
Release Notes - June 2026 - #2


Security Content

AXON Threat Hunting Reports

Multi-Layer Encoded Command Execution

Team AXON has identified cases where adversaries abuse process executions where command lines contain Base64-encoded content that, when decoded, reveals additional encoded commands or decoding routines.

This behavior is commonly associated with defense evasion and command obfuscation techniques used by attackers to conceal malicious payloads from security controls, analysts, and logging systems. Rather than executing commands directly, adversaries may embed multiple layers of encoding that require sequential decoding before the final payload is revealed.

The threat hunting campaign focuses on process creation events containing Base64 encoding or decoding operations across Windows, Linux, and macOS systems. Particular attention is given to cases where decoded content contains additional encoded data, nested decoding operations, or indicators of command execution.
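As an added illustration of the decoding logic this campaign relies on (not Hunters' own detection code), the following Python walks a process command line through successive Base64 layers, accepting both UTF-8 and the UTF-16LE that PowerShell's -EncodedCommand uses, and flags decoded content that itself decodes or executes something; the sample command lines and the 20-character token threshold are constructed assumptions.

```python
import base64
import re

# Base64-looking tokens: 20+ alphabet chars, so identifiers like FromBase64String (16) are skipped.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Decoded text that itself decodes or executes something counts as a nested decoding routine.
DECODE_HINTS = re.compile(r"FromBase64String|-[Ee]ncodedCommand|-[Ee]nc\b|base64\s+(-d|--decode)"
                          r"|Invoke-Expression|\bIEX\b|\beval\b|\|\s*(ba)?sh\b")

def try_decode(token: str):
    """Return the token's decoded text, or None if it is not printable Base64-encoded text."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # PowerShell -EncodedCommand carries UTF-16LE: ASCII text with every odd byte zero.
    codec = "utf-16-le" if raw and len(raw) % 2 == 0 and set(raw[1::2]) == {0} else "utf-8"
    try:
        text = raw.decode(codec)
    except UnicodeDecodeError:
        return None
    return text if text and all(c.isprintable() or c.isspace() for c in text) else None

def decode_layers(command_line: str, depth: int = 0, max_depth: int = 5) -> list:
    """One record per decodable token, recursing into each decoded layer up to max_depth."""
    layers = []
    for token in (B64_TOKEN.findall(command_line) if depth < max_depth else []):
        text = try_decode(token)
        if text is not None:
            layers.append({"depth": depth + 1, "decoded": text,
                           "decode_hint": bool(DECODE_HINTS.search(text))})
            layers.extend(decode_layers(text, depth + 1, max_depth))
    return layers

def assess(command_line: str) -> dict:
    """Summarize how many encoding layers a command line hides and what it finally runs."""
    layers = decode_layers(command_line)
    hint = bool(DECODE_HINTS.search(command_line)) or any(l["decode_hint"] for l in layers)
    return {"layers": max((l["depth"] for l in layers), default=0),
            "nested": any(l["depth"] > 1 for l in layers), "decode_hint": hint,
            "final_payload": layers[-1]["decoded"] if layers else None}

def b64(text: str, codec: str = "utf-8") -> str:
    return base64.b64encode(text.encode(codec)).decode()

# Constructed sample command lines (not real telemetry): a two-layer and a one-layer case.
INNER = "Get-Process | Out-File C:\\Temp\\procs.txt"
MIDDLE = f"IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{b64(INNER)}')))"
SAMPLES = {
    "nested_powershell": f"powershell.exe -NoP -enc {b64(MIDDLE, 'utf-16-le')}",
    "single_layer_shell": f'sh -c "echo {b64("id; uname -a; hostname")} | base64 -d | sh"',
}
```

Running `assess` over each entry in `SAMPLES` reports two layers with a decode hint for the first and one layer for the second, while a plain command line with no Base64 token reports zero layers.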

The threat hunting campaign focused on the period between May 1, 2026, and June 14, 2026.

If any results were found, more details and findings can be found on the Hunters platform under “Axon Reports”.

Azure Service Principal Sign-In via an Anomalous User Agent Category

Service Principals (SPNs) typically exhibit highly predictable behavioral patterns, utilizing a consistent set of User Agents to perform automated tasks. Because these identities lack human variability, a sudden divergence in their sign-in telemetry serves as a high-fidelity indicator of potential credential theft.

This threat hunt campaign establishes a behavioral baseline for each Azure Service Principal by tracking its historical User Agent categories over a 45-day learning period. An important logic nuance: each service principal is tied to an underlying app registration and is granted security permissions required to operate on behalf of the application. Therefore, updates to the app registration can result in a legitimate change to the User Agent that the service principal uses when signing in. To minimize false positives, the detection logic correlates sign-in events with Azure Audit logs and automatically suppresses hits if a corresponding update to the app registration occurred within 24 hours before the anomalous sign-in.
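To make the baseline-and-suppression logic concrete, here is an added Python example (not the Hunters detector itself) that learns each SPN's User Agent categories over a 45-day window and suppresses a never-seen category when a matching app-registration update appears in the audit log within the preceding 24 hours; the event field names, the sample telemetry and the "Update application" operation string are assumptions.

```python
from datetime import datetime, timedelta

LEARNING_WINDOW = timedelta(days=45)      # baseline period named on the page
SUPPRESSION_WINDOW = timedelta(hours=24)  # grace period after an app-registration update

def baseline_categories(history: list, spn: str, now: datetime) -> set:
    """UA categories this service principal used in the 45 days before `now` (exclusive)."""
    return {e["ua_category"] for e in history
            if e["spn"] == spn and now - LEARNING_WINDOW <= e["ts"] < now}

def app_updated_recently(audits: list, app_id: str, now: datetime) -> bool:
    """True if the SPN's underlying app registration was updated within 24h before `now`."""
    return any(a["app_id"] == app_id and a["operation"] == "Update application"
               and now - SUPPRESSION_WINDOW <= a["ts"] <= now for a in audits)

def evaluate(sign_in: dict, history: list, audits: list) -> str:
    """Classify one SPN sign-in as no_baseline, normal, suppressed, or lead."""
    seen = baseline_categories(history, sign_in["spn"], sign_in["ts"])
    if not seen:
        return "no_baseline"       # nothing learned yet; do not alert on first sight
    if sign_in["ua_category"] in seen:
        return "normal"
    if app_updated_recently(audits, sign_in["app_id"], sign_in["ts"]):
        return "suppressed"        # UA change explained by a legitimate app update
    return "lead"

def at(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed sample telemetry (field names are assumptions, not the Hunters schema).
SIGN_INS = [
    {"spn": "inventory-sync", "app_id": "app-0001", "ua_category": "AzureSDK", "ts": at("2026-04-02T01:00")},
    {"spn": "inventory-sync", "app_id": "app-0001", "ua_category": "AzureSDK", "ts": at("2026-04-20T01:00")},
    {"spn": "inventory-sync", "app_id": "app-0001", "ua_category": "Browser", "ts": at("2026-05-10T14:30")},
    {"spn": "billing-export", "app_id": "app-0002", "ua_category": "AzurePowerShell", "ts": at("2026-04-05T03:00")},
    {"spn": "billing-export", "app_id": "app-0002", "ua_category": "AzureCLI", "ts": at("2026-05-12T03:00")},
]
AUDITS = [{"app_id": "app-0002", "operation": "Update application", "ts": at("2026-05-11T20:00")}]

def run(sign_ins: list = SIGN_INS, audits: list = AUDITS) -> list:
    """Evaluate every sign-in against the full history; the baseline filter excludes the event itself."""
    return [(s["spn"], s["ua_category"], evaluate(s, sign_ins, audits)) for s in sign_ins]

if __name__ == "__main__":
    for row in run():
        print(row)
```

The inventory-sync SPN's switch to a Browser user agent becomes a lead, while billing-export's switch to the Azure CLI is suppressed because its app registration was updated seven hours earlier.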

This threat hunt campaign was conducted from April 1st, 2026, to May 16th, 2026.

More details and findings (if any) can be found on the Hunters platform under “Axon Reports”.

Suspicious User-Agent in Azure Non-Interactive/SPN Sign-In Activity

To improve coverage of our previous campaign, AXON Proactive Threat Hunting – Suspicious User-Agent Observed in Sign-In Activity, which focused exclusively on User Principal sign-ins, we conducted this campaign, which focuses on SPNs and non-interactive sign-ins.

SPNs are high-value targets for adversaries as they lack MFA enforcement and usually hold elevated privileges such as Contributor or Application Administrator, and non-interactive sign-ins are usually automatic, consistent, and predictable.

A newly released detector ("Suspicious User-Agent Observed in Azure Non-Interactive/SPN Sign In Activity") has been introduced to operationalize this threat hunt thesis. It analyzes the user agents of authentication activity for strings associated with offensive-security distributions and tools such as Kali Linux, Parrot Linux, BackBox Linux, BlackArch Linux, Scout Suite, TrailBlazer, and TruffleHog.

This threat hunt campaign was conducted from March 6th, 2026, to June 21st, 2026.

More details and findings (if any) can be found on the Hunters platform under “Axon Reports”.


Publicly Accessible Storage Resources

As part of a proactive threat hunting initiative, AXON conducted an external exposure assessment focused on publicly accessible cloud storage resources across AWS S3, Azure Blob Storage, and Google Cloud Storage.

Using customer domains and organization identifiers, AXON generated potential cloud storage resource names and performed automated discovery and validation to identify publicly accessible assets. The assessment focused on detecting cloud storage resources that were reachable from the internet and determining whether bucket or container contents could be enumerated or accessed anonymously.

The findings contained in this report represent externally observable cloud storage exposures identified during the assessment period and should be reviewed to determine whether the exposure is expected, required for business operations, or should be remediated.

The scan was executed on June 22, 2026.

More details and findings (if any) can be found on the Hunters platform under “Axon Reports”.

New Detectors

Context Unified Anomalous Login

Detects successful anomalous logins by organizational users across unified authentication sources, including identity providers, SaaS applications, cloud platforms, VPNs, and additional integrated login systems.

Detection is based on each user’s historical login baseline and evaluates multiple behavioral parameters, including geolocation, IP address, user agent category, and other contextual signals. Login events from non-organizational IP addresses that also exhibit multiple anomalous characteristics generate leads.

This detector replaces several legacy detectors whose detection accuracy declined over time, providing improved precision and broader cross-source coverage. See the “Deprecated Detectors” section below for the full list.

Deprecated Detectors

Following the deployment of the new “Context Unified Anomalous Login” detector described above, the following detectors will be deprecated:

  • CloudTrail anomalous console login

  • Anomalous login by an Azure account

  • Office365 anomalous login

  • Okta anomalous login

  • Okta successful login from host without an EDR agent

  • Okta successful administrative access from host without an EDR agent

  • Successful Duo authentication from host without an EDR agent

  • Successful Azure portal sign-in from machine without EDR agent

  • Successful Azure CLI sign-in from machine without EDR agent

  • Successful AWS console login from host without an EDR agent

  • Successful G Suite login from computer without EDR agent

  • G Suite successful authorization of token to GCP related interface without EDR agent

The deprecation will take place on July 6, 2026.

Enrichments and Scoring

New enrichment - Windows Recent Password Change

This enrichment queries Windows Security Event Logs for password change and reset events associated with a specific Windows username. It covers both Event ID 4723 (a user changing their own password) and Event ID 4724 (a privileged user resetting another user’s password).

The enrichment provides context such as the last password change time, the initiating user, and the related source computer.

This context helps analysts understand the user behind a lead and interpret the observed behavior.

New scoring layer - Windows Recent Password Change Model

The scoring model applies a configurable confidence modifier to the lead’s confidence based on whether the user’s password was reset recently or not.

This reduces noise where a recent password reset explains behavior that would otherwise be judged suspicious, while prioritizing meaningful leads by increasing confidence where a password change may itself indicate account takeover.
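An added Python sketch (not the Hunters enrichment or scoring model) of how the two pieces fit together: the enrichment picks the latest 4723 or 4724 event for the user, and the scoring layer applies a configurable modifier only when that change falls within a window before the lead; the event records, field names, 24-hour window and modifier values are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real logs). As in the event XML, SubjectUserName is
# the account that initiated the change and TargetUserName is the account whose password changed.
EVENTS = [
    {"EventID": 4723, "TimeCreated": datetime(2026, 6, 20, 8, 5), "SubjectUserName": "jdoe",
     "TargetUserName": "jdoe", "Computer": "WS-0142"},                 # user changed own password
    {"EventID": 4724, "TimeCreated": datetime(2026, 6, 21, 17, 40), "SubjectUserName": "helpdesk1",
     "TargetUserName": "asmith", "Computer": "DC-01"},                 # privileged reset of another user
    {"EventID": 4624, "TimeCreated": datetime(2026, 6, 21, 18, 0), "SubjectUserName": "-",
     "TargetUserName": "asmith", "Computer": "WS-0201"},               # logon event, must be ignored
]

def recent_password_change(username: str, events: list = EVENTS):
    """Enrichment: latest 4723 (self change) or 4724 (reset by another account) for `username`."""
    hits = [e for e in events if e["EventID"] in (4723, 4724)
            and e["TargetUserName"].lower() == username.lower()]
    if not hits:
        return None
    last = max(hits, key=lambda e: e["TimeCreated"])
    return {"last_change": last["TimeCreated"], "initiated_by": last["SubjectUserName"],
            "self_service": last["EventID"] == 4723, "source_computer": last["Computer"]}

def apply_password_change_modifier(confidence: int, enrichment, lead_time: datetime,
                                   modifier: int, window: timedelta = timedelta(hours=24)) -> int:
    """Scoring layer: shift the lead's confidence by `modifier` (configurable; negative to reduce
    noise, positive to prioritize) only when the password changed within `window` before the lead."""
    if enrichment is None or not timedelta(0) <= lead_time - enrichment["last_change"] <= window:
        return confidence
    return max(0, min(100, confidence + modifier))

def demo() -> dict:
    """Four constructed leads raised at 19:00 on June 21 with a base confidence of 60."""
    t = datetime(2026, 6, 21, 19, 0)
    return {
        # helpdesk reset asmith's password 80 minutes earlier: a first logon from a new host is expected
        "asmith_new_device_login": apply_password_change_modifier(60, recent_password_change("asmith"), t, -25),
        # the same recent reset makes a new MFA registration for asmith more, not less, interesting
        "asmith_new_mfa_method": apply_password_change_modifier(60, recent_password_change("asmith"), t, +15),
        # jdoe's self-service change was about 35 hours ago: outside the window, no adjustment
        "jdoe_new_device_login": apply_password_change_modifier(60, recent_password_change("jdoe"), t, -25),
        # no password event at all for this account
        "bwayne_new_device_login": apply_password_change_modifier(60, recent_password_change("bwayne"), t, -25),
    }
```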