ThreatPulse — April 20, 2026 | 10 threats, personalised for Ethan Andrews
Personalised for Ethan Andrews | Detection Engineer | Detection: KQL
CVE-2026-6581 is a buffer overflow in the SetMobileAPInfoById function of H3C Magic B1 devices, reachable remotely through the /goform/aspForm handler and rated CVSS 8.8 (high). Detection looks for requests that reach that handler, the scripted clients that send them, and process activity on monitored hosts that references the endpoint.
Detection (KQL)
let timeframe = 7d;
// Interactive browsers are excluded; scripted clients (curl, wget) and anything else reaching the endpoint are kept
let browsers = dynamic(["chrome.exe", "msedge.exe", "iexplore.exe", "firefox.exe"]);
union
  (DeviceNetworkEvents
   | where Timestamp > ago(timeframe)
   | where RemoteUrl has "goform/aspForm" or RemoteUrl has "SetMobileAPInfoById"
   | where InitiatingProcessFileName !in (browsers)
   | extend Source = "network"
   | project Timestamp, Source, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
  (DeviceProcessEvents
   | where Timestamp > ago(timeframe)
   | where ProcessCommandLine has_any ("goform", "SetMobileAPInfoById", "aspForm")
   | where ProcessCommandLine has_any ("curl", "wget", "powershell", "cmd.exe")
   | extend Source = "process"
   | project Timestamp, Source, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
  (SecurityEvent
   | where TimeGenerated > ago(timeframe)
   | where EventID in (4624, 4625) and LogonType == 3          // network logon success / failure
   | where TargetUserName has_any ("admin", "root")
   | where Computer has_any ("h3c", "magic", "b1")             // hostnames of H3C management hosts
   | extend Source = "auth", Timestamp = TimeGenerated
   | project Timestamp, Source, DeviceName = Computer, TargetUserName, Activity, RemoteIP = IpAddress)
| summarize EventCount = count(), UniqueDevices = dcount(DeviceName), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by Source, RemoteIP, RemoteUrl, InitiatingProcessFileName, ProcessCommandLine
| where EventCount > 1
| order by LastSeen desc
| limit 1000
Detection Logic
Flags network connections to H3C devices that reach the vulnerable /goform/aspForm endpoint and name SetMobileAPInfoById, together with scripted clients (curl, wget, PowerShell, cmd.exe) invoking the endpoint from monitored hosts. Cross-reference with authentication anomalies on H3C management hosts and inspect request payloads for overflow indicators such as oversized parameter values.
Affected Products: H3C Magic B1 · H3C Magic B1 up to 100R004
MITRE ATT&CK: none listed
False positives: Legitimate administrative tools (curl, wget) used by IT staff for device management may trigger alerts; allowlist known management IP ranges and administrative accounts. Standard browser traffic to H3C management interfaces should be excluded, as should routine device health checks and firmware updates from H3C vendor infrastructure.
CVE-2026-6563 is a remote buffer overflow in the SetAPWifiorLedInfoById function of /goform/aspForm on H3C Magic B1 devices, exploitable without authentication. Detection looks for requests to that handler, anomalous process execution referencing it, and file changes under the web application paths on H3C devices or their management hosts.
Detection (KQL)
let timeframe = 7d;
// 'param' was dropped from the indicator list: it matches ordinary command-line switches and drowns the signal
let h3c_indicators = dynamic(['SetAPWifiorLedInfoById', 'aspForm', 'Magic B1']);
union
  (DeviceNetworkEvents
   | where Timestamp > ago(timeframe)
   | where RemoteUrl has_any ('goform/aspForm', '/goform/', 'SetAPWifiorLedInfoById')
   | where ActionType in ('ConnectionSuccess', 'ConnectionAttempted', 'ConnectionFailed')
   | extend Source = 'network'
   | project Timestamp, Source, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine),
  (DeviceProcessEvents
   | where Timestamp > ago(timeframe)
   | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any ('goform', 'aspForm')
   | extend Source = 'process'
   | project Timestamp, Source, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
  (DeviceFileEvents
   | where Timestamp > ago(timeframe)
   | where FolderPath has_any ('goform', 'aspForm') or FileName has_any (h3c_indicators)
   | where ActionType in ('FileCreated', 'FileModified', 'FileDeleted')
   | extend Source = 'file'
   | project Timestamp, Source, DeviceName, FolderPath, FileName, ActionType, AccountName)
// Grouping by the raw Timestamp made every count 1; bucket per hour and per device instead
| summarize EventCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by Hour = bin(Timestamp, 1h), Source, DeviceName, RemoteIP, ProcessCommandLine, FileName
| order by LastSeen desc
| limit 1000
Detection Logic
Flags network connections to the vulnerable /goform/aspForm endpoint that name SetAPWifiorLedInfoById, process launches whose command lines carry overflow-sized payloads, and suspicious file changes in web application directories. Correlate the network, process and file events on the same device to reconstruct the attack chain.
Affected Products: H3C Magic B1 · H3C Magic B1 up to 100R004
MITRE ATT&CK: none listed
False positives: Legitimate administrative access to H3C management interfaces, routine firmware updates or configuration changes via /goform/ endpoints, and normal web application file operations may trigger alerts. Allowlist known management IPs, scheduled maintenance windows and authenticated administrative accounts, and filter out internal scanning and vulnerability assessment tools that probe these endpoints.
CVE-2026-6560 is a remote buffer overflow in the Edit_BasicSSID function of /goform/aspForm on H3C Magic B0 devices, rated CVSS 8.8 (high). Detection should focus on malicious web requests to that handler and on the process execution or network anomalies that follow them.
Detection (KQL)
let timeframe = 7d;
let h3c_indicators = dynamic(['Edit_BasicSSID', 'aspForm', 'goform']);
union
  (DeviceNetworkEvents
   | where Timestamp > ago(timeframe)
   | where RemoteUrl has_any (h3c_indicators) or InitiatingProcessCommandLine has_any (h3c_indicators)
   | extend Source = 'network'
   | project Timestamp, Source, DeviceId, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
  (DeviceProcessEvents
   | where Timestamp > ago(timeframe)
   | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any (h3c_indicators)
   | extend Source = 'process'
   | project Timestamp, Source, DeviceId, DeviceName, ProcessCommandLine, ProcessId, FileName, FolderPath, AccountName, ActionType),
  (SecurityEvent
   | where TimeGenerated > ago(timeframe)
   | where EventID == 4688                                     // CommandLine is only populated on process-creation events
   | where CommandLine has_any (h3c_indicators) or Activity has_any (h3c_indicators)
   | extend Source = 'winsec', Timestamp = TimeGenerated
   | project Timestamp, Source, DeviceName = Computer, Activity, ProcessCommandLine = CommandLine, AccountName = Account, EventID)
// The original trailing filter on ActionType/Activity matched every row and has been removed
| order by Timestamp desc
| limit 1000
Detection Logic
Flags HTTP requests containing the Edit_BasicSSID, aspForm or goform path indicators aimed at H3C devices, then correlates them with subsequent suspicious process creation, command execution or unexpected network connections from the affected hosts. Focus on remote connection attempts to H3C management interfaces and on oversized values in request payloads, the usual sign of an overflow attempt.
Affected Products: H3C Magic B0 · H3C Magic B0 100R002
MITRE ATT&CK: none listed
False positives: Legitimate H3C device management traffic and administrative configuration changes may trigger alerts; allowlist known H3C management IPs and scheduled maintenance windows. Filter out normal firmware update processes and authenticated administrative sessions, and exclude internal network scanning and vulnerability assessment tools that probe H3C devices.
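The three H3C items above hinge on the same request pattern, so one added example serves all of them: it parses constructed request-log lines, picks out requests that reach /goform/aspForm and name one of the three vulnerable handlers, and treats an oversized parameter value as the overflow indicator the detection logic asks for. This is example code written for this issue, not code from ThreatPulse or H3C. The log-line shape, the `func` selector parameter, the 64-byte sanity limit and the management allowlist address are all assumptions.

```python
# Added example, not ThreatPulse's or H3C's code. Scores HTTP requests against the three
# /goform/aspForm handlers named in the advisories above. The request-log shape, the name of
# the function-selector parameter ("func") and the 64-byte sanity limit are assumptions.
import re
from urllib.parse import parse_qs, urlsplit

VULNERABLE_HANDLERS = {
    "SetMobileAPInfoById": "CVE-2026-6581",
    "SetAPWifiorLedInfoById": "CVE-2026-6563",
    "Edit_BasicSSID": "CVE-2026-6560",
}
MAX_SANE_VALUE_LEN = 64              # assumed: SSID/AP fields on these devices are short
MANAGEMENT_ALLOWLIST = {"10.0.0.5"}  # assumed admin host; suppresses probes, never oversized payloads

# Constructed log lines: client, request line, and for POSTs the form body
SAMPLE_LOG = [
    '10.0.0.5 "GET /goform/aspForm?func=Edit_BasicSSID&ssid=CorpWifi HTTP/1.1"',
    '203.0.113.7 "POST /goform/aspForm HTTP/1.1" body="func=SetMobileAPInfoById&param=' + "A" * 300 + '"',
    '203.0.113.7 "POST /goform/aspForm HTTP/1.1" body="func=SetAPWifiorLedInfoById&param=' + "%41" * 200 + '"',
    '198.51.100.9 "GET /index.html HTTP/1.1"',
    '198.51.100.9 "GET /goform/aspForm?func=Edit_BasicSSID&ssid=' + "B" * 500 + ' HTTP/1.1"',
    '198.51.100.9 "GET /goform/aspForm?func=SetMobileAPInfoById HTTP/1.1"',
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"(?: body="(?P<body>[^"]*)")?$'
)


def parse_request(line):
    """Split a log line into client, method, path and merged query+body parameters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query, keep_blank_values=True)   # percent-decodes values
    if m["body"]:
        for key, values in parse_qs(m["body"], keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"client": m["client"], "method": m["method"], "path": url.path, "params": params}


def classify(req):
    """Return a finding for requests that name a vulnerable handler, else None."""
    if req is None or not req["path"].endswith("/goform/aspForm"):
        return None
    handler = next((h for h in VULNERABLE_HANDLERS if h in req["params"].get("func", [])), None)
    if handler is None:
        return None
    # Longest decoded value across all parameters: the overflow indicator
    longest = max((len(v) for values in req["params"].values() for v in values), default=0)
    oversized = longest > MAX_SANE_VALUE_LEN
    if req["client"] in MANAGEMENT_ALLOWLIST and not oversized:
        return None                      # routine admin traffic from a known host
    return {
        "client": req["client"],
        "cve": VULNERABLE_HANDLERS[handler],
        "handler": handler,
        "longest_value": longest,
        "verdict": "exploit_attempt" if oversized else "probe",
    }


def scan(lines):
    return [hit for hit in (classify(parse_request(line)) for line in lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Two design points matter in practice: parameter values are percent-decoded before measuring, so a payload sent as `%41%41...` is counted at its decoded length, and the allowlist only suppresses bare probes; an oversized value from an admin host still alerts, because that is exactly what a compromised management workstation would send.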
CVE-2026-33825 is a Windows Defender zero-day enabling local privilege escalation to SYSTEM on Windows 10 and 11, with a proof-of-concept named BlueHammer. Detection focuses on Defender binaries, or files under the Defender directories, being launched with an elevated token from an unusual parent process.
Detection (KQL)
let timeWindow = 7d;
// WinDefend is the service name, not a binary; Defender files are also matched on folder path below
let defenderProcesses = dynamic(['MsMpEng.exe', 'NisSrv.exe']);
let suspiciousParents = dynamic(['explorer.exe', 'cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvcs.exe', 'regasm.exe', 'InstallUtil.exe']);
let parentPattern = @'(?i)(powershell|cmd|rundll32|regsvcs|regasm|installutil)';
union
  (DeviceProcessEvents
   | where Timestamp > ago(timeWindow)
   | where ProcessTokenElevation in ('TokenElevationTypeFull', 'TokenElevationTypeDefault')
   | where FileName in~ (defenderProcesses)
       or FolderPath has @'Windows\Defender'
       or FolderPath has @'ProgramData\Microsoft\Windows Defender'
   | where InitiatingProcessFileName in~ (suspiciousParents) or InitiatingProcessCommandLine matches regex parentPattern
   | project Timestamp, DeviceName, DeviceId, ProcessId, FileName, FolderPath, ProcessCommandLine, ProcessTokenElevation, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, AccountDomain),
  (SecurityEvent
   | where TimeGenerated > ago(timeWindow)
   | where EventID == 4688
   | where NewProcessName has_any (defenderProcesses) or NewProcessName has @'Windows\Defender'
   | where TokenElevationType in ('%%1936', '%%1937')           // 1936 = default token, 1937 = full token
   | where ParentProcessName has_any (suspiciousParents) or CommandLine matches regex parentPattern
   | extend Timestamp = TimeGenerated
   | project Timestamp, DeviceName = Computer, ProcessId = NewProcessId, FileName = NewProcessName, ProcessCommandLine = CommandLine, ProcessTokenElevation = TokenElevationType, InitiatingProcessFileName = ParentProcessName, AccountName = SubjectUserName, AccountDomain = SubjectDomainName)
| order by Timestamp desc
| limit 1000
Detection Logic
Flags process creations where a Windows Defender binary (MsMpEng.exe, NisSrv.exe) or a file under the Defender directories starts with a full or default elevation token from an unusual parent (cmd.exe, powershell.exe, rundll32.exe, regsvcs.exe, regasm.exe, InstallUtil.exe). DeviceProcessEvents and SecurityEvent (EventID 4688) are unioned so that both Defender for Endpoint and Windows audit telemetry feed the same rule for CVE-2026-33825.
Affected Products: Windows 10 · Windows 11 · Microsoft Defender
MITRE ATT&CK: none listed
False positives: Legitimate Defender updates and maintenance tasks spawn elevated processes; filter on Microsoft-signed binaries and scheduled-task execution contexts, exclude children of C:\Windows\System32\svchost.exe and of Windows Update processes, and tune to the organisation's baseline of normal Defender process behaviour.
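The rule above is a parent/child check, but the false-positive note asks for an ancestry check (anything descending from svchost.exe or Windows Update is benign), which a flat query cannot express. The added example below, written for this issue and not taken from ThreatPulse or Microsoft, applies the rule to a constructed process tree and walks each candidate's lineage with a cycle guard. Field names mirror DeviceProcessEvents; the Windows Update binaries in `WINDOWS_UPDATE`, the process tree and the `MpCmdRun.exe` sample are assumptions.

```python
# Added example, not ThreatPulse's or Microsoft's code. Applies the parent/child rule for
# CVE-2026-33825 to a constructed process tree and walks each candidate's ancestry so that
# Defender children of svchost.exe or Windows Update are excluded, as the false-positive
# note asks. Field names mirror DeviceProcessEvents; the update binaries are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    parent_pid: int
    file_name: str
    folder_path: str
    token_elevation: str   # TokenElevationTypeDefault | TokenElevationTypeFull | TokenElevationTypeLimited
    account: str


DEFENDER_BINARIES = {"msmpeng.exe", "nissrv.exe"}   # WinDefend is a service name; covered by the path check
DEFENDER_PATH_MARK = "\\windows defender"
SUSPICIOUS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
                      "regsvcs.exe", "regasm.exe", "installutil.exe"}
ELEVATED = {"TokenElevationTypeFull", "TokenElevationTypeDefault"}
SVCHOST = ("svchost.exe", "c:\\windows\\system32")
WINDOWS_UPDATE = {"wuauclt.exe", "usoclient.exe", "tiworker.exe"}  # assumed update lineage

DEFENDER_DIR = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18"
# Constructed process tree: a normal service start, a scheduled task under svchost,
# a user shell launching a Defender file with a full token, and an orphaned event.
SAMPLE_EVENTS = [
    ProcessEvent(4, 0, "services.exe", r"C:\Windows\System32", "TokenElevationTypeDefault", "SYSTEM"),
    ProcessEvent(800, 4, "svchost.exe", r"C:\Windows\System32", "TokenElevationTypeDefault", "SYSTEM"),
    ProcessEvent(900, 800, "MsMpEng.exe", DEFENDER_DIR, "TokenElevationTypeDefault", "SYSTEM"),
    ProcessEvent(2000, 800, "cmd.exe", r"C:\Windows\System32", "TokenElevationTypeDefault", "SYSTEM"),
    ProcessEvent(2100, 2000, "MpCmdRun.exe", DEFENDER_DIR, "TokenElevationTypeFull", "SYSTEM"),
    ProcessEvent(1200, 1100, "explorer.exe", r"C:\Windows", "TokenElevationTypeLimited", "alice"),
    ProcessEvent(1300, 1200, "cmd.exe", r"C:\Windows\System32", "TokenElevationTypeLimited", "alice"),
    ProcessEvent(1400, 1300, "MpCmdRun.exe", DEFENDER_DIR, "TokenElevationTypeFull", "SYSTEM"),
    ProcessEvent(1500, 1200, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0", "TokenElevationTypeLimited", "alice"),
    ProcessEvent(1600, 1500, "NisSrv.exe", DEFENDER_DIR, "TokenElevationTypeLimited", "alice"),
    ProcessEvent(1800, 9999, "MsMpEng.exe", DEFENDER_DIR, "TokenElevationTypeFull", "SYSTEM"),
]


def is_defender(ev):
    return ev.file_name.lower() in DEFENDER_BINARIES or DEFENDER_PATH_MARK in ev.folder_path.lower()


def lineage(ev, by_pid):
    """Yield ancestors from parent upward; stops at unknown pids and guards against pid reuse loops."""
    seen, cur = {ev.pid}, ev
    while cur.parent_pid in by_pid and cur.parent_pid not in seen:
        cur = by_pid[cur.parent_pid]
        seen.add(cur.pid)
        yield cur


def trusted_lineage(ev, by_pid):
    for anc in lineage(ev, by_pid):
        name, path = anc.file_name.lower(), anc.folder_path.lower()
        if (name, path) == SVCHOST or name in WINDOWS_UPDATE:
            return True
    return False


def evaluate(events):
    """Return (pid, reason) for Defender children that need analyst attention."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        if not is_defender(ev) or ev.token_elevation not in ELEVATED:
            continue
        parent = by_pid.get(ev.parent_pid)
        if parent is None:
            alerts.append((ev.pid, "unknown_parent"))   # cannot attribute; surface for review
            continue
        if parent.file_name.lower() not in SUSPICIOUS_PARENTS:
            continue
        if trusted_lineage(ev, by_pid):
            continue                                    # scheduled task or update context
        alerts.append((ev.pid, parent.file_name.lower()))
    return alerts


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))
```

Pid 2100 is the case the flat rule gets wrong: cmd.exe is its parent, but svchost.exe from System32 is its grandparent, so it is a task-scheduler child and is dropped; pid 1400, the same binary under a user's interactive shell, is the one that alerts. Events whose parent never appears in telemetry are reported separately rather than silently passed.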
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
CVEs: CVE-2023-33538 | CVSS: 0.0 | EPSS: 0.0% | Priority: 2.5/100 | ATT&CK: N/A | Detection language: KQL
Source: unit42.paloaltonetworks.com -- https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware.
Summary: Threat actors impersonate IT helpdesk via cross-tenant Microsoft Teams collaboration to trick users into granting remote access, then abuse legitimate tools for lateral movement and data exfiltration. Detection focuses on anomalous Teams external collaboration patterns, suspicious remote access tool execution, and data access anomalies correlated with helpdesk impersonation indicators.
MITRE ATT&CK: T1566.002 · T1598.003 · T1199 · T1550.001 · T1570 · T1021.001 · T1021.006 · T1087 · T1010 · T1005 · T1020
Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)
CVEs: N/A | CVSS: 0.0 | EPSS: 0.0% | Priority: 2.7/100 | ATT&CK: N/A | Detection language: KQL
Source: unit42.paloaltonetworks.com -- https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and cybercrime. We include recommendations for defenders.
Summary: This threat focuses on visibility and inventory management of Infrastructure-as-Code (IaC) resources across cloud deployments, particularly as AI applications introduce new resource types. Detection should identify unauthorized IaC modifications, unexpected resource deployments, and configuration drift that could indicate compromise or misconfiguration.
MITRE ATT&CK: T1199 · T1526 · T1538 · T1580
Detection (KQL)
let TimeWindow = 7d; let SuspiciousIaCPatterns = dynamic(['terraform', 'cloudformation', 'bicep', 'ansible', 'pulum
Nigerian advance-fee scams use email-borne social engineering to persuade users to send money or credentials, frequently targeting Office 365 mailboxes and abusing cloud services for the lure. Detection focuses on suspicious subject and sender patterns, credential-harvesting requests, and unusual financial transaction requests.
Detection (KQL)
let timeframe = 7d;
let suspicious_keywords = dynamic(['advance fee', 'wire transfer', 'urgent payment', 'inheritance', 'lottery', 'nigerian', 'prince', 'bank details', 'verify account', 'confirm identity', 'urgent action required']);
let financial_keywords = dynamic(['payment', 'transfer', 'account', 'banking', 'funds', 'money']);
// Replace 'company.com' with your accepted domains. EmailEvents carries no message body (there is no
// BodyPreview column), so matching is on Subject plus the sender authentication verdicts.
let trusted_domains = dynamic(['microsoft.com', 'office365.com', 'company.com']);
EmailEvents
| where TimeGenerated > ago(timeframe)
| where EmailDirection == 'Inbound'
| where isnotempty(Subject)
| extend SubjectLower = tolower(Subject)
| where SubjectLower has_any (suspicious_keywords)
| where SubjectLower has_any (financial_keywords)
| where SenderFromDomain !in (trusted_domains)
| extend SuspiciousIndicators =
      iff(SubjectLower has 'urgent', 1, 0)
    + iff(SubjectLower has 'verify', 1, 0)
    + iff(SubjectLower has 'confirm', 1, 0)
    + iff(SubjectLower has 'click', 1, 0)
    + iff(AuthenticationDetails has 'fail', 1, 0)   // SPF, DKIM or DMARC failure
| where SuspiciousIndicators >= 2
| project TimeGenerated, SenderFromAddress, SenderFromDomain, SenderDisplayName, Subject, RecipientEmailAddress, AuthenticationDetails, ThreatTypes, DeliveryAction, SuspiciousIndicators
| order by TimeGenerated desc
| limit 1000
Detection Logic
Identifies inbound mail whose subject combines advance-fee scam keywords (Nigerian prince, inheritance, urgent payment, wire transfer) with a financial action request and social engineering cues (verify account, confirm identity, click here). Trusted internal and partner sender domains are filtered out, and each message is scored by the density of its indicators so that a single keyword hit does not alert on its own.
Affected Products: Microsoft Office 365 · Microsoft Exchange Online · Microsoft Defender for Office 365
MITRE ATT&CK: none listed
False positives: Legitimate financial institutions, payroll systems and banking partners may trigger alerts; allowlist internal finance departments and trusted external payment processors. Exclude newsletters about inheritance planning or lottery notifications from legitimate sources, and adjust the keyword list to the organisation's own terminology to cut noise from ordinary business mail.
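To show how the scoring behaves at the margins (a trusted banking partner, a newsletter that matches keywords but asks for nothing, a message that scores just under the threshold), the added example below runs the same rule over constructed messages. It is example code written for this issue, not ThreatPulse's query; it scores subject and body together, which is more than the EmailEvents table exposes, and it parses the SPF/DKIM/DMARC verdicts that `AuthenticationDetails` carries as JSON. The trusted-domain list and every message are constructed.

```python
# Added example, not ThreatPulse's code. Scores constructed inbound messages the way the
# advance-fee query does (scam keyword + financial keyword + action words, sender allowlist),
# and adds the signal the query's AuthenticationDetails column carries: SPF/DKIM/DMARC failure.
# The trusted-domain list and every message below are constructed for the example.
import json

SUSPICIOUS_KEYWORDS = ["advance fee", "wire transfer", "urgent payment", "inheritance", "lottery",
                       "nigerian", "prince", "bank details", "verify account", "confirm identity",
                       "urgent action required"]
FINANCIAL_KEYWORDS = ["payment", "transfer", "account", "banking", "funds", "money"]
ACTION_WORDS = ["urgent", "verify", "confirm", "click"]
TRUSTED_DOMAINS = {"microsoft.com", "office365.com", "example.com", "bank.example.org"}  # assumed

SAMPLE_EMAILS = [  # constructed; "auth" mimics the AuthenticationDetails JSON string
    {"sender": "barrister@mail.example.net",
     "subject": "URGENT: inheritance funds transfer - confirm your bank details",
     "body": "Click the secure link to verify your identity and release the funds.",
     "auth": '{"SPF":"fail","DKIM":"none","DMARC":"fail","CompAuth":"fail"}'},
    {"sender": "payroll@example.com", "subject": "Payment confirmation for March",
     "body": "Your salary transfer has been processed.",
     "auth": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'},
    {"sender": "news@lotteryblog.example.net", "subject": "Lottery winners share their money stories",
     "body": "Read this month's feature.",
     "auth": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'},
    {"sender": "alerts@bank.example.org", "subject": "Please verify account: urgent action required",
     "body": "Click to confirm your identity.",
     "auth": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'},
    {"sender": "prince@free.example.net", "subject": "Prince seeks partner to move funds",
     "body": "Click the link for details.",
     "auth": '{"SPF":"pass","DKIM":"pass","DMARC":"pass","CompAuth":"pass"}'},
]


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def auth_failed(details):
    """True if the AuthenticationDetails JSON records an SPF, DKIM or DMARC failure."""
    try:
        verdicts = json.loads(details or "{}")
    except ValueError:
        return False                      # malformed field: do not count it either way
    return any(str(verdicts.get(k, "")).lower() == "fail" for k in ("SPF", "DKIM", "DMARC"))


def score(msg):
    """Return (indicator count, reasons) for one message."""
    text = f"{msg['subject']} {msg['body']}".lower()
    if not any(k in text for k in SUSPICIOUS_KEYWORDS) or not any(k in text for k in FINANCIAL_KEYWORDS):
        return 0, []
    if sender_domain(msg["sender"]) in TRUSTED_DOMAINS:
        return 0, ["trusted sender"]     # allowlist from the false-positive note
    reasons = [w for w in ACTION_WORDS if w in text]
    if auth_failed(msg["auth"]):
        reasons.append("auth failure")
    return len(reasons), reasons


def triage(messages, threshold=2):
    findings = []
    for msg in messages:
        s, reasons = score(msg)
        if s >= threshold:
            findings.append((msg["sender"], s, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAILS):
        print(finding)
```

Only the first message reaches the threshold; the lottery newsletter matches two keyword lists but no call to action, the banking partner is allowlisted, and the "prince" lure scores a single indicator and slips through. That last case is the cost of the `>= 2` threshold and is the knob to turn if the organisation sees few legitimate mails with those keywords.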
Summary: This detection identifies lateral movement patterns following domain compromise by correlating credential abuse, unusual logon activity, and process execution across multiple devices within a short timeframe. The query surfaces suspicious authentication chains and cross-device activity that indicate threat actor momentum during post-compromise lateral movement.
MITRE ATT&CK: T1021 · T1078 · T1550 · T1556
Detection (KQL)
let timeWindow = 7d; let suspiciousLogonThreshold = 5; let lateralMovementWindow = 1h; DeviceLogonEvents |
ThreatPulse — Automated Threat Intelligence