Threat Research

    Identifies when a legitimate Windows system executable normally found in the system directory is launched from an unusual or unexpected location....
    Identifies suspicious child processes launched by Node.js server processes on Windows, which may signal exploitation of vulnerabilities such as CVE-2025-55182 (React2Shell)....
    Identifies the execution of curl.exe using the file:// protocol to access and read local files....
    Identifies cases where the ArcGIS Server process (ArcSOC.exe), responsible for hosting REST services, creates files with suspicious types that may indicate executables, scripts, or other anomalous files....
    Identifies script interpreters, command-line utilities, and other potentially suspicious child processes spawned by ArcSOC.exe. ArcSOC.exe is the process responsible for hosting ArcGIS Server REST services....
    Detects instances where a web browser process opens an HTML file from a user’s Downloads folder. This behavior may be indicative of phishing activity, in which threat actors distribute HTML attachments to users. Opening such attachments can result in the execution of malicious scripts or the delivery of malware....
    Detects the use of the Grixba reconnaissance tool through characteristic command-line patterns. Grixba, employed by the Play ransomware group, supports pre-attack operations such as network scanning, data collection, and clearing of event logs....
    Detects changes to NTFS symbolic link evaluation settings via fsutil (fsutil behavior set SymlinkEvaluation), which may enable remote-to-local or remote-to-remote symlinks that an attacker could abuse....
    Detects a suspicious CertReq execution that initiates a file download. This activity is commonly associated with attackers attempting to retrieve additional payloads or configuration files....
    Monitors for command-line interpreters such as cmd.exe or powershell.exe spawned as child processes of the WSUS service (wsusservice.exe). The WSUS service has no legitimate reason to launch a shell, so this is a strong indicator of exploitation of a remote code execution vulnerability such as CVE-2025-59287, where an attacker launches a shell to perform reconnaissance or further malicious actions....
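    Added example (my own code, not rule logic from any of the research entries above or from a vendor's product): a small Python detector that encodes several of the parent/child and command-line patterns summarized in this list (system binary launched outside System32, curl.exe with file://, a shell spawned by the WSUS service, interpreters spawned by ArcSOC.exe, a browser opening an HTML file from Downloads) and runs them over constructed Windows process-creation events. The event field names, the watch-lists, and the sample events are assumptions for illustration, not a real telemetry schema.

```python
import ntpath
import re
from dataclasses import dataclass

# Watch-lists: assumptions chosen for the example, not an authoritative set.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "rundll32.exe", "regsvr32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "certutil.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the new process


def _basename(path):
    return ntpath.basename(path).lower()


def detect(ev):
    """Return the list of rule names that match a single event."""
    hits = []
    image = ev.image.lower()
    name = _basename(image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line.lower()

    # 1. A well-known system binary running from anywhere but the system directories.
    if name in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        hits.append("system_binary_unusual_path")

    # 2. curl.exe asked to read a local file through the file:// scheme.
    if name == "curl.exe" and re.search(r"\bfile://", cmd):
        hits.append("curl_file_protocol")

    # 3. The WSUS service spawning a shell (no benign reason to do so).
    if parent == "wsusservice.exe" and name in SHELLS:
        hits.append("wsus_spawned_shell")

    # 4. ArcSOC.exe (ArcGIS REST host) spawning an interpreter or LOLBin.
    if parent == "arcsoc.exe" and name in INTERPRETERS:
        hits.append("arcsoc_suspicious_child")

    # 5. A browser opening an .htm/.html file under a Downloads folder.
    if name in BROWSERS and re.search(r'\\downloads\\[^\s"]*\.html?(?=$|[\s"])', cmd):
        hits.append("browser_opened_downloaded_html")

    return hits


def run_detections(events):
    """Run every rule over every event; keep only events that matched something."""
    return [(_basename(ev.image), detect(ev)) for ev in events if detect(ev)]


# Constructed sample events: one benign control plus one per rule.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe", "svchost.exe -k netsvcs"),
    ProcessEvent(r"C:\Users\Public\svchost.exe",
                 r"C:\Windows\explorer.exe", r"C:\Users\Public\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 r"C:\Windows\System32\cmd.exe", "curl.exe file:///C:/Windows/win.ini"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Update Services\Service\WsusService.exe", "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\ArcGIS\Server\bin\ArcSOC.exe", "powershell.exe -enc AAAA"),
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\alice\Downloads\invoice.html'),
]

if __name__ == "__main__":
    for name, rules in run_detections(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(rules)}")
```

    The benign svchost.exe launch from System32 produces no hit, while each of the other five constructed events trips exactly one rule. Matching is done on the lowercased image path and command line because Windows paths and most of these tools are case-insensitive; a production rule would additionally key on signer information and the parent's own path rather than just its basename.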