{
	"id": "a6821fb9-b217-471f-900a-917df2e69b99",
	"created_at": "2026-04-06T00:06:16.212114Z",
	"updated_at": "2026-04-10T03:37:32.780615Z",
	"deleted_at": null,
	"sha1_hash": "427e5708ff22dc52341887836fd85b8af6d8367e",
	"title": "Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1361796,
	"plain_text": "Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender\r\nBy Microsoft 365 Defender Team\r\nPublished: 2021-01-14 · Archived: 2026-04-05 21:29:34 UTC\r\nUPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.\r\nEven as investigations into the sophisticated attack known as Solorigate are still underway, details and insights about the tools, patterns, and methods used by the attackers point to steps that organizations can take to improve their defenses against similar attacks. Solorigate is a cross-domain compromise—comprehensive visibility and coordinated defense are critical in responding to the attack. 
The same unified end-to-end protection is key to increasing resilience and preventing such attacks.\r\nThis blog is a guide for security administrators using Microsoft 365 Defender and Azure Defender to identify and implement security configuration and posture improvements that harden enterprise environments against Solorigate’s attack patterns.\r\nThis blog will cover:\r\nProtecting devices and servers\r\nProtecting on-premises and cloud infrastructure\r\nProtecting Microsoft 365 cloud from on-premises attacks\r\nAdditional recommendations and best practices\r\nThe recommendations in this blog are based on our current analysis of the Solorigate attack. While this threat continues to evolve and investigations continue to unearth more information, we’re publishing these recommendations to help customers apply improvements today. To get the latest information and guidance from Microsoft, visit https://aka.ms/solorigate. Security operations and incident response teams looking for detection coverage and hunting guidance can refer to https://aka.ms/detect_solorigate.\r\nWhat the Solorigate attack tells us about the state of cyberattacks\r\nSolorigate is a complex, multi-stage attack that involved the use of advanced attacker techniques across multiple environments and multiple domains to compromise high-profile targets.\r\nhttps://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/\r\nPage 1 of 13\r\nTo perpetrate this sophisticated attack, the attackers performed the steps below, which are discussed in detail in this blog:\r\n1. Compromise a legitimate binary belonging to the SolarWinds Orion Platform through a supply-chain attack\r\n2. Deploy backdoor malware on devices using the compromised binary to allow attackers to remotely control affected devices\r\n3. 
Use the backdoor access on compromised devices to steal credentials, escalate privileges, and move laterally across on-premises environments to gain the ability to create SAML tokens\r\n4. Access cloud resources to search for accounts of interest and exfiltrate emails\r\nFigure 1. High-level end-to-end Solorigate attack chain\r\nAs its intricate attack chain shows, Solorigate represents a modern cyberattack conducted by highly motivated actors who have demonstrated they won’t spare resources to get to their goal. The collective intelligence about this attack shows that, while hardening individual security domains is important, defending against today’s advanced attacks necessitates a holistic understanding of the relationship between these domains and how a compromise in one environment can be a jump-off point to another.\r\nThe Microsoft Defender for Endpoint threat analytics reports published in Microsoft 365 security center enable customers to trace such cross-domain threats by providing end-to-end analysis of critical threats. In the case of Solorigate, Microsoft researchers have so far published two threat analytics reports, which continue to be updated as additional information becomes available:\r\nSophisticated actor attacks FireEye, which provides information about the FireEye breach and compromised red-team tools\r\nSolorigate supply chain attack, which provides a detailed analysis of the SolarWinds supply chain compromise\r\nIn addition to providing detailed descriptions of the attack, TTPs, indicators of compromise (IoCs), and the all-up impact of the threat to the organization, the threat analytics reports empower security administrators to review organizational resilience against the attack and apply recommended mitigations. These mitigations and other recommended best practices are discussed in the succeeding sections. 
Customers who don’t have access to threat analytics can refer to the publicly available customer guidance.\r\nFigure 2. Microsoft Defender for Endpoint threat analytics report on Solorigate attack\r\nProtecting devices and servers\r\nThe attackers behind Solorigate gain initial access to target networks by activating backdoor code inserted into the compromised SolarWinds binary. Protecting devices against this stage of the attack can help prevent the more damaging impact of the later stages.\r\nEnsure full visibility into your device estate by onboarding devices to Microsoft Defender for Endpoint\r\nIn the ongoing comprehensive research into the complex Solorigate attack, one thing remains certain: full in-depth visibility into your devices is key to gaining insights on security posture, risk, and potential attack activity. Make sure all your devices are protected and monitored by Microsoft Defender for Endpoint.\r\nFigure 3. Status tile in the Device configuration management tab of Microsoft Defender for Endpoint, showing onboarded devices compared to the total number of devices managed via Endpoint Manager\r\nIdentify and patch vulnerable SolarWinds Orion applications\r\nThe Solorigate attack uses vulnerable versions of the SolarWinds Orion application, so we recommend that you identify devices running vulnerable versions of the application and ensure they are updated to the latest version. The threat analytics report uses insights from threat and vulnerability management to identify such devices. 
On the Mitigations page in Threat analytics, you can view the number of devices exposed to vulnerability ID TVM-2020-0002, which we added specifically to help with Solorigate investigations:\r\nFigure 4. The Threat analytics Mitigations page shows information on exposed devices\r\nThe new vulnerability ID TVM-2020-0002 was added to the threat and vulnerability management Weaknesses page in Microsoft Defender for Endpoint so you can easily find exposed devices that have vulnerable SolarWinds software components installed. Additional details are available in the vulnerability details pane.\r\nFigure 5. Threat and vulnerability management vulnerability details pane for TVM-2020-0002\r\nCustomers can also use the software inventory page in threat and vulnerability management to view the SolarWinds Orion versions present on endpoints in your environment and whether the vulnerable versions are present. Links to the threat analytics reports are provided under the Threats column. You can then assess the footprint of a specific software in your organization and identify the impacted devices without the need to run scans across the install base.\r\nFigure 6. Threat and Vulnerability Management software inventory page displaying installed SolarWinds Orion software\r\nSecurity recommendations are provided to update devices running vulnerable software versions.\r\nFigure 7. Threat and Vulnerability Management security recommendations page\r\nSecurity admins can also use advanced hunting to query, refine, and export data. 
The following query retrieves an inventory of the SolarWinds Orion software in your organization, organized by product name and sorted by the number of devices that have the software installed:\r\nDeviceTvmSoftwareInventoryVulnerabilities\r\n| where SoftwareVendor == 'solarwinds'\r\n| where SoftwareName startswith 'orion'\r\n| summarize dcount(DeviceName) by SoftwareName\r\n| sort by dcount_DeviceName desc\r\nThe following query searches threat and vulnerability management data for SolarWinds Orion software known to be affected by Solorigate:\r\nDeviceTvmSoftwareInventoryVulnerabilities\r\n| where CveId == 'TVM-2020-0002'\r\n| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion\r\nFor each security recommendation you can submit a request to the IT administrator to remediate vulnerable devices. Doing this creates a security task in Microsoft Endpoint Manager (formerly Intune) that can be continuously tracked in the threat and vulnerability management Remediation page. To use this capability, you need to enable a Microsoft Endpoint Manager connection.\r\nFigure 8. Threat and vulnerability management ‘Remediation options’ for security recommendations and ‘Remediation activities’ tracking\r\nImplement recommended security configurations\r\nIn addition to providing vulnerability assessments, Threat and Vulnerability Management also provides security recommendation guidance and device posture assessment that help mitigate this attack. These recommendations use vulnerability data that is also present in the Solorigate threat analytics report.\r\nFigure 9. 
Threat analytics Mitigation page shows secure configuration recommendations for devices exposed to Solorigate\r\nThe following security recommendations are provided in response to Solorigate:\r\nComponent | Secure configuration recommendation | Attack stage\r\nSecurity controls (Antivirus) | Turn on real-time protection | Stage 1\r\nSecurity controls (Antivirus) | Update Microsoft Defender Antivirus definitions to version 1.329.427.0 or later | Stage 1\r\nSecurity controls (Attack surface reduction) | Block execution of potentially obfuscated scripts | Stage 2\r\nSecurity controls (Attack surface reduction) | Block executable files from running unless they meet a prevalence, age, or trusted list criterion | Stage 2\r\nSecurity controls (Microsoft Defender SmartScreen) | Set Microsoft Defender SmartScreen Microsoft Edge site and download checking to block or warn | Stage 2\r\nApplying these security controls can be accomplished using Microsoft Endpoint Manager (Intune and Configuration Manager). Refer to the following documentation for guidance on deploying and managing policies with Endpoint Manager:\r\nManage endpoint security policies in Microsoft Intune\r\nWindows 10 Antivirus policy settings for Microsoft Defender Antivirus in Intune\r\nIntune endpoint security Attack surface reduction settings\r\nProtecting on-premises and cloud infrastructure\r\nIn addition to compromising client endpoints, attackers can also activate backdoor code via the compromised SolarWinds binary installed on cloud or on-premises servers, allowing them to gain a stronger foothold in the environment.\r\nProtect your on-premises and cloud servers\r\nA large part of many customers’ infrastructure is virtual machines. 
Azure Defender helps security professionals protect cloud workloads spanning virtual machines, SQL, storage, containers, IoT, Azure network layer, Azure Key Vault, and more.\r\nAs mentioned earlier, one of the key actions that should be taken to help prevent Solorigate and similar attacks is to ensure that all devices are protected and monitored by Microsoft Defender for Endpoint. Deploying Azure Defender for Servers enables Defender for Endpoint for your virtual machines to provide comprehensive detection coverage across the Solorigate attack chain. Azure Defender’s integrated vulnerability assessment solution for Azure and hybrid machines can also help address the Solorigate attack by providing visibility into vulnerability assessment findings in Azure Security Center.\r\nEnable additional infrastructure protection and monitoring\r\nTo help provide additional in-depth defenses against Solorigate, Azure Defender recently introduced new protection modules for Azure resources. Enabling these protections can improve your visibility into malicious activities and increase the number of Azure resources protected by Azure Defender.\r\nAzure Defender for Resource Manager allows you to continuously monitor all Azure resource management operations and broadens protection, which includes the ability to detect attempts to exclude known malicious files from scanning by the VM Antimalware extension and other suspicious activities that could limit antimalware protection on Azure VMs.\r\nIn addition, Azure Defender for DNS ensures that all DNS queries from Azure resources using Azure DNS, including communication with malicious domains used in the Solorigate attack, are monitored, and helps identify Solorigate activity across any of your Azure cloud resources. 
This helps prevent the malicious Solorigate DLL from being able to connect to remote network infrastructure to prepare for possible second-stage payloads.\r\nProtect your Active Directory and AD FS infrastructure\r\nAfter gaining access, attackers may attempt to steal credentials, escalate privileges, and move laterally in the environment. Having complete visibility into your Active Directory, whether entirely on-premises or hosted in IaaS machines, is key in detecting these attacks and identifying opportunities to harden security posture to prevent them.\r\nIn hybrid environments, make sure that Microsoft Defender for Identity sensor components are deployed on all your Domain Controllers and Active Directory Federation Services (AD FS) servers. Microsoft Defender for Identity not only detects malicious attempts to compromise your environment but also builds profiles of your on-premises identities for proactive investigations and provides you with built-in security assessments. We recommend prioritizing the deployment of Microsoft Defender for Identity sensors and using the “Unmonitored domain controllers” security assessment, which lists any detected domain controllers in your environment that are unmonitored. (Note: this capability can monitor your environment only after deploying at least one sensor on a domain controller.)\r\nFigure 10. ‘Unmonitored domain controllers’ security assessment in the Microsoft Cloud App Security portal\r\nProtecting Microsoft 365 cloud from on-premises attacks\r\nThe end goal of the attackers behind Solorigate is to gain access to a target organization’s cloud environment, search for accounts of interest, and exfiltrate emails. 
From a compromised device, they move laterally across the on-premises environment, stealing credentials and escalating privileges until they can gain the ability to create SAML tokens that they then use to access the cloud environment. Protecting cloud resources from on-premises attack can prevent the attackers from successfully achieving their long game.\r\nImplement recommended security configurations to harden cloud posture\r\nFurther best practices and recommendations to reduce the attack surface and protect the cloud from on-premises compromise can be found in our protecting Microsoft 365 cloud from on-premises attacks blog.\r\nImplement conditional access and session control to secure access to cloud resources\r\nIn addition to hardening the individual surfaces to disrupt and prevent the attack, extending policies to implement zero trust and access controls is key in preventing compromised or unhealthy devices from accessing corporate assets, as well as governing cloud access from compliant devices.\r\nEnable conditional access policies\r\nConditional access helps you better protect your users and enterprise information by making sure that only secure users and devices have access. 
We recommend implementing the common recommended policies for securing access to Microsoft 365 cloud services, including on-premises applications published with Azure Active Directory (Azure AD) Application Proxy.\r\nAdditionally, you can configure user risk and device risk conditional access policies to enable access to enterprise information based on the risk level of a user or device, helping keep trusted users on trusted devices using trusted applications.\r\nEnable real-time monitoring and session control\r\nDirectly integrated with conditional access, session controls in Microsoft Cloud App Security enable extending access decisions into the session, with real-time monitoring and control over user actions in your sanctioned apps. Implement policies to prevent data exfiltration in risky situations, including blocking or protecting downloads to risky or unmanaged devices, as well as for partner users.\r\nAdditional recommendations and best practices\r\nStrengthen your security posture even further by reviewing all improvement actions available via Microsoft Secure Score. Secure Score helps operationalize security posture management and improve your organizational security hygiene for your production tenant. 
Below are some of the Secure Score improvement actions for Azure Active Directory that have a direct impact against Solorigate attack patterns:\r\nDo not allow users to grant consent to unmanaged applications\r\nEnable Password Hash Sync if hybrid\r\nEnable policy to block legacy authentication\r\nEnable self-service password reset\r\nEnsure all users can complete multi-factor authentication for secure access\r\nRequire MFA for administrative roles\r\nTurn on sign-in risk policy\r\nTurn on user risk policy\r\nUse limited administrative roles\r\nIn addition, you can use the identity security posture assessment feature in Microsoft Defender for Identity to identify common protection gaps that might exist in your environment. Addressing detection gaps such as the following improves your Microsoft Secure Score and improves your overall resilience to a wide range of credential theft attacks:\r\nStop entities that are exposing credentials in cleartext, including ones that are tagged as sensitive. Attackers listen to cleartext credentials being sent over the network to harvest credentials and escalate privileges. While we have no indication that this technique was used in Solorigate, this is a general attack trend that organizations must be aware of and prevent.\r\nFigure 11. Entities exposing credentials in clear text security assessment in the Microsoft Cloud App Security portal\r\nRemediate accounts with unsecure attributes that could allow attackers to compromise them once an initial foothold in the environment is established.\r\nFigure 12. Unsecure account attributes security assessment in the Microsoft Cloud App Security portal\r\nReduce risky lateral movement paths to sensitive users. 
An attacker could move across devices to elevate to a more privileged role and operate deeper in your organization’s environment, as we’ve witnessed in the Solorigate attack.\r\nFigure 13. Risky lateral movement paths security assessment in the Microsoft Cloud App Security portal\r\nMultiple layers of coordinated defense against advanced cross-domain attacks\r\nMicrosoft 365 Defender and Azure Defender deliver unified, intelligent, and automated security across domains to empower organizations to gain end-to-end threat visibility, which, as the Solorigate attack has shown, is a critical security capability for all organizations to have. In addition to providing comprehensive visibility and rich investigation tools, Microsoft 365 Defender and Azure Defender help you to continuously improve your security posture as a direct result of insights from collective industry research or your own investigations into attacks, through configurations you can make directly in the product or in-product recommendations you can implement.\r\nFor additional information and guidance from Microsoft, refer to the following:\r\nCustomer guidance on recent nation-state cyber attacks\r\nAnalyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack\r\nSolarWinds post-compromise hunting with Azure Sentinel\r\nAdvice for incident responders on recovery from systemic identity compromises\r\nUsing Microsoft 365 Defender to protect against Solorigate\r\nDeep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop\r\nSource: 
https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/"
	],
	"report_names": [
		"increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CozyLarch",
				"Dark Halo",
				"Midnight Blizzard",
				"NOBELIUM",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433976,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/427e5708ff22dc52341887836fd85b8af6d8367e.pdf",
		"text": "https://archive.orkl.eu/427e5708ff22dc52341887836fd85b8af6d8367e.txt",
		"img": "https://archive.orkl.eu/427e5708ff22dc52341887836fd85b8af6d8367e.jpg"
	}
}