Coordinated Credential Abuse Against Enterprise VPN and Email Security Gateways 2

Tags: Credential spraying, VPN edge pressure, Cisco SSL VPN targeting, China-nexus APT (UAT-9686)

A large-scale, automated campaign that abused login credentials to authenticate to enterprise VPN systems, specifically Cisco SSL VPN and Palo Alto Networks GlobalProtect. The operation relied on scripted authentication attempts rather than on exploiting technical flaws in the platforms.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1133 - External Remote Services

ID: DET0354
Name: Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers

Analytic ID - Analytic Description:
AN1004 - Unusual or unauthorized external remote access attempts (e.g., RDP, VPN, Citrix) → repeated failed logins followed by a successful session from uncommon geolocations or outside business hours → subsequent internal lateral movement or data exfiltration activities.
AN1005 - Repeated SSH, VPN, or RDP gateway authentication attempts from external IPs → subsequent successful logon → remote shell or lateral movement activity (e.g., scp/sftp).
AN1006 - Unexpected inbound or outbound VNC/SSH/Screen Sharing connections from external sources → repeated failed logins followed by success → remote interactive sessions or abnormal file transfers.
AN1007 - Connections to exposed container services (e.g., Docker API, Kubernetes API server) from unauthorized external IPs → abnormal container creation/start → lateral activity within cluster nodes.
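The first two links of the AN1004 chain (a burst of failed logins, then a success from an uncommon geolocation or outside business hours) and the campaign's own pattern (scripted, low-and-slow attempts against many accounts from one source) can be checked directly against VPN authentication logs. The following is an added example, not code from this page or from the vendors it names: it runs both checks over a handful of constructed log lines. The log format, the usernames, the IP addresses, the IP-to-country map and the per-user country baseline are all assumptions made for the example; a real deployment would feed it the gateway's syslog and a GeoIP lookup instead.

```python
"""Added example (not part of the campaign page): behavior-chain detection over
constructed VPN authentication log lines, in the spirit of analytic AN1004.

Two signals are combined:
  1. credential spraying: one source IP fails against many distinct usernames
     inside a short window (the campaign's scripted authentication attempts);
  2. failure-then-success: a user's success is preceded by several failures and
     comes from a country not in that user's baseline, or outside business hours.
The log format, usernames, IPs and the IP-to-country map are all constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup (assumption: country codes are arbitrary).
GEO = {"203.0.113.7": "XX", "198.51.100.9": "YY"}

# Constructed per-user baseline: countries each user normally connects from.
BASELINE = {"alice": {"YY"}, "bob": {"YY"}}

# Constructed log lines: "<ISO timestamp> vpn-auth user=<u> src=<ip> result=<FAIL|SUCCESS>"
LOG = """\
2024-05-01T02:10:00 vpn-auth user=alice src=203.0.113.7 result=FAIL
2024-05-01T02:10:02 vpn-auth user=bob src=203.0.113.7 result=FAIL
2024-05-01T02:10:04 vpn-auth user=carol src=203.0.113.7 result=FAIL
2024-05-01T02:10:06 vpn-auth user=dave src=203.0.113.7 result=FAIL
2024-05-01T02:10:08 vpn-auth user=erin src=203.0.113.7 result=FAIL
2024-05-01T02:10:10 vpn-auth user=alice src=203.0.113.7 result=FAIL
2024-05-01T02:10:12 vpn-auth user=alice src=203.0.113.7 result=FAIL
2024-05-01T02:10:14 vpn-auth user=alice src=203.0.113.7 result=SUCCESS
2024-05-01T09:00:00 vpn-auth user=bob src=198.51.100.9 result=FAIL
2024-05-01T09:00:30 vpn-auth user=bob src=198.51.100.9 result=SUCCESS
"""


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str  # "FAIL" or "SUCCESS"


def parse_log(text):
    """Parse the constructed log format into AuthEvent objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, _tag, rest = line.split(" ", 2)
        kv = dict(field.split("=", 1) for field in rest.split())
        events.append(AuthEvent(datetime.fromisoformat(ts_s), kv["user"], kv["src"], kv["result"]))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(events, min_users=5, window=timedelta(minutes=30)):
    """Return {src_ip: users} for sources that fail against >= min_users distinct
    usernames within any window-long span. Per-user volume stays low, which is
    why a per-account lockout threshold alone misses spraying."""
    by_src = defaultdict(list)
    for e in events:
        if e.result == "FAIL":
            by_src[e.src_ip].append(e)
    alerts = {}
    for src, fails in by_src.items():
        for i, first in enumerate(fails):  # fails are already time-ordered
            users = {f.user for f in fails[i:] if f.ts - first.ts <= window}
            if len(users) >= min_users:
                alerts[src] = users
                break
    return alerts


def detect_fail_then_success(events, baseline, min_fails=3,
                             window=timedelta(minutes=30), business_hours=(8, 18)):
    """Return alerts for successes preceded by >= min_fails failures for the same
    user within the window, when the success comes from a non-baseline country
    or outside business hours (hour taken from the log's own timestamp)."""
    pending = defaultdict(list)  # user -> failure timestamps not yet closed by a success
    alerts = []
    for e in events:
        if e.result == "FAIL":
            pending[e.user].append(e.ts)
            continue
        recent = [t for t in pending[e.user] if e.ts - t <= window]
        pending[e.user] = []  # a success closes the failure burst
        if len(recent) < min_fails:
            continue
        reasons = []
        country = GEO.get(e.src_ip, "unknown")
        if country not in baseline.get(e.user, set()):
            reasons.append("new_country:" + country)
        if not (business_hours[0] <= e.ts.hour < business_hours[1]):
            reasons.append("off_hours")
        if reasons:
            alerts.append({"user": e.user, "src": e.src_ip,
                           "fails": len(recent), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("spraying sources:", detect_spray(evs))
    print("suspicious successes:", detect_fail_then_success(evs, BASELINE))
```

On the constructed input the spraying check flags 203.0.113.7 (five distinct accounts in under a minute) and the chain check flags alice's success because it follows three failures, comes from a country outside her baseline and lands at 02:10. Bob's single failure before a daytime success from his usual country is not reported, which is the point of combining the signals: a lone failure-then-success is ordinary user behaviour.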


T1190 - Exploit Public-Facing Application

ID: DET0080
Name: Exploit Public-Facing Application – multi-signal correlation (request → error → post-exploit process/egress)

Analytic ID - Analytic Description:
AN0219 - Adversary sends crafted HTTP/S (or other service) input to an Internet-facing app (IIS/ASP.NET, API, device portal). Chain: (1) abnormal request patterns to public endpoint → (2) elevated 4xx/5xx or unusual methods/paths → (3) server process (w3wp.exe/other service) spawns shell/LOLbins or loads non-standard modules → (4) optional outbound callback from the host/container.
AN0220 - Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback.
AN0221 - Adversary targets macOS-hosted public services (e.g., nginx, node). Chain: suspicious inbound request → service crash/5xx → service spawns shell or writes file → new outbound connection.
AN0222 - Adversary exploits containerized app via ingress or service. Chain: (1) suspicious request in ingress/app logs → (2) container process spawns a shell/exec/sidecar (kubectl exec/docker exec) → (3) egress to Internet or metadata service (169.254.169.254).
AN0223 - Adversary targets cloud-hosted public endpoints. Chain: (1) ALB/ELB/Cloud LB logs show exploit-like inputs or error spikes → (2) workload spawns shell or reaches metadata API → (3) egress to new external hosts.
AN0224 - Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback.
AN0225 - Adversary exploits public admin services on routers/firewalls/switches. Chain: anomalous HTTP/SNMP/SmartInstall inputs → device syslog errors/restarts → config changes/CLI spawn → egress to attacker C2.


T1562.002 - Disable Windows Event Logging

ID: DET0187
Name: Detect disabled Windows event logging

Analytic ID - Analytic Description:
AN0535 - Detection of attempts to disable or tamper with Windows Event Logging. This includes stopping or disabling the EventLog service, modifying registry keys related to EventLog and Autologger, using auditpol or wevtutil to disable categories or clear audit policies, and detecting suspicious gaps or resets in event logs. Defenders observe registry changes, service state changes, process execution of disabling commands, and anomalies in event record sequences.


T1572 - Protocol Tunneling

ID: DET0538
Name: Detection Strategy for Protocol Tunneling across OS platforms.

Analytic ID - Analytic Description:
AN1483 - Processes such as plink.exe, ssh.exe, or netsh.exe establishing outbound network connections where traffic patterns show encapsulated protocols (e.g., RDP over SSH). Defender observations include anomalous process-to-network relationships, large asymmetric data flows, and port usage mismatches.
AN1484 - sshd, socat, or custom binaries initiating port forwarding or encapsulating traffic (e.g., RDP, SMB) through SSH or HTTP. Defender sees abnormal connect/bind syscalls, encrypted traffic on ports typically used for non-encrypted services, and outlier traffic volume patterns.
AN1485 - launchd or user-invoked processes (ssh, socat) encapsulating traffic via SSH tunnels, VPN-style tooling, or DNS-over-HTTPS clients. Defender sees outbound TLS traffic with embedded DNS or RDP payloads.
AN1486 - VMware daemons or user processes encapsulating traffic (e.g., guest VMs tunneling via hostd). Defender sees network services inside ESXi creating flows inconsistent with management plane traffic, such as SSH forwarding or DNS-over-HTTPS from management interfaces.


T1505.003 - Web Shell

ID: DET0394
Name: Web Shell Detection via Server Behavior and File Execution Chains

Analytic ID - Analytic Description:
AN1108 - Unexpected file creation in web directories followed by web server processes (e.g., w3wp.exe) spawning command shells or script interpreters (e.g., cmd.exe, powershell.exe).
AN1109 - File creation of unauthorized script (e.g., .php, .sh) in /var/www/html followed by execution of unexpected system utilities (e.g., curl, bash, nc) by apache/nginx.
AN1110 - Web servers (e.g., httpd) spawning abnormal processes post file upload into /Library/WebServer/Documents or /usr/local/var/www.


T1090.002 - External Proxy

ID: DET0325
Name: External Proxy Behavior via Outbound Relay to Intermediate Infrastructure

Analytic ID - Analytic Description:
AN0922 - Unusual process (e.g., rundll32, mshta, wscript, or custom payloads) initiates network connection to external IPs/domains that proxy C2 traffic, often over uncommon ports or high entropy HTTP/S connections.
AN0923 - curl, wget, ncat, socat, or custom binaries initiate outbound traffic to Internet-based proxies (e.g., via VPS or CDN). Behavior may include reverse shell constructs or persistent outbound beacons.
AN0924 - AppleScript or terminal sessions launch tools (curl, nc, ssh) to external IPs not commonly accessed. Outbound connections are made by LaunchAgents/LaunchDaemons, often masquerading as system services.
AN0925 - ESXi shell or guest VM tools initiate external connections via scripted traffic forwarding to Internet-based proxies. Detected by firewall or shell audit logs showing outbound connection spikes from hypervisor or guest VM to remote proxy nodes.
AN0926 - Changes to NAT/firewall policies enabling outbound port forwarding from internal IPs to Internet-based proxy endpoints. Log spikes in outbound flows to CDN, VPS, or anomalous ASNs with few return packets.


T1059.006 - Python

ID: DET0063
Name: Cross-Platform Behavioral Detection of Python Execution

Analytic ID - Analytic Description:
AN0172 - Detects Python execution via python.exe or py.exe with anomalous parent lineage (e.g., Office macros, LOLBAS), execution from unusual directories, or chained network/PowerShell/system-level activity.
AN0173 - Detects native Python or framework-based execution from Terminal, embedded apps, or launchd jobs. Flags network calls, persistence writes, or system enumeration after Python launch.
AN0174 - Detects Python execution from non-standard user contexts or cron jobs that invoke outbound traffic, access sensitive files, or perform process injection (e.g., ptrace or /proc memory maps).
AN0175 - Detects Python script or interpreter execution on ESXi hosts via embedded BusyBox shells, nested installations, or dropped files via SSH or datastore mount. Flags unusual scripting or post-compromise enumeration behavior.


T1071.001 - Web Protocols

ID: DET0027
Name: Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets

Analytic ID - Analytic Description:
AN0075 - Detects unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes (e.g., PowerShell, rundll32) using uncommon user agents or mimicking browser traffic to unusual domains or IPs.
AN0076 - Detects curl, wget, Python requests, or custom HTTP clients communicating over non-standard ports, with repetitive or beacon-like patterns or POST-heavy behavior to rare domains.
AN0077 - Detects applications such as Automator, AppleScript, or LaunchDaemons invoking HTTP/S traffic to non-standard domains or using suspicious headers (e.g., Base64 in URIs or cookie fields).
AN0078 - Detects HTTP or HTTPS communication initiated by shell-based scripts or management daemons, especially those reaching public IPs over ports 80/443 using embedded curl or wget.
AN0079 - Detects Web protocol misuse such as encoded HTTP headers, WebSocket upgrade requests with abnormal payloads, or TLS handshake anomalies suggesting embedded C2 channels.
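The "repetitive or beacon-like patterns", "POST-heavy behavior to rare domains" and "uncommon user agents" of AN0075 and AN0076 are all measurable from ordinary proxy logs. The following is an added example, not code from this page or from the ATT&CK analytics it cites: for every client-to-host pair it computes the regularity of inter-request intervals (a low coefficient of variation means a fixed sleep), the POST share, how many distinct clients talk to the host, and whether the user agent is unique to one client, then flags pairs that score on all of them. The log format, client addresses, hostnames and user agents are constructed for the example; the thresholds are starting points, not tuned values.

```python
"""Added example (not part of the campaign page): beacon-style web C2 detection
over constructed proxy log records, in the spirit of analytics AN0075/AN0076.
Signals per (client, host) pair: periodic intervals, POST share, destination
rarity (distinct clients contacting the host) and a user agent seen from only
one client. Log format, addresses and hostnames are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <method> <host> ua=<user agent>"
PROXY_LOG = """\
2024-05-01T09:00:00 10.0.0.5 POST cdn-update.example ua=Mozilla/4.0 (compatible)
2024-05-01T09:00:10 10.0.0.6 GET www.example.org ua=Mozilla/5.0
2024-05-01T09:00:15 10.0.0.6 GET www.example.org ua=Mozilla/5.0
2024-05-01T09:01:01 10.0.0.5 POST cdn-update.example ua=Mozilla/4.0 (compatible)
2024-05-01T09:02:00 10.0.0.5 POST cdn-update.example ua=Mozilla/4.0 (compatible)
2024-05-01T09:02:30 10.0.0.7 GET www.example.org ua=Mozilla/5.0
2024-05-01T09:03:02 10.0.0.5 POST cdn-update.example ua=Mozilla/4.0 (compatible)
2024-05-01T09:03:59 10.0.0.5 POST cdn-update.example ua=Mozilla/4.0 (compatible)
2024-05-01T09:04:40 10.0.0.6 GET www.example.org ua=Mozilla/5.0
2024-05-01T09:05:00 10.0.0.5 POST cdn-update.example ua=Mozilla/4.0 (compatible)
2024-05-01T09:05:00 10.0.0.6 GET www.example.org ua=Mozilla/5.0
2024-05-01T09:06:01 10.0.0.5 POST cdn-update.example ua=Mozilla/4.0 (compatible)
2024-05-01T09:06:30 10.0.0.5 GET www.example.org ua=Mozilla/5.0
2024-05-01T09:07:00 10.0.0.5 POST cdn-update.example ua=Mozilla/4.0 (compatible)
2024-05-01T09:08:00 10.0.0.7 GET www.example.org ua=Mozilla/5.0
"""


@dataclass(frozen=True)
class Request:
    ts: datetime
    client: str
    host: str
    method: str
    user_agent: str


def parse_proxy_log(text):
    """Yield Request objects from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, client, method, host, ua = line.split(" ", 4)
        yield Request(datetime.fromisoformat(ts_s), client, host, method, ua[len("ua="):])


def pair_stats(requests):
    """Per (client, host) pair: request count, mean interval, interval coefficient
    of variation, POST ratio, distinct clients for the host, rare user agent flag."""
    by_pair = defaultdict(list)
    clients_per_host = defaultdict(set)
    clients_per_ua = defaultdict(set)
    for r in requests:
        by_pair[(r.client, r.host)].append(r)
        clients_per_host[r.host].add(r.client)
        clients_per_ua[r.user_agent].add(r.client)
    stats = {}
    for key, reqs in by_pair.items():
        reqs.sort(key=lambda r: r.ts)
        intervals = [(b.ts - a.ts).total_seconds() for a, b in zip(reqs, reqs[1:])]
        n = len(reqs)
        m = mean(intervals) if intervals else 0.0
        # A single interval is trivially "regular"; require two before scoring it.
        cv = pstdev(intervals) / m if len(intervals) >= 2 and m > 0 else float("inf")
        stats[key] = {
            "requests": n,
            "mean_interval": m,
            "interval_cv": cv,
            "post_ratio": sum(r.method == "POST" for r in reqs) / n,
            "host_clients": len(clients_per_host[key[1]]),
            "rare_ua": any(len(clients_per_ua[r.user_agent]) == 1 for r in reqs),
        }
    return stats


def find_beacons(requests, min_requests=5, max_cv=0.2, min_post_ratio=0.5, max_host_clients=2):
    """Return [(pair, stats)] for pairs that are periodic, POST-heavy and rare.
    Thresholds are assumptions for the example, not tuned values."""
    flagged = []
    for key, s in pair_stats(requests).items():
        if (s["requests"] >= min_requests and s["interval_cv"] <= max_cv
                and s["post_ratio"] >= min_post_ratio
                and s["host_clients"] <= max_host_clients):
            flagged.append((key, s))
    return flagged


if __name__ == "__main__":
    for (client, host), s in find_beacons(list(parse_proxy_log(PROXY_LOG))):
        print(f"{client} -> {host}: every {s['mean_interval']:.0f}s (cv {s['interval_cv']:.3f}), "
              f"POST ratio {s['post_ratio']:.2f}, clients {s['host_clients']}, rare UA {s['rare_ua']}")
```

On the constructed log only the 10.0.0.5 to cdn-update.example pair is reported: eight POSTs roughly sixty seconds apart with a few seconds of jitter, a host nobody else contacts, and a user agent no other client sends. The browsing of www.example.org by three clients at irregular intervals scores poorly on every signal. The jitter tolerance matters: real implants randomise their sleep, so the check is on the coefficient of variation rather than on an exact period.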


Observed Countries (250)

AD (797)
AE (843)
AF (644)
AG (96)
AI (258)
AL (64)
AM (536)
AO (701)
AQ (836)
AR (416)
AS (875)
AT (692)
AU (608)
AW (8)
AX (543)
AZ (247)
BA (865)
BB (822)
BD (138)
BE (68)
BF (986)
BG (28)
BH (651)
BI (200)
BJ (572)
BL (512)
BM (928)
BN (180)
BO (863)
BQ (62)
BR (396)
BS (143)
BT (504)
BV (959)
BW (828)
BY (595)
BZ (543)
CA (819)
CC (919)
CD (664)
CF (207)
CG (352)
CH (571)
CI (184)
CK (503)
CL (910)
CM (615)
CN (932)
CO (842)
CR (764)
CU (986)
CV (977)
CW (140)
CX (67)
CY (669)
CZ (90)
DE (857)
DJ (324)
DK (957)
DM (516)
DO (828)
DZ (715)
EC (54)
EE (418)
EG (283)
EH (523)
ER (52)
ES (796)
ET (183)
FI (144)
FJ (174)
FK (440)
FM (717)
FO (82)
FR (399)
GA (466)
GB (389)
GD (202)
GE (385)
GF (395)
GG (263)
GH (809)
GI (580)
GL (810)
GM (784)
GN (861)
GP (523)
GQ (570)
GR (336)
GS (287)
GT (259)
GU (125)
GW (856)
GY (691)
HK (57)
HM (850)
HN (374)
HR (445)
HT (66)
HU (133)
ID (536)
IE (375)
IL (57)
IM (725)
IN (959)
IO (685)
IQ (414)
IR (628)
IS (525)
IT (987)
JE (182)
JM (358)
JO (805)
JP (419)
KE (337)
KG (315)
KH (666)
KI (54)
KM (12)
KN (1)
KP (264)
KR (58)
KW (471)
KY (545)
KZ (954)
LA (390)
LB (127)
LC (696)
LI (466)
LK (776)
LR (303)
LS (673)
LT (241)
LU (144)
LV (76)
LY (581)
MA (124)
MC (423)
MD (881)
ME (610)
MF (704)
MG (148)
MH (274)
MK (548)
ML (898)
MM (408)
MN (144)
MO (288)
MP (19)
MQ (789)
MR (679)
MS (200)
MT (359)
MU (191)
MV (920)
MW (540)
MX (824)
MY (867)
MZ (652)
NA (986)
NC (146)
NE (286)
NF (732)
NG (988)
NI (129)
NL (804)
NO (951)
NP (667)
NR (227)
NU (942)
NZ (585)
OM (656)
PA (452)
PE (201)
PF (948)
PG (791)
PH (166)
PK (877)
PL (363)
PM (957)
PN (301)
PR (550)
PS (291)
PT (763)
PW (170)
PY (613)
QA (346)
RE (650)
RO (197)
RS (186)
RU (861)
RW (162)
SA (853)
SB (190)
SC (482)
SD (218)
SE (107)
SG (484)
SH (503)
SI (996)
SJ (695)
SK (293)
SL (551)
SM (679)
SN (863)
SO (842)
SR (800)
SS (114)
ST (367)
SV (517)
SX (725)
SY (710)
SZ (680)
TC (949)
TD (621)
TF (860)
TG (943)
TH (629)
TJ (439)
TK (618)
TL (23)
TM (66)
TN (733)
TO (480)
TR (476)
TT (843)
TV (198)
TW (266)
TZ (606)
UA (912)
UG (58)
UM (431)
US (835)
UY (591)
UZ (727)
VA (691)
VC (209)
VE (524)
VG (418)
VI (416)
VN (319)
VU (70)
WF (785)
WS (82)
XK (16)
YE (292)
YT (725)
ZA (938)
ZM (684)
ZW (549)