Palo Alto Networks — CraftedSignal Threat Feed

Expanding Detection Beyond Endpoints to Counter Evolving Threats

hello@craftedsignal.io — Fri, 01 May 2026 23:13:22 +0000

The 2026 Unit 42 Global Incident Response Report highlights that threat actors are moving 4x faster to exfiltration than in 2025, exploiting blind spots due to an over-reliance on endpoint data. The proliferation of cloud services, microservices, and remote users has expanded the attack surface beyond what any single tool can monitor. Unit 42 found that in 75% of incidents, critical evidence was present in logs but wasn’t accessible or operationalized, allowing attackers to exploit the gaps. Organizations need to evolve their SOCs to ingest and correlate telemetry across their entire IT landscape, including IAM, cloud assets, OT/IoT, and AI workloads. Unit 42 recommends a single-pane-of-glass strategy powered by an AI-driven SOC platform like Cortex XSIAM to combat these threats.

Attack Chain

Initial Access via Cloud Misconfiguration: The attacker gains initial access through a misconfigured cloud service access key.
Cloud Console Manipulation: The attacker manipulates the cloud console to hide their tracks from endpoint detection.
Pivot to Cloud-Hosted Server: From the cloud console, the attacker pivots to a cloud-hosted server to begin discovery.
Credential Theft (Covert C2): The attacker utilizes DNS tunneling to a cloud storage location for C2 communication and steals credentials to use legitimate applications.
Lateral Movement: The attacker moves laterally using the stolen credentials, triggering impossible travel alerts across SaaS apps.
Rogue Asset Introduction: The attacker introduces a rogue device into the network, bypassing traditional endpoint security measures.
Persistence: The attacker maintains persistence through the rogue device, using it for covert movement and access.
Data Exfiltration: The attacker exfiltrates sensitive data, taking advantage of the gaps in security visibility.

Impact

Organizations are increasingly vulnerable to rapid data exfiltration due to the expanded attack surface and reliance on endpoint-centric security. The inability to correlate telemetry across diverse IT zones allows attackers to operate undetected, leading to significant data breaches, financial losses, and reputational damage. Unit 42’s research shows that attackers are moving 4x faster to exfiltration, exacerbating the impact of successful intrusions. The attacks target cloud environments, identity systems, and networks, creating a complex threat landscape for security teams to navigate.

Recommendation

Ingest and correlate telemetry from all IT zones (IAM, cloud, OT/IoT, AI workloads) into a single repository, as described in the overview, to eliminate data silos and gain holistic visibility.
Implement User and Entity Behavior Analytics (UEBA) as mentioned in the overview, to detect anomalous behavior indicative of compromised credentials by using a centralized workbench.
Deploy Cortex XSIAM, as discussed in the overview, to leverage AI-driven alert stitching, ML-based incident scoring, and UEBA for automated detection, investigation, and response.
Implement continuous network monitoring and external attack surface management to detect and manage rogue assets, as highlighted in the attack chain.
Evaluate your current visibility through a formal assessment as recommended in the conclusion, to identify gaps in security coverage.

Hickory DNS Recursor Cache Poisoning via Sibling Zone Delegation

hello@craftedsignal.io — Thu, 30 Apr 2026 18:10:58 +0000

The Hickory DNS project’s experimental hickory-recursor crate, now integrated into hickory-resolver under the recursor feature, contains a vulnerability in its DNS record cache (DnsLru). The cache stores records based on the record’s name and type, rather than the originating query. This design flaw allows for cross-zone cache poisoning because the cache_response() function chains ANSWER, AUTHORITY, and ADDITIONAL sections into a single record iterator during insertion. The bailiwick filter uses the zone context of the NS pool that serviced the lookup, leading to improper validation of records from sibling zones. This issue affects all published versions of the experimental hickory-recursor crate prior to its integration into hickory-resolver 0.26.0. Users of the hickory-dns binary configured with the recursor feature are affected.

Attack Chain

Attacker registers the domain attacker.poc. and sets up a malicious nameserver.
Hickory DNS server queries the nameserver for attacker.poc. to build its NS pool.
The attacker’s nameserver responds with an AUTHORITY section that includes a malicious record delegating a sibling zone, such as victim.poc., to ns.evil.poc..
The Hickory DNS server’s bailiwick check incorrectly validates the malicious victim.poc. NS ns.evil.poc. record because victim.poc. is a subdomain of the parent zone poc..
The malicious NS record for victim.poc. is stored in the cache, keyed by (victim.poc., NS).
A client queries the Hickory DNS server for a name within the victim.poc. zone.
Hickory DNS server builds its NS pool for victim.poc. using the poisoned cache entry, directing queries to ns.evil.poc..
The attacker’s nameserver now receives queries intended for the legitimate victim.poc. nameserver, allowing the attacker to intercept and manipulate DNS resolution.

Impact

Successful exploitation of this vulnerability allows an attacker to redirect DNS queries for a target domain to an attacker-controlled nameserver. This can lead to various malicious activities, including phishing attacks, man-in-the-middle attacks, and the distribution of malware. The vulnerability affects any system using Hickory DNS with the recursor feature enabled, potentially impacting a wide range of users relying on the resolver for DNS resolution. If the targeted domain is critical for service delivery (e.g., email, web), the impact could be significant.

Recommendation

Upgrade to hickory-resolver version 0.26.0 or later with the recursor feature enabled to address the vulnerability as described in the advisory (https://github.com/advisories/GHSA-83hf-93m4-rgwq).
If upgrading is not immediately feasible, disable the recursor feature in hickory-dns to prevent exploitation.
Implement monitoring for unexpected NS record changes, focusing on AUTHORITY sections of DNS responses, using a custom rule based on your environment and typical DNS configurations.

Persistence via Windows Installer (Msiexec)

hello@craftedsignal.io — Thu, 05 Sep 2024 14:17:05 +0000

The Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.

Attack Chain

An attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.
The attacker leverages msiexec.exe to create a new scheduled task using the schtasks.exe command, setting it to execute a malicious script or binary.
Alternatively, the attacker uses msiexec.exe in conjunction with reg.exe or PowerShell to modify registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run, adding a pointer to their malicious executable.
The created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.
The system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.
The malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.
The attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.

Impact

Successful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.

Recommendation

Monitor process creation events for msiexec.exe spawning schtasks.exe or reg.exe to create scheduled tasks or modify registry run keys (reference: rules in this brief).
Implement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.
Review and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.
Enable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == “file” and file.path … and event.category == “registry” and registry.path … in the rule query).
Implement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).