Date: 08/30/2024
Severity: Medium
Summary
"Remote Access Tool - Action1 Arbitrary Code Execution and Remote Sessions" is a SigmaHQ threat-hunting rule for process-creation telemetry. It flags the Action1 remote monitoring and management (RMM) tool being used to run arbitrary commands or PowerShell scripts and to open remote sessions on a host: commands or scripts launched from Action1's scripts directory, executables started from its package download folder, and the agent1_remote.exe remote-session component. Action1 is a legitimate administration product, and this is not a software vulnerability in it; the same functionality that lets an administrator push a script to a fleet lets an attacker who has installed the agent, or taken over an existing one, execute code and keep remote access. Because the rule sits in the threat-hunting rule set rather than the production rule set, hits are expected on hosts where Action1 is deployed deliberately. Triage them against the organisation's sanctioned RMM inventory: a match on a host with no approved Action1 deployment, or an unexpected remote session or script run on an approved host, is the signal worth investigating.
Indicators of Compromise (IOC) List
Field | Values (path fragments: executable names match the end of the path, directory and command-line fragments match anywhere in the field) |
ParentImage | '\action1_agent.exe' '\cmd.exe' '\powershell.exe' |
Image | '\Windows\Action1\package_downloads\' '\agent1_remote.exe' |
ParentCommandLine | '\Action1\scripts\Run_Command_' '\Action1\scripts\Run_PowerShell_' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (ResourceName = "Sysmon" AND eventtype = "1") AND parentimage in ("\action1_agent.exe","\cmd.exe","\powershell.exe") AND image in ("\Windows\Action1\package_downloads","\agent1_remote.exe") AND parentcommandline in ("\Action1\scripts\Run_Command_","\Action1\scripts\Run_PowerShell_") |
Detection Query 2 | (Technologygroup = "EDR" ) AND parentimage in ("\action1_agent.exe","\cmd.exe","\powershell.exe") AND image in ("\Windows\Action1\package_downloads","\agent1_remote.exe") AND parentcommandline in ("\Action1\scripts\Run_Command_","\Action1\scripts\Run_PowerShell_") |
Note on the query logic: the IOC values are path fragments, not complete field values, and the three field groups describe different events (agent1_remote.exe starting, an executable running out of package_downloads, and a process spawned under an Action1 Run_Command_ or Run_PowerShell_ script). A single Sysmon Event ID 1 record is very unlikely to satisfy all three groups at once, so the conjunction above will miss most of the activity the IOCs describe. When porting these queries to another platform, match the fragments with its ends-with/contains operators (if `in` performs exact matching, wrap the values accordingly), OR the indicator groups rather than AND them, and keep the cmd.exe/powershell.exe parent indicator tied to the Action1 script path in the parent command line, since those parents alone are far too common to hunt on.
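The IOC groups run over constructed Sysmon Event ID 1 records, as an added example that is not Gurucul's query code or the Sigma rule's own logic. The fragments are the advisory's; the matching semantics (ends-with for executable names, substring for directory and command-line fragments, case-insensitive because NTFS paths are), the grouping of the indicators, the field and host names, and the sample events are assumptions made for this example.

```python
"""Hunt for Action1 RMM code-execution and remote-session activity in
Sysmon Event ID 1 (process creation) records. Added example; the
grouping and match semantics below are assumptions, not the vendor's."""
from dataclasses import dataclass

# IOC fragments from the advisory, lower-cased for case-insensitive matching.
PARENT_IMAGE_SUFFIXES = ("\\action1_agent.exe", "\\cmd.exe", "\\powershell.exe")
REMOTE_SESSION_IMAGE = "\\agent1_remote.exe"
PACKAGE_DIR_FRAGMENT = "\\windows\\action1\\package_downloads\\"
SCRIPT_CMDLINE_FRAGMENTS = ("\\action1\\scripts\\run_command_",
                            "\\action1\\scripts\\run_powershell_")


@dataclass(frozen=True)
class ProcessEvent:
    """The subset of Sysmon Event ID 1 fields the indicators use (assumed schema)."""
    host: str
    event_id: int
    image: str
    parent_image: str
    parent_command_line: str


def action1_indicators(ev):
    """Return the indicator groups a single event satisfies.

    The groups are alternatives (any one is a hit), not a conjunction:
    a remote-session launch and a child of a Run_Command_ script are
    different process-creation events.
    """
    if ev.event_id != 1:
        return []
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    parent_cmd = ev.parent_command_line.lower()
    hits = []
    if image.endswith(REMOTE_SESSION_IMAGE):
        hits.append("remote_session")
    if PACKAGE_DIR_FRAGMENT in image:
        hits.append("package_download_exec")
    # cmd.exe / powershell.exe as a parent is too common to hunt on alone;
    # the Action1 script path in the parent command line is what ties the
    # child process to a "Run Command" / "Run PowerShell" deployment.
    if parent.endswith(PARENT_IMAGE_SUFFIXES) and any(
            frag in parent_cmd for frag in SCRIPT_CMDLINE_FRAGMENTS):
        hits.append("script_execution")
    return hits


def hunt(events, sanctioned_hosts=frozenset()):
    """Run the indicators over a batch of events.

    Returns (host, image, groups, sanctioned) tuples. Action1 is a
    legitimate RMM product, so hits on hosts with an approved deployment
    are kept but flagged for lower-priority review instead of dropped:
    an attacker may reuse an agent that is already installed.
    """
    findings = []
    for ev in events:
        groups = action1_indicators(ev)
        if groups:
            findings.append((ev.host, ev.image, groups, ev.host in sanctioned_hosts))
    return findings


# Constructed sample events (not real telemetry); paths follow the IOC fragments.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", 1, r"C:\Windows\Action1\agent1_remote.exe",
                 r"C:\Windows\Action1\action1_agent.exe",
                 r"C:\Windows\Action1\action1_agent.exe"),
    ProcessEvent("ws02", 1, r"C:\Windows\Action1\package_downloads\1234\setup.exe",
                 r"C:\Windows\Action1\action1_agent.exe",
                 r"C:\Windows\Action1\action1_agent.exe"),
    ProcessEvent("ws03", 1, r"C:\Windows\System32\whoami.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Windows\Action1\scripts\Run_Command_5f2a.cmd"),
    # Benign: cmd.exe parent, but nothing ties it to Action1.
    ProcessEvent("ws04", 1, r"C:\Windows\System32\ipconfig.exe",
                 r"C:\Windows\System32\cmd.exe", r"cmd.exe /c ipconfig"),
    # Wrong event type: a network connection (ID 3) from the remote binary.
    ProcessEvent("ws01", 3, r"C:\Windows\Action1\agent1_remote.exe",
                 r"C:\Windows\Action1\action1_agent.exe", ""),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, sanctioned_hosts={"ws02"}):
        print(finding)
```

Running the block prints three findings (ws01 remote session, ws02 package execution on a sanctioned host, ws03 script-spawned whoami) and nothing for the plain cmd.exe child or the non-process-creation event; the sanctioned flag is what lets an analyst rank the ws01 and ws03 hits above ws02.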
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_action1_code_exec_and_remote_sessions.yml