ThreatPulse — April 19, 2026 | 10 threats, personalised for Ethan Andrews
ThreatPulse — April 19, 2026
Personalised for Ethan Andrews | Detection Engineer | Detection: KQL
10
Items
6
Critical
4
High
10
CISA KEV
48/100
CVSS 10.0
EPSS 94.4%
huntress.com
CISA KEVCRITICALYOUR STACKKQLCVE-2021-44228
Analysis
```json
{
"summary": "CVE-2021-44228 (Log4Shell) is a critical remote code execution vulnerability in Apache Log4j that allows unauthenticated attackers to execute arbitrary code through JNDI injection via specially crafted log messages. Detection focuses on identifying exploitation attempts through suspicious process execution, network connections to LDAP/RMI services, and characteristic log4j error patterns in application logs.",
"attack_techniques": [
"T1190",
"T1059",
"T1105",
"T1071"
],
"detection_query": "let timeframe = 7d; let suspiciousJndiPatterns = dynamic(['${jndi:', '${${jndi:', 'jndi:ldap', 'jndi:rmi', 'jndi:nis', 'jndi:cos']); let ldapRmiPorts = dynamic([389, 636, 1099, 1098]); union (DeviceProcessEvents | where Timestamp > ago(timeframe) | where ProcessCommandLine has_any ('java', 'tomcat', 'jboss', 'log4j') | where ProcessCommandLine matches regex @'(?i)(jndi|ldap|rmi|marshalsec)' | project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName, FolderPath), (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where InitiatingProcessFileName has_any ('java.exe', 'javaw.exe', 'tomcat', 'jboss') | where RemotePort in (ldapRmiPorts) or RemoteUrl has_any ('ldap://', 'rmi://') | project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine), (CloudAppEvents | where Timestamp > ago(timeframe) | where ObjectName has_any suspiciousJndiPatterns or RawEventData has_any suspiciousJndiPatterns | project Timestamp, AccountDisplayName, ObjectName, RawEventData, AppName) | project-away RawEventData | limit 1000",
"sigma_category": "process_creation",
"affected_products": [
"Apache Log4j",
"Java",
"Apache Tomcat",
"JBoss",
"Spring Boot",
"Elasticsearch",
"Kafka",
"Solr",
"Minecraft",
"VMware vCenter",
"Cisco products"
],
"detection_logic": "Detects Log4Shell exploitation by identifying: (1) Java processes executing with JNDI-related command-line arguments or suspicious log4j references; (2) Java processes initiating network connections to LDAP (389/636) or RMI (1099/1098) ports; (3) Cloud application events containing JNDI injection patterns (${jndi:, jndi:ldap, jndi:rmi). Correlates process creation, network activity, and cloud audit logs to identify exploitation chains.",
"false_positive_notes": "Legitimate Java applications using JNDI for directory services (Active Directory, LDAP authentication) may trigger alerts; whitelist known internal LDAP/RMI services and trusted application
Source: huntress.com
48/100
CVSS 9.8
EPSS 93.4%
huntress.com
CISA KEVCRITICALYOUR STACKKQLCVE-2023-23397
Summary
CVE-2023-23397 is a critical Outlook vulnerability (CVSS 9.8) that allows remote attackers to extract NTLM credential hashes without user interaction by sending specially crafted calendar invitations. Detection focuses on identifying suspicious Outlook process behavior, NTLM authentication attempts to external hosts, and anomalous network connections initiated by Outlook.
Detection Query (KQL)let SuspiciousOutlookProcesses = dynamic(['outlook.exe', 'msaccess.exe', 'winword.exe']); let NTLMPorts = dynamic([445, 139]); union (DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessFileName has_any (SuspiciousOutlookProcesses) | where ProcessCommandLine has_any (@'\calendar', @'\invite', @'\ics') | project Timestamp, DeviceId, DeviceName, ProcessFileName, ProcessCommandLine, AccountName, ProcessId), (DeviceNetworkEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName has_any (SuspiciousOutlookProcesses) | where RemotePort in (NTLMPorts) or Protocol =~ 'NTLM' | where RemoteIPType == 'Public' | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, Protocol, InitiatingProcessCommandLine, AccountName), (DeviceNetworkEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName has_any (SuspiciousOutlookProcesses) | where RemoteUrl has_any (@'.local', @'.internal') or RemoteIP matches regex @'^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)' | where ActionType == 'ConnectionSuccess' | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, AccountName) | summarize EventCount = count() by DeviceId, DeviceName, AccountName, bin(Timestamp, 1h) | where EventCount > 5Detection Logic
Detects CVE-2023-23397 exploitation by identifying Outlook processes with suspicious calendar/invite-related command lines, NTLM authentication attempts to external or internal network resources initiated by Outlook, and anomalous network connections from Outlook to non-standard destinations. Aggregates events to identify patterns of credential hash extraction attempts.
Affected ProductsMicrosoft Outlook, Microsoft Exchange, Office 365
ATT&CK TechniquesT1187, T1040, T1557
False Positive NotesLegitimate calendar sharing, meeting invitations, and internal network authentication are common in enterprise environments. Tune by excluding known internal domains, trusted calendar servers, and expected NTLM authentication patterns. Consider allowlisting legitimate Outlook add-ins and calendar synchronization services. Monitor for baseline activity patterns per user/device before alerting.
Source: huntress.com
48/100
CVSS 9.8
EPSS 91.9%
wiz.io
CISA KEVCRITICALYOUR STACKKQLCVE-2023-21554CVE-2023-28252
Analysis
```json
{
"summary": "Detects exploitation attempts of CVE-2023-28252 (Windows EoP) and CVE-2023-21554 (RCE) vulnerabilities from April 2023 Patch Tuesday through process creation patterns, suspicious file operations, and network indicators associated with known exploit techniques. This query identifies suspicious process execution, privilege escalation attempts, and remote code execution indicators on unpatched Windows systems.",
"attack_techniques": ["T1548.002", "T1059.001", "T1190"],
"detection_query": "let timeframe = 7d; let cve_28252_indicators = dynamic(['consent.exe', 'dllhost.exe', 'rundll32.exe', 'powershell.exe', 'cmd.exe']); let cve_21554_indicators = dynamic(['msiexec.exe', 'regsvcs.exe', 'regasm.exe', 'InstallUtil.exe']); let suspicious_paths = dynamic(['\\\\temp\\\\', '\\\\appdata\\\\', '\\\\programdata\\\\', '\\\\windows\\\\tasks\\\\']); union (DeviceProcessEvents | where Timestamp > ago(timeframe) | where ProcessCommandLine has_any (cve_21554_indicators) or FileName in (cve_21554_indicators) | where ProcessCommandLine matches regex @'(?i)(http|ftp|\\\\\\\\|msi|dll|exe)' | project Timestamp, DeviceId, DeviceName, ProcessId, FileName, ProcessCommandLine, AccountName, ProcessIntegrityLevel, ProcessTokenElevation), (DeviceProcessEvents | where Timestamp > ago(timeframe) | where FileName in (cve_28252_indicators) | where ProcessTokenElevation == 'TokenElevationTypeFull' or ProcessIntegrityLevel == 'High' | where FolderPath has_any (suspicious_paths) | project Timestamp, DeviceId, DeviceName, ProcessId, FileName, FolderPath, ProcessCommandLine, AccountName, ProcessTokenElevation), (DeviceFileEvents | where Timestamp > ago(timeframe) | where FolderPath has_any (suspicious_paths) | where FileName matches regex @'(?i)\\.(dll|exe|sys|scr)$' | where ActionType in ('FileCreated', 'FileModified') | project Timestamp, DeviceId, DeviceName, FileName, FolderPath, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine), (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where InitiatingProcessFileName in (cve_21554_indicators) or InitiatingProcessFileName in (cve_28252_indicators) | where RemoteIPType == 'Public' | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, Protocol) | summarize EventCount = count() by DeviceId, DeviceName, bin(Timestamp, 1h) | where EventCount > 2 | limit 1000",
"sigma_category": "process_creation",
"affected_products": ["Windows 10", "Windows 11", "Windows Server 2019", "Windows Server 2022", "Office 365"],
"detection_logic": "Correlates CVE-2023-28252 E
Source: wiz.io
46/100
CVSS 9.8
EPSS 75.7%
huntress.com
CISA KEVCRITICALYOUR STACKKQLCVE-2025-59287
Analysis
```json
{
"summary": "CVE-2025-59287 is a critical remote code execution vulnerability in Windows Server Update Services (WSUS) with a CVSS score of 9.8 that allows unauthenticated attackers to execute arbitrary code. Detection focuses on identifying suspicious process execution, network connections, and file modifications originating from WSUS-related processes and services.",
"attack_techniques": [
"T1190",
"T1133",
"T1059"
],
"detection_query": "let wsus_processes = dynamic(['WsusService.exe', 'wsusservice.exe', 'WsusUtil.exe', 'wsusutil.exe', 'UpdateServicesStartup.exe', 'updateservicesstartup.exe']); let wsus_paths = dynamic(['\\\\Program Files\\\\Update Services', '\\\\Program Files (x86)\\\\Update Services', '\\\\Windows\\\\System32\\\\wsus']); union (DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in (wsus_processes) or FolderPath has_any (wsus_paths) | where ActionType in ('ProcessCreated', 'ProcessModified') | project Timestamp, DeviceId, DeviceName, ProcessId, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, FolderPath), (DeviceNetworkEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in (wsus_processes) or InitiatingProcessFolderPath has_any (wsus_paths) | where ActionType == 'ConnectionSuccess' and RemoteIPType == 'Public' | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, Protocol, InitiatingProcessCommandLine), (DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in (wsus_processes) or FolderPath has_any (wsus_paths) | where ActionType in ('FileCreated', 'FileModified') and (FileName has_any ('.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs') or FolderPath has_any ('\\\\Temp', '\\\\AppData', '\\\\ProgramData')) | project Timestamp, DeviceId, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine) | limit 1000",
"sigma_category": "process_creation",
"affected_products": [
"Windows Server Update Services",
"Windows Server 2016",
"Windows Server 2019",
"Windows Server 2022"
],
"detection_logic": "Monitor for suspicious process creation, network connections, and file modifications initiated by WSUS-related processes (WsusService.exe, WsusUtil.exe, etc.) or originating from WSUS installation directories. Flag instances where WSUS spawns unexpected child processes, establishes outbound connections to public IPs, or creates executable files in temporary or user-writable directories. Cross-correlate process, network, and file events to identify exploitation chains.",
"false_positive_notes": "Legitimate WSUS administrative tools and updates may trigger alerts; whitelist known WSUS management utilities and
Source: huntress.com
46/100
CVSS 8.8
EPSS 93.6%
wiz.io
CISA KEVHIGHYOUR STACKKQLCVE-2023-5217CVE-2023-4863
Analysis
```json
{
"summary": "CVE-2023-4863 and CVE-2023-5217 are critical remote code execution vulnerabilities in libwebp and libvpx media libraries with 8.8 CVSS and 93.6% EPSS actively exploited in the wild. Detection focuses on identifying exploitation attempts through malicious media file processing, suspicious child processes from media applications, and network indicators associated with known exploit infrastructure.",
"attack_techniques": [
"T1203",
"T1566.001",
"T1566.002",
"T1204.001"
],
"detection_query": "let timeframe = 7d; let webp_vpx_processes = dynamic(['chrome.exe', 'msedge.exe', 'firefox.exe', 'outlook.exe', 'winword.exe', 'excel.exe', 'powerpnt.exe']); let suspicious_child_processes = dynamic(['cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvcs.exe', 'certutil.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe']); union (DeviceProcessEvents | where Timestamp > ago(timeframe) | where InitiatingProcessFileName in (webp_vpx_processes) | where FileName in (suspicious_child_processes) | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, ProcessId, AccountName), (DeviceFileEvents | where Timestamp > ago(timeframe) | where InitiatingProcessFileName in (webp_vpx_processes) | where (FileName endswith '.webp' or FileName endswith '.vp8' or FileName endswith '.vp9') | where ActionType in ('FileCreated', 'FileModified') | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, FileName, FolderPath, FileSize, SHA256), (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where InitiatingProcessFileName in (webp_vpx_processes) | where RemoteIPType == 'Public' | where RemotePort in (80, 443, 8080, 8443) | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, Protocol), (SecurityEvent | where TimeGenerated > ago(timeframe) | where EventID in (4688, 4689) | where ParentImage has_any (webp_vpx_processes) | where NewProcessName has_any (suspicious_child_processes) | project TimeGenerated, Computer, ParentImage, NewProcessName, CommandLine, SubjectUserName) | limit 1000",
"sigma_category": "process_creation",
"affected_products": [
"Google Chrome",
"Microsoft Edge",
"Mozilla Firefox",
"Microsoft Outlook",
"Microsoft Office (Word, Excel, PowerPoint)",
"Cisco products",
"Docker",
"VMware products",
"Python applications using libwebp/libvpx"
],
"detection_logic": "Monitor for suspicious child process creation from known media processing applications (Chrome, Edge, Firefox, Office) that handle webp/vp
Source: wiz.io
45/100
CVSS 8.3
EPSS 94.1%
cloudblog.withgoogle.com
CISA KEVHIGHYOUR STACKKQLCVE-2025-2783CVE-2025-23006CVE-2025-61882
Analysis
```json
{
"summary": "Google Threat Intelligence tracked 90 zero-day vulnerabilities exploited in-the-wild during 2025, with 48% targeting enterprise technologies including Azure, Windows, Office365, Chrome, Cisco, Docker, VMware, and Python ecosystems. Detection should focus on exploitation indicators across process execution, network communications, and file modifications associated with the 22 listed CVEs.",
"attack_techniques": [
"T1190",
"T1203",
"T1566",
"T1059",
"T1053",
"T1547",
"T1548",
"T1005",
"T1041"
],
"detection_query": "let CVEList = dynamic(['CVE-2025-2783', 'CVE-2025-23006', 'CVE-2025-61882', 'CVE-2025-0282', 'CVE-2023-33106', 'CVE-2025-21042', 'CVE-2025-48543', 'CVE-2025-14174', 'CVE-2021-37973', 'CVE-2024-0519', 'CVE-2025-40602', 'CVE-2025-8088', 'CVE-2023-6345', 'CVE-2023-2136', 'CVE-2025-21590', 'CVE-2025-27038', 'CVE-2025-43300', 'CVE-2025-6558', 'CVE-2025-38352', 'CVE-2025-5419', 'CVE-2025-61884', 'CVE-2025-21043']); let timeframe = ago(30d); union (DeviceProcessEvents | where Timestamp > timeframe | where ProcessCommandLine has_any ('powershell', 'cmd.exe', 'wscript', 'cscript', 'rundll32', 'regsvcs', 'certutil') or InitiatingProcessFileName in~ ('chrome.exe', 'firefox.exe', 'iexplore.exe') | where ProcessIntegrityLevel has 'High' or ProcessTokenElevation has 'Full'), (DeviceNetworkEvents | where Timestamp > timeframe | where RemoteIPType == 'Public' and InitiatingProcessFileName in~ ('chrome.exe', 'firefox.exe', 'iexplore.exe', 'outlook.exe', 'winword.exe', 'excel.exe') | where RemotePort in (443, 8443, 4443, 9443)), (DeviceFileEvents | where Timestamp > timeframe | where ActionType in ('FileCreated', 'FileModified') and (FolderPath has_any ('\\\\AppData\\\\', '\\\\Temp\\\\', '\\\\Windows\\\\Temp') or FileName has_any ('.ps1', '.vbs', '.js', '.bat', '.cmd', '.exe', '.dll', '.scr'))), (SecurityEvent | where TimeGenerated > timeframe | where EventID in (4688, 4689, 4703, 4704) and (CommandLine has_any ('powershell', 'cmd.exe', 'wscript') or ParentProcessName in~ ('chrome.exe',
Source: cloudblog.withgoogle.com
44/100
CVSS 7.8
EPSS 94.1%
fortinet.com
CISA KEVHIGHYOUR STACKKQLCVE-2018-0802
Analysis
```json
{
"summary": "XWorm RAT campaign leverages multi-language phishing emails with malicious Excel attachments exploiting CVE-2018-0802, followed by HTA execution and fileless .NET techniques for remote code execution. Detection focuses on identifying suspicious Excel process behavior, HTA execution chains, and .NET runtime abuse patterns indicative of this campaign.",
"attack_techniques": [
"T1566.001",
"T1203",
"T1218.005",
"T1059.003",
"T1140",
"T1106"
],
"detection_query": "let timeframe = 7d; let suspiciousHTA = dynamic(['mshta.exe', 'mshta']); let suspiciousDotNet = dynamic(['csc.exe', 'vbc.exe', 'ngen.exe', 'jit.exe']); union (DeviceProcessEvents | where Timestamp > ago(timeframe) | where (InitiatingProcessFileName has_any ('excel.exe', 'winword.exe') and (FileName has_any suspiciousHTA or FileName has_any suspiciousDotNet or ProcessCommandLine has_any ('powershell', 'cmd.exe', 'rundll32.exe'))) or (FileName has_any suspiciousHTA and ProcessCommandLine has_any ('.hta', 'http', 'file://')) or (FileName has_any suspiciousDotNet and ProcessCommandLine matches regex @'(?i)(csc|vbc).*\\.(cs|vb)' and ProcessCommandLine has_any ('System.Net', 'WebClient', 'HttpClient')) | project Timestamp, DeviceId, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, ProcessId, AccountName, FolderPath), (DeviceFileEvents | where Timestamp > ago(timeframe) | where (InitiatingProcessFileName has_any ('excel.exe', 'winword.exe') and (FileName endswith '.hta' or FileName endswith '.exe' or FileName endswith '.dll')) or (FileName endswith '.hta' and FolderPath has_any ('temp', 'appdata', 'programdata')) | project Timestamp, DeviceId, DeviceName, FileName, FolderPath, InitiatingProcessFileName, ActionType, FileSize), (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where InitiatingProcessFileName has_any ('mshta.exe', 'csc.exe', 'vbc.exe', 'ngen.exe', 'dotnet.exe') and (RemoteUrl has_any ('http://', 'https://') or RemoteIPType == 'Public') | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort, ActionType) | summarize EventCount = count() by DeviceId, DeviceName, bin(Timestamp, 1h) | where EventCount > 2 | limit 1000",
"sigma_category": "process_creation",
"affected_products": [
"Microsoft Office 365",
"Microsoft Excel",
"Windows",
".NET Framework",
"Azure"
],
"detection_logic": "Detects XWorm campaign indicators by identifying process
Source: fortinet.com
44/100
CVSS 7.8
EPSS 94.4%
fortinet.com
CISA KEVHIGHYOUR STACKKQLCVE-2017-11882
Analysis
```json
{
"summary": "This detection identifies a phishing campaign distributing Remcos RAT through malicious Word documents exploiting CVE-2017-11882, leveraging fileless in-memory execution techniques. The query detects suspicious Office process behavior, macro execution, and network indicators associated with Remcos command-and-control communications.",
"attack_techniques": [
"T1566.001",
"T1566.002",
"T1203",
"T1559.002",
"T1204.002",
"T1059.005",
"T1071.001"
],
"detection_query": "let timeframe = 7d; let remcos_indicators = dynamic(['remcos', 'remcos.exe', 'remcos.dll']); let office_processes = dynamic(['winword.exe', 'excel.exe', 'powerpnt.exe']); union (DeviceProcessEvents | where Timestamp > ago(timeframe) | where InitiatingProcessFileName in (office_processes) | where (ProcessCommandLine has_any ('powershell', 'cmd', 'cscript', 'wscript', 'mshta') or FileName in (remcos_indicators)) | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine, FileName, ProcessId), (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where InitiatingProcessFileName in (office_processes) or InitiatingProcessFileName has_any (remcos_indicators) | where RemoteIPType == 'Public' | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl, Protocol), (DeviceFileEvents | where Timestamp > ago(timeframe) | where InitiatingProcessFileName in (office_processes) | where (FileName endswith '.tmp' or FileName endswith '.dat' or FolderPath has 'AppData\\Local\\Temp') | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, FolderPath, ActionType) | summarize EventCount = count(), UniqueDevices = dcount(DeviceName), UniqueUsers = dcount(AccountName), EventTypes = make_set(ActionType), FileNames = make_set(FileName) by bin(Timestamp, 1h), DeviceName | where EventCount > 2 | limit 1000",
"sigma_category": "process_creation",
"affected_products": [
"Microsoft Office 365",
"Microsoft Word",
"Windows",
"Microsoft Defender for Endpoint"
],
"detection_logic": "Detects Office applications (Word, Excel, PowerPoint) spawning suspicious child processes (PowerShell, CMD, script interpreters) or creating temporary files in AppData, combined with outbound network connections to public IPs from Office processes. Correlates process creation, file operations, and network events within a 1-hour window to identify fileless RAT execution patterns consistent with Remcos delivery via malicious templates.",
"false_positive_notes": "Legitimate Office macro usage, Windows Update processes, antivirus scanning of Office files, and authorized remote desktop tools may trigger alerts. Tune by excluding known-good macro-enabled templates, internal network destinations, and trusted security software. Consider allowlisting specific internal IP ranges and known-good Office add-ins that
Source: fortinet.com
43/100
CVSS 10.0
EPSS 94.4%
thedfirreport.com
CISA KEVCRITICALKQLCVE-2023-46604
Summary
This detection identifies exploitation of CVE-2023-46604 in Apache ActiveMQ servers, which allows remote code execution through malicious serialized class types in OpenWire protocol messages. The query detects suspicious network connections to ActiveMQ ports combined with process execution patterns consistent with Java-based RCE and subsequent ransomware deployment.
Detection Query (KQL)let timeframe = 7d; let activemq_ports = dynamic([61616, 5672, 8161]); let suspicious_processes = dynamic(['cmd.exe', 'powershell.exe', 'certutil.exe', 'bitsadmin.exe', 'wmic.exe', 'rundll32.exe']); union (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where RemotePort in (activemq_ports) or RemoteUrl has 'activemq' | where ActionType in ('ConnectionSuccess', 'ConnectionAttempt') | project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine), (DeviceProcessEvents | where Timestamp > ago(timeframe) | where ProcessCommandLine has_any ('java', 'Spring') or FileName in (suspicious_processes) | where FolderPath has_any ('temp', 'appdata', 'windows\system32', 'programdata') | project Timestamp, DeviceId, DeviceName, FileName, ProcessCommandLine, ProcessId, AccountName, FolderPath) | join kind=inner (DeviceNetworkEvents | where Timestamp > ago(timeframe) and RemotePort in (activemq_ports)) on DeviceId | where Timestamp1 >= Timestamp and Timestamp1 <= Timestamp + 5m | project Timestamp, DeviceName, RemoteIP, RemotePort, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName | limit 1000
Detection Logic
Correlates inbound network connections to ActiveMQ default ports (61616, 5672, 8161) with subsequent suspicious process execution (cmd.exe, powershell.exe, certutil, bitsadmin, wmic, rundll32) within a 5-minute window on the same device. Identifies Java processes with Spring framework references combined with command-line execution patterns typical of post-exploitation activity and ransomware deployment.
Affected ProductsApache ActiveMQ, Windows, Java Runtime Environment
ATT&CK TechniquesT1190, T1059, T1486, T1570
False Positive NotesLegitimate ActiveMQ administrative tools and monitoring solutions may trigger alerts; whitelist known management IPs and scheduled maintenance windows. Java application servers running Spring framework in normal operations may generate false positives; baseline expected process execution patterns per environment. Filter out internal ActiveMQ cluster communication between trusted nodes. Tune RemotePort detection to exclude non-standard ActiveMQ deployments in your environment.
Source: thedfirreport.com
43/100
CVSS 10.0
EPSS 94.4%
wiz.io
CISA KEVCRITICALKQLCVE-2024-50603
Summary
CVE-2024-50603 is an unauthenticated remote code execution vulnerability in Aviatrix Controller with a CVSS score of 10.0 that enables privilege escalation in AWS control planes. Detection focuses on identifying exploitation attempts targeting Aviatrix Controller endpoints and subsequent suspicious process execution or network activity from affected systems.
Detection Query (KQL)let timeframe = 7d; let aviatrix_ports = dynamic([443, 8443]); let aviatrix_paths = dynamic(['/api/', '/v1/', '/controller']); union (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where RemotePort in (aviatrix_ports) or RemoteUrl has_any (aviatrix_paths) | where ActionType == 'ConnectionSuccess' or ActionType == 'ConnectionAttempt' | project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine), (DeviceProcessEvents | where Timestamp > ago(timeframe) | where ProcessCommandLine has_any ('curl', 'wget', 'powershell', 'python') and (ProcessCommandLine contains 'aviatrix' or ProcessCommandLine matches regex @'(?i)(controller|api)') | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName), (DeviceProcessEvents | where Timestamp > ago(timeframe) | where ProcessIntegrityLevel == 'System' and AccountName != 'SYSTEM' | where ProcessCreationTime > ago(1h) | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessId, AccountName, ProcessIntegrityLevel) | summarize EventCount = count(), UniqueDevices = dcount(DeviceId), ProcessNames = make_set(FileName), CommandLines = make_set(ProcessCommandLine) by DeviceName, RemoteIP | where EventCount > 3 or ProcessNames has_any ('cmd.exe', 'powershell.exe', 'bash') | limit 1000
Detection Logic
Monitor for network connections to Aviatrix Controller endpoints (ports 443, 8443) with API path patterns, correlate with suspicious process execution (elevated privileges, command shells, scripting tools) on the same device within short time windows, and identify anomalous outbound connections or privilege escalation attempts post-exploitation.
Affected ProductsAviatrix Controller, AWS, Azure, Docker, VMware
ATT&CK TechniquesT1190, T1133, T4765
False Positive NotesLegitimate administrative tools (curl, wget, PowerShell) connecting to Aviatrix for maintenance; scheduled API calls from monitoring/automation systems; normal system processes running with elevated privileges; filter by known Aviatrix management IPs and service accounts; tune based on organizational baseline of Aviatrix API usage patterns.
Source: wiz.io
ThreatPulse — Automated Threat Intelligence
Unsubscribe |
Update Preferences
Don't miss what's next. Subscribe to Ethan Andrews: