
Earth Baku 2.0: Revealing the Advanced Tactics Behind the APT Group’s Next-Gen Cyberespionage Campaign
Earth Baku, an APT group linked to APT41, has expanded its operations beyond the Indo-Pacific to target Europe, the Middle East, and Africa, including countries like Italy, Germany, UAE, and Qatar. The group's recent tactics involve exploiting public-facing applications, particularly IIS servers, to gain initial entry for cyber attacks. Their sophisticated and persistent methods pose a significant challenge to global cybersecurity, highlighting the need for robust defensive measures.
Indicators of Compromise
Domains (4)
parça.cdn78544.ruwww.mircoupdate.https443.netwww.sitennews.comwww.cdn7854.workers.devHashes (48)
7463700ec5768d4af6549028465f978059611555aa8e22e2b7c664b1cdbfa9aed72f202c1d684c9a19f075290a60920fcdcbd9c25e06ac6da5497fa19459d0007449ec1a3e6bc591334db6fb3598aecb8d8161a7fcd835781820e4921039525975f9324d5b46b63e31f307757cedf305005ce9990a07cbf428072e4a3bc3376aba096045824f4c344141c4b827ff67c180096ff5f2cc1474bcac2cbda36019776d7861f12d9b59c4ec10a9396dca694fe64366e0dab82d046cf92457f97efd50a68ceb85adef6b7466fb63e6e49c2c201a0b6204e1d0269812a4b66272070b165d1f11bd4d009a81bf28a3e5144550355b3dfb67a0ef65dc7f69470b4faf4ca18405d742405d3a6d3bda6bc49630dd5f3604a3d6ae27cbd533e425f8abbaafdc073b35ecbd1833575fbfb1307654fc532fd938482e09426cfb0541ad87a04f7573eaba82ef1c502448e533007e92b1afa879b09f85f28b71648668ea62839ff5e5f1360d4c299bb32e33e081115f2b520251a983af2ebc649b4b9b70308246fed3fdf103e8585192452bb43e902f009c7bc066a3e9625ce47b87085b66e0ee6e17ecb3333872c38625ca62de3bcbe29740c1a0b8921fcf482fce25afb8a29fcd526f61ba30f14dcc7ecfad3e+28 moreIPv4 (3)
212.87.212.11578.108.216.205.182.207.28Notes
<span id="docs-internal-guid-8c2f9d58-7fff-863d-17b0-76a142a77d1a"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">CONCLUSION</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Earth Baku has notably expanded its operations, extending from the Indo-Pacific region to target Europe and the MEA since late 2022. This campaign showcases the group’s advanced techniques, including the exploitation of public-facing applications like IIS servers for initial access, followed by the deployment of sophisticated malware such as the Godzilla webshell for control. The use of advanced loaders like StealthVector and StealthReacher to stealthily launch backdoor components, along with the modular backdoor SneakCross, highlights the group's evolving tactics.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Additionally, Earth Baku employs various tools during post-exploitation, including a customized iox tool, Rakshasa, and TailScale for persistence, as well as MEGAcmd for efficient data exfiltration. These developments underscore the group’s increasing sophistication and present significant challenges for cybersecurity defenses.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">To counter such advanced threats, organizations need robust cybersecurity measures. Implementing the principle of least privilege, regularly updating systems, enforcing strict patch management, and developing proactive incident response strategies are essential steps. The 3-2-1 backup rule also ensures data integrity, even in the event of an attack.</span></p><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Organizations should consider deploying advanced security technologies such as SOCRadar's</span><a href="https://socradar.io/products/extended-threat-intelligence/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;"> Extended Threat Intelligence</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">, which offers continuous attack surface identification and comprehensive prevention, detection and response capabilities. Backed by advanced threat research, intelligence and artificial intelligence, this feature significantly improves the overall security posture. In addition, the</span><a href="https://socradar.io/what-is-extended-detection-and-response-xdr/"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(17, 85, 204); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; text-decoration-line: underline; vertical-align: baseline;"> Extended Detection and Response (XDR)</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> service provides expert threat monitoring, correlation and analysis, delivering powerful protection without overburdening IT teams, enabling organisations to scale securely with the cloud.</span></p><div><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"><br></span></div></span>
Mitigation
<span id="docs-internal-guid-b6ad43a3-7fff-ec26-e77a-8027daaca174"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">MITIGATION</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Application Layer Protocol: Web Protocols</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1031</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1031"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network Intrusion Prevention</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.</span></p></td></tr></tbody></table></div><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Account Discovery</span></p><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:82.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1028"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1028</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1028"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Operating System Configuration</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located </span><span style="font-size: 8.5pt; font-family: " color: rgb(28, 34, 38); background-color: rgb(230, 230, 230); font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators</span><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. </span><a href="https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[8]</span></a></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1018</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Account Management</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Manage the creation, modification, use, and permissions associated to user accounts.</span></p></td></tr></tbody></table></div><br><br><br><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Valid Accounts</span></p><br><br><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col></colgroup><tbody><tr style="height:37.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">ID</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Mitigation</span></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:bottom;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 12pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-weight: 700; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Description</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1036"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1036</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1036"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Account Use Policies</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Use conditional access policies to block logins from non-compliant devices or from outside defined organization IP ranges.</span><a href="https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-policy-common"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[71]</span></a></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1015"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1015</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1015"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Active Directory Configuration</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Disable legacy authentication, which does not support MFA, and require the use of modern authentication protocols instead.</span></p></td></tr><tr style="height:68.5pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1013"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1013</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1013"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Application Developer Guidance</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).</span></p></td></tr><tr style="height:94pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1027"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1027</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1027"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Password Policies</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:12pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment.</span><a href="https://www.us-cert.gov/ncas/alerts/TA13-175A"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[72]</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> When possible, applications that use SSH keys should be updated periodically and properly secured.</span></p><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Policies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources.</span></p></td></tr><tr style="height:82pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1026"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1026</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1026"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Privileged Account Management</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. </span><a href="https://technet.microsoft.com/en-us/library/dn535501.aspx"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[3]</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> </span><a href="https://technet.microsoft.com/en-us/library/dn487450.aspx"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[73]</span></a><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;"> These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. </span><a href="https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach"><span style="font-size: 7pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">[74]</span></a></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1018</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1018"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Account Management</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Regularly audit user accounts for activity and deactivate or remove any that are no longer needed.</span></p></td></tr><tr style="height:55.75pt;"><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">M1017</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/mitigations/M1017"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(79, 124, 172); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">User Training</span></a></p></td><td style="border-left:solid #dfdfdf 0.8333325pt;border-right:solid #dfdfdf 0.8333325pt;border-bottom:solid #dfdfdf 0.8333325pt;border-top:solid #dfdfdf 0.8333325pt;vertical-align:top;background-color:#f2f2f2;padding:5pt 5pt 5pt 5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.38;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(33, 37, 41); background-color: transparent; font-variant-numeric: normal; font-variant-east-asian: normal; font-variant-alternates: normal; font-variant-position: normal; vertical-align: baseline;">Applications may send push notifications to verify a login as a form of multi-factor authentication (MFA). Train users to only accept valid push notifications and to report suspicious push notifications.</span></p></td></tr></tbody></table></div><br><br></span>