Severity
CRITICAL
CVSS
9.5
Priority
0.788
Executive Summary
Anthropic's Project Glasswing, built on the Mythos model, demonstrated that AI can discover vulnerabilities across major software stacks, including a 27-year-old OpenBSD flaw, at speeds that human patch cycles cannot match. Reportedly, fewer than 1% of discovered vulnerabilities were remediated, a structural gap that AI-assisted attack tooling is already exploiting: autonomous attack chains have reportedly compromised 2,516 organizations across 106 countries. This is not a single-vendor incident; it is a signal that the asymmetry between AI-accelerated offense and human-paced defense has become operationally consequential.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
CRITICAL
Critical severity — immediate action required
Actor Attribution
HIGH
Unknown — FortiGate MCP campaign actor (unattributed)
TTP Sophistication
HIGH
9 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
Firefox, Linux, FreeBSD, OpenBSD, OpenSSL, FortiGate appliances, major operating systems and browsers (unspecified versions)
Are You Exposed?
⚠ Your industry is targeted by Unknown — FortiGate MCP campaign actor (unattributed) → Heightened risk
⚠ You use products/services from Firefox → Assess exposure
⚠ 9 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
The discovery-remediation gap documented in Project Glasswing means that AI tooling can identify exploitable flaws in widely deployed software — Firefox, Linux, OpenSSL, FortiGate — faster than vendors and security teams can patch and deploy fixes. For organizations relying on perimeter appliances and standard browser stacks, this translates directly to an extended window of exposure that attackers are already exploiting: 2,516 organizations across 106 countries were reportedly compromised through AI-assisted attack chains. The reputational and operational consequences of falling into that gap — regulatory notification obligations, operational downtime, and customer trust erosion — are compounded by the fact that the attack surface is not a single patchable vulnerability but a structural lag in the security industry's response capacity.
You Are Affected If
Your organization deploys FortiGate appliances for perimeter security, VPN, or network segmentation
Your workforce uses Firefox as a standard browser in managed or unmanaged endpoints
Your infrastructure runs Linux, FreeBSD, OpenBSD, or OpenSSL in production systems
Your vulnerability management program operates on patch cycles longer than 30 days for critical-rated findings
Your perimeter management interfaces (FortiGate, firewalls, VPN concentrators) are accessible from the internet
Board Talking Points
AI tools can now discover software vulnerabilities faster than the security industry can fix them — and attackers are using the same capability to compromise organizations at scale.
We should commission an immediate review of our patch pipeline capacity and perimeter appliance exposure within the next 30 days to determine whether our current remediation timelines leave us in the gap.
Organizations that do not address this structural lag face an increasing probability of compromise through vulnerabilities that are known but not yet patched — with associated breach notification, downtime, and regulatory costs.
NIS2 (EU) — if your organization operates critical infrastructure in EU member states, AI-assisted compromise of perimeter appliances and operational systems may trigger incident notification obligations under NIS2 Article 23
DORA (EU) — financial entities using FortiGate or affected software stacks in ICT infrastructure must assess whether this threat pattern affects ICT risk management obligations under DORA Articles 5-14
NIST CSF / FISMA — US federal agencies and contractors running affected software on federal systems should assess against NIST SP 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning) requirements
Technical Analysis
Project Glasswing represents a documented inflection point in AI-assisted vulnerability research.
Operating on the Mythos model, the system reportedly achieved a 72.4% autonomous exploit success rate in testing against Firefox and identified a vulnerability in OpenBSD that had persisted undetected for 27 years, a class of flaw that conventional automated scanning and manual auditing had failed to surface across nearly three decades of security review.
The vulnerability classes involved are not novel: use-after-free (CWE-416), race conditions (CWE-362), buffer errors (CWE-119), out-of-bounds writes (CWE-787), and code injection (CWE-94) represent the same memory safety and concurrency failure patterns that security teams have managed for years.
What has changed is the speed and scale at which they can be discovered and weaponized.
The operationally significant finding is the discovery-remediation gap. If the reported figures are accurate, the vast majority of vulnerabilities identified during the project period remained unpatched, not because vendors were unresponsive, but because the volume and velocity of discovery exceeded the capacity of existing patch development and deployment pipelines. This is a structural problem, not an isolated failure.
The FortiGate MCP campaign component introduces a separate but related concern. According to security news coverage, an unattributed threat actor, reportedly using AI-assisted tooling, exploited FortiGate appliances (most likely through CVE-class flaws in the perimeter devices themselves) in attack chains that reached 2,516 organizations in 106 countries. The MITRE ATT&CK techniques mapped to this activity include T1595.002 (Vulnerability Scanning), T1190 (Exploit Public-Facing Application), T1588.006 and T1587.004 (acquiring and developing capabilities, including exploits), T1068 (Privilege Escalation via Exploitation), T1059 (Command and Scripting Interpreter), T1203 (Exploitation for Client Execution), T1003 (Credential Dumping), and T1486 (Data Encrypted for Impact). This technique chain is consistent with a full kill chain, from initial reconnaissance through operational impact (ransomware, data theft, or persistent access), executed at machine speed.
Important verification note: The source quality score for this story is 0.64, and primary sourcing is T3 (secondary news coverage and vendor advisories). The 72.4% exploit success rate, the 2,516 organization compromise figure, and the attribution of attacks to AI-assisted tooling are drawn from news coverage of the Glasswing research, not from a reviewed primary research publication. Specific CVE assignments and CVSS scores have not been independently verified against NVD or CISA KEV. The CVSS 9.5 figure in the item data is an editorial severity estimate, not an assigned score. Security teams should treat quantitative claims as directionally significant but verify against primary sources before operational reliance.
Action Checklist IR ENRICHED
Triage Priority:
IMMEDIATE
Escalate immediately if FortiGate event logs show any admin account creation or configuration change that cannot be traced to a known change ticket. Escalate likewise if Sysmon/auditd telemetry shows an interpreter process (bash, python3, perl) spawned as a child of an OpenSSL-linked service or of Firefox; these are the execution pathways consistent with AI-chained autonomous exploits against the named software stack. Also escalate if the exposure audit finds any FortiGate management interface resolvable from the public internet, given CISA's documented history of active exploitation against FortiGate perimeter devices.
Step 1: Assess exposure. Audit your environment for all software and appliances named in this story: Firefox, Linux, FreeBSD, OpenBSD, OpenSSL, and FortiGate devices; prioritize FortiGate perimeter appliances given the active exploitation attribution. Note: specific vulnerable versions have not yet been disclosed. Monitor NVD, Mozilla, and Fortinet PSIRT for CVE assignments and patch releases.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Establishing IR Capability and Asset Visibility
NIST SI-2 (Flaw Remediation)
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST RA-5 (Vulnerability Monitoring and Scanning)
CIS 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Run 'nmap -sV --script=banner -p 443,8443,8080,10443 <perimeter_range>' to identify FortiGate management interfaces exposed externally; cross-reference against the Shodan CLI ('shodan search hostname:fortigate') for internet-facing instances. For Linux/OpenBSD hosts, run 'rpm -qa' or 'dpkg -l' piped to grep for OpenSSL version strings; for FreeBSD run 'pkg info | grep -E "openssl|firefox"'. Document every host running OpenSSL versions predating 3.x as highest priority, given that AI-discovered vulnerability classes tend to target memory-management primitives present in older codebases.
Preserve Evidence
Before remediating, snapshot FortiGate running config via 'get system status' and 'show full-configuration' — capture firmware version, exposed management interface bindings (HTTPS/SSH on WAN), and any recently added admin accounts. On Linux/OpenBSD systems, record current OpenSSL version ('openssl version -a'), linked library inventory ('ldd /usr/bin/openssl'), and /etc/os-release to establish a pre-patch baseline for post-incident comparison. Save FortiGate event logs from Log & Report > System Events filtered to the last 30 days before any changes.
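To make the Step 1 inventory repeatable, the following is an added example (not part of this intelligence item, and not vendor tooling) that sorts 'openssl version' output collected from hosts into triage buckets. The inventory dictionary is constructed sample data standing in for the output of the commands above; host names are placeholders. It also handles a case the commands above gloss over: OpenBSD ships LibreSSL, whose version numbers do not line up with OpenSSL's, so those hosts land in a separate 'verify' bucket (to be tracked against OpenBSD errata) instead of being scored against the OpenSSL 3.x threshold, and hosts where collection failed are surfaced rather than silently dropped.

```python
import re
from dataclasses import dataclass

# Constructed sample: output of `openssl version` gathered per host (not real inventory data).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.1.1w  11 Sep 2023",
    "web-02": "OpenSSL 3.0.13 30 Jan 2024",
    "bsd-gw": "LibreSSL 3.8.2",            # OpenBSD host: LibreSSL, not OpenSSL
    "legacy-vpn": "OpenSSL 1.0.2u  20 Dec 2019",
    "build-box": "OpenSSL 3.2.1 30 Jan 2024",
    "unknown-host": "",                    # collection failed; must not be lost
}

VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


@dataclass(frozen=True)
class HostTls:
    host: str
    library: str    # "OpenSSL", "LibreSSL" or "unknown"
    version: tuple  # (major, minor, patch), or () when the banner did not parse
    priority: str   # "highest", "verify" or "standard"


def classify(host, banner):
    """Map one host's `openssl version` banner to a triage priority."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        # Empty or unrecognised banner: the host still needs a human look.
        return HostTls(host, "unknown", (), "verify")
    lib = m.group(1)
    ver = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    if lib == "OpenSSL" and ver[0] < 3:
        prio = "highest"      # pre-3.x OpenSSL: the bucket Step 1 singles out
    elif lib == "LibreSSL":
        prio = "verify"       # LibreSSL numbering is independent of OpenSSL's; track via OpenBSD errata
    else:
        prio = "standard"
    return HostTls(host, lib, ver, prio)


def triage(inventory):
    """Classify every host and order the result highest priority first, then by host name."""
    order = {"highest": 0, "verify": 1, "standard": 2}
    rows = [classify(h, b) for h, b in inventory.items()]
    return sorted(rows, key=lambda r: (order[r.priority], r.host))


def hosts_by_priority(inventory, priority):
    return [r.host for r in triage(inventory) if r.priority == priority]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row.priority:8} {row.host:14} {row.library} {'.'.join(map(str, row.version))}")
```

Feed it the banners your collection job gathers (SSH, configuration management, or the package commands above) and work the 'highest' list first; the 'verify' list is where OpenBSD hosts and failed collections wait for manual review.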
Step 2: Review controls. Verify that EDR telemetry covers scripting interpreter abuse (T1059), privilege escalation attempts (T1068), and credential access events (T1003); confirm FortiGate firmware is current and management interfaces are not exposed to the internet.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: Monitoring and Telemetry Coverage
NIST SI-4 (System Monitoring)
NIST AU-2 (Event Logging)
NIST AU-12 (Audit Record Generation)
NIST IR-4 (Incident Handling)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Deploy Sysmon with SwiftOnSecurity config (github.com/SwiftOnSecurity/sysmon-config) and verify Event ID 1 (Process Create) captures interpreter spawning — specifically: cmd.exe, powershell.exe, python3, perl, bash launched as child processes of Firefox, sshd, or any OpenSSL-linked service. For T1068 on Linux, enable auditd rules: 'auditctl -a always,exit -F arch=b64 -S execve -F euid=0 -k priv_esc' to catch SUID/SGID abuse. For FortiGate, enable 'config log eventfilter' with 'set admin enable' and 'set system enable' to capture firmware tampering and admin login events, then forward via syslog to a central rsyslog host.
Preserve Evidence
Query Sysmon Event ID 1 logs for processes spawned by Firefox parent PID or sshd on OpenBSD/FreeBSD hosts within the past 30 days. On FortiGate, export Log & Report > Traffic Logs and Event Logs filtering on admin login source IPs and configuration changes — autonomous exploit chains targeting FortiGate (consistent with prior T1190 Exploit Public-Facing Application campaigns against FortiGate CVEs such as CVE-2023-27997) leave admin account creation events and REST API calls in these logs. Capture '/var/log/auth.log' on Linux and '/var/log/authlog' on OpenBSD for privilege escalation indicators aligned with T1068.
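The auditd rule in the Step 2 compensating control tags every execve that runs with euid=0; on its own that is noisy, because every sudo, su and passwd invocation trips it. The following added example (not part of this intelligence item) shows the correlation the "Key Forensic Artifacts" section describes: it pairs those audit records with the sudo/su grants in auth.log and reports root-privileged executions for a logged-in, non-root user that no grant explains. Both log excerpts are constructed, the login-name to uid map is a stand-in for pwd.getpwnam(), and the timestamps are RFC 3339 as rsyslog writes them with high-precision timestamps enabled.

```python
import re
from datetime import datetime

# Constructed audit.log excerpt (not from any real incident). The key "priv_esc" is the one the
# auditctl rule in Step 2 attaches; fields are trimmed to those the correlation needs.
AUDIT_LOG = """\
type=SYSCALL msg=audit(1731585600.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=4100 pid=4101 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 ses=3 comm="sudo" exe="/usr/bin/sudo" key="priv_esc"
type=SYSCALL msg=audit(1731585601.250:202): arch=c000003e syscall=59 success=yes exit=0 ppid=4101 pid=4102 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 ses=3 comm="apt" exe="/usr/bin/apt" key="priv_esc"
type=SYSCALL msg=audit(1731589200.500:310): arch=c000003e syscall=59 success=yes exit=0 ppid=5300 pid=5301 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 ses=7 comm="sh" exe="/usr/bin/dash" key="priv_esc"
type=SYSCALL msg=audit(1731589201.000:311): arch=c000003e syscall=59 success=yes exit=0 ppid=5301 pid=5302 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=1001 ses=7 comm="python3" exe="/usr/bin/python3.11" key="priv_esc"
type=SYSCALL msg=audit(1731592800.000:400): arch=c000003e syscall=59 success=yes exit=0 ppid=6000 pid=6001 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 ses=3 comm="passwd" exe="/usr/bin/passwd" key="priv_esc"
"""

# Constructed auth.log excerpt, rsyslog RFC 3339 timestamps (same day, UTC).
AUTH_LOG = """\
2024-11-14T12:00:00.000000+00:00 web-01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
2024-11-14T12:00:00.050000+00:00 web-01 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
2024-11-14T13:00:00.000000+00:00 web-01 sshd[5290]: Accepted publickey for bob from 192.0.2.10 port 51514 ssh2
"""

USER_UIDS = {"alice": 1000, "bob": 1001}  # constructed; resolve with pwd.getpwnam() on a real host
EXPECTED_SETUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/doas", "/usr/bin/passwd"}  # legitimately euid=0
UNSET_AUID = 4294967295  # auditd's auid for processes with no login session (daemons)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"msg=audit\((\d+\.\d+):\d+\)")
SUDO_RE = re.compile(r"^(\S+)\s+\S+\s+sudo:\s+(\w+)\s+:\s.*USER=root")
SU_RE = re.compile(r"^(\S+)\s+\S+\s+su(?:\[\d+\])?:\s+\(to root\)\s+(\w+)\s")


def parse_audit(text):
    """Return each SYSCALL record as a dict of the fields the correlation uses."""
    events = []
    for line in text.splitlines():
        if "type=SYSCALL" not in line:
            continue
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        events.append({"ts": float(TS_RE.search(line).group(1)),
                       "auid": int(kv["auid"]), "uid": int(kv["uid"]), "euid": int(kv["euid"]),
                       "pid": int(kv["pid"]), "exe": kv["exe"]})
    return events


def parse_grants(text):
    """Return (epoch_seconds, uid) for every sudo/su grant of root recorded in auth.log."""
    grants = []
    for line in text.splitlines():
        m = SUDO_RE.match(line) or SU_RE.match(line)
        if m:
            grants.append((datetime.fromisoformat(m.group(1)).timestamp(), USER_UIDS.get(m.group(2))))
    return grants


def unexplained_escalations(audit_text, auth_text, window=60.0):
    """Root-privileged execve records for a logged-in non-root user with no sudo/su grant for that
    user in the preceding `window` seconds. The short window targets the burst of activity right
    after an escalation; long interactive root sessions are better tied to the pam_unix
    session-open record sharing the same ses= value."""
    grants = parse_grants(auth_text)
    hits = []
    for ev in parse_audit(audit_text):
        if ev["euid"] != 0 or ev["auid"] in (0, UNSET_AUID):
            continue  # not root, or a root/daemon login: outside this check's scope
        if ev["exe"] in EXPECTED_SETUID:
            continue  # the setuid helper that performs a legitimate grant
        explained = any(uid == ev["auid"] and 0 <= ev["ts"] - ts <= window for ts, uid in grants)
        if not explained:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for h in unexplained_escalations(AUDIT_LOG, AUTH_LOG):
        print(f"pid={h['pid']} auid={h['auid']} exe={h['exe']} ts={h['ts']:.3f}")
```

On the constructed data, alice's 'apt' run is explained by her sudo grant a second earlier, while bob's shell and python3 running as root with no grant on record are the two records that would be raised for triage.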
Step 3: Update threat model. Add AI-accelerated vulnerability discovery and autonomous exploit chaining as a named threat pattern in your threat register; the discovery-remediation gap is now a documented attack surface, not a theoretical one.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Threat Modeling and IR Plan Maintenance
NIST RA-3 (Risk Assessment)
NIST IR-8 (Incident Response Plan)
NIST PM-16 (Threat Awareness Program)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Create a threat register entry using a free risk register template (NIST IR 8286A provides a free Community Profile template) with the following fields specific to this threat pattern: Threat Name = 'AI-Autonomous Exploit Chain'; Attack Surface = 'Pre-patch window on OpenSSL, Firefox, FortiGate firmware'; Likelihood Driver = 'Discovery-remediation velocity gap (Glasswing demonstrated sub-hour discovery vs. weeks-long patch cycles)'; Impact = 'Perimeter compromise via FortiGate + lateral movement via T1059/T1068 on Linux/OpenBSD hosts'. Link this entry to your existing patch SLA policy so SLA breaches automatically elevate the residual risk score.
Preserve Evidence
Before updating the threat model, pull your historical patch SLA metrics from your ticketing system (Jira, ServiceNow, or even a spreadsheet) for OpenSSL, Firefox, and FortiGate firmware over the past 24 months — this establishes your actual discovery-to-remediation gap baseline, which the Glasswing findings suggest is structurally exploitable. Document mean time to patch (MTTP) per product line as forensic evidence of organizational exposure window if an incident later requires breach timeline reconstruction under NIST IR-5 (Incident Monitoring).
Step 4: Audit patch pipeline capacity. Assess whether your vulnerability management program can handle discovery velocity that exceeds historical CVE rates; identify where triage, testing, and deployment bottlenecks exist.
IR Detail
Preparation
NIST 800-61r3 §2 — Preparation: Resource and Capability Readiness
NIST SI-2 (Flaw Remediation)
NIST CA-7 (Continuous Monitoring)
NIST PM-4 (Plan of Action and Milestones Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
Map your patch pipeline stages on a whiteboard or spreadsheet: (1) NVD/CISA KEV ingestion, (2) affected asset identification, (3) patch testing in non-prod, (4) deployment approval, (5) verification. For each stage, record the current cycle time and responsible party. For FortiGate specifically, test whether your team can execute a firmware upgrade on a perimeter device within 72 hours of a PSIRT advisory; this is the operationally relevant threshold, given that AI-assisted tooling can develop working exploits within hours of disclosure based on Glasswing's demonstrated capability. Use CISA's free Known Exploited Vulnerabilities catalog (cisa.gov/known-exploited-vulnerabilities-catalog) as your triage input and measure how long after KEV addition your environment achieves full remediation.
Preserve Evidence
Pull your vulnerability scanner output (OpenVAS/GVM is free) filtered to Firefox, OpenSSL CVEs, and FortiGate advisories from the past 12 months; calculate the delta between CVE NVD publication date and your verified-remediated date for each. This gap analysis is the primary forensic artifact establishing organizational exposure duration — it directly quantifies how much of your environment was in the pre-patch window that AI-assisted attack tooling exploits. Preserve this data in case of regulatory inquiry under breach notification requirements.
Step 5: Communicate findings. Brief leadership on the structural gap between AI-assisted discovery and remediation capacity; frame it as an operational risk to patching SLAs, not as a single product vulnerability.
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: Lessons Learned and Organizational Improvement
NIST IR-6 (Incident Reporting)
NIST IR-8 (Incident Response Plan)
NIST PM-3 (Information Security and Privacy Resources)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Prepare a one-page risk brief structured as: (1) Current state — your MTTP for FortiGate firmware and OpenSSL patches vs. AI-assisted exploit development timelines documented in Project Glasswing reporting; (2) Gap quantification — number of assets in your environment running affected software stacks with no current CVE but within the structural exposure window; (3) Resource ask — specific headcount, tooling, or process changes needed to close the gap. Use the CISA Known Exploited Vulnerabilities catalog entry counts for FortiGate (historically 20+ KEV entries) as a concrete reference point for leadership to understand vendor-specific exploitation frequency.
Preserve Evidence
The primary evidence for this briefing is your own patch gap data from Step 4 combined with the Glasswing-reported statistic that fewer than 1% of AI-discovered vulnerabilities were remediated at time of disclosure — document this ratio against your own remediation percentage for the affected product stack. If your environment had any FortiGate management interfaces exposed per the Step 1 audit, include that finding as a concrete current-state risk indicator. Preserve all briefing materials as they establish the organizational awareness baseline, which is relevant if a subsequent incident triggers regulatory notification requirements.
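Steps 3 through 5 all rest on the same computation: for each finding, the days between NVD publication and verified remediation (or today, if still open), rolled up per product line into MTTP, SLA adherence and an overall remediation ratio to set against the reported sub-1% figure. The following is an added example of that gap analysis (not part of this intelligence item, and not any scanner's own reporting). The scanner export is constructed sample data with placeholder CVE ids, the 30-day SLA is the threshold the "You Are Affected If" criteria use, and an open finding counts against the SLA once its age passes that threshold.

```python
from datetime import date
from statistics import mean

SLA_DAYS = 30  # critical-finding SLA threshold from the "You Are Affected If" criteria above

# Constructed vulnerability-scanner export (not real scan data); CVE ids are placeholders.
# 'remediated' is None while the finding is still open.
SCAN_EXPORT = [
    {"asset": "fw-edge-01", "product": "FortiGate firmware", "cve": "CVE-EXAMPLE-0001", "published": "2024-06-10", "remediated": "2024-07-22"},
    {"asset": "fw-edge-02", "product": "FortiGate firmware", "cve": "CVE-EXAMPLE-0001", "published": "2024-06-10", "remediated": None},
    {"asset": "web-01",     "product": "OpenSSL",            "cve": "CVE-EXAMPLE-0002", "published": "2024-09-03", "remediated": "2024-09-12"},
    {"asset": "web-02",     "product": "OpenSSL",            "cve": "CVE-EXAMPLE-0002", "published": "2024-09-03", "remediated": "2024-10-30"},
    {"asset": "ws-112",     "product": "Firefox",            "cve": "CVE-EXAMPLE-0003", "published": "2024-10-01", "remediated": "2024-10-04"},
    {"asset": "ws-113",     "product": "Firefox",            "cve": "CVE-EXAMPLE-0003", "published": "2024-10-01", "remediated": "2024-10-04"},
    {"asset": "vpn-legacy", "product": "OpenSSL",            "cve": "CVE-EXAMPLE-0004", "published": "2024-04-15", "remediated": None},
]
AS_OF = date(2024, 11, 14)  # constructed report date


def _d(s):
    return date.fromisoformat(s) if s else None


def exposure_days(row, as_of):
    """Days the asset sat in the pre-patch window: NVD publication to remediation, or to as_of if still open."""
    end = _d(row["remediated"]) or as_of
    return (end - _d(row["published"])).days


def patch_gap_report(rows, as_of, sla_days=SLA_DAYS):
    """Per-product MTTP, SLA adherence and open-finding age; the Step 3/4 baseline in one table."""
    acc = {}
    for row in rows:
        p = acc.setdefault(row["product"], {"findings": 0, "remediated": 0,
                                            "closed_days": [], "open_days": [], "within_sla": 0})
        days = exposure_days(row, as_of)
        p["findings"] += 1
        if row["remediated"]:
            p["remediated"] += 1
            p["closed_days"].append(days)
        else:
            p["open_days"].append(days)
        if days <= sla_days:          # an open finding older than the SLA is already a breach
            p["within_sla"] += 1
    report = {}
    for product, p in acc.items():
        report[product] = {
            "findings": p["findings"],
            "remediated": p["remediated"],
            "mttp_days": round(mean(p["closed_days"]), 1) if p["closed_days"] else None,
            "within_sla_pct": round(100.0 * p["within_sla"] / p["findings"], 1),
            "open": len(p["open_days"]),
            "max_open_age_days": max(p["open_days"]) if p["open_days"] else 0,
        }
    return report


def overall_remediation_pct(rows):
    """Share of findings closed at all: the figure to place beside the reported sub-1% (Step 5)."""
    return round(100.0 * sum(1 for r in rows if r["remediated"]) / len(rows), 1)


if __name__ == "__main__":
    for product, stats in patch_gap_report(SCAN_EXPORT, AS_OF).items():
        print(product, stats)
    print("overall remediated:", overall_remediation_pct(SCAN_EXPORT), "%")
```

Replace SCAN_EXPORT with your scanner's CSV (OpenVAS/GVM exports carry the CVE and detection dates; the remediation date comes from your ticketing system) and keep the output with the briefing materials, since it is the exposure-duration record Step 4 asks you to preserve.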
Step 6: Monitor developments. Track NVD, CISA advisories, Mozilla security advisories, and Fortinet PSIRT for CVE assignments and patches tied to the vulnerability classes described; watch for follow-up research publication from Anthropic or Mythos-related disclosures.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: Threat Intelligence Integration
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST SI-4 (System Monitoring)
NIST IR-5 (Incident Monitoring)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Configure free RSS/Atom feed aggregation (Feedly free tier or a self-hosted FreshRSS instance) to ingest: NVD CVE feed filtered to vendors 'mozilla', 'openssl', 'fortinet', 'linux', 'freebsd', 'openbsd'; CISA KEV RSS feed; Fortinet PSIRT advisories (fortiguard.fortinet.com/psirt); and Mozilla Foundation Security Advisories (mozilla.org/en-US/security/advisories/). Set a daily 15-minute triage window to review new entries against your asset inventory from Step 1. For Mythos/Glasswing-specific research, set a Google Scholar alert for 'Project Glasswing', 'Mythos model vulnerability', and 'AI vulnerability discovery autonomous exploit' to catch peer-reviewed follow-up publications before they are widely weaponized.
Preserve Evidence
When a new CVE is assigned to any of the named products, immediately query your FortiGate logs for the specific service or interface class the CVE targets — for example, if a new OpenSSL CVE targets TLS handshake processing, query FortiGate SSL inspection logs and Linux syslog for TLS negotiation anomalies in the 30 days prior to CVE publication, as AI-assisted exploit chains may have been active in the pre-disclosure window. Preserve a 90-day rolling archive of FortiGate traffic logs, Linux /var/log/syslog, and OpenSSL application logs (Apache/Nginx access and error logs) per NIST AU-11 (Audit Record Retention) to support retroactive analysis when new CVEs are disclosed.
Recovery Guidance
Following containment of any confirmed FortiGate or OpenSSL-related compromise, verify firmware integrity by comparing the installed FortiGate firmware hash against Fortinet's published hash on PSIRT advisories before bringing the appliance back to production — autonomous exploit chains have been observed implanting persistent backdoors in perimeter firmware in prior FortiGate campaigns. Monitor all previously affected hosts for 30 days post-recovery using auditd on Linux and Sysmon on Windows endpoints for re-emergence of T1059 interpreter abuse or T1068 privilege escalation patterns that would indicate incomplete eradication or a second-stage implant. Revalidate that no new admin accounts, API keys, or SSH authorized_keys entries were added to FortiGate or Linux/OpenBSD hosts during the exposure window, as credential persistence is a primary objective of autonomous attack chains operating at the scale described (2,516 organizations).
Key Forensic Artifacts
FortiGate event logs (Log & Report > Event Logs, filtered to admin-login, system-config-change, and firmware-upgrade event types) — autonomous exploit chains targeting FortiGate perimeter appliances consistently create rogue admin accounts or modify SSL-VPN configurations as a persistence mechanism; these events appear in FortiGate system event logs even when management interface logging is set to minimal verbosity
OpenSSL application logs from web servers and VPN concentrators (/var/log/apache2/error.log, /var/log/nginx/error.log) filtered for TLS handshake failures, malloc/free errors, or segfault-adjacent entries — AI-discovered memory corruption vulnerabilities in OpenSSL (consistent with the 27-year-old OpenBSD flaw class) produce characteristic error patterns before successful exploitation achieves clean execution
Linux auditd syscall logs (/var/log/audit/audit.log) filtered for execve calls with euid=0 from non-root parent processes on hosts running OpenSSL-linked services — privilege escalation via T1068 against a kernel or library vulnerability leaves a syscall trace where the effective UID transitions from unprivileged to root without a corresponding sudo or su event in /var/log/auth.log
FreeBSD/OpenBSD kernel message logs (/var/log/messages, 'dmesg' output) for segfault or memory protection violation entries tied to sshd, httpd, or any OpenSSL-linked daemon — a 27-year-old flaw class in OpenBSD specifically is likely a memory safety issue that produces kernel-level crash artifacts or coredumps in /var/crash before a reliable exploit is achieved
Firefox parent-process telemetry via Sysmon Event ID 1 (Process Create) and Event ID 3 (Network Connection) on Windows endpoints — AI-chained browser exploits targeting Firefox as an entry point produce characteristic child process spawning (cmd.exe, powershell.exe, wscript.exe as children of firefox.exe) and outbound connection attempts from the Firefox process to C2 infrastructure, both of which are captured in Sysmon logs before any EDR behavioral alert fires
Detection Guidance
Given the MITRE techniques mapped to this campaign, focus detection efforts on the following areas.
Perimeter and initial access: Review FortiGate VPN and management interface logs for anomalous authentication attempts, unexpected firmware queries, or lateral movement originating from appliance IPs. T1190 exploitation of public-facing appliances often leaves traces in web application logs as malformed requests or unexpected HTTP method patterns.
Post-exploitation behavior: Hunt for T1059 activity, unusual scripting interpreter invocations (Bash, Python, PowerShell) spawned from processes that do not normally execute them. Correlate with T1068 privilege escalation attempts: look for processes spawning with elevated privileges without a corresponding user-initiated sudo or equivalent event. T1003 credential dumping leaves artifacts in LSASS access events on Windows and in /etc/shadow access attempts on Linux systems.
Memory safety exploitation patterns: Given the memory safety vulnerability classes involved (CWE-416 use-after-free and CWE-787 out-of-bounds write), exploitation against browsers like Firefox typically manifests as renderer process crashes followed immediately by unexpected network connections or process spawning. Enable crash telemetry and correlate browser crash events with outbound connection anomalies.
Discovery-phase indicators: T1595.002 vulnerability scanning from external sources targeting your perimeter appliances may appear in firewall logs as systematic port sweeps or repeated probes against management ports (8443, 443, 22) from rotating IP ranges.
Log sources to prioritize: FortiGate syslog and PSIRT advisories, EDR process creation and network events, browser crash telemetry, authentication logs for perimeter devices, and outbound DNS for unexpected or newly registered domains.
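The memory-safety pattern above (browser crash, then an unexpected child process or outbound connection from the browser) is a correlation, not a single-event match, which is why EDR signatures tend to miss it. The following added example (not part of this intelligence item, and not any EDR vendor's logic) runs that correlation over constructed Sysmon-style events: a crash is represented by WerFault.exe spawned with firefox.exe as its parent (Event ID 1), and within a 60-second window it looks for an interpreter child of firefox.exe (Event ID 1) or a firefox.exe network connection (Event ID 3) to a port other than 80/443. Host names, paths and addresses are constructed, the event dicts are a simplified stand-in for the Sysmon fields, and the port heuristic is a placeholder for the destination-reputation check a real deployment would use.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry), simplified to the fields used here.
# id 1 = ProcessCreate (image, parent); id 3 = NetworkConnect (image, dest as "ip:port").
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EVENTS = [
    {"t": "2024-11-14T09:00:00", "id": 1, "host": "WS-112", "image": FIREFOX, "parent": r"C:\Windows\explorer.exe"},
    {"t": "2024-11-14T09:20:05", "id": 1, "host": "WS-112", "image": r"C:\Windows\System32\WerFault.exe", "parent": FIREFOX},
    {"t": "2024-11-14T09:20:07", "id": 1, "host": "WS-112",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": FIREFOX},
    {"t": "2024-11-14T09:20:09", "id": 3, "host": "WS-112", "image": FIREFOX, "dest": "198.51.100.23:4444"},
    # Ordinary crash: WerFault runs, the browser restores its session over HTTPS, nothing else follows.
    {"t": "2024-11-14T10:05:00", "id": 1, "host": "WS-200", "image": r"C:\Windows\System32\WerFault.exe", "parent": FIREFOX},
    {"t": "2024-11-14T10:05:30", "id": 3, "host": "WS-200", "image": FIREFOX, "dest": "203.0.113.5:443"},
    # Interpreter launched from the shell, outside any crash window: not correlated.
    {"t": "2024-11-14T11:00:00", "id": 1, "host": "WS-112",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe"},
]

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
BROWSER = "firefox.exe"


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_crash(ev):
    """Crash proxy: Windows Error Reporting launched with the browser as parent."""
    return ev["id"] == 1 and basename(ev["image"]) == "werfault.exe" and basename(ev["parent"]) == BROWSER


def follow_on(ev):
    """Return a signal label if the event is a suspicious follow-on to a browser crash, else None."""
    if ev["id"] == 1 and basename(ev["parent"]) == BROWSER and basename(ev["image"]) in INTERPRETERS:
        return "child:" + basename(ev["image"])
    if ev["id"] == 3 and basename(ev["image"]) == BROWSER:
        port = int(ev["dest"].rsplit(":", 1)[1])
        if port not in (80, 443):   # placeholder heuristic; use destination reputation in production
            return "net:" + ev["dest"]
    return None


def crash_correlations(events, window_s=60):
    """For each browser crash, collect suspicious follow-on events on the same host within the window."""
    window = timedelta(seconds=window_s)
    evs = sorted(events, key=lambda e: e["t"])   # ISO timestamps sort lexically
    alerts = []
    for crash in (e for e in evs if is_crash(e)):
        t0 = datetime.fromisoformat(crash["t"])
        signals = []
        for e in evs:
            if e["host"] != crash["host"]:
                continue
            t = datetime.fromisoformat(e["t"])
            if t0 < t <= t0 + window:
                s = follow_on(e)
                if s:
                    signals.append(s)
        if signals:
            alerts.append({"host": crash["host"], "crash_at": crash["t"], "signals": signals})
    return alerts


if __name__ == "__main__":
    for a in crash_correlations(EVENTS):
        print(a)
```

On the constructed data only WS-112 is raised: its crash is followed within seconds by a PowerShell child of the browser and an outbound connection to port 4444, while the WS-200 crash followed by a normal HTTPS reconnect stays quiet. The same structure applies to the Sentinel queries on this page by joining DeviceProcessEvents and DeviceNetworkEvents on DeviceName within a time bin.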
Indicators of Compromise (1)
Type: TOOL
Value: Pending — refer to Anthropic Project Glasswing primary research disclosure and Fortinet PSIRT FG-IR-26-076 for published indicators
Enrichment Context: AI-assisted exploit tooling (Mythos model) and FortiGate MCP campaign indicators including C2 infrastructure, payload hashes, and scanning signatures have been referenced in news coverage but specific values were not published in available T3 sources
Confidence: LOW
Platform Playbooks
Microsoft Sentinel / Defender
IOC Detection Queries (1)
Known attack tool — NOT a legitimate system binary. Any execution is suspicious.
KQL Query Preview
Read-only — detection query only
// Threat: AI-Driven Vulnerability Discovery Outpaces Remediation: Project Glasswing Expose
// Attack tool: Pending — refer to Anthropic Project Glasswing primary research disclosure and Fortinet PSIRT FG-IR-26-076 for published indicators
// Context: AI-assisted exploit tooling (Mythos model) and FortiGate MCP campaign indicators including C2 infrastructure, payload hashes, and scanning signatures have been referenced in news coverage but specific values were not published in available T3 sources
// The indicator below is a placeholder until a tool binary name or command-line marker is published;
// replace it before enabling this query, otherwise the query matches nothing.
let PendingIndicator = "<INDICATOR_PENDING: fill from FG-IR-26-076 or the Glasswing disclosure>";
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ PendingIndicator
    or ProcessCommandLine has PendingIndicator
    or InitiatingProcessCommandLine has PendingIndicator
| project Timestamp, DeviceName, FileName, FolderPath,
    ProcessCommandLine, AccountName, AccountDomain,
    InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Ransomware activity
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileRenamed"
// KQL has no endswith_any operator; match the extension list with a case-insensitive regex instead
| where FileName matches regex @"(?i)\.(encrypted|locked|crypto|crypt|enc|ransom)$"
| summarize RenamedFiles = count() by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where RenamedFiles > 20
| sort by RenamedFiles desc
Sentinel rule: Credential dumping / LSASS access
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("procdump.exe", "mimikatz.exe", "sekurlsa.exe")
or ProcessCommandLine has_any ("lsass", "sekurlsa", "logonpasswords", "sam hive", "ntds.dit", "dcsync")
or (FileName =~ "rundll32.exe" and ProcessCommandLine has "comsvcs.dll")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Web application exploit patterns
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor has_any ("PaloAlto", "Fortinet", "F5", "Citrix")
| where Activity has_any ("attack", "exploit", "injection", "traversal", "overflow")
    or RequestURL has_any ("../", @"..\", "<script", "UNION SELECT", "${jndi:")
| project TimeGenerated, DeviceVendor, SourceIP, DestinationIP, RequestURL, Activity, LogSeverity
| sort by TimeGenerated desc
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1588.006, T1587.004, T1486, T1003, T1595.002, T1190 (and 3 further techniques; see MITRE ATT&CK Mapping below)
NIST SP 800-53: CP-9, CP-10, AC-6, IA-5, SI-4, CA-8 (and 8 further controls not shown)
MITRE ATT&CK Mapping
T1588.006: Vulnerabilities (resource-development)
T1486: Data Encrypted for Impact (impact)
T1003: OS Credential Dumping (credential-access)
T1595.002: Vulnerability Scanning (reconnaissance)
T1190: Exploit Public-Facing Application (initial-access)
T1203: Exploitation for Client Execution (execution)
T1068: Exploitation for Privilege Escalation (privilege-escalation)
T1059: Command and Scripting Interpreter (execution)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.