Briefs

Detection of DNS record creation by non-system accounts within Active Directory Integrated DNS (ADIDNS), which attackers can abuse to perform Dynamic Spoofing attacks, potentially targeting services like WPAD for credential access.

This rule identifies suspicious child processes spawned by ScreenConnect client processes, potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.

Multiple vulnerabilities in Insyde UEFI Firmware allow a local attacker to execute arbitrary code with administrator privileges.

Adversaries may embed a malicious command in an MSC file in order to trick victims into executing malicious commands, leading to initial access and execution of arbitrary code.

Detection of suspicious processes spawned by JetBrains TeamCity indicates potential exploitation of remote code execution vulnerabilities, with attackers using command interpreters and system binaries for malicious purposes.

Adversaries use parent process PID spoofing to evade detection by creating processes with mismatched parent-child relationships, hindering process monitoring and potentially elevating privileges on Windows systems.

An attacker may add a new root certificate authority to an Azure AD tenant to support certificate-based authentication for persistence, privilege escalation, or defense evasion.

An SSH connection attempt to an OpenCanary node indicates a potential adversary probing for vulnerable services or attempting unauthorized access within a network.

The phpseclib library has a vulnerability affecting prime number generation and primality testing, impacting versions >= 0.1.1 and < 1.0.23, >= 2.0.0 and < 2.0.47, and >= 3.0.0 and < 3.0.36, potentially leading to insecure cryptographic operations.

A remote, authenticated attacker can exploit a vulnerability in OpenSSL to perform a denial-of-service attack and disclose information.

A local privilege escalation vulnerability exists in Windows 11 24H2, Windows 11 25H2, and Windows Server 2022 23H2 due to improper handling of untrusted pointers in HTTP.sys via strcat truncation.

A vulnerability exists in phpseclib when loading untrusted ASN1 files, potentially leading to an OID amplification denial-of-service (DoS) in the ASN1::decodeOID() function.

The Sync Service's ConfigMap-backed provider in Argo Workflows performs zero authorization checks on all CRUD operations, allowing any authenticated user to create, read, update, and delete Kubernetes ConfigMaps containing synchronization limits, potentially leading to denial of service, workflow disruption, information disclosure, or arbitrary ConfigMap manipulation in Argo Workflows versions v4.0.0 to v4.0.4.

Attackers can create wildcard records in Active Directory Integrated DNS (ADIDNS) to redirect traffic, enabling adversary-in-the-middle attacks for credential interception or relay.

Detects potential credential decryption operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library, indicating potential credential access attempts to target backups as part of destructive operations.

An administrator has disabled the GitHub push protection feature, potentially allowing secrets and other sensitive information to be pushed to repositories.

Multiple vulnerabilities in GStreamer allow a remote, anonymous attacker to cause a denial-of-service condition or execute arbitrary code.

Multiple vulnerabilities in GStreamer could be exploited by a remote, anonymous attacker to execute arbitrary code or cause a denial of service condition.

Detects instances where an SSH service on an OpenCanary node has had a login attempt, indicating potential reconnaissance, privilege escalation, or lateral movement.

This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.

Dgraph versions prior to 25.3.3 expose the admin token via the `/debug/vars` endpoint, allowing unauthenticated attackers to bypass authentication and gain administrative access.

An adversary may delete Kubernetes events to evade detection and hide malicious activity within a Kubernetes environment by removing audit logs.

A server-side request forgery (SSRF) vulnerability in Monetr's Lunch Flow integration allows authenticated users on self-hosted instances to send HTTP GET requests to arbitrary URLs, potentially exposing sensitive information.

A crafted payload can force memory allocations of up to 16 GB, leading to a denial-of-service condition in applications using the Zserio serialization framework, including those within the automotive Navigation Data Standard (NDS).

This brief details detection of anomalous activity within the Okta Admin Console, potentially indicating privilege escalation, persistence, defense evasion, or initial access attempts by malicious actors.

A machine learning job has detected potential data exfiltration activity to an unusual geographical region, specifically by region name, indicating exfiltration over command and control channels.

A machine learning job has detected an unusually high file size shared by a remote host, indicating potential lateral movement as attackers bundle data into a single large file transfer to evade detection when exfiltrating valuable information.

A remote, authenticated attacker can exploit a vulnerability in Grafana to escalate privileges.

Enabling certificate-based authentication (CBA) in Azure Active Directory can be abused by attackers to establish persistence, escalate privileges, and impair defenses.

An adversary with administrative privileges may delete global secret scanning rules in Bitbucket to impair defenses and exfiltrate sensitive data without detection.