ThreatPulse — April 19, 2026 | 10 threats, personalised for Demo User
ThreatPulse — April 19, 2026
Personalised for Demo User | Soc Analyst | Detection: KQL
10
Items
0
Critical
4
High
0
CISA KEV
40/100
CVSS 8.8
EPSS 0.0%
nvd.nist.gov
HIGHKQLCVE-2026-6581
Analysis
# THREAT BRIEFING: CVE-2026-6581 H3C Magic B1 Buffer Overflow
## SUMMARY
A critical remote buffer overflow vulnerability (CVE-2026-6581, CVSS 8.8) exists in H3C Magic B1 wireless controllers up to firmware 100R004, exploitable via the SetMobileAPInfoById function in /goform/aspForm. Public exploits are available and the vendor has not responded to disclosure, creating immediate risk for organizations using affected devices.
## TRIAGE
**CRITICAL** — Remote unauthenticated code execution with public exploits available. Immediate inventory and patching required. Prioritize any H3C Magic B1 devices exposed to untrusted networks.
## DETECTION
## MITRE
- **T1190** — Exploit Public-Facing Application (remote code execution via web interface)
- **T1499** — Endpoint Denial of Service (buffer overflow potential impact)
- **T1021.001** — Remote Services: RDP (lateral movement post-exploitation)
## ACTION
1. **Immediate:** Query network for H3C Magic B1 devices (search DHCP logs, ARP tables, device inventory for "H3C" or "Magic B1" hostnames/MAC prefixes).
2. **Within 24h:** Isolate any identified devices to management VLAN only; block /goform/aspForm endpoint at perimeter firewall.
3. **Within 48h:** Contact H3C for firmware patches or apply vendor mitigations; if unavailable, schedule replacement or decommissioning.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "/goform/aspForm" or RemoteUrl has "SetMobileAPInfoById"
| where ActionType in ("ConnectionSuccess", "ConnectionAttempted", "ConnectionFailed")
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, ActionType
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("/goform/aspForm", "SetMobileAPInfoById", "param") or FolderPath has "h3c" or FolderPath has "magic"
| where ActionType in ("ProcessCreated", "ProcessModified")
| project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName, FolderPath
| limit 1000
SecurityEvent
| where TimeGenerated > ago(7d)
| where Activity has_any ("aspForm", "SetMobileAPInfoById") or CommandLine has_any ("buffer", "overflow", "param manipulation")
| where EventID in (4688, 4689)
| project TimeGenerated, Computer, CommandLine, Account, ProcessId, ParentProcessName
| limit 1000
Source: nvd.nist.gov
38/100
CVSS 8.8
EPSS 0.0%
nvd.nist.gov
HIGHKQLCVE-2026-6563
Summary
CVE-2026-6563 is a remote buffer overflow vulnerability in H3C Magic B1 devices affecting the SetAPWifiorLedInfoById function in /goform/aspForm, exploitable without authentication. Detection focuses on identifying exploitation attempts through network traffic patterns, process execution anomalies, and file access to vulnerable endpoints on H3C devices or management interfaces.
Detection Query (KQL)let timeframe = 7d; let h3c_indicators = dynamic(['SetAPWifiorLedInfoById', 'aspForm', 'param', 'Magic B1']); union (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where RemoteUrl has_any ('goform/aspForm', '/goform/') or RemoteUrl matches regex @'(?i).*SetAPWifiorLedInfoById.*' | where ActionType in ('ConnectionSuccess', 'ConnectionAttempted', 'ConnectionFailed') | project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine), (DeviceProcessEvents | where Timestamp > ago(timeframe) | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any ('goform', 'aspForm') | project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName), (DeviceFileEvents | where Timestamp > ago(timeframe) | where FolderPath has_any ('goform', 'aspForm') or FileName has_any (h3c_indicators) | where ActionType in ('FileCreated', 'FileModified', 'FileDeleted') | project Timestamp, DeviceName, FolderPath, FileName, ActionType, AccountName) | summarize EventCount = count() by Timestamp, DeviceName, RemoteIP, ProcessCommandLine, FileName | where EventCount > 0 | limit 1000
Detection Logic
Monitor for exploitation attempts by detecting network connections to vulnerable /goform/aspForm endpoints with SetAPWifiorLedInfoById function calls, unusual process execution with buffer overflow payloads in command lines, and suspicious file modifications in web application directories. Cross-correlate network events with process and file activity to identify attack chains.
Affected ProductsH3C Magic B1, H3C Magic B1 up to 100R004
ATT&CK TechniquesT1190, T1133, T1071
False Positive NotesLegitimate administrative access to H3C device management interfaces, routine firmware updates or configuration changes via /goform/ endpoints, and normal web application file operations may trigger alerts. Whitelist known management IPs, scheduled maintenance windows, and authenticated administrative accounts. Filter out internal network scanning and vulnerability assessment tools that may probe these endpoints.
Source: nvd.nist.gov
38/100
CVSS 8.8
EPSS 0.0%
nvd.nist.gov
HIGHKQLCVE-2026-6560
Summary
CVE-2026-6560 is a critical remote buffer overflow vulnerability in H3C Magic B0 devices affecting the Edit_BasicSSID function in /goform/aspForm, with a CVSS score of 8.8. Detection should focus on identifying exploitation attempts targeting H3C devices through malicious web requests and subsequent process execution or network anomalies.
Detection Query (KQL)let timeframe = 7d; let h3c_indicators = dynamic(['Edit_BasicSSID', 'aspForm', 'goform']); union (DeviceNetworkEvents | where Timestamp > ago(timeframe) | where RemoteUrl has_any (h3c_indicators) or InitiatingProcessCommandLine has_any (h3c_indicators) | project Timestamp, DeviceId, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType), (DeviceProcessEvents | where Timestamp > ago(timeframe) | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any (h3c_indicators) | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessId, FileName, FolderPath, AccountName, ActionType), (SecurityEvent | where TimeGenerated > ago(timeframe) | where Activity has_any (h3c_indicators) or CommandLine has_any (h3c_indicators) | project TimeGenerated, Computer, Activity, CommandLine, Account, EventID) | where ActionType !in ('ProcessTerminated', 'NetworkConnectionTerminated') or Activity !has 'Success' | limit 1000
Detection Logic
Monitor for HTTP requests containing Edit_BasicSSID, aspForm, or goform path indicators targeting H3C devices. Correlate with subsequent suspicious process creation, command execution, or unexpected network connections from affected devices. Focus on remote connection attempts to H3C management interfaces and buffer overflow exploitation patterns in request payloads.
Affected ProductsH3C Magic B0, H3C Magic B0 100R002
ATT&CK TechniquesT1190, T1133, T1071
False Positive NotesLegitimate H3C device management traffic and administrative configuration changes may trigger alerts; whitelist known H3C management IPs and scheduled maintenance windows. Filter out normal device firmware update processes and authenticated administrative sessions. Exclude internal network scanning and vulnerability assessment tools that may probe H3C devices.
Source: nvd.nist.gov
22/100
CVSS 0.0
EPSS 0.0%
unit42.paloaltonetworks.com
KQLCVE-2023-33538
Analysis
A Deep Dive Into Attempted Exploitation of CVE-2023-33538 CVEs: CVE-2023-33538 CVSS: 0.0 | EPSS: 0.0% | Priority: 2.5/100 ATT&CK: N/A Detection language: KQL Source: unit42.paloaltonetworks.com -- https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/ CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware. The post A Deep Dive Into Attempted Exploitation of CVE-2023-33538 appeared first on Unit 42 .
Source: unit42.paloaltonetworks.com
20/100
CVSS 7.8
EPSS 0.0%
picussecurity.com
HIGHKQLCVE-2026-33825
Analysis
# SOC BRIEFING: CVE-2026-33825 (BlueHammer) – Windows Defender LPE Zero-Day
## SUMMARY
A zero-day local privilege escalation vulnerability in Microsoft Defender (CVE-2026-33825) was publicly disclosed on April 7, 2026, with a working exploit ("BlueHammer") released before a patch was available. Unprivileged users can exploit this to gain SYSTEM-level access on fully patched Windows 10/11 systems, creating immediate risk for lateral movement and persistence.
## TRIAGE
**Severity: CRITICAL**
Immediate investigation priority. This is an unpatched zero-day with public exploit code and CVSS 7.8. Any evidence of exploitation grants attackers full system compromise.
---
## DETECTION
**Query 1: Detect suspicious Defender process spawning with elevated token elevation**
**Query 2: Detect unprivileged process creating child processes with SYSTEM integrity**
**Query 3: Detect Defender-related file or registry modifications by non-SYSTEM accounts**
---
## MITRE ATT&CK
- **T1548.004** – Abuse Elevation Control Mechanism: Elevated Execution with Prompt (Privilege Escalation)
- **T1134.003** – Access Token Manipulation: Make and Impersonate Token (Defense Evasion)
- **T1547.001** – Boot or Logon Autostart Execution: Registry Run Keys (Persistence)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessFileName has_any ("MsMpEng.exe", "NisSrv.exe", "MpCmdRun.exe")
| where ProcessTokenElevation == "TokenElevationTypeFull"
| where AccountName !has "SYSTEM" and AccountName !has "LOCAL SERVICE"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, ProcessId, ProcessIntegrityLevel
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessIntegrityLevel == "System"
| where AccountName !has "SYSTEM" and AccountName !has "LOCAL SERVICE" and AccountName !has "NETWORK SERVICE"
| where InitiatingProcessIntegrityLevel in ("Low", "Medium")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, ProcessId
| limit 1000
union
(DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\ProgramData\\Microsoft\\Windows Defender", "\\Program Files\\Windows Defender")
| where ActionType in ("FileCreated", "FileModified")
| where AccountName !has "SYSTEM"),
(DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKeyPath has_any ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender", "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinDefend")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where AccountName !has "SYSTEM")
| project Timestamp, DeviceName, AccountName, ActionType, FileName, RegistryKeyPath
| limit 1000
Source: picussecurity.com
3/100
CVSS 0.0
EPSS 0.0%
microsoft.com
KQL
Analysis
# SOC BRIEFING: Cross-Tenant Helpdesk Impersonation & Data Exfiltration
## SUMMARY
Threat actors are impersonating IT helpdesk staff via external Microsoft Teams collaboration to socially engineer users into granting remote access, then leveraging legitimate admin tools for lateral movement and data exfiltration. This human-operated attack bypasses traditional detection by masquerading as routine IT support activity across Teams, endpoint, and identity infrastructure.
## TRIAGE
**Severity: CRITICAL**
Immediate investigation priority. This is a high-confidence, human-operated intrusion pattern with direct data exfiltration risk and cross-tenant compromise potential. Requires real-time monitoring and rapid response.
---
## DETECTION
**Query 1: Suspicious External Teams Collaboration + Credential Requests**
**Query 2: Remote Access Tool Execution + Lateral Movement Post-Teams Contact**
**Query 3: Bulk Data Access + Exfiltration Post-Helpdesk Impersonation**
CloudAuditEvents
| where TimeGenerated > ago(7d)
| where ActionType has_any ("Create", "Deploy", "Provision", "Update")
| where ResourceType has_any ("VirtualMachine", "StorageAccount", "KeyVault", "AppService", "FunctionApp", "Container", "Database")
| where RawEventData has_any ("terraform", "bicep", "cloudformation", "arm", "pulumi")
| where InitiatedBy !has "automation" and InitiatedBy !has "service principal"
| summarize count(), make_set(ActionType), make_set(ResourceType) by InitiatedBy, ResourceGroup, bin(TimeGenerated, 1h)
| where count_ > 3
| project TimeGenerated, InitiatedBy, ResourceGroup, count_, set_ActionType, set_ResourceType
| limit 1000
union
(DeviceRegistryEvents
| where TimeGenerated > ago(7d)
| where RegistryKey has_any ("terraform", "pulumi", "bicep", "cloudformation", "ansible")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where InitiatingProcessFileName !in ("powershell.exe", "pwsh.exe", "git.exe", "terraform.exe", "pulumi.exe")
),
(DeviceFileEvents
| where TimeGenerated > ago(7d)
| where FolderPath has_any (".terraform", ".pulumi", "bicep", "cloudformation", "ansible")
| where ActionType in ("FileCreated", "FileModified")
| where InitiatingProcessFileName !in ("powershell.exe", "pwsh.exe", "git.exe", "terraform.exe", "pulumi.exe", "code.exe", "notepad.exe")
)
| summarize count(), make_set(ActionType), make_set(InitiatingProcessFileName) by DeviceName, AccountName, bin(TimeGenerated, 1h)
| where count_ > 2
| project TimeGenerated, DeviceName, AccountName, count_, set_ActionType, set_InitiatingProcessFileName
| limit 1000
AADSpnSignInEventsBeta
| where TimeGenerated > ago(7d)
| where ServicePrincipalName has_any ("terraform", "pulumi", "bicep", "deployment", "automation")
| where ErrorCode != "0"
CloudAppEvents
| where Timestamp > ago(7d)
| where Application has "Teams" and ActionType in ("TeamsSessionStarted", "ExternalUserAdded", "GuestUserAdded")
| where isnotempty(AccountName) and AccountName !contains_cs (TenantId)
| join kind=inner (
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType in ("UserLoggedIn", "CredentialAdded", "PasswordChanged")
| where RawEventData has_any ("remote", "access", "support", "helpdesk")
) on AccountName
| project Timestamp, AccountName, Application, ActionType, DeviceName, RawEventData
| limit 1000
let TeamsExternalContact = CloudAppEvents
| where Timestamp > ago(7d)
| where Application has "Teams" and ActionType has "ExternalUser"
| project ContactTime=Timestamp, AccountName, DeviceName;
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("psexec", "wmic", "winrm", "schtasks", "net use", "runas") or FileName in~ ("mstsc.exe", "splashtop.exe", "teamviewer.exe", "anydesk.exe", "chrome.exe")
| join kind=inner TeamsExternalContact on AccountName, DeviceName
| where Timestamp >= ContactTime and Timestamp <= ContactTime + 24h
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, ProcessId
| limit 1000
let SuspiciousLogon = SigninLogs
| where TimeGenerated > ago(7d)
| where RiskDetail has_any ("unfamiliarLocation", "atypicalTravelProperties", "maliciousIPAddress") or ConditionalAccessStatus == "failure"
| where AppDisplayName has_any ("Teams", "Outlook", "SharePoint", "OneDrive")
| project LogonTime=TimeGenerated, UserPrincipalName, IPAddress, DeviceName;
CloudAppEvents
| where TimeGenerated > ago(7d)
| where ActionType in ("FileDownloaded", "FileUploaded", "FileShared", "MailItemsAccessed", "SearchQueryInitiatedSharePoint</div>
</div>
<div style="padding:8px 18px;background:#f8fafc;border-top:1px solid #e2e8f0;
font-size:12px;color:#64748b;">
Source: <a href="https://www.microsoft.com/en-us/security/blog/2026/04/18/crosstenant-helpdesk-impersonation-data-exfiltration-human-operated-intrusion-playbook/" style="color:#2563eb;text-decoration:none;">microsoft.com</a>
</div>
</div>
<div style="border:1px solid #e2e8f0;border-radius:8px;margin-bottom:28px;
overflow:hidden;box-shadow:0 1px 4px rgba(0,0,0,.06);
font-family:-apple-system,'Segoe UI',Arial,sans-serif;">
<div style="padding:14px 18px;border-bottom:1px solid #e2e8f0;border-left:4px solid #64748b;background:#f8fafc;">
<span style="float:right;font-size:13px;font-weight:700;padding:2px 10px;
border-radius:3px;background:#94a3b8;color:#fff;">3/100</span>
<div style="margin:0 0 6px;font-size:15px;font-weight:600;">
<a href="https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" style="color:#1e293b;text-decoration:none;">Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)</a>
</div>
<div style="font-size:12px;color:#64748b;margin-top:6px;">
<span style="margin-right:14px;">CVSS 0.0</span>
<span style="margin-right:14px;">EPSS 0.0%</span>
<span>unit42.paloaltonetworks.com</span>
</div>
<div style="margin-top:8px;line-height:2;"><span style="display:inline-block;padding:2px 10px;border-radius:3px;font-size:11px;font-weight:600;letter-spacing:0.3px;margin-right:6px;margin-bottom:4px;background:#f1f5f9;color:#475569;">KQL</span></div>
</div>
<div style="padding:14px 18px;">
<span style="font-size:11px;font-weight:700;color:#64748b;text-transform:uppercase;letter-spacing:0.8px;margin:12px 0 4px;display:block;margin-top:0;">Analysis</span>
<div class="summary">Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) CVEs: N/A CVSS: 0.0 | EPSS: 0.0% | Priority: 2.7/100 ATT&CK: N/A Detection language: KQL Source: unit42.paloaltonetworks.com -- https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/ Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders. The post Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17) appeared first on Unit 42 .</div>
</div>
<div style="padding:8px 18px;background:#f8fafc;border-top:1px solid #e2e8f0;
font-size:12px;color:#64748b;">
Source: <a href="https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/" style="color:#2563eb;text-decoration:none;">unit42.paloaltonetworks.com</a>
</div>
</div>
<div style="border:1px solid #e2e8f0;border-radius:8px;margin-bottom:28px;
overflow:hidden;box-shadow:0 1px 4px rgba(0,0,0,.06);
font-family:-apple-system,'Segoe UI',Arial,sans-serif;">
<div style="padding:14px 18px;border-bottom:1px solid #e2e8f0;border-left:4px solid #64748b;background:#f8fafc;">
<span style="float:right;font-size:13px;font-weight:700;padding:2px 10px;
border-radius:3px;background:#94a3b8;color:#fff;">2/100</span>
<div style="margin:0 0 6px;font-size:15px;font-weight:600;">
<a href="https://www.wiz.io/blog/wiz-iac-inventory" style="color:#1e293b;text-decoration:none;">IaC Inventory: A Unified View Across Code, Deployments, and Cloud</a>
</div>
<div style="font-size:12px;color:#64748b;margin-top:6px;">
<span style="margin-right:14px;">CVSS 0.0</span>
<span style="margin-right:14px;">EPSS 0.0%</span>
<span>wiz.io</span>
</div>
<div style="margin-top:8px;line-height:2;"><span style="display:inline-block;padding:2px 10px;border-radius:3px;font-size:11px;font-weight:600;letter-spacing:0.3px;margin-right:6px;margin-bottom:4px;background:#f1f5f9;color:#475569;">KQL</span></div>
</div>
<div style="padding:14px 18px;">
<span style="font-size:11px;font-weight:700;color:#64748b;text-transform:uppercase;letter-spacing:0.8px;margin:12px 0 4px;display:block;margin-top:0;">Analysis</span>
<div class="summary"># SOC BRIEFING: IaC Inventory & Configuration Drift Detection
## SUMMARY
Infrastructure-as-Code (IaC) resources—particularly those supporting AI applications—are proliferating across cloud environments with limited visibility into deployment state, configuration drift, and unauthorized modifications. Untracked IaC drift creates attack surface for privilege escalation, lateral movement, and persistence without detection.
## TRIAGE
**Severity: Medium**
**Priority: Investigate within 24 hours**
Detection focus: unauthorized IaC modifications, cloud resource creation outside change control, and configuration divergence from source repositories.
---
## DETECTION
**Query 1: Detect Unauthorized Cloud Resource Creation (Advanced Hunting)**
**Query 2: Detect IaC Configuration Drift via Unauthorized Registry/File Modifications (Endpoint)**
**Query 3: Detect Suspicious Service Principal / Managed Identity Activity on IaC Resources (Azure AD)**
Source: wiz.io
Analysis
# SOC BRIEFING: NIGERIAN ADVANCE-FEE SCAM CAMPAIGN
## SUMMARY
Classic advance-fee scams (Nigerian prince variants) continue to successfully compromise users through social engineering and credential harvesting, often leading to wire fraud, BEC attacks, or lateral movement into corporate networks. These campaigns remain effective because they exploit human psychology rather than technical vulnerabilities, making them difficult to block purely through technical controls.
## TRIAGE
**Severity: HIGH**
Immediate investigation priority. While not a zero-day exploit, successful compromise enables wire fraud, account takeover, and potential lateral movement. Focus on users who engaged with suspicious emails and any downstream credential usage.
---
## DETECTION
**Query 1: Identify suspicious email with advance-fee scam indicators**
**Query 2: Detect credential entry or password reset following suspicious email receipt**
**Query 3: Detect unusual wire transfer or payment-related process execution post-email**
---
## MITRE ATT&CK
- **T1566.002** – Phishing: Spearphishing Link
- **T1598.003** – Phishing for Information: Spearphishing Link
- **T1589.001** – Gather Victim Identity Information: Credentials
- **T1110.001** – Brute Force: Password Guessing
- **T1078.001** – Valid
EmailEvents
| where Timestamp > ago(7d)
| where (Subject has_any ("inheritance", "lottery", "unclaimed funds", "tax refund", "prince", "advance fee", "wire transfer", "urgent payment") or Body has_any ("wire funds", "bank details", "payment required", "claim your", "verify account"))
| where DeliveryAction =~ "Delivered" or DeliveryAction =~ "Delivered as spam"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, ThreatTypes, DetectionMethods
| limit 1000
let suspicious_senders = EmailEvents
| where Timestamp > ago(7d)
| where (Subject has_any ("inheritance", "lottery", "unclaimed funds", "tax refund", "prince", "advance fee") or Body has_any ("wire funds", "bank details", "payment required"))
| distinct RecipientEmailAddress;
SigninLogs
| where Timestamp > ago(7d)
| where UserPrincipalName in (suspicious_senders)
| where ResultType != "0"
| where ClientAppUsed =~ "Browser"
| where RiskLevelDuringSignIn =~ "high" or RiskLevelAggregated =~ "high"
| project Timestamp, UserPrincipalName, AppDisplayName, IPAddress, ResultType, RiskLevelDuringSignIn, Location
| limit 1000
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("wire", "transfer", "payment", "banking", "swift", "iban") or FileName has_any ("banking.exe", "transfer.exe", "payment.exe")
| where ProcessIntegrityLevel =~ "Low" or ProcessTokenElevation =~ "TokenElevationTypeLimited"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FileName, ProcessId, InitiatingProcessFileName
| limit 1000
Source: malwarebytes.com
2/100
CVSS 0.0
EPSS 0.0%
microsoft.com
KQL
Analysis
# SOC BRIEFING: Domain Compromise & Lateral Movement Detection
## SUMMARY
A domain compromise enabled rapid lateral movement across the environment through credential abuse, which was contained via exposure-based detection and isolation. This scenario highlights the critical need to detect anomalous authentication patterns and lateral movement indicators before attackers establish persistence across multiple systems.
## TRIAGE
**Severity: CRITICAL**
Immediate investigation priority. Domain compromise with active lateral movement represents the highest-risk post-breach scenario. Assume credential exposure and begin containment immediately.
---
## DETECTION
**Query 1: Anomalous Logon Events – Impossible Travel & Unusual Locations**
**Query 2: Lateral Movement via Process Execution – Credential Access Patterns**
**Query 3: Credential Abuse – Multiple Failed Logons Followed by Success**
```
let TimeWindow = 7d;
let FailureThreshold = 5;
SecurityEvent
| where TimeGenerated > ago(TimeWindow)
| where EventID in (4625, 4624)
| project Timestamp = TimeGenerated, Computer, Account, LogonType, I
let TimeWindow = 7d;
let AlertThreshold = 3;
SigninLogs
| where TimeGenerated > ago(TimeWindow)
| where ResultType == 0
| where UserType == "Member"
| project Timestamp = TimeGenerated, UserPrincipalName, IPAddress, Location, DeviceDetail, AppDisplayName, AuthenticationMethodsUsed
| summarize LogonCount = count(), UniqueIPs = dcount(IPAddress), UniqueLocations = dcount(Location), LatestLogon = max(Timestamp) by UserPrincipalName
| where LogonCount >= AlertThreshold and UniqueLocations >= 2
| join kind=inner (
SigninLogs
| where TimeGenerated > ago(TimeWindow)
| where ResultType == 0
| project UserPrincipalName, IPAddress, Location, Timestamp = TimeGenerated
) on UserPrincipalName
| project UserPrincipalName, LogonCount, UniqueIPs, UniqueLocations, LatestLogon, IPAddress, Location
| limit 1000
let TimeWindow = 7d;
let SuspiciousProcesses = dynamic(["mimikatz.exe", "procdump.exe", "psexec.exe", "wmiexec.vbs", "secretsdump.py", "lsass.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(TimeWindow)
| where ProcessCommandLine has_any (SuspiciousProcesses) or FileName in (SuspiciousProcesses)
| where AccountName !has "SYSTEM" and AccountName !has "LOCAL SERVICE"
| project Timestamp, DeviceName, DeviceId, ProcessCommandLine, FileName, AccountName, AccountDomain, ProcessId, InitiatingProcessFileName
| join kind=inner (
DeviceNetworkEvents
| where TimeGenerated > ago(TimeWindow)
| where ActionType == "ConnectionSuccess"
| project DeviceId, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName
) on DeviceId
| project Timestamp, DeviceName, ProcessCommandLine, FileName, AccountName, RemoteIP, RemotePort, RemoteUrl
| limit 1000
Source: microsoft.com
ThreatPulse — Automated Threat Intelligence
Unsubscribe |
Update Preferences
Don't miss what's next. Subscribe to Ethan Andrews: