# [HIGH] Understanding Current Threats to Kubernetes Environments **Source:** Unit 42 (Palo Alto) **Published:** 2026-04-06 **Article:** https://unit42.paloaltonetworks.com/modern-kubernetes-threats/ **Curated:** Analyst-reviewed 2026-04-28 ## Threat profile Unit 42's 20-minute deep-dive on modern Kubernetes attack patterns, drawn from incident-response engagements across 2024-2026. Themes: 1. **Misconfigured kubelet API (TCP/10250)** still the most-prevalent initial-access vector — Internet-exposed kubelets allow `kubectl exec`-equivalent without auth. 2. **Service-account token theft + replay** — pods with overly-permissive `automountServiceAccountToken: true` leak tokens that grant cluster-wide RBAC. 3. **Compromised container images / typosquatted Helm charts** — supply chain on the cluster's pull path. 4. **Cryptojacking-as-canary** — opportunistic miners deploy as the canary in the K8s coal mine; behind every miner is the underlying weakness an APT could escalate. 5. **etcd / control-plane exposure** — direct etcd port (TCP/2379) externally accessible in some deployments; full cluster-state read. The article is also a good mapping reference for **MITRE ATT&CK for Containers** (T1610, T1611, T1612, T1613) which most enterprise SOCs don't have well-tuned detections for. We've kept severity **HIGH** because the IOCs (3 IPs + multiple SHA256 hashes) are vendor-attributed and immediately operational, AND the K8s detection backlog is universally underbuilt. ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2025-55182` - **IPv4:** `104.238.149.198`, `45.76.155.14`, `23.235.188.3` - **SHA256 hashes** (cryptojackers / post-exploit binaries): see `intel/iocs.csv` (filter `sources=Unit 42 (Palo Alto)`). ## MITRE ATT&CK (analyst-validated) - **T1190** — Exploit Public-Facing Application (kubelet, etcd, dashboard) - **T1610** — Deploy Container (post-compromise pod / DaemonSet drop) - **T1611** — Escape to Host (privileged container → node) - **T1612** — Build Image on Host (live-patching containers) - **T1613** — Container and Resource Discovery - **T1078.004** — Valid Accounts: Cloud Accounts (service-account token replay) - **T1552.005** — Credentials in CI/CD Variables / SA tokens - **T1496** — Resource Hijacking (cryptojacking) - **T1071.001** — Application Layer Protocol: Web Protocols - **T1059.004** — Unix Shell ## Recommended SOC actions (priority-ordered) 1. **External-attack-surface scan** for exposed kubelet (TCP/10250, /10255), etcd (TCP/2379, /2380), Kubernetes API (TCP/6443), Dashboard (varies). If anything you own appears on Shodan / Censys, off the Internet by Friday. 2. **Audit `automountServiceAccountToken`** across your cluster — set to `false` by default in the namespace, opt in per-Pod where needed. 3. **Block the 3 Unit 42 IPs at egress** today. 4. **Hash-match the SHA256 list** against your container-runtime telemetry (Sysdig / Falco / Defender for Containers). 5. **Falco / runtime-detection** for `T1611` escape patterns: `mount`/`unshare`/`/proc/*/root` access from inside containers, `nsenter` use, privileged container creation. 6. **Hunt cryptojacker indicators** — XMRig / kdevtmpfsi / kinsing process names; outbound to mining pools (`pool.minexmr.com` family). ## Splunk SPL — kubelet / etcd / K8s API on public IP ```spl | tstats `summariesonly` count from datamodel=Network_Traffic.All_Traffic where (All_Traffic.dest_port IN (10250,10255,2379,2380,6443) OR All_Traffic.src_port IN (10250,10255,2379,2380,6443)) AND (All_Traffic.src_category="dmz" OR All_Traffic.dest_category="external") by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port, All_Traffic.src_category, All_Traffic.dest_category | `drop_dm_object_name(All_Traffic)` | sort - count ``` ## Splunk SPL — outbound to Unit 42 K8s threat IOCs ```spl | tstats `summariesonly` count from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest IN ("104.238.149.198","45.76.155.14","23.235.188.3") by All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port, All_Traffic.src_category | `drop_dm_object_name(All_Traffic)` ``` ## Splunk SPL — cryptojacker process patterns ```spl | tstats `summariesonly` count from datamodel=Endpoint.Processes where Processes.process_name IN ("xmrig","xmrig.exe","kdevtmpfsi","kinsing", "kthreaddi","kthreaddk","cpuminer","minerd") OR Processes.process="*pool.minexmr.com*" OR Processes.process="*xmr-asia.nanopool.org*" OR Processes.process="*--cpu-priority*" OR Processes.process="*stratum+tcp://*" by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` ## Defender KQL — outbound to Unit 42 K8s IOCs ```kql DeviceNetworkEvents | where Timestamp > ago(90d) | where RemoteIP in ("104.238.149.198","45.76.155.14","23.235.188.3") | project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ## Defender KQL — cryptojacker / suspicious miner activity ```kql DeviceProcessEvents | where Timestamp > ago(60d) | where FileName in~ ("xmrig","xmrig.exe","kdevtmpfsi","kinsing","kthreaddi", "kthreaddk","cpuminer","minerd") or ProcessCommandLine has_any ("pool.minexmr.com","xmr-asia.nanopool.org", "stratum+tcp://","--cpu-priority") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ## Defender KQL — privileged-container or escape-pattern indicator ```kql DeviceProcessEvents | where Timestamp > ago(60d) | where InitiatingProcessFileName in~ ("dockerd","containerd","containerd-shim", "kubelet","crio","runc") | where ProcessCommandLine has_any ( "--privileged","mount /dev","unshare","/proc/1/root","/proc/self/root", "nsenter","capsh","cap_sys_admin","setcap") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine | order by Timestamp desc ``` ## Why this matters for your SOC Kubernetes is **the largest under-defended surface** in most enterprise estates because: - Cluster admins live on the platform-engineering team, not the SOC. - Container runtime events are often not in the SIEM. - ATT&CK for Containers (T1610-T1613) is newer; many detection content libraries don't cover it. Unit 42's article is the industry's clearest current public catalogue. Pair it with **Falco** (or Defender for Containers / Sysdig / etc.) for runtime detection, and pair runtime-detection with **CSPM** (Wiz / Prisma Cloud / Defender for Cloud) for posture findings. The combination is what gives you Kubernetes coverage approximating Windows-EDR coverage. Block the 3 IPs and the SHA256 list now. Schedule the K8s detection-engineering work for next quarter. Threat Research Center Threat Research Malware Malware Understanding Current Threats to Kubernetes Environments 20 min read Related Products Advanced DNS Security Advanced Threat Prevention Advanced URL Filtering Advanced WildFire Cloud-Delivered Security Services Cortex Cortex Cloud Cortex Xpanse Next-Generation Firewall Unit 42 Cloud Security Assessment Unit 42 Incident Response By: Eyal Rafian Bill Batchelor Published: April 6, 2026 Categories: Malware Threat Research Tags: Audit … ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2025-55182` - **IPv4 (defanged):** `104.238.149.198` - **IPv4 (defanged):** `45.76.155.14` - **IPv4 (defanged):** `23.235.188.3` - **SHA256:** `05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69` - **SHA256:** `7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0` - **SHA256:** `bb470a803b6d7b12fb596d2e4a18ea9ca91f40fd34ded7f01a487eed9a1d814d` ## MITRE ATT&CK Techniques - **T1071.001** — Web Protocols - **T1071.004** — DNS - **T1071** — Application Layer Protocol - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1190** — Exploit Public-Facing Application - **T1566.002** — Spearphishing Link - **T1204.001** — User Execution: Malicious Link - **T1566.001** — Spearphishing Attachment - **T1204.002** — User Execution: Malicious File - **T1059.001** — PowerShell - **T1059.005** — Visual Basic - **T1218** — System Binary Proxy Execution - **T1021.002** — SMB/Windows Admin Shares - **T1569.002** — Service Execution - **T1528** — Steal Application Access Token - **T1098.001** — Account Manipulation: Additional Cloud Credentials - **T1204.004** — User Execution: Malicious Copy and Paste - **T1027** — Obfuscated Files or Information - **T1486** — Data Encrypted for Impact - **T1003.001** — LSASS Memory - **T1003** — OS Credential Dumping - **T1219** — Remote Access Software - **T1195.002** — Compromise Software Supply Chain ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Beaconing — periodic outbound to small set of destinations `UC_BEACONING` · phase: **c2** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, values(All_Traffic.dest_port) AS ports from datamodel=Network_Traffic.All_Traffic where All_Traffic.action="allowed" AND All_Traffic.dest_category!="internal" by _time span=10s, All_Traffic.src, All_Traffic.dest | `drop_dm_object_name(All_Traffic)` | streamstats current=f last(_time) AS prev_time by src, dest | eval delta = _time - prev_time | stats avg(delta) AS avg_delta stdev(delta) AS sd_delta count by src, dest | where count > 30 AND sd_delta < 5 AND avg_delta>=30 AND avg_delta<=600 | sort - count ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(1d) | where RemoteIPType == "Public" and ActionType == "ConnectionSuccess" | project DeviceName, RemoteIP, RemotePort, Timestamp | sort by DeviceName asc, RemoteIP asc, RemotePort asc, Timestamp asc | extend prev_dev = prev(DeviceName, 1), prev_ip = prev(RemoteIP, 1), prev_port = prev(RemotePort, 1), prev_ts = prev(Timestamp, 1) | where DeviceName == prev_dev and RemoteIP == prev_ip and RemotePort == prev_port | extend delta_sec = datetime_diff('second', Timestamp, prev_ts) | summarize conn_count = count(), avg_delta = avg(delta_sec), stdev_delta = stdev(delta_sec) by DeviceName, RemoteIP, RemotePort | where conn_count > 30 and avg_delta between (30.0 .. 600.0) and stdev_delta < 5.0 | order by conn_count desc ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where FolderPath has_any ("\Google\Chrome\User Data\","\Microsoft\Edge\User Data\","\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### Suspicious URL click in email — phishing landing page `UC_PHISH_LINK` · phase: **delivery** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count from datamodel=Email.All_Email where All_Email.action="delivered" AND All_Email.url!="-" by All_Email.src_user, All_Email.recipient, All_Email.url, All_Email.subject | rex field=All_Email.url "https?://(?[^/]+)" | join type=inner email_domain [| tstats `summariesonly` count from datamodel=Web where Web.action="allowed" by Web.src, Web.dest, Web.url, Web.user | rex field=Web.url "https?://(?[^/]+)"] | stats values(All_Email.subject) as subject, values(Web.url) as clicked_url, earliest(_time) as first_seen, latest(_time) as last_seen by All_Email.recipient, email_domain ``` **Defender KQL:** ```kql let LookbackDays = 7d; let DeliveredEmails = EmailEvents | where Timestamp > ago(LookbackDays) | where DeliveryAction == "Delivered" | project NetworkMessageId, Subject, SenderFromAddress, RecipientEmailAddress, EmailTimestamp = Timestamp; EmailUrlInfo | where Timestamp > ago(LookbackDays) | join kind=inner DeliveredEmails on NetworkMessageId | join kind=inner ( UrlClickEvents | where Timestamp > ago(LookbackDays) | where ActionType == "ClickAllowed" | project Url, ClickTimestamp = Timestamp, AccountUpn, IPAddress ) on Url | project ClickTimestamp, RecipientEmailAddress, SenderFromAddress, Subject, Url, UrlDomain, IPAddress | order by ClickTimestamp desc ``` ### Email attachment opened from external sender `UC_PHISH_ATTACH` · phase: **delivery** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count from datamodel=Email.All_Email where All_Email.file_name!="-" by All_Email.src_user, All_Email.recipient, All_Email.file_name, All_Email.subject | rename All_Email.recipient as user | join type=inner user [| tstats `summariesonly` count from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("OUTLOOK.EXE","winword.exe","excel.exe","powerpnt.exe") AND Processes.process_name IN ("cmd.exe","powershell.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | rename Processes.user as user] ``` **Defender KQL:** ```kql let LookbackDays = 7d; let MalAttachments = EmailAttachmentInfo | where Timestamp > ago(LookbackDays) | project NetworkMessageId, RecipientEmailAddress, AttachmentFileName = FileName, AttachmentSHA256 = SHA256; DeviceProcessEvents | where Timestamp > ago(LookbackDays) | where InitiatingProcessFileName in~ ("OUTLOOK.EXE","winword.exe","excel.exe","powerpnt.exe") | where FileName in~ ("cmd.exe","powershell.exe","wscript.exe","cscript.exe", "mshta.exe","rundll32.exe","regsvr32.exe") | join kind=inner MalAttachments on $left.AccountUpn == $right.RecipientEmailAddress | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, AttachmentFileName, AttachmentSHA256 ``` ### Office app spawning script/LOLBin child process `UC_OFFICE_CHILD` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","mspub.exe","visio.exe") AND Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","wmic.exe","bitsadmin.exe","certutil.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","mspub.exe","visio.exe") | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","wmic.exe","bitsadmin.exe","certutil.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ### Remote service execution — PsExec / SMB lateral movement `UC_LATERAL_PSEXEC` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") OR (Processes.process_name="wmic.exe" AND Processes.process="*/node:*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where FileName in~ ("psexec.exe","psexesvc.exe","paexec.exe","smbexec.py") or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:") | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine ``` ### OAuth consent / suspicious app grant `UC_OAUTH_ABUSE` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication.Authentication where Authentication.action="success" AND Authentication.signature IN ( "Consent to application", "Add app role assignment grant to user", "Add OAuth2PermissionGrant", "Add delegated permission grant") by Authentication.user, Authentication.app, Authentication.src, Authentication.signature | `drop_dm_object_name(Authentication)` ``` **Defender KQL:** ```kql CloudAppEvents | where Timestamp > ago(7d) | where ActionType in ("Consent to application.","Add OAuth2PermissionGrant.","Add delegated permission grant.") | project Timestamp, AccountObjectId, AccountDisplayName, ActivityType, ActivityObjects, IPAddress, UserAgent ``` ### Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) `UC_FAKECAPTCHA` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("explorer.exe","RuntimeBroker.exe") AND Processes.process_name IN ("powershell.exe","pwsh.exe","mshta.exe") AND (Processes.process="*iex*" OR Processes.process="*Invoke-Expression*" OR Processes.process="*FromBase64*" OR Processes.process="*DownloadString*" OR Processes.process="*hxxp*" OR Processes.process="*curl*" OR Processes.process="*wget*") by Processes.dest, Processes.user, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("explorer.exe","RuntimeBroker.exe") | where FileName in~ ("powershell.exe","pwsh.exe","mshta.exe") | where ProcessCommandLine matches regex @"(?i)(iex|invoke-expression|frombase64|downloadstring|hxxp|curl |wget )" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine ``` ### PowerShell encoded / obfuscated command `UC_PS_OBFUSCATED` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("powershell.exe","pwsh.exe") AND (Processes.process="*-enc *" OR Processes.process="*EncodedCommand*" OR Processes.process="*FromBase64String*" OR Processes.process="*-nop*" OR Processes.process="*-w hidden*" OR Processes.process="*Invoke-Expression*" OR Processes.process="*IEX(*" OR Processes.process="*DownloadString*" OR Processes.process="*Net.WebClient*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where FileName in~ ("powershell.exe","pwsh.exe") | where ProcessCommandLine matches regex @"(?i)(-enc|encodedcommand|frombase64string|-nop|-w\s+hidden|invoke-expression|iex\s*\(|downloadstring|net\.webclient)" | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine ``` ### Ransomware-style mass file rename / extension change `UC_RANSOM_ENCRYPT` · phase: **actions** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count, dc(Filesystem.file_name) AS files from datamodel=Endpoint.Filesystem where Filesystem.action IN ("modified","renamed") by Filesystem.dest, Filesystem.user, _time span=1m | `drop_dm_object_name(Filesystem)` | where files > 200 | sort - files ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(1d) | where ActionType in ("FileRenamed","FileModified") | summarize files = dcount(FileName) by DeviceName, AccountName, bin(Timestamp, 1m) | where files > 200 | order by files desc ``` ### LSASS process access / dump (credential theft) `UC_LSASS` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="*lsass*" OR Processes.process="*sekurlsa*" OR Processes.process="*MiniDump*" OR Processes.process="*comsvcs.dll*MiniDump*" OR Processes.process="*procdump*lsass*") OR (Processes.process_name="rundll32.exe" AND Processes.process="*comsvcs*MiniDump*") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceEvents | where Timestamp > ago(7d) | where ActionType == "OpenProcessApiCall" | where FileName =~ "lsass.exe" | where InitiatingProcessFileName !in~ ("MsSense.exe","MsMpEng.exe","csrss.exe", "svchost.exe","wininit.exe","services.exe", "lsm.exe","SearchProtocolHost.exe") | project Timestamp, DeviceName, ActionType, FileName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, AccountName | order by Timestamp desc ``` ### RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard `UC_RMM_TOOLS` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe","kaseya*.exe") by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where FileName in~ ("AnyDesk.exe","TeamViewer.exe","TeamViewer_Service.exe", "ScreenConnect.ClientService.exe","ConnectWiseControl.ClientService.exe", "atera_agent.exe","SplashtopStreamer.exe","RustDesk.exe","NinjaOne.exe") or FileName matches regex @"(?i)kaseya.*\.exe" | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine ``` ### Trusted vendor binary / installer launching unusual children `UC_SUPPLY_CHAIN` · phase: **exploit** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("setup.exe","installer.exe","update.exe") AND Processes.process_name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("setup.exe","installer.exe","update.exe") | where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `104.238.149.198`, `45.76.155.14`, `23.235.188.3` - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2025-55182` - **File hash IOCs — endpoint file/process match** ([template](../_TEMPLATES.md#hash-ioc)) — phase: **install**, confidence: **High** - file hash IOC(s): `05eac3663d47a29da0d32f67e10d161f831138e10958dcd88b9dc97038948f69`, `7d2c9b4a3942f6029d2de7f73723b505b64caa8e1763e4eb1f134360465185d0`, `bb470a803b6d7b12fb596d2e4a18ea9ca91f40fd34ded7f01a487eed9a1d814d` ## Why this matters Severity classified as **CRIT** based on: CVE present, IOCs present, 16 use case(s) fired, 24 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.