Unauthorized Data Stream Exploit
Rule added on 30th May, 2024
Rule type:
Correlation
Rule description:
Adversaries may tamper with data streams within a system, application, or network to eavesdrop on communications, steal sensitive information, and exploit network vulnerabilities. On Windows, the "data stream" this rule is built around is the NTFS alternate data stream (ADS): a payload (script, DLL or executable) stored in a hidden stream of an otherwise innocuous file, referenced as path\file.ext:streamname, and launched through a trusted Windows executable so that the payload never appears as a file of its own in directory listings.
Attack chain scenario: Malicious file upload -> Data stream tampering -> Data exfiltration
Impact:
Adversaries can use this technique to achieve:
- Data theft
- Unauthorized access to network resources
- System compromise
Data source:
Windows > Process Creation
Required configuration: The rule is based on process creation and termination events. Prerequisites: install and configure Sysmon, enable the process creation audit policy (Event ID 4688), and enable command line auditing, because the stream reference only appears in the command line or target file name of the launched process.
Relevant MITRE ATT&CK techniques and tactics:
Tactic: TA0006- Credential Access, TA0007- Discovery
Technique: T1040- Network Sniffing
Note: the criteria below match execution from an NTFS alternate data stream, which MITRE ATT&CK catalogues under T1564.004- NTFS File Attributes (TA0005- Defense Evasion); T1040 describes network sniffing and is not what the process-creation criteria observe.
Criteria:
( ( FileName = ":" ) ) AND ( ( Process Name = "*wscript.exe" ) OR ( Process Name = "*wmic.exe" ) OR ( Process Name = "*rundll32.exe" ) OR ( Process Name = "*regedit.exe" ) OR ( Process Name = "*mshta.exe" ) OR ( Process Name = "*mavinject.exe" ) OR ( Process Name = "*forfiles.exe" ) OR ( Process Name = "*control.exe" ) OR ( Process Name = "*cscript.exe" ) )
FileName = ":" is a contains-match on the file name field: a colon inside the file name portion of a path (as opposed to the drive-letter colon in C:\) is the NTFS stream separator, so it indicates that the process was given an alternate data stream to run. The "*name.exe" patterns are suffix wildcards, so the process name matches wherever the executable resides. Attackers abuse these signed, legitimate Windows executables (rundll32.exe, regedit.exe, mshta.exe, mavinject.exe, wscript.exe, cscript.exe and the others listed) as "living off the land" binaries to load or execute a payload hidden in a stream, so that the malicious code runs under a trusted process name.
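The following is an added example, not the vendor's rule engine or any code from this page, that applies the criteria above to constructed Sysmon-style process-creation records. It shows the one check a naive implementation gets wrong: FileName = ":" must be evaluated on the file-name component only, otherwise every path starting with a drive letter (C:\...) would match. Field names (Image, CommandLine) follow Sysmon Event ID 1; the sample events and their paths are invented for the example.

```python
"""Detection logic for the 'Unauthorized Data Stream Exploit' criteria, run over
constructed Sysmon-style process-creation records (Event ID 1)."""
import re
from typing import Dict, List

# The nine LOLBins named in the rule criteria. The "*name.exe" wildcard means
# the image name is compared regardless of its directory, case-insensitively.
WATCHED_PROCESSES = {
    "wscript.exe", "wmic.exe", "rundll32.exe", "regedit.exe", "mshta.exe",
    "mavinject.exe", "forfiles.exe", "control.exe", "cscript.exe",
}

# Constructed sample events (assumption: these are not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\alice\Downloads\report.pdf:payload.vbs"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\cache.txt:evil.dll,Start"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Scripts\cleanup.vbs"},           # benign: no stream
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt:hidden"},              # stream, but not a watched binary
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hello"},
]

_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')   # double-quoted argument or bare word
_DRIVE_ONLY_RE = re.compile(r"^[A-Za-z]:$")   # a bare drive designator such as C:


def command_line_tokens(command_line: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(command_line)]


def is_ads_reference(token: str) -> bool:
    """True when the file-name component of a path token contains an NTFS
    stream separator. Only the last path component is inspected, so the
    drive-letter colon in C:\\dir\\file is never counted, and a bare 'C:' or a
    command switch written as /option:value or -option:value is ignored."""
    if token.startswith(("/", "-")):
        return False
    name = re.split(r"[\\/]", token)[-1]
    if _DRIVE_ONLY_RE.match(name):
        return False
    return ":" in name


def rule_matches(event: Dict[str, str]) -> bool:
    """Apply the criteria: a watched process AND a stream reference in its arguments."""
    image_name = re.split(r"[\\/]", event["Image"])[-1].lower()
    if image_name not in WATCHED_PROCESSES:
        return False
    return any(is_ads_reference(t) for t in command_line_tokens(event["CommandLine"]))


def run_rule(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that trigger the rule."""
    return [i for i, event in enumerate(events) if rule_matches(event)]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

On the sample data only the wscript and rundll32 launches fire; the notepad event carries a stream reference but is outside the closed list of watched binaries, which is a tuning decision to revisit if your environment sees other hosts for ADS payloads (for example powershell.exe or regsvr32.exe). Arguments of the form /switch:value are skipped to keep the drive-letter fix from trading one false-positive class for another.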
When to enable this rule:
Enable this rule when you need to detect malware that hides its code or data in alternate data streams of seemingly innocuous files, such as images or documents, and launches it through trusted Windows binaries. This is sometimes described as a steganographic technique; strictly, the payload sits in a separate stream of the host file rather than inside its visible content, which is why it is invisible to ordinary directory listings but visible to a process-creation audit.
Security standards (NIST CSF 2.0):
Enabling this rule will help you meet the security standards' requirements listed below:
PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected
When this rule is triggered, you're notified that a hidden stream on a file at rest is being used to run code, which may be a precursor to eavesdropping or data theft. This gives you the visibility to investigate the host file and its stream and to tighten the controls around the listed binaries.
Next steps:
When this alert is triggered, the following measures can be implemented:
- Identification: Identify if the alert is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
- Response: Respond promptly by initiating an automated workflow to terminate the malicious process and, where the analysis warrants it, isolate the host.
- Contain the hidden payload: Remove the alternate stream from the host file or quarantine the file, and restrict the listed binaries with application control where they are not needed. Encryption of data at rest protects the content of sensitive files but does not by itself prevent a stream from being written to or executed from a file.