{
	"id": "a6a4bb58-ea84-4521-9b09-963d5611d1a4",
	"created_at": "2026-04-06T00:19:12.305231Z",
	"updated_at": "2026-04-10T13:11:57.824034Z",
	"deleted_at": null,
	"sha1_hash": "a1fa7c6cf423a96868ecb95fc9b63ac6c1ee1831",
	"title": "Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152704,
	"plain_text": "Iranian Government-Sponsored APT Actors Compromise Federal\r\nNetwork, Deploy Crypto Miner, Credential Harvester | CISA\r\nPublished: 2022-11-25 · Archived: 2026-04-05 13:49:56 UTC\r\nSummary\r\nFrom mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian\r\nExecutive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity.\r\nIn the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell\r\nvulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to\r\nthe domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts\r\nto maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was\r\ncompromised by Iranian government-sponsored APT actors.\r\nCISA and FBI are releasing this Cybersecurity Advisory (CSA) providing the suspected Iranian government-sponsored actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network\r\ndefenders detect and protect against related compromises.\r\nCISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available\r\npatches or workarounds to assume compromise and initiate threat hunting activities. If suspected initial access or\r\ncompromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to\r\nassume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged\r\naccounts. 
All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity.\r\nFor more information on Iranian government-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.\r\nDownload the PDF version of this report: pdf, 528 kb.\r\nFor a downloadable copy of the Malware Analysis Report (MAR) accompanying this report, see: MAR 10387061-1.v1.\r\nFor a downloadable copy of IOCs, see: AA22-320A.stix, 1.55 mb.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK for Enterprise framework, version 11. See the MITRE ATT\u0026CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK® tactics and techniques with corresponding mitigation and/or detection recommendations.\r\nOverview\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-320a\r\nPage 1 of 12\r\nIn April 2022, CISA conducted retrospective analysis using EINSTEIN—an FCEB-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected APT activity on an FCEB organization’s network. CISA observed bi-directional traffic between the network and a known malicious IP address associated with exploitation of the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon servers. In coordination with the FCEB organization, CISA initiated threat hunting incident response activities; however, prior to deploying an incident response team, CISA observed additional suspected APT activity. Specifically, CISA observed HTTPS activity from IP address 51.89.181[.]64 to the organization’s VMware server. Based on trusted third-party reporting, 51.89.181[.]64 is a Lightweight Directory Access Protocol (LDAP) server associated with threat actors exploiting Log4Shell. Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us-nation-ny[.]cf that resolved back to 51.89.181[.]64 when the victim server was returning this Log4Shell LDAP callback to the actors’ server.\r\nCISA assessed that this traffic indicated a confirmed compromise based on the successful callback to the indicator and informed the organization of these findings; the organization investigated the activity and found signs of compromise. As trusted third-party reporting associated Log4Shell activity from 51.89.181[.]64 with lateral movement and targeting of DCs, CISA suspected the threat actors had moved laterally and compromised the organization’s DC.\r\nFrom mid-June through mid-July 2022, CISA conducted an onsite incident response engagement and determined that the organization was compromised as early as February 2022, by likely Iranian government-sponsored APT actors who installed XMRig crypto mining software. The threat actors also moved laterally to the domain controller, compromised credentials, and implanted Ngrok reverse proxies.\r\nThreat Actor Activity\r\nIn February 2022, the threat actors exploited Log4Shell [T1190] for initial access [TA0001] to the organization’s unpatched VMware Horizon server. As part of their initial exploitation, CISA observed a connection to known malicious IP address 182.54.217[.]2 lasting 17.6 seconds.\r\nThe actors’ exploit payload ran the following PowerShell command [T1059.001] that added an exclusion rule to Windows Defender [T1562.001]:\r\npowershell try{Add-MpPreference -ExclusionPath 'C:\\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc \"$BASE64 encoded payload to download next stage and execute it\"\r\nThe exclusion rule allowlisted the entire C:\\ drive, enabling threat actors to download tools to the C:\\ drive without virus scans. The exploit payload then downloaded mdeploy.text from 182.54.217[.]2/mdepoy.txt to C:\\users\\public\\mde.ps1 [T1105]. When executed, mde.ps1 downloaded file.zip from 182.54.217[.]2 and removed mde.ps1 from the disk [T1070.004].\r\nfile.zip contained XMRig cryptocurrency mining software and associated configuration files.\r\nWinRing0x64.sys – XMRig Miner driver\r\nwuacltservice.exe – XMRig Miner\r\nconfig.json – XMRig miner configuration\r\nRuntimeBroker.exe – Associated file. This file can create a local user account [T1136.001] and tests for internet connectivity by pinging 8.8.8.8 [T1016.001]. The exploit payload created a Scheduled Task [T1053.005] that executed RuntimeBroker.exe daily as SYSTEM. Note: By exploiting Log4Shell, the actors gained access to a VMware service account with administrator and system level access. The Scheduled Task was named RuntimeBrokerService.exe to masquerade as a legitimate Windows task.\r\nSee MAR 10387061-1.v1 for additional information, including IOCs, on these four files.\r\nAfter obtaining initial access and installing XMRig on the VMware Horizon server, the actors used RDP [T1021.001] and the built-in Windows user account DefaultAccount [T1078.001] to move laterally [TA0008] to a VMware VDI-KMS host. Once the threat actors established themselves on the VDI-KMS host, CISA observed the actors download around 30 megabytes of files from a transfer[.]sh server associated with 144.76.136[.]153. The actors downloaded the following tools:\r\nPsExec – a Microsoft signed tool for system administrators.\r\nMimikatz – a credential theft tool.\r\nNgrok – a reverse proxy tool for proxying an internal service out onto an Ngrok domain, which the user can then access at a randomly generated subdomain at *.ngrok[.]io. CISA has observed this tool in use by some commercial products for benign purposes; however, this process bypasses typical firewall controls and may be a potentially unwanted application in production environments. Ngrok is known to be used for malicious purposes.[1]\r\nThe threat actors then executed Mimikatz on VDI-KMS to harvest credentials and created a rogue domain administrator account [T1136.002]. Using the newly created account, the actors leveraged RDP to propagate to several hosts within the network. Upon logging into each host, the actors manually disabled Windows Defender via the Graphical User Interface (GUI) and implanted Ngrok executables and configuration files. The threat actors were able to implant Ngrok on multiple hosts to ensure Ngrok’s persistence should they lose access to a machine during a routine reboot. The actors were able to proxy [T1090] RDP sessions, which were only observable on the local network as outgoing HTTPS port 443 connections to tunnel.us.ngrok[.]com and korgn.su.lennut[.]com (the prior domain in reverse). It is possible, but was not observed, that the threat actors configured a custom domain, or used other Ngrok tunnel domains, wildcarded here as *.ngrok[.]com, *.ngrok[.]io, ngrok.*.tunnel[.]com, or korgn.*.lennut[.]com.\r\nOnce the threat actors established a deep foothold in the network and moved laterally to the domain controller, they executed the following PowerShell command on the Active Directory to obtain a list of all machines attached to the domain [T1018]:\r\nPowershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >\r\nThe threat actors also changed the password for the local administrator account [T1098] on several hosts as a backup should the rogue domain administrator account get detected and terminated. 
Additionally, the threat actor was observed attempting to dump the Local Security Authority Subsystem Service (LSASS) process [T1003.001] with Task Manager, but this was stopped by additional anti-virus software the FCEB organization had installed.\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nSee table 1 for all referenced threat actor tactics and techniques in this advisory, as well as corresponding detection and/or mitigation recommendations. For additional mitigations, see the Mitigations section.\r\nTable 1: Cyber Threat Actors ATT\u0026CK Techniques for Enterprise (columns: Technique Title, ID, Use, Recommendations)\r\nInitial Access\r\nTechnique: Exploit Public-Facing Application (T1190)\r\nUse: The actors exploited Log4Shell for initial access to the organization’s VMware Horizon server.\r\nMitigation/Detection: Use a firewall or web-application firewall and enable logging to prevent and detect potential Log4Shell exploitation attempts [M1050].\r\nMitigation: Perform regular vulnerability scanning to detect Log4J vulnerabilities and update Log4J software using vendor provided patches [M1016], [M1051].\r\nExecution\r\nTechnique: Command and Scripting Interpreter: PowerShell (T1059.001)\r\nUse: The actors ran PowerShell commands that added an exclusion rule to Windows Defender. The actors executed PowerShell on the AD to obtain a list of machines on the domain.\r\nMitigation: Disable or remove PowerShell for non-administrative users [M1042], [M1026] or enable code-signing to execute only signed scripts [M1045].\r\nMitigation: Employ anti-malware to automatically detect and quarantine malicious scripts [M1049].\r\nPersistence\r\nTechnique: Account Manipulation (T1098)\r\nUse: The actors changed the password for the local administrator account on several hosts.\r\nMitigation: Use multifactor authentication for user and privileged accounts [M1032].\r\nDetection: Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728, and 4670. Monitor for modification of accounts in correlation with other suspicious activity [DS0002].\r\nTechnique: Create Account: Local Account (T1136.001)\r\nUse: The actors’ malware can create local user accounts.\r\nMitigation: Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.\r\nDetection: Monitor executed commands and arguments for actions that are associated with local account creation, such as net user /add, useradd, and dscl -create [DS0017].\r\nDetection: Enable logging for new user creation [DS0002].\r\nTechnique: Create Account: Domain Account (T1136.002)\r\nUse: The actors used Mimikatz to create a rogue domain administrator account.\r\nMitigation: Configure access controls and firewalls to limit access to domain controllers and systems used to create and manage accounts.\r\nDetection: Enable logging for new user creation, especially domain administrator accounts [DS0002].\r\nTechnique: Scheduled Task/Job: Scheduled Task (T1053.005)\r\nUse: The actors’ exploit payload created Scheduled Task RuntimeBrokerService.exe, which executed RuntimeBroker.exe daily as SYSTEM.\r\nMitigation: Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM [M1028].\r\nDetection: Monitor for newly constructed processes and/or command-lines that execute from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows [DS0009].\r\nDetection: Monitor for newly constructed scheduled jobs by enabling the Microsoft-Windows-TaskScheduler/Operational setting within the event logging service [DS0003].\r\nTechnique: Valid Accounts: Default Accounts (T1078.001)\r\nUse: The actors used built-in Windows user account DefaultAccount.\r\nMitigation: Change default usernames and passwords immediately after the installation and before deployment to a production environment [M1027].\r\nDetection: Develop rules to monitor logon behavior across default accounts that have been activated or logged into [DS0028].\r\nDefense Evasion\r\nTechnique: Impair Defenses: Disable or Modify Tools (T1562.001)\r\nUse: The actors added an exclusion rule to Windows Defender. The tool allowlisted the entire C:\\ drive, enabling the actors to bypass virus scans for tools they downloaded to the C:\\ drive. The actors manually disabled Windows Defender via the GUI.\r\nMitigation: Ensure proper user permissions are in place to prevent adversaries from disabling or interfering with security services [M1018].\r\nDetection: Monitor for changes made to Windows Registry keys and/or values related to services and startup programs that correspond to security tools such as HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender [DS0024].\r\nDetection: Monitor for telemetry that provides context for modification or deletion of information related to security software processes or services such as Windows Defender definition files in Windows and System log files in Linux [DS0013].\r\nDetection: Monitor processes for unexpected termination related to security tools/services [DS0009].\r\nTechnique: Indicator Removal on Host: File Deletion (T1070.004)\r\nUse: The actors removed malicious file mde.ps1 from the disk.\r\nDetection: Monitor executed commands and arguments for actions that could be utilized to unlink, rename, or delete files [DS0017].\r\nDetection: Monitor for unexpected deletion of files from the system [DS0022].\r\nCredential Access\r\nTechnique: OS Credential Dumping: LSASS Memory (T1003.001)\r\nUse: The actors were observed trying to dump the LSASS process.\r\nMitigation: With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping [M1043].\r\nMitigation: On Windows 10, enable Attack Surface Reduction (ASR) rules to secure LSASS and prevent credential stealing [M1040].\r\nMitigation: Ensure that local administrator accounts have complex, unique passwords across all systems on the network [M1027].\r\nDetection: Monitor for unexpected processes interacting with LSASS.exe. Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored [DS0009].\r\nDetection: Monitor executed commands and arguments that may attempt to access credential material stored in the process memory of the LSASS [DS0017].\r\nTechnique: Credentials from Password Stores (T1555)\r\nUse: The actors used Mimikatz to harvest credentials.\r\nMitigation: Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations [M1027].\r\nDetection: Monitor for processes being accessed that may search for common password storage locations to obtain user credentials [DS0009].\r\nDetection: Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials [DS0017].\r\nDiscovery\r\nTechnique: Remote System Discovery (T1018)\r\nUse: The actors executed a PowerShell command on the AD to obtain a list of all machines attached to the domain.\r\nDetection: Monitor executed commands and arguments that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement [DS0017].\r\nDetection: Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement [DS0029].\r\nDetection: Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession [DS0009].\r\nTechnique: System Network Configuration Discovery: Internet Connection Discovery (T1016.001)\r\nUse: The actors’ malware tests for internet connectivity by pinging 8.8.8.8.\r\nMitigation: Monitor executed commands, arguments [DS0017] and executed processes (e.g., tracert or ping) [DS0009] that may check for internet connectivity on compromised systems.\r\nLateral Movement\r\nTechnique: Remote Services: Remote Desktop Protocol (T1021.001)\r\nUse: The actors used RDP to move laterally to multiple hosts on the network.\r\nMitigation: Use MFA for remote logins [M1032].\r\nMitigation: Disable the RDP service if it is unnecessary [M1042].\r\nMitigation: Do not leave RDP accessible from the internet. Enable firewall rules to block RDP traffic between network security zones within a network [M1030].\r\nMitigation: Consider removing the local Administrators group from the list of groups allowed to log in through RDP [M1026].\r\nDetection: Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP [DS0028].\r\nCommand and Control\r\nTechnique: Proxy (T1090)\r\nUse: The actors used Ngrok to proxy RDP connections and to perform command and control.\r\nMitigation: Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists [M1037].\r\nDetection: Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure) [DS0029].\r\nTechnique: Ingress Tool Transfer (T1105)\r\nUse: The actors downloaded malware and multiple tools to the network, including PsExec, Mimikatz, and Ngrok.\r\nMitigation: Employ anti-malware to automatically detect and quarantine malicious scripts [M1049].\r\nINCIDENT RESPONSE\r\nIf suspected initial access or compromise is detected based on IOCs or TTPs in this CSA, CISA encourages organizations to assume lateral movement by threat actors and investigate connected systems and the DC.\r\nCISA recommends organizations apply the following steps before applying any mitigations, including patching.\r\n1. Immediately isolate affected systems.\r\n2. Collect and review relevant logs, data, and artifacts. Take a memory capture of the device(s) and a forensic image capture for detailed analysis.\r\n3. 
Consider soliciting support from a third-party incident response organization that can provide subject matter expertise to ensure the actor is eradicated from the network and to avoid residual issues that could enable follow-on exploitation.\r\n4. Report incidents to CISA via CISA’s 24/7 Operations Center (SayCISA@cisa.dhs.gov or 1-844-Say-CISA) or your local FBI field office, or FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov.\r\nMitigations\r\nCISA and FBI recommend implementing the mitigations below and in Table 1 to improve your organization's cybersecurity posture on the basis of threat actor behaviors.\r\nInstall updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.\r\nIf updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat those VMware Horizon systems as compromised. Follow the proactive incident response procedures outlined above prior to applying updates. If no compromise is detected, apply these updates as soon as possible.\r\nSee VMware Security Advisory VMSA-2021-0028.13 and VMware Knowledge Base (KB) 87073 to determine which VMware Horizon components are vulnerable.\r\nNote: Until the update is fully implemented, consider removing vulnerable components from the internet to limit the scope of traffic. While installing the updates, ensure network perimeter access controls are as restrictive as possible.\r\nIf upgrading is not immediately feasible, see KB87073 and KB87092 for vendor-provided temporary workarounds. Implement temporary solutions using an account with administrative privileges. Note that these temporary solutions should not be treated as permanent fixes; vulnerable components should be upgraded to the latest build as soon as possible.\r\nPrior to implementing any temporary solution, ensure appropriate backups have been completed.\r\nVerify successful implementation of mitigations by executing the vendor supplied script Horizon_Windows_Log4j_Mitigations.zip without parameters to ensure that no vulnerabilities remain. See KB87073 for details.\r\nKeep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).\r\nMinimize the internet-facing attack surface by hosting essential services on a segregated DMZ, ensuring strict network perimeter access controls, and not hosting internet-facing services that are not essential to business operations. Where possible, implement regularly updated web application firewalls (WAF) in front of public-facing services. WAFs can protect against web-based exploitation using signatures and heuristics that are likely to block or alert on malicious traffic.\r\nUse best practices for identity and access management (IAM) by implementing phishing resistant multifactor authentication (MFA), enforcing use of strong passwords, regularly auditing administrator accounts and permissions, and limiting user access through the principle of least privilege. Disable inactive accounts uniformly across the AD, MFA systems, etc.\r\nIf using Windows 10 version 1607 or Windows Server 2016 or later, monitor or disable Windows DefaultAccount, also known as the Default System Managed Account (DSMA).\r\nAudit domain controllers to log successful Kerberos Ticket Granting Service (TGS) requests and ensure the events are monitored for anomalous activity.\r\nSecure accounts.\r\nEnforce the principle of least privilege. Administrator accounts should have the minimum permission necessary to complete their tasks.\r\nEnsure there are unique and distinct administrative accounts for each set of administrative tasks.\r\nCreate non-privileged accounts for privileged users and ensure they use the non-privileged accounts for all non-privileged access (e.g., web browsing, email access).\r\nCreate a deny list of known compromised credentials and prevent users from using known-compromised passwords.\r\nSecure credentials by restricting where accounts and credentials can be used and by using local device credential protection features.\r\nUse virtualizing solutions on modern hardware and software to ensure credentials are securely stored.\r\nEnsure storage of clear text passwords in LSASS memory is disabled. Note: For Windows 8, this is enabled by default. For more information see Microsoft Security Advisory Update to Improve Credentials Protection and Management.\r\nConsider disabling or limiting NTLM and WDigest Authentication.\r\nImplement Credential Guard for Windows 10 and Server 2016 (refer to Microsoft: Manage Windows Defender Credential Guard for more information). For Windows Server 2012R2, enable Protected Process Light for Local Security Authority (LSA).\r\nMinimize the AD attack surface to reduce malicious ticket-granting activity. Malicious activity such as “Kerberoasting” takes advantage of Kerberos’ TGS and can be used to obtain hashed credentials that threat actors attempt to crack.\r\nVALIDATE SECURITY CONTROLS\r\nIn addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory. CISA and FBI recommend testing your existing security controls inventory to assess how they perform against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see table 1).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.\r\nCISA and FBI recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nReferences\r\n[1] MITRE ATT\u0026CK Version 11: Software – Ngrok\r\nRevisions\r\nInitial Version: November 16, 2022\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-320a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-320a"
	],
	"report_names": [
		"aa22-320a"
	],
	"threat_actors": [
		{
			"id": "81dde5cc-c29f-430d-8c6e-e5e92d5015e7",
			"created_at": "2022-10-25T16:07:23.704358Z",
			"updated_at": "2026-04-10T02:00:04.718034Z",
			"deleted_at": null,
			"main_name": "Harvester",
			"aliases": [],
			"source_name": "ETDA:Harvester",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Graphon",
				"Metasploit",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a1fa7c6cf423a96868ecb95fc9b63ac6c1ee1831.pdf",
		"text": "https://archive.orkl.eu/a1fa7c6cf423a96868ecb95fc9b63ac6c1ee1831.txt",
		"img": "https://archive.orkl.eu/a1fa7c6cf423a96868ecb95fc9b63ac6c1ee1831.jpg"
	}
}