Briefs

The Windows Update Auto Update Client (wuauclt.exe) is being abused to load arbitrary DLLs, a defense evasion technique where malicious activity blends with legitimate Windows software by using specific process arguments and placing DLLs in writable paths.

Attackers attempt to disable Windows Event and Security Logs using logman, PowerShell, or auditpol to evade detection and cover their tracks.

This rule identifies remote execution via Windows PowerShell remoting, which allows a user to run any Windows PowerShell command on one or more remote computers, potentially indicating lateral movement.

The rule detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting, potentially leading to container escape and privilege escalation.

A machine learning job detected an RDP session initiated at an unusual time or day, potentially indicating lateral movement activity within a network.

Detection of stale accounts in Azure Privileged Identity Management (PIM) through the 'staleSignInAlertIncident' event, indicating potential compromised or unused privileged accounts.

Detection of multiple device token hashes and source IPs for a single Okta session, indicating potential session hijacking and unauthorized access to Okta resources.

An Azure firewall was created, modified, or deleted, potentially indicating malicious activity aimed at impairing network defenses.

Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.

An adversary with sufficient privileges in Azure Active Directory may attempt to retrieve BitLocker keys to decrypt drives for lateral movement or data exfiltration.

An attacker may attempt to add a user to a high-privilege Azure AD role, such as Global Administrator or Device Administrator, to establish persistence, gain initial access, escalate privileges, or operate stealthily within the compromised environment.

Detection of Azure Privileged Identity Management (PIM) elevation approvals or denials, which, if unexpected, may indicate unauthorized privilege escalation or malicious activity within an Azure environment.

Detection of adversaries disabling HTTP logging on IIS servers using AppCmd.exe, potentially evading detection by removing evidence of their actions.

Detection of Azure Privileged Identity Management (PIM) roles being activated without requiring multi-factor authentication, potentially leading to unauthorized privilege escalation and persistence.

Detection of manual disablement of IEEE 802.1X (dot1x) on a Cisco network device interface, potentially allowing unauthorized network access and lateral movement.

Detection of 'no logging message' command usage on Cisco ASA devices, potentially indicating an adversary suppressing security-critical log events to evade detection.

Detection of PowerShell commands to import AppLocker policy via Import-Module Applocker and Set-AppLockerPolicy, potentially used to enforce restrictive policies or disable security products like antivirus.

Detection of the 'wevtutil.exe' command-line utility being used to disable event logs, a common tactic employed by ransomware actors to evade detection and hinder forensic analysis on compromised Windows systems.

FUXA 1.2.8 and earlier is vulnerable to an authentication bypass vulnerability (CVE-2025-69985) that allows remote command execution by exploiting the /api/runscript endpoint with a crafted JavaScript payload.

The rule detects when a Kubernetes Role or ClusterRole is patched or updated to grant wildcard verbs and resources, effectively granting cluster-admin-like privileges, which is often a deliberate privilege expansion and could indicate malicious activity.

Analysis of Mac malware from 2016 including KeRanger ransomware, Keydnap backdoor and credential stealer, and the Eleanor PHP-based backdoor, highlighting their infection vectors and persistence mechanisms.

This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.

The analytic identifies instances where wmiprvse.exe spawns msbuild.exe, an unusual process relationship indicative of potential COM object misuse and unauthorized code execution on Windows systems.

Detection of suspicious Windows processes using DNS queries to determine the external IP address, potentially indicating reconnaissance or preparation for command and control activity.

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.

This brief covers the detection of adversaries disabling Windows Defender services by modifying specific registry keys to set the 'Start' value to '0x00000004', indicating an attempt to evade detection and maintain persistence.

The rule detects creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations by non-system identities, allowing attackers to inject malicious sidecars, block security tooling, or exfiltrate pod specifications.

This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.

This rule identifies suspicious SAML activity in AWS, such as AssumeRoleWithSAML and UpdateSAMLProvider events, which could indicate an attacker gaining backdoor access, escalating privileges, or establishing persistence.

Attackers disable Windows Defender SpyNet reporting by modifying specific registry keys, preventing telemetry data from being sent and allowing malicious activities to go undetected.