Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Detects possible Java payloads in web access logs

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts. This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.

Read More

Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877

Read More

Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)

Read More

Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)

Read More

Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)

Read More

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.

Read More

Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.

Read More

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.

Read More

Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.

Read More

Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.

Read More

Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.

Read More

Detects the exploitation of the Confluence vulnerability described in CVE-2019-3398

Read More

Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972

Read More

Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978

Read More

Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766

Read More

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

Read More

Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.

Read More

Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480

Read More

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More

Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint

Read More

When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories

Read More

Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection

Read More

Detects the mount of an ISO image on an endpoint

Read More

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

Read More

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

Read More

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective

Read More

Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804

Read More

Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.

Read More

Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656 VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Read More

Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659

Read More

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint

Read More

Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169

Read More

Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287

Read More

Detects when the macOS Script Editor utility spawns an unusual child process.

Read More

Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields

Read More

Detects known suspicious (default) user-agents related to scanning/recon tools

Read More

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Read More

Alert on when legacy authentication has been used on an account

Read More

Detects when Okta identifies new activity in the Admin Console.

Read More

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Read More

Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.

Read More

Detects PoC tool used to exploit LPE vulnerability CVE-2021-41379

Read More

Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs. To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter

Read More

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Read More

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Read More

A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More

Detects the creation of a office macro file from a a suspicious process

Read More

Detects the creation of a new office macro files on the systems via an application (browser, mail client).

Read More

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Read More

Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.

Read More

When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~"

Read More

Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.

Read More

Detects attempts to create and add an account to the admin group via "dscl"

Read More

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

Read More

Detects when an account is disabled or blocked for sign in but tried to log in

Read More

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More

Detects attempts to exploit an apache spark server via CVE-2014-6287 from a commandline perspective

Read More

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Read More

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Read More

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Read More

Detect when authentications to important application(s) only required single-factor authentication

Read More

Detect when users are authenticating without MFA being required.

Read More

Identifies when an user or application modified the federation settings on the domain.

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Detects when there is a interruption in the authentication process.

Read More

Detects XSS attempts injected via GET requests in access logs

Read More

Detects an installation of a device that is forbidden by the system policy

Read More

Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE

Read More

Detect failed authentications from countries you do not operate out of.

Read More

Detects guest users being invited to tenant by non-approved inviters

Read More

Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

Read More

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Read More

Detects the creation of a new office macro files on the systems

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Read More

Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)

Read More

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Read More

Detect successful authentications from countries you do not operate out of.

Read More

Detects suspicious file type dropped by an Exchange component in IIS

Read More

Detects suspicious processes including shells spawnd from WinRM host process

Read More

Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Read More

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

Read More

Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.

Read More

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Detect failed attempts to sign in to disabled accounts.

Read More

Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.

Read More

Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.

Read More

Detects when a Security Compliance Center reported a user who exceeded sending limits of the service policies and because of this has been restricted from sending email.

Read More

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Read More

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Read More

Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.

Read More

Detects exploitation of vulnerabilities in Arcadyan routers as reported in CVE-2021-20090 and CVE-2021-20091.

Read More

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Read More

Detects potential SQL injection attempts via GET requests in access logs.

Read More

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Read More

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

Read More

Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser

Read More

Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.

Read More

Detects path traversal exploitation attempts

Read More

Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.

Read More

Detects suspicious access to URLs that was noticed in cases in which attackers exploitated the ADSelfService vulnerability CVE-2021-40539

Read More

Detects an issue in apache logs that reports threading related errors

Read More

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

Read More

Detects exploitation attempt using the JNDI-Exploit-Kit

Read More

Detects URL pattern used by search(-ms)/WebDAV initial access campaigns.

Read More

Detects attempts to create and add an account to the admin group via "sysadminctl"

Read More

Detects attempts to enable the root account via "dsenableroot"

Read More

Detects URL pattern used by search(-ms)/WebDAV initial access campaign.

Read More

Detects the creation of WebDAV temporary files with suspicious extensions

Read More

Alerts on trust record modification within the registry, indicating usage of macros

Read More

Detects suspicious Spring framework exceptions that could indicate exploitation attempts

Read More

Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later

Read More

Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (sccessful exploitation)

Read More

Detects exploitation attempt against Citrix Netscaler, Application Delivery Controller (ADS) and Citrix Gateway exploiting vulnerabilities reported as CVE-2020-8193 and CVE-2020-8195

Read More

Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack

Read More

MODx manager - Local File Inclusion:Directory traversal vulnerability in manager/controllers/default/resource/tvs.php in MODx Revolution 2.0.2-pl, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the class_key parameter.

Read More

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Read More

Detects CVE-2020-0688 Exploitation attempts

Read More

Detects CVE-2020-10148 SolarWinds Orion API authentication bypass attempts

Read More

Detects the exploitation attempt of the vulnerability found in F5 BIG-IP and described in CVE-2020-5902

Read More

Detects an authentication bypass vulnerability affecting the REST API URLs in ADSelfService Plus (CVE-2021-40539).

Read More

Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.

Read More

Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process

Read More

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Read More

Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

Read More

Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

Read More

Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814

Read More

Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

Read More

Detects CVE-2018-13379 exploitation attempt against Fortinet SSL VPNs

Read More

Detects CVE-2021-22123 exploitation attempt against Fortinet WAFs

Read More

Detects a successful Grafana path traversal exploitation

Read More

Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 (Log4Shell)

Read More

Detects access to a webshell dropped into a keystore folder on the WebLogic server

Read More

Detects exploitation attempts on WebLogic servers

Read More

Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084

Read More

Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.

Read More

Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.

Read More

Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla

Read More

Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer

Read More

Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin

Read More

This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893)

Read More

Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole

Read More

Detects exploitation attempts of Sitecore Experience Platform Pre-Auth RCE CVE-2021-42237 found in Report.ashx

Read More

Detects exploitation attempts of the SonicWall Jarrewrite Exploit

Read More

Detects URP patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers

Read More

Detects the exploitation of the TerraMaster TOS vulnerability described in CVE-2020-28188

Read More

Detects exploitation attempts using file upload vulnerability CVE-2021-22005 in the VMWare vCenter Server.

Read More

Detects download of certain file types from hosts in suspicious TLDs

Read More

Detects executable downloads from suspicious remote systems

Read More

The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.

Read More

Detects .lnk files created by Powershell in the startup folder. Associated with (but not unique to) Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspicious Powershell script load contents associated with Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects when Okta FastPass prevents a known phishing site.

Read More

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Read More

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

Read More

Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.

Read More

Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.

Read More

Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.

Read More

Detects possible exploitation activity or bugs in a web application

Read More

Detects failed logins with multiple accounts from a single process on the system.

Read More

Detects a source system failing to authenticate against a remote host with multiple users.

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detects a single user failing to authenticate to multiple users using explicit credentials.

Read More

Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).

Read More

Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.

Read More

Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Read More

Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)

Read More

Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)

Read More

Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Read More

Detects a suspicious program execution in Outlook temp folder

Read More

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns

Read More

Detects attempts to enable the guest account using the sysadminctl utility

Read More

Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.

Read More

Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Read More

Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.

Read More

Detects potential local file read vulnerability in JVM based apps. If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.

Read More

Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)

Read More

Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.

Read More