← Back to Cybersecurity News Center
Severity
HIGH
CVSS
7.5
Priority
0.706
×
Tip
Pick your view
Analyst for full detail, Executive for the short version.
Analyst
Executive
Executive Summary
AI models capable of accelerated vulnerability discovery and exploit generation are collapsing the time between vulnerability disclosure and active exploitation. According to the CrowdStrike 2026 Global Threat Report (medium confidence - primary document verification pending), AI-enabled attacks increased 89% year-over-year, zero-days exploited before public disclosure increased 42%, and the fastest observed lateral movement breakout time was 27 seconds. These figures expose a structural mismatch between how most enterprises manage patch backlogs and how fast adversaries now operate. Security programs built on periodic scanning and severity-ranked remediation queues are no longer matched to this threat tempo; continuous exposure management and near-real-time detection are now operational requirements, not aspirational goals.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
TTP Sophistication
HIGH
10 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Enterprise security programs broadly; CrowdStrike Falcon Platform referenced as detection/response context; Anthropic Claude Mythos and OpenAI GPT-5.4-Cyber cited as frontier AI capability examples
Are You Exposed?
⚠
You use products/services from Enterprise security programs broadly; CrowdStrike Falcon Platform referenced as detection/response context; Anthropic Claude Mythos and OpenAI GPT-5.4-Cyber cited as frontier AI capability examples → Assess exposure
⚠
10 attack techniques identified — review your detection coverage for these TTPs
✓
Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓
You have incident response procedures for this threat type → Prepared
Business Context
AI-compressed exploit windows remove the operational assumption that most enterprises have quietly relied on for years: that there is enough time between vulnerability disclosure and active attack to patch, test, and deploy a fix. For organizations in sectors with complex change-control processes — financial services, healthcare, critical infrastructure — this tempo mismatch is now a material risk, not a theoretical one. A 27-second adversary breakout time means that prevention-only postures are insufficient; containment speed becomes a board-level metric. Regulatory implications are indirect but real: breach notification timelines, audit trails, and evidence of reasonable security controls all become harder to defend if organizations cannot demonstrate detection and response capabilities matched to this adversary pace.
You Are Affected If
Your organization relies on periodic vulnerability scanning (weekly or monthly) rather than continuous exposure monitoring for internet-facing systems
Your patch remediation SLAs for critical findings exceed 72 hours for externally accessible services
Your security operations center operates manual triage workflows without automated containment playbooks for lateral movement events
Your enterprise uses CrowdStrike Falcon and has not validated that Identity Protection and behavioral detection modules are fully deployed and tuned
Your privileged access management program has gaps in MFA enforcement or credential rotation cadence, creating valid-credential abuse opportunities (T1078, T1550)
Board Talking Points
Adversaries using AI can move from initial access to full lateral movement in as little as 27 seconds — faster than any human analyst can triage an alert, let alone respond.
Within the next 90 days, the security team should complete an honest assessment of detection and containment speed against this breakout time and present a gap-closure plan with defined investment requirements.
Organizations that do not close the gap between adversary tempo and detection latency face materially higher breach likelihood and significantly reduced ability to contain damage before critical systems are compromised.
Technical Analysis
The traditional patch-queue defense model rests on an assumed buffer: a vulnerability is disclosed, assigned a CVSS score, queued by severity, and remediated within a defined SLA, often days to weeks for critical findings.
That buffer is the structural assumption under attack.
According to the CrowdStrike 2026 Global Threat Report (medium confidence pending primary document cross-verification), AI-enabled attacks increased 89% year-over-year, zero-days exploited before public disclosure increased 42%, and the fastest observed adversary lateral movement breakout time was 27 seconds.
These figures represent a tempo at which even well-staffed SOCs operating manual triage cannot respond before an attacker has already moved. The MITRE ATT&CK techniques mapped to this threat pattern tell the operational story: adversaries are combining automated reconnaissance (T1595 , Active Scanning, T1087 , Account Discovery) with exploit public-facing applications (T1190 ) and exploitation of remote services (T1210 ) to gain initial access at machine speed. Once inside, they escalate privilege (T1068 ), abuse valid credentials (T1078 ), and use alternate authentication material (T1550 ) to maintain access and resist eviction. Tool acquisition (T1588.006 , Vulnerabilities, T1587.004 , Exploits) is now partially automated through AI-assisted exploit generation, shortening the adversary development cycle that defenders historically relied on for lead time. General-capability AI models lower the skill floor for exploit development and compress the adversary research cycle. CrowdStrike's published materials reference collaborative AI security work with Anthropic and OpenAI in the context of defensive tooling, specifically the CrowdStrike Falcon platform and OpenAI TAC partnership, which is the verifiable claim. The defensive implication is architectural. CWE-200 (exposure of sensitive information), CWE-306 (missing authentication), CWE-269 (improper privilege management), CWE-284 (improper access control), and CWE-212 (exploitation for credential access) represent the vulnerability classes most likely to be discovered and weaponized at AI speed, not because they are novel, but because they are common, well-documented in training corpora, and exploitable with existing tooling. Security programs that have not moved toward continuous asset visibility, real-time exposure scoring, and automated response playbooks face an increasing gap between their detection latency and adversary breakout time.
Action Checklist IR ENRICHED
Triage Priority:
URGENT
Escalate immediately to CISO and legal counsel if threat intelligence indicates active AI-enabled scanning or exploitation attempts against your internet-facing assets (evidenced by T1595 reconnaissance patterns in web logs combined with rapid exploit delivery), if mean-time-to-detect exceeds the 27-second adversary breakout time documented in the CrowdStrike 2026 GTR making containment theoretically impossible before lateral movement completes, or if any privileged account shows Event ID 4624/4672 anomalies suggesting T1078 abuse coinciding with known vulnerability disclosure dates — the latter may trigger breach notification obligations under HIPAA, PCI-DSS, or state privacy statutes if PII or PHI systems are in scope.
1
Step 1: Assess exposure, audit your current mean-time-to-remediate for critical and high vulnerabilities; if your SLA exceeds 72 hours for internet-facing systems, you are operating outside the tempo this threat environment requires
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Establishing IR capability and measuring operational readiness before adverse events occur
NIST SI-2 (Flaw Remediation) — requires identifying, reporting, and correcting system flaws with tested updates
NIST RA-3 (Risk Assessment) — mandates assessing likelihood and impact to inform prioritization decisions
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — documented process with SLA targets
CIS 7.2 (Establish and Maintain a Remediation Process) — risk-based remediation strategy with monthly or more frequent review
Compensating Control
Export your vulnerability scanner data (OpenVAS, Nessus Essentials, or even CISA's free scanner) to a spreadsheet and calculate mean-time-to-remediate per asset tier manually: `awk -F',' '{print $1, $3, $5}' vuln_export.csv | sort -k3`. For internet-facing asset enumeration without a CMDB, run `nmap -sV --open -p 80,443,8080,8443,22,3389 <your_CIDR>` weekly and diff outputs to catch new exposure. Flag any critical or high finding on an internet-facing asset with a discovery-to-patch delta exceeding 72 hours as a policy exception requiring documented risk acceptance.
Preserve Evidence
Before re-baselining SLAs, capture current state snapshots: export your vulnerability scanner's 'open findings' report filtered to CVSS ≥ 7.0 on internet-facing assets with discovery dates, to establish the pre-improvement baseline. Document current patch-queue age distribution (buckets: 0–24h, 24–72h, 72h–7d, 7d+) so post-improvement metrics are comparable. Archive firewall/NAT rule tables and internet-exposed service inventory (ports, banners, software versions) as the exposure baseline this assessment is measuring against. This is not post-exploitation evidence — it is the pre-incident evidence of structural exposure that AI-speed adversaries will exploit first.
2
Step 2: Review controls, verify EDR coverage and detection rule freshness across all endpoints and servers; confirm that lateral movement detection (T1210, T1550, T1078 abuse) is active and alerting, not just logging; validate MFA enforcement on all privileged accounts and remote access paths
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Acquiring tools and resources, and validating detection capability before adversary contact
NIST SI-4 (System Monitoring) — implement monitoring of the system to detect attacks and indicators of potential attacks
NIST IR-4 (Incident Handling) — implement incident handling capability including detection, analysis, containment, and eradication
NIST IA-5 (Authenticator Management) — enforce MFA as an authenticator assurance requirement for privileged access
CIS 6.3 (Require MFA for Externally-Exposed Applications) — enforce MFA on all externally-exposed applications
CIS 6.5 (Require MFA for Administrative Access) — require MFA for all administrative access accounts
CIS 8.2 (Collect Audit Logs) — ensure logging is enabled across enterprise assets
Compensating Control
For T1210 (Exploitation of Remote Services) detection without EDR: deploy Sysmon with SwiftOnSecurity's config and enable Event ID 3 (Network Connection) filtered on processes that should never initiate outbound connections (e.g., IIS worker process w3wp.exe, sqlservr.exe). For T1550 (Use Alternate Authentication Material) and T1078 (Valid Accounts) abuse detection: query Windows Security Event Log for Event ID 4624 (Logon) with LogonType 3 or 10 combined with Event ID 4672 (Special Privileges Assigned) using `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4672} | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)}`. Validate MFA gaps with `net user /domain` cross-referenced against your VPN/RDP authentication logs for accounts lacking MFA enrollment. Use the free Sigma rule set (github.com/SigmaHQ/sigma — verify URL) converted to your log platform's query language for lateral movement pattern detection.
Preserve Evidence
At the 27-second breakout time documented by CrowdStrike 2026 Global Threat Report, lateral movement artifacts appear nearly simultaneously with initial access. Preserve: Windows Security Event Log Event ID 4648 (Explicit Credential Use) and 4768/4769 (Kerberos TGT/Service Ticket Requests) timestamped within the first 60 seconds of any anomalous logon, as AI-driven tools will request service tickets for high-value targets immediately. Capture NetFlow or Windows Firewall logs showing SMB (port 445), RDP (port 3389), and WinRM (port 5985/5986) connections originating from the initially compromised host within the first two minutes. Preserve EDR process tree telemetry showing parent-child relationships for any process spawned by internet-facing services, as AI-generated exploits targeting T1190 will produce anomalous process lineage (e.g., Apache/IIS spawning cmd.exe or PowerShell).
3
Step 3: Update threat model, incorporate AI-accelerated exploit development as a standing threat assumption in your risk register; map your highest-value assets against T1190, T1068, and T1595 to identify where AI-speed initial access would cause the most damage
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Maintaining situational awareness and updating organizational risk posture based on current threat intelligence
NIST RA-3 (Risk Assessment) — assess risk to organizational operations, assets, and individuals using current threat intelligence
NIST RA-5 (Vulnerability Monitoring and Scanning) — scan for vulnerabilities in the system and hosted applications at defined frequencies
NIST SI-5 (Security Alerts, Advisories, and Directives) — receive and disseminate security alerts from external organizations on an ongoing basis
NIST IR-8 (Incident Response Plan) — develop and maintain an IR plan that reflects current threat landscape
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — incorporate threat intelligence into vulnerability prioritization
Compensating Control
Map T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), and T1595 (Active Scanning) against your asset inventory using MITRE ATT&CK Navigator (free, browser-based at attack.mitre.org/resources/attack-navigator — verify URL). For each high-value asset, document: current patch lag, exposure to internet, and presence of known exploitable vulnerabilities using CISA KEV (Known Exploited Vulnerabilities) catalog cross-reference. Run `nuclei -l internet_assets.txt -severity critical,high` (free Nuclei scanner from ProjectDiscovery) to identify T1190-relevant attack surface. Formalize AI-accelerated exploitation as a threat assumption by adding a line to your risk register: 'Assumed capability: adversary can develop functional exploit within seconds of vulnerability disclosure for any CVE with public PoC, per CrowdStrike 2026 GTR.' Review and update this entry quarterly.
Preserve Evidence
For T1595 (Active Scanning) reconnaissance evidence that precedes AI-speed exploitation: review web server access logs (IIS: `%SystemDrive%\inetpub\logs\LogFiles\`, Apache: `/var/log/apache2/access.log`) for systematic URI enumeration, path traversal probes, or technology fingerprinting patterns (e.g., requests for `/wp-admin`, `/.env`, `/actuator/health`) in the 24–48 hours before any incident. Check firewall/IDS logs for port scan signatures originating from the same source IP as subsequent exploitation attempts — AI-driven attack platforms often perform rapid reconnaissance immediately before exploit delivery. Preserve DNS query logs for your domains showing lookups that correlate with scanning activity, as adversaries using AI tooling may automate subdomain enumeration targeting T1595.002 (Vulnerability Scanning).
4
Step 4: Communicate findings, brief leadership on the adversary breakout-time data as a concrete operational constraint; frame the conversation around detection and containment speed, not just prevention
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Translating operational findings into organizational decision-making, policy updates, and resource allocation
NIST IR-6 (Incident Reporting) — require personnel to report findings to organizational leadership within defined timeframes
NIST IR-8 (Incident Response Plan) — maintain an IR plan that communicates roles, responsibilities, and resource requirements to leadership
NIST PM-9 (Risk Management Strategy) — develop and implement a risk management strategy that includes current threat data
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — communicate vulnerability management metrics to leadership as part of program governance
Compensating Control
Prepare a one-page executive brief using the CrowdStrike 2026 Global Threat Report's 27-second breakout time and 89% YoY increase in AI-enabled attacks as the anchor data points — these are concrete, sourced metrics that reframe the conversation from 'patching hygiene' to 'detection velocity requirement.' Structure the brief around three operational questions: (1) What is our current mean-time-to-detect? (2) What is our mean-time-to-contain once an alert fires? (3) Does our containment capability operate faster than 27 seconds of adversary lateral movement? Attach your Step 1 MTTR audit output as the supporting data. For teams without a formal GRC platform, document this communication in a dated memo and retain it as evidence of leadership notification for compliance and audit purposes.
Preserve Evidence
This step is a communication action, not an investigative one; however, document the briefing itself as a governance artifact. Retain: the dated executive brief with the specific metrics cited (27-second breakout time, 89% YoY AI-enabled attack increase from CrowdStrike 2026 GTR), any decisions or resource commitments made in response, and the current MTTR and detection coverage gap data presented. This documentation supports NIST IR-6 (Incident Reporting) compliance and provides the pre-improvement baseline for post-program audit evidence. If a real incident occurs within the gap period, this record demonstrates organizational awareness and risk acceptance posture, which is relevant for regulatory breach notification assessments.
5
Step 5: Monitor developments, track CrowdStrike 2026 Global Threat Report publication for primary document verification of the cited statistics; monitor CISA and MITRE ATT&CK for updated guidance on AI-enabled adversary techniques as this threat class matures
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Updating threat intelligence feeds, improving detection capability, and sharing intelligence to mature organizational defenses
NIST SI-5 (Security Alerts, Advisories, and Directives) — receive system security alerts and advisories from CISA and other external organizations on an ongoing basis
NIST IR-8 (Incident Response Plan) — update the IR plan based on lessons learned and new threat intelligence
NIST RA-10 (Threat Hunting) — proactively and iteratively search through systems to detect and isolate advanced threats that evade existing controls
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — review and update vulnerability management documentation annually or when significant changes occur
Compensating Control
Subscribe to CISA's free alert feed at cisa.gov/news-events/cybersecurity-advisories (verify URL) and configure RSS ingestion into your ticketing system or email distribution list for the 'Alerts' category, filtering for AI-related or automation-enabled attack technique advisories. Monitor MITRE ATT&CK for technique updates in the Initial Access (TA0001) and Execution (TA0002) tactic categories, specifically watching for new sub-techniques under T1190 and T1068 as AI-generated exploit tooling creates novel execution patterns. Set a calendar-based review cadence (monthly) to cross-reference your detection rules against updated ATT&CK technique descriptions using the free Sigma rule repository (SigmaHQ/sigma on GitHub). When the CrowdStrike 2026 Global Threat Report primary document becomes available, validate the 27-second breakout time and 89% AI-attack increase figures cited in this advisory and update your risk register entry from Step 3 accordingly.
Preserve Evidence
Maintain a threat intelligence log documenting: date of each CISA advisory reviewed, MITRE ATT&CK version in use at time of rule validation, and any detection rule updates triggered by new AI-technique guidance. This log serves as evidence of NIST SI-5 (Security Alerts, Advisories, and Directives) compliance. If the CrowdStrike 2026 GTR primary document revises the cited statistics upon full publication, retain both the pre-publication figures used in Step 4 leadership communication and the verified post-publication figures, with a dated correction memo — this demonstrates continuous improvement per NIST 800-61r3 §4 and supports audit defensibility for risk register entries based on this advisory.
Recovery Guidance
Because AI-accelerated exploitation compresses the window between initial access and lateral movement to seconds, recovery verification must assume that any system reachable from the initially compromised host within 27 seconds of first alert is potentially compromised — do not limit forensic scope to the first-touched asset. Post-containment, validate integrity of privileged account credentials (rotate all service accounts and admin credentials that existed on affected systems, not just those with confirmed access events) and re-baseline your detection rule coverage against the MITRE ATT&CK techniques cited in this advisory (T1190, T1068, T1595, T1210, T1550, T1078) before returning systems to production. Monitor affected network segments for 14 days post-recovery using enhanced NetFlow retention and Sysmon Event ID 3 logging, as AI-driven threat actors may retain persistence mechanisms that activate on a delayed schedule or trigger on specific conditions.
Key Forensic Artifacts
Web server access logs (IIS: %SystemDrive%\inetpub\logs\LogFiles\W3SVC*\*.log, Apache/Nginx: /var/log/apache2/access.log or /var/log/nginx/access.log) — AI-generated exploit delivery targeting T1190 produces anomalous URI patterns, oversized POST bodies, or rapid sequential requests matching vulnerability-specific payloads; these logs capture the exact moment of initial access attempt and are the primary evidence source for reconstructing AI-speed attack timelines
Windows Security Event Log entries for Event ID 4624 (Successful Logon), 4625 (Failed Logon), 4648 (Explicit Credential Use), 4768 (Kerberos TGT Request), and 4769 (Kerberos Service Ticket Request) — at 27-second breakout times, these events cluster within a 30–90 second window of initial compromise and reveal the T1078/T1550 lateral movement path taken by AI-driven tooling conducting automated credential reuse across reachable systems
Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logs from the exploited host — AI-generated exploits targeting T1068 (Exploitation for Privilege Escalation) produce characteristic process lineage anomalies (e.g., web service processes spawning cmd.exe, PowerShell, or net.exe) and immediate outbound connection attempts to C2 infrastructure; these events provide the process tree evidence needed to reconstruct automated post-exploitation activity
Memory image of the exploited process (captured via WinPmem free tool or `procdump -ma <PID>` from Sysinternals) — AI-generated exploits delivered in-memory against internet-facing services leave no disk artifacts, making process memory the only forensic source for recovering shellcode, injected DLLs, or in-memory C2 beacon configurations; must be captured before process restart or system reboot destroys evidence
Network capture (pcap) of traffic from the affected host in the 60–120 seconds surrounding the initial exploitation event (captured via Wireshark `tshark -i <interface> -w capture.pcap` or firewall session logs) — AI-speed lateral movement at T1210 generates anomalous SMB/RDP/WinRM connection bursts to multiple internal hosts within seconds of initial compromise, a pattern that is statistically distinct from normal traffic and serves as the primary network-layer evidence of automated propagation
Detection Guidance
Given the adversary breakout times cited in recent threat reports (pending primary document verification), detection strategies must shift from alert-review workflows to automated containment triggers.
For reference, the CrowdStrike telemetry suggests breakout times in the range of seconds; adjust your detection thresholds accordingly.
Focus hunting and tuning efforts on the following: lateral movement velocity, flag any account authenticating to more than three internal hosts within a 60-second window (maps to T1210 , T1550 , T1078 abuse patterns); privilege escalation sequences, alert on token manipulation or unexpected privilege changes following initial access events (T1068 ); reconnaissance bursts, detect internal port scanning or account enumeration (T1595 , T1087 ) originating from workstations or servers with no prior history of that behavior; exploit-against-public-facing-application signatures, ensure WAF and IDS rules for T1190 are current and tuned against recent CVE exploit patterns, not just signatures from prior years.
Log sources to prioritize: authentication logs (failed and successful), process creation logs on Windows endpoints (especially for living-off-the-land binaries tied to credential access), and network flow data for east-west lateral movement. For organizations running CrowdStrike Falcon, verify that Identity Protection and behavioral detection modules are active and tuned to the adversary tempo outlined above. For organizations on other platforms, implement equivalent lateral movement and privilege escalation detection as outlined above, independent of vendor-specific benchmarks.
Indicators of Compromise (1)
Export as
Splunk SPL
KQL
Elastic
Copy All (1)
1 tool
Type Value Enrichment Context Conf.
⚙ TOOL
Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators
The CrowdStrike 2026 Global Threat Report is cited as the primary quantitative source for AI-enabled attack telemetry; any campaign-specific IOCs associated with the threat patterns described would be published in that report or associated CrowdStrike Intelligence advisories
LOW
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
🔒
Microsoft 365 E3
3 log sources
Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
🛡
Microsoft 365 E5
18 log sources
Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
🔍
E5 + Sentinel
27 log sources
All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
IOC Detection Queries (1)
Known attack tool — NOT a legitimate system binary. Any execution is suspicious.
KQL Query Preview
Read-only — detection query only
// Threat: Frontier AI Compresses Exploit Windows to Near-Zero, Breaking Traditional Patch-
// Attack tool: Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators
// Context: The CrowdStrike 2026 Global Threat Report is cited as the primary quantitative source for AI-enabled attack telemetry; any campaign-specific IOCs associated with the threat patterns described would be
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators"
or ProcessCommandLine has "Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators"
or InitiatingProcessCommandLine has "Pending — refer to CrowdStrike 2026 Global Threat Report for published indicators"
| project Timestamp, DeviceName, FileName, FolderPath,
ProcessCommandLine, AccountName, AccountDomain,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (2)
Sentinel rule: Web application exploit patterns
KQL Query Preview
Read-only — detection query only
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
or RequestURL has_any ("../", "..\\\\", "<script", "UNION SELECT", "\${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
Sentinel rule: Sign-ins from unusual locations
KQL Query Preview
Read-only — detection query only
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
T1190
T1210
T1550
T1588.006
T1587.004
T1078
+4
CA-8
RA-5
SC-7
SI-2
SI-7
AC-6
+8
6.3
5.4
6.8
6.1
6.2
7.3
+1
MITRE ATT&CK Mapping
T1190
Exploit Public-Facing Application
initial-access
T1210
Exploitation of Remote Services
lateral-movement
T1550
Use Alternate Authentication Material
defense-evasion
T1588.006
Vulnerabilities
resource-development
T1078
Valid Accounts
defense-evasion
T1087
Account Discovery
discovery
T1595
Active Scanning
reconnaissance
T1212
Exploitation for Credential Access
credential-access
T1068
Exploitation for Privilege Escalation
privilege-escalation
Guidance Disclaimer
