Potential Windows Session Hijacking via CcmExec

This detection rule identifies when 'SCNotification.exe' loads an untrusted DLL, which is a potential indicator of an attacker's attempt to hijack or impersonate a Windows user session.

Elastic rule

[metadata]
creation_date = "2024/04/17"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/17"

[rule]
author = ["Elastic"]
description = """
This detection rule identifies when 'SCNotification.exe' loads an untrusted DLL, which is a potential indicator of an
attacker attempt to hijack/impersonate a Windows user session.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Windows Session Hijacking via CcmExec"
references = [
    "https://cloud.google.com/blog/topics/threat-intelligence/windows-session-hijacking-via-ccmexec",
    "https://mayfly277.github.io/posts/SCCM-LAB-part0x3/#impersonate-users---revshell-connected-users"
]
risk_score = 47
rule_id = "e7357fec-6e9c-41b9-b93d-6e4fc40c7d47"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
library where host.os.type == "windows" and process.name : "SCNotification.exe" and
  (dll.Ext.relative_file_creation_time < 86400 or dll.Ext.relative_file_name_modify_time <= 500) and dll.code_signature.status != "trusted"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
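As an added example, not the rule's own code, the following Python models the query's conditions and evaluates them over constructed Elastic Defend library events, so you can see which combinations of DLL age, signature status and loading process the rule alerts on. Field names are taken from the query; the handling of missing fields (no signature data counts as untrusted, a missing timestamp fails its age test) is this script's assumption, not documented EQL semantics.

```python
# Added example (not Elastic's code): models the rule's EQL conditions in
# Python and evaluates them over constructed "library" events. Field names
# are the ones the query uses; every event value below is made up.

def matches_rule(event: dict) -> bool:
    """True when an event satisfies every condition of the rule's query."""
    if event.get("host.os.type") != "windows":
        return False
    # EQL ':' is a case-insensitive string match
    if str(event.get("process.name", "")).lower() != "scnotification.exe":
        return False
    created = event.get("dll.Ext.relative_file_creation_time")     # seconds
    modified = event.get("dll.Ext.relative_file_name_modify_time")  # seconds
    recently_written = (created is not None and created < 86400) or (
        modified is not None and modified <= 500)
    if not recently_written:
        return False
    # Assumption of this model: a DLL with no signature data is untrusted.
    return event.get("dll.code_signature.status") != "trusted"


def flag_dlls(events: list) -> list:
    """Names of the DLLs in events that the rule would alert on, in order."""
    return [e["dll.name"] for e in events if matches_rule(e)]


def make_event(proc, dll, created, modified, status, os_type="windows"):
    """Build one flattened event dict in the shape the query expects."""
    return {"host.os.type": os_type, "process.name": proc, "dll.name": dll,
            "dll.Ext.relative_file_creation_time": created,
            "dll.Ext.relative_file_name_modify_time": modified,
            "dll.code_signature.status": status}


# Constructed sample events (DLL names are placeholders, not real indicators).
SAMPLE_EVENTS = [
    # unsigned DLL written two minutes ago -> alert
    make_event("SCNotification.exe", "dropped_module.dll", 120, 120, "unsigned"),
    # Microsoft-signed runtime DLL from the OS image -> no alert (trusted)
    make_event("SCNotification.exe", "mscoree.dll", 9_000_000, 9_000_000, "trusted"),
    # same new DLL loaded by another process -> no alert (process filter)
    make_event("explorer.exe", "dropped_module.dll", 120, 120, "unsigned"),
    # untrusted but old DLL -> no alert (neither age test passes)
    make_event("SCNotification.exe", "old_plugin.dll", 864_000, 9_000, "errorUntrustedRoot"),
    # lowercase process name, only the modify-time test passes -> alert
    make_event("scnotification.exe", "touched_module.dll", 200_000, 300, "unsigned"),
]

if __name__ == "__main__":
    print(flag_dlls(SAMPLE_EVENTS))  # ['dropped_module.dll', 'touched_module.dll']
```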
