Windows

Threat actors are leveraging Microsoft's ClickOnce technology, designed for simplified application deployment, as an attractive vector to spread malware, allowing for easy distribution, minimal user interaction, and installation without elevated privileges on Windows systems.

Threat actors are actively abusing Microsoft's ClickOnce technology, specifically targeting the `.application` and `.appref-ms` file types, to achieve stealthy initial access, execute malicious payloads within legitimate Microsoft processes like rundll32.exe and dfsvc.exe, and establish persistence through its built-in update mechanism, effectively bypassing traditional endpoint security controls.

Threat actors are actively leveraging Microsoft's ClickOnce technology, a legitimate application deployment mechanism, to distribute and execute malware by exploiting its user-friendly deployment process that bypasses administrative privilege requirements.

A local attacker can exploit CVE-2016-20095, an unquoted service path vulnerability in Matrix42 Remote Control Host version 3.20.0031, to achieve arbitrary code execution with SYSTEM privileges by placing a malicious executable named 'Program.exe' in the 'C:\Program Files\' directory, leading to privilege escalation when the vulnerable service starts.

An unquoted service path vulnerability, CVE-2016-20089, in Iperius Remote version 1.7.0 allows a local attacker to execute arbitrary code with SYSTEM privileges by placing a malicious executable in a specific directory when the legitimate service path contains spaces, enabling privilege escalation upon service restart or system reboot.

A vulnerability in the vim text editor allows a remote, unauthenticated attacker to perform a Denial of Service attack by exploiting a weakness to disrupt the service without requiring prior authentication.

Threat actors can abuse Microsoft's ClickOnce technology, which allows for simplified application distribution and installation with minimal user interaction and no administrative privileges, to easily spread malware and bypass traditional security controls through a 'click once' deployment.

CVE-2026-25865 describes an unquoted search path element vulnerability in Yandex Punto Switcher through version 4.5.0.583, allowing local attackers to execute arbitrary code by placing a malicious `RunDll32.exe` earlier in the system's PATH to hijack the application's insecure `WinExec` call, leading to arbitrary code execution with affected user privileges.

A remote, unauthenticated attacker may exploit a deserialization of untrusted data vulnerability (CVE-2026-8024) in ibaPDA (versions prior to 8.14.0) or ibaDatCoordinator (versions prior to 4.0.7) to gain full access to the affected systems, potentially leading to arbitrary code execution and system compromise.

Sophos X-Ops discovered that Hola Browser version 1.251.91.0 was distributed with an undeclared crypto-mining executable, me.exe, due to a supply chain compromise, leading to resource hijacking on affected Windows systems.

An unknown threat actor gained continuous administrative access to a senior finance executive's Microsoft Outlook mailbox at a global stock exchange for at least five months, deploying custom infostealers via scheduled tasks and exfiltrating sensitive emails through a Dropbox-based command and control channel after an initial lateral movement event.

CERT-FR has disclosed 31 vulnerabilities in various Microsoft Office products, including CVE-2026-44803 and CVE-2026-47635, which could allow remote code execution, privilege escalation, and data confidentiality compromise.

A critical remote code execution vulnerability, tracked as CVE-2026-44963, has been discovered in Veeam Backup & Replication versions prior to 12.3.2.4854, which could allow an unauthenticated attacker to execute arbitrary code on affected systems, leading to full compromise of the backup infrastructure and potential data exfiltration or destruction.

A remote, anonymous attacker can exploit a vulnerability in Notepad++ to execute arbitrary program code, potentially leading to system compromise.

The analytic detects ACL deletion on the domain root object in Active Directory by monitoring Windows Event Log Security event ID 5136, identifying significant AD changes with potentially high impact.

Detection of changes to the xp_cmdshell configuration in SQL Server, a feature often abused by attackers for privilege escalation and lateral movement by enabling execution of operating system commands.

Modification of critical SQL Server configuration options, such as 'Ad Hoc Distributed Queries', 'external scripts enabled', 'Ole Automation Procedures', 'clr enabled', and 'clr strict security', can enable attackers to perform Active Directory reconnaissance and execute arbitrary code, potentially leading to code execution or reconnaissance activities.

Detection of expand.exe being used to extract Microsoft Cabinet (CAB) archives, specifically when extracting to C:\ProgramData or similar staging locations, potentially indicating ingress tool transfer and payload staging by threat actors like APT37.

Detection of the Microsoft Software Licensing User Interface Tool (`slui.exe`) being executed with elevated privileges using the `-verb runas` parameter, indicating a potential privilege escalation attempt.

This analytic detects the issuance of a suspicious certificate with a Subject Alternative Name (SAN) using Active Directory Certificate Services (AD CS) and its immediate use for authentication, indicating potential exploitation of improperly configured certificate templates for privilege escalation.

This analytic detects when a process running with low or medium integrity spawns an elevated process with high or system integrity in suspicious locations, potentially indicating successful privilege escalation by a threat actor.

This analytic detects changes to the sIDHistory attribute of user or computer objects within the same domain using Windows Security Event Codes 4738 and 4742, which can be abused by adversaries to gain unauthorized access, maintain persistence, or escalate privileges by inheriting permissions from another account.

This analytic detects when an ACL is applied to an organizational unit (OU) to deny listing the objects residing in it; this activity, combined with modifying the owner of the OU, can hide Active Directory objects, even from domain administrators.

This analytic detects the addition of permissions required for a DCSync attack, specifically DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set, leveraging Windows Security Event Log 5136 to identify when these permissions are granted, which indicates potential preparation for replicating AD objects and exfiltrating sensitive data.

Detection of Active Directory user object ACL modifications that grant dangerous permissions, such as full control or the ability to modify permissions, potentially indicating privilege escalation or malicious activity.

This analytic identifies potential post-exploitation behaviors on a Windows system by monitoring multiple risk events and their associated MITRE ATT&CK tactics, indicating potential malicious actions following an initial compromise.

This analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected, leveraging Splunk's Risk data model to detect persistence, hiding malicious configurations, or erasing forensic evidence.

A cryptojacking campaign targets systems with high-performance GPUs using SEO poisoning and manipulated AI chatbot recommendations, distributing malware disguised as legitimate software utilities to establish persistence and evade detection before deploying GPU mining programs.

A critical deserialization of untrusted data vulnerability (CVE-2025-54539) exists in Apache ActiveMQ NMS AMQP Client <= v2.3.0, where an attacker controlling or impersonating an AMQP broker can send malicious serialized data that the client deserializes unsafely, allowing arbitrary code execution on the client system.

SocuSoft DVD Photo Slideshow Professional 8.07 is vulnerable to a stack-based buffer overflow (CVE-2018-25373) in the registration name field, allowing local attackers to execute arbitrary code by exploiting structured exception handling.

A buffer overflow vulnerability exists in 10-Strike Network Scanner 3.0, allowing attackers to bypass SafeSEH protections and execute arbitrary code by crafting a malicious payload in the host name or address field and triggering the vulnerability through the Trace route or System information functions.

10-Strike Network Inventory Explorer 8.54 contains a stack-based buffer overflow vulnerability in the registration key input field that allows local attackers to execute arbitrary code via SEH overwrite.

A local attacker can exploit vulnerabilities in Ivanti Secure Access Client to manipulate files or escalate privileges, potentially gaining elevated access to the system.

This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication using rundll32.exe.

A local exploit has been published for Lenovo LegionSpace 1.7.11.2, detailing an Unquoted Service Path vulnerability in the 'DAService', potentially leading to local privilege escalation.

CVE-2008-4250 is a buffer overflow vulnerability in the Microsoft Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request during path canonicalization.

A local attacker can exploit a vulnerability in Microsoft Azure Portal Windows Admin Center to gain administrator rights, potentially leading to unauthorized access and control over Azure resources.

Multiple vulnerabilities in Microsoft Defender and Microsoft Malware Protection Engine could allow an attacker to elevate privileges, execute arbitrary code, and cause a denial of service condition.

Claude HUD through version 0.0.12 is vulnerable to command injection (CVE-2026-47092) allowing a local attacker to execute arbitrary commands on a Windows system by manipulating the COMSPEC environment variable; this vulnerability has been patched in commit 234d9aa.

Kite 4.2.0.1 U1 contains an unquoted service path vulnerability (CVE-2020-37247) in the KiteService Windows service that allows local attackers to escalate privileges by placing a malicious executable in a directory due to the unquoted service path.

Syncplify.me Server! version 5.0.37 contains an unquoted service path vulnerability (CVE-2020-37230) in the SMWebRestServicev5 service, allowing a local attacker to escalate privileges by placing a malicious executable in the service path.

OKI sPSV Port Manager 1.0.41 contains an unquoted service path vulnerability in the sPSVOpLclSrv service, allowing local attackers to escalate privileges by inserting executable files into the unquoted path.

The Russian hacker group Secret Blizzard has evolved the Kazuar backdoor into a modular P2P botnet designed for persistence, stealth, and data collection, utilizing kernel, bridge, and worker modules for command and control and data exfiltration.

Detection of handle requests to the LSASS process with specific access masks commonly used by tools to dump memory, indicating potential credential access attempts.

A machine learning job has identified a parent process spawning one or more suspicious Windows processes exhibiting unusually high malicious probability scores, indicating potential defense evasion tactics like masquerading and LOLBins usage.

A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, indicating potential masquerading tactics for defense evasion.

A machine learning job has detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be suspicious given its user context by an unsupervised ML model, indicating potential defense evasion activity involving LOLbins.

This rule detects unusual process spawned by a parent process, potentially indicating malicious activity involving LOLbins by leveraging machine learning to identify anomalous process creation patterns that evade conventional search rules.

A machine learning job detects unusual Windows processes, potentially Living off the Land binaries, on hosts not commonly associated with malicious activity, indicating possible defense evasion attempts.

A remote code execution vulnerability exists in Remote Sunrise Helper for Windows version 2026.14, which can be exploited without authentication, as demonstrated by a public exploit published on Exploit-DB.

A local exploit has been published for Remote Sunrise Helper for Windows 2026.14, detailing an unauthenticated file/directory listing vulnerability. Successful exploitation allows unauthenticated attackers to list files and directories on the affected system.

Multiple vulnerabilities exist in Microsoft Windows products, enabling attackers to execute arbitrary code, escalate privileges, perform denial-of-service attacks, disclose information, or bypass security measures.

Multiple vulnerabilities in Microsoft developer tools and platforms could allow an attacker to achieve arbitrary code execution, data manipulation, privilege escalation, bypassing security measures, information disclosure, and denial of service.

Multiple vulnerabilities in Microsoft Azure and Windows Admin Center allow an attacker to escalate privileges, spoof information, and bypass security measures.

This rule identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory by detecting specific API calls (OpenProcess, OpenThread, ReadProcessMemory) targeting the 'lsass.exe' process.

Identifies the creation of a Windows service by an unusual client process, which can be leveraged to escalate privileges from administrator to SYSTEM by exploiting misconfigurations or vulnerabilities in the service creation process.

This rule detects the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary, which adversaries may leverage to escalate privileges and bypass access controls through token theft.

An adversary may attempt privilege escalation by masquerading as a known named pipe and manipulating a privileged process to connect to it on Windows systems.

This rule detects parent process spoofing used to create an elevated child process, specifically targeting privilege escalation to SYSTEM, where adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges on Windows systems.

Detects attempts to bypass User Account Control (UAC) by masquerading as a trusted Microsoft Windows directory, abusing a trailing-space in the path to execute code with elevated privileges.

Detects User Account Control (UAC) bypass attempts using eventvwr.exe to execute code with elevated permissions by identifying child processes of eventvwr.exe, excluding mmc.exe and WerFault.exe, which may indicate unauthorized privilege escalation.

Detects User Account Control (UAC) bypass attempts via the ICMLuaUtil Elevated COM interface, where attackers may attempt to stealthily execute code with elevated permissions, potentially leading to privilege escalation.

This rule detects potential privilege escalation attempts by exploiting CVE-2021-42278, which involves spoofing the samAccountName attribute to impersonate a domain controller and elevate privileges from a standard domain user to a domain administrator by identifying suspicious computer account name rename events where a machine account name is renamed to a user-like account name.

A privilege escalation attempt is detected through modification of the Windows directory (Windir) environment variable, a technique often combined with other vulnerabilities to elevate privileges by redirecting system processes.

Adversaries may escalate privileges by abusing named pipe impersonation, a technique often used with tools like Metasploit's meterpreter getsystem command, where a process writes to a named pipe to facilitate a SYSTEM-token handoff.

The rule detects a local successful logon event with Kerberos authentication from localhost, followed by service creation from the same LogonId, indicating a potential Kerberos relay attack for local privilege escalation to LocalSystem.

This rule detects potential exploitation of the InstallerTakeOver vulnerability (CVE-2021-41379), where successful exploitation allows an unprivileged user to escalate privileges to SYSTEM.

Detects modifications to Group Policy Object Attributes that grant privileges to user accounts or add users as local administrators, indicating potential privilege escalation attempts.

Detects the creation of a delegated Managed Service Account (dMSA) by an unusual subject account, potentially indicating an attempt to abuse weak permissions for privilege escalation in Active Directory.

Detection of modifications to the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account (dMSA) by an unusual subject account, which attackers can abuse to inherit permissions and elevate privileges in Active Directory.

The rule identifies the use of Windows Management Instrumentation StdRegProv (registry provider) to modify commonly abused registry locations for persistence by detecting registry changes made by WmiPrvSe.exe in specific registry paths.

Intel released security advisories addressing vulnerabilities in Display Virtualization for Windows OS driver software, Intel EMA software, AI Playground software, and Intel Vision software, requiring users to update to the latest versions.

CVE-2026-42896 describes an integer overflow vulnerability in the Windows DWM Core Library, allowing an authorized local attacker to elevate privileges.

CVE-2026-42825 is a use-after-free vulnerability in the Windows Telephony Service that allows an authorized, local attacker to elevate privileges.

CVE-2026-41088 is a vulnerability in Windows Ancillary Function Driver for WinSock that allows an authorized attacker to elevate privileges locally due to external control of file name or path.

CVE-2026-41086 describes an improper access control vulnerability in Windows Admin Center, allowing an authorized attacker to elevate privileges over a network.

CVE-2026-40420 is an improper access control vulnerability in Microsoft Office Click-To-Run allowing an authorized attacker to elevate privileges locally.

CVE-2026-40418 is a use-after-free vulnerability in Microsoft Office Click-To-Run that allows an authorized attacker to elevate privileges locally.

CVE-2026-40415 is a use-after-free vulnerability in Windows TCP/IP that allows an unauthorized attacker to execute code over a network.

A null pointer dereference vulnerability exists in Windows TCP/IP, allowing an unauthorized attacker on an adjacent network to cause a denial-of-service condition.

CVE-2026-40407 is a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) Driver, enabling a locally authenticated attacker to escalate privileges on the system.

CVE-2026-40406 is a use-after-free vulnerability in Windows TCP/IP that allows an unauthorized attacker to disclose sensitive information over a network.

CVE-2026-40405 describes a null pointer dereference vulnerability in Windows TCP/IP, allowing an unauthenticated attacker to cause a denial of service over a network.

CVE-2026-40403 is a heap-based buffer overflow vulnerability in Windows Win32K - GRFX that allows an authorized local attacker to execute arbitrary code, potentially leading to privilege escalation and code execution.

CVE-2026-40401 is a null pointer dereference vulnerability in Windows TCP/IP that allows a local, unauthorized attacker to cause a denial of service.

CVE-2026-40399 is a stack-based buffer overflow vulnerability in the Windows TCP/IP stack, allowing an authenticated local attacker to elevate privileges.

CVE-2026-40397 is an integer underflow vulnerability in the Windows Common Log File System (CLFS) driver that allows an authenticated attacker to escalate privileges locally.

CVE-2026-40382 is a use-after-free vulnerability in the Windows Telephony Service that allows an authorized attacker to elevate privileges locally.

CVE-2026-40377 is a heap-based buffer overflow vulnerability in Windows Cryptographic Services, allowing an authorized local attacker to elevate privileges.

The rule detects the hijack of the Microsoft Compatibility Appraiser scheduled task to establish persistence with system integrity level, by monitoring CompatTelRunner.exe process execution and detecting unexpected child processes.

This rule detects a persistence mechanism that utilizes the NtSetValueKey native API to create a hidden (null terminated) registry key, evading detection from system utilities.

Attackers can modify the msDS-AllowedToDelegateTo attribute to KRBTGT, enabling persistent domain access by requesting Kerberos tickets for the KRBTGT service.

This rule detects attempts to establish persistence on Windows endpoints by abusing Microsoft Office add-ins through the creation of malicious files in Office startup directories.

Detects the creation of a hidden local user account by appending a dollar sign ($) to the account name, a technique used by attackers to persist on a system and evade standard account listing methods.

A heap-based buffer overflow vulnerability, identified as CVE-2026-40362, exists in Microsoft Office Excel, allowing an unauthenticated attacker with local access to execute arbitrary code.

CVE-2026-35424 is a denial-of-service vulnerability in the Windows Internet Key Exchange (IKE) Protocol caused by a missing release of memory after its effective lifetime, allowing an unauthenticated remote attacker to trigger a denial of service over a network.

CVE-2026-35421 is a heap-based buffer overflow vulnerability in Windows Graphics Device Interface (GDI) that allows an unauthorized attacker to execute arbitrary code locally with elevated privileges.

CVE-2026-35420 is a heap-based buffer overflow vulnerability in the Windows Kernel that allows an authorized local attacker to elevate privileges.

CVE-2026-35418 is a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver that allows an authorized local attacker to elevate privileges.

CVE-2026-35417 is a type confusion vulnerability in Windows Win32K - ICOMP that allows an authorized attacker to elevate privileges locally.

CVE-2026-35416 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock, enabling a locally authorized attacker to escalate privileges.

CVE-2026-35415 is an integer overflow vulnerability in the Windows Storage Spaces Controller that allows a locally authorized attacker to elevate privileges.

CVE-2026-34351 is a race condition vulnerability in Windows TCP/IP that allows an authorized attacker to elevate privileges locally.

CVE-2026-34347 is a use-after-free vulnerability in Windows Win32K - GRFX that allows an authorized local attacker to elevate privileges.

CVE-2026-34345 describes a race condition vulnerability in Windows Ancillary Function Driver for WinSock, allowing an authorized attacker to elevate privileges locally.

CVE-2026-34344 is a type confusion vulnerability in the Windows Ancillary Function Driver for WinSock, allowing an authorized local attacker to elevate privileges.

CVE-2026-34343 is a heap-based buffer overflow vulnerability in the Windows Application Identity (AppID) Subsystem that allows an authorized attacker to elevate privileges locally.

CVE-2026-34342 is a race condition vulnerability in Windows Print Spooler Components that allows an authorized attacker to elevate privileges locally.

CVE-2026-34341 is a double free vulnerability in the Windows Link-Layer Discovery Protocol (LLDP) that allows an authorized attacker to elevate privileges locally with a CVSS v3.1 score of 7.0.

CVE-2026-34340 is a use-after-free vulnerability in the Windows Projected File System that allows an authorized attacker to elevate privileges locally.

CVE-2026-34336 is a buffer over-read vulnerability in the Windows DWM Core Library, allowing a local, authenticated attacker to disclose sensitive information.

CVE-2026-34333 is a use-after-free vulnerability in the Windows Win32K - GRFX component that allows a locally authorized attacker to elevate privileges.

CVE-2026-34331 describes a race condition vulnerability in Windows Win32K - GRFX that allows an authorized attacker to elevate privileges locally due to improper synchronization when accessing shared resources.

CVE-2026-34330 is an integer overflow vulnerability in Windows Win32K - GRFX that allows a locally authenticated attacker to escalate privileges.

CVE-2026-33841 is a heap-based buffer overflow vulnerability in the Windows Kernel that allows a locally authorized attacker to elevate privileges.

CVE-2026-33840 is a use-after-free vulnerability in the Windows Win32K ICOMP component, allowing a locally authenticated attacker to elevate privileges.

CVE-2026-33839 is a race condition vulnerability in Windows Win32K - GRFX that allows an authorized local attacker to elevate privileges.

CVE-2026-33838 is a double free vulnerability in Windows Message Queuing that allows a locally authorized attacker to elevate privileges.

CVE-2026-33837 is a heap-based buffer overflow vulnerability in the Windows TCP/IP stack that allows an authenticated local attacker to elevate privileges.

CVE-2026-33835 is a use-after-free vulnerability in the Windows Cloud Files Mini Filter Driver, allowing a local attacker to elevate privileges.

CVE-2026-33834 is an improper access control vulnerability in the Windows Event Logging Service, allowing a locally authenticated attacker to escalate privileges.

CVE-2026-32161 is a race condition vulnerability in the Windows Native WiFi Miniport Driver that allows an unauthorized attacker to execute code over an adjacent network.

Adversaries may achieve lateral movement by creating malicious files in remote Windows startup folders via RDP or SMB, leading to code execution upon system reboot or user logon.

This rule detects potential SharpRDP behavior, a tool used for authenticated command execution against a remote target via Remote Desktop Protocol (RDP) for lateral movement by identifying incoming RDP connections followed by RunMRU registry value modifications and subsequent process execution.

The rule detects execution of processes from the Remote Desktop Protocol (RDP) shared mountpoint tsclient on Windows hosts, which may indicate a lateral movement attempt.

This brief detects potential remote desktop shadowing activity by identifying modifications to the RDP Shadow registry or the execution of processes indicative of an active RDP shadowing session, which adversaries may abuse to spy on or control other users' RDP sessions.

Detection of Distributed Component Object Model (DCOM) abuse to execute commands remotely via the MMC20 Application COM object, potentially indicating lateral movement.

Detection of Distributed Component Object Model (DCOM) abuse to execute commands from a remote host via the HTA Application COM Object, potentially indicating lateral movement.

This rule detects suspicious Kerberos authentication ticket requests by correlating network connections to the standard Kerberos port (88) from a source machine with a Kerberos authentication ticket request from the target domain controller, which could indicate lateral movement or credential access attempts within a Windows domain.

Detects suspicious processes spawned by the Microsoft Exchange Server worker process (w3wp.exe), potentially indicating exploitation or web shell activity.

The rule detects the use of wmic.exe for shadow copy deletion on Windows endpoints, a common tactic used in ransomware or other destructive attacks to inhibit system recovery.

Detects the use of PowerShell to delete volume shadow copies, a tactic commonly employed by ransomware and other destructive attacks to hinder data recovery efforts.

The rule identifies the creation of files resembling ransomware notes via SMB, potentially indicating a remote ransomware attack on Windows systems.

Detection of a suspicious file rename operation following an incoming SMB connection, potentially indicating a remote ransomware attack via the SMB protocol, targeting Windows hosts.

Detection of attempts to delete or modify critical Windows boot files indicating a potential destructive attack to prevent system startup.

An anonymous remote attacker can exploit multiple vulnerabilities in 7-Zip to manipulate files or disclose sensitive information on Windows systems.

GhostLock is a proof-of-concept tool that abuses the Windows CreateFileW API to block access to files on local and SMB network shares, causing a denial-of-service condition.

A local attacker can exploit a vulnerability in Podman HyperV Machine to execute arbitrary program code with administrator privileges, leading to complete system compromise.

JDownloader's website was compromised on May 6-7, 2026, with download links repointed to malicious installers deploying a Remote Access Trojan on Windows and harmful shell commands on Linux. Users who installed from affected links should treat the system as fully compromised and perform a clean OS reinstall.

Argus Surveillance DVR 4.0 contains an unquoted service path vulnerability in the DVRWatchdog service (CVE-2021-47945), enabling local attackers to escalate privileges by placing a malicious executable in the Program Files directory to be executed as LocalSystem.

A malicious repository on Hugging Face, impersonating OpenAI's 'Privacy Filter' project, distributed information-stealing malware to Windows users by executing a PowerShell command that downloads and runs a Rust-based infostealer, which exfiltrates collected data to a command-and-control server.

A local attacker can exploit a vulnerability in Avast Antivirus and AVG Technologies Anti-Virus to escalate privileges on a Windows system.

WatchGuard Agent on Windows (version 1.25.02.0000 and prior) is vulnerable to multiple privilege escalation and denial-of-service vulnerabilities, potentially allowing local attackers to execute arbitrary code with SYSTEM privileges or cause a denial of service.

The ScarCruft APT group conducted a supply-chain attack targeting the Yanbian region by compromising a gaming platform, sqgame, used by ethnic Koreans, trojanizing Windows and Android games with the BirdCall backdoor for espionage activities since late 2024.

Adversaries may abuse Curl for Windows to download files or upload data to a remote URL for command and control or exfiltration purposes.

An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.

A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.

Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.

This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.

Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.

Adversaries may abuse RDP files delivered via phishing from suspicious locations to gain unauthorized access to systems.

Adversaries may exploit Windows Server Update Services (WSUS) to execute PsExec for lateral movement within a network by abusing the trusted update mechanism to run signed binaries.

Detection of a Windows DNS record creation event (5137) with an ObjectDN attribute containing 'DC=wpad', which indicates a potential WPAD spoofing attack to enable privilege escalation and lateral movement.

This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.

The rule detects the execution of the built-in Windows Installer, msiexec.exe, to install a remote package potentially abused by adversaries for initial access and defense evasion.

This rule detects potential Pass-the-Hash (PtH) attempts in Windows environments by monitoring successful authentications with specific user IDs (S-1-5-21-* or S-1-12-1-*) and the `seclogo` logon process, where attackers use stolen password hashes to authenticate and move laterally across systems without needing plaintext passwords.

This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.

This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.

Detection of potential NTLM relay attacks targeting computer accounts by identifying authentication events originating from hosts other than the account's owner, indicating possible credential theft and misuse.

The rule identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different source IP, potentially indicating account takeover or use of stolen credentials from a new location.

Adversaries may use the `dsquery.exe` command-line utility to enumerate trust relationships for lateral movement in Windows multi-domain environments.

The rule detects the execution of the VScode portable binary with the tunnel command line option, potentially indicating an attempt to establish a remote tunnel session to Github or a remote VScode instance for unauthorized access and command and control.

Attackers may attempt to disable or modify code signing policies on Windows systems by using built-in tools like bcdedit.exe in order to execute unsigned or self-signed malicious code.

A privilege escalation vulnerability exists in Norton Secure VPN during installation via the Microsoft Store (CVE-2025-58074), allowing a low-privilege user to replace files leading to arbitrary file deletion and potential elevation of privileges.

Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.

A local attacker can exploit an unpatched vulnerability in Microsoft Windows RPC to escalate privileges.

Alloksoft Video Joiner 4.6.1217 is vulnerable to a local buffer overflow (CVE-2018-25315) allowing attackers to execute arbitrary code via a crafted license name.

A vulnerability in Windows RPC architecture allows an attacker to create a fake RPC server and escalate their privileges to SYSTEM level, leveraging processes with impersonation privileges.

CVE-2026-32223 is an elevation of privilege vulnerability affecting the Windows USB Printing Stack (usbprint.sys), potentially allowing a local attacker to gain elevated privileges on a vulnerable system.

Multiple vulnerabilities in Microsoft Visual Studio, .NET Framework, .NET, PowerShell, and Visual Studio Code can be exploited by an attacker to disclose sensitive information, conduct spoofing attacks, cause a denial of service, or bypass security measures, potentially leading to arbitrary code execution.

This rule identifies attempts to open a remote desktop file from suspicious paths, indicative of adversaries abusing RDP files for initial access via phishing.

A remote attacker who has compromised the renderer process in Google Chrome on Windows prior to version 147.0.7727.101 can potentially perform a sandbox escape via a crafted HTML page due to an uninitialized use in accessibility, as tracked by CVE-2026-6311.

Digitally signed adware from Dragon Boss Solutions LLC deploys payloads with SYSTEM privileges to disable antivirus protections on thousands of endpoints across education, utilities, government, and healthcare sectors.

Microsoft's April 2026 Patch Tuesday addresses 163 vulnerabilities, including 8 critical ones, ranging from Tampering to Remote Code Execution and Privilege Escalation, affecting various Microsoft products; it is recommended to apply patches immediately.

The WinMatrix agent by Simopro Technology suffers from a missing authentication vulnerability (CVE-2026-6348), enabling local authenticated attackers to execute arbitrary code with SYSTEM privileges on the local machine and all hosts within the agent's environment.

Barracuda RMM versions prior to 2025.2.2 are vulnerable to local privilege escalation, allowing attackers to gain SYSTEM privileges by exploiting overly permissive filesystem ACLs on the C:\Windows\Automation directory.

Git for Windows versions prior to 2.53.0.windows.3 are vulnerable to NTLM hash theft by attackers who can trick users into cloning malicious repositories or checking out malicious branches, leading to potential credential compromise.

CVE-2026-26177 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock, allowing a local attacker to elevate privileges.

CVE-2026-26173 is a race condition vulnerability in the Windows Ancillary Function Driver for WinSock that allows a local attacker to elevate privileges.

CVE-2026-33104 is a race condition vulnerability in Windows Win32K - GRFX that allows an authorized local attacker to elevate privileges by exploiting concurrent execution using a shared resource with improper synchronization.

CVE-2026-32080 is a use-after-free vulnerability in the Windows WalletService, allowing a locally authorized attacker to elevate privileges.

CVE-2026-27911 is a race condition vulnerability in the Windows User Interface Core that allows a local attacker to elevate privileges due to improper synchronization when accessing shared resources.

CVE-2026-33827 is a race condition vulnerability in Windows TCP/IP that allows an attacker to execute arbitrary code over the network by exploiting improper synchronization during concurrent execution using shared resources.

CVE-2026-32076 is an out-of-bounds read vulnerability in the Windows Storage Spaces Controller that allows an authorized local attacker to elevate privileges.

CVE-2026-32068 is a race condition vulnerability in the Windows SSDP Service that allows an authorized attacker to elevate privileges locally.

CVE-2026-26151 is a spoofing vulnerability in Windows Remote Desktop due to an insufficient UI warning for dangerous operations, allowing an unauthorized attacker to perform spoofing over a network.

CVE-2026-32160 describes a race condition vulnerability in Windows Push Notifications that allows a locally authorized attacker to elevate privileges.

CVE-2026-32158 is a race condition vulnerability in Windows Push Notifications that allows an authorized attacker to elevate privileges locally due to improper synchronization when using shared resources.

CVE-2026-26172 is a race condition vulnerability in Windows Push Notifications, allowing a locally authenticated attacker to elevate privileges.

CVE-2026-27927 is a race condition vulnerability in the Windows Projected File System that allows an authorized attacker to escalate privileges locally.

CVE-2026-27929 is a time-of-check time-of-use (TOCTOU) race condition in Windows LUAFV that allows an authorized local attacker to elevate privileges.

CVE-2026-27912 describes an improper authorization vulnerability in Windows Kerberos, enabling an attacker on an adjacent network with valid credentials to elevate privileges.

CVE-2026-32149 is a vulnerability in Windows Hyper-V due to improper input validation, which allows an authorized, local attacker to execute arbitrary code.

CVE-2026-27913 describes an improper input validation vulnerability in Windows BitLocker that allows a local attacker to bypass security features.

An improper input validation vulnerability (CVE-2026-26143) in Microsoft PowerShell allows an unauthorized local attacker to bypass security features.

CVE-2026-27914 is an improper access control vulnerability in Microsoft Management Console that allows a locally authorized attacker to elevate privileges.

A double free vulnerability in the Windows IKE Extension, tracked as CVE-2026-33824, allows an unauthenticated remote attacker to execute arbitrary code over the network.

CVE-2026-33101 is a use-after-free vulnerability in the Windows Print Spooler Components that allows an authenticated local attacker to elevate privileges.

A use-after-free vulnerability, CVE-2026-33099, in the Windows Ancillary Function Driver for WinSock, enables a locally authenticated attacker to elevate privileges on the system.

CVE-2026-33098 is a use-after-free vulnerability in the Windows Container Isolation FS Filter Driver that allows a locally authorized attacker to elevate privileges.

An unauthenticated, remote attacker can exploit an out-of-bounds read vulnerability (CVE-2026-33096) in Windows HTTP.sys to cause a denial-of-service condition.

CVE-2026-32195 is a stack-based buffer overflow vulnerability in the Windows Kernel that allows an authorized attacker to elevate privileges locally.

CVE-2026-32164 is a race condition vulnerability in Windows User Interface Core that allows a locally authorized attacker to elevate privileges.

CVE-2026-32155 is a use-after-free vulnerability in the Desktop Window Manager that allows an authorized attacker to escalate privileges locally on a Windows system.

CVE-2026-32153 is a use-after-free vulnerability in Microsoft Windows Speech that allows a locally authorized attacker to elevate privileges.

A use-after-free vulnerability, CVE-2026-32078, exists in the Windows Projected File System, allowing a locally authenticated attacker to escalate privileges.

CVE-2026-32071 is a null pointer dereference vulnerability in the Windows Local Security Authority Subsystem Service (LSASS), allowing an unauthorized network attacker to cause a denial-of-service condition.

CVE-2026-27926 is a race condition vulnerability in the Windows Cloud Files Mini Filter Driver that allows a local attacker to elevate privileges.

CVE-2026-27917 is a use-after-free vulnerability in the Windows WFP NDIS Lightweight Filter Driver (wfplwfs.sys) that allows a locally authorized attacker to elevate privileges.

CVE-2026-27916 is a use-after-free vulnerability in Windows Universal Plug and Play (UPnP) Device Host that allows an authorized attacker to elevate privileges locally.

CVE-2026-27910 describes a local privilege escalation vulnerability in Windows Installer due to improper handling of insufficient permissions, allowing an authorized attacker to gain elevated privileges.

CVE-2026-27909 is a use-after-free vulnerability in the Microsoft Windows Search Component that allows a locally authorized attacker to escalate privileges.

A use-after-free vulnerability, CVE-2026-27908, exists in the Windows TDI Translation Driver (tdx.sys), allowing a locally authenticated attacker to elevate privileges.

CVE-2026-26182 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock, allowing a locally authorized attacker to elevate privileges.

CVE-2026-26181 is a use-after-free vulnerability in the Microsoft Brokering File System that enables a locally authenticated attacker to escalate privileges on the system.

CVE-2026-26179 is a double free vulnerability in the Windows Kernel, allowing a locally authenticated attacker to elevate privileges on the system.

CVE-2026-26163 is a double free vulnerability in the Windows Kernel, allowing an authorized attacker to elevate privileges locally with a CVSS v3.1 score of 7.8.

CVE-2026-26153 is an out-of-bounds read vulnerability in the Windows Encrypting File System (EFS) that allows an authorized local attacker to elevate privileges.

CVE-2026-26152 is an insecure storage of sensitive information vulnerability in Windows Cryptographic Services that allows a local, authorized attacker to elevate privileges.

CVE-2026-32183 is a command injection vulnerability in the Windows Snipping Tool that allows a local attacker to execute arbitrary code.

CVE-2026-32222 is an untrusted pointer dereference vulnerability in the Windows Win32K ICOMP component, allowing a local attacker to escalate privileges.

CVE-2026-32156 is a use-after-free vulnerability in the Windows Universal Plug and Play (UPnP) Device Host service that allows an unauthorized attacker to execute code locally.

CVE-2026-26183 allows a locally authenticated attacker to escalate privileges due to improper access control within the Windows RPC API.

CVE-2026-26174 is a race condition vulnerability in Windows Server Update Service that allows an authorized attacker to elevate privileges locally.

CVE-2026-33100 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock, allowing a locally authorized attacker to elevate privileges.

CVE-2026-32224 is a use-after-free vulnerability in the Windows Server Update Service that allows a locally authenticated attacker to elevate privileges.

CVE-2026-32219 is a double free vulnerability in the Microsoft Brokering File System, allowing an authorized attacker to escalate privileges locally on a vulnerable Windows system.

CVE-2026-32165 is a use-after-free vulnerability in Windows User Interface Core that allows a locally authenticated attacker to elevate privileges.

CVE-2026-32162 allows an unauthorized attacker to achieve local privilege escalation in Windows COM by exploiting the acceptance of extraneous untrusted data with trusted data.

CVE-2026-32159 is a race condition vulnerability in Windows Push Notifications, allowing a local attacker with low privileges to elevate privileges by exploiting concurrent execution using a shared resource with improper synchronization.

CVE-2026-32091 is a race condition vulnerability in the Microsoft Brokering File System, allowing an unauthenticated local attacker to escalate privileges.

CVE-2026-32087 is a heap-based buffer overflow vulnerability in the Function Discovery Service (fdwsd.dll) that allows an authorized local attacker to elevate privileges on a Windows system.

A use-after-free vulnerability, CVE-2026-32070, exists in the Windows Common Log File System (CLFS) driver, enabling a locally authenticated attacker to escalate privileges on a vulnerable system.

CVE-2026-27920 is a local privilege escalation vulnerability in the Windows Universal Plug and Play (UPnP) Device Host due to an untrusted pointer dereference.

CVE-2026-27918 is a race condition vulnerability in Windows Shell, allowing a local attacker to elevate privileges due to improper synchronization when accessing shared resources.

CVE-2026-26184 is a buffer over-read vulnerability in the Windows Projected File System (ProjFS) that allows a local attacker to elevate privileges.

CVE-2026-26178 is an integer size truncation vulnerability in the Windows Advanced Rasterization Platform (WARP) that allows an unauthorized attacker to elevate privileges locally.

CVE-2026-26176 is a heap-based buffer overflow vulnerability in the Windows Client Side Caching driver (csc.sys), which allows an authorized attacker to elevate privileges locally.

CVE-2026-26159 allows a local attacker to escalate privileges on Windows systems due to a missing authentication check in the Remote Desktop Licensing Service (RDLS).

Easy Video to iPod Converter 1.6.20 is vulnerable to a local buffer overflow in the user registration field, allowing a local attacker to overwrite the structured exception handler (SEH) by providing a crafted payload exceeding 996 bytes in the username field, potentially leading to arbitrary code execution with user privileges.

RGui 3.5.0 contains a local buffer overflow vulnerability in the GUI preferences dialog that allows attackers to bypass DEP protections through structured exception handling exploitation, leading to arbitrary code execution.

Podman Desktop versions prior to 1.26.2 expose an unauthenticated HTTP server, allowing remote attackers to trigger denial-of-service conditions by exhausting resources and extract sensitive information through verbose error responses.

CVE-2025-14821 in libssh allows local man-in-the-middle attacks, SSH downgrade attacks, and trusted host manipulation due to insecure default configuration loading from a world-writable directory on Windows.

CVE-2025-65115 is a remote code execution vulnerability affecting multiple versions of JP1/IT Desktop Management and related products on Windows, potentially allowing attackers to execute arbitrary code on vulnerable systems.

Detects the execution of headless browsers from suspicious parent processes with arguments indicative of scripted retrieval, bypassing application control policies and restrictions on direct download tools.

River Past Video Cleaner 7.6.3 contains a structured exception handler buffer overflow vulnerability allowing local attackers to execute arbitrary code by providing a malicious string in the Lame_enc.dll field.

R i386 version 3.5.0 is susceptible to a local buffer overflow in the GUI Preferences dialog, allowing a local attacker to overwrite the structured exception handler (SEH) by supplying a malicious string to the 'Language for menus and messages' field, leading to arbitrary code execution.

AIRBUS PSS TETRA Connectivity Server version 7.0 on Windows Server is vulnerable to incorrect default permissions, allowing local privilege escalation to SYSTEM by placing a malicious file in a specific directory.

A use-after-free vulnerability exists in the `powerMonitor` module of Electron applications on Windows and macOS. When the native `PowerMonitor` object is garbage-collected, dangling references are retained by OS-level resources. Subsequent session-change events on Windows or system shutdowns on macOS may dereference freed memory, potentially leading to a crash or memory corruption.

The DeepLoad malware steals credentials, installs malicious browser extensions, spreads via USB drives, and is being distributed via ClickFix campaigns using PowerShell loaders.

Qilin ransomware employs a malicious msimg32.dll in a multi-stage infection chain to disable endpoint detection and response (EDR) solutions by evading detection and terminating EDR processes.

HCL BigFix Platform is vulnerable to insecure permissions on private cryptographic keys, where keys on a Windows host may have overly permissive file system permissions, potentially leading to unauthorized access and privilege escalation.

Lakeside SysTrack Agent 11 before 11.2.1.28 is vulnerable to a race condition that allows for local privilege escalation to SYSTEM, as tracked by CVE-2026-35099.

Multiple vulnerabilities in 7-Zip allow an attacker to execute arbitrary program code with the privileges of the service, potentially leading to system compromise.

A vulnerability exists in vcpkg versions prior to 3.6.1#3, where Windows builds of OpenSSL set openssldir to a path on the build machine, making that path vulnerable to attack on customer machines.

CVE-2026-3991 is an elevation of privilege vulnerability in Symantec Data Loss Prevention (DLP) Windows Endpoint that could allow a local attacker to gain elevated access to resources.

X-NetStat Pro 5.63 contains a local buffer overflow vulnerability (CVE-2019-25637) allowing local attackers to execute arbitrary code by overwriting the EIP register.

AIDA64 Business 5.99.4900 is vulnerable to a local Structured Exception Handling (SEH) buffer overflow (CVE-2019-25631) allowing attackers to execute arbitrary code by overwriting SEH pointers with malicious shellcode.

FlexHEX 2.71 is vulnerable to a local buffer overflow in the Stream Name field, allowing local attackers to execute arbitrary code via a structured exception handler (SEH) overflow.

A shellcode loader dubbed 'Lucky Pasta' employs JIT decryption, string obfuscation, dynamic library loading, fiber-based execution, and AES instruction patching to evade AV detection, retrieving shellcode via HTTP/HTTPS and executing it on Windows systems.

JetAudio jetCast Server 2.0 is vulnerable to a stack-based buffer overflow in the Log Directory configuration, enabling local attackers to overwrite structured exception handling pointers and execute arbitrary code.

Detection of DNS queries to known remote monitoring and management (RMM) domains originating from non-browser processes on Windows systems indicates potential abuse of legitimate software for command and control.

Lavavo CD Ripper 4.20 is vulnerable to a structured exception handling (SEH) buffer overflow, allowing local attackers to execute arbitrary code by supplying a malicious string in the License Activation Name field leading to arbitrary code execution and a bind shell.

Admin Express 1.2.5.485 is susceptible to a local structured exception handling buffer overflow vulnerability, enabling local attackers to execute arbitrary code via a crafted payload in the Folder Path field of the System Compare feature.

RegPwnBOF exploits a registry symlink race condition in the Windows Accessibility ATConfig mechanism, enabling a normal user to write arbitrary values to protected HKLM registry keys for persistence and privilege escalation.

A trojanized EmEditor installer was distributed through a trusted source, delivering an infostealer, highlighting how attackers exploit legitimate software distribution channels to bypass user trust and security controls.

A phishing technique, potentially still viable due to incomplete patching, allows attackers to obtain NetNTLM hashes from archive extraction on Windows systems (CVE-2025-59284).

This brief covers offensive techniques to bypass Credential Guard, a Windows security feature designed to protect credentials, and provides detection strategies for these bypass attempts.

The StealthyWMIExec.py script facilitates lateral movement via WMI, potentially evading standard detection mechanisms by employing stealthy techniques.