{
	"id": "6b1d7b96-19e3-4849-85eb-3a9a38df8788",
	"created_at": "2026-04-06T00:16:11.718085Z",
	"updated_at": "2026-04-10T03:37:33.219714Z",
	"deleted_at": null,
	"sha1_hash": "8a0bb533b8f68d4914c01eea0eb6d0b97ff93a54",
	"title": "Eviction Guidance for Networks Affected by the SolarWinds and Active Directory/M365 Compromise | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105976,
	"plain_text": "Eviction Guidance for Networks Affected by the SolarWinds and\r\nActive Directory/M365 Compromise | CISA\r\nPublished: 2021-05-21 · Archived: 2026-04-05 17:23:00 UTC\r\nImportant: Category 3 organizations should use out-of-band communications for all mitigation and remediation\r\ncommunications and documentation, i.e., do not use any compromised systems to internally or externally\r\ncommunicate remediation plans or actions.\r\nRemediation plans for dealing with malicious compromises are necessarily unique to every organization, and\r\nsuccess requires careful consideration. There are three phases for evicting the actor:\r\nPhase 1: Pre-Eviction. Actions to detect and identify APT activity and prepare the network for eviction.\r\nNote: for the purposes of this guidance, a network is defined as any computer network with hosts that share\r\neither a logical trust or any account credentials with affected versions of SolarWinds Orion.\r\nPhase 2: Eviction. Actions to remove the APT actor from on-premises and cloud environments. This phase\r\nincludes rebuilding devices and systems.\r\nPhase 3: Post-Eviction. Actions to ensure eviction was successful and the network has good cyber\r\nposture.\r\nConducting each step in this guidance is necessary to fully evict the adversary from Category 3 networks. Failure\r\nto perform comprehensive and thorough remediation activity will expose enterprise networks and cloud\r\nenvironments to substantial risk for long-term undetected APT activity, and compromised organizations will risk\r\nfurther loss of sensitive data and erosion of public trust in their networks.\r\nAlthough this guidance provides a level of detail that describes actions to be completed, it does not describe how\r\nthese actions should be completed. To successfully evict the threat actor, these actions need to be conducted in the\r\norder specified. 
Additionally, this guidance clearly notes caveats and provides references to help agencies develop\r\ntheir plan.\r\nPre-Eviction Phase\r\n1. Define the true scope by identifying trust boundaries (including between Active Directory [AD] forests\r\nand domains) and determining the enterprise assets to which this guidance applies (i.e., determine what\r\nassets are within the trust boundary).\r\na. For example, the organization needs to determine the identity provider (IdP) sources (such as Okta,\r\nMicrosoft Active Directory Federation Services [ADFS], Duo) that it uses to issue single sign-on\r\n(SSO) credentials and it needs to identify assets that rely on the SSO credentials to allow access\r\n(i.e., what controlled data sources are accessible via that credential).\r\n2. Investigate suspicious account activity associated with your SolarWinds servers, especially service\r\naccounts used by SolarWinds Orion. Additionally, enumerate and investigate any credentials stored or used\r\non the SolarWinds server, including network administration and device credentials. This can be conducted,\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a\r\nPage 1 of 10\n\nfor example, using a transitive mapping of all potentially compromised credentials to the systems that those\r\ncredentials accessed. If—as a Category 3 agency—you cannot confirm that all your credential activity is\r\nbenign, you should proceed as if the highest administrative level of credentials on your affected\r\nSolarWinds server has been compromised. In many cases, the adversary may have had this access for\r\nmonths. Refer to the following resources for more information.\r\na. FireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple\r\nGlobal Victims With SUNBURST Backdoor\r\nb. CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies,\r\nCritical Infrastructure, and Private Sector Organization\r\n3. 
Investigate potential Security Assertion Markup Language (SAML) abuse in your environment. Refer\r\nto the following resources.\r\na. CISA Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud\r\nEnvironments\r\nb. National Security Agency: Detecting Abuse of Authentication Mechanisms\r\nc. FireEye: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452\r\nd. Microsoft: Understanding \"Solorigate\"'s Identity IOCs - for Identity Vendors and their customers\r\n4. Scope the intrusion.\r\na. Look for the artifacts from known TTPs associated with this activity. Refer to SolarWinds and\r\nActive Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known\r\nTactics, Techniques, and Procedures for TTPs and corresponding detection artifacts. Prioritize these\r\nby biggest value for the investment (e.g., prioritize these by techniques or technologies that cover\r\nmultiple tactics or that provide visibility into shared data sources). After identifying the TTPs for\r\nwhich your organization has security controls to detect/stop/mitigate, you can make risk-based\r\ndecisions on how to address visibility and protection strategies for the remaining MITRE\r\nAdversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK)-based paths.\r\nb. Audit all network device configurations stored or managed on the SolarWinds monitoring server for\r\nsigns of unauthorized or malicious configuration changes. Organizations should audit the current\r\nnetwork device running configuration and any local configurations that could be loaded at boot\r\ntime.\r\nc. Assess the current endpoint telemetry collection level and configure endpoint forensics and\r\ndetection solutions for aggressive collection; prioritize this by value of asset and account.\r\n5. Harden the enterprise attack surface.\r\na. Review and validate perimeter firewall rulesets. 
Remove all allow rules for which the organization\r\ndoes not have a clearly defined, understood, and documented need. “Deny all” statements that\r\nidentify necessary connections and allow them as exceptions are the standard for perimeter devices.\r\ni. Reduce the number of systems that are able to access the internet directly. Note: this action\r\nmay require analysis by network engineers with fundamental knowledge of (1) how network\r\ndata communicates through agency trust boundaries and (2) the IP routing in the enterprise.\r\nFor example, domain controllers should never be used for—or capable of—browsing\r\nthe internet. (Microsoft’s analysis of domain controllers identified that privileged\r\nusers often use Internet Explorer to browse the intranet or internet.)\r\nFor more information on designing networks where critical or security-related\r\nappliances and servers do not have access to the internet, refer to the United\r\nKingdom’s National Cyber Security Centre (NCSC): Security Architecture Anti-Patterns.\r\nii. Reduce the number of egress ports at the enterprise perimeter. This requires a review of all\r\nperimeter firewall rulesets (rulesets may differ among firewalls).\r\nb. Implement host-based firewalls to make the work of moving laterally more challenging for the\r\nadversary, disrupting the ability to move from compromised workstations to domain resources.\r\nConsider blocking or closely monitoring workstation-to-workstation communications as much as\r\npossible, using Privileged Access Workstations (PAWs) and servers for administrative functions.\r\nFirewalls and endpoint detection and response functions may have similar capability, but both need\r\nto feature (1) filtering of allowed connections and (2) visibility/detection for connections.\r\nc. 
Close and/or monitor high-risk ports (e.g., Remote Desktop Protocol [RDP], Server Message Block\r\n[SMB], File Transfer Protocol [FTP], Trivial File Transfer Protocol [TFTP], Secure Shell [SSH],\r\nand WebDAV).\r\nd. Carefully employ application execution control (allowlisting), especially for systems providing\r\nremote access to the enterprise.\r\ne. Enforce enterprise Domain Name System (DNS) resolution for all systems. Do not allow internal\r\nsystems to directly access internet DNS servers.\r\nf. Ensure that all endpoints that will need to be updated are powered on for as long as possible during\r\nthe eviction phase. Note: this action is necessary for all vital changes to AD to be pushed to all\r\nsystems in the environment prior to reconnection and also to verify that all systems are rebooted.\r\nThis action is especially tricky given that many user endpoints are not connected 24/7 due to remote\r\nwork. Organizations may want to look at “jailing” systems that connect in this way into minimal\r\nvirtual local area networks (VLANs) until they can be verified to have received and implemented\r\nupdates and any other mitigations (endpoint detection and response [EDR] agents, patches, antivirus\r\ndefinitions, specific scans, etc.) decided on by the organization.\r\ng. Agencies using Microsoft Defender for Endpoint or Microsoft 365 Defender should refer to\r\nMicrosoft: Use attack surface reduction rules to prevent malware infection for more information\r\non hardening the enterprise attack surface.\r\n6. Identify federation model for on-premises resources to cloud trust relationship and identify\r\nadversary activity in Microsoft 365 (M365)/Azure environment.\r\na. Identify the Source Anchor for Azure AD Connect in the current Azure Tenant, if used. (This is\r\nrequired in order to sever the connection and restore later).\r\nb. Run Sparrow or similar tools to identify permission and credential changes to applications and\r\nservice principals. 
Identify overly permissive applications, unusual credentials in applications, or\r\nmodifications to federation trust settings. Refer to CISA Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments for more information.\r\nc. Review M365 tenant configuration and perform a cloud security assessment for administrative\r\naccounts and applications. Specifically, review all accounts with privileged access and each\r\napplication to determine if the rights and credentials are as intended and still necessary. This\r\nassessment should include shared trusts or identity relationships with third-party cloud service\r\nproviders (CSPs) in which the identity is a resident on the CSP’s tenant but is also capable of\r\nperforming actions in the organization’s M365 environment.\r\nEviction Phase\r\nNote: to effectively evict the APT actor, the following steps should be completed fully and in the order listed. These\r\nsteps may affect operations of critical business functions. CISA recommends agencies conduct a thorough risk\r\nassessment prior to starting eviction so that potential impacts on critical business functions are documented and\r\nunderstood. Given that these steps are complex, CISA also encourages agencies to use third-party help to support\r\neviction efforts if needed.\r\n1. Sever the enterprise network from the internet.\r\nNote: this step requires the agency to understand its internal and external connections. When making the\r\ndecision to sever internet access, knowledge of connections must be combined with care to avoid\r\ndisrupting critical functions.\r\n2. Reset the Kerberos Ticket Granting Ticket account (krbtgt).\r\nNote: krbtgt must be reset twice; the second time after the first has finished. The resets may take a long\r\ntime to propagate fully on large AD environments. 
For more information, refer to Microsoft guidance: AD\r\nForest Recovery - Resetting the krbtgt password.\r\n3. Eradicate known malware/backdoors/implants discovered during pre-eviction steps.\r\nNote: this can be done while waiting for the krbtgt resets to complete.\r\n4. Apply network device mitigations identified in CISA Alert AA20-352A: Advanced Persistent Threat\r\nCompromise of Government Agencies, Critical Infrastructure, and Private Sector Organization.\r\nFor network devices managed by the SolarWinds monitoring server, the running firmware/software should\r\nbe checked against known good hash values from the network vendor. CISA recommends that, if possible,\r\norganizations re-upload known good firmware/software to managed network devices and perform a reboot.\r\nNote: be sure to wait until krbtgt reset completes to avoid interrupting the reset.\r\n5. Unenroll any suspicious MFA Tokens. Audit all MFA tokens configured in your environment, especially\r\nthose used for remote access. Unenroll any tokens that cannot be accounted for or are suspicious.\r\n6. Rebuild and reimage systems.\r\nNote: agencies should do an impact assessment for endpoints to determine if they need to be reimaged. An\r\nagency should identify (1) credentials observed on compromised machines as at risk and (2) any\r\nsubsequent system accessed from the corresponding accounts as compromised. Consider:\r\na. Was the endpoint altered by a known malicious actor action? If yes, reimage the system.\r\nb. Was data on the endpoint accessed but the endpoint shows no sign of being altered? If yes, you may\r\nnot need to reimage the system.\r\n7. Regain control of the AD and ADFS, by instituting Local Administrator Password Solution (LAPS),\r\nPAWs, and modified administrative accounts.\r\na. Re-establish control of the ecosystem items that were most easily manipulated by the attacker. 
Start\r\nwith the “lowest hanging fruit,” i.e., items that are low risk to operations, low administrative\r\noverhead, that do not require new skill sets to control. These actions block the most frequently used\r\nattack methods on a network. Refer to the Microsoft and Center for Internet Security joint\r\npresentation Critical Hygiene for Preventing Major Breaches for more information on prioritizing\r\ncontrols with the largest return on investment.\r\ni. Audit the privilege levels of accounts that were utilized on affected SolarWinds Orion\r\nservers. Consider only granting the minimal rights and accounts needed to function,\r\nfollowing Just Enough Administration (JEA) principles. (Refer to Microsoft: Just Enough\r\nAdministration for more information.)\r\nii. Ensure there are unique and distinct administrative accounts for each set of administrative\r\ntasks. Enforce the principle of least privilege. Remove all accounts that are unnecessary;\r\nremove privileges not expressly required by an account’s function or role. Institute a group\r\npolicy that disables remote interactive logins, and use Domain Protected Users Group.\r\niii. Enforce MFA for all administrative accounts and functions.\r\niv. Create and establish PAWs for administrative accounts and mandate use for administrative\r\nfunctions (AD Administrators first, at minimum).\r\nv. Enable unique local administrative accounts (e.g., LAPS) and a management function for\r\nthose accounts. Note: for LAPS, if the endpoints are cloned, each individual endpoint’s local\r\nadministrative account password needs to be changed afterward to enforce uniqueness.\r\n8. Rotate all the Secrets.\r\na. Rotate secrets associated with remote access MFA token generation.\r\nb. Reset passwords for:\r\ni. All AD accounts with elevated privileges (such as administrators)\r\nii. All AD service accounts\r\niii. Directory Services Restore Mode (DSRM) account on domain controllers\r\niv. All AD accounts\r\nv. 
Accounts with suspicious activity or whose credentials existed on compromised systems,\r\nsuch as affected SolarWinds servers\r\nvi. Any account where Smartcard/Personal Identity Verification (PIV) is not enforced (which\r\nare on an exception or similar exemption)\r\nNote: the New Technology LAN Manager (NTLM) hashes of smartcard/PIV-enabled\r\naccounts can be used in pass-the-hash attacks and should be refreshed regularly. For more\r\ninformation, including guidance and scripts on rolling over these hashes, refer to the\r\nNational Security Agency (NSA) Information Assurance Advisory: Long-Lived Hashes for\r\nAD Smartcard Required Accounts, NSA Cyber’s GitHub page on Pass-the-Hash Guidance, and Microsoft: Passwordless Strategy.\r\nvii. All AD user accounts\r\nviii. All Windows local administrative accounts (including those that are renamed, especially\r\nthose not managed by LAPS in environment)\r\nix. Non-AD application privileged accounts (e.g., elevated accounts on systems that are not\r\njoined to AD; some high value assets (HVAs) may fall into this category)\r\nx. Network device administrative accounts\r\nxi. Non-AD HVA user accounts\r\nc. Change all credentials being used to manage network devices, including keys and strings used to\r\nsecure network device functions (Simple Network Management Protocol [SNMP] strings/user\r\ncredentials, IPsec/IKE preshared keys, routing secrets, TACACS/RADIUS secrets, RSA\r\nkeys/certificates, etc.). Monitor for failed logins resulting from these resets.\r\n9. Sever Azure environment from on-premises, and conduct M365/Azure remediation.\r\na. Evaluate IdP sources. Harden SSO features. (See FireEye’s white paper, Remediation and\r\nHardening Strategies for Microsoft 365 to Defend Against UNC2452). 
Turn on advanced logging\r\nand establish a privileged access management (PAM) baseline (expected privileged account state)\r\nfor cloud environments.\r\nb. Harden the Azure AD Connect Service. (See Trimarc Security’s post, Securing Microsoft Azure AD\r\nConnect).\r\nc. Review and adjust federation trust relationships. Note: Microsoft recommends severing federation\r\ntrusts between on-premises networks and the cloud; organizations should migrate to an external IdP\r\nor use Azure AD to manage users and, if the latter, users should be “mastered” from Azure AD.\r\nRevoke unauthorized or unnecessary federation trusts if maintaining a federated identity solution.\r\n(CISA recommends avoiding federated enterprise environments whenever possible.) For more\r\ninformation, review the following resources.\r\nMicrosoft: Protecting Microsoft 365 from on-premises attacks\r\nCrowdStrike: CrowdStrike Launches Free Tool to Identify and Help Mitigate Risks in Azure\r\nActive Directory\r\nd. Fully isolate your M365 admin accounts. Activities in this step include, but are not limited to (1)\r\ncreating cloud-only administrators, controlled appropriately with role-based access control (RBAC)\r\nand MFA, and (2) monitoring, in an automated fashion, any changes to the established baseline or\r\nunusual use. See the following resources for more information (Note: CISA will be releasing\r\nguidance on cloud remediation and hardening following dissemination of this guidance).\r\nMicrosoft: Advice for incident responders on recovery from systemic identity compromises\r\nMicrosoft: Protecting Microsoft 365 from on-premises attacks\r\ne. After remediating privileged identities (step d), revoke all existing M365 tokens.\r\nf. Double check to ensure no on-premises accounts have administrative privileges in M365.\r\ng. Review and sanitize (i.e., remove unwelcome actions) compromised mailboxes using industry\r\nstandard tooling and service portal manual review.\r\nh. 
Review, and adjust accordingly, Tenant settings and configurations. Use publicly available or open-source tools such as CrowdStrike Reporting Tool for Azure (CRT) and Hawk to review Tenant\r\nsettings. Refer to CISA Alert AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft\r\nCloud Environments.\r\ni. Use tools—such as Sparrow or Azure AD Investigator—to review existing Azure applications.\r\nRemediate applications that have been compromised. Refer to CISA Alert AA21-008A: Detecting\r\nPost-Compromise Threat Activity in Microsoft Cloud Environments.\r\nj. Perform IdP review and eviction.\r\n10. Clear DNS cache on all servers, workstations, and non-Windows systems.\r\na. Reduce the “Domain member: Maximum machine account password age” in Group Policy to 2–3\r\ndays during eviction; it can be set back to the default 30 days after eviction is complete. This will\r\nhasten the resetting of the Computer object passwords. For more information, refer to Microsoft:\r\nMachine Account Password Process.\r\nb. Reboot all servers and workstations, especially those joined to the AD.\r\n11. Verify eviction steps have been properly completed.\r\na. Have all the tasks above been completed on all applicable systems and accounts? Note: CISA\r\nhighly recommends implementing a process to verify you have completed each task.\r\nb. Have the endpoints that were not completely mitigated been removed from network\r\ncommunication, pending their completion?\r\nc. Have you applied all critical and high patches to the endpoints that lack them, especially any that\r\nneeded re-imaging?\r\nd. Have you added enhanced visibility and monitoring capabilities for cloud environments—such as\r\ntelemetry for cloud environments—into existing agency security information and event\r\nmanagement (SIEM) technology?\r\ne. 
Have you implemented monitoring capability for highly privileged cloud identities and Service\r\nPrincipals?\r\nPost-Eviction\r\n1. Report to your senior leadership completed pre-eviction and eviction actions as well as those\r\nremaining to be completed; provide leadership an assessment of the risk remaining, including assumed\r\nresidual risk.\r\n2. Reconnect to the internet. Note: the decision to reconnect to the internet depends on senior leadership’s\r\nconfidence in the actions taken. It is possible—depending on the environment—that new information\r\ndiscovered during pre-eviction and eviction steps could add additional eviction tasks.\r\n3. Create an actionable and accountable plan for integrating the next 60 days of Active Directory\r\nprivilege credential baselining guidance (i.e., completing the next step). Note: this next step has high\r\noverhead and will likely disrupt business operations; agencies must have a plan for testing breaks\r\nassociated with the changes to administrative control schemes and will need to alter their policies and\r\nprocedures to accommodate these disruptions.\r\n4. Establish and control baseline mechanisms for administrators. Note: this step should be completed\r\nover the next 60 days. While completing this task, agencies should move on to the next step.\r\na. Implement PAWs for remaining administrative accounts.\r\nb. Perform additional hardening of administrative accounts.\r\ni. Implement Credential Guard. (Refer to Microsoft: Manage Windows Defender Credential\r\nGuard for more information). Introducing Credential Guard as an endpoint tool can be\r\nchallenging for organizations due to hardware restrictions, but the impact on privileged\r\nidentity credential management is significant. Chief information security officers (CISOs)\r\nshould prioritize identity-focused solutions for immediate action.\r\nii. 
Restrict RDP usage to an exclusive list of necessary administrators and from only dedicated\r\nadministrative workstations (such as PAWs) and identified necessary alternative locations.\r\nRDP access should be judiciously and carefully scoped and monitored.\r\niii. Establish time bound and temporal escalated Domain Privileges (require second factor for\r\nelevation and that access expires).\r\nc. Implement JEA for domain controller access and maintenance.\r\nd. Harden/reduce attack surface of domain controllers. Remove connection to the internet whenever\r\npossible, and remove all unnecessary protocols, services, and accounts (in accordance with the\r\nprinciple of least functionality). Consider implementing Windows Server Core for all domain\r\ncontrollers.\r\n5. Integrate detection mechanisms that focus on endpoints and changes to privileged identity sources.\r\nSolutions include pervasive use of endpoint security (such as the Microsoft Defender Suite of services,\r\nincluding Endpoint and Identity) as well as high value identity monitoring solutions. The view of user\r\nbehavior should be unified across all platforms and behavioral analytics should be enabled. Note:\r\nbehavioral analytics (with an understanding of what traditional administrative activity consists of, and what\r\ntools are used for it) combined with frequency analysis of activity is often the only avenue for network\r\ndefenders to detect anomalous activity.\r\n6. Report to CISA. Post-eviction, all Category 3 agencies should report to CISA actions taken, any actions\r\nleft incomplete, and their assessments of the residual risk. Following dissemination of this guidance, CISA\r\nwill release a checklist to the Homeland Security Information Network (HSIN) for agencies to use to\r\ncomplete the steps in this guidance. Agencies should fill out and submit the checklist to CISA.\r\n7. Maintain vigilance. 
In the hours, days, and weeks after the network’s internet connection is restored, the\r\nagency’s detection capability will be important in verifying that all threat actor activity within the\r\nenterprise has stopped. Extended vigilance is necessary because this threat actor has demonstrated extreme\r\npatience with follow-on activity.\r\na. Agencies should ensure their security operations center (SOC) has capabilities for enhanced\r\nvisibility and monitoring of enterprise network and cloud environments. Refer to SolarWinds and\r\nActive Directory/M365 Compromise: Detecting APT Activity from Known Tactics, Techniques, and\r\nProcedures for known TTPs that agencies should look out for as part of network and environment\r\nmonitoring.\r\nb. Configure endpoint forensics and detection solutions for aggressive collection; prioritize this by\r\nvalue of asset and account.\r\nFrequently Asked Questions\r\nDoes my organization have to complete all the steps in this eviction guidance?\r\nIn accordance with ED 21-01: Supplemental Direction Version 4, agencies with networks that used affected\r\nversions of SolarWinds Orion and have evidence of follow-on threat actor activity, such as binary beaconing to\r\navsvmcloud[.]com and secondary command and control (C2) activity to a separate domain or IP address, must\r\nexecute and complete the pre-eviction phase of this guidance. Agencies that find additional adversarial activities\r\nmust execute and complete the eviction and post-eviction phases of this guidance. Conducting all of the steps in\r\nthis guidance is necessary to fully evict the adversary from applicable networks. 
Failure to perform comprehensive\r\nand thorough remediation activity will expose enterprise networks and cloud environments to substantial risk for\r\nlong-term undetected APT activity.\r\nIs there a time limit to completing the eviction activities?\r\nIn accordance with ED 21-01: Supplemental Direction Version 4, agencies subject to the requirements must\r\ncomplete the applicable phases in this eviction guidance by July 16, 2021, or within 90 days of discovery of\r\nfollow-on threat activity after issuance of ED 21-01 Supplemental Direction Version 4.\r\nGiven that severing the enterprise network from the internet will have significant operational impact, does\r\nthe organization need to take all its endpoints offline?\r\nIf the affected organization can authoritatively and comprehensively identify compromised internet-connected\r\nendpoints, identities, and systems and is able to take those offline without affecting uncompromised or non-internet connected systems, then the agency does not need to disconnect non-compromised endpoints or non-internet-connected systems. This will still disrupt C2 activities while allowing the agency to keep as much of the\r\nsystem up as possible. Note: access to environments with pervasively compromised credentials will frequently\r\nappear to be standard user activity, as it will use “native” services and identities.\r\nWill CISA provide agencies new TTPs in the event of a reinfection?\r\nRefer to SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity\r\nfrom Known Tactics, Techniques, and Procedures for reinfection TTPs and corresponding detection artifacts.\r\nWill CISA provide architectural recommendations for future rebuilds?\r\nThis current guidance is tailored to provide short-term remediation steps for agencies to evict this adversary from\r\ncompromised on-premises and cloud environments and protect networks against additional compromise. 
CISA\r\nwill be releasing long-term enterprise architecture and security operations guidance that incorporates updated\r\ncredential/access management, monitoring, and detection guidance for a more secure, resilient federal enterprise.\r\nSummary\r\nSince December 2020, the Cybersecurity and Infrastructure Security Agency (CISA) has been responding to a\r\nsignificant cyber incident. An advanced persistent threat (APT) actor added malicious code to multiple versions of\r\nSolarWinds Orion and, in some instances, leveraged it for initial access to enterprise networks of multiple U.S.\r\ngovernment agencies, critical infrastructure entities, and private sector organizations. Once inside the network, the\r\nthreat actor bypassed multi-factor authentication (MFA) and moved laterally to Microsoft Cloud systems by\r\ncompromising federated identity solutions. Note: on April 15, 2021, the U.S. Government attributed this activity\r\nto the Russian Foreign Intelligence Service (SVR). See the statement from the White House for additional details.\r\nFor more information and resources on this activity, refer to us-cert.cisa.gov/remediating-apt-compromised-networks.\r\nFor more information on CISA’s response to this activity, refer to cisa.gov/supply-chain-compromise.\r\nhttps://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a\r\nPage 9 of 10\n\nCISA has provided this guidance to federal agencies with networks that used affected versions of SolarWinds\r\nOrion and have evidence of follow-on threat actor activity—CISA Alert AA20-352A: Advanced Persistent Threat\r\nCompromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations labels these as\r\nCategory 3 agencies. This guidance is intended to support Category 3 agencies in crafting their eviction plans in\r\naccordance with ED 21-01: Supplemental Direction Version 4. Note: agencies should refer to CISA Alert AA20-\r\n352A for guidance on determining if they are Category 3. 
CISA is aware of other initial access vectors; agencies\r\nshould not assume they are not compromised by this APT actor solely because they have never used affected\r\nversions of SolarWinds Orion.\r\nThose agencies should investigate to confirm they have not observed related threat actor tactics, techniques, and\r\nprocedures (TTPs). CISA recommends any agency that detects related activity review this guidance as well as\r\nCISA Alert AA20-352A, and contact CISA for further assistance.\r\nAlthough this guidance is tailored to federal agencies, CISA encourages critical infrastructure entities; state, local,\r\nterritorial, and tribal government organizations; and private sector organizations to review and apply it, as\r\nappropriate.\r\nThe steps provided in this guidance are resource-intensive and highly complex and will require the enterprise\r\nnetwork to be disconnected from the internet for 3–5 days. In order to have fully informed senior-level support,\r\nCISA recommends that agency senior leadership conduct planning sessions throughout this process to understand\r\nthe resources needed and any potential disruption in business operations. CISA encourages agency leadership to\r\nreview CISA Insights: SolarWinds and AD/M365 Compromise Risk Decisions for Leaders for more information.\r\nBy taking steps to evict this adversary from compromised on-premises and cloud environments, agencies will\r\nposition themselves for long-term actions to build more secure, resilient networks.\r\nFor a PDF copy of this report, click here.\r\nContact Information\r\nRecipients of this report are encouraged to contribute any additional information that they may have related to this\r\nthreat. 
For any questions related to this report, please contact CISA at:\r\nPhone: 1-844-Say-CISA (1-844-729-2472)\r\nEmail: central@cisa.gov\r\nRevisions\r\nMay 14, 2021: Initial Version\r\nSource: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a"
	],
	"report_names": [
		"ar21-134a"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434571,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a0bb533b8f68d4914c01eea0eb6d0b97ff93a54.pdf",
		"text": "https://archive.orkl.eu/8a0bb533b8f68d4914c01eea0eb6d0b97ff93a54.txt",
		"img": "https://archive.orkl.eu/8a0bb533b8f68d4914c01eea0eb6d0b97ff93a54.jpg"
	}
}