Severity: HIGH | CVSS: 7.5 | Priority: 0.743
Executive Summary
A newly identified remote access trojan called CloudZ exploits the legitimate Windows Phone Link application to silently harvest one-time passwords synced from paired Android devices, bypassing SMS-based two-factor authentication without touching the mobile device. Organizations using Windows 10 or 11 with Phone Link enabled are exposed to credential theft that most endpoint detection tools will not catch. The business risk is account takeover across any system protected by SMS-based MFA, including email, banking portals, VPNs, and enterprise SaaS platforms.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH. Prioritize for investigation.
Actor Attribution: HIGH. Unknown; unattributed as of 2026-05-06.
TTP Sophistication: HIGH. 18 MITRE ATT&CK techniques identified.
Detection Difficulty: HIGH. Multiple evasion techniques observed.
Target Scope: INFO. Microsoft Windows 10, Microsoft Windows 11, Microsoft Phone Link application; ConnectWise ScreenConnect (abused as delivery/access vector).
Are You Exposed?
⚠ Your industry is targeted by Unknown (unattributed as of 2026-05-06) → Heightened risk
⚠ You use products/services from Microsoft Windows 10 → Assess exposure
⚠ 18 attack techniques identified; review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
CloudZ targets one-time passwords used to protect email, financial platforms, VPNs, and enterprise SaaS accounts, meaning a successful compromise can result in account takeover across multiple systems even when multi-factor authentication is in place. Organizations relying on SMS-based MFA as their primary second factor face the highest exposure, and the attack's invisibility to conventional endpoint tools increases dwell time and the likelihood of undetected lateral movement. Regulatory exposure is elevated for organizations subject to data protection requirements, as unauthorized access enabled by bypassed MFA may trigger breach notification obligations depending on what systems are accessed.
You Are Affected If
You run Windows 10 or Windows 11 endpoints with the Windows Phone Link application installed and an Android device paired
Users on those endpoints rely on SMS-based one-time passwords for account authentication (email, VPN, banking, SaaS)
ConnectWise ScreenConnect is present in the environment or accessible from it, whether authorized or not
Your EDR or antivirus solution does not have a detection rule for SQLite database access by non-Microsoft processes in the Phone Link data path
You have not audited or restricted RMM tool execution via application control or allowlisting policies
Board Talking Points
Attackers can bypass the text-message login codes protecting our accounts by silently reading them from company laptops — without ever touching an employee's phone.
Security teams should audit and disable the Windows Phone Link feature on sensitive systems within 72 hours, and begin migrating to stronger authentication methods within 30 days.
Organizations that take no action remain exposed to undetected account takeovers that existing security tools are unlikely to catch, increasing the risk of data breach and regulatory liability.
Technical Analysis
CloudZ is a previously undisclosed remote access trojan, active since at least January 2026 per Cisco Talos research, that deploys a custom plugin named Pheno to query the local SQLite database maintained by the Windows Phone Link application.
Phone Link syncs SMS messages from paired Android devices to the Windows host; CloudZ reads OTPs from this database without network interaction with the mobile device.
ConnectWise ScreenConnect is referenced as an abused or spoofed delivery/access vector, consistent with broader RMM-abuse patterns documented by Microsoft (T1219).
No CVE has been assigned. Applicable CWEs: CWE-522 (Insufficiently Protected Credentials), CWE-312 (Cleartext Storage of Sensitive Information), CWE-494 (Download of Code Without Integrity Check). MITRE ATT&CK techniques include T1555/T1555.003 (Credentials from Password Stores), T1005 (Data from Local System), T1083 (File and Directory Discovery), T1539 (Steal Web Session Cookie), T1219 (Remote Access Software), T1036/T1036.005 (Masquerading), T1059/T1059.001 (Command and Scripting Interpreter: PowerShell), T1053.005 (Scheduled Task), T1056/T1056.001 (Keylogging), T1113 (Screen Capture), T1105 (Ingress Tool Transfer), T1574 (Hijack Execution Flow), T1071.001 (Web Protocols C2), and T1132.001 (Standard Encoding). The SQLite read path is not monitored by most EDR or AV solutions, making detection with conventional signature-based defenses unlikely. No patch is available; mitigation is configuration- and detection-based. Attribution: unknown as of 2026-05-06.
Action Checklist (IR enriched)
Triage Priority:
IMMEDIATE
Escalate immediately to CISO and legal/privacy counsel if forensic analysis of the Phone Link SQLite database or Windows Security Event logs confirms that SMS-based OTPs were successfully read by CloudZ on any host with access to financial systems, healthcare records, PII, or privileged administrative accounts — any confirmed OTP interception on such systems triggers breach notification assessment obligations under applicable regulations (HIPAA, PCI DSS, state breach notification laws) and constitutes an active account takeover risk requiring emergency credential rotation across all downstream systems.
Step 1: Containment — Audit all Windows 10/11 endpoints for active Windows Phone Link pairings using your endpoint management console. Disable or unpair Phone Link on systems without a documented business requirement, especially privileged workstations. Block ScreenConnect binaries from unauthorized sources using application control or allowlisting. Apply AC-6 (Least Privilege) to restrict Phone Link access to only users with documented need. Verify ScreenConnect is listed as authorized software per CIS 2.1. Remove unauthorized ScreenConnect instances per CIS 2.3. Restrict process-level access to the Phone Link SQLite database path using file system ACLs per AC-3 (Access Enforcement) and CIS 3.3 (Configure Data Access Control Lists). (Cite: NIST AC-3 / NIST AC-6 / CIS 2.1 / CIS 2.3 / CIS 3.3 / D3-UAP)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy: isolate affected systems and block ongoing attacker access vectors before eradication begins
NIST IR-4 (Incident Handling)
NIST CM-7 (Least Functionality) — restrict Phone Link to documented business use only
NIST SI-4 (System Monitoring) — establish visibility into ScreenConnect binary execution at the endpoint layer
CIS 4.4 (Implement and Manage a Firewall on Servers) — block unauthorized ScreenConnect binaries via host-based application control
CIS 2.3 (Address Unauthorized Software) — treat unapproved ScreenConnect instances as unauthorized software requiring immediate removal
CIS 5.4 (Restrict Administrator Privileges to Dedicated Administrator Accounts) — prioritize Phone Link disablement on privileged workstations first
Compensating Control
For teams without enterprise MDM or SCCM: run the following PowerShell one-liner across all endpoints via PSRemoting to enumerate endpoints with the Phone Link package installed for any user (the package must be present for a pairing to exist): 'Get-AppxPackage -AllUsers -Name Microsoft.YourPhone | Select-Object Name,PackageFullName,InstallLocation'. To block ScreenConnect lookalikes without EDR, deploy a Software Restriction Policy or AppLocker rule denying execution of any binary matching the ScreenConnect naming convention (ScreenConnect.ClientService.exe, ScreenConnect.WindowsClient.exe) from %TEMP%, %APPDATA%, or other user-writable paths. Use Sysmon Event ID 1 (Process Create) with a filter on Image paths outside of the approved ScreenConnect installation directory to detect masquerading binaries (MITRE T1036.005).
Preserve Evidence
Before disabling Phone Link, capture a forensic snapshot of the Phone Link local SQLite database at %LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\ — specifically the 'FantasyPhone.db' and any .db files present — to preserve evidence of OTP messages that may have been harvested. Also collect a timestamped registry export of HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall to document ScreenConnect installation artifacts before removal. Capture running process list (tasklist /v /fo csv) and active network connections (netstat -bno) to correlate Phone Link-adjacent processes with outbound C2 connections prior to containment.
Step 2: Detection — Query endpoint telemetry for file read access to %LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\ by non-Microsoft processes. Use D3-SFA (System File Analysis) to monitor the Phone Link SQLite database for access by unexpected processes. Hunt for ScreenConnect-lookalike binary names not present in the authorized software inventory (T1036.005) per CIS 2.1. Enable and review PowerShell script block logging (Windows Event ID 4104) for encoded or obfuscated execution per AU-2 (Event Logging) and AU-12 (Audit Record Generation). Monitor Windows Event ID 4698 for scheduled task creation (T1053.005). Ensure audit log collection is active across all endpoints per CIS 8.2. Alert on outbound HTTP/S traffic from processes with no established network baseline using AU-6 (Audit Record Review, Analysis, and Reporting). (Cite: NIST AU-2 / NIST AU-6 / NIST AU-12 / CIS 2.1 / CIS 8.2 / D3-SFA / D3-LAM)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis: correlate indicators across endpoint telemetry, log sources, and network traffic to establish scope of CloudZ compromise
NIST SI-4 (System Monitoring) — monitor file system access to the Phone Link LocalState path by non-Microsoft processes
NIST AU-2 (Event Logging) — ensure Windows Security, Sysmon, and PowerShell operational logs are enabled and capturing the relevant event IDs
NIST AU-6 (Audit Record Review, Analysis, and Reporting) — actively review logs for CloudZ-specific IOC patterns rather than waiting for automated alerting
NIST IR-5 (Incident Monitoring) — track and document all confirmed and suspected CloudZ-related events across the environment
CIS 8.2 (Collect Audit Logs) — validate that audit logging is enabled on all Windows 10/11 endpoints prior to hunt
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — integrate CloudZ IOCs into ongoing threat hunt cadence
Compensating Control
Without a SIEM, deploy Sysmon with SwiftOnSecurity's config (minimum) and add a custom rule targeting FileCreate and RawAccessRead events on the path '*\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\*' by Image paths not matching '*\WindowsApps\*' or '*\Microsoft.YourPhone*'. Use the following PowerShell to hunt locally for recent SQLite access to the Phone Link path: 'Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | Where-Object {$_.Message -like "*YourPhone*" -and $_.Id -eq 11}'. For scheduled task hunting without a SIEM, run 'schtasks /query /fo LIST /v | findstr /i /C:"TaskName" /C:"Status" /C:"Run As User" /C:"Task To Run"' (findstr needs one /C: per literal phrase; a space-separated list is treated as separate single-word patterns) and flag any tasks executing from %TEMP% or %APPDATA%. Use the community Sigma rule for T1036.005 (Masquerading: Match Legitimate Name or Location) converted to Windows Event Log format as a manual hunt query against Sysmon Event ID 1 logs.
Preserve Evidence
Collect Windows Security Event Log entries for Event ID 4698 (Scheduled Task Created) and 4104 (PowerShell Script Block) from the suspected compromise window before any remediation clears volatile state. Export Sysmon Event ID 1 (Process Create), Event ID 11 (FileCreate), and Event ID 3 (Network Connection) filtered on processes accessing the Phone Link LocalState directory or bearing ScreenConnect-lookalike binary names. Capture the Windows Prefetch files (C:\Windows\Prefetch\) for CloudZ and Pheno binary names — prefetch entries will record execution timestamps and file paths even if the binaries have been deleted. Pull DNS client cache ('ipconfig /displaydns') and browser history from affected hosts to identify any C2 domains contacted by CloudZ during the OTP exfiltration phase.
Step 3: Eradication — Remove CloudZ and Pheno binaries if identified; no vendor removal tool is available as of this writing. Disable Windows Phone Link via Group Policy on endpoints where it is not required, enforcing a secure configuration baseline per CIS 4.6 (Securely Manage Enterprise Assets and Software). Confirm the authorized software inventory reflects the removal of Phone Link per CIS 2.1. Revoke and rotate all credentials and session tokens accessible via accounts relying on SMS-based OTP on affected systems, applying D3-CRO (Credential Rotation). Treat any harvested OTPs as compromised and invalidate active sessions on downstream systems. (Cite: NIST AC-2 / CIS 2.1 / CIS 4.6 / D3-CRO)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication: remove all components of the CloudZ RAT from the environment, eliminate the Phone Link attack surface, and invalidate any credentials compromised via OTP interception
NIST IR-4 (Incident Handling) — execute eradication as a documented phase with verification steps, not ad hoc binary deletion
NIST SI-2 (Flaw Remediation) — treat the absence of Phone Link Group Policy hardening as a configuration flaw requiring remediation
NIST SI-3 (Malicious Code Protection) — scan for CloudZ and Pheno binaries using updated signatures or YARA rules across all endpoints in scope
NIST IA-5 (Authenticator Management) — revoke and rotate credentials and session tokens for all accounts whose SMS OTPs may have been intercepted
CIS 4.6 (Securely Manage Enterprise Assets and Software) — enforce Phone Link disablement via Group Policy as a configuration management action
CIS 5.2 (Use Unique Passwords) — force password rotation on all accounts where SMS-based OTP was the second factor on affected hosts
Compensating Control
Without enterprise AV with current CloudZ signatures, write a YARA rule targeting CloudZ and Pheno binary characteristics (PE header anomalies, known strings, or import hash if available from threat intel) and scan using YARA from the command line: 'yara -r cloudz_rule.yar C:\Users\'. For scheduled task persistence removal, enumerate and diff all scheduled tasks against a known-good baseline using 'schtasks /query /fo CSV > current_tasks.csv' and compare against pre-incident exports. To disable Phone Link via GPO without enterprise tooling, use Local Group Policy Editor (gpedit.msc) on each host: navigate to User Configuration > Administrative Templates > Windows Components > Phone Link and set 'Turn off Phone Link' to Enabled. For credential rotation without a PAM tool, use 'net user [username] [newpassword] /domain' for domain accounts and force re-enrollment of MFA factors through the identity provider admin console.
Preserve Evidence
Before deleting CloudZ and Pheno binaries, collect full file hashes (SHA-256) using 'Get-FileHash -Algorithm SHA256 [filepath]', capture file metadata (creation, modification, access timestamps via 'fsutil usn readjournal C:', which requires the volume as an argument), and create forensic copies to a write-protected external drive or isolated network share for later analysis. Preserve any scheduled task XML definitions associated with CloudZ persistence before deletion ('schtasks /query /tn [taskname] /xml > [taskname].xml'; without /tn the command dumps every task). Document all accounts whose sessions were active on the affected host during the suspected compromise window by reviewing Windows Security Event ID 4624 (Logon) and 4648 (Explicit Credential Logon) logs; these define the mandatory scope for credential rotation.
Step 4: Recovery — Confirm Phone Link is disabled or unpaired on affected hosts and verify via Group Policy Results or endpoint management console per CIS 4.6. Validate account inventory is current and revoked access has been processed per CIS 5.1 (Establish and Maintain an Inventory of Accounts) and AC-2 (Account Management). Monitor previously exposed accounts for unauthorized access attempts for at least 30 days post-remediation per AU-6 (Audit Record Review, Analysis, and Reporting). Re-validate MFA enrollment for affected users. Migrate SMS-based OTP to TOTP applications or hardware tokens (FIDO2/WebAuthn) where feasible, applying D3-MFA (Multi-factor Authentication) and D3-CH (Credential Hardening). Enforce MFA for all externally exposed applications per CIS 6.3 and for remote access per CIS 6.4. (Cite: NIST AC-2 / NIST AU-6 / CIS 4.6 / CIS 5.1 / CIS 6.3 / CIS 6.4 / D3-MFA / D3-CH)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery: restore systems to verified-clean operational state, confirm Phone Link attack surface is eliminated, and validate that OTP interception capability has been neutralized
NIST IR-4 (Incident Handling) — verify recovery actions are complete and documented before closing the incident
NIST IA-5 (Authenticator Management) — re-validate MFA enrollment and enforce migration away from SMS-based OTP per NIST SP 800-63B guidance
NIST CA-7 (Continuous Monitoring) — maintain 30-day post-remediation monitoring window on previously exposed accounts for unauthorized access indicators
NIST SI-6 (Security and Privacy Function Verification) — verify Phone Link Group Policy enforcement is applied and effective via 'gpresult /h report.html'
CIS 6.3 (Require MFA for Externally-Exposed Applications) — enforce TOTP or FIDO2 MFA re-enrollment for all accounts previously protected by SMS-based OTP on affected systems
CIS 7.2 (Establish and Maintain a Remediation Process) — document the SMS-to-TOTP migration as a tracked remediation item with assigned ownership and deadline
Compensating Control
Without an enterprise identity platform, verify Phone Link GPO enforcement by running 'gpresult /r' on each remediated host and confirming the 'Turn off Phone Link' policy appears under Applied Group Policy Objects. For 30-day account monitoring without a SIEM, configure Windows Security audit policy on domain controllers to log Event ID 4625 (Failed Logon) and 4776 (Credential Validation) and export these daily via scheduled PowerShell task to a centralized CSV for manual review. For MFA migration without an enterprise SSO platform, use free authenticator apps (Microsoft Authenticator, Google Authenticator) or low-cost FIDO2 hardware tokens (YubiKey Security Key NFC) and re-enroll affected users through each application's MFA settings directly.
Preserve Evidence
Run 'gpresult /h gpresult_report.html' on each remediated host and archive the output as verification evidence that Phone Link policy is applied. Collect Windows Security Event ID 4624 and 4625 logs from domain controllers covering the 30-day monitoring window and flag any successful or failed logons from geographic locations, IP ranges, or time-of-day patterns inconsistent with the affected user's baseline. Document the pre- and post-remediation MFA method for each affected account in the incident record to demonstrate the SMS-to-TOTP migration was completed and to support any regulatory reporting obligations.
Step 5: Post-Incident — Document the detection gap: most EDR tools lack native detection for SQLite reads from cross-device sync applications. Submit a use-case request to your EDR vendor for coverage of the Phone Link data path per AU-2 (Event Logging) to ensure this event type is added to defined audit scope. Review and update the authorized RMM tool list to ensure only approved ScreenConnect instances are permitted per CIS 2.1 and CIS 2.3. Assess the broader MFA strategy: SMS-based OTP is a weak second factor; prioritize migration to phishing-resistant authenticators using D3-MFA and D3-CH. Apply D3-SICA (System Init Config Analysis) to detect persistence mechanisms written during compromise, including startup entries and scheduled tasks. Update the vulnerability management process to include cross-device sync application risk per CIS 7.1 (Establish and Maintain a Vulnerability Management Process). (Cite: NIST AU-2 / NIST AU-6 / CIS 2.1 / CIS 2.3 / CIS 7.1 / D3-MFA / D3-CH / D3-SICA)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity: conduct lessons-learned analysis focused on the Phone Link SQLite monitoring gap and the ScreenConnect delivery vector, and use findings to drive detection engineering and MFA policy improvements
NIST IR-4 (Incident Handling) — update the incident response plan to include Phone Link and cross-device sync app data paths as monitored attack surfaces
NIST IR-8 (Incident Response Plan) — revise IR plan to add CloudZ/Phone Link detection use case and ScreenConnect RMM abuse scenario
NIST SI-5 (Security Alerts, Advisories, and Directives) — formalize intake of threat intel on RAT campaigns abusing legitimate Windows features into the advisory review process
NIST RA-5 (Vulnerability Monitoring and Scanning) — incorporate Phone Link attack surface into ongoing risk assessment and configuration review cycles
CIS 7.1 (Establish and Maintain a Vulnerability Management Process) — add SQLite access monitoring for cross-device sync application data paths as a standing hunt use case
CIS 6.3 (Require MFA for Externally-Exposed Applications) — document SMS OTP deprecation plan referencing NIST SP 800-63B AAL2 requirements and set a target completion date
Compensating Control
Without an EDR vendor support portal, submit the Phone Link SQLite monitoring gap as a public feature request or community detection rule: author a Sigma rule targeting Sysmon Event ID 11 (FileCreate) and Event ID 10 (ProcessAccess) on the path '%LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\' by non-Microsoft-signed processes and publish to the SigmaHQ community repository for peer validation. For ScreenConnect allowlisting without enterprise tooling, maintain a plaintext registry of approved ScreenConnect instance URLs and relay codes in your asset management system and audit quarterly using 'Get-WinEvent' queries against Sysmon process creation logs. Use osquery with the scheduled_tasks and processes tables to build a standing post-incident hunt query for future ScreenConnect masquerading attempts (osquery is SQLite-based, so string literals take single quotes): 'SELECT name, action, enabled FROM scheduled_tasks WHERE action LIKE ''%ScreenConnect%'';'.
Preserve Evidence
Archive the complete incident timeline, all forensic artifacts collected during Steps 1-4, EDR alert (or non-alert) records for the compromise window, and the GPO verification reports as the post-incident evidence package — this package supports both internal lessons-learned and any regulatory breach notification assessment. Document the specific EDR product version and configuration that failed to alert on the Phone Link SQLite reads, including the detection policy settings active at the time, to provide concrete data for the vendor use-case submission. Retain the YARA scan results and Sysmon log exports for a minimum of 12 months per NIST AU-11 (Audit Record Retention) requirements to support any subsequent legal, regulatory, or threat intelligence sharing needs.
Recovery Guidance
After completing eradication, verify Phone Link disablement on 100% of in-scope endpoints via 'gpresult /r' and confirm no processes from the Microsoft.YourPhone AppX package are running using 'Get-Process | Where-Object {$_.Name -like "*YourPhone*" -or $_.Path -like "*\Microsoft.YourPhone_*"}' (current builds run the app as PhoneExperienceHost.exe from the package directory, so matching on the process name alone misses it). Monitor all accounts whose SMS-based OTPs were accessible on affected hosts for a minimum of 30 days post-remediation, specifically watching for impossible-travel logins, off-hours access, and MFA prompt fatigue patterns in identity provider logs, since OTPs intercepted prior to containment may have already been used to establish persistent session tokens. Treat SMS OTP migration to TOTP or FIDO2 as a time-bound remediation action, not a deferred improvement, given that CloudZ demonstrates an active threat actor capability to silently harvest SMS-based second factors from Windows endpoints without any mobile device interaction.
Key Forensic Artifacts
Phone Link LocalState SQLite databases at %LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\ (e.g., FantasyPhone.db) — will contain message records including intercepted OTP SMS content with timestamps that can be correlated against account access logs to confirm which OTPs were harvested
Windows Prefetch files at C:\Windows\Prefetch\ for CloudZ and Pheno binary names — will record execution timestamps and loaded DLLs even if the attacker deleted the primary binaries post-exfiltration
Sysmon Event ID 11 (FileCreate) and Event ID 10 (ProcessAccess) logs targeting the Microsoft.YourPhone_8wekyb3d8bbwe package directory — will identify the non-Microsoft process name and full path used by CloudZ to access the Phone Link SQLite database
Windows Security Event ID 4698 (Scheduled Task Created) and 4702 (Scheduled Task Updated) logs — will reveal CloudZ persistence mechanism including the command line, trigger type, and run-as account used to maintain access across reboots
Network connection logs from Sysmon Event ID 3 (Network Connection) or Windows Firewall logs filtered on processes adjacent to Phone Link or bearing ScreenConnect-lookalike names — will expose CloudZ C2 infrastructure IPs and domains used to exfiltrate harvested OTPs and receive RAT commands
Detection Guidance
Primary detection path: monitor for file read access to the Phone Link SQLite database at %LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\ by any process other than Microsoft.YourPhone or Windows system processes.
This is the core CloudZ/Pheno data theft vector (T1005, T1083).
Apply D3-SFA (System File Analysis) — the D3FEND countermeasure for monitoring system files including authentication-adjacent databases for unauthorized access — as the primary defensive technique here.
In environments with Sysmon deployed, correlate Event ID 11 (FileCreate) and Event ID 23 (FileDelete) with process ancestry to surface anomalous database interaction. Use AU-2 (Event Logging) to ensure SQLite file access events and process creation events are defined in your audit event scope. AU-3 (Content of Audit Records) requires records include the process name, user, timestamp, and resource accessed; verify your logging configuration captures these fields for file system events. Use Sysmon Event ID 1 (Process Create) combined with CIS 2.1 software inventory to flag execution of ScreenConnect-named binaries not originating from an approved installation path (T1036.005, T1036). Apply D3-LAM (Local Account Monitoring) to detect privilege misuse or lateral account activity following credential harvest. Windows Event ID 4698 flags scheduled task creation relevant to T1053.005 persistence; include this in the AU-2 audit event definition. PowerShell script block logging (Event ID 4104) must be enabled and forwarded to your SIEM; AU-6 (Audit Record Review, Analysis, and Reporting) requires active review of these records for encoded or obfuscated execution consistent with T1059.001 and T1132.001.
Network layer: alert on outbound HTTP/S connections from processes with no established network baseline, particularly processes with ScreenConnect-adjacent names (T1071.001, T1219). Use AC-4 (Information Flow Enforcement) policy to restrict outbound connections from endpoint user-space processes to only approved destinations.
No confirmed public IOC list (IPs, domains, hashes) has been released as of this writing; detection must rely on behavioral indicators, not signature matching. AU-11 (Audit Record Retention): retain all relevant logs for a minimum period consistent with your retention policy to support post-incident forensic analysis.
CIS 8.2 (Collect Audit Logs) requires logging is enabled across all enterprise assets; verify Phone Link host endpoints are not excluded from your log collection scope.
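The Phone Link path allowlist from the Step 2 compensating control and the ScreenConnect-from-unapproved-path check from the detection guidance above, implemented together as an added example (not part of this advisory, Cisco Talos research, or any vendor tooling). It assumes Sysmon events exported to JSON, one dict per event, using Sysmon's own EventData field names; the sample events, the approved ScreenConnect install root and the user-writable path globs are constructed assumptions.

```python
"""Hunt exported Sysmon events for the two CloudZ behaviours described above.

Assumptions (not from the advisory): Sysmon events have been exported to JSON as
one dict per event using Sysmon's own EventData field names (Image,
TargetFilename, ...). The sample events at the bottom are constructed.
"""
import fnmatch
from dataclasses import dataclass

# Phone Link package data path from the advisory, and the image-path allowlist
# from the Step 2 compensating control.
PHONE_LINK_PATH_GLOB = r"*\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\*"
ALLOWED_IMAGE_GLOBS = (r"*\WindowsApps\*", r"*\Microsoft.YourPhone*")

# ScreenConnect client binary names from the advisory. The approved install root
# and the user-writable globs are assumptions; take them from your CIS 2.1 inventory.
SCREENCONNECT_NAMES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
APPROVED_SCREENCONNECT_ROOT = r"c:\program files (x86)\screenconnect client"
USER_WRITABLE_GLOBS = (r"*\appdata\*", r"*\temp\*", r"*\downloads\*", r"*\users\public\*")


def _match_any(value, globs):
    """Case-insensitive glob match; fnmatchcase behaves the same on every OS."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, g.lower()) for g in globs)


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    image: str
    detail: str


def check_phone_link_access(event):
    """Sysmon Event ID 11 (FileCreate) inside the Phone Link LocalState path by an
    image that is neither Phone Link itself nor another WindowsApps package (T1005)."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    if not _match_any(target, (PHONE_LINK_PATH_GLOB,)):
        return None
    if _match_any(image, ALLOWED_IMAGE_GLOBS):
        return None  # Phone Link or another Store app: expected writer
    return Finding("T1005", event.get("Computer", "?"), image, f"wrote {target}")


def check_screenconnect_masquerade(event):
    """Sysmon Event ID 1 (ProcessCreate) of a ScreenConnect-named binary that did
    not start from the approved install root (T1036.005)."""
    if event.get("EventID") != 1:
        return None
    image = event.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() not in SCREENCONNECT_NAMES:
        return None
    if image.lower().startswith(APPROVED_SCREENCONNECT_ROOT):
        return None  # the one place this binary is expected to live
    where = "user-writable path" if _match_any(image, USER_WRITABLE_GLOBS) else "unapproved path"
    return Finding("T1036.005", event.get("Computer", "?"), image,
                   f"ScreenConnect-named binary started from {where}")


CHECKS = (check_phone_link_access, check_screenconnect_masquerade)


def hunt(events):
    """Run every check over every event; return findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            f = check(ev)
            if f is not None:
                findings.append(f)
    return findings


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    # Phone Link writing its own database from WindowsApps: benign (package version made up).
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_0.0.0.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\FantasyPhone.db"},
    # Unknown binary in the user profile writing next to the Phone Link database: alert.
    {"EventID": 11, "Computer": "WS01",
     "Image": r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalState\FantasyPhone.db-journal"},
    # ScreenConnect client from its approved install root: benign (instance id made up).
    {"EventID": 1, "Computer": "WS02",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (constructed-id)\ScreenConnect.ClientService.exe"},
    # ScreenConnect-named binary started from %TEMP%: alert.
    {"EventID": 1, "Computer": "WS02",
     "Image": r"C:\Users\bob\AppData\Local\Temp\ScreenConnect.WindowsClient.exe"},
    # Ordinary FileCreate elsewhere: benign.
    {"EventID": 11, "Computer": "WS03", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\carol\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.host}: {f.image} ({f.detail})")
```

FileCreate (Event ID 11) only sees writers, so this catches a process that copies or modifies the database in place; a read-only query of FantasyPhone.db leaves no Sysmon file event, which is the monitoring gap the advisory describes.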
Platform Playbooks
Microsoft Sentinel / Defender
CrowdStrike Falcon
AWS Security
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Hard indicator (direct match)
Contextual (behavioral query)
Shared platform (review required)
MITRE ATT&CK Hunting Queries (5)
Sentinel rule: Suspicious PowerShell command line (KQL, read-only detection query)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Process name masquerading (KQL, read-only detection query)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious file download (KQL, read-only detection query)
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileOriginUrl != ""
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns (KQL, read-only detection query)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Suspicious scheduled task creation (KQL, read-only detection query)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any ("/sc minute", "/sc hourly", "powershell", "cmd /c", "http", "\\\\", "frombase64")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
No actionable IOCs for CrowdStrike import (benign/contextual indicators excluded).
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1083, T1555, T1059, T1059.001, T1132.001, T1036.005 (+12 more)
NIST SP 800-53: CM-7, SI-3, SI-4, SI-7, CA-7, SC-7 (+2 more)
OWASP Top 10 (2021): A08:2021, A04:2021, A07:2021
HIPAA Security Rule: 164.308(a)(5)(ii)(D), 164.312(d)
MITRE ATT&CK Mapping
T1083: File and Directory Discovery (discovery)
T1555: Credentials from Password Stores (credential-access)
T1059: Command and Scripting Interpreter (execution)
T1132.001: Standard Encoding (command-and-control)
T1036.005: Match Legitimate Resource Name or Location (defense-evasion)
T1539: Steal Web Session Cookie (credential-access)
T1219: Remote Access Tools (command-and-control)
T1005: Data from Local System (collection)
T1105: Ingress Tool Transfer (command-and-control)
T1113: Screen Capture (collection)
T1574: Hijack Execution Flow (persistence)
T1056: Input Capture (collection)
T1036: Masquerading (defense-evasion)
T1555.003: Credentials from Web Browsers (credential-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.