GitHub Repo

Analytics Story: CISA AA24-241A

Updated Date: 2026-05-13 ID: f075adb6-76a6-4476-b24a-ce9d471a1bdc Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

This story covers the tactics of Iran-based cyber actors exploiting U.S. and foreign organizations across multiple sectors, as detailed in CISA Alert AA24-241A. It focuses on their methods of gaining initial access, establishing persistence, and enabling ransomware attacks through vulnerabilities in public-facing networking devices.

Why it matters

As of August 2024, Iran-based cyber actors continue to exploit organizations across several U.S. sectors and other countries. The FBI assesses that a significant percentage of these operations aim to obtain network access for collaboration with ransomware affiliates. The actors typically use Shodan to identify vulnerable devices, then exploit public-facing networking equipment such as Citrix Netscaler, F5 BIG-IP, and various VPNs. They deploy webshells, create local accounts, and manipulate existing ones to maintain access. Post-exploitation, they repurpose credentials, disable security software, and use remote access tools. The group collaborates with ransomware affiliates like NoEscape, Ransomhouse, and ALPHV, actively participating in network lockdowns and extortion strategies. Defenders should prioritize patching public-facing devices, monitoring for unauthorized accounts and suspicious PowerShell activity, implementing strong access controls, and regularly reviewing logs for signs of compromise.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Remote Access Software Usage File Remote Access Tools Anomaly
Citrix ADC Exploitation CVE-2023-3519 Exploit Public-Facing Application Hunting
Scheduled Task Deleted Or Created via CMD Scheduled Task Anomaly
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 External Remote Services, Exploit Public-Facing Application TTP
Windows RMM Named Pipe SMB/Windows Admin Shares, Process Injection, Inter-Process Communication Anomaly
Suspicious Scheduled Task from Public Directory Scheduled Task Anomaly
Wsmprovhost LOLBAS Execution Process Spawn Windows Remote Management TTP
Possible Lateral Movement PowerShell Spawn Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service Anomaly
Windows Create Local Account Local Account Anomaly
Ivanti Connect Secure Command Injection Attempts Exploit Public-Facing Application TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Windows Modify Registry Delete Firewall Rules Modify Registry TTP
Windows Abused Web Services Web Service Anomaly
Ngrok Reverse Proxy on Network Proxy, Web Service, Protocol Tunneling Anomaly
Windows Modify Registry to Add or Modify Firewall Rule Modify Registry Anomaly
Detect Remote Access Software Usage Registry Remote Access Tools Anomaly
Detect New Local Admin account Local Account TTP
Windows DISM Install PowerShell Web Access Bypass User Account Control TTP
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint Exploit Public-Facing Application TTP
Windows Ngrok Reverse Proxy Usage Proxy, Web Service, Protocol Tunneling Anomaly
Windows Identify PowerShell Web Access IIS Pool Exploit Public-Facing Application Hunting
Windows IIS Server PSWA Console Access Exploit Public-Facing Application Hunting
Disable Defender AntiVirus Registry Disable or Modify Tools TTP
Windows Enable PowerShell Web Access PowerShell TTP
Detect Remote Access Software Usage Process Remote Access Tools Anomaly
Detect Remote Access Software Usage DNS Remote Access Tools Anomaly
Detect Remote Access Software Usage URL Remote Access Tools Anomaly
Ivanti Connect Secure System Information Access via Auth Bypass Exploit Public-Facing Application Anomaly
Powershell Disable Security Monitoring Disable or Modify Tools TTP
Windows Create Local Administrator Account Via Net Local Account Anomaly
PowerShell 4104 Hunting PowerShell Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Palo Alto Network Threat Network icon Network pan:threat not_applicable
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 17 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4720 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Suricata Other suricata not_applicable
Windows Event Log TaskScheduler 201 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Sysmon EventID 12 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 14 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4732 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4648 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows IIS Windows icon Windows IIS:Configuration:Operational IIS:Configuration:Operational
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

References

Source: GitHub | Version: 3