[EXP] Multi-Stage Intrusion Chain Edge Exploit to Identity and Cloud Compromise

Report Type CVE Vulnerability Intelligence Report

Threat Category Active Exploitation Vulnerability (EXP)

Assessment Date April 03, 2026

Amendment Date: July 05, 2026

Primary Impact Domain Identity and Cloud Control Plane Compromise

Published by: CyberDax LLC
Author: Edward “Tony” Dolley
Role: Founder / Principal Threat Researcher, CyberDax LLC
Publication Date: April 03, 2026
Amendment Date: July 05, 2026
Publication Type: Cybersecurity Research Report / White Paper


BLUF

 Organizations face critical enterprise risk from intrusion chains that originate from exploitation of internet-facing edge devices and rapidly escalate into identity system takeover and cloud control compromise, enabling complete operational disruption, data exfiltration, and ransomware enablement. These attacks are initiated through vulnerabilities in perimeter appliances such as Fortinet VPNs, Ivanti Connect Secure gateways, and Palo Alto firewalls, allowing attackers to bypass traditional perimeter defenses and directly access trusted network zones. Exploitation is highly mature and operationalized, with threat actors consistently weaponizing vulnerabilities within hours and executing repeatable edge-to-identity-to-cloud compromise playbooks across multiple sectors. Organizations must treat exposed edge infrastructure and identity control planes as immediate enterprise risk priorities and reallocate security focus toward rapid patch enforcement, identity session protection, and privileged access restriction to prevent full-chain compromise.

Executive Risk Translation
A single exploited edge device can allow attackers to assume trusted identities and gain administrative control of cloud environments, resulting in full enterprise compromise before traditional security controls can respond.

S3 Why This Matters Now

·        Active exploitation campaigns targeting Fortinet, Ivanti, and Palo Alto edge vulnerabilities are occurring within hours to days of public disclosure.

·        FortiBleed reporting reinforces this intrusion model by showing how Fortinet edge exposure can shift from appliance compromise into credential harvesting, credential reuse, access resale, and ransomware-affiliate enablement.

·        Public exploit code and automated scanning frameworks are rapidly integrated into attacker operations, increasing exploitation scale and speed.

·        Observed intrusion timelines show full progression from edge access to cloud control in less than 48 hours.

·        Persistent exposure of edge infrastructure combined with delayed patch cycles continues to expand the accessible attack surface.

·        Detection visibility remains fragmented across edge, identity, and cloud layers, delaying recognition of multi-stage compromise.

S4 Key Judgments

·        Edge device exploitation is the dominant and most reliable initial access vector in modern enterprise intrusion campaigns.

·        Identity systems function as the primary control plane for attacker expansion, persistence, and privilege escalation.

·        Cloud environments represent the ultimate objective due to centralized access to data, infrastructure, and administrative control.

·        Attacker success depends on transitioning from network access to identity control without triggering detection.

·        Organizations without integrated identity and cloud security controls remain highly susceptible to full-chain compromise.

S5 Executive Risk Summary

·        Exploitation of edge devices enables unauthorized entry into trusted network zones, bypassing perimeter security controls.

·        Attackers extract credentials and session artifacts, allowing impersonation of legitimate users and bypass of authentication safeguards.

·        Compromised identities are leveraged to escalate privileges and gain administrative access within enterprise environments.

·        Administrative access to cloud control planes enables persistent access, infrastructure manipulation, and large-scale data exfiltration.

S6 Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

·        Low Impact Scenario
Edge exploitation detected and contained prior to identity compromise, resulting in limited investigation scope and minimal operational disruption. Estimated cost: 300,000 to 900,000 USD

·        Moderate Impact Scenario
Identity compromise achieved with partial cloud access, resulting in data exposure, extended response operations, and regulatory notification requirements. Estimated cost: 2 million to 8 million USD

·        High Impact Scenario
Full intrusion chain execution including identity takeover, cloud administrative control, data exfiltration, and ransomware deployment, resulting in enterprise-wide disruption, regulatory penalties, and prolonged recovery. Estimated cost: 12 million to 60 million USD or higher

S6A Key Cost Drivers

·        Speed of detection between edge exploitation and identity compromise

·        Degree of privileged identity access obtained by attackers

·        Extent of cloud control-plane access and persistence mechanisms

·        Volume and sensitivity of accessed or exfiltrated data

·        Duration and complexity of incident response across multiple environments

·        Regulatory exposure and legal obligations

·        Operational downtime and business disruption

S6B Compliance and Risk Context

Compliance Exposure Indicator
Severe exposure for organizations handling regulated data due to unauthorized identity-based access across enterprise and cloud systems.

Risk Register Entry

·        Risk Title: Edge-to-Identity-to-Cloud Intrusion Chain

·        Risk Description: Exploitation of perimeter infrastructure enabling identity compromise and cloud administrative control

·        Likelihood: High

·        Impact: Severe

·        Risk Rating: Critical

Annualized Risk Exposure
Estimated annualized exposure ranges from 5 million to 25 million USD based on high exploitation frequency, rapid attack execution timelines, and significant impact of full-chain compromise events.

S7 Operational Impact Assessment

·        Initial access originating from exploited edge infrastructure is treated as trusted internal activity, allowing attacker operations to inherit legitimate network trust and bypass internal security controls.

·        Authentication integrity is degraded as attackers operate using valid credentials and active session tokens, undermining confidence in identity-based access decisions.

·        Session persistence mechanisms enable continued access even after credential resets, delaying effective containment.

·        Administrative control over cloud environments allows unauthorized creation of privileged roles, persistence artifacts, and modification of critical services.

·        Security monitoring effectiveness is reduced as attacker behavior blends with legitimate identity and cloud activity, complicating detection and investigation.

·        Incident response requires synchronized containment across edge, identity, and cloud layers, significantly increasing operational complexity and recovery timelines.

S8 Bottom Line for Executives

Organizations must immediately eliminate exposed edge vulnerabilities, enforce strict identity session controls, and restrict privileged access to cloud environments to disrupt this attack chain. Security operations must prioritize detection of abnormal identity activity and cross-layer behavior rather than relying on endpoint-centric alerts. Failure to execute these controls allows attackers to progress from initial access to full enterprise control with minimal resistance.

S9 Board-Level Takeaway

This threat represents a governance-level failure condition where inadequate control over edge exposure, identity privilege, and cloud access enables enterprise-wide compromise. The board must ensure that management enforces accountability for vulnerability remediation at the edge, strict identity governance, and controlled cloud privilege boundaries as core risk controls. Failure to enforce these controls constitutes a material breakdown in enterprise risk management with direct financial and regulatory consequences.


S10 Campaign Overview

This campaign represents a multi-stage intrusion pattern in which attackers exploit internet-facing edge devices such as Fortinet SSL VPN, Ivanti Connect Secure, and Palo Alto GlobalProtect systems to gain trusted internal access. These systems act as authentication gateways, allowing attackers to transition from external access into enterprise identity systems without triggering traditional perimeter defenses.

Across observed incidents, attackers have leveraged device-level access to obtain authentication material, including credentials and active session artifacts, which are then used to establish valid identity sessions. This enables rapid pivot from initial access into identity control and subsequent expansion into cloud environments.

 FortiBleed reporting reinforces this campaign model by demonstrating how Fortinet edge exposure can function as a credential-harvesting and access-monetization pathway. In this pattern, compromised FortiGate or Fortinet remote-access infrastructure may expose credentials, session material, or authentication-adjacent data that can be reused by follow-on operators, sold through access-broker channels, or leveraged by ransomware affiliates. The operational risk is not limited to initial appliance compromise; the greater enterprise exposure comes from downstream use of harvested access to authenticate as trusted users, expand into identity systems, and enable extortion-driven objectives

The campaign demonstrates a consistent operational model combining opportunistic exploitation at scale with targeted follow-on activity, including privilege escalation, data access, and ransomware deployment. The defining characteristic is the use of trusted identity pathways to achieve low-noise, high-impact compromise.

S11 Sectors AffectedS11 Sectors Affected

·        Financial Services where centralized identity systems provide access to financial data and transactional platforms

·        Healthcare where remote access infrastructure supports distributed clinical systems and sensitive patient data

·        Technology and SaaS providers where identity systems directly control cloud infrastructure and customer environments

·        Government and Public Sector where large identity ecosystems and legacy edge infrastructure increase exposure

·        Critical Infrastructure where remote access systems are essential for operational continuity

·        Manufacturing where VPN access bridges corporate IT and operational technology environments

S12 Countries Affected

·        United States

·        United Kingdom

·        Canada

·        Germany

·        Australia

·        Japan

These regions are consistently targeted due to high concentrations of enterprise infrastructure, cloud adoption, and reliance on remote access technologies.

S13 Targeting Probability Assessment

Primary Targets
Organizations with exposed or unpatched edge devices that are directly integrated with identity providers and cloud platforms

Secondary Targets
Organizations with weak identity controls, including lack of session monitoring, token protection, or excessive privilege assignment

High-Probability Conditions

·        Delayed patching of internet-facing edge infrastructure

·        Fortinet or FortiGate remote-access exposure where previously harvested credentials, VPN access material, or authentication-adjacent data may remain valid or reusable

·        Direct trust relationships between VPN systems and identity providers

·        Overprivileged cloud IAM roles and broad administrative access

·        Limited monitoring of identity session activity

Attacker ROI Drivers

·        Immediate access without user interaction or phishing

·        Ability to scale exploitation across large numbers of targets

·        Monetization of harvested Fortinet access through credential reuse, access resale, initial-access broker activity, or ransomware-affiliate handoff

·        Direct transition from access to identity control

·        High-value outcomes through cloud and data access

S13A Exploit Conditions Snapshot

·        Internet-facing edge device exposure with active remote access services

·        Vulnerable firmware or software versions with publicly available exploit code

·        Lack of segmentation between edge systems and identity infrastructure

·        Active session handling or credential storage on edge devices

·        Fortinet or FortiGate credential material exposed through prior compromise, packet capture, support bundle exposure, configuration access, or credential-harvesting activity

·        Weak credential rotation or continued trust in Fortinet-derived VPN credentials after suspected or confirmed edge-device exposure

·        Reuse of Fortinet remote-access credentials across identity, administrative, or cloud-connected systems

·        Identity providers configured to trust upstream authentication without additional validation

These conditions enable rapid transition from exploitation to identity-level access.

S14 Initial Access Vector

The primary initial access vector is exploitation of vulnerabilities in internet-facing edge devices, including VPN gateways and firewall systems. These vulnerabilities allow attackers to access device file systems, configuration data, or session management components.

Because these systems function as authentication intermediaries, successful exploitation provides access within trusted network boundaries. This eliminates the need for phishing or endpoint compromise and allows attackers to interact directly with authentication infrastructure.

S15 Adversary Capability Profiling

Skill Level
High, with demonstrated ability to rapidly weaponize vulnerabilities and execute multi-stage intrusion chains

Infrastructure Maturity
Mature, leveraging distributed scanning infrastructure and automated exploitation frameworks

Operational Scalability
High during initial access, enabling exploitation of large numbers of exposed edge devices

Tooling Sophistication
Moderate to high, focused on exploit execution, credential extraction, and use of legitimate administrative interfaces

Escalation Likelihood
High, with consistent progression from initial access to identity compromise and privilege escalation

S16 Adversary Operational Objectives

·        Establish authenticated access within enterprise identity systems

·        Escalate privileges to administrative levels within identity providers

·        Extend access into cloud environments through identity-based authorization

·        Access and exfiltrate sensitive data from enterprise and cloud systems

·        Monetize harvested Fortinet or FortiGate access through credential reuse, access resale, initial-access broker transfer, or ransomware-affiliate handoff

·        Establish persistent access through identity and cloud control mechanisms

·        Execute monetization objectives including ransomware deployment

S17 Exploit Status

Exploitation of edge device vulnerabilities is actively occurring in the wild, with attackers leveraging publicly available exploit code and automated scanning tools. Observed campaigns demonstrate rapid weaponization following vulnerability disclosure, with exploitation timelines measured in hours.

The widespread exposure of vulnerable edge systems and delays in patch deployment contribute to sustained exploitation opportunities. This indicates a high likelihood of continued exploitation across affected environments.

FortiBleed reporting should be treated as a material exploitation-status update within this same edge-device intrusion family. The significance is not limited to new appliance compromise; the operational risk comes from Fortinet or FortiGate access material that may remain usable after exposure, enabling credential reuse, downstream identity access, access resale, and ransomware-affiliate monetization. This reinforces the need to treat exposed or previously compromised Fortinet infrastructure as an active identity-risk condition until credentials, sessions, and trust relationships have been rotated or invalidated.

S17B Defensive Weakness Profile

·        Overreliance on perimeter security controls without sufficient identity-layer monitoring

·        Lack of visibility into session-based authentication activity within identity providers

·        Insufficient segmentation between edge infrastructure and internal identity systems

·        Limited monitoring of cloud control-plane activity and identity-based access

·        Delayed patching of critical edge infrastructure due to operational constraints


These weaknesses enable attackers to transition from initial access to identity control with minimal resistance and limited detection.

S18 Attack Chain Overview

This intrusion chain begins with exploitation of internet-facing edge devices that function as authentication gateways, allowing attackers to gain access within trusted network boundaries. Because these systems originate authenticated sessions, attacker activity inherits internal trust and bypasses traditional perimeter detection.

Following initial access, attackers obtain authentication material from compromised devices and use it to establish valid sessions within identity providers. This enables immediate access to enterprise identity systems without triggering authentication challenges.

Attackers then expand access through enumeration of identity structures and privilege relationships, identifying escalation pathways and high-value targets. Privilege escalation is subsequently achieved through modification of identity roles and permissions, transitioning attacker access to administrative control.

With identity-level administrative access established, attackers extend control into cloud environments through identity-based authorization. This enables direct manipulation of infrastructure, access to sensitive data, and establishment of persistence mechanisms.

The attack concludes with execution of objectives such as data exfiltration, persistence, or ransomware deployment, conducted entirely through legitimate identity and cloud control channels.

S19 MITRE ATT&CK Mapping

Initial Access — T1190 Exploit Public-Facing Application
Exploitation of edge devices provides direct access to trusted network and authentication infrastructure

Credential Access — T1555 Credentials from Password Stores
Access to configuration files and memory exposes stored credentials and authentication data

Credential Access — T1550 Use of Alternate Authentication Material
Session tokens and authentication artifacts are reused to establish authenticated sessions without reauthentication

Persistence — T1078 Valid Accounts
Compromised credentials and session tokens are used to maintain persistent identity-based access

Privilege Escalation — T1098 Account Manipulation
Identity roles and permissions are modified to elevate access and gain administrative control

Discovery — T1087 Account Discovery
Attackers enumerate users, roles, and identity structures within enterprise environments

Discovery — T1069 Permission Groups Discovery
Privilege group relationships and role assignments are analyzed to identify escalation pathways

Lateral Movement — T1021 Remote Services
Authenticated access is used to move across enterprise systems and services

Command and Control — T1071 Application Layer Protocol
Communication occurs through standard protocols, blending with legitimate traffic

Exfiltration — T1041 Exfiltration Over C2 Channel
Data is extracted using authenticated communication channels

Impact — T1486 Data Encrypted for Impact
Administrative access enables ransomware deployment or destructive actions


S20 Attack Stage Breakdown

Stage 1 – Credential Harvesting

Attackers exploit edge devices to access configuration storage, memory, and active session data. This allows extraction of stored credentials and authentication artifacts associated with legitimate users. In many cases, attackers obtain session tokens that represent already authenticated user sessions, eliminating the need for credential-based login attempts.

Stage 2 – Valid Account Authentication

Using harvested credentials and session artifacts, attackers establish authenticated sessions within identity providers. Session reuse allows access without triggering authentication workflows, bypassing multi-factor authentication enforcement tied to login events. Activity appears as legitimate user behavior within identity logs.

Stage 3 – Account and Resource Discovery

Once authenticated, attackers query identity providers and cloud environments to enumerate users, roles, service accounts, and privilege relationships. This stage identifies high-value targets, administrative roles, and escalation pathways across both enterprise identity systems and cloud environments.

Stage 4 – Privilege Escalation and Control Transition

Attackers escalate privileges by modifying identity roles, group memberships, or cloud IAM permissions through administrative interfaces and APIs. This transitions attacker access from standard user context to administrative control over identity systems and cloud resources.

Stage 5 – Persistence and Objective Execution

With administrative control established, attackers maintain persistent access through identity-based mechanisms and execute objectives. This includes accessing or exfiltrating data, creating additional access pathways, modifying infrastructure, or deploying ransomware. All activity occurs through legitimate identity and cloud control channels, reducing detection likelihood.

S20A Adversary Tradecraft Summary

This intrusion model reflects a mature operational approach centered on identity control rather than traditional system exploitation. Attackers prioritize acquisition of authenticated access early in the intrusion chain, recognizing that control of identity systems enables access to both enterprise and cloud environments without additional exploitation.

 

A defining characteristic of this tradecraft is the use of existing authentication material to establish trusted access. By leveraging session-based authentication rather than initiating new login attempts, attackers avoid triggering authentication controls and reduce visibility within security monitoring systems.

 

The operational model supports separation between initial access and objective execution. Opportunistic exploitation identifies vulnerable edge systems and harvests access at scale, while follow-on actors leverage identity control for monetization or strategic objectives. This division increases efficiency, scalability, and resilience across campaigns.

 

FortiBleed reporting strengthens this tradecraft assessment by showing how Fortinet-derived access can support a divided intrusion economy. One operator may obtain or harvest credential material from exposed Fortinet or FortiGate infrastructure, while a separate access broker or ransomware affiliate later uses that material for authenticated entry, internal expansion, data access, or extortion preparation. This separation makes the intrusion chain harder to recognize because the exploitation event, credential reuse, and ransomware activity may occur at different times and may involve different actors.

 

The approach emphasizes low-noise execution, reliance on trusted system behavior, and rapid progression from initial access to full environment control, making detection dependent on correlation across identity, endpoint, and network telemetry.

S21 Indicators of Compromise (IOC Summary)

·        Edge device access involving configuration files, session storage, or authentication components outside normal administrative activity

·        Fortinet or FortiGate administrative, VPN, diagnostic, configuration-export, packet-capture, support-bundle, or backup activity occurring outside approved maintenance windows or involving unusual source infrastructure.

·        Fortinet-derived credential or VPN activity followed by first-seen identity-provider access, new source IP authentication, unusual geographic access, unmanaged-device access, or administrative activity inconsistent with the user’s historical access pattern.

·        Presence of unauthorized files or scripts on edge infrastructure indicative of persistent access mechanisms

·        Identity session activity exhibiting inconsistencies in origin, continuity, or authentication lineage relative to expected user behavior

·        Identity activity originating from infrastructure-associated IP ranges, including VPN gateways or edge systems, rather than user endpoints

·        Privilege modification events within identity or cloud environments occurring outside established administrative workflows

·        Cloud control-plane activity occurring in temporal proximity to identity session irregularities or privilege escalation

·        Ransomware staging, data-access activity, file-encryption preparation, backup interference, or security-control modification occurring after Fortinet-origin VPN access, Fortinet-derived credential reuse, or first-seen identity activity associated with Fortinet exposure.

S22 Malware and Tooling

·        Exploitation of internet-facing edge infrastructure including Fortinet, Ivanti, and Palo Alto systems to obtain configuration and session artifacts

·        Use of Fortinet or FortiGate administrative functions, VPN services, diagnostic interfaces, packet-capture capabilities, configuration exports, support bundles, or backup artifacts to expose credential-bearing data or authentication-adjacent material.

·        Reuse of Fortinet-derived credentials, VPN access material, or authentication artifacts by follow-on operators, access brokers, or ransomware affiliates to establish valid-looking access without requiring new exploitation of the edge device.

·        Use of web shells or equivalent mechanisms on edge appliances to maintain access and enable command execution

·        Extraction of credential and session-related data from device storage and configuration components

·        Reuse of authentication material through session inheritance, replay, or token reuse techniques

·        Use of identity provider administrative interfaces and APIs to modify roles, permissions, and access control structures

·        Use of cloud control-plane APIs to establish persistence, escalate privileges, and manipulate infrastructure

·        Reliance on legitimate system functionality and trusted interfaces rather than traditional malware deployment

·        Use of legitimate VPN authentication, administrative tooling, remote-access pathways, data-staging utilities, backup-disruption activity, or encryption preparation after Fortinet-origin access has been converted into downstream identity or ransomware operations.

S23 Behavior and Log Artifacts

Purpose

To define stage-aligned attacker behaviors that represent observable activity and serve as candidate inputs for detection engineering validation.

Stage 1 – Credential Harvesting

·        Access to edge device configuration and session storage components

·        Interaction with credential-bearing system locations

·        FortiGate administrative, diagnostic, packet-capture, support-bundle, configuration-export, or backup access involving credential-bearing or authentication-adjacent data

·        Fortinet VPN, session, configuration, or traffic-capture artifacts accessed outside approved maintenance or forensic workflows

·        Presence or execution of unauthorized files or scripts on edge systems

Stage 2 – Valid Account Authentication

·        Session establishment inconsistent with expected authentication flow

·        Identity activity lacking clear authentication lineage

·        First-seen identity-provider authentication following known or suspected Fortinet exposure

·        Successful authentication from Fortinet VPN ranges, Fortinet-derived source context, or source infrastructure inconsistent with the user’s normal access history

·        Session behavior inconsistent with established user access patterns

Stage 3 – Account and Resource Discovery

·        Enumeration of identity objects, roles, permissions, and service principals

·        Repeated access to directory or IAM metadata

·        Unusual query patterns within identity and cloud environments

Stage 4 – Privilege Escalation and Control Transition

·        Modification of roles, group memberships, or IAM policies

·        Elevation of privileges beyond normal identity usage patterns

·        Administrative actions originating from previously non-privileged identities

Stage 5 – Persistence and Objective Execution

·        Creation of new identities, credentials, or long-lived access mechanisms

·        Data access inconsistent with identity baseline behavior

·        Ransomware staging, file-access expansion, backup interference, or encryption preparation following Fortinet-origin VPN access or Fortinet-derived credential reuse

·        Data-access or extortion-preparation behavior occurring after access-broker-style handoff from Fortinet-exposed credentials or VPN material

·        Infrastructure modification or impact-aligned activity


S24 Detection Strategy

Purpose

To define the detection approach and prioritization model that will be implemented and validated through S25 detection engineering.

Detection Philosophy

·        Focus on identity-centric intrusion behavior and post-authentication misuse rather than initial access signatures

·        Prioritize session-based anomalies and identity activity patterns over login failure detection

·        Detect multi-stage progression through correlation across edge, identity, and cloud activity

Stage-Aligned Detection Model

·        Stage 1: Monitor interaction with edge systems and credential-bearing components

·        Stage 2: Identify session anomalies and inconsistencies in authentication lineage

·        Stage 3: Detect identity and IAM enumeration behavior

·        Stage 4: Detect privilege escalation and access control modification

·        Stage 5: Detect persistence mechanisms and impact-related activity

Detection Priorities

·        Identity session irregularities and inconsistencies

·        Fortinet-origin VPN, administrative, diagnostic, packet-capture, configuration-export, support-bundle, and credential-reuse activity that precedes first-seen identity access, privilege escalation, data staging, or ransomware preparation

·        Privilege escalation events within identity providers and cloud environments

·        Privilege escalation events within identity providers and cloud environments

·        Cloud administrative activity following identity anomalies

·        Edge system interaction patterns associated with credential access

Detection Constraints

·        Limited visibility into edge appliance internals depending on platform and logging configuration

·        Fortinet-derived credential exposure may be difficult to prove directly when packet capture, support-bundle access, configuration export, or credential harvesting occurs inside appliance-level workflows or before centralized telemetry collection begins

·        Incomplete session lineage visibility within identity providers

·        Encrypted traffic limiting inspection of network-level activity

·        High baseline of legitimate administrative behavior introducing potential detection noise

S25 Ultra-Tuned Detection Engineering Rules

FortiBleed Tuning Addendum

FortiBleed-specific coverage should be implemented as tuning and localization of the existing edge-to-identity-to-cloud detection model, not as a separate rule family. Detection teams should localize edge-appliance scope to include Fortinet and FortiGate VPN, firewall, management, diagnostic, configuration-export, support-bundle, backup, and packet-capture activity where telemetry is available.

Existing Stage 1 rules should be tuned to include Fortinet-derived configuration, session, credential, support-bundle, backup, and packet-capture artifacts. Existing Stage 2 rules should correlate Fortinet VPN or FortiGate-origin access with first-seen identity-provider authentication, new source IP activity, unmanaged-device access, unusual geography, missing authentication lineage, or user behavior inconsistent with historical remote-access patterns.

Existing Stage 4 and Stage 5 rules should prioritize privilege changes, durable access creation, cloud administrative activity, data staging, backup interference, security-control modification, and ransomware-preparation activity that occurs after Fortinet-origin VPN access or suspected Fortinet-derived credential reuse. Analysts should treat Fortinet-derived credential reuse as an identity-risk condition even when direct appliance-level credential theft is not visible.

A key limitation is that FortiBleed-style credential harvesting may occur inside appliance-level workflows, including packet capture, diagnostic access, support-bundle handling, configuration export, or memory/session exposure, before centralized telemetry records the theft itself. For this reason, S25 detections should prioritize correlation between Fortinet exposure, credential reuse, identity anomalies, and downstream ransomware or cloud-control activity rather than relying on direct proof of appliance-internal sniffing.

Suricata

Engineering Position

These Suricata rules are intentionally limited to realistic network-layer observables. They provide supporting detection signals, not authoritative confirmation of credential theft, valid-account misuse, privilege escalation, or persistence. Incident-level conclusions require correlation with identity, endpoint, and cloud-audit telemetry.

Rule Name
Edge Appliance Sensitive Path Access Burst

Mapped Stage
Stage 1 Credential Harvesting

MITRE ATT&CK
T1190 – Exploit Public-Facing Application
T1555 – Credentials from Password Stores
T1550 – Use of Alternate Authentication Material

Purpose
Detect repeated access to high-risk administrative, export, configuration, and session-related web paths on internet-facing edge appliances consistent with post-access retrieval behavior.

What this rule detects
Repeated HTTP GET requests to sensitive edge appliance paths associated with administrative access, export functions, diagnostics, or session/configuration retrieval.

What this rule does not prove
Does not confirm credential theft, token theft, or successful session compromise.

Tuning Explanation
Restrict to known edge appliance IP ranges only.
Use only where HTTP URI visibility or TLS decryption is available.
Suppress approved vulnerability scanners, monitoring systems, backup collectors, and administrative bastions.
This path set is a generic baseline and should be replaced with product-specific paths where possible.
Treat as a collection-behavior signal, not exploit confirmation.

Suricata Rule

alert http $EXTERNAL_NET any -> $EDGE_APPLIANCES $HTTP_PORTS (
    msg:"CYBERDAX EXP edge appliance sensitive path access burst";
    flow:to_server,established;
    http.method; content:"GET"; nocase;
    http.uri;
    pcre:"/^\/(?:admin|api|diag|debug|export|backup|session|config)(?:\/|\?|$)/Ui";
    dsize:>50;
    threshold:type both, track by_src, count 4, seconds 180;
    classtype:attempted-admin;
    metadata:service http, deployment Perimeter, attack_target edge-appliance, confidence Medium;
    sid:410001;
    rev:5;
)

Administrator Localization Instructions
Replace $EDGE_APPLIANCES with actual appliance ranges.
Replace URI patterns with vendor-specific paths where possible.
Clone POST variant only if required by the appliance.
Add suppressions for approved sources.
Disable if URI visibility is unavailable.

Logical Notes
Single-rule meaning: sensitive-path access anomaly.
Correlated meaning: possible credential or session artifact retrieval.

Rule Regret Check
Deployment caution
Requires URI visibility.

Confidence caution
May generate noise in managed environments.

Coverage value
Strong early-stage signal.

Rule Execution Validity
Correlation-ready detection. Not sufficient alone to confirm credential harvesting.

Rule Name
Identity Provider TLS Access from Non-User Infrastructure

Mapped Stage
Stage 2 Valid Account Authentication

MITRE ATT&CK
T1078 – Valid Accounts
T1550 – Use of Alternate Authentication Material

Purpose
Detect TLS access to identity-provider endpoints from infrastructure or edge network segments where user-authentication traffic is not expected.

What this rule detects
TLS sessions from non-user infrastructure to a specific identity-provider hostname.

What this rule does not prove
Does not confirm successful authentication or account compromise.

Tuning Explanation
Restrict to non-user infrastructure ranges.
Use exact IdP hostnames only.
Clone per IdP.
Suppress federation and proxy infrastructure.
Treat as contextual identity anomaly.

Suricata Rule

alert tls $INFRASTRUCTURE_NET any -> $EXTERNAL_NET 443 (
    msg:"CYBERDAX EXP identity-provider TLS access from non-user infrastructure";
    flow:to_server,established;
    tls.sni;
    content:"login.microsoftonline.com"; nocase; endswith;
    threshold:type both, track by_src, count 3, seconds 300;
    classtype:policy-violation;
    metadata:service tls, deployment Egress, attack_target identity-provider, confidence Medium;
    sid:410002;
    rev:5;
)

Administrator Localization Instructions
Replace hostname with tenant IdP domains.
Scope infrastructure ranges correctly.
Suppress legitimate identity infrastructure.
Avoid generic matching.

Logical Notes
Single-rule meaning: unexpected IdP access origin.
Correlated meaning: possible session misuse.

Rule Regret Check
Deployment caution
SNI visibility may be reduced or eliminated in some environments.

Confidence caution
Middleware may generate similar traffic.

Coverage value
Strong supporting signal.

Rule Execution Validity
Correlation-ready detection. Requires identity telemetry for confirmation.

Rule Name
Cloud Control Plane TLS Access from Non-Admin Host

Mapped Stage
Late-Chain Activity (Privilege Escalation or Persistence — cannot be distinguished at network layer)

MITRE ATT&CK

T1098 – Account Manipulation
T1078 – Valid Accounts

Purpose

Detect TLS access to cloud control-plane endpoints from hosts that are not approved administrative systems.

What this rule detects

TLS connections to cloud management endpoints from atypical host classes.

What this rule does not prove

Does not confirm escalation, persistence, or objective execution.

Tuning Explanation

Restrict to non-admin hosts.
Use exact control-plane endpoints only.
Suppress automation and admin systems.
Azure is the only concretely implemented provider in this rule set.

Suricata Rule

alert tls $NON_ADMIN_HOSTS any -> $EXTERNAL_NET 443 (
    msg:"CYBERDAX EXP cloud control-plane TLS access from non-admin host";
    flow:to_server,established;
    tls.sni;
    content:"management.azure.com"; nocase; endswith;
    threshold:type both, track by_src, count 5, seconds 600;
    classtype:policy-violation;
    metadata:service tls, deployment Egress, attack_target cloud-control-plane, confidence Medium;
    sid:410003;
    rev:5;
)

Administrator Localization Instructions

Replace host scope appropriately.
Clone per provider as needed.
Exclude admin and automation systems.

Logical Notes

Single-rule meaning: control-plane access from wrong host.
Correlated meaning: late-stage attack activity.

Rule Regret Check

Deployment caution
Depends on host-role accuracy and SNI visibility.

Confidence caution
Automation traffic may resemble malicious activity.

Coverage value
Strong late-chain signal.

Rule Execution Validity

Correlation-ready detection. Requires identity and cloud telemetry.

Engineering Note

Rule effectiveness depends on:

·        HTTP visibility or TLS decryption (Rule 1)

·        SNI visibility (Rules 2 and 3)

·        Accurate asset scoping and suppression

These rules must be correlated with identity, endpoint, and cloud telemetry for full detection confidence.

SentinelOne

Engineering Position

These detections represent host-observable behavioral signals only. They do not independently confirm identity compromise, privilege escalation, or persistence. The modeled intrusion chain is identity-centric and requires correlation across endpoint, identity-provider, and cloud telemetry for confirmation.


These rules are deployment templates requiring enforcement controls. They are not safe for unrestricted standalone deployment.

Event Taxonomy Requirement

SentinelOne event schemas vary by tenant.

Before deployment, the following must be mapped:

·        process events (for example: Process Creation, Process)

·        network events (for example: Network Connection)

·        file events (for example: File Read, File Creation)

Failure to map event taxonomy invalidates rule execution.

Rule Name
Sensitive Configuration or Session Artifact Access on Edge-Adjacent Systems

Mapped Stage

Stage 1 Credential Harvesting

MITRE ATT&CK

T1555 – Credentials from Password Stores
T1550 – Use of Alternate Authentication Material

SOC Usage Mode

Alert-capable supporting detection

Minimum Deployment Requirement

Deployment restricted to systems that store edge configuration exports, support bundles, or backup artifacts.

Enforcement Method

Enforced through deployment scoping only to approved host groups.

Implementation Constraint Notes

Deployment outside scoped edge-adjacent systems is not permitted.
Broad Linux deployment is not permitted.

SentinelOne Deep Visibility Query

EventType IN ("File Creation","File Modification","File Rename","File Read")
AND AgentOs = "linux"
AND FilePath RegExp "(?i)(session|token|config|backup|export)"
AND ProcessName IN ("bash","sh","python","python3","tar","cp","scp","curl","wget","grep","cat")
AND NOT ProcessName IN ("rsync")
AND NOT CommandLine RegExp "(?i)(ansible|puppet|chef|salt|backup|monitor|compliance)"

Logical Notes

Single-rule meaning: sensitive file-access behavior
Correlated meaning: potential credential or session artifact harvesting

Rule 2

Rule Name

Outbound Identity-Provider Access from Non-User Host

Mapped Stage

Stage 2 Valid Account Authentication

MITRE ATT&CK

T1078 – Valid Accounts
T1550 – Use of Alternate Authentication Material

SOC Usage Mode

Correlation-only
Minimum Deployment Requirement

Requires:

·        host-role classification

·        destination enrichment OR baseline deviation detection

Enforcement Method

Must be enforced through:

·        deployment only on non-user host groups

·        correlation with identity telemetry

·        enrichment identifying identity-provider infrastructure

Implementation Constraint Notes

Standalone alerting is not permitted.
Deployment without host-role scoping is not permitted.
Deployment without enrichment or correlation is not permitted.

SentinelOne Deep Visibility Query

EventType = "Network Connection"
AND DstPort = "443"
AND ProcessName IN ("chrome","msedge","firefox","curl","wget","powershell","pwsh","python","python3")
AND NOT ProcessName IN ("java","node","kubelet")
AND NOT CommandLine RegExp "(?i)(identity-sync|federation|sso|proxy)"

Logical Notes

Single-rule meaning: authentication-capable outbound traffic
Correlated meaning: potential session misuse

Rule Name
Cloud and Identity Enumeration Command Activity

Mapped Stage

Stage 3 Discovery

MITRE ATT&CK

T1087 – Account Discovery
T1069 – Permission Groups Discovery

SOC Usage Mode

Correlation or hunt only

Minimum Deployment Requirement

Requires:

·        multi-execution correlation

·        OR time-based burst logic external to SentinelOne

Enforcement Method

Enforced through:

·        SIEM/XDR correlation logic

·        OR hunt-only operational use

Implementation Constraint Notes

Standalone alerting is not permitted.
Single execution must not trigger paging.
Deployment without correlation capability is not permitted.

SentinelOne Deep Visibility Query

EventType = "Process Creation"
AND (
  CommandLine RegExp "(?i)\baz ad user list\b"
  OR CommandLine RegExp "(?i)\baws iam list-"
  OR CommandLine RegExp "(?i)\bgcloud projects get-iam-policy\b"
)
AND NOT CommandLine RegExp "(?i)(terraform|ansible|ci-runner|approved-admin)"

Logical Notes

Single-rule meaning: enumeration command execution
Correlated meaning: privilege discovery

Rule Name

Privilege Modification Command Execution from Non-Standard Host

Mapped Stage

Stage 4 Privilege Escalation

MITRE ATT&CK

T1098 – Account Manipulation

SOC Usage Mode

Enforced through:

·        suppression lists

·        host-role scoping

·        workflow exclusion

Implementation Constraint Notes

Deployment without suppression maturity is not permitted.
Deployment on approved admin systems is not permitted.

SentinelOne Deep Visibility Query

EventType = "Process Creation"
AND CommandLine RegExp "(?i)(\baz role assignment create\b|\baws iam attach-role-policy\b|\bgcloud projects add-iam-policy-binding\b)"
AND NOT CommandLine RegExp "(?i)(terraform|ci-runner|approved-admin|change-window)"

Logical Notes

Single-rule meaning: privilege-changing command execution
Correlated meaning: escalation confirmed via audit logs

Rule Name

Persistence or High-Risk Cloud Operation Tool Execution

Mapped Stage

Stage 5 Persistence / Objective Execution

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Correlation-first

Minimum Deployment Requirement

Requires:

·        host-role scoping

·        exclusion of backup, migration, provisioning systems

Enforcement Method

Enforced through:

·        deployment only on atypical hosts

·        correlation with prior-stage activity

·        optional rule splitting

Implementation Constraint Notes

Standalone alerting is not permitted until validated.
If noise persists, rule must be split into:

·        persistence creation

·        data operation

Weakening detection logic is not permitted.

SentinelOne Deep Visibility Query

EventType = "Process Creation"
AND (
  CommandLine RegExp "(?i)(\bcreate-access-key\b|\bclient secret\b|\bservice-principal create\b)"
  OR CommandLine RegExp "(?i)(\baws s3 cp\b|\bgsutil cp\b)"
)
AND NOT CommandLine RegExp "(?i)(backup|migration|provisioning|approved-admin|ci-runner)"

Logical Notes

Single-rule meaning: high-risk cloud tooling execution
Correlated meaning: persistence or objective execution

Splunk

Engineering Position

Splunk is the authoritative detection layer for identity and cloud control-plane activity. These rules detect confirmed authentication, privilege modification, persistence creation, and high-risk operational behavior when proper logging and normalization are present.

Detection quality depends on:

·        normalized fields

·        complete cloud audit log ingestion

·        suppression maturity for approved workflows

Event Normalization Requirement

User Identity
user, userPrincipalName, identity, principal

Source IP
src_ip, client_ip, ipAddress

Action
action, operationName, eventName

Failure to normalize invalidates detection consistency.

Rule Name

Sensitive Configuration or Session Artifact Access via File or Storage Logs

Mapped Stage

Stage 1 Credential Harvesting

MITRE ATT&CK

T1555 – Credentials from Password Stores

SOC Usage Mode

Correlation-only (low confidence standalone)

Minimum Deployment Requirement

Requires reliable file-access or storage-access logging.

Enforcement Method

Enforced through correlation with:

·        endpoint telemetry

·        edge access activity

Implementation Constraint Notes

Standalone alerting is not permitted.
Deployment without verified file or storage telemetry is not permitted.

Splunk Query

index=* (file_access OR storage_access)
| eval file_path=coalesce(file_path, object, uri)
| search file_path="*config*" OR file_path="*session*" OR file_path="*token*" OR file_path="*backup*"
| bin time span=10m
| stats count by user, src
ip, file_path, _time
| where count > 3

Variant Analysis

Covered:

·        config, session, token, backup artifacts

Not Covered:

·        endpoint-local access without logging

·        encrypted storage access without visibility

Rule Name

Successful Authentication from Atypical Source or First-Seen IP

Mapped Stage

Stage 2 Valid Account Authentication

MITRE ATT&CK

T1078 – Valid Accounts

SOC Usage Mode

Alert-capable supporting detection

Minimum Deployment Requirement

Requires:

·        historical authentication data (baseline)

·        source IP tracking

Enforcement Method

Enforced through:

·        first-seen source detection OR

·        deviation from historical user baseline

Implementation Constraint Notes

Standalone alerting without baseline comparison is not permitted.

Splunk Query

index=auth_logs
| eval user=coalesce(user, userPrincipalName, identity, principal)
| eval src_ip=coalesce(src_ip, client_ip, ipAddress)
| search result="success"
| stats earliest(_time) as first_seen by user, src_ip
| where first_seen > relative_time(now(), "-1d")

Variant Analysis

Covered:

·        new source IP authentication events

Not Covered:

·        token reuse without new login

·        federated authentication without source visibility

Rule Name

Identity and IAM Enumeration Burst

Mapped Stage

Stage 3 Discovery

MITRE ATT&CK

T1087 – Account Discovery
T1069 – Permission Groups Discovery

SOC Usage Mode

Alert-capable with enforced burst logic

Minimum Deployment Requirement

Requires:

·        cloud audit logs

·        normalized action field

Enforcement Method

Enforced through:

·        time-bound burst window

·        user-level aggregation

Implementation Constraint Notes

Single-event alerting is not permitted.
Burst window enforcement is mandatory.

Splunk Query

index=cloud_logs
| eval user=coalesce(user, userPrincipalName, identity, principal)
| eval action=coalesce(action, operationName, eventName)
| search action IN ("ListUsers","ListRoles","GetRole","ListGroups","DescribeInstances")
| bin time span=5m
| stats count, dc(action) as distinct
actions by user, time
| where count > 5 OR distinct
actions > 3

Variant Analysis

Covered:

·        multi-action enumeration bursts

Not Covered:

·        low-and-slow enumeration

·        provider-specific APIs not listed

Rule Name

Privilege Boundary Change or Role Assignment Modification

Mapped Stage

Stage 4 Privilege Escalation

MITRE ATT&CK

T1098 – Account Manipulation

SOC Usage Mode

Alert-capable primary detection

Minimum Deployment Requirement

Requires:

·        cloud audit logs with administrative actions

·        suppression of approved admin workflows

Enforcement Method

Enforced through:

·        direct detection of privilege-changing actions only

Implementation Constraint Notes

Credential creation and data operations are not permitted in this rule.

Splunk Query

index=cloud_logs
| eval user=coalesce(user, userPrincipalName, identity, principal)
| eval action=coalesce(action, operationName, eventName)
| search action IN ("AddRoleAssignment","AttachRolePolicy","PutRolePolicy","AddMemberToPrivilegedGroup","GrantAdminRole")
| stats count by user, action

Variant Analysis

Covered:

·        direct role and policy modification actions

Not Covered:

·        indirect escalation paths

·        inherited privilege escalation

Rule Name

Durable Access Artifact Creation

Mapped Stage

Stage 5 Persistence

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Alert-capable high-confidence detection

Minimum Deployment Requirement

Requires cloud audit logs capturing identity-object creation.

Enforcement Method

Enforced through:

·        direct detection of credential and identity artifact creation

Implementation Constraint Notes

Privilege modification is not permitted in this rule.

Splunk Query

index=cloud_logs
| eval user=coalesce(user, userPrincipalName, identity, principal)
| eval action=coalesce(action, operationName, eventName)
| search action IN ("CreateAccessKey","CreateServicePrincipal","AddClientSecret","CreateApplicationCredential","GrantOAuthConsent")
| stats count by user, action

Variant Analysis

Covered:

·        credential and identity artifact creation

Not Covered:

·        delegated token creation not logged

·        temporary token abuse

Rule Name

High-Risk Cloud Data or Control-Plane Action

Mapped Stage

Stage 5 Objective Execution

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Correlation-first (alert after tuning maturity)

Minimum Deployment Requirement

Requires:

·        cloud audit logs

·        suppression of normal data workflows

Enforcement Method

Enforced through:

·        correlation with prior-stage activity

·        or tuned action-family filtering

Implementation Constraint Notes

If noise is high, must split by:

·        data actions

·        control-plane actions

Splunk Query

index=cloud_logs
| eval user=coalesce(user, userPrincipalName, identity, principal)
| eval action=coalesce(action, operationName, eventName)
| search action IN ("PutObject","UploadObject","CreateSnapshot","ModifyLogging","DisableSecurityControl")
| stats count by user, action

Variant Analysis

Covered:

·        storage, snapshot, and control-plane actions

Not Covered:

·        encrypted or delegated operations

·        provider-specific APIs not included

Elastic

Engineering Position

Elastic functions as the identity, cloud, and correlation enforcement layer. It is authoritative for:

·        Successful authentication validation

·        Privilege boundary changes

·        Persistence artifact creation

·        Multi-stage attack correlation

Elastic is not authoritative for edge appliance internals, and detection must account for:

·        incomplete session lineage

·        encrypted traffic limitations

·        legitimate administrative noise

Detection is therefore identity-centric and correlation-driven, not single-signal dependent.

Data Normalization Requirement (Mandatory)

User Identity

user.name, user.email, user.id

Source Context

source.ip, source.geo.country_name

Action

event.action, event.type, cloud.audit.method_name

Outcome

event.outcome

Constraint

Deployment without validated normalization is not permitted

Rule Name

Edge-Adjacent Sensitive Artifact Access or Suspicious Tooling

Mapped Stage

Stage 1 Credential Harvesting

MITRE ATT&CK

T1555 – Credentials from Password Stores
T1550 – Use of Alternate Authentication Material

Rule Type
Custom query

SOC Usage Mode

Correlation-only

Minimum Deployment Requirement

·        Edge-adjacent host scoping

·        File and process telemetry availability

Enforcement Method

Enforced through strict host scoping only

Implementation Constraint Notes

·        Standalone alerting is not permitted

·        Provides partial Stage 1 coverage only

·        Broad enterprise deployment is not permitted

Elastic Query

host.os.type:linux and
(
  (event.category:file and file.path:(*session* or token or config or backup or export))
  or
  (event.category:process and process.command_line:(*session* or token or config or backup or tmp))
)
and not process.command_line:(*ansible* or puppet or chef or backup)

Administrator Localization Instructions

·        Replace generic paths with real export and backup locations

·        Restrict to systems handling edge-derived artifacts

·        Add suppression for approved automation

Variant Analysis

Covered

·        Artifact access patterns

·        Basic suspicious tooling

Not Covered

·        Appliance-internal access

·        Memory-only harvesting

·        Vendor-specific paths

Rule Name

Successful Authentication Deviating from Historical Baseline

Mapped Stage

Stage 2 Valid Account Authentication

MITRE ATT&CK

T1078 – Valid Accounts
T1550 – Use of Alternate Authentication Material

Rule Type

ES|QL

SOC Usage Mode

Alert-capable supporting detection

Minimum Deployment Requirement

·        Minimum 14-day historical baseline

·        Normalized identity and source fields

Enforcement Method

Baseline comparison (historical vs recent activity)

Implementation Constraint Notes

·        Deployment without baseline data is not permitted

·        Failed logins must not be included

Elastic Query

FROM auth-*
| WHERE event.outcome == "success"
| EVAL actor = COALESCE(user.name, user.email, user.id)
| EVAL src = COALESCE(source.ip, related.ip)
| WHERE actor IS NOT NULL AND src IS NOT NULL
| EVAL recent = CASE(@timestamp >= NOW() - 1 day, 1, 0)
| STATS
    recent_count = SUM(recent),
    historical_count = COUNT() - SUM(recent)
  BY actor, src
| WHERE recent_count > 0 AND historical_count == 0

Administrator Localization Instructions

·        Adjust baseline window if required

·        Integrate with device trust or MFA context if available

Variant Analysis

Covered

·        First-seen source authentication

Not Covered

·        Token reuse

·        Federated auth without source attribution

Rule Name

Identity and IAM Enumeration Burst

Mapped Stage

Stage 3 Discovery

MITRE ATT&CK

T1087 – Account Discovery
T1069 – Permission Groups Discovery

Rule Type

Threshold rule

SOC Usage Mode

Alert-capable (burst enforced)

Minimum Deployment Requirement

·        Normalized cloud audit logs

·        Exception lists for admin tooling

Enforcement Method

Time-bound threshold enforcement

Implementation Constraint Notes

·        Single-event alerting is not permitted

·        Exception tuning is mandatory

Elastic Query

event.action:(
  "ListUsers" or
  "ListRoles" or
  "GetRole" or
  "ListGroups" or
  "ListServicePrincipals" or
  "GetIamPolicy" or
  "ListRoleAssignments" or
  "ListApplications"
)

Threshold Configuration

Group by: user.name
Count: ≥ 6
Window: 5 minutes

Administrator Localization Instructions

·        Replace with tenant-specific verbs

·        Add suppression for governance tools

Variant Analysis

Covered

·        Burst enumeration patterns

Not Covered

·        Low-and-slow enumeration

·        Unmapped provider actions

Rule Name

Privilege Boundary Change or Access-Control Modification

Mapped Stage

Stage 4 Privilege Escalation

MITRE ATT&CK

T1098 – Account Manipulation

Rule Type

Custom query

SOC Usage Mode

Alert-capable primary detection

Minimum Deployment Requirement

·        Cloud audit logs

·        Admin suppression rules

Enforcement Method

Direct privilege-change action matching

Implementation Constraint Notes

·        Credential creation not permitted here

·        Action set must be tenant-validated

Elastic Query

event.action:(
  "AddRoleAssignment" or
  "AttachRolePolicy" or
  "PutRolePolicy" or
  "AddMemberToPrivilegedGroup" or
  "GrantAdminRole" or
  "SetIamPolicy"
)

Administrator Localization Instructions

·        Map provider-specific privilege actions

·        Suppress approved workflows

Variant Analysis

Covered

·        Direct privilege escalation actions

Not Covered

·        Indirect escalation

·        Unlogged permission inheritance

Rule Name

Durable Access Artifact Creation

Mapped Stage

Stage 5 Persistence

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

Rule Type

Custom query

SOC Usage Mode

Alert-capable high-confidence detection

Minimum Deployment Requirement

·        Credential creation logs

Enforcement Method

Direct artifact creation detection

Implementation Constraint Notes

·        Privilege modification not permitted here

·        Action set must be tenant-validated

Elastic Query

event.action:(
  "CreateAccessKey" or
  "CreateServicePrincipal" or
  "AddClientSecret" or
  "CreateApplicationCredential" or
  "AddPasswordCredential" or
  "AddKeyCredential"
)

Administrator Localization Instructions

·        Map provider-specific credential verbs

·        Keep suppression minimal and controlled

Variant Analysis

Covered

·        Durable credential creation

Not Covered

·        Temporary tokens

·        Delegated access

Rule Name

High-Risk Cloud Action Following Privilege Transition

Mapped Stage

Stage 5 Objective Execution

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

Rule Type

EQL

SOC Usage Mode

Correlation-first

Minimum Deployment Requirement

·        Normalized logs

·        Consistent user attribution

Enforcement Method

Sequence-based correlation

Implementation Constraint Notes

·        Standalone alerting is not permitted

·        Split rule if data noise is high

Elastic Query

sequence by user.name with maxspan=30m
  [ any where event.action in (
      "AddRoleAssignment",
      "AttachRolePolicy",
      "PutRolePolicy",
      "GrantAdminRole",
      "SetIamPolicy"
    ) ]
  [ any where event.action in (
      "PutObject",
      "UploadObject",
      "CreateSnapshot",
      "ModifyLogging",
      "DisableSecurityControl",
      "DeleteTrail"
    ) ]

Administrator Localization Instructions

·        Replace action sets with tenant-specific mappings

·        Split into separate rules if needed

Variant Analysis

Covered

·        Privilege transition followed by high-risk action

Not Covered

·        Slow execution outside correlation window

·        Unattributed delegated actions

QRadar

Engineering Position

QRadar is the stateful offense and correlation layer for this chain. Event rules in CRE are the primary detection mechanism, building blocks provide reusable scope and action families, and reference sets hold watchlist/baseline state used by rules.

Mandatory Pre-Deployment Controls

Before enabling any rule below:

1. Validate building blocks

·        BB:HostDefinition:Edge_Adjacent_Systems

·        BB:HostDefinition:Non_User_Infrastructure

·        BB:HostDefinition:Non_Admin_Hosts

·        BB:LogSource:Identity_Provider

·        BB:Exclude:Approved_Admin_and_Automation

·        BB:ActionFamily:Identity_IAM_Enumeration

·        BB:ActionFamily:Privilege_Boundary_Change

·        BB:ActionFamily:Durable_Access_Artifact_Creation

BB:ActionFamily:High_Risk_Cloud_Post_Control

2. Validate reference sets

·        RS:User_Source_Baseline_14d

·        RS:Recent_Stage2_Actors_30m

·        RS:Recent_Stage4_Actors_30m

3. Validate custom event properties if DSM normalization is incomplete

·        CEP_UserName

·        CEP_SourceIP

·        CEP_ActionName

·        CEP_Outcome

·        CEP_TargetObject

·        CEP_ActorRole

Deployment without validated BB population and reference-set readiness is not permitted. QRadar supports custom event properties and reference-set-backed rule logic directly.

Reference Set Lifecycle Controls

RS:User_Source_Baseline_14d

·        populate during a 7-day burn-in period

during burn-in, do not create offenses from first-seen user/source logic

·        after burn-in, add CEP_UserName|CEP_SourceIP on successful auth events with 14-day expiry

·        review top churn pairs weekly; remove known ephemeral or synthetic sources if needed

RS:Recent_Stage2_Actors_30m

·        populated only by Rule 2

·        30-minute expiry

·        used only for downstream Stage 5B correlation

RS:Recent_Stage4_Actors_30m

·        populated only by Rule 4

·        30-minute expiry

·        used only for downstream Stage 5B correlation

Starter Building Block Content

BB:ActionFamily:Privilege_Boundary_Change

Starter provider verbs:

·        Azure / Entra: Add member to role, Add directory role member, Add app role assignment

·        AWS: AttachRolePolicy, AttachUserPolicy, PutRolePolicy, PutUserPolicy

·        GCP: SetIamPolicy, projects.setIamPolicy

BB:ActionFamily:Durable_Access_Artifact_Creation

Starter provider verbs:

·        Azure / Entra: Add client secret, Add password credential, Add key credential, Create service principal

·        AWS: CreateAccessKey, CreateLoginProfile

·        GCP: service-account key creation equivalents as normalized in the tenant

BB:ActionFamily:High_Risk_Cloud_Post_Control

Starter provider verbs:

·        Azure: storage upload, diagnostic/logging changes, snapshot or disk export equivalents as normalized

·        AWS: PutObject, CloudTrail/logging changes, snapshot creation equivalents

·        GCP: storage object upload, logging/config changes, snapshot equivalents as normalized


These are starter populations, not complete coverage. Variant completeness still depends on tenant-normalized event names and QIDs. Building blocks are specifically intended to hold reusable groups of event names, IPs, or privileged identities.

Rule Name
Edge-Adjacent Artifact Access or Suspicious Tooling

Mapped Stage

Stage 1 Credential Harvesting

MITRE ATT&CK

T1555 – Credentials from Password Stores
T1550 – Use of Alternate Authentication Material

Rule Type

Event Rule — Local

SOC Usage Mode

Correlation-only

Minimum Deployment Requirement

·        BB:HostDefinition:Edge_Adjacent_Systems validated

·        edge-adjacent host telemetry available

·        approved maintenance exclusions validated

Enforcement Method

Strict host scoping with BB:HostDefinition:Edge_Adjacent_Systems and BB:Exclude:Approved_Admin_and_Automation

Implementation Constraint Notes

·        standalone offense creation is not permitted

·        broad deployment is not permitted

·        partial Stage 1 coverage only, consistent with the source model’s edge-visibility constraints

CRE Wizard Test Order

when the event matches any of:

o   event name/category indicates file access to session, token, config, backup, or export artifacts

o   event name/category indicates suspicious process or script touching those artifacts

and when the event matches BB:HostDefinition:Edge_Adjacent_Systems

and when the event does not match BB:Exclude:Approved_Admin_and_Automation

and when at least 3 events are seen with the same source IP or hostname in 10 minutes

Responses

·        add to offense only

·        magnitude: Low

·        rule response note: Stage1_Supporting_Edge_Artifact_Access

AQL Validation

SELECT username, sourceip, destinationip, QIDNAME(qid), COUNT(*) AS event_count
FROM events
WHERE (
  UTF8(payload) ILIKE '%session%' OR
  UTF8(payload) ILIKE '%token%' OR
  UTF8(payload) ILIKE '%config%' OR
  UTF8(payload) ILIKE '%backup%' OR
  UTF8(payload) ILIKE '%export%'
)
GROUP BY username, sourceip, destinationip, QIDNAME(qid)
LAST 10 MINUTES

Variant Analysis

Covered

copied config, session, token, and backup artifact access; suspicious tooling on edge-adjacent systems.

Not Covered

appliance-internal-only activity, memory-only harvesting, vendor-specific artifact names absent from normalized telemetry.

Rule Name

Successful Identity Activity from First-Seen or Infrastructure Source

Mapped Stage

Stage 2 Valid Account Authentication

MITRE ATT&CK

T1078 – Valid Accounts
T1550 – Use of Alternate Authentication Material

Rule Type

Event Rule — Global

SOC Usage Mode

Alert-capable supporting detection

Minimum Deployment Requirement

·        BB:LogSource:Identity_Provider validated

·        BB:HostDefinition:Non_User_Infrastructure validated

·        RS:User_Source_Baseline_14d active after burn-in

·        CEP_Outcome normalized

Enforcement Method

Infrastructure-origin scoping or first-seen user/source baseline test

Implementation Constraint Notes

·        failed-auth-only logic is not permitted

·        deployment before baseline burn-in is not permitted for first-seen mode

·        this remains supporting detection because session lineage can be incomplete in the source model

CRE Wizard Test Order

1.       when the event matches BB:LogSource:Identity_Provider

2.       and when CEP_Outcome = success

3.       and when any of:

o   source IP is in BB:HostDefinition:Non_User_Infrastructure

o   CEP_UserName|CEP_SourceIP is not in RS:User_Source_Baseline_14d

4.       and when the event does not match BB:Exclude:Approved_Admin_and_Automation

Responses

·        create offense

·        magnitude: Medium

·        add CEP_UserName to RS:Recent_Stage2_Actors_30m with 30-minute expiry

·        after burn-in, add CEP_UserName|CEP_SourceIP to RS:User_Source_Baseline_14d with 14-day expiry

·        rule response note: Stage2_Supporting_Identity_Anomaly

AQL Validation

SELECT username, sourceip, LOGSOURCENAME(logsourceid), QIDNAME(qid), COUNT(*) AS event_count
FROM events
WHERE LOGSOURCENAME(logsourceid) ILIKE '%okta%'
   OR LOGSOURCENAME(logsourceid) ILIKE '%azure%'
   OR LOGSOURCENAME(logsourceid) ILIKE '%entra%'
GROUP BY username, sourceip, LOGSOURCENAME(logsourceid), QIDNAME(qid)
LAST 1 DAY

Variant Analysis

Covered: infrastructure-origin successful identity activity and first-seen user/source pairs.
Not Covered: token reuse with no IdP event, federated flows with poor attribution, session inheritance without a new success event.

Rule Name

Identity and IAM Enumeration Burst

Mapped Stage

Stage 3 Account and Resource Discovery

MITRE ATT&CK

T1087 – Account Discovery
T1069 – Permission Groups Discovery

Rule Type

Event Rule — Global

SOC Usage Mode

Alert-capable with burst enforcement

Minimum Deployment Requirement

·        BB:ActionFamily:Identity_IAM_Enumeration populated

·        approved governance and inventory exclusions validated

·        actor field normalized

Enforcement Method

Global burst threshold by actor, with distinct-action expectation

Implementation Constraint Notes

·        single-event alerting is not permitted

·        governance and inventory suppression is mandatory

·        if the tenant cannot distinguish event families well, keep this rule supporting-only

CRE Wizard Test Order

1.       when the event matches BB:ActionFamily:Identity_IAM_Enumeration

2.       and when the event does not match BB:Exclude:Approved_Admin_and_Automation

3.       and when at least 6 events are seen with the same CEP_UserName in 5 minutes

4.       and when at least 2 different QIDs or normalized actions are observed for that same CEP_UserName in the same interval

Responses

·        create offense if none exists

·        otherwise add to existing offense for same CEP_UserName

·        magnitude: Medium

·        rule response note: Stage3_Enumeration_Burst

AQL Validation

SELECT username, QIDNAME(qid), COUNT(*) AS event_count
FROM events
WHERE QIDNAME(qid) ILIKE '%ListUsers%'
   OR QIDNAME(qid) ILIKE '%ListRoles%'
   OR QIDNAME(qid) ILIKE '%ListGroups%'
   OR QIDNAME(qid) ILIKE '%GetIamPolicy%'
GROUP BY username, QIDNAME(qid)
LAST 5 MINUTES

Variant Analysis

Covered: burst enumeration of users, groups, roles, service principals, applications, and IAM metadata.
Not Covered: low-and-slow discovery, provider-specific verbs absent from the BB, and discovery only visible in upstream SaaS logs not ingested into QRadar.

Rule Name

Privilege Boundary Change or Access-Control Modification

Mapped Stage

Stage 4 Privilege Escalation and Control Transition

MITRE ATT&CK

T1098 – Account Manipulation

Rule Type

Event Rule — Local

SOC Usage Mode

Alert-capable primary detection

Minimum Deployment Requirement

·        BB:ActionFamily:Privilege_Boundary_Change populated

·        approved admin exceptions validated

·        CEP_ActionName normalized

Enforcement Method

Direct action-family match only

Implementation Constraint Notes

·        credential creation is not permitted in this rule

·        data actions are not permitted in this rule

·        deployment without approved admin exceptions is not permitted

CRE Wizard Test Order

1.       when the event matches BB:ActionFamily:Privilege_Boundary_Change

2.       and when the event does not match BB:Exclude:Approved_Admin_and_Automation

Responses

·        create offense

·        magnitude: High

·        add CEP_UserName to RS:Recent_Stage4_Actors_30m with 30-minute expiry

·        rule response note: Stage4_Privilege_Boundary_Change

AQL Validation

SELECT username, sourceip, QIDNAME(qid), COUNT(*) AS event_count
FROM events
WHERE QIDNAME(qid) ILIKE '%Role%'
   OR QIDNAME(qid) ILIKE '%Policy%'
   OR QIDNAME(qid) ILIKE '%PrivilegedGroup%'
GROUP BY username, sourceip, QIDNAME(qid)
LAST 1 DAY

Variant Analysis

Covered: direct role, policy, trust-policy, and privileged membership changes.
Not Covered: indirect escalation via inherited permissions, non-audited control expansion, and poorly normalized provider actions.

Rule Name

Durable Access Artifact Creation

Mapped Stage

Stage 5 Persistence

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

Rule Type

Event Rule — Local

SOC Usage Mode

Alert-capable high-confidence detection

Minimum Deployment Requirement

·        BB:ActionFamily:Durable_Access_Artifact_Creation populated

·        credential/application creation logs ingested

·        CEP_ActionName normalized

Enforcement Method

Direct artifact-creation match only

Implementation Constraint Notes

·        privilege-boundary changes are not permitted in this rule

·        bulk data or storage actions are not permitted in this rule

CRE Wizard Test Order

1.       when the event matches BB:ActionFamily:Durable_Access_Artifact_Creation

2.       and when the event does not match BB:Exclude:Approved_Admin_and_Automation

Responses

·        create offense

·        magnitude: High

·        rule response note: Stage5_Persistence_Durable_Access

AQL Validation

SELECT username, sourceip, QIDNAME(qid), COUNT(*) AS event_count
FROM events
WHERE QIDNAME(qid) ILIKE '%AccessKey%'
   OR QIDNAME(qid) ILIKE '%ServicePrincipal%'
   OR QIDNAME(qid) ILIKE '%ClientSecret%'
   OR QIDNAME(qid) ILIKE '%Credential%'
GROUP BY username, sourceip, QIDNAME(qid)
LAST 1 DAY

Variant Analysis

Covered: durable credential and identity-artifact creation.
Not Covered: temporary-token abuse, delegated grants without durable object creation, unmanaged trust-path persistence.

Rule Name
High-Risk Cloud Action Following Privilege Transition or Identity Anomaly

Mapped Stage
Stage 5 Objective Execution

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

Rule Type

Event Rule — Global

SOC Usage Mode

Correlation-first

Minimum Deployment Requirement

·        BB:ActionFamily:High_Risk_Cloud_Post_Control populated

·        RS:Recent_Stage2_Actors_30m and RS:Recent_Stage4_Actors_30m active

·        shared actor field normalized

·        backup and sanctioned automation exceptions validated

Enforcement Method

Reference-set-backed staged correlation

Implementation Constraint Notes

·        standalone single-event alerting is not permitted

·        if CEP_UserName is unreliable, define and validate one fallback join key before deployment, such as:

o   sourceip|targetobject

o   service principal ID

o   application ID

·        do not mix join strategies inside one deployed rule

CRE Wizard Test Order

1.       when the event matches BB:ActionFamily:High_Risk_Cloud_Post_Control

2.       and when the event does not match BB:Exclude:Approved_Admin_and_Automation

3.       and when either:

o   CEP_UserName is in RS:Recent_Stage2_Actors_30m

o   CEP_UserName is in RS:Recent_Stage4_Actors_30m

Responses

·        create offense if none exists for CEP_UserName

·        otherwise add to existing offense for CEP_UserName

·        magnitude: Critical

·        rule response note: Stage5_Objective_Execution_Post_Control

AQL Validation

SELECT username, QIDNAME(qid), COUNT(*) AS event_count
FROM events
WHERE QIDNAME(qid) ILIKE '%PutObject%'
   OR QIDNAME(qid) ILIKE '%UploadObject%'
   OR QIDNAME(qid) ILIKE '%Snapshot%'
   OR QIDNAME(qid) ILIKE '%Logging%'
   OR QIDNAME(qid) ILIKE '%SecurityControl%'
GROUP BY username, QIDNAME(qid)
LAST 30 MINUTES

Variant Analysis

Covered: late-stage storage, snapshot, logging, and security-control actions after earlier identity anomaly or privilege transition.
Not Covered: low-and-slow post-control activity outside the window, delegated-service actions without stable attribution, provider verbs missing from the BB.

Sigma

Engineering Position

Sigma is the portable detection-content layer. These rules are designed to be converted into backend-specific implementations, not to replace backend-native state, baseline, threshold, reference-set, or offense logic.

These rules are:

·        detection-portable

·        implementation-aware

·        backend-dependent for enforcement of stateful logic

Global Backend Enforcement Requirement

Before conversion and deployment, validate backend mappings for:

User Identity

user.name, user.id, user.email

Source Context

source.ip, source.geo.country_name

Action / Operation

event.action

Outcome

event.outcome

Process / File Context

process.name, process.command_line, file.path

Constraint

Deployment without validated backend field mapping is not permitted.

Rule Name

Edge-Adjacent Sensitive Artifact Access or Suspicious Tooling

Mapped Stage

Stage 1 Credential Harvesting

MITRE ATT&CK

T1555 – Credentials from Password Stores
T1550 – Use of Alternate Authentication Material

SOC Usage Mode

Correlation-only

Minimum Deployment Requirement

Deploy only to:

·        edge-adjacent Linux telemetry

·        hosts that store copied edge artifacts

·        hosts with process and file visibility

Enforcement Method

Host scoping and exclusion logic must be enforced in the destination backend.

Implementation Constraint Notes

·        Standalone alerting is not permitted

·        Broad enterprise deployment is not permitted

·        Partial Stage 1 coverage only

·        Backend host scoping is mandatory

Backend Enforcement Notes

The destination SIEM or EDR must restrict this rule to approved edge-adjacent host groups or equivalent tags.

title: Edge-Adjacent Sensitive Artifact Access or Suspicious Tooling
id: 8a3f1d2e-1c6b-4d15-9b11-110000000001
status: experimental
description: Detects suspicious access to copied edge configuration, session, token, backup, export, or support-bundle artifacts, or suspicious tooling interacting with those artifacts on edge-adjacent Linux systems.
references:
  - internal-source
author: OpenAI
date: 2026-04-03
logsource:
  product: linux
detection:
  selection_file:
    file.path|contains:
      - session
      - token
      - config
      - backup
      - export
      - support
  selection_proc:
process.name|endswith:
      - bash
      - sh
      - python
      - python3
      - curl
      - wget
      - chmod
      - chown
  selection_cmd:
    process.command_line|contains:
      - session
      - token
      - config
      - backup
      - export
      - support
      - /tmp/
      - /var/tmp/
  filter_main_legit:
    process.command_line|contains:
      - ansible
      - puppet
      - chef
      - salt
      - backup
      - monitor
      - compliance
  condition: (selection_file or (selection_proc and selection_cmd)) and not filter_main_legit
falsepositives:
  - Approved maintenance or support activity on edge-adjacent systems
level: medium
tags:
  - attack.credential_access
  - attack.t1555
  - attack.t1550

Variant Analysis

Covered

·        artifact access patterns

·        suspicious tooling touching session, token, config, backup, export, or support artifacts

Not Covered

·        appliance-internal-only activity

·        memory-only harvesting

·        vendor-specific artifact names not present in file or process telemetry

Rule Name

Successful Authentication from Infrastructure-Associated Source Context

Mapped Stage

Stage 2 Valid Account Authentication

MITRE ATT&CK

T1078 – Valid Accounts
T1550 – Use of Alternate Authentication Material

SOC Usage Mode

Alert-capable supporting detection

Minimum Deployment Requirement

Requires:

·        successful authentication logs

·        source IP visibility

·        backend-specific infrastructure source scoping

Enforcement Method

Infrastructure-source context must be enforced in the destination backend.

Implementation Constraint Notes

This Sigma rule does not implement first-seen or baseline logic by itself

·        Failed-login-only deployment is not permitted

·        This is supporting detection only

Backend Enforcement Notes

If first-seen, baseline deviation, impossible-travel, or device-anomaly logic is required, it must be implemented in the destination backend after Sigma conversion.

title: Successful Authentication from Infrastructure-Associated Source Context
id: 8a3f1d2e-1c6b-4d15-9b11-110000000002
status: experimental
description: Detects successful authentication events from infrastructure-associated source ranges or other non-user source contexts. Historical baseline and first-seen logic must be implemented in the target backend if required.
references:
  - internal-source
author: OpenAI
date: 2026-04-03
logsource:
  category: authentication
detection:
  selection_success:
    event.outcome: success
  selection_infra_source:
    source.ip|cidr:
      - 10.0.0.0/8
      - 172.16.0.0/12
      - 192.168.0.0/16
  condition: selection_success and selection_infra_source
falsepositives:
  - Approved identity middleware
  - Federation services
  - Infrastructure-based identity workflows
level: medium
tags:
  - attack.persistence
  - attack.valid_accounts
  - attack.t1078
  - attack.t1550

Variant Analysis

Covered

·        successful auth from infrastructure-associated source context

Not Covered

·        token reuse without new login

·        baseline deviation or first-seen logic unless added downstream

·        federated auth with poor source attribution

Rule Name

Identity and IAM Enumeration Activity

Mapped Stage

Stage 3 Account and Resource Discovery

MITRE ATT&CK

T1087 – Account Discovery
T1069 – Permission Groups Discovery

SOC Usage Mode

Correlation or threshold-backed alerting

Minimum Deployment Requirement

Requires:

·        normalized cloud and identity audit verbs

·        backend thresholding or correlation support

·        exception lists for governance and inventory activity

Enforcement Method

Burst thresholds and actor grouping must be enforced in the destination backend.

Implementation Constraint Notes

·        Single-event alerting is not permitted

·        Backend thresholding is mandatory for production use

Backend Enforcement Notes

Destination backend should require:

·        actor grouping

·        short interval threshold

·        approved inventory/admin suppressions

title: Identity and IAM Enumeration Activity
id: 8a3f1d2e-1c6b-4d15-9b11-110000000003
status: experimental
description: Detects identity and IAM enumeration actions associated with discovery of users, roles, groups, service principals, applications, and IAM policy metadata.
references:
  - internal-source
author: OpenAI
date: 2026-04-03
logsource:
  category: cloud
detection:
  selection_actions:
    event.action:
      - ListUsers
      - ListRoles
      - GetRole
      - ListGroups
      - ListServicePrincipals
      - GetIamPolicy
      - ListRoleAssignments
      - GetDirectoryRole
      - ListApplications
  filter_main_legit:
user.name:
      - governance-service
      - inventory-service
      - approved-admin
  condition: selection_actions and not filter_main_legit
falsepositives:
  - Governance collectors
  - Inventory tooling
  - Approved administrative review activity
level: medium
tags:
  - attack.discovery
  - attack.account_discovery
  - attack.permission_groups_discovery
  - attack.t1087
  - attack.t1069

Variant Analysis

Covered

·        identity and IAM read actions for users, roles, groups, service principals, applications, and policy metadata

Not Covered

·        low-and-slow discovery

·        provider-specific unmapped verbs

·        production-safe burst logic unless enforced downstream

Rule Name

Privilege Boundary Change or Access-Control Modification

Mapped Stage

Stage 4 Privilege Escalation

MITRE ATT&CK

T1098 – Account Manipulation

SOC Usage Mode

Alert-capable primary detection

Minimum Deployment Requirement

Requires:

·        normalized cloud and identity admin verbs

·        approved admin exclusions

·        tenant verb validation

Enforcement Method

Direct privilege-change matching in the destination backend.

Implementation Constraint Notes

·        Credential creation is not permitted in this rule

·        Post-control data actions are not permitted in this rule

·        Provider verb validation is mandatory

Backend Enforcement Notes

Destination backend should preserve direct action-family semantics and maintain approved admin exceptions.

title: Privilege Boundary Change or Access-Control Modification
id: 8a3f1d2e-1c6b-4d15-9b11-110000000004
status: experimental
description: Detects direct authority-expanding changes such as role assignment, privileged group membership modification, or IAM policy change.
references:
  - internal-source
author: OpenAI
date: 2026-04-03
logsource:
  category: cloud
detection:
  selection_actions:
    event.action:
      - AddRoleAssignment
      - AttachRolePolicy
      - PutRolePolicy
      - AddMemberToPrivilegedGroup
      - GrantAdminRole
      - UpdateAssumeRolePolicy
      - SetIamPolicy
      - AddDirectoryRoleMember
  filter_main_legit:
user.name:
      - approved-admin
      - pam-service
      - breakglass-approved
  condition: selection_actions and not filter_main_legit
falsepositives:
  - Approved privileged administration
  - Emergency access workflows
level: high
tags:
  - attack.privilege_escalation
  - attack.account_manipulation
  - attack.t1098

Variant Analysis

Covered

·        direct role, policy, trust-policy, and privileged membership changes

Not Covered

·        indirect escalation through inherited permissions

·        poorly normalized provider verbs

Rule Name

Durable Access Artifact Creation

Mapped Stage

Stage 5 Persistence

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Alert-capable high-confidence detection

Minimum Deployment Requirement

Requires:

·        cloud and identity audit coverage for credential and identity-object creation

·        tenant verb validation

Enforcement Method

Direct durable-artifact creation matching in the destination backend.

Implementation Constraint Notes

·        Privilege-boundary change actions are not permitted here

·        Bulk data actions are not permitted here

·        Provider verb validation is mandatory

Backend Enforcement Notes

Destination backend should keep suppressions narrow and tied only to approved provisioning workflows.

title: Durable Access Artifact Creation
id: 8a3f1d2e-1c6b-4d15-9b11-110000000005
status: experimental
description: Detects creation of long-lived access artifacts such as access keys, service principals, client secrets, and application credentials.
references:
  - internal-source
author: OpenAI
date: 2026-04-03
logsource:
  category: cloud
detection:
  selection_actions:
    event.action:
      - CreateAccessKey
      - CreateServicePrincipal
      - AddClientSecret
      - CreateApplicationCredential
      - GrantOAuthConsent
      - AddPasswordCredential
      - AddKeyCredential
  filter_main_legit:
user.name:
      - approved-provisioning
      - approved-admin
  condition: selection_actions and not filter_main_legit
falsepositives:
  - Approved provisioning systems
  - Narrowly scoped credential rotation workflows
level: high
tags:
  - attack.persistence
  - attack.valid_accounts
  - attack.account_manipulation
  - attack.t1078
  - attack.t1098

Variant Analysis

Covered

·        durable credential and identity-artifact creation

Not Covered

·        temporary-token abuse

·        delegated access paths without durable object creation

Rule Name

High-Risk Cloud Action Following Privilege Transition

Mapped Stage

Stage 5 Objective Execution

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Correlation-first

Minimum Deployment Requirement

Requires a backend that supports:

·        Sigma correlation

·        or equivalent translated sequence logic

·        stable actor attribution

Enforcement Method

Sequence or correlation logic must be implemented in the destination backend.

Implementation Constraint Notes

·        Standalone single-event alerting is not permitted

·        This rule requires a backend supporting Sigma correlation or an equivalent translated feature

·        If storage-heavy activity is common, split storage actions from control-plane impairment actions downstream

Backend Enforcement Notes

Do not deploy this rule as a plain single-event Sigma conversion. It must be converted into backend correlation or sequence logic.

title: High-Risk Cloud Action Following Privilege Transition
id: 8a3f1d2e-1c6b-4d15-9b11-110000000006
status: experimental
description: Detects high-risk cloud data or control-plane actions following a privilege boundary change by the same actor within a constrained interval.
references:
  - internal-source
author: OpenAI
date: 2026-04-03
correlation:
  type: event_count
  rules:
    - 8a3f1d2e-1c6b-4d15-9b11-110000000004
    - 8a3f1d2e-1c6b-4d15-9b11-110000000006-base
  group-by:
    - user.name
  timespan: 30m
level: high
tags:
  - attack.exfiltration
  - attack.impact
  - attack.valid_accounts
  - attack.account_manipulation
  - attack.t1078
  - attack.t1098
---
title: High-Risk Cloud Action Following Privilege Transition Base
id: 8a3f1d2e-1c6b-4d15-9b11-110000000006-base
status: experimental
description: Base detector for high-risk cloud post-control actions.
references:
  - internal-source
author: OpenAI
date: 2026-04-03
logsource:
  category: cloud
detection:
  selection_actions:
    event.action:
      - PutObject
      - UploadObject
      - CreateSnapshot
      - ModifyLogging
      - DisableSecurityControl
      - StopLogging
      - DeleteTrail
      - UpdateBucketPolicy
  filter_main_legit:
user.name:
      - approved-backup
      - approved-admin
      - approved-automation
  condition: selection_actions and not filter_main_legit
falsepositives:
  - Approved backup workflows
  - Sanctioned cloud administration
level: medium
tags:
  - attack.exfiltration
  - attack.impact
  - attack.t1078
  - attack.t1098

Variant Analysis

Covered

·        ordered progression from privilege transition into storage, snapshot, logging, and security-control-impacting actions

Not Covered

·        slow post-control actions outside the correlation window

·        delegated service activity without stable actor attribution

·        backends that do not support Sigma correlation or equivalent translated logic

YARA

Engineering Position

YARA is the artifact and content-detection layer.

It is appropriate for:

·        suspicious web shells

·        dropped scripts

·        copied session or credential dump artifacts

·        shell-history fragments

·        recovered admin tooling

·        operator notes and staging files

It is not the authoritative layer for:

·        successful authentication detection

·        identity session anomalies

·        privilege changes in IdP or cloud logs

·        cloud control-plane sequencing

Those behaviors are identity- and cloud-native in this intrusion model and belong in log and correlation layers rather than static content signatures.

Rule Name

Edge Web Shell or Unauthorized Edge Script Artifact

Mapped Stage

Stage 1 Credential Harvesting

MITRE ATT&CK

T1190 – Exploit Public-Facing Application
T1555 – Credentials from Password Stores

SOC Usage Mode

Alert-capable supporting detection

Minimum Deployment Requirement
Deploy only on:

·        edge-adjacent file collections

·        suspicious web directories

·        extracted appliance file systems

·        support bundles

·        forensic triage sets from suspected edge compromise

Enforcement Method

Restrict scanning scope to edge-adjacent artifacts only.

Implementation Constraint Notes

Broad enterprise-wide YARA deployment is not permitted.
This rule is intended for unauthorized files or scripts on edge systems, which the intrusion model explicitly identifies as a Stage 1 behavior.

rule CYBERDAX_EXP_Edge_Webshell_Or_Unauthorized_Script
{
    meta:
        description = "Detects suspicious edge web shells or unauthorized script artifacts associated with edge-to-identity intrusion chains"
        author = "OpenAI"
        date = "2026-04-03"
        stage = "Stage 1 Credential Harvesting"
        mitre_1 = "T1190 - Exploit Public-Facing Application"
        mitre_2 = "T1555 - Credentials from Password Stores"
        usage_mode = "Alert-capable supporting detection"

    strings:
        $php_1 = "system($_" ascii nocase
        $php_2 = "shell_exec($_" ascii nocase
        $php_3 = "passthru($_" ascii nocase
        $php_4 = "eval(base64_decode(" ascii nocase
        $php_5 = "assert($_POST" ascii nocase

        $jsp_1 = "Runtime.getRuntime().exec" ascii nocase
        $jsp_2 = "ProcessBuilder(" ascii nocase

        $py_1  = "subprocess.Popen(" ascii nocase
        $py_2  = "os.system(" ascii nocase

        $sh_1  = "/bin/sh" ascii nocase
        $sh_2  = "/bin/bash" ascii nocase

        $net_1 = "curl -k" ascii nocase
        $net_2 = "wget --no-check-certificate" ascii nocase
        $net_3 = "chmod +x /tmp/" ascii nocase

        $edge_1 = "sessionid" ascii nocase
        $edge_2 = "auth_token" ascii nocase
        $edge_3 = "vpn" ascii nocase
        $edge_4 = "support bundle" ascii nocase
        $edge_5 = "configuration export" ascii nocase

    condition:
        (
            2 of ($php_*) or
            2 of ($jsp_*) or
            2 of ($py_*) or
            2 of ($sh_*,$net_*)
        )
        or
        (
            1 of ($php_*,$jsp_*,$py_*,$sh_*,$net_*) and
            2 of ($edge_*)
        )
}

Variant Analysis

Covered

·        PHP, JSP, Python, and shell-style web-shell or script artifacts

·        unauthorized tooling with edge/session-oriented context

Not Covered

·        heavily obfuscated shells

·        compiled implants with no useful strings

·        pure memory-only shell activity

·        benign admin scripts that do not contain shell-like or web-shell-like behavior markers

Rule Name
Edge Session or Credential Dump Artifact

Mapped Stage

Stage 1 Credential Harvesting

MITRE ATT&CK

T1555 – Credentials from Password Stores
T1550 – Use of Alternate Authentication Material

SOC Usage Mode

Correlation-first

Minimum Deployment Requirement

Use only on:

·        copied config files

·        extracted edge storage

·        support bundles

·        memory string dumps exported to text

·        recovered dump artifacts from suspected edge compromise

Enforcement Method

Restrict to artifacts collected from exploited or suspected edge infrastructure.

Implementation Constraint Notes

Standalone alerting is not permitted.
This rule is intended to detect artifact content consistent with session or credential exposure, which the intrusion model places at the core of Stage 1.

rule CYBERDAX_EXP_Edge_Session_Or_Credential_Dump_Artifact
{
    meta:
        description = "Detects edge-derived dump artifacts containing session, cookie, token, or credential-related content"
        author = "OpenAI"
        date = "2026-04-03"
        stage = "Stage 1 Credential Harvesting"
        mitre_1 = "T1555 - Credentials from Password Stores"
        mitre_2 = "T1550 - Use of Alternate Authentication Material"
        usage_mode = "Correlation-first"

    strings:
        $h1 = "Set-Cookie:" ascii nocase
        $h2 = "Authorization: Bearer " ascii nocase
        $h3 = "Cookie:" ascii nocase

        $t1 = "sessionid=" ascii nocase
        $t2 = "auth_token=" ascii nocase
        $t3 = "remember_token=" ascii nocase
        $t4 = "refresh_token" ascii nocase
        $t5 = "access_token" ascii nocase

        $c1 = "password=" ascii nocase
        $c2 = "credential" ascii nocase
        $c3 = "saml" ascii nocase
        $c4 = "oauth" ascii nocase
        $c5 = "vpn" ascii nocase

    condition:
        (
            2 of ($h*) and
            2 of ($t*,$c*)
        )
        or
        (
            4 of ($t*,$c*)
        )
}

Variant Analysis

Covered

·        dumped cookies, bearer headers, token fields, and credential-bearing text artifacts

·        support-bundle or copied-storage text with auth-related residue

Not Covered

·        encrypted dumps

·        binary-only token containers

·        proprietary vendor encodings with no readable auth markers

Rule Name

Recovered Identity and Cloud Administration Script Artifact

Mapped Stage

Stage 3 Account and Resource Discovery
Stage 4 Privilege Escalation and Control Transition

MITRE ATT&CK

T1087 – Account Discovery
T1069 – Permission Groups Discovery
T1098 – Account Manipulation

SOC Usage Mode

Hunt-only

Minimum Deployment Requirement

Use on:

·        recovered scripts

·        dropped admin tooling

·        shell-history exports

·        forensic text collections

·        operator notes

Enforcement Method

Hunt in recovered files only. Do not use as a standalone production alert.

Implementation Constraint Notes

Standalone alerting is not permitted.
This rule is hunt-only because these stages are primarily expressed through IdP and cloud administrative interfaces and APIs, not static malware artifacts.

rule CYBERDAX_EXP_Recovered_Identity_Cloud_Admin_Script
{
    meta:
        description = "Detects recovered scripts or textual artifacts containing identity and cloud enumeration or privilege modification tooling"
        author = "OpenAI"
        date = "2026-04-03"
        stage = "Stage 3 and Stage 4"
        mitre_1 = "T1087 - Account Discovery"
        mitre_2 = "T1069 - Permission Groups Discovery"
        mitre_3 = "T1098 - Account Manipulation"
        usage_mode = "Hunt-only"

    strings:
        $az_1 = "az ad user list" ascii nocase
        $az_2 = "az role assignment list" ascii nocase
        $az_3 = "az role assignment create" ascii nocase

        $aws_1 = "aws iam list-" ascii nocase
        $aws_2 = "aws iam get-" ascii nocase
        $aws_3 = "aws iam attach-role-policy" ascii nocase

        $gcp_1 = "gcloud projects get-iam-policy" ascii nocase
        $gcp_2 = "gcloud projects add-iam-policy-binding" ascii nocase

        $ms_1 = "Add-AzureADDirectoryRoleMember" ascii nocase
        $ms_2 = "Add-MgGroupMember" ascii nocase
        $ms_3 = "Get-MgUser" ascii nocase
        $ms_4 = "Get-MgDirectoryRole" ascii nocase

    condition:
        2 of them
}

Variant Analysis

Covered

·        recovered scripts or notes containing common Azure, AWS, GCP, and Microsoft identity administration verbs

Not Covered

·        pure API abuse with no script artifact

·        GUI-only admin activity

·        renamed or encoded tooling with no readable command residue

Rule Name

Durable Access Creation Artifact

Mapped Stage

Stage 5 Persistence

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Alert-capable supporting detection

Minimum Deployment Requirement

Use on:

·        attacker scripts

·        shell-history exports

·        automation fragments

·        recovered admin tooling files

·        textual forensic artifacts

Enforcement Method

Restrict to recovered or suspicious artifacts and pair with cloud-audit confirmation.

Implementation Constraint Notes

This rule does not confirm successful persistence on its own.
Use with identity or cloud logs to confirm long-lived access creation, which the intrusion model identifies as Stage 5 behavior.

rule CYBERDAX_EXP_Durable_Access_Creation_Artifact
{
    meta:
        description = "Detects scripts or text artifacts used to create durable cloud or identity access artifacts"
        author = "OpenAI"
        date = "2026-04-03"
        stage = "Stage 5 Persistence"
        mitre_1 = "T1078 - Valid Accounts"
        mitre_2 = "T1098 - Account Manipulation"
        usage_mode = "Alert-capable supporting detection"

    strings:
        $a1 = "CreateAccessKey" ascii nocase
        $a2 = "CreateServicePrincipal" ascii nocase
        $a3 = "AddClientSecret" ascii nocase
        $a4 = "AddPasswordCredential" ascii nocase
        $a5 = "AddKeyCredential" ascii nocase
        $a6 = "CreateApplicationCredential" ascii nocase
        $a7 = "service-principal create" ascii nocase
        $a8 = "create-access-key" ascii nocase
        $a9 = "grant oauth consent" ascii nocase

    condition:
        2 of them
}

Variant Analysis

Covered

·        scripts or text showing durable credential, secret, key, or service-principal creation

Not Covered

·        direct console/API activity without artifact residue

·        temporary token abuse

·        delegated-consent paths with no local script or text evidence

Rule Name

High-Risk Cloud Objective or Impact Artifact

Mapped Stage

Stage 5 Objective Execution

MITRE ATT&CK

T1041 – Exfiltration Over C2 Channel
T1486 – Data Encrypted for Impact
T1098 – Account Manipulation

SOC Usage Mode

Hunt-only or correlation-first

Minimum Deployment Requirement

Use on:

·        recovered scripts

·        operator notes

·        shell-history files

·        dumped command files

·        staging artifacts

Enforcement Method

Use as hunt content or supporting artifact detection only.

Implementation Constraint Notes

Standalone alerting is not permitted.
This rule is supporting-only because Stage 5 objective execution in the intrusion model occurs largely through legitimate identity and cloud control channels, not necessarily static malware files.

rule CYBERDAX_EXP_High_Risk_Cloud_Objective_Artifact
{
    meta:
        description = "Detects scripts or artifacts associated with high-risk cloud data access, logging impairment, snapshot activity, or destructive objective execution"
        author = "OpenAI"
        date = "2026-04-03"
        stage = "Stage 5 Objective Execution"
        mitre_1 = "T1041 - Exfiltration Over C2 Channel"
        mitre_2 = "T1486 - Data Encrypted for Impact"
        mitre_3 = "T1098 - Account Manipulation"
        usage_mode = "Hunt-only or correlation-first"

    strings:
        $d1 = "aws s3 cp" ascii nocase
        $d2 = "gsutil cp" ascii nocase
        $d3 = "PutObject" ascii nocase
        $d4 = "UploadObject" ascii nocase
        $d5 = "CreateSnapshot" ascii nocase
        $d6 = "DeleteTrail" ascii nocase
        $d7 = "DisableSecurityControl" ascii nocase
        $d8 = "ModifyLogging" ascii nocase
        $d9 = "encrypt" ascii nocase
        $d10 = "ransom" ascii nocase

    condition:
        (
            2 of ($d1,$d2,$d3,$d4,$d5,$d6,$d7,$d8)
        )
        or
        (
            1 of ($d1,$d2,$d3,$d4,$d5,$d6,$d7,$d8) and
            1 of ($d9,$d10)
        )
}

Variant Analysis

Covered

·        recovered artifacts indicating bulk data movement, snapshot creation, logging impairment, security-control manipulation, or destructive intent

Not Covered

·        pure console/API activity with no file or text artifact

·        provider-specific verbs not represented in strings

·        minimalist operator behavior leaving no script residue

Engineering Note

This hardened YARA set now matches the intrusion model’s real detection boundaries:

·        strongest at Stage 1 for web shells, dump artifacts, and unauthorized files/scripts

·        supporting or hunt-only for later stages where the attack shifts into identity and cloud control channels

·        not a replacement for identity or cloud-native telemetry, which the source model explicitly prioritizes for detection across Stage 2 through Stage 5

AWS

Engineering Position

AWS is the native cloud audit and control-plane detection layer for AWS-visible behavior in this intrusion chain. It is strongest for:

·        Stage 3 discovery

·        Stage 4 privilege escalation

·        Stage 5 persistence

·        Stage 5 objective execution

It is weaker for:

·        direct Stage 1 edge exploit visibility

·        upstream identity-provider session lineage outside AWS-visible telemetry

·        appliance-internal artifact access

Mandatory Data Source Requirement

Before deployment, validate:

CloudTrail

·        Management events enabled

·        Write events enabled

·        Read events enabled where required

·        Global service events enabled

S3 / Data Events

·        Enable S3 data events for relevant buckets if using object-level actions like PutObject

Identity Context

·        Principal attribution fields available and consistent enough for downstream joins

Constraint

Deployment without validated CloudTrail coverage is not permitted. Rules using object-level S3 actions are not valid unless S3 data events are enabled for the relevant scope.

Rule Name
AWS Identity and IAM Enumeration Burst

Mapped Stage

Stage 3 Account and Resource Discovery

MITRE ATT&CK

T1087 – Account Discovery
T1069 – Permission Groups Discovery

SOC Usage Mode

Correlation or threshold-backed alerting

Minimum Deployment Requirement

Requires:

·        CloudTrail IAM read activity

·        downstream thresholding

·        downstream exclusions for approved inventory, governance, and admin automation

Enforcement Method

EventBridge matches IAM enumeration APIs.
Burst logic must be enforced in the downstream target.

Implementation Constraint Notes

·        Single-event alerting is not permitted

·        Production use requires short-window actor grouping

·        Approved governance and inventory tooling must be excluded downstream

·        Failed API calls should be excluded

EventBridge Event Pattern JSON

{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": [
      "ListUsers",
      "ListRoles",
      "ListAttachedUserPolicies",
      "ListAttachedRolePolicies",
      "GetRole",
      "GetPolicy",
      "GetPolicyVersion",
      "ListAccessKeys",
      "GetAccountAuthorizationDetails"
    ],
    "readOnly": [true],
    "errorCode": [
      { "exists": false }
    ]
  }
}

Target / Downstream Action Guidance

Downstream logic should:

·        group by actor, such as principal ARN or username

·        alert only when the same actor performs repeated enumeration in a short window such as 5 minutes

·        optionally require 3 or more distinct enumeration APIs

·        suppress known inventory, governance, and approved admin tooling

Variant Analysis

Covered

·        common AWS IAM enumeration APIs

Not Covered

·        low-and-slow discovery

·        non-IAM enumeration outside this action family

·        service-specific read APIs not listed here

Logical Notes

Single-rule meaning: IAM enumeration activity observed.
Correlated meaning: privilege-path or target discovery in AWS.

Rule Execution Validity

Deployable only with downstream thresholding or correlation.

Rule Name

Privilege Boundary Change via IAM Policy or Role Modification

Mapped Stage

Stage 4 Privilege Escalation

MITRE ATT&CK

T1098 – Account Manipulation

SOC Usage Mode

Alert-capable primary detection

Minimum Deployment Requirement

Requires:

·        CloudTrail write activity

·        downstream allowlist for approved administration and automation

·        principal normalization

Enforcement Method

Direct match on privilege-boundary-changing IAM APIs.

Implementation Constraint Notes

·        Durable-access creation is not permitted in this rule

·        Storage or data actions are not permitted in this rule

·        Approved admin exceptions must be enforced downstream

·        Failed API calls should be excluded

EventBridge Event Pattern JSON

{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": [
      "AttachUserPolicy",
      "AttachRolePolicy",
      "PutUserPolicy",
      "PutRolePolicy",
      "PutRolePermissionsBoundary",
      "CreatePolicyVersion",
      "UpdateAssumeRolePolicy",
      "AddUserToGroup"
    ],
    "readOnly": [false],
    "errorCode": [
      { "exists": false }
    ]
  }
}

Target / Downstream Action Guidance

Downstream logic should:

·        suppress explicitly approved admin and automation identities

·        raise severity when the actor is not a normal administrator

·        optionally inspect whether CreatePolicyVersion created a new default version

·        enrich AddUserToGroup to confirm the group is privileged

Variant Analysis

Covered

·        direct IAM role, user, inline policy, permissions-boundary, trust-policy, and group membership changes

Not Covered

·        indirect escalation through inherited permissions

·        escalation caused by pre-existing over-privileged roles without a new IAM change

·        privilege changes hidden behind unmapped APIs

Logical Notes

Single-rule meaning: direct privilege-boundary change in AWS IAM.
Correlated meaning: confirmed escalation into higher authority.

Rule Execution Validity

Deployable as a primary escalation detector.

Rule Name

Durable Access Artifact Creation in AWS

Mapped Stage

Stage 5 Persistence

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Alert-capable high-confidence detection

Minimum Deployment Requirement

Requires:

·        CloudTrail write activity

·        downstream exception handling for tightly controlled provisioning workflows

Enforcement Method

Direct match on durable-access artifact creation APIs.

Implementation Constraint Notes

·        Privilege-boundary changes are not permitted in this rule

·        Storage and data actions are not permitted in this rule

·        Suppressions must remain narrow and explicit

·        CreateUser is often legitimate in some environments; split or suppress aggressively if onboarding volume is high

·        Failed API calls should be excluded

EventBridge Event Pattern JSON

{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": [
      "CreateAccessKey",
      "CreateLoginProfile",
      "CreateUser"
    ],
    "readOnly": [false],
    "errorCode": [
      { "exists": false }
    ]
  }
}

Target / Downstream Action Guidance

Downstream logic should:

·        exclude only tightly controlled provisioning identities

·        raise severity on access-key creation by non-admin or non-provisioning actors

·        distinguish expected onboarding from suspicious persistence creation

·        strongly consider splitting CreateUser into its own rule if it is common in the tenant

Variant Analysis

Covered

·        access key creation

·        console credential creation

·        IAM user creation where relevant to the environment

Not Covered

·        STS-only temporary session abuse

·        delegated access paths without durable IAM artifact creation

·        persistence through unmanaged or external identity trust not reflected in IAM creation events

Logical Notes

Single-rule meaning: durable access artifact creation in AWS.
Correlated meaning: persistence establishment through legitimate AWS control-plane mechanisms.

Rule Execution Validity

Deployable as a primary persistence detector, with careful CreateUser handling.

Rule Name

High-Risk Cloud Action Following Privilege Transition

Mapped Stage

Stage 5 Objective Execution

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Correlation-first

Minimum Deployment Requirement

Requires:

·        CloudTrail write activity

·        a stateful downstream target

·        actor continuity or an alternate join-key strategy

·        mature backup and automation exceptions

·        S3 data events enabled for the relevant buckets if PutObject is used

Enforcement Method

EventBridge matches high-risk post-control actions.
Downstream logic must correlate them to a prior Rule 2 privilege-transition event.

Implementation Constraint Notes

·        Standalone single-event alerting is not permitted

·        Actor continuity must be validated downstream

·        If storage-heavy workloads are common, split data actions from logging or security-control impairment actions

·        Do not rely on event proximity alone; use the same actor or a validated fallback join key

·        PutObject requires S3 data events and should be removed if those data events are not enabled

·        Failed API calls should be excluded

EventBridge Event Pattern JSON

{
  "source": ["aws.s3", "aws.ec2", "aws.cloudtrail"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": [
      "s3.amazonaws.com",
      "ec2.amazonaws.com",
      "cloudtrail.amazonaws.com"
    ],
    "eventName": [
      "PutObject",
      "PutBucketPolicy",
      "CreateSnapshot",
      "StopLogging",
      "DeleteTrail",
      "UpdateTrail"
    ],
    "readOnly": [false],
    "errorCode": [
      { "exists": false }
    ]
  }
}

Target / Downstream Action Guidance

Downstream logic should:

·        correlate to a prior privilege-transition event by the same actor within a bounded interval such as 30 minutes

·        separate storage-heavy operations from trail or logging impairment if needed

·        elevate to critical only when prior privilege-transition context exists

·        define fallback join strategy if actor naming is inconsistent, such as:

o   principal ARN

o   session issuer ARN

o   assumed-role principal ID

Variant Analysis

Covered

·        storage policy or object actions

·        snapshot creation

·        CloudTrail trail/logging changes after privilege transition

Not Covered

·        low-and-slow post-control activity outside the correlation window

·        delegated-service execution with weak actor attribution

·        high-risk post-control APIs outside the listed services or event names

Logical Notes

Single-rule meaning: high-risk AWS action observed.
Correlated meaning: objective execution, defense impairment, or late-stage operational action after escalation.

Rule Execution Validity

Deployable only as correlation-first content.

Rule Name

AWS Administrative API Activity Signal Aggregator from Infrastructure-Associated Source Context

Mapped Stage

Stage 2 Valid Account Authentication
Stage 3 Account and Resource Discovery

MITRE ATT&CK

T1078 – Valid Accounts
T1087 – Account Discovery

SOC Usage Mode

Supporting detection or correlation-first

Minimum Deployment Requirement

Requires:

·        source IP visibility in CloudTrail-delivered events

·        downstream infrastructure-source scoping

·        approved automation exclusions

Enforcement Method

EventBridge matches a narrow AWS IAM administrative signal family.
Downstream logic must determine whether source context is infrastructure-associated or otherwise suspicious.

Implementation Constraint Notes

·        Standalone paging is not permitted unless infrastructure-source logic is mature

·        This remains supporting-only because AWS-native logs do not always prove the upstream identity anomaly by themselves

·        Approved automation and CI or CD roles must be excluded

·        This is a signal aggregator, not a primary high-confidence rule

·        Failed API calls should be excluded

EventBridge Event Pattern JSON

{
  "source": ["aws.iam"],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": ["iam.amazonaws.com"],
    "eventName": [
      "ListUsers",
      "ListRoles",
      "GetRole",
      "AttachUserPolicy",
      "AttachRolePolicy"
    ],
    "errorCode": [
      { "exists": false }
    ]
  }
}

Target / Downstream Action Guidance

Downstream logic should:

·        compare source IP against known infrastructure or non-user ranges

·        exclude approved automation, CI or CD, and sanctioned admin roles

·        treat as a supporting signal linking infrastructure-origin activity to AWS discovery or control actions

·        optionally enrich with VPC, proxy, NAT, or organization egress context

Variant Analysis

Covered

·        AWS IAM administrative APIs from potentially suspicious source context

Not Covered

·        token reuse without distinguishable source context

·        AWS service-to-service paths that mask the initiating actor

·        persistence creation or high-risk storage actions, which are intentionally excluded from this aggregator

Logical Notes

Single-rule meaning: AWS administrative API signal observed.
Correlated meaning: suspicious authenticated-session use leading into AWS discovery or control activity.

Rule Execution Validity

Deployable as supporting or correlation-first content only.

Engineering Note

This corrected AWS rule set is now explicitly written in the agreed system-ready format: Amazon EventBridge event pattern JSON.

That means:

·        EventBridge handles matching

·        downstream targets handle state

·        downstream targets handle thresholding

·        downstream targets handle correlation

·        downstream targets handle exceptions and severity

It is therefore easier to translate for teams using:

·        EventBridge directly

·        Lambda

·        Step Functions

·        SIEM forwarding

·        Security Hub custom findings

·        other cloud-native or third-party pipelines

Azure

Engineering Position

Azure Activity Log Alert JSON is strongest for:

·        Stage 4 privilege-boundary and access-control modification

·        Stage 5 high-risk post-control Azure management actions

It is weaker for:

·        Stage 1 edge artifact visibility

·        Stage 2 identity session lineage and sign-in anomaly detection

·        Stage 3 burst-based discovery detections

·        identity-native persistence actions that live primarily outside Azure Activity Log

Mandatory Data Source Requirement

Before deployment, validate:

·        Azure Activity Log coverage for all intended subscriptions or scopes

·        reliable use of:

o   category

o   operationName

o   caller

o   status

o   resourceProvider

o   resourceType

·        action groups for downstream handling

Constraint
Deployment without validated Activity Log coverage is not permitted.

Rule Name

Azure Privilege Boundary Change or Access-Control Modification

Mapped Stage

Stage 4 Privilege Escalation

MITRE ATT&CK

T1098 – Account Manipulation

SOC Usage Mode

Alert-capable primary detection

Minimum Deployment Requirement

Requires:

·        Administrative Activity Log coverage

·        approved admin exception process

·        scope set to relevant subscription or management scope

Enforcement Method

Direct Activity Log matching on high-risk RBAC, policy, and access-control operations

Implementation Constraint Notes

·        Durable-access creation is not permitted in this rule

·        Data-plane actions are not permitted in this rule

·        Approved admin exceptions must be enforced downstream

Azure Activity Log Alert JSON

{
  "type": "Microsoft.Insights/activityLogAlerts",
  "apiVersion": "2020-10-01",
  "name": "cdx-az-priv-boundary-change",
  "location": "Global",
  "properties": {
    "enabled": true,
    "description": "Detect direct Azure privilege-boundary or access-control modification events.",
    "scopes": [
      "/subscriptions/<SUBSCRIPTION_ID>"
    ],
    "condition": {
      "allOf": [
        {
          "field": "category",
          "equals": "Administrative"
        },
        {
          "anyOf": [
            {
              "field": "operationName",
              "containsAny": [
                "Microsoft.Authorization/roleAssignments/write",
                "Microsoft.Authorization/roleDefinitions/write",
                "Microsoft.Authorization/denyAssignments/write",
                "Microsoft.Authorization/policyAssignments/write",
                "Microsoft.Authorization/policyDefinitions/write",
                "Microsoft.Authorization/policySetDefinitions/write",
                "Microsoft.Authorization/elevateAccess/Action"
              ]
            }
          ]
        },
        {
          "field": "status",
          "equals": "Succeeded"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/microsoft.insights/actionGroups/<ACTION_GROUP_NAME>"
        }
      ]
    }
  }
}

Target / Downstream Action Guidance

Downstream handling should:

·        suppress approved change windows and sanctioned admin workflows

·        enrich with caller, resourceGroup, resourceProvider, and resourceType

·        elevate severity when the caller is not part of a known privileged-admin set

Variant Analysis

Covered

·        direct RBAC, deny-assignment, policy, and elevate-access control-plane changes

Not Covered

·        indirect escalation through pre-existing privilege

·        identity-native entitlement changes visible only in Entra-focused audit sources

Logical Notes

Single-rule meaning: direct Azure privilege-boundary or access-control modification observed.
Correlated meaning: confirmed escalation into higher authority in Azure control plane.

Rule Execution Validity

Deployable as a primary escalation detector.

Rule Name

Azure High-Risk Control-Surface Change Signal

Mapped Stage

Stage 4 Privilege Escalation
Stage 5 Objective Execution

MITRE ATT&CK

T1098 – Account Manipulation

SOC Usage Mode

Supporting detection

Minimum Deployment Requirement

Requires:

·        Administrative Activity Log coverage

·        downstream approved-admin and approved-governance handling

·        well-chosen scope

Enforcement Method

Direct Activity Log matching on policy and diagnostics control-surface changes

Implementation Constraint Notes

·        This is a supporting signal, not a primary high-confidence detector

·        Use this to enrich investigations around policy rollback, diagnostics tampering, or broader control-surface manipulation

·        If noisy, split policy changes from diagnostics changes

Azure Activity Log Alert JSON

{
  "type": "Microsoft.Insights/activityLogAlerts",
  "apiVersion": "2020-10-01",
  "name": "cdx-az-control-surface-signal",
  "location": "Global",
  "properties": {
    "enabled": true,
    "description": "Detect high-impact Azure policy or diagnostics control-surface changes as supporting signals.",
    "scopes": [
      "/subscriptions/<SUBSCRIPTION_ID>"
    ],
    "condition": {
      "allOf": [
        {
          "field": "category",
          "equals": "Administrative"
        },
        {
          "anyOf": [
            {
              "field": "operationName",
              "containsAny": [
                "Microsoft.Authorization/policyAssignments/write",
                "Microsoft.Authorization/policyDefinitions/write",
                "Microsoft.Authorization/policySetDefinitions/write",
                "Microsoft.Insights/diagnosticSettings/write",
                "Microsoft.Insights/diagnosticSettings/delete"
              ]
            }
          ]
        },
        {
          "field": "status",
          "equals": "Succeeded"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/microsoft.insights/actionGroups/<ACTION_GROUP_NAME>"
        }
      ]
    }
  }
}

Target / Downstream Action Guidance

Downstream logic should:

·        suppress known approved governance and diagnostics workflows

·        annotate this alert as supporting-only unless tied to earlier suspicious identity or privilege events

Variant Analysis

Covered

·        policy assignment and definition changes

·        diagnostics-setting changes

Not Covered

·        identity-only events outside Activity Log

·        semantically risky but operationally normal governance changes

Logical Notes

Single-rule meaning: Azure policy or diagnostics control-surface change observed.
Correlated meaning: supporting signal for escalation or post-control activity.

Rule Execution Validity

Deployable as supporting detection only.

Rule Name
High-Risk Azure Control-Plane Action Following Privilege Transition

Mapped Stage

Stage 5 Objective Execution

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Correlation-first

Minimum Deployment Requirement

Requires:

·        Administrative Activity Log coverage

·        a stateful downstream target

·        actor continuity or a validated fallback join-key strategy

·        mature automation and backup exceptions

Enforcement Method

The Activity Log alert matches high-risk post-control management actions.
Downstream logic must correlate them to a prior Rule 1 privilege-transition event.

Implementation Constraint Notes

·        Standalone single-event alerting is not permitted

·        This rule is intentionally stateless at the Activity Log layer and must be correlated downstream

·        If one action family is noisy, split resource-write actions from diagnostics or logging actions

Azure Activity Log Alert JSON

{
  "type": "Microsoft.Insights/activityLogAlerts",
  "apiVersion": "2020-10-01",
  "name": "cdx-az-high-risk-post-control",
  "location": "Global",
  "properties": {
    "enabled": true,
    "description": "Detect high-risk Azure control-plane actions intended for downstream correlation after privilege transition.",
    "scopes": [
      "/subscriptions/<SUBSCRIPTION_ID>"
    ],
    "condition": {
      "allOf": [
        {
          "field": "category",
          "equals": "Administrative"
        },
        {
          "anyOf": [
            {
              "field": "operationName",
              "containsAny": [
                "Microsoft.Storage/storageAccounts/write",
                "Microsoft.Compute/snapshots/write",
                "Microsoft.Insights/diagnosticSettings/write",
                "Microsoft.Insights/diagnosticSettings/delete",
                "Microsoft.Security/securitySolutions/write"
              ]
            }
          ]
        },
        {
          "field": "status",
          "equals": "Succeeded"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/microsoft.insights/actionGroups/<ACTION_GROUP_NAME>"
        }
      ]
    }
  }
}

Target / Downstream Action Guidance

Downstream logic should:

·        correlate this event to a prior Rule 1 privilege-transition event by the same caller within a bounded window such as 30 minutes

·        define fallback join strategy if caller is inconsistent, such as service principal ID or application ID

·        split storage-heavy actions from diagnostics modifications if they behave differently in the tenant

Variant Analysis

Covered

·        storage-account changes

·        snapshot creation

·        diagnostics changes

·        selected security-control-related management actions

Not Covered

·        data-plane actions not represented in Activity Log

·        low-and-slow post-control activity outside the downstream correlation window

·        delegated or unattributed actions without stable actor continuity

Logical Notes

Single-rule meaning: high-risk Azure control-plane action observed.
Correlated meaning: objective execution or late-stage operational action after privilege transition.

Rule Execution Validity

Deployable only as correlation-first content.

Rule Name

Azure Administrative Signal Aggregator for Suspicious Caller Context

Mapped Stage

Stage 2 Valid Account Authentication
Stage 3 Account and Resource Discovery

MITRE ATT&CK

T1078 – Valid Accounts
T1087 – Account Discovery

SOC Usage Mode

Supporting detection or correlation-first

Minimum Deployment Requirement

Requires:

·        Activity Log visibility

·        downstream caller-context enrichment

·        approved automation exclusions

Enforcement Method

The Activity Log alert matches a narrow Azure administrative signal family.
Downstream logic must determine whether the caller or execution context is suspicious.

Implementation Constraint Notes

·        Activity Log Alert JSON does not natively implement first-seen caller logic, impossible travel, or identity-risk logic

·        Standalone paging is not permitted unless downstream caller-context enrichment is mature

·        This is intentionally a signal wrapper, not a primary self-contained detector

Azure Activity Log Alert JSON

{
  "type": "Microsoft.Insights/activityLogAlerts",
  "apiVersion": "2020-10-01",
  "name": "cdx-az-admin-signal-wrapper",
  "location": "Global",
  "properties": {
    "enabled": true,
    "description": "Detect Azure administrative signal family intended for downstream correlation with suspicious caller context.",
    "scopes": [
      "/subscriptions/<SUBSCRIPTION_ID>"
    ],
    "condition": {
      "allOf": [
        {
          "field": "category",
          "equals": "Administrative"
        },
        {
          "anyOf": [
            {
              "field": "operationName",
              "containsAny": [
                "Microsoft.Authorization/roleAssignments/write",
                "Microsoft.Authorization/policyAssignments/write",
                "Microsoft.Storage/storageAccounts/write",
                "Microsoft.Insights/diagnosticSettings/write"
              ]
            }
          ]
        },
        {
          "field": "status",
          "equals": "Succeeded"
        }
      ]
    },
    "actions": {
      "actionGroups": [
        {
          "actionGroupId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG>/providers/microsoft.insights/actionGroups/<ACTION_GROUP_NAME>"
        }
      ]
    }
  }
}

Target / Downstream Action Guidance

Downstream logic should:

·        enrich with caller, execution context, and known admin or automation exceptions

·        compare caller context against non-user or otherwise suspicious indicators

·        treat as a supporting signal linking suspicious caller context to Azure discovery or control activity

Variant Analysis

Covered

·        Azure administrative signal family for supporting suspicious-context detections

Not Covered

·        true first-seen caller logic

·        impossible-travel or device-anomaly logic

·        Entra-native session anomalies outside Activity Log visibility

Logical Notes

Single-rule meaning: Azure administrative activity observed.
Correlated meaning: suspicious authenticated use leading into Azure control activity.

Rule Execution Validity

Deployable as supporting or correlation-first content only.

GCP / Eventarc

Rule Name

GCP IAM Discovery Signal

Mapped Stage

Stage 3 Account and Resource Discovery

MITRE ATT&CK

T1087 – Account Discovery
T1069 – Permission Groups Discovery

SOC Usage Mode

Supporting detection

Minimum Deployment Requirement

·        Cloud Audit Logs enabled

·        downstream processor capable of actor grouping and short-window counting

·        allowlisting for governance, inventory, and approved admin tooling

Enforcement Method

Eventarc matches narrow IAM discovery events only. Burst enforcement must happen downstream.

Implementation Constraint Notes

·        Standalone alerting is not permitted

·        Single events should be treated as signal only

·        This rule should not be used as a complete burst detector by itself

Variant Analysis

Covered

·        IAM role enumeration

·        service account listing

·        IAM policy retrieval

Not Covered

·        broad service-specific discovery outside these methods

·        low-and-slow enumeration

·        data-plane discovery

Logical Notes

Single event = benign-capable discovery signal
Correlated pattern = discovery activity

Rule Execution Validity

Supporting only

System-Ready Code

# Primary trigger
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: iam.googleapis.com
  - attribute: methodName
    value: google.iam.admin.v1.ListRoles

# Additional variants
---
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: iam.googleapis.com
  - attribute: methodName
    value: google.iam.admin.v1.ListServiceAccounts

---
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: cloudresourcemanager.googleapis.com
  - attribute: methodName
    value: GetIamPolicy

Log Type Dependency

Admin Activity only.

Rule Name

GCP IAM Policy Modification

Mapped Stage

Stage 4 Privilege Escalation

MITRE ATT&CK

T1098 – Account Manipulation

SOC Usage Mode

Primary detection

Minimum Deployment Requirement

·        Cloud Audit Logs enabled

·        admin and automation allowlisting defined

·        resource hierarchy context available downstream

Enforcement Method

Direct match on privilege-boundary-changing IAM methods.

Implementation Constraint Notes

·        Persistence behavior is not permitted in this rule

·        Post-control or storage behavior is not permitted in this rule

·        Approved admin exceptions must be applied downstream

Variant Analysis

Covered

·        IAM policy changes

·        custom role creation

·        custom role update

Not Covered

·        indirect escalation through pre-existing privilege

·        adjacent identity-system privilege changes not emitted here

Logical Notes

Single event = privilege-boundary change
Correlated meaning = escalation

Rule Execution Validity

Primary alert-capable detection

System-Ready Code

# Primary trigger
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: cloudresourcemanager.googleapis.com
  - attribute: methodName
    value: SetIamPolicy

# Additional variants
---
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: iam.googleapis.com
  - attribute: methodName
    value: google.iam.admin.v1.CreateRole

---
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: iam.googleapis.com
  - attribute: methodName
    value: google.iam.admin.v1.UpdateRole

Log Type Dependency

Admin Activity only.

Rule Name

GCP Service Account Key Creation

Mapped Stage

Stage 5 Persistence

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Supporting detection

Minimum Deployment Requirement

·        Cloud Audit Logs enabled

·        provisioning workflows identified

·        tight suppressions for approved service-account lifecycle operations

Enforcement Method

Direct match on durable access artifact creation visible in audit logs.

Implementation Constraint Notes

·        Broad provisioning suppressions are not permitted

·        This is supporting detection because not every persistence path is equally visible here

·        Temporary-token abuse is out of scope for this rule

Variant Analysis

Covered

·        service account key creation

·        service account creation

Not Covered

·        temporary-token abuse

·        delegated access without durable artifact creation

·        external trust-based persistence

Logical Notes

Single event = credential or identity artifact creation
Correlated meaning = persistence

Rule Execution Validity

Supporting, high-confidence with tuning

System-Ready Code

# Primary trigger
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: iam.googleapis.com
  - attribute: methodName
    value: google.iam.admin.v1.CreateServiceAccountKey

# Additional variant
---
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: iam.googleapis.com
  - attribute: methodName
    value: google.iam.admin.v1.CreateServiceAccount

Log Type Dependency

Admin Activity only.

Rule Name

GCP High-Risk Post-Control Action

Mapped Stage

Stage 5 Objective Execution

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

SOC Usage Mode

Correlation-first

Minimum Deployment Requirement

·        Cloud Audit Logs enabled

·        stateful downstream processor

·        actor continuity or fallback join strategy

·        automation and backup exceptions

Enforcement Method

Eventarc matches high-risk post-control management actions. Downstream logic must correlate them to a prior Rule 2 event.

Implementation Constraint Notes

·        Standalone alerting is not permitted

·        Eventarc itself does not provide the needed state

·        If noisy, split storage-permission changes from logging-impact changes

Variant Analysis

Covered

·        snapshot creation

·        logging sink changes

·        storage bucket IAM policy changes

Not Covered

·        data-plane object activity

·        low-and-slow post-control activity outside correlation window

·        unattributed delegated actions

Logical Notes

Single event = high-risk action
Correlated meaning = objective execution

Rule Execution Validity

Correlation-only

System-Ready Code

# Primary trigger
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: compute.googleapis.com
  - attribute: methodName
    value: v1.compute.snapshots.insert

# Additional variants
---
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: logging.googleapis.com
  - attribute: methodName
    value: google.logging.v2.ConfigServiceV2.UpdateSink

---
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: storage.googleapis.com
  - attribute: methodName
    value: storage.buckets.setIamPolicy

Log Type Dependency

Admin Activity only in this canonical set. Data Access is intentionally excluded here.

Rule Name

GCP Administrative Signal Wrapper

Mapped Stage

Stage 2 Valid Account Authentication
Stage 3 Account and Resource Discovery

MITRE ATT&CK

T1078 – Valid Accounts
T1087 – Account Discovery

SOC Usage Mode

Supporting / correlation input

Minimum Deployment Requirement

·        Cloud Audit Logs enabled

·        downstream caller-context enrichment

·        admin and automation exception handling

Enforcement Method

Eventarc matches a narrow admin signal family. Downstream logic determines whether caller context is suspicious.
Implementation Constraint Notes

·        Standalone alerting is not permitted

·        This rule must not duplicate primary rule families

·        First-seen logic, baseline deviation, and identity-risk scoring are downstream-only

Variant Analysis

Covered

·        IAM read operations used as supporting admin-context signals

Not Covered

·        true identity anomalies

·        session risk analytics

·        device or impossible-travel context

Logical Notes

Single event = admin activity signal
Correlated meaning = suspicious authenticated usage

Rule Execution Validity

Supporting / correlation-only

System-Ready Code

# Primary trigger
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: iam.googleapis.com
  - attribute: methodName
    value: google.iam.admin.v1.ListRoles

# Additional variant
---
eventType: google.cloud.audit.log.v1.written
filters:
  - attribute: serviceName
    value: iam.googleapis.com
  - attribute: methodName
    value: google.iam.admin.v1.ListServiceAccounts

Log Type Dependency

Admin Activity only‍ ‍

S26 Threat-to-Rule Traceability Matrix

Behavior

IAM role, service account, and policy discovery through repeated control-plane read activity

MITRE ATT&CK

T1087 – Account Discovery
T1069 – Permission Groups Discovery

Mapped Rule(s)

·        Rule 1 — GCP IAM Discovery Signal

·        Rule 5 — GCP Administrative Signal Wrapper

Telemetry Source

Cloud Audit Logs — Admin Activity

Coverage Disposition

Hunt Only

Detection Limitation

·        Single events are benign-capable

·        Detection requires downstream aggregation and thresholding

Behavior

Privilege boundary change through IAM policy modification or custom-role manipulation

MITRE ATT&CK

T1098 – Account Manipulation

Mapped Rule(s)

·        Rule 2 — GCP IAM Policy Modification

Telemetry Source

Cloud Audit Logs — Admin Activity

Coverage Disposition

Detected

Detection Limitation

·        Abuse of existing privileges does not generate new IAM change events

Behavior

Creation of durable access through service account or service account key creation

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

Mapped Rule(s)

·        Rule 3 — GCP Service Account Key Creation

Telemetry Source

Cloud Audit Logs — Admin Activity

Coverage Disposition

Detected

Detection Limitation

·        Token-based or federated persistence may not generate equivalent artifacts

Behavior

High-risk post-escalation action through snapshot creation, logging modification, or storage permission change

MITRE ATT&CK

T1078 – Valid Accounts
T1098 – Account Manipulation

Mapped Rule(s)

·        Rule 4 — GCP High-Risk Post-Control Action

Telemetry Source

Cloud Audit Logs — Admin Activity

Coverage Disposition

Partially Detected

Detection Limitation

·        Requires correlation with prior escalation events

Behavior

Suspicious administrative activity from a caller context inconsistent with operational expectations

MITRE ATT&CK

T1078 – Valid Accounts

Mapped Rule(s)

·        Rule 5 — GCP Administrative Signal Wrapper

Telemetry Source

Cloud Audit Logs — Admin Activity

Coverage Disposition

Hunt Only

Detection Limitation

·        Requires downstream identity enrichment and context analysis

S27 Behavior & Log Artifacts

Behavioral Profile

·        Control-plane activity driven through legitimate cloud APIs

·        IAM and policy discovery preceding privilege changes

·        Transition from read operations to write operations

·        Creation of service account credentials for persistence

·        Administrative actions following escalation affecting critical resources

Primary Log Artifacts

·        iam.googleapis.com — ListRoles

·        iam.googleapis.com — ListServiceAccounts

·        cloudresourcemanager.googleapis.com — SetIamPolicy

·        iam.googleapis.com — CreateServiceAccountKey

·        compute.googleapis.com — snapshots.insert

·        logging.googleapis.com — UpdateSink

Behavior-to-Artifact Logic

·        Discovery manifests as repeated IAM read operations

·        Escalation manifests as IAM policy modification

·        Persistence manifests as credential creation

·        Objective activity manifests as high-risk administrative actions

Telemetry Pillar Mapping

Cloud Control-Plane Telemetry

·        Cloud Audit Logs — Admin Activity

Identity Context

·        Principal identity

·        User versus service account

Operational Context

·        Project, folder, or organization scope

S27A Infrastructure Intelligence

Infrastructure Characteristics

·        Single principal performing multiple IAM and administrative actions

·        Transition from read-heavy to write-heavy API usage

·        Execution through service accounts or delegated identities

Operational Pattern

·        Discovery followed by escalation

·        Escalation followed by persistence or administrative action

·        Repeated use of the same identity across multiple resources

·        Activity spanning multiple scopes

Infrastructure Insight

·        Cloud control-plane APIs function as the attacker’s operational infrastructure

·        Identity reuse is a primary indicator of activity chaining

·        Traditional external infrastructure indicators are less relevant


S28 Detection Strategy and SOC Implementation Guidance

Detection Strategy

·        Use Eventarc as a signal-generation layer

·        Apply correlation and aggregation in downstream systems

·        Prioritize escalation and persistence signals

SOC Implementation Model

Signal Intake

·        Ingest Eventarc-triggered events

·        Normalize identity and resource context

Correlation Layer

·        Correlate escalation to post-control actions

·        Apply thresholds to discovery behavior

Decision Layer

·        Suppress approved workflows

·        Escalate abnormal or unauthorized activity

Decision Conditions

·        Escalate on unauthorized IAM policy modification

·        Escalate on unauthorized service account key creation

·        Escalate critically when escalation is followed by high-risk action

·        Do not alert on isolated discovery events

SOC Usage Mapping

·        Rule 2 — Primary detection

·        Rule 3 — High-confidence supporting detection

·        Rule 4 — Correlation-only

·        Rule 1 and Rule 5 — Supporting signals

S29 Detection Coverage Matrix (Strategic Layer)

Coverage Mapping

IAM discovery

·        Coverage Disposition: Hunt Only

·        Detection Strength: Low

·        Strategic Value: Early-stage signal requiring aggregation

Privilege escalation

·        Coverage Disposition: Detected

·        Detection Strength: High

·        Strategic Value: Strong control-plane indicator

Persistence through service account key creation

·        Coverage Disposition: Detected

·        Detection Strength: High

·        Strategic Value: Durable access indicator

High-risk post-control actions

·        Coverage Disposition: Partially Detected

·        Detection Strength: Medium

·        Strategic Value: Correlation-dependent signal

Suspicious administrative context

·        Coverage Disposition: Hunt Only

·        Detection Strength: Low

·        Strategic Value: Contextual enrichment signal

Strategic Assessment

·        Strong coverage of escalation and persistence

·        Moderate coverage of post-escalation activity

·        Limited coverage of early discovery behavior

Coverage Gaps

·        Identity-session anomalies

·        Low-and-slow discovery patterns

·        Cross-project lateral movement

·        Non-key persistence mechanisms

S30 Detection Validation

Validation Approach

·        Validate against known administrative workflows

·        Simulate escalation, persistence, and post-control activity

·        Verify suppression and correlation logic

Validation Criteria

·        Rules trigger on expected malicious behavior

·        Rules do not generate excessive false positives

·        Correlation produces actionable alerts

Validation Outcome

·        Escalation detection is reliable

·        Persistence detection is reliable with tuning

·        Post-control detection requires correlation

·        Discovery and context signals require enrichment

Validation Limitations

·        Eventarc provides no native stateful logic

·        Detection depends on downstream correlation

·        Identity context requires additional telemetry

Final Validation Statement

·        Detection model is effective for control-plane threats

·        Full effectiveness depends on a properly implemented correlation layer

S31 — Telemetry Dependencies

Purpose

Define the required telemetry and context necessary to support detection and correlation of control-plane abuse across the attack lifecycle.

Dependencies

Cloud Audit Logs — Admin Activity

·        Required for IAM policy changes, service account activity, and high-risk administrative actions

·        Must be enabled across project, folder, and organization scope

Eventarc Trigger Layer

·        Required for ingestion of audit-log events using serviceName and methodName

·        Misconfiguration results in loss of detection signals

Principal Identity Context

·        Required to track actor continuity across discovery, escalation, and execution

·        Must distinguish user identities, service accounts, and delegated identities

Downstream Correlation Engine

·        Required for aggregation of discovery activity

·        Required to correlate escalation to post-control actions

·        Required for suppression of approved workflows

Allowlisting and Administrative Context

·        Required to differentiate approved administrative actions from unauthorized activity

·        Includes admin roles, automation identities, and change windows

S32 — Detection Limitations

Purpose

Define detection gaps and adversarial conditions that reduce detection effectiveness.

Identified Gaps

Pre-existing privilege abuse

·        Attackers using existing elevated access do not trigger IAM change events

Identity-layer visibility limitations

·        No native visibility into login anomalies, token theft, or session hijacking

Low-and-slow discovery

·        Distributed or delayed discovery avoids aggregation thresholds

Persistence without key creation

·        Workload identity, federation, or delegated access may bypass key-based detection

Distributed execution

·        Activity spread across multiple identities reduces correlation effectiveness

Logging manipulation risk

·        Early modification of logging configuration may degrade visibility

Impact

·        Detection effectiveness depends on centralized and consistent attacker behavior

·        Distributed or delayed activity reduces detection reliability

·        Identity-layer attacks remain partially unobserved

S33 — Defensive Control & Hardening Improvements

Purpose

Define control improvements directly aligned to detection gaps and attacker bypass paths.

Strategic Improvements

Restrict IAM policy modification permissions

·        Limit SetIamPolicy capability to controlled roles

·        Enforce approval workflows for privilege changes

Reduce service account key exposure

·        Disable unnecessary key creation

·        Replace long-lived keys with short-lived identity mechanisms

Enforce identity isolation

·        Reduce reuse of service accounts across systems

·        Limit identity reuse across attack stages

Protect logging configuration

·        Monitor and restrict logging sink modifications

·        Preserve telemetry integrity

Strengthen correlation capability

·        Implement actor-based aggregation

·        Enforce escalation-to-action correlation

Control Impact Mapping

·        IAM restriction reduces escalation risk

·        Service account hardening reduces persistence risk

·        Identity isolation reduces attack chaining capability

·        Logging protection preserves detection visibility

·        Correlation improves multi-stage detection accuracy

S34 — Defensive Control & Hardening Architecture


Purpose

Define the defensive architecture and its alignment to attack phases.

Defensive Architecture Layers
Signal Layer

·        Eventarc ingestion of Cloud Audit Logs

·        Supports rule-based signal generation

Correlation Layer

·        Aggregates discovery activity

·        Correlates escalation to post-control actions

Decision Layer

·        Produces alerts based on unauthorized escalation and persistence

·        Applies suppression and prioritization

Governance Layer

·        Enforces IAM control and identity management

·        Maintains allowlisting and policy enforcement

Architecture Alignment to Attack Phases

Discovery

·        Detected through aggregated IAM activity

Escalation

·        Detected through IAM policy modification

Persistence

·        Detected through service account and key creation

Objective Execution

·        Detected through correlated administrative actions

Architecture Objectives

·        Detect privilege escalation immediately

·        Detect persistence through credential creation

·        Correlate multi-stage attack behavior

·        Maintain low false positives through contextual suppression

S35 — Defensive Control Mapping Matrix

Purpose

Map defensive controls to each attack phase and assess effectiveness.

Control Mapping by Phase

Phase 1A — Credential Lure Delivery

·        Not observed in currently available reporting; may occur during post-exploitation depending on attacker objectives and target environment

Phase 1B — Credential and Session Artifact Access

·        Limited visibility in control-plane telemetry

·        Requires identity-provider integration

Phase 2 — Discovery

·        Control: IAM activity monitoring and aggregation

·        Effectiveness: Low without correlation

Phase 3 — Privilege Escalation

·        Control: IAM policy change detection

·        Effectiveness: High

Phase 4 — Persistence

·        Control: Service account and key monitoring

·        Effectiveness: High with suppression

Phase 5 — Objective Execution

·        Control: Correlated administrative action detection

·        Effectiveness: Medium

Control Effectiveness

·        Strong for escalation and persistence detection

·        Moderate for post-escalation activity

·        Weak for identity-layer and early discovery behavior

S36 — CyberDax Intelligence Maturity Assessment

Purpose

Assess detection, telemetry, and response maturity for this threat model.

Maturity Assessment

Detection Maturity

·        Moderate

·        Strong for escalation and persistence events

·        Dependent on correlation for full coverage

Telemetry Maturity

·        Moderate to High

·        Strong control-plane visibility

·        Limited identity-layer visibility

Response Maturity

·        Moderate

·        Requires structured triage and correlation workflows

Control Effectiveness Score

·        Moderate

Audit Evidence Statement

·        Detection capability validated against control-plane activity

·        Known bypass paths identified in detection limitations

·        Detection effectiveness depends on correlation implementation

Security Program Integration Note

·        Detection must integrate with centralized SOC workflows

·        Correlation and enrichment are required for full effectiveness

·        IAM governance must align with detection and response

S37 — Strategic Defensive Improvements

Purpose

Define prioritized actions to improve security posture and detection capability.

Recommendations

·        Restrict IAM policy modification to approved roles

·        Monitor all service account key creation

·        Implement correlation for multi-stage detection

·        Protect logging configuration from unauthorized changes

·        Reduce identity reuse across environments

Implementation Priorities

Immediate
Alert on unauthorized IAM policy changes
Alert on service account key creation

Near-Term
Implement correlation between escalation and post-control actions
Apply aggregation to discovery activity

Long-Term
Adopt identity-centric security model
Replace long-lived credentials with short-lived mechanisms
Strengthen cross-scope governance

S38 — Attack Economics & Organizational Impact Model

Purpose

Model adversary operational investment, execution efficiency, and return on investment to determine exploitation attractiveness and recurrence likelihood.

Adversary Operational Investment

·        Low infrastructure cost due to reliance on native GCP control-plane APIs rather than external command-and-control infrastructure

·        Minimal tooling requirements; activity executed through authenticated API calls

·        Operational dependency centered on identity access acquisition rather than malware development

·        High scalability through reuse of compromised identities

Credential Harvesting Operations

·        Acquisition of valid authentication material through phishing, token capture, or credential reuse

·        Low operational cost relative to success rate in cloud-enabled environments

·        High success probability due to credential reuse and exposure patterns

Credential Store and Session Artifact Access

·        Immediate access when valid credentials or session artifacts are obtained

·        Eliminates need for initial privilege escalation when sufficient permissions exist

·        Reduces time-to-impact and operational complexity

Authentication Material Staging and Reuse Preparation

·        Service account key creation enables durable credential staging

·        Credentials reusable across sessions, systems, and time periods

·        Persistence cost negligible once credentials are established

Credential Reuse Against Enterprise Services

·        Reuse of credentials enables access across multiple services and projects

·        Supports lateral movement without additional exploitation effort

·        Enables repeated operational use without re-compromise

Adversary Return on Investment

·        High return due to elimination of infrastructure cost and low execution complexity

·        Durable access increases long-term value of compromise

·        Minimal reinvestment required after initial compromise

Return on Investment Assessment

·        High ROI driven by low operational cost and high scalability

·        Attack model economically sustainable and repeatable

·        Detection gaps increase probability of successful execution

Economic Alignment to S6

·        Low attacker cost combined with moderate-to-high enterprise impact creates asymmetric risk

·        Detection limitations increase likelihood of prolonged unauthorized access

·        Control gaps increase total impact cost through extended exposure duration

S39 — Economic Impact & Organizational Exposure

Multi-stage edge-to-identity-to-cloud intrusion chains create organizational exposure by increasing uncertainty around edge-device integrity, remote-access trust, credential safety, identity-session validity, cloud administrative control, privileged access boundaries, data-access scope, ransomware readiness, legal exposure, cyber-insurance review, customer-impact analysis, and business-continuity readiness. Exposure rises when suspicious activity affects Fortinet or FortiGate VPN and firewall infrastructure, Ivanti Connect Secure gateways, Palo Alto GlobalProtect systems, FortiWeb systems, identity providers, privileged accounts, service accounts, cloud IAM roles, cloud administrative consoles, sensitive data repositories, backup systems, regulated-data environments, customer-facing applications, or business-critical operational dependencies.

Estimated Economic Exposure

Estimated exposure should be treated as scenario-based rather than fixed. The most defensible enterprise estimate is tied to whether activity remains attempted or low-scope edge-device exploitation, becomes confirmed or strongly suspected compromise of an edge appliance with credential or session exposure, or expands into Fortinet-derived credential reuse, identity-provider access, cloud control-plane activity, data access, ransomware staging, backup interference, security-control modification, regulatory review, customer notification assessment, cyber-insurance scrutiny, executive reporting, or board-level recovery-trust restoration.

Low Impact Scenario

Estimated $300K - $900K

This scenario applies when edge exploitation, Fortinet or FortiGate exposure, suspicious VPN activity, GlobalProtect anomaly, Ivanti gateway activity, FortiWeb administrative activity, or edge-adjacent artifact access is detected and contained before identity compromise, privileged access, cloud administrative activity, data exposure, or ransomware preparation occurs. Activity may involve suspicious administrative access, abnormal VPN activity, diagnostic or configuration-review concerns, blocked access to credential-bearing artifacts, failed session reuse, or early investigation of edge-appliance exposure, but endpoint, identity, VPN, cloud, network, backup, and SIEM telemetry support a failed, contained, or non-impacting event. Response remains limited to appliance isolation or validation, firmware and patch review, configuration inspection, targeted credential rotation, VPN session review, identity-log validation, short-term monitoring, and executive assurance that identity control and cloud access were not materially affected.

Moderate Impact Scenario

Estimated $2M - $8M

This scenario applies when confirmed or strongly suspected edge compromise affects one or more Fortinet, FortiGate, Ivanti, Palo Alto, FortiWeb, VPN, firewall, identity-adjacent, or cloud-connected systems and the organization cannot immediately determine whether credentials, session artifacts, support bundles, configuration data, packet-capture output, service-account material, cloud keys, or privileged authentication paths were exposed. Response may require broad credential rotation, VPN session invalidation, identity-provider review, MFA and conditional-access validation, cloud IAM audit, service-account review, privileged-role review, source-host reconstruction, endpoint and network triage, backup validation, legal and compliance review, cyber-insurance coordination, executive reporting, and business-owner validation for affected systems or dependencies.

High Impact Scenario

Estimated $12M - $60M+

This scenario applies when edge-device compromise becomes an enterprise-impact event involving confirmed or strongly suspected credential harvesting, Fortinet-derived credential reuse, identity compromise, privilege escalation, cloud administrative control, data exfiltration, ransomware staging, security-control modification, backup interference, regulated-data exposure, customer-facing service disruption, or uncertainty over whether trusted access paths can be restored. The organization may need to assume that remote-access infrastructure, identity sessions, privileged accounts, service accounts, cloud roles, administrative consoles, data repositories, backup paths, and recovery workflows were exposed until forensic evidence proves otherwise. Response may require extended incident response, emergency remote-access containment, broad credential and token invalidation, identity and cloud-control rebuild, privileged-access review, backup and recovery validation, data-access scoping, affected-population analysis, legal and regulatory notification assessment, cyber-insurance engagement, extortion response support, communications planning, executive and board reporting, customer or partner notification, and formal validation that affected business services can safely resume.

Annualized Risk Exposure

Estimated annualized exposure ranges from $5M - $25M for materially exposed enterprise environments with internet-facing edge infrastructure, Fortinet or FortiGate remote-access services, Ivanti Connect Secure gateways, Palo Alto GlobalProtect systems, FortiWeb management interfaces, weak credential rotation, incomplete VPN telemetry, limited edge-appliance logging, fragmented identity-session visibility, excessive cloud IAM privilege, unmanaged service accounts, incomplete cloud audit coverage, weak administrative workflow controls, unvalidated backup recovery, or poor correlation across edge, identity, endpoint, and cloud telemetry. Exposure may exceed the high-impact scenario range where edge compromise results in confirmed or suspected credential harvesting, durable identity access, cloud administrative control, regulated-data exposure, ransomware deployment, customer impact, extortion communication, cyber-insurance review, or board-level reporting.

Remote-Access and Edge-Platform Dependency

Remote-access and edge-platform dependency is high where Fortinet, FortiGate, Ivanti, Palo Alto, FortiWeb, VPN, firewall, WAF, or secure-access infrastructure provides business-critical access to workforce systems, privileged administration, cloud management, production applications, operational technology, regulated workflows, third-party support, or distributed service delivery. Dependency increases when affected appliances, VPN sessions, authentication paths, support bundles, configuration exports, packet-capture data, service accounts, privileged identities, cloud access paths, backup workflows, or customer-facing dependencies are required to maintain trusted operations during containment and recovery.

Control-Plane Trust

Control-plane trust is reduced when the organization cannot prove that edge-device state, VPN session history, authentication lineage, identity-provider logs, MFA enforcement, conditional-access decisions, privileged-role changes, cloud IAM activity, service-account ownership, data-access records, backup integrity, and post-containment evidence remained reliable during the event. Control-plane trust is further reduced when Fortinet-derived or edge-derived credentials may have been reused after appliance exposure, when sessions cannot be tied to approved authentication events, or when cloud administrative activity cannot be tied to approved users, approved devices, expected source infrastructure, and documented change-control records.

Visibility Confidence

Visibility confidence is highest when edge-appliance logs, VPN session logs, administrative access logs, diagnostic activity, support-bundle handling, configuration-export records, packet-capture records, identity-provider logs, MFA and conditional-access logs, endpoint telemetry, network telemetry, DNS logs, proxy logs, firewall logs, cloud audit logs, service-account records, privileged-access records, backup telemetry, vulnerability-management data, change-control records, incident-response notes, asset inventory, and business-owner context can be joined reliably. Visibility confidence is reduced where appliance-internal telemetry is incomplete, packet-capture or diagnostic activity is not centrally logged, VPN source attribution is weak, identity-session lineage is incomplete, source-host enrichment is inconsistent, cloud audit logging is partial, service-account ownership is unclear, timestamp normalization is poor, or backup validation is manual.

Privileged Object Confidence

Privileged object confidence is high when VPN accounts, privileged users, service accounts, cloud credentials, access keys, client secrets, session tokens, break-glass accounts, administrator roles, cloud IAM policies, identity-provider groups, emergency-access paths, backup accounts, SSH keys, API keys, and remote-administration credentials can be reviewed and tied to approved ownership, expected source hosts, approved use cases, and change-control records. Confidence is reduced when privileged objects are undocumented, shared across teams, reused across systems, stored on or accessible from exposed edge infrastructure, changed outside approved windows, poorly monitored, or disconnected from incident-response evidence after suspicious Fortinet, VPN, identity, or cloud activity.

Credential and Session Dependency

Credential and session dependency is high where remote-access infrastructure relies on reusable credentials, long-lived sessions, service accounts, cloud credentials, VPN tokens, SAML assertions, authentication cookies, support-bundle artifacts, configuration-stored secrets, or privileged access paths to deliver normal business operations. These dependencies increase impact when the organization cannot quickly prove whether exposed credentials, Fortinet-derived VPN access material, session artifacts, cloud credentials, service-account credentials, or privileged authentication paths remained trustworthy after suspected edge-device exposure or credential-harvesting activity.

Downstream Service Dependency

Downstream service dependency is high when compromised edge infrastructure can reach identity providers, directory services, privileged-management systems, administrative hosts, cloud control planes, data repositories, backup systems, internal applications, regulated systems, customer portals, operational technology, or business-critical services. These dependencies increase the impact of even limited edge-appliance activity when internal reachability, authentication lineage, privileged access, cloud administrative activity, data-access scope, or dependent-service state cannot be validated quickly.

Customer, Workforce, and Regulatory Exposure

Customer, workforce, and regulatory exposure increases when suspicious edge-to-identity-to-cloud activity may affect customer-facing applications, regulated data, workforce records, finance systems, legal systems, healthcare data, government systems, partner integrations, cloud-connected workloads, privileged accounts, service accounts, backup environments, or business-critical remote-access dependencies. Exposure also increases when incomplete telemetry prevents timely confirmation of whether credential exposure, identity access, cloud control-plane activity, data access, ransomware staging, backup interference, security-control modification, customer-facing outage, sensitive-data exposure, or post-containment activity was legitimate, malicious, or caused by approved operational activity.

Residual Economic Risk

Residual economic risk remains after containment if the organization cannot prove that affected edge appliances were isolated, vulnerable firmware was remediated, VPN sessions were invalidated, credentials were rotated, identity-provider activity was reviewed, privileged access was validated, cloud IAM changes were inspected, service-account activity was scoped, cloud administrative actions were reviewed, data-access activity was assessed, backup integrity was validated, legal and regulatory obligations were assessed, cyber-insurance evidence was preserved, and edge-to-identity-to-cloud trust was restored. Residual risk is highest where edge-appliance logs, VPN session records, packet-capture records, support-bundle handling, identity-provider logs, cloud audit logs, endpoint telemetry, backup records, dependency maps, business-owner mappings, change-control records, or remediation evidence are incomplete.

Proof-of-Concept / KEV Behavioral Coverage Assessment

This report’s behavioral detection model directly covers edge-to-identity-to-cloud intrusion activity that aligns with exploitation or abuse of internet-facing edge infrastructure, credential or session artifact access, valid-account authentication, identity-provider access, identity and IAM enumeration, privilege-boundary modification, durable access creation, cloud administrative activity, data access, exfiltration preparation, security-control modification, backup interference, and ransomware staging.

The model directly covers CVE-2026-24858 because the vulnerability represents FortiGate zero-day access behavior that can enable unauthorized appliance login, credential exposure, persistence, lateral movement, and downstream enterprise access. This aligns with the report’s Fortinet edge-access, credential/session artifact, valid-account, identity-pivot, and downstream control-plane model. CVE-2026-24858 is CISA KEV-confirmed for this review.

The model directly covers CVE-2026-0257 because the vulnerability affects Palo Alto PAN-OS GlobalProtect portal and gateway authentication and can allow unauthorized VPN access. This aligns with the report’s GlobalProtect session-irregularity, missing authentication-lineage, first-seen source, valid-account, and VPN-origin identity-access model. CVE-2026-0257 is CISA KEV-confirmed for this review.

The model directly covers CVE-2025-59718 because the vulnerability affects FortiOS, FortiProxy, and FortiSwitchManager FortiCloud SSO authentication and can enable unauthenticated administrative access through crafted SAML activity. This aligns with the report’s Fortinet edge-authentication, configuration access, credential exposure, session misuse, and identity-pivot model. CVE-2025-59718 is CISA KEV-confirmed for this review.

The model directly covers CVE-2025-22457 because the vulnerability affects Ivanti Connect Secure VPN appliances and has been associated with remote code execution against edge infrastructure. This aligns with the report’s Ivanti gateway exploitation, edge-device compromise, post-exploitation access, malware/backdoor deployment, and identity-adjacent intrusion model. CVE-2025-22457 is CISA KEV-confirmed for this review.

The model directly covers CVE-2025-0282 because the vulnerability affects Ivanti Connect Secure and aligns with the same internet-facing VPN appliance compromise, unauthorized access, post-exploitation, and follow-on identity-risk behavior modeled in S21 through S25. CVE-2025-0282 is CISA KEV-confirmed for this review.

The model directly covers CVE-2024-3400 because the vulnerability affects Palo Alto PAN-OS GlobalProtect and has been exploited as an edge-device initial-access path. This aligns with the report’s GlobalProtect VPN anomaly, authentication-lineage gap, edge-to-identity transition, and follow-on control-plane activity model. CVE-2024-3400 is CISA KEV-confirmed for this review.

The model directly covers CVE-2024-21893 because the vulnerability affects Ivanti Connect Secure and Policy Secure SAML functionality and has been exploited in edge-device compromise activity. This aligns with the report’s SAML-adjacent authentication risk, edge-gateway exploitation, trusted access, and post-authentication misuse model. CVE-2024-21893 is CISA KEV-confirmed for this review.

The model directly covers CVE-2024-21887 because the vulnerability affects Ivanti Connect Secure and Policy Secure command-execution behavior and aligns with the report’s edge-device exploitation, post-exploitation access, credential access, and follow-on identity or cloud-control risk model. CVE-2024-21887 is CISA KEV-confirmed for this review.

The model directly covers CVE-2023-46805 because the vulnerability affects Ivanti Connect Secure and Policy Secure authentication bypass and aligns with the report’s exposed remote-access gateway compromise, authentication bypass, trusted network access, and downstream identity-risk model. CVE-2023-46805 is CISA KEV-confirmed for this review.

The model directly covers CVE-2022-40684 because the vulnerability affects Fortinet administrative authentication behavior and has historical relevance to FortiGate configuration and credential exposure. This aligns with the report’s Fortinet edge-compromise, configuration access, VPN credential exposure, and downstream credential-reuse model. CVE-2022-40684 is CISA KEV-confirmed for this review.

The model directly covers CVE-2018-13379 because the vulnerability affects Fortinet VPN credential exposure and represents a historical but still operationally relevant credential-reuse pattern. This aligns with the report’s VPN credential exposure, valid-account authentication, session misuse, and downstream identity-compromise model. CVE-2018-13379 is CISA KEV-confirmed for this review.

The model provides coverage with adaptation for CVE-2025-64446 because the vulnerability affects FortiWeb path traversal and administrative command execution. The behavior fits the broader exposed security-appliance compromise model, but local tuning is required for FortiWeb management paths, command-execution evidence, WAF telemetry, and affected administrative interfaces. CVE-2025-64446 is CISA KEV-confirmed for this review.

The model provides coverage with adaptation for CVE-2025-59719 because the vulnerability affects FortiWeb FortiCloud SSO authentication rather than the FortiGate/FortiOS remote-access path that is most central to this report. The detection model can support adapted coverage where observable behavior includes unauthenticated administrative access, configuration exposure, credential exposure, FortiWeb management activity, or downstream identity and access reuse. CVE-2025-59719 is CISA KEV-confirmed for this review.

The model provides coverage with adaptation for CVE-2025-58034 because the vulnerability affects FortiWeb OS command-injection behavior rather than the Fortinet VPN credential-reuse path most directly modeled in this report. Adapted coverage is strongest where observable behavior includes FortiWeb command execution, appliance persistence, credential access, lateral movement, or downstream identity and cloud-control activity. CVE-2025-58034 is CISA KEV-confirmed for this review.

The model provides coverage with adaptation for CVE-2025-4428 because the vulnerability affects Ivanti Endpoint Manager Mobile remote-code-execution behavior rather than Ivanti Connect Secure remote-access gateway compromise. The report’s detection model can support adapted coverage where observable behavior includes internet-facing appliance exploitation, payload execution, Tomcat or Java execution artifacts, credential access, persistence, identity access, or downstream administrative activity. CVE-2025-4428 is CISA KEV-confirmed for this review.

The model provides coverage with adaptation for CVE-2025-4427 because the vulnerability affects Ivanti Endpoint Manager Mobile authentication bypass rather than Ivanti Connect Secure VPN access. Adapted coverage is appropriate where observable behavior aligns with unauthorized access to protected resources, appliance compromise, credential exposure, or downstream identity-control behavior. CVE-2025-4427 is CISA KEV-confirmed for this review.

The model provides coverage with adaptation for CVE-2024-21762 because the vulnerability affects FortiOS/FortiProxy code-execution behavior and aligns with the exposed Fortinet edge-device exploitation class, but the specific exploit path may require Fortinet version, SSL-VPN, management-plane, and appliance-specific telemetry tuning before it can be represented as direct coverage. CVE-2024-21762 is CISA KEV-confirmed for this review.

The report is behavior-led and should not be interpreted as limited to one appliance name, one Fortinet product label, one Ivanti advisory, one Palo Alto advisory, one exploit nickname, one CVE, one KEV entry, one packet-capture method, one VPN log field, one source IP, one actor name, one ransomware name, one access-broker report, one scanner fingerprint, one proof-of-concept, one user agent, one request path, one payload structure, or one static IOC.

Detection Engineering Coverage Interpretation

The S25 detection content provides direct behavioral coverage for edge-to-identity-to-cloud compromise where observable behavior falls directly inside the report’s detection model: edge-appliance sensitive path access, configuration or session artifact access, identity-provider access from non-user infrastructure, successful authentication from atypical or first-seen sources, identity and IAM enumeration, privilege-boundary changes, durable access artifact creation, high-risk cloud data or control-plane actions, and multi-stage correlation across edge, endpoint, identity, and cloud telemetry.

The S25 detection content provides coverage with adaptation for FortiBleed, Fortinet, FortiGate, FortiWeb, Ivanti, Palo Alto, GlobalProtect, packet-capture, support-bundle, diagnostic-access, configuration-export, VPN credential-reuse, access-broker, ransomware-affiliate, and downstream cloud-control behaviors when those behaviors can be correlated through edge-appliance logs, VPN logs, endpoint telemetry, identity-provider logs, cloud audit logs, NDR telemetry, DNS logs, proxy logs, firewall logs, SIEM enrichment, incident-response evidence, approved administrator context, and post-access telemetry.

The S25 detection content provides CVE, proof-of-concept, KEV, exploit-tooling, actor, ransomware, access-broker, and campaign coverage only as behavior-led coverage. Product names, CVE IDs, KEV status, proof-of-concept availability, vendor advisory labels, scanner names, actor names, ransomware names, exploit nicknames, access-broker labels, source IPs, or tool names should not be used as detection inputs unless they are locally approved enrichment fields supporting triage. Detection coverage remains based on observable edge access, credential or session artifact exposure, authentication-lineage anomalies, identity misuse, privilege modification, durable access creation, cloud control-plane activity, data staging, and ransomware preparation.

Direct Coverage

Direct behavioral coverage applies to edge-to-identity-to-cloud compromise behavior that can be detected by the report’s S21 through S25 logic without requiring a separate detection model.

Directly covered CVEs

11

·        CVE-2026-24858

·        CVE-2026-0257

·        CVE-2025-59718

·        CVE-2025-22457

·        CVE-2025-0282

·        CVE-2024-3400

·        CVE-2024-21893

·        CVE-2024-21887

·        CVE-2023-46805

·        CVE-2022-40684

·        CVE-2018-13379

Future Fortinet, FortiGate, FortiOS, FortiProxy, FortiSwitchManager, Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto GlobalProtect, PAN-OS, VPN, firewall, or edge-appliance compromise where observable behavior includes configuration or session artifact access, credential exposure, valid-account use, identity-provider access, identity and IAM enumeration, privilege escalation, durable access creation, cloud control-plane activity, data access, or impact preparation.

Coverage With Adaptation

Coverage with adaptation applies to related edge-appliance, VPN, WAF, identity-provider, cloud-control, access-broker, and ransomware-affiliate activity that shares parts of the report’s credential-exposure, session-reuse, identity-control, cloud-administration, or extortion-preparation model but requires local tuning for affected appliance, affected version, authentication model, exploit path, telemetry source, VPN log field, IdP integration, packet-capture visibility, session-token handling, support-bundle handling, or downstream access path.

CVEs covered with adaptation

6

·        CVE-2025-64446

·        CVE-2025-59719

·        CVE-2025-58034

·        CVE-2025-4428

·        CVE-2025-4427

·        CVE-2024-21762

Future FortiWeb, Ivanti EPMM, non-VPN Fortinet, non-VPN Ivanti, Fortinet WAF, edge-management, appliance-command-execution, appliance-authentication-bypass, or edge-adjacent exploitation where observable behavior aligns with credential theft, session reuse, authentication-lineage gaps, valid-account access, identity enumeration, privilege escalation, cloud administrative control, or ransomware enablement.

Initial access broker activity involving exposed edge devices, VPN credentials, session artifacts, Fortinet-derived access material, identity-provider access, cloud-console access, or privileged remote-access paths where the observable telemetry aligns with this report’s S21 through S25 model.

Ransomware affiliate activity that uses edge-device compromise, stolen VPN credentials, Fortinet-derived access, session reuse, identity compromise, cloud administrative access, data staging, backup interference, security-control modification, or encryption preparation as an initial access or impact path.

Future proof-of-concept, KEV, scanner, exploit-attempt, malware, access-broker, ransomware, or campaign activity involving exposed edge infrastructure, Fortinet or FortiGate remote access, identity-provider compromise, credential reuse, cloud-control-plane activity, data theft, or ransomware preparation where observable telemetry aligns with the report’s detection strategy.

Named Malware / Tooling / Exploit-Framework Coverage

Named malware, tooling, scanner, proof-of-concept, exploit-framework, access-broker, ransomware, or tradecraft coverage should be interpreted as behavior-led coverage only. A tool name, exploit name, scanner label, GitHub repository, payload artifact, source IP, user agent, public reporting label, ransomware name, malware family, access-broker label, or actor name should not be used as a detection input unless it is locally approved enrichment supporting triage. Coverage applies when the observable behavior aligns with this report’s edge-appliance exposure, credential or session artifact access, valid-account use, identity-provider access, privilege modification, durable access creation, cloud administrative activity, data access, backup interference, security-control modification, or ransomware-preparation model.

Direct Behavior-Led Coverage

·        Multi-stage edge exploit to identity and cloud compromise.

·        FortiBleed-style Fortinet or FortiGate credential-harvesting and access-monetization behavior where observable activity includes exposed Fortinet infrastructure, credential or session artifact exposure, suspicious VPN access, first-seen identity access, credential reuse, access resale, ransomware-affiliate handoff, cloud administrative activity, or extortion preparation.

·        Generic Fortinet, VPN, firewall, and edge-appliance exploit-follow-on behavior producing suspicious administrative access, configuration or session artifact access, authentication-lineage gaps, valid-account access, identity-provider activity, cloud-control activity, data access, or ransomware staging.

·        Ivanti Connect Secure exploitation behavior producing appliance compromise, web shell or backdoor deployment, credential access, authentication bypass, command execution, identity-adjacent access, internal movement, or downstream control-plane exposure.

·        Palo Alto GlobalProtect exploitation behavior producing unauthorized VPN access, authentication-lineage gaps, first-seen source activity, suspicious portal or gateway activity, valid-account access, or downstream identity and cloud-control activity.

Coverage With Adaptation

·        Packet-capture or appliance-internal credential-harvesting activity where local Fortinet or FortiGate telemetry is incomplete but downstream VPN, identity, cloud, or ransomware-preparation telemetry supports behavior alignment.

·        FortiWeb exploitation where the affected product is a WAF or management surface rather than the FortiGate/FortiOS remote-access path, but observable behavior includes administrative access, command execution, configuration exposure, credential access, persistence, or downstream identity activity.

·        Ivanti Endpoint Manager Mobile exploitation where the affected platform differs from Ivanti Connect Secure but observable behavior includes authentication bypass, remote code execution, web middleware manipulation, credential exposure, persistence, or downstream identity and control-plane activity.

·        Access-broker or credential-market activity where exposed VPN credentials, Fortinet-derived access material, session artifacts, or identity credentials are reused by a different operator after the original exposure event.

·        Ransomware affiliate activity where the intrusion path begins with or depends on edge-derived credentials, VPN access, identity compromise, cloud administrative control, backup interference, security-control modification, data staging, or encryption preparation.

·        Future exploit kits, scanner modules, proof-of-concept tools, credential-harvesting methods, packet-capture abuse, support-bundle abuse, diagnostic-access abuse, configuration-export abuse, ransomware playbooks, access-broker workflows, or campaign-specific tooling that produce aligned edge, identity, cloud, data-access, or impact telemetry.

Named APT / Actor / Campaign Activity Coverage

Actor, APT, ransomware, access-broker, and campaign coverage should be treated as enrichment and coverage context only. The report does not detect actor names directly. It detects the behavior those actors, affiliates, brokers, ransomware operators, or intrusion sets may produce when abusing Fortinet, FortiGate, FortiWeb, Ivanti, Palo Alto, VPN, firewall, edge-authentication, identity-provider, cloud-control, data-access, or ransomware-preparation paths.

Direct Behavior-Led Coverage

·        UNC5221 where observable behavior includes Ivanti Connect Secure exploitation, authentication bypass, command execution, appliance compromise, SPAWN ecosystem malware, TRAILBLAZE, BUSHFIRE, persistence, credential access, internal movement, or downstream identity and control-plane activity.

·        UTA0218 / Operation MidnightEclipse where observable behavior includes Palo Alto GlobalProtect exploitation, PAN-OS compromise, appliance access, command execution, persistence, exfiltration preparation, valid-account misuse, or downstream identity and control-plane activity.

·        UNC3886 where observable behavior includes Fortinet, FortiGate, VMware, network appliance, virtualization infrastructure, credential theft, rootkit, backdoor, persistence, lateral movement, or long-term covert access behavior aligned to this report’s edge-to-identity model.

·        FortiBleed-style credential-harvesting and credential-reuse operators where observable behavior includes Fortinet or FortiGate exposure, credential or session material exposure, VPN credential reuse, first-seen identity access, cloud administrative activity, access resale, ransomware-affiliate handoff, or extortion preparation.

Coverage With Adaptation

·        APT5 or suspected Chinese state-linked Pulse Secure / Ivanti exploitation activity where observable behavior includes VPN appliance compromise, authentication bypass, web shell deployment, credential exposure, persistence, identity access, or downstream enterprise compromise.

·        Volt Typhoon-style edge and network-device compromise where observable behavior includes edge infrastructure abuse, living-off-the-land administration, valid-account access, persistence, credential exposure, or stealthy control-plane access aligned to this report’s model.

·        Salt Typhoon-style network-control and telecom infrastructure compromise where observable behavior includes edge or network-device access, valid-account use, administrative control, credential exposure, persistence, and downstream infrastructure visibility aligned to this report’s model.

·        Russian-speaking FortiBleed credential-harvesting or access-market activity where observable behavior includes Fortinet credential collection, brute-force activity, hash cracking, VPN credential reuse, access resale, or ransomware-affiliate enablement. This should not be labeled as a classic APT group unless public reporting or local evidence supports that attribution.

·        Ransomware affiliate activity using Fortinet-derived, VPN-derived, or edge-derived access where observable behavior includes valid-account entry, lateral movement, identity compromise, cloud access, data staging, backup interference, security-control modification, or encryption preparation.

·        Future actor clusters, ransomware groups, intrusion sets, access brokers, cloud-extortion groups, or campaign labels using Fortinet-style credential exposure, edge-appliance exploitation, VPN credential reuse, session artifact abuse, identity compromise, cloud administrative control, data access, or ransomware preparation where behavior-to-telemetry alignment is validated.

Named classic APT groups should not be listed as direct coverage unless public reporting or local evidence ties the named group to edge-appliance exploitation, Fortinet-derived credential use, Ivanti gateway compromise, Palo Alto GlobalProtect compromise, identity compromise, cloud-control abuse, ransomware enablement, or aligned post-compromise behavior. The correct standard is to avoid invented classic APT attribution while including sourced actor, campaign, access-broker, ransomware, and exploitation operations tied to the same behavior class.

Active Exploitation and KEV Coverage Interpretation

Active exploitation, weaponization, proof-of-concept availability, and KEV status should be treated as urgency and remediation-prioritization signals, not as the basis for detection coverage by themselves. The report should count actively exploited, CISA KEV-confirmed, or in-the-wild items only when the observable exploitation behavior aligns with S21 through S25.

The current coverage model directly covers edge-to-identity-to-cloud intrusion behavior where exploitation or abuse of exposed edge infrastructure leads to credential exposure, session reuse, identity compromise, privilege escalation, cloud administrative control, data access, or ransomware enablement.

The current coverage model directly covers FortiBleed-style reporting when the observable behavior aligns with Fortinet or FortiGate credential exposure, credential reuse, access resale, ransomware-affiliate handoff, identity access, or cloud-control activity.

The current coverage model adaptively covers FortiWeb exploitation where the vulnerability affects WAF administration, command execution, path traversal, or FortiCloud SSO behavior rather than FortiGate or FortiOS VPN access. These items should remain covered with adaptation when downstream authentication, identity, cloud, data-access, or ransomware-preparation telemetry aligns with the report’s detection model.

The current coverage model adaptively covers appliance-internal Fortinet packet-capture, diagnostic, support-bundle, configuration-export, or memory/session exposure where direct proof of credential theft depends on local appliance telemetry or forensic collection. These items should remain covered with adaptation when downstream authentication, identity, VPN, cloud, or ransomware-preparation telemetry aligns with the report’s detection model.

Non-Coverage Conditions

Non-coverage applies where related activity does not produce observable suspicious edge-appliance activity, credential or session artifact access, VPN anomaly, authentication-lineage gap, first-seen identity access, identity-provider misuse, IAM enumeration, privilege modification, durable access creation, cloud administrative activity, data access, backup interference, security-control modification, ransomware staging, extortion preparation, or recovery-trust uncertainty.

Activity limited to unrelated endpoint malware, unrelated SaaS platforms, generic phishing, unrelated web application exploitation, denial-of-service without edge-to-identity relevance, network-only scanning, isolated vulnerability reporting, unrelated CVE exploitation, or actor attribution without aligned telemetry should not be represented as covered by this report.

A CVE, exploit report, proof-of-concept, scanner, actor, campaign, ransomware label, access-broker label, or malware family should not be counted when it depends on unrelated exploitation mechanics, lacks sufficient technical detail, produces no aligned edge, identity, cloud, credential, session, data-access, ransomware, or recovery-trust telemetry, cannot be correlated through the report’s S21 through S25 strategy, or would require a separate detection model.

Coverage should not depend only on branding, infrastructure indicators, static IOCs, exploit nickname, source IPs, user agents, request strings, public reporting labels, vendor naming, ransomware naming, or actor attribution rather than observable behavior aligned with the report’s detection model.

Current Coverage Count

Directly covered CVEs

11

·        CVE-2026-24858

·        CVE-2026-0257

·        CVE-2025-59718

·        CVE-2025-22457

·        CVE-2025-0282

·        CVE-2024-3400

·        CVE-2024-21893

·        CVE-2024-21887

·        CVE-2023-46805

·        CVE-2022-40684

·        CVE-2018-13379

CVEs covered with adaptation

6

·        CVE-2025-64446

·        CVE-2025-59719

·        CVE-2025-58034

·        CVE-2025-4428

·        CVE-2025-4427

·        CVE-2024-21762

Total CVEs directly or adaptively covered by this report’s behavioral detection model

17

CISA KEV-confirmed CVEs directly covered

11

·        CVE-2026-24858

·        CVE-2026-0257

·        CVE-2025-59718

·        CVE-2025-22457

·        CVE-2025-0282

·        CVE-2024-3400

·        CVE-2024-21893

·        CVE-2024-21887

·        CVE-2023-46805

·        CVE-2022-40684

·        CVE-2018-13379

CISA KEV-confirmed CVEs covered with adaptation

6

·        CVE-2025-64446

·        CVE-2025-59719

·        CVE-2025-58034

·        CVE-2025-4428

·        CVE-2025-4427

·        CVE-2024-21762

Total CISA KEV-confirmed CVEs represented in this coverage set

17

Known exploited, actively exploited, or exploitation-reported items represented in this coverage set

17

Directly covered proof-of-concept / exploit behavior classes

1 core behavior class: exposed edge-appliance compromise leading to credential or session exposure and downstream identity or cloud-control activity.

Proof-of-concept / KEV / exploit behavior classes covered with adaptation

6 related behavior classes: appliance-internal credential harvesting, packet-capture or diagnostic abuse, support-bundle or configuration-export exposure, WAF administrative compromise, mobile-management appliance compromise, and access-broker or ransomware-affiliate reuse of edge-derived credentials.

Directly covered named APT / actor / campaign behavior patterns

4

·        UNC5221 Ivanti Connect Secure exploitation behavior

·        UTA0218 / Operation MidnightEclipse Palo Alto GlobalProtect exploitation behavior

·        UNC3886 Fortinet, network appliance, and virtualization infrastructure compromise behavior

·        FortiBleed-style Fortinet credential-harvesting and access-monetization behavior

Actor / campaign behavior patterns covered with adaptation

6

·        APT5 or suspected Chinese state-linked Pulse Secure / Ivanti exploitation behavior

·        Volt Typhoon-style edge and network-device compromise behavior

·        Salt Typhoon-style network-control and telecom infrastructure compromise behavior

·        Russian-speaking FortiBleed credential-harvesting or access-market activity

·        Ransomware affiliate use of edge-derived credentials, VPN access, or identity compromise

·        Future actor clusters, ransomware groups, intrusion sets, access brokers, cloud-extortion groups, or campaign labels using aligned edge-to-identity-to-cloud behavior

Coverage Qualification

This count is a living analytical note, not a universal Fortinet, FortiGate, FortiWeb, Ivanti, Palo Alto, VPN, firewall, edge-appliance, identity-provider, cloud, ransomware, access-broker, vulnerability, proof-of-concept, exploit-tooling, actor, campaign, APT, or credential-market coverage claim. A related CVE, proof-of-concept, exploit report, KEV entry, scanner pattern, tooling report, actor report, ransomware report, access-broker report, malware report, or advisory should only be added when it shares enough observable behavior with the report’s detection model to support credible detection or detection-readiness coverage.

Direct coverage should remain limited to edge-to-identity-to-cloud behavior, including suspicious edge-appliance access, configuration or session artifact access, credential exposure, VPN anomaly, first-seen identity access, authentication-lineage gaps, identity-provider misuse, IAM enumeration, privilege modification, durable access creation, cloud administrative activity, data access, and ransomware preparation.

Covered-with-adaptation items should remain counted only when the activity can be correlated through edge-appliance logs, VPN logs, endpoint telemetry, identity-provider logs, cloud audit logs, WAF logs, reverse-proxy logs, DNS logs, proxy logs, firewall logs, NDR telemetry, SIEM enrichment, incident-response evidence, approved administrator context, approved remote-access context, and post-access telemetry where applicable.

KEV status, active exploitation status, proof-of-concept availability, exploit nicknames, public exploitation reports, scanner fingerprints, actor names, ransomware names, access-broker labels, campaign labels, malware names, vendor names, and tool names should be treated as urgency, enrichment, and prioritization context only when their behavior aligns to the report’s S21 through S25 detection strategy.

A related CVE, proof-of-concept, scanner pattern, exploit report, actor cluster, ransomware report, access-broker report, campaign report, malware report, tool report, or advisory should not be counted when it depends on unrelated exploitation mechanics, lacks aligned telemetry, affects only unrelated application functionality, produces no edge, identity, cloud, credential, session, data-access, ransomware, or recovery-trust behavior, or requires a separate detection model.

Executive Exposure Statement

The organization’s economic exposure is highest when edge-device activity creates uncertainty around whether remote-access infrastructure, VPN sessions, credentials, identity-provider trust, privileged accounts, cloud administrative control, data repositories, backup systems, and customer-facing services remain trustworthy. The strategic risk is not only one Fortinet appliance, one FortiGate VPN, one FortiWeb instance, one Ivanti gateway, one Palo Alto firewall, one CVE, one patch, one packet-capture method, one credential list, one access-broker report, one ransomware affiliate, one source IP, one scanner, one exploit nickname, one APT label, or one public advisory; it is the possibility that adversaries can convert exposed edge infrastructure into reusable credentials, trusted identity access, cloud control, data exposure, ransomware enablement, legal and customer-impact review, and executive uncertainty about whether enterprise operations can safely return to a trusted state.

S40 — References

Primary Reporting and Vendor Analysis

·        SentinelOne / public reporting via TechRadar — Fortinet patches FortiGate Firewall vulnerabilities that allowed hackers to steal enterprise credentials — 16 March 2026 — hxxps://www[.]techradar[.]com/pro/security/fortinet-patches-fortigate-firewall-vulnerabilities-that-allowed-hackers-to-steal-enterprise-credentials

·        Rapid7 / Arctic Wolf reporting via ITPro — Two Fortinet vulnerabilities are being exploited in the wild — patch now — 19 December 2025 — hxxps://www[.]itpro[.]com/security/two-fortinet-vulnerabilities-are-being-exploited-in-the-wild-patch-now

·        Arctic Wolf reporting via TechRadar — Fortinet products hit by further security flaws, giving hackers access to systems and more — 17 December 2025 — hxxps://www[.]techradar[.]com/pro/security/fortinet-products-hit-by-further-security-flaws-giving-hackers-access-to-systems-and-more

·        TechRadar / BleepingComputer reporting — Fortinet customers told to update immediately following major security issue — 17 November 2025 — hxxps://www[.]techradar[.]com/pro/security/fortinet-customers-told-to-update-immediately-following-major-security-issue-heres-what-we-know

·        TechRadar / Rapid7 reporting — Rapid7 observes new Palo Alto VPN flaw exploited in the wild to bypass GlobalProtect authentication — 2 June 2026 — hxxps://www[.]techradar[.]com/pro/security/rapid7-observes-new-palo-alto-vpn-flaw-exploited-in-the-wild-to-bypass-globalprotect-authentication

·        TechRadar / Mandiant reporting — Ivanti patches serious Connect Secure flaw — 4 April 2025 — hxxps://www[.]techradar[.]com/pro/security/ivanti-patches-serious-connect-secure-flaw

·        TechRadar / CISA reporting — CISA flags serious Ivanti Endpoint Manager Mobile flaws — 22 September 2025 — hxxps://www[.]techradar[.]com/pro/security/cisa-flags-some-more-serious-ivanti-software-flaws-so-patch-now

·        Wired — Here Are the Google and Microsoft Security Updates You Need Right Now — 2024 — hxxps://www[.]wired[.]com/story/here-are-the-microsoft-and-google-security-updates-you-need-right-now

·        TechRadar — Fortinet FortiGate devices hit in automated attacks which create rogue accounts and steal firewall data — 23 January 2026 — hxxps://www[.]techradar[.]com/pro/security/fortinet-fortigate-devices-hit-in-automated-attacks-which-create-rogue-accounts-and-steal-firewall-data

Threat Tracking and Activity Context

·        Google Cloud / Mandiant — Ivanti Connect Secure exploitation and UNC5221 activity context — hxxps://cloud[.]google[.]com/blog/topics/threat-intelligence/

·        Palo Alto Networks Unit 42 — Operation MidnightEclipse and UTA0218 activity context — hxxps://unit42[.]paloaltonetworks[.]com/

·        Google Cloud / Mandiant — UNC3886 network appliance, Fortinet, VMware, and virtualization infrastructure activity context — hxxps://cloud[.]google[.]com/blog/topics/threat-intelligence/

·        Arctic Wolf — Fortinet FortiCloud SSO exploitation and configuration export activity context — hxxps://arcticwolf[.]com/resources/blog/

·        Rapid7 — Fortinet and Palo Alto exploitation observations and vulnerability analysis — hxxps://www[.]rapid7[.]com/blog/

·        CISA — Ivanti EPMM exploitation analysis and malware activity context — hxxps://www[.]cisa[.]gov/news-events/cybersecurity-advisories

·        Microsoft Threat Intelligence / Five Eyes advisory context — People’s Republic of China state-sponsored cyber actor living-off-the-land and network-device abuse — hxxps://www[.]microsoft[.]com/en-us/security/blog/

·        CISA — People’s Republic of China state-sponsored cyber actor living-off-the-land guidance — hxxps://www[.]cisa[.]gov/news-events/cybersecurity-advisories

Vulnerability Records and Advisory Sources

·        CVE Program — CVE-2026-24858 — FortiGate / Fortinet NGFW zero-day access behavior — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-24858

·        CVE Program — CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect portal and gateway authentication bypass — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-0257

·        CVE Program — CVE-2025-64446 — FortiWeb path traversal / administrative command execution — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2025-64446

·        CVE Program — CVE-2025-59719 — FortiWeb FortiCloud SSO authentication bypass — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2025-59719

·        CVE Program — CVE-2025-59718 — FortiOS, FortiProxy, and FortiSwitchManager FortiCloud SSO authentication bypass — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2025-59718

·        CVE Program — CVE-2025-58034 — FortiWeb OS command injection — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2025-58034

·        CVE Program — CVE-2025-4428 — Ivanti Endpoint Manager Mobile remote code execution — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2025-4428

·        CVE Program — CVE-2025-4427 — Ivanti Endpoint Manager Mobile authentication bypass — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2025-4427

·        CVE Program — CVE-2025-22457 — Ivanti Connect Secure remote code execution — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2025-22457

·        CVE Program — CVE-2025-0282 — Ivanti Connect Secure exploitation path — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2025-0282

·        CVE Program — CVE-2024-3400 — Palo Alto PAN-OS GlobalProtect exploitation path — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2024-3400

·        CVE Program — CVE-2024-21893 — Ivanti Connect Secure and Policy Secure SAML server-side request forgery — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2024-21893

·        CVE Program — CVE-2024-21887 — Ivanti Connect Secure and Policy Secure command injection — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2024-21887

·        CVE Program — CVE-2024-21762 — FortiOS / FortiProxy code execution behavior — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2024-21762

·        CVE Program — CVE-2023-46805 — Ivanti Connect Secure and Policy Secure authentication bypass — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2023-46805

·        CVE Program — CVE-2022-40684 — Fortinet administrative authentication bypass and configuration exposure behavior — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2022-40684

·        CVE Program — CVE-2018-13379 — Fortinet VPN credential exposure behavior — hxxps://www[.]cve[.]org/CVERecord?id=CVE-2018-13379

Vendor Security Advisory Portals

·        Fortinet PSIRT — FortiOS, FortiProxy, FortiSwitchManager, FortiWeb, and FortiGate advisories — hxxps://www[.]fortiguard[.]com/psirt

·        Palo Alto Networks Security Advisories — PAN-OS and GlobalProtect advisories — hxxps://security[.]paloaltonetworks[.]com/

·        Ivanti Security Advisories — Connect Secure, Policy Secure, and Endpoint Manager Mobile advisories — hxxps://forums[.]ivanti[.]com/s/security-advisory

·        Rapid7 Vulnerability Research and MDR Blog — exploitation observations and detection context — hxxps://www[.]rapid7[.]com/blog/

·        Arctic Wolf Labs Blog — Fortinet exploitation and edge-device activity context — hxxps://arcticwolf[.]com/resources/blog/

·        Google Cloud Threat Intelligence / Mandiant Blog — UNC5221 and UNC3886 activity context — hxxps://cloud[.]google[.]com/blog/topics/threat-intelligence/

·        Palo Alto Networks Unit 42 Blog — Operation MidnightEclipse, UTA0218, and PAN-OS exploitation context — hxxps://unit42[.]paloaltonetworks[.]com/

Threat Technique and Exploitation Catalogs

·        MITRE ATT&CK Enterprise Matrix / Techniques Catalog — hxxps://attack[.]mitre[.]org/

CISA Known Exploited Vulnerabilities Catalog — hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog

Previous
Previous

[EXP] PTC Windchill Webshell Exploitation and Java Enterprise Application Data Exposure

Next
Next

[MAL] JadePuffer Agentic Ransomware and Database-Extortion Automation