ThreatPulse — April 20, 2026 | 10 threats, personalised for Ethan Andrews
Personalised for Ethan Andrews | Detection Engineer | Detection: KQL
// Entry 1: CVE-2026-6581, H3C Magic B1 SetMobileAPInfoById buffer overflow via /goform/aspForm
union
    (DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl has "goform/aspForm" or RemoteUrl has "SetMobileAPInfoById"
    | where InitiatingProcessFileName !in ("chrome.exe", "iexplore.exe", "firefox.exe")
        or InitiatingProcessFileName has "curl"
        or InitiatingProcessFileName has "wget"
    | project Timestamp, DeviceName, RemoteIP, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
    (DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessCommandLine has "goform" or ProcessCommandLine has "SetMobileAPInfoById" or ProcessCommandLine has "aspForm"
    | where ProcessCommandLine has_any ("curl", "wget", "powershell", "cmd.exe")
    | project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
    (SecurityEvent
    // SecurityEvent is keyed on TimeGenerated, not Timestamp; alias it so the summarize below sees one time column
    | where TimeGenerated > ago(7d)
    | extend Timestamp = TimeGenerated
    | where Activity has "Network" and (TargetUserName has "admin" or TargetUserName has "root")
    | where Computer has_any ("h3c", "magic", "b1") or SourceIP in (dynamic(["0.0.0.0"]))
    | project Timestamp, Computer, TargetUserName, Activity, SourceIP)
// only the DeviceNetworkEvents rows carry RemoteUrl/RemoteIP/InitiatingProcessFileName;
// rows from the other two sources collapse into a single empty-key group here
| summarize EventCount = count(), UniqueDevices = dcount(DeviceName), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by RemoteUrl, RemoteIP, InitiatingProcessFileName
| where EventCount > 1
| limit 1000
Summary: CVE-2026-6581 is a critical buffer overflow vulnerability in H3C Magic B1 devices affecting the SetMobileAPInfoById function, exploitable remotely with a CVSS score of 8.8. Detection focuses on identifying exploitation attempts targeting H3C devices through network traffic patterns and process execution anomalies.
Affected Products: H3C Magic B1 · H3C Magic B1 up to 100R004
MITRE ATT&CK: N/A
False Positives: Legitimate administrative tools (curl, wget) used by IT staff for device management may trigger alerts; whitelist known management IP ranges and administrative accounts. Standard web browser traffic to H3C management interfaces should be excluded. Filter out routine device health checks and firmware update processes from H3C vendor infrastructure.
Detection Logic: Monitor for exploitation attempts by detecting network connections to H3C devices targeting the vulnerable /goform/aspForm endpoint with SetMobileAPInfoById function calls, combined with suspicious process execution (curl, wget, powershell) attempting to interact with the vulnerable endpoint. Cross-reference with authentication anomalies on H3C devices and look for buffer overflow indicators in network payloads.
// Entry 2: CVE-2026-6563, H3C Magic B1 SetAPWifiorLedInfoById buffer overflow via /goform/aspForm
let timeframe = 7d;
let h3c_indicators = dynamic(['SetAPWifiorLedInfoById', 'aspForm', 'param', 'Magic B1']);
union
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemoteUrl has_any ('goform/aspForm', '/goform/') or RemoteUrl matches regex @'(?i).*SetAPWifiorLedInfoById.*'
    | where ActionType in ('ConnectionSuccess', 'ConnectionAttempted', 'ConnectionFailed')
    | project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine),
    (DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any ('goform', 'aspForm')
    | project Timestamp, DeviceName, ProcessCommandLine, ProcessId, AccountName, FileName),
    (DeviceFileEvents
    | where Timestamp > ago(timeframe)
    | where FolderPath has_any ('goform', 'aspForm') or FileName has_any (h3c_indicators)
    | where ActionType in ('FileCreated', 'FileModified', 'FileDeleted')
    | project Timestamp, DeviceName, FolderPath, FileName, ActionType, AccountName)
// bucket by hour rather than by the raw Timestamp; grouping on the exact timestamp makes every row its own group with a count of 1
| summarize EventCount = count() by bin(Timestamp, 1h), DeviceName, RemoteIP, ProcessCommandLine, FileName
| where EventCount > 0
| limit 1000
Summary: CVE-2026-6563 is a remote buffer overflow vulnerability in H3C Magic B1 devices affecting the SetAPWifiorLedInfoById function in /goform/aspForm, exploitable without authentication. Detection focuses on identifying exploitation attempts through network traffic patterns, process execution anomalies, and file access to vulnerable endpoints on H3C devices or management interfaces.
Affected Products: H3C Magic B1 · H3C Magic B1 up to 100R004
MITRE ATT&CK: N/A
False Positives: Legitimate administrative access to H3C device management interfaces, routine firmware updates or configuration changes via /goform/ endpoints, and normal web application file operations may trigger alerts. Whitelist known management IPs, scheduled maintenance windows, and authenticated administrative accounts. Filter out internal network scanning and vulnerability assessment tools that may probe these endpoints.
Detection Logic: Monitor for exploitation attempts by detecting network connections to vulnerable /goform/aspForm endpoints with SetAPWifiorLedInfoById function calls, unusual process execution with buffer overflow payloads in command lines, and suspicious file modifications in web application directories. Cross-correlate network events with process and file activity to identify attack chains.
// Entry 3: CVE-2026-6560, H3C Magic B0 Edit_BasicSSID buffer overflow via /goform/aspForm
let timeframe = 7d;
let h3c_indicators = dynamic(['Edit_BasicSSID', 'aspForm', 'goform']);
union
    (DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemoteUrl has_any (h3c_indicators) or InitiatingProcessCommandLine has_any (h3c_indicators)
    | project Timestamp, DeviceId, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType),
    (DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where ProcessCommandLine has_any (h3c_indicators) or FolderPath has_any (h3c_indicators)
    | project Timestamp, DeviceId, DeviceName, ProcessCommandLine, ProcessId, FileName, FolderPath, AccountName, ActionType),
    (SecurityEvent
    | where TimeGenerated > ago(timeframe)
    | where Activity has_any (h3c_indicators) or CommandLine has_any (h3c_indicators)
    | project TimeGenerated, Computer, Activity, CommandLine, Account, EventID)
// rows from the network and process branches have an empty Activity, so the second clause passes them through unchanged
| where ActionType !in ('ProcessTerminated', 'NetworkConnectionTerminated') or Activity !has 'Success'
| limit 1000
Summary: CVE-2026-6560 is a critical remote buffer overflow vulnerability in H3C Magic B0 devices affecting the Edit_BasicSSID function in /goform/aspForm, with a CVSS score of 8.8. Detection should focus on identifying exploitation attempts targeting H3C devices through malicious web requests and subsequent process execution or network anomalies.
Affected Products: H3C Magic B0 · H3C Magic B0 100R002
MITRE ATT&CK: N/A
False Positives: Legitimate H3C device management traffic and administrative configuration changes may trigger alerts; whitelist known H3C management IPs and scheduled maintenance windows. Filter out normal device firmware update processes and authenticated administrative sessions. Exclude internal network scanning and vulnerability assessment tools that may probe H3C devices.
Detection Logic: Monitor for HTTP requests containing Edit_BasicSSID, aspForm, or goform path indicators targeting H3C devices. Correlate with subsequent suspicious process creation, command execution, or unexpected network connections from affected devices. Focus on remote connection attempts to H3C management interfaces and buffer overflow exploitation patterns in request payloads.
// Entry 4: CVE-2026-33825, Windows Defender local privilege escalation (BlueHammer proof of concept)
let timeWindow = 7d;
let suspiciousDefenderProcesses = dynamic(['MsMpEng.exe', 'NisSrv.exe', 'WinDefend']);
let suspiciousParents = dynamic(['explorer.exe', 'cmd.exe', 'powershell.exe', 'rundll32.exe', 'regsvcs.exe', 'regasm.exe', 'InstallUtil.exe']);
union
    (DeviceProcessEvents
    | where Timestamp > ago(timeWindow)
    // verbatim (@) strings: in a plain 'Windows\Defender' literal the backslash starts an escape sequence
    | where ProcessTokenElevation has_any ('TokenElevationTypeFull', 'TokenElevationTypeDefault')
        and (FileName in~ (suspiciousDefenderProcesses)
            or FolderPath has @'Windows\Defender'
            or FolderPath has @'ProgramData\Microsoft\Windows Defender')
    | where InitiatingProcessFileName in~ (suspiciousParents)
        or InitiatingProcessCommandLine matches regex @'(?i)(powershell|cmd|rundll32|regsvcs|regasm|installutil)'
    | project Timestamp, DeviceName, DeviceId, ProcessId, FileName, FolderPath, ProcessCommandLine, ProcessTokenElevation,
        InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName, AccountDomain),
    (SecurityEvent
    | where TimeGenerated > ago(timeWindow)
    | where EventID == 4688
    | where NewProcessName has_any (suspiciousDefenderProcesses) or NewProcessName has @'Windows\Defender'
    // 4688 encodes the token as %%1936 (Default) / %%1937 (Full); mirror the MDE elevation filter
    | where TokenElevationType in ('%%1936', '%%1937')
    // ParentProcessName is a full path in 4688, so exact 'in' against bare names never matches
    | where ParentProcessName has_any (suspiciousParents)
        or CommandLine matches regex @'(?i)(powershell|cmd|rundll32|regsvcs|regasm|installutil)'
    | project Timestamp = TimeGenerated, Computer, ProcessId = NewProcessId, FileName = NewProcessName,
        ProcessCommandLine = CommandLine, InitiatingProcessFileName = ParentProcessName,
        AccountName = SubjectUserName, AccountDomain = SubjectDomainName)
| limit 1000
Summary: CVE-2026-33825 is a Windows Defender zero-day vulnerability enabling local privilege escalation to SYSTEM level on Windows 10/11 systems, exploited via the BlueHammer proof-of-concept. Detection focuses on identifying suspicious process creation with elevated token elevation and Windows Defender-related process manipulation.
Affected Products: Windows 10 · Windows 11 · Microsoft Defender
MITRE ATT&CK: N/A
False Positives: Legitimate Windows Defender updates and maintenance tasks may spawn elevated processes; filter by known Microsoft signed binaries and scheduled task execution contexts. Exclude processes initiated from C:\Windows\System32\svchost.exe and official Windows Update processes. Tune based on the organizational baseline of normal Defender process behavior.
Detection Logic: Monitor for suspicious process creation events where Windows Defender processes (MsMpEng.exe, NisSrv.exe) or Defender-related binaries are spawned with elevated token elevation from unusual parent processes (cmd.exe, powershell.exe, rundll32.exe, regsvcs.exe, regasm.exe, InstallUtil.exe). Cross-correlate DeviceProcessEvents and SecurityEvent (EventID 4688) to detect privilege escalation attempts exploiting CVE-2026-33825.
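The rule above spans two telemetry shapes, and the part that bites in practice is normalising them before the parent/elevation test is applied. The Python below is an added illustration, not ThreatPulse's or Microsoft's code: it maps constructed DeviceProcessEvents rows and Windows 4688 rows into one record, applies the same Defender-image, elevation and unusual-parent conditions to both, and honours the svchost.exe exclusion from the false-positive note. The 4688 elevation ids (%%1936 Default, %%1937 Full, %%1938 Limited) are the values Windows writes into that event; the sample rows, device names and the MpCmdRun.exe path are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Rule constants mirror the hunting query. All sample rows below are constructed for this example.
DEFENDER_BINARIES = {"msmpeng.exe", "nissrv.exe", "windefend"}
DEFENDER_PATH_FRAGMENT = "windows defender"      # on-disk folder name under ProgramData and Program Files
SUSPICIOUS_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "rundll32.exe",
                      "regsvcs.exe", "regasm.exe", "installutil.exe"}
PARENT_CMD_RE = re.compile(r"(powershell|cmd|rundll32|regsvcs|regasm|installutil)", re.IGNORECASE)
ELEVATED = {"TokenElevationTypeFull", "TokenElevationTypeDefault"}
# Windows event 4688 reports the elevation type as a resource-string id rather than a name.
ELEVATION_4688 = {"%%1936": "TokenElevationTypeDefault",
                  "%%1937": "TokenElevationTypeFull",
                  "%%1938": "TokenElevationTypeLimited"}
# Tuning from the false-positive note: Defender children of the service host are routine.
EXCLUDED_PARENT_PATHS = {r"c:\windows\system32\svchost.exe"}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event in a source-independent shape."""
    source: str
    device: str
    file_name: str
    image_path: str
    elevation: str
    parent_name: str
    parent_path: str
    parent_cmd: str


def from_mde(row: dict) -> ProcEvent:
    """Map a DeviceProcessEvents row (MDE column names; FolderPath holds the full image path)."""
    return ProcEvent("DeviceProcessEvents", row["DeviceName"], row["FileName"], row["FolderPath"],
                     row["ProcessTokenElevation"], row["InitiatingProcessFileName"],
                     row["InitiatingProcessFolderPath"], row["InitiatingProcessCommandLine"])


def from_4688(row: dict) -> ProcEvent:
    """Map a Security event 4688 row; NewProcessName and ParentProcessName are full paths."""
    image, parent = row["NewProcessName"], row["ParentProcessName"]
    return ProcEvent("SecurityEvent", row["Computer"], image.rsplit("\\", 1)[-1], image,
                     ELEVATION_4688.get(row.get("TokenElevationType", ""), ""),
                     parent.rsplit("\\", 1)[-1], parent,
                     "")  # 4688 carries only the child's command line, so the parent regex test is skipped


def is_defender_image(ev: ProcEvent) -> bool:
    return ev.file_name.lower() in DEFENDER_BINARIES or DEFENDER_PATH_FRAGMENT in ev.image_path.lower()


def has_unusual_parent(ev: ProcEvent) -> bool:
    if ev.parent_path.lower() in EXCLUDED_PARENT_PATHS:
        return False
    return ev.parent_name.lower() in SUSPICIOUS_PARENTS or PARENT_CMD_RE.search(ev.parent_cmd) is not None


def hunt(events: Iterable[ProcEvent]) -> list[ProcEvent]:
    """Defender image, started with a Full/Default elevation token, under an unusual parent."""
    return [ev for ev in events
            if is_defender_image(ev) and ev.elevation in ELEVATED and has_unusual_parent(ev)]


def sample_events() -> list[ProcEvent]:
    """Constructed telemetry: one true positive per source plus three benign rows."""
    defender_dir = r"c:\programdata\microsoft\windows defender\platform\4.18.0"
    mde_rows = [
        {"DeviceName": "ws01", "FileName": "MsMpEng.exe", "FolderPath": defender_dir + r"\msmpeng.exe",
         "ProcessTokenElevation": "TokenElevationTypeFull", "InitiatingProcessFileName": "powershell.exe",
         "InitiatingProcessFolderPath": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
         "InitiatingProcessCommandLine": "powershell.exe -File run.ps1"},
        {"DeviceName": "ws01", "FileName": "MsMpEng.exe", "FolderPath": defender_dir + r"\msmpeng.exe",
         "ProcessTokenElevation": "TokenElevationTypeFull", "InitiatingProcessFileName": "services.exe",
         "InitiatingProcessFolderPath": r"c:\windows\system32\services.exe",
         "InitiatingProcessCommandLine": r"C:\Windows\system32\services.exe"},      # normal service start
        {"DeviceName": "ws02", "FileName": "NisSrv.exe", "FolderPath": defender_dir + r"\nissrv.exe",
         "ProcessTokenElevation": "TokenElevationTypeLimited", "InitiatingProcessFileName": "cmd.exe",
         "InitiatingProcessFolderPath": r"c:\windows\system32\cmd.exe",
         "InitiatingProcessCommandLine": "cmd.exe /c nissrv.exe"},                   # not elevated
    ]
    sec_rows = [
        {"Computer": "srv01", "NewProcessName": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
         "ParentProcessName": r"C:\Windows\System32\cmd.exe", "TokenElevationType": "%%1937",
         "CommandLine": "MpCmdRun.exe -Scan -ScanType 1"},
        {"Computer": "srv01", "NewProcessName": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
         "ParentProcessName": r"C:\Windows\System32\svchost.exe", "TokenElevationType": "%%1937",
         "CommandLine": "MpCmdRun.exe -SignatureUpdate"},                           # excluded parent
    ]
    return [from_mde(r) for r in mde_rows] + [from_4688(r) for r in sec_rows]


def sample_hits() -> list[ProcEvent]:
    return hunt(sample_events())


if __name__ == "__main__":
    for hit in sample_hits():
        print(f"{hit.source}: {hit.device} {hit.file_name} <- {hit.parent_name} ({hit.elevation})")
```

Two of the five constructed rows survive: the MDE row where MsMpEng.exe starts with a full token under powershell.exe, and the 4688 row where a Defender-folder binary starts under cmd.exe. The services.exe and svchost.exe parents fall out through the parent test and the exclusion list, and the Limited token fails the elevation test, which is the same triage the KQL performs across its two union branches.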
A Deep Dive Into Attempted Exploitation of CVE-2023-33538
CVEs: CVE-2023-33538 | CVSS: 0.0 | EPSS: 0.0% | Priority: 2.5/100 | ATT&CK: N/A | Detection language: KQL
Source: unit42.paloaltonetworks.com -- https://unit42.paloaltonetworks.com/exploitation-of-cve-2023-33538/
CVE-2023-33538 allows for command injection in TP-Link routers. We discuss exploitation attempts with payloads characteristic of Mirai botnet malware.
Threat actors impersonate IT helpdesk via cross-tenant Microsoft Teams collaboration to trick users into granting remote access, then abuse legitimate tools for lateral movement and data exfiltration. Detection focuses on anomalous Teams external collaboration patterns, suspicious remote access tool execution, and data access anomalies correlated with helpdesk impersonation indicators.
MITRE ATT&CK: N/A

// Entry 7: phishing that impersonates breach or security-alert notifications
let alert_keywords = dynamic(['breach', 'data breach', 'security alert', 'urgent action required', 'verify account', 'confirm identity', 'unusual activity', 'suspicious login', 'reset password', 'update payment']);
let suspicious_patterns = dynamic(['click here immediately', 'verify credentials', 'confirm password', 'update billing', 'reactivate account', 'unusual access detected']);
let timeframe = 7d;
union
    (EmailEvents
    | where TimeGenerated > ago(timeframe)
    | where (Subject has_any (alert_keywords) or BodyPreview has_any (alert_keywords))
        and (Subject has_any (suspicious_patterns) or BodyPreview has_any (suspicious_patterns))
    | where SenderFromAddress !in ('noreply@microsoft.com', 'security-alert@microsoft.com', 'alerts@microsoft.com')
    | where not(SenderMailFromDomain has_any ('microsoft.com', 'azure.com', 'office.com'))
    | where DeliveryAction == 'Delivered' or DeliveryAction == 'Delivered as spam'
    | project TimeGenerated, SenderFromAddress, SenderMailFromDomain, RecipientEmailAddress, Subject, BodyPreview, UrlCount, AttachmentCount, AuthenticationDetails, ThreatTypes, DetectionMethods),
    (CloudAppEvents
    | where TimeGenerated > ago(timeframe)
    | where Application == 'Microsoft 365' and (RawEventData has 'breach' or RawEventData has 'security alert' or RawEventData has 'verify account')
    | where not(AccountUpn has_any ('@microsoft.com', '@azure.com'))
    | project TimeGenerated, AccountUpn, Application, ActionType, RawEventData)
// a link or attachment plus urgency language is the high-confidence combination
| extend IsPhishingLikely = (UrlCount > 0 or AttachmentCount > 0)
    and (Subject has_any (suspicious_patterns) or BodyPreview has_any (suspicious_patterns))
| where IsPhishingLikely == true or ActionType has 'suspicious'
| summarize AlertCount = count(), UniqueRecipients = dcount(RecipientEmailAddress), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SenderFromAddress, Subject
| where AlertCount >= 1
| limit 1000
Summary: Detects suspicious email alerts and notifications that may be phishing attempts impersonating legitimate breach notifications, focusing on emails with urgency language, credential requests, or suspicious links. Identifies potential social engineering campaigns targeting users to bypass security controls or extract sensitive information.
Affected Products: Microsoft 365 Defender · Microsoft Defender for Office 365 · Azure AD · Windows Defender
MITRE ATT&CK: N/A
Detection Logic: Correlates email events and cloud app events to identify messages impersonating legitimate breach notifications. Filters for urgency language, credential requests, and suspicious sender domains while excluding known legitimate Microsoft security alert senders. Flags emails with URLs or attachments combined with social engineering patterns as high-confidence phishing attempts.
// Entry 8: delivery-themed phishing leading to remote-access (RAT/RMM) tool installation
let PhishingKeywords = dynamic(['shipment', 'delivery', 'package', 'tracking', 'dhl', 'fedex', 'ups', 'parcel', 'arrived', 'pending', 'customs', 'clearance']);
let RATIndicators = dynamic(['anydesk', 'teamviewer', 'connectwise', 'remotepc', 'splashtop', 'zoho', 'ammyy', 'supremo', 'rustdesk']);
let SuspiciousExtensions = dynamic(['.exe', '.msi', '.scr', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.zip', '.rar']);
EmailEvents
| where Timestamp > ago(7d)
| where Subject has_any (PhishingKeywords) or BodyPreview has_any (PhishingKeywords)
| where AttachmentCount > 0 or UrlCount > 0
| where not(SenderFromDomain =~ 'dhl.com' or SenderFromDomain =~ 'fedex.com' or SenderFromDomain =~ 'ups.com')
// URL and attachment details live in EmailUrlInfo / EmailAttachmentInfo (joined on NetworkMessageId), not in EmailEvents
| project NetworkMessageId, Timestamp, SenderFromAddress, SenderFromDomain, RecipientEmailAddress, Subject, BodyPreview, AttachmentCount, UrlCount, ThreatTypes, DeliveryAction
// assumes AccountName is recorded in the same form as the recipient address; map through identity data where it is not
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where ProcessCommandLine has_any (RATIndicators) or FileName has_any (RATIndicators) or FolderPath has_any (RATIndicators)
    | where ProcessCommandLine has_any (SuspiciousExtensions) or FileName has_any (SuspiciousExtensions)
    | project DeviceId, DeviceName, ProcessId, ProcessCommandLine, FileName, FolderPath, ProcessCreationTime, AccountName, AccountDomain)
    on $left.RecipientEmailAddress == $right.AccountName
// the remote-access tool must start after the lure was delivered
| where ProcessCreationTime between (Timestamp .. (Timestamp + 24h))
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where InitiatingProcessFileName has_any (RATIndicators) or RemoteUrl has_any (RATIndicators)
    | where ActionType =~ 'ConnectionSuccess' or ActionType =~ 'ConnectionAttempt'
    | project DeviceId, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, Protocol)
    on DeviceId
| project Timestamp, RecipientEmailAddress, DeviceName, Subject, FileName, ProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, DeliveryAction, ThreatTypes
| limit 1000

Summary: Detects delivery-themed phishing emails (DHL, FedEx, UPS) with suspicious attachments or links that may distribute remote access software like AnyDesk, TeamViewer, or ConnectWise. Correlates email delivery with subsequent suspicious process execution and network connections indicative of RAT installation.
Detection Logic: Detects sophisticated remote access campaigns targeting manufacturing environments through suspicious process execution, network connections, and credential usage patterns consistent with cargo theft operations. Identifies anomalous administrative tool usage, lateral movement, and data exfiltration indicators across Windows endpoints and cloud infrastructure.
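The three-way join in the delivery-phishing query above is easier to reason about as a procedure: a lure email, then a RAT/RMM process on the recipient's endpoint account, then an outbound connection from that process. The Python below is an added example, not ThreatPulse's code: it runs that chain over constructed EmailEvents, DeviceProcessEvents and DeviceNetworkEvents rows, and it goes beyond the query in two ways: it requires the process to start after the email (a 24-hour window, an assumption) and it ties the network event to the process by ProcessId rather than by device alone. The upn_to_account map stands in for identity data, because an endpoint AccountName rarely has the same form as a recipient address; every row, address and IP below is constructed.

```python
import re
from datetime import datetime, timedelta

# Indicator lists mirror the query; all rows below are constructed for this example.
PHISH_KEYWORDS = ("shipment", "delivery", "package", "tracking", "dhl", "fedex", "ups",
                  "parcel", "arrived", "pending", "customs", "clearance")
RAT_INDICATORS = ("anydesk", "teamviewer", "connectwise", "remotepc", "splashtop",
                  "zoho", "ammyy", "supremo", "rustdesk")
SUSPICIOUS_EXTENSIONS = (".exe", ".msi", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".zip", ".rar")
CARRIER_DOMAINS = {"dhl.com", "fedex.com", "ups.com"}
WINDOW = timedelta(hours=24)   # assumed: how long after the lure a RAT launch still counts as related
KEYWORD_RE = re.compile(r"\b(" + "|".join(map(re.escape, PHISH_KEYWORDS)) + r")\b", re.IGNORECASE)
INTERESTING_ACTIONS = ("ConnectionSuccess", "ConnectionAttempt")


def parse_ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def is_delivery_lure(email: dict) -> bool:
    """Delivery-themed wording, a link or attachment, and a sender outside the real carrier domains."""
    if email["SenderFromDomain"].lower() in CARRIER_DOMAINS:
        return False
    if email["AttachmentCount"] == 0 and email["UrlCount"] == 0:
        return False
    return KEYWORD_RE.search(email["Subject"] + " " + email["BodyPreview"]) is not None


def looks_like_rat_launch(proc: dict) -> bool:
    """An RMM/RAT name in image, path or command line together with a suspicious extension."""
    haystack = " ".join((proc["FileName"], proc["FolderPath"], proc["ProcessCommandLine"])).lower()
    return any(i in haystack for i in RAT_INDICATORS) and any(e in haystack for e in SUSPICIOUS_EXTENSIONS)


def correlate(emails: list[dict], processes: list[dict], network: list[dict],
              upn_to_account: dict[str, str]) -> list[dict]:
    """Chain lure email -> RAT process under the recipient's account -> that process's outbound connection."""
    hits = []
    for email in filter(is_delivery_lure, emails):
        t_mail = parse_ts(email["Timestamp"])
        account = upn_to_account.get(email["RecipientEmailAddress"].lower())
        if account is None:
            continue
        for proc in processes:
            t_proc = parse_ts(proc["Timestamp"])
            if proc["AccountName"].lower() != account.lower() or not looks_like_rat_launch(proc):
                continue
            if not (t_mail < t_proc <= t_mail + WINDOW):        # the process must follow the email
                continue
            for conn in network:
                t_conn = parse_ts(conn["Timestamp"])
                if (conn["DeviceId"] == proc["DeviceId"]
                        and conn["InitiatingProcessId"] == proc["ProcessId"]   # tighter than a DeviceId-only join
                        and conn["ActionType"] in INTERESTING_ACTIONS
                        and t_proc <= t_conn <= t_mail + WINDOW):
                    hits.append({"recipient": email["RecipientEmailAddress"], "subject": email["Subject"],
                                 "device": proc["DeviceName"], "process": proc["FileName"],
                                 "remote": f'{conn["RemoteIP"]}:{conn["RemotePort"]}'})
    return hits


def sample_hits() -> list[dict]:
    """Constructed rows: one lure that chains through, one legitimate carrier mail, one pre-existing RMM install."""
    emails = [
        {"Timestamp": "2026-04-14T09:00:00", "SenderFromDomain": "dhl-parcel-notice.example",
         "RecipientEmailAddress": "j.doe@example.com", "Subject": "DHL: parcel pending customs clearance",
         "BodyPreview": "Open the tracking document to release your package", "AttachmentCount": 1, "UrlCount": 0},
        {"Timestamp": "2026-04-14T09:05:00", "SenderFromDomain": "dhl.com",          # genuine carrier, excluded
         "RecipientEmailAddress": "a.smith@example.com", "Subject": "Your shipment has arrived",
         "BodyPreview": "Tracking details inside", "AttachmentCount": 0, "UrlCount": 1},
    ]
    processes = [
        {"Timestamp": "2026-04-14T09:42:00", "DeviceId": "dev-1", "DeviceName": "ws01", "ProcessId": 4312,
         "AccountName": "jdoe", "FileName": "AnyDesk.exe", "FolderPath": r"c:\users\jdoe\downloads\anydesk.exe",
         "ProcessCommandLine": "AnyDesk.exe"},
        {"Timestamp": "2026-04-13T08:00:00", "DeviceId": "dev-1", "DeviceName": "ws01", "ProcessId": 2001,
         "AccountName": "jdoe", "FileName": "TeamViewer.exe", "FolderPath": r"c:\program files\teamviewer\teamviewer.exe",
         "ProcessCommandLine": "TeamViewer.exe"},                                   # predates the lure
    ]
    network = [
        {"Timestamp": "2026-04-14T09:43:10", "DeviceId": "dev-1", "InitiatingProcessId": 4312,
         "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.10", "RemotePort": 443},
        {"Timestamp": "2026-04-14T09:43:20", "DeviceId": "dev-1", "InitiatingProcessId": 777,
         "ActionType": "ConnectionSuccess", "RemoteIP": "198.51.100.7", "RemotePort": 443},   # unrelated process
    ]
    return correlate(emails, processes, network, {"j.doe@example.com": "jdoe", "a.smith@example.com": "asmith"})


if __name__ == "__main__":
    for hit in sample_hits():
        print(hit)
```

Only the first lure chains all the way: the dhl.com message is dropped by the carrier-domain exclusion, the TeamViewer row is dropped because it predates the email, and the second network row is dropped because its process id does not match. In a SIEM the same two refinements translate to a time-bounded join on the first hop and adding InitiatingProcessId to the join key on the second.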
MITRE ATT&CK: N/A

// Entry 10: supply chain compromise indicators from vendor/third-party processes
let timeframe = 7d;
let vendor_processes = dynamic(['docker.exe', 'python.exe']);
// 'in~' is an exact match, so the prefix families are expressed as a regex rather than 'cisco*.exe'-style wildcards
let vendor_process_regex = @'(?i)^(cisco|setup|installer|update).*\.exe$';
let suspicious_ports = dynamic([4444, 5555, 6666, 8888, 9999, 31337, 12345]);
let baseline_domains = dynamic(['microsoft.com', 'windows.com', 'adobe.com', 'apple.com']);
DeviceProcessEvents
| where Timestamp > ago(timeframe)
// DeviceProcessEvents names the image column FileName; there is no ProcessFileName column
| where FileName in~ (vendor_processes) or FileName matches regex vendor_process_regex
    or FolderPath has_any ('vendor', 'third-party', 'dependencies', 'docker', 'python')
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(timeframe)
    | where RemotePort in (suspicious_ports) or (RemoteIPType == 'Public' and not(RemoteUrl has_any (baseline_domains))))
    on DeviceId
// joining on an exact Timestamp almost never matches; correlate within a five-minute window instead
| where abs(datetime_diff('minute', Timestamp1, Timestamp)) <= 5
| project Timestamp, DeviceId, DeviceName, FileName, ProcessCommandLine, ProcessId, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, AccountName, AccountDomain
| union (
    DeviceFileEvents
    | where Timestamp > ago(timeframe)
    | where (InitiatingProcessFileName in~ (vendor_processes) or InitiatingProcessFileName matches regex vendor_process_regex)
        and ActionType in ('FileCreated', 'FileModified')
        and FolderPath has_any ('system32', 'programfiles', 'windows', 'startup')
    | project Timestamp, DeviceId, DeviceName, InitiatingProcessFileName, FileName, FolderPath, ActionType, AccountName)
| union (
    DeviceProcessEvents
    | where Timestamp > ago(timeframe)
    | where ProcessCommandLine has_any ('powershell', 'cmd.exe', 'wmic', 'certutil', 'bitsadmin')
        and (InitiatingProcessFileName in~ (vendor_processes) or InitiatingProcessFileName matches regex vendor_process_regex)
    | project Timestamp, DeviceId, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName)
| limit 1000
Summary: This detection identifies potential supply chain compromise indicators by monitoring for suspicious third-party software execution, unexpected network communications to unfamiliar external hosts, and anomalous file modifications from vendor-supplied processes. The query focuses on manufacturing environments where supply chain dependencies pose elevated risk.
Affected Products: Microsoft Defender for Endpoint · Microsoft Sentinel · Windows · Docker · Python · Cisco Systems
MITRE ATT&CK: N/A
Detection Logic: Correlates process execution from known vendor/third-party software with anomalous network communications to suspicious external IPs/ports and suspicious file system modifications in critical directories. Detects command-line tool abuse (PowerShell, cmd, WMIC, certutil, bitsadmin) spawned by vendor processes. Focuses on public IP connections outside baseline trusted domains and execution of suspicious child processes.
ThreatPulse — Automated Threat Intelligence