Campaigns
The MCPwn Campaign: Unauthorized Nginx Server Takeovers

Nginx UI CVE-2026-33032 vulnerability exploitation
The Nginx UI campaign involves exploitation of CVE-2026-33032. Threat actors are leveraging this vulnerability in attempts to gain unauthorized access to, or control over, Nginx UI instances.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

| Technique ID | Technique Name | Data Source | Detection Description |
|---|---|---|---|
| T1033 | System Owner/User Discovery | Process Creation | Monitor execution of whoami, w, who, net user, id, query user and similar user-discovery commands. |
| T1033 | System Owner/User Discovery | Command Execution | Capture and analyze command-line arguments via Windows Event ID 4688. |
| T1033 | System Owner/User Discovery | OS API Execution | Monitor API calls used to query user/session information (e.g., GetUserNameA, WTSEnumerateSessions). |
| T1003 | OS Credential Dumping | Process Access | Monitor API calls to LSASS: OpenProcess, ReadProcessMemory, MiniDumpWriteDump. |
| T1003 | OS Credential Dumping | Windows Registry | Detect access or copying of SAM, SYSTEM, SECURITY registry hives. |
| T1003 | OS Credential Dumping | Process Creation | Detect known credential dumping tools: Mimikatz, procdump, comsvcs.dll, secretsdump. |
| T1003 | OS Credential Dumping | Application Log | Analyze Windows Event ID 4663 (object access) and 4656 (handle requests) on credential stores. |
| T1003 | OS Credential Dumping | Network Traffic | Detect DCSync attacks: unexpected DS-Replication-Get-Changes-All usage by non-DC accounts. |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Process Creation | Monitor wscript.exe, cscript.exe, node.exe for anomalous parent-child process chains. |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Script Execution | Detect .js/.jse files executed from user profile, temp, or download directories. |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Network Traffic | Monitor JavaScript-initiated outbound network connections from script interpreters. |
| T1059.007 | Command and Scripting Interpreter: JavaScript | Command Execution | Capture Windows Script Host invocations and arguments via Event Log. |
| T1082 | System Information Discovery | Process Creation | Monitor systeminfo, uname -a, hostname, ver, Get-ComputerInfo and similar commands. |
| T1082 | System Information Discovery | Command Execution | Detect WMI queries targeting Win32_OperatingSystem and Win32_ComputerSystem classes. |
| T1082 | System Information Discovery | Windows Registry | Monitor access to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and related keys. |
| T1082 | System Information Discovery | Application Log | Flag multiple sequential system enumeration commands from a single session as anomalous. |
| T1190 | Exploit Public-Facing Application | Application Log | Analyze web server logs for abnormal payloads, error code spikes (4xx/5xx), and traffic anomalies. |
| T1190 | Exploit Public-Facing Application | Network Traffic | Review WAF and IDS/IPS alerts for SQLi, XXE, SSRF, and RCE attempt signatures. |
| T1190 | Exploit Public-Facing Application | Process Creation | Detect unexpected child processes spawned from web server processes (e.g., Apache/IIS → cmd.exe). |
| T1190 | Exploit Public-Facing Application | File Creation | Monitor for web shell file creation in web-accessible directories post-exploitation. |
| T1055 | Process Injection | OS API Execution | Monitor API calls: CreateRemoteThread, VirtualAllocEx, WriteProcessMemory, NtMapViewOfSection, QueueUserAPC. |
| T1055 | Process Injection | Network Connection | Detect legitimate processes (svchost.exe, explorer.exe) making unexpected outbound network connections. |
| T1055 | Process Injection | Process Access | Identify process hollowing via permission changes to process memory regions. |
| T1055 | Process Injection | Process Metadata | Detect anomalous DLL loads and unexpected module injections via ETW. |
| T1505.003 | Server Software Component: Web Shell | File Creation | Monitor creation of new script files (.php, .asp, .aspx, .jsp) in web-accessible directories. |
| T1505.003 | Server Software Component: Web Shell | Process Creation | Detect web server processes (IIS, Apache, Nginx) spawning OS command interpreters. |
| T1505.003 | Server Software Component: Web Shell | Application Log | Analyze HTTP logs for unusual parameters, encoded payloads, and suspicious user-agent strings. |
| T1505.003 | Server Software Component: Web Shell | File Modification | Use File Integrity Monitoring (FIM) on web directories to detect unauthorized modifications. |
| T1548 | Abuse Elevation Control Mechanism | Process Creation | Monitor UAC bypass techniques: fodhelper, eventvwr, sdclt, cmstp, and similar known abuses. |
| T1548 | Abuse Elevation Control Mechanism | Command Execution | Detect sudo, su, runas, and privilege escalation command usage. |
| T1548 | Abuse Elevation Control Mechanism | Application Log | Analyze Windows Event ID 4688 for high-privilege process creation; Event ID 4672/4673 for privilege assignments. |
| T1548 | Abuse Elevation Control Mechanism | File Modification | Detect unexpected SUID/SGID bit changes on Linux/macOS file systems. |
| T1090 | Proxy | Network Traffic | Detect HTTP/HTTPS CONNECT tunneling to unusual or newly observed external IP addresses. |
| T1090 | Proxy | Network Connection | Identify connections to Tor exit nodes, known VPN services, or anonymizing proxies. |
| T1090 | Proxy | Application Log | Detect domain fronting via SNI and Host header mismatches in TLS traffic logs. |
| T1090 | Proxy | Network Traffic | Analyze NetFlow/IPFIX data for traffic routing anomalies inconsistent with network topology. |
| T1059 | Command and Scripting Interpreter | Process Creation | Monitor spawning of PowerShell, Bash, Python, cmd.exe, wscript.exe, cscript.exe. |
| T1059 | Command and Scripting Interpreter | Command Execution | Log and analyze command-line arguments (Windows Event ID 4688 / Sysmon Event ID 1). |
| T1059 | Command and Scripting Interpreter | Script Execution | Enable PowerShell Script Block Logging and Module Logging for full script visibility. |
| T1059 | Command and Scripting Interpreter | Process Creation | Detect suspicious parent→child process relationships (e.g., Office apps spawning script interpreters). |
| T1083 | File and Directory Discovery | Process Creation | Monitor execution of dir, ls, find, tree, Get-ChildItem and enumeration commands. |
| T1083 | File and Directory Discovery | File Access | Detect bulk file access activity targeting sensitive directories (C:\Users, /etc, /root). |
| T1083 | File and Directory Discovery | Command Execution | Flag rapid sequential directory listing operations within a single session as anomalous. |
| T1083 | File and Directory Discovery | Application Log | Analyze Windows Event ID 4663 for object access audit entries on sensitive directories. |
| T1078 | Valid Accounts | Logon Session | Monitor logins from unusual times, geolocations, or unrecognized devices. |
| T1078 | Valid Accounts | Application Log | Correlate failed logins followed by success (brute-force + success) via Event ID 4625/4624. |
| T1078 | Valid Accounts | User Account | Detect the same credential being used across multiple systems as a lateral movement indicator. |
| T1078 | Valid Accounts | Logon Session | Use UEBA to identify deviations from established user behavior baselines. |
| T1027 | Obfuscated Files or Information | File Access | Perform entropy analysis on files and scripts to identify high-entropy (encoded) content. |
| T1027 | Obfuscated Files or Information | Script Execution | Detect Base64, XOR, hex encoding usage in scripts via PowerShell Script Block Logging. |
| T1027 | Obfuscated Files or Information | Command Execution | Monitor PowerShell -EncodedCommand, certutil -decode, and similar decoding tool invocations. |
| T1027 | Obfuscated Files or Information | Network Traffic | Use deep packet inspection (DPI) to identify obfuscation or steganography in network payloads. |
| T1486 | Data Encrypted for Impact | File Modification | Detect mass file modification or extension changes within a short time window (ransomware pattern). |
| T1486 | Data Encrypted for Impact | Command Execution | Monitor VSS deletion commands: vssadmin delete shadows, wmic shadowcopy delete. |
| T1486 | Data Encrypted for Impact | OS API Execution | Detect processes making heavy use of encryption APIs (CryptoAPI, bcrypt.dll). |
| T1486 | Data Encrypted for Impact | File Creation | Detect ransom note file creation (e.g., README.txt, HOW_TO_DECRYPT.html). |
| T1573 | Encrypted Channel | Network Traffic | Monitor for self-signed certificates, unusual issuers, and short-lived certs in TLS sessions. |
| T1573 | Encrypted Channel | Network Traffic | Compare TLS/SSL JA3 and JA3S fingerprints against known C2 tool signatures. |
| T1573 | Encrypted Channel | Network Connection | Detect encrypted traffic occurring on non-standard or unexpected ports. |
| T1573 | Encrypted Channel | Network Traffic | Analyze data transfer sizes and timing regularity for beaconing pattern detection. |
| T1203 | Exploitation for Client Execution | Process Creation | Detect unexpected child processes from browsers or Office apps (e.g., Winword.exe → cmd.exe). |
| T1203 | Exploitation for Client Execution | Application Log | Monitor application crash logs and crash dumps as indicators of active exploit attempts. |
| T1203 | Exploitation for Client Execution | Network Connection | Detect outbound network connections initiated from sandboxed or client application processes. |
| T1203 | Exploitation for Client Execution | Script Execution | Monitor macro and script execution triggered from high-risk document formats. |
| T1071.001 | Application Layer Protocol: Web Protocols | Network Traffic | Analyze HTTP traffic for anomalous User-Agent strings, non-standard headers, and beaconing intervals. |
| T1071.001 | Application Layer Protocol: Web Protocols | Network Traffic | Detect periodic, regular HTTP requests indicative of automated C2 beaconing. |
| T1071.001 | Application Layer Protocol: Web Protocols | Network Traffic | Analyze DNS and HTTP logs for newly registered or DGA-generated domain names. |
| T1071.001 | Application Layer Protocol: Web Protocols | Network Traffic | Inspect large HTTP POST requests for potential data exfiltration over web protocols. |
| T1018 | Remote System Discovery | Process Creation | Monitor execution of nmap, net view, arp -a, ping sweep, nbtscan, and similar tools. |
| T1018 | Remote System Discovery | Network Connection | Detect connection attempts to large ranges of IP addresses in short time windows. |
| T1018 | Remote System Discovery | Network Traffic | Monitor NetBIOS, SNMP, and LDAP queries used for network host enumeration. |
| T1018 | Remote System Discovery | Application Log | SIEM correlation: flag excessive network discovery from a single source IP within defined time thresholds. |
| T1105 | Ingress Tool Transfer | Process Creation | Monitor certutil, bitsadmin, Invoke-WebRequest, wget, curl, tftp used for file download. |
| T1105 | Ingress Tool Transfer | File Creation | Detect creation of executable files (.exe, .dll, .bat, .ps1, .sh) downloaded from the internet. |
| T1105 | Ingress Tool Transfer | Network Traffic | Monitor for anomalous transfer volumes, frequencies, and suspicious file types in network traffic. |
| T1105 | Ingress Tool Transfer | Network Connection | Match downloaded file hashes against threat intelligence feeds in real time. |
| T1021.001 | Remote Services: Remote Desktop Protocol | Logon Session | Monitor Windows Event ID 4624 (Logon Type 10) for remote desktop logon events. |
| T1021.001 | Remote Services: Remote Desktop Protocol | Network Connection | Detect RDP connections (TCP 3389) from unknown IPs or outside of business hours. |
| T1021.001 | Remote Services: Remote Desktop Protocol | Application Log | Monitor failed RDP logon attempts (Event ID 4625) for brute-force patterns. |
| T1021.001 | Remote Services: Remote Desktop Protocol | Application Log | Analyze TerminalServices-RemoteConnectionManager and Security event logs for suspicious RDP activity. |
| T1021.001 | Remote Services: Remote Desktop Protocol | Logon Session | Detect lateral movement: a single account establishing RDP sessions to multiple hosts in sequence. |

Observed Countries (250)
