SOC Incident Toolkit

Screening Serpens 2026 Multi-Country Espionage Campaigns

Tags: UNC1549, Screening Serpens, Smoke Sandstorm, Iranian Dream Job, Iran APT, MiniUpdate, MiniJunk V2

Screening Serpens is an Iran-nexus advanced persistent threat group conducting cyberespionage aligned with Iranian intelligence objectives. Between February and April 2026, a window that opened with the outbreak of a regional conflict on 28 February 2026, the group deployed six new RAT variants across five countries. The variants fall into two malware families: MiniUpdate, which is newly discovered, and MiniJunk V2, an evolution of the previously documented MiniJunk backdoor.

Indicators of Compromise

Domains (22)

licencemanagers.azurewebsites.net
buisness-centeral.azurewebsites.net
ThemesManagers.azurewebsites.net
docspace-twpf0e.onlyoffice.com
LicenceSupporting.azurewebsites.net
business-startup.azurewebsites.net
Ramiltons-finance.azurewebsites.net
PremierHealthAdvisory.azurewebsites.net
Businessstartup.azurewebsites.net
Premier-HealthAdvisory.azurewebsites.net
business-startup.org
PremierHealthAdvisory.com
PeerDistSvcManagers.azurewebsites.net
QuantumWeave.azurewebsites.net
Ramiltonsfinance.com
Ramiltonsfinance.azurewebsites.net
docspace-y4cumb.onlyoffice.com
ThemesProviderManagers.azurewebsites.net
Buisness-centeral-transportation.com
buisness-centeral-transportation.azurewebsites.net
+2 more

Hashes (12)


APT Groups

UNC1549 (IR)

Notes

CONCLUSION

Screening Serpens has materially elevated its tradecraft in 2026 with the first documented fusion of DLL sideloading and AppDomainManager hijacking. In this chain the host application's .NET runtime configuration file both redirects AppDomain initialisation to the attacker's assembly and switches off the CLR's ETW provider (etwEnable), so EDR sensors that depend on .NET runtime telemetry lose sight of the process before the malicious payload initialises. With six RAT variants deployed across five countries in ten weeks the group shows no sign of slowing; organisations in aerospace, defense and technology should prioritise behavioural detections (runtime-config tampering, DLL loads from user-writable paths, scheduled tasks pointing into %APPDATA%) over signature-only controls. SOCRadar Threat Intelligence Platform, IOC Radar and Attack Surface Management modules provide continuous coverage of Screening Serpens infrastructure and credential-exposure risks.

Mitigation

MITRE ATT&CK mitigation controls for Screening Serpens 2026 TTPs, one entry per control: mitigation ID and name, the technique it addresses, implementation guidance and priority. Mitigation IDs resolve to https://attack.mitre.org/mitigations/<ID>/ and technique IDs to https://attack.mitre.org/techniques/<Txxxx>/<nnn>/ in the MITRE ATT&CK knowledge base.

M1017 User Training | T1566.002 Spearphishing Link | Priority: Critical
Train personnel to identify unsolicited recruitment archives, fake job-requisition PDFs and spoofed video-conferencing domains. Include Screening Serpens lure samples in awareness exercises.

M1017 User Training | T1566.003 Spearphishing via Service | Priority: High
Teach employees to verify a recruiter's identity through an independent channel before downloading archives from social media or file-sharing services (filemail.com, ONLYOFFICE DocSpace).

M1038 Execution Prevention | T1574.001 DLL Side-Loading | Priority: Critical
Deploy WDAC, or AppLocker with its DLL rule collection enabled (it is off by default), to block unsigned DLL loads from %APPDATA% and other user-writable paths. Specifically prevent UpdateChecker.dll, unbcl.dll, Connection.dll and uevmonitor.dll from loading from user-writable paths; the sideloading chain drops them next to a legitimate host executable there.

M1040 Behavior Prevention on Endpoint | T1574.014 AppDomainManager Hijacking | Priority: Critical
Configure EDR to alert on .NET application .config files whose <runtime> section contains <appDomainManagerAssembly> or <appDomainManagerType>, the elements that redirect AppDomain initialisation to an attacker assembly, or the settings this campaign uses to weaken the runtime: <etwEnable enabled='false'/>, <bypassTrustedAppStrongNames enabled='true'/> or <publisherPolicy apply='no'/>. Treat any of these in a config written to a user-writable path as a critical indicator. Strong-name bypass is already the .NET Framework default, so for that element the signal is its explicit presence in a dropped config rather than the value itself. The same hijack can be triggered without a config file through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, so alert on those being set for a process as well.

M1049 Antivirus / Antimalware | T1574.014 AppDomainManager Hijacking | Priority: High
Collect the Microsoft-Windows-DotNETRuntime ETW provider. A process started with etwEnable='false' emits no CLR events at all, so the disablement cannot be observed from the provider itself; detect it from the .config indicators above and from managed processes that produce no runtime events. Alert when InitInstall.dll or UpdateChecker.dll is loaded through the sideloading chain from %APPDATA%.

M1026 Privileged Account Management | T1053.005 Scheduled Task | Priority: High
Restrict who can create scheduled tasks. Enable the Other Object Access Events audit subcategory so that Security Event ID 4698 (scheduled task created) is logged, and alert when the event's TaskContent XML has an Exec Command or Arguments under %APPDATA%. Correlate with process-creation telemetry for binaries under %APPDATA% started with svchost.exe (the Task Scheduler service host) as parent; that pairing is the MiniUpdate persistence signature.

M1045 Code Signing | T1574.001 DLL Side-Loading | Priority: High
Require code-signing validation for DLLs loaded by production processes, checking the signer chain rather than only the presence of a signature. Reject DLLs signed under stolen or impersonated vendor certificates.

M1031 Network Intrusion Prevention | T1071.001 Web Protocols | Priority: Critical
Sinkhole all listed C2 hostnames at DNS and the HTTPS proxy. Block the full hostname rather than the parent zone, since onlyoffice.com and azurewebsites.net are shared platforms with legitimate tenants. Alert on outbound connections to first-seen azurewebsites.net subdomains whose labels impersonate healthcare, finance or tech brands, the naming pattern visible in the indicator list above.

M1021 Restrict Web-Based Content | T1566.003 Spearphishing via Service | Priority: High
Block ONLYOFFICE DocSpace URLs and filemail.com at the web gateway. Where ONLYOFFICE is in legitimate use, block the specific docspace-*.onlyoffice.com tenants listed above and alert on the rest. Alert on any archive download from either service on corporate devices.
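The host-side checks from the AppDomainManager (M1040, M1049) and scheduled-task (M1026) entries above, as an added example that is not part of the original page or of SOCRadar's tooling: a scanner for the .NET runtime-config elements that wire in a hijacked AppDomainManager and silence CLR ETW, and a parser for Security event 4698 that flags task actions under %APPDATA%. The config content, the task XML, the event envelope, the user name and the assembly name are all constructed; the page names the sideloaded DLLs but does not reproduce the dropped config.

```python
"""Triage helpers for two host-side indicators in the mitigation table: .NET
runtime-config tampering used for AppDomainManager hijacking (T1574.014) and
scheduled-task persistence whose action points into %APPDATA% (T1053.005).
Added example, not SOCRadar's code; every sample input below is constructed."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# <runtime> children to alert on. None: alert on any value (the element itself
# is the hijack); a tuple: alert only when that attribute has that value.
SUSPICIOUS_RUNTIME = {
    "appDomainManagerAssembly": None,            # assembly loaded before Main()
    "appDomainManagerType": None,
    "etwEnable": ("enabled", "false"),           # silences CLR ETW events
    "bypassTrustedAppStrongNames": ("enabled", "true"),
    "publisherPolicy": ("apply", "no"),
}
# Paths a standard user can write to, with %APPDATA% expanded or not.
USER_WRITABLE = re.compile(
    r"(%APPDATA%|%LOCALAPPDATA%|%TEMP%|\\Users\\[^\\]+\\AppData\\)", re.IGNORECASE)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def scan_runtime_config(config_xml: str) -> list:
    """Return findings for one app.exe.config document (empty list = clean)."""
    findings = []
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return findings
    for elem in runtime.iter():  # document order, including nested assemblyBinding
        name = _local(elem.tag)
        if name not in SUSPICIOUS_RUNTIME:
            continue
        rule = SUSPICIOUS_RUNTIME[name]
        if rule is None:
            findings.append(f"{name} value={elem.attrib.get('value', '')}")
        elif elem.attrib.get(rule[0], "").lower() == rule[1]:
            findings.append(f"{name} {rule[0]}={rule[1]}")
    return findings


def scan_task_created_event(event_xml: str) -> list:
    """Inspect a Security 4698 event (exported XML) for task actions that run
    from a user-writable path."""
    findings = []
    root = ET.fromstring(event_xml)
    data = {d.attrib.get("Name"): (d.text or "")
            for d in root.iter() if _local(d.tag) == "Data"}
    content = data.get("TaskContent", "")
    if not content:
        return findings
    # TaskContent is the task XML as text, complete with its own declaration;
    # drop the declaration so the already-decoded text parses cleanly.
    task = ET.fromstring(XML_DECL.sub("", content).lstrip())
    for elem in task.iter():
        name = _local(elem.tag)
        if name in ("Command", "Arguments") and USER_WRITABLE.search(elem.text or ""):
            findings.append(f"{data.get('TaskName', '?')}: {name} -> {elem.text.strip()}")
    return findings


def make_4698_event(task_name: str, task_content: str) -> str:
    """Wrap task XML in a minimal 4698 envelope shaped like Get-WinEvent's
    ToXml() output (constructed; real events carry more Data fields)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4698</EventID></System><EventData>"
        '<Data Name="SubjectUserName">alice</Data>'
        f'<Data Name="TaskName">{escape(task_name)}</Data>'
        f'<Data Name="TaskContent">{escape(task_content)}</Data>'
        "</EventData></Event>"
    )


# Constructed samples. The assembly name is invented: the page names the
# sideloaded DLLs but does not reproduce the dropped .config.
HIJACKED_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="UpdateHelper.Manager"/>
    <etwEnable enabled="false"/>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <publisherPolicy apply="no"/>
    </assemblyBinding>
  </runtime>
</configuration>"""
BENIGN_CONFIG = '<configuration><runtime><gcServer enabled="true"/></runtime></configuration>'
PERSISTENCE_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Users\alice\AppData\Roaming\UpdateChecker\Updater.exe</Command>
  </Exec></Actions>
</Task>"""
VENDOR_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\Program Files\Vendor\Agent.exe</Command></Exec></Actions>
</Task>"""
```

In production the config scanner would run over every *.config found beside an executable under user-writable paths, and the event parser over 4698 records exported as XML (for example with wevtutil qe Security /q:"*[System[EventID=4698]]" /f:xml). Namespaces are stripped deliberately: the publisherPolicy element lives inside the asm.v1 namespace and the task XML carries its own default namespace, and a scanner that matches on raw tag names misses both.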
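The network control from the M1031 entry above, as an added example that is not the page's or SOCRadar's code: match DNS query logs against the C2 hostnames listed on this page and flag first-seen azurewebsites.net hosts whose label reuses the campaign's brand themes. The log format, the baseline of previously seen hosts and the query lines are constructed, and the brand word list is an assumption drawn from the listed names.

```python
"""DNS-log triage for the network controls in the M1031 entry: exact matches on
the C2 hostnames listed on this page, plus a first-seen heuristic for
azurewebsites.net hosts whose label copies the campaign's brand themes.
Added example, not SOCRadar's code; log format, baseline and lines are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# A subset of the domains listed above, lower-cased (DNS names are case-insensitive).
C2_DOMAINS = {
    "licencemanagers.azurewebsites.net",
    "buisness-centeral.azurewebsites.net",
    "ramiltonsfinance.com",
    "premierhealthadvisory.azurewebsites.net",
    "docspace-twpf0e.onlyoffice.com",
}
# Brand themes taken from the listed names; assumption: new infrastructure reuses them.
BRAND_WORDS = ("health", "finance", "business", "buisness", "licence", "advisory", "startup")
AZURE_SUFFIX = ".azurewebsites.net"
# Assumed log format: "<ts> <client-ip> <qname> <qtype>", one query per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


@dataclass
class Alert:
    ts: str
    client: str
    qname: str
    reason: str


def normalize(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.Example.COM.' == 'foo.example.com'."""
    return qname.lower().rstrip(".")


def classify(qname: str, seen_azure_hosts: set) -> Optional[str]:
    """Return the alert reason for a normalized query name, or None if benign."""
    if qname in C2_DOMAINS:
        return "known Screening Serpens C2 domain"
    if any(qname.endswith("." + d) for d in C2_DOMAINS):
        return "subdomain of a listed C2 domain"
    if qname.endswith(AZURE_SUFFIX) and qname not in seen_azure_hosts:
        label = qname[: -len(AZURE_SUFFIX)]
        if any(word in label for word in BRAND_WORDS):
            return "first-seen azurewebsites.net host with brand-themed label"
    return None


def triage(log_lines, baseline_azure_hosts: set) -> list:
    """Run every log line through classify(); azurewebsites.net hosts are learned
    after their first query so the first-seen rule fires once per host."""
    seen = set(baseline_azure_hosts)
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count these
        qname = normalize(m["qname"])
        reason = classify(qname, seen)
        if reason:
            alerts.append(Alert(m["ts"], m["client"], qname, reason))
        if qname.endswith(AZURE_SUFFIX):
            seen.add(qname)
    return alerts


# Constructed: hosts this environment has resolved before, and a morning of queries.
BASELINE_AZURE_HOSTS = {"ourcorp-portal.azurewebsites.net"}
SAMPLE_DNS_LOG = """\
2026-03-04T09:12:01Z 10.20.1.15 ourcorp-portal.azurewebsites.net A
2026-03-04T09:12:07Z 10.20.1.15 LicenceManagers.azurewebsites.net. A
2026-03-04T09:12:09Z 10.20.1.15 cdn.ramiltonsfinance.com A
2026-03-04T09:13:30Z 10.20.1.22 premier-healthadvisory-eu.azurewebsites.net A
2026-03-04T09:13:31Z 10.20.1.22 premier-healthadvisory-eu.azurewebsites.net AAAA
2026-03-04T09:14:00Z 10.20.1.30 www.microsoft.com A
""".splitlines()

if __name__ == "__main__":
    for alert in triage(SAMPLE_DNS_LOG, BASELINE_AZURE_HOSTS):
        print(f"{alert.ts} {alert.client} {alert.qname}: {alert.reason}")
```

Known C2 matches always fire, while the brand heuristic fires once per host and then learns it, so the baseline should be seeded from several weeks of passive DNS before the rule goes live; otherwise every legitimate azurewebsites.net tenant with "business" in its name alerts on day one. The full list of 22 domains from the indicator section replaces the subset here in production.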