Briefs

An attacker may modify the Bitbucket audit log configuration to impair security monitoring and evade detection.

A pre-authentication DQL injection vulnerability in Dgraph's `/mutate` endpoint, when ACL is disabled, allows attackers to exfiltrate the entire database by crafting a malicious `cond` field in an upsert mutation.

Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

Detects successful Microsoft 365 portal logins from impossible travel locations, defined as logins originating from two different countries within a short timeframe, potentially indicating account compromise or unauthorized access.

A path traversal vulnerability exists in the `fetch` command of `@evomap/evolver` due to insufficient validation of the `--out` flag, allowing attackers to write files to arbitrary locations on the filesystem, potentially leading to overwriting critical system files and privilege escalation.

Detection of the disabling of GitHub secret scanning at the business or repository level, potentially increasing the risk of exposed credentials and secrets.

Compromised EC2 instances may be leveraged to exfiltrate and misuse AWS Instance Metadata Service (IMDS) credentials to perform actions outside of the expected AWS Simple Systems Manager (SSM) service, indicating potential lateral movement or data exfiltration.

Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.

This detection identifies processes accessing the Windows Recall directory, a feature that takes screenshots every few seconds, and due to initial security shortcomings, could be exploited by malware to steal sensitive data.

This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.

The GrimResource technique leverages a stored XSS vulnerability in apds.dll to achieve arbitrary code execution within a signed mmc.exe process by delivering a malicious .msc file.

The netbox-data-flows plugin is vulnerable to stored cross-site scripting (XSS). An authenticated user with permissions to create or edit ObjectAlias objects can inject arbitrary HTML/JavaScript into the alias name. This payload is then rendered unescaped in DataFlow table views, leading to XSS when another user views the affected page. Successful exploitation can result in session theft, privileged action execution, and data exfiltration.

CVE-2025-49010 is a critical stack buffer overflow vulnerability within the GET RESPONSE function of OpenSC, potentially leading to arbitrary code execution.

CVE-2025-66215 is a critical stack buffer overflow vulnerability within the OpenSC project, specifically affecting the `card-oberthur` component, potentially leading to arbitrary code execution.

Attackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.

A denial-of-service vulnerability exists in the russh crate, where a malicious client can crash any russh-based server implementing keyboard-interactive authentication by sending a crafted SSH_MSG_USERAUTH_INFO_RESPONSE message with a large response count, leading to excessive memory allocation and an out-of-memory crash without requiring any credentials.

A high-severity authentication bypass vulnerability exists in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy; Traefik fails to sanitize the `X-Forwarded-Prefix` header, allowing attackers to spoof a trusted prefix value and gain unauthorized access to protected backend routes.

The rule identifies the loading of unusual or unsigned DLLs by the DNS Server process, which can indicate exploitation of the ServerLevelPluginDll functionality, potentially leading to privilege escalation and remote code execution with SYSTEM privileges.

Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

An authenticated remote attacker can exploit a vulnerability in Grafana to execute arbitrary code, potentially leading to system compromise and data exfiltration.

Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.

Attackers with Backup Operator privileges may abuse wbadmin.exe to access the NTDS.dit file, enabling credential dumping and domain compromise.

Adversaries may exploit Microsoft's System Center Configuration Manager by loading malicious DLLs into SCNotification.exe, a process associated with user notifications, potentially leading to Windows session hijacking.

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

A missing authorization vulnerability in SimpleHelp (CVE-2024-57726) allows low-privileged technicians to create API keys with excessive permissions, potentially escalating privileges to the server admin role.

CVE-2024-57728 is a path traversal vulnerability in SimpleHelp that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file, potentially leading to arbitrary code execution.

CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.

Multiple vulnerabilities in Roundcube allow an attacker to perform a cross-site scripting attack and disclose confidential information.

A path traversal vulnerability in Samsung MagicINFO 9 Server could allow an attacker to write arbitrary files with system privileges, potentially leading to code execution or system compromise.

An unauthorized actor modifies an Azure Conditional Access policy, potentially leading to privilege escalation, credential access, persistence, or defense impairment.