Briefs

Adversaries may delete events in Azure Kubernetes to evade detection, which this rule detects via the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation.

Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.

The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.

This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from the internet, a common initial access vector, by monitoring network connections to TCP port 135 and filtering known internal IP ranges.

The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.

macOS Mojave beta's new privacy controls can be bypassed by exploiting the entitlements of trusted applications like QuickTime Player via AppleScript to access the webcam and microphone without user consent.

A vulnerability in gitoxide's `gix_submodule::File::update()` allows arbitrary command execution via a crafted `.gitmodules` file by incorrectly validating the source of the `update` command, enabling an attacker to inject malicious commands after a submodule has been initialized.

GoBGP version 4.4.0 is vulnerable to a remote denial-of-service attack where a malformed BGP UPDATE message triggers a nil pointer dereference, crashing the GoBGP process.

A denial-of-service vulnerability exists in the twisted.names module, where an unauthenticated attacker can send a crafted TCP DNS packet with deeply chained compression pointers, causing the Twisted reactor to hang while processing recursive lookups and effectively freezing the server.

This detection identifies attempts to jailbreak M365 Copilot by impersonating roles, adopting unrestricted personas, or mimicking malicious AI systems to bypass safety controls, searching exported eDiscovery prompt logs for roleplay keywords and categorizing prompts into impersonation types to detect persona injection attacks.

This rule detects PowerShell scripts that attempt to bypass the Antimalware Scan Interface (AMSI) in order to disable scanning and execute malicious PowerShell code undetected.

Detection of user activity originating from an IP address identified as an anonymous proxy, potentially indicating unauthorized access, privilege escalation, or persistence within an Azure Active Directory environment.

Note Mark is vulnerable to arbitrary file write via path traversal in asset names, leading to remote code execution by overwriting system binaries such as /bin/bash.

A machine learning job detected potential DGA (domain generation algorithm) activity indicative of malware command and control (C2) channels, identifying source IP addresses making DNS requests with a high probability of being DGA-generated, a technique used by adversaries to evade detection.

Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.

Successful AWS console logins without multi-factor authentication can indicate compromised credentials, misconfigured security settings, or unauthorized access attempts.

An unauthorized actor removes a Conditional Access policy in Azure, potentially weakening the organization's security posture and enabling privilege escalation or credential access.

Attackers may halt or disable security services on Linux systems to evade defenses, maintain persistence, or disrupt operations, detected through the use of utilities like 'systemctl', 'service', and 'chkconfig'.

The Invoke-NinjaCopy PowerShell script is used by attackers to directly access volume files, such as NTDS.dit or registry hives, for credential dumping.

Adversaries may attempt to disable Windows EventLog autologger sessions via registry modification to evade detection and prevent security monitoring of early boot activities and system events.

The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.

This rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker may have compromised an account by brute-forcing login attempts across multiple users.

Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.

The execution of a Linux shell process from a Java JAR application following an incoming network connection may indicate reverse shell activity.

The rust-zserio package is vulnerable to unbounded memory allocation when deserializing arrays, strings, or bytes (blob) types, allowing an attacker to cause a denial-of-service by providing a crafted data file with a large size value.

A denial-of-service vulnerability exists in rustls-webpki versions prior to 0.103.13 and between 0.104.0-alpha.1 and 0.104.0-alpha.7 due to a panic in `bit_string_flags()` when processing a malformed CRL BIT STRING, triggered when CRL checking is enabled and an attacker provides a crafted CRL.

SUSE Harvester's Rancher integration mechanism is vulnerable to a man-in-the-middle attack due to insecure TLS options, potentially leading to denial of service.

An attacker abuses the Secondary Logon service (seclogon.dll) to gain unauthorized access to the LSASS process, potentially leaking credentials.

Adversaries may exploit Windows Management Instrumentation (WMI) to execute code stealthily, bypassing traditional security measures by loading `wmiutils.dll` from Microsoft Office applications, potentially indicating malicious execution.

An untrusted driver loaded by the Windows kernel may indicate an attempt to bypass code signing policies and execute unsigned or self-signed kernel code, potentially leading to defense evasion.