Severity: CRITICAL
CVSS: 9.5
Priority: 0.888
Executive Summary
On May 18, 2026, attackers compromised a developer's machine at Nrwl and pushed a malicious update to the Nx Console VS Code extension, exposing a large population of developers for approximately 11 minutes. The payload stole developer credentials across AWS, GitHub, npm, 1Password, and Anthropic Claude Code. The most serious business risk is downstream: stolen npm OIDC tokens were used to publish poisoned packages carrying valid cryptographic provenance signatures, meaning malicious code can enter your software supply chain appearing fully trusted and verified.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: CRITICAL (immediate action required)
Actor Attribution: HIGH (Unknown — initial access vector not disclosed by Nx maintainers)
TTP Sophistication: HIGH (16 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (Multiple evasion techniques observed)
Target Scope: INFO (Nx Console VS Code Extension (nrwl.angular-console v18.95.0); Microsoft Visual Studio Code; Cursor; JetBrains IDEs; 1Password; Anthropic Claude Code; npm; GitHub; AWS)
Business Context
A compromised developer tool pushed malicious code directly into the environments of an estimated 2.2 million software developers, exposing cloud access keys, code repository credentials, and package publishing tokens. Any organization whose developers installed the malicious version may have had AWS infrastructure, GitHub repositories, and software release pipelines silently accessed by an unknown attacker. The most severe financial and reputational exposure comes from the downstream poisoning risk: if stolen publishing credentials were used before detection, your customers and partners may have unknowingly installed attacker-controlled software packages that carry legitimate-looking security certificates.
You Are Affected If
Developers in your organization use the Nx Console VS Code extension (nrwl.angular-console) and had version 18.95.0 installed on or after May 18, 2026
Developer machines had AWS credential files (~/.aws/credentials), GitHub tokens, or npm authentication tokens (~/.npmrc) accessible during the exposure window
Your organization publishes npm packages and uses npm OIDC tokens or Sigstore/SLSA provenance attestations in your CI/CD pipeline
Developer machines run VS Code, Cursor, or JetBrains IDEs with VS Code extension compatibility enabled
Your organization's downstream consumers or CI/CD pipelines automatically trust Sigstore-backed SLSA provenance attestations without signer identity pinning
Board Talking Points
Attackers inserted malicious code into a widely used developer tool and used stolen credentials to publish poisoned software packages that appear cryptographically verified — the attack subverted the security controls designed to catch exactly this kind of tampering.
Security teams should immediately identify affected developer machines, rotate all cloud and code repository credentials from those machines, and audit any software your organization published after May 18, 2026.
Organizations that do not act risk undetected attacker access to cloud infrastructure and the possibility that compromised software packages bearing your organization's trusted signature have already reached customers or partners.
Technical Analysis
Affected component: Nx Console VS Code extension (nrwl.angular-console), version 18.95.0, distributed via the VS Code Marketplace.
The attack originated from a compromised developer machine with publish access to the extension.
The malicious payload is a multi-stage credential stealer targeting 1Password vaults, AWS credential files (~/.aws/credentials), GitHub tokens, npm authentication tokens (~/.npmrc), and Anthropic Claude Code credentials.
Exfiltration uses multiple channels: HTTPS (T1071.001), GitHub API webhooks (T1102.001), and DNS tunneling (T1071.004).
The novel escalation path: stolen npm OIDC tokens, when combined with Sigstore integration, allow the attacker to publish downstream npm packages with valid SLSA provenance attestations and cryptographic signatures (T1553.002). These packages pass signature verification in CI/CD pipelines that trust Sigstore-backed attestations, constituting supply chain compromise at the verification layer, not merely the package layer.
The credentials hardcoded into the exfiltration logic are embedded in plaintext within the malicious code and are not otherwise protected.
No CVE has been assigned at time of publication. Version 18.95.0 should be considered compromised; users should verify the currently installed version and rotate all credentials accessible from affected developer machines. Patch status: Nrwl pulled version 18.95.0 from the marketplace; users should confirm they are on a clean version.
Sources: StepSecurity blog, The Hacker News, GitHub issue #1955 (all T3, search-retrieved; recommend human validation before actioning).
Action Checklist (IR enriched)
Triage Priority:
IMMEDIATE
Escalate immediately to CISO, legal counsel, and potentially SEC/breach notification counsel if any poisoned npm packages were published to the public registry or consumed by downstream customers, as this constitutes a supply chain breach with potential third-party harm and regulatory notification obligations under applicable state breach laws, GDPR Article 33, or SOC 2 contractual requirements.
Step 1: Containment — Query endpoint management (Intune, Jamf, osquery) using your software inventory to identify all developer machines where nrwl.angular-console v18.95.0 was installed between May 18, 2026, and remediation. Remove the extension from VS Code, Cursor, and any JetBrains IDE that syncs VS Code extensions. Treat every identified machine as fully compromised for credential purposes. (Cite: CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.3 — Address Unauthorized Software / D3-UAP — User Account Permissions)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST CM-7 (Least Functionality)
CIS 2.3 (Address Unauthorized Software)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
Compensating Control
Run `code --list-extensions | grep angular-console` on each developer workstation or deploy as a one-liner via Ansible/SSH: `ssh user@host 'code --list-extensions 2>/dev/null | grep -i angular-console'`. For JetBrains sync, check `~/.config/JetBrains/*/options/other.xml` or the JetBrains Toolbox sync directory for extension manifests. Force-remove with `code --uninstall-extension nrwl.angular-console`. On Windows, check `%USERPROFILE%\.vscode\extensions\nrwl.angular-console-18.95.0` and delete the directory. Document machine hostnames and timestamps before removal.
Preserve Evidence
Before removing the extension, preserve: the extension directory contents at `~/.vscode/extensions/nrwl.angular-console-18.95.0/` (hash all files with `sha256sum *` or `Get-FileHash`); VS Code extension installation logs at `~/.config/Code/logs/` (Linux) or `%APPDATA%\Code\logs\` (Windows); the extension's `package.json` and any bundled JS files for malware analysis; Cursor extension path at `~/.cursor/extensions/`; JetBrains plugin cache at `~/.local/share/JetBrains/` or `%APPDATA%\JetBrains\`. Capture a full memory image if the IDE was running during the May 18 exposure window — the payload may have executed in the extension host process and left artifacts in heap memory.
Step 2: Detection — Review AU-2-defined event types across all relevant log sources for the May 18 exposure window. Query AU-6-governed audit records for: anomalous DNS subdomain query patterns from developer workstations consistent with data encoding (T1071.004); GitHub audit log entries for unexpected token creation, OAuth authorization, and repository access; npm publish events by accounts on affected machines; AWS CloudTrail API calls originating from ~/.aws/credentials on flagged hosts; and HTTPS POST traffic to unknown external endpoints from IDE processes. Verify AU-8 timestamps are synchronized to establish accurate event sequencing. (Cite: NIST AU-2 — Event Logging / NIST AU-6 — Audit Record Review, Analysis, and Reporting / NIST AU-8 — Time Stamps / CIS 8.2 — Collect Audit Logs / D3-SFA — System File Analysis / D3-LAM — Local Account Monitoring)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST SI-4 (System Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
CIS 8.2 (Collect Audit Logs)
Compensating Control
DNS tunneling detection: export DNS query logs from Pi-hole, BIND query logs, or router syslog and run `awk '{print $NF}' dns.log | awk -F. '{print $(NF-1)"."$NF}' | sort | uniq -c | sort -rn` — look for high-entropy subdomains or unusually high query counts to a single second-level domain from IDE processes. For GitHub audit logs, use `gh api /orgs/{org}/audit-log --paginate | jq '.[] | select(.created_at >= "2026-05-18T00:00:00Z")' > github_audit.json` and filter on `action: "token.create"`, `npm.publish`, and `oauth_application.create`. For AWS CloudTrail without SIEM, use AWS CLI: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=<compromised-iam-user> --start-time 2026-05-18T00:00:00Z | jq '.Events[] | {EventTime, EventName, SourceIPAddress}'`. For process-level network traffic, deploy Sysmon with Event ID 3 (Network Connection) filtering on `code.exe`, `cursor.exe`, and `idea64.exe` as parent processes making outbound connections to non-Microsoft, non-GitHub IP ranges.
Preserve Evidence
Collect before analysis: Sysmon Event ID 1 (Process Create) and Event ID 3 (Network Connection) logs for `code --extensionHostProcess` and child processes spawned during May 18 exposure window; DNS resolver cache snapshots (`ipconfig /displaydns` on Windows, `resolvectl query` on Linux) from affected workstations captured before reboot; AWS CloudTrail logs filtered to the IAM principal associated with `~/.aws/credentials` on each affected machine for the window 2026-05-18T00:00:00Z to remediation time; GitHub audit log exports showing token last-used timestamps and source IPs; `~/.npmrc` file (contains npm auth token — do not transmit in plaintext, hash and vault); browser localStorage and session storage from VS Code's Electron renderer process at `~/.config/Code/Local Storage/` which may contain cached OAuth tokens.
Step 3: Eradication — Rotate all credentials accessible on affected developer machines: revoke and reissue AWS IAM keys, GitHub personal access tokens and OAuth tokens, npm authentication tokens (~/.npmrc), 1Password service account credentials if the vault was unlocked during the exposure window, and Anthropic Claude Code API keys. Revoke and reissue npm OIDC tokens used in CI/CD pipelines. Apply AC-2 account management procedures to disable any session tokens that cannot be immediately rotated. Use CIS 6.2 access revoking process to automate token invalidation where supported. (Cite: NIST AC-2 — Account Management / CIS 6.2 — Establish an Access Revoking Process / D3-CRO — Credential Rotation / D3-CH — Credential Hardening)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST IA-5 (Authenticator Management)
NIST AC-2 (Account Management)
NIST SI-2 (Flaw Remediation)
CIS 5.2 (Use Unique Passwords)
CIS 6.2 (Establish an Access Revoking Process)
Compensating Control
AWS IAM rotation: `aws iam list-access-keys --user-name <user>` to enumerate, then `aws iam update-access-key --access-key-id <key-id> --status Inactive` to disable before deletion. GitHub PAT revocation: navigate to Settings > Developer settings > Personal access tokens and revoke all tokens; for org-level, use `gh api -X DELETE /user/installations/<id>` for OAuth apps. npm token rotation: `npm token revoke <token>` for each token listed via `npm token list`. For CI/CD OIDC token reissuance, update the GitHub Actions OIDC trust policy in the repository's `.github/workflows/*.yml` to require a new subject claim format and rotate the npm automation token in repo secrets. Package tampering check: for each post-May-18 published package, run `npm pack <package>@<version> --dry-run` locally from a clean machine and diff the printed file list against `git archive HEAD | tar -tz` output — any file present in the published tarball but absent from the git tree is a red flag.
Preserve Evidence
Before rotating credentials, preserve forensic copies of: `~/.aws/credentials` and `~/.aws/config` (vault these — do not email); `~/.npmrc` full contents including registry auth tokens; VS Code Electron keychain entries via `secret-tool search --all application 'VS Code'` (Linux) or Windows Credential Manager export (`cmdkey /list`); 1Password CLI session token cache at `~/.op/` if the agent was running; Anthropic API key references in shell history (`~/.bash_history`, `~/.zsh_history`) and in `.env` files recursively under the developer's home directory (`find ~ -name '.env' -exec grep -l ANTHROPIC {} \;`); GitHub Actions workflow run logs for any pipeline executions triggered by affected accounts on or after May 18, 2026.
Step 4: Recovery — Audit all npm packages your organization published or consumed between May 18 and the remediation date. Verify Sigstore/SLSA attestations on recently published packages against expected signing identities — a valid attestation signed by a compromised OIDC token will appear legitimate and must be treated as suspect. Apply D3-SFA monitoring to detect unauthorized modification of package build artifacts and configuration files. Re-run CI/CD pipelines using clean credentials. Confirm affected extensions are uninstalled and replaced with a verified clean version. Use AU-9 protections to ensure audit records produced during this period have not been tampered with. (Cite: NIST AU-9 — Protection of Audit Information / NIST AC-3 — Access Enforcement / CIS 2.2 — Ensure Authorized Software is Currently Supported / D3-SFA — System File Analysis / D3-ACA — Active Certificate Analysis)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CP-10 (System Recovery and Reconstitution)
NIST IR-4 (Incident Handling)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
Compensating Control
Sigstore attestation verification: use the `cosign` CLI (`cosign verify-attestation --type slsaprovenance <package>`) and cross-check the `Issuer` and `Subject` fields in the Rekor transparency log entry against your known-good OIDC subject (e.g., `https://github.com/<org>/<repo>/.github/workflows/publish.yml@refs/heads/main`). Any attestation where the OIDC subject matches an affected developer's identity or an unexpected workflow path should be treated as poisoned. For package content auditing without tooling: `npm pack <package>@<version>` to download the tarball, then hash the tarball itself (`sha256sum <tarball>`) and compare against a pre-incident hash from your artifact registry, or `sha1sum <tarball>` against `npm view <package>@<version> dist.shasum` (a SHA-1; note that the registry's own shasum only confirms you downloaded what was published, not that what was published was clean). Clean VS Code extension reinstall: run `code --install-extension nrwl.angular-console@<clean-version>` only after confirming the VSIX hash against the publisher's GitHub release SHA.
Preserve Evidence
Collect before clearing systems for reuse: Sigstore Rekor transparency log entries for all npm packages published by affected accounts between May 18 and remediation — retrieve via `rekor-cli search --email <developer-email> --format json > rekor_entries.json`; npm publish audit trail from `npm audit` and registry publish history (`npm info <package> time`); CI/CD pipeline artifact hashes from GitHub Actions run summaries for any workflow triggered during the exposure window; a before/after diff of `package-lock.json` and `yarn.lock` files in any repository where affected developers merged PRs after May 18 — dependency confusion or subtle version pin changes are a secondary attack vector.
Step 5: Post-Incident — Address structural supply chain gaps exposed by this attack. Implement signer identity pinning (expected OIDC issuer and subject) in your SLSA attestation trust policy rather than trusting any valid Sigstore signature. Enforce short-lived OIDC tokens for npm publish workflows. Apply AC-6 least privilege to restrict which developer accounts hold npm publish rights. Require MFA on all accounts with marketplace publish access per CIS 6.5. Apply D3-SICA analysis to IDE extension startup configurations to detect persistence mechanisms (T1547.011). Evaluate whether IDE extensions are subject to the same supply chain controls as production dependencies, and document findings under CIS 7.1 vulnerability management process. (Cite: NIST AC-6 — Least Privilege / NIST AC-20 — Use of External Systems / CIS 6.5 — Require MFA for Administrative Access / CIS 7.1 — Establish and Maintain a Vulnerability Management Process / D3-SICA — System Init Config Analysis / D3-MFA — Multi-factor Authentication)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SA-12 (Supply Chain Protection)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-7 (Least Functionality)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 2.1 (Establish and Maintain a Software Inventory)
Compensating Control
OIDC signer identity pinning: in your GitHub Actions workflow, add a `permissions: id-token: write` scope restriction and use `cosign` with `--certificate-identity-regexp` and `--certificate-oidc-issuer` flags to enforce that only your org's specific workflow subject can be considered a valid publisher. IDE extension allowlisting: create a `.vscode/extensions.json` with a controlled `recommendations` list, enforce via a pre-commit hook that fails if `code --list-extensions` output contains extensions not on the allowlist (`comm -23 <(code --list-extensions | sort) <(sort allowlist.txt)`). Developer machine compromise detection without EDR: deploy Sysmon with a community config (e.g., SwiftOnSecurity or Olaf Hartong's modular config) and forward Event IDs 1, 3, 7, 11, 22 to a central syslog server; write a Sigma rule targeting `code --extensionHostProcess` spawning `cmd.exe`, `powershell.exe`, or `curl` as child processes — these are anomalous for a legitimate IDE extension.
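The signer identity pinning described in Step 4 and Step 5 above, as an added Python policy check (not code from the original page, nor from Nx, npm or Sigstore): it takes the decoded in-toto Statement of a SLSA v1 provenance attestation plus the signer identity and OIDC issuer from its Fulcio certificate, and decides whether a signature that already verifies is one the pipeline should trust. The package, repository, digests and both sample statements are constructed; the predicate layout assumed is the one GitHub Actions emits for SLSA v1 (`buildDefinition.externalParameters.workflow.{repository,path,ref}`).

```python
import re
from dataclasses import dataclass

# Document types carried in an npm provenance bundle (in-toto Statement wrapping SLSA v1).
IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
GITHUB_ACTIONS_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class TrustPolicy:
    """What we pin for one package: issuer, signer identity and the build allowed to produce it."""
    expected_issuer: str
    identity_regexp: str          # full-match regex over the Fulcio certificate's signer identity
    expected_repository: str      # e.g. https://github.com/<org>/<repo>
    expected_workflow_path: str   # e.g. .github/workflows/publish.yml
    allowed_refs: tuple           # e.g. ("refs/heads/main",)


def check_provenance(statement, signer_identity, signer_issuer, tarball_sha256, policy):
    """Return policy findings for one attestation; an empty list means 'trusted'.

    Signature validity is assumed to have been established already (e.g. by
    `npm audit signatures` or a Sigstore client). This answers the separate
    question the page raises: is this *valid* signature one we should trust?
    """
    findings = []
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        findings.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        findings.append(f"unexpected predicate type {statement.get('predicateType')!r}")

    # 1. The attestation must describe exactly the tarball we downloaded.
    digests = {s.get("digest", {}).get("sha256") for s in statement.get("subject", [])}
    if tarball_sha256 not in digests:
        findings.append("subject digest does not match the downloaded tarball")

    # 2. Pin issuer and signer identity instead of accepting any valid Sigstore signature.
    if signer_issuer != policy.expected_issuer:
        findings.append(f"unexpected OIDC issuer {signer_issuer!r}")
    if not re.fullmatch(policy.identity_regexp, signer_identity):
        findings.append(f"signer identity {signer_identity!r} is not the pinned publisher")

    # 3. The build definition in the predicate must name the expected repo, workflow and ref.
    workflow = (statement.get("predicate", {})
                .get("buildDefinition", {})
                .get("externalParameters", {})
                .get("workflow", {}))
    if workflow.get("repository") != policy.expected_repository:
        findings.append(f"provenance names repository {workflow.get('repository')!r}")
    if workflow.get("path") != policy.expected_workflow_path:
        findings.append(f"provenance names workflow path {workflow.get('path')!r}")
    if workflow.get("ref") not in policy.allowed_refs:
        findings.append(f"provenance names ref {workflow.get('ref')!r}")

    # 4. The certificate identity and the predicate must describe the same build.
    claimed = f"{workflow.get('repository')}/{workflow.get('path')}@{workflow.get('ref')}"
    if claimed != signer_identity:
        findings.append("certificate identity and provenance build definition disagree")
    return findings


# ---- constructed sample data (not real packages, digests or attestations) ----
REPO = "https://github.com/example-org/widget"
POLICY = TrustPolicy(
    expected_issuer=GITHUB_ACTIONS_ISSUER,
    identity_regexp=re.escape(f"{REPO}/.github/workflows/publish.yml@refs/heads/main"),
    expected_repository=REPO,
    expected_workflow_path=".github/workflows/publish.yml",
    allowed_refs=("refs/heads/main",),
)
TARBALL_SHA256 = "11" * 32  # placeholder standing in for sha256sum of the downloaded .tgz


def make_statement(path, ref, digest):
    """Build a minimal SLSA v1 provenance Statement in the GitHub Actions layout (constructed)."""
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "predicateType": SLSA_PROVENANCE_V1,
        "subject": [{"name": "pkg:npm/%40example-org/widget@1.2.3", "digest": {"sha256": digest}}],
        "predicate": {"buildDefinition": {"externalParameters": {
            "workflow": {"repository": REPO, "path": path, "ref": ref}}}},
    }


def audit_samples():
    """Run the policy over a trusted publish and one signed from an unexpected workflow and ref."""
    good_identity = f"{REPO}/.github/workflows/publish.yml@refs/heads/main"
    suspect_identity = f"{REPO}/.github/workflows/ci.yml@refs/heads/feature-x"
    good = make_statement(".github/workflows/publish.yml", "refs/heads/main", TARBALL_SHA256)
    suspect = make_statement(".github/workflows/ci.yml", "refs/heads/feature-x", TARBALL_SHA256)
    return {
        "good": check_provenance(good, good_identity, GITHUB_ACTIONS_ISSUER, TARBALL_SHA256, POLICY),
        "suspect": check_provenance(suspect, suspect_identity, GITHUB_ACTIONS_ISSUER,
                                    TARBALL_SHA256, POLICY),
    }


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "trusted" if not findings else findings)
```

The "suspect" sample carries a perfectly valid signature; it is rejected only because the identity, workflow path and ref are not the pinned ones, which is the point of the Step 5 control.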
Preserve Evidence
For the lessons-learned report, preserve and analyze: the full Rekor transparency log search results for all packages published via compromised OIDC tokens to establish the blast radius of downstream poisoning; a timeline reconstruction built from GitHub audit log, AWS CloudTrail, and npm publish history showing the sequence from extension installation to credential exfiltration to downstream package publish; the malicious extension's bundled JavaScript (deobfuscated if necessary using `node --inspect` or `js-beautify`) to document exact exfiltration targets and methods for detection rule development; any network PCAP captured from affected workstations during the exposure window showing the C2 POST requests, for IOC extraction (destination IPs, URI patterns, User-Agent strings, payload structure).
Recovery Guidance
After credential rotation and clean pipeline execution, monitor npm publish activity for all affected developer accounts and CI/CD service accounts for a minimum of 30 days, as threat actors who obtained OIDC tokens may have pre-positioned access in GitHub Actions environments not yet discovered. Treat any npm package published between May 18, 2026, and the completion of full credential rotation as potentially tampered — notify downstream consumers and consider yanking and republishing those versions with a verified clean build. Maintain heightened AWS CloudTrail alerting on the rotated IAM principals for at least 60 days to detect any delayed use of credentials exfiltrated before rotation completed.
Key Forensic Artifacts
VS Code extension host process artifacts: directory `~/.vscode/extensions/nrwl.angular-console-18.95.0/` including all bundled JavaScript files — the malicious payload would be embedded here as obfuscated JS executed in the extension host process; hash all files before removal
Sysmon Event ID 3 (Network Connection) records showing outbound HTTPS POST connections from `code --extensionHostProcess` (PID resolvable via Event ID 1 parent-child chain) to non-IDE infrastructure during the May 18 exposure window — these capture the exfiltration C2 beacon
AWS CloudTrail `GetCallerIdentity`, `ListBuckets`, and any `sts:AssumeRole` events sourced from developer workstation IPs using long-lived IAM keys from `~/.aws/credentials`, timestamped within the 11-minute exposure window or shortly after, indicating automated credential harvesting and immediate abuse
Sigstore Rekor transparency log entries (`rekor-cli search --email <affected-developer>`) for npm packages published after May 18 — a poisoned package will show a valid OIDC attestation but the signing event timestamp and source IP will be anomalous relative to the developer's normal publish pattern
Shell history files (`~/.bash_history`, `~/.zsh_history`) and VS Code Electron LevelDB stores at `~/.config/Code/Local Storage/leveldb/` which may contain cached GitHub OAuth tokens, npm session tokens, or Anthropic API keys written by the extension payload as part of its harvesting routine
Detection Guidance
Detection for this campaign requires coordinated monitoring across endpoint, network, and cloud audit log sources, grounded in NIST AU-2 (Event Logging) and AU-6 (Audit Record Review, Analysis, and Reporting), with log collection enforced per CIS 8.2.
1. EXTENSION INVENTORY (CIS 2.1 / D3-SFA): Query endpoint management platforms (Intune, Jamf, osquery) for installed VS Code extensions matching nrwl.angular-console at exactly version 18.95.0. Flag any machine with a match as a priority investigation target. This is your fastest scoping action.
2. DNS TUNNELING DETECTION (NIST AU-2 / AU-6 / D3-LAM): Search DNS resolver logs for high-frequency subdomain queries originating from developer workstations on May 18, 2026. Indicators: long randomized-looking subdomain labels, elevated query rate to a single apex domain, query volume inconsistent with normal developer activity. This maps to T1071.004 (Application Layer Protocol: DNS). AU-8 timestamp synchronization is required to correctly sequence these events against the 11-minute exposure window.
3. GITHUB AUDIT LOG (NIST AU-6 / AU-12 / CIS 8.2): Filter GitHub organization audit logs for token creation events, new OAuth application authorizations, unexpected repository access, and repository push events from accounts associated with affected machines. Scope the query to May 18, 2026. Cross-reference against AC-2-managed account inventory to identify accounts that should not have had publish or admin access.
4. NPM PUBLISH AUDIT (NIST AU-6 / AU-10 / D3-SFA): Query the npm registry for packages published by developer accounts linked to affected machines after May 18. Cross-reference against expected release schedules and source repository commit hashes. Any package published via a compromised OIDC token will carry a valid Sigstore attestation — use D3-ACA (Active Certificate Analysis) to inspect the signing identity embedded in the attestation, not just the validity of the signature. A valid signature from an unexpected or revoked OIDC subject is a positive indicator of downstream poisoning (T1553.002, T1195.001).
5. AWS CLOUDTRAIL (NIST AU-6 / AU-3 / CIS 8.2): Search CloudTrail for API calls using access keys stored in ~/.aws/credentials on flagged developer machines. Prioritize: calls outside normal working hours, calls from unexpected source IPs, IAM role assumption events, and S3 or Secrets Manager access. AU-3 requires that records establish what occurred, when, where, and who — verify these fields are populated before drawing conclusions.
6. ENDPOINT PROCESS BEHAVIOR (NIST AU-2 / D3-SFA / D3-SICA): On endpoint detection platforms, search for IDE processes (Code, Cursor, JetBrains) spawning unexpected child processes or executing Python or JavaScript interpreters outside normal extension activity (T1059.006, T1059.007). Apply D3-SICA analysis to extension startup configuration paths to detect persistence modifications (T1547.011). Monitor for unauthorized reads of ~/.aws/credentials, ~/.npmrc, and 1Password vault files by processes other than their expected owners.
7. OUTBOUND HTTPS EXFILTRATION (NIST AU-2 / D3-PBWSAM / D3-EBWSAM): Review proxy or firewall logs for HTTPS POST requests to unknown external endpoints originating from IDE processes on May 18 (T1071.001, T1567.001). Apply D3-PBWSAM or D3-EBWSAM controls to mediate and log outbound web traffic from developer endpoints. Anomalous destinations contacted by extension-host processes are a strong behavioral indicator.
All log sources must be retained per AU-11 (Audit Record Retention) to support post-incident forensic analysis. AU-9 (Protection of Audit Information) must be verified to confirm logs from the exposure window have not been modified or deleted.
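The DNS tunneling heuristic from Step 2's compensating control and item 2 above, as an added Python example (not code from the original page): it groups queries per client and apex domain and flags the pattern the page describes, a high query count to one apex with mostly unique, high-entropy subdomain labels. The log layout and every line are constructed; only `parse_line` needs changing for a real Pi-hole, BIND or syslog export.

```python
import math
from collections import Counter, defaultdict

# Constructed sample in a simple "<utc-time> <client> <qtype> <qname>" layout.
_HEX = "0123456789abcdef0123456789abcdef"
_LABELS = [_HEX[5 * i:] + _HEX[:5 * i] for i in range(6)]   # six distinct random-looking labels
SAMPLE_DNS_LOG = (
    ["2026-05-18T10:02:01Z 10.0.0.5 A marketplace.visualstudio.com",
     "2026-05-18T10:02:02Z 10.0.0.5 A api.github.com"]
    # six queries in one minute, each with a unique 32-char label under one apex
    + [f"2026-05-18T10:02:{3 + i:02d}Z 10.0.0.5 TXT {_LABELS[i]}.exfil-example.test"
       for i in range(6)]
    # a busy but benign client: many queries, always the same low-entropy name
    + [f"2026-05-18T10:03:{i:02d}Z 10.0.0.7 A registry.npmjs.org" for i in range(8)]
)


def shannon_entropy(text):
    """Bits per character of `text`; encoded data scores well above ordinary host names."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line):
    """Return (client, qname) or None for a line in the constructed layout."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _time, client, _qtype, qname = parts
    return client, qname.rstrip(".").lower()


def split_apex(qname):
    """Apex = last two labels, as in the page's awk one-liner; everything left of it is the
    subdomain. (A public-suffix list is needed to treat names like example.co.uk correctly.)"""
    labels = qname.split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze_dns_log(lines, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Flag (client, apex) pairs with many queries whose subdomains are mostly unique and
    high-entropy: the signature of data encoded into DNS labels (T1071.004)."""
    subdomains = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname = parsed
        split = split_apex(qname)
        if split is None:
            continue
        apex, sub = split
        subdomains[(client, apex)].append(sub)

    flagged = []
    for (client, apex), subs in subdomains.items():
        n = len(subs)
        if n < min_queries:
            continue
        unique_ratio = len(set(subs)) / n
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / n
        mean_label_len = sum(len(s) for s in subs) / n
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged.append({"client": client, "apex": apex, "queries": n,
                            "unique_ratio": unique_ratio, "mean_entropy": mean_entropy,
                            "mean_label_len": mean_label_len})
    return sorted(flagged, key=lambda f: (-f["queries"], f["client"]))


if __name__ == "__main__":
    for hit in analyze_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['client']} -> {hit['apex']}: {hit['queries']} queries, "
              f"unique={hit['unique_ratio']:.2f}, entropy={hit['mean_entropy']:.2f} bits")
```

Tune the three thresholds against a day of baseline traffic before alerting; CDN and telemetry domains also produce unique labels, but rarely with the entropy and label length of encoded data.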
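The extension-host child-process rule from Step 5's compensating control and item 6 above, as an added Python example (not the page's code, and not a Sigma rule): it classifies Sysmon Event ID 1 records whose parent is an IDE extension host. The events are constructed; `--type=extensionHost` is VS Code's own extension host flag (assumed here alongside the page's `--extensionHostProcess` marker), and the expected-children allowlist is a placeholder to baseline per site.

```python
import ntpath  # splits on both "\" and "/", so this also runs on a Linux analysis box

IDE_IMAGES = {"code.exe", "cursor.exe", "idea64.exe"}
# The page's marker plus VS Code's own extension-host process flag (assumed, not from the page).
EXTENSION_HOST_MARKERS = ("--extensionHostProcess", "--type=extensionHost")
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe"}
# Placeholder allowlist: children a baseline shows extensions legitimately spawn at this site.
EXPECTED_CHILDREN = {"node.exe", "git.exe"}


def image_name(path):
    return ntpath.basename(path or "").lower()


def is_extension_host(event):
    """True when the parent of this Process Create event is an IDE's extension host."""
    parent_cmd = event.get("ParentCommandLine") or ""
    return (image_name(event.get("ParentImage")) in IDE_IMAGES
            and any(marker in parent_cmd for marker in EXTENSION_HOST_MARKERS))


def classify_event(event):
    """Verdict for one Sysmon Event ID 1 record: 'alert', 'review' or None (ignore)."""
    if event.get("EventID") != 1 or not is_extension_host(event):
        return None
    child = image_name(event.get("Image"))
    if child in SUSPICIOUS_CHILDREN:
        return "alert"       # what the page's Sigma rule would match
    if child in EXPECTED_CHILDREN:
        return None
    return "review"          # unknown child of the extension host: baseline it or escalate


def hunt(events):
    """Return every non-ignored event with its verdict, oldest first."""
    hits = []
    for ev in sorted(events, key=lambda e: e.get("UtcTime", "")):
        verdict = classify_event(ev)
        if verdict:
            hits.append({"verdict": verdict, "time": ev.get("UtcTime"), "host": ev.get("Computer"),
                         "child": image_name(ev.get("Image")), "command": ev.get("CommandLine")})
    return hits


# Constructed Sysmon Event ID 1 records using Sysmon's field names (all values are made up).
_CODE = r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-05-18 14:02:11.100", "Computer": "DEV-01",
     "ParentImage": _CODE, "ParentCommandLine": f'"{_CODE}" --type=extensionHost --pid=4120',
     "Image": r"C:\Program Files\nodejs\node.exe", "CommandLine": "node.exe server.js"},
    {"EventID": 1, "UtcTime": "2026-05-18 14:02:13.250", "Computer": "DEV-01",
     "ParentImage": _CODE, "ParentCommandLine": f'"{_CODE}" --type=extensionHost --pid=4120',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand <redacted>"},
    {"EventID": 1, "UtcTime": "2026-05-18 14:02:20.000", "Computer": "DEV-01",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 1, "UtcTime": "2026-05-18 14:02:31.800", "Computer": "DEV-02",
     "ParentImage": _CODE, "ParentCommandLine": f'"{_CODE}" --extensionHostProcess',
     "Image": r"C:\Python312\python.exe", "CommandLine": "python.exe -m pylint src"},
    {"EventID": 1, "UtcTime": "2026-05-18 14:02:35.400", "Computer": "DEV-02",
     "ParentImage": _CODE, "ParentCommandLine": f'"{_CODE}" --extensionHostProcess',
     "Image": r"C:\Windows\System32\curl.exe", "CommandLine": "curl.exe -s <redacted-url>"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"[{hit['verdict'].upper():6}] {hit['time']} {hit['host']} "
              f"{hit['child']}: {hit['command']}")
```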
Indicators of Compromise (3)
1 hash, 1 URL, 1 domain
Type: HASH | Value: Not publicly disclosed at time of publication | Context: File hash for malicious nrwl.angular-console v18.95.0 VSIX package — check StepSecurity blog and GitHub issue #1955 for updated indicators | Confidence: LOW
Type: URL | Value: Not publicly disclosed at time of publication | Context: HTTPS exfiltration endpoint used by the payload — monitor StepSecurity disclosure for updated network IOCs | Confidence: LOW
Type: DOMAIN | Value: Not publicly disclosed at time of publication | Context: DNS tunneling apex domain used for credential exfiltration — monitor StepSecurity disclosure for updated DNS IOCs | Confidence: LOW
Platform Playbooks
IOC Detection Queries (1)
1 URL indicator(s).
// Threat: Nx Console VS Code Extension Supply Chain Compromise Enables Sigstore-Backed Dow
let malicious_urls = dynamic(["Not publicly disclosed at time of publication"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
| project Timestamp, DeviceName, RemoteUrl, RemoteIP,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (5)
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Persistence via registry / startup
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has_any ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\Winlogon\\", "\\Services\\")
| where RegistryValueData has_any (".exe", ".dll", ".bat", ".ps1", ".vbs", "cmd", "powershell", "http")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
{
"type": "domain",
"value": "Not publicly disclosed at time of publication",
"source": "SCC Threat Intel",
"description": "DNS tunneling apex domain used for credential exfiltration \u2014 monitor StepSecurity disclosure for updated DNS IOCs",
"severity": "medium",
"action": "no_action",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-08-19T00:00:00Z"
}
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1553.002, T1543.001, T1071.001, T1027, T1071.004, T1554 (+10 more)
NIST SP 800-53: SI-3, SI-4, IA-5, SI-7, CM-3, SR-2 (+1 more)
OWASP Top 10 (2021): A07:2021, A04:2021, A08:2021
CIS Controls v8: 16.10, 5.2, 2.5, 2.6, 6.3, 15.1
ISO/IEC 27001:2022 Annex A: A.8.28, A.5.34, A.5.21, A.8.24, A.5.23
HIPAA Security Rule: 164.308(a)(5)(ii)(D), 164.312(d)
MITRE ATT&CK Mapping
T1027: Obfuscated Files or Information (defense-evasion)
T1554: Compromise Host Software Binary (persistence)
T1528: Steal Application Access Token (credential-access)
T1102.001: Dead Drop Resolver (command-and-control)
T1036.001: Invalid Code Signature (defense-evasion)
T1552.001: Credentials In Files (credential-access)
T1555: Credentials from Password Stores (credential-access)
T1567.001: Exfiltration to Code Repository (exfiltration)
T1195.001: Compromise Software Dependencies and Development Tools (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.