TLCTC Blog - 2025/01/15

TLCTC Analysis: CrowdStrike 2024 Threat Hunting Report

Date: 2025/01/15

This is a TLCTC-based analysis of the CrowdStrike 2024 Threat Hunting Report (PDF). Document type: Threat Intelligence Report.

TLCTC Mappings by Subject (Selected Highlights)

This analysis applies the Top Level Cyber Threat Clusters (TLCTC) framework to major threat actors identified in the CrowdStrike 2024 Threat Hunting Report, revealing common attack patterns and strategic defense priorities through standardized threat cluster notation.

SCATTERED SPIDER (Cross-Domain/Cloud)

Key TTPs from Report

Phishing to steal credentials → authenticate to cloud control plane → abuse VM management agent to run commands on a hosted VM → create local user → download FleetDeck RMM.

TLCTC Mapping

  • #9 Social Engineering — spear-phishing to obtain creds.
  • #4 Identity Theft — use of valid credentials to log into the cloud console.
  • #1 Abuse of Functions — leveraging cloud IAM/policies and the legitimate VM management agent to execute commands and establish persistence.
  • #7 Malware — installation/use of dual-use RMM (FleetDeck) as foreign code/tooling.

Common attack path: #9 → #4 → #1 → #7

FAMOUS CHOLLIMA (DPRK Insider Operations)

Key TTPs

False/stolen IDs to get hired and provisioned; minimal job activity; exfil via Git/SharePoint/OneDrive; widespread RMM (RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, Chrome Remote Desktop).

TLCTC Mapping

  • #9 Social Engineering — deception during recruiting/onboarding.
  • #1 Abuse of Functions — exploiting legitimate HR/onboarding and access-provisioning processes to obtain corporate identities/devices.
  • #4 Identity Theft — subsequent use of the provisioned/stolen identities to access VPNs and internal systems.
  • #7 Malware — installation/use of RMM tools as dual-use execution for persistence/remote control.

Common attack path: #9 → #1 → #7 → #4

HORDE PANDA (Identity-Centric AD Targeting)

Key TTPs

VPN-range logons with valid accounts; DCSync attempts; implants (LuaPlug/KEYPLUG) via DLL side-loading; LDAP queries for LAPS/unconstrained delegation; persistence as service/scheduled task.

TLCTC Mapping

  • #4 Identity Theft — use of multiple compromised identities to reach DCs.
  • #7 Malware — KEYPLUG/LuaPlug implants (foreign code), side-loading persistence.
  • #1 Abuse of Functions — DCSync/LDAP queries misuse intended AD/LDAP capabilities for credential replication/discovery (no exploit needed).

Common attack paths:

  • #4 → #1 (identity + DCSync/LDAP)
  • #4 → #7 → #1 when implants are present first on the host used to drive AD abuse

PUNK SPIDER (Akira Ransomware, Fast BGH)

Key TTPs

Initial access by exploiting Palo Alto GlobalProtect (CVE-2024-3400) on an unmanaged appliance; RDP with service account; attempts at privilege escalation, share discovery (SharpShares/Invoke-ShareFinder), Akira deployment; data staging with WinRAR; exfil via FileZilla (blocked).

TLCTC Mapping

  • #2 Exploiting Server — exploit of public-facing VPN (implementation flaw/CVE).
  • #4 Identity Theft — subsequent use of a service account to RDP internally.
  • #7 Malware — ransomware payload and toolset (custom scripts, share scanners).
  • #1 Abuse of Functions — group membership changes (e.g., ESX Admins) and other privileged but legitimate operations.

Common attack path, followed by data theft/encryption: #2 → #4 → (#1 + #7)

STATIC KITTEN (Iran-Nexus, RMM-Heavy)

Key TTPs

Spear-phishing → ZIP → MSI → install Atera/ScreenConnect; repeated use of cloud storage delivery; renaming installers; command-line/MSI-based execution.

TLCTC Mapping

  • #9 Social Engineering — phishing lures distributing installers.
  • #7 Malware — deployment of dual-use RMM agents for persistence/remote ops.

Common attack path (often repeated per host): #9 → #7

CHEF SPIDER (Initial Access via RMM)

Key TTPs

Persona + contact form → calendar invite → phishing link to "meeting" domain → ScreenConnect download/exec → follow-on script to alter power settings; intrusion reconstructed within minutes by hunters.

TLCTC Mapping

  • #9 Social Engineering — staged lure chain to deliver RMM.
  • #7 Malware — ScreenConnect as dual-use remote tool.
  • #1 Abuse of Functions — post-access system configuration changes via legitimate OS features.

Common attack path: #9 → #7 → #1

COZY BEAR & "Cloud Learners" (Cloud TTP Spectrum)

Key TTPs (Examples in Report)

Adding federated IdPs/backdoors in Entra ID/Okta; creating third-party apps with Graph permissions to read mail; secrets-manager/Vault access; SharePoint searches for VPN setup; using S3-browser-style tools for exfil; broad use of residential proxies/Tor.

TLCTC Mapping

  • #4 Identity Theft — token/session/cred abuse across M365/Azure portals.
  • #1 Abuse of Functions — IdP federation, Graph-app creation, mailbox permissioning, SharePoint search: all are legitimate control-plane/app features misused.
  • #7 Malware — use of tooling/agents on VMs or exfil utilities where introduced.

Common attack paths:

  • #4 → #1 (post-auth abuse of cloud features)
  • #3/#2 → #7 → #4 → #1 when host exploitation (#3 Exploiting Client or #2 Exploiting Server) precedes the cloud pivot
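The #4 → #1 path above is visible almost entirely in the identity provider's audit log: a stolen session adds a federated IdP, registers an app and grants it mailbox scopes, or consents on the user's behalf. The following detector, an added example rather than code from the report or from any CrowdStrike tooling, walks constructed records shaped like Microsoft Graph directoryAudits entries and raises a #1 finding for federation and mail-permission changes, upgrading severity when the initiating IP falls in an anonymizer range (the residential-proxy/Tor pattern the report describes). The activityDisplayName values are the ones Entra ID emits; the modifiedProperties names, the anonymizer range and the actor UPNs are assumptions for the sample and should be checked against your own tenant's records.

```python
"""Flag post-authentication abuse of Entra ID control-plane features (TLCTC #1)
that follows a #4 Identity Theft foothold: federation changes that can plant
a backdoor IdP, app permission grants that read mail, and consent grants,
with severity raised when the initiating session came from an anonymizing
network. Added example over constructed records shaped like Microsoft Graph
directoryAudits entries; assumptions are marked in the comments."""
import ipaddress
import re

# activityDisplayName values as they appear in Entra ID audit logs.
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
APP_PERMISSION_OPS = {"Add app role assignment to service principal",
                      "Consent to application", "Add delegated permission grant"}
# Permissions that let an app read mailboxes (Graph app/delegated roles and the
# Exchange Online application role).
MAIL_PERMISSIONS = ("Mail.Read", "Mail.ReadWrite", "full_access_as_app")

# Assumption: a constructed range standing in for a residential-proxy / Tor feed.
ANONYMIZER_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def from_anonymizer(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ANONYMIZER_NETS)


def modified_values(record):
    """All newValue strings across the record's targetResources."""
    return [str(prop.get("newValue", ""))
            for target in record.get("targetResources", [])
            for prop in target.get("modifiedProperties", [])]


def granted_mail_permissions(record):
    """Mail permissions named anywhere in the modified properties. Word
    boundaries keep Mail.Read from matching Mail.ReadWrite."""
    values = modified_values(record)
    return [p for p in MAIL_PERMISSIONS
            if any(re.search(r"\b" + re.escape(p) + r"\b", v) for v in values)]


def assess(record):
    """Return a finding dict for a control-plane abuse record, else None."""
    op = record.get("activityDisplayName", "")
    actor = record.get("initiatedBy", {}).get("user", {})
    upn = actor.get("userPrincipalName", "unknown")
    ip = actor.get("ipAddress", "")
    targets = record.get("targetResources", [])
    reason = None
    if op in FEDERATION_OPS:
        domain = targets[0].get("displayName", "?") if targets else "?"
        reason = f"{op} on {domain}: possible backdoor IdP"
    elif op in APP_PERMISSION_OPS:
        mail = granted_mail_permissions(record)
        if mail:
            app = targets[0].get("displayName", "?") if targets else "?"
            reason = f"{op}: {app} granted {', '.join(mail)}"
    if reason is None:
        return None
    # #4 evidence: the legitimate admin rarely changes federation from an
    # anonymizing network; an actor replaying their token often does.
    severity = "high" if from_anonymizer(ip) else "medium"
    return {"cluster": "#1", "actor": upn, "ip": ip, "severity": severity, "reason": reason}


def analyze(records):
    return [f for f in map(assess, records) if f]


# Constructed sample audit records, not data from the report. Assumption: the
# modifiedProperties displayName values are illustrative; verify against your tenant.
SAMPLE_RECORDS = [
    {"activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "gadmin@contoso.example", "ipAddress": "198.51.100.23"}},
     "targetResources": [{"displayName": "contoso.example",
                          "modifiedProperties": [{"displayName": "IssuerUri", "newValue": "\"http://idp.attacker.example/\""}]}]},
    {"activityDisplayName": "Add app role assignment to service principal",
     "initiatedBy": {"user": {"userPrincipalName": "gadmin@contoso.example", "ipAddress": "203.0.113.5"}},
     "targetResources": [{"displayName": "Mailbox Helper",
                          "modifiedProperties": [{"displayName": "AppRole.Value", "newValue": "\"Mail.Read\""}]}]},
    {"activityDisplayName": "Consent to application",
     "initiatedBy": {"user": {"userPrincipalName": "j.doe@contoso.example", "ipAddress": "203.0.113.7"}},
     "targetResources": [{"displayName": "Whiteboard",
                          "modifiedProperties": [{"displayName": "ConsentAction.Permissions",
                                                  "newValue": "[] => [[ClaimValue: User.Read]]"}]}]},
    {"activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example", "ipAddress": "203.0.113.9"}},
     "targetResources": [{"displayName": "new.hire@contoso.example", "modifiedProperties": []}]},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding["severity"], finding["cluster"], finding["actor"], finding["ip"], finding["reason"])
```

The two findings the sample produces are the ones the report's cloud cases hinge on: a federation change (high, because the session came from the anonymizer range) and an app quietly given Mail.Read (medium). The consent to a User.Read-only app and the routine user creation produce nothing, which is the point of keying on the permission value rather than on the operation name alone.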

Cross-Cutting Patterns (From the Report → TLCTC)

RMM Explosion

70% year-over-year rise in RMM use; 27% of interactive intrusions used RMM; ScreenConnect was the most observed tool. In TLCTC this consistently maps to #7 Malware (dual-use execution), often after the foothold.

Strategic Significance: This represents a shift within #7 towards "dual-use" software abuse. Detection evasion occurs as RMM tools appear legitimate, operational efficiency increases with pre-built applications, and controls are circumvented in environments without strict application allow-listing. Adversaries prioritize stealth over novelty, exploiting trust in legitimate software to hide in plain sight.

Identity as the Pivot

Valid accounts dominate post-exploitation; identity telemetry surfaces unmanaged-host footholds early. This is #4 Identity Theft (use) coupled with #1 for many AD/LDAP/IdP abuses.

Cloud Control-Plane Abuse

Commanding VMs via agents, tweaking MFA/logging, federation tricks, metadata queries—primarily #1 Abuse of Functions once authenticated; initial entry varies (#9/#4, #2/#3).

Speed of eCrime

Breakout in ~62 minutes (a CrowdStrike-wide average cited in the report's context, not a figure derived from this report's cases) reinforces sequences where early #4 → #1 → #7 must be detected fast.

Strategic Summaries (TLCTC Lens)

SCATTERED SPIDER

Cross-domain specialist. Recurrent sequence #9 → #4 → #1 → #7; emphasizes identity+cloud control-plane abuse and RMM-based persistence. Defenses should key on identity anomalies and cloud agent misuse.

FAMOUS CHOLLIMA

Blends insider tradecraft: #9 → #1 → #7 → #4. Treat onboarding/access provisioning as an attack surface; monitor RMM patterns and persona/IP anomalies tied to roles.

HORDE PANDA

Identity-led AD abuse with implants: #4 → #7 → #1. Watch for DCSync/LDAP behaviors from atypical sources/accounts; close unmanaged-host gaps.

PUNK SPIDER

Rapid BGH operator: #2 → #4 → (#1 + #7). Patch public-facing infra; constrain service accounts; pre-stage IOAs for Akira/tooling.

STATIC KITTEN / CHEF SPIDER

Phish-to-RMM pipelines: #9 → #7 (plus #1 for living-off-the-land). Harden mail/web; aggressively baseline RMMs and block unknown installers/domains.

COZY BEAR & Cloud Learners

Cloud feature misuse dominates: #4 → #1 (+ #7 if host agents used). Enforce least privilege; monitor federation/app-registration, Graph scopes, mailbox perms.

Detailed Forensic Case Studies: TLCTC Attack Sequences

SCATTERED SPIDER Cloud Management Agent Case (Page 16)

Attack Path: #9 → #4 → #1 → #7

Granular Step-by-Step Forensic Analysis:

  • #9 Social Engineering: Attack initiated with unspecified phishing campaign targeting users
  • #4 Identity Theft: Phishing successfully compromised user credentials, used to authenticate to cloud control plane
  • #1 Abuse of Functions: Abused legitimate cloud VM management agent to remotely execute commands:
    • nltest /dclist:<domain> - AD environment mapping
    • nltest /domain_trusts - Trust relationship reconnaissance
    • wmic product get name, version - Software enumeration
    • net user (with the /add switch) - New local user creation for persistence
  • #7 Malware: Downloaded FleetDeck RMM tool, renamed to chrome.exe for evasion
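The #1 → #7 transition in this case is what a hunter can actually key on: reconnaissance and account creation are ordinary commands, but ordinary commands whose parent is the cloud VM management agent are not, and an RMM binary running under a borrowed name is not either. The following process-creation hunt is an added example, not the report's or CrowdStrike's detection content, and also serves the "RMM Explosion" pattern above. It assumes Sysmon-style fields (image, parent image, command line and the PE OriginalFileName); the agent process names, the RMM OriginalFileName values and every event in the sample are constructed assumptions to be replaced with what your own telemetry shows.

```python
"""Hunt for the SCATTERED SPIDER pattern above: reconnaissance and
persistence commands spawned by a cloud VM management agent (TLCTC #1
Abuse of Functions) followed by a renamed RMM binary (TLCTC #7 Malware).
Added example; the process events and agent/RMM names are constructed."""
import re
from collections import defaultdict

# Assumption: illustrative parent-process names for cloud VM management
# agents. Baseline the agent binaries your tenant actually runs.
VM_AGENT_PARENTS = {
    "waappagent.exe", "windowsazureguestagent.exe", "runcommandextension.exe",  # Azure
    "amazon-ssm-agent.exe", "ssm-document-worker.exe",                          # AWS SSM
    "gcewindowsagent.exe",                                                      # GCP
}

# Command-line patterns from the case study. Run through the agent they are
# legitimate functions used for the wrong purpose, hence #1, not #7.
ABUSE_PATTERNS = [
    (re.compile(r"\bnltest(\.exe)?\s+/dclist", re.I), "domain-controller enumeration"),
    (re.compile(r"\bnltest(\.exe)?\s+/domain_trusts", re.I), "trust enumeration"),
    (re.compile(r"\bwmic(\.exe)?\s+product\s+get", re.I), "installed-software enumeration"),
    (re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I), "local user creation"),
]

# PE OriginalFileName -> product, for RMM agents. Assumption: these values
# are illustrative; record the real ones from known-good binaries.
RMM_ORIGINAL_NAMES = {
    "fleetdeck_agent.exe": "FleetDeck",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "rustdesk.exe": "RustDesk",
}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one process-creation event to (cluster, reason) or None."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    original = event.get("original_file_name", "").lower()
    # #7: an RMM agent, flagged louder when it runs under a borrowed name
    # (the case study's FleetDeck renamed to chrome.exe).
    if original in RMM_ORIGINAL_NAMES:
        product = RMM_ORIGINAL_NAMES[original]
        if image != original:
            return ("#7", f"{product} renamed to {image}")
        return ("#7", f"{product} executed")
    # #1: recon/persistence only matters here when the VM agent is the parent;
    # an admin running nltest from cmd.exe is normal noise.
    if parent in VM_AGENT_PARENTS:
        for pattern, reason in ABUSE_PATTERNS:
            if pattern.search(event.get("command_line", "")):
                return ("#1", f"{reason} spawned by {parent}")
    return None


def hunt(events):
    """Return {host: [findings]} for hosts whose findings show #1 before #7."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            per_host[ev["host"]].append(hit)
    alerts = {}
    for host, hits in per_host.items():
        clusters = [c for c, _ in hits]
        if "#1" in clusters and "#7" in clusters[clusters.index("#1"):]:
            alerts[host] = hits
    return alerts


# Constructed sample telemetry (Sysmon-style fields), not data from the report.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "vm-app01", "parent_image": r"C:\Packages\Plugins\RunCommandExtension.exe",
     "image": r"C:\Windows\System32\nltest.exe", "command_line": "nltest /dclist:corp.example"},
    {"ts": 2, "host": "vm-app01", "parent_image": r"C:\Packages\Plugins\RunCommandExtension.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe", "command_line": "wmic product get name, version"},
    {"ts": 3, "host": "vm-app01", "parent_image": r"C:\Packages\Plugins\RunCommandExtension.exe",
     "image": r"C:\Windows\System32\net1.exe", "command_line": "net1 user svc_backup Passw0rd! /add"},
    {"ts": 4, "host": "vm-app01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\chrome.exe", "original_file_name": "fleetdeck_agent.exe",
     "command_line": "chrome.exe"},
    # Benign noise: an admin session and the real browser.
    {"ts": 5, "host": "ws-admin07", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nltest.exe", "command_line": "nltest /dclist:corp.example"},
    {"ts": 6, "host": "ws-admin07", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "original_file_name": "chrome.exe", "command_line": "chrome.exe"},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, " -> ".join(c for c, _ in hits))
        for cluster, reason in hits:
            print(f"  {cluster}: {reason}")
```

On the sample, vm-app01 produces the sequence #1, #1, #1, #7 and is alerted; ws-admin07 runs the same nltest command from an interactive cmd.exe and a genuine chrome.exe, and is silent. The OriginalFileName check is the cheap version of RMM baselining: it does not care what the attacker named the file, only what the binary says about itself, which is why an allow-list keyed on those values holds up better than one keyed on paths.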

FAMOUS CHOLLIMA 100+ Companies Target Case (Page 19)

Attack Path: #9 → #1 → #7 → #4

Granular Step-by-Step Forensic Analysis:

  • #9 Social Engineering: Deceived corporate hiring processes with falsified/stolen identity documents to secure legitimate remote IT positions
  • #1 Abuse of Functions: As provisioned employee, abused legitimate access to corporate systems using Git, SharePoint, and OneDrive for unauthorized data exfiltration attempts
  • #7 Malware: Installed suite of legitimate RMM tools for covert C2: RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, Chrome Remote Desktop
  • #4 Identity Theft: Leveraged RMM tools with stolen/provisioned company credentials to connect remotely from external IPs, impersonating legitimate employee outside expected context

HORDE PANDA Activity Case (Page 24)

Attack Path: #4 → #1 → #7 (the order in which the report narrates this case; where the implants already sit on the host driving the DCSync activity, the mapping above gives #4 → #7 → #1)

Granular Step-by-Step Forensic Analysis:

  • #4 Identity Theft: Initial access via multiple previously compromised user identities authenticating to network via VPN
  • #1 Abuse of Functions: Abused core AD replication feature with DCSync attack, impersonating domain controller to request password data without executing foreign code on DC
  • #7 Malware: Deployed custom implants LuaPlug and KEYPLUG using DLL side-loading technique, where legitimate executable loads malicious DLL

PUNK SPIDER Hunting Case (Page 37)

Attack Path: #2 → #4 → #1 → #7

Granular Step-by-Step Forensic Analysis:

  • #2 Exploiting Server: Exploited CVE-2024-3400 in unmanaged, public-facing Palo Alto GlobalProtect VPN appliance
  • #4 Identity Theft: Used compromised service account to authenticate and move laterally via RDP
  • #1 Abuse of Functions: Added compromised accounts to ESX Admins AD group for privileged virtual infrastructure access
  • #7 Malware: Rapid succession of tools:
    • Reconnaissance: SharpShares, Invoke-ShareFinder.ps1
    • Staging & Exfiltration: WinRAR for archival, FileZilla for data theft
    • Final Payload: Akira ransomware execution
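Both the HORDE PANDA and PUNK SPIDER cases turn on #1 Abuse of Functions inside Active Directory, and all of it leaves artifacts a defender already collects: DCSync shows up as Security Event ID 4662 with the replication control-access rights in the Properties field, the "ESX Admins" change as a 4728/4732 group-membership event, and the LAPS/unconstrained-delegation hunting as LDAP filters and attribute lists. The triage below is an added example (not the report's or CrowdStrike's detection logic) that runs those three checks over constructed events; the replication GUIDs and the userAccountControl bit are the documented AD values, while the expected-replicator accounts, group list and every sample event are assumptions to be adjusted to your own forest.

```python
"""Hunt for TLCTC #1 Abuse of Functions against Active Directory, covering
the HORDE PANDA and PUNK SPIDER cases above: DCSync through the replication
control-access rights (Security Event ID 4662), LDAP discovery of LAPS
passwords and unconstrained delegation, and membership changes to
virtualization-admin groups such as "ESX Admins" (Event IDs 4728/4732).
Added example; all events below are constructed."""
import re
from collections import Counter

# Extended-right GUIDs a DCSync caller must hold (documented AD control-access rights).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Assumption: the only principals expected to replicate are the DC computer
# accounts and the directory-sync service account; adjust to your forest.
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync"}

# Groups whose membership changes warrant a finding. "ESX Admins" is the
# group named in the PUNK SPIDER case.
SENSITIVE_GROUPS = {"esx admins", "domain admins", "enterprise admins", "administrators"}

# userAccountControl bit 0x80000 (524288) = TRUSTED_FOR_DELEGATION.
UNCONSTRAINED_DELEGATION_FILTER = "useraccountcontrol:1.2.840.113556.1.4.803:=524288"
# Legacy LAPS and Windows LAPS password attributes.
LAPS_ATTRIBUTES = {"ms-mcs-admpwd", "mslaps-password", "mslaps-encryptedpassword"}


def check_dcsync(event):
    """4662 where a non-replicator exercises a replication control-access right."""
    if event.get("event_id") != 4662:
        return None
    rights = set(GUID_RE.findall(event.get("properties", "").lower()))
    if not rights & REPLICATION_RIGHTS or event["subject"] in EXPECTED_REPLICATORS:
        return None
    return "DCSync-style replication request (correlate with the 4624 logon for source IP)"


def check_group_change(event):
    """4728 (global) / 4732 (local) member added to a sensitive group."""
    if event.get("event_id") not in (4728, 4732):
        return None
    if event["group"].lower() in SENSITIVE_GROUPS:
        return f"{event['member']} added to {event['group']}"
    return None


def check_ldap(event):
    """LDAP query telemetry (e.g. from an EDR sensor or DC-side LDAP logging)."""
    if event.get("kind") != "ldap":
        return None
    ldap_filter = event.get("filter", "").lower()
    attrs = {a.lower() for a in event.get("attributes", [])}
    if UNCONSTRAINED_DELEGATION_FILTER in ldap_filter:
        return "unconstrained-delegation discovery via LDAP"
    if attrs & LAPS_ATTRIBUTES:
        return f"LAPS password attribute(s) requested: {', '.join(sorted(attrs & LAPS_ATTRIBUTES))}"
    return None


CHECKS = (check_dcsync, check_group_change, check_ldap)


def triage(events):
    """Return one finding per matching event: (cluster, subject, reason)."""
    findings = []
    for ev in events:
        for check in CHECKS:
            reason = check(ev)
            if reason:
                findings.append(("#1", ev["subject"], reason))
                break
    return findings


def subjects_by_findings(findings):
    """Rank principals by how many AD-abuse findings they generated."""
    return Counter(subject for _, subject, _ in findings).most_common()


# Constructed sample telemetry, not data from the report.
SAMPLE_EVENTS = [
    {"event_id": 4662, "subject": "DC02$",
     "properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},            # normal replication
    {"event_id": 4662, "subject": "j.doe",
     "properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4728, "subject": "svc_vpn", "member": "CORP\\j.doe", "group": "ESX Admins"},
    {"event_id": 4728, "subject": "hr.admin", "member": "CORP\\new.hire", "group": "Marketing"},
    {"kind": "ldap", "subject": "svc_vpn",
     "filter": "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))",
     "attributes": ["sAMAccountName", "dNSHostName"]},
    {"kind": "ldap", "subject": "j.doe", "filter": "(objectClass=computer)",
     "attributes": ["ms-Mcs-AdmPwd", "msLAPS-Password"]},
    {"kind": "ldap", "subject": "helpdesk", "filter": "(sAMAccountName=new.hire)", "attributes": ["mail"]},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for cluster, subject, reason in found:
        print(f"{cluster} {subject}: {reason}")
    print("ranking:", subjects_by_findings(found))
```

The sample yields four findings, two each for j.doe and svc_vpn, while the DC's own replication, the Marketing group change and the helpdesk lookup stay quiet. Two practical caveats: 4662 carries no client address, so the source of a DCSync has to come from the matching 4624 logon on the DC, and the Properties field needs the audit policy for Directory Service Access enabled and a SACL on the domain object, or the event is never written.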

Key Insights from TLCTC Analysis

The TLCTC framework reveals several critical patterns in the CrowdStrike 2024 Threat Hunting Report that traditional threat intelligence approaches might miss:

  • Identity-Centric Attack Chains: Nearly all major threat actors leverage #4 Identity Theft as a critical pivot point, emphasizing the need for robust identity security controls.
  • RMM as Universal Persistence: The explosive growth in RMM usage maps consistently to #7 Malware in dual-use scenarios, requiring new detection approaches that account for legitimate business usage.
  • Function Abuse Over Exploitation: Advanced threat actors increasingly rely on #1 Abuse of Functions rather than traditional exploits, leveraging legitimate cloud APIs, AD functions, and system features.
  • Social Engineering Evolution: #9 Social Engineering has evolved beyond simple phishing into multi-stage deception campaigns, including fake personas, staged contact-form and calendar lures, and fraudulent hiring of operatives as remote employees.

This TLCTC analysis demonstrates how a unified threat taxonomy can reveal strategic patterns across diverse threat actors, enabling organizations to prioritize defenses based on actual attack sequences rather than isolated techniques. The standardized attack path notation provides security operations teams with a common language for threat hunting, incident response, and strategic risk communication.

Organizations can use these TLCTC mappings to align their detection strategies, focusing on the critical transition points where threat actors move between clusters, particularly the common patterns of #9 → #4 and #4 → #1 that appear across multiple threat actors in the report.