Briefs

A crash was identified in Apple's Security framework due to an uninitialized pointer in the SecError function, leading to the dereference of an invalid memory address.

Detection of attrib.exe being used with the +h flag to hide files and directories on Windows systems, a technique used by attackers for defense evasion and persistence.

This rule detects the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object, which could indicate an attacker is creating shadow credentials to gain persistent and stealthy access.

The threat brief details the detection of NetExec (formerly CrackMapExec), a post-exploitation tool used for Active Directory penetration testing and network enumeration, often employed by threat actors for lateral movement and credential harvesting.

Threat actors may delete Azure AD Hybrid Health AD FS service instances after using them to spoof AD FS signing logs for defense evasion.

This detection identifies a statistically significant (10% or greater) increase in successful sign-ins to Azure Active Directory, potentially indicating credential compromise or account takeover attempts.

Detects the creation of a service principal in Azure, which could indicate potential attacker activity for lateral movement or persistence.

Detects unauthorized or malicious modifications to Privileged Identity Management (PIM) settings within Azure environments, potentially leading to privilege escalation, persistence, and stealthy access by attackers.

This brief outlines a method to detect malicious use of Python one-liners employing base64 decoding to execute obfuscated payloads, a common tactic for evading traditional security measures.

Detection of an excessive number of Global Administrator accounts assigned within an Azure tenant, indicating potential privilege escalation or compromised accounts.

Detection of changes to self-hosted runner configurations in GitHub environments can indicate potential impact, discovery, collection, persistence, privilege escalation, initial access, or stealth activities.

The use of `clip.exe` in conjunction with PowerShell and command-line obfuscation is used to evade detection.

The rule detects network connection attempts to the Kubernetes Kubelet API ports 10250 and 10255 on internal IP ranges from Linux hosts, indicating potential lateral movement within container and cluster environments.

An attacker may create new cron files in cron directories to establish persistence on a Linux system, potentially leading to privilege escalation and arbitrary code execution.

Detection of msiexec.exe spawning discovery commands indicating potential reconnaissance activity by attackers for system information gathering and lateral movement.

This rule detects command-line activity indicative of credential access across multiple cloud platforms (GCP, Azure, AWS, GitHub, DigitalOcean, Oracle, Kubernetes), looking for specific commands used to print or access tokens and credentials, flagging hosts where multiple cloud targets are accessed within a five-minute window, suggesting potential credential harvesting activity.

Nginx-UI version 2.3.4 and earlier is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated users to access internal services by manipulating cluster node configurations.

A Firefox zero-day exploit was used to target Mac users, resulting in the installation of the OSX.NetWire.A malware, which establishes persistence and communicates with a command and control server.

This rule detects network events indicative of RDP traffic originating from the internet, which poses a significant security risk due to its frequent exploitation as an initial access or backdoor vector.

Detection of unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.

Detection of PowerShell processes launched by cscript.exe or wscript.exe, indicative of potential malicious initial access or execution attempts.

Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.

This rule identifies script engines creating files or the creation of script files in the Windows Startup folder, a persistence technique used by adversaries to automatically execute scripts upon user login.

Attackers may attempt to disable system restore via registry modifications through the command line to prevent recovery after malicious activity.

Detection of processes loading Mozilla NSS/Mozglue libraries (mozglue.dll, nss3.dll) outside of known Mozilla applications, potentially indicating malware or unauthorized activity.

An attacker modifies the Windows registry to disable Windows Defender Controlled Folder Access, a defense evasion technique that weakens protections against unauthorized access and ransomware.

Adversaries may clear Windows event logs using `wevtutil.exe` to remove evidence of their activity and hinder forensic investigations.

Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.

An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.

Zebra and zcashd disagree on a consensus rule for V5+ transparent spends related to SIGHASH_SINGLE handling when the input index has no corresponding output, leading to a consensus split where Zebra accepts invalid blocks rejected by zcashd.