Severity: HIGH
Priority: 0.854
Executive Summary
Cisco Talos has identified UAT-8302, a China-linked espionage group actively targeting government networks across South America and southeastern Europe. The group abuses Microsoft cloud services, OneDrive and the MS Graph API, as command-and-control channels, making malicious traffic difficult to distinguish from normal enterprise activity. Post-compromise activity focuses on Active Directory and hybrid identity infrastructure, creating risk of credential theft, persistent access, and potential spillover to cloud-connected environments.
Impact Assessment
CISA KEV Status: Not listed
Threat Severity: HIGH (prioritize for investigation)
Actor Attribution: HIGH (UAT-8302)
TTP Sophistication: HIGH (28 MITRE ATT&CK techniques identified)
Detection Difficulty: HIGH (multiple evasion techniques observed)
Target Scope (INFO): Government networks in South America and southeastern Europe; Microsoft OneDrive and MS Graph API (abused for C2); Microsoft Active Directory; Azure AD Connect / Entra ID Connect; MobaXterm; Windows endpoints in government environments
Are You Exposed?
⚠ Your industry is targeted by UAT-8302 → Heightened risk
⚠ You use products or services in the target scope above (Microsoft OneDrive and MS Graph API, Microsoft Active Directory, Azure AD Connect / Entra ID Connect, MobaXterm, Windows endpoints in government environments) → Assess exposure
⚠ 28 attack techniques identified — review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators.
Business Context
A sustained breach of government network identity infrastructure — specifically Active Directory and hybrid cloud identity systems — gives attackers the ability to impersonate any user, access classified or sensitive data, and maintain long-term undetected presence. If identity systems are compromised, every downstream application and data store must be treated as potentially accessed, creating broad incident response costs and regulatory notification obligations under frameworks governing government data handling. For organizations in southeastern Europe or South America with government contracts or data-sharing relationships, the risk extends to third-party liability and diplomatic or reputational consequences if sensitive government data is exfiltrated.
You Are Affected If
You operate Windows-based government networks in South America or southeastern Europe
Your environment uses Azure AD Connect or Entra ID Connect to synchronize on-premises Active Directory with Microsoft Entra ID
Microsoft OneDrive and MS Graph API are accessible from endpoints on your government network without application-level restrictions
MobaXterm or similar terminal emulators are deployed on Windows endpoints in your environment
You have not deployed behavioral detection or EDR coverage on domain controllers and Azure AD Connect servers
Board Talking Points
A Chinese state-sponsored espionage group is actively targeting government networks by hiding inside Microsoft cloud services your organization already uses, making the intrusion difficult to detect with standard controls.
Security operations teams should begin an immediate audit of cloud identity and Microsoft 365 activity logs, and restrict MS Graph API access to approved applications, within the next 72 hours.
Without action, attackers could maintain persistent, undetected access to government systems and exfiltrate sensitive data for months — as observed in prior campaigns by related groups.
Business Risk
Likelihood: MODERATE
Impact: VERY HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because exploitation is not confirmed in this item and UAT-8302 conducts targeted espionage against government networks specifically; general enterprise exposure is real, but the group's targeting criteria narrow the immediate probability for any single organization. Impact is very high because successful compromise of Active Directory and hybrid identity infrastructure eliminates trust boundaries across every downstream system and data store, making the full scope of access unquantifiable and recovery exceptionally costly and prolonged.
Treatment rationale: The threat involves a persistent, state-linked adversary exploiting identity infrastructure in a way that cannot be insured away or avoided without abandoning hybrid cloud architecture — active control hardening and detection investment is the only viable primary response.
Third-Party / Supply-Chain Risk
Microsoft OneDrive and MS Graph API are abused as C2 channels, meaning malicious traffic rides a legitimate Microsoft-managed cloud service. Organizations relying on Microsoft's shared cloud infrastructure (Azure AD Connect / Entra ID Connect) inherit the risk that adversary activity is indistinguishable from normal Microsoft service traffic at the network perimeter. NIST SP 800-161 framing: the shared-platform dependency on Microsoft cloud identity services creates an external exposure vector that the consuming organization cannot directly control or monitor at the service layer — vendor-side telemetry and Microsoft Sentinel or Defender signals become critical compensating controls. Azure AD Connect / Entra ID Connect specifically represents a high-value on-premises-to-cloud trust bridge; compromise of this component exposes both on-premises AD and cloud identity simultaneously.
Loss Exposure (illustrative)
Magnitude: Very high — illustrative $5M–$50M+ for a mid-to-large government agency or government contractor, driven by identity infrastructure recovery, forensic scope assessment across all downstream systems, mandatory notification, and operational disruption during containment
Frequency: Illustrative: for a government organization with internet-exposed hybrid identity infrastructure and Microsoft cloud dependency matching UAT-8302 targeting criteria, initial access attempts are plausible at least annually; successful compromise leading to material loss modeled as a lower-frequency tail event — illustratively once per 10–20 year exposure window per organization, though the group is actively expanding across continents
Annualized: Illustrative ALE: ($5M–$50M loss magnitude) × (0.05–0.10 annual probability for an in-scope organization) = illustrative $250K–$5M annualized exposure; this range widens significantly if identity compromise triggers full enterprise re-provisioning or classified data spillage
Basis: Loss magnitude anchored to identity-infrastructure compromise scope: full AD and hybrid identity recovery requires forensic investigation of all connected systems (scope is unbounded until proven otherwise), credential reset at enterprise scale, potential cloud tenant remediation, and regulatory engagement — these cost drivers are structural to this threat class, not generic. Frequency derived from UAT-8302's documented multi-continent targeting pattern and the group's use of living-off-the-land techniques that reduce detection probability, increasing dwell time and therefore loss severity. No external report figures cited.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Credential theft and unauthorized access to government or sensitive personnel data may invoke breach-notification obligations under applicable data protection statutes — verify with counsel.
• Sustained unauthorized access to hybrid identity infrastructure may trigger cyber-insurance notice obligations and could affect coverage applicability if timely notification requirements are not met — verify with broker and counsel.
• If the affected environment processes data subject to government security classification or controlled unclassified information (CUI) handling requirements, incident reporting obligations to oversight bodies may apply — verify with counsel.
Technical Analysis
UAT-8302 is a China-nexus APT conducting long-term espionage operations against government entities, observed from late 2024 (South America) through 2025 (southeastern Europe).
The group deploys NetDraft, CloudSorcerer v3, VSHELL, and SNOWLIGHT, malware families with documented overlap across at least six other tracked China-nexus clusters, indicating shared tooling infrastructure or direct operational coordination.
Command-and-control is routed through Microsoft OneDrive and the MS Graph API (T1102.002, T1071.001), blending malicious traffic with legitimate cloud usage.
Post-compromise activity targets Active Directory (T1482, T1069.002, T1087.002) and Azure AD Connect / Entra ID Connect (T1003, T1550.001, T1552.001), enabling credential harvesting and hybrid identity persistence. Initial access and execution leverage Windows Command Shell and PowerShell (T1059.003, T1059.001). Lateral movement uses SMB/Windows Admin Shares (T1021.002) and valid accounts (T1078). DLL sideloading (T1574.002) and masquerading (T1036) are used for defense evasion.
Relevant weaknesses: CWE-494 (Download of Code Without Integrity Check), CWE-312 (Cleartext Storage of Sensitive Information), CWE-522 (Insufficiently Protected Credentials).
Note: CVE-2025-0994, referenced in preliminary source data, is a Trimble Cityworks deserialization vulnerability (CVSS 9.0) with no documented connection to this campaign and has been excluded from this report.
Severity is assessed as High based on campaign characteristics, target profile, post-compromise scope, and EPSS percentile (0.98879).
Source: Cisco Talos (https://blog.talosintelligence.com/uat-8302/).
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate to senior leadership, legal, and external IR retainer immediately if Azure AD Connect sync account compromise is confirmed, Azure AD tenant-level changes are detected (new Global Admin accounts, federated domain additions, or directory role assignments), or if any exfiltration of privileged credential material or PII from government endpoints is indicated — each condition triggers potential regulatory breach notification obligations and hybrid identity compromise requires tenant-level remediation authority beyond typical IR team scope.
Step 1: Containment — Audit Microsoft 365 and Entra ID audit logs immediately for anomalous OneDrive access patterns and MS Graph API calls from government endpoints. Restrict MS Graph API access to approved service principals using Conditional Access. Isolate endpoints exhibiting indicators associated with VSHELL, SNOWLIGHT, NetDraft, or CloudSorcerer v3. Enforce information flow restrictions between on-premises AD and cloud identity infrastructure. (Cite: NIST AC-4 — Information Flow Enforcement / NIST AC-20 — Use Of External Systems / CIS 8.2 — Collect Audit Logs / D3-UAP — User Account Permissions)
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST AC-3 (Access Enforcement)
NIST SI-4 (System Monitoring)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 4.4 (Implement and Manage a Firewall on Servers)
Compensating Control
Without a SIEM, use Microsoft's free Unified Audit Log via PowerShell: Connect-ExchangeOnline, then run Search-UnifiedAuditLog -RecordType SharePointFileOperation -Operations FileDownloaded,FileAccessed filtering on UserAgent strings and IP addresses outside known government IP ranges. For MS Graph API abuse, query Entra ID sign-in logs via Microsoft Graph Explorer (free) filtering on appDisplayName eq 'Microsoft Graph' with resourceDisplayName containing 'OneDrive'. Isolate flagged endpoints immediately using Windows Firewall rules via netsh advfirewall or Group Policy to block outbound 443 to Microsoft CDN ranges while preserving forensic state.
Preserve Evidence
Before containment, preserve: (1) Microsoft 365 Unified Audit Log exports filtered on OneDrive FileAccessed and FileDownloaded operations for the 90-day retention window — UAT-8302 uses OneDrive as a C2 staging area, so bulk download events from non-standard user agents are key indicators; (2) Entra ID sign-in logs showing MS Graph API OAuth token issuance to application registrations not in your approved app catalog — capture the appId, clientId, and resource fields; (3) Full memory image of any endpoint running MobaXterm at time of isolation, as SNOWLIGHT and NetDraft are delivered via DLL sideloading into MobaXterm process space; (4) Network capture (Wireshark on gateway) of TLS SNI fields to login.microsoftonline.com and graph.microsoft.com from affected endpoints to baseline normal vs. anomalous call frequency.
Step 2: Detection — Query Entra ID sign-in logs and Azure AD Connect sync logs for unexpected privileged sync account activity (T1078). Review Windows Security Event logs for Event IDs 4624 and 4648 on domain controllers and Azure AD Connect servers. Hunt for DLL sideloading patterns (T1574.002) using EDR telemetry, focusing on MobaXterm process trees and unsigned DLLs loaded by trusted binaries. Search for scheduled task creation (T1053.005) by non-standard accounts. Monitor local account activity for unauthorized access patterns. Analyze system files including authentication databases and configuration files for signs of tampering. (Cite: NIST AU-2 — Event Logging / NIST AU-3 — Content Of Audit Records / NIST AU-6 — Audit Record Review, Analysis, And Reporting / CIS 8.2 — Collect Audit Logs / D3-LAM — Local Account Monitoring / D3-SFA — System File Analysis)
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST AU-12 (Audit Record Generation)
NIST SI-4 (System Monitoring)
NIST IR-5 (Incident Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without EDR, deploy Sysmon (config: SwiftOnSecurity baseline minimum) and enable Event ID 7 (ImageLoaded) with signing status — filter for unsigned DLLs loaded by MobaXterm.exe (C:\Program Files (x86)\Mobatek\MobaXterm\). Query with: Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' | Where-Object {$_.Id -eq 7 -and $_.Message -match 'MobaXterm' -and $_.Message -match 'Signed: false'}. For scheduled task hunting (T1053.005), query Windows Security Event ID 4698 (scheduled task created) on all domain controllers: Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4698]]' | Select-Object TimeCreated, Message. For Azure AD Connect sync account abuse, extract MSOL_ or AAD_ prefixed account logons from DC Security logs using Event ID 4648 with SubjectUserName matching those patterns.
Preserve Evidence
Before completing detection sweeps, preserve: (1) Azure AD Connect server Application and System Event logs under C:\Windows\System32\winevt\Logs\ — UAT-8302 abuses the sync account's delegated rights, and Event ID 4648 with the MSOL_ sync account as SubjectUserName outside scheduled sync windows is a primary indicator; (2) Full Sysmon Event ID 1 (Process Create) logs showing MobaXterm.exe spawning child processes (cmd.exe, powershell.exe, or rundll32.exe) which is inconsistent with normal MobaXterm usage; (3) Windows Registry export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ to capture scheduled task XML definitions including hidden or obfuscated command lines used by UAT-8302 for persistence (T1053.005); (4) Entra ID App Registration audit logs showing any OAuth2 permission grant events in the 30 days prior to detection.
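A compact triage pass over constructed Windows event records, added here as an illustration and not part of the Talos report or the checklist above: it applies the four Step 2 indicators (Sysmon Event ID 7 unsigned loads into MobaXterm.exe, Sysmon Event ID 1 MobaXterm child shells, Security 4648 by MSOL_/AAD_ accounts away from the sync cadence, Security 4698 by accounts outside an allow-list). The 30-minute sync period, the 2-minute tolerance, the allow-list and every event value are assumptions.

```python
"""Triage of constructed Windows event records against the Step 2 indicators:
Sysmon 7 (unsigned DLL into MobaXterm.exe), Sysmon 1 (MobaXterm spawning a shell),
Security 4648 (MSOL_/AAD_ account used off-schedule), Security 4698 (task creator)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MOBAXTERM_DIR = r"C:\Program Files (x86)\Mobatek\MobaXterm"
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe"}
SYNC_PREFIXES = ("MSOL_", "AAD_")
SYNC_PERIOD = timedelta(minutes=30)     # assumption: default AAD Connect delta-sync cadence
SYNC_TOLERANCE = timedelta(minutes=2)   # assumption: acceptable drift around a sync tick
STANDARD_TASK_CREATORS = {"SYSTEM", "GOV\\svc_patching"}   # constructed allow-list


@dataclass(frozen=True)
class Event:
    log: str          # "Sysmon" or "Security"
    event_id: int
    time: datetime
    fields: dict      # only the event fields the checks need


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def unsigned_dll_in_mobaxterm(ev: Event):
    """Sysmon 7: an unsigned image loaded by MobaXterm.exe (T1574.002)."""
    if (ev.log, ev.event_id) != ("Sysmon", 7):
        return None
    loader = ev.fields.get("Image", "")
    if not loader.lower().startswith(MOBAXTERM_DIR.lower()):
        return None
    if ev.fields.get("Signed", "").lower() != "false":
        return None
    return f"T1574.002: unsigned {ev.fields.get('ImageLoaded')} loaded by {loader}"


def mobaxterm_spawns_shell(ev: Event):
    """Sysmon 1: MobaXterm.exe as the parent of cmd, powershell or rundll32."""
    if (ev.log, ev.event_id) != ("Sysmon", 1):
        return None
    if _basename(ev.fields.get("ParentImage", "")) != "mobaxterm.exe":
        return None
    child = _basename(ev.fields.get("Image", ""))
    return f"T1059: MobaXterm.exe spawned {child}" if child in SHELLS else None


def sync_account_off_schedule(ev: Event, sync_anchor: datetime):
    """Security 4648: sync-account credential use away from the periodic sync tick (T1078).
    sync_anchor is any known scheduled sync time; ticks repeat every SYNC_PERIOD from it."""
    if (ev.log, ev.event_id) != ("Security", 4648):
        return None
    user = ev.fields.get("SubjectUserName", "")
    if not user.startswith(SYNC_PREFIXES):
        return None
    offset = (ev.time - sync_anchor) % SYNC_PERIOD
    drift = min(offset, SYNC_PERIOD - offset)
    if drift <= SYNC_TOLERANCE:
        return None
    return f"T1078: {user} used credentials at {ev.time:%H:%M}, {drift} from a sync tick"


def task_by_nonstandard_account(ev: Event):
    """Security 4698: scheduled task created by an account outside the allow-list (T1053.005)."""
    if (ev.log, ev.event_id) != ("Security", 4698):
        return None
    creator = ev.fields.get("SubjectUserName", "")
    if creator in STANDARD_TASK_CREATORS:
        return None
    return f"T1053.005: task {ev.fields.get('TaskName')} created by {creator}"


CHECKS = (unsigned_dll_in_mobaxterm, mobaxterm_spawns_shell, task_by_nonstandard_account)


def triage(events, sync_anchor):
    """Run every check over the events in time order; return (time, finding) pairs."""
    findings = []
    for ev in sorted(events, key=lambda e: e.time):
        hits = [check(ev) for check in CHECKS] + [sync_account_off_schedule(ev, sync_anchor)]
        findings.extend((ev.time, hit) for hit in hits if hit)
    return findings


# Constructed sample: one known sync tick, then seven events (three benign, four suspicious).
T0 = datetime(2025, 3, 4, 9, 0)
EXE = MOBAXTERM_DIR + r"\MobaXterm.exe"
SAMPLE_EVENTS = [
    Event("Sysmon", 7, T0 + timedelta(minutes=1),
          {"Image": EXE, "ImageLoaded": MOBAXTERM_DIR + r"\signed_example.dll", "Signed": "true"}),
    Event("Sysmon", 7, T0 + timedelta(minutes=3),
          {"Image": EXE, "ImageLoaded": MOBAXTERM_DIR + r"\unsigned_example.dll", "Signed": "false"}),
    Event("Sysmon", 1, T0 + timedelta(minutes=4),
          {"ParentImage": EXE, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    Event("Security", 4648, T0 + timedelta(minutes=30, seconds=20),   # on the 09:30 tick
          {"SubjectUserName": "MSOL_0123456789ab"}),
    Event("Security", 4648, T0 + timedelta(minutes=47),               # 13 minutes off any tick
          {"SubjectUserName": "MSOL_0123456789ab"}),
    Event("Security", 4698, T0 + timedelta(minutes=50),
          {"SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"}),
    Event("Security", 4698, T0 + timedelta(minutes=52),
          {"SubjectUserName": "GOV\\jdoe", "TaskName": r"\ExampleTask"}),
]

if __name__ == "__main__":
    for when, finding in triage(SAMPLE_EVENTS, T0):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {finding}")
```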
Step 3: Eradication — Remove unauthorized scheduled tasks, DLL sideload artifacts, and identified malware components (NetDraft, CloudSorcerer v3, VSHELL, SNOWLIGHT) from affected endpoints. Verify removed software against the authorized software inventory. Reset and rotate credentials for all accounts with evidence of threat actor access, prioritizing Azure AD Connect sync accounts and domain admin accounts. Rotate secrets for any application registrations showing unauthorized MS Graph API consent. Disable or remove any unauthorized accounts discovered during investigation. (Cite: NIST AC-2 — Account Management / NIST AC-6 — Least Privilege / CIS 2.3 — Address Unauthorized Software / CIS 5.3 — Disable Dormant Accounts / CIS 6.2 — Establish an Access Revoking Process / D3-CRO — Credential Rotation / D3-CH — Credential Hardening)
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST SI-3 (Malicious Code Protection)
NIST IA-5 (Authenticator Management)
CIS 5.2 (Use Unique Passwords)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
Without enterprise credential management tooling, use the Microsoft free tool ADSIEdit or PowerShell to force-reset the MSOL_ or AAD_ sync account password: Set-ADAccountPassword -Identity 'MSOL_XXXXXXXXXX' -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'NewStrongPassword' -Force), then immediately re-sync via Azure AD Connect wizard. To remove unauthorized scheduled tasks identified in detection: schtasks /delete /tn 'TaskNameHere' /f on each affected endpoint. For DLL sideload artifact removal, verify MobaXterm installation directory (C:\Program Files (x86)\Mobatek\MobaXterm\) against known-good file hashes from vendor and delete unsigned DLLs not matching. Rotate MS Graph API application secrets via Entra ID portal under App Registrations > Certificates & Secrets — remove all client secrets not created by your team and generate new ones.
Preserve Evidence
Before eradication begins, preserve full forensic images of: (1) The MobaXterm installation directory including all DLLs — SNOWLIGHT and NetDraft are DLL sideloads and the malicious DLL files are primary eradication targets; (2) The scheduled task XML definitions exported from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ prior to deletion — these contain command-line arguments, encoded payloads, or staging paths used by UAT-8302 (T1053.005); (3) Prefetch files from C:\Windows\Prefetch\ for any executables launched from temp or user-writable directories indicating VSHELL or CloudSorcerer v3 staging activity; (4) Entra ID App Registration audit log showing the exact permissions granted to unauthorized app registrations before revocation — needed for post-incident assessment of data exposure scope.
Step 4: Recovery — Validate Azure AD Connect and Entra ID Connect configuration integrity against a known-good baseline. Analyze system initialization configurations to detect any persistence mechanisms re-introduced post-remediation (T1053.005). Re-enforce MFA for all privileged and externally-exposed accounts. Verify Conditional Access policy coverage across administrative and remote access paths. Monitor Entra ID and on-premises AD for re-emergence of lateral movement indicators (T1021.002, T1078) for a minimum of 30 days. Ensure audit log retention is sufficient to support ongoing post-incident review. (Cite: NIST AC-17 — Remote Access / NIST AU-11 — Audit Record Retention / CIS 6.3 — Require MFA for Externally-Exposed Applications / CIS 6.4 — Require MFA for Remote Network Access / CIS 6.5 — Require MFA for Administrative Access / D3-MFA — Multi-factor Authentication / D3-SICA — System Init Config Analysis)
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST CP-10 (System Recovery and Reconstitution)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST AC-2 (Account Management)
CIS 6.3 (Require MFA for Externally-Exposed Applications)
CIS 6.5 (Require MFA for Administrative Access)
Compensating Control
Without a commercial PAM or monitoring solution, use the free Microsoft Entra ID Workbooks (built into the Azure portal at no extra cost for P1 tenants) to create a persistent alert on sign-ins by accounts in the Global Administrator, Hybrid Identity Administrator, or Directory Synchronization Accounts roles from new locations or devices. For on-premises AD lateral movement (T1021.002 — SMB/Windows Admin Shares), enable Windows Security Event ID 5140 (network share accessed) auditing on DCs and file servers and alert on ADMIN$ or C$ access from non-admin workstations. Validate Azure AD Connect configuration integrity by running: Import-Module ADSync; Get-ADSyncScheduler and comparing connector account assignments against your pre-incident documentation.
Preserve Evidence
During recovery monitoring, continuously collect: (1) Entra ID sign-in logs filtered on the reset MSOL_ sync account and any new service principal activity — re-appearance of Graph API calls from these identities indicates reinfection or a missed persistence mechanism; (2) Windows Security Event ID 4624 logon Type 3 (network) and Type 10 (remote interactive) on domain controllers for accounts flagged during eradication, which would indicate UAT-8302 retained an undiscovered credential (T1078 — Valid Accounts); (3) SMB connection logs (Event ID 5140) on high-value servers for lateral movement using pass-the-hash or stolen Kerberos tickets consistent with T1021.002, which is UAT-8302's known post-compromise pivot technique.
Step 5: Post-Incident — Review cloud application consent policies to restrict MS Graph API delegated permissions to least-privilege (T1102.002, T1567.002). Assess whether the hybrid identity architecture introduces unacceptable lateral movement risk between on-premises and cloud environments. Map identified TTPs against your detection coverage using MITRE ATT&CK to identify blind spots in logging, alerting, and response playbooks. Ensure audit log collection is enabled and validated across all affected enterprise assets. Review account inventory to confirm all accounts used or created by the threat actor are removed or disabled. Update the documented vulnerability management and remediation processes to address hybrid identity attack paths. (Cite: NIST AC-6 — Least Privilege / NIST AU-2 — Event Logging / NIST AU-6 — Audit Record Review, Analysis, And Reporting / CIS 5.1 — Establish and Maintain an Inventory of Accounts / CIS 7.1 — Establish and Maintain a Vulnerability Management Process / CIS 7.2 — Establish and Maintain a Remediation Process / CIS 8.2 — Collect Audit Logs / D3-UAP — User Account Permissions)
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST RA-3 (Risk Assessment)
NIST AC-6 (Least Privilege)
NIST CM-6 (Configuration Settings)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
CIS 3.3 (Configure Data Access Control Lists)
Compensating Control
Without a threat intelligence platform, use the free MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) to manually annotate UAT-8302 TTPs confirmed in this incident: T1574.002 (DLL Sideloading via MobaXterm), T1053.005 (Scheduled Task persistence), T1078 (Valid Accounts — MSOL_ sync account), T1021.002 (SMB lateral movement), and T1102 (Web Service C2 via OneDrive/MS Graph). For hybrid identity risk assessment, run the free Microsoft tool AADInternals (PowerShell module) in a test environment to enumerate pass-through authentication agents and AD Connect connector accounts to identify the attack surface UAT-8302 exploited. Document app consent policy changes using Entra ID's built-in Permissions & Consent settings under Enterprise Applications — restrict user consent to verified publishers only.
Preserve Evidence
For the post-incident review, compile: (1) The full timeline of UAT-8302 MS Graph API OAuth token issuance events from Entra ID logs, showing which delegated permissions (Mail.Read, Files.ReadWrite, Directory.Read.All) were abused — this directly informs which API permission scopes must be restricted in the consent policy redesign; (2) The Azure AD Connect audit log showing all synchronization events during the compromise window, available at C:\ProgramData\AADConnect\ in trace log format, to determine whether the sync account was used to push unauthorized objects or attribute changes to Entra ID; (3) A completed ATT&CK Navigator layer file (.json) documenting which UAT-8302 techniques were detected by existing controls vs. those only discovered through manual investigation — this is the primary deliverable for the detection gap assessment.
Recovery Guidance
After eradication of UAT-8302 artifacts and credential rotation, validate Azure AD Connect health by running a full delta sync (Start-ADSyncSyncCycle -PolicyType Delta) and reviewing the sync log for unexpected object changes or connector errors that may indicate a residual foothold in the hybrid identity pipeline. Re-enable and enforce MFA via Conditional Access for all accounts in the Directory Synchronization Accounts, Global Administrator, and Hybrid Identity Administrator roles before restoring any suspended services, as UAT-8302's primary persistence vector relies on accounts without MFA enforcement. Maintain enhanced logging on Entra ID sign-in activity, MS Graph API application consent events, and on-premises DC Security logs for a minimum of 30 days, given UAT-8302's demonstrated pattern of re-entry through previously compromised credentials after initial remediation.
Key Forensic Artifacts
Microsoft 365 Unified Audit Log — OneDrive FileAccessed and FileDownloaded operations with anomalous UserAgent strings or high-frequency access patterns from government endpoints, directly evidencing UAT-8302's use of OneDrive as a C2 staging channel
Entra ID Sign-In Logs — MS Graph API OAuth2 token issuance records showing appId, resourceDisplayName, and delegated permission scopes for unauthorized application registrations used by UAT-8302 to authenticate C2 callbacks through legitimate Microsoft infrastructure
Azure AD Connect trace logs at C:\ProgramData\AADConnect\ and Windows Security Event ID 4648 on the Azure AD Connect server — evidence of MSOL_ or AAD_ sync account credential abuse, which is UAT-8302's known path from on-premises AD compromise to Entra ID tenant-level access
MobaXterm installation directory DLL inventory (C:\Program Files (x86)\Mobatek\MobaXterm\) with file hashes compared against vendor-published manifest — unsigned or anomalous DLLs in this path are the primary artifacts of SNOWLIGHT and NetDraft delivery via T1574.002 DLL sideloading
Windows Registry export of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\ and corresponding Sysmon Event ID 1 process creation logs — captures the scheduled task persistence mechanism (T1053.005) used by UAT-8302, including encoded command lines, staging paths, and execution timestamps linking tasks to malware component activity
Detection Guidance
Detection for UAT-8302 activity requires monitoring across five surfaces, grounded in the following KB-verified controls.
1. Microsoft 365 and Entra ID Audit Logs (T1102.002, T1567.002): Enable and collect audit logs per CIS 8.2 and NIST AU-2. Review logs per NIST AU-6 for MS Graph API calls from unexpected source IPs or service principals, particularly to OneDrive endpoints outside normal business hours. NIST AU-3 requires records to capture what occurred, when, where, and who initiated the action — verify your log schema includes service principal identity, source IP, and resource accessed. Apply D3-PBWSAM (Proxy-based Web Server Access Mediation) to route and inspect outbound Graph API and OneDrive traffic through a proxy for behavioral baselining.
2. Azure AD Connect Server Logs (T1078, T1003): Monitor Azure AD Connect sync logs for unexpected sync account logins, password hash sync anomalies, and configuration changes. Apply D3-SFA (System File Analysis) to monitor AD Connect configuration files and authentication databases for unauthorized modification. Use D3-LAM (Local Account Monitoring) to detect unauthorized local account activity on the AD Connect server, which is a high-value lateral movement target. NIST AU-6 requires regular review of these logs for indicators of inappropriate activity.
3. Windows Security Event Logs on Domain Controllers (T1078, T1550.001, T1069.002, T1087.002): Collect Event IDs 4624 (logon), 4648 (explicit credential use), 4728, 4732, 4756 (group membership changes), 4769 (Kerberos service ticket requests at high volume), and 4776 (NTLM authentication) per NIST AU-2 and CIS 8.2. NIST AU-3 requires timestamps and outcome fields — confirm these are populated. Apply D3-LAM to detect unauthorized account access patterns. Retain these logs per NIST AU-11 to support post-incident analysis across the observed campaign window (late 2024 through 2025).
4. EDR and Endpoint Telemetry (T1574.002, T1059.001, T1059.003, T1027, T1053.005): Hunt for MobaXterm spawning unexpected child processes, unsigned DLLs loaded via sideloading, and PowerShell or cmd.exe executing encoded or obfuscated commands. Apply D3-SFA to detect unauthorized modifications to executables and configuration files used in sideloading chains. Apply D3-FMBV (File Magic Byte Verification) to identify files where the extension has been manipulated to disguise malware components (NetDraft, SNOWLIGHT, VSHELL). Hunt for scheduled task creation by non-standard accounts per T1053.005 — correlate with NIST AU-2 event logging requirements covering process and scheduled task events. Apply D3-SICA (System Init Config Analysis) to detect persistence via startup configuration modifications.
5. Network Traffic (T1071.001, T1567.002, T1105): Apply D3-PBWSAM and D3-EBWSAM (Endpoint-based Web Server Access Mediation) to identify recurring HTTPS connections to OneDrive and Graph API endpoints at regular, beaconing intervals from government-network hosts — this pattern indicates C2 over legitimate cloud services. NIST AC-4 (Information Flow Enforcement) provides the control basis for restricting and inspecting information flows between endpoints and external cloud services. Restrict access to MS Graph API and OneDrive to approved, inventoried service principals and user accounts per NIST AC-20 (Use Of External Systems) and enforce these restrictions at the proxy layer.
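An added illustration, not from the Talos report: the beaconing heuristic described in item 5 (and the proxy baselining in item 1) run over constructed proxy log lines, scoring each client/server-name/process series by the coefficient of variation of its connection gaps. The log format, the treatment of *-my.sharepoint.com as OneDrive, the six-connection minimum and the 0.15 jitter threshold are assumptions.

```python
"""Beaconing check over constructed proxy log lines: flags a client/process pair that
reaches Graph or OneDrive endpoints at near-constant intervals, the pattern item 5
describes for C2 over legitimate cloud services."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

GRAPH_HOSTS = {"graph.microsoft.com", "login.microsoftonline.com"}
ONEDRIVE_SUFFIX = "-my.sharepoint.com"   # assumption: OneDrive for Business personal sites


def is_cloud_c2_candidate(sni: str) -> bool:
    """Only the Microsoft endpoints the campaign abuses are scored."""
    return sni in GRAPH_HOSTS or sni.endswith(ONEDRIVE_SUFFIX)


def parse_proxy_log(text: str):
    """Constructed line format: '<ISO timestamp> <client> <server-name> <process>'."""
    records = []
    for line in text.strip().splitlines():
        ts, client, sni, process = line.split()
        records.append((datetime.fromisoformat(ts), client, sni, process))
    return records


def jitter_ratio(intervals):
    """Coefficient of variation of the gaps between connections: close to 0 for a
    fixed-period beacon, well above 1 for bursty, human-driven traffic."""
    m = mean(intervals)
    return pstdev(intervals) / m if m else float("inf")


def find_beacons(log_text: str, min_events: int = 6, max_jitter: float = 0.15):
    """Group connections per (client, server-name, process) and report regular series."""
    series = defaultdict(list)
    for ts, client, sni, process in parse_proxy_log(log_text):
        if is_cloud_c2_candidate(sni):
            series[(client, sni, process)].append(ts)
    findings = []
    for (client, sni, process), times in series.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = jitter_ratio(gaps)
        if jitter <= max_jitter:
            findings.append({"client": client, "sni": sni, "process": process,
                             "connections": len(times), "period_s": round(mean(gaps), 1),
                             "jitter": round(jitter, 3)})
    return sorted(findings, key=lambda f: f["jitter"])


# Constructed sample: WS07's "updater.exe" polls OneDrive every ~5 minutes; WS01's browser
# use of Graph is bursty; WS02 talks to an unrelated host and is never scored.
SAMPLE_LOG = """
2025-03-04T10:00:00 WS07 gov-tenant-my.sharepoint.com updater.exe
2025-03-04T10:05:00 WS07 gov-tenant-my.sharepoint.com updater.exe
2025-03-04T10:09:58 WS07 gov-tenant-my.sharepoint.com updater.exe
2025-03-04T10:15:01 WS07 gov-tenant-my.sharepoint.com updater.exe
2025-03-04T10:20:02 WS07 gov-tenant-my.sharepoint.com updater.exe
2025-03-04T10:25:01 WS07 gov-tenant-my.sharepoint.com updater.exe
2025-03-04T10:30:01 WS07 gov-tenant-my.sharepoint.com updater.exe
2025-03-04T10:35:03 WS07 gov-tenant-my.sharepoint.com updater.exe
2025-03-04T10:01:12 WS01 graph.microsoft.com msedge.exe
2025-03-04T10:01:15 WS01 graph.microsoft.com msedge.exe
2025-03-04T10:01:16 WS01 graph.microsoft.com msedge.exe
2025-03-04T10:14:40 WS01 graph.microsoft.com msedge.exe
2025-03-04T10:31:05 WS01 graph.microsoft.com msedge.exe
2025-03-04T10:31:06 WS01 graph.microsoft.com msedge.exe
2025-03-04T10:02:00 WS02 updates.example.net svchost.exe
"""

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} {f['process']} -> {f['sni']}: {f['connections']} connections, "
              f"period {f['period_s']}s, jitter {f['jitter']}")
```

A real deployment would feed the same function from proxy or firewall SNI logs and tune `max_jitter` against a baseline of the OneDrive sync client's own polling, which is itself periodic.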
Note on KB coverage gaps: The KB does not include NIST SI-family controls (e.g., SI-3 for malware protection, SI-4 for system monitoring) or IR-family controls, which would normally be cited for endpoint malware detection and incident response procedures. The citations above are limited to controls verified in the provided KB reference data.
Indicators of Compromise (1)
1 domain
Platform Playbooks: Microsoft Sentinel / Defender (other playbook tabs: CrowdStrike Falcon, AWS Security)
Microsoft 365 E3 (3 log sources): Basic identity + audit. No endpoint advanced hunting. Defender for Endpoint requires separate P1/P2 license.
Microsoft 365 E5 (18 log sources): Full Defender suite: Endpoint P2, Identity, Office 365 P2, Cloud App Security. Advanced hunting across all workloads.
E5 + Sentinel (27 log sources): All E5 tables + SIEM data (CEF, Syslog, Windows Security Events, Threat Intelligence). Analytics rules, playbooks, workbooks.
Query legend: Hard indicator (direct match); Contextual (behavioral query); Shared platform (review required)
MITRE ATT&CK Hunting Queries (9)
Sentinel rule: Suspicious PowerShell command line
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Sign-ins from unusual locations
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| summarize Locations = make_set(Location), LoginCount = count(), DistinctIPs = dcount(IPAddress) by UserPrincipalName
| where array_length(Locations) > 3 or DistinctIPs > 5
| sort by DistinctIPs desc
Sentinel rule: Suspicious scheduled task creation
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "schtasks.exe"
| where ProcessCommandLine has "/create"
| where ProcessCommandLine has_any ("/sc minute", "/sc hourly", "powershell", "cmd /c", "http", "\\\\", "frombase64")
| project Timestamp, DeviceName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Lateral movement via RDP / SMB / WinRM
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (3389, 5985, 5986, 445, 135)
| where LocalIP != RemoteIP
| summarize ConnectionCount = count(), TargetDevices = dcount(RemoteIP) by DeviceName, InitiatingProcessFileName
| where ConnectionCount > 10 or TargetDevices > 3
| sort by TargetDevices desc
Sentinel rule: Unusual C2 communication patterns
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Process name masquerading
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe")
| where not (FolderPath startswith "C:\\Windows\\System32" or FolderPath startswith "C:\\Windows\\SysWOW64" or FolderPath startswith "C:\\Windows\\WinSxS")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Credential dumping / LSASS access
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("procdump.exe", "mimikatz.exe", "sekurlsa.exe")
or ProcessCommandLine has_any ("lsass", "sekurlsa", "logonpasswords", "sam hive", "ntds.dit", "dcsync")
or (FileName =~ "rundll32.exe" and ProcessCommandLine has "comsvcs.dll")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Sentinel rule: Encoded command execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious file download
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileOriginUrl != ""
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileOriginUrl, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
Falcon API IOC Import Payload (1 indicator)
POST to /indicators/entities/iocs/v1 — Weak/benign indicators pre-filtered. Expiration set to 90 days.
[
  {
    "type": "domain",
    "value": "Not publicly disclosed at time of writing",
    "source": "SCC Threat Intel",
    "description": "Cisco Talos report did not publish specific IOCs in the source reviewed; monitor Talos threat intelligence feeds for updates",
    "severity": "medium",
    "action": "no_action",
    "platforms": [
      "windows",
      "mac",
      "linux"
    ],
    "applied_globally": true,
    "expiration": "2026-09-17T00:00:00Z"
  }
]
No hard IOCs available for AWS detection queries (contextual/benign indicators excluded).
Compliance Framework Mappings
MITRE ATT&CK: T1059.003, T1078, T1567.002, T1059.001, T1560, T1053.005 (+22 more)
NIST SP 800-53: CM-7, SI-3, SI-4, AC-2, AC-6, IA-2 (+5 more)
OWASP Top 10 (2021): A08:2021, A04:2021, A07:2021
HIPAA Security Rule (45 CFR): 164.308(a)(5)(ii)(D), 164.312(d)
MITRE ATT&CK Mapping
T1078 Valid Accounts (defense-evasion)
T1567.002 Exfiltration to Cloud Storage (exfiltration)
T1560 Archive Collected Data (collection)
T1046 Network Service Discovery (discovery)
T1021.002 SMB/Windows Admin Shares (lateral-movement)
T1059 Command and Scripting Interpreter (execution)
T1550.001 Application Access Token (defense-evasion)
T1552.001 Credentials In Files (credential-access)
T1016 System Network Configuration Discovery (discovery)
T1083 File and Directory Discovery (discovery)
T1102.002 Bidirectional Communication (command-and-control)
T1047 Windows Management Instrumentation (execution)
T1036 Masquerading (defense-evasion)
T1003 OS Credential Dumping (credential-access)
T1027 Obfuscated Files or Information (defense-evasion)
T1018 Remote System Discovery (discovery)
T1555 Credentials from Password Stores (credential-access)
T1482 Domain Trust Discovery (discovery)
T1105 Ingress Tool Transfer (command-and-control)
T1057 Process Discovery (discovery)
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.