Briefs

This rule detects lateral movement in AWS environments originating from Kubernetes service accounts by identifying instances where credentials obtained for a service account are used for multiple distinct AWS control-plane actions, potentially indicating unauthorized access.

Detection of an AWS Simple Email Service (SES) identity deletion event, potentially indicating an adversary attempting to cover their tracks after malicious activity.

An adversary may convert a guest user account to a member account in Azure Active Directory to elevate privileges and gain persistent access to resources.

Detects when a user successfully resets their own password in Azure Active Directory, which may indicate malicious activity or account compromise.

An unauthenticated attacker can exhaust server memory by sending unbounded WebSocket continuation frames in Bandit-fronted applications, leading to a denial of service.

Adversaries abuse the Console Window Host (conhost.exe) with the `--headless` argument to proxy execution of malicious commands, evading detection by blending in with legitimate Windows software.

This analytic detects the usage of the Azure CLI to interact with user accounts, such as creating or deleting a user, potentially indicating malicious activity aimed at maintaining persistence and evading detection within an Entra ID environment.

Detection of a user being assigned the 'User Access Administrator' role, which grants the ability to manage all Azure Subscriptions, potentially leading to privilege escalation and unauthorized access.

This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.

This brief outlines the detection of the ConvertTo-AADIntBackdoor command execution via PowerShell Script Block Logging, a technique used to create a backdoor in federated Azure AD domains by modifying federation settings and allowing attackers to control the authentication process.

This analytic identifies suspicious programs such as script interpreters, rundll32, or MSBuild being executed shortly after user logon, indicating potential persistence mechanisms abusing the registry run keys.

This brief outlines a method for generically detecting ransomware on macOS by monitoring file I/O events and identifying the rapid creation of encrypted files by untrusted processes, as proposed by Objective-See.

The Lazarus group's macloader malware (OSX.AppleJeus.C) uses a launch daemon for persistence and executes downloaded payloads directly from memory, communicating with a C2 server to retrieve second-stage payloads, posing a significant threat due to its fileless execution and potential for repurposing.

A machine learning job has detected high bytes of data written to an external device, potentially indicating illicit data copying or transfer activities leading to data exfiltration over a physical medium such as USB.

CVE-2017-7149 is a vulnerability in macOS High Sierra (10.13) where the password for an encrypted APFS volume is stored as plain text in the password hint, potentially allowing a local attacker to gain unauthorized access.

A vulnerability in Microsoft Office for Mac allows malicious code to escape the application's sandbox and achieve persistence by abusing a faulty regex for temporary files.

This rule detects nsenter executions that target a PID with a namespace target flag, a common pattern used to attach to the host init namespace from a container or session and run with host context, potentially escalating privileges.

Attackers use proxy infrastructure to mask their origin when using stolen Okta credentials, and this rule correlates the first occurrence of an Okta user session started via a proxy with subsequent Okta security alerts for the same user.

This rule detects potential NTLM relay attacks against computer accounts by identifying coercion attempts followed by authentication events originating from a different host, indicating that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.

Detects remote access to the registry, potentially dumping credential data from the Security Account Manager (SAM) registry hive, indicating preparation for credential access and privilege elevation.

This rule detects PowerShell scripts that build commands from concatenated string literals within dynamic invocation constructs, a technique used by attackers to obscure execution intent, bypass keyword-based detections, and evade AMSI.

Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.

A SQL injection vulnerability exists in SourceCodester Hotel Management System 1.0 in the /index.php/reservation/check component due to improper sanitization of the room_type parameter, allowing a remote attacker to execute arbitrary SQL commands.

A machine learning job detected an unusual increase in special privilege usage events on Windows, such as privileged operations and service calls, potentially indicating unauthorized privileged access and privilege escalation attempts.

An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.

Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.

This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.

This rule detects attempts to execute content from remote WebDAV shares, where attackers may abuse WebDAV paths, public tunnels, or host@port UNC paths to execute tools or scripts, reducing local staging on the victim's file system.

This threat brief covers the detection of suspicious processes modifying sensitive files on Linux systems, potentially indicating malicious attempts to persist, escalate privileges, or disrupt system operations.

The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.