APT33

APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

In a recent wave of attacks during February 2019, Elfin attempted to exploit a known vulnerability (CVE-2018-20250) in WinRAR... If successfully exploited on an unpatched computer, the vulnerability could permit an attacker to install any file on the computer, which effectively permits code execution on the targeted computer.

Peach Sandstorm also attempted to exploit vulnerabilities with a public proof-of-concept (POC) in Zoho ManageEngine or Confluence, to access targets’ environments. CVE-2022-47966 is a remote code execution vulnerability affecting a subset of on-premises Zoho ManageEngine products. Microsoft recommends organizations using vulnerable applications patch this vulnerability as multiple groups have been observed exploiting this vulnerability.

The following analytic detects when su runs from a page-cache-corrupted binary... This activity is significant because it indicates a possible privilege escalation attempt, allowing a user to gain root access... CVE CVE-2026-31431 ... References ... copy-fail-CVE-2026-31431