Splunk — CraftedSignal Threat Feed

Potential Evasion via Windows Filtering Platform Blocking Security Software

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

The Windows Filtering Platform (WFP) provides APIs and system services for network filtering and packet processing. Attackers can abuse WFP by creating malicious rules to block endpoint security processes, hindering their ability to send telemetry. This can be achieved by tools like Shutter, EDRSilencer, and Nighthawk. This detection rule identifies patterns of blocked network events linked to security software processes, signaling potential evasion tactics. The rule specifically looks for blocked network events linked to processes associated with known security software, aiming to detect and alert on attempts to disable or modify security tools. This behavior is especially concerning as it allows attackers to operate with reduced visibility.

Attack Chain

Attacker gains initial access to the target system (e.g., via compromised credentials or exploiting a vulnerability).
The attacker escalates privileges to gain administrative rights, necessary to interact with the Windows Filtering Platform.
The attacker uses a tool or script (e.g., leveraging the netsh command or custom WFP API calls) to create a new WFP filter.
The WFP filter is configured to block network traffic originating from specific processes associated with endpoint security software (e.g., elastic-agent.exe, sysmon.exe).
The system begins blocking network communication from the targeted security software.
The attacker executes malicious commands or malware on the system, knowing that security telemetry will be suppressed.
The attacker moves laterally within the network, repeating the WFP filter deployment on other systems to further impair defenses.
The attacker achieves their final objective, such as data exfiltration or ransomware deployment, with reduced risk of detection.

Impact

A successful attack using WFP to impair defenses can lead to a significant reduction in the effectiveness of endpoint security solutions. This can result in delayed detection of malicious activities, increased dwell time for attackers, and ultimately, a higher likelihood of successful data breaches or ransomware attacks. With endpoint telemetry blocked, organizations may remain unaware of the ongoing compromise until significant damage has occurred. The number of affected systems can vary depending on the attacker’s scope and objectives.

Recommendation

Enable and review Windows Audit Filtering Platform Connection and Packet Drop events to populate the logs required for the provided EQL rule (logs-system.security*, logs-windows.forwarded*, winlogbeat-*).
Deploy the provided EQL rule to your SIEM to detect suspicious WFP modifications and tune for your environment.
Investigate any alerts generated by the EQL rule, focusing on identifying the specific processes being blocked and the source of the WFP rule modifications.
Regularly review and audit WFP rules to identify any unauthorized or suspicious entries.
Implement strict access controls and monitoring for systems authorized to modify WFP rules.

Detection of Wevtutil.exe Used to Disable Event Logs

hello@craftedsignal.io — Thu, 04 Jan 2024 16:30:00 +0000

Attackers, particularly ransomware groups, often disable or manipulate event logs to cover their tracks and hinder forensic investigations. This activity typically occurs post-compromise as part of an attacker’s defense evasion strategy. The use of wevtutil.exe, a legitimate Windows command-line utility, makes this technique challenging to detect without specific monitoring. Ransomware actors disable logging to operate undetected, making it difficult for security teams to trace malicious activities and respond effectively. This can prolong the dwell time of the attacker within the environment and increase the potential for widespread damage, data exfiltration, or system encryption.

Attack Chain

Initial access is gained through typical methods like phishing or exploiting public-facing vulnerabilities.
The attacker executes code on the compromised system, achieving initial foothold.
Privilege escalation techniques are employed to gain elevated permissions (e.g., using exploits, token manipulation).
The attacker uses wevtutil.exe with specific commands to disable or clear event logs. Example commands include wevtutil.exe sl false or wevtutil.exe set-log /enabled:false.
The attacker disables specific event channels to remove evidence of their activity.
Persistence mechanisms are established to maintain access across reboots (e.g., creating scheduled tasks, modifying registry keys).
Lateral movement is initiated to compromise additional systems within the network using tools like PsExec or SMB shares.
The final objective, such as ransomware deployment or data exfiltration, is executed, with logging disabled to minimize the chances of detection.

Impact

Successful disabling of event logs allows attackers to operate undetected, hindering forensic investigations and incident response efforts. This can lead to delayed detection of breaches, prolonged dwell time for attackers, and increased damage to affected organizations. Ransomware groups frequently use this technique to maximize the impact of their attacks, resulting in data encryption, exfiltration, and significant financial losses.

Recommendation

Enable Sysmon process creation logging (Event ID 1) to detect the execution of wevtutil.exe with suspicious parameters.
Deploy the Sigma rules provided below to your SIEM to detect specific command-line arguments used to disable event logs.
Monitor Windows Event Log Security (4688) for process creation events of wevtutil.exe with arguments related to disabling or clearing logs.
Investigate any instances where wevtutil.exe is executed with parameters like sl or set-log and /e:false or /enabled:false in the command line, as highlighted in the provided Sigma rules.

PowerShell P/Invoke Process Injection API Chain Detection

hello@craftedsignal.io — Wed, 03 Jan 2024 18:23:00 +0000

This detection identifies PowerShell scripts leveraging the P/Invoke (Platform Invoke) technology to perform process injection. P/Invoke allows managed code (like PowerShell) to call unmanaged functions exported from DLLs, including critical Windows API functions. Attackers use this to inject malicious code into legitimate processes for evasion and persistence. The detection focuses on identifying specific API chains commonly used in process injection techniques, such as allocating memory in a target process (VirtualAlloc), writing malicious code into the allocated memory (WriteProcessMemory), and executing the injected code (CreateRemoteThread). This activity is often associated with malware deployment, privilege escalation, and defense evasion. The detection logic is designed to identify these API chains either at the compile phase using Add-Type or during the execution phase, alerting on suspicious PowerShell behavior.

Attack Chain

Attacker gains initial access to the system, potentially through phishing or exploiting a vulnerability.
PowerShell is invoked to execute a malicious script.
The PowerShell script uses Add-Type and DllImport to declare external functions from Windows DLLs, including kernel32.dll and ntdll.dll.
The script uses functions such as OpenProcess to gain a handle to a target process.
VirtualAllocEx is called to allocate memory within the target process.
WriteProcessMemory is used to write malicious code into the allocated memory region of the target process.
CreateRemoteThread is called to create a new thread within the target process, pointing to the injected code.
The injected code executes within the context of the target process, achieving code execution and potential privilege escalation.

Impact

Successful process injection allows attackers to execute arbitrary code within the context of a trusted process, bypassing security controls and potentially gaining elevated privileges. This can lead to data theft, system compromise, or further propagation within the network. The use of PowerShell and P/Invoke makes detection more challenging, as the activity can blend in with legitimate system administration tasks. A successful attack could lead to the deployment of a VIP Keylogger or other malware, as noted in the provided references.

Recommendation

Enable PowerShell Script Block Logging (Event ID 4104) to provide the necessary data for detection (data_source).
Deploy the Sigma rule PowerShell PInvoke Process Injection to your SIEM and tune the rule to your environment (rules).
Investigate any alerts generated by the Sigma rule, focusing on the specific API chains identified in the detection section of the rule.
Review PowerShell execution policies and restrict the execution of unsigned scripts to reduce the attack surface.

Suspicious PowerShell Script Using Cryptography Namespace

hello@craftedsignal.io — Wed, 03 Jan 2024 18:00:00 +0000

This threat brief focuses on detecting suspicious PowerShell activity involving the System.Security.Cryptography namespace, excluding common hashing algorithms like SHA and MD5. The detection leverages Windows PowerShell Script Block Logging (EventCode 4104) to identify scripts using cryptographic functions. This is significant because malware often uses cryptography to decrypt or decode additional malicious payloads, which can lead to further code execution, privilege escalation, or persistence within the compromised environment. The technique is commonly used by malware families like AsyncRAT, XWorm, and VIP Keylogger. Defenders should investigate the parent process of such scripts, the decrypted data, network connections established by the script, and the user context in which the script is executed.

Attack Chain

An attacker gains initial access to a system, possibly through phishing or exploiting a vulnerability.
The attacker executes a PowerShell script on the compromised system.
The PowerShell script utilizes the System.Security.Cryptography namespace to perform cryptographic operations.
The script decrypts or decodes a malicious payload (e.g., a second-stage executable or configuration file).
The decrypted payload is written to disk or loaded directly into memory.
The attacker executes the decrypted payload, potentially establishing persistence via registry keys or scheduled tasks.
The malware leverages the established persistence mechanism for long-term access.
The attacker performs malicious actions such as data exfiltration, lateral movement, or remote command execution.

Impact

Successful exploitation allows attackers to bypass security measures by hiding malicious code within encrypted payloads. This can lead to data theft, system compromise, and further propagation within the network. Malware families like AsyncRAT, XWorm, and VIP Keylogger use this technique to maintain persistence and perform malicious activities undetected. The impact can range from individual workstation compromise to large-scale data breaches depending on the attacker’s objectives and the compromised system’s role within the organization.

Recommendation

Enable PowerShell Script Block Logging on all endpoints to generate the necessary logs (EventCode 4104) for detection.
Deploy the Sigma rule Detect Suspicious PowerShell Cryptography Namespace Usage to your SIEM to detect the described activity.
Investigate any alerts generated by the Sigma rule by examining the parent process, decrypted data, network connections, and the user executing the script.
Review and tune the Sigma rule Detect Suspicious PowerShell Cryptography Namespace Usage based on your environment’s specific needs and known-good PowerShell usage to reduce false positives.
Implement application control policies to restrict the execution of unsigned or untrusted PowerShell scripts.

Non-Firefox Process Accessing Firefox Profile Directory

hello@craftedsignal.io — Wed, 03 Jan 2024 15:22:32 +0000

This detection focuses on identifying unauthorized access to Firefox profile directories. The Firefox profile directory stores sensitive user data, including login credentials, browsing history, and cookies. When a non-Firefox process accesses this directory, it could be an indicator of malicious activity, such as a Remote Access Trojan (RAT) or other malware attempting to steal user information. The analytic leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This is relevant because successful credential theft can lead to account compromise, data breaches, and further propagation of malware within the network. The threat encompasses a broad range of malware families, including stealers (Azorult, RedLine Stealer, 0bj3ctivity Stealer), RATs (Remcos, Quasar RAT, Warzone RAT), keyloggers (Snake Keylogger, VIP Keylogger), and other malware like DarkGate, NjRAT, AgentTesla, and Lokibot. The activity has been observed in campaigns such as CISA AA23-347A and the 3CX Supply Chain Attack.

Attack Chain

The user executes a malicious file, potentially delivered via phishing or drive-by download (not covered in source).
The malicious file executes and establishes persistence on the system.
The malware attempts to access the Firefox profile directory, located at *\AppData\Roaming\Mozilla\Firefox\Profiles*.
Windows Security Event 4663 is generated, logging the access attempt to the Firefox profile directory.
The malware reads sensitive data, such as login credentials, cookies, and browsing history, from the profile directory.
The stolen data is exfiltrated to a command-and-control (C2) server.
The attacker uses the stolen credentials to gain unauthorized access to user accounts and sensitive systems.

Impact

Successful exploitation and credential theft can lead to a wide range of negative outcomes, including unauthorized access to sensitive data, financial fraud, and further compromise of systems within the organization. The impact can range from individual user account compromise to large-scale data breaches affecting thousands of users. Industries heavily reliant on web-based applications and sensitive user data, such as finance, healthcare, and e-commerce, are particularly vulnerable. The consequences include financial losses, reputational damage, and legal liabilities.

Recommendation

Enable “Audit Object Access” in Group Policy and configure it to log both success and failure events for object access to activate the underlying log source required for this detection.
Deploy the provided Sigma rule to your SIEM to detect non-Firefox processes accessing Firefox profile directories.
Investigate any alerts generated by the Sigma rule, paying close attention to the ProcessName and ObjectName to identify potentially malicious processes and the specific profile data being accessed.
Review and update your organization’s security policies to restrict unauthorized access to sensitive user data.

Windows Time-Based Evasion via Choice Exec

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This brief focuses on the detection of choice.exe being used within batch files as a time-delay tactic, a technique notably employed by the SnakeKeylogger malware. The analysis leverages data from Endpoint Detection and Response (EDR) agents, scrutinizing process names and command-line executions. This behavior is significant because it suggests the implementation of time-based evasion techniques designed to circumvent detection mechanisms. Successful evasion could enable attackers to execute malicious code covertly, remove incriminating files, and establish persistent access on compromised systems. The use of choice.exe for such purposes warrants immediate investigation by security operations center (SOC) analysts due to the potential for significant system compromise and data exfiltration.

Attack Chain

The attacker gains initial access via an unknown vector.
A batch script is executed on the target system.
The batch script uses choice.exe with the /T and /N parameters to introduce a time delay. The /T parameter specifies a timeout period, and the /N parameter suppresses the display of choices.
This delay allows the malware to evade time-sensitive detection mechanisms.
After the delay, the script executes further commands, potentially downloading and executing a payload.
The payload executes, installing a keylogger such as SnakeKeylogger or 0bj3ctivity Stealer.
The keylogger captures sensitive information such as keystrokes and clipboard data.
The stolen data is exfiltrated to a remote server.

Impact

Compromised systems can lead to data theft, intellectual property loss, and financial fraud. SnakeKeylogger and similar malware have been used to steal credentials and sensitive information from various targets. Successful exploitation could result in significant financial losses, reputational damage, and legal liabilities. The number of victims and the extent of the damage depend on the attacker’s objectives and the compromised systems’ value.

Recommendation

Deploy the Sigma rule Detect Choice.exe Time Delay to your SIEM to detect the use of choice.exe with time-delay parameters (log source: process_creation).
Enable Sysmon process creation logging (Event ID 1) to capture the necessary process execution data for the Sigma rule.
Investigate any instances of choice.exe being used with the /T and /N parameters to determine if it is part of a malicious script.
Block the execution of unsigned or untrusted batch scripts to prevent the initial execution of the malicious code.
Monitor endpoint activity for suspicious processes and network connections originating from systems where choice.exe has been detected.

Windows Service Security Descriptor Tampering via sc.exe

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This analytic detects changes in a service’s security descriptor where a new deny ACE (Access Control Entry) has been added using sc.exe. The sc.exe utility is a command-line tool used for managing Windows services. Adversaries can use sc.exe with the sdset flag to modify the security descriptor of a service, adding a deny ACE to specific groups (e.g., Authenticated Users, Built-in Administrators, System). This can lead to privilege escalation by preventing legitimate administrators or services from managing the tampered service. The Sophos Glupteba report highlights similar techniques used for defense evasion. This activity is related to MITRE ATT&CK T1564.

Attack Chain

The adversary gains initial access to the target system.
The adversary identifies a target service with desirable characteristics for manipulation.
The adversary executes sc.exe with the sdset command to modify the service’s security descriptor.
The sdset command includes a new deny ACE targeting specific groups like “Authenticated Users” (IU), “Built-in Administrators” (BA), or “SYSTEM” (SY).
The new ACE denies specific permissions (e.g., service start, stop, modify) to the targeted groups.
Legitimate administrators or services are now unable to manage the tampered service due to the deny ACE.
The adversary escalates privileges by exploiting the now-unmanaged service or disabling security products.

Impact

Successful exploitation allows adversaries to hinder or disable critical security services and gain persistence on the compromised endpoint. By adding deny ACEs to service security descriptors, attackers can effectively blind defenses, prevent remediation efforts, and potentially escalate privileges by abusing the tampered service. This can lead to full system compromise and data exfiltration.

Recommendation

Enable process creation logging with command line arguments via Sysmon or Windows Event Logging (Security 4688) to capture sc.exe executions.
Deploy the Sigma rule Detect Suspicious sc.exe sdset Execution to identify suspicious sc.exe commands modifying service security descriptors.
Investigate any detected instances of sc.exe modifying service security descriptors, especially those targeting sensitive services or using the “sdset” command with deny ACEs.
Tune the Sigma rule by adding legitimate applications (e.g., McAfee products) to the filter list to reduce false positives.

Suspicious MSIExec Remote Download

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

The detection focuses on identifying instances where msiexec.exe is used with an HTTP or HTTPS URL in the command line. This behavior is indicative of an attempt to download and execute potentially malicious software from a remote server. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant as it may indicate an attempt to download and execute potentially malicious software from a remote server. If confirmed malicious, this could lead to unauthorized code execution, system compromise, or further malware deployment within the network. The activity is often used to bypass traditional security controls.

Attack Chain

An attacker gains initial access through various means, such as phishing or exploiting a software vulnerability.
The attacker leverages msiexec.exe, a legitimate Windows utility, to download a malicious MSI package from a remote HTTP or HTTPS server.
The command line includes a URL pointing to a malicious MSI file hosted on a compromised or attacker-controlled server.
msiexec.exe downloads the MSI package to the victim’s machine.
The MSI package is executed, potentially installing malware, creating new files, or modifying system settings.
The installed malware establishes persistence through registry keys or scheduled tasks.
The malware initiates command and control (C2) communication to receive further instructions.
The attacker performs actions on the objective such as data exfiltration or lateral movement within the compromised network.

Impact

Successful exploitation can lead to unauthorized code execution, system compromise, or further malware deployment within the network. The use of msiexec.exe for remote downloads can bypass traditional security controls, allowing attackers to deliver and execute malicious payloads undetected. The dfirreport.com article references data exfiltration following exploitation via MSIExec.

Recommendation

Enable Sysmon process-creation logging to activate the rules below, capturing command-line details (Sysmon EventID 1).
Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
Monitor network traffic for connections originating from msiexec.exe to external HTTP/HTTPS URLs (Network Visibility Module Flow Data).
Investigate any instances of msiexec.exe executing with command-line arguments containing HTTP or HTTPS URLs.
Filter false positives by destination or parent process as needed based on your environment.

Suspicious Child Processes Spawned by WScript or CScript

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This detection identifies suspicious child processes spawned by Windows Script Host (WScript) or CScript. Adversaries commonly leverage WScript and CScript to execute malicious scripts, LOLBINs (Living Off The Land Binaries), and PowerShell, or inject code into suspended processes as a form of defense evasion. While some legitimate scripts may utilize tools detected by this analytic, it serves as a valuable indicator that a script may be executing suspicious code. Notably, the WhisperGate malware and campaigns by FIN7 have employed similar techniques. This activity has been observed since at least 2022, and continues to be relevant for defenders.

Attack Chain

A user (unknowingly or through social engineering) executes a malicious script.
The malicious script is interpreted by either wscript.exe or cscript.exe.
The script executes a LOLBIN such as regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe.
The LOLBIN executes further commands or downloads additional payloads. Certutil.exe may be used to decode and install malicious binaries.
The attacker gains control over the compromised system.
The attacker uses the compromised system as a pivot for lateral movement.
The attacker attempts to escalate privileges and establish persistence.
The attacker may exfiltrate data or deploy ransomware.

Impact

Successful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across various sectors are vulnerable, as this technique is commonly used by both commodity malware and advanced persistent threat (APT) groups. The WhisperGate malware targeting Ukrainian organizations in 2022 demonstrated the destructive potential of this technique.

Recommendation

Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (4688) to capture process execution events necessary for the provided rules.
Deploy the Sigma rule Suspicious Child Processes Spawned by WScript or CScript to your SIEM to detect suspicious child processes. Tune the rule based on your environment’s baseline activity, filtering out any legitimate use cases.
Investigate any alerts generated by this rule, focusing on the parent and child processes involved and the commands executed.
Monitor endpoint logs for unusual or unexpected process executions originating from WScript or CScript.
Block execution of the LOLBINs (regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe) if they are not required in your environment.

Attrib.exe Used to Hide Files and Directories

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This threat brief focuses on the abuse of the native Windows utility attrib.exe to hide files and directories. Attackers use this technique to conceal malicious payloads, tools, or command-and-control infrastructure from both users and security software. By setting the hidden attribute (+h flag), attackers make it more difficult to detect their presence and maintain persistence on compromised systems. This activity is typically observed post-exploitation and can be indicative of more advanced persistent threats. The detection specifically looks for attrib.exe command-line arguments including the “+h” flag. While legitimate uses of attrib.exe exist, the use of the ‘+h’ flag, particularly in sensitive directories, should be investigated.

Attack Chain

The attacker gains initial access to the system, often through phishing, exploiting a vulnerability, or compromised credentials.
The attacker executes arbitrary code on the compromised system.
The attacker uploads or creates malicious files (e.g., backdoors, scripts) on the system.
The attacker uses attrib.exe with the “+h” flag to hide these malicious files and directories, evading detection. Example: attrib +h C:\Windows\Temp\evil.exe
The attacker may also hide associated log files or other artifacts to further conceal their activities.
The attacker establishes persistence, ensuring continued access even after system reboots.
The attacker moves laterally within the network, compromising additional systems and escalating privileges.
The attacker achieves their objective, which may include data theft, ransomware deployment, or espionage.

Impact

Successful exploitation allows attackers to hide malicious files and directories, hindering incident response and forensic investigations. This can lead to prolonged periods of undetected malicious activity, increasing the risk of data breaches, financial loss, and reputational damage. The consequences can range from minor disruptions to significant operational impact, depending on the attacker’s objectives and the scope of the compromise.

Recommendation

Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious usage of attrib.exe with the ‘+h’ flag.
Enable process-creation logging with command-line arguments on Windows endpoints to ensure the detection rules can be effectively applied (Sysmon Event ID 1 or Windows Event Log Security 4688).
Investigate any alerts generated by the Sigma rules, paying close attention to the parent processes and the context in which attrib.exe is being executed.
Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized file modifications, including attribute changes.

MSIExec Spawning Discovery Commands

hello@craftedsignal.io — Wed, 03 Jan 2024 14:30:00 +0000

This detection focuses on identifying suspicious behavior where msiexec.exe, a legitimate Windows utility for installing, uninstalling, and configuring software, is used to spawn multiple discovery commands. This activity is often associated with attackers attempting to gather system information, enumerate the network, and identify potential targets for lateral movement. The technique is typically observed post-compromise, after initial access has been achieved through other means. This behavior matters to defenders as it is a key indicator of malicious activity and potential privilege escalation or data exfiltration attempts. The detection leverages Endpoint Detection and Response (EDR) data, specifically process creation events, to identify instances where msiexec.exe is the parent process of common discovery tools.

Attack Chain

An attacker gains initial access to the system through a vulnerability, phishing, or other means.
The attacker leverages msiexec.exe to execute discovery commands.
msiexec.exe spawns processes such as ipconfig.exe, net.exe, systeminfo.exe, or wmic.exe to gather network configuration, user information, and system details.
The attacker uses commands within cmd.exe or powershell.exe to execute the discovery commands. For example, cmd.exe /c ipconfig /all or powershell.exe Get-NetIPConfiguration.
The attacker filters the output of these commands to identify valuable information such as domain names, user accounts, and system architecture.
The attacker uses the gathered information to identify potential targets for lateral movement and privilege escalation.
The attacker attempts to move laterally to other systems using stolen credentials or exploits.

Impact

Successful exploitation of this technique can lead to a comprehensive understanding of the compromised environment. Attackers can leverage gathered information to escalate privileges, move laterally to other systems, and ultimately exfiltrate sensitive data or deploy ransomware. The impact could range from a single compromised workstation to a complete network breach, depending on the scope of the attacker’s activity.

Recommendation

Enable process monitoring and command-line logging on all endpoints to capture the necessary data for detection.
Deploy the Sigma rule MSIExec Spawning Discovery Commands to your SIEM and tune it to your environment.
Investigate any instances of msiexec.exe spawning multiple discovery commands, as this behavior is unusual in normal system operations.
Implement least privilege principles to limit the impact of compromised accounts and prevent lateral movement.

Suspicious Process Accessing Browser Password Store

hello@craftedsignal.io — Wed, 03 Jan 2024 14:22:00 +0000

This threat brief focuses on detecting unauthorized access to browser password stores, a technique commonly employed by credential-stealing malware such as Snake Keylogger. These attackers aim to exfiltrate sensitive information, including stored credentials and browsing history, by accessing browser user data profiles. This activity is detected by monitoring Windows Security Event logs (EventCode 4663) and comparing process access patterns against an expected list of browser applications via the browser_app_list lookup table. The detection identifies processes that are not recognized as legitimate browser applications but are attempting to access browser user data. This technique has been observed in trojan stealers, where credential access is a key component of their information-gathering strategy. This method allows defenders to quickly pivot and discover potentially malicious processes on the system, such as credential stealers.

Attack Chain

A user downloads and executes a malicious file, often disguised as a legitimate application or document.
The malicious file executes, dropping a stealer component into the system.
The stealer process initiates an attempt to access browser user data profiles.
Windows generates a Security Event Log (EventCode 4663) when the stealer attempts to access a browser data file.
The detection analytic identifies processes accessing the browser data folder not present in the browser_app_list lookup file.
The stealer process reads sensitive information, such as usernames, passwords, and browsing history, from the accessed files.
The collected data is staged for exfiltration, potentially compressed or encrypted.
The stolen credentials and information are exfiltrated to a command-and-control server.

Impact

Successful exploitation leads to the theft of user credentials, potentially granting attackers unauthorized access to sensitive accounts and systems. This can result in data breaches, financial loss, and reputational damage. The Snake Keylogger, for example, is known to target credentials, potentially impacting a wide range of users and organizations. Other stealers like Meduza Stealer, 0bj3ctivity Stealer, and BlankGrabber Stealer also utilize similar techniques, showing the widespread impact. The impact spans across various sectors, as credential theft is a generic attack applicable to almost any environment.

Recommendation

Enable Windows Security Event Logging, specifically event code 4663, with auditing enabled for both success and failure events, to capture object access attempts (reference: search description).
Populate and maintain the browser_app_list lookup table with known and allowed browser processes and their associated paths (reference: search description).
Deploy the provided Sigma rule to your SIEM to detect anomalous processes accessing browser password stores, and tune it for your specific environment (reference: rules).
Investigate any alerts generated by the Sigma rule to identify potentially compromised systems and user accounts (reference: rules).

Windows Remote Desktop Network Bruteforce Attempt

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. It detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity. This activity can lead to account compromise and potential ransomware deployment.

Attack Chain

The attacker scans the network to identify systems with open RDP ports (TCP 3389).
The attacker initiates multiple RDP connection attempts to a target host, using a list of common usernames and passwords or compromised credentials.
The firewall logs each connection attempt, recording the source and destination IPs, ports, and timestamps.
Sysmon logs the network connections with Event ID 3.
The attacker continues to attempt connections, typically exceeding 10 attempts within an hour.
Upon successful authentication, the attacker gains unauthorized access to the target system.
The attacker may then install malware, move laterally, or exfiltrate sensitive data.
The attacker might deploy ransomware like SamSam or Ryuk, as referenced in external reports.

Impact

Successful RDP brute force attacks can lead to unauthorized access to systems, data breaches, malware infections, and ransomware deployment. Compromised systems can be used as a staging point for further attacks within the network. The references indicate that ransomware attacks have been delivered using RDP brute-force techniques.

Recommendation

Ensure network traffic data is populating the Network_Traffic data model to enable the provided search query.
Deploy the Sigma rule RDP Bruteforce via Network Traffic to detect brute force attempts based on network connection patterns.
Adjust the count and duration thresholds in the detection query to tune the sensitivity for your environment.
Investigate source IPs identified by the detection rule as potential attackers.
Monitor Sysmon EventID 3 for network connections to detect RDP brute-force attempts.
Review the referenced Zscaler and ReliaQuest articles for additional context and mitigation strategies.

Windows Netsh Tool Used for Firewall Discovery

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection focuses on identifying instances where the netsh.exe utility is used to query firewall configurations on a Windows system. While netsh.exe is a legitimate tool for network configuration, adversaries can leverage it to gather information about firewall rules and settings. This information can then be used to plan further attacks, such as bypassing firewall restrictions or identifying vulnerable network services. This activity is typically seen during the reconnaissance phase of an attack. The scope of this detection covers any Windows environment where Endpoint Detection and Response (EDR) logs are available.

Attack Chain

An attacker gains initial access to a compromised system through various means, such as phishing or exploiting a vulnerability.
The attacker executes netsh.exe with specific commands to enumerate firewall rules and configurations (e.g., netsh firewall show state, netsh firewall show config).
The netsh.exe process retrieves the requested firewall information from the Windows operating system.
The collected firewall information is parsed to identify potential weaknesses or misconfigurations.
The attacker uses the gathered information to modify existing firewall rules or create new rules to allow unauthorized access.
The attacker leverages the modified firewall configuration to establish a covert communication channel or to move laterally within the network.
The attacker attempts to exfiltrate sensitive data or deploy ransomware.

Impact

Successful exploitation can lead to unauthorized network access, data exfiltration, or the deployment of ransomware. The enumeration of firewall configurations can provide attackers with valuable insights into the network’s security posture, enabling them to bypass security controls and compromise critical assets. This can result in significant financial losses, reputational damage, and disruption of business operations.

Recommendation

Deploy the Sigma rule Detect Suspicious Netsh Firewall Discovery to your SIEM and tune for your environment to detect netsh.exe executions with firewall discovery commands.
Enable Sysmon process-creation logging (Event ID 1) to capture the necessary command-line details.
Investigate any identified instances of netsh.exe being used to query firewall settings, especially when initiated from unusual processes or user accounts.
Monitor parent-child process relationships to identify suspicious process spawning, as highlighted by the Processes.parent_process_name field.
Review firewall configurations regularly to identify and remediate any misconfigurations or overly permissive rules.

Windows Files and Dirs Access Rights Modification via Icacls

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This analytic detects the modification of file and directory security permissions through command-line tools like icacls.exe, cacls.exe, and xcacls.exe. These tools are legitimate Windows utilities but are often abused by threat actors, including APT groups and coinminer scripts, to evade detection, maintain persistence, and hinder incident response. The detection focuses on command-line arguments indicating modifications to access rights (e.g., granting full control or modifying permissions). Detecting this activity is crucial as it can lead to unauthorized access, data exfiltration, and system compromise, ultimately impeding remediation efforts and prolonging the attacker’s presence on the compromised system. The detection leverages endpoint detection and response (EDR) data focusing on process execution and command-line analysis.

Attack Chain

Initial Access: The attacker gains initial access to the system through methods such as phishing, exploiting vulnerabilities, or compromised credentials.
Privilege Escalation: The attacker escalates privileges to obtain necessary permissions for modifying file and directory access rights. This can be achieved through exploiting system vulnerabilities or using stolen credentials with elevated privileges.
Tool Deployment: The attacker deploys or utilizes existing system tools like icacls.exe, cacls.exe, or xcacls.exe to modify access control lists (ACLs) on files and directories.
Access Rights Modification: The attacker uses the deployed tools to modify the ACLs of critical system files or directories, potentially granting themselves full control or restricting access for legitimate users and security software. Specific command-line arguments like *:R*, *:W*, *:F*, *:C*, *:N*, */P*, and */E* are used to manipulate access rights.
Defense Evasion: By modifying access rights, the attacker attempts to evade detection by security software and hinders incident response efforts by restricting access to forensic data or security tools.
Persistence: The attacker establishes persistence by modifying the access rights of startup scripts or registry keys, ensuring that their malicious code executes even after system reboots.
Lateral Movement: The attacker uses the modified access rights to access files and directories on other systems within the network, facilitating lateral movement and further compromise.
Impact: The attacker achieves their final objective, such as data exfiltration, system disruption, or deploying ransomware, by leveraging the modified access rights to access and manipulate sensitive data or critical system resources.

Impact

Successful exploitation allows attackers to persist on the system, evade detection, and potentially move laterally within the network. Modification of file and directory permissions can hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment. The impact ranges from data theft to complete system compromise and denial of service. This activity is often associated with APT groups and coinminer operations.

Recommendation

Enable Sysmon process creation logging (Event ID 1) to capture the execution of icacls.exe, cacls.exe, and xcacls.exe.
Deploy the Sigma rule “Detect Suspicious Icacls Usage” to your SIEM to identify instances of access right modifications via icacls.exe, cacls.exe, and xcacls.exe.
Investigate any instances where these tools are used to modify access rights, especially when command-line arguments include *:R*, *:W*, *:F*, *:C*, *:N*, */P*, and */E*.
Monitor Windows Event Log Security (4688) for process creation events to correlate with Sysmon data.

Unauthorized Access to Chrome Local State File

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief focuses on detecting unauthorized access to the Chrome ‘Local State’ file, a critical component of the Chrome browser that stores settings and, more importantly, the encrypted master key used to protect saved passwords. The ‘Local State’ file is typically accessed only by the Chrome browser itself. When other processes attempt to read this file, it’s a strong indicator of malicious activity, potentially involving credential theft or reconnaissance by malware such as RedLine Stealer. This analytic leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. Detecting and responding to this activity is crucial for preventing attackers from gaining access to sensitive user credentials stored within the Chrome browser.

Attack Chain

The attacker gains initial access to the system, often through phishing or exploitation of a software vulnerability (not specified in this advisory).
Malware is deployed on the victim machine (e.g., RedLine Stealer).
The malware attempts to locate the Chrome ‘Local State’ file, typically found at *\\AppData\\Local\\Google\\Chrome\\User Data\\Local State.
The malware process accesses the ‘Local State’ file, triggering a Windows Security Event 4663.
The malware extracts the encrypted master key from the ‘Local State’ file.
The malware decrypts the master key using attacker-controlled methods.
The decrypted master key is used to decrypt saved passwords stored by Chrome.
The stolen credentials are exfiltrated to the attacker’s command and control server.

Impact

Successful exploitation allows attackers to steal user credentials stored in the Chrome browser. This can lead to unauthorized access to email accounts, social media profiles, banking websites, and other sensitive online services. The impact could range from identity theft and financial fraud to corporate espionage and data breaches. The number of potential victims depends on the number of systems compromised and the extent of Chrome usage on those systems.

Recommendation

Enable “Audit Object Access” in Group Policy and configure auditing for both “Success” and “Failure” events to ensure Windows Security Event 4663 is generated for file access, as described in the “how_to_implement” section.
Deploy the Sigma rule “Detect Chrome Local State File Access by Non-Chrome Processes” to your SIEM to detect unauthorized access attempts (see “rules” section). Tune the rule’s filter list to reduce false positives related to legitimate software uninstallers.
Investigate any alerts generated by the Sigma rule, focusing on identifying the process name and path involved in accessing the ‘Local State’ file, as described in the rule’s description.
Consider implementing network egress filtering to prevent exfiltration of stolen credentials to known malicious command and control servers.

Suspicious Process Execution from Unusual File Paths

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief addresses the tactic of executing processes from suspicious file paths within Windows environments, a common technique used by adversaries to bypass security controls and execute malicious code without requiring elevated privileges. This activity is often observed in post-exploitation scenarios, where attackers have already gained initial access and are attempting to establish persistence or escalate their privileges. Attackers often leverage these unconventional locations to avoid detection by traditional security solutions that rely on whitelisting or reputation-based analysis. The detection focuses on identifying processes running from paths like \Windows\Fonts\, \Users\Public\, \Windows\Debug\, and others, as these are not typically associated with legitimate software execution. This technique has been associated with malware families like AsyncRAT, RedLine Stealer, and LockBit Ransomware.

Attack Chain

Initial access is gained through phishing, exploitation of a vulnerability, or other means.
The attacker uploads or creates a malicious executable or script (e.g., PowerShell script) in a suspicious directory such as C:\Windows\Fonts\.
The attacker uses a dropper or loader to execute the malicious file. This can be achieved through various methods, including command-line execution or scheduled tasks.
The malicious process begins execution from the unusual file path.
The process performs malicious activities, such as downloading additional payloads, establishing command and control (C2) communication, or conducting reconnaissance.
The attacker leverages the compromised process to escalate privileges or move laterally within the network.
Data exfiltration or encryption may occur, depending on the attacker’s objectives.
The attacker attempts to maintain persistence by creating scheduled tasks or modifying registry keys to ensure the malicious process restarts upon system reboot.

Impact

Successful execution of malicious code from unusual file paths can lead to a variety of negative impacts, including system compromise, data theft, and ransomware infection. Organizations may experience data breaches, financial losses, and reputational damage. The references indicate this technique is associated with various malware families, including information stealers, remote access trojans (RATs), and ransomware, affecting numerous organizations across different sectors.

Recommendation

Enable process creation logging (Event ID 4688 or Sysmon Event ID 1) to capture process execution events, including the process path, command line, and parent process information to enable the rules below.
Deploy the Sigma rule “Suspicious Process Executing from Common Non-Executable Paths” to your SIEM to detect processes running from unusual file paths. Tune the rule to filter out any legitimate exceptions in your environment.
Investigate any alerts generated by the Sigma rule, paying close attention to the process name, command line, and parent process.
Implement application control policies to restrict the execution of unauthorized software in your environment.
Monitor network traffic for suspicious outbound connections originating from processes running from unusual file paths.

Schtasks Run Task On Demand

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This analytic detects the execution of Windows Scheduled Tasks on demand using the schtasks.exe utility. The detection focuses on identifying schtasks.exe being executed with the run command, which is often used by adversaries to force the execution of previously created scheduled tasks. This activity is significant because attackers frequently leverage scheduled tasks for persistent access, privilege escalation, or lateral movement within a compromised network. Detecting this behavior can help defenders identify and respond to malicious activity before it leads to further compromise. The technique has been associated with various threat actors and malware families including Qakbot, XMRig, and Medusa Ransomware as well as campaigns such as CISA AA22-257A and Industroyer2.

Attack Chain

An attacker gains initial access to the system through various means (e.g., exploiting a vulnerability, phishing).
The attacker establishes persistence by creating a new scheduled task using schtasks.exe.
The attacker uses schtasks.exe with the run command to trigger the malicious scheduled task on demand.
The scheduled task executes a malicious payload, such as a script or executable.
The payload may perform various malicious actions, such as downloading additional malware, escalating privileges, or gathering sensitive information.
The attacker moves laterally to other systems on the network by creating and running scheduled tasks remotely.
The attacker attempts to disable security controls or evade detection by modifying existing scheduled tasks.
The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or system disruption.

Impact

Successful exploitation can lead to persistent access, lateral movement, and privilege escalation within the compromised environment. Attackers can use this technique to maintain a foothold on the system, spread malware to other systems on the network, and ultimately achieve their objectives, such as data theft, ransomware deployment, or disruption of critical services.

Recommendation

Deploy the provided Sigma rule to your SIEM to detect the execution of schtasks.exe with the run command, tuning it to exclude known legitimate uses.
Investigate any detected instances of schtasks.exe execution with the run command to determine if they are malicious.
Monitor process execution data for unusual or unexpected processes being launched by scheduled tasks.
Implement strict access controls and regularly review and audit scheduled tasks to prevent unauthorized modifications or creations.
Enable Sysmon process-creation logging (Event ID 1) to capture detailed information about process executions, including command-line arguments.

Regsvr32 Silent and Install Parameter DLL Loading

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief focuses on the abuse of regsvr32.exe, a legitimate Microsoft Windows utility, to load and execute malicious DLLs. Attackers, including those using Remote Access Trojans (RATs) like Remcos and njRAT, leverage regsvr32.exe with the /s (silent) parameter and the DLLInstall function call. The activity is observed by analyzing process command-line arguments and parent process details from Endpoint Detection and Response (EDR) agents. This technique allows attackers to bypass application whitelisting and execute arbitrary code, maintain persistence, and compromise the system further. The detection described was published in splunk-escu on 2026-05-04.

Attack Chain

An attacker gains initial access via an unknown vector (e.g., phishing, exploit).
The attacker deploys a malicious DLL on the compromised system.
The attacker executes regsvr32.exe with the /s (silent) parameter and the DLLInstall function, for example: regsvr32.exe /s /i:DLLInstall .
Regsvr32.exe loads the specified DLL.
The DLLInstall function within the DLL executes, performing malicious actions. This could involve installing services, modifying registry keys, or injecting code into other processes.
The attacker establishes persistence through registry modifications or scheduled tasks created by the DLL.
The attacker executes arbitrary commands on the system, potentially installing additional malware or exfiltrating data.
The attacker achieves their final objective, such as data theft, system disruption, or ransomware deployment.

Impact

Successful exploitation can allow attackers to execute arbitrary code, bypass application whitelisting, and establish persistence on compromised systems. This can lead to data theft, system disruption, or ransomware deployment. The affected systems can be remotely controlled by the attacker, enabling further lateral movement within the network.

Recommendation

Deploy the Sigma rule Regsvr32 Silent and Install Param Dll Loading to detect instances of regsvr32.exe being used with the /s and /i parameters.
Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (Event ID 4688) to capture the necessary process and command-line information.
Investigate any instances of regsvr32.exe execution with the silent and DLLInstall parameters, paying close attention to the parent process and the DLL being loaded.
Implement application control policies to restrict the execution of regsvr32.exe or other LOLBins from untrusted locations.

Outbound SMB Traffic Detection

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This detection identifies outbound Server Message Block (SMB) traffic from internal hosts to external servers. The activity is identified by monitoring network traffic for SMB requests directed towards the Internet, an unusual occurrence in standard operations. This analytic is crucial for Security Operations Centers (SOCs) as it can signal an attacker’s attempt to retrieve credential hashes via compromised internal systems, a critical step in lateral movement and privilege escalation. The source mentions specific relevance to “Hidden Cobra Malware”, “DHS Report TA18-074A”, and “NOBELIUM Group”, suggesting possible connections to these threat actors or campaigns.

Attack Chain

An internal host is compromised through an initial access vector (e.g., phishing, exploit).
The attacker attempts to enumerate network resources accessible from the compromised host.
The attacker leverages SMB to connect to external servers, typically on ports 139 or 445.
The SMB connection attempts to authenticate or negotiate with the external server.
The attacker may attempt to exploit vulnerabilities in the SMB protocol or server.
The attacker captures or relays credential hashes transmitted over the SMB connection.
The attacker uses the captured credentials to move laterally to other systems or escalate privileges.
The attacker achieves their final objective, such as data exfiltration or system compromise.

Impact

Successful exploitation of outbound SMB traffic can lead to unauthorized access to sensitive data and full system compromise. Lateral movement and privilege escalation are key goals. Confirmed malicious SMB traffic could enable attackers to move through the network, potentially impacting numerous systems and leading to significant data breaches. While the number of victims isn’t specified, the detection’s relevance to known threat actors suggests potentially widespread impact.

Recommendation

Deploy the Sigma rule Outbound SMB Traffic Detected to your SIEM and tune it for your environment, using the provided positive and negative test cases to ensure accurate detection.
Investigate and block any detected outbound SMB connections that are not explicitly authorized by legitimate business needs (reference detect_outbound_smb_traffic_filter macro in the original search).
Implement network segmentation to restrict internal hosts from directly accessing external SMB services.
Enforce strong password policies and multi-factor authentication to mitigate the impact of credential theft.
Categorize internal CIDR blocks as internal in your asset management system to reduce false positives (reference “known_false_positives” section).
Consider blocking external communications of all SMB versions and related protocols at the network boundary.

Non-Chrome Process Accessing Chrome Login Data

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief focuses on detecting unauthorized access to Chrome’s “Login Data” file, a local SQLite database that stores user credentials. Attackers, after gaining initial access to a Windows system, may attempt to steal these credentials by directly accessing and parsing this file. The “Login Data” file contains sensitive information, including usernames, passwords, and URLs. The technique is commonly associated with credential-stealing malware families like RedLine Stealer, DarkGate, and others listed below. Successful exploitation allows attackers to harvest credentials for lateral movement and further compromise. This detection is based on Windows Security Event logs, specifically event ID 4663, which records attempts to access objects like files.

Attack Chain

The attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.
The attacker executes a malicious executable or script on the compromised system.
The malicious process attempts to access the Chrome “Login Data” file, typically located at *\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.
Windows Security Event Log generates an event with EventCode 4663, recording the file access attempt.
The attacker’s process reads the “Login Data” SQLite database.
The attacker extracts and potentially decrypts stored usernames and passwords from the “Login Data” file.
The attacker uses the stolen credentials for lateral movement within the network.
The attacker achieves their final objective, such as data exfiltration or ransomware deployment.

Impact

Compromised Chrome “Login Data” files can lead to widespread credential theft, granting attackers unauthorized access to numerous online accounts. Depending on the user’s browsing habits and password reuse, this can include access to sensitive corporate resources, financial accounts, and personal email. The impact can range from financial loss to significant data breaches and reputational damage. The references section in the original source mentions Redline Stealer which is used in various attacks, indicating a potentially large number of victims across different sectors.

Recommendation

Enable “Audit Object Access” in Group Policy and configure auditing for both “Success” and “Failure” events to generate Windows Security Event 4663, as described in the “how_to_implement” section.
Deploy the Sigma rule Chrome Login Data Accessed by Non-Browser Process to your SIEM and tune the process_path filter to exclude legitimate software in your environment.
Investigate any alerts generated by the Chrome Login Data Accessed by Non-Browser Process Sigma rule to determine if credential theft has occurred and remediate any affected accounts.

Suspicious DNS Queries to Telegram API by Non-Telegram Processes

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

This alert identifies systems querying the Telegram API domain (api.telegram.org) using processes other than the legitimate Telegram application. Threat actors frequently leverage Telegram bots for C2, due to their ease of use, encryption, and widespread availability. Malware can use these bots to receive commands, exfiltrate data, or perform other malicious activities. Detecting DNS queries for Telegram’s API from unexpected processes can uncover compromised systems or unauthorized use of Telegram for covert communication. The detection focuses on non-standard Telegram clients resolving the api.telegram.org domain to filter out legitimate Telegram application traffic and focus on suspicious processes.

Attack Chain

A user inadvertently downloads and executes a malicious payload (e.g., via phishing or drive-by download).
The malware establishes persistence on the system (e.g., via registry keys or scheduled tasks).
The malware initiates a DNS query to resolve api.telegram.org to identify the Telegram API server IP address.
The malware establishes a communication channel with a Telegram bot controlled by the attacker using the resolved IP address.
The attacker sends commands to the bot, which are relayed to the compromised system.
The malware executes the received commands, potentially including data exfiltration or further malicious actions.
The malware exfiltrates sensitive data to the attacker via the Telegram bot.
The attacker maintains persistent access and control over the compromised system via the Telegram bot.

Impact

Compromised systems can be remotely controlled by attackers, leading to data theft, system disruption, or further propagation of malware within the network. The use of Telegram bots enables covert communication, making it difficult to detect malicious activity using traditional methods. Multiple threat actors employ Telegram-based C2, including those associated with information stealers, keyloggers, and crypto-mining malware. A successful attack can lead to significant data breaches and financial losses.

Recommendation

Deploy the Sigma rule Detect Suspicious Telegram DNS Queries to your SIEM to identify processes making DNS queries to the Telegram API (api.telegram.org) other than the legitimate Telegram application.
Investigate any alerts generated by the Sigma rule by examining the process execution history, network connections, and related system activity.
Block the domain api.telegram.org at the DNS resolver or firewall to prevent compromised systems from communicating with Telegram bots, unless legitimate business use requires it.
Enable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events on endpoints.
Update Sysmon to at least version 6.0.4 to ensure comprehensive DNS event logging.

Non-Chrome Process Accessing Chrome Default Directory

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

This alert detects non-Chrome processes accessing the Chrome user data directory, a common tactic used by malware and threat actors to steal sensitive information. This activity is detected using Windows Security Event logs, specifically event ID 4663. The Chrome default folder contains sensitive user data, including login credentials, browsing history, and cookies. This makes it a prime target for attackers aiming to harvest credentials or gain access to user accounts. The detection is designed to identify unauthorized access attempts by processes not typically associated with Chrome. This behavior is often linked to Remote Access Trojans (RATs), trojans, and advanced persistent threats (APTs) like FIN7, known for their focus on financial theft and data breaches.

Attack Chain

Malware gains initial access to the system, potentially through phishing or exploiting a software vulnerability.
The malware establishes persistence on the system.
The malware identifies the location of the Chrome user data directory.
The malware attempts to access files within the Chrome user data directory, triggering Windows Security Event 4663.
The malware copies or exfiltrates sensitive data from the Chrome directory, such as login credentials and cookies.
The malware may use stolen credentials to access other systems or services.
The attacker uses compromised accounts to perform unauthorized actions or move laterally within the network.

Impact

A successful attack can result in the theft of sensitive user data, including login credentials, browsing history, and cookies. This data can be used to compromise user accounts, steal financial information, or gain unauthorized access to other systems and services. Multiple analytic stories relate this behavior to credential stealers, RATs, and APTs. Victims may experience financial losses, identity theft, or reputational damage.

Recommendation

Enable “Audit Object Access” in Group Policy and configure auditing for both success and failure events as described in the “how_to_implement” section to ensure Event ID 4663 is captured.
Deploy the Sigma rule Non Chrome Process Accessing Chrome Default Dir to your SIEM to detect unauthorized access attempts to Chrome user data directories.
Investigate any alerts generated by this rule, focusing on the ProcessName and ObjectName to understand the context of the access as noted in the search query.

Logon Script Registry Modification for Persistence and Privilege Escalation

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

This brief focuses on the malicious modification of the UserInitMprLogonScript registry entry, a tactic frequently employed by attackers to achieve persistence and escalate privileges on compromised systems. This technique involves altering the registry to ensure that malicious payloads are automatically executed each time the system boots, enabling attackers to maintain persistent access and potentially gain elevated privileges. The original Splunk analytic was published on 2026-04-29 and leverages the Endpoint.Registry data model, making it crucial to have adequate data ingestion from systems monitoring registry events. This technique is attractive to both APT groups and malware operators because it provides a reliable mechanism to automatically execute code within a targeted environment.

Attack Chain

An attacker gains initial access to the system through methods such as exploiting vulnerabilities or using compromised credentials.
The attacker elevates privileges to gain sufficient access to modify the registry.
The attacker modifies the UserInitMprLogonScript registry key under HKCU or HKLM.
The registry_value_data is changed to point to a malicious script or executable.
The system is rebooted, or a user logs in.
The operating system executes the script or executable specified in the modified UserInitMprLogonScript registry entry.
The malicious payload executes, allowing the attacker to establish persistence, install malware, or perform other malicious actions.

Impact

Successful exploitation allows attackers to establish persistent access to the compromised system. This can lead to data exfiltration, further compromise of the network, or the deployment of ransomware. The modification of the UserInitMprLogonScript registry entry can be used to execute malicious code every time a user logs in, making it difficult to eradicate the attacker’s presence without proper detection and remediation. This technique enables adversaries to maintain long-term control over the affected system.

Recommendation

Enable Sysmon EventID 13 (registry events) with appropriate filtering to monitor changes to the UserInitMprLogonScript registry key (data_source).
Deploy the Sigma rule Logon Script Registry Modification to your SIEM and tune for your environment.
Investigate any modifications to the UserInitMprLogonScript registry key for unexpected executables or scripts.
Correlate suspicious registry modifications with other endpoint activity, such as network connections or process creation, to identify potential malicious behavior.

Braodo Stealer Screen Capture in TEMP Directory

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

The Braodo stealer malware is known for capturing screenshots of a victim’s desktop as part of its data theft activities. This malware, often distributed through malicious campaigns, targets sensitive information by creating image files of the user’s active screen. These screenshots are typically saved in directories that are easily accessible and commonly used by malware, such as temporary folders. This technique allows attackers to gather credentials, financial information, or other confidential data displayed on the screen. The stealer has been observed in campaigns originating from Vietnam, targeting users in the United States with malware, fraud, and dropshipping schemes. Detecting and responding to these types of screen capture attempts is crucial for preventing sensitive data from being compromised and exfiltrated.

Attack Chain

The user unknowingly downloads and executes a malicious file, potentially delivered through a phishing email or drive-by download.
The Braodo stealer malware is executed on the victim’s system.
The malware begins capturing screenshots of the victim’s desktop using Windows APIs.
The screenshots are saved as .png, .jpg, or .bmp files.
The files are saved in the user’s TEMP directory (e.g., C:\Users\\AppData\Local\Temp\).
The malware may compress or encrypt the captured screenshots.
The malware exfiltrates the captured data to a command-and-control server.
The attacker gains access to sensitive information displayed on the victim’s screen, such as credentials or financial data, and uses it for malicious purposes.

Impact

Successful exploitation can lead to the theft of sensitive information, including credentials, financial data, and personally identifiable information (PII). This can result in financial loss, identity theft, and reputational damage for the victim. The Braodo stealer has been observed targeting users in the United States, indicating a broad scope of potential victims. The malware’s ability to capture screenshots allows attackers to bypass multi-factor authentication and other security measures that rely on information displayed on the screen.

Recommendation

Enable Sysmon Event ID 11 (FileCreate) logging to monitor file creation events on endpoints (required for the Sigma rules below).
Deploy the provided Sigma rule Detect Screen Capture Files Created in TEMP Directory to identify potential screen capture activity in temporary directories.
Investigate any alerts generated by the Sigma rule, focusing on processes creating image files in the TEMP directory.
Review and update endpoint security policies to prevent the execution of malware from temporary directories.
Monitor network traffic for suspicious outbound connections from processes creating screen capture files (T1071).

Suspicious PowerShell Reconnaissance via WMI Queries

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

This brief focuses on detecting reconnaissance activities performed through PowerShell using WMI queries. Adversaries often use WMI to gather detailed information about a compromised system, including hardware specifications, operating system details, and installed software. This information can be used to plan further attacks, such as privilege escalation or lateral movement. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify specific WMI queries that target system information classes like Win32_Bios, Win32_OperatingSystem, Win32_Processor and others. Identifying this behavior early can help defenders disrupt attack chains before significant damage occurs. The analytic is based on the detection logic from the Splunk Security Content project as of April 2026.

Attack Chain

An attacker gains initial access to the target system, potentially through phishing or exploiting a software vulnerability.
The attacker executes a PowerShell script, either directly or via a command-line interpreter like cmd.exe.
The PowerShell script uses the Get-WmiObject cmdlet or a direct WMI query with SELECT to query system information.
Specific WMI classes are targeted, including Win32_Bios, Win32_OperatingSystem, Win32_Processor, Win32_ComputerSystem, Win32_PnPEntity, Win32_ShadowCopy, Win32_DiskDrive, Win32_PhysicalMemory, Win32_BaseBoard, and Win32_DisplayConfiguration.
The script collects the data returned by the WMI queries.
The gathered information is used to profile the system and identify potential vulnerabilities or weaknesses.
The attacker uses the gathered information to plan subsequent stages of the attack, like lateral movement or privilege escalation.
The attacker executes further commands based on the gathered information.

Impact

Successful reconnaissance can provide attackers with a comprehensive understanding of the target environment, enabling them to tailor their attacks for maximum impact. This can lead to successful privilege escalation, lateral movement, data exfiltration, or ransomware deployment. Organizations that fail to detect and prevent reconnaissance activities are at a higher risk of experiencing significant data breaches and financial losses. The Maze ransomware group, Industroyer2, and LockBit ransomware have been observed using similar reconnaissance techniques.

Recommendation

Enable PowerShell Script Block Logging on all endpoints to capture the necessary data for detection (PowerShell Script Block Logging 4104).
Deploy the Sigma rule Detect Suspicious WMI Reconnaissance via PowerShell to identify PowerShell scripts querying sensitive WMI classes.
Investigate any alerts generated by the Sigma rule, focusing on the user and process context to determine potential malicious intent.
Review and tune the Recon Using WMI Class detection filter (recon_using_wmi_class_filter) to reduce false positives in your environment.

Large ICMP Traffic Detection

hello@craftedsignal.io — Tue, 02 Jan 2024 10:00:00 +0000

This detection focuses on identifying anomalous ICMP (Internet Control Message Protocol) traffic indicative of malicious activity. ICMP is typically used for network diagnostics but can be abused for covert communication, data exfiltration, or command-and-control (C2) by threat actors. This analytic identifies ICMP traffic exceeding 1,000 bytes directed toward external IP addresses, filtering out internal networks. The detection logic leverages the Network_Traffic data model. Validated malicious instances may signal ICMP tunneling, unauthorized data transfer, or compromised endpoints. The data sources for this analytic include Palo Alto Network Traffic and Cisco Secure Access Firewall logs.

Attack Chain

An attacker compromises a host within the network.
The compromised host initiates ICMP traffic to an external IP address.
The ICMP traffic exceeds 1000 bytes, evading default network monitoring thresholds.
The attacker uses ICMP to tunnel data, bypassing normal data transfer protocols.
The compromised host uses ICMP for command and control, receiving instructions from the external attacker.
The attacker establishes a covert communication channel using ICMP, masking their activity within normal network traffic.
Sensitive data is exfiltrated via ICMP packets to the attacker-controlled external server.

Impact

Successful exploitation through large ICMP traffic can lead to data breaches, unauthorized access to internal resources, and the establishment of persistent command and control within the network. ICMP tunneling can bypass traditional security measures, allowing attackers to operate undetected. The impact of successful exploitation includes the potential compromise of sensitive data, disruption of network services, and financial loss.

Recommendation

Deploy the Sigma rule Detect Large ICMP Traffic to your SIEM and tune the byte threshold (currently 1000 bytes) based on your network baseline to minimize false positives.
Investigate any alerts generated by the Detect Large ICMP Traffic rule, focusing on the source and destination IPs involved.
Examine network traffic logs for patterns indicative of ICMP tunneling or covert communication channels, using the provided data sources.
Utilize the provided search View the detection results to review related events and potential lateral movement.
Implement the provided search View risk events to look at risk factors for the involved assets.

Detection of IIS HTTP Logging Disabled via AppCmd.exe

hello@craftedsignal.io — Mon, 01 Jan 2024 00:00:00 +0000

This detection identifies the use of AppCmd.exe to disable HTTP logging on Internet Information Services (IIS) servers. The technique is significant as adversaries can use it to erase traces of their malicious activities. The detection focuses on process execution events logged by Endpoint Detection and Response (EDR) agents. By disabling HTTP logging, attackers can operate undetected, making it difficult to trace their actions and respond effectively to intrusions. The references indicate this technique has been observed in campaigns attributed to threat actors like OilRig, where IIS backdoors are used.

Attack Chain

Initial access to the system via exploitation of a vulnerability or compromised credentials.
Attacker gains a foothold on the IIS server.
The attacker executes appcmd.exe to modify IIS settings.
appcmd.exe is executed with parameters to disable HTTP logging, such as httplogging or dontlog:true.
The command modifies the IIS configuration, preventing HTTP request logs from being recorded.
The attacker performs malicious actions on the compromised server (e.g., web shell deployment, data theft).
With HTTP logging disabled, the attacker’s activities are not recorded in standard IIS logs, hindering forensic analysis.
The attacker maintains persistence and continues to exploit the compromised system.

Impact

Successful execution of this attack can lead to a significant reduction in visibility into attacker activities on IIS servers. The lack of HTTP logs hinders incident response efforts, making it difficult to identify the scope and nature of the compromise. This could lead to prolonged attacker presence, further data exfiltration, or deployment of malicious software. This technique is a common step to evade defenses.

Recommendation

Deploy the Sigma rule Detect IIS HTTP Logging Disabled via AppCmd.exe to your SIEM and tune for your environment.
Enable Sysmon process creation logging (Event ID 1) to capture command-line arguments of appcmd.exe.
Monitor process execution events for appcmd.exe with command-line arguments related to httplogging or dontlog:true.
Investigate any instances of appcmd.exe being executed by non-administrator accounts or unusual parent processes.
Review IIS configuration regularly for any unauthorized changes to HTTP logging settings.