ThreatPulse — April 20, 2026 | 10 threats, personalised for Demo User
Personalised for Demo User | SOC Analyst | Detection: KQL
CVE-2026-6581 is a critical buffer overflow vulnerability in H3C Magic B1 devices affecting the SetMobileAPInfoById function, exploitable remotely with a CVSS score of 8.8. Detection focuses on identifying exploitation attempts targeting H3C devices through network traffic patterns and process execution anomalies.
Detection (KQL)
let timeframe = 7d;
union
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemoteUrl has "goform/aspForm" or RemoteUrl has "SetMobileAPInfoById"
    // browsers reaching the management UI are expected; scripted clients (curl, wget, ...) are what this leg is after
    | where InitiatingProcessFileName !in~ ("chrome.exe", "iexplore.exe", "firefox.exe")
    | project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
    (DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where ProcessCommandLine has_any ("goform", "SetMobileAPInfoById", "aspForm")
    | where ProcessCommandLine has_any ("curl", "wget", "powershell", "cmd.exe")
    | project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
    (SecurityEvent
    // SecurityEvent uses TimeGenerated, Computer and IpAddress; aliased so the union columns line up
    | where TimeGenerated > ago(timeframe)
    | where Activity has "Network" and (TargetUserName has "admin" or TargetUserName has "root")
    // "0.0.0.0" is a placeholder left in the original query; replace it with the source IPs you actually want to watch
    | where Computer has_any ("h3c", "magic", "b1") or IpAddress in ("0.0.0.0")
    | project Timestamp = TimeGenerated, DeviceName = Computer, TargetUserName, Activity, RemoteIP = IpAddress)
| summarize EventCount = count(), UniqueDevices = dcount(DeviceName), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by RemoteUrl, RemoteIP, InitiatingProcessFileName, ProcessCommandLine
| where EventCount > 1
| limit 1000
CVE-2026-6563 is a remote buffer overflow vulnerability in H3C Magic B1 devices affecting the SetAPWifiorLedInfoById function in /goform/aspForm, exploitable without authentication. Detection focuses on identifying exploitation attempts through network traffic patterns, process execution anomalies, and file access to vulnerable endpoints on H3C devices or management interfaces.
Detection (KQL)
let timeframe = 7d;
// 'param' was dropped from the indicator list: as a bare term it matches far too many benign command lines and file names
let h3c_indicators = dynamic(['SetAPWifiorLedInfoById', 'aspForm', 'Magic B1']);
union
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemoteUrl has_any ('goform/aspForm', '/goform/', 'SetAPWifiorLedInfoById')
    | where ActionType in ('ConnectionSuccess', 'ConnectionAttempted', 'ConnectionFailed')
    | project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine),
    (DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any ('goform', 'aspForm')
    | project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
    (DeviceFileEvents
    | where Timestamp > ago(timeframe)
    | where FolderPath has_any ('goform', 'aspForm') or FileName has_any (h3c_indicators)
    | where ActionType in ('FileCreated', 'FileModified', 'FileDeleted')
    | project Timestamp, DeviceName, FolderPath, FileName, ActionType, AccountName)
// grouping by the raw Timestamp (as the original did) puts every event in its own bucket; group by entity instead
| summarize EventCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, ProcessCommandLine, FileName
| limit 1000
CVE-2026-6560 is a critical remote buffer overflow vulnerability in H3C Magic B0 devices affecting the Edit_BasicSSID function in /goform/aspForm, with a CVSS score of 8.8. Detection should focus on identifying exploitation attempts targeting H3C devices through malicious web requests and subsequent process execution or network anomalies.
Detection (KQL)
let timeframe = 7d;
let h3c_indicators = dynamic(['Edit_BasicSSID', 'aspForm', 'goform']);
union
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemoteUrl has_any (h3c_indicators) or InitiatingProcessCommandLine has_any (h3c_indicators)
    // the termination filter belongs inside each leg; applied after the union it was a no-op because the other legs have no ActionType
    | where ActionType != 'NetworkConnectionTerminated'
    | project Timestamp, DeviceId, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
    (DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any (h3c_indicators)
    | where ActionType != 'ProcessTerminated'
    | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessId, FileName, FolderPath, AccountName, ActionType),
    (SecurityEvent
    // SecurityEvent columns aliased to the Device* names so the union lines up
    | where TimeGenerated > ago(timeframe)
    | where Activity has_any (h3c_indicators) or CommandLine has_any (h3c_indicators)
    | project Timestamp = TimeGenerated, DeviceName = Computer, Activity, ProcessCommandLine = CommandLine, AccountName = Account, EventID)
| limit 1000
CVE-2026-33825 is a Windows Defender zero-day vulnerability enabling local privilege escalation to SYSTEM level on Windows 10/11 systems, exploited via the BlueHammer proof-of-concept. Detection focuses on identifying suspicious process creation with elevated token elevation and Windows Defender-related process manipulation.
Detection (KQL)
let timeWindow = 7d;
let suspiciousDefenderProcesses = dynamic(['MsMpEng.exe', 'NisSrv.exe', 'WinDefend']);
let suspiciousParents = dynamic(['explorer.exe', 'cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvcs.exe', 'regasm.exe', 'InstallUtil.exe']);
union
    (DeviceProcessEvents
    | where Timestamp > ago(timeWindow)
    | where ProcessTokenElevation in~ ('TokenElevationTypeFull', 'TokenElevationTypeDefault')
    // verbatim (@) literals: a plain 'Windows\Defender' is parsed as an escape sequence and fails
    | where FileName in~ (suspiciousDefenderProcesses) or FolderPath has @'Windows\Defender' or FolderPath has @'ProgramData\Microsoft\Windows Defender'
    | where InitiatingProcessFileName in~ (suspiciousParents) or InitiatingProcessCommandLine matches regex @'(?i)(powershell|cmd|rundll32|regsvcs|regasm|installutil)'
    // parent details are kept (the original project-away dropped them) since they are the triage-relevant fields
    | project Timestamp, DeviceName, DeviceId, ProcessId, FileName, FolderPath, ProcessCommandLine, ProcessTokenElevation,
              ParentProcessName = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine, AccountName, AccountDomain),
    (SecurityEvent
    // event 4688 columns aliased to the Device* names; SubjectUserName/SubjectDomainName are the account fields on 4688
    | where TimeGenerated > ago(timeWindow)
    | where EventID == 4688
    | where NewProcessName has_any (suspiciousDefenderProcesses) or NewProcessName has @'Windows\Defender'
    // ParentProcessName is a full path, so "in" against bare file names never matches; has_any does term matching
    | where ParentProcessName has_any (suspiciousParents) or CommandLine matches regex @'(?i)(powershell|cmd|rundll32|regsvcs|regasm|installutil)'
    | project Timestamp = TimeGenerated, DeviceName = Computer, ProcessId = NewProcessId, FileName = NewProcessName,
              ProcessCommandLine = CommandLine, ParentProcessName, AccountName = SubjectUserName, AccountDomain = SubjectDomainName)
| limit 1000
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
CVEs: CVE-2023-33538 | CVSS: 0.0 | EPSS: 0.0% | Priority: 2.5/100 | ATT&CK: N/A | Detection language: KQL
Source: unit42.paloaltonetworks.com -- https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic...
Threat actors impersonate IT helpdesk via cross-tenant Microsoft Teams collaboration to trick users into granting remote access, then abuse legitimate tools for lateral movement and data exfiltration. Detection focuses on anomalous Teams external collaboration patterns, suspicious remote access tool execution, and data access anomalies correlated with helpdesk impersonation indicators.
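The digest gives no query for this item, so the following is a KQL example added here (not a ThreatPulse query) that correlates the first two signals named above: a one-on-one Teams chat created with a participant from another tenant, followed within a short window by a remote-assistance tool starting on that user's endpoint. It assumes the Defender XDR / Sentinel tables CloudAppEvents and DeviceProcessEvents and the RawEventData fields Microsoft exposes for Teams ChatCreated records; ownDomains, remoteAccessTools, helpdeskWords and followUpWindow are assumptions to replace with your tenant's values.

```kql
// Added example, not a ThreatPulse query. Tables: Defender XDR / Sentinel CloudAppEvents and
// DeviceProcessEvents. ownDomains, remoteAccessTools, helpdeskWords and followUpWindow are
// assumptions to tune for your tenant.
let lookback = 7d;
let followUpWindow = 30m;                                    // assumed: tool launch within 30 min of the chat
let ownDomains = dynamic(['example.com']);                   // placeholder: your tenant's verified domains
let remoteAccessTools = dynamic(['quickassist.exe', 'anydesk.exe', 'teamviewer.exe', 'rustdesk.exe', 'screenconnect', 'splashtop', 'atera']);
let helpdeskWords = dynamic(['help desk', 'helpdesk', 'service desk', 'it support', 'it admin']);
// 1. One-on-one Teams chats created with a participant from another tenant
let externalChats =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where Application == "Microsoft Teams" and ActionType == "ChatCreated"
    | where tostring(RawEventData.CommunicationType) == "OneOnOne"
    | where tobool(RawEventData.ParticipantInfo.HasForeignTenantUsers) == true
    | mv-expand Member = RawEventData.Members
    | extend MemberUpn = tolower(tostring(Member.UPN)), MemberDisplayName = tostring(Member.DisplayName)
    | extend IsInternal = tostring(split(MemberUpn, '@')[1]) in (ownDomains)
    // one row per chat (ReportId identifies the event): who inside the tenant was contacted, and by whom
    | summarize InternalUpns = make_set_if(MemberUpn, IsInternal),
                ExternalUpns = make_set_if(MemberUpn, not(IsInternal)),
                ExternalNames = make_set_if(MemberDisplayName, not(IsInternal))
        by ReportId, ChatTime = Timestamp
    | where array_length(InternalUpns) > 0 and array_length(ExternalUpns) > 0
    // a display name styled as IT support is the impersonation indicator the item above refers to
    | extend HelpdeskLookalike = tostring(ExternalNames) has_any (helpdeskWords)
    | mv-expand TargetUpn = InternalUpns to typeof(string);
// 2. Remote-assistance tooling started on endpoints, keyed by the signed-in user
let remoteToolLaunches =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ (remoteAccessTools) or ProcessCommandLine has_any (remoteAccessTools)
    | project LaunchTime = Timestamp, AccountUpnLower = tolower(AccountUpn), DeviceName, FileName,
              ProcessCommandLine, InitiatingProcessFileName;
// 3. Keep only launches that follow an external chat to the same user within the window
externalChats
| join kind=inner remoteToolLaunches on $left.TargetUpn == $right.AccountUpnLower
| where LaunchTime between (ChatTime .. (ChatTime + followUpWindow))
| project ChatTime, LaunchTime, MinutesToLaunch = datetime_diff('minute', LaunchTime, ChatTime),
          TargetUpn, DeviceName, ExternalUpns, ExternalNames, HelpdeskLookalike,
          FileName, ProcessCommandLine, InitiatingProcessFileName
| order by HelpdeskLookalike desc, ChatTime desc
```

Each hit is a chat-then-tool pair for one user, ordered so that external senders whose display name mimics a helpdesk surface first. Widening followUpWindow raises recall at the cost of coincidental matches on estates where Quick Assist is in legitimate use; the third signal in the item, data access anomalies, would be a further join on the same TargetUpn against file-access records.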
Threat Brief: Escalation of Cyber Risk Related to Iran (Updated April 17)
CVEs: N/A | CVSS: 0.0 | EPSS: 0.0% | Priority: 2.7/100 | ATT&CK: N/A | Detection language: KQL
Source: unit42.paloaltonetworks.com -- https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
Unit 42 details recent Iranian cyberattack activity, sharing direct observations of phishing, hacktivist activity and...
This threat focuses on visibility and inventory management of Infrastructure-as-Code (IaC) resources across cloud deployments, particularly as AI applications introduce new resource types. Detection should identify unauthorized IaC modifications, unexpected resource deployments, and configuration drift that could indicate compromise or misconfiguration.
Detection (KQL)
let TimeWindow = 7d;
let SuspiciousIaCPatterns = dynamic(['terraform', 'cloudformation', 'bicep', 'ansible', 'pulumi', 'helm']);
let SuspiciousFileExtensions = dynamic(['.tf', '.json', '.yaml', '.yml', '.hcl', '.py']);
union
    (DeviceFileEvents
    | where TimeGenerated > ago(TimeWindow)
    | where ActionType in ('FileCreated', 'FileModified')
    // "has" does term matching, so a bare '.tf' is not an extension test; compare the real extension instead
    | extend FileExtension = tolower(extract(@'(\.[^.]+)$', 1, FileName))
    | where FileName has_any (SuspiciousIaCPatterns) or FolderPath has_any (SuspiciousIaCPatterns) or FileExtension in (SuspiciousFileExtensions)
    | where FolderPath has_any ('.git', 'terraform', 'ansible', 'cloudformation', 'infrastructure', 'deployment', 'iac')
    | project TimeGenerated, DeviceName, DeviceId, FileName, FolderPath, ActionType, AccountName, SHA256),
    (DeviceProcessEvents
    | where TimeGenerated > ago(TimeWindow)
    | where ProcessCommandLine has_any (SuspiciousIaCPatterns) or FileName has_any (SuspiciousIaCPatterns)
    | where ProcessCommandLine has_any ('apply', 'deploy', 'plan', 'destroy', 'init', 'validate')
    | project TimeGenerated, DeviceName, DeviceId, FileName, ProcessCommandLine, ProcessId, AccountName, SHA256),
    (CloudAppEvents
    | where TimeGenerated > ago(TimeWindow)
    | where Application in ('Azure DevOps', 'GitHub', 'GitLab', 'Terraform Cloud')
    // RawEventData is dynamic; it must be stringified before term matching
    | where ObjectName has_any (SuspiciousIaCPatterns) or tostring(RawEventData) has_any (SuspiciousIaCPatterns)
    | where ActionType in ('Add', 'Modify', 'Delete', 'Deploy')
    // cloud events carry no device or AccountName; the application and display name fill those slots so the summarize below can group them
    | project TimeGenerated, DeviceName = Application, FileName = ObjectName, ActionType, AccountName = AccountDisplayName, AccountId, RawEventData)
| summarize EventCount = count(), UniqueUsers = dcount(AccountName), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by DeviceName, FileName, ActionType
| where EventCount > 5
| limit 1000
Nigerian advance-fee scams use social engineering via email to trick users into sending money or credentials, often leveraging Office 365 and cloud services. Detection focuses on identifying suspicious email patterns, credential compromise attempts, and unusual financial transaction requests.
Detection (KQL)
let timeframe = 7d;
let suspicious_keywords = dynamic(['advance fee', 'wire transfer', 'urgent payment', 'inheritance', 'lottery', 'nigerian', 'prince', 'bank details', 'verify account', 'confirm identity', 'urgent action required']);
let financial_keywords = dynamic(['payment', 'transfer', 'account', 'banking', 'funds', 'money']);
// EmailEvents exposes no message body (the original's BodyPreview column does not exist), so all matching is on the Subject;
// '@company.com' is a placeholder for your own domain(s)
EmailEvents
| where TimeGenerated > ago(timeframe)
| where EmailDirection == 'Inbound'
| where isnotempty(Subject)
| extend SubjectLower = tolower(Subject)
| where SubjectLower has_any (suspicious_keywords)
| where SubjectLower has_any (financial_keywords)
| where SenderFromAddress !has_any ('@microsoft.com', '@office365.com', '@company.com')
| extend SuspiciousIndicators = toint(SubjectLower has 'urgent') + toint(SubjectLower has 'verify') + toint(SubjectLower has 'confirm') + toint(SubjectLower has 'click')
| where SuspiciousIndicators >= 2
| project TimeGenerated, SenderFromAddress, SenderDisplayName, Subject, RecipientEmailAddress, AuthenticationDetails, ThreatTypes, DeliveryAction, SuspiciousIndicators
| order by TimeGenerated desc
| limit 1000
This detection identifies lateral movement patterns following domain compromise by correlating credential abuse, unusual logon activity, and process execution across multiple devices within a short timeframe. The query surfaces suspicious authentication chains and cross-device activity that indicate threat actor momentum during post-compromise lateral movement.
Detection (KQL)
let timeWindow = 7d;
let suspiciousLogonThreshold = 5;
DeviceLogonEvents
| where Timestamp > ago(timeWindow)
| where ActionType in ('LogonSuccess', 'LogonFailed') and LogonType in ('Network', 'Service')
| where isnotempty(RemoteDeviceName) or isnotempty(RemoteIP)
| summarize LogonCount = count(), UniqueDevices = dcount(DeviceId), UniqueRemoteIPs = dcount(RemoteIP),
            FirstLogon = min(Timestamp), LastLogon = max(Timestamp) by AccountName, AccountDomain
| where LogonCount >= suspiciousLogonThreshold and UniqueDevices >= 2
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(timeWindow)
    | where ProcessCommandLine has_any ('net', 'psexec', 'wmic', 'winrm', 'ssh', 'scp')
        or InitiatingProcessFileName in~ ('cmd.exe', 'powershell.exe', 'psexec.exe', 'wmic.exe')
    | summarize ProcessCount = count(), UniqueProcesses = dcount(FileName), ProcessDevices = dcount(DeviceId) by AccountName, AccountDomain
  ) on AccountName, AccountDomain
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(timeWindow) and ActionType == 'ConnectionSuccess'
    // RPC, NetBIOS, SMB, RDP, WinRM and SSH: the ports lateral-movement tooling uses
    | where RemotePort in (135, 139, 445, 3389, 5985, 5986, 22)
    | summarize NetworkConnections = count(), UniqueRemoteIPs_Net = dcount(RemoteIP), UniqueRemoteDevices = dcount(RemoteUrl) by InitiatingProcessAccountName
  ) on $left.AccountName == $right.InitiatingProcessAccountName
| project AccountName, AccountDomain, LogonCount, UniqueDevices, UniqueRemoteIPs, ProcessCount, NetworkConnections, FirstLogon, LastLogon, UniqueProcesses, UniqueRemoteDevices
// the logon thresholds were already applied above; only the process and network thresholds remain
| where ProcessCount >= 3 and NetworkConnections >= 2
| limit 1000
ThreatPulse — Automated Threat Intelligence