GitHub Repo

Analytics Story: CISA AA24-241A

Updated Date: 2026-05-13 ID: f075adb6-76a6-4476-b24a-ce9d471a1bdc Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

This story covers the tactics of Iran-based cyber actors exploiting U.S. and foreign organizations across multiple sectors, as detailed in CISA Alert AA24-241A. It focuses on their methods of gaining initial access, establishing persistence, and enabling ransomware attacks through vulnerabilities in public-facing networking devices.

Why it matters

As of August 2024, Iran-based cyber actors continue to exploit organizations across several U.S. sectors and other countries. The FBI assesses that a significant percentage of these operations aim to obtain network access for collaboration with ransomware affiliates. The actors typically use Shodan to identify vulnerable devices, then exploit public-facing networking equipment such as Citrix Netscaler, F5 BIG-IP, and various VPNs. They deploy webshells, create local accounts, and manipulate existing ones to maintain access. Post-exploitation, they repurpose credentials, disable security software, and use remote access tools. The group collaborates with ransomware affiliates like NoEscape, Ransomhouse, and ALPHV, actively participating in network lockdowns and extortion strategies. Defenders should prioritize patching public-facing devices, monitoring for unauthorized accounts and suspicious PowerShell activity, implementing strong access controls, and regularly reviewing logs for signs of compromise.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows Ngrok Reverse Proxy Usage Proxy, Web Service, Protocol Tunneling Anomaly
Suspicious Scheduled Task from Public Directory Scheduled Task Anomaly
Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint Exploit Public-Facing Application TTP
Windows Modify Registry to Add or Modify Firewall Rule Modify Registry Anomaly
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Ngrok Reverse Proxy on Network Proxy, Web Service, Protocol Tunneling Anomaly
Disable Defender AntiVirus Registry Disable or Modify Tools TTP
Ivanti Connect Secure Command Injection Attempts Exploit Public-Facing Application TTP
Citrix ADC Exploitation CVE-2023-3519 Exploit Public-Facing Application Hunting
Windows RMM Named Pipe SMB/Windows Admin Shares, Process Injection, Inter-Process Communication Anomaly
Windows Enable PowerShell Web Access PowerShell TTP
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388 External Remote Services, Exploit Public-Facing Application TTP
Windows IIS Server PSWA Console Access Exploit Public-Facing Application Hunting
Windows Abused Web Services Web Service Anomaly
Possible Lateral Movement PowerShell Spawn Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service Anomaly
Wsmprovhost LOLBAS Execution Process Spawn Windows Remote Management TTP
Detect Remote Access Software Usage Process Remote Access Tools Anomaly
PowerShell 4104 Hunting PowerShell Hunting
Detect New Local Admin account Local Account TTP
Detect Remote Access Software Usage DNS Remote Access Tools Anomaly
Windows Create Local Administrator Account Via Net Local Account Anomaly
Detect Remote Access Software Usage URL Remote Access Tools Anomaly
Powershell Disable Security Monitoring Disable or Modify Tools TTP
Windows DISM Install PowerShell Web Access Bypass User Account Control TTP
Ivanti Connect Secure System Information Access via Auth Bypass Exploit Public-Facing Application Anomaly
Windows Create Local Account Local Account Anomaly
Detect Remote Access Software Usage Registry Remote Access Tools Anomaly
Windows Modify Registry Delete Firewall Rules Modify Registry TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task Anomaly
Windows Identify PowerShell Web Access IIS Pool Exploit Public-Facing Application Hunting
Detect Remote Access Software Usage File Remote Access Tools Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Suricata Other suricata not_applicable
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 14 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log TaskScheduler 201 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Sysmon EventID 22 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Palo Alto Network Threat Network icon Network pan:threat not_applicable
Sysmon EventID 18 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Windows IIS Windows icon Windows IIS:Configuration:Operational IIS:Configuration:Operational
Windows Event Log Security 4720 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4732 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 12 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4648 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References

Source: GitHub | Version: 3