Briefs

This rule detects suspicious processes, such as copy utilities or scripting tools, accessing sensitive identity files on Linux systems, including Kubernetes tokens, cloud CLI configurations, and root SSH keys, indicating potential credential theft.

Attackers may execute malicious code from unusual file paths such as Windows fonts or debug directories to evade defenses and gain unauthorized access, as detected by endpoint detection and response (EDR) agents.

Detection of a process attempting to terminate the Lsass.exe process, indicating a potential attempt to perform credential dumping, privilege escalation, or evasion of security policies.

Adversaries may execute script interpreters such as cscript, wscript, mshta, or powershell from suspicious directories accessible via environment variables to evade detection and execute malicious scripts.

Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.

This rule identifies potentially suspicious processes, excluding those signed by Microsoft, making Server Message Block (SMB) network connections over port 445, which could indicate lateral movement attempts.

This rule detects SMTP traffic on TCP port 26, an alternative to the standard port 25 that the BadPatch malware family has used for command and control of Windows systems.

Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.

This rule detects the execution of privilege escalation helpers under the root effective user, when initiated by a non-root user with a suspicious parent process, indicating potential privilege escalation attempts.

The rule identifies the use of sc.exe to create, modify, or start services on remote hosts, potentially indicating lateral movement by adversaries.

This rule detects suspicious use of whoami.exe to display user, group, and privileges information for the user who is currently logged on to the local system, potentially indicating post-compromise discovery activity.

This analytic identifies the use of the WMIC command-line tool to uninstall applications non-interactively, a technique used to evade detection by removing security software, as observed in IcedID campaigns.

A command injection vulnerability (CVE-2026-7096) exists in the Tenda HG3 2.0 300003070 router, allowing remote attackers to execute arbitrary OS commands by manipulating the 'fmgpon_loid' argument in the 'formgponConf' function of the '/boaform/admin/formgponConf' file due to insufficient input validation.

A server-side template injection vulnerability exists in Thymeleaf versions up to 3.1.4.RELEASE due to improper neutralization of specific constructs, allowing the execution of potentially dangerous expressions in sandboxed contexts if unsanitized variables are passed to the template engine.

A remote OS command injection vulnerability exists in Totolink A8000RU version 7.1cu.643_b20200521 via manipulation of the 'proto' argument in the /cgi-bin/cstecgi.cgi CGI handler, potentially leading to complete system compromise.

Traccar GPS Tracking System 6.11.1 is vulnerable to Cross-Site WebSocket Hijacking (CSWSH), enabling attackers to steal sensitive GPS data by exploiting a lack of origin validation.

This threat brief details a UAC bypass technique leveraging the Internet Explorer Add-On Installer (ieinstal.exe) and Component Object Model (COM) to execute arbitrary code with elevated privileges.

Detection of non-Chrome processes accessing the Chrome 'Local State' file, potentially leading to extraction of the master key used for decrypting saved passwords.

An unauthorized actor created a new Conditional Access policy in Azure AD, potentially leading to privilege escalation and unauthorized access.

Detection of a failed attempt to invite an external guest user by an Azure user lacking the necessary permissions, potentially indicating privilege escalation or malicious insider activity.

This rule detects changes to uncommon registry persistence keys on Windows systems that are not commonly used or modified by legitimate programs, which could indicate an adversary's attempt to persist in a stealthy manner by modifying registry keys for persistence, ensuring malicious code executes on startup or during specific events.

This analytic detects unexpected shutdowns of the Linux auditd daemon, potentially indicating attempts to disable security monitoring and evade detection by attackers.

An attacker attempts to access unsecured Outlook credentials stored in the Windows registry, potentially leading to unauthorized access to email accounts and sensitive information.

Detection of assigned but unused privileged roles in Azure's Privileged Identity Management (PIM) service, indicating potential misconfiguration, license overuse, or dormant privileged access that could be exploited.

The detection rule identifies cmd.exe instances spawned by uncommon parent processes, such as lsass.exe, csrss.exe, or regsvr32.exe, which may indicate unauthorized or suspicious activity, thus aiding in early threat detection.

Detection of processes modifying the Windows services registry key directly, potentially indicating stealthy persistence attempts via abnormal service creation or modification.

An unusual process connecting to a container runtime Unix socket like Docker or Containerd can indicate an attacker attempting to bypass Kubernetes security measures for container manipulation.

This rule detects modifications to scheduled tasks by user accounts, excluding system activity and machine accounts, which adversaries can exploit for persistence by modifying them to execute malicious code.

Adversaries may leverage unusual system utilities such as Microsoft.Workflow.Compiler.exe, bginfo.exe, cdb.exe, cmstp.exe, csi.exe, dnx.exe, fsi.exe, ieexec.exe, iexpress.exe, odbcconf.exe, rcsi.exe and xwizard.exe to execute code and evade detection, as identified by network connections originating from these processes.

This rule identifies unusual Windows processes connecting to domains using known free SSL certificates such as Let's Encrypt, which adversaries may use to conceal command and control traffic.