
Rule Info
Name
MSC EvilTwin Exploit Process Creation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects process creation events related to potential execution of the EvilTwin exploit (CVE-2025-26633), which manipulates .msc files and the Multilingual User Interface Path (MUIPath).
This rule monitors for suspicious process executions of .msc files from abnormal locations, which could indicate exploitation attempts of CVE-2025-26633.
Date
2025-03-27 00:00:00
Modified
None
Id
dc013219-0203-4431-b362-463be7511354
Tags
attack.execution attack.t1204.002 cve.2025-26633
Type
Nextron Sigma feed only (private)