<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ZOHO Corporation Private Limited — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/zoho-corporation-private-limited/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/zoho-corporation-private-limited/feed.xml" rel="self" type="application/rss+xml"/><item><title>First Time Seen Remote Monitoring and Management Tool Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/</guid><description>Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.</description><content:encoded><![CDATA[<p>Attackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. 
The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. This helps defenders quickly identify potentially malicious use of legitimate tools.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.</li>
<li>Tool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.</li>
<li>Persistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.</li>
<li>Command and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.</li>
<li>Lateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. This may involve using the tool to access shared resources or execute commands on other systems.</li>
<li>Data Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.</li>
<li>Cleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Compromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the process creation rule to detect the execution of RMM tools on endpoints based on <code>process.name</code> and <code>process.code_signature.subject_name</code> criteria in the query.</li>
<li>Enable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.</li>
<li>Investigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. Refer to the references for a list of commonly abused RMM tools and associated indicators.</li>
</ul>
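<p>The following Python is an added worked example, not CraftedSignal's rule and not any vendor's code. It applies the first-time-seen logic described above to a few constructed process-creation events: the key is <code>process.name</code> plus <code>process.code_signature.subject_name</code> (with the parent name added when the process is a child of an RMM binary), and a match is suppressed only if the same key was already seen on the same host inside the history window. The RMM names, signer strings, 14-day window and event shape are assumptions chosen for the example.</p>

```python
"""First-time-seen RMM execution over process-creation events.

Constructed example: the indicator lists below are small illustrative
subsets, not the brief's reference list of abused RMM tools.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicators; a real deployment uses a maintained list.
RMM_NAMES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
RMM_SIGNERS = {"philandro Software GmbH", "TeamViewer Germany GmbH", "Connectwise, LLC"}
HISTORY_WINDOW = timedelta(days=14)  # assumed "configured history window"


def is_rmm(event):
    """True if the process, or its parent, matches an RMM name or code signer."""
    proc = event["process"]
    parent = proc.get("parent", {})
    names = {proc.get("name", "").lower(), parent.get("name", "").lower()}
    signer = proc.get("code_signature", {}).get("subject_name", "")
    return bool(names & RMM_NAMES) or signer in RMM_SIGNERS


def seen_key(event):
    """(name, signer, rmm_parent): a child of an RMM tool is its own key."""
    proc = event["process"]
    parent = proc.get("parent", {}).get("name", "").lower()
    return (proc.get("name", "").lower(),
            proc.get("code_signature", {}).get("subject_name", ""),
            parent if parent in RMM_NAMES else "")


class FirstSeenDetector:
    def __init__(self, window=HISTORY_WINDOW):
        self.window = window
        self.seen = defaultdict(dict)  # host -> key -> last time seen

    def process(self, event):
        """Return an alert dict for first-time-seen RMM activity, else None."""
        if not is_rmm(event):
            return None
        host = event["host"]["name"]
        ts = datetime.fromisoformat(event["@timestamp"])
        key = seen_key(event)
        last = self.seen[host].get(key)
        self.seen[host][key] = ts
        if last is not None and ts - last <= self.window:
            return None  # already part of this host's baseline
        return {"host": host, "process": key[0], "signer": key[1],
                "parent": key[2], "first_seen": ts.isoformat()}


def run(events, window=HISTORY_WINDOW):
    """Feed events in time order; return the alerts raised."""
    det = FirstSeenDetector(window)
    alerts = []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        alert = det.process(e)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (ECS-like shape; not real telemetry).
T0 = datetime(2024, 1, 10, 9, 0, 0)


def ev(host, ts, name, signer="", parent=""):
    return {"@timestamp": ts.isoformat(), "host": {"name": host},
            "process": {"name": name, "code_signature": {"subject_name": signer},
                        "parent": {"name": parent}}}


SAMPLE_EVENTS = [
    ev("WS01", T0, "anydesk.exe", "philandro Software GmbH"),                       # new on WS01
    ev("WS01", T0 + timedelta(days=1), "anydesk.exe", "philandro Software GmbH"),   # baseline
    ev("WS01", T0 + timedelta(days=1, minutes=5), "cmd.exe", "Microsoft Windows",
       parent="anydesk.exe"),                                                        # new RMM child
    ev("WS02", T0 + timedelta(days=2), "anydesk.exe", "philandro Software GmbH"),   # new on WS02
    ev("WS01", T0 + timedelta(days=2), "explorer.exe", "Microsoft Windows"),        # not RMM
    ev("WS01", T0 + timedelta(days=40), "anydesk.exe", "philandro Software GmbH"),  # window expired
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a)
```

<p>The baseline is per host on purpose: AnyDesk being normal on one workstation says nothing about a server that has never run it. Widening the window (for example to 60 days) suppresses the last event, which shows why the window should at least cover the organisation's longest normal gap between legitimate RMM sessions.</p>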
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>remote-access</category><category>rmm</category><category>command-and-control</category><category>persistence</category></item><item><title>Remote Execution via File Shares</title><link>https://feed.craftedsignal.io/briefs/2024-01-remote-execution-via-file-shares/</link><pubDate>Wed, 03 Jan 2024 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-remote-execution-via-file-shares/</guid><description>This rule identifies the execution of a file that was created by the virtual system process, potentially indicating lateral movement via network file shares in Windows environments.</description><content:encoded><![CDATA[<p>This detection identifies lateral movement via network file shares by detecting the execution of a file that was recently created by the virtual system process (PID 4), commonly associated with file share operations. Adversaries may leverage network shares to distribute malicious payloads or tools across the network to compromise additional hosts. This technique allows attackers to execute code remotely, expanding their foothold within the environment. The rule focuses on Windows systems and monitors for newly created executable files (e.g., .exe, .scr, .pif, .com) that are then executed. Exceptions are made for known legitimate software vendors and specific file paths to reduce false positives.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system within the network.</li>
<li>The attacker uploads a malicious executable (e.g., malware, custom tool) to a network file share. On the host that receives the write over SMB, the file creation event is attributed to the System process (PID 4), because the server-side write is performed in kernel context rather than by a user-mode process.</li>
<li>A user or automated process on a remote system accesses the file share.</li>
<li>The malicious executable is copied or accessed from the network share onto the remote system.</li>
<li>The user, either intentionally or through deception, executes the malicious executable.</li>
<li>The executed file initiates malicious activities on the remote system.</li>
<li>The attacker achieves code execution on the remote system.</li>
<li>The attacker uses this foothold for further lateral movement, data exfiltration, or other malicious objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation through remote execution via file shares can lead to widespread compromise across the network. Attackers can gain unauthorized access to sensitive data, install backdoors, or deploy ransomware. The impact ranges from data breaches and financial losses to significant disruption of business operations. The severity of the impact depends on the attacker&rsquo;s objectives and the extent of their lateral movement within the environment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect suspicious executions of files created by PID 4 on Windows systems.</li>
<li>Review and restrict write access to network shares to minimize the risk of unauthorized file uploads.</li>
<li>Monitor file creation events (<code>event.type in ("creation", "change")</code>) on network shares for unusual activity using file integrity monitoring tools.</li>
<li>Investigate any alerts generated by the Sigma rule by examining the process execution chain and associated network connections.</li>
<li>Enrich process creation events (category: process_creation) with code signature information to validate the legitimacy of executed files.</li>
<li>Retrieve the files&rsquo; SHA-256 hashes (for example with osquery&rsquo;s <code>hash</code> table or the PowerShell <code>Get-FileHash</code> cmdlet) and check them against reputation sources such as VirusTotal, Hybrid Analysis, Cisco Talos, and Any.run.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>lateral-movement</category><category>file-share</category><category>windows</category></item><item><title>Remote Execution via File Shares</title><link>https://feed.craftedsignal.io/briefs/2024-01-remote-execution-file-shares/</link><pubDate>Wed, 03 Jan 2024 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-remote-execution-file-shares/</guid><description>The rule identifies the execution of a file created by the virtual system process, potentially indicating lateral movement via network file shares, by detecting a sequence of file creation/modification followed by process execution, excluding trusted vendors.</description><content:encoded><![CDATA[<p>This detection rule identifies a specific sequence of events that may indicate lateral movement within a Windows environment. The rule focuses on scenarios where a file is created or modified by the <code>System</code> process (PID 4), which is then subsequently executed. This behavior is often associated with attackers leveraging network file shares to distribute malicious tools or payloads across multiple systems. The rule aims to detect this activity while excluding legitimate software installations or updates by filtering out processes signed by trusted vendors such as Veeam, Elasticsearch, CrowdStrike, and Microsoft. This exclusion is designed to reduce false positives and focus on potentially malicious activity. The rule is designed for data generated by Elastic Defend.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system within the network.</li>
<li>The attacker uploads a malicious executable (e.g., EXE, SCR, PIF, COM) to a network file share accessible to other systems. The file&rsquo;s header starts with <code>4d5a</code> (the <code>MZ</code> magic of a PE file), which the rule uses to catch executables given a non-executable extension.</li>
<li>The <code>System</code> process (PID 4) creates or modifies the malicious executable on the target system via the network share. This can happen through normal network file operations.</li>
<li>The attacker uses lateral movement techniques, such as exploiting SMB/Windows Admin Shares, to remotely trigger the execution of the malicious executable on the target system.</li>
<li>The malicious executable begins to execute, initiating attacker-controlled code on the target system.</li>
<li>The process attempts to establish command and control (C2) communication with an external server.</li>
<li>The attacker uses the compromised system to further propagate within the network, potentially deploying additional malicious tools or escalating privileges.</li>
<li>The attacker achieves their final objective, such as data exfiltration or ransomware deployment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to widespread compromise of systems within the network. Attackers can leverage compromised systems for data theft, deployment of ransomware, or other malicious activities. The impact can range from business disruption and data loss to significant financial damage and reputational harm. The trusted-vendor exclusions are themselves a gap: an adversary who stages a legitimately signed binary from an excluded vendor (for example a Microsoft-signed utility abused for proxy execution) will not trigger the rule, so the exclusions should be kept as narrow as the environment allows.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect remote execution via file shares, and tune exclusions for your specific environment.</li>
<li>Enable Elastic Defend to generate the necessary process and file events for the Sigma rule to function effectively (see <code>logs-endpoint.events.process-*</code>, <code>logs-endpoint.events.file-*</code> in <code>index</code>).</li>
<li>Review and restrict write access to network shares to minimize the risk of unauthorized file uploads (see &ldquo;Review the privileges needed to write to the network share&rdquo;).</li>
<li>Investigate any alerts triggered by the Sigma rule to determine the legitimacy of the activity and take appropriate remediation steps.</li>
<li>Implement file integrity monitoring (FIM) on network shares to detect unauthorized file modifications or additions.</li>
<li>Use threat intelligence platforms to enrich file hash values and identify known malicious files.</li>
</ul>
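<p>The following Python is an added worked example for this brief and for the preceding &ldquo;Remote Execution via File Shares&rdquo; brief; it is not CraftedSignal&rsquo;s or Elastic&rsquo;s rule text. It correlates the two-step sequence both briefs describe over constructed events: a file written by PID 4 that has an executable extension or an <code>MZ</code> header, followed within a time window by a process start whose <code>process.executable</code> is that same path on the same host, with processes carrying a trusted signature from an excluded vendor filtered out. The field layout, the ten-minute window, the <code>header_bytes</code> field and the exact signer strings are assumptions.</p>

```python
"""Sequence detection: file written by the System process (PID 4), then executed.

Constructed example. Events are dicts loosely shaped like Elastic Defend file
and process documents; they are not real telemetry.
"""
from datetime import datetime, timedelta

EXECUTABLE_EXTS = {"exe", "scr", "pif", "com"}
MZ_MAGIC = "4d5a"
# Vendors the brief excludes; the exact subject strings are assumptions.
TRUSTED_SIGNERS = {
    "Veeam Software Group GmbH",
    "Elasticsearch, Inc.",
    "CrowdStrike, Inc.",
    "Microsoft Windows",
    "Microsoft Corporation",
}
MAXSPAN = timedelta(minutes=10)  # assumed: how long a PID-4 write counts as "recent"


def is_remote_write_of_executable(e):
    """File created/changed by PID 4 that is executable by extension or by PE magic."""
    ev = e["event"]
    if ev["category"] != "file" or ev["type"] not in ("creation", "change"):
        return False
    if e["process"]["pid"] != 4:
        return False
    f = e["file"]
    by_ext = f.get("extension", "").lower() in EXECUTABLE_EXTS
    by_magic = f.get("header_bytes", "").lower().startswith(MZ_MAGIC)
    return by_ext or by_magic


def is_trusted_signer(proc):
    """Exclusion: signature validated and subject is one of the excluded vendors."""
    sig = proc.get("code_signature", {})
    return bool(sig.get("trusted")) and sig.get("subject_name") in TRUSTED_SIGNERS


class FileShareExecDetector:
    def __init__(self, maxspan=MAXSPAN):
        self.maxspan = maxspan
        self.pending = {}  # (host.id, lowercased path) -> time of the PID-4 write

    def process(self, e):
        """Return an alert dict when a recent PID-4 write is executed, else None."""
        ts = datetime.fromisoformat(e["@timestamp"])
        host = e["host"]["id"]
        if is_remote_write_of_executable(e):
            # Windows paths are case-insensitive, so normalise before joining.
            self.pending[(host, e["file"]["path"].lower())] = ts
            return None
        ev = e["event"]
        if ev["category"] != "process" or ev["type"] != "start":
            return None
        key = (host, e["process"]["executable"].lower())
        written = self.pending.get(key)
        if written is None:
            return None
        if ts - written > self.maxspan:
            del self.pending[key]  # stale write; no longer part of a sequence
            return None
        if is_trusted_signer(e["process"]):
            return None
        del self.pending[key]
        return {"host": host, "executable": key[1],
                "written": written.isoformat(), "executed": ts.isoformat()}


def run(events, maxspan=MAXSPAN):
    """Feed events in time order; return the alerts raised."""
    det = FileShareExecDetector(maxspan)
    alerts = []
    for e in sorted(events, key=lambda x: x["@timestamp"]):
        alert = det.process(e)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events.
T0 = datetime(2024, 1, 3, 14, 0, 0)


def file_ev(host, ts, path, ext, pid=4, header="4d5a9000"):
    return {"@timestamp": ts.isoformat(), "host": {"id": host},
            "event": {"category": "file", "type": "creation"},
            "process": {"pid": pid},
            "file": {"path": path, "extension": ext, "header_bytes": header}}


def proc_ev(host, ts, executable, signer=None, trusted=False):
    return {"@timestamp": ts.isoformat(), "host": {"id": host},
            "event": {"category": "process", "type": "start"},
            "process": {"executable": executable,
                        "code_signature": {"subject_name": signer, "trusted": trusted}}}


SAMPLE_EVENTS = [
    file_ev("H1", T0, r"C:\Users\Public\tools\update.exe", "exe"),
    proc_ev("H1", T0 + timedelta(minutes=2), r"C:\USERS\Public\tools\update.exe"),  # unsigned: alert
    file_ev("H1", T0 + timedelta(minutes=3), r"C:\ProgramData\Veeam\agent.exe", "exe"),
    proc_ev("H1", T0 + timedelta(minutes=4), r"C:\ProgramData\Veeam\agent.exe",
            "Veeam Software Group GmbH", True),                                      # excluded vendor
    file_ev("H1", T0 + timedelta(minutes=4), r"C:\share\notes.txt", "txt", header=""),  # not a PE
    file_ev("H2", T0 + timedelta(minutes=5), r"C:\Temp\run.exe", "exe", pid=1234),   # not PID 4
    proc_ev("H2", T0 + timedelta(minutes=6), r"C:\Temp\run.exe"),
    file_ev("H1", T0 + timedelta(minutes=5), r"C:\Users\Public\old.exe", "exe"),
    proc_ev("H1", T0 + timedelta(minutes=30), r"C:\Users\Public\old.exe"),           # outside window
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a)
```

<p>Only the first pair fires with the default window. Widening <code>maxspan</code> to an hour also catches <code>old.exe</code>, which is the tuning trade-off both briefs leave to the deployer: a longer window catches delayed execution but holds more pending writes per host.</p>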
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>lateral-movement</category><category>file-shares</category><category>windows</category></item></channel></rss>