Briefs

The execution of AdFind.exe, an Active Directory query tool, is often used by threat actors for post-exploitation Active Directory reconnaissance, as observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6.

Ech0 is vulnerable to Server-Side Request Forgery (SSRF) via the `fetchPeerConnectInfo` function, which uses `httpUtil.SendRequest` without SSRF protection, allowing authenticated users to make the server request arbitrary URLs, including internal/cloud metadata endpoints.

Adversaries compromising GitHub Actions workflows can execute arbitrary commands on runner hosts, leading to code execution, reconnaissance, credential harvesting, or network exfiltration.

A machine learning job has detected unusually high variance of RDP session duration, potentially indicating lateral movement and session persistence by threat actors.

Poorly chosen performance metrics can significantly impair a SOC's ability to detect and respond to threats, leading to ineffective security operations and potential compromise.

This analytic identifies excessive ICMP traffic to external IP addresses exceeding 1,000 bytes, potentially indicating command and control activity, data exfiltration, or covert communication channels.

This brief discusses the use of Apple's Endpoint Security Framework in macOS 10.15 and later for user-mode process monitoring, offering improved capabilities over the older OpenBSM subsystem.

A critical vulnerability, CVE-2025-62373, exists in Pipecat's LivekitFrameSerializer where the deserialize() method uses Python's pickle.loads() on WebSocket data without validation, allowing a malicious WebSocket client to execute arbitrary code on the Pipecat server if LivekitFrameSerializer is explicitly enabled.

PowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.

Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.

Detection of suspicious child processes spawned by Microsoft Outlook, indicative of spear phishing and malicious file execution leading to potential initial access and further exploitation.

The rule identifies process creation with alternate credentials, which can be used for privilege escalation, by detecting successful logins via the Secondary Logon service (seclogon) from a local source IP address (::1), followed by process creation using the same TargetLogonId.

Adversaries may abuse Xwizard, a Windows system binary, to execute Component Object Model (COM) objects created in the registry to evade defensive countermeasures by proxying execution through a legitimate system tool.

A denial-of-service vulnerability exists in Zebra's block discovery pipeline, allowing an unauthenticated remote attacker to permanently halt all new block discovery on a targeted node by exploiting weaknesses in the gossip, syncer, and download subsystems.

Detects copy operations of Active Directory Domain Database (ntds.dit) or Security Account Manager (SAM) files, potentially exposing sensitive hashed credentials on Windows systems.

This analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers, allowing adversaries to evade detection by removing evidence of their actions.

OSX/MaMi is a macOS malware that hijacks DNS settings and installs a malicious certificate into the system keychain to intercept network traffic, while also possessing capabilities for taking screenshots, simulating mouse events, persisting as a launch item, downloading and uploading files, and executing commands.

An implant installer for HackingTeam's RCS implant uses Apple's native OS X encryption scheme and a custom packer to deliver a persistent implant, indicating a potential resurgence of the group and an evolution in their techniques for macOS malware.