Severity: CRITICAL
Priority: 0.565
Executive Summary
A critical unpatched vulnerability in Hugging Face's LeRobot robotics platform allows an unauthenticated attacker to execute arbitrary code on AI inference servers by sending a malicious network message. Organizations running LeRobot's PolicyServer or robot client components in production AI/ML environments are directly exposed until a fix ships in version 0.6.0. Because these components often run with elevated system privileges, a successful attack could result in full server compromise, manipulation of AI-controlled robotic systems, and lateral movement across connected infrastructure.
Impact Assessment
CISA KEV Status: Not listed
Attack Vector (HIGH): Exploitable remotely over the internet
Complexity (HIGH): No special conditions required to exploit
Authentication (HIGH): No credentials needed; anyone can attempt
User Interaction (HIGH): Fully automated; no user action needed
Active Exploitation (LOW): No confirmed active exploitation
Affected Product (INFO): Hugging Face LeRobot <= 0.4.3 (open-source robotics platform; PolicyServer and robot client components)
Are You Exposed?
⚠ You use Hugging Face LeRobot <= 0.4.3 (open-source robotics platform; PolicyServer and robot client components) → Investigate immediately
⚠ Affected systems are internet-facing → Increased attack surface
✓ You have patched to the latest version → Reduced risk
✓ Systems are behind network segmentation / WAF → Mitigated exposure
Assessment estimated from CVSS base score (no vector available)
Business Context
A successful exploit gives an attacker full control of the AI inference server — including any robotic systems that server directs — without requiring any stolen credentials or prior foothold. In environments where LeRobot controls physical or industrial robotic hardware, compromise could disrupt automated operations, corrupt AI model outputs, or cause unsafe physical actions by connected robots. Organizations in regulated industries that use AI/ML inference infrastructure may face additional scrutiny if an exploit leads to data exposure or operational disruption, particularly if the affected servers process sensitive operational data.
You Are Affected If
You run Hugging Face LeRobot version 0.4.3 or earlier in any environment (on-premises, cloud, or containerized)
The LeRobot PolicyServer or robot client gRPC endpoint is reachable from untrusted networks — including internal segments with broad lateral access
The PolicyServer process runs with elevated OS privileges (root, sudo, or a high-privilege service account)
Your environment has not applied network-layer access controls blocking unauthenticated gRPC access to LeRobot components
You have not yet validated that your deployment is isolated pending the v0.6.0 patch release
Board Talking Points
A critical flaw in an open-source AI robotics platform allows an attacker to take complete control of affected servers without any login credentials — no patch exists yet.
Technology teams should immediately isolate any LeRobot inference servers from untrusted network access and monitor for a vendor patch expected in version 0.6.0.
Without containment, an attacker who reaches these systems could disrupt AI-driven operations, manipulate robotic systems, and move laterally across connected infrastructure.
Technical Analysis
CVE-2026-25874 affects Hugging Face LeRobot versions 0.4.3 and earlier.
The vulnerability chain combines three weaknesses: unsafe deserialization of attacker-controlled pickle data (CWE-502) received over gRPC channels that require no authentication (CWE-306) and transmit in cleartext (CWE-319).
An unauthenticated remote attacker who can reach an exposed gRPC endpoint can send a crafted pickle payload that triggers arbitrary code execution on the server; no credentials or prior access are required.
The PolicyServer and robot client components are the affected surfaces; both frequently run with elevated OS privileges in inference environments, which amplifies post-exploitation impact.
CVSS base score is 9.5, meeting the critical threshold. EPSS score is 0.00062 (19th percentile) as of the item capture date; exploitation activity has not yet been widely observed, but the attack primitive (pickle deserialization for RCE) is well understood and weaponizable. No patch is available. Remediation is planned for version 0.6.0.
MITRE ATT&CK techniques relevant to exploitation and post-exploitation: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1210 (Exploitation of Remote Services), T1021 (Remote Services), T1565 (Data Manipulation), T1552 (Unsecured Credentials).
NVD entry and secondary source URLs are listed in item metadata but could not be actively verified at response time; analyst should confirm directly at nvd.nist.gov.
Action Checklist (IR Enriched)
Triage Priority: IMMEDIATE
Escalate immediately to senior IR leadership and legal/compliance if network flow logs or process execution records show any inbound gRPC connection to PolicyServer from an unauthorized IP prior to containment, any unexpected child process spawned by the PolicyServer process, or any new accounts, cron jobs, or modified files on inference hosts — these indicators suggest confirmed exploitation of CVE-2026-25874, which on a system running with elevated privileges constitutes a full server compromise requiring breach notification assessment, particularly if the inference server had access to sensitive training data, PII, or operational technology (OT) robotics control channels.
Step 1: Containment — Query your asset inventory (CIS 1.1) and software inventory (CIS 2.1) to identify all hosts running LeRobot 0.4.3 or earlier with PolicyServer or robot client components active. Enforce network-layer information flow controls to block external and untrusted internal traffic to the gRPC port (NIST AC-4 — Information Flow Enforcement). Apply host-based firewall rules on affected servers to deny unauthenticated inbound gRPC connections (CIS 4.4). If internet-facing, take the service offline or place it behind a proxy that enforces access mediation before the patch is available (D3-PBWSAM — Proxy-based Web Server Access Mediation).
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SC-7 (Boundary Protection)
NIST CM-7 (Least Functionality)
CIS 4.4 (Implement and Manage a Firewall on Servers)
CIS 12.2 (Establish and Maintain a Secure Network Architecture) — isolate PolicyServer segment from untrusted networks
Compensating Control
Run 'ss -tlnp | grep python' or 'netstat -tlnp | grep python' on each suspected host to confirm gRPC port binding (commonly 50051 TCP for LeRobot PolicyServer). Apply immediate iptables DROP rule: 'iptables -I INPUT -p tcp --dport 50051 -j DROP' (adjust port per your deployment). For container environments: 'docker ps --format "{{.Names}} {{.Ports}}" | grep 50051' to locate exposed containers, then remove or modify port mappings. Use nmap from a jump host: 'nmap -p 50051 --open <subnet>' to confirm exposure scope across the environment without requiring a SIEM.
Preserve Evidence
Before isolating hosts, capture full network socket state: 'ss -tnp state established' to document any active gRPC connections to PolicyServer at time of containment. Record source IPs of any established connections to the gRPC port — these are candidate attacker IPs if exploitation preceded discovery. Preserve /proc/<pid>/net/tcp and /proc/<pid>/cmdline for the PolicyServer process PID before any service restart. If the host is a container, capture 'docker inspect <container_id>' output and network namespace state before isolation to preserve pre-containment configuration.
Step 2: Detection — Use your software inventory (CIS 2.1) and asset inventory (CIS 1.1) to query for lerobot pip package or container image at version 0.4.3 or below. Enable and review audit logs (CIS 8.2 — Collect Audit Logs; NIST AU-2 — Event Logging) on hosts running PolicyServer for inbound gRPC connection events from IPs outside authorized robot client or orchestration ranges. Ensure audit records capture what occurred, when, where, and by whom (NIST AU-3 — Content Of Audit Records). In SIEM, correlate T1190 (exploit of public-facing application) on AI inference hosts with subsequent T1059 (scripting interpreter execution) events. Monitor for anomalous child process creation under the PolicyServer parent process using NIST AU-6 (Audit Record Review, Analysis, And Reporting). Apply D3-SFA (System File Analysis) to detect unauthorized modification of system executables or configuration files on affected hosts.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Version discovery without SIEM: run 'pip show lerobot' or 'pip3 show lerobot' on each host, or query container images with 'docker run --rm <image> pip show lerobot'. For process spawn detection without EDR, deploy Sysmon with EventID 1 (Process Create) configured to alert on python.exe or python3 spawning sh, bash, cmd.exe, or curl as child processes — this captures the post-exploit shell spawn that pickle RCE would trigger. Use the Sigma rule equivalent: parent_image contains 'python' AND image contains ('sh','bash','curl','wget','nc'). On Linux hosts, enable auditd with: 'auditctl -a always,exit -F arch=b64 -S execve -F ppid=<PolicyServer_PID>' to capture all child process executions from the PolicyServer parent process. Query pip package version across fleet via osquery: 'SELECT name, version FROM python_packages WHERE name = "lerobot";'
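An added example (not part of the original advisory, and not LeRobot or vendor code) of the parent/child check described above, run over constructed auditd SYSCALL records. It follows the whole process tree under the PolicyServer PID and matches on the executable's basename instead of a substring, so sshd is not mistaken for sh. The record layout is trimmed, syscall 59 assumes x86-64, and the function names, PID 4200 and the 'dash' entry are assumptions.

```python
import os
import re

# Binaries the advisory names as suspicious children. 'dash' is an added
# assumption: auditd's exe= field holds the resolved binary, and /bin/sh is
# dash on Debian/Ubuntu hosts.
SUSPICIOUS = {"sh", "bash", "dash", "curl", "wget", "nc"}

_EXEC = re.compile(
    r'msg=audit\((?P<ts>\d+\.\d+):\d+\).*?\bppid=(?P<ppid>\d+)\s+pid=(?P<pid>\d+)'
    r'.*?\bexe="(?P<exe>[^"]+)"'
)

# Constructed, trimmed auditd records (not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1767000000.010:801): arch=c000003e syscall=59 success=yes ppid=1 pid=4200 uid=998 exe="/usr/bin/python3.10"
type=SYSCALL msg=audit(1767000120.500:802): arch=c000003e syscall=59 success=yes ppid=900 pid=5001 uid=0 exe="/usr/sbin/sshd"
type=SYSCALL msg=audit(1767000300.250:803): arch=c000003e syscall=59 success=yes ppid=4200 pid=4400 uid=998 exe="/usr/bin/nvidia-smi"
type=SYSCALL msg=audit(1767000912.101:804): arch=c000003e syscall=59 success=yes ppid=4200 pid=4312 uid=998 exe="/usr/bin/dash"
type=SYSCALL msg=audit(1767000912.140:805): arch=c000003e syscall=42 success=yes ppid=4200 pid=4312 uid=998 exe="/usr/bin/dash"
type=SYSCALL msg=audit(1767000912.377:806): arch=c000003e syscall=59 success=yes ppid=4312 pid=4313 uid=998 exe="/usr/bin/curl"
type=SYSCALL msg=audit(1767000950.000:807): arch=c000003e syscall=59 success=yes ppid=5001 pid=5002 uid=1000 exe="/usr/bin/bash"
"""


def parse_execve(lines):
    """Return execve events (syscall 59 on x86-64) sorted by timestamp."""
    events = []
    for line in lines:
        if "type=SYSCALL" not in line or " syscall=59 " not in line:
            continue  # ignore connect(), open() and other record types
        m = _EXEC.search(line)
        if m:
            events.append({"ts": float(m["ts"]), "ppid": int(m["ppid"]),
                           "pid": int(m["pid"]), "exe": m["exe"]})
    return sorted(events, key=lambda e: e["ts"])


def flag_descendants(events, root_pid):
    """Flag suspicious executables anywhere below root_pid in the process tree."""
    tracked = {root_pid}
    hits = []
    for ev in events:
        # A record belongs to the tree if its parent is tracked, or if a
        # tracked process replaced its own image with execve.
        if ev["ppid"] in tracked or ev["pid"] in tracked:
            tracked.add(ev["pid"])
            if os.path.basename(ev["exe"]) in SUSPICIOUS:
                hits.append((ev["pid"], ev["ppid"], ev["exe"]))
    return hits


if __name__ == "__main__":
    for pid, ppid, exe in flag_descendants(parse_execve(SAMPLE_LOG.splitlines()), 4200):
        print(f"ALERT pid={pid} ppid={ppid} exe={exe}")
```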
Preserve Evidence
Capture pip freeze output ('pip freeze | grep -i lerobot') from all AI/ML inference hosts before any updates to establish installed version at time of detection. Pull Python process execution history from auditd logs or Sysmon EventID 1 records filtered on PolicyServer's PID as parent — pickle deserialization RCE will surface as an unexpected child process (shell, interpreter, or network utility) spawned directly by the PolicyServer Python process. Review /var/log/syslog or journalctl output for the PolicyServer service for Python exceptions, unexpected import errors, or traceback output that may indicate a failed or probing exploit attempt. Check network flow logs (NetFlow, VPC Flow Logs, or pcap from an in-path sensor) for inbound gRPC traffic (TCP 50051 or configured port) originating from IPs outside the authorized robot client IP list — especially high-frequency or large-payload connections consistent with pickle payload delivery.
Step 3: Eradication — No vendor patch is available for LeRobot <= 0.4.3. Apply compensating controls: enforce strict network-layer ACLs so only authorized robot clients reach the gRPC endpoint (NIST AC-4 — Information Flow Enforcement; CIS 4.2 — Establish and Maintain a Secure Configuration Process for Network Infrastructure). Require mutual TLS on gRPC channels and apply D3-CH (Credential Hardening) and D3-ACA (Active Certificate Analysis) to validate and harden transport certificates. Restrict the PolicyServer process account to least-privilege permissions (NIST AC-6 — Least Privilege; D3-UAP — User Account Permissions; CIS 5.4 — Restrict Administrator Privileges to Dedicated Administrator Accounts). Do not accept pickle data from untrusted sources; evaluate switching serialization format pending the v0.6.0 release. Manage and disable any default or unnecessary accounts associated with the LeRobot deployment (CIS 4.7 — Manage Default Accounts on Enterprise Assets and Software).
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST SI-2 (Flaw Remediation)
NIST SC-8 (Transmission Confidentiality and Integrity)
NIST SC-23 (Session Authenticity)
NIST CM-6 (Configuration Settings)
NIST CM-7 (Least Functionality)
CIS 4.2 (Establish and Maintain a Secure Configuration Process for Network Infrastructure)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Because no LeRobot patch exists as of CVE-2026-25874 disclosure, the primary compensating control is network enforcement: configure iptables or nftables with an allowlist permitting only authorized robot client IPs to reach the gRPC port ('iptables -A INPUT -p tcp --dport 50051 -s <authorized_client_IP> -j ACCEPT; iptables -A INPUT -p tcp --dport 50051 -j DROP'). Because iptables evaluates rules in order, the ACCEPT rule must sit above any blanket DROP rule for that port that was inserted during containment. For mTLS without enterprise PKI, generate a self-signed CA and client/server certificates using openssl and configure gRPC channel credentials in LeRobot's Python gRPC initialization if the framework exposes channel security options. As a serialization-layer compensating control, wrap the PolicyServer's pickle.loads call with an HMAC-signed payload validator if code modification is operationally feasible, rejecting any payload whose signature does not match a pre-shared key between authorized clients and the server. Document all compensating controls as risk acceptance entries per NIST 800-61r3 §3.4 until v0.6.0 is available.
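An added example (not from the original advisory and not LeRobot's own code) of the HMAC-signed payload validator described above: the tag is verified before any byte reaches the unpickler. It goes one step beyond the text by also restricting which globals a validly signed payload may reference. The names seal, open_sealed, verdict, RejectedPayload and ALLOWED_GLOBALS, the tag-then-body frame layout and the allowlist contents are assumptions.

```python
import hashlib
import hmac
import io
import pickle

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag precedes the body

# Assumption: the only non-primitive type authorized peers exchange.
# Plain dict/list/str/int/float/bytes need no globals and always load.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}


class RejectedPayload(Exception):
    """Frame failed authentication or referenced a non-allowlisted global."""


class _AllowlistUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every global the pickle stream asks to import.
        if (module, name) not in ALLOWED_GLOBALS:
            raise RejectedPayload(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def seal(key: bytes, obj) -> bytes:
    """Client side: serialize, then prepend HMAC-SHA256(key, body)."""
    body = pickle.dumps(obj, protocol=4)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_sealed(key: bytes, frame: bytes):
    """Server side: verify the tag first; only then deserialize."""
    if len(frame) <= TAG_LEN:
        raise RejectedPayload("frame too short to carry a tag and a body")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise RejectedPayload("HMAC mismatch")
    try:
        return _AllowlistUnpickler(io.BytesIO(body)).load()
    except pickle.UnpicklingError as exc:
        raise RejectedPayload(f"malformed pickle: {exc}") from exc


def verdict(key: bytes, frame: bytes) -> str:
    """Return 'accepted' or the rejection reason, suitable for logging."""
    try:
        open_sealed(key, frame)
        return "accepted"
    except RejectedPayload as exc:
        return str(exc)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key; provision real keys out of band
    frame = seal(key, {"action": [0.1, -0.4]})
    print(verdict(key, frame))                                # accepted
    print(verdict(key, frame[:-1] + bytes([frame[-1] ^ 1])))  # HMAC mismatch
```

An HMAC authenticates each frame but does not prevent replay of a captured frame, and the channel stays cleartext (CWE-319) until TLS is added.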
Preserve Evidence
Before applying ACLs, extract the full PolicyServer configuration file (typically a YAML or JSON config in the LeRobot deployment directory) to document the current gRPC binding address and port, authentication settings (or absence thereof), and any existing TLS configuration. If exploitation is suspected, preserve a memory snapshot of the PolicyServer process using 'gcore <pid>' or LiME kernel module before killing and re-configuring — pickle-deserialized payloads that establish persistence may have injected code into the Python interpreter's memory space. Capture current iptables/nftables ruleset ('iptables -L -n -v') as a pre-change baseline. Check for new cron entries ('crontab -l -u <service_account>'), new systemd unit files in /etc/systemd/system/, and new files in /tmp or world-writable directories — these are common post-exploitation persistence mechanisms a pickle RCE payload would deploy.
Step 4: Recovery — After network controls are in place, validate gRPC endpoints are unreachable from untrusted segments using an internal port scan or service probe (CIS 4.4 — Implement and Manage a Firewall on Servers). Review process execution audit records on affected hosts for signs of prior exploitation — unexpected child processes, new local accounts, modified files (NIST AU-6 — Audit Record Review, Analysis, And Reporting; NIST AU-11 — Audit Record Retention; D3-LAM — Local Account Monitoring). Apply D3-SICA (System Init Config Analysis) to verify no persistence mechanisms were written to startup configurations. When LeRobot 0.6.0 is released, apply the update through your patch management process (CIS 7.3 — Perform Automated Operating System Patch Management; CIS 7.4 — Perform Automated Application Patch Management) and verify gRPC channel enforces authentication before restoring full network access. Confirm audit log storage capacity is sufficient to retain forensic evidence through the investigation period (NIST AU-4 — Audit Storage Capacity).
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST SI-2 (Flaw Remediation)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST CM-3 (Configuration Change Control)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
Validate network isolation from an untrusted vantage point using nmap: 'nmap -p 50051 -Pn <PolicyServer_IP>' from a host outside the authorized ACL — connection refused or filtered confirms the control is effective. For behavior baseline monitoring without an EDR, configure auditd to log all execve, connect, and open syscalls for the PolicyServer process user account and pipe to a local file for daily diff review. Use AIDE (Advanced Intrusion Detection Environment) to establish a filesystem integrity baseline of the LeRobot installation directory and Python site-packages immediately after containment: 'aide --init && cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db'. When v0.6.0 ships, verify the fix by reviewing the LeRobot GitHub release diff for the specific commit addressing pickle deserialization authentication and confirm 'pip show lerobot' reports version 0.6.0 or later before restoring gRPC access.
Preserve Evidence
Conduct a post-containment process ancestry review: query auditd EXECVE records or Sysmon EventID 1 logs for the 48-72 hours preceding detection, filtering on the PolicyServer process account as the UID — any child processes (bash, sh, python -c, curl, wget, nc) spawned from that account that are not part of normal LeRobot operation are indicators of prior successful exploitation. Check /etc/passwd and /etc/shadow modification timestamps, and review 'last' and 'lastlog' output for new or unexpected login activity under the service account or root. Run 'find / -newer /path/to/lerobot/install -type f -not -path "/proc/*" -not -path "/sys/*"' to surface files created or modified after LeRobot installation — attacker-dropped webshells, reverse shell scripts, or persistence implants will appear here.
Step 5: Post-Incident — Conduct an inventory audit of all AI/ML inference components that use pickle serialization or unauthenticated inter-service communication (CIS 2.1 — Establish and Maintain a Software Inventory; CIS 2.2 — Ensure Authorized Software is Currently Supported). Add LeRobot and similar open-source AI/robotics serving frameworks to your documented vulnerability management process (CIS 7.1 — Establish and Maintain a Vulnerability Management Process; CIS 7.2 — Establish and Maintain a Remediation Process). Update access control policies to explicitly govern authentication requirements for all network-exposed inference endpoints (NIST AC-1 — Policy And Procedures; NIST AC-17 — Remote Access). Apply D3-ODM (Operational Dependency Mapping) to document dependencies between AI inference components and downstream systems so future impact assessments are faster. Review remote access controls to ensure AI/ML serving endpoints are not reachable without authentication (NIST AC-17 — Remote Access).
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity (Lessons Learned)
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST RA-3 (Risk Assessment)
NIST SA-11 (Developer Testing and Evaluation)
NIST SI-2 (Flaw Remediation)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Identify all Python-based services in the environment that call pickle.loads or use torch.load (which internally invokes pickle) by running a grep across deployed codebases: 'grep -r "pickle.loads\|torch.load\|joblib.load\|numpy.load" /opt /srv /app --include="*.py"'. Enumerate unauthenticated inter-service gRPC or HTTP endpoints using nmap service discovery: 'nmap -p 50051,8080,8443 --open -sV <internal_subnet>' and flag any service returning a gRPC or HTTP response without requiring client credentials. Subscribe to Hugging Face's security advisories via their GitHub Security Advisories feed (github.com/huggingface/lerobot/security/advisories) and add to your vulnerability feed aggregator or manually review weekly. Add a checklist item to your AI/ML library intake process: does this library expose a network port? Does it use pickle, joblib, or torch serialization on that port? Is mutual authentication required by default?
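An added example (not part of the original advisory or any project's code) that performs the same inventory as the grep above using Python's ast module. It resolves import aliases that a text search misses, skips numpy.load calls without allow_pickle=True (numpy only unpickles when that flag is set), and skips torch.load calls that pass weights_only=True. The function names and the constructed sample source are assumptions.

```python
import ast

# (module, function) pairs taken from the grep pattern in the text, plus pickle.load.
RISKY = {("pickle", "load"), ("pickle", "loads"), ("torch", "load"),
         ("joblib", "load"), ("numpy", "load")}

# Constructed sample source to scan (line numbers start at 1).
SAMPLE_SOURCE = "\n".join([
    "import pickle as pk",
    "import numpy as np",
    "import torch",
    "from joblib import load as jl_load",
    "def handle(request_bytes):",
    "    return pk.loads(request_bytes)",
    "safe = torch.load('policy.pt', weights_only=True)",
    "legacy = torch.load('old.pt')",
    "arr = np.load('obs.npy')",
    "obj = np.load('obs.npy', allow_pickle=True)",
    "model = jl_load('clf.joblib')",
])


def _kw_true(call, name):
    """True when the call passes name=True as a literal keyword argument."""
    return any(kw.arg == name and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


def find_unsafe_loads(source, filename="<memory>"):
    """Return sorted (line, 'module.func') pairs for pickle-backed load calls."""
    tree = ast.parse(source, filename)
    modules, funcs = {}, {}  # local alias -> module, local name -> (module, func)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                modules[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                funcs[alias.asname or alias.name] = (node.module, alias.name)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        fn = node.func
        if isinstance(fn, ast.Attribute) and isinstance(fn.value, ast.Name):
            target = (modules.get(fn.value.id), fn.attr)   # e.g. pk.loads(...)
        elif isinstance(fn, ast.Name):
            target = funcs.get(fn.id)                      # e.g. jl_load(...)
        else:
            continue
        if target not in RISKY:
            continue
        if target == ("numpy", "load") and not _kw_true(node, "allow_pickle"):
            continue  # numpy refuses pickled objects unless allow_pickle=True
        if target == ("torch", "load") and _kw_true(node, "weights_only"):
            continue  # weights_only=True uses torch's restricted unpickler
        findings.append((node.lineno, ".".join(target)))
    return sorted(findings)


if __name__ == "__main__":
    for line, call in find_unsafe_loads(SAMPLE_SOURCE):
        print(f"line {line}: {call}")
```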
Preserve Evidence
Compile a full lessons-learned artifact package including: (1) timeline of CVE-2026-25874 discovery to containment with timestamps, (2) list of all LeRobot versions and hosts identified in the asset inventory audit, (3) network flow evidence showing whether unauthorized gRPC connections occurred before containment (confirming or ruling out pre-containment exploitation), (4) results of the post-containment filesystem integrity scan (AIDE output or find-newer results), and (5) the grep output of all pickle.loads usages across the AI/ML service codebase. This package satisfies NIST IR-8 (Incident Response Plan) documentation requirements and feeds directly into the lessons-learned session.
Recovery Guidance
After applying network ACLs and confirming gRPC isolation via external port scan, maintain enhanced auditd or Sysmon monitoring on all PolicyServer hosts for a minimum of 30 days, specifically watching for execve events under the LeRobot service account, new outbound connections, and filesystem changes in Python site-packages directories — pickle-based implants may have been staged pre-containment and could activate on a delay. Upon release of LeRobot v0.6.0, validate the patch by reviewing the specific commit diff for authenticated gRPC channel enforcement before upgrading production systems, and re-run nmap and process baseline comparisons immediately post-upgrade to confirm no regression. Do not restore full network access to PolicyServer until v0.6.0 is confirmed deployed, gRPC authentication is verified functional, and a clean-bill-of-health check (no anomalous processes, no unexpected files, no unauthorized accounts) has been completed on each host.
Key Forensic Artifacts
Python process execution records (auditd EXECVE events or Sysmon EventID 1) filtered on the PolicyServer process PID as parent — a successful pickle deserialization RCE against CVE-2026-25874 will manifest as an unexpected child process (bash, sh, curl, nc, or a Python one-liner) spawned directly by the LeRobot PolicyServer Python interpreter process
Network flow records (NetFlow, VPC Flow Logs, pcap) for TCP connections to the gRPC port (default 50051) in the 30 days preceding detection — large inbound payload sizes from unauthorized source IPs are consistent with pickle payload delivery; multiple short-duration connections from a single external IP suggest reconnaissance probing of the unauthenticated endpoint
Filesystem timeline artifacts from /tmp, /var/tmp, the LeRobot installation directory, and Python site-packages — a post-exploitation pickle payload would typically drop a persistence script, reverse shell, or SSH authorized_keys modification; use 'find / -newer <lerobot_install_timestamp> -type f' or AIDE database diff to surface attacker-created files
Python interpreter memory snapshot (gcore output or LiME memory dump) from the PolicyServer process if exploitation is suspected prior to containment — malicious pickle payloads executing arbitrary code within the Python interpreter may leave injected code objects or modified built-in function references detectable in heap analysis using Volatility with a Python-aware profile
/etc/passwd, /etc/shadow, crontab files (crontab -l for all users), and systemd unit files in /etc/systemd/system/ with modification timestamps — CVE-2026-25874 grants unauthenticated RCE on a likely elevated-privilege process, making privilege persistence via new accounts, scheduled tasks, or service unit implants the highest-probability post-exploitation action an attacker would take
Detection Guidance
Primary detection focus is the unauthenticated gRPC endpoint exposed by LeRobot's PolicyServer (CWE-306, CWE-502, CWE-319).
Begin with software and asset inventory queries: use CIS 2.1 (Establish and Maintain a Software Inventory) and CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory) to enumerate all hosts or containers running huggingface/lerobot or the lerobot pip package at version 0.4.3 or below.
Flag any instance not present in a controlled, approved software inventory under CIS 2.3 (Address Unauthorized Software).
On network telemetry, identify hosts with open gRPC ports (commonly TCP 50051 or deployment-configured alternatives) associated with LeRobot processes. Flag inbound connections from IPs outside your authorized robot client or orchestration IP allowlist — this directly addresses CWE-306 (missing authentication) and maps to NIST AC-4 (Information Flow Enforcement) gap detection. Enable event logging per NIST AU-2 (Event Logging) on all PolicyServer hosts and ensure audit records meet NIST AU-3 (Content Of Audit Records) requirements: event type, timestamp, source IP, process identity, and outcome must all be captured. Use NIST AU-6 (Audit Record Review, Analysis, And Reporting) workflows to review these logs for anomalous inbound gRPC sessions and subsequent process execution. On the host, monitor for anomalous child process creation where the parent is the PolicyServer process — specifically shell interpreters (bash, sh, cmd, powershell), network tools (curl, wget, nc), or credential-reading utilities. This maps to T1059 (Command and Scripting Interpreter) post-exploitation and is detectable via NIST AU-12 (Audit Record Generation) endpoint process logging. Apply D3-SFA (System File Analysis) to detect unauthorized modification of PolicyServer executables, configuration files, or authentication databases on affected hosts. Apply D3-LAM (Local Account Monitoring) to detect new local accounts or privilege escalation events on inference servers following exploitation of T1552 (Unsecured Credentials) or T1021 (Remote Services). Note: in-process RCE via pickle deserialization may execute entirely within the PolicyServer process and evade child-process-based detection. Prioritize network-layer blocking (NIST AC-4; CIS 4.4) and gRPC connection logging (NIST AU-2; CIS 8.2) over host-based process monitoring as primary controls. 
Use D3-PBWSAM (Proxy-based Web Server Access Mediation) to enforce access mediation in front of the gRPC endpoint and log all connection attempts, including those that do not result in a child process spawn. Retain all relevant audit logs at sufficient capacity and duration to support forensic review of any suspected exploitation window (NIST AU-4 — Audit Storage Capacity; NIST AU-11 — Audit Record Retention).
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
MITRE ATT&CK Hunting Queries (3)
Sentinel rule: Suspicious PowerShell command line
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Lateral movement via RDP / SMB / WinRM
KQL Query Preview
Read-only — detection query only
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
Sentinel rule: Web application exploit patterns
KQL Query Preview
Read-only — detection query only
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
    or RequestURL has_any ("../", "..\\", "<script", "UNION SELECT", "${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
T1059, T1565, T1552, T1021, T1210, T1190
CM-7, SI-3, SI-4, SI-7, AC-17, AC-3, +8
A02:2021, A08:2021, A07:2021
MITRE ATT&CK Mapping
T1059: Command and Scripting Interpreter (execution)
T1565: Data Manipulation (impact)
T1552: Unsecured Credentials (credential-access)
T1021: Remote Services (lateral-movement)
T1210: Exploitation of Remote Services (lateral-movement)
T1190: Exploit Public-Facing Application (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.