“VMware Horizon servers actively being hit with Cobalt Strike | Huntress. On January 5, the UK's National Health Service (NHS) alerted that hackers were actively targeting Log4Shell vulnerabilities in VMware Horizon servers in an effort to establish persistent access via web sh…”
Tagged: T1505.003 Web Shell (94%)

“we protect. This new EDR capability is based on an acquisition we made in early 2021 and allows us to proactively detect and respond to non-persistent malicious behavior by giving us the ability to collect detailed information about processes. Initial access source. Despite mass…”
Tagged: T1505.003 Web Shell (92%); T1059.001 PowerShell (36%); T1059.001 PowerShell (32%)

“Log4j library or child_process based web shell present under the installation location with the following command: Horizon_Windows_Log4j_Mitigation.bat /verbose - manually inspect/assess the files within %ProgramFiles%\VMware\VMware View\Server\appblastgate…”
Tagged: T1190 Exploit Public-Facing Application (80%)

“…patched and internet-facing at the time of this publication. The web shells on these 18 compromised systems established a timeline that started on December 25, 2021 and continued until December 29, 2021. New behavior. On January 14 at 1458 ET, an unrelated managed antivirus de…”
Tagged: T1505.003 Web Shell (45%); T1190 Exploit Public-Facing Application (41%); one instance left untagged
Summary
Huntress is monitoring an incident in which VMware Horizon Servers are being hit with Cobalt Strike. Read our up-to-date blog to learn more.