/briefs/2024-05-genai-unusual-domain/","summary":"This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.","title":"GenAI Process Connection to Unusual Domain on macOS","url":"https://feed.craftedsignal.io/briefs/2024-05-genai-unusual-domain/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Active Directory"],"_cs_severities":["medium"],"_cs_tags":["azure","certificate-based-authentication","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCertificate-Based Authentication (CBA) in Azure Active Directory allows users and services to authenticate using digital certificates instead of passwords. While intended to enhance security, misconfiguration or malicious use of CBA can lead to significant security risks. Attackers can exploit CBA to gain unauthorized access, establish persistent footholds, and escalate privileges within the Azure environment. This involves manipulating authentication policies to favor or require certificate authentication, potentially bypassing other security controls. Detection of CBA enablement is crucial as it can be a precursor to more sophisticated attacks targeting cloud resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Azure AD account with sufficient privileges to modify authentication policies (e.g., Global Administrator).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Azure AD authentication methods policy to enable certificate-based authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker registers a certificate authority (CA) in Azure AD, which will be used to issue certificates for authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts or compromises a certificate that is trusted by the registered CA.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the crafted certificate to authenticate to Azure AD, bypassing traditional password-based authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly gained access to provision new resources, modify existing configurations, or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating service principals or applications that authenticate using certificates, allowing them to maintain access even if the initial account is compromised.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CBA can lead to full compromise of an Azure AD tenant. Attackers can gain access to sensitive data, disrupt services, and deploy malicious applications. The lack of multi-factor authentication on certificate-based logins significantly increases the risk of unauthorized access. The impact can range from data breaches and financial losses to complete operational shutdown, depending on the scope of the compromised resources.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect when certificate-based authentication is enabled in Azure AD (\u003ccode\u003eAuthentication Methods Policy Update\u003c/code\u003e in Audit Logs).\u003c/li\u003e\n\u003cli\u003eMonitor Azure AD audit logs for modifications to authentication methods policies, paying close attention to changes related to certificate-based authentication.\u003c/li\u003e\n\u003cli\u003eImplement strong certificate management practices, including proper key storage, certificate revocation, and monitoring of certificate usage.\u003c/li\u003e\n\u003cli\u003eInvestigate any unexpected changes to Azure AD authentication policies or the registration of new certificate authorities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T14:30:00Z","date_published":"2024-04-29T14:30:00Z","id":"/briefs/2024-04-azure-ad-cba-enabled/","summary":"Enabling certificate-based authentication (CBA) in Azure Active Directory can be abused by attackers to establish persistence, escalate privileges, and impair defenses.","title":"Azure AD Certificate-Based Authentication Enabled","url":"https://feed.craftedsignal.io/briefs/2024-04-azure-ad-cba-enabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Microsoft Teams","Google Chrome","Mozilla Firefox","Opera","Cisco WebEx","Discord","WhatsApp","Zoom","Brave Browser","Slack","thunderbird.exe"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft","Google","Mozilla","Opera","Cisco","Discord","WhatsApp","Zoom","Brave"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches a communication application (e.g., Slack, Teams, Webex).\u003c/li\u003e\n\u003cli\u003eThe communication application executes a vulnerable or compromised component.\u003c/li\u003e\n\u003cli\u003eThe compromised component spawns a child process (e.g., powershell.exe, cmd.exe).\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or script.\u003c/li\u003e\n\u003cli\u003eThe script attempts to download additional payloads from an external source.\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the system.\u003c/li\u003e\n\u003cli\u003eData exfiltration or lateral movement within the network occurs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization\u0026rsquo;s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker\u0026rsquo;s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Communication App Child Process\u003c/code\u003e to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e, product: \u003ccode\u003ewindows\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eEnsure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eExamine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-suspicious-comm-app-child-process/","summary":"The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.","title":"Suspicious Child Processes from Communication Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","Elastic Endgame","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","registry-modification","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eNetwork Level Authentication (NLA) is a security feature in Windows that requires users to authenticate before establishing a full RDP session, adding an extra layer of protection against unauthorized access. Attackers might attempt to disable NLA to gain access to the Windows sign-in screen without proper authentication. This tactic can facilitate the deployment of persistence mechanisms, such as leveraging Accessibility Features like Sticky Keys, or enable unauthorized remote access. This brief addresses the registry modifications associated with disabling NLA and provides detection strategies to identify such attempts. The references indicate that this technique is used in conjunction with other attacks for lateral movement within a compromised network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the system is gained (potentially via compromised credentials or vulnerability exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to modify system-level settings.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the registry key \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\UserAuthentication\u003c/code\u003e to disable NLA.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUserAuthentication\u003c/code\u003e value is set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish an RDP connection to the compromised system.\u003c/li\u003e\n\u003cli\u003eDue to the disabled NLA, the attacker bypasses the initial authentication screen.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages accessibility features (e.g., Sticky Keys) for persistence or further exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of NLA allows attackers to bypass authentication and gain unauthorized access to systems via RDP. This can lead to data theft, malware installation, or further lateral movement within the network. While the exact number of victims and sectors targeted are unspecified, the potential impact includes significant data breaches and system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process-creation and registry event logging to detect the registry modifications (Elastic Defend, Elastic Endgame, Microsoft Defender XDR, SentinelOne, Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided to detect attempts to modify the \u003ccode\u003eUserAuthentication\u003c/code\u003e registry key (Sysmon Registry Events).\u003c/li\u003e\n\u003cli\u003eReview and harden RDP configurations across the environment to prevent unauthorized access (Microsoft documentation).\u003c/li\u003e\n\u003cli\u003eMonitor endpoint security policies to detect unauthorized registry modifications (Endpoint Security Policies).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-disable-nla/","summary":"Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.","title":"Network-Level Authentication (NLA) Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-disable-nla/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure"],"_cs_severities":["high"],"_cs_tags":["azure","identity-protection","suspicious-browser"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u0026ldquo;suspiciousBrowser\u0026rdquo; risk event in Azure Identity Protection signals unusual sign-in patterns indicative of potential account compromise or other malicious activity. This alert is triggered when the same browser is used to access multiple tenants from different countries, which is an atypical behavior for legitimate users. This type of activity could be caused by malware, credential theft, or an attacker attempting to blend in with normal user behavior after gaining unauthorized access. This detection is important for defenders because it can highlight early stages of an attack, potentially preventing lateral movement, data exfiltration, or other damaging actions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a user\u0026rsquo;s credentials through phishing, malware, or other means (T1566, T1190).\u003c/li\u003e\n\u003cli\u003eThe attacker configures a browser with the stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the same browser to attempt sign-ins to multiple Azure tenants from different geographical locations, attempting to blend in with typical user activity.\u003c/li\u003e\n\u003cli\u003eAzure Identity Protection detects the \u0026ldquo;suspiciousBrowser\u0026rdquo; risk event based on the anomalous sign-in activity.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker may gain access to sensitive data and resources within the targeted tenants.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised accounts to escalate privileges and move laterally within the organization (T1078, T1068).\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploy ransomware (T1003, T1486).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting suspicious browser activity can lead to unauthorized access to multiple Azure tenants, potentially impacting numerous organizations. The compromise of user accounts can result in data breaches, financial losses, and reputational damage. The scope of the impact depends on the level of access granted to the compromised accounts and the sensitivity of the data stored within the targeted tenants.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect \u0026ldquo;suspiciousBrowser\u0026rdquo; risk events in your Azure environment and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate sessions flagged by this detection in the context of other sign-ins from the same user to identify false positives.\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) to mitigate the impact of compromised credentials.\u003c/li\u003e\n\u003cli\u003eMonitor user sign-in activity for unusual patterns, such as sign-ins from multiple geographical locations within a short period.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-31-suspicious-azure-browser/","summary":"A suspicious browser activity alert indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser, potentially indicating compromised credentials or other malicious activity.","title":"Azure Identity Protection Suspicious Browser Activity","url":"https://feed.craftedsignal.io/briefs/2024-01-31-suspicious-azure-browser/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure Firewall"],"_cs_severities":["medium"],"_cs_tags":["azure","firewall","defense-impairment"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe modification or deletion of Azure Firewall rule collections (Application, NAT, and Network) can indicate malicious activity within an Azure environment. Threat actors may target these rules to bypass security controls, allowing unauthorized network traffic, enabling data exfiltration, or facilitating lateral movement. Monitoring these changes is crucial for maintaining the integrity of network security policies and detecting potential breaches. This activity directly impacts an organization\u0026rsquo;s ability to enforce its security posture, potentially exposing sensitive resources to unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the Azure environment, potentially through compromised credentials or a vulnerability in an application.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Azure Firewall resources to identify rule collections (Application, NAT, and Network) that can be modified or deleted.\u003c/li\u003e\n\u003cli\u003eThe attacker uses valid Azure credentials or exploits a misconfiguration to authenticate to the Azure Resource Manager API.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to modify the target rule collection, potentially altering allowed ports, IP addresses, or protocols.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a request to delete an entire rule collection, effectively disabling its associated security controls.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the request to the Azure Resource Manager API, executing the change to the firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe modified or deleted rule collection now allows unauthorized traffic to bypass the firewall, potentially enabling lateral movement or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the newly opened network paths to achieve their final objective, such as deploying ransomware or accessing sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification or deletion of Azure Firewall rule collections can have significant consequences. Unauthorized traffic could bypass security controls, enabling data exfiltration, lateral movement, or the deployment of malware. This could lead to data breaches, service disruptions, and financial losses. The impact depends on the scope of the modified or deleted rule collection and the resources it protects.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Azure Firewall Rule Collection Modified or Deleted\u0026rdquo; to your SIEM and tune for your environment to detect unauthorized changes to firewall configurations.\u003c/li\u003e\n\u003cli\u003eReview Azure Activity Logs for any events matching the \u003ccode\u003eoperationName\u003c/code\u003e values specified in the Sigma rule to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Azure accounts, especially those with permissions to manage firewall resources, to reduce the risk of credential compromise.\u003c/li\u003e\n\u003cli\u003eRegularly audit Azure role-based access control (RBAC) assignments to ensure the principle of least privilege is followed and that only authorized users have permissions to modify firewall configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-azure-firewall-rule-collection-modification/","summary":"An attacker may modify or delete Azure Firewall rule collections (Application, NAT, and Network) to impair defenses and potentially enable malicious traffic.","title":"Azure Firewall Rule Collection Modification or Deletion","url":"https://feed.craftedsignal.io/briefs/2024-01-azure-firewall-rule-collection-modification/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory Web Service"],"_cs_severities":["medium"],"_cs_tags":["active-directory","enumeration","adws","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) over a network, providing a web-based interface for directory services. Adversaries may exploit ADWS to enumerate network resources and user accounts, gaining insights into the environment. This attack involves loading Active Directory related modules and establishing network connections to the ADWS dedicated TCP port 9389. The goal is to gather information about the domain, user accounts, and permissions, which can be used for lateral movement, privilege escalation, and data exfiltration. Detection focuses on identifying suspicious processes loading \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e or \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e and then connecting to the ADWS port.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance tool or script (e.g., PowerShell) on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe reconnaissance tool loads Active Directory related modules such as \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e and \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe reconnaissance tool attempts to establish a network connection to the ADWS service on TCP port 9389, the dedicated port for ADWS.\u003c/li\u003e\n\u003cli\u003eThe tool queries ADWS to retrieve information about domain users (T1087.002), groups (T1069.002), systems (T1018), and permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify privileged accounts and potential targets for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered information to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges, and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain detailed knowledge of the Active Directory environment. This information can be used to identify high-value targets, compromise privileged accounts, move laterally within the network, and ultimately achieve their objectives, which could include data theft, ransomware deployment, or disruption of services. The impact can range from data breaches to complete compromise of the Active Directory domain, depending on the attacker\u0026rsquo;s goals and the level of access they achieve.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADWS Enumeration via Suspicious Library Loading\u0026rdquo; to detect processes loading AD-related DLLs (e.g., \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e, \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADWS Enumeration via Network Connection\u0026rdquo; to monitor for network connections to destination port 9389 from unusual processes.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate administrative tools or scripts that load Active Directory-related modules and connect to the ADWS port as described in the \u0026ldquo;False positive analysis\u0026rdquo; section of the original rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit access to the ADWS port (9389) to only trusted systems and users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T00:00:00Z","date_published":"2024-01-31T00:00:00Z","id":"/briefs/2024-01-adws-enumeration/","summary":"Adversaries may abuse the Active Directory Web Service (ADWS) to enumerate network resources and user accounts, by loading AD-related modules followed by a network connection to the ADWS dedicated TCP port.","title":"Potential Enumeration via Active Directory Web Service","url":"https://feed.craftedsignal.io/briefs/2024-01-adws-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["high"],"_cs_tags":["credential-access","netsh","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often target wireless credentials to gain unauthorized network access. This involves using the legitimate Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to extract Wi-Fi passwords stored on a compromised system. By leveraging \u003ccode\u003enetsh\u003c/code\u003e, attackers can bypass traditional security measures and retrieve sensitive information without deploying custom malware. The technique involves specific command-line arguments that instruct \u003ccode\u003enetsh\u003c/code\u003e to display wireless keys in cleartext, exposing the network passwords. Defenders must monitor \u003ccode\u003enetsh\u003c/code\u003e command-line activity to identify potential credential access attempts. This activity can lead to lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to list available wireless profiles.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target wireless profile from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e again, this time specifying the target profile and requesting the key to be displayed in cleartext using the \u003ccode\u003ekey=clear\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNetsh.exe\u003c/code\u003e retrieves the Wi-Fi password from the Windows Wireless LAN service.\u003c/li\u003e\n\u003cli\u003eThe password is displayed in the command output, which the attacker captures.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained Wi-Fi password to connect to the wireless network.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform lateral movement and access internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential dumping allows attackers to gain unauthorized access to wireless networks. This can lead to lateral movement within the organization\u0026rsquo;s network, access to sensitive data, and further compromise of systems and resources. The impact includes potential data breaches, financial losses, and reputational damage. This technique allows attackers to bypass traditional network access controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Wireless Credential Dumping via Netsh\u003c/code\u003e to identify suspicious \u003ccode\u003enetsh.exe\u003c/code\u003e commands in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the \u003ccode\u003enetsh.exe\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process lineage and user context as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies for Wi-Fi networks, including the use of WPA2 or WPA3 encryption.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e on systems where it is not required, using application control solutions.\u003c/li\u003e\n\u003cli\u003eMonitor for related alerts indicating lateral movement, staging, remote access, or persistence, as mentioned in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-wireless-creds-dumping/","summary":"Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.","title":"Wireless Credential Dumping via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-30-wireless-creds-dumping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can try to cover their tracks by clearing the PowerShell console history on Windows systems. PowerShell offers multiple ways to log commands, including the built-in history and the command history managed by the PSReadLine module. This activity is often part of post-compromise behavior aimed at evading detection and forensic analysis. This rule detects the execution of specific commands that clear the built-in PowerShell logs or delete the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file. The rule focuses on PowerShell activity and covers scenarios where commands like Clear-History, Remove-Item, rm, and Set-PSReadlineOption are used to manipulate command history.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is gained through an unspecified method, potentially exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes PowerShell (powershell.exe, pwsh.exe, or powershell_ise.exe) to perform reconnaissance and other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to clear the PowerShell command history using the \u003ccode\u003eClear-History\u003c/code\u003e cmdlet.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker attempts to remove the \u003ccode\u003eConsoleHost_history.txt\u003c/code\u003e file using \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e, which stores the PSReadLine command history.\u003c/li\u003e\n\u003cli\u003eAnother method involves using the \u003ccode\u003eSet-PSReadlineOption\u003c/code\u003e cmdlet with the \u003ccode\u003eSaveNothing\u003c/code\u003e parameter to prevent the saving of future command history.\u003c/li\u003e\n\u003cli\u003eThe attacker may leverage other tools and techniques to further obscure their activities and maintain persistence on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems within the network to increase their impact.\u003c/li\u003e\n\u003cli\u003eThe final objective is data exfiltration, deployment of ransomware, or other malicious activities, all while attempting to evade detection by clearing logs and command history.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful clearing of console history hinders forensic investigations and incident response efforts. If command history is cleared, administrators will have difficulty reconstructing the attacker\u0026rsquo;s actions and identifying the extent of the compromise. This can lead to prolonged incident response times, increased damage, and potential for further exploitation of the compromised systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Clearing PowerShell History\u003c/code\u003e to your SIEM to detect the use of \u003ccode\u003eClear-History\u003c/code\u003e cmdlet, potentially indicating an attempt to remove command history.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Removal of PowerShell History File\u003c/code\u003e to detect the use of \u003ccode\u003eRemove-Item\u003c/code\u003e or \u003ccode\u003erm\u003c/code\u003e command against the PowerShell history file.\u003c/li\u003e\n\u003cli\u003eEnable PowerShell logging and auditing policies to ensure adequate visibility into PowerShell activity as described in the \u003ca href=\"https://ela.st/audit-process-creation\"\u003esetup instructions\u003c/a\u003e to improve detection capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-clearing-console-history/","summary":"Adversaries may clear the command history of a compromised account to conceal the actions undertaken during an intrusion on a Windows system.","title":"Windows Console History Clearing","url":"https://feed.craftedsignal.io/briefs/2024-01-30-clearing-console-history/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers often attempt to modify file or directory ownership to bypass access controls and gain unauthorized access to sensitive data or system resources. This involves altering permissions associated with critical files or directories, granting broader access to accounts under attacker control or resetting permissions to default values which might be more permissive. This defense evasion technique can be used to establish persistence, escalate privileges, or exfiltrate data without triggering standard security alerts. The common tools used include \u003ccode\u003eicacls.exe\u003c/code\u003e and \u003ccode\u003etakeown.exe\u003c/code\u003e, typically targeting files within the \u003ccode\u003eC:\\Windows\\\u003c/code\u003e directory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an existing compromised account or vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003etakeown.exe /f \u0026lt;file\u0026gt;\u003c/code\u003e to take ownership of a target file or directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eicacls.exe \u0026lt;file\u0026gt; /reset\u003c/code\u003e to reset the ACL of the file or directory.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uses \u003ccode\u003eicacls.exe \u0026lt;file\u0026gt; /grant Everyone:F\u003c/code\u003e to grant full control to everyone, weakening security.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the contents of the file, such as injecting malicious code or configuration changes.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified file for persistence, such as a modified system DLL loaded at boot.\u003c/li\u003e\n\u003cli\u003eThe system executes the malicious code when the compromised file is accessed or executed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as maintaining persistence, escalating privileges, or executing arbitrary commands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising file and directory permissions can lead to significant security breaches. Successful attacks can allow unauthorized access to sensitive data, system instability, or the execution of malicious code with elevated privileges. This can affect any Windows environment where file permissions are improperly managed, with potential for widespread system compromise and data exfiltration. The impact is most severe on systems containing sensitive data or critical infrastructure components.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003eicacls.exe\u003c/code\u003e and \u003ccode\u003etakeown.exe\u003c/code\u003e with suspicious arguments targeting system files (e.g., \u003ccode\u003eC:\\Windows\\*\u003c/code\u003e) to detect potential permission modification attempts using the provided Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable Windows Security Auditing for file system changes to capture events related to permission modifications and ownership changes.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM and tune for your environment, specifically focusing on processes modifying permissions on files within the \u003ccode\u003eC:\\Windows\\\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rules, focusing on the process execution chain and the target files being modified.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-system-file-ownership-change/","summary":"Adversaries may modify file or directory ownership to evade access control lists (ACLs) and access protected files, often using icacls.exe or takeown.exe to reset permissions on system files.","title":"System File Ownership Change for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-system-file-ownership-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["attack.execution","attack.t1047"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may leverage the Windows Management Instrumentation Command-line (WMIC) tool for reconnaissance activities within a network. Specifically, WMIC can be used to query and retrieve information about services running on remote systems. By executing WMIC commands with the \u0026lsquo;service\u0026rsquo; parameter, adversaries can identify the presence and status of specific services, potentially revealing vulnerable or misconfigured systems. This information can then be used to guide further exploitation attempts. WMIC is a built-in Windows utility, making its activity blend with legitimate system administration tasks, increasing the difficulty of detection. This activity is a component of the broader T1047 technique (Windows Management Instrumentation).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a compromised system within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes WMIC.exe from the command line.\u003c/li\u003e\n\u003cli\u003eWMIC.exe is invoked with the \u003ccode\u003eservice\u003c/code\u003e parameter to query service information.\u003c/li\u003e\n\u003cli\u003eThe command includes a target IP address or hostname to query a remote system.\u003c/li\u003e\n\u003cli\u003eThe command attempts to retrieve service names and status information (e.g., \u003ccode\u003ewmic /node:\u0026quot;192.168.1.100\u0026quot; service get name, state\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWMIC attempts to connect to the remote host via RPC. An error message is generated if the remote host is unreachable: \u0026ldquo;Node - (provided IP or default) ERROR Description =The RPC server is unavailable\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eIf the target service is not running, a \u0026ldquo;No instance(s) Available\u0026rdquo; message may be displayed.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output from WMIC to identify running services of interest for further exploitation or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful service reconnaissance allows attackers to map potential attack vectors within a network. By identifying specific services running on remote systems, attackers can prioritize targets for exploitation based on known vulnerabilities or misconfigurations. This can lead to unauthorized access, data breaches, and system compromise. While the reconnaissance itself does not directly cause harm, it provides crucial information that enables subsequent malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious WMIC Service Enumeration\u003c/code\u003e to your SIEM to identify potential service reconnaissance attempts via WMIC (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eWMIC.exe\u003c/code\u003e executions containing the \u003ccode\u003eservice\u003c/code\u003e parameter using endpoint detection and response (EDR) solutions (logsource: process_creation, product: windows).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of WMIC in your environment, as it is a common tool for both legitimate administration and malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-wmic-service-recon/","summary":"Adversaries use WMIC.exe to enumerate running services on remote devices, potentially identifying valuable targets or misconfigured systems.","title":"Service Reconnaissance via WMIC.exe","url":"https://feed.craftedsignal.io/briefs/2024-01-30-wmic-service-recon/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike Falcon","SentinelOne Cloud Funnel"],"_cs_severities":["low"],"_cs_tags":["persistence","windows","netsh","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003enetsh.exe\u003c/code\u003e utility in Windows supports the addition of Helper DLLs to extend its functionality. An attacker can abuse this mechanism to establish persistence by adding a malicious DLL. When \u003ccode\u003enetsh.exe\u003c/code\u003e is executed, the malicious DLL is loaded and executed, allowing the attacker to run arbitrary code with the privileges of the user or process that initiated \u003ccode\u003enetsh.exe\u003c/code\u003e. This can be done by administrators or scheduled tasks, making it a stealthy and effective persistence technique. The registry key targeted by this technique is \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eAttacker creates a malicious DLL to be used as a Netsh Helper DLL.\u003c/li\u003e\n\u003cli\u003eAttacker modifies the Windows Registry to add the malicious DLL as a Netsh Helper DLL under \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system administrator or a scheduled task executes \u003ccode\u003enetsh.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e loads and executes the malicious DLL, granting the attacker code execution.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing a reverse shell or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system through the malicious Netsh Helper DLL.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistent access to a compromised system. This can lead to data theft, system compromise, and further malicious activities. While the risk score is low, the persistence mechanism can allow attackers to maintain a foothold for extended periods, increasing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications under the \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e path for suspicious DLL additions using the \u0026ldquo;Netsh Helper DLL Registry Modification\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the DLL file properties, timestamps, and related processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-netsh-helper-dll/","summary":"Attackers may abuse the Netsh Helper DLL functionality by adding malicious DLLs to execute payloads every time the netsh utility is executed via administrators or scheduled tasks, achieving persistence.","title":"Netsh Helper DLL Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-helper-dll/"}],"language":"en","next_url":"/vendors/microsoft/page/2/feed.json","title":"CraftedSignal Threat Feed — Microsoft","version":"https://jsonfeed.org/version/1.1"}