
Enumeration Campaign: Target List Construction
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1046 - Network Service Scanning
ID | Name | Analytic ID | Analytic Description |
Behavioral Detection Strategy for Network Service Discovery Across Platforms | Detects processes performing network enumeration (e.g., port scans, service probing) by correlating process creation, socket connections, and sequential destination IP probing within a time window. | ||
Detects use of network scanning utilities or scripts performing rapid connections to multiple services or hosts using auditd and netflow/pcap telemetry. | |||
Detects Bonjour-based mDNS enumeration or use of system tools (e.g., dns-sd, nmap) to find active services via multicast probing or targeted scans. | |||
Detects lateral discovery or container breakout attempts using netcat, curl, or custom binaries probing other services within the same namespace or VPC subnet. |
T1102 - Web Service
ID | Name | Analytic ID | Analytic Description |
Detects unusual outbound connections to web services from uncommon processes using SSL/TLS, particularly those exhibiting high outbound data volume or persistence. | |||
Detects command-line tools, agents, or scripts making outbound HTTPS connections to popular web services like Discord, Slack, Dropbox, or Graph API in an unusual context. | |||
Detects user agents or background services making unauthorized or unscheduled web API calls to cloud/web services over HTTPS. | |||
Detects guest VMs or management agents issuing HTTP(S) traffic to external services without a valid patch management or backup justification. |
T1190 - Exploit Public-Facing Application
ID | Name | Analytic ID | Analytic Description |
Adversary sends crafted HTTP/S (or other service) input to an Internet-facing app (IIS/ASP.NET, API, device portal). Chain: (1) abnormal request patterns to public endpoint → (2) elevated 4xx/5xx or unusual methods/paths → (3) server process (w3wp.exe/other service) spawns shell/LOLbins or loads non-standard modules → (4) optional outbound callback from the host/container. | |||
Adversary exploits Apache/Nginx/app servers. Chain: (1) suspicious requests in access logs → (2) spike of 5xx or WAF blocks → (3) web server or interpreter (apache2/nginx/php-fpm/node/python) spawns /bin/sh, curl, wget, socat, or writes webshell → (4) outbound callback. | |||
Adversary targets macOS-hosted public services (e.g., nginx, node). Chain: suspicious inbound request → service crash/5xx → service spawns shell or writes file → new outbound connection. | |||
Adversary exploits containerized app via ingress or service. Chain: (1) suspicious request in ingress/app logs → (2) container process spawns a shell/exec/sidecar (kubectl exec/docker exec) → (3) egress to Internet or metadata service (169.254.169.254). | |||
Adversary targets cloud-hosted public endpoints. Chain: (1) ALB/ELB/Cloud LB logs show exploit-like inputs or error spikes → (2) workload spawns shell or reaches metadata API → (3) egress to new external hosts. | |||
Adversary exploits exposed OpenSLP on ESXi or vCenter public endpoints. Chain: inbound request pattern to mgmt service → hostd/vpxd error/crash/restart → unexpected process behavior or datastore access → outbound callback. | |||
Adversary exploits public admin services on routers/firewalls/switches. Chain: anomalous HTTP/SNMP/SmartInstall inputs → device syslog errors/restarts → config changes/CLI spawn → egress to attacker C2. |
T1210 - Exploitation of Remote Services
ID | Name | Analytic ID | Analytic Description |
Exploitation of Remote Services – multi-platform lateral movement detection | Correlates inbound network access to remote service ports (e.g., SMB/RPC 445/135, RDP 3389, WinRM 5985/5986) with near-time instability in the target service (crash, abnormal restart), suspicious child process creation under the service, and post-access lateral-movement behaviors. The chain indicates likely exploitation rather than normal administration. | ||
Links inbound network access to SSHD/SMB/NFS/Databases or custom daemons with subsequent daemon crash/restart, core dump, or spawning of shells/reverse shells from the service context, indicating remote exploitation. | |||
Detects exploitation targeting ESXi/vCenter by correlating attempts to reach known exploitable endpoints (OpenSLP 427, CIM 5989, Hostd/Vpxa HTTPS 443, ESXi SOAP) with vmkernel/hostd crashes, unexpected hostd/vpxa restarts, or new reverse/outbound connections from ESXi host/vCenter to internal assets. | |||
Ties inbound access to exposed services (ARD/VNC 5900, SSH 22, ScreenSharing, web services) with process crashes in unified logs and abnormal child processes spawned under those services (e.g., bash, curl) to indicate exploitation. |
T1212 - Exploitation for Credential Access
ID | Name | Analytic ID | Analytic Description |
Detects adversary exploitation of authentication mechanisms or credential validation processes. Defender perspective includes forged Kerberos tickets (e.g., MS14-068), abnormal LSASS memory access, replayed authentication attempts, and unexpected crashes of authentication services. Multi-event correlation ties exploitation attempts to abnormal process creation, service instability, and suspicious authentication events. | |||
Detects exploitation of authentication daemons or PAM modules. Defender perspective includes failed or anomalous PAM authentications, abnormal segfaults in authentication services, and exploitation attempts followed by successful unauthorized logins. Correlation identifies memory corruption, replay attempts, and privilege escalation tied to credential services. | |||
Detects exploitation attempts against macOS authentication frameworks such as OpenDirectory or Keychain. Defender perspective includes abnormal crashes in opendirectoryd, unauthorized Keychain API usage, and unusual sudo or login events. Correlation links unexpected process behavior with credential access anomalies. | |||
Detects exploitation of vulnerabilities in cloud identity providers (IdPs) such as Azure AD or Okta for credential access. Defender perspective includes anomalous token creation or renewal, authentication bypass events, and API abuse to mint unauthorized tokens. Correlation highlights exploitation attempts tied to absent or inconsistent audit logs. |
T1552 - Unsecured Credentials
ID | Name | Analytic ID | Analytic Description |
Detect Access or Search for Unsecured Credentials Across Platforms | Unusual access to bash history, registry credentials paths, or private key files by unauthorized or scripting tools, with correlated file and process activity. | ||
Reading of sensitive files like .bash_history, /etc/shadow, or private key directories by unauthorized users or unusual processes. | |||
Unusual access to ~/Library/Keychains, ~/.bash_history, or Terminal command history by unauthorized processes or users. | |||
Unusual web-based access or API scraping of password managers, single sign-on sessions, or credential sync services via browser automation or anomalous API tokens. | |||
Unauthorized API or console calls to retrieve or reset password credentials, download key material, or modify SSO settings. | |||
Access to container image layers or mounted secrets (e.g., Docker secrets) by processes not tied to entrypoint or orchestration context. | |||
Use of configuration backup utilities or CLI access to dump plaintext passwords, local user hashes, or SNMP strings. |
T1592 - Gather Victim Host Information
ID | Name | Analytic ID | Analytic Description |
Internet scanners may be used to look for patterns associated with malicious content designed to collect host information from visitors.[4][1] |
T1595 - Active Scanning
ID | Name | Analytic ID | Analytic Description |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
T1595.002 - Vulnerability Scanning
ID | Name | Analytic ID | Analytic Description |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |