https://feed.craftedsignal.io/vendors/solarwinds/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 09 Jan 2024 14:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-09-system-account-discovery/Tue, 09 Jan 2024 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-09-system-account-discovery/The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.This detection rule identifies instances where the SYSTEM account is used to execute account discovery utilities, such as whoami.exe and net1.exe. This behavior is commonly observed after an attacker has successfully achieved privilege escalation within a Windows environment, or after exploiting a web application. The rule is designed to detect post-exploitation discovery activity where an adversary attempts to gain situational awareness by enumerating accounts and system information using the elevated SYSTEM context. The rule leverages data from Elastic Defend and Sysmon Event ID 1 to identify these behaviors, helping defenders spot potential privilege escalation and lateral movement attempts. The original rule was created 2020/03/18 and updated 2026/05/04.

Attack Chain

1. An attacker gains initial access to a system, potentially through exploiting a vulnerability in a web application or through phishing.
2. The attacker escalates privileges to the SYSTEM account, possibly by exploiting a local privilege escalation vulnerability.
3. The attacker executes whoami.exe or net1.exe via the SYSTEM account to enumerate user accounts and gather system information.
4. The whoami.exe or net1.exe process is spawned by a parent process such as a web server process (e.g., w3wp.exe) or a service process.
5. The attacker uses the discovered account information to plan further actions, such as lateral movement or credential theft.
6. The attacker may use net1.exe to query domain information.
7. The attacker leverages the gained information to identify valuable targets within the network.
8. The final objective is often data exfiltration, deployment of ransomware, or further compromise of the network.

Impact

A successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Although this rule has low severity, the execution of discovery commands by the SYSTEM account can be a critical indicator of compromise. Early detection of such activity can prevent more severe damage.

Recommendation

• Deploy the provided Sigma rules to detect account discovery commands executed via the SYSTEM account and tune for your environment.
• Enable Sysmon process creation logging (Event ID 1) to ensure the necessary data is available for detection.
• Investigate any alerts generated by these rules, focusing on the process execution chain to identify the source of the SYSTEM account usage.
• If the process tree includes a web-application server process, investigate suspicious file creation or modification to assess for webshell backdoors.
• Review and harden web application security to prevent initial access and privilege escalation.

]]>lowadvisorydiscoveryprivilege-escalationwindowshttps://feed.craftedsignal.io/briefs/2024-01-solarwinds-child-process/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-solarwinds-child-process/Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.This detection rule identifies suspicious child processes initiated by SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, excluding known legitimate operations. Adversaries may exploit the trusted SolarWinds processes to execute unauthorized programs with elevated privileges, bypassing security controls. The rule focuses on Windows systems and is designed to detect activity indicative of post-compromise actions following a supply chain attack. This detection is crucial for organizations that utilize SolarWinds software, as malicious actors could leverage compromised SolarWinds installations to gain unauthorized access and execute arbitrary code within the network.

Attack Chain

1. Initial compromise of the SolarWinds software supply chain (T1195.002).
2. Malicious code is injected into SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.
3. The compromised SolarWinds process spawns a suspicious child process.
4. The child process executes a malicious command or binary, attempting to evade detection.
5. The child process leverages Native APIs (T1106) to perform privileged actions.
6. Lateral movement or data exfiltration may occur from the compromised host.

Impact

A successful attack can lead to the execution of arbitrary code on systems running SolarWinds software. This can result in data theft, system compromise, and further propagation of the attack throughout the network. Organizations in various sectors utilizing SolarWinds products are potentially at risk. The impact may include loss of sensitive data, disruption of critical services, and reputational damage.

Recommendation

• Deploy the Sigma rule Suspicious SolarWinds Child Process - CommandLine to detect potentially malicious child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.
• Deploy the Sigma rule Suspicious SolarWinds Child Process - Executable to detect execution of unusual executables as child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.
• Enable process creation logging with command line details on Windows systems to ensure the Sigma rules have sufficient data.
• Review and tune the rules for false positives based on legitimate SolarWinds child processes in your environment, updating the exclusion lists in the rules accordingly, referencing the “false_positives” section in the rule description.

]]>mediumadvisorysupply-chainexecutionsolarwindshttps://feed.craftedsignal.io/briefs/2024-01-solarwinds-service-disable/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-solarwinds-service-disable/A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.This threat brief focuses on the detection of SolarWinds processes attempting to disable services by modifying their registry start type. This activity is associated with defense evasion tactics, potentially linked to initial access via supply chain compromise, similar to the SUNBURST campaign. The behavior involves SolarWinds binaries, such as SolarWinds.BusinessLayerHost*.exe and NetFlowService*.exe, manipulating registry entries related to service start configurations. This technique can be used to impair or disable security tools and services, allowing attackers to operate more freely within a compromised environment.

Attack Chain

1. Initial compromise of the SolarWinds Orion platform, potentially through a supply chain attack.
2. Deployment of a malicious module or payload within the SolarWinds environment.
3. Execution of a SolarWinds process, such as SolarWinds.BusinessLayerHost*.exe.
4. The SolarWinds process modifies the registry to change the start type of a service.
5. The registry modification targets the HKLM\SYSTEM\ControlSet*\Services\*\Start path.
6. The Start value is set to “4” or “0x00000004”, which disables the targeted service.
7. Disabling critical security services allows the attacker to evade detection and further compromise the system.
8. Attacker achieves persistence and performs lateral movement, exfiltrating data or deploying ransomware.

Impact

Successful exploitation can lead to the disabling of critical security services, such as antivirus, endpoint detection and response (EDR) agents, or other monitoring tools. This can significantly reduce the visibility of malicious activity within the network, potentially leading to data breaches, ransomware deployment, or other severe security incidents. The SolarWinds supply chain compromise affected numerous organizations globally, underscoring the potential impact of this type of attack.

Recommendation

• Deploy the Sigma rule SolarWinds Process Disabling Services via Registry to your SIEM to detect registry modifications by SolarWinds processes aimed at disabling services.
• Enable Sysmon registry event logging to provide the necessary data for the Sigma rule to function effectively.
• Review and harden access controls for SolarWinds processes to restrict their ability to modify critical system settings.
• Investigate any alerts generated by the Sigma rule, focusing on the affected service and the timeline of events surrounding the registry modification.
• Utilize threat intelligence platforms to stay informed about known SolarWinds-related attack patterns and indicators of compromise (IOCs).
• Monitor endpoints for unusual behavior by SolarWinds processes, including network connections, file modifications, and process creations.

]]>mediumadvisorysolarwindsdefense-evasionregistry-modificationsupply-chain