Trend Micro

Multiple vulnerabilities in Trend Micro Apex One could allow an attacker to execute arbitrary code and escalate privileges on affected systems.

Trend Micro released a security advisory addressing vulnerabilities in Apex One (on-premise), Apex One as a service, and Trend Vision One Endpoint, prompting users to apply necessary updates to mitigate potential risks.

Multiple vulnerabilities exist in Trend Micro products, including TrendAI Apex One, potentially allowing authenticated attackers to tamper with files, distribute malicious code, or escalate privileges; CVE-2026-34926 is being actively exploited.

The EvilTokens phishing-as-a-service (PhaaS) platform sold on Telegram is capable of launching device code phishing attacks at scale, leveraging AI to generate convincing and personalized lures, enabling aspiring cybercriminals to bypass traditional security measures, including MFA.

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.

Attackers may disable PowerShell Script Block Logging by modifying the registry to conceal their activities on the host and evade detection by setting the `EnableScriptBlockLogging` registry value to 0, impacting security monitoring and incident response capabilities.

This detection identifies the deletion of backup files by processes outside of the backup suite, specifically targeting Veritas and Veeam backups, which may indicate an attempt to prevent recovery from ransomware.

Detection of unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.

Attackers modify the Windows Filtering Platform (WFP) policy to block the communication of endpoint detection and response (EDR) processes, impairing their functionality and hindering detection of malicious activities.

Adversaries may disable or tamper with Microsoft Defender features via registry modifications to evade detection and conceal malicious behavior on Windows systems.

Attackers can modify the Windows registry via AppLocker to block the execution of security software, potentially disabling defenses and allowing further malicious activities.

Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.