Monitor File Modification and Configuration Strings: Since attackers need to modify the SCNotification.exe.config file to execute this attack, monitoring for changes to this file can provide an early warning. Additionally, the presence of the "AppDomainManagerType" string in the configuration file should be scrutinized, as it is used in AppDomainManager injection attacks. Security teams should investigate any unexpected occurrences of this string in SCNotification.exe.config.
By implementing these defensive measures and adapting them to the specific capabilities of their SIEM or EDR solutions, organizations can enhance their ability to detect and respond to session hijacking attacks via the CcmExec service.
Published: 2024-03-28T13:00:00