Operation Mirror Sphere

Tags: CVE-2025-20352, SNMP, Cisco, UDP controller

Operation Zero Disco targets a Cisco SNMP flaw (CVE-2025-20352) to plant Linux rootkits on switches. Attackers send crafted SNMP packets and use a UDP controller to turn off logging, set a universal password, and hide configuration changes; they then spoof IP and ARP traffic to jump across VLANs and reach protected zones.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1190-Exploit Public-Facing Application

ID | Data Source | Data Component | Detects
DS0015 | Application Log | Application Log Content

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. Web server logs (e.g., /var/log/httpd or /var/log/apache for Apache web servers on Linux) may also record evidence of exploitation.

(source="C:\inetpub\logs\LogFiles\W3SVC*" OR source="/var/log/apache2/access.log" OR source="/var/log/nginx/access.log")
| eval exploit_attempt=if(like(cs_uri_query, "%exec%") OR like(cs_uri_query, "%cmd%") OR like(cs_uri_query, "%cat /etc/passwd%") OR like(cs_uri_query, "%../../%"), 1, 0)
| where exploit_attempt=1
| stats count latest(_time) as _time by src_ip, cs_uri_query, sc_status
| where count > 5
| table _time, src_ip, cs_uri_query, sc_status, count

DS0029 | Network Traffic | Network Traffic Content

Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor for successively chained functions that adversaries commonly abuse (i.e. gadget chaining) through unsafe deserialization to exploit publicly facing applications for initial access.[114] In AWS environments, monitor VPC flow logs and/or Elastic Load Balancer (ELB) logs going to and from instances hosting externally accessible applications.

(source="/var/log/zeek/http.log" OR source="C:\Windows\System32\LogFiles\Firewall")
| regex http_request="(?i)select.from|union.select|cmd=.|exec=."
| stats count latest(_time) as _time by src_ip, dest_ip, http_method, uri_path
| where count > 10
| table _time, src_ip, dest_ip, http_method, uri_path, count


T1210-Exploitation of Remote Services

ID | Data Source | Data Component | Detects
DS0015 | Application Log | Application Log Content

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.

(sourcetype="WinEventLog:System" (EventCode=7031 OR EventCode=1000)) OR sourcetype="linux:syslog" OR sourcetype="macos:system"
| search Message="service terminated unexpectedly" OR Message="segmentation fault" OR Message="service restart"
| stats count by Host, ServiceName, Message, _time
| eval exploitation_suspicious=if(count > threshold OR match(Message, "segmentation fault|service terminated unexpectedly"), "suspicious", "normal")
| where exploitation_suspicious="suspicious"
| table _time, Host, ServiceName, Message, exploitation_suspicious

DS0029 | Network Traffic | Network Traffic Content

Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.

sourcetype="network:packet_capture" OR sourcetype="ids:alert"
| search (alert IN ("SMB Exploit Detected", "RDP Exploit Attempt", "MySQL Exploit Attempt")) OR (src_port IN (445, 3389, 3306))
| stats count by src_ip, dest_ip, dest_port, protocol, signature, _time
| eval anomaly_detected=if(count > threshold OR match(signature, "Exploit Attempt|Remote Code Execution"), "suspicious", "normal")
| where anomaly_detected="suspicious"
| table _time, src_ip, dest_ip, dest_port, protocol, signature, anomaly_detected


T1602.001-Data from Configuration Repository: SNMP (MIB Dump)

ID | Data Source | Data Component | Detects
DS0029 | Network Traffic | Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts or uncommon data flows. Consider analyzing packet contents to detect application layer protocols, leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. SNMP traffic originating from unauthorized or untrusted hosts, signature detection for strings mapped to device configuration(s), and anomalies in SNMP request(s)).

DS0029 | Network Traffic | Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flow (e.g. SNMP traffic originating from unauthorized or untrusted hosts, signature detection for strings mapped to device configuration(s), and anomalies in SNMP request(s)).
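As an added example (not code from this page, Cisco, or MITRE), the SNMP checks described in the two rows above applied to constructed Zeek-style snmp.log records: it flags SNMP from hosts outside an assumed manager allowlist, any SET request against a switch, and oversized GETBULK counts typical of a MIB walk. The column layout, the allowlist and the GETBULK threshold are assumptions for this example.

```python
"""Flag suspicious SNMP flows in Zeek-style snmp.log records (added example).
The column subset, allowlist and threshold below are assumptions."""

# Assumed subset of Zeek snmp.log columns, in this order (tab-separated).
FIELDS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "version", "community", "get_requests", "get_bulk_requests",
          "set_requests"]

AUTHORIZED_MANAGERS = {"10.0.0.5"}  # assumed: only host allowed to poll/configure switches
MAX_GETBULK_PER_FLOW = 50           # assumed threshold for MIB-walk style bulk pulls

# Constructed sample records, not captured traffic.
SAMPLE_LOG = """\
1700000000.1\t10.0.0.5\t52001\t10.0.1.1\t161\t2c\tpublic\t3\t0\t0
1700000001.2\t10.0.9.77\t40001\t10.0.1.1\t161\t2c\tpublic\t1\t0\t4
1700000002.3\t10.0.0.5\t52002\t10.0.1.2\t161\t2c\tpublic\t0\t120\t0
1700000003.4\t10.0.9.77\t40002\t10.0.1.2\t161\t2c\tprivate\t0\t0\t0
"""

def parse_snmp_log(text):
    """Parse tab-separated records into dicts keyed by FIELDS; skip malformed rows."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records

def classify(rec):
    """Return the reasons a record looks suspicious (empty list if benign)."""
    reasons = []
    if rec["id.orig_h"] not in AUTHORIZED_MANAGERS:
        reasons.append("snmp-from-unauthorized-host")
    if int(rec["set_requests"]) > 0:
        reasons.append("snmp-set-request")      # SET writes device configuration
    if int(rec["get_bulk_requests"]) > MAX_GETBULK_PER_FLOW:
        reasons.append("bulk-mib-walk")         # large GETBULK volume, MIB dump pattern
    return reasons

def detect(text):
    """Map (source host, switch) -> sorted reasons for every flagged flow."""
    findings = {}
    for rec in parse_snmp_log(text):
        reasons = classify(rec)
        if reasons:
            findings.setdefault((rec["id.orig_h"], rec["id.resp_h"]), set()).update(reasons)
    return {key: sorted(val) for key, val in findings.items()}
```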


T1068-Exploitation for Privilege Escalation

ID | Data Source | Data Component | Detects
DS0027 | Driver | Driver Load

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.[52] Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges.

DS0009 | Process | Process Creation

Monitor for newly executed processes that may exploit software vulnerabilities in an attempt to elevate privileges. After gaining initial access to a system, threat actors attempt to escalate privileges because they may be operating within a lower-privileged process that does not allow them to access protected information or carry out tasks that require higher permissions. A common way of escalating privileges on a system is by externally invoking and exploiting the spoolsv.exe or conhost.exe executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us to any potentially malicious activity.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic is oriented around looking for an invocation of either spoolsv.exe or conhost.exe by a user, thus alerting us of any potentially malicious activity. A common way of escalating privileges in a system is by externally invoking and exploiting these executables, both of which are legitimate Windows applications.

Analytic 1 - Unusual Child Process for spoolsv.exe or conhost.exe

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688"))
(Image="C:\Windows\System32\spoolsv.exe" OR Image="C:\Windows\System32\conhost.exe") AND ParentImage="C:\Windows\System32\cmd.exe"


Observed Countries (250)

AD (395)
AE (472)
AF (183)
AG (155)
AI (604)
AL (22)
AM (611)
AO (565)
AQ (743)
AR (421)
AS (305)
AT (484)
AU (611)
AW (610)
AX (829)
AZ (958)
BA (342)
BB (625)
BD (8)
BE (25)
BF (827)
BG (160)
BH (443)
BI (605)
BJ (782)
BL (56)
BM (742)
BN (338)
BO (753)
BQ (684)
BR (794)
BS (736)
BT (149)
BV (77)
BW (755)
BY (888)
BZ (330)
CA (987)
CC (998)
CD (91)
CF (661)
CG (108)
CH (382)
CI (608)
CK (216)
CL (566)
CM (121)
CN (709)
CO (561)
CR (337)
CU (552)
CV (800)
CW (487)
CX (845)
CY (475)
CZ (180)
DE (692)
DJ (556)
DK (572)
DM (116)
DO (292)
DZ (874)
EC (363)
EE (545)
EG (196)
EH (942)
ER (652)
ES (869)
ET (635)
FI (365)
FJ (872)
FK (904)
FM (434)
FO (370)
FR (35)
GA (508)
GB (237)
GD (421)
GE (834)
GF (998)
GG (924)
GH (883)
GI (861)
GL (861)
GM (96)
GN (369)
GP (155)
GQ (98)
GR (918)
GS (558)
GT (84)
GU (911)
GW (731)
GY (71)
HK (205)
HM (544)
HN (91)
HR (989)
HT (90)
HU (3)
ID (622)
IE (758)
IL (649)
IM (835)
IN (543)
IO (358)
IQ (682)
IR (720)
IS (491)
IT (582)
JE (966)
JM (376)
JO (61)
JP (860)
KE (168)
KG (125)
KH (322)
KI (942)
KM (348)
KN (244)
KP (468)
KR (802)
KW (647)
KY (53)
KZ (86)
LA (6)
LB (184)
LC (609)
LI (241)
LK (657)
LR (76)
LS (684)
LT (752)
LU (653)
LV (545)
LY (891)
MA (585)
MC (270)
MD (255)
ME (360)
MF (171)
MG (512)
MH (176)
MK (869)
ML (989)
MM (204)
MN (734)
MO (130)
MP (960)
MQ (509)
MR (148)
MS (882)
MT (917)
MU (586)
MV (409)
MW (254)
MX (912)
MY (76)
MZ (948)
NA (787)
NC (598)
NE (919)
NF (271)
NG (504)
NI (930)
NL (277)
NO (820)
NP (734)
NR (905)
NU (169)
NZ (579)
OM (170)
PA (46)
PE (321)
PF (520)
PG (255)
PH (433)
PK (187)
PL (610)
PM (824)
PN (179)
PR (807)
PS (416)
PT (175)
PW (801)
PY (241)
QA (875)
RE (880)
RO (290)
RS (853)
RU (25)
RW (997)
SA (420)
SB (900)
SC (782)
SD (149)
SE (476)
SG (252)
SH (14)
SI (315)
SJ (416)
SK (986)
SL (486)
SM (722)
SN (723)
SO (601)
SR (727)
SS (381)
ST (134)
SV (63)
SX (325)
SY (816)
SZ (590)
TC (29)
TD (489)
TF (559)
TG (393)
TH (810)
TJ (291)
TK (219)
TL (296)
TM (540)
TN (741)
TO (274)
TR (828)
TT (453)
TV (576)
TW (572)
TZ (908)
UA (904)
UG (705)
UM (387)
US (753)
UY (121)
UZ (351)
VA (485)
VC (734)
VE (809)
VG (425)
VI (349)
VN (43)
VU (11)
WF (501)
WS (663)
XK (644)
YE (760)
YT (266)
ZA (898)
ZM (765)
ZW (959)