
Potential Windows Session Hijacking via CcmExec

Elastic Detection Rules

Summary
This detection rule targets the loading of untrusted DLLs by SCNotification.exe, a process associated with Microsoft's System Center Configuration Manager (CcmExec). Such activity can indicate an attempt to hijack Windows user sessions. The rule monitors for SCNotification.exe loading DLLs that are newly created (within 24 hours) or recently modified and that are marked as untrusted, and it raises an alert whenever these conditions are met.

An alert should prompt immediate investigation to confirm whether the activity of SCNotification.exe is legitimate: verify the process details, examine the DLL's file attributes, analyze its code signature, check the associated user activity, and correlate with other security events. False positives can arise during legitimate software updates or system maintenance. Recommended responses include isolating affected systems and implementing application whitelisting to safeguard against unauthorized actions in the future. The rule is a key component of threat detection focused on session integrity within Windows environments.
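The following is an added illustration of the detection conditions the summary describes, written for this page; it is not Elastic's rule query. The event shape, the sample events and the interpretation of "modified recently" as the same 24-hour window used for creation are all assumptions made here.

```python
"""Evaluate the conditions described above against constructed sample events.

Added example, not the Elastic rule itself. Assumes a simplified event
record with process name, DLL timestamps and a code-signature record.
"""
from datetime import datetime, timedelta, timezone

# Assumption: "recently" for modification uses the same 24-hour window
# the summary gives for newly created DLLs.
WINDOW = timedelta(hours=24)


def is_untrusted(event):
    """A DLL with no signature record, or one not marked trusted, is untrusted."""
    sig = event.get("dll_signature")
    return sig is None or not sig.get("trusted", False)


def matches_rule(event, now):
    """Return True when the event meets every condition from the summary."""
    if event.get("event_type") != "library_load":
        return False
    if event.get("process_name", "").lower() != "scnotification.exe":
        return False
    # Newly created OR recently modified: either timestamp inside the window.
    recent = False
    for ts in (event.get("dll_created"), event.get("dll_modified")):
        if ts is not None and timedelta(0) <= now - ts <= WINDOW:
            recent = True
    return recent and is_untrusted(event)


def find_alerts(events, now):
    """Return the ids of all events that would raise an alert."""
    return [e["id"] for e in events if matches_rule(e, now)]


# Constructed reference time and sample events (not real telemetry).
NOW = datetime(2024, 4, 17, 12, 0, tzinfo=timezone.utc)

SAMPLE_EVENTS = [
    # Long-present, trusted system DLL: no alert.
    {"id": "e1", "event_type": "library_load", "process_name": "SCNotification.exe",
     "dll_path": r"C:\Windows\System32\kernel32.dll",
     "dll_created": NOW - timedelta(days=365), "dll_modified": NOW - timedelta(days=365),
     "dll_signature": {"trusted": True, "subject": "Microsoft Windows"}},
    # Unsigned DLL written two hours ago: alert.
    {"id": "e2", "event_type": "library_load", "process_name": "SCNotification.exe",
     "dll_path": r"C:\Users\Public\helper.dll",
     "dll_created": NOW - timedelta(hours=2), "dll_modified": NOW - timedelta(hours=2),
     "dll_signature": None},
    # Old file whose modified time changed 30 minutes ago, untrusted signer: alert.
    {"id": "e3", "event_type": "library_load", "process_name": "scnotification.exe",
     "dll_path": r"C:\ProgramData\cache\plugin.dll",
     "dll_created": NOW - timedelta(days=30), "dll_modified": NOW - timedelta(minutes=30),
     "dll_signature": {"trusted": False, "subject": "Example Org"}},
    # Same fresh untrusted DLL, but loaded by a different process: out of scope.
    {"id": "e4", "event_type": "library_load", "process_name": "notepad.exe",
     "dll_path": r"C:\Users\Public\helper.dll",
     "dll_created": NOW - timedelta(hours=2), "dll_modified": NOW - timedelta(hours=2),
     "dll_signature": None},
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS, NOW))  # ['e2', 'e3']
```

Events e1 and e4 show the two main sources of silence: an old, trusted DLL fails the recency and trust checks, and a fresh untrusted DLL loaded by any process other than SCNotification.exe is outside the rule's scope. Event e3 is the case worth noting for triage: the file is a month old, but a recent modification alone is enough to satisfy the time condition.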
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • File
  • Image
ATT&CK Techniques
  • T1574
Created: 2024-04-17