https://feed.craftedsignal.io/vendors/pella-corporation/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 14:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-remote-service-install/Wed, 03 Jan 2024 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-remote-service-install/This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.This detection rule identifies a potential lateral movement technique where an attacker establishes a network logon to a Windows system and subsequently installs a service using the same LogonId. This behavior is flagged as suspicious because it deviates from typical administrative practices and can indicate unauthorized access and persistence within the network. The rule is designed to filter out common legitimate services and administrative activities, focusing on anomalies that could signify malicious intent. This detection is crucial for defenders as it can uncover attackers attempting to move laterally and establish persistent access.

Attack Chain

1. An attacker gains initial access to a network via compromised credentials or exploiting a vulnerability.
2. The attacker performs network reconnaissance to identify target systems for lateral movement.
3. Using valid credentials or pass-the-hash techniques, the attacker authenticates to a remote Windows host over the network (e.g., SMB).
4. The attacker attempts to install a new service on the remote host, potentially using tools like sc.exe or PowerShell.
5. The service installation event is logged with a specific LogonId that matches the earlier network logon event, indicating a relationship between the two activities.
6. The newly installed service is configured to execute a malicious payload or establish a reverse shell.
7. The attacker uses the service to execute commands or deploy further malicious tools on the compromised host.
8. The attacker achieves persistence and lateral movement within the network, enabling further compromise and data exfiltration.

Impact

A successful attack using this technique can lead to widespread compromise of systems within a network. Attackers can use the newly installed service to execute arbitrary code, install malware, or move laterally to other systems. This can result in data theft, system disruption, or ransomware deployment. The impact can be significant, potentially affecting numerous systems and causing substantial financial and reputational damage.

Recommendation

• Enable Windows Security Event Logs with necessary auditing policies, specifically Audit Logon and Audit Security System Extension, to capture relevant logon and service installation events.
• Deploy the provided Sigma rules to your SIEM to detect suspicious remote service installations based on matching LogonIds from network logons.
• Investigate any alerts generated by the Sigma rules, focusing on unusual service file paths and user accounts.
• Review the list of excluded service file paths in the Sigma rules and customize them based on your environment’s known legitimate services.
• Monitor network connections for suspicious SMB activity, particularly connections originating from unusual or untrusted sources.
• Implement multi-factor authentication (MFA) to reduce the risk of credential theft and unauthorized network access.

]]>mediumadvisorylateral-movementpersistencewindowshttps://feed.craftedsignal.io/briefs/2024-01-remote-service-execution/Tue, 02 Jan 2024 10:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-remote-service-execution/Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.This detection rule identifies the remote execution of Windows services over Remote Procedure Call (RPC), a technique often employed for lateral movement within a network. The rule focuses on correlating network connections initiated by services.exe with subsequent child process creation events. While this activity can be a legitimate function of administrators using remote management tools, it also represents a potential attack vector. The rule aims to strike a balance between detecting malicious activity and minimizing false positives arising from routine administrative tasks. The detection logic is based on identifying network connections to services.exe followed by the creation of child processes that are not commonly associated with legitimate service management. The rule requires the use of Elastic Defend or Sysmon for adequate logging coverage.

Attack Chain

1. An attacker gains initial access to a system within the network.
2. The attacker attempts to move laterally to other systems.
3. The attacker establishes a connection to the target system’s services.exe process over RPC using a high port (>= 49152).
4. The attacker uses the established RPC connection to create or start a new service on the remote system.
5. The services.exe process on the remote system spawns a child process related to the newly created or started service.
6. This new process executes the attacker’s payload, potentially granting further access or executing malicious commands.
7. The attacker leverages the newly executed service for persistent access or further lateral movement.

Impact

A successful attack could result in unauthorized access to sensitive data, disruption of critical services, or the deployment of ransomware. Lateral movement allows attackers to compromise multiple systems within the network, escalating the impact of the initial breach. Due to the nature of the technique, it can be challenging to distinguish between legitimate administrative activity and malicious actions, leading to delayed detection and increased dwell time for attackers.

Recommendation

• Deploy the provided Sigma rules to your SIEM and tune the filters for known-good executables in your environment to reduce false positives.
• Enable Sysmon process-creation (Event ID 1) and network connection (Event ID 3) logging to ensure the required data for the Sigma rules is available.
• Investigate any alerts triggered by these rules, focusing on the parent process and network connection details associated with the spawned child process.
• Consider excluding known remote management tools from triggering the detection by adding exceptions based on process.executable or process.args in the Sigma rules.
• Monitor the network for unusual RPC activity, especially connections to services.exe from unexpected source IPs.

]]>mediumadvisorylateral-movementexecutionwindows