Severity: CRITICAL
CVSS: 9.5
Priority: 0.850
Executive Summary
Three versions of the widely used node-ipc npm package (9.1.6, 9.2.3, 12.0.1) were compromised following an account takeover and are actively stealing credentials from any system that installed them. The malicious code harvests cloud provider keys, CI/CD secrets, container credentials, SSH keys, and browser tokens, then exfiltrates them via DNS tunneling, a method that bypasses most conventional network monitoring. With roughly 690,000 weekly downloads, any organization running Node.js build pipelines, CI/CD systems, or applications with node-ipc as a direct or transitive dependency faces material risk of credential theft and downstream cloud infrastructure compromise.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: CRITICAL (Critical severity — immediate action required)
Actor Attribution: HIGH. Unknown — external account takeover actor (attributed to compromise of 'atiertant' npm account; no named group attribution available as of publication)
TTP Sophistication: HIGH. 13 MITRE ATT&CK techniques identified
Detection Difficulty: HIGH. Multiple evasion techniques observed
Target Scope: INFO. node-ipc npm package versions 9.1.6, 9.2.3, 12.0.1; credential targets include AWS, Azure, GCP, OCI, DigitalOcean, Kubernetes, Docker, Helm, Terraform, npm, GitHub, GitLab, Git CLI, macOS Keychain, Firefox, Microsoft Teams
Business Context
If credentials were stolen, attackers gain direct access to your cloud infrastructure — they can provision resources, exfiltrate data, or destroy environments entirely, generating costs and outages that can surface within hours of compromise. CI/CD pipeline credential theft specifically enables attackers to inject malicious code into your own software releases, converting your build system into a vector against your customers. Depending on what data your cloud workloads process, a resulting breach may trigger notification obligations under GDPR, state privacy laws, or sector-specific regulations.
You Are Affected If
You have node-ipc versions 9.1.6, 9.2.3, or 12.0.1 installed as a direct or transitive dependency in any Node.js project, CI/CD pipeline, or container image
Your CI/CD runners, build servers, or Node.js application hosts have cloud provider credential files, kubeconfig, Docker config, or SSH keys present in standard home-directory paths
You use 'npm install' without lockfile enforcement (i.e., without 'npm ci'), allowing dependency resolution to pull compromised versions without pinning
Your network egress controls monitor HTTP/HTTPS traffic but do not inspect or restrict DNS TXT record queries from internal hosts
You have not audited transitive dependencies for node-ipc — it is a dependency of several widely used packages and may be present without appearing in your top-level package.json
Board Talking Points
A widely used software component installed in Node.js build pipelines was compromised by an external attacker and is actively stealing cloud access credentials from any system that ran the affected versions.
Engineering and security teams should audit all build pipelines and Node.js applications for the affected versions within 24 hours and rotate any credentials that may have been exposed.
Organizations that do not act risk unauthorized access to cloud infrastructure — enabling data theft, service disruption, or fraudulent resource usage that may not be detected until significant damage has occurred.
GDPR — credential theft enabling cloud infrastructure access may constitute a personal data breach if affected systems process EU resident data, triggering 72-hour notification obligations under Article 33
PCI-DSS — if compromised CI/CD pipelines or cloud credentials have access to cardholder data environments, this event may require breach assessment under PCI-DSS Requirement 12.10
HIPAA — if affected Node.js applications or cloud workloads handle protected health information, unauthorized access via stolen credentials constitutes a reportable security incident under the HIPAA Security Rule
Technical Analysis
Three malicious versions of the node-ipc npm package were published after an attacker compromised the 'atiertant' npm account (an inactive maintainer).
Affected versions: 9.1.6, 9.2.3, and 12.0.1.
The embedded infostealer targets an unusually broad credential surface: AWS (~/.aws/credentials, config), Azure (~/.azure/), GCP (~/.config/gcloud/), OCI (~/.oci/), DigitalOcean (~/.config/doctl/), Kubernetes (~/.kube/config), Docker (~/.docker/config.json), Helm (~/.helm/), Terraform (.terraform/ state and variable files), npm (~/.npmrc), GitHub/GitLab tokens, Git CLI credentials (~/.gitconfig, ~/.git-credentials), SSH private keys (~/.ssh/), macOS Keychain entries, Firefox stored credentials, and Microsoft Teams tokens.
Exfiltration uses DNS TXT record queries (MITRE T1048.003), a technique that evades security controls focused exclusively on HTTP/HTTPS egress.
Relevant CWEs: CWE-506 (Embedded Malicious Code), CWE-494 (Download of Code Without Integrity Check), CWE-522 (Insufficiently Protected Credentials), CWE-312 (Cleartext Storage of Sensitive Information).
MITRE ATT&CK techniques include T1195.002 (Compromise Software Supply Chain), T1083 (File and Directory Discovery), T1555/T1555.003 (Credentials from Password Stores / Credentials from Web Browsers), T1552.001 (Credentials in Files), T1552.004 (Private Keys), T1041 (Exfiltration Over C2 Channel), T1048.003 (Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, here DNS), T1027 (Obfuscated Files or Information), T1078.004 (Valid Accounts: Cloud Accounts), T1560.001 (Archive Collected Data: Archive via Utility), T1199 (Trusted Relationship), T1195.001 (Compromise Software Dependencies and Development Tools).
No CVE has been assigned as of publication. Safe versions are any release predating 9.1.6 that was not subsequently replaced, or versions published after the malicious versions were removed; verify via 'npm audit' and the package's official advisory.
Action Checklist
Triage Priority: IMMEDIATE
Escalate to CISO, legal counsel, and breach notification review immediately if audit logs confirm any exfiltrated credential was used to access systems storing PII, PHI, or PCI data, or if cloud provider logs show unauthorized resource creation, data exfiltration, or IAM privilege escalation using the compromised keys — any of these conditions likely triggers mandatory breach notification under GDPR Article 33, HIPAA §164.400, or applicable state breach laws.
1. Containment: immediately run 'npm list node-ipc' across all Node.js projects, CI/CD pipeline dependencies, and container images to identify installations of versions 9.1.6, 9.2.3, or 12.0.1; isolate any build system or runtime that has executed one of these versions pending credential rotation.
Framework references (Containment): NIST 800-61r3 §3.3 — Containment Strategy; NIST IR-4 (Incident Handling); NIST SI-3 (Malicious Code Protection); NIST CM-2 (Baseline Configuration); CIS 2.3 (Address Unauthorized Software); CIS 4.6 (Securely Manage Enterprise Assets and Software).
Compensating Control: Run 'npm list node-ipc 2>/dev/null | grep -E "9\.1\.6|9\.2\.3|12\.0\.1"' in each project directory; locate candidate projects across the host with 'find / -name package-lock.json 2>/dev/null | xargs grep -l "node-ipc"'. For container images, 'docker inspect <image> | grep -i node-ipc' only searches image metadata (labels, environment, history), so also search the layer contents with 'docker save <image> | tar -xO | grep node-ipc'. Network-isolate affected build runners by blocking egress at the host firewall with 'iptables -I OUTPUT -j DROP' (this also drops loopback traffic and your own remote session, so insert accept rules for 'lo' and your management path ahead of it) or Windows Firewall 'netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound' until credential rotation is complete.
Preserve Evidence: Before isolating, capture: (1) full output of 'npm list node-ipc --all --json' to document the exact installed version and dependency chain; (2) process list snapshot ('ps aux' or 'Get-Process') showing any active Node.js processes that loaded node-ipc; (3) network connection state ('ss -tunap' or 'netstat -anob') to capture any live DNS tunneling sessions in progress (UDP DNS queries leave no connection entry, so pair this with the packet capture in step 2); (4) filesystem timestamps on the node_modules/node-ipc/ directory — specifically mtime on the malicious payload files — using 'stat node_modules/node-ipc/*.js'; (5) container image manifest hashes ('docker inspect --format="{{.Id}}" <image>') for all images built after the malicious version publication window.
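A lockfile scanner that does what the containment step describes without relying on grep, as an added example (not code from the advisory or the node-ipc project). It parses package-lock.json in both the v1 and v2/v3 layouts and reports every installed copy of node-ipc with its install path, so a transitive copy nested under another package is caught; the sample lockfiles are constructed and "some-cli" is a hypothetical parent package.

```python
"""Scan an npm package-lock.json for the compromised node-ipc releases.

Added example, not code from the advisory or the node-ipc project.
Handles the lockfileVersion 1 layout (nested "dependencies" tree) and
the v2/v3 layout ("packages" map keyed by node_modules path), so a
transitive copy nested under another package is found even though it
never appears in package.json. The sample lockfiles are constructed;
"some-cli" is a hypothetical parent package.
"""
import json

MALICIOUS_VERSIONS = {"9.1.6", "9.2.3", "12.0.1"}   # from the advisory
TARGET = "node-ipc"


def _v1_entries(deps, prefix=""):
    """Walk a lockfileVersion 1 'dependencies' tree, yielding (path, name, version)."""
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        yield path, name, meta.get("version")
        yield from _v1_entries(meta.get("dependencies"), path + "/")


def _v2_entries(packages):
    """lockfileVersion 2/3: keys are install paths such as node_modules/a/node_modules/b."""
    for path, meta in packages.items():
        if not path:                       # "" is the root project itself
            continue
        # Aliased packages carry an explicit "name"; otherwise derive it from the path.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield path, name, meta.get("version")


def find_node_ipc(lock_text):
    """Return [(install_path, version, is_malicious)] for every node-ipc entry."""
    lock = json.loads(lock_text)
    if "packages" in lock:                 # v2 files carry both; "packages" is authoritative
        entries = _v2_entries(lock["packages"])
    else:
        entries = _v1_entries(lock.get("dependencies"))
    return [(path, version, version in MALICIOUS_VERSIONS)
            for path, name, version in entries if name == TARGET]


def is_affected(lock_text):
    """True if any installed node-ipc copy is one of the three malicious versions."""
    return any(bad for _, _, bad in find_node_ipc(lock_text))


# Constructed v3 lockfile: the project depends on "some-cli", which pulls in a
# nested malicious node-ipc, while a clean top-level copy also exists.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"some-cli": "^1.0.0"}},
        "node_modules/some-cli": {"version": "1.0.0",
                                   "dependencies": {"node-ipc": "^9.1.0"}},
        "node_modules/some-cli/node_modules/node-ipc": {"version": "9.1.6"},
        "node_modules/node-ipc": {"version": "9.1.5"},
    },
})

# Constructed v1 lockfile pinned to a clean transitive version.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "some-cli": {"version": "1.0.0",
                     "dependencies": {"node-ipc": {"version": "9.1.5"}}},
    },
})

if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for path, version, bad in find_node_ipc(text):
            print(f"[{label}] {path} {version} {'MALICIOUS' if bad else 'ok'}")
```

Point it at a real lockfile with `find_node_ipc(open("package-lock.json").read())`; a clean top-level pin does not clear a project if a nested copy is still malicious.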
2. Detection: query DNS logs for anomalous TXT record lookups originating from build servers, CI/CD runners, or Node.js application hosts; review SIEM for file access events touching ~/.aws/, ~/.kube/config, ~/.docker/config.json, ~/.ssh/, ~/.npmrc, ~/.git-credentials, and equivalent paths on affected hosts; cross-reference with npm install timestamps for the three malicious versions.
Framework references (Detection & Analysis): NIST 800-61r3 §3.2 — Detection and Analysis; NIST SI-4 (System Monitoring); NIST AU-6 (Audit Record Review, Analysis, and Reporting); NIST AU-2 (Event Logging); NIST AU-3 (Content of Audit Records); CIS 8.2 (Collect Audit Logs).
Compensating Control: Without SIEM: (1) DNS tunneling detection — run 'tcpdump -i any port 53 -w dns_capture.pcap' on build hosts and analyze with Wireshark filter 'dns.qry.type == 16' (TXT record type) to identify base64-encoded credential blobs in query names; (2) File access detection — deploy Sysmon with EventID 11 (FileCreate) and EventID 23 (FileDelete) targeting paths C:\Users\*\.aws\, C:\Users\*\.kube\, C:\Users\*\.docker\ (Sysmon does not record file reads, so these events catch staging or cleanup of harvested files; for read access, set a SACL on those directories and collect Security Event ID 4663 as in the evidence step below); on Linux use auditd rules: 'auditctl -w /home -p r -k credential_read' watches the whole tree recursively and is very noisy on busy hosts, so scope it to the credential directories, e.g. 'auditctl -w /home/<user>/.aws -p r -k credential_read'; (3) npm install timestamp correlation — parse the npm debug log at ~/.npm/_logs/ or %APPDATA%\npm-cache\_logs\ filtering for 'node-ipc' entries with timestamps matching versions 9.1.6, 9.2.3, or 12.0.1; (4) use osquery to detect credential file reads: 'SELECT * FROM file_events WHERE path LIKE "/home/%/.aws/%" AND time > <epoch_of_malicious_install>' (file_events only populates for paths listed under file_paths in the osquery configuration, so add the credential directories there first).
Preserve Evidence: Capture before analysis: (1) DNS resolver logs or pcap filtered for TXT queries with query names matching base64 patterns (regex: '[A-Za-z0-9+/]{20,}') from the affected host IPs — this is the primary exfiltration channel for this specific campaign; (2) Linux auditd logs (/var/log/audit/audit.log) or Windows Security Event Log Event ID 4663 (Object Access) for read operations on ~/.aws/credentials, ~/.aws/config, ~/.kube/config, ~/.docker/config.json, ~/.ssh/id_rsa, ~/.npmrc, ~/.git-credentials, and macOS Keychain files at ~/Library/Keychains/; (3) npm install logs from ~/.npm/_logs/ documenting the exact install timestamp of node-ipc 9.1.6, 9.2.3, or 12.0.1 to establish the credential exposure window; (4) shell history files (.bash_history, .zsh_history) from CI/CD runner accounts to identify what credentials were in scope during the execution window.
3. Eradication: pin node-ipc to a verified clean version in package.json and package-lock.json; run 'npm audit' and 'npm ci' (not 'npm install') to enforce lockfile integrity; remove and rebuild any container images that included the compromised versions; rotate ALL credentials that could have been resident on any affected host (see the full credential surface in the Technical Analysis).
Framework references (Eradication): NIST 800-61r3 §3.4 — Eradication; NIST SI-2 (Flaw Remediation); NIST SI-7 (Software, Firmware, and Information Integrity); NIST IA-5 (Authenticator Management); NIST CM-3 (Configuration Change Control); CIS 7.3 (Perform Automated Operating System Patch Management); CIS 7.4 (Perform Automated Application Patch Management).
Compensating Control: Credential rotation checklist for teams without secrets management tooling: (1) AWS — 'aws iam delete-access-key --user-name <user> --access-key-id <OLD_KEY> && aws iam create-access-key --user-name <user>' then update all pipeline environment variables (every pipeline still holding the old key fails until the variables are updated; to avoid that gap, create the new key first and delete the old one after cutover, or deactivate it meanwhile with 'aws iam update-access-key --user-name <user> --access-key-id <OLD_KEY> --status Inactive'); (2) Kubernetes — revoke and regenerate service account tokens: 'kubectl delete secret <sa-token-secret> -n <namespace>' for legacy long-lived token Secrets; on clusters issuing bound (projected) tokens there is no Secret to delete, so delete and recreate the ServiceAccount and restart the pods that use it; (3) Docker Hub — rotate access tokens at hub.docker.com/settings/security; (4) GitHub/GitLab — revoke all personal access tokens and deploy keys from the accounts whose .git-credentials or token files were resident on affected hosts; (5) npm — revoke publish tokens: 'npm token revoke <token>'; (6) SSH keys — remove compromised public keys from ~/.ssh/authorized_keys on all target systems and generate new keypairs. For container image integrity verification before rebuild, record the digest of the clean base image: 'docker inspect --format="{{index .RepoDigests 0}}" <image>' and validate it against the registry digest.
Preserve Evidence: Before eradicating, preserve: (1) a read-only snapshot of the malicious node-ipc package files (node_modules/node-ipc/services/ipc.js or equivalent payload file) with their hashes: 'find node_modules/node-ipc -name "*.js" -exec sha256sum {} + > malicious_file_hashes.txt' (the 'node_modules/node-ipc/**/*.js' glob form only works with bash globstar enabled) — these hashes constitute forensic evidence of the supply chain compromise; (2) the full package-lock.json before modification, capturing the resolved integrity hash for the malicious version; (3) a memory dump of any Node.js process that executed node-ipc (using 'gcore <pid>' on Linux) if the process is still running — this may contain decrypted credential values in heap; (4) container image layers ('docker save <image> > evidence_image.tar') before rebuilding, as the image history documents exactly which malicious version was embedded and when.
4. Recovery: after credential rotation, audit cloud provider access logs (AWS CloudTrail, Azure Activity Log, GCP Audit Logs) for unauthorized API calls or resource creation in the window following installation of the malicious version; re-enable CI/CD pipelines only after lockfile verification and image rebuild; monitor DNS logs for continued anomalous TXT queries as a residual indicator.
Framework references (Recovery): NIST 800-61r3 §3.5 — Recovery; NIST IR-4 (Incident Handling); NIST IR-5 (Incident Monitoring); NIST AU-6 (Audit Record Review, Analysis, and Reporting); NIST AU-11 (Audit Record Retention); NIST SI-4 (System Monitoring); CIS 7.1 (Establish and Maintain a Vulnerability Management Process).
Compensating Control: Without enterprise cloud monitoring: (1) AWS — 'aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=<compromised_key_user> --start-time <install_epoch>' filtering for CreateUser, AttachPolicy (recorded by CloudTrail as AttachUserPolicy/AttachRolePolicy), RunInstances, CreateBucket, GetSecretValue, and AssumeRole events; (2) GCP — 'gcloud logging read "protoPayload.authenticationInfo.principalEmail=<svc_account> AND timestamp>=<install_time>"' filtering for compute.instances.insert, storage.buckets.create, and secretmanager.versions.access; (3) Azure — query the Activity Log via 'az monitor activity-log list --start-time <install_date> --caller <compromised_principal>'; (4) for the CI/CD pipeline re-enablement gate, use a pre-commit hook or CI step that runs 'npm ci --dry-run' and validates the package-lock.json integrity hash against a known-good reference stored in a separate trusted location; (5) continue DNS TXT query monitoring with tcpdump or a network tap for 30 days post-rotation, as DNS tunneling beaconing may continue if any residual credential-bearing process was not identified.
Preserve Evidence: Collect before re-enabling pipelines: (1) AWS CloudTrail logs for the period from the node-ipc install timestamp to credential rotation completion, specifically filtering event names: GetCallerIdentity, AssumeRole, CreateUser, CreateAccessKey, PutBucketPolicy, GetSecretValue — these represent the highest-value API calls an attacker would make with exfiltrated AWS credentials; (2) Kubernetes API server audit logs (typically at /var/log/kube-apiserver-audit.log) for the same window, filtering for pod creation, secret reads, and cluster-admin binding events; (3) GitHub/GitLab API audit logs for any repository clones, secret reads, or webhook modifications using the compromised tokens; (4) DNS resolver query logs covering the full exposure window — export and retain for a minimum of 12 months under NIST AU-11 (Audit Record Retention) to support any downstream breach notification requirements.
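A triage script for the CloudTrail side of the recovery step, as an added example (not code from the advisory). It reads the JSON that 'aws cloudtrail lookup-events' prints, keeps only events made after the install time with an access key ID known to have been resident on an affected host, and returns the high-value API calls listed above; the access key IDs, timestamps and events are constructed placeholders.

```python
"""Triage 'aws cloudtrail lookup-events' output for use of exposed AWS keys.

Added example, not from the advisory. It reads the JSON the AWS CLI
prints, keeps events that occurred after the node-ipc install time and
were signed with an access key ID known to have been resident on an
affected host, and returns the high-value API calls the advisory lists.
The events, key IDs and timestamps below are constructed placeholders;
the record shape (EventTime, EventName, AccessKeyId, CloudTrailEvent) is
the one lookup-events returns.
"""
import json
from collections import Counter
from datetime import datetime

# High-value event names from the advisory's recovery guidance. CloudTrail records
# policy attachment as AttachUserPolicy / AttachRolePolicy rather than "AttachPolicy".
HIGH_VALUE = {"GetCallerIdentity", "AssumeRole", "CreateUser", "CreateAccessKey",
              "PutBucketPolicy", "GetSecretValue", "AttachUserPolicy",
              "AttachRolePolicy", "RunInstances", "CreateBucket"}


def triage(lookup_json, exposed_keys, install_time):
    """Return (EventTime, EventName, AccessKeyId, sourceIPAddress) tuples, oldest first,
    for high-value calls made with an exposed key at or after install_time."""
    since = datetime.fromisoformat(install_time)
    hits = []
    for ev in json.loads(lookup_json).get("Events", []):
        if datetime.fromisoformat(ev["EventTime"]) < since:
            continue
        if ev.get("AccessKeyId") not in exposed_keys or ev["EventName"] not in HIGH_VALUE:
            continue
        detail = json.loads(ev.get("CloudTrailEvent", "{}"))   # full record, JSON-encoded string
        hits.append((ev["EventTime"], ev["EventName"], ev["AccessKeyId"],
                     detail.get("sourceIPAddress", "?")))
    return sorted(hits)


def by_event(hits):
    """Count of hits per API call, for the incident timeline summary."""
    return dict(Counter(name for _, name, _, _ in hits))


def _event(time, name, key, src_ip):
    """One lookup-events record (constructed)."""
    return {"EventTime": time, "EventName": name, "AccessKeyId": key,
            "Username": "ci-deploy",
            "CloudTrailEvent": json.dumps({"eventName": name, "sourceIPAddress": src_ip})}


EXPOSED_KEYS = {"AKIA00000000EXAMPLE1"}          # placeholder, not a real key ID
INSTALL_TIME = "2024-05-01T10:00:00+00:00"       # when the malicious version was installed

# Constructed output: one call before the install (legitimate), two high-value calls
# from an unfamiliar address afterwards, one low-value call, and one with another key.
SAMPLE_LOOKUP = json.dumps({"Events": [
    _event("2024-05-01T09:00:00+00:00", "GetCallerIdentity", "AKIA00000000EXAMPLE1", "10.0.5.21"),
    _event("2024-05-01T10:07:00+00:00", "CreateAccessKey", "AKIA00000000EXAMPLE1", "203.0.113.9"),
    _event("2024-05-01T10:05:00+00:00", "GetCallerIdentity", "AKIA00000000EXAMPLE1", "203.0.113.9"),
    _event("2024-05-01T10:08:00+00:00", "ListBuckets", "AKIA00000000EXAMPLE1", "203.0.113.9"),
    _event("2024-05-01T10:09:00+00:00", "GetSecretValue", "AKIA00000000EXAMPLE2", "203.0.113.9"),
]})

if __name__ == "__main__":
    hits = triage(SAMPLE_LOOKUP, EXPOSED_KEYS, INSTALL_TIME)
    for h in hits:
        print(*h)
    print(by_event(hits))
```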
5. Post-Incident: implement npm package integrity controls: enforce 'npm ci' in all CI/CD pipelines, add a Software Composition Analysis (SCA) tool (e.g., Socket.dev, Snyk, Dependabot) to detect malicious package behavior before installation, restrict npm publish permissions using granular token scoping, and evaluate whether inactive maintainer accounts represent ongoing supply chain risk in your dependency tree.
Framework references (Post-Incident): NIST 800-61r3 §4 — Post-Incident Activity; NIST SI-2 (Flaw Remediation); NIST SI-7 (Software, Firmware, and Information Integrity); NIST SA-12 (Supply Chain Protection); NIST IR-8 (Incident Response Plan); NIST RA-3 (Risk Assessment); CIS 2.1 (Establish and Maintain a Software Inventory); CIS 2.2 (Ensure Authorized Software is Currently Supported); CIS 7.1 (Establish and Maintain a Vulnerability Management Process); CIS 7.2 (Establish and Maintain a Remediation Process).
Compensating Control: Free/low-cost supply chain hardening for resource-constrained teams: (1) npm package integrity — add 'npm ci' to every CI job definition and add 'package-lock.json' to branch protection rules requiring PR review before lockfile changes merge; (2) SBOM generation — run 'npm sbom --sbom-format cyclonedx > sbom.json' (available in npm >=v8.8) on each build to document the full dependency tree including transitive dependencies like node-ipc; (3) pre-install behavioral detection — integrate the Socket.dev free tier (socket.dev), which specifically detects credential harvesting and DNS tunneling behavior in npm packages before install; (4) maintainer account risk — use 'npm info <package> maintainers' and cross-reference maintainer accounts against the HaveIBeenPwned API for known credential breaches, specifically for packages in your dependency tree with >100k weekly downloads; (5) Sigma rule deployment — implement the Sigma rule for DNS TXT record exfiltration (available in the SigmaHQ/sigma repository, category: network) tuned to flag queries from build server IP ranges.
Preserve Evidence: Preserve for lessons-learned and potential regulatory reporting: (1) a complete timeline document mapping node-ipc version publication timestamp → first install on affected host → credential file access events → DNS TXT exfiltration traffic → credential rotation completion, with all timestamps in UTC; (2) the malicious payload source code from node_modules/node-ipc/ (hash-verified copy) as evidence of the account takeover mechanism and credential targeting logic; (3) a full list of all credential types confirmed resident on affected hosts at time of compromise — this list determines breach notification obligations if regulated data (PII, PHI, PCI) was accessible via the exfiltrated cloud or CI/CD credentials; (4) npm registry account access logs for the node-ipc maintainer account showing the account takeover event, requested via the npm security team (security@npmjs.com) if not publicly available.
Recovery Guidance
Do not re-enable any CI/CD pipeline until: (1) package-lock.json has been regenerated with a verified clean version of node-ipc pinned and the lockfile integrity hash validated against an out-of-band trusted reference, and (2) all credentials confirmed resident on affected hosts during the exposure window have been rotated and the old credentials confirmed revoked in the respective provider console. Monitor AWS CloudTrail, Azure Activity Log, GCP Audit Logs, and DNS TXT query logs continuously for a minimum of 30 days post-rotation, as threat actors who received exfiltrated credentials via DNS tunneling may defer exploitation to avoid detection — delayed use of stolen cloud keys or Kubernetes service account tokens is a documented post-supply-chain-compromise pattern. Retain all forensic artifacts and log exports for a minimum of 12 months to support any regulatory investigation or downstream customer notification obligations.
Key Forensic Artifacts
DNS resolver logs or pcap filtered for TXT record queries (Wireshark filter: dns.qry.type == 16) from build server and CI/CD runner IPs — the node-ipc malicious payload specifically used DNS TXT records as the exfiltration channel, so base64-encoded subdomains in TXT queries are the primary network-layer indicator of successful credential theft
npm debug and install logs at ~/.npm/_logs/ (Linux/macOS) or %APPDATA%\npm-cache\_logs\ (Windows) containing timestamped records of node-ipc 9.1.6, 9.2.3, or 12.0.1 installation, establishing the precise start of the credential exposure window
Linux auditd logs or Windows Security Event Log Event ID 4663 (Attempt to Access an Object) for file read operations targeting ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.ssh/id_rsa, ~/.npmrc, ~/.git-credentials, and ~/Library/Keychains/ — these paths are explicitly targeted by the node-ipc malicious payload's credential harvesting routine
Filesystem metadata (mtime, atime, ctime via 'stat') on node_modules/node-ipc/ payload files and the specific JavaScript files containing the credential harvesting and DNS tunneling code — timestamps confirm when the malicious code was written to disk relative to npm install events
Cloud provider API audit trails (AWS CloudTrail event history, GCP Cloud Audit Logs, Azure Activity Log) filtered for the IAM principals associated with credentials resident on affected hosts during the exposure window, specifically for high-value actions: AssumeRole, GetSecretValue, CreateUser, RunInstances, storage.objects.get, Microsoft.KeyVault/vaults/secrets/read — these logs establish whether exfiltrated credentials were subsequently exploited
Detection Guidance
Primary detection path: DNS logs.
Query for TXT record lookups from build servers, CI/CD runners, or Node.js application hosts to any external domain, especially high-frequency or automated-pattern queries, which are atypical for these systems.
Secondary path: file system access monitoring.
Look for processes associated with Node.js or npm accessing credential file paths including ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, ~/.ssh/id_rsa (and variants), ~/.npmrc, ~/.git-credentials, ~/.config/gcloud/application_default_credentials.json, ~/.azure/, and macOS Keychain access events. In CI/CD systems (GitHub Actions, GitLab CI, Jenkins), review job logs for unexpected network activity or file read operations during the build phase. SCA tools with behavioral analysis can provide pre-install detection for future variants. Specific DNS exfiltration domains were not confirmed in public sources at publication. Treat any anomalous TXT-record DNS egress from build/runtime hosts as suspicious pending further analysis.
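The primary detection path above, written out as code that runs over DNS query-log lines, as an added example (not from the advisory). It flags TXT lookups from build hosts whose labels look like encoded data, using the advisory's own '[A-Za-z0-9+/]{20,}' pattern plus an entropy check for base32/base64url encodings that pattern misses, and separately flags unusually frequent TXT lookups to one domain; the log format, the build-host range 10.0.5.0/24 and the query names are constructed, and because the advisory names no exfiltration domain the sample uses the reserved .invalid TLD.

```python
"""Flag DNS TXT queries from build hosts that look like credential exfiltration.

Added example, not from the advisory. It applies the two detection paths
the advisory describes to DNS query-log lines: TXT lookups whose labels
look like base64 (the advisory's own '[A-Za-z0-9+/]{20,}' pattern, plus an
entropy check for base32/base64url encodings that pattern misses) and
unusually frequent TXT lookups to one domain. The log format, the
build-host range 10.0.5.0/24 and the query names are constructed; the
advisory names no exfiltration domain, so the sample uses the reserved
.invalid TLD.
"""
import base64
import ipaddress
import math
import re
from collections import Counter

BUILD_NETS = [ipaddress.ip_network("10.0.5.0/24")]   # assumption: CI runner subnet
B64_LABEL = re.compile(r"[A-Za-z0-9+/]{20,}")         # pattern quoted in the advisory
FREQ_THRESHOLD = 5        # TXT lookups per (host, domain) before alerting
ENTROPY_THRESHOLD = 3.5   # bits per char; ordinary hostname labels sit well below this


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated character)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse_line(line):
    """Constructed log format: '<iso-ts> <src-ip> <qtype> <qname>'."""
    ts, src, qtype, qname = line.split()
    return {"ts": ts, "src": src, "qtype": qtype, "qname": qname.rstrip(".")}


def from_build_host(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BUILD_NETS)


def suspicious_labels(qname):
    """Labels of qname (excluding the registrable domain) that look like encoded data."""
    labels = qname.split(".")[:-2]
    return [l for l in labels
            if B64_LABEL.search(l)
            or (len(l) >= 16 and shannon_entropy(l) > ENTROPY_THRESHOLD)]


def detect(lines):
    """Return findings with reason 'encoded_label' or 'high_frequency'."""
    findings = []
    per_pair = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec["qtype"] != "TXT" or not from_build_host(rec["src"]):
            continue
        domain = ".".join(rec["qname"].split(".")[-2:])
        per_pair[(rec["src"], domain)] += 1
        bad = suspicious_labels(rec["qname"])
        if bad:
            findings.append({"src": rec["src"], "qname": rec["qname"],
                             "reason": "encoded_label", "labels": bad})
    for (src, domain), n in per_pair.items():
        if n >= FREQ_THRESHOLD:
            findings.append({"src": src, "qname": domain,
                             "reason": "high_frequency", "count": n})
    return findings


# Constructed sample traffic. The encoded label is base64 of a harmless string.
_ENCODED = base64.b64encode(b"constructed sample, not real data").decode().rstrip("=")
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.5.21 A registry.npmjs.org",                       # normal build traffic
    "2024-05-01T10:00:01Z 10.0.5.21 TXT _dmarc.example.com",                     # benign TXT lookup
    f"2024-05-01T10:00:02Z 10.0.5.21 TXT {_ENCODED}.c0.exfil-demo.invalid",      # encoded label
    f"2024-05-01T10:00:03Z 192.168.1.10 TXT {_ENCODED}.c0.exfil-demo.invalid",   # not a build host
] + [f"2024-05-01T10:01:{i:02d}Z 10.0.5.22 TXT beacon.exfil-demo.invalid" for i in range(6)]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Legitimate TXT lookups from build hosts (DMARC/SPF checks, ACME challenges) pass through untouched because their labels are short and their volume is low; tune FREQ_THRESHOLD to what your runners normally generate.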
Indicators of Compromise (4)
3 hashes, 1 domain
Type | Value | Context | Confidence
HASH | node-ipc@9.1.6 | Malicious npm package version — contains embedded infostealer with DNS exfiltration | HIGH
HASH | node-ipc@9.2.3 | Malicious npm package version — contains embedded infostealer with DNS exfiltration | HIGH
HASH | node-ipc@12.0.1 | Malicious npm package version — contains embedded infostealer with DNS exfiltration | HIGH
DOMAIN | [not confirmed in available sources] | DNS TXT exfiltration destination domains were not confirmed in T3 sources available at publication — monitor for anomalous TXT record queries from build/runtime hosts as a behavioral IOC | LOW
Platform Playbooks
MITRE ATT&CK Hunting Queries (4)
Sentinel rule: Sign-ins from unusual locations (KQL)
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Encoded command execution (KQL)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
    or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Supply chain / cross-tenant access (KQL)
SigninLogs
| where TimeGenerated > ago(7d)
| where HomeTenantId != ResourceTenantId
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, HomeTenantId, ResourceTenantId
| sort by TimeGenerated desc
Sentinel rule: Data exfiltration via unusual ports (KQL)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort !in (80, 443, 8080, 8443)
| where RemotePort > 0
| where InitiatingProcessFileName !in~ ("svchost.exe", "onedrive.exe", "teams.exe", "outlook.exe")
| summarize Connections = count() by DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
| where Connections > 100
| sort by Connections desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
  {
    "type": "domain",
    "value": "[not confirmed in available sources]",
    "source": "SCC Threat Intel",
    "description": "DNS TXT exfiltration destination domains were not confirmed in T3 sources available at publication \u2014 monitor for anomalous TXT record queries from build/runtime hosts as a behavioral IOC",
    "severity": "medium",
    "action": "no_action",
    "platforms": [
      "windows",
      "mac",
      "linux"
    ],
    "applied_globally": true,
    "expiration": "2026-08-14T00:00:00Z"
  }
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1195.002, T1083, T1078.004, T1027, T1555, T1555.003 (+7 more not shown)
NIST SP 800-53: CM-7, SA-9, SR-3, SI-7, SI-3, SI-4 (+5 more not shown)
OWASP Top 10 (2021): A04:2021, A07:2021, A08:2021
HIPAA Security Rule: 164.308(a)(5)(ii)(D), 164.312(d), 164.312(e)(1)
MITRE ATT&CK Mapping
T1195.002 Compromise Software Supply Chain (initial-access)
T1083 File and Directory Discovery (discovery)
T1027 Obfuscated Files or Information (defense-evasion)
T1555 Credentials from Password Stores (credential-access)
T1555.003 Credentials from Web Browsers (credential-access)
T1195.001 Compromise Software Dependencies and Development Tools (initial-access)
T1552.001 Credentials In Files (credential-access)
T1041 Exfiltration Over C2 Channel (exfiltration)
T1199 Trusted Relationship (initial-access)
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (exfiltration)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.