✨ Highlights
-
🛡️ SAP NetWeaver Exploitation
Released a new analytic story targeting CVE-2025-31324 in SAP NetWeaver, including a dedicated hunting detection for “SAP NetWeaver Visual Composer Exploitation Attempt” to catch early signs of exploitation. You can read more about this vulnerability here. -
🍏 AMOS Stealer Analytics
Added a new analytic story for AMOS Stealer and introduced the “macOS AMOS Stealer – Virtual Machine Check Activity” detection, which looks for the execution of theosascriptcommand along with specific command-line strings. -
🪟 Additional Windows Detections
We shipped three new Windows-focused detections to improve visibility into post-compromise activity: one that identifies reconnaissance by monitoring built-in log query utilities against the Windows Event Log, another that alerts when an adversary clears the Event Log via Wevtutil, and a third that detects malicious file downloads executed through the CertUtil utility.
New Analytic Story - [2]
New Analytics - [5]
- MacOS AMOS Stealer - Virtual Machine Check Activity
- SAP NetWeaver Visual Composer Exploitation Attempt
- Windows EventLog Recon Activity Using Log Query Utilities
- Windows Eventlog Cleared Via Wevtutil
- Windows File Download Via CertUtil
Other Updates
- Updated the
is_nirsoft_softwarelookup with additional nirsoft tooling - Updated attack_data links for several detections.