3059 matches found
CVE-2019-1000
An elevation of privilege vulnerability exists in Microsoft Azure Active Directory Connect build 1.3.20.0, which allows an attacker to execute two PowerShell cmdlets in the context of a privileged account and perform privileged actions. To exploit this, an attacker would need to authenticate to the...
Exploit for Deserialization of Untrusted Data in Microsoft
LetsDefend-CVE-2022-41082-Exploitation-Attempt 🛡️ Incident...
Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks
Cybersecurity researchers have shed light on a new malware campaign that makes use of a PowerShell-based shellcode loader to deploy a remote access trojan called Remcos RAT. "Threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents," Qualys...
Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT
Cybercriminals are progressively turning to PowerShell to launch stealthy attacks that evade traditional antivirus and endpoint defenses. By running code directly in memory, these threats leave minimal evidence on disk, making them particularly challenging to detect. A recent example is Remcos RAT, ...
Fileless Remcos RAT Attack Evades Antivirus Using PowerShell Scripts
A new wave of attacks uses PowerShell and LNK files to secretly install Remcos RAT, enabling full remote…...
Horabot Malware Targets 6 Latin American Nations Using Invoice-Themed Phishing Emails
Cybersecurity researchers have discovered a new phishing campaign that's being used to distribute malware called Horabot targeting Windows users in Latin American countries like Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. The campaign is "using crafted emails that impersonate invoice...
Authenticated Command Injection
github.com/nrkno/terraform-provider-windns is vulnerable to Authenticated command injection. The vulnerability is due to lack of input sanitization in the windnsrecord resource. Specifically, user-supplied inputs were not properly sanitized before being passed to the underlying PowerShell command...
Microsoft Security Essentials Detection (Windows SMB Login)
Detects and gathers information about Microsoft Security Essentials. Supports the following operating systems: - Windows XP SP3 - Vista SP1 - Windows 7 The information is retrieved via PowerShell. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced...
Microsoft/Windows Defender Detection (Windows SMB Login)
Detects and gathers information about Microsoft/Windows Defender on Windows operating systems. Supports Windows 7 and Server 2008 onwards. The information is retrieved via PowerShell. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced sources, and a...
Photon OS 5.0: Powershell PHSA-2024-5.0-0316
An update of the powershell package has been released. %NASLMINLEVEL 80900 (C) Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2024-5.0-0316. The text itself is copyright (C) VMware, Inc. include("compat.inc"); if (description...
Exploit for OS Command Injection in Php
CVE-2024-4577...
Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware
The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures. "LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along...
CVE-2025-46735 Terraform WinDNS Provider improperly sanitizes input variables in `windns_record`
Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found in Terraform WinDNS Provider before version 1.0.5. The windnsrecord resource did not sanitize the input variables. This could lead to authenticated command...
Arbitrary Command Injection
Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the windnsrecord resource. An attacker can execute arbitrary commands on the underlying system by injecting malicious inputs into the PowerShell command prompt used by the application. Remediation Upgrade...
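The three windns entries above (the "Authenticated Command Injection" advisory, CVE-2025-46735 and the Snyk overview) describe the same defect class: record fields from the Terraform configuration are spliced into a PowerShell command string, so a value containing a statement separator or a quote is parsed as PowerShell code. The Go block below is an added illustration of that class and its fix, written for this page; it is not code from terraform-provider-windns and does not reproduce the actual vulnerable code path. The cmdlet name and its parameters are the real Windows DNS cmdlet, but the field set, the validation policy (DNS-label regex, IPv4 only, "@" for the apex) and the sample inputs are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// dnsNameRe accepts "@" (zone apex) or dot-separated labels of letters,
// digits and hyphens, 1..63 characters each. Assumed policy for this
// example, not the provider's own validation.
var dnsNameRe = regexp.MustCompile(
	`^(@|[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$`)

// BuildVulnerable shows the unsafe pattern: caller-controlled values are
// formatted straight into the PowerShell command text. A value containing
// ";", a quote or "$(...)" is interpreted by PowerShell as code, not data.
func BuildVulnerable(zone, name, ipv4 string) string {
	return fmt.Sprintf(
		"Add-DnsServerResourceRecordA -ZoneName %s -Name %s -IPv4Address %s",
		zone, name, ipv4)
}

// PSQuote returns s as a PowerShell single-quoted literal. Inside single
// quotes PowerShell does no variable expansion, escape processing or
// sub-expression evaluation; the only special character is the quote
// itself, which is doubled.
func PSQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", "''") + "'"
}

// BuildSafe validates each field against the shape it must have and then
// quotes it, so a value can never alter the structure of the command.
// Validation and quoting are both applied: quoting alone would stop the
// injection, but a hostile value would still reach the DNS server as data.
func BuildSafe(zone, name, ipv4 string) (string, error) {
	if zone == "@" || !dnsNameRe.MatchString(zone) {
		return "", fmt.Errorf("invalid zone name %q", zone)
	}
	if !dnsNameRe.MatchString(name) {
		return "", fmt.Errorf("invalid record name %q", name)
	}
	ip := net.ParseIP(ipv4)
	if ip == nil || ip.To4() == nil {
		return "", fmt.Errorf("invalid IPv4 address %q", ipv4)
	}
	return fmt.Sprintf(
		"Add-DnsServerResourceRecordA -ZoneName %s -Name %s -IPv4Address %s",
		PSQuote(zone), PSQuote(name), PSQuote(ip.String())), nil
}

func main() {
	// Constructed inputs: one benign record and one whose name carries an
	// extra PowerShell statement after a ";" separator.
	inputs := [][3]string{
		{"corp.example", "host01", "10.0.0.1"},
		{"corp.example", "host01; Write-Host injected", "10.0.0.1"},
	}
	for _, in := range inputs {
		fmt.Println("unsafe:", BuildVulnerable(in[0], in[1], in[2]))
		cmd, err := BuildSafe(in[0], in[1], in[2])
		if err != nil {
			fmt.Println("safe  : rejected:", err)
			continue
		}
		fmt.Println("safe  :", cmd)
	}
}
```

The unsafe builder emits the hostile name verbatim, so PowerShell would run `Write-Host injected` as a second statement after the cmdlet; the hardened builder rejects it at validation, and any value that does pass is single-quoted so that even a permitted character such as a hyphen or dot cannot be read as syntax.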
MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks
The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Future's Insikt Group said in a report shared...
Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo...
Node.js Malware Campaign Targets Crypto Users with Fake Binance and TradingView Installers
Microsoft is calling attention to an ongoing malvertising campaign that makes use of Node.js to deliver malicious payloads capable of information theft and data exfiltration. The activity, first detected in October 2024, uses lures related to cryptocurrency trading to trick users into installing ...
Enable Azure AD Joined Device Management Functional Limitations
After configuring "Enable Azure AD Joined Device Management" stale machine objects are not automatically removed from AAD. - Made a custom aad role with the following permissions: microsoft.directory/devices/standard/read microsoft.directory/devices/delete - Assigned this role to the spn we use...
GOFFEE continues to attack organizations in Russia
GOFFEE is a threat actor that first came to our attention in early 2022. Since then, we have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment. Starting in May 2022 and up until summer of...
Log Files Associated With Deleted Jobs or Tenants Are Not Automatically Deleted
Challenge The diagnostic log files created by Veeam Backup & Replication / Veeam Cloud Connect that are associated with a deleted or disabled job, repository, or tenant are not automatically removed and remain on disk taking up space. Cause This is expected behavior as log file management only...