Vendor

SolarWinds

4 briefs RSS

Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Detects suspicious behavior related to SolarWinds Web Help Desk, specifically the loading of untrusted native modules (DLLs) or the spawning of suspicious child processes (cmd, PowerShell, rundll32) by the Java process, potentially indicating exploitation of deserialization vulnerabilities CVE-2025-40536 and CVE-2025-40551.

Web Help Desk solarwinds webhelpdesk deserialization cve-2025-40536 cve-2025-40551 remote code execution initial access

2r 1t 2c May 12, 2026

low advisory

Account Discovery Command via SYSTEM Account

3 rules 3 TTPs

The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.

Elastic Defend +5 discovery privilege-escalation windows

3r 3t Jan 9, 2024

medium advisory

Suspicious SolarWinds Child Process Execution

2 rules 2 TTPs

Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.

Elastic Defend +3 supply-chain execution solarwinds

2r 2t Jan 3, 2024

medium advisory

SolarWinds Process Disabling Services via Registry Modification

2 rules 3 TTPs

A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.

Microsoft Defender XDR +1 solarwinds defense-evasion registry-modification supply-chain

2r 3t Jan 3, 2024