Windows

An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.

A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.

Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.

This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.

Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.

Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.

Adversaries may exploit Windows Server Update Services (WSUS) to execute PsExec for lateral movement within a network by abusing the trusted update mechanism to run signed binaries.

Detection of a Windows DNS record creation event (5137) with an ObjectDN attribute containing 'DC=wpad', which indicates a potential WPAD spoofing attack to enable privilege escalation and lateral movement.

This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.

The rule detects the execution of the built-in Windows Installer, msiexec.exe, to install a remote package potentially abused by adversaries for initial access and defense evasion.

This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.

This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.

This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.

Detection of potential NTLM relay attacks targeting computer accounts by identifying authentication events originating from hosts other than the account's owner, indicating possible credential theft and misuse.

The rule identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP, potentially indicating account takeover or use of stolen credentials from a new location.

Adversaries may use the `dsquery.exe` command-line utility to enumerate trust relationships for lateral movement in Windows multi-domain environments.

The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.

Attackers may attempt to disable or modify code signing policies on Windows systems by using built-in tools like bcdedit.exe in order to execute unsigned or self-signed malicious code.

A privilege escalation vulnerability exists in Norton Secure VPN during installation via the Microsoft Store (CVE-2025-58074), allowing a low-privilege user to replace files leading to arbitrary file deletion and potential elevation of privileges.

Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.

A local attacker can exploit an unpatched vulnerability in Microsoft Windows RPC to escalate privileges.

Alloksoft Video Joiner 4.6.1217 is vulnerable to a local buffer overflow (CVE-2018-25315) allowing attackers to execute arbitrary code via a crafted license name.

A vulnerability in Windows RPC architecture allows an attacker to create a fake RPC server and escalate their privileges to SYSTEM level, leveraging processes with impersonation privileges.

CVE-2026-32223 is an elevation of privilege vulnerability affecting the Windows USB Printing Stack (usbprint.sys), potentially allowing a local attacker to gain elevated privileges on a vulnerable system.

Multiple vulnerabilities in Microsoft Visual Studio, .NET Framework, .NET, PowerShell, and Visual Studio Code can be exploited by an attacker to disclose sensitive information, conduct spoofing attacks, cause a denial of service, or bypass security measures, potentially leading to arbitrary code execution.

This rule identifies attempts to open a remote desktop file from suspicious paths, indicative of adversaries abusing RDP files for initial access via phishing.

A remote attacker who has compromised the renderer process in Google Chrome on Windows prior to version 147.0.7727.101 can potentially perform a sandbox escape via a crafted HTML page due to an uninitialized use in accessibility, as tracked by CVE-2026-6311.

Digitally signed adware from Dragon Boss Solutions LLC deploys payloads with SYSTEM privileges to disable antivirus protections on thousands of endpoints across education, utilities, government, and healthcare sectors.

Microsoft's April 2026 Patch Tuesday addresses 163 vulnerabilities, including 8 critical ones, ranging from Tampering to Remote Code Execution and Privilege Escalation, affecting various Microsoft products; it is recommended to apply patches immediately.

The WinMatrix agent by Simopro Technology suffers from a missing authentication vulnerability (CVE-2026-6348), enabling local authenticated attackers to execute arbitrary code with SYSTEM privileges on the local machine and all hosts within the agent's environment.

Barracuda RMM versions prior to 2025.2.2 are vulnerable to local privilege escalation, allowing attackers to gain SYSTEM privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory.

Git for Windows versions prior to 2.53.0.windows.3 are vulnerable to NTLM hash theft by attackers who can trick users into cloning malicious repositories or checking out malicious branches, leading to potential credential compromise.

CVE-2026-26177 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock, allowing a local attacker to elevate privileges.

CVE-2026-26173 is a race condition vulnerability in the Windows Ancillary Function Driver for WinSock that allows a local attacker to elevate privileges.

CVE-2026-33104 is a race condition vulnerability in Windows Win32K - GRFX that allows an authorized local attacker to elevate privileges by exploiting concurrent execution using a shared resource with improper synchronization.

CVE-2026-32080 is a use-after-free vulnerability in the Windows WalletService, allowing a locally authorized attacker to elevate privileges.

CVE-2026-27911 is a race condition vulnerability in the Windows User Interface Core that allows a local attacker to elevate privileges due to improper synchronization when accessing shared resources.

CVE-2026-33827 is a race condition vulnerability in Windows TCP/IP that allows an attacker to execute arbitrary code over the network by exploiting improper synchronization during concurrent execution using shared resources.

CVE-2026-32076 is an out-of-bounds read vulnerability in the Windows Storage Spaces Controller that allows an authorized local attacker to elevate privileges.

CVE-2026-32068 is a race condition vulnerability in the Windows SSDP Service that allows an authorized attacker to elevate privileges locally.

CVE-2026-26151 is a spoofing vulnerability in Windows Remote Desktop due to an insufficient UI warning for dangerous operations, allowing an unauthorized attacker to perform spoofing over a network.

CVE-2026-32160 describes a race condition vulnerability in Windows Push Notifications that allows a locally authorized attacker to elevate privileges.

CVE-2026-32158 is a race condition vulnerability in Windows Push Notifications that allows an authorized attacker to elevate privileges locally due to improper synchronization when using shared resources.

CVE-2026-26172 is a race condition vulnerability in Windows Push Notifications, allowing a locally authenticated attacker to elevate privileges.

CVE-2026-27927 is a race condition vulnerability in the Windows Projected File System that allows an authorized attacker to escalate privileges locally.

CVE-2026-27929 is a time-of-check time-of-use (TOCTOU) race condition in Windows LUAFV that allows an authorized local attacker to elevate privileges.

CVE-2026-27912 describes an improper authorization vulnerability in Windows Kerberos, enabling an attacker on an adjacent network with valid credentials to elevate privileges.

CVE-2026-32149 is a vulnerability in Windows Hyper-V due to improper input validation, which allows an authorized, local attacker to execute arbitrary code.

CVE-2026-27913 describes an improper input validation vulnerability in Windows BitLocker that allows a local attacker to bypass security features.

An improper input validation vulnerability (CVE-2026-26143) in Microsoft PowerShell allows an unauthorized local attacker to bypass security features.

CVE-2026-27914 is an improper access control vulnerability in Microsoft Management Console that allows a locally authorized attacker to elevate privileges.

A double free vulnerability in the Windows IKE Extension, tracked as CVE-2026-33824, allows an unauthenticated remote attacker to execute arbitrary code over the network.

CVE-2026-33101 is a use-after-free vulnerability in the Windows Print Spooler Components that allows an authenticated local attacker to elevate privileges.

A use-after-free vulnerability, CVE-2026-33099, in the Windows Ancillary Function Driver for WinSock, enables a locally authenticated attacker to elevate privileges on the system.

CVE-2026-33098 is a use-after-free vulnerability in the Windows Container Isolation FS Filter Driver that allows a locally authorized attacker to elevate privileges.

An unauthenticated, remote attacker can exploit an out-of-bounds read vulnerability (CVE-2026-33096) in Windows HTTP.sys to cause a denial-of-service condition.

CVE-2026-32195 is a stack-based buffer overflow vulnerability in the Windows Kernel that allows an authorized attacker to elevate privileges locally.

CVE-2026-32164 is a race condition vulnerability in Windows User Interface Core that allows a locally authorized attacker to elevate privileges.

CVE-2026-32155 is a use-after-free vulnerability in the Desktop Window Manager that allows an authorized attacker to escalate privileges locally on a Windows system.

CVE-2026-32153 is a use-after-free vulnerability in Microsoft Windows Speech that allows a locally authorized attacker to elevate privileges.

A use-after-free vulnerability, CVE-2026-32078, exists in the Windows Projected File System, allowing a locally authenticated attacker to escalate privileges.

CVE-2026-32071 is a null pointer dereference vulnerability in the Windows Local Security Authority Subsystem Service (LSASS), allowing an unauthorized network attacker to cause a denial-of-service condition.

CVE-2026-27926 is a race condition vulnerability in the Windows Cloud Files Mini Filter Driver that allows a local attacker to elevate privileges.

CVE-2026-27917 is a use-after-free vulnerability in the Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) that allows a locally authorized attacker to elevate privileges.

CVE-2026-27916 is a use-after-free vulnerability in Windows Universal Plug and Play (UPnP) Device Host that allows an authorized attacker to elevate privileges locally.

CVE-2026-27910 describes a local privilege escalation vulnerability in Windows Installer due to improper handling of insufficient permissions, allowing an authorized attacker to gain elevated privileges.

CVE-2026-27909 is a use-after-free vulnerability in the Microsoft Windows Search Component that allows a locally authorized attacker to escalate privileges.

A use-after-free vulnerability, CVE-2026-27908, exists in the Windows TDI Translation Driver (tdx.sys), allowing a locally authenticated attacker to elevate privileges.

CVE-2026-26182 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock, allowing a locally authorized attacker to elevate privileges.

CVE-2026-26181 is a use-after-free vulnerability in the Microsoft Brokering File System that enables a locally authenticated attacker to escalate privileges on the system.

CVE-2026-26179 is a double free vulnerability in the Windows Kernel, allowing a locally authenticated attacker to elevate privileges on the system.

CVE-2026-26163 is a double free vulnerability in the Windows Kernel, allowing an authorized attacker to elevate privileges locally with a CVSS v3.1 score of 7.8.

CVE-2026-26153 is an out-of-bounds read vulnerability in the Windows Encrypting File System (EFS) that allows an authorized local attacker to elevate privileges.

CVE-2026-26152 is an insecure storage of sensitive information vulnerability in Windows Cryptographic Services that allows a local, authorized attacker to elevate privileges.

CVE-2026-32183 is a command injection vulnerability in the Windows Snipping Tool that allows a local attacker to execute arbitrary code.

CVE-2026-32222 is an untrusted pointer dereference vulnerability in the Windows Win32K ICOMP component, allowing a local attacker to escalate privileges.

CVE-2026-32156 is a use-after-free vulnerability in the Windows Universal Plug and Play (UPnP) Device Host service that allows an unauthorized attacker to execute code locally.

CVE-2026-26183 allows a locally authenticated attacker to escalate privileges due to improper access control within the Windows RPC API.

CVE-2026-26174 is a race condition vulnerability in Windows Server Update Service that allows an authorized attacker to elevate privileges locally.

CVE-2026-33100 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock, allowing a locally authorized attacker to elevate privileges.

CVE-2026-32224 is a use-after-free vulnerability in the Windows Server Update Service that allows a locally authenticated attacker to elevate privileges.

CVE-2026-32219 is a double free vulnerability in the Microsoft Brokering File System, allowing an authorized attacker to escalate privileges locally on a vulnerable Windows system.

CVE-2026-32165 is a use-after-free vulnerability in Windows User Interface Core that allows a locally authenticated attacker to elevate privileges.

CVE-2026-32162 allows an unauthorized attacker to achieve local privilege escalation in Windows COM by exploiting the acceptance of extraneous untrusted data with trusted data.

CVE-2026-32159 is a race condition vulnerability in Windows Push Notifications, allowing a local attacker with low privileges to elevate privileges by exploiting concurrent execution using a shared resource with improper synchronization.

CVE-2026-32091 is a race condition vulnerability in the Microsoft Brokering File System, allowing an unauthenticated local attacker to escalate privileges.

CVE-2026-32087 is a heap-based buffer overflow vulnerability in the Function Discovery Service (fdwsd.dll) that allows an authorized local attacker to elevate privileges on a Windows system.

A use-after-free vulnerability, CVE-2026-32070, exists in the Windows Common Log File System (CLFS) driver, enabling a locally authenticated attacker to escalate privileges on a vulnerable system.

CVE-2026-27920 is a local privilege escalation vulnerability in the Windows Universal Plug and Play (UPnP) Device Host due to an untrusted pointer dereference.

CVE-2026-27918 is a race condition vulnerability in Windows Shell, allowing a local attacker to elevate privileges due to improper synchronization when accessing shared resources.

CVE-2026-26184 is a buffer over-read vulnerability in the Windows Projected File System (ProjFS) that allows a local attacker to elevate privileges.

CVE-2026-26178 is an integer size truncation vulnerability in the Windows Advanced Rasterization Platform (WARP) that allows an unauthorized attacker to elevate privileges locally.

CVE-2026-26176 is a heap-based buffer overflow vulnerability in the Windows Client Side Caching driver (csc.sys), which allows an authorized attacker to elevate privileges locally.

CVE-2026-26159 allows a local attacker to escalate privileges on Windows systems due to a missing authentication check in the Remote Desktop Licensing Service (RDLS).

Easy Video to iPod Converter 1.6.20 is vulnerable to a local buffer overflow in the user registration field, allowing a local attacker to overwrite the structured exception handler (SEH) by providing a crafted payload exceeding 996 bytes in the username field, potentially leading to arbitrary code execution with user privileges.

RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation, leading to arbitrary code execution.

Podman Desktop versions prior to 1.26.2 expose an unauthenticated HTTP server, allowing remote attackers to trigger denial-of-service conditions by exhausting resources and extract sensitive information through verbose error responses.

CVE-2025-14821 in libssh allows local man-in-the-middle attacks, SSH downgrade attacks, and trusted host manipulation due to insecure default configuration loading from a world-writable directory on Windows.

CVE-2025-65115 is a remote code execution vulnerability affecting multiple versions of JP1/IT Desktop Management and related products on Windows, potentially allowing attackers to execute arbitrary code on vulnerable systems.

Detects the execution of headless browsers from suspicious parent processes with arguments indicative of scripted retrieval, bypassing application control policies and restrictions on direct download tools.

River Past Video Cleaner 7.6.3 contains a structured exception handler buffer overflow vulnerability allowing local attackers to execute arbitrary code by providing a malicious string in the Lame_enc.dll field.

R i386 version 3.5.0 is susceptible to a local buffer overflow in the GUI Preferences dialog, allowing a local attacker to overwrite the structured exception handler (SEH) by supplying a malicious string to the 'Language for menus and messages' field, leading to arbitrary code execution.

AIRBUS PSS TETRA Connectivity Server version 7.0 on Windows Server is vulnerable to incorrect default permissions, allowing local privilege escalation to SYSTEM by placing a malicious file in a specific directory.

A use-after-free vulnerability exists in the `powerMonitor` module of Electron applications on Windows and macOS. When the native `PowerMonitor` object is garbage-collected, dangling references are retained by OS-level resources. Subsequent session-change events on Windows or system shutdowns on macOS may dereference freed memory, potentially leading to a crash or memory corruption.

The DeepLoad malware steals credentials, installs malicious browser extensions, spreads via USB drives, and is being distributed via ClickFix campaigns using PowerShell loaders.

Qilin ransomware employs a malicious msimg32.dll in a multi-stage infection chain to disable endpoint detection and response (EDR) solutions by evading detection and terminating EDR processes.

HCL BigFix Platform is vulnerable to insecure permissions on private cryptographic keys, where keys on a Windows host may have overly permissive file system permissions, potentially leading to unauthorized access and privilege escalation.

Lakeside SysTrack Agent 11 before 11.2.1.28 is vulnerable to a race condition that allows for local privilege escalation to SYSTEM, as tracked by CVE-2026-35099.

Multiple vulnerabilities in 7-Zip allow an attacker to execute arbitrary program code with the privileges of the service, potentially leading to system compromise.

A vulnerability exists in vcpkg versions prior to 3.6.1#3, where Windows builds of OpenSSL set openssldir to a path on the build machine, making that path vulnerable to attack on customer machines.

CVE-2026-3991 is an elevation of privilege vulnerability in Symantec Data Loss Prevention (DLP) Windows Endpoint that could allow a local attacker to gain elevated access to resources.

X-NetStat Pro 5.63 contains a local buffer overflow vulnerability (CVE-2019-25637) allowing local attackers to execute arbitrary code by overwriting the EIP register.

AIDA64 Business 5.99.4900 is vulnerable to a local Structured Exception Handling (SEH) buffer overflow (CVE-2019-25631) allowing attackers to execute arbitrary code by overwriting SEH pointers with malicious shellcode.

FlexHEX 2.71 is vulnerable to a local buffer overflow in the Stream Name field, allowing local attackers to execute arbitrary code via a structured exception handler (SEH) overflow.

A shellcode loader dubbed 'Lucky Pasta' employs JIT decryption, string obfuscation, dynamic library loading, fiber-based execution, and AES instruction patching to evade AV detection, retrieving shellcode via HTTP/HTTPS and executing it on Windows systems.

JetAudio jetCast Server 2.0 is vulnerable to a stack-based buffer overflow in the Log Directory configuration, enabling local attackers to overwrite structured exception handling pointers and execute arbitrary code.

Detection of DNS queries to known remote monitoring and management (RMM) domains originating from non-browser processes on Windows systems indicates potential abuse of legitimate software for command and control.

Lavavo CD Ripper 4.20 is vulnerable to a structured exception handling (SEH) buffer overflow, allowing local attackers to execute arbitrary code by supplying a malicious string in the License Activation Name field leading to arbitrary code execution and a bind shell.

Admin Express 1.2.5.485 is susceptible to a local structured exception handling buffer overflow vulnerability, enabling local attackers to execute arbitrary code via a crafted payload in the Folder Path field of the System Compare feature.

RegPwnBOF exploits a registry symlink race condition in the Windows Accessibility ATConfig mechanism, enabling a normal user to write arbitrary values to protected HKLM registry keys for persistence and privilege escalation.

A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.

A phishing technique, potentially still viable due to incomplete patching, allows attackers to obtain NetNTLM hashes from archive extraction on Windows systems (CVE-2025-59284).

This brief covers offensive techniques to bypass Credential Guard, a Windows security feature designed to protect credentials, and provides detection strategies for these bypass attempts.

The StealthyWMIExec.py script facilitates lateral movement via WMI, potentially evading standard detection mechanisms by employing stealthy techniques.

The GlassWorm campaign has been observed deploying a Wave 3 Windows payload, indicating ongoing malicious activity targeting Windows systems.

Malware is distributed via malicious advertisements on Google impersonating 'Claude Code', targeting both Windows and macOS operating systems with the goal of infecting users.

RegPwn is a now-fixed local privilege escalation vulnerability in Windows that allowed an attacker to gain elevated privileges.

The creation of ASPX files in web server directories, excluding legitimate processes, indicates potential web shell deployment for persistence on Windows systems.

Detection of a user being added to an Active Directory group by the SYSTEM account (S-1-5-18) can indicate an attacker with SYSTEM privileges attempting to pivot to a domain account.

Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products, detected by unusual process creation of WDAC policy files.

Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.

Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

The rule identifies the loading of unusual or unsigned DLLs by the DNS Server process, which can indicate exploitation of the ServerLevelPluginDll functionality, potentially leading to privilege escalation and remote code execution with SYSTEM privileges.

Attackers can leverage sqlcmd.exe or PowerShell commands like Invoke-Sqlcmd to access Veeam credentials stored in MSSQL databases, potentially targeting backups for destructive operations such as ransomware attacks.

Attackers with Backup Operator privileges may abuse wbadmin.exe to access the NTDS.dit file, enabling credential dumping and domain compromise.

Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.

Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

Detection of DNS record creation by non-system accounts within Active Directory Integrated DNS (ADIDNS), which attackers can abuse to perform Dynamic Spoofing attacks, potentially targeting services like WPAD for credential access.

Adversaries use parent process PID spoofing to evade detection by creating processes with mismatched parent-child relationships, hindering process monitoring and potentially elevating privileges on Windows systems.

Attackers can create wildcard records in Active Directory Integrated DNS (ADIDNS) to redirect traffic, enabling adversary-in-the-middle attacks for credential interception or relay.

The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.

Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.

Adversaries may abuse the Active Directory Web Service (ADWS) to enumerate network resources and user accounts, by loading AD-related modules followed by a network connection to the ADWS dedicated TCP port.

Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.

Adversaries may clear the command history of a compromised account to conceal the actions undertaken during an intrusion on a Windows system.

Adversaries may modify file or directory ownership to evade access control lists (ACLs) and access protected files, often using icacls.exe or takeown.exe to reset permissions on system files.

A machine learning model detected a parent process spawning a cluster of suspicious Windows processes with high malicious probability scores, potentially indicating LOLBins usage and defense evasion.

A Windows account, usually a service account, exhibiting a sudden shift in logon type patterns may indicate account compromise and lateral movement.

Attackers may abuse the Netsh Helper DLL functionality by adding malicious DLLs to execute payloads every time the netsh utility is executed via administrators or scheduled tasks, achieving persistence.

An expired or revoked driver being loaded on a Windows system may indicate an attempt to gain code execution in kernel mode or abuse revoked certificates for malicious purposes, potentially leading to privilege escalation or defense evasion.

Msxsl.exe, a legitimate Windows utility, is being abused by adversaries to make network connections to non-local IPs for command and control or data exfiltration, potentially bypassing security measures.

Adversaries may use vaultcmd.exe to list credentials stored in the Windows Credential Manager to gain unauthorized access to saved usernames and passwords, potentially in preparation for lateral movement.

This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.

Adversaries may masquerade malicious executables within directories mimicking the legitimate Windows Program Files directory to evade defenses and execute untrusted code.

Detection of multiple consecutive logon failures from the same source address within a short time interval on Windows systems, indicating potential brute force or password spraying attacks targeting multiple user accounts.

This rule detects attempts to install a file from a remote server using MsiExec, which adversaries may abuse to deliver malware, by identifying msiexec.exe processes running with arguments indicative of remote installations and executed from suspicious parent processes.

This rule detects potential exploitation of unquoted service path vulnerabilities, where adversaries may escalate privileges by placing a malicious executable in a higher-level directory within the path of an unquoted service executable.

Attackers are using Windows script interpreters (cscript.exe or wscript.exe) to download executable files from remote locations to deliver second-stage payloads or download tools.

Detection of Kerberos pre-authentication being disabled for a user account, potentially leading to AS-REP roasting and offline password cracking by attackers with GenericWrite or GenericAll rights over the account.

Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.

Attackers modify the Microsoft Office 'Office Test' Registry key to achieve persistence by specifying a malicious DLL that executes upon application startup.

Attackers can modify the msPKIAccountCredentials attribute in Active Directory user objects to abuse credential roaming, potentially overwriting files for privilege escalation, by injecting malicious credential objects.

Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.

Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.

Detection of PowerShell scripts attempting to dump Kerberos tickets from memory by accessing LSA authentication packages, potentially leading to credential access and lateral movement.

Attackers can enable full user-mode dumps system-wide via registry modification to facilitate LSASS credential dumping, allowing extraction of credentials from process memory without deploying malware.

Detects the execution of `gpresult.exe` with arguments `/z`, `/v`, `/r`, or `/x` on Windows systems, which attackers may use during reconnaissance to enumerate Group Policy Objects and identify opportunities for privilege escalation or lateral movement.

This rule identifies the installation of potentially malicious browser extensions, which adversaries can leverage for persistence and unauthorized activity by monitoring file creation events in common browser extension directories on Windows systems.

The rule detects unusual outbound network connections made by rundll32.exe, specifically when executed with minimal arguments, which may indicate command and control activity or defense evasion tactics on Windows systems.

Adversaries can achieve persistence by abusing the Background Intelligent Transfer Service (BITS) SetNotifyCmdLine method to execute a program after a job finishes, leading to arbitrary code execution and system compromise.

This rule detects potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments on Windows systems.

The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.

Detection of a user account initiating the Active Directory replication process for the first time, potentially indicating a DCSync attack for credential theft and domain compromise.

This brief details a detection strategy for rare SMB connections originating from internal networks to the internet, potentially indicating NTLM credential theft via rogue UNC path injection.

This rule identifies attempts to execute Jscript/Vbscript files from an archive file, a common delivery method for malicious scripts on Windows systems.

Anomalous NewCredentials logon events triggered by uncommon processes may indicate access token manipulation for privilege escalation.

A machine learning job detected a user accessing an uncommon group name for privileged operations, potentially indicating privilege escalation or unauthorized account manipulation on a Windows system.

Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.

Detects attempts to export sensitive Windows registry hives (SAM/SECURITY) using reg.exe, potentially leading to credential compromise.

A machine learning job has detected an unusually high number of processes started within a single Remote Desktop Protocol (RDP) session, potentially indicating lateral movement activity.

Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.

A machine learning job detected a suspicious Windows process, predicted malicious by the ProblemChild model and flagged as an unusual child process name for its parent, potentially indicating LOLbins usage and evading traditional detection.

Detects the renaming of automation script interpreter processes like AutoIt, AutoHotkey, and KIX32, a tactic used by malware operators to evade detection by obscuring the true nature of the executable.

This rule detects suspicious execution of scripts via WMIC, potentially used for allowlist bypass, by identifying WMIC executions with atypical arguments and the loading of specific libraries like jscript.dll or vbscript.dll for defense evasion and execution.

The ProblemChild machine learning model has detected a user with suspicious Windows processes exhibiting unusually high malicious probability scores, potentially indicating defense evasion via masquerading or LOLbins.

This rule detects potential ransomware behavior by identifying the creation of multiple files with the same name over SMB by the SYSTEM account, potentially indicating remote execution of ransomware dropping note files.

This rule detects unauthorized access to sensitive Active Directory object attributes such as unixUserPassword, ms-PKI-AccountCredentials, and msPKI-CredentialRoamingTokens, potentially leading to credential theft and privilege escalation.

This detection identifies the creation of new Windows services with suspicious command values, often used for privilege escalation and persistence by malicious actors.

Adversaries may use the `nltest.exe` command-line utility to enumerate domain trusts and gain insight into trust relationships to facilitate lateral movement within a Microsoft Windows NT Domain.

This rule detects the abuse of Windows Sandbox with sensitive configurations to evade detection, where malware may abuse the sandbox feature to gain write access to the host file system, enable network connections, and automatically execute commands via logon, identifying the start of a new container with these sensitive configurations.

This rule detects PowerShell scripts that request Kerberos service tickets using KerberosRequestorSecurityToken, potentially indicating Kerberoasting attacks for offline password cracking of service accounts.

Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.

The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.

This rule detects PowerShell scripts that attempt to bypass the Antimalware Scan Interface (AMSI) in order to disable scanning and execute malicious PowerShell code undetected.

Adversaries may coerce local NTLM authentication over HTTP via WebDAV named-pipe paths (Print Spooler, SRVSVC), then relay credentials to elevate privileges.

This rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker may have compromised an account by brute-forcing login attempts across multiple users.

The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.

An attacker abuses the Secondary Logon service (seclogon.dll) to gain unauthorized access to the LSASS process, potentially leaking credentials.

This detection rule identifies attempts to establish persistence on Windows systems by creating scheduled jobs in the Windows Tasks directory, excluding known legitimate jobs.

Detection of access attempts to the LSASS handle, indicating potential credential dumping by monitoring API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting lsass.exe.

This rule identifies potential timestomping behavior on Windows systems where the creation time of executable files in sensitive system directories is modified, potentially to blend malicious executables with legitimate system files and evade detection.

Detection of MsBuild.exe making outbound network connections which may indicate adversarial activity used to execute code and evade detection.

Attackers with access to IIS web servers may use the AppCmd command-line tool to dump sensitive configuration data, including application pool credentials, potentially leading to lateral movement and privilege escalation.

Attackers use PowerShell commands, including base64-encoded variants, to disable or weaken Windows Defender settings, impairing defenses on compromised systems.

Attackers abuse the Application Compatibility Shim functionality in Windows to establish persistence and achieve arbitrary code execution by installing malicious shim databases, which this detection identifies through monitoring registry changes.

Adversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.

This detection rule identifies downloaded .url shortcut files on Windows systems, often used in phishing campaigns, by monitoring their creation events and flagging those from non-local sources, enabling early threat detection.

The execution of `wevtutil.exe` with parameters to disable event logs is a tactic commonly employed by ransomware to evade detection and hinder forensic investigations, leading to a significant reduction in visibility for defenders.

This detection identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn child processes, potentially indicating code injection or exploitation.

Attackers bypass User Account Control (UAC) by hijacking the DiskCleanup Scheduled Task to stealthily execute code with elevated permissions on Windows systems.

Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.

Attackers establish persistence by installing a malicious VBA template in Microsoft Outlook, triggering scripts upon application startup by modifying the VBAProject.OTM file, detected by monitoring for unauthorized file modifications.

This rule detects command and control activity using common web services by identifying Windows hosts making DNS requests to a list of commonly abused web services from processes outside of known program locations, potentially indicating adversaries attempting to blend malicious traffic with legitimate network activity.

This analytic identifies the use of Distributed Component Object Model (DCOM) to execute commands on a remote host, specifically when launched via ShellBrowserWindow or ShellWindows Application COM objects, indicating potential lateral movement by an attacker.

The Windows Update Auto Update Client (wuauclt.exe) is being abused to load arbitrary DLLs, a defense evasion technique where malicious activity blends with legitimate Windows software by using specific process arguments and placing DLLs in writable paths.

Attackers attempt to disable Windows Event and Security Logs using logman, PowerShell, or auditpol to evade detection and cover their tracks.

A machine learning job detected an RDP session initiated at an unusual time or day, potentially indicating lateral movement activity within a network.

Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.

This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.

Adversaries may create symbolic links to shadow copies to access sensitive files such as ntds.dit and browser credentials, enabling credential dumping using cmd.exe or powershell.exe.

Detection of InstallUtil.exe making outbound network connections, which can indicate adversaries leveraging it to execute code and evade detection by proxying execution through a trusted system binary.

Attackers may attempt credential theft by launching browsers (Chrome, Edge) with remote debugging, headless automation, or minimal arguments from an unusual parent process on Windows systems.

This rule detects potential command and control activity where Internet Explorer (iexplore.exe) is started via the Component Object Model (COM) and makes unusual network connections, indicating adversaries might exploit Internet Explorer via COM to evade detection and bypass host-based firewall restrictions.

A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, potentially indicating masquerading and defense evasion tactics.

This rule identifies execution of suspicious programs via scheduled tasks by looking at process lineage and command line usage, detecting processes such as cscript.exe, powershell.exe, and cmd.exe when executed from suspicious paths like C:\Users\ and C:\ProgramData\.

Detects PowerShell scripts employing Base64 decoding combined with .NET decompression (Deflate/GZip) to deobfuscate and reconstruct malicious payloads in memory, evading traditional defenses.

Detection of suspicious LSASS handle access via DuplicateHandle from an unknown call trace module, indicating a potential attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory for credential access.

Detection of the assignment of the SeEnableDelegationPrivilege user right to a principal can indicate potential Active Directory compromise and privilege elevation by attackers.

Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.

This rule detects the creation of the default Mimikatz MemSSP credential log file, mimilsa.log, which is created after the misc::memssp module injects a malicious Security Support Provider into LSASS, potentially capturing credentials from subsequent logons.

This rule detects registry modifications indicative of a new Windows Subsystem for Linux (WSL) distribution installation, a technique adversaries may leverage to evade detection by utilizing Linux environments within Windows.

This rule identifies the use of bcdedit.exe to modify boot configuration data, which may be indicative of a destructive attack or ransomware activity aimed at inhibiting system recovery by disabling error recovery or ignoring boot failures.

Detects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.

Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.

Adversaries may modify service security descriptors to deny access to specific groups, potentially escalating privileges and hindering security services, by using sc.exe to set new deny ACEs (Access Control Entries) on Windows services.

Adversaries may delete Windows backup catalogs and system state backups using wbadmin.exe to inhibit system recovery, often as part of ransomware or other destructive attacks.

Detection of network connections initiated by unusual Windows system binaries, often leveraged by adversaries to proxy execution of malicious code and evade detection, indicating potential defense evasion and command and control activity.

Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.

The analytic detects the execution of msiexec.exe with an HTTP or HTTPS URL, which indicates an attempt to download and execute potentially malicious software from a remote server, leading to potential unauthorized code execution, system compromise, or malware deployment.

This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.

An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.

A machine learning job detected an unusual increase in special privilege usage events on Windows, such as privileged operations and service calls, potentially indicating unauthorized privileged access and privilege escalation attempts.

Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.

Detects remote access to the registry, potentially dumping credential data from the Security Account Manager (SAM) registry hive, indicating preparation for credential access and privilege elevation.

This rule detects potential NTLM relay attacks against computer accounts by identifying coercion attempts followed by authentication events originating from a different host, indicating that an attacker has captured and relayed the server's computer account hash to execute code on behalf of the compromised system.

This analytic identifies suspicious programs such as script interpreters, rundll32, or MSBuild being executed shortly after user logon, indicating potential persistence mechanisms abusing the registry run keys.

This rule detects command and control (C2) communications that use common web services to hide malicious activity on Windows hosts by identifying network connections to commonly abused web services from processes outside of known legitimate program locations, indicating potential exfiltration or C2 activity blended with legitimate traffic.

Adversaries abuse the Console Window Host (conhost.exe) with the `--headless` argument to proxy execution of malicious commands, evading detection by blending in with legitimate Windows software.

Detection of attrib.exe being used with the +h flag to hide files and directories on Windows systems, a technique used by attackers for defense evasion and persistence.

This rule detects the modification of the msDS-KeyCredentialLink attribute in an Active Directory Computer or User Object, which could indicate an attacker is creating shadow credentials to gain persistent and stealthy access.

Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.

Detection of processes loading Mozilla NSS/Mozglue libraries (mozglue.dll, nss3.dll) outside of known Mozilla applications, potentially indicating malware or unauthorized activity.

This rule identifies script engines creating files or the creation of script files in the Windows Startup folder, a persistence technique used by adversaries to automatically execute scripts upon user login.

Detection of PowerShell processes launched by cscript.exe or wscript.exe, indicative of potential malicious initial access or execution attempts.

Detection of msiexec.exe spawning discovery commands indicating potential reconnaissance activity by attackers for system information gathering and lateral movement.

Detection of non-browser processes accessing browser user data folders, a tactic used by malware such as Snake Keylogger to steal credentials and sensitive information.

This rule identifies attempts to create new users on Windows systems using net.exe, a common tactic used by attackers to increase access or establish persistence.

The rule identifies unusual instances of dllhost.exe making outbound network connections to non-local IPs, which may indicate adversarial Command and Control activity and defense evasion.

This detection identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped unsigned DLL, which indicates an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed process.

Adversaries may establish persistence by writing malicious files to the Windows Startup folder, allowing them to automatically execute upon user logon; this detection identifies suspicious processes creating files in these locations.

This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.

Attackers may use mounted devices as a non-standard working directory to execute signed binaries or script interpreters, evading traditional defense mechanisms, particularly when launched via explorer.exe.

Attackers abuse certutil.exe, a native Windows utility, to download/deobfuscate malware for command and control or data exfiltration, evading defenses.

This rule identifies the execution of a file that was created by the virtual system process, potentially indicating lateral movement via network file shares in Windows environments.

The rule identifies the execution of a file created by the virtual system process, potentially indicating lateral movement via network file shares, by detecting a sequence of file creation/modification followed by process execution, excluding trusted vendors.

This rule detects potential RemoteMonologue attacks by identifying attempts to perform session hijacking via COM object registry modification, specifically when the RunAs value is set to Interactive User.

Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

This rule identifies process execution from suspicious default Windows directories, which adversaries may abuse to hide malware in trusted paths to evade defenses.

This rule detects a network logon followed by Windows service creation with the same LogonId on a Windows host, which could indicate lateral movement or persistence by adversaries.

Detection of processes executed via Windows Management Instrumentation (WMI) on a remote host indicating potential adversary lateral movement.

Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.

Adversaries may enable and use Windows Subsystem for Linux (WSL) using the Microsoft Dism utility to evade detection on Windows systems by running Linux applications and tools.

The rule identifies the use of Windows script interpreters (cscript.exe or wscript.exe) executing a process via Windows Management Instrumentation (WMI), which may indicate malicious activity, especially when initiated by non-system accounts.

Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.