{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/pdq.com-corporation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["powershell","execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Lenovo","PDQ.com Corporation","Dell Technologies Inc.","Chocolatey Software, Inc","Docker Inc"],"content_html":"\u003cp\u003eAttackers can leverage the PowerShell engine without directly executing \u003ccode\u003epowershell.exe\u003c/code\u003e. This technique, often referred to as \u0026ldquo;PowerShell without PowerShell,\u0026rdquo; involves using the underlying System.Management.Automation namespace. This approach allows attackers to bypass application allowlisting and PowerShell security features, operating more stealthily within a compromised environment. This technique makes detection more challenging, as standard PowerShell execution logs might not capture the activity. The activity is detected by monitoring which processes load the System.Management.Automation.dll or System.Management.Automation.ni.dll libraries. This activity can legitimately happen where vendors have their own PowerShell implementations that are shipped with some products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a custom tool or script on the target system. This tool is designed to interact with the System.Management.Automation namespace directly.\u003c/li\u003e\n\u003cli\u003eThe custom tool loads the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e library into its process space.\u003c/li\u003e\n\u003cli\u003eThe tool uses the loaded PowerShell engine to execute malicious commands or scripts without invoking \u003ccode\u003epowershell.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, such as gathering system information or network configurations, using PowerShell commands.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally within the network, leveraging the PowerShell engine to execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eThe attacker installs malware or backdoors using the PowerShell engine to maintain persistence within the compromised environment.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or causes damage to the system, completing the objectives of the attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging \u0026ldquo;PowerShell without PowerShell\u0026rdquo; can lead to significant compromise of Windows systems. Attackers can bypass traditional security measures, potentially leading to data theft, system disruption, or the installation of persistent malware. The technique\u0026rsquo;s stealthy nature can prolong the time to detection, increasing the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious PowerShell Engine ImageLoad\u003c/code\u003e to your SIEM to detect when the \u003ccode\u003eSystem.Management.Automation.dll\u003c/code\u003e or \u003ccode\u003eSystem.Management.Automation.ni.dll\u003c/code\u003e libraries are loaded by unexpected processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process execution chain (parent process tree) for unknown processes.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection and response (EDR) solutions like Elastic Defend to provide visibility into process behavior and library loading events, activating the \u003ccode\u003eprocess_creation\u003c/code\u003e and \u003ccode\u003eimage_load\u003c/code\u003e log sources.\u003c/li\u003e\n\u003cli\u003eReview and tune exclusions to the Sigma rule based on legitimate vendor applications to reduce false positives.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-suspicious-powershell-imageload/","summary":"This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.","title":"Suspicious PowerShell Engine ImageLoad","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-powershell-imageload/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","file-share","windows"],"_cs_type":"advisory","_cs_vendors":["Veeam Software Group GmbH","Elasticsearch, Inc.","PDQ.com Corporation","CrowdStrike, Inc.","Microsoft","ZOHO Corporation Private Limited","BeyondTrust Corporation","CyberArk Software Ltd","Sophos Ltd","AO Kaspersky Lab","Anthropic, PBC","Adobe Inc.","Netwrix Corporation"],"content_html":"\u003cp\u003eThis detection identifies lateral movement via network file shares by detecting the execution of a file that was recently created by the virtual system process (PID 4), commonly associated with file share operations. Adversaries may leverage network shares to distribute malicious payloads or tools across the network to compromise additional hosts. This technique allows attackers to execute code remotely, expanding their foothold within the environment. The rule focuses on Windows systems and monitors for newly created executable files (e.g., .exe, .scr, .pif, .com) that are then executed. Exceptions are made for known legitimate software vendors and specific file paths to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable (e.g., malware, custom tool) to a network file share. The file creation event is attributed to PID 4.\u003c/li\u003e\n\u003cli\u003eA user or automated process on a remote system accesses the file share.\u003c/li\u003e\n\u003cli\u003eThe malicious executable is copied or accessed from the network share onto the remote system.\u003c/li\u003e\n\u003cli\u003eThe user, either intentionally or through deception, executes the malicious executable.\u003c/li\u003e\n\u003cli\u003eThe executed file initiates malicious activities on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this foothold for further lateral movement, data exfiltration, or other malicious objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation through remote execution via file shares can lead to widespread compromise across the network. Attackers can gain unauthorized access to sensitive data, install backdoors, or deploy ransomware. The impact ranges from data breaches and financial losses to significant disruption of business operations. The severity of the impact depends on the attacker\u0026rsquo;s objectives and the extent of their lateral movement within the environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect suspicious executions of files created by PID 4 on Windows systems.\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file uploads.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events (event.type in (\u0026ldquo;creation\u0026rdquo;, \u0026ldquo;change\u0026rdquo;)) on network shares for unusual activity using file integrity monitoring tools.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the process execution chain and associated network connections.\u003c/li\u003e\n\u003cli\u003eEnrich process creation events (category: process_creation) with code signature information to validate the legitimacy of executed files.\u003c/li\u003e\n\u003cli\u003eUse osquery to retrieve the files\u0026rsquo; SHA-256 hash values using the PowerShell \u003ccode\u003eGet-FileHash\u003c/code\u003e cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-execution-via-file-shares/","summary":"This rule identifies the execution of a file that was created by the virtual system process, potentially indicating lateral movement via network file shares in Windows environments.","title":"Remote Execution via File Shares","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-execution-via-file-shares/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lateral-movement","file-shares","windows"],"_cs_type":"advisory","_cs_vendors":["Veeam Software Group GmbH","Elasticsearch, Inc.","PDQ.com Corporation","CrowdStrike, Inc.","Microsoft","ZOHO Corporation Private Limited","BeyondTrust Corporation","CyberArk Software Ltd","Sophos Ltd","AO Kaspersky Lab","Anthropic, PBC","Adobe Inc.","Netwrix Corporation"],"content_html":"\u003cp\u003eThis detection rule identifies a specific sequence of events that may indicate lateral movement within a Windows environment. The rule focuses on scenarios where a file is created or modified by the \u003ccode\u003eSystem\u003c/code\u003e process (PID 4), which is then subsequently executed. This behavior is often associated with attackers leveraging network file shares to distribute malicious tools or payloads across multiple systems. The rule aims to detect this activity while excluding legitimate software installations or updates by filtering out processes signed by trusted vendors such as Veeam, Elasticsearch, CrowdStrike, and Microsoft. This exclusion is designed to reduce false positives and focus on potentially malicious activity. The rule is designed for data generated by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads a malicious executable (e.g., EXE, SCR, PIF, COM) to a network file share accessible to other systems. The file\u0026rsquo;s header starts with \u003ccode\u003e4d5a\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSystem\u003c/code\u003e process (PID 4) creates or modifies the malicious executable on the target system via the network share. This can happen through normal network file operations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses lateral movement techniques, such as exploiting SMB/Windows Admin Shares, to remotely trigger the execution of the malicious executable on the target system.\u003c/li\u003e\n\u003cli\u003eThe malicious executable begins to execute, initiating attacker-controlled code on the target system.\u003c/li\u003e\n\u003cli\u003eThe process attempts to establish command and control (C2) communication with an external server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system to further propagate within the network, potentially deploying additional malicious tools or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to widespread compromise of systems within the network. Attackers can leverage compromised systems for data theft, deployment of ransomware, or other malicious activities. The impact can range from business disruption and data loss to significant financial damage and reputational harm. Even with trusted vendor exclusions, a determined adversary could still bypass protections, potentially leading to the compromise of critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect remote execution via file shares, and tune exclusions for your specific environment.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend to generate the necessary process and file events for the Sigma rule to function effectively (see \u003ccode\u003elogs-endpoint.events.process-*\u003c/code\u003e, \u003ccode\u003elogs-endpoint.events.file-*\u003c/code\u003e in \u003ccode\u003eindex\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eReview and restrict write access to network shares to minimize the risk of unauthorized file uploads (see \u0026ldquo;Review the privileges needed to write to the network share\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine the legitimacy of the activity and take appropriate remediation steps.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on network shares to detect unauthorized file modifications or additions.\u003c/li\u003e\n\u003cli\u003eUse threat intelligence platforms to enrich file hash values and identify known malicious files.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-remote-execution-file-shares/","summary":"The rule identifies the execution of a file created by the virtual system process, potentially indicating lateral movement via network file shares, by detecting a sequence of file creation/modification followed by process execution, excluding trusted vendors.","title":"Remote Execution via File Shares","url":"https://feed.craftedsignal.io/briefs/2024-01-remote-execution-file-shares/"}],"language":"en","title":"CraftedSignal Threat Feed — PDQ.com Corporation","version":"https://jsonfeed.org/version/1.1"}