SOC Incident Toolkit
HIGH WEBWORM EUROPEAN ESPIONAGE CAMPAIGN EchoCreep & GraphWorm Backdoors via Discord and Microsoft Graph API


Webworm, EchoCreep, GraphWorm, FishMonger, SoftEther

Webworm, a China-aligned APT active since 2022, introduced two new backdoors in 2025 — EchoCreep (Discord C&C) and GraphWorm (Microsoft Graph API / OneDrive C&C) — while shifting targeting from Asia to European government organisations. ESET decrypted 400+ Discord messages across four victim channels, with the earliest C&C activity dating to 21 March 2024.

Indicators of Compromise

Domains (2)

whpjewellers.s3.amazonaws.com
wamanharipethe.s3.ap-south-1.amazonaws.com

Hashes (6, SHA-1)

A3C077BDF8898E612CCD65BC82E7960834ADB2A9
1DF40A4A31B30B62EC33DC6FECC2C4408302ADC7
CB4E50433336707381429707F59C3CBE8D497D98
77F1970D620216C5FFF4E14A6CCC13FCCC267217
7DCFE9EE25841DFD58D3D6871BF867FE32141DFB
948159A7FC2E688386864BEA59FD40DFFC4B24D6

IPv4 (5)

104.243.23.43
144.168.60.233
64.176.85.158
108.61.200.151
45.77.13.67
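The summary above describes C2 that rides Discord and Microsoft Graph, and the IOC list gives the infrastructure and file hashes to match. The Python below is an added example, not code from this page, from ESET or from SOCRadar, that runs both checks over host telemetry: it matches the published IPs, S3 hostnames and SHA-1 hashes, and it flags Discord API or Graph calls from any process outside a per-estate allow-list. The key=value log format, the allow-list, the sample events and the process names in them (updater.exe, update.exe) are all constructed for the example.

```python
"""Hunt proxy / EDR telemetry for the Webworm indicators published on this page
and for SaaS-hosted C2 (Discord API, Microsoft Graph / OneDrive) coming from
processes that have no business reaching those services."""
import re
from dataclasses import dataclass

# Indicators copied from this page's IOC section (hashes lower-cased for matching).
IOC_IPS = {
    "104.243.23.43", "144.168.60.233", "64.176.85.158",
    "108.61.200.151", "45.77.13.67",
}
IOC_DOMAINS = {
    "whpjewellers.s3.amazonaws.com",
    "wamanharipethe.s3.ap-south-1.amazonaws.com",
}
IOC_SHA1 = {
    "a3c077bdf8898e612ccd65bc82e7960834adb2a9",
    "1df40a4a31b30b62ec33dc6fecc2c4408302adc7",
    "cb4e50433336707381429707f59c3cbe8d497d98",
    "77f1970d620216c5fff4e14a6ccc13fccc267217",
    "7dcfe9ee25841dfd58d3d6871bf867fe32141dfb",
    "948159a7fc2e688386864bea59fd40dffc4b24d6",
}

# SaaS hosts the two backdoors use for C2 according to the page summary.
SAAS_C2 = {
    "discord.com": "EchoCreep-style Discord C&C",
    "discordapp.com": "EchoCreep-style Discord C&C",
    "graph.microsoft.com": "GraphWorm-style Graph/OneDrive C&C",
}

# Hypothetical per-estate allow-list of processes expected to reach each SaaS host.
# Anything else (servers, unsigned updaters, LOLBins) deserves a ticket, because the
# encrypted message bodies themselves give nothing to match on.
ALLOWED_PROCS = {
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "discordapp.com": {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "graph.microsoft.com": {"outlook.exe", "teams.exe", "ms-teams.exe", "onedrive.exe",
                            "msedge.exe", "chrome.exe", "firefox.exe"},
}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one constructed key=value telemetry line (quoted values may contain spaces)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def hunt(lines) -> list:
    """Return one Finding per IOC hit or per unexpected SaaS-API caller, in input order."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        proc = ev.get("proc", "").lower()
        dst, sni = ev.get("dst", ""), ev.get("sni", "").lower()
        sha1 = ev.get("sha1", "").lower()
        if dst in IOC_IPS:
            findings.append(Finding(host, "ioc-ip", f"{proc} -> {dst}"))
        if sni in IOC_DOMAINS:
            findings.append(Finding(host, "ioc-domain", f"{proc} -> {sni}"))
        if sha1 in IOC_SHA1:
            findings.append(Finding(host, "ioc-hash", f"{ev.get('image', '?')} sha1={sha1}"))
        # Discord/Graph traffic is TLS to a legitimate host and the AES-CBC-128 + base64
        # payload is opaque, so the usable signal is the calling process on the host.
        if sni in SAAS_C2 and proc not in ALLOWED_PROCS.get(sni, set()):
            findings.append(Finding(host, "saas-c2",
                                    f"{SAAS_C2[sni]}: {proc} -> {sni}{ev.get('path', '')}"))
    return findings


# Constructed telemetry (not real logs): proxy/EDR events in key=value form.
SAMPLE_TELEMETRY = [
    'ts=2025-06-02T08:01:13Z host=WS-042 proc=chrome.exe dst=162.159.128.233 sni=discord.com path=/api/v9/gateway',
    'ts=2025-06-02T08:03:55Z host=WS-042 proc=updater.exe dst=162.159.128.233 sni=discord.com path=/api/v10/channels/1/messages',
    'ts=2025-06-02T08:04:10Z host=SRV-FILE01 proc=svchost.exe dst=104.243.23.43 sni=-',
    'ts=2025-06-02T08:05:42Z host=WS-017 proc=outlook.exe dst=20.190.160.5 sni=graph.microsoft.com path=/v1.0/me/messages',
    'ts=2025-06-02T08:06:01Z host=WS-017 proc=update.exe dst=20.190.160.5 sni=graph.microsoft.com path=/v1.0/me/drive/root:/v1/beacon.txt:/content',
    'ts=2025-06-02T08:07:30Z host=WS-017 proc=powershell.exe dst=52.219.160.1 sni=whpjewellers.s3.amazonaws.com path=/',
    'ts=2025-06-02T08:09:00Z host=WS-017 proc=- sha1=A3C077BDF8898E612CCD65BC82E7960834ADB2A9 image="C:\\Users\\Public\\svchost.exe"',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_TELEMETRY):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The IOC sets will age out as the actor rotates proxies, while the caller-based rule keeps working; feed it EDR network events that carry the process name rather than bare proxy logs, which only see a browser-looking TLS session to discord.com.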

APT Groups

Earth Lusca (CN)
Webworm (CN)
Vicious Panda (CN)
UAT-8302 (CN)

Notes

CONCLUSION

The 2025 Webworm campaign shows a China-aligned APT routing its entire C2 through trusted SaaS (Discord, Microsoft Graph/OneDrive, GitHub and Amazon S3) so that malicious traffic blends into normal cloud usage. AES-CBC-128-encrypted messages ride Discord channels, beacons are staged inside per-victim OneDrive folders, and a chained proxy fabric over Vultr and IT7 Networks frustrates tracing. The European pivot, together with Italian government VM snapshots and Spanish documents recovered from an exposed S3 bucket, points to strategic collection rather than financial motive.

This is the gap SOCRadar's Extended Threat Intelligence (XTI) platform closes. IOC Radar and the CTI module operationalize the published hashes and IPs in minutes; Attack Surface Management surfaces exposed buckets and over-privileged Azure AD principals; Advanced Dark Web Monitoring tracks the leaked archives that follow. When attackers hide inside legitimate cloud traffic, perimeter detection alone no longer sees them; XTI does.

Mitigation

<span id="docs-internal-guid-214f6aa2-7fff-a46d-6d67-13acc7872cea"><p style="line-height:1.5;text-align: justify;margin-top:0pt;margin-bottom:6pt;"><span style="font-size: 13pt; font-family: Arial, sans-serif; color: rgb(31, 56, 100); font-weight: 700; font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">MITIGATION<a href="https://attack.mitre.org/"> </a></span><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/">[REF]</a></span></p><div style="margin-left:0pt;" align="left"><table style="border:none;border-collapse:collapse;"><colgroup><col><col><col><col><col></colgroup><thead><tr style="height:0pt;"><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#1f3864;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.5; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Technique ID</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#1f3864;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.5; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Technique Name</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 
0.5pt;vertical-align:middle;background-color:#1f3864;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.5; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Tactic</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#1f3864;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.5; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Mitigation ID</span></p></th><th style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#1f3864;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height: 1.5; margin-top: 0pt; margin-bottom: 0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(255, 255, 255); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Description</span></p></th></tr></thead><tbody><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1595/002/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; 
vertical-align: baseline; white-space: pre-wrap;">T1595.002</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Active Scanning: Vulnerability Scanning</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Reconnaissance</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1056/">M1056</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Pre-compromise — Minimise externally exposed surface; harden web servers; monitor for nuclei / dirsearch user-agent patterns and high-volume directory bruteforcing from single source IPs.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1584/006/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1584.006</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Compromise Infrastructure: Web Services</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; 
vertical-align: baseline; white-space: pre-wrap;">Resource Development</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1056/">M1056</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Pre-compromise — Apply least-privilege S3 bucket policies, enable public-access blocks and bucket logging, alert on anomalous PUT/GET volumes from non-corporate IPs.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1608/002/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: 
pre-wrap;">T1608.002</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Stage Capabilities: Upload Tool</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Resource Development</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1056/">M1056</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, 
sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Pre-compromise — Block or monitor GitHub raw URLs and unattended clones from production estate; threat-hunt for forked-WordPress repositories that host foreign binaries in /wp-admin/.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1059/003/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1059.003</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Scripting Interpreter: Windows Command Shell</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; 
white-space: pre-wrap;">Execution</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1038/">M1038</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Execution Prevention — AppLocker / WDAC allow-listing of cmd.exe parents; alert on cmd.exe spawned by unsigned Go binaries or by scheduled tasks not in baseline.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1053/005/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1053.005</span></a></p></td><td style="border-left:solid 
#bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Scheduled Task/Job: Scheduled Task</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Persistence</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1028/">M1028</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: 
baseline; white-space: pre-wrap;">Operating System Configuration — Audit scheduled tasks daily; alert on unfamiliar task names (e.g., MicrosoftSSHUpdate) running with SYSTEM privileges.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1547/001/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1547.001</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Boot or Logon Autostart Execution: Registry Run Keys</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Persistence</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid 
#bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1024/">M1024</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Restrict Registry Permissions — Baseline expected Run/RunOnce entries; alert on additions pointing to user-writable directories or unsigned binaries.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1078/004/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1078.004</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 
0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Valid Accounts: Cloud Accounts</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1032/">M1032</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Multi-factor Authentication — Enforce hardware MFA on every Microsoft cloud 
account that can call Graph; review Files.ReadWrite.All / Sites.ReadWrite.All application scopes.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1078/004/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1078.004</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Valid Accounts: Cloud Accounts</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 
0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1018/">M1018</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">User Account Management — Audit Azure AD app registrations and service principals quarterly; revoke unused Graph permissions; review consented OAuth apps.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1027/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1027</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 
6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Obfuscated Files or Information</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Defense Evasion</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1049/">M1049</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Antivirus/Antimalware — Block the six published ESET SHA-1 hashes in EDR and back them with YARA rules on the backdoors' code and strings, because a hash match fails on the next recompiled build; where TLS is terminated at a proxy, treat base64-wrapped AES-CBC-128 ciphertext posted to Discord API endpoints as anomalous (inside an uninspected TLS session only the destination, timing and volume are visible).</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1102/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1102</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Web Service</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 
6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1037/">M1037</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Filter Network Traffic — Block outbound discord.com (and discordapp.com) from server segments where Discord is not business-required; graph.microsoft.com itself cannot be blocked in a Microsoft 365 estate, so for the consumer OneDrive channel use Entra tenant restrictions, scoped to cover personal Microsoft accounts, so that OneDrive and Graph sessions to any tenant other than your own are refused at the proxy.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1071/001/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1071.001</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span 
style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Application Layer Protocol: Web Protocols</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1031/">M1031</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Network Intrusion Prevention — Inspect TLS metadata (SNI, JA3/JA4) and, where TLS is terminated, URL paths under discord.com/api/* and graph.microsoft.com/* from production workloads; flag hosts that poll these endpoints at a near-fixed period for hours or days, since a backdoor's sleep loop shows as a tight interval with little jitter while a human user's traffic is bursty.</span></p></td></tr><tr style="height:0pt;"><td 
style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1090/003/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1090.003</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Proxy: Multi-hop Proxy</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: 
center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1037/">M1037</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Filter Network Traffic — Block SoftEther VPN signatures, frp/iox port-forwarding patterns; alert on encrypted tunnels originating from server segments toward Vultr / IT7 Networks ASNs.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1572/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1572</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; 
color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Protocol Tunneling</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Command and Control</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1037/">M1037</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Filter Network Traffic — SoftEther listens on 443, 992, 1194 and 5555 by default and wraps its tunnel in TLS to pass as HTTPS, so blocking by port is not enough (443 cannot be closed outright); match its TLS/JA3 fingerprints and the five published IPv4 addresses instead, and allow only named, allow-listed VPN destinations from production hosts.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid 
#bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1041/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1041</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Exfiltration Over C2 Channel</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Exfiltration</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 
99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1057/">M1057</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;background-color:#f4f6fb;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Data Loss Prevention — Threshold-alert on outbound volume attributable to Microsoft Graph /createUploadSession calls (the call itself is small; the chunked PUT requests to the upload URL it returns carry the data), baselined per host: a server that has never used OneDrive and suddenly pushes megabytes through an upload session is the signal, not any absolute size.</span></p></td></tr><tr style="height:0pt;"><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><a href="https://attack.mitre.org/techniques/T1021/007/"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">T1021.007</span></a></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Remote Services: Cloud Services</span></p></td><td 
style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Lateral Movement</span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;text-align: center;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 11pt; font-family: Arial, sans-serif; color: rgb(5, 99, 193); font-weight: 700; font-variant: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="https://attack.mitre.org/mitigations/M1026/">M1026</a></span></p></td><td style="border-left:solid #bfbfbf 0.5pt;border-right:solid #bfbfbf 0.5pt;border-bottom:solid #bfbfbf 0.5pt;border-top:solid #bfbfbf 0.5pt;vertical-align:middle;padding:4.5pt 6.5pt 4.5pt 6.5pt;overflow:hidden;overflow-wrap:break-word;"><p style="line-height:1.5;margin-top:0pt;margin-bottom:0pt;"><span style="font-size: 10pt; font-family: Arial, sans-serif; color: rgb(0, 0, 0); font-variant: normal; vertical-align: baseline; white-space: pre-wrap;">Privileged Account Management — Enforce phishing-resistant MFA and Conditional Access on every cloud admin account; service principals are not covered by user MFA, so restrict them with Conditional Access for workload identities (or an equivalent policy) to named origin networks and alert on app-only sign-ins from anywhere else.</span></p></td></tr></tbody></table></div></span>
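The M1018 row above says what to audit but not how a consented Graph permission is told apart from a risky one. The Python below is an added example, not SOCRadar's or Microsoft's code. It resolves each appRoleAssignment on a service principal against the appRoles of the Microsoft Graph resource principal (appId 00000003-0000-0000-c000-000000000000) to recover the permission name, flags app-only Files.ReadWrite.All / Sites.ReadWrite.All grants, marks principals with no sign-in in 90 days as revoke candidates, and applies the same scope check to admin-consented delegated grants (oauth2PermissionGrants with consentType AllPrincipals). Every record, ID, name and date is constructed to mirror the shape of the Graph responses; the lastSignIn field is an assumption standing in for the service-principal sign-in activity report.

```python
"""Audit app-only Microsoft Graph permissions on Entra ID service principals.

Added example for the M1018 row; not SOCRadar or Microsoft code. Records are
constructed to mirror the shape of these Graph API responses:
  GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
      -> the Microsoft Graph resource principal and its appRoles (id -> value)
  GET /servicePrincipals/{id}/appRoleAssignments   -> {resourceId, appRoleId}
  GET /oauth2PermissionGrants                      -> {clientId, consentType, scope}
Role IDs, names and dates are made up; "lastSignIn" is an assumption standing in
for the service-principal sign-in activity report.
"""
from datetime import datetime, timedelta, timezone

# Application permissions a Graph/OneDrive-based C2 channel depends on.
RISKY_PERMISSIONS = {"Files.ReadWrite.All", "Sites.ReadWrite.All"}

# Constructed stand-in for the Microsoft Graph resource principal.
GRAPH_RESOURCE_SP = {
    "id": "res-graph-0001",
    "appRoles": [
        {"id": "role-files-rw-all", "value": "Files.ReadWrite.All"},
        {"id": "role-sites-rw-all", "value": "Sites.ReadWrite.All"},
        {"id": "role-user-read-all", "value": "User.Read.All"},
    ],
}

# Constructed tenant service principals with their app-role assignments.
TENANT_SPS = [
    {"id": "sp-0001", "displayName": "Backup Sync Job", "lastSignIn": "2025-03-30T08:00:00Z",
     "appRoleAssignments": [{"resourceId": "res-graph-0001", "appRoleId": "role-files-rw-all"}]},
    {"id": "sp-0002", "displayName": "legacy-migration-tool", "lastSignIn": "2024-09-01T00:00:00Z",
     "appRoleAssignments": [{"resourceId": "res-graph-0001", "appRoleId": "role-files-rw-all"},
                            {"resourceId": "res-graph-0001", "appRoleId": "role-sites-rw-all"}]},
    {"id": "sp-0003", "displayName": "HR Reporting", "lastSignIn": "2025-03-31T06:00:00Z",
     "appRoleAssignments": [{"resourceId": "res-graph-0001", "appRoleId": "role-user-read-all"}]},
    {"id": "sp-0004", "displayName": "unknown-app-7", "lastSignIn": None,
     "appRoleAssignments": [{"resourceId": "res-graph-0001", "appRoleId": "role-sites-rw-all"}]},
    {"id": "sp-0005", "displayName": "Doc Viewer", "lastSignIn": "2025-03-29T12:00:00Z",
     "appRoleAssignments": []},
]

# Constructed delegated grants; consentType AllPrincipals = admin consented for everyone.
DELEGATED_GRANTS = [
    {"clientId": "sp-0005", "consentType": "AllPrincipals", "scope": "Files.ReadWrite.All offline_access"},
    {"clientId": "sp-0003", "consentType": "Principal", "scope": "Calendars.Read"},
]

NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)  # constructed audit date


def resolve_roles(resource_sp):
    """Map appRoleId -> permission name using the resource principal's appRoles."""
    return {role["id"]: role["value"] for role in resource_sp["appRoles"]}


def granted_app_permissions(sp, resource_sp):
    """Application permissions this principal holds on the given resource."""
    roles = resolve_roles(resource_sp)
    return sorted(roles[a["appRoleId"]] for a in sp.get("appRoleAssignments", [])
                  if a["resourceId"] == resource_sp["id"] and a["appRoleId"] in roles)


def _is_stale(last_sign_in, now, stale_days):
    if last_sign_in is None:  # never signed in: nothing justifies keeping the grant
        return True
    seen = datetime.fromisoformat(last_sign_in.replace("Z", "+00:00"))
    return seen < now - timedelta(days=stale_days)


def audit_service_principals(sps, resource_sp, now=NOW, stale_days=90):
    """One finding per principal holding a risky app-only permission.
    Stale principals (no sign-in within stale_days) are revoke candidates; active
    ones need a human to confirm why they need tenant-wide file access."""
    findings = []
    for sp in sps:
        risky = sorted(set(granted_app_permissions(sp, resource_sp)) & RISKY_PERMISSIONS)
        if not risky:
            continue
        stale = _is_stale(sp.get("lastSignIn"), now, stale_days)
        findings.append({"sp": sp["displayName"], "permissions": risky,
                         "action": "revoke" if stale else "review"})
    return findings


def audit_delegated_grants(grants, sps):
    """Flag admin-consented delegated grants that carry a risky scope."""
    names = {sp["id"]: sp["displayName"] for sp in sps}
    findings = []
    for g in grants:
        risky = sorted(set(g["scope"].split()) & RISKY_PERMISSIONS)
        if risky and g["consentType"] == "AllPrincipals":
            findings.append({"client": names.get(g["clientId"], g["clientId"]), "scopes": risky})
    return findings


if __name__ == "__main__":
    for f in audit_service_principals(TENANT_SPS, GRAPH_RESOURCE_SP):
        print(f"{f['action']:6} {f['sp']:24} {', '.join(f['permissions'])}")
    for f in audit_delegated_grants(DELEGATED_GRANTS, TENANT_SPS):
        print(f"review {f['client']:24} delegated, admin-consented: {', '.join(f['scopes'])}")
```

Resolving role IDs through the resource principal's own appRoles, rather than hard-coding GUIDs, is what keeps the check correct when Microsoft adds or renames permissions; the stale-days cut-off is the policy knob, and a principal that has never signed in at all is treated as stale on purpose.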
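The T1102, T1071.001 and T1041 rows each describe a proxy-log check in a single sentence. The Python below is an added example (not ESET's or SOCRadar's code) that implements all three over a constructed sample of proxy lines: a Discord API request from a server segment, a jitter test that flags a host polling discord.com on a near-fixed 60-second cadence, and an upload-session volume check that credits PUT bytes in the ten minutes after a createUploadSession call to that session and exempts hosts with a OneDrive baseline. The log format, subnets, baseline set and the upload.example chunk host are assumptions made for the example; the createUploadSession path is the real Graph endpoint, and matching chunk PUTs by source address alone is a heuristic because Graph hands the client a separate upload URL host.

```python
"""Hunt for SaaS-fronted C2 in web-proxy logs.

Added example for the T1102, T1071.001 and T1041 rows; not ESET or SOCRadar code.
  1. Discord API calls from server segments                   (M1037)
  2. Fixed-period polling of Discord / Graph, low jitter       (M1031)
  3. OneDrive upload-session volume from non-baseline hosts   (M1057)
Log lines, subnets, baseline and the 'upload.example' chunk host are constructed;
the field order is a simplified proxy format chosen for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

DISCORD_HOSTS = {"discord.com", "discordapp.com"}
GRAPH_HOST = "graph.microsoft.com"
POLLED_HOSTS = DISCORD_HOSTS | {GRAPH_HOST}
SERVER_SEGMENTS = ["10.20.0.0/16", "10.30.0.0/16"]  # constructed: no Discord is legitimate here
ONEDRIVE_BASELINE = {"10.50.9.3"}                   # constructed: hosts known to sync OneDrive

# Constructed sample: "<ISO time> <client ip> <method> <host> <path> <bytes_out>"
SAMPLE_LOG = """\
2025-04-02T09:00:00 10.20.5.17 GET discord.com /api/v10/channels/1/messages 512
2025-04-02T09:01:00 10.20.5.17 GET discord.com /api/v10/channels/1/messages 512
2025-04-02T09:02:01 10.20.5.17 GET discord.com /api/v10/channels/1/messages 512
2025-04-02T09:03:00 10.20.5.17 GET discord.com /api/v10/channels/1/messages 512
2025-04-02T09:04:00 10.20.5.17 GET discord.com /api/v10/channels/1/messages 512
2025-04-02T09:05:01 10.20.5.17 GET discord.com /api/v10/channels/1/messages 512
2025-04-02T09:00:10 10.30.1.5 POST graph.microsoft.com /v1.0/me/drive/root:/x.bin:/createUploadSession 300
2025-04-02T09:00:20 10.30.1.5 PUT upload.example /chunk 4000000
2025-04-02T09:00:40 10.30.1.5 PUT upload.example /chunk 4000000
2025-04-02T09:00:55 10.30.1.5 PUT upload.example /chunk 4000000
2025-04-02T09:07:00 10.50.9.2 GET discord.com /api/v10/users/@me 200
2025-04-02T13:41:00 10.50.9.2 GET discord.com /api/v10/gateway 200
2025-04-02T10:00:00 10.50.9.3 POST graph.microsoft.com /v1.0/me/drive/root:/report.docx:/createUploadSession 300
2025-04-02T10:00:05 10.50.9.3 PUT upload.example /chunk 900000
"""


def parse_log(text):
    """Parse the simplified proxy format into one dict per request."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, host, path, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": ip_address(src),
                        "method": method, "host": host, "path": path, "bytes": int(size)})
    return records


def discord_from_servers(records, segments=SERVER_SEGMENTS):
    """Check 1: any Discord API traffic from a server segment is a policy hit."""
    nets = [ip_network(s) for s in segments]
    return sorted({str(r["src"]) for r in records
                   if r["host"] in DISCORD_HOSTS and r["path"].startswith("/api/")
                   and any(r["src"] in n for n in nets)})


def beaconing(records, min_polls=5, max_cv=0.15):
    """Check 2: per (src, host), flag near-fixed polling intervals.
    cv = stdev/mean of the gaps between requests: a human browsing Discord is
    bursty (cv well above 1), a backdoor sleeping N seconds between polls is
    tight (cv near 0). Returns {(src, host): mean_gap_seconds}."""
    series = defaultdict(list)
    for r in records:
        if r["host"] in POLLED_HOSTS:
            series[(str(r["src"]), r["host"])].append(r["ts"])
    flagged = {}
    for key, times in series.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[key] = round(avg, 1)
    return flagged


def upload_session_volume(records, baseline=ONEDRIVE_BASELINE,
                          window=timedelta(minutes=10), threshold=1_000_000):
    """Check 3: a createUploadSession call opens a window; PUT bytes from the same
    source inside it count as upload volume (assumption: the chunk PUTs go to the
    upload URL Graph returned, a different host, so we match on source only).
    Hosts in the OneDrive baseline are exempt. Returns {src: bytes}."""
    alerts = {}
    for s in records:
        if s["host"] != GRAPH_HOST or not s["path"].endswith("/createUploadSession"):
            continue
        src = str(s["src"])
        if src in baseline:
            continue
        total = sum(r["bytes"] for r in records
                    if str(r["src"]) == src and r["method"] == "PUT"
                    and s["ts"] <= r["ts"] <= s["ts"] + window)
        if total >= threshold:
            alerts[src] = max(alerts.get(src, 0), total)
    return alerts


def hunt(text=SAMPLE_LOG):
    """Run all three checks over a log and return the combined findings."""
    records = parse_log(text)
    return {"discord_from_servers": discord_from_servers(records),
            "beacons": beaconing(records),
            "upload_volume": upload_session_volume(records)}


if __name__ == "__main__":
    for check, result in hunt().items():
        print(f"{check}: {result}")
```

On the sample, the server 10.20.5.17 trips both the segment rule and the beacon test (60.2 s mean gap, coefficient of variation near 0.01), the workstation 10.50.9.2 with two Discord requests hours apart trips neither, and 10.30.1.5 is reported for 12 MB pushed through an upload session while the baselined 10.50.9.3 is ignored. Tune min_polls and max_cv against your own proxy data before alerting on them; the thresholds here are chosen to make the constructed sample readable, not measured.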