InfoSec Briefing - March 02, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Sunday, March 1st, 2026, covering five articles analyzed overnight. All attribution is by the article authors, and all article analysis is automated.

Trail of Bits has released mquire, an open-source Linux memory forensics tool that performs type-aware analysis of kernel memory snapshots without requiring external debug symbols. The tool leverages kernel-embedded BTF and kallsyms to enable incident responders and security researchers to detect rootkits, analyze malware, and recover hidden files from memory dumps of Linux systems running kernel 4.18 or newer.

Security researchers from Pwn0 have disclosed two critical Remote Code Execution vulnerabilities in Unitree Go2 robots affecting firmware versions 1.1.7 through 1.1.11. CVE-2026-27509 allows unauthenticated RCE as root via unvalidated Python code through DDS packets, while CVE-2026-27510 exploits the Android app's local database, both enabling complete robot takeover with persistent access capabilities.

Researchers David Cash and Richard Warren have disclosed a Remote Code Execution vulnerability in the Delinea Protocol Handler's sslauncher URL handler affecting Secret Server Protocol Handler versions 6.0.3.39 and below and Connection Manager versions 2.7.1 and below. The flaw stems from improper sanitization of server-supplied launcher data, allowing attackers to execute arbitrary processes by manipulating encrypted instructions sent via malicious webpages, though Delinea has now released patches.

According to decoder.cloud, Windows Server 2025 has silently mitigated a specific NTLM relay attack that previously allowed attackers to relay authentication from misconfigured Domain Controllers to escalate privileges. The mitigation is hardcoded in msv1_0.dll and prevents NTLMv1 response generation regardless of LmCompatibilityLevel settings, effectively breaking the attack chain.

MacNoise, an open-source macOS telemetry generation framework from 0xv1n, simulates realistic system events including network connections, file operations, process execution, and TCC permission probes. Security teams can use this modular tool to test detection capabilities of EDR, SIEM, and firewall solutions by emulating attacker behaviors aligned with MITRE ATT&CK techniques.

That concludes today's briefing.

📰 Articles Covered

mquire: Zero-dependency Linux memory forensics PoC — leverages kernel-embedded BTF and kallsyms for type-aware memory analysis without external debug info. - trailofbits

**mquire** is a cybersecurity tool designed for analyzing Linux kernel memory snapshots. It allows security researchers and incident responders to query and extract information from memory dumps without needing external debug symbols, making it effective for analyzing unknown or custom kernels. 【1】

### What Happened

mquire itself is not a report of a specific incident. Instead, it is a tool that enables the analysis of system memory to uncover past events or current malicious activity. It works by parsing type information (BTF) and symbol information (Kallsyms) embedded within modern Linux kernels to reconstruct and query kernel data structures. 【1】

### Who is Affected

The tool is designed to analyze **Linux systems**. Any Linux distribution with kernel version 4.18 or newer (with BTF enabled) or kernel version 6.4 or newer (for Kallsyms support) can have its memory snapshots analyzed by mquire. 【1】

### Security Implications

mquire has significant implications for security analysis:

* **Forensic Analysis**: It allows for deep inspection of a system's memory to find evidence of compromise, such as running processes, network connections, and loaded kernel modules, even if they have been hidden or tampered with. 【1】
* **Incident Response**: Enables rapid querying of memory dumps to identify malicious activity and understand the scope of an incident. 【1】
* **Malware Analysis**: Can be used to examine running processes and their file operations without detection, aiding in the analysis of sophisticated malware. 【1】
* **Rootkit Detection**: By comparing different enumeration methods (e.g., `task_list` vs. `pid_ns`), mquire can help detect rootkits that attempt to hide processes from standard system tools. 【1】
* **File Recovery**: The `.dump` command can extract files directly from the kernel's file cache, potentially recovering deleted or hidden files that are still present in memory. 【1】

### Technical Details

mquire operates by reading two key pieces of information embedded within Linux kernel memory snapshots:

* **BTF (BPF Type Format)**: This describes the structure and layout of kernel data types, parsed using the `btfparse` crate. 【1】
* **Kallsyms**: This provides the memory locations of kernel symbols, similar to the data found in `/proc/kallsyms`. 【1】

By combining these, mquire can reconstruct complex kernel data structures like process memory mappings, cached file data, and kernel logs. It offers various SQL tables for querying system information, process details, kernel modules, network activity, and file system cache contents. 【1】

The tool provides three main commands:
* `mquire shell`: An interactive SQL shell for querying memory. 【1】
* `mquire query`: Executes a single SQL query and outputs results. 【1】
* `mquire command`: Executes custom commands for specialized analysis, such as displaying a process tree (`.task_tree`) or carving memory regions (`.carve`). 【1】

mquire also supports query optimization techniques, such as using `AS MATERIALIZED` to cache table results and optimizing JOIN order for better performance. 【1】

### What Defenders Should Know

Defenders should be aware of mquire's capabilities for memory forensics and incident response. Key takeaways include:

* **Memory Analysis is Crucial**: mquire highlights the importance of memory dumps as a rich source of forensic data, especially for detecting advanced threats that may evade disk-based detection. 【1】
* **Rootkit Evasion**: Defenders should understand that rootkits can hide processes, and tools like mquire can help uncover these hidden entities by comparing different data sources. 【1】
* **File Cache Forensics**: The ability to extract files from the kernel's file cache means that even deleted files might be recoverable from memory, emphasizing the need for thorough memory acquisition and analysis. 【1】
* **Tooling for Defense**: mquire itself can be a valuable tool for defenders to analyze compromised systems or to understand the behavior of potential threats within a Linux environment. 【1】
* **Kernel Version Dependencies**: Be aware of the kernel version requirements for BTF and Kallsyms support, as older kernels might not be fully compatible. 【1】
MacNoise is an extensible and modular macOS system telemetry generation framework. It generates real system events (network connections, file writes, process spawns, plist mutations, TCC permissionetc - 0xv1n

MacNoise is a cybersecurity framework designed to **generate system telemetry on macOS** for security teams to test their detection tools. 【1】

**What Happened:**
The article describes the **MacNoise framework**, which simulates various system events on macOS. It is not reporting on a specific security incident but rather a tool for proactive security testing. 【1】

**Who is Affected:**
The tool is designed for **security teams and defenders** who manage Endpoint Detection and Response (EDR) systems, Security Information and Event Management (SIEM) solutions, and firewalls on macOS environments. 【1】

**Security Implications:**
MacNoise helps **validate the effectiveness of security tooling** by simulating real-world events, including those that mimic attacker behavior. This allows organizations to identify gaps in their detection capabilities before actual threats emerge. It can test against various **MITRE ATT&CK techniques**. 【1】

**Technical Details:**
- **Extensible and Modular Framework:** MacNoise allows for the execution of individual modules, categories of modules, or pre-built scenarios. 【1】
- **Simulated Events:** It generates telemetry for events such as network connections, file writes, process spawns, and TCC (Transparency, Consent, and Control) permission probes. 【1】
- **Output Formats:** Supports structured JSONL output and detailed audit logging in OCSF format for analysis. 【1】
- **Emulation of Attacker Behavior:** Scenarios are designed to emulate realistic attacker actions. 【1】

**What Defenders Should Know:**
Defenders can leverage MacNoise to **proactively test their detection capabilities** against a range of simulated threats. By running specific modules or scenarios, security teams can **identify weaknesses in their security posture** and ensure their tools are effectively detecting potential malicious activities on macOS systems. 【1】
From DDS Packets to Robot Shells: Two RCEs in Unitree Robots (CVE-2026-27509 & CVE-2026-27510) - Pwn0 (researchers: @digicat and @Ruikai). Affected vendor: Unitree (Hangzhou Yushu Technology Co., Ltd.)

A cybersecurity article details two critical Remote Code Execution (RCE) vulnerabilities, **CVE-2026-27509** and **CVE-2026-27510**, discovered in **Unitree Go2 robots** 【1】. These vulnerabilities allow attackers to gain complete control over the robots 【1】.

**What Happened:**
Two primary vulnerabilities were identified:
* **CVE-2026-27509** is an **unauthenticated RCE as root** that affects firmware versions V1.1.7 through V1.1.11 (EDU). It is exploited by sending unvalidated Python code through the robot's DDS (Data Distribution Service) `rt/api/programming_actuator/*` DataWriter, which is then executed by the `actuator_manager.py` script 【1】.
* **CVE-2026-27510** is an RCE that targets the **Android app's local database**. Attackers can modify the `pyCode` field within stored action blocks (Blockly) to inject and execute arbitrary Python code 【1】.

Both exploits can be made **persistent** by binding the malicious code to a physical controller button press, ensuring execution even after reboots 【1】.

**Who is Affected:**
The **Unitree Go2 robot** is the primary affected product. Specific firmware versions confirmed to be vulnerable include V1.1.7, V1.1.8, V1.1.9, and V1.1.11 for both CVEs. Other firmware versions and potentially other Unitree products may also be at risk 【1】.

**Security Implications:**
These vulnerabilities grant attackers **unauthenticated RCE as root**, enabling them to:
* **Take complete control** of the robot 【1】.
* Install **malicious software**, such as reverse shells or backdoors 【1】.
* Achieve **persistent access** across reboots by linking malicious scripts to controller hotkeys 【1】.
* Potentially use the compromised robot as a **pivot point** into a local network 【1】.
* CVE-2026-27510 has a **broader attack surface** through the mobile app, potentially leading to mass compromise if malicious programs are shared 【1】.

**Technical Details:**
* **CVE-2026-27509 (DDS RCE):** Exploits the lack of authentication in DDS, allowing any device on the network to communicate with the `rt/api/programming_actuator/request` topic. Unvalidated Python code sent to this topic is executed as root 【1】. Network routing or direct connection to the robot's internal IP is required for exploitation 【1】.
* **CVE-2026-27510 (Database RCE):** Involves modifying the `pyCode` field in the `unitree_go2.db` SQLite database on a rooted Android phone. When the modified program is executed on the robot, the injected Python code runs with root privileges 【1】.

**What Defenders Should Know:**
* **Patching:** Unitree has released patches, with V1.1.13 addressing CVE-2026-27510. Defenders must **update their robots to the latest firmware** 【1】. Note that CVE-2026-27509 may not be patched in EDU versions 【1】.
* **Network Segmentation:** Isolate the robot's network from untrusted networks to prevent unauthorized DDS communication 【1】.
* **Physical Security:** Secure the robot and its controller to prevent unauthorized physical access that could facilitate persistence 【1】.
* **App Security:** Secure the mobile device running the Unitree app by avoiding rooting and being cautious with app installations 【1】.
* **Monitoring:** Monitor network traffic for suspicious DDS activity and analyze robot logs for unusual script execution 【1】.
* **Responsible Disclosure:** Unitree has a security response center and encourages vulnerability reporting through their responsible disclosure program 【1】.
Delinea Protocol Handler - Return of the MSI: RCE via Custom Launcher - AmberWolf controls the content posted on the blog. The authors are David Cash and Richard Warren .

A vulnerability in the **Delinea Protocol Handler** has been discovered, specifically within the `sslauncher://` URL handler, which can lead to **Remote Code Execution (RCE)** 【1】.

**What Happened:**
The vulnerability arises from **improper sanitization of server-supplied launcher data** 【1】. When a user visits a malicious webpage and accepts a security warning, an attacker can exploit this to execute arbitrary processes on the victim's computer 【1】. The process involves a malicious server sending manipulated instructions to the client-side application (like `RDPWin.exe` on Windows) via the `sslauncher://` URL. These instructions, which are encrypted, can be altered to specify any executable and its arguments 【1】.

**Who is Affected:**
- **Delinea Secret Server Protocol Handler** versions **6.0.3.39 and below** 【1】.
- **Delinea Connection Manager** versions **2.7.1 and below** (affecting both **Windows and macOS** systems) 【1】.

**Security Implications:**
The primary security implication is the ability for an attacker to achieve **Remote Code Execution (RCE)** on a victim's machine 【1】. This means an attacker could potentially run any program, steal data, install malware, or gain further control over the compromised system.

**Technical Details:**
The vulnerability lies in how the protocol handler processes data from the `sslauncher://` URL 【1】. The client application receives encrypted instructions for launching processes from the server. An attacker, by controlling these instructions, can manipulate parameters such as `WinProcessName` and `WinProcessArgs` on Windows, or `Processname` and `ProcessArgs` on macOS, to execute malicious code 【1】.

**What Defenders Should Know:**
- **Upgrade:** The most crucial step for defenders is to **upgrade to the latest version of the Delinea Protocol Handler**, as Delinea has reportedly fixed this issue 【1】.
- **Monitoring:** It is advisable to **monitor for suspicious processes being launched by `RDPWin.exe`** (or similar client applications) 【1】. While these applications legitimately launch other processes for connection facilitation, any unexpected or unauthorized process launches should be investigated.
What Windows Server 2025 Quietly Did to Your NTLM Relay - decoder.cloud

Windows Server 2025 has introduced a change that mitigates a specific **NTLM relay attack** that was previously effective against older versions of Windows Server, including Server 2022 【1】.

**What Happened:**
The attack involved tricking a misconfigured Domain Controller (DC) with a low `LmCompatibilityLevel` (0, 1, or 2) into authenticating to an attacker's machine. The attacker would then relay this authentication over LDAPS to another DC. This allowed the attacker to modify sensitive attributes, leading to privilege escalation, such as writing `msDS-KeyCredentialLink` or adding Resource-Based Constrained Delegation (RBCD) 【1】.

**Who is Affected:**
This change in Windows Server 2025 affects **scenarios where the victim Domain Controller is running Windows Server 2025** 【1】.

**Security Implications:**
The primary security implication is that **this specific NTLM relay attack vector is no longer viable against Windows Server 2025 victim DCs** 【1】. This significantly reduces the risk of privilege escalation through this particular method.

**Technical Details:**
The mitigation is hardcoded within the `msv1_0.dll` file on Windows Server 2025. Regardless of the `LmCompatibilityLevel` setting, the system will no longer generate NTLMv1 responses. This effectively breaks the attack chain that relied on these responses for relaying authentication 【1】.

**What Defenders Should Know:**
Defenders should be aware that **this particular NTLM relay attack is now mitigated in Windows Server 2025** 【1】. However, it is important to note that **other NTLM relay attack surfaces might still exist**, and ongoing vigilance and security best practices are still necessary 【1】.