Threat Feed

November 2024 (21)

medium advisory

Microsoft 365 Identity Login from Impossible Travel Location

Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short time frame, potentially indicating account compromise or unauthorized access.

Microsoft 365 cloud identity azure active directory initial access
high advisory

Command and Scripting Interpreter via Windows Scripts

This rule detects the execution of PowerShell, PowerShell ISE, or Cmd spawned from Windows Script Host or MSHTA, indicating potential abuse of scripting interpreters to execute malicious commands or scripts on Windows systems.

Microsoft Defender XDR +8 execution scripting windows
critical advisory

LiteLLM Proxy API Key Verification SQL Injection

A SQL injection vulnerability exists in LiteLLM versions from 1.81.16 up to but not including 1.83.7, allowing an unauthenticated attacker to inject SQL queries via a crafted 'Authorization' header, potentially leading to unauthorized data access or modification.

litellm sqli web-application
critical advisory

OpenC3 COSMOS Script Runner Permissions Bypass

The OpenC3 COSMOS Script Runner widget allows authenticated users to bypass API permissions checks and execute administrative actions by running specially crafted Python and Ruby scripts, leading to data manipulation and privilege escalation.

openc3 cosmos script-runner permissions-bypass privilege-escalation
medium advisory

Suspicious Pod Creation in Kubernetes System Namespace

An attacker may deploy a pod within the kube-system namespace in Kubernetes to mimic legitimate system pods and evade detection.

Kubernetes pod kube-system container
high advisory

LiteLLM Server-Side Template Injection Vulnerability

A server-side template injection vulnerability in LiteLLM versions from 1.80.5 up to but not including 1.83.7 allows authenticated users to execute arbitrary code within the LiteLLM Proxy process via a crafted prompt template, potentially exposing sensitive information and enabling command execution on the host.

LiteLLM ssti template-injection code-execution
medium advisory

Powercat PowerShell Implementation Detection

Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.

Windows command-and-control execution lateral-movement powershell
high advisory

Potential Foxmail Exploitation Leading to Initial Access

This rule detects potential exploitation of the Foxmail client to gain initial access and execute malicious code. It monitors for the Foxmail client spawning child processes with arguments pointing to user-profile AppData paths or remote shares, which indicates exploitation of a Foxmail vulnerability through a malicious email.

Foxmail client initial-access execution foxmail vulnerability
medium advisory

Active Directory Group Modification by SYSTEM Account

Detection of a user being added to an Active Directory group by the SYSTEM account (S-1-5-18) can indicate an attacker with SYSTEM privileges attempting to pivot to a domain account.

Active Directory persistence privilege-escalation windows
critical advisory

NornicDB Improper Network Binding Exposes Bolt Server

NornicDB versions prior to 1.0.42-hotfix have an improper network binding vulnerability in the Bolt server. The `--address` CLI flag is not correctly plumbed through to the Bolt server config, so the Bolt listener always binds to the wildcard address and exposes the database, with its default credentials, to unauthorized remote access.

nornicdb network-binding misconfiguration graph-database
medium advisory

GitHub SSH Certificate Configuration Changed

Attackers can modify SSH certificate configurations in GitHub organizations to gain unauthorized access, persist in the environment, escalate privileges, and operate stealthily.

Github ssh certificate initial-access persistence privilege-escalation stealth t1078.004
high advisory

MemProcFS Usage for Memory Dump Mounting and Credential Access

Adversaries use MemProcFS, a memory forensics tool, to mount memory dumps as virtual file systems and extract sensitive information like credentials from LSASS or registry hives.

credential-access memory-dump memprocfs
medium advisory

Micronaut TimeConverterRegistrar Memory Exhaustion via Accept-Language Header

Micronaut's `TimeConverterRegistrar` has an unbounded `formattersCache` that allows memory exhaustion via a crafted `Accept-Language` header. An unauthenticated attacker can crash the JVM by sending requests with novel locale tags to `@Format`-annotated endpoints, growing the cache until heap memory is exhausted. This affects Micronaut applications with `micronaut-context` versions 4.3.0 and above, up to but not including 4.10.22.

micronaut-context dos memory-exhaustion micronaut
medium advisory

Potential Privilege Escalation via SUID/SGID on Linux

Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.

Elastic Defend privilege-escalation persistence defense-evasion suid sgid
high advisory

Untrusted DLL Loaded by Azure AD Connect Authentication Agent

This rule detects the loading of an untrusted DLL by the Azure AD Connect Authentication Agent, potentially indicating credential access attempts via the Pass-through Authentication service.

Azure AD Connect Authentication Agent credential-access dll-side-loading azure-ad-connect
low advisory

Unusual Spike in Okta User Lifecycle Management Change Events

A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity where threat actors may manipulate user accounts to gain higher access rights or persist within the environment.

privileged-access okta user-lifecycle
high advisory

WDAC Policy File Creation by Unusual Process

Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products. This rule detects the creation of WDAC policy files by an unusual process.

Microsoft Defender XDR +5 wdac defense-evasion windows
medium advisory

Bitbucket Global SSH Settings Changed

Detects modification of Bitbucket global SSH settings, which an attacker may change to enable unauthorized access and lateral movement.

Bitbucket lateral-movement defense-impairment
medium advisory

Detect AWS Route Table Modification via CloudTrail

An attacker may add a new route to an AWS route table, potentially redirecting network traffic for malicious purposes such as defense impairment or data exfiltration.

AWS EC2 +1 cloud aws network-routing
medium advisory

go-zserio Unbounded Memory Allocation Vulnerability

go-zserio versions prior to 0.9.1 are vulnerable to unbounded memory allocation when deserializing data, potentially leading to denial of service.

go-zserio memory-allocation denial-of-service
medium advisory

Kubernetes Admission Controller Modification

An adversary modifies Kubernetes admission controller configurations to achieve persistence, escalate privileges, or gain unauthorized access to credentials within the cluster.

kubernetes admission-controller privilege-escalation persistence credential-access

October 2024 (9)

high advisory

GitHub Security Feature Disablement

An administrator or privileged user disables critical security features within a GitHub organization or repository, potentially leading to increased risk of unauthorized access, data breaches, and persistent compromise.

GitHub security-configuration defense-evasion
low advisory

macOS User Added to Admin Group Detection

This rule identifies when a user is added to the admin group on macOS systems, potentially indicating privilege escalation activity. It requires Jamf Protect for data ingestion into Elastic.

Jamf Protect privilege-escalation macos jamf
high advisory

OpenCanary HTTPPROXY Login Attempt Detection

Detection of attempted HTTP proxy use on an OpenCanary node, indicating potential reconnaissance or lateral movement by an attacker attempting to proxy another page.

OpenCanary honeypot httpproxy lateral-movement
high advisory

OpenCanary Telnet Login Attempt

The OpenCanary Telnet Login Attempt detection identifies unauthorized login attempts to a Telnet service monitored by an OpenCanary node, indicating potential reconnaissance or intrusion attempts targeting the network.

honeypot telnet reconnaissance intrusion opencanary
low advisory

New AWS Network ACL Entry Creation Detected

Detection of new Network ACL entries in AWS CloudTrail logs can indicate potential defense impairment or the opening of new attack vectors within an AWS account by an adversary.

AWS CloudTrail +1 attack.defense-impairment attack.t1686.001 cloud
high advisory

Suspicious Windows Command Shell Arguments Detection

This rule identifies the execution of the Windows Command Shell process (cmd.exe) with suspicious argument values, often observed during malware installation.

m365_defender +3 malware execution cmd
medium advisory

M365 Identity Login from Atypical Region

Detects successful Microsoft 365 portal logins from a country and region the user has not previously authenticated from in a specific time window, potentially indicating unauthorized access attempts by analyzing login events and user location patterns.

Microsoft 365 cloud identity microsoft365
high advisory

Linux Shell Invocation via Env Command

Detects use of the 'env' command to invoke a shell on Linux systems, which can bypass restricted environments or escalate privileges to execute arbitrary commands.

execution linux
medium advisory

MsiExec Child Process Spawning Network Connections for Defense Evasion

Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.

Elastic Defend +3 defense-evasion windows msiexec