Briefs

The use of S3 Browser to create IAM users or access keys in AWS environments indicates a potential privilege escalation, persistence, or initial access attempt by threat actors leveraging a known cloud administration tool.

An adversary modifies the AWS Identity Center identity provider configuration, potentially leading to persistent access and privilege escalation through user impersonation.

Attackers can impair defenses by modifying or deleting findings and insights within AWS SecurityHub using API calls such as BatchUpdateFindings, DeleteInsight, UpdateFindings, and UpdateInsight.

Detection of a service principal removal in Azure, potentially indicating malicious activity or an attempt to remove evidence of a compromise.

Detects execution of container runtime CLI tools (ctr, crictl, nerdctl) with arguments indicating container creation, command execution inside existing containers, image manipulation, or host filesystem mounting, potentially leading to privileged container creation and unauthorized access to sensitive data.

This brief focuses on detecting Remote Procedure Call (RPC) traffic originating from internal networks and reaching the public internet, which is indicative of potential initial access or backdoor activity.

This rule detects Kubernetes pod exec API calls using curl or wget to fetch HTTPS URLs, potentially indicating malicious activity such as staging tools or exfiltrating data.

This rule identifies potentially unsecured Elasticsearch nodes that lack TLS and/or authentication and are accepting inbound network connections, which could allow adversaries to gain initial access, exfiltrate data, or disrupt services.

A PowerShell command attempting to remove the Windows Defender directory is detected via PowerShell Script Block Logging, potentially indicating an attacker's attempt to disable endpoint protection for further malicious activities.

Attackers may disable Event Tracing for Windows (ETW) for the .NET Framework by modifying the ETWEnabled registry value, allowing them to evade endpoint detection and response (EDR) tools and hide malicious activity.

Adversaries may perform reconnaissance in a Kubernetes environment by rapidly querying multiple resource types to map the environment and identify potential privilege escalation paths.

Detection of command execution via proxy using the Windows OpenSSH client (ssh.exe or sftp.exe) to bypass application control using trusted Windows binaries.

Detection of non-browser processes accessing browser user data folders, a tactic used by malware such as Snake Keylogger to steal credentials and sensitive information.

The analytic detects the use of `dism.exe` to remove Windows Defender, potentially allowing adversaries to evade detection and carry out further malicious actions.

Detection of Azure application URI modifications that can be indicative of malicious activity, such as using dangling URIs, non-HTTPS URIs, wildcard domains, or URIs pointing to uncontrolled domains, potentially leading to initial access, stealth, persistence, credential access, and privilege escalation.

The Microsoft Build Engine (MSBuild) is being abused to perform process injection by creating threads in other processes, a technique used to evade detection and potentially escalate privileges.

Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.

This rule detects potential RemoteMonologue attacks by identifying attempts to perform session hijacking via COM object registry modification, specifically when the RunAs value is set to Interactive User.

The rule identifies the execution of a file created by the virtual system process, potentially indicating lateral movement via network file shares, by detecting a sequence of file creation/modification followed by process execution, excluding trusted vendors.

This rule identifies the execution of a file that was created by the virtual system process, potentially indicating lateral movement via network file shares in Windows environments.

Attackers abuse certutil.exe, a native Windows utility, to download/deobfuscate malware for command and control or data exfiltration, evading defenses.

Attackers may use mounted devices as a non-standard working directory to execute signed binaries or script interpreters, evading traditional defense mechanisms, particularly when launched via explorer.exe.

This rule detects suspicious execution of Microsoft Office applications launching Office Add-Ins from unusual paths or with atypical parent processes, potentially indicating an attempt to gain initial access via a malicious phishing campaign.

Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.

This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.

Adversaries may establish persistence by writing malicious files to the Windows Startup folder, allowing them to automatically execute upon user logon; this detection identifies suspicious processes creating files in these locations.

This detection identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped unsigned DLL, which indicates an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed process.

The rule identifies unusual instances of dllhost.exe making outbound network connections to non-local IPs, which may indicate adversarial Command and Control activity and defense evasion.

This rule identifies attempts to create new users on Windows systems using net.exe, a common tactic used by attackers to increase access or establish persistence.

Zoom's macOS client contains a local privilege escalation vulnerability that allows an unprivileged attacker to gain root privileges by subverting the runwithroot script, due to the insecure use of the deprecated AuthorizationExecuteWithPrivileges API.