Severity: HIGH
CVSS: 7.5
Priority: 0.850
Executive Summary
A breach of DigiCert's customer support environment in early April 2026 allowed a Chinese APT-linked threat actor to obtain EV code-signing certificates, which were used to sign malware payloads in a campaign called Zhong Stealer. A separate incident occurred on April 30, 2026, when a Microsoft Defender signature update incorrectly flagged legitimate DigiCert root certificates as malware, removing them from enterprise trust stores and causing widespread operational disruption. Organizations relying on EV-signed software for trust verification and Windows endpoints running Defender are exposed to both malware infiltration risk and self-inflicted availability loss from the defensive overreach.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity (HIGH): prioritize for investigation
Actor Attribution (HIGH): Zhong Stealer (Chinese APT-linked)
TTP Sophistication (HIGH): 9 MITRE ATT&CK techniques identified
Detection Difficulty (HIGH): multiple evasion techniques observed
Target Scope (INFO): Microsoft Defender (Windows), Windows AuthRoot certificate store, DigiCert EV Code Signing Certificates, Lenovo / Kingston / Shuttle Inc / Palit Microsystems (certificate holders)
Are You Exposed?
⚠ Your industry is targeted by Zhong Stealer (Chinese APT-linked) → Heightened risk
⚠ You use products/services from Microsoft Defender (Windows) → Assess exposure
⚠ 9 attack techniques identified → Review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
If Zhong Stealer payloads ran in your environment, credential theft and data exfiltration may have occurred, exposing sensitive internal systems and customer data to a Chinese APT-linked actor. The Defender false positive independently caused legitimate software to lose trusted status on enterprise endpoints, potentially halting certificate-dependent applications, breaking TLS connections, and triggering incident response costs with no actual attack involved. Organizations in regulated industries that rely on digitally signed software for compliance attestation face both an active threat vector and a self-inflicted audit finding from the trust-store disruption.
You Are Affected If
You received EV code-signing certificates from DigiCert through their customer support channel during or before early April 2026
You run software signed by certificates issued to Lenovo, Kingston, Shuttle Inc, or Palit Microsystems and execute those binaries on Windows endpoints
Your Windows endpoints ran Microsoft Defender with signatures updated on or around April 30, 2026, and were not immediately patched with the corrected signature release
Your environment relies on DigiCert root certificates in the Windows AuthRoot store for TLS validation or authenticode trust decisions
You have not audited your software supply chain against DigiCert's published list of 60 revoked EV certificates
Board Talking Points
A Chinese government-linked hacking group stole trusted digital certificates from a major certificate authority and used them to disguise malware as legitimate software — a technique that bypasses most standard security controls.
Security teams should audit all software signed by affected certificates, apply Microsoft's corrected update to restore normal endpoint operations, and initiate a supply-chain risk review of CA dependencies within the next 72 hours.
Without action, the organization remains exposed to credential theft from any Zhong Stealer payloads that may have executed, and to ongoing operational disruption from the trust-store failure on unpatched Windows endpoints.
Technical Analysis
DigiCert's customer support environment was compromised in early April 2026, allowing a threat actor to extract initialization codes for approved EV code-signing certificate orders.
Sixty certificates were revoked; 27 are confirmed linked to the Zhong Stealer campaign, a Chinese APT-attributed infostealer distributed via signed malicious payloads (per threat intelligence sources; verify against official DigiCert revocation list).
EV code-signing status bypasses many security controls that rely on signature trust level as a risk signal (T1553.002, Code Signing). The campaign also uses phishing emails (T1566.001), ingress tool transfer (T1105), and command script execution (T1059).

A secondary failure occurred on April 30, 2026: Microsoft Defender's signature update misidentified legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha (T1562.001, Impair Defenses: Disable or Modify Tools), removing them from the Windows AuthRoot certificate store on affected enterprise endpoints.

Relevant CWE mappings: CWE-295 (Improper Certificate Validation), CWE-345 (Insufficient Verification of Data Authenticity), CWE-284 (Improper Access Control), CWE-693 (Protection Mechanism Failure). Affected certificate holders include Lenovo, Kingston, Shuttle Inc, and Palit Microsystems. No CVE has been assigned. Both issues are reported as largely contained. Source quality is moderate (T3 news sources predominate; one T1 Microsoft community thread confirmed).
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate to senior IR leadership, legal counsel, and executive stakeholders if any of the following conditions are confirmed: (1) a Zhong Stealer payload executed successfully on an endpoint with access to PII, PHI, financial data, or privileged credentials — triggering applicable breach notification obligations under HIPAA, state privacy statutes, or PCI DSS Requirement 12.10.4; (2) the DigiCert-breached customer support channel was used to obtain or manage your organization's own EV code-signing certificates during the April 2026 window, indicating direct supply chain compromise of your signing infrastructure; or (3) the Defender AuthRoot removal caused a CRL or OCSP validation failure that allowed revoked certificates (including the 60 compromised EV certificates) to be treated as trusted during the outage window, potentially enabling Zhong Stealer payloads to execute undetected.
Step 1: Containment — Cross-reference your software inventory against DigiCert's published revocation list for all 60 revoked EV code-signing certificates. Temporarily block execution of newly signed binaries from affected certificate holders (Lenovo, Kingston, Shuttle Inc, Palit Microsystems) until signatures are re-validated. Use D3-ACA (Active Certificate Analysis) to actively collect and inspect certificates on affected endpoints. (Cite: CIS 2.1 — Establish and Maintain a Software Inventory / CIS 2.3 — Address Unauthorized Software / D3-ACA — Active Certificate Analysis)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST CM-7 (Least Functionality — restrict unauthorized software execution)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.3 (Address Unauthorized Software)
CIS 4.6 (Securely Manage Enterprise Assets and Software)
Compensating Control
Use Sysinternals Sigcheck to enumerate all signed executables and dump their signing chains: `sigcheck -s -e -i -c -a C:\` redirected to CSV (-s recurses, -e limits the scan to executable images, -i includes the signing chain with serial numbers and thumbprints, -c emits CSV), then filter the output against DigiCert's published list of 60 revoked thumbprints. On endpoints, deploy an AppLocker or Windows Defender Application Control (WDAC) policy scoped to Publisher conditions that blocks the specific Subject CN values for Lenovo, Kingston, Shuttle Inc, and Palit Microsystems certificates issued between January and April 2026. No SIEM required — a PowerShell script using `Get-AuthenticodeSignature` recursively across Program Files and user-writable directories (C:\Users, C:\ProgramData, C:\Temp) can be run by one analyst across the fleet via PSRemoting.
Preserve Evidence
Before blocking, snapshot the full Authenticode signature chain for every flagged executable using `sigcheck -a -i <file>` and preserve the output — this captures the signer thumbprint, certificate serial number, timestamp authority, and chain validity status, which will be needed to confirm whether Zhong Stealer payloads were signed under one of the 60 compromised EV certificates. Also export the current Windows AuthRoot and Intermediate CA store state via `certutil -store AuthRoot > authroot_baseline.txt` and `certutil -store CA > intca_baseline.txt` before any remediation actions alter the trust store, preserving the pre-remediation chain-of-custody state for forensic comparison.
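The fleet-wide Get-AuthenticodeSignature sweep described above, as an added example that is not part of the original advisory: it records the signer and full signing chain for every executable under the named directories and flags any whose chain contains a thumbprint from a revoked-certificate file. The revoked_thumbprints.txt path, the CSV path and the scan paths are assumptions; the list itself must be populated from DigiCert's published revocation data, and thumbprints are matched directly because a revoked certificate can still report a Valid status until the revocation reaches the local CRL cache.

```powershell
# Added example (not from the advisory): inventory Authenticode signatures under the directories the
# checklist names and flag binaries whose signing chain includes a revoked thumbprint.
# Assumptions: revoked_thumbprints.txt is a placeholder file (one SHA-1 thumbprint per line)
# that you populate from DigiCert's published revocation list; the CSV output path is arbitrary.

$ScanPaths = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, 'C:\Users', 'C:\ProgramData', 'C:\Temp') |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$RevokedListPath = '.\revoked_thumbprints.txt'   # placeholder input
$ReportPath      = '.\authenticode_audit.csv'    # placeholder output

function ConvertTo-NormalizedThumbprint {
    # Strip separators and case so list entries and live thumbprints compare equal.
    param([string]$Value)
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$revoked = @{}
if (Test-Path -LiteralPath $RevokedListPath) {
    foreach ($line in Get-Content -LiteralPath $RevokedListPath) {
        $t = ConvertTo-NormalizedThumbprint $line
        if ($t.Length -eq 40) { $revoked[$t] = $true }   # SHA-1 thumbprints are 40 hex chars
    }
}
if ($revoked.Count -eq 0) { Write-Warning 'Revoked list is empty; the report will be an inventory only.' }

function Get-AuthenticodeRecord {
    param([System.IO.FileInfo]$File)
    $sig    = Get-AuthenticodeSignature -FilePath $File.FullName
    $signer = $sig.SignerCertificate
    $chainThumbs = @()
    if ($signer) {
        # Build the chain offline and record every element, so a revoked intermediate is caught too.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($signer)
        $chainThumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint.ToUpperInvariant() })
        $chain.Dispose()
    }
    $hit = $chainThumbs | Where-Object { $revoked.ContainsKey($_) } | Select-Object -First 1
    [pscustomobject]@{
        Path            = $File.FullName
        # Status is recorded, not filtered on: during the AuthRoot regression, legitimate
        # DigiCert-rooted signatures report NotTrusted, and a revoked certificate can still
        # report Valid until the revocation reaches the local CRL cache.
        Status          = $sig.Status
        Subject         = if ($signer) { $signer.Subject } else { '' }
        Thumbprint      = if ($signer) { $signer.Thumbprint } else { '' }
        TimestampSigner = if ($sig.TimeStamperCertificate) { $sig.TimeStamperCertificate.Subject } else { '' }
        RevokedMatch    = if ($hit) { $hit } else { '' }
        NeedsReview     = [bool]$hit -or ($sig.Status -eq 'HashMismatch')
    }
}

$records = foreach ($root in $ScanPaths) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.sys, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AuthenticodeRecord -File $_ }
}
$records | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
$records | Where-Object NeedsReview | Format-Table Path, Status, Subject, RevokedMatch -AutoSize
```

Run it under PSRemoting (Invoke-Command) with the revoked list copied alongside, and keep the full CSV as the inventory record even for hosts with no matches.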
Step 2: Detection — Query Windows Event Log and Defender quarantine logs for Trojan:Win32/Cerdigent.A!dha detections (Event ID 1116, 1117 in Microsoft-Windows-Windows Defender/Operational). Correlate certificate store change events to identify endpoints where DigiCert roots were removed from the AuthRoot store. Apply D3-SFA (System File Analysis) to monitor certificate store files and system executables for unauthorized modification. (Cite: NIST AU-2 — Event Logging / NIST AU-6 — Audit Record Review, Analysis, And Reporting / CIS 8.2 — Collect Audit Logs / D3-SFA — System File Analysis)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-4 (Incident Handling)
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
For Cerdigent.A!dha detections: query the Windows Event Log (Application and Services Logs\Microsoft\Windows\Windows Defender\Operational) for Event ID 1116 (malware detected) and 1117 (malware action taken), filtering on ThreatName containing 'Cerdigent'. For AuthRoot store tampering caused by the Defender signature regression: query the Security Event Log for Event ID 4657 (registry value modified) on key `HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates` to identify when DigiCert root thumbprints were removed; note that 4657 is generated only where registry Object Access auditing is enabled and a SACL exists on that key, so hosts without that configuration will yield no such events. For Zhong Stealer credential-store access: deploy Sysmon with EventID 10 (ProcessAccess) rules targeting LSASS as TargetImage, and EventID 11 (FileCreate) for writes to `%APPDATA%\Microsoft\Credentials` and browser credential storage paths. Use this Sigma rule pattern: process creation (EventID 4688 or Sysmon EventID 1) where ParentImage is a Lenovo/Kingston/Palit/Shuttle binary signed with a certificate issued April 2026 spawning cmd.exe, powershell.exe, or regsvr32.exe.
Preserve Evidence
Collect the following before any quarantine or remediation actions alter available evidence: (1) Windows Defender quarantine folder contents at `C:\ProgramData\Microsoft\Windows Defender\Quarantine\` — Zhong Stealer payloads removed by Defender will be stored here in VDM-encoded format recoverable with MpCmdRun.exe; (2) Prefetch files under `C:\Windows\Prefetch\` for any executable names corresponding to known Zhong Stealer dropper filenames, which record execution timestamps and loaded DLL paths even after file deletion; (3) Sysmon Event ID 3 (NetworkConnect) logs capturing outbound connections from user-writable directory executables, preserving destination IPs and ports associated with Zhong Stealer C2 infrastructure; (4) CAPI2 Event Log (Applications and Services Logs\Microsoft\Windows\CAPI2\Operational) Event ID 11 (CertVerifyRevocation) and Event ID 30 (X509Objects) to reconstruct which DigiCert root certificates were evaluated, revoked, or removed during the April 30 Defender signature regression window.
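An added example (not from the advisory) that runs the two Step 2 queries locally with Get-WinEvent and joins them into a per-host timeline: Defender 1116/1117 events carrying the Cerdigent threat name and Security 4657 events on the AuthRoot key. The date window, output path and the OperationType code mapping are assumptions; 4657 only exists where registry object-access auditing and a SACL on that key were already in place, which the script cannot enable after the fact.

```powershell
# Added example (not from the advisory): pull the two Step 2 evidence streams from the local
# event logs and join them into one per-host timeline. Assumptions: the regression window dates
# and output path are placeholders; Event ID 4657 only exists if registry object-access auditing
# is enabled and a SACL is set on the AuthRoot key; the OperationType codes are the resource
# strings Windows writes into the raw event XML.

$ThreatName  = 'Trojan:Win32/Cerdigent.A!dha'
$AuthRootKey = 'HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$Since       = Get-Date '2026-04-30'   # start of the Defender regression window (placeholder)
$Until       = Get-Date                # or the date corrected signatures reached this host
$OutPath     = '.\cerdigent_timeline.csv'
$OpNames     = @{ '%%1904' = 'ValueCreated'; '%%1905' = 'ValueModified'; '%%1906' = 'ValueDeleted' }

function Get-EventDataMap {
    # Flatten an event's <EventData> into a hashtable keyed by each <Data Name="...">.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $map[$d.Name] = $d.'#text' } }
    return $map
}

function Get-DefenderFalsePositiveEvents {
    $filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117; StartTime = $Since; EndTime = $Until }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d['Threat Name'] -eq $ThreatName) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Host    = $_.MachineName
                Source  = 'Defender'
                EventId = $_.Id
                Detail  = "$($d['Threat Name']) path=$($d['Path']) action=$($d['Action Name'])"
            }
        }
    }
}

function Get-AuthRootRegistryChanges {
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = $Since; EndTime = $Until }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        # 4657 names the key as \REGISTRY\MACHINE\...; normalise to the HKLM form before matching.
        $key = $d['ObjectName'] -replace '^\\REGISTRY\\MACHINE', 'HKLM'
        if ($key -like "$AuthRootKey*") {
            $op = $d['OperationType']
            if ($op -and $OpNames.ContainsKey($op)) { $op = $OpNames[$op] }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Host    = $_.MachineName
                Source  = 'Registry'
                EventId = $_.Id
                Detail  = "$op $($d['ObjectValueName']) by $($d['ProcessName'])"
            }
        }
    }
}

$timeline = @(Get-DefenderFalsePositiveEvents) + @(Get-AuthRootRegistryChanges) | Sort-Object Host, Time
$timeline | Export-Csv -LiteralPath $OutPath -NoTypeInformation
$timeline | Format-Table Time, Host, Source, EventId, Detail -AutoSize
# Reading the result: a host with a Defender 1117 followed by ValueDeleted entries under the AuthRoot
# key is one where the false positive actually removed roots; a host with 1116 only still needs a
# trust-store check before it is marked unaffected.
```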
Step 3: Eradication — Apply the corrected Microsoft Defender signature update to restore legitimate DigiCert root certificates to the Windows AuthRoot trust store per Microsoft's published guidance (verify current URL directly from Microsoft support channels — do not rely on session-cached links). Remove confirmed Zhong Stealer payloads from affected endpoints. Revoke and reissue any internal code-signing certificates obtained through DigiCert's affected customer support channel during the April 2026 window. Apply D3-CRO (Credential Rotation) to any certificates or credentials exposed through the compromised support environment. (Cite: NIST AU-9 — Protection Of Audit Information / CIS 7.2 — Establish and Maintain a Remediation Process / CIS 7.4 — Perform Automated Application Patch Management / D3-CRO — Credential Rotation)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST SI-7 (Software, Firmware, and Information Integrity)
CIS 7.2 (Establish and Maintain a Remediation Process)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
To apply the corrected Defender signature update without WSUS or SCCM: run `MpCmdRun.exe -SignatureUpdate` on each affected endpoint, then verify the engine and signature version via `Get-MpComputerStatus | Select AntivirusSignatureVersion, AntivirusSignatureLastUpdated`. For Zhong Stealer payload removal: run `MpCmdRun.exe -Scan -ScanType 2` (full scan) with updated signatures before deletion to generate a detection record, then use `MpCmdRun.exe -RemoveDefinitions -DynamicSignatures` only if a specific dynamic signature is confirmed as the false-positive source per Microsoft guidance. For certificate reissuance verification: use `certutil -verify -urlfetch <newcert.cer>` to confirm the replacement certificate chains to a non-revoked DigiCert root and passes OCSP/CRL checks. Document each remediation action with before/after `certutil -store AuthRoot` output to satisfy NIST AU-3 (Content of Audit Records) requirements without a SIEM.
Preserve Evidence
Before executing eradication, preserve: (1) a memory image of any endpoint where Zhong Stealer execution is confirmed — use WinPmem (free, open source) to capture a raw memory dump, which may contain decrypted credential material, injected code, or C2 configuration that is lost after reboot or payload removal; (2) a full copy of the Defender quarantine folder (`C:\ProgramData\Microsoft\Windows Defender\Quarantine\`) as an encrypted archive before signatures are updated, since the corrected signatures may re-classify quarantined files and alter their metadata; (3) the specific Defender signature version that caused the AuthRoot removal, recorded from `Get-MpComputerStatus | Select AntivirusSignatureVersion` on an affected endpoint before the update is applied, to establish the exact regression window for change management documentation and potential regulatory reporting.
Step 4: Recovery — After applying corrected Defender signatures, validate DigiCert root certificates are present and trusted in the AuthRoot store on all affected endpoints. Re-test certificate-dependent applications (TLS connections, signed software execution, Authenticode validation). Monitor Defender telemetry for recurrence of the Cerdigent.A!dha false positive. Confirm no Zhong Stealer persistence mechanisms remain via full endpoint scan with updated signatures. Apply D3-SICA (System Init Config Analysis) to verify no persistence was established in startup configuration. (Cite: NIST AU-6 — Audit Record Review, Analysis, And Reporting / NIST AU-8 — Time Stamps / CIS 7.3 — Perform Automated Operating System Patch Management / D3-SICA — System Init Config Analysis)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-6 (Security and Privacy Function Verification)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
Validate DigiCert root restoration without an enterprise MDM: run `certutil -store AuthRoot | findstr /i DigiCert` on a sample of endpoints (findstr does not treat single quotes as quoting, so the search term must be bare or in double quotes) and compare thumbprints against DigiCert's published root list. For Authenticode validation recovery testing: use `sigcheck -tv` (Sysinternals) which will surface any certificates still failing chain validation due to residual AuthRoot store corruption. For persistence mechanism hunting specific to Zhong Stealer: query the Run and RunOnce registry keys (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`) and scheduled tasks (`schtasks /query /fo LIST /v | findstr /i "lenovo kingston palit shuttle"`; findstr treats space-separated terms as alternatives) for any entries referencing the affected certificate holder names or paths in user-writable directories. Use Autoruns (Sysinternals) with VirusTotal integration enabled to flag any persistence entries pointing to recently signed or unsigned binaries.
Preserve Evidence
For post-recovery validation, retain: (1) a diff of the AuthRoot certificate store between the pre-remediation baseline (`authroot_baseline.txt` captured in Step 1) and the post-recovery state, confirming all legitimate DigiCert roots are restored and no unauthorized certificates were added during the incident window; (2) Defender Event Log entries (Event ID 1150 and 1151 — antimalware platform health) confirming signature update success and the absence of further Cerdigent.A!dha detections post-update, establishing a clean-state timestamp for the recovery record; (3) CAPI2 Operational log Event ID 10 (X509Objects — successful certificate chain build) for DigiCert-anchored chains post-recovery, confirming that TLS and Authenticode operations dependent on the restored roots are functioning correctly.
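An added example (not the advisory's own procedure) that performs the Step 4 validation with the PowerShell Cert: provider instead of certutil text output: it diffs the live AuthRoot store against the authroot_baseline.txt captured in Step 1 and checks that an expected set of DigiCert root thumbprints is present. The ExpectedDigiCertRoots values are placeholders to be filled from DigiCert's published root list, and the baseline parser assumes certutil's English "Cert Hash(sha1):" line format.

```powershell
# Added example (not the advisory's own procedure): validate AuthRoot restoration using the
# PowerShell Cert: provider instead of certutil text. Assumptions: authroot_baseline.txt is the
# certutil -store AuthRoot capture from Step 1 in its English 'Cert Hash(sha1):' format, and
# ExpectedDigiCertRoots holds placeholders to be replaced with DigiCert's published root thumbprints.

$BaselinePath          = '.\authroot_baseline.txt'
$ExpectedDigiCertRoots = @('<DIGICERT-ROOT-THUMBPRINT-1>', '<DIGICERT-ROOT-THUMBPRINT-2>')   # placeholders

function ConvertTo-NormalizedThumbprint {
    # Strip separators and case so certutil output, list entries and live thumbprints compare equal.
    param([string]$Value)
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Get-LiveAuthRootThumbprints {
    Get-ChildItem Cert:\LocalMachine\AuthRoot | ForEach-Object { ConvertTo-NormalizedThumbprint $_.Thumbprint }
}

function Get-BaselineThumbprints {
    # certutil prints one "Cert Hash(sha1): <hex, with or without spaces>" line per certificate.
    param([string]$Path)
    Get-Content -LiteralPath $Path | ForEach-Object {
        if ($_ -match 'Cert Hash\(sha1\):\s*(.+)$') { ConvertTo-NormalizedThumbprint $Matches[1] }
    }
}

function Test-AuthRootRestored {
    $live     = @(Get-LiveAuthRootThumbprints)
    $baseline = if (Test-Path -LiteralPath $BaselinePath) { @(Get-BaselineThumbprints $BaselinePath) } else { @() }
    # Placeholders do not normalise to 40 hex chars and are dropped, so an unedited list produces
    # a warning rather than a false "all present" result.
    $expected = @($ExpectedDigiCertRoots | ForEach-Object { ConvertTo-NormalizedThumbprint $_ } | Where-Object { $_.Length -eq 40 })
    if ($expected.Count -eq 0) { Write-Warning 'ExpectedDigiCertRoots contains no valid thumbprints; fill it from DigiCert''s root list.' }

    [pscustomobject]@{
        MissingDigiCertRoots = @($expected | Where-Object { $_ -notin $live })
        RemovedSinceBaseline = @($baseline | Where-Object { $_ -notin $live })
        # If the Step 1 baseline was captured after the regression had already stripped roots,
        # the restored DigiCert roots will show up here; compare against MissingDigiCertRoots.
        AddedSinceBaseline   = @($live | Where-Object { $_ -notin $baseline })
        DigiCertPresent      = @(Get-ChildItem Cert:\LocalMachine\AuthRoot |
                                   Where-Object { $_.Subject -like '*DigiCert*' } |
                                   ForEach-Object { $_.Subject })
    }
}

$result = Test-AuthRootRestored
$result | Format-List
if ($result.MissingDigiCertRoots.Count -gt 0) { Write-Warning 'Expected DigiCert roots are still absent; the corrected Defender signatures may not have been applied on this host.' }
if ($result.AddedSinceBaseline.Count -gt 0)   { Write-Warning 'Roots are present now that were not in the Step 1 baseline; review them before closing the incident.' }
```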
Step 5: Post-Incident — Establish certificate transparency log monitoring to detect unauthorized issuance against your domains. Configure alerting on bulk certificate revocation events from CAs in your trust chain. Review CA vendor selection criteria to include incident response and breach notification commitments. Apply D3-ODM (Operational Dependency Mapping) to document certificate authority dependencies and their operational impact on enterprise services. Note: NIST SP 800-161 (supply chain risk management) is the appropriate framework for CA dependency risk review; it is outside the control set cited in this item — verify against official NIST publications directly. (Cite: NIST AU-13 — Monitoring For Information Disclosure / NIST AC-20 — Use Of External Systems / CIS 7.1 — Establish and Maintain a Vulnerability Management Process / D3-ODM — Operational Dependency Mapping)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-5 (Security Alerts, Advisories, and Directives)
NIST RA-3 (Risk Assessment)
NIST SA-9 (External System Services — third-party CA dependency management)
NIST SR-3 (Supply Chain Controls and Processes)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
For certificate transparency (CT) log monitoring without a commercial platform: configure a free crt.sh monitoring account or use the `certspotter` open-source tool (Certspotter by SSLMate) to alert on any new certificate issuances for your organization's domains — this would have surfaced unauthorized EV certificate issuance from the DigiCert breach. For bulk revocation alerting: write a daily cron job or scheduled task using `certutil -URL <ca-crl-url>` to retrieve and diff CRL sequence numbers from DigiCert's CRL Distribution Points, alerting on delta counts exceeding a threshold (e.g., >10 new revocations in a single CRL update). For the NIST SP 800-161 gap review: map the DigiCert incident against SR-3 (Supply Chain Controls and Processes) and SR-6 (Supplier Assessments and Reviews) specifically — document whether your CA vendor contracts include breach notification SLAs, and whether your trust store management policy requires validation of CA security posture at renewal. Note: the step references NIST SP 800-161; the current authoritative designation for NIST supply chain risk management guidance is NIST SP 800-161 Rev. 1 (May 2022) — ensure the gap review references the revision.
Preserve Evidence
Preserve for post-incident review and potential regulatory reporting: (1) a complete timeline of the Defender signature regression — correlating the April 30 Defender signature version deployment timestamp (from Windows Update logs at `C:\Windows\SoftwareDistribution\ReportingEvents.log`) against the first AuthRoot removal Event ID 4657 observed, establishing the blast radius window; (2) a list of all certificate-dependent business processes disrupted by the AuthRoot removal (TLS failures, Authenticode blocks, application crashes), sourced from CAPI2 logs and application event logs (Event ID application errors referencing certificate validation failures), to support a business impact assessment; (3) DigiCert's breach notification communications and revocation advisory, preserved with receipt timestamps, to document whether the CA met contractual and regulatory breach notification obligations — relevant if your organization operates under FedRAMP, PCI DSS, or state breach notification statutes that include vendor incident notification requirements.
Recovery Guidance
Recovery validation must confirm two independent failure modes are resolved: the Zhong Stealer active infection and the Defender-induced AuthRoot trust store corruption — do not close the incident until both are verified clean on all affected endpoints, as partial recovery (e.g., Defender signatures updated but compromised EV-signed binaries still present) leaves the environment exposed. Monitor Defender telemetry and CAPI2 logs continuously for a minimum of 14 days post-recovery, as APT-linked campaigns such as Zhong Stealer typically include secondary persistence mechanisms (scheduled tasks, DLL side-loading, or registry-based autoruns) that may not be detected in an initial full scan. Before returning affected endpoints to full production trust, re-validate all internally deployed software packages signed by Lenovo, Kingston, Shuttle Inc, or Palit Microsystems certificates against the current DigiCert revocation list, since the trust store disruption may have masked legitimate revocation checks during the outage window.
Key Forensic Artifacts
Windows AuthRoot certificate store registry export — HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates — capturing pre- and post-incident states to identify which DigiCert root thumbprints were removed by the Defender signature regression and whether any unauthorized certificates were introduced during the incident window
CAPI2 Operational Event Log (Applications and Services Logs\Microsoft\Windows\CAPI2\Operational) — Event IDs 11 (CertVerifyRevocation) and 30 (X509Objects) — recording certificate chain validation attempts and failures specific to DigiCert-anchored chains during the April 30 Defender signature regression and any Zhong Stealer execution attempts
Windows Defender Quarantine folder contents at C:\ProgramData\Microsoft\Windows Defender\Quarantine\ — containing VDM-encoded copies of payloads detected as Trojan:Win32/Cerdigent.A!dha, recoverable via MpCmdRun.exe for static analysis to confirm whether detections were Zhong Stealer payloads or legitimate DigiCert-signed binaries misclassified by the faulty signature update
Prefetch files under C:\Windows\Prefetch\ for executables signed by the 60 compromised EV certificates — recording first and last execution timestamps, loaded DLL paths, and parent process context even if the Zhong Stealer payload was subsequently deleted or quarantined, establishing a definitive execution timeline
Sysmon Event ID 10 (ProcessAccess) targeting LSASS and Event ID 3 (NetworkConnect) from executables in user-writable directories (C:\Users, C:\ProgramData, C:\Temp) — capturing Zhong Stealer credential harvesting activity against Windows Credential Manager and browser stores, and outbound C2 connection metadata including destination IP, port, and initiating process image path
Detection Guidance
Two concurrent detection efforts are required for this campaign.
Defender False Positive (T1562.001 — Impair Defenses): Query the Microsoft-Windows-Windows Defender/Operational event log for Event ID 1116 (malware detected) and Event ID 1117 (remediation action taken) between April 30, 2026 and the date corrected signatures were deployed in your environment.
Filter for detections matching Trojan:Win32/Cerdigent.A!dha.
Correlate those events against certificate store change logs to identify endpoints where DigiCert root certificates were removed from the Windows AuthRoot store. Per NIST AU-2 (Event Logging), these event types must be captured in your defined logging scope. Per NIST AU-3 (Content Of Audit Records), each log entry must record what occurred, when, on which system, and by which process — verify your Defender log retention meets this standard. CIS 8.2 (Collect Audit Logs) requires logging to be enabled across enterprise assets; confirm Defender operational logs are being forwarded to your centralized log platform. Apply D3-SFA (System File Analysis) to monitor the Windows certificate store (specifically AuthRoot) for unauthorized removal or modification of trusted root entries.
Zhong Stealer Infostealer (T1553.002, T1588.003, T1195.001, T1195.002, T1105, T1059): Enumerate executables in your environment bearing EV code-signing signatures from the 60 revoked DigiCert certificates — cross-reference against DigiCert's official published revocation list (attribution of 27 specific certificates to Zhong Stealer is based on threat intelligence reporting; verify against primary DigiCert sources before acting). Monitor for infostealer behavioral indicators: access to browser credential stores, credential manager or keychain reads, data staging in user-writable or temp directories, and outbound connections to unfamiliar endpoints over non-standard ports. Per NIST AU-6 (Audit Record Review, Analysis, And Reporting), these behavioral patterns constitute indications of inappropriate activity requiring review. Use D3-ACA (Active Certificate Analysis) to actively collect and inspect certificates on endpoints for revoked or suspect EV signatures. Apply D3-FMBV (File Magic Byte Verification) to verify that file types match their declared extensions — signed malware payloads may misrepresent file type. Apply D3-LAM (Local Account Monitoring) to detect unauthorized local account activity consistent with post-execution credential harvesting (MITRE T1078). Per NIST AU-13 (Monitoring For Information Disclosure), monitor open-source and external sources for IOC disclosures tied to this campaign. Note: No file hashes or confirmed C2 addresses have been published in primary sources as of this article's publication; behavioral detection is the primary available method until IOCs are formally released.
Indicators of Compromise (2)
1 hash, 1 domain
HASH: not available (confidence LOW). No confirmed Zhong Stealer payload hashes are present in current source data. Absence should be treated as a detection gap, not a clearance.
DOMAIN: not available (confidence LOW). No confirmed C2 domains for Zhong Stealer are present in current source data.
Platform Playbooks
Playbooks are provided for Microsoft Sentinel / Defender, CrowdStrike Falcon, and AWS Security.
Microsoft 365 E3: 3 log sources. Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5: 18 log sources. Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel: 27 log sources. All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Query classification legend: Hard indicator (direct match); Contextual (behavioral query); Shared platform (review required).
MITRE ATT&CK Hunting Queries (5)
Sentinel rule: Suspicious PowerShell command line
KQL Query Preview
Read-only — detection query only
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Security tool tampering
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
"Set-MpPreference", "DisableRealtimeMonitoring",
"net stop", "sc stop", "sc delete", "taskkill /f",
"Add-MpPreference -ExclusionPath"
)
| where ProcessCommandLine has_any ("defender", "sense", "security", "antivirus", "firewall", "crowdstrike", "sentinel")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Suspicious file download
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileOriginUrl != ""
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Sentinel rule: Phishing email delivery
EmailEvents
| where Timestamp > ago(7d)
| where ThreatTypes has "Phish" or DetectionMethods has "Phish"
| summarize Attachments = make_set(AttachmentCount), Urls = make_set(UrlCount) by NetworkMessageId, Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, ThreatTypes
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
{
"type": "domain",
"value": "not available",
"source": "SCC Threat Intel",
"description": "No confirmed C2 domains for Zhong Stealer are present in current source data.",
"severity": "medium",
"action": "no_action",
"platforms": [
"windows",
"mac",
"linux"
],
"applied_globally": true,
"expiration": "2026-08-19T00:00:00Z"
}
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1059, T1078, T1562.001, T1195.001, T1553.002, T1588.003 (+3 more)
NIST SP 800-53: CM-7, SI-3, SI-4, SI-7, AC-2, AC-6 (+12 more)
OWASP Top 10: A08:2021, A02:2021, A07:2021, A01:2021
MITRE ATT&CK Mapping
T1059: Command and Scripting Interpreter (execution)
T1078: Valid Accounts (defense-evasion)
T1562.001: Disable or Modify Tools (defense-evasion)
T1195.001: Compromise Software Dependencies and Development Tools (initial-access)
T1588.003: Code Signing Certificates (resource-development)
T1195.002: Compromise Software Supply Chain (initial-access)
T1105: Ingress Tool Transfer (command-and-control)
T1566.001: Spearphishing Attachment (initial-access)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.