Product
Unusual Child Process Execution from Linux Web Servers
2 rules, 4 TTPs
This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.
Suspicious Command Execution via Web Server on Linux
2 rules, 3 TTPs
Identifies suspicious command executions via a web server on Linux systems, which may suggest a vulnerability and remote shell access.
Keycloak OIDC Implicit Flow Bypass Vulnerability (CVE-2026-7571)
2 rules, 1 TTP, 1 CVE
CVE-2026-7571 describes a vulnerability in Keycloak where a low-privilege user can bypass security controls intended to disable the implicit flow in OpenID Connect (OIDC) clients by manipulating client data during session restart, potentially exposing access tokens.
CVE-2026-7507: Keycloak Session Fixation Vulnerability in Login Actions Endpoints
2 rules, 1 TTP, 1 CVE
A session fixation vulnerability in Keycloak's /login-actions/restart endpoint allows an unauthenticated attacker to hijack a user's session by crafting a malicious link that resets the authentication flow, potentially leading to account takeover.
Keycloak Open Redirect Vulnerability (CVE-2026-7504)
2 rules, 1 TTP, 1 CVE
A vulnerability in Keycloak's URL validation allows attackers to redirect users to unauthorized URLs by exploiting discrepancies in the handling of the user-info component within URLs, potentially leading to sensitive information exposure.
Keycloak Security Bypass Vulnerability
2 rules, 1 TTP
An authenticated remote attacker can exploit a vulnerability in Keycloak to bypass security measures.
Keycloak Vulnerability Allows Arbitrary Email Sending
2 rules, 1 TTP
An anonymous, remote attacker can exploit a vulnerability in Keycloak to send arbitrary emails, potentially leading to phishing or social engineering attacks.