Briefs

The Auth0.js SDK versions 8.11.0 to 9.32.0 improperly returns user profile information when provided a crafted invalid ID token, potentially bypassing access controls relying on Auth0 Actions.

Detection of AWS CloudTrail being disabled, deleted, or updated by an adversary to impair defenses and evade detection.

An attacker may add an authentication method to a compromised Azure account for persistent access, which can be detected by monitoring changes to authentication methods in Azure audit logs.

A server-side request forgery (SSRF) vulnerability exists in BigSweetPotatoStudio HyperChat up to version 2.0.0-alpha.63, allowing a remote attacker to manipulate the 'baseurl' argument in the 'fetch' function of the AI Proxy Middleware component to make arbitrary HTTP requests.

This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.

This rule detects potential PowerShell HackTool scripts by identifying script block content containing known offensive-tool author handles or attribution strings, indicative of attackers using public tooling with minimal modifications.

Ech0's OAuth redirect URI validation ignores the path component, allowing attackers to craft malicious redirect URIs for exchange-code theft and potential account takeover.

A vulnerability in GitPython versions prior to 3.1.47 allows for command execution during repository cloning by manipulating the `multi_options` parameter to inject malicious Git configurations, such as `core.hooksPath`, leading to the execution of attacker-controlled hooks.

CVE-2025-47405 is a memory corruption vulnerability in Qualcomm products related to processing camera sensor input/output control codes with invalid output buffers, potentially leading to arbitrary code execution.

Detection of successful PutKeyPolicy calls on AWS KMS keys to identify potential privilege escalation or unauthorized access by adversaries modifying key policies to decrypt or exfiltrate data.

CVE-2026-34293 is an unspecified vulnerability affecting a Microsoft product, for which details are currently unavailable, posing a potential risk to affected systems.

A logic error in Admidio's two-factor authentication reset inverts the authorization check, allowing non-admin users to remove other users' TOTP, including administrators, reducing their security to password-only authentication in versions 5.0.8 and earlier.

Detection of unauthorized access or privilege escalation attempts within Azure environments due to invalid or missing Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses for Privileged Identity Management (PIM).

CVE-2026-31613 is an out-of-bounds read vulnerability in the SMB client when parsing symlink error responses, requiring patching to prevent potential information disclosure or denial-of-service.

This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.

The ProblemChild machine learning model has detected a user with suspicious Windows processes exhibiting unusually high malicious probability scores, potentially indicating defense evasion via masquerading or LOLbins.

The Form Maker by 10Web WordPress plugin is vulnerable to SQL Injection via the 'inputs' parameter in versions up to 1.15.42, allowing unauthenticated attackers to extract sensitive information from the database.

This rule detects suspicious execution of scripts via WMIC, potentially used for allowlist bypass, by identifying WMIC executions with atypical arguments and the loading of specific libraries like jscript.dll or vbscript.dll for defense evasion and execution.

An Elastic machine learning job detects anomalous remote file transfers to unusual directories, indicating potential lateral movement by attackers attempting to bypass standard security monitoring.

This rule detects unauthorized access to sensitive Active Directory object attributes such as unixUserPassword, ms-PKI-AccountCredentials, and msPKI-CredentialRoamingTokens, potentially leading to credential theft and privilege escalation.

Cisco Catalyst SD-WAN Manager contains an information disclosure vulnerability (CVE-2026-20133) that could allow remote attackers to view sensitive information on affected systems, requiring immediate patching or mitigation.

This brief covers the detection of NetExec, a post-exploitation and lateral movement tool, through monitoring for unique file creation patterns associated with its execution and file extraction in Windows environments.

An Okta end-user reports potentially suspicious activity on their account, indicating possible compromise or unauthorized access.

This detection identifies the creation of new Windows services with suspicious command values, often used for privilege escalation and persistence by malicious actors.

Adversaries may use the `nltest.exe` command-line utility to enumerate domain trusts and gain insight into trust relationships to facilitate lateral movement within a Microsoft Windows NT Domain.

This rule detects the abuse of Windows Sandbox with sensitive configurations to evade detection, where malware may abuse the sandbox feature to gain write access to the host file system, enable network connections, and automatically execute commands via logon, identifying the start of a new container with these sensitive configurations.

PhpSpreadsheet is vulnerable to a denial-of-service attack by crafting a SpreadsheetML XML file with an excessively large row index, which exhausts server CPU resources due to unbounded iteration.

This rule detects PowerShell scripts that request Kerberos service tickets using KerberosRequestorSecurityToken, potentially indicating Kerberoasting attacks for offline password cracking of service accounts.

Adversaries may delete events in Azure Kubernetes to evade detection, which this rule detects via the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation.

Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.