Threat Feed

January 2024 (30)

medium advisory

RDP Enabled via Registry Modification

An adversary may enable Remote Desktop Protocol (RDP) access by modifying the `fDenyTSConnections` registry key, potentially indicating lateral movement preparation or defense evasion.

Microsoft Defender XDR +1 lateral-movement defense-evasion rdp registry-modification
medium advisory

Registry Persistence via AppCert DLL Modification

Detection of registry modifications related to AppCert DLLs, a persistence mechanism where malicious DLLs are loaded by every process using common API functions.

Elastic Defend +3 persistence privilege-escalation appcert-dll
medium advisory

Registry Persistence via AppInit DLL Modification

Modification of the AppInit DLLs registry keys on Windows systems allows attackers to execute code in every process that loads user32.dll, establishing persistence and potentially escalating privileges.

Microsoft Windows +6 persistence defense-evasion appinit-dlls registry windows
high threat

Regsvr32 Silent and Install Parameter DLL Loading

Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.

Splunk Enterprise +2 Remcos +1 lolbin dll-loading regsvr32
medium advisory

Remote File Copy to a Hidden Share

This rule detects remote file copy attempts to hidden network shares by identifying file copy operations run through command-line tools such as cmd.exe and powershell.exe that target hidden-share patterns; such activity may indicate lateral movement or data staging.

Elastic Defend +2 lateral-movement data-staging windows hidden-share
medium advisory

Remote File Download via Desktopimgdownldr Utility

The desktopimgdownldr utility can be abused to download remote files, potentially bypassing standard download restrictions and acting as an alternative to certutil for malware or tool deployment.

Microsoft Defender XDR +1 command-and-control file-download windows desktopimgdownldr
medium advisory

Remote Management Access Launch After MSI Install

Detects an MSI installer execution followed by the execution of commonly abused remote management software such as ScreenConnect, potentially indicating abuse in which an attacker triggers an MSI install and then connects via a guest link with a known session key.

Microsoft Defender XDR command and control rmm msi windows remote access
medium advisory

Remote Scheduled Task Creation via RPC

The creation of scheduled tasks from a remote source via RPC, where the RpcCallClientLocality and ClientProcessId are 0, indicates potential adversary lateral movement within a Windows environment.

Windows lateral-movement execution
medium advisory

Renamed Utility Executed with Short Program Name

This rule detects the execution of renamed utilities whose process name is a single character and differs from the original filename, a technique commonly used by adversaries for staging, executing temporary utilities, or bypassing security detections.

Elastic Defend +1 defense-evasion masquerading windows
medium advisory

RMM Domain DNS Queries from Non-Browser Processes

Detects DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains from non-browser processes, potentially indicating unauthorized remote access or command and control activity.

Elastic Defend +9 command-and-control rmm dns
critical advisory

Rucio SQL Injection Vulnerability in FilterEngine PostgreSQL Query Builder

A SQL injection vulnerability exists in Rucio's FilterEngine.create_postgres_query, affecting versions 1.30.0 to before 35.8.5, 36.0.0 to before 38.5.5, 39.0.0 to before 39.4.2, and 40.0.0 to before 40.1.1, allowing any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database via the DID search endpoint when the postgres_meta plugin is enabled, potentially leading to data modification, remote code execution, and credential theft.

rucio sql-injection cve-2026-29090
high advisory

rust-openssl Stack Buffer Overflow Vulnerability

The rust-openssl crate is vulnerable to a stack-based buffer overflow (CVE-2026-41681) where the `EVP_DigestFinal()` function writes beyond the allocated buffer, potentially corrupting the stack, affecting versions >= 0.10.39 and < 0.10.78.

openssl buffer overflow rust vulnerability
high advisory

rust-openssl X509Ref::ocsp_responders Undefined Behavior Vulnerability

The `X509Ref::ocsp_responders` function in rust-openssl versions 0.9.7 to 0.10.78 returns OCSP responder URLs from a certificate's AIA extension without proper UTF-8 validation, leading to undefined behavior when processing certificates with non-UTF-8 OCSP URLs.

openssl vulnerability rust certificate
critical advisory

S3-Proxy Authentication Bypass via Percent-Encoded Slashes

S3-Proxy is vulnerable to an authentication bypass due to inconsistent handling of percent-encoded slashes between the authentication middleware and bucket handler, allowing unauthorized access to protected resources.

s3-proxy authentication-bypass url-encoding
medium advisory

Scheduled Task Creation via Group Policy Object

Detects the creation of scheduled tasks within a Group Policy Object (GPO) by monitoring for the creation of the ScheduledTasks.xml file in the SYSVOL share, potentially indicating malicious persistence.

Splunk Enterprise +3 scheduled-task gpo persistence windows
medium advisory

Scheduled Task Creation via Scripting

Detection of scheduled task creation by Windows scripting engines like cscript.exe, wscript.exe, or powershell.exe, used by adversaries to establish persistence on compromised systems.

Elastic Defend +1 persistence scheduled-task windows
high threat

Scheduled Task Disablement via Schtasks.exe

Detection of the use of schtasks.exe to disable scheduled tasks, a common tactic used by adversaries like IcedID to disable security applications and evade detection, potentially leading to persistence and further system compromise.

Splunk Enterprise +2 IcedID persistence defense_evasion windows
medium advisory

Schtasks Run Task On Demand

Detection of on-demand execution of Windows Scheduled Tasks via the schtasks.exe command-line utility, a common technique for persistence and lateral movement.

Splunk Enterprise +2 schtasks scheduled-task persistence execution
critical advisory

Scramble Remote Code Execution via User-Controlled Input

Scramble versions 0.13.2 through 0.13.21 are vulnerable to remote code execution due to the evaluation of user-controlled input in validation rules during documentation generation, potentially allowing attackers to execute arbitrary PHP code.

scramble rce vulnerability php
medium advisory

SeDebugPrivilege Enabled by a Suspicious Process

The rule identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege, which can be used by adversaries to debug and modify other processes to escalate privileges and bypass access controls.

Windows privilege-escalation token-manipulation
high advisory

Server-Side Request Forgery in mcp-data-vis

A server-side request forgery (SSRF) vulnerability exists in AlejandroArciniegas' mcp-data-vis due to improper handling of HTTP requests, potentially allowing remote attackers to make arbitrary requests through the vulnerable server.

mcp-data-vis ssrf vulnerability
medium advisory

Service Startup Type Modification via WMIC

Adversaries use the Windows Management Instrumentation Command-line (WMIC) utility to modify the startup type of services, setting them to 'Manual' or 'Disabled' to impair defenses or disrupt system operations.

Windows attack.execution attack.t1047 attack.defense-evasion attack.t1562.001
high advisory

Signal K Server WebSocket Login Brute-Force Vulnerability

The Signal K server's WebSocket login endpoint lacks rate limiting, allowing attackers to bypass HTTP rate limiting by opening a WebSocket connection and attempting unlimited password guesses.

signalk-server credential-access brute-force websocket
medium advisory

Signed Proxy Execution via MS Work Folders

Attackers can abuse Windows Work Folders to execute a masqueraded control.exe file from untrusted locations, potentially bypassing application controls for defense evasion and privilege escalation.

Windows Work Folders +3 defense-evasion masquerading windows
medium advisory

SolarWinds Process Disabling Services via Registry Modification

A SolarWinds binary modifies a service's start type to Disabled via a registry change, potentially to disable or impair security services.

Microsoft Defender XDR +1 solarwinds defense-evasion registry-modification supply-chain
low advisory

Startup or Run Key Registry Modification

Attackers modify registry run keys or startup keys to achieve persistence by referencing a program that executes when a user logs in or the system boots.

Elastic Defend +6 persistence registry runkey
high advisory

Suspicious AppLocker XML Policy Import via PowerShell

Detection of PowerShell commands used to import AppLocker XML policies, potentially indicating an attempt to bypass security controls, as observed with Azorult malware.

Splunk Enterprise +2 applocker defense-evasion powershell
medium advisory

Suspicious AWS EC2 Key Pair Creation from Non-Cloud AS

An AWS EC2 CreateKeyPair event triggered by a new principal whose source network belongs to an autonomous system (AS) organization not associated with major cloud providers, indicating potential unauthorized access or persistence activity.

Amazon EC2 aws ec2 keypair persistence credential_access lateral_movement
medium advisory

Suspicious AWS STS GetSessionToken Usage

The AWS STS GetSessionToken API is misused by potentially compromised IAM users to create temporary tokens for lateral movement and privilege escalation within AWS environments.

AWS CloudTrail aws cloud lateral-movement privilege-escalation sts GetSessionToken
high advisory

Suspicious Azure PowerShell Module Installation via PowerShell Script

Detection, via PowerShell Script Block Logging, of the installation of Azure AD and cloud management modules, potentially indicating reconnaissance, privilege escalation, or persistence operations by adversaries.

Azure Active Directory +4 azure powershell module-installation privilege-escalation persistence