Briefs

Detection of PowerShell execution initiated via Crowdstrike Real Time Response (RTR) 'runscript' command, potentially indicating malicious actors leveraging compromised Crowdstrike Dashboard access to execute commands on remote hosts using encoded commands.

Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.

Attackers use PowerShell commands, including base64-encoded variants, to disable or weaken Windows Defender settings, impairing defenses on compromised systems.

A command injection vulnerability in the `_extractLLM()` function of the evolver application allows remote attackers to execute arbitrary shell commands by injecting shell metacharacters into the `corpus` parameter, leading to potential system compromise.

GitPython versions 3.1.30 through 3.1.46 are vulnerable to command injection by passing attacker-controlled kwargs into `Repo.clone_from()`, `Remote.fetch()`, `Remote.pull()`, or `Remote.push()`, leading to arbitrary command execution due to bypassed safety checks.

Attackers with access to IIS web servers may use the AppCmd command-line tool to dump sensitive configuration data, including application pool credentials, potentially leading to lateral movement and privilege escalation.

A path traversal vulnerability exists in the prepare_kaggle_dataset function of kaggle-mcp up to version 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d, allowing remote attackers to access arbitrary files by manipulating the competition_id argument.

Adversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.

CoreDNS is vulnerable to a denial-of-service attack where processing oversized DNS-over-HTTPS GET requests exhausts resources prior to returning an error.

This analytic detects instances where a process loads a file from a remote share path, potentially indicating execution, defense evasion, or lateral movement by attackers loading code from attacker-controlled infrastructure.

The default error handler in FlightPHP core writes the full exception message, exception code, and stack trace directly into the HTTP 500 response, disclosing sensitive information such as internal paths, secrets, and application structure.

A path traversal vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations.

Lemur versions before 1.9.0 are vulnerable to LDAP filter injection, where an authenticated LDAP user can inject LDAP filter metacharacters through the username field to manipulate group membership queries and escalate their privileges to administrator.

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated attackers with Contributor-level access or higher to make arbitrary requests and retrieve sensitive information from internal services.

CVE-2026-41676 is a buffer overflow vulnerability in rust-openssl's Deriver::derive and PkeyCtxRef::derive functions when used with OpenSSL 1.1.1, potentially leading to denial of service or arbitrary code execution.

Exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2, is detected by identifying malicious multipart/form-data POST requests with WebKitFormBoundary targeting Struts .action upload endpoints, followed by JSP web shell creation in Tomcat's webapps directories, indicating remote code execution.

Detection of runc init child processes with root effective user and non-root login user ID, indicating potential container privilege escalation.

Adversaries may exploit PDF reader applications to execute arbitrary commands and establish a foothold within a system, often launching built-in utilities for reconnaissance and privilege escalation.

This detection rule identifies downloaded .url shortcut files on Windows systems, often used in phishing campaigns, by monitoring their creation events and flagging those from non-local sources, enabling early threat detection.

Detection of GitHub repository archiving or unarchiving events, which could indicate malicious activity such as persistence, impact, or defense impairment.

The Windows Update Auto Update Client (wuauclt.exe) is being abused to load arbitrary DLLs, a defense evasion technique where malicious activity blends with legitimate Windows software by using specific process arguments and placing DLLs in writable paths.

This analytic identifies the use of Distributed Component Object Model (DCOM) to execute commands on a remote host, specifically when launched via ShellBrowserWindow or ShellWindows Application COM objects, indicating potential lateral movement by an attacker.

This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.

Detection of a user pausing audit log event streaming in GitHub Enterprise, potentially indicating an attempt to evade detection by disabling the audit trail.

Detects the creation or modification of Kubernetes Roles or ClusterRoles that grant high-risk permissions, such as wildcard access or RBAC escalation verbs, potentially leading to privilege escalation or unauthorized access within the cluster.

Attackers establish persistence by installing a malicious VBA template in Microsoft Outlook, triggering scripts upon application startup by modifying the VBAProject.OTM file, detected by monitoring for unauthorized file modifications.

Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.

Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.

This detection identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn child processes, potentially indicating code injection or exploitation.

Attackers attempt to disable Windows Event and Security Logs using logman, PowerShell, or auditpol to evade detection and cover their tracks.