Content Release Notes
2025.02.10
Summary of Changes
Totals: 90 added / 329 modified
Intelligence: 16 added / 0 modified
Detections: 59 added / 287 modified
Threats: 8 added / 0 modified
Attack Scripts: 7 added / 41 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- Possible Sysinternals DLL Side Loading
- Sysinternals DLL Side Loading
- CVE-2025-21293 Privilege Escalation
- Performance Monitor Added
- Suspicious WMI DLL Load
- CVE-2025-21293 - Active Directory Domain Services Elevation of Privilege
- Metasploit Weekly Wrap-Up 01/31/25
- Poshito Telegram C2
- DiscordGO - Discord C2
- RatChatPT Agent
- Non-Browser Communication with OpenAI API
- RatChatPT
- CVE-2025-0411 - 7zip MOTW Bypass (Explorer)
- Binary Executed within 7zip
- CVE-2025-0411 - 7zip MOTW Bypass
- Metasploit Weekly Wrap-Up 01/24/2025
- Ivanti Remote Command Execution
- Possible PoshC2 FComm File
- PoshC2 Service Creation
- PoshC2 Activity
- PoshC2 - Elevation to System and Hashdump
SnapAttack Community
- Crazy Evil Gang Targets Crypto with StealC, AMOS, and Angel Drainer Malware
- BeyondTrust Zero-Day Breach Exposes 17 SaaS Customers via Compromised API Key
- Meta Confirms Zero-Click WhatsApp Spyware Attack Targeting 90 Journalists, Activists
- Malvertising Scam Uses Fake Google Ads to Hijack Microsoft Advertising Accounts
- TeamViewer Patches High-Severity Vulnerability in Windows Applications
- Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits
- New Aquabotv3 botnet malware targets Mitel command injection flaw
- Laravel admin package Voyager vulnerable to one-click RCE flaw
- Mirai Variant ‘Aquabot’ Exploits Mitel Device Flaws
- Hackers exploit critical unpatched flaw in Zyxel CPE devices
- Critical Cacti Security Flaw (CVE-2025-22604) Enables Remote Code Execution
- Hackers exploiting flaws in SimpleHelp RMM to breach networks
- MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks
- Cisco: Critical Meeting Management Bug Requires Urgent Patch
Atomic Red Team
- Copy Safari BinaryCookies files using AppleScript
- Copy Apple Notes database files using AppleScript
- Copy Keychain using cat utility
- Detect Virtualization Environment using sysctl (hw.model)
- Detect Virtualization Environment using system_profiler
- Check if System Integrity Protection is enabled
Microsoft Sentinel
Sigma Community Rules
Splunk
- O365 SharePoint Suspicious Search Behavior
- O365 Multiple OS Vendors Authenticating From User
- Windows System Remote Discovery With Query
- Windows Sensitive Group Discovery With Net
- Windows Office Product Spawned Child Process For Download
- Windows Office Product Spawned Rundll32 With No DLL
- Windows Office Product Dropped Cab or Inf File
- Windows User Disabled Via Net
- Windows Office Product Spawned MSDT
- Windows Password Policy Discovery with Net
- Windows Registry Entries Restored Via Reg
- Windows Set Account Password Policy To Unlimited Via Net
- Windows Network Connection Discovery Via Net
- Windows File and Directory Permissions Enable Inheritance
- Windows Excessive Service Stop Attempt
- Windows Cmdline Tool Execution From Non-Shell Process
- Windows Remote Management Execute Shell
- Windows Suspicious Child Process Spawned From WebServer
- Windows Office Product Spawned Uncommon Process
- Windows User Deletion Via Net
- Windows Registry Entries Exported Via Reg
- Windows List ENV Variables Via SET Command From Uncommon Parent
- Windows Office Product Dropped Uncommon File
- Windows Attempt To Stop Security Service
- Windows File and Directory Enable ReadOnly Permissions
- Windows New Default File Association Value Set
- Windows Account Access Removal via Logoff Exec
- Windows Sensitive Registry Hive Dump Via CommandLine
- Windows Service Stop Attempt
- Windows File and Directory Permissions Remove Inheritance
- Windows Create Local Administrator Account Via Net
- Windows Excessive Usage Of Net App
- Potential System Network Configuration Discovery Activity
- Windows Office Product Spawned Control
- Windows Group Discovery Via Net
- Windows Network Share Interaction Via Net
- Windows HTTP Network Communication From MSIExec
- Windows User Discovery Via Net
- Windows Office Product Loaded MSHTML Module
- Windows DNS Query Request by Telegram Bot API
- Windows Obfuscated Files or Information via RAR SFX
- Windows Office Product Loading VBE7 DLL
- Windows Office Product Loading Taskschd DLL
- Linux Auditd Private Keys and Certificate Enumeration
- Windows Powershell Logoff User via Quser
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
- WinPwn - UAC Bypass DiskCleanup technique
- WinPwn - itm4nprivesc
- WinPwn - winPEAS
- WinPwn - GPOAudit
- WinPwn - RBCD-Check
- WinPwn - Kill the event log services for stealth
- WinPwn - DomainPasswordSpray Attacks
- WinPwn - Dotnetsearch
- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
- Detect Virtualization Environment via ioreg
- WinPwn - Loot local Credentials - lazagne
- WinPwn - Loot local Credentials - Wifi Credentials
- WinPwn - MS17-10
- WinPwn - SessionGopher
- WinPwn - GeneralRecon
- WinPwn - passhunt
- WinPwn - UAC Magic
- WinPwn - powershellsensitive
- WinPwn - generaldomaininfo
- WinPwn - GPORemoteAccessPolicy
- WinPwn - Loot local Credentials - powerhell kittie
- WinPwn - DotNet
- WinPwn - Powersploits privesc checks
- WinPwn - Kerberoasting
- WinPwn - Morerecon
- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
- WinPwn - shareenumeration
- WinPwn - printercheck
- WinPwn - sensitivefiles
- WinPwn - General privesc checks
- WinPwn - powerSQL
- WinPwn - Snaffler
- WinPwn - Loot local Credentials - Safetykatz
- WinPwn - UAC Bypass ccmstp technique
- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
- WinPwn - bluekeep
- WinPwn - BrowserPwn
- WinPwn - Loot local Credentials - mimi-kittenz
- WinPwn - spoolvulnscan
- WinPwn - Reflectively load Mimik@tz into memory
- WinPwn - fruit
Chronicle Detection Rules
LOLDrivers
- Malicious Driver Load By Name
- Vulnerable Driver Load Despite HVCI (sha1)
- Malicious Driver Load Despite HVCI (md5)
- Malicious Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load (md5)
- Vulnerable Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load (sha1)
- Vulnerable Driver Load By Name
- Malicious Driver Load (sha256)
- Vulnerable Driver Load Despite HVCI (md5)
- Malicious Driver Load Despite HVCI (sha1)
- Malicious Driver Load (sha1)
- Malicious Driver Load (md5)
- Vulnerable Driver Load (sha256)
Microsoft Sentinel
- Potential Password Spray Attack
- User Sign in from different countries
- Exchange workflow MailItemsAccessed operation anomaly
- Illumio Enforcement Change Analytic Rule
- Semperis DSP Zerologon vulnerability
- Semperis DSP Recent sIDHistory changes on AD objects
- Semperis DSP Mimikatz's DCShadow Alert
- Illumio VEN Offline Detection Rule
- Illumio VEN Clone Detection Rule
- Semperis DSP Operations Critical Notifications
- Semperis DSP Well-known privileged SIDs in sIDHistory
- Semperis DSP RBAC Changes
- Illumio VEN Deactivated Detection Rule
- Semperis DSP Failed Logons
- Illumio VEN Suspend Detection Rule
- Illumio Firewall Tampering Analytic Rule
- Semperis DSP Kerberos krbtgt account with old password
- NetClean ProActive Incidents
- Azure Storage File Create and Delete
- User agent search for log4j exploitation attempt
Sigma Community Rules
- Kernel Memory Dump Via LiveKD
- Sysmon Driver Altitude Change
- Kubernetes Events Deleted
- Windows Defender Service Disabled - Registry
- OpenCanary - NTP Monlist Request
- OpenCanary - MySQL Login Attempt
- Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
- Potential KamiKakaBot Activity - Winlogon Shell Persistence
- Network Connection Initiated By PowerShell Process
- CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
- Container With A hostPath Mount Created
- OpenCanary - MSSQL Login Attempt Via SQLAuth
- OpenCanary - VNC Connection Attempt
- Renamed NirCmd.EXE Execution
- OpenCanary - GIT Clone Request
- Remote Access Tool - Team Viewer Session Started On Linux Host
- Potential KamiKakaBot Activity - Lure Document Execution
- New Kubernetes Service Account Created
- Suspicious Network Connection to IP Lookup Service APIs
- RBAC Permission Enumeration Attempt
- Dfsvc.EXE Network Connection To Non-Local IPs
- Privileged Container Deployed
- Add Port Monitor Persistence in Registry
- OpenCanary - HTTP GET Request
- EVTX Created In Uncommon Location
- OpenCanary - HTTP POST Login Attempt
- Potentially Suspicious CMD Shell Output Redirect
- OpenCanary - MSSQL Login Attempt Via Windows Authentication
- Displaying Hidden Files Feature Disabled
- OpenCanary - HTTPPROXY Login Attempt
- OpenCanary - REDIS Action Command Attempt
- Suspicious Response File Execution Via Odbcconf.EXE
- ServiceDll Hijack
- OpenCanary - SSH Login Attempt
- Remote Access Tool - Team Viewer Session Started On MacOS Host
- Potential Remote Command Execution In Pod Container
- Disable Windows Event Logging Via Registry
- OpenCanary - SIP Request
- Registry Persistence via Service in Safe Mode
- Rundll32 Execution With Uncommon DLL Extension
- MaxMpxCt Registry Value Changed
- Creation Of Pod In System Namespace
- Deployment Deleted From Kubernetes Cluster
- OpenCanary - SSH New Connection Attempt
- OpenCanary - TFTP Request
- Suspicious Command Patterns In Scheduled Task Creation
- Loaded Module Enumeration Via Tasklist.EXE
- OpenCanary - FTP Login Attempt
- Service Binary in User Controlled Folder
- Remote Access Tool - Team Viewer Session Started On Windows Host
- Kubernetes Secrets Enumeration
- OpenCanary - SNMP OID Request
- OpenCanary - Telnet Login Attempt
- Change Winevt Channel Access Permission Via Registry
- Register New IFiltre For Persistence
- OpenCanary - SMB File Open Request
- Potential Sidecar Injection Into Running Deployment
- New TimeProviders Registered With Uncommon DLL Name
- WCE wceaux.dll Access
- Potential CVE-2023-27997 Exploitation Indicators
- CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
- Kapeka Backdoor Configuration Persistence
- Potential Exploitation Attempt Of Undocumented WindowsServer RCE
- Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
- MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
- Potential CSharp Streamer RAT Loading .NET Executable Image
- Lummac Stealer Activity - Execution Of More.com And Vbc.exe
- Kapeka Backdoor Scheduled Task Creation
- Qakbot Uninstaller Execution
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- Kapeka Backdoor Persistence Activity
- Suspicious Computer Account Name Change CVE-2021-42287
- CVE-2023-46747 Exploitation Activity - Webserver
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
- CVE-2023-46747 Exploitation Activity - Proxy
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
- Renamed Powershell Under Powershell Channel
- ScreenConnect User Database Modification - Security
- Kapeka Backdoor Autorun Persistence
- CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- Forest Blizzard APT - JavaScript Constrained File Creation
- CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
- Suspicious Set Value of MSDT in Registry (CVE-2022-30190)
- Forest Blizzard APT - Process Creation Activity
- Potential APT FIN7 Exploitation Activity
- Forest Blizzard APT - File Creation Activity
- Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE
- Forest Blizzard APT - Custom Protocol Handler Creation
- File Creation Related To RAT Clients
- Potential Raspberry Robin CPL Execution Activity
- Potential OWASSRF Exploitation Attempt - Proxy
- Potential BlackByte Ransomware Activity
- DLL Names Used By SVR For GraphicalProton Backdoor
- Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
- Potential Raspberry Robin Registry Set Internet Settings ZoneMap
- CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
- ScreenConnect - SlashAndGrab Exploitation Indicators
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
- CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
- Failed Code Integrity Checks
- Kapeka Backdoor Loaded Via Rundll32.EXE
- Potential Kapeka Decrypted Backdoor Indicator
- CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- CVE-2024-50623 Exploitation Attempt - Cleo
- Potential Raspberry Robin Aclui Dll SideLoading
- CVE-2023-4966 Potential Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
- Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
- DarkGate - Drop DarkGate Loader In C:\Temp Directory
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
- ScreenConnect User Database Modification
- Kapeka Backdoor Execution Via RunDLL32.EXE
- OWASSRF Exploitation Attempt Using Public POC - Proxy
- ManageEngine Endpoint Central Dctask64.EXE Potential Abuse
- HackTool - Dumpert Process Dumper Execution
- Privileged User Has Been Created
- Renamed ZOHO Dctask64 Execution
Splunk
- System User Discovery With Query
- Windows Service Execution RemCom
- ASL AWS Network Access Control List Created with All Open Ports
- Windows Process With NetExec Command Line Parameters
- Windows Registry Dotnet ETW Disabled Via ENV Variable
- Windows New EventLog ChannelAccess Registry Value Set
- ASL AWS EC2 Snapshot Shared Externally
- ASL AWS Disable Bucket Versioning
- Windows New Deny Permission Set On Service SD Via Sc.EXE
- Windows Detect Network Scanner Behavior
- Windows SubInAcl Execution
- ASL AWS Detect Users creating keys with encrypt policy without MFA
- Microsoft Intune DeviceManagementConfigurationPolicies
- Microsoft Intune Device Health Scripts
- Windows New Service Security Descriptor Set Via Sc.EXE
- ASL AWS SAML Update identity provider
- Azure AD AzureHound UserAgent Detected
- ASL AWS UpdateLoginProfile
- ASL AWS Credential Access GetPasswordData
- ASL AWS IAM Assume Role Policy Brute Force
- ASL AWS Create Access Key
- ASL AWS Credential Access RDS Password reset
- Windows Impair Defenses Disable Auto Logger Session
- O365 Service Principal Privilege Escalation
- ASL AWS Create Policy Version to allow all resources
- Azure AD Service Principal Privilege Escalation
- Azure AD Service Principal Enumeration
- ASL AWS IAM AccessDenied Discovery Events
- Windows CertUtil Download With URL Argument
- Windows New Custom Security Descriptor Set On EventLog Channel
- Microsoft Intune Manual Device Management
- Microsoft Intune Mobile Apps
- ASL AWS Network Access Control List Deleted
- Windows ScManager Security Descriptor Tampering Via Sc.EXE
- ASL AWS Defense Evasion PutBucketLifecycle
- Suspicious Process File Path
- Detect New Open S3 Buckets over AWS CLI
- Detect S3 access from a new IP
- Creation of Shadow Copy with wmic and powershell
- Detect suspicious DNS TXT records using pretrained model in DSDL
- ASL AWS Defense Evasion Stop Logging Cloudtrail
- Detect Password Spray Attempts
- Nishang PowershellTCPOneLine
- Windows Impair Defense Add Xml Applocker Rules
- PingID Mismatch Auth Source and Verification Response
- Kubernetes Anomalous Outbound Network Activity from Process
- Wermgr Process Spawned CMD Or Powershell Process
- Batch File Write to System32
- PowerShell - Connect To Internet With Hidden Window
- Kubernetes newly seen UDP edge
- Remote Process Instantiation via WMI and PowerShell
- Detect Outbound SMB Traffic
- Exploit Public Facing Application via Apache Commons Text
- Common Ransomware Extensions
- Kubernetes Anomalous Inbound Network Activity from Process
- Windows Exchange Autodiscover SSRF Abuse
- Kubernetes Anomalous Traffic on Network Edge
- Any Powershell DownloadString
- Windows Powershell RemoteSigned File
- W3WP Spawning Shell
- ASL AWS Defense Evasion Update Cloudtrail
- Microsoft Defender Incident Alerts
- Detect hosts connecting to dynamic domain providers
- PowerShell Start-BitsTransfer
- Kubernetes Shell Running on Worker Node
- Malicious PowerShell Process With Obfuscation Techniques
- Email Attachments With Lots Of Spaces
- Kubernetes Process Running From New Path
- Kubernetes Shell Running on Worker Node with CPU Activity
- SMB Traffic Spike - MLTK
- Windows PaperCut NG Spawn Shell
- Windows System File on Disk
- Windows RunMRU Command Execution
- Shim Database Installation With Suspicious Parameters
- Disable Defender Submit Samples Consent Feature
- Create or delete windows shares using net exe
- Detect DGA domains using pretrained model in DSDL
- Microsoft Defender ATP Alerts
- Modify ACL permission To Files Or Folder
- Remote Process Instantiation via DCOM and PowerShell
- Any Powershell DownloadFile
- Malicious PowerShell Process - Encoded Command
- Kubernetes Previously Unseen Container Image Name
- Detect Excessive Account Lockouts From Endpoint
- Windows ESX Admins Group Creation via Net
- Kubernetes newly seen TCP edge
- Azure AD Authentication Failed During MFA Challenge
- Malicious PowerShell Process - Execution Policy Bypass
- Powershell Disable Security Monitoring
- Suspicious Email Attachment Extensions
- Kubernetes Previously Unseen Process
- DNS Query Length Outliers - MLTK
- Remote Process Instantiation via WinRM and PowerShell
- Detection of tools built by NirSoft
- Windows Raw Access To Master Boot Record Drive
- Windows Drivers Loaded by Signature
- Windows Process Injection With Public Source Path
- Windows Raw Access To Disk Volume Partition
- Linux Auditd Sudo Or Su Execution
- Linux Auditd Clipboard Data Copy
- Linux Auditd Preload Hijack Library Calls
- Linux Auditd Find Ssh Private Keys
- Linux Auditd Virtual Disk File And Directory Discovery
- Linux Auditd File And Directory Discovery
- Linux Auditd Hardware Addition Swapoff
- Linux Auditd Kernel Module Enumeration
- Linux Auditd Hidden Files And Directories Creation
- Linux Auditd Stop Services
- Linux Auditd Find Credentials From Password Stores
- Linux Auditd Database File And Directory Discovery
- Linux Auditd Unload Module Via Modprobe
- Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
- Linux Auditd Data Destruction Command
- Linux Auditd Data Transfer Size Limits Via Split
- Linux Auditd Find Credentials From Password Managers
- Linux Auditd File Permission Modification Via Chmod
- Linux Auditd Setuid Using Setcap Utility
- Linux Auditd Install Kernel Module Using Modprobe Utility
- Linux Auditd File Permissions Modification Via Chattr
- Linux Auditd Insert Kernel Module Using Insmod Utility
- Linux Auditd Change File Owner To Root
- Powershell Processing Stream Of Data
- PowerShell Loading DotNET into Memory via Reflection
- Powershell Remove Windows Defender Directory
- Windows Domain Admin Impersonation Indicator
- Get DomainPolicy with Powershell Script Block
- Kerberos Pre-Authentication Flag Disabled in UserAccountControl
- Windows PowerSploit GPP Discovery
- PowerShell Start or Stop Service
- Windows File Share Discovery With Powerview
- Detect Mimikatz With PowerShell Script Block Logging
- Detect Empire with PowerShell Script Block Logging
2025.01.27
Summary of Changes
Totals: 110 added / 36 modified
Intelligence: 72 added / 0 modified
Detections: 28 added / 34 modified
Threats: 4 added / 0 modified
Attack Scripts: 6 added / 1 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- SonicWall Learns From Microsoft About Potentially Exploited Zero-Day
- Major Cybersecurity Vendors' Credentials Found on Dark Web
- Conduent confirms cybersecurity incident behind recent outage
- China Hackers Compromised VPN Service Provider in Supply-Chain Attack
- Possible SCCM Exploitation
- PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers
- Several Swiss municipalities and banks hit by cyberattack
- Belsen Group Leaks 15,000+ FortiGate Firewall Configurations
- CVE-2024-43468 - SCCM Unauthenticated SQL injection
- Russian Disinformation Targets German Election Campaign, Says Think-Tank
- DoNot Team Linked to New Tanzeem Android Malware Targeting Intelligence Collection
- HPE’s sensitive data exposed in alleged IntelBroker hack
- CVE-2024-49138 - Common Log File System Driver Elevation of Privilege
- Treasury sanctions North Korea over remote IT worker schemes
- GDPR complaints filed against TikTok, Temu for sending user data to China
- Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer
- Pumakit – A Sophisticated Linux Rootkit Attack Critical Infrastructure
- Russian Cyberspies Caught Spear-Phishing with QR Codes, WhatsApp Groups
- Metasploit Wrap-Up 01/17/2025
- Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99
- Label giant Avery says website hacked to steal credit cards
- Fortinet firewalls hit with new zero-day attack, older data leak
- US, Japan, South Korea Warn of Rising North Korean Crypto Hacking Threats
- Microsoft Patches Trio of Exploited Windows Hyper-V Zero-Days
- DOJ confirms FBI operation that mass-deleted Chinese malware from thousands of US computers
- Ransomware abuses Amazon AWS feature to encrypt S3 buckets
- Patch Tuesday - January 2025
- A new campaign is likely targeting a zero
- New Ransomware Group Uses AI to Develop Nefarious Tools
- Ako Ransomware Abusing Windows API Calls To Detect Infected System Locations
- Mock Trust Discovery UAC Bypass
- Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners
- Fancy Bear spotted using real Kazak government documents in spearpishing campaign
- Mock Trusted Directory UAC Bypass via MMC
- Possible Mock Trusted Directory UAC Bypass (File Event)
- Mock Trusted Directories UAC Bypass
- Pro-Russian disinformation makes its Bluesky debut
- Russia Carves Out Commercial Surveillance Success
- Banshee macOS Malware Expands Targeting
- Phishing texts trick Apple iMessage users into disabling protection
- EarlyCascade Process Injection
- EarlyCascade Process Injection
- RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns
- PowerSchool Reportedly Pays Ransom to Prevent Student Data Leak
- GFI KerioControl Firewall Vulnerability Exploited in the Wild
- Russian bots boosted NATO critic ahead of Croatian election, researchers say
- Quant trader accused of stealing code
SnapAttack Community
- Hackers use Windows RID hijacking to create hidden admin account
- QNAP fixes six Rsync vulnerabilities in NAS backup, recovery app
- CISA: Ivanti Vulns Chained Together in Cyberattack Onslaught
- CISA: Hackers still exploiting older Ivanti bugs to breach networks
- SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks
- Stealthy 'Magic Packet' malware targets Juniper VPN gateways
- Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits
- Black 'Magic' Targets Enterprise Juniper Routers With Backdoor
- Telegram captcha tricks you into running malicious PowerShell scripts
- 7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now
- CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits
- Unsecured Tunneling Protocols Expose 4.2 Million Hosts, Including VPNs and Routers
- Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation
- Vulnerabilities in SimpleHelp Remote Access Software May Lead to System Compromise
- New UEFI Secure Boot flaw exposes systems to bootkits, patch now
- Millions of Internet Hosts Vulnerable to Attacks Due to Tunneling Protocol Flaws
- Hackers leak configs and VPN credentials for 15,000 FortiGate devices
- MikroTik botnet uses misconfigured SPF DNS records to spread malware
- Over 660,000 Rsync servers exposed to code execution attacks
- CISA: Second BeyondTrust Vulnerability Added to KEV Catalog
- Google Cloud Researchers Uncover Flaws in Rsync File Synchronization Tool
- Fortinet Confirms New Zero-Day Exploitation
- 3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update
- Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE Attacks
- Microsoft Rings in 2025 With Record Security Update
- Adobe: Critical Code Execution Flaws in Photoshop
- Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit Installation
- Hackers use FastHTTP in new high-speed Microsoft 365 password attacks
- Fortinet warns of auth bypass zero-day exploited to hijack firewalls
- Russian-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware
- CISA Adds Second BeyondTrust Flaw to KEV Catalog Amid Active Attacks
- Cloud Attackers Exploit Max-Critical Aviatrix RCE Flaw
- Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners
- Threat Actors Exploit a Critical Ivanti RCE Bug, Again
Atomic Red Team
- Steal Chrome v127+ cookies via Remote Debugging (Windows)
- Discover System Language with WMIC
- Web Server Wordlist Scan
- Discover System Language with Powershell
Microsoft Sentinel
Sigma Community Rules
Splunk
- ASL AWS Credential Access GetPasswordData
- Microsoft Intune Mobile Apps
- ASL AWS Create Policy Version to allow all resources
- ASL AWS EC2 Snapshot Shared Externally
- Azure AD Service Principal Enumeration
- ASL AWS Network Access Control List Created with All Open Ports
- ASL AWS Defense Evasion PutBucketLifecycle
- ASL AWS Disable Bucket Versioning
- Microsoft Intune DeviceManagementConfigurationPolicies
- Azure AD Service Principal Privilege Escalation
- O365 Service Principal Privilege Escalation
- ASL AWS Credential Access RDS Password reset
- Microsoft Intune Manual Device Management
- ASL AWS Create Access Key
- Microsoft Intune Device Health Scripts
- ASL AWS UpdateLoginProfile
- ASL AWS IAM AccessDenied Discovery Events
- ASL AWS IAM Assume Role Policy Brute Force
- Azure AD AzureHound UserAgent Detected
- ASL AWS SAML Update identity provider
- ASL AWS Network Access Control List Deleted
- ASL AWS Detect Users creating keys with encrypt policy without MFA
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Atomic Red Team
LOLDrivers
- Vulnerable Driver Load By Name
- Vulnerable Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load (sha256)
- Malicious Driver Load (sha256)
- Malicious Driver Load Despite HVCI (md5)
- Vulnerable Driver Load (md5)
- Vulnerable Driver Load (sha1)
- Vulnerable Driver Load Despite HVCI (md5)
- Malicious Driver Load (sha1)
- Malicious Driver Load By Name
- Malicious Driver Load Despite HVCI (sha256)
- Vulnerable Driver Load Despite HVCI (sha1)
- Malicious Driver Load Despite HVCI (sha1)
- Malicious Driver Load (md5)
Microsoft Sentinel
- Sentinel One - Agent uninstalled from multiple hosts
- Execution of software vulnerable to webp buffer overflow of CVE-2023-4863
Sigma Community Rules
- Exploit Framework User Agent
- Potentially Suspicious Volume Shadow Copy Vsstrace.dll Load
- Shell Execution via Rsync - Linux
- Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
Splunk
- ASL AWS Concurrent Sessions From Different Ips
- ASL AWS Defense Evasion Update Cloudtrail
- ASL AWS IAM Delete Policy
- ASL AWS IAM Failure Group Deletion
- ASL AWS Defense Evasion Stop Logging Cloudtrail
- ASL AWS Defense Evasion Delete CloudWatch Log Group
- ASL AWS Multi-Factor Authentication Disabled
- ASL AWS Defense Evasion Impair Security Services
- ASL AWS Defense Evasion Delete Cloudtrail
- ASL AWS ECR Container Upload Outside Business Hours
- ASL AWS IAM Successful Group Deletion
- ASL AWS New MFA Method Registered For User
- ASL AWS ECR Container Upload Unknown User
2025.01.13
Summary of Changes
Totals: 107 added / 2245 modified
Intelligence: 86 added / 0 modified
Detections: 15 added / 2244 modified
Threats: 3 added / 0 modified
Attack Scripts: 3 added / 0 modified
Collections: 0 added / 1 modified
Content Added
SnapAttack Subscribers (subscribers only)
- LDAPNightmare Denial of Service
- Russian ISP confirms Ukrainian hackers "destroyed" its network
- Gravy Analytics Hacked – Attackers Allegedly Claiming 17TB Data Stolen
- Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product
- Possible LDAP Nightmare Request
- Possible LDAPNightmare DsrGetDcNameEx2
- LDAPNightmare - CVE-2024-49113
- Japan authorities raise alarm over China-linked cyberattacks
- Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks
- UN aviation agency confirms recruitment database security breach
- CISA warns of critical Oracle, Mitel flaws exploited in attacks
- CVE-2025-0282: Ivanti Connect Secure zero-day exploited in the wild
- Chinese hackers also breached Charter and Windstream networks
- EagerBee Backdoor Takes Flight Against Mideast Targets
- Taiwan investigating Chinese vessel over damage to undersea cable
- Cybercriminals Target Ethereum Developers with Fake Hardhat npm Packages
- PLAYFULGHOST Delivered via Phishing and SEO Poisoning in Trojanized VPN Apps
- New HIPAA Security Rules Pull No Punches
- U.S. sanctions take aim at Chinese company said to aid hackers’ massive botnet
- Atos mostly denies Space Bears' ransomware claims
- How fake news campaigns could push Syria back to civil war – DW – 01
- Block Defender with DNS NRPT
- Possible DNS Redirection
- US Arrests Army Soldier Over AT&T, Verizon Hacking
- Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT
- NTT Docomo: Japan's largest mobile carrier reports system glitch due to cyberattack, ET Telecom
- Block Defender with Name Resolution Policy Table (NRPT)
- Chinese hackers access U.S. Treasury Department workstations, obtain unclassified documents
- US sanctions Russian group over AI-generated election disinformation
- LDAPNightmare: SafeBreach Labs Publishes First Proof-of-Concept Exploit for CVE-2024-49112
- New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites
- WDAC Policy Created
- Malicious WDAC Policy Upload
- Suspicious BeyondTrust Child Process
- Fake Zoom Meeting Links Lead to Million-Dollar Cryptocurrency Heist
- AT&T and Verizon Declare Networks Secure After Salt Typhoon Attacks
- Customer data from 800,000 electric cars and owners exposed online
- Hackers Hijacked 16 Chrome Extensions to Inject Malicious Code
- Cyber Attack on Italy's Foreign Ministry, Airports Claimed by Pro-Russian Hacker Group
- Palo Alto Networks Patches Firewall Zero-Day Exploited for DoS Attacks
- CRONTRAP QEMU Linux VM Backdoor
SnapAttack Community
- Banshee macOS Malware Expands Targeting
- Banshee 2.0 Malware Steals Apple's Encryption to Hide on Macs
- Banshee stealer evades detection using Apple XProtect encryption algo
- Major Vulnerabilities Patched in SonicWall, Palo Alto Expedition, and Aviatrix Controllers
- US Treasury hack linked to Silk Typhoon Chinese state hackers
- GFI KerioControl Firewall Vulnerability Exploited in the Wild
- SonicWall Patches Authentication Bypass Vulnerabilities in Firewalls
- Palo Alto Networks Patches High-Severity Vulnerability in Retired Migration Tool
- Exploitation of New Ivanti VPN Zero-Day Linked to Chinese Cyberspies
- Ivanti warns of new Connect Secure flaw used in zero-day attacks
- Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Product
- SonicWall urges admins to patch exploitable SSLVPN bug immediately
- Hackers exploit KerioControl firewall flaw to steal admin CSRF tokens
- Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques
- CISA Warns of Mitel MiCollab Vulnerabilities Exploited in Attacks
- Chrome 131, Firefox 134 Updates Patch High-Severity Vulnerabilities
- Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks
- CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation
- New Mirai botnet targets industrial routers with zero-day exploits
- CISA warns of critical Oracle, Mitel flaws exploited in attacks
- Dell, HPE, MediaTek Patch Vulnerabilities in Their Products
- New EAGERBEE Variant Targets ISPs and Governments with Advanced Backdoor Capabilities
- EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets
- Chinese hackers also breached Charter and Windstream networks
- Eagerbee backdoor deployed against Middle Eastern govt orgs, ISPs
- Wallet Drainer Malware Used to Steal $500 Million in Cryptocurrency in 2024
- Code Execution Flaw Found in Nuclei Vulnerability Scanner
- Nuclei flaw bypasses template signature checks to execute code
- Thousands of Buggy BeyondTrust Systems Remain Exposed
- FireScam Android Malware Packs Infostealer, Spyware Capabilities
- Exploit Code Published for Potentially Dangerous Windows LDAP Vulnerability
- LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers
- Unpatched Active Directory Flaw Can Crash Any Microsoft Server
- New DoubleClickjacking attack exploits double-clicks to hijack accounts
- Chinese Hackers Accessed US Treasury Workstations in ‘Major’ Cybersecurity Incident
- US Treasury Department breached through remote support platform
- Hackers exploit Four-Faith router flaw to open reverse shells
- Microsoft issues urgent dev warning to update .NET installer link
- Palo Alto Networks Patches Firewall Zero-Day Exploited for DoS Attacks
- Four-Faith Industrial Router Vulnerability Exploited in Attacks
- Several Chrome Extensions Compromised in Supply Chain Attack
- 15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials
- Hackers exploit DoS flaw to disable Palo Alto Networks firewalls
- Cloud Atlas Deploys VBCloud Malware: Over 80% of Targets Found in Russia
- Apache warns of critical flaws in MINA, HugeGraph, Traffic Control
- New 'OtterCookie' malware used to backdoor devs in fake job offers
- Cl0p Ransomware Group to Name Over 60 Victims of Cleo Attack
- Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware
- New botnet exploits vulnerabilities in NVRs, TP-Link routers
- Researchers Uncover PyPI Packages Stealing Keystrokes and Hijacking Social Accounts
- Adobe Patches ColdFusion Flaw at High Risk of Exploitation
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks
- Adobe warns of critical ColdFusion bug with PoC exploit code
- Sophos Patches Critical Firewall Vulnerabilities
- Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service
- How to Protect Your Environment from the NTLM Vulnerability
Atomic Red Team
Microsoft Sentinel
- Knox Application Privilege Escalation or Change
- Knox Peripheral Access Detection with Mic
- Knox Peripheral Access Detection with Camera
- Knox Password Lockout
- Knox Security Log Full
- Knox Suspicious URL Accessed Events
Sigma Community Rules
Splunk
Content Updated
SnapAttack Subscribers (subscribers only)
SnapAttack Community
Chronicle Detection Rules
- Scarab Ransomware Part 1
- Citrix Netscaler Attack Cve201919781
- Possible Shim Database Persistence Via Sdbinstexe
- Apt28 Zekapabzebrocycannon Implant Sysmonfirewallproxy Part2
- Mshta Spwaned By Svchost As Seen In Lethalhta Sysmon
- Lokibot Trojan Behavior Sysmon
- Detect Crackmapexec Mimikatz Module Footprint On A Victim Machine
- Data Exfiltration Attempt Via Bitsadmin
- Cve20201350 Sigred Windows Dns Dos Exploit Nslookup Cli
- Backdoor Detection On Sql Servers
- New Run Key Pointing To Suspicious Folder
- Strike Network Inventory Explorer Unquoted Service Path
- Draytek Preauth Remote Root Rce
- Mustangpanda Covid19 Campaing
- Fireeye Red Team Tool Adpasshunt Via Cmdline
- Remote Execution Via Sql Extended Stored Procedure Xp Cmdshell
- Data Seondbin Ransomware Detector Sysmon Behavior
- Emotet Process Creation
- Admin User Rdp
- Wmi Event Subscription
- Usage Of Sysinternals Tools
- Lojack Doubleagent Communication
- The Gocgle Malicious Campaign
- Suspicious Powershell Parameter Substring
- A Webshell Ensiko With Ransomware Capabilities
- Dridex Process Pattern
- Suspicious Msiexec Directory
- Psexec Process Has Terminated
- Avg Antivirus Avast Antivirus Dll Search Order Hijacking And Potential Abuses
- Suspicious Rundll32 Activity
- Microsoft Office Product Spawning Windows Shell
- Suspicious Powershell Invocation Based On Parent Process
- Psexe Renamed Sysinternals Tool
- Possible System Owneruser Discovery Sysmonwindows Logs
- Yispecter Malware Detection
- Quarkspwdump Dump File
- Amadey Botnet Detection Ta505
- Webshell Detection With Sysmon Logs
- Password Stealer Pwdfetcher Detector Sysmon
- Winrm Configuration Detector
- Monero Mining Detector
- Adwind Rat Jrat Part 1
- Malicious Base64 Encoded Powershell Keywords In Command Lines
- Wmi Persistence Command Line Event Consumer
- Ad Privileged Users Or Groups Reconnaissance
- Execution In Outlook Temp Folder
- Crypto Miner User Agent
- Zombieboy Cryptomining Worm Sysmon
- Using Rasman Remote Access Connection Manager Windows Service To Register Dll
- Suspicious Rdp Redirect Using Tscon
- Anomalous Invocation Of Cmdexe
- Account Tampering Suspicious Failed Logon Reasons
- Vulnerable Netlogon Secure Channel Connection Allowed
- Scanner Poc For Cve20190708 Rdp Rce Vuln
- Combination Of Wevtutil And Fsutil To Avoid Forensics Analysis
- Darkgate Cryptocurrency Mining And Ransomware Campaign Sysmon
- Logon Scripts Userinitmprlogonscript
- Abusing Windows Telemetry Compattelrunnerexeaudit Rule
- Process Dump Via Comsvcs Dll
- Suspicious Certutil Command
- Klist Purge
- Snatch Ransomware Sysmon Behaviour
- Wannacry Ransomware
- Flash Player Update From Suspicious Location
- Detecting Phishing Domains Proxy
- Netntlm Downgrade Attack Part 1
- Trickbot Behaviour Privilege Escalation Attack
- Detect When A Process Tries To Allow Execution Of Malicious Email Attachments
- Possible New Cobalt Strike Dropper
- Vbsbased Malware Infection
- Zoom And Microsoft Malware Attacks Detection
- Zebrocy Tool Apt28 Sysmon
- Sans Posterknown Normalfind Evil Sysmon Behaviour
- Apt33 Remcos Sysmon Behavior Historic Indicators
- Remote Access To Ssh Ftp Sftp Applications
- Dns Txt Answer With Possible Execution Strings
- Empire User Agents Proxy
- Amadey Botnet Detection Ta505 Part 1
- Ryuk Ransomware
- Fireeye Red Team Tool Modified Impacket Wmiexec Via Cmdline
- Suspicious Schtasks Creation Possible Windows 0Day Lpe Aka Polarbear By Sandboxescaper
- Ryuk Ransomware Sysmon
- Windows Powershell User Agent
- Suspicious Parent Of Cscexe
- Abusing Azure Browser Sso
- Apt40 Dropbox Tool User Agent
- Program Executions In Suspicious Folders
- Netwalker Ransomware Detection
- Lazarus Attack Variant
- Backup Catalog Deleted
- Suspicious Driver Load From Temp
- Certutil Activity Via Proxy
- System File Execution Location Anomaly
- Malware User Agent
- Powershell Downloadfile
- Secure Deletion With Sdelete
- Password Dumper Remote Thread In Lsass
- Office Macro Starts Cmd
- Notepadexe Dll Search Order Hijackingsysmon
- Abusing Managebdewsf
- Data Exfiltration Detection With Htran
- Apt29 Part 1
- Encoded Frombase64String
- Suspicious Commandline Escape
- Persistence Of Ryuk Ransomware
- Malicious Service Installations
- Roma225 Campaign Sysmon
- Crypt32Dll Nsa Vulnerability Cve20200601
- Apt28 Zekapab Zebrocy Implant Sysmon Firewall Proxy
- Detect Windows Password Policy Changes
- Existing Service Modified Detector Sysmon Behavior
- Ryuk Ransomware Hash Detected
- Detection Of Com Hijacking
- Oilrig
- Registry Persistence Via Explorer Run Key
- Powershell Dll Attacks Detection
- Psexec Execution
- Gelup Malware Detector Sysmon Behavior
- Swisyn Malware Detector Sysmon Behavior August 2019
- Nemty Ransomware Lolbins Abuse
- Cve20201350 Dns Remote Code Exploit Sigred Via Cmdline
- Possible Usage Of Physmem2Profit For Lsass Dump
- Oilirgs Rdat Backdoor Sysmon Detection
- Sysmon State And Configuration Changed
- Whoami Execution Part 1
- Suspicious Encoded Powershell Command Line
- Formbook Malware Sysmon
- Uac Bypass Via Sdclt
- Scarab Ransomware
- Abusing Attribexe To Change File Attributes
- Suspicious Reconnaissance Activity Sysmon
- Fireeye Red Team Tool Modified Impacket Smbexec Via Cmdline
- Apt10 Behavior
- Office Starup Folder Persistance
- Unusual Searchprotocolhost Child Process Via Cmdline
- Detects Local User Creation
- Netwire Rat Detection Via Wscript
- Fallout Rig Ek Delivers Raccoon Stealer
- Active Directory As A C2 Command Control
- Suspicious Curl Usage
- Possible Abusing Ads
- Suspicious Scheduled Task
- Cobaltstrike Malleable Onedrive Browsing Traffic Profile
- Unusual Solarwinds Child Process Via Cmdline
- Cactustorch Remote Thread Creation
- Olympic Destroyer Detector
- Ryuk Ransomware Detector Sysmon Behavior
- Using Bashexe In Windows
- Oilrig Neuron Sysmon Behavior
- Activity Related To Ntdsdit Domain Hash Retrieval
- Suspicious Dns Query With B64 Encoded String
- Code42 Server Dll Search Order Hijack
- Unauthenticated File Read In Cisco Asa Cisco Firepower Cve20203452 Via Web
- Rid Hijacking
- Sharprdp Execution
- Powershell Download Sysmon
- Netexe Execution
- File Creation Time Changed Via Powershell
- Fireeye Red Team Tool G2Js Suspicious Process Tree
- Renamed Zoho Dctask64
- Hworm And Njrat Ratbackdoor Sysmon
- Psexec Service Start
- Password Dumper Activity On Lsass
- Emotet Through Word Document Sysmon Behavior