
Nexcorium TBK DVR Campaign
A multi-architecture Mirai variant that exploits CVE-2024-3721 in TBK DVR devices to deliver persistent IoT botnet malware. The campaign exploits the vulnerability to gain initial access, establishes persistence on the compromised device, and then uses the infected DVRs, built for a range of CPU architectures, to launch large-scale DDoS attacks.
Indicators of Compromise
Domains (1)
r3brqw3d.b0ats.top
Hashes (17)
IP Addresses (2)
84.200.87.36
176.65.148.186
CVEs (2)
CVE-2017-17215
CVE-2024-3721
Notes
CONCLUSION

The Nexus Team demonstrates strategic adaptability by rapidly weaponizing CVE-2024-3721 in TBK DVR devices to deliver the Nexcorium Mirai variant, showcasing their ability to exploit emerging vulnerabilities before widespread patching occurs. Their use of multi-architecture malware and diverse persistence mechanisms indicates a sophisticated approach to maintaining long-term access across global IoT infrastructures. The campaign's impact extends to any organization with vulnerable TBK DVR devices, particularly those in surveillance and network infrastructure sectors where DVRs are critical components. The combination of vulnerability exploitation, brute-force attacks, and DDoS capabilities creates significant operational disruption potential for affected entities.

For effective threat hunting, SOCRadar's IOC Radar should be leveraged to investigate these indicators across enterprise environments, identifying potentially compromised systems before they participate in botnet activities. Dark Web Monitoring capabilities become crucial for detecting credential exposures related to default IoT device credentials used in brute-force attacks. Continuous Cyber Threat Intelligence updates on Nexus Team's TTPs will enhance detection accuracy for similar campaigns. Brand Protection services should monitor for phishing domains mimicking TBK DVR support sites, while Attack Surface Management provides visibility into exposed DVR devices across organizational networks.
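To hunt for the domain and IP indicators listed above in local telemetry, here is an added example that is not part of SOCRadar's report or tooling: a small Python matcher run over DNS resolver and firewall log lines. It uses only the one domain and two IP addresses published on this page (the 17 file hashes are not reproduced here, and CVE identifiers do not appear in network logs). The log lines, host names and timestamps are constructed. The matcher tokenises instead of substring-matching, so 184.200.87.36 is not reported as a hit for 84.200.87.36, and it treats upper-case names, trailing-dot FQDNs and subdomains of the listed domain as hits.

```python
"""IoC hunt over local telemetry for the Nexcorium TBK DVR campaign indicators.

Added example (not the report's own tooling). The log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from this page. Hashes and CVEs are not matched here.
IOC_DOMAINS = {"r3brqw3d.b0ats.top"}
IOC_IPS = {"84.200.87.36", "176.65.148.186"}

# Tokenisers. Matching whole tokens rather than substrings is what keeps
# 184.200.87.36 from being reported as a hit for 84.200.87.36.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
_IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?!\.?\d)")

# Constructed sample telemetry: simplified DNS query log and firewall log lines.
SAMPLE_LOGS = [
    "2025-06-01T10:02:11Z dvr-cam-07 query: r3brqw3d.b0ats.top. IN A +",
    "2025-06-01T10:02:12Z dvr-cam-07 query: WWW.R3BRQW3D.B0ATS.TOP. IN A +",
    "2025-06-01T10:03:40Z laptop-12 query: updates.example.com. IN A +",
    "2025-06-01T10:02:13Z fw1 ACCEPT src=10.0.5.23 dst=84.200.87.36:443 proto=tcp",
    "2025-06-01T10:02:14Z fw1 ACCEPT src=10.0.5.23 dst=184.200.87.36:443 proto=tcp",
    "2025-06-01T10:05:00Z fw1 ACCEPT src=10.0.5.23 dst=176.65.148.186 proto=tcp dport=23",
    "2025-06-01T10:06:00Z fw1 DENY src=10.0.9.1 dst=176.65.148.18 proto=tcp dport=80",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "domain" or "ip"
    indicator: str   # the indicator from this page that matched
    line: str


def match_domain(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    Lower-cases the name and strips the trailing dot DNS logs put on FQDNs.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def match_ip(token: str) -> Optional[str]:
    """Return the token if it is a valid IPv4 address in the indicator set, else None."""
    try:
        ipaddress.IPv4Address(token)  # rejects octets > 255 the regex lets through
    except ValueError:
        return None
    return token if token in IOC_IPS else None


def scan_lines(lines: List[str]) -> List[Hit]:
    """Scan log lines; one Hit per (line, indicator) pair, in line order."""
    hits: List[Hit] = []
    seen = set()
    for n, line in enumerate(lines, start=1):
        candidates = [("domain", match_domain(m.group(1))) for m in _HOST_RE.finditer(line)]
        candidates += [("ip", match_ip(m.group(1))) for m in _IPV4_RE.finditer(line)]
        for kind, ioc in candidates:
            if ioc and (n, ioc) not in seen:
                seen.add((n, ioc))
                hits.append(Hit(n, kind, ioc, line))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per indicator, so a hunt reports which indicators fired."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.indicator] = counts.get(h.indicator, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.kind} {h.indicator} <- {h.line}")
    print(summarize(found))
```

Feed real DNS and firewall exports to `scan_lines` in place of `SAMPLE_LOGS`; any hit on the listed domain or IPs identifies a device that should be isolated and checked for the CVE-2024-3721 exposure before it joins DDoS activity.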
Mitigation
Reference: https://attack.mitre.org/

T1055 Process Injection (https://attack.mitre.org/techniques/T1055/)
Tactic: Defense Evasion (TA0005) / Privilege Escalation (TA0004)
  M1040 Behavior Prevention on Endpoint — Deploy EDR solutions capable of detecting and blocking abnormal cross-process memory write operations such as OpenProcess + WriteProcessMemory + CreateRemoteThread call chains.
  M1026 Privileged Account Management — Restrict the use of highly privileged accounts and minimize permissions required to create or manipulate processes across the environment.

T1498 Network Denial of Service (https://attack.mitre.org/techniques/T1498/)
Tactic: Impact (TA0040)
  M1037 Filter Network Traffic — Use upstream DDoS filtering services, CDN providers, and scrubbing centers to absorb and clean malicious traffic volumes before they saturate network bandwidth.
  M1035 Limit Access to Resource Over Network — Apply rate limiting, connection throttling, and ACLs on critical services to reduce the impact of volumetric flood attacks.

T1080 Taint Shared Content (https://attack.mitre.org/techniques/T1080/)
Tactic: Lateral Movement (TA0008)
  M1038 Execution Prevention — Use application allowlisting to prevent unknown or unsigned executables dropped into shared directories from running on endpoints.
  M1022 Restrict File and Directory Permissions — Enforce least-privilege write access to shared network drives and collaboration folders; prevent users from writing executable content to shared locations.

T1566 Phishing (https://attack.mitre.org/techniques/T1566/)
Tactic: Initial Access
  M1049 Antivirus/Antimalware — Enable Advanced Threat Protection (ATP) on email gateways to automatically scan attachments and URLs for malicious payloads before delivery.
  M1017 User Training — Conduct regular phishing awareness training and simulations; educate users to identify suspicious emails and report them through defined procedures.
  M1054 Software Configuration — Disable Office macro execution by default and enforce DMARC, DKIM, and SPF email authentication policies to reduce spoofed sender delivery.

T1059 Command and Scripting Interpreter (https://attack.mitre.org/techniques/T1059/)
Tactic: Execution (TA0002)
  M1038 Execution Prevention — Use application control policies to block unauthorized use of interpreters such as PowerShell, WScript, CScript, and bash for non-administrative user accounts.
  M1026 Privileged Account Management — Restrict script interpreter access to authorized administrator accounts only; prevent standard users from invoking execution environments.
  M1042 Disable or Remove Feature or Program — Fully disable unused scripting environments such as VBScript and WScript on endpoints where they serve no operational purpose.