Briefs

This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.

This rule identifies process execution from suspicious default Windows directories, which adversaries may abuse to hide malware in trusted paths to evade defenses.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

This analytic detects suspicious modifications to system firewall rules to allow execution of applications from notable and potentially malicious file paths, indicating an attempt to bypass firewall restrictions for malicious code execution.

This detection identifies instances where a Windows Firewall rule is added by monitoring Event ID 4946 in the Windows Security Event Log, potentially indicating unauthorized changes or malicious activity such as attackers allowing traffic for backdoors or persistence mechanisms.

Detection of Windows Firewall rule deletion events (Event ID 4948) indicating potential attacker attempts to bypass security controls or malware disabling protections for persistence and command-and-control.

This detection identifies instances where a Windows Firewall rule has been modified, potentially indicating an attempt to weaken security policies and allow malicious traffic or prevent legitimate communications.

The Windows guest account, typically restricted, can be enabled via `net.exe` for malicious activities like malware installation or data theft, potentially indicating persistence, defense evasion, privilege escalation or initial access.

Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.

The analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.

Detects the execution of known Potato-family privilege escalation tools on Windows systems, which are used to escalate privileges from restricted contexts to SYSTEM by exploiting Windows token impersonation and privilege abuse.

Adversaries may use PowerShell with specific commands to disable HTTP logging on Windows systems to evade detection and hinder forensic investigations.

Attackers may delete a scheduled task's Security Descriptor (SD) from the registry to remove evidence of the task for defense evasion.

Attackers modify the Windows registry to disable Task Manager, preventing users from terminating malicious processes and allowing persistence.

This detection identifies potential RDP brute force attacks by monitoring network traffic for RDP application activity by detecting source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window.

The modification of root certificates on Windows systems by unauthorized processes can allow attackers to masquerade malicious files as valid signed components and intercept/decrypt SSL traffic, leading to defense evasion and data collection.

Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.

The rule identifies the use of Windows script interpreters (cscript.exe or wscript.exe) executing a process via Windows Management Instrumentation (WMI), which may indicate malicious activity, especially when initiated by non-system accounts.

Detection of a Windows service being disabled via Event ID 7040, a common tactic used by adversaries to evade defenses and maintain control over compromised systems.

Attackers disable Windows SmartScreen protection by modifying specific registry keys to evade detection and facilitate malware deployment.

Attackers use PowerShell to query the Windows registry's Uninstall key to discover installed software and identify potential vulnerabilities for exploitation.

Adversaries may enable and use Windows Subsystem for Linux (WSL) using the Microsoft Dism utility to evade detection on Windows systems by running Linux applications and tools.

Attackers disable Windows System Restore by modifying specific registry keys to hinder recovery efforts after malicious activity.

Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.

The WindShift APT group is targeting Middle Eastern governments with a first-stage macOS implant called OSX.WindTail, abusing custom URL schemes for initial infection and establishing persistence via login items, while decrypting embedded strings to identify file extensions of interest.

This brief documents the detection of the WinPEAS PowerShell script execution on Windows systems, a tool commonly used for identifying privilege escalation paths by identifying specific function names used within the script.

Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host indicating potential adversary lateral movement.

Highland Software's Custom Role Manager plugin for WordPress, versions 1.0.0 and earlier, contains a privilege escalation vulnerability (CVE-2026-7106) that allows authenticated users with subscriber-level access to modify user roles due to insufficient authorization checks in the hscrm_save_user_roles() function.

Xerte Online Toolkits 3.15 and earlier are vulnerable to relative path traversal, allowing attackers to move files and potentially achieve remote code execution.

The xmldom package is vulnerable to XML injection. The package serializes DocumentType node fields (internalSubset, publicId, systemId) verbatim without any escaping or validation. When these fields are set programmatically to attacker-controlled strings, XMLSerializer.serializeToString can produce output where the DOCTYPE declaration is terminated early and arbitrary markup appears outside it. To address this applications that pass untrusted data to createDocumentType() or write untrusted values directly to a DocumentType node's publicId, systemId, or internalSubset properties should audit all serializeToString() call sites and add the option.