Briefs

This rule detects the creation of scheduled tasks on Windows systems by non-system accounts, a common technique used by adversaries for persistence, lateral movement, and privilege escalation.

Mshta.exe spawning a suspicious child process, such as cmd.exe or powershell.exe, indicates potential adversarial activity leveraging Mshta to execute malicious scripts and evade detection on Windows systems.

The analytic detects the execution of renamed instances of msbuild.exe, a legitimate tool abused by attackers to execute malicious code while evading detection, potentially leading to system compromise, data exfiltration, or lateral movement.

Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.

The rule detects suspicious loading of the Remote Desktop Services ActiveX Client (mstscax.dll) from unusual locations, potentially indicating RDP lateral movement on Windows systems.

Detection of remote registry access by an account with SeBackupPrivilege, potentially indicating credential exfiltration attempts via SAM registry hive dumping.

Detection of cmd.exe being spawned by svchost.exe, which is an unusual behavior indicative of potential masquerading or privilege escalation attempts on Windows systems.

The rule identifies suspicious usage of unshare to manipulate system namespaces, which can be utilized to escalate privileges or escape container security boundaries.

The `unshare` command is used to create new namespaces in Linux, which can be exploited to break out of containers or elevate privileges by creating namespaces that bypass security controls.

Detection of wevtutil.exe being used with parameters to clear event logs, indicating potential attempts to evade detection and hinder forensic investigations by adversaries.

Detection of the Sysmon filter driver being unloaded via `fltMC.exe`, which can blind security monitoring and allow malicious actions to go undetected.

A server-side request forgery vulnerability exists in TencentCloudBase CloudBase-MCP up to version 2.17.0, allowing remote attackers to manipulate the `req.body.url` argument in the `openUrl` function of `mcp/src/interactive-server.ts` to conduct SSRF attacks.

A remote buffer overflow vulnerability exists in Tenda F456 version 1.0.0.5 via manipulation of the 'page' argument in the fromDhcpListClient function of the /goform/DhcpListClient component, potentially leading to arbitrary code execution.

A stack-based buffer overflow vulnerability exists in the Tenda FH1202 router, specifically in the WrlExtraSet function, allowing remote attackers to execute arbitrary code by manipulating the 'Go' argument in a request to /goform/WrlExtraSet.

Detection of unauthorized guest user invitations within an Azure Active Directory tenant, indicating potential privilege escalation, persistence, or initial access attempts.

A suspicious child process of the Windows virtual system process is detected, potentially indicating code injection and defense evasion.

A machine learning job detects a rare process writing data to an external device, potentially indicating data exfiltration masked by benign-looking processes.

Detection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.

Vvveb versions before 1.0.8.2 are vulnerable to authenticated remote code execution (RCE), enabling low-privilege users to execute arbitrary code by uploading a malicious .htaccess file and subsequently uploading PHP code with a mapped extension, resulting in unauthenticated RCE upon file access.

WeKan before 8.35 is vulnerable to server-side request forgery (SSRF), allowing attackers with integration modification privileges to set webhook URLs to internal network addresses, leading to unauthorized HTTP POST requests and potential comment manipulation.

This rule identifies potential password guessing/brute force activity from a single source IP targeting multiple Windows accounts with 'admin' in the username, indicating an attempt to compromise privileged accounts.

Detection of `auditpol.exe` execution with arguments to modify the audit policy security descriptor, indicative of defense evasion by adversaries aiming to limit audit logging.

Attackers obfuscate commands in Windows by dynamically constructing them using substrings extracted from environment variables, a technique observed in malware families such as Cobalt Strike and Meterpreter.

An attacker modifies the Windows registry to disable the Windows Defender Firewall and Network Protection settings, potentially weakening the system's security posture and increasing vulnerability to further attacks.

An attacker modifies the Windows Registry to disable Windows Defender Potentially Unwanted Application (PUA) protection, increasing the risk of malware installation and system compromise.

Detection of modifications to the Windows registry that change the Windows Defender Quick Scan Interval, potentially impairing its ability to detect malware promptly.

This analytic detects modifications to the Windows Registry to set Windows Defender SmartScreen level to 'Warn', which can reduce user suspicion and increase the risk of malware execution.

Attackers attempt to clear Windows event logs to evade detection and remove forensic evidence of their activities.

Detection of Hypervisor-protected Code Integrity (HVCI) being disabled by modifying specific Windows registry keys, potentially allowing the execution of malicious kernel-mode code.

Adversaries may use the Windows file system utility, fsutil.exe, with the fsinfo drives command to enumerate attached peripheral devices and gain information about a compromised system.