T1083 File and Directory Discovery Mappings

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)

Some files and directories may require elevated or specific user permissions to access.
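As an added illustration that is not part of the ATT&CK page or of any product described on it, the following Python script shows what the description above looks like from the defender's side: it scans process-creation events for the utilities the technique names (dir, tree, ls, find, locate), notes recursive enumeration and arguments pointing at sensitive locations, and raises a burst alert when one actor runs several such commands within a short window. The event schema, the thresholds, the sensitive-path markers and the sample events are all assumptions constructed for the example.

```python
"""Toy detection logic for T1083 File and Directory Discovery.

Added illustration, not part of the ATT&CK page or any product; the event
schema, thresholds, markers and sample events below are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Utilities the technique description names.
DISCOVERY_BINARIES = {"dir", "tree", "ls", "find", "locate"}
# Switches that turn a listing into a recursive walk (assumed, not exhaustive).
RECURSIVE_FLAGS = {"/s", "-r", "--recursive"}
# Constructed markers for locations worth an extra look; tune per environment.
SENSITIVE_MARKERS = ("/etc/", "/root", ".ssh", ".aws", ":\\users", "password")

BURST_THRESHOLD = 3                   # discovery commands ...
BURST_WINDOW = timedelta(seconds=60)  # ... by one actor inside this window


def program_name(token):
    """Normalise 'C:\\Windows\\System32\\cmd.exe' or '/bin/ls' to 'cmd' / 'ls'."""
    name = token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Return a list of reasons if cmdline looks like T1083, else None."""
    tokens = cmdline.split()
    if not tokens:
        return None
    lowered = [t.lower() for t in tokens]
    prog = program_name(tokens[0])
    # Unwrap 'cmd.exe /c <command>' so the inner command is what gets judged.
    if prog == "cmd" and "/c" in lowered:
        inner = tokens[lowered.index("/c") + 1:]
        return classify(" ".join(inner)) if inner else None
    if prog not in DISCOVERY_BINARIES:
        return None
    reasons = ["discovery utility " + prog]
    if any(t in RECURSIVE_FLAGS for t in lowered):
        reasons.append("recursive enumeration")
    if any(m in cmdline.lower() for m in SENSITIVE_MARKERS):
        reasons.append("targets sensitive location")
    return reasons


def detect(events):
    """Return (hits, bursts): matching events and actors exceeding the burst rule."""
    hits, per_actor = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = classify(ev["cmdline"])
        if reasons is None:
            continue
        hits.append({"ts": ev["ts"], "actor": ev["actor"],
                     "cmdline": ev["cmdline"], "reasons": reasons})
        per_actor[ev["actor"]].append(ev["ts"])
    bursts = []
    for actor, times in per_actor.items():  # times are already sorted
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits BURST_WINDOW.
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                bursts.append(actor)
                break
    return hits, bursts


# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"ts": datetime(2024, 1, 1, 9, 0, 0), "actor": "alice@ws01",
     "cmdline": "ls -la /home/alice/projects"},
    {"ts": datetime(2024, 1, 1, 9, 0, 5), "actor": "svc@ws07",
     "cmdline": "cmd.exe /c dir /s C:\\Users\\*.docx"},
    {"ts": datetime(2024, 1, 1, 9, 0, 20), "actor": "svc@ws07",
     "cmdline": "tree C:\\Users /f"},
    {"ts": datetime(2024, 1, 1, 9, 0, 40), "actor": "svc@ws07",
     "cmdline": "find /etc/ -type f -name *.conf"},
    {"ts": datetime(2024, 1, 1, 9, 5, 0), "actor": "bob@ws02",
     "cmdline": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    hits, bursts = detect(SAMPLE_EVENTS)
    for h in hits:
        print(h["ts"].time(), h["actor"], h["cmdline"], "->", "; ".join(h["reasons"]))
    print("burst alerts:", bursts)
```

Because dir and ls are also everyday administrative commands, a single hit is weak evidence; the sample is built so that alice's one listing is recorded but only the three rapid, recursive or sensitive-path commands from svc@ws07 trigger the burst alert. In practice the markers would come from an organisation's own inventory of sensitive locations and the threshold would be tuned against a baseline of normal activity.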


Intel vPro Mappings

Capability ID: intel-tdt
Capability Description: Intel Threat Detection Technology
Mapping Type: CrowdStrike AMS
ATT&CK ID: T1083
ATT&CK Name: File and Directory Discovery
Comments: Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of File and Directory Discovery attacks. This integrated solution improves CrowdStrike Falcon, enabling it to detect and mitigate cyber threats earlier in the kill chain, with minimal impact on system performance. File and Directory Discovery attacks involve adversaries attempting to map or enumerate files, directories, or system resources to identify sensitive information or potential targets for further exploitation. These activities often form the basis for lateral movement, privilege escalation, or data exfiltration. Intel TDT plays a crucial role in detecting these types of attacks by providing deep, real-time telemetry on program execution, memory access, and control flow. This telemetry allows for the rapid identification of suspicious behaviors, such as abnormal access to or enumeration of files and directories, which may indicate an ongoing discovery attack. Additionally, CAMS offloads the performance-intensive task of memory scanning from the CPU to the Intel Integrated GPU, ensuring faster and more efficient detection of malicious activities without degrading system performance. CAMS helps identify suspicious behaviors, such as unauthorized access attempts to sensitive file locations or attempts to probe the file system for valuable assets.
References:

Known Exploited Vulnerabilities Mappings

Capability ID: CVE-2019-11510
Capability Description: Ivanti Pulse Connect Secure Arbitrary File Read Vulnerability
Mapping Type: secondary_impact
ATT&CK ID: T1083
ATT&CK Name: File and Directory Discovery
Comments: CVE-2019-11510: Pulse Connect Secure is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
References:

Capability ID: CVE-2019-19781
Capability Description: Citrix ADC, Gateway, and SD-WAN WANOP Appliance Code Execution Vulnerability
Mapping Type: secondary_impact
ATT&CK ID: T1083
ATT&CK Name: File and Directory Discovery
Comments: CVE-2019-19781 is exploited through directory traversal, allowing an unauthenticated attacker to execute arbitrary code on affected Citrix NetScaler Application Delivery Controller (ADC) appliances.
References:

Capability ID: CVE-2023-22952
Capability Description: Multiple SugarCRM Products Remote Code Execution Vulnerability
Mapping Type: secondary_impact
ATT&CK ID: T1083
ATT&CK Name: File and Directory Discovery
Comments: This Remote Code Execution (RCE) vulnerability is exploited by an unauthenticated attacker who, via a crafted request, can inject custom PHP code through the EmailTemplates module because of missing input validation. This vulnerability has been exploited by threat actors to gain initial access to AWS accounts by injecting custom PHP code through the SugarCRM email templates module. Attackers leveraged misconfigurations to expand their access, obtaining long-term AWS access keys from compromised EC2 instances. They used tools like Pacu and Scout Suite to explore AWS services such as EC2, IAM, RDS, and S3, and gathered account information via AWS Organizations and Cost and Usage services. The attackers moved laterally by creating RDS snapshots and new EC2 instances, modifying security groups, and attempting to escalate privileges by logging in as the Root user. They also employed defense evasion techniques, including deploying resources in non-standard regions and intermittently stopping EC2 instances to avoid detection and minimize costs.

The exploit in question is actively being used to compromise hosts by installing a PHP-based web shell. It involves an authentication bypass against the "/index.php" endpoint of the targeted service. Once bypassed, the attacker obtains a cookie and sends a secondary POST request to "/cache/images/sweet.phar" to upload a small PNG-encoded file containing PHP code. This file acts as a web shell, allowing the execution of commands specified in the base64-encoded query argument "c". For example, a request like 'POST /cache/images/sweet.phar?c="L2Jpbi9pZA=="' would execute the command "/bin/id" with the same permissions as the web service's user.
References: