Potential Windows Session Hijacking via CcmExec
This detection rule identifies when 'SCNotification.exe' loads an untrusted DLL, which is a potential indicator of an attacker's attempt to hijack or impersonate a Windows user session.
Elastic rule
[metadata]
creation_date = "2024/04/17"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This detection rule identifies when 'SCNotification.exe' loads an untrusted DLL, which is a potential indicator of an
attacker attempt to hijack/impersonate a Windows user session.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Windows Session Hijacking via CcmExec"
references = [
    "https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec",
    "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users",
]
risk_score = 47
rule_id = "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
library where host.os.type == "windows" and process.name : "SCNotification.exe" and
  (dll.Ext.relative_file_creation_time < 86400 or dll.Ext.relative_file_name_modify_time <= 500) and dll.code_signature.status != "trusted"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
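To make the query's logic concrete, the following Python is an added example (not part of the Elastic rule or its repository) that evaluates the same predicate the EQL query expresses against a handful of constructed Elastic Defend library events. The field names, thresholds and the target process name are taken from the rule above; the sample events, the DLL paths in them, and the decision to treat a missing `dll.code_signature.status` as untrusted are assumptions of this example, not statements about how Elasticsearch EQL handles null fields.

```python
"""
Added example: re-implement the rule's EQL predicate over constructed
library-load events so the matching logic can be inspected offline.
"""
from typing import Any, Dict, List, Optional

# Thresholds copied from the rule's query (ages in seconds, as the rule implies).
MAX_CREATION_AGE = 86400   # dll.Ext.relative_file_creation_time < 86400
MAX_MODIFY_AGE = 500       # dll.Ext.relative_file_name_modify_time <= 500
TARGET_PROCESS = "scnotification.exe"  # EQL ':' is case-insensitive, so compare lower-cased


def get_field(event: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS field name (e.g. 'dll.Ext.relative_file_creation_time')
    against a nested event dict; missing segments yield None."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_recent_dll(event: Dict[str, Any]) -> bool:
    """The rule's parenthesised clause: the DLL was created in the last day
    or its file name was modified within the last 500 seconds."""
    creation_age = get_field(event, "dll.Ext.relative_file_creation_time")
    modify_age = get_field(event, "dll.Ext.relative_file_name_modify_time")
    # A missing age cannot satisfy a numeric comparison, so None never matches.
    recently_created = creation_age is not None and creation_age < MAX_CREATION_AGE
    recently_modified = modify_age is not None and modify_age <= MAX_MODIFY_AGE
    return recently_created or recently_modified


def matches_rule(event: Dict[str, Any]) -> bool:
    """Return True when the event satisfies every clause of the rule's query."""
    if get_field(event, "event.category") != "library":      # 'library where ...'
        return False
    if get_field(event, "host.os.type") != "windows":
        return False
    name = get_field(event, "process.name")
    if not isinstance(name, str) or name.lower() != TARGET_PROCESS:
        return False
    if not is_recent_dll(event):
        return False
    status = get_field(event, "dll.code_signature.status")
    # Assumption of this example: an absent status is treated as "not trusted",
    # which follows the rule's intent of flagging DLLs without a trusted signature.
    return status != "trusted"


def make_event(process: str, dll_path: str, creation_age: Optional[int],
               modify_age: Optional[int], status: Optional[str],
               os_type: str = "windows") -> Dict[str, Any]:
    """Build a constructed library event in the nested shape the rule's fields expect."""
    ext: Dict[str, Any] = {}
    if creation_age is not None:
        ext["relative_file_creation_time"] = creation_age
    if modify_age is not None:
        ext["relative_file_name_modify_time"] = modify_age
    dll: Dict[str, Any] = {"path": dll_path, "Ext": ext}
    if status is not None:
        dll["code_signature"] = {"status": status}
    return {
        "event": {"category": "library"},
        "host": {"os": {"type": os_type}},
        "process": {"name": process},
        "dll": dll,
    }


# Constructed sample events (paths and values are illustrative only).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    # Hit: target process, DLL created minutes ago, no trusted signature.
    make_event("SCNotification.exe", r"C:\Users\Public\constructed_untrusted.dll", 120, 120, "unsigned"),
    # Miss: recent load but the DLL carries a trusted signature.
    make_event("SCNotification.exe", r"C:\Windows\System32\constructed_signed.dll", 30, 30, "trusted"),
    # Miss: untrusted, but the file is old and unmodified.
    make_event("SCNotification.exe", r"C:\Program Files\Vendor\constructed_old.dll", 900000, 900000, "unsigned"),
    # Miss: right DLL profile, wrong process.
    make_event("notepad.exe", r"C:\Users\Public\constructed_other_process.dll", 60, 60, "unsigned"),
    # Hit: old creation time but the file name was modified seconds ago; no status field at all.
    make_event("scnotification.exe", r"C:\Windows\Temp\constructed_modified.dll", 900000, 300, None),
]


def find_hits(events: List[Dict[str, Any]]) -> List[str]:
    """Return the dll.path of every event the rule would alert on."""
    return [get_field(e, "dll.path") for e in events if matches_rule(e)]


if __name__ == "__main__":
    for path in find_hits(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Running the block prints the two paths that satisfy every clause; the signed DLL, the old DLL and the load by a different process are correctly left alone. When tuning the rule, the two age thresholds and the signature check are the knobs this example isolates, so a false positive from a legitimate but unsigned in-house component would show up here as a `status` of `"unsigned"` on an otherwise benign path.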
Related rules
- Delayed Execution via Ping
- Expired or Revoked Driver Loaded
- Potential Masquerading as Business App Installer
- Potential Remote File Execution via MSIEXEC
- Remote XSL Script Execution via COM