{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/n-able/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Cloud Endpoint","AutomationManagerAgent"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","powershell","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Trend Micro","N-able"],"content_html":"\u003cp\u003eAttackers frequently disable PowerShell Script Block Logging to evade detection and hide malicious activities on compromised systems. By modifying the \u003ccode\u003eEnableScriptBlockLogging\u003c/code\u003e registry value to \u0026lsquo;0\u0026rsquo; or \u0026lsquo;0x00000000\u0026rsquo;, adversaries can significantly reduce the visibility into their PowerShell-based attacks. This technique is particularly effective when followed by script-driven activity, making it harder for security teams to identify and respond to threats. This behavior has been observed across multiple environments, including those utilizing endpoint detection and response solutions such as Elastic Defend, Microsoft Defender XDR, SentinelOne, and CrowdStrike. The rule was last updated on 2026-05-04 and is designed to detect these specific registry modifications.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker may attempt to escalate privileges to gain necessary permissions to modify the registry.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker modifies the registry to disable PowerShell Script Block Logging by setting \u003ccode\u003eHKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging\u003c/code\u003e to 0 or 0x00000000 using \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell itself.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes malicious PowerShell scripts, leveraging the disabled logging to avoid detection. These scripts may be used for reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence using various techniques, such as creating scheduled tasks or modifying registry keys to ensure continued access to the system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control:\u003c/strong\u003e The attacker establishes a command and control channel to communicate with the compromised system and issue further instructions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker moves laterally to other systems on the network, compromising additional assets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker achieves their final objective, such as data theft, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful disabling of PowerShell Script Block Logging can severely hinder incident response efforts, allowing attackers to operate undetected for extended periods. Organizations may experience data breaches, financial losses, and reputational damage. The impact can be widespread as attackers leverage compromised systems for lateral movement and further exploitation. The loss of PowerShell logging can blind security teams, making it difficult to reconstruct attacker actions and contain the breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePowerShell_Script_Block_Logging_Disabled\u003c/code\u003e to your SIEM to detect registry modifications that disable PowerShell Script Block Logging.\u003c/li\u003e\n\u003cli\u003eMonitor registry events for changes to the \u003ccode\u003eEnableScriptBlockLogging\u003c/code\u003e value, focusing on events with \u003ccode\u003eregistry.data.strings\u003c/code\u003e set to \u0026ldquo;0\u0026rdquo; or \u0026ldquo;0x00000000\u0026rdquo; (see rule \u003ccode\u003ePowerShell_Script_Block_Logging_Disabled\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture the necessary data for the Sigma rules to function effectively (see references).\u003c/li\u003e\n\u003cli\u003eReview and harden PowerShell execution policies to prevent unauthorized script execution (related to tactic TA0005).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit who can modify registry settings related to PowerShell logging (related to tactic TA0005).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-09-disable-powershell-scriptblock-logging/","summary":"Attackers may disable PowerShell Script Block Logging by modifying the registry to conceal their activities on the host and evade detection by setting the `EnableScriptBlockLogging` registry value to 0, impacting security monitoring and incident response capabilities.","title":"PowerShell Script Block Logging Disabled via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-09-disable-powershell-scriptblock-logging/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access","windows"],"_cs_type":"advisory","_cs_vendors":["TeamViewer","LogMeIn","AnyDesk","ScreenConnect","ConnectWise","Splashtop","Zoho","RustDesk","n-able","Kaseya","BeyondTrust","Tailscale","JumpCloud","VNC","Datto","Auvik","SyncroMSP","Pulseway","NinjaOne","Liongard","Naverisk","Panorama9","Tactical RMM","MeshCentral","ISL Online","Goverlan","Iperius","Remotix","Mikogo","Action1","Elastic"],"content_html":"\u003cp\u003eThis detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. The rule is based on a list of known RMM domains and excludes common browser processes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows host through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or leverages an existing RMM tool on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe RMM tool, running as a non-browser process, initiates a DNS query to resolve a command and control server associated with the RMM service (e.g., teamviewer.com).\u003c/li\u003e\n\u003cli\u003eThe DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).\u003c/li\u003e\n\u003cli\u003eThe compromised host establishes a connection to the resolved IP address associated with the RMM domain.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, ransomware deployment, or maintaining persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;DNS Queries to Known RMM Domains from Non-Browser Processes\u0026rdquo; to your SIEM and tune the RMM domain list for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized RMM tools.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.\u003c/li\u003e\n\u003cli\u003eCorrelate with other alerts to identify potential compromises.\u003c/li\u003e\n\u003cli\u003eReview process.code_signature for trusted RMM publishers and investigate any unsigned or unexpected signers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-dns-non-browser/","summary":"Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.","title":"Suspicious DNS Queries to RMM Domains from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/"}],"language":"en","title":"CraftedSignal Threat Feed — N-Able","version":"https://jsonfeed.org/version/1.1"}