Briefs

Adversaries may mount OneDrive shares as network drives using net.exe or net1.exe to stage, access, or exfiltrate data through cloud-hosted WebDAV paths, potentially bypassing traditional file share monitoring.

Unauthenticated attackers can exploit a PHP code injection vulnerability in OpenCATS versions prior to commit 3002a29 by injecting malicious PHP code into the installer's AJAX endpoint, leading to arbitrary code execution.

OpenClaw before 2026.3.31 allows attackers with control over workspace configuration to inject malicious plugins by overriding the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable through workspace .env files, compromising plugin trust verification.

OpenEMR version 7.0.1 is vulnerable to an authentication brute force attack where attackers can bypass rate limiting by sending repeated login attempts, leading to potential unauthorized access.

OpenMRS Core versions 2.7.8 and earlier, as well as versions 2.8.0 through 2.8.5, contain a path traversal vulnerability in the ModuleResourcesServlet, allowing an unauthenticated attacker to read arbitrary files from the server filesystem by manipulating the URL.

OpenMRS is vulnerable to a Stored Velocity SSTI to RCE via ConceptReferenceRange, where the `ConceptReferenceRangeUtility.evaluateCriteria()` method evaluates database-stored criteria strings as Apache Velocity templates without a sandbox, allowing unrestricted Java reflection through template expressions, leading to persistent remote code execution and privilege escalation when a user with the `Manage Concepts` privilege stores a malicious Velocity template expression in a concept's reference range criteria field.

This analytic detects outbound SMB connections from internal hosts to external servers, potentially indicating lateral movement and credential theft attempts.

The detection identifies the modification of the Windows Registry key 'PONT_STRING' under Outlook Options by a process other than Outlook.exe, potentially indicating malware activity such as NotDoor.

CVE-2023-27351 is an improper authentication vulnerability in PaperCut NG/MF that allows remote attackers to bypass authentication via the SecurityRequestFilter class, leading to potential ransomware deployment.

CVE-2026-5166 is a path traversal vulnerability affecting TUBITAK BILGEM Software Technologies Research Institute Pardus Software Center before version 1.0.3, allowing attackers to bypass directory restrictions.

A path traversal vulnerability exists in WilliamCloudQi matlab-mcp-server up to version ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca, allowing a remote attacker to manipulate the scriptPath argument in the generate_matlab_code/execute_matlab_code function to access arbitrary files.

The Patreon OAuth provider in go-pkgz/auth and go-pkgz/auth/v2 maps every authenticated Patreon account to the same local user ID, leading to cross-account access, privilege confusion, and subscription-state leakage.

The Visual Studio Tools for Office (VSTO) add-ins can be abused by attackers to establish persistence in Microsoft Office applications by modifying registry keys.

Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.

phpMyFAQ is vulnerable to an unauthenticated 2FA brute-force attack via the `/admin/check` endpoint, allowing attackers to bypass two-factor authentication and gain administrative access.

phpMyFAQ version 4.1.1 and earlier is vulnerable to an unauthenticated FAQ permission bypass, allowing attackers to enumerate solution IDs and discover restricted FAQ titles due to missing permission filters in key functions.

A vulnerability in PhpSpreadsheet exists where a crafted XLSX file containing a large row number can cause excessive CPU consumption due to unbounded loop iterations, leading to a denial of service.

Attackers are increasingly abusing Cloudflare tunnels, created via the cloudflared client, for establishing stealthy command and control channels and evading network defenses by proxying traffic through Cloudflare's infrastructure.

This brief detects network connection events associated with the Cloudflared tool, used to create tunnels via Cloudflare, potentially for unauthorized access or exfiltration, by establishing outbound connections to Cloudflare Edge Servers.

The rule identifies potential attempts to execute a reverse shell using the netcat utility to execute Windows commands via Cmd.exe or Powershell.

This rule detects the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access by identifying specific command-line arguments and process names associated with credential dumping activities.

Detection of potential direct Kubelet access via process arguments in Linux containers, which could lead to enumeration, execution, or lateral movement within the Kubernetes cluster.

Detection of multiple nslookup.exe executions with explicit query types from a single host, potentially indicating command and control activity via DNS tunneling, where attackers abuse DNS for data infiltration or exfiltration.

Detects potential Kerberos relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host, indicating an attacker has captured and relayed Kerberos authentication material to execute code on behalf of the compromised system.

The rule identifies the creation or change of a Windows executable file over network shares, indicating potential lateral tool transfer via SMB, which adversaries may use to move tools between systems in a compromised environment.

Adversaries can abuse the Local Security Authority (LSA) authentication packages by modifying the Windows registry to achieve privilege escalation or persistence by executing binaries with SYSTEM privileges.

The rule identifies potential relay attacks against a machine account by detecting network share access events originating from a remote source IP but utilizing the target server's computer account, which may indicate an SMB relay attack.

Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird.

Adversaries may abuse Windows mandatory profiles by dropping a malicious NTUSER.MAN file containing pre-populated persistence-related registry keys to establish persistence, which can evade traditional registry-based monitoring.

This rule detects registry modifications indicative of privilege escalation and persistence attempts by adversaries abusing port monitors and print processors to execute malicious DLLs with SYSTEM privileges on Windows systems.