Windows

The Iranian APT group Screening Serpens targeted the tech and defense sectors in the U.S., Israel, and the UAE between February and April 2026, deploying six new RAT variants from the MiniUpdate and MiniJunk V2 malware families, using tailored social engineering lures and AppDomainManager hijacking.

CVE-2008-4250 is a buffer overflow vulnerability in the Microsoft Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request during path canonicalization.

Detection of handle requests to the LSASS process with specific access masks commonly used by tools to dump memory, indicating potential credential access attempts.

Multiple vulnerabilities exist in Microsoft Windows products, enabling attackers to execute arbitrary code, escalate privileges, perform denial-of-service attacks, disclose information, or bypass security measures.

Multiple vulnerabilities in Microsoft developer tools and platforms could allow an attacker to achieve arbitrary code execution, data manipulation, privilege escalation, bypassing security measures, information disclosure, and denial of service.

Adversaries may escalate privileges by abusing named pipe impersonation, a technique often used with tools like Metasploit's meterpreter getsystem command, where a process writes to a named pipe to facilitate a SYSTEM-token handoff.

Detects modifications to Group Policy Object Attributes that grant privileges to user accounts or add users as local administrators, indicating potential privilege escalation attempts.

Adversaries may modify or replace Windows accessibility binaries (e.g., sethc.exe, utilman.exe) to execute malicious commands or establish persistence mechanisms before a user logs in, potentially leading to elevated privileges and unauthorized access.

This rule detects potential SharpRDP behavior, a tool used for authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for lateral movement by identifying incoming RDP connections followed by RunMRU registry value modifications and subsequent process execution.

Detection of Distributed Component Object Model (DCOM) abuse to execute commands remotely via the MMC20 Application COM object, potentially indicating lateral movement.

Detection of Distributed Component Object Model (DCOM) abuse to execute commands from a remote host via the HTA Application COM Object, potentially indicating lateral movement.

This rule detects suspicious Kerberos authentication ticket requests by correlating network connections to the standard Kerberos port (88) from a source machine with a Kerberos authentication ticket request from the target domain controller, which could indicate lateral movement or credential access attempts within a Windows domain.

Detects the use of PowerShell to delete volume shadow copies, a tactic commonly employed by ransomware and other destructive attacks to hinder data recovery efforts.

GhostLock is a proof-of-concept tool that abuses the Windows CreateFileW API to block access to files on local and SMB network shares, causing a denial-of-service condition.

A critical unauthenticated remote code execution vulnerability (CVE-2026-22679) in Weaver E-cology office automation software is being actively exploited to execute system commands and reconnaissance activities on affected servers.

The APT37 group (ScarCruft) is distributing an Android version of the BirdCall backdoor via a supply-chain attack targeting a Chinese video game platform, sqgame[.]net, to collect sensitive information from users.

This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.

A vulnerability in Windows RPC architecture allows an attacker to create a fake RPC server and escalate their privileges to SYSTEM level, leveraging processes with impersonation privileges.

Trigona ransomware is using a custom data exfiltration tool named 'uploader_client.exe' to steal data from compromised environments, enhancing speed and evasion.

Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.

Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.

Adversaries use WMIC.exe to enumerate running services on remote devices, potentially identifying valuable targets or misconfigured systems.

The use of scripting engines like WScript and CScript to modify the Windows registry can indicate an attempt to bypass standard tools and evade defenses, potentially for persistence or other malicious activities.

Detection of multiple consecutive logon failures from the same source address within a short time interval on Windows systems, indicating potential brute force or password spraying attacks targeting multiple user accounts.

Adversaries modify Windows Registry Classes keys to establish persistence by executing malicious code when specific file types are opened or actions are performed, potentially leading to privilege escalation and persistent access.

This brief details the use of obfuscated IP addresses within download commands, often employed to evade detection by hiding the true destination of malicious downloads.

Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.

Attackers bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in to execute code with elevated permissions, potentially leading to system compromise.

Detection of svchost.exe executing with uncommon command-line parameters, excluding known legitimate patterns, which may indicate file masquerading, process injection, or process hollowing.

The Invoke-NinjaCopy PowerShell script is used by attackers to directly access volume files, such as NTDS.dit or registry hives, for credential dumping.

Adversaries may attempt to disable Windows EventLog autologger sessions via registry modification to evade detection and prevent security monitoring of early boot activities and system events.

An attacker abuses the Secondary Logon service (seclogon.dll) to gain unauthorized access to the LSASS process, potentially leaking credentials.

This rule identifies potential timestomping behavior on Windows systems where the creation time of executable files in sensitive system directories is modified, potentially to blend malicious executables with legitimate system files and evade detection.

Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.

This analytic detects instances where a process loads a file from a remote share path, potentially indicating execution, defense evasion, or lateral movement by attackers loading code from attacker-controlled infrastructure.

Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.

This analytic identifies the use of Distributed Component Object Model (DCOM) to execute commands on a remote host, specifically when launched via ShellBrowserWindow or ShellWindows Application COM objects, indicating potential lateral movement by an attacker.

This analytic detects modifications to the Windows registry, specifically targeting the 'DisableRegistryTools' key, which is a common tactic used by malware for persistence and defense evasion by preventing the removal of malicious entries.

This rule identifies execution of suspicious programs via scheduled tasks by looking at process lineage and command line usage, detecting processes such as cscript.exe, powershell.exe, and cmd.exe when executed from suspicious paths like C:\Users\ and C:\ProgramData\.

Detection of suspicious LSASS handle access via DuplicateHandle from an unknown call trace module, indicating a potential attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.

This brief outlines detection strategies for adversaries leveraging Invoke-Obfuscation techniques within PowerShell scripts executed via standard input, a method commonly used to evade traditional detection mechanisms.

Adversaries disable crucial scheduled tasks, such as those related to BitLocker, Windows Defender, System Restore and Windows Update, using schtasks.exe to disrupt services and potentially facilitate data destruction or ransomware deployment.

Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.

Attackers modify the Windows registry to disable the Folder Options feature, preventing users from showing hidden files and file extensions, commonly used by malware to conceal malicious files and deceive users with fake file extensions.

Attackers may disable AutoLogger sessions by modifying specific registry values to evade detection and prevent security monitoring of early boot activities and system events, a technique observed in intrusions involving IcedID and XingLocker ransomware.

Detection of network connections initiated by unusual Windows system binaries, often leveraged by adversaries to proxy execution of malicious code and evade detection, indicating potential defense evasion and command and control activity.

This rule detects attempts to execute content from remote WebDAV shares, where attackers may abuse WebDAV paths, public tunnels, or host@port UNC paths to execute tools or scripts, reducing local staging on the victim's file system.

Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.

Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.

The use of `clip.exe` in conjunction with PowerShell and command-line obfuscation is used to evade detection.

The rule identifies unusual instances of dllhost.exe making outbound network connections to non-local IPs, which may indicate adversarial Command and Control activity and defense evasion.

Attackers may use mounted devices as a non-standard working directory to execute signed binaries or script interpreters, evading traditional defense mechanisms, particularly when launched via explorer.exe.

Attackers abuse certutil.exe, a native Windows utility, to download/deobfuscate malware for command and control or data exfiltration, evading defenses.

This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.

Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.

Attackers disable Windows System Restore by modifying specific registry keys to hinder recovery efforts after malicious activity.

Attackers disable Windows SmartScreen protection by modifying specific registry keys to evade detection and facilitate malware deployment.

Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.

Attackers modify the Windows registry to disable Task Manager, preventing users from terminating malicious processes and allowing persistence.

This detection identifies instances where a Windows Firewall rule has been modified, potentially indicating an attempt to weaken security policies and allow malicious traffic or prevent legitimate communications.

Detection of Windows Firewall rule deletion events (Event ID 4948) indicating potential attacker attempts to bypass security controls or malware disabling protections for persistence and command-and-control.

An attacker disables Windows AutoLogger sessions by modifying specific registry values to evade defenses and blind EDR and log ingest tools.

Adversaries may clear the global object access auditing policy using `auditpol.exe` with the `/resourceSACL` flag and either `/clear` or `/remove` arguments to evade detection by removing audit configurations.

Adversaries may disable Windows audit policies using the legacy auditpol.exe utility to evade detection by limiting the data available for security monitoring and incident response.

The execution of `auditpol.exe` with the `/clear` or `/remove` command-line arguments indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits, potentially leading to full machine compromise or lateral movement.

This rule detects modifications to scheduled tasks by user accounts, excluding system activity and machine accounts, which adversaries can exploit for persistence by modifying them to execute malicious code.

This rule detects changes to uncommon registry persistence keys on Windows systems that are not commonly used or modified by legitimate programs, which could indicate an adversary's attempt to persist in a stealthy manner by modifying registry keys for persistence, ensuring malicious code executes on startup or during specific events.

Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.

Adversaries may execute script interpreters such as cscript, wscript, mshta, or powershell from suspicious directories accessible via environment variables to evade detection and execute malicious scripts.

The native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection may indicate an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.

This threat involves the suspicious copying of files from or to Windows system directories (System32, SysWOW64, WinSxS) using command-line tools, often employed by attackers to relocate LOLBINs for defense evasion.

Adversaries use the Windows Management Instrumentation Command-line (WMIC) utility to modify the startup type of services, setting them to 'Manual' or 'Disabled' to impair defenses or disrupt system operations.

The rule identifies a process running with a non-SYSTEM account that enables the SeDebugPrivilege privilege, which can be used by adversaries to debug and modify other processes to escalate privileges and bypass access controls.

Detects the creation of scheduled tasks within a Group Policy Object (GPO) by monitoring for the creation of the ScheduledTasks.xml file in the SYSVOL share, potentially indicating malicious persistence.

The creation of scheduled tasks from a remote source via RPC, where the RpcCallClientLocality and ClientProcessId are 0, indicates potential adversary lateral movement within a Windows environment.

This rule identifies the creation of a process impersonating the token of another user logon session on Windows, potentially indicating privilege escalation.

Attackers are abusing the legitimate Windows Print.exe utility to copy sensitive files like NTDS.DIT and SAM in order to extract credentials, enabling local or remote credential access.

Adversaries employ token obfuscation techniques within PowerShell commands to evade detection by security tools, leveraging methods such as character insertion, string concatenation, and environment variable manipulation to mask their malicious intent.

Attackers use Invoke-Obfuscation, a PowerShell obfuscation framework, to generate obfuscated IEX (Invoke-Expression) commands, evading detection and executing malicious code.

An unusual process is enumerating built-in Windows privileged local groups membership, such as Administrators or Remote Desktop users, potentially revealing targets for credential compromise and post-exploitation activities.

Detection of netsh.exe execution by unusual processes indicative of potential malicious activity, including persistence and network configuration changes by threat actors.

The use of command-line tools like ping.exe or arp.exe with obfuscated IP addresses (hex, octal, etc.) in the command line can indicate reconnaissance activity or attempts to evade security controls by masking the true destination.

Adversaries delete or disable critical scheduled tasks, such as those related to system restore, Windows Defender, BitLocker, Windows Backup, or Windows Update, to disrupt operations and potentially conduct data destructive activities.

Adversaries delete critical scheduled tasks, such as those related to BitLocker, ExploitGuard, System Restore, Windows Defender, and Windows Update, to disrupt security measures and enable data destruction.

Attackers disable the Antimalware Scan Interface (AMSI) by modifying the Windows registry value 'AmsiEnable' to '0x00000000' to evade detection, commonly employed by ransomware, RATs, and APTs.

Detects the execution of .NET utilities by script processes from unusual locations, indicative of signed binary proxy execution for defense evasion and code execution.

This rule detects PowerShell loading the Task Scheduler COM DLL followed by an outbound RPC network connection, potentially indicating lateral movement or remote discovery via scheduled tasks.

Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider by modifying registry keys associated with the W32Time service.

Attackers abuse the Application Shim functionality in Windows by using `sdbinst.exe` with malicious arguments to achieve persistence and execute arbitrary code within legitimate Windows processes.

Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.

This analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems, where adversaries often use these paths to evade detection and maintain persistence, potentially leading to unauthorized code execution, privilege escalation, or persistence within the environment.

This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.

The rule detects attempts to reset potentially privileged account passwords remotely, a tactic used by adversaries to maintain access, evade password policies, and preserve compromised credentials.

The Csc.exe (C# compiler) process is being launched by unusual parent processes or from suspicious locations, indicating potential malware execution or defense evasion.

This brief covers a detection for suspicious script execution, such as PowerShell, WScript, or MSHTA, originating from common temporary directories, potentially indicating malware activity.

Adversaries may use ping to delay execution of malicious commands, scripts, or binaries to evade detection, often observed during malware installation.

The WScript or CScript Dropper technique involves using cscript.exe or wscript.exe to write malicious script files (js, jse, vba, vbe, vbs, wsf, wsh) to suspicious locations on a Windows system for later execution.

Detection of rapid creation and deletion of scheduled tasks on Windows, indicating potential malicious activity abusing the task scheduler for execution and cleanup.

Adversaries may create scheduled tasks on Windows systems to establish persistence, move laterally, or escalate privileges, and this detection identifies such activity by monitoring Windows event logs for scheduled task creation events, excluding known benign tasks and those created by system accounts.

Detection of remote registry access by an account with SeBackupPrivilege, potentially indicating credential exfiltration attempts via SAM registry hive dumping.

Mshta.exe spawning a suspicious child process, such as cmd.exe or powershell.exe, indicates potential adversarial activity leveraging Mshta to execute malicious scripts and evade detection on Windows systems.

Attackers may attempt to masquerade as the Service Host process `svchost.exe` by executing from non-standard paths to evade detection and blend in with normal system activity.

Detection of renamed COMSVCS.DLL being loaded by rundll32.exe, potentially used to dump LSASS memory for credential access while evading command-line detection.

The detection rule identifies a potential credential access attempt via the trusted developer utility MSBuild by detecting instances where it loads DLLs associated with Windows credential management, specifically vaultcli.dll or SAMLib.DLL, which is often used for credential dumping.

Adversaries may abuse the msiexec.exe utility to proxy the execution of malicious DLL payloads, bypassing application control and other defenses.

The rule detects attempts to modify the WDigest security provider in the registry to force the user's password to be stored in clear text in memory, which could lead to credential dumping.

This rule detects handle requests for LSASS object access with specific access masks (0x1fffff, 0x1010, 0x120089, 0x1F3FFF) indicative of memory dumping, commonly employed by tools like SharpDump, Procdump, Mimikatz, and Comsvcs to extract credentials from the LSASS process on Windows systems.

The rule identifies process creation with alternate credentials, which can be used for privilege escalation, by detecting successful logins via the Secondary Logon service (seclogon) from a local source IP address (::1), followed by process creation using the same TargetLogonId.

PowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.