Cyber Threat Brief — March 8 2026

⚠️ This report is AI-generated. Always validate findings.

Generated: 2026-03-08 05:00 PT
Threats Covered: 3
Sources: GitHub PoC/exploit monitoring, X/Twitter threat intelligence, CISA KEV, Web search


1. Grafana SQL Expressions RCE via DuckDB (CVE-2024-9264)

Summary

Grafana’s experimental SQL Expressions feature contains a critical injection flaw — any authenticated user with Viewer-or-above permissions can POST raw DuckDB SQL to /api/ds/query, read local files with read_blob(), or chain in DuckDB’s community shellfs extension for full shell execution. Vulhub published a production-quality exploit environment today with copy-paste HTTP payloads, moving this from “interesting advisory” to “here’s the request body.” If you run Grafana 11.0–11.2.1 with DuckDB on the system PATH, treat this as actively weaponized.

What’s New (Last 24 Hours)

Vulhub published a fully functional Docker environment for CVE-2024-9264 (March 8 2026) with complete HTTP request bodies demonstrating: (1) local file read via read_blob('/etc/passwd'), and (2) a one-shot RCE chain that installs the DuckDB shellfs community extension and executes arbitrary shell commands via read_csv() pipe syntax — all in a single multi-query request to the SQL Expressions API endpoint.

Actionable Intel

Artifact | Type | ATT&CK Technique | Data Source | How to Use
--- | --- | --- | --- | ---
POST /api/ds/query?ds_type=__expr__&expression=true&requestId=Q100 | TTP | T1190 | Web server / reverse proxy logs | Hunt for POSTs to /api/ds/query with ds_type=__expr__ and expression=true, especially from Viewer-level accounts or unexpected source IPs
"type":"sql" with "datasource":{"type":"__expr__"} in request body | TTP | T1190 | Grafana app logs / HTTP body inspection (WAF) | Flag SQL Expression queries using the __expr__ datasource with type=sql; this is the injection surface
read_blob('/etc/passwd') in SQL expression body | TTP | T1005 | WAF body inspection / Grafana logs | Alert on DuckDB file-read primitives in SQL Expressions request bodies; any path argument is suspicious
INSTALL shellfs FROM community in SQL expression body | TTP | T1059 | WAF body inspection / Grafana logs | Detect DuckDB extension install attempts in SQL Expressions; no legitimate user workflow requires installing extensions via the API
LOAD shellfs in SQL expression body | TTP | T1059 | WAF body inspection / Grafana logs | Detect DuckDB extension load commands; correlate with prior INSTALL commands in the same session
read_csv('id > /tmp/rce_out 2>&1 |', header=false) | TTP | T1059 | WAF body inspection / EDR process telemetry | Detect pipe-syntax commands in DuckDB read_csv calls; this is the shellfs RCE trigger
/tmp/rce_out | IOC | T1005 | Linux file telemetry (auditd / EDR) | Watch for creation or read of /tmp/rce_out by the Grafana process user shortly after /api/ds/query requests
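The table above describes the detection logic in prose; the following is an added example (not code from the brief, Vulhub, or Grafana) that applies it to logged requests. It assumes a proxy or WAF that records the request line together with the JSON body, and the record field names (src_ip, user, method, uri, body) are assumptions. The sample requests are constructed and mirror the indicators in the table; the detector tags every POST on the SQL Expressions surface as T1190 and stacks T1005 / T1059 on top when a file-read or extension/pipe primitive appears in the expression text.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests as a reverse proxy or WAF with body logging might
# record them. Field names (src_ip, user, method, uri, body) are assumptions.
SAMPLE_REQUESTS = [
    {"src_ip": "10.0.0.5", "user": "viewer01", "method": "POST",
     "uri": "/api/ds/query?ds_type=__expr__&expression=true&requestId=Q100",
     "body": json.dumps({"queries": [
         {"refId": "A", "datasource": {"type": "__expr__"}, "type": "sql",
          "expression": "SELECT content FROM read_blob('/etc/passwd')"}]})},
    # Ordinary Prometheus panel query: outside the SQL Expressions surface.
    {"src_ip": "10.0.0.9", "user": "admin", "method": "POST",
     "uri": "/api/ds/query?ds_type=prometheus",
     "body": json.dumps({"queries": [
         {"refId": "A", "datasource": {"type": "prometheus"}, "expr": "up"}]})},
    # Multi-query body mirroring the install-then-execute chain the brief describes.
    {"src_ip": "203.0.113.7", "user": "viewer02", "method": "POST",
     "uri": "/api/ds/query?ds_type=__expr__&expression=true&requestId=Q101",
     "body": json.dumps({"queries": [
         {"refId": "A", "datasource": {"type": "__expr__"}, "type": "sql",
          "expression": "INSTALL shellfs FROM community; LOAD shellfs;"},
         {"refId": "B", "datasource": {"type": "__expr__"}, "type": "sql",
          "expression": "SELECT * FROM read_csv('id > /tmp/rce_out 2>&1 |', header=false)"}]})},
]

# Body-level indicators from the Actionable Intel table, mapped to ATT&CK IDs.
SQL_INDICATORS = [
    (re.compile(r"\bread_blob\s*\(", re.I), "T1005", "DuckDB file-read primitive"),
    (re.compile(r"\bINSTALL\s+\w+\s+FROM\s+community\b", re.I), "T1059", "community extension install"),
    (re.compile(r"\bLOAD\s+shellfs\b", re.I), "T1059", "shellfs extension load"),
    (re.compile(r"\bread_csv\s*\(\s*'[^']*\|\s*'", re.I), "T1059", "pipe syntax in read_csv"),
]


def sql_expression_queries(uri, body):
    """Return the 'sql' queries aimed at the __expr__ datasource, or [] when the
    request is not on the SQL Expressions surface at all."""
    parts = urlsplit(uri)
    if parts.path != "/api/ds/query" or parse_qs(parts.query).get("ds_type") != ["__expr__"]:
        return []
    try:
        queries = json.loads(body).get("queries", [])
    except (ValueError, AttributeError):
        return []
    return [q for q in queries if isinstance(q, dict) and q.get("type") == "sql"
            and (q.get("datasource") or {}).get("type") == "__expr__"]


def analyze_request(rec):
    """Return a finding dict for a SQL Expressions POST, else None. The endpoint
    itself is the T1190 surface, so every such request gets at least that tag;
    file-read and extension/pipe primitives add T1005 / T1059 on top."""
    if rec.get("method") != "POST":
        return None
    queries = sql_expression_queries(rec.get("uri", ""), rec.get("body", ""))
    if not queries:
        return None
    techniques, matches = ["T1190"], ["POST to SQL Expressions endpoint"]
    for q in queries:
        expr = str(q.get("expression", ""))
        for pattern, technique, desc in SQL_INDICATORS:
            m = pattern.search(expr)
            if m:
                techniques.append(technique)
                matches.append(f"{desc}: {m.group(0)}")
    return {"src_ip": rec.get("src_ip"), "user": rec.get("user"),
            "techniques": techniques, "matches": matches}


def hunt(records):
    """Run analyze_request over a log batch and keep only the findings."""
    return [f for f in (analyze_request(r) for r in records) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_REQUESTS):
        print(finding)
```

The T1190 base tag is deliberately low-severity: SQL Expressions has legitimate users, so the value of that row is in joining it against the account's role (Viewer-level accounts should not be issuing these) and the source IP, while the T1005 / T1059 matches are worth paging on by themselves.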

Potential Detection Coverage Based on MITRE ATT&CK Technique

Source | Detections | Coverage
--- | --- | ---
Splunk | Adobe ColdFusion Unauthenticated Arbitrary File Read | Covers the T1190 web-exploit pattern of unauthenticated file read via crafted HTTP requests to web application endpoints; directly analogous to Grafana's read_blob() primitive. Adapt the URL/parameter fields for /api/ds/query
Elastic | Binary Executed from Shared Memory Directory | Covers post-exploitation process execution from temp/shared directories on Linux (T1059); relevant when the shellfs chain writes and executes from /tmp/rce_out
Sigma | Potential Local File Read Vulnerability In JVM Based Application | Covers T1190 web-app file read exploitation patterns in application logs; the logic applies to any app-layer local file read, including Grafana's DuckDB read_blob() abuse

2. Mythic C2 Portal Exposed (167.99.208.145:7443)

Summary

RedPacketSecurity published a Shodan-derived IOC report on March 7 documenting a live, publicly accessible Mythic C2 management portal at 167.99.208.145:7443 (DigitalOcean, Amsterdam). The report includes a stable UI asset path, JA3S and JARM TLS fingerprints, and server metadata — all usable for hunting or blocking. This is infrastructure exposure intel, not a campaign report, but any internal host communicating with this IP/port/fingerprint combination should be treated as a high-priority indicator of Mythic agent activity.

What’s New (Last 24 Hours)

RedPacketSecurity published a Shodan snapshot (March 7 2026) of an internet-exposed Mythic C2 portal, providing: the hosting IP/port, Mythic UI favicon asset path (/new/favicon.ico), nginx/1.25.5 server header, JA3S (574866101f64002c6421cc329e4d5458), JARM (1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e), and TLS certificate issuer Mythic valid through 2027.

Actionable Intel

Artifact | Type | ATT&CK Technique | Data Source | How to Use
--- | --- | --- | --- | ---
167.99.208.145 | IOC | T1071.001 | Firewall / NetFlow / proxy logs | Block or alert on outbound connections to this IP; pivot to other internal hosts with any egress to it within the same time window
167.99.208.145:7443 | IOC | T1071.001 | Firewall / NetFlow / proxy logs | Specifically hunt outbound HTTPS to TCP/7443 toward this IP; correlate with SNI absence (IP-direct TLS)
/new/favicon.ico | IOC | T1071.001 | Proxy logs / HTTP access logs | Alert on HTTP(S) requests to path /new/favicon.ico on any external host; characteristic Mythic UI asset, indicating operator portal fingerprinting or agent check-in
JA3S 574866101f64002c6421cc329e4d5458 | IOC | T1071.001 | TLS fingerprint telemetry (Zeek / Suricata / network sensor) | Match server-side JA3S on outbound TLS sessions; cluster infrastructure with matching fingerprints for broader Mythic infrastructure discovery
JARM 1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e | IOC | T1071.001 | TLS fingerprint telemetry | Hunt for JARM matches to identify additional similarly configured Mythic portals; prioritize for block/investigation
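As an added example (not part of the RedPacketSecurity report or the brief), the following hunt applies the table's indicators to flattened Zeek-style TLS and HTTP records and scores each internal source host. The record field names (src_ip, dst_ip, dst_port, kind, server_name, ja3s, uri) are assumptions to adapt to your sensor's schema, and the events are constructed. It also implements the table's pivot: destinations other than the published IP that present the same server JA3S are reported as candidates for further infrastructure clustering.

```python
from collections import defaultdict

# Indicators quoted in the brief (RedPacketSecurity / Shodan snapshot).
MYTHIC_IP = "167.99.208.145"
MYTHIC_PORT = 7443
MYTHIC_JA3S = "574866101f64002c6421cc329e4d5458"
MYTHIC_JARM = "1dd40d40d00040d00042d43d000000831b6af40378e2dd35eeac4e9311926e"
MYTHIC_UI_PATH = "/new/favicon.ico"

# Constructed, Zeek-style records with ssl.log / http.log fields flattened into
# one dict per event. Field names are assumptions; adapt to your sensor's schema.
SAMPLE_EVENTS = [
    {"src_ip": "10.1.1.20", "dst_ip": MYTHIC_IP, "dst_port": 7443, "kind": "tls",
     "server_name": "", "ja3s": MYTHIC_JA3S},
    {"src_ip": "10.1.1.20", "dst_ip": MYTHIC_IP, "dst_port": 7443, "kind": "http",
     "uri": "/new/favicon.ico"},
    {"src_ip": "10.1.1.31", "dst_ip": "198.51.100.4", "dst_port": 443, "kind": "tls",
     "server_name": "example.org", "ja3s": "00000000000000000000000000000000"},
    # Unknown destination answering with the same JA3S: candidate for the fingerprint pivot.
    {"src_ip": "10.1.1.45", "dst_ip": "203.0.113.77", "dst_port": 7443, "kind": "tls",
     "server_name": "", "ja3s": MYTHIC_JA3S},
]


def match_event(ev):
    """Return the set of indicator names an event matches. 'direct_ip_no_sni' is
    only emitted alongside a stronger match, because SNI-less TLS is common on its own."""
    hits = set()
    if ev.get("dst_ip") == MYTHIC_IP:
        hits.add("known_ip")
        if ev.get("dst_port") == MYTHIC_PORT:
            hits.add("known_ip_port")
    if ev.get("kind") == "tls" and ev.get("ja3s") == MYTHIC_JA3S:
        hits.add("ja3s")
    if ev.get("kind") == "http" and ev.get("uri") == MYTHIC_UI_PATH:
        hits.add("ui_path")
    if hits and ev.get("kind") == "tls" and not ev.get("server_name"):
        hits.add("direct_ip_no_sni")
    return hits


def severity(hits):
    """Published IP is a hard match; fingerprint or UI path alone is a lead to verify."""
    if "known_ip" in hits:
        return "high"
    if hits & {"ja3s", "ui_path"}:
        return "medium"
    return None


def hunt(events):
    """Aggregate matches per internal source host: {src_ip: (severity, sorted indicators)}."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["src_ip"]] |= match_event(ev)
    return {host: (severity(hits), sorted(hits)) for host, hits in per_host.items() if hits}


def fingerprint_pivot(events):
    """Destinations other than the published IP whose server JA3S matches: candidates
    for clustering further Mythic infrastructure. Confirm each with an active JARM
    probe against MYTHIC_JARM before blocking, since JA3S alone can collide."""
    return sorted({ev["dst_ip"] for ev in events
                   if ev.get("ja3s") == MYTHIC_JA3S and ev.get("dst_ip") != MYTHIC_IP})


if __name__ == "__main__":
    for host, (sev, hits) in hunt(SAMPLE_EVENTS).items():
        print(host, sev, hits)
    print("pivot candidates:", fingerprint_pivot(SAMPLE_EVENTS))
```

JARM is kept as a constant only because it is an active-probe fingerprint: passive sensors will not populate it, so it belongs to the verification step for the pivot candidates rather than to the passive matching above.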

Potential Detection Coverage Based on MITRE ATT&CK Technique

Source | Detections | Coverage
--- | --- | ---
Splunk | HTTP C2 Framework User Agent | Covers T1071.001 C2 communication over HTTP by detecting known C2 framework user-agent strings; complement with the Mythic-specific IP/JARM indicators for non-UA-based detection
Elastic | SUNBURST Command and Control Activity | Pattern-matches C2 network activity (T1071.001) using domain/IP indicators; the logic is directly applicable to Mythic IOC enrichment by substituting the Mythic IP/port/path for the SUNBURST indicators
Sigma | HackTool - CobaltStrike Malleable Profile Patterns - Proxy | Covers T1071.001 malleable C2 HTTP pattern matching via proxy logs; the /new/favicon.ico Mythic path can be added as an additional URI pattern indicator in this rule's logic

3. New KQL Detections: Scheduled Task AppData Persistence, Defender AV Exclusion, and Rare LNK Drops

Summary

BertJanCyber pushed three new Microsoft Defender XDR / Sentinel KQL detection queries on March 7 covering three common attacker behaviors: persistence via scheduled tasks pointed at AppData directories (no admin required), defense evasion via Add-MpPreference/Set-MpPreference Defender exclusion commands, and rare .lnk shortcut drops on the desktop (T1027.012 LNK Icon Smuggling). These are ready-to-deploy queries with tuning built in — useful for any team running Defender for Endpoint or Microsoft Sentinel.

What’s New (Last 24 Hours)

Three KQL queries committed to the Bert-JanP/Hunting-Queries-Detection-Rules repo on March 7 2026:

  • Scheduled Tasks from AppData Created or Updated (T1053.005): Detects ScheduledTaskCreated/ScheduledTaskUpdated events where task content references AppData paths; excludes known OneDrive FPs.
  • Defender AV Exclusion Events (T1562.001): Catches Add-MpPreference/Set-MpPreference with exclusion parameters via both DeviceProcessEvents and DeviceEvents PowerShell command telemetry.
  • Rare .lnk File Created on Desktop (T1027.012): Uses ShellLinkCreateFileEvent + FileProfile to surface only low-prevalence shortcut drops on user desktops.

Actionable Intel

Artifact | Type | ATT&CK Technique | Data Source | How to Use
--- | --- | --- | --- | ---
ScheduledTaskCreated or ScheduledTaskUpdated with AppData, %localappdata% or %appdata% in task content | TTP | T1053.005 | EDR process telemetry (Defender for Endpoint DeviceEvents) | Deploy KQL: filter DeviceEvents for ActionType in ('ScheduledTaskCreated','ScheduledTaskUpdated') where AdditionalFields has_any AppData path patterns; exclude OneDrive baseline entries
Add-MpPreference or Set-MpPreference with ExclusionPath, ExclusionExtension, ExclusionProcess, or ExclusionIpAddress | TTP | T1562.001 | EDR process telemetry (DeviceProcessEvents) and PowerShell telemetry (DeviceEvents with ActionType == 'PowerShellCommand') | Union both telemetry sources to catch inline CLI usage and obfuscated script-block executions of Defender exclusion commands
ShellLinkCreateFileEvent with FolderPath has 'Desktop' and GlobalPrevalence <= 1000 | TTP | T1027.012 | EDR file telemetry (Defender for Endpoint DeviceEvents) | Alert on rare .lnk files created on user desktops; use FileProfile enrichment to suppress high-prevalence known-good shortcuts
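The three rows above each summarise one of the KQL queries. As an added example (not the repository's queries and not code from the brief), the following reproduces their logic over constructed rows shaped like Defender for Endpoint advanced-hunting results, which is useful for unit-testing the tuning (OneDrive baseline, both telemetry sources for exclusions, the prevalence threshold) before deploying the KQL. Column names follow DeviceEvents / DeviceProcessEvents; the device names, paths, and prevalence values are made up.

```python
import json
import re

# Constructed rows shaped like Defender for Endpoint advanced-hunting results.
# Column names follow DeviceEvents / DeviceProcessEvents; all values are made up.
SAMPLE_EVENTS = [
    {"Table": "DeviceEvents", "DeviceName": "ws01", "ActionType": "ScheduledTaskCreated",
     "AdditionalFields": json.dumps({"TaskName": "\\Updater",
         "TaskContent": r"<Command>C:\Users\bob\AppData\Roaming\upd.exe</Command>"})},
    # OneDrive updater task: the known false positive the query baselines out.
    {"Table": "DeviceEvents", "DeviceName": "ws02", "ActionType": "ScheduledTaskUpdated",
     "AdditionalFields": json.dumps({"TaskName": "\\OneDrive Standalone Update Task-S-1-5-21",
         "TaskContent": r"%localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"})},
    {"Table": "DeviceProcessEvents", "DeviceName": "ws03", "ActionType": "ProcessCreated",
     "ProcessCommandLine": r'powershell.exe -nop -c "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    # Script-block telemetry: the exclusion never appears on a process command line.
    {"Table": "DeviceEvents", "DeviceName": "ws04", "ActionType": "PowerShellCommand",
     "AdditionalFields": json.dumps({"Command": "Set-MpPreference -ExclusionProcess 'svc.exe'"})},
    {"Table": "DeviceEvents", "DeviceName": "ws05", "ActionType": "ShellLinkCreateFileEvent",
     "FolderPath": r"C:\Users\alice\Desktop", "FileName": "invoice.lnk", "GlobalPrevalence": 3},
    {"Table": "DeviceEvents", "DeviceName": "ws06", "ActionType": "ShellLinkCreateFileEvent",
     "FolderPath": r"C:\Users\alice\Desktop", "FileName": "Google Chrome.lnk", "GlobalPrevalence": 250000},
]

APPDATA_TOKENS = ("appdata", "%localappdata%", "%appdata%")
ONEDRIVE_BASELINE = re.compile(r"onedrive", re.I)
EXCLUSION_CMD = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process|IpAddress)\b", re.I | re.S)


def _additional_fields(ev):
    """AdditionalFields is a JSON string in the real schema; tolerate missing/garbled values."""
    try:
        return json.loads(ev.get("AdditionalFields") or "{}")
    except ValueError:
        return {}


def detect_appdata_scheduled_task(ev):
    """T1053.005: task created/updated whose content points into AppData,
    minus the OneDrive updater baseline the upstream query excludes."""
    if ev.get("ActionType") not in ("ScheduledTaskCreated", "ScheduledTaskUpdated"):
        return None
    content = " ".join(str(v) for v in _additional_fields(ev).values())
    if not any(tok in content.lower() for tok in APPDATA_TOKENS):
        return None
    if ONEDRIVE_BASELINE.search(content):
        return None
    return "T1053.005"


def detect_defender_exclusion(ev):
    """T1562.001: union of process command lines and PowerShellCommand script-block
    telemetry, so both inline CLI use and in-script calls are seen."""
    if ev.get("Table") == "DeviceProcessEvents":
        text = ev.get("ProcessCommandLine", "")
    elif ev.get("ActionType") == "PowerShellCommand":
        text = _additional_fields(ev).get("Command", "")
    else:
        return None
    return "T1562.001" if EXCLUSION_CMD.search(text) else None


def detect_rare_desktop_lnk(ev, max_prevalence=1000):
    """T1027.012: .lnk created on a Desktop with low global prevalence.
    A missing FileProfile value is treated as rare rather than suppressed."""
    if ev.get("ActionType") != "ShellLinkCreateFileEvent":
        return None
    if "desktop" not in ev.get("FolderPath", "").lower():
        return None
    if not ev.get("FileName", "").lower().endswith(".lnk"):
        return None
    prevalence = ev.get("GlobalPrevalence")
    return "T1027.012" if prevalence is None or prevalence <= max_prevalence else None


DETECTORS = (detect_appdata_scheduled_task, detect_defender_exclusion, detect_rare_desktop_lnk)


def run_detections(events):
    """Return [(DeviceName, technique)] for every event that trips a detector."""
    findings = []
    for ev in events:
        for detector in DETECTORS:
            technique = detector(ev)
            if technique:
                findings.append((ev["DeviceName"], technique))
    return findings


if __name__ == "__main__":
    for device, technique in run_detections(SAMPLE_EVENTS):
        print(device, technique)
```

The OneDrive exclusion is a substring match on the task content, which is the simplest form of the baseline; in production the tuning list grows, and keeping it as data (a list of known task names) rather than a regex literal makes the exceptions reviewable.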

Potential Detection Coverage Based on MITRE ATT&CK Technique

Source | Detections | Coverage
--- | --- | ---
Splunk | Powershell Windows Defender Exclusion Commands / Add or Set Windows Defender Exclusion | Direct T1562.001 coverage for Add-MpPreference/Set-MpPreference Defender exclusion commands via Sysmon/endpoint telemetry; the same technique the new KQL query addresses, useful for Splunk-based environments
Elastic | Windows Defender Exclusions Added via PowerShell / Disabling Windows Defender Security Settings via PowerShell | T1562.001 coverage matching the same PowerShell Defender exclusion pattern; the Elastic rules fire on Add-MpPreference process events with exclusion arguments
Sigma | Suspicious Scheduled Task Creation / Scheduled Task Executed From A Suspicious Location / Powershell Defender Exclusion | Multi-technique coverage: T1053.005 scheduled task creation and suspicious execution locations; T1562.001 PowerShell Defender exclusion; T1027.012 lacks direct Sigma coverage, but the AppData scheduled task rule complements the new KQL query