
CrowdStrike 2025 Threat Hunting Report: A TLCTC Analysis

Analysis Through the TLCTC Framework Lens: From "Enterprising Adversaries" to Velocity-Based Defense.

Bernhard Kreinz
Executive Summary

This analysis applies the Top Level Cyber Threat Clusters (TLCTC) v2.0 framework to CrowdStrike's 2025 Threat Hunting Report, translating their operational findings into cause-based threat classification. The TLCTC framework provides a "Rosetta Stone" for cyber risk by classifying threats according to the generic vulnerability exploited, not outcomes like "ransomware" or "data breach."

Key TLCTC Findings

  • Cluster Distribution: The report reveals a threat landscape dominated by bridge clusters (#9 Social Engineering, #10 Supply Chain Attack) as initial vectors, rapidly transitioning to #4 Identity Theft and #1 Abuse of Functions.
  • The 81% malware-free statistic indicates adversaries are increasingly bypassing #7 Malware entirely.
  • Attack Velocity: SCATTERED SPIDER's 24-hour attack-to-ransomware timeline represents VC-2/VC-3 class velocity (Tactical/Operational), requiring automated detection and response.
  • The transition from #9→#4 occurs in under 5 minutes in documented cases.
  • Cross-Domain Operations: All major threat actors demonstrate multi-cluster attack paths crossing responsibility sphere boundaries, particularly @Org(Identity)→@Org(Cloud)→@Org(OnPrem) traversals that exploit identity-to-cloud-to-endpoint trust relationships.

TLCTC Framework Reference

The 10 Top Level Cyber Threat Clusters classify attacks by the generic vulnerability initially exploited. This cause-based taxonomy prevents the conflation of threats with outcomes that plagues traditional cybersecurity language.

#   | Cluster Name        | Generic Vulnerability Exploited
#1  | Abuse of Functions  | Legitimate functions can be invoked for unintended purposes
#2  | Exploiting Server   | Server-role components have implementation flaws exploitable by clients
#3  | Exploiting Client   | Client-role components have implementation flaws exploitable by servers
#4  | Identity Theft      | Access-enabling identity artifacts can be stolen and abused
#5  | Man in the Middle   | Communication channels can be intercepted or modified
#6  | Flooding Attack     | Resources can be exhausted through volume/intensity
#7  | Malware             | Designed execution capability allows foreign executable content
#8  | Physical Attack     | Physical access enables manipulation of assets (Bridge Cluster)
#9  | Social Engineering  | Humans can be influenced into unsafe actions (Bridge Cluster)
#10 | Supply Chain Attack | Trust in third-party components can be subverted (Bridge Cluster)

Threat Landscape Cluster Distribution

The CrowdStrike report's findings map to a clear TLCTC cluster distribution pattern. The 81% malware-free intrusion statistic is particularly significant from a TLCTC perspective: it demonstrates adversary preference for #4 Identity Theft and #1 Abuse of Functions over #7 Malware.

[Figure 1 image, "2025 Primary Attack Vectors (TLCTC Mapping)": four panels, #9 Social Engineering (dominant initial vector, H1 2025 > all of 2024); #4 Identity Theft (81% malware-free, central pivot); #2 Exploiting Server (52% of 2024 CVEs); #10 Supply Chain (trusted relationships). Source: CrowdStrike 2025 Threat Hunting Report data.]
Figure 1: Primary Attack Vectors based on CrowdStrike 2025 Findings

Primary Attack Vectors (Initial Clusters)

Initial Cluster         | CrowdStrike Finding                   | 2025 Trend
#9 Social Engineering   | "Vishing, help desk attacks"          | H1 2025 already exceeded all 2024 volume
#2 Exploiting Server    | 52% of 2024 CVEs were initial access  | "Zero-days: Cleo, Cisco IOS, edge devices"
#10 Supply Chain Attack | MURKY PANDA trusted relationships     | Third-party → Entra ID tenant access
#4 Identity Theft       | 81% malware-free intrusions           | Credential harvesting dominant post-initial-access

Case Study: Attack Path Analysis

The following attack paths use TLCTC notation including velocity (Δt), domain boundary operators (||...||), and Data Risk Event tags ([DRE: C/I/A]). Each path represents a documented intrusion from the CrowdStrike report.

SCATTERED SPIDER – Identity-Driven Attack

Attack Path (TLCTC Notation):

scattered_spider.tlctc
#9 ||[human][@External→@Org(HelpDesk)]|| 
    →[Δt<1m] #4 
    →[Δt=2-5m] #1 
    →[Δt=hours] #4 
    →[Δt<24h] #7 + [DRE: C, A]

Interpretation:

  • #9 (Social Engineering): Help desk vishing attack targeting password/MFA reset
  • ||[human][@External→@Org(HelpDesk)]||: Bridge cluster crossing from external attacker to organizational help desk domain
  • →[Δt<1m] #4: Account takeover within 1 minute (VC-4 Real-Time velocity)
  • →[Δt=2-5m] #1: MFA device registration, email deletion – abusing legitimate functions
  • →[Δt=hours] #4: Lateral credential theft (ntds.dit via VM hard disk attachment)
  • →[Δt<24h] #7 + [DRE: C, A]: Ransomware deployment with confidentiality and availability impact

Velocity Class: VC-3/VC-4

The initial #9→#4 transition occurs at machine-speed (<1 minute), making human response structurally insufficient. Automated controls are mandatory.
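The notation introduced above (cluster numbers, →[Δt] transitions, ||[...]|| boundary operators, [DRE] tags) can be processed mechanically. As an added example, not code from the post or the TLCTC project, the parser below turns a path such as the SCATTERED SPIDER one into ordered steps, derives a VC-1 to VC-4 velocity class from each Δt using the thresholds of this post's velocity table, and reports the defense mode the fastest transition demands. The token grammar and the Δt thresholds are my assumptions read off this page.

```python
# Added example (not from the post or the TLCTC white paper): parser for the attack-path
# notation used above. Token grammar and Δt-to-velocity-class thresholds are assumptions.
import re
# Seconds represented by the units and words seen in Δt expressions on this page.
UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400, "instant": 0,
                "hours": 3600, "days": 86400, "weeks": 604800, "months": 2592000}
DEFENSE_MODE = {1: "threat hunting, long retention", 2: "SIEM alerting, analyst triage",
                3: "SOAR/EDR automation", 4: "architecture, rate limits"}
TOKEN = re.compile(r"""(?P<cluster>\#\d+)
    |(?P<boundary>\|\|(?:\[[^\]]*\])+\|\|)
    |(?P<arrow>→(?:\[(?P<dt>[^\]]*)\])?)
    |(?P<dre>\+\s*\[DRE:\s*(?P<impact>[^\]]*)\])""", re.VERBOSE)

def velocity_class(dt):
    """Map '<1m', '2-5m', 'hours', 'days-weeks' or a literal 'VC-1' to 1..4."""
    body = re.sub(r"^Δt\s*", "", dt.strip())
    literal = re.match(r"VC-(\d)$", body.lstrip("=<>"))
    if literal:
        return int(literal.group(1))
    last = re.split(r"[<=>\-]", body)[-1].strip()          # upper bound of a range
    num, unit = re.match(r"(\d+(?:\.\d+)?)?\s*([a-z]+)$", last).groups()
    ub = float(num or 1) * UNIT_SECONDS[unit]
    if body.startswith("<"):
        ub -= 1e-9                                           # '<1m' is strictly under a minute
    return 4 if ub < 60 else 3 if ub < 3600 else 2 if ub < 86400 else 1

def parse_path(text):
    """Tokenize a path into ordered step dicts; unrecognised annotations are skipped."""
    steps, pending_dt = [], None
    for tok in TOKEN.finditer(text):
        if tok.group("cluster"):
            vc = velocity_class(pending_dt) if pending_dt else None
            steps.append({"cluster": tok.group("cluster"), "dt": pending_dt,
                          "vc": vc, "boundary": None, "dre": []})
            pending_dt = None
        elif tok.group("boundary"):                          # ||[tag][@src→@dst]||
            tags = re.findall(r"\[([^\]]*)\]", tok.group("boundary"))
            src, dst = tags[-1].split("→")
            steps[-1]["boundary"] = (tags[0] if len(tags) > 1 else None, src, dst)
        elif tok.group("arrow"):
            pending_dt = tok.group("dt")                     # None for a bare arrow
        else:                                                # + [DRE: C, I, A]
            steps[-1]["dre"] = [x.strip() for x in tok.group("impact").split(",")]
    return steps

def required_defense(steps):
    """Defense mode demanded by the fastest transition in the path (highest VC)."""
    fastest = max((s["vc"] for s in steps if s["vc"]), default=1)
    return fastest, DEFENSE_MODE[fastest]
# Constructed input: the SCATTERED SPIDER path quoted above.
SCATTERED_SPIDER = ("#9 ||[human][@External→@Org(HelpDesk)]|| →[Δt<1m] #4 "
                    "→[Δt=2-5m] #1 →[Δt=hours] #4 →[Δt<24h] #7 + [DRE: C, A]")
```

Running `required_defense(parse_path(SCATTERED_SPIDER))` yields VC-4, because the #9→#4 hop is the fastest step even though the ransomware stage sits at VC-2.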

BLOCKADE SPIDER – Cross-Domain Disruption

Attack Path (TLCTC Notation):

blockade_spider.tlctc
#2 ||[@External→@Org(VPN)]|| 
    → #4 
    → #1 ||[@Org(OnPrem)→@Org(Cloud)]|| 
    → #1 
    → #7

Interpretation:

  • #2 (Exploiting Server): Unmanaged VPN appliance exploitation (implementation flaw)
  • #4 (Identity Theft): Veeam credential dumping attempts
  • #1 (Abuse of Functions): Falcon sensor interference attempts (failed), rogue IAM agent creation
  • ||[@Org(OnPrem)→@Org(Cloud)]||: Domain boundary crossing from on-premises to Microsoft 365/cloud
  • #7 (Malware): ESXi endpoint deployment, SOCKS proxy implants (thwarted before ransomware)

Key TLCTC Insight: Detection succeeded through cross-domain correlation (Falcon Next-Gen SIEM) that unified identity, endpoint, cloud, and IAM logs. Without unified visibility, each cluster transition would appear benign in isolation.

GLACIAL PANDA – Telecommunications Targeting

glacial_panda.tlctc
#2 →[Δt=days-weeks] #4 
    →[Δt=VC-1] #1 
    →[Δt=VC-1] #7 + [DRE: C]

Interpretation:

  • #2 (Exploiting Server): CVE-2016-5195 (Dirty COW), CVE-2021-4034 (PwnKit) exploitation
  • #4 (Identity Theft): ShieldSlide trojanized OpenSSH for credential harvesting
  • #1 (Abuse of Functions): Legitimate account abuse, LOTL techniques, trojanized cron daemons
  • #7 (Malware): Reverse shell C2 (netcat, Perl scripts) with confidentiality impact

Velocity Class: VC-1 (Strategic): This "long game" approach exemplifies slow, deliberate movement with dwell times measured in weeks to months. Detection requires long log retention, cross-source correlation, and deliberate hunting.

GENESIS PANDA – Cloud Control Plane

genesis_panda.tlctc
#2 → #4 ||[@Org(VM)→@CSP(ControlPlane)]|| 
    → #1 
    → (#4 + #1) + [DRE: C]

Interpretation:

  • #2 (Exploiting Server): Initial cloud VM compromise
  • #4 (Identity Theft): IMDS credential harvesting from compromised VMs
  • ||[@Org(VM)→@CSP(ControlPlane)]||: Critical boundary crossing from VM data plane to cloud control plane
  • #1 (Abuse of Functions): Cloud control plane access, VM creation, SSH key addition, backdoor access key creation
  • (#4 + #1): Parallel identity theft and function abuse for lateral movement and persistence

Key TLCTC Insight: The 136% increase in cloud intrusions reflects adversary recognition that the @Org(VM)→@CSP(ControlPlane) boundary often lacks the monitoring density of traditional network perimeters. IMDS becomes the #4 enabler for #1 at cloud scale.

MURKY PANDA – Trusted Relationship Abuse

murky_panda.tlctc
#10 ||[trust][@Vendor(Supplier)→@Org(EntraID)]|| 
    → #4 
    → #1 
    → #2 + [DRE: C]

Interpretation:

  • #10 (Supply Chain Attack): Supplier compromise enabling victim Entra ID tenant access
  • ||[trust][@Vendor(Supplier)→@Org(EntraID)]||: Bridge cluster boundary crossing via trusted third-party relationship
  • #4 (Identity Theft): Backdoor Entra ID accounts and service principals
  • #1 (Abuse of Functions): Third-party application compromise for email access
  • #2 (Exploiting Server): Zero-day exploitation (confirmed February 2025)

Key TLCTC Insight: Supply chain attacks (#10) are bridge clusters that inherit trust relationships. The falsifiability test confirms the #10 classification: if removing the third-party trust link stops this step from succeeding, the step belongs to #10.

GRACEFUL SPIDER – Zero-Day Campaign (Cleo)

#2 [CVE-2024-55956] →[Δt=instant] #7 →[Δt<10m] [DETECTED]

Interpretation:

  • #2 (Exploiting Server): CVE-2024-55956 zero-day (patch bypass via license forgery)
  • →[Δt=instant] #7: Immediate malware execution (malicious ZIP → autorun → PowerShell shellcode → Cobalt Strike)
  • →[Δt<10m] [DETECTED]: CrowdStrike OverWatch detection within 10 minutes

Velocity Class: VC-4 (Real-Time): The #2→#7 transition was instantaneous, but detection occurred before the adversary could progress further. This demonstrates that even VC-4 velocity attacks can be contained with architectural controls and rapid detection.

FAMOUS CHOLLIMA – GenAI-Enabled Infiltration

#9 ||[human][@DPRK→@Org(HR)]|| 
    →[Δt=weeks] #4 ||[@External→@Org(Internal)]|| 
    →[Δt=months] #1 + [DRE: C]

Interpretation:

  • #9 (Social Engineering): GenAI-powered résumés, deepfake interviews, synthetic identity creation (320+ companies infiltrated)
  • ||[human][@DPRK→@Org(HR)]||: Bridge cluster crossing from nation-state actor to organizational HR/hiring process
  • #4 (Identity Theft): Legitimate employee identity acquisition through fraudulent hiring
  • ||[@External→@Org(Internal)]||: Boundary crossing from external applicant to internal employee status
  • #1 (Abuse of Functions): Legitimate employee access abuse, multi-job workflow management, code repository access

Velocity Class: VC-1 (Strategic): This insider threat pattern operates at strategic timescales (weeks to months) but achieves deep persistence. GenAI enhances #9 effectiveness at scale (220% increase in infiltrations).

Attack Velocity Analysis

TLCTC v2.0 defines four velocity classes that determine feasible defensive response modes. The CrowdStrike report provides concrete Δt measurements that inform control design.

Velocity Class    | Δt Scale      | CrowdStrike Example           | Defense Mode
VC-1: Strategic   | Days → Months | GLACIAL PANDA dwell time      | Threat hunting, long retention
VC-2: Tactical    | Hours         | SCATTERED SPIDER 24h timeline | SIEM alerting, analyst triage
VC-3: Operational | Minutes       | MFA registration in 2-5 min   | SOAR/EDR automation
VC-4: Real-Time   | Seconds → ms  | Account takeover <1 min       | Architecture, rate limits

Key Velocity Finding

SCATTERED SPIDER's improvement from 35.5 hours (2024) to 24 hours (2025) represents a 32% velocity acceleration. From a TLCTC perspective, this compresses the VC-2 (Tactical) window, pushing more attack phases into VC-3 (Operational) territory where human response becomes insufficient. Organizations must shift control investment toward automated detection and response (SOAR, EDR) and architectural hardening (MFA, JIT access).

TLCTC Cluster Trend Analysis

Cluster #9 (Social Engineering) – Dominant Initial Vector

The vishing surge (H1 2025 exceeding all of 2024) confirms #9 as the preferred bridge cluster for initial access. This aligns with the "Enterprising Adversary Era" theme: social engineering scales efficiently and bypasses technical controls.

  • Help desk targeting exploits human trust in organizational processes
  • GenAI enhancement (FAMOUS CHOLLIMA) increases #9 velocity and scale
  • Primary downstream path: #9 → #4 → #1 (social engineering → identity theft → function abuse)

Cluster #4 (Identity Theft) – Central Pivot Cluster

The 81% malware-free statistic demonstrates that #4 has become the central pivot cluster in modern attack paths. Adversaries prefer credential theft (#4) over malware (#7) because:

  • Legitimate credential use evades signature-based detection
  • Identity artifacts enable immediate #1 (Abuse of Functions)
  • Cloud environments (136% increase) are identity-first by design

Cluster #1 (Abuse of Functions) – Post-Access Dominance

Living-off-the-Land (LOTL) techniques represent #1 in its purest form: attackers invoke legitimate system functions for unintended purposes. The CrowdStrike findings show #1 as the most common post-access cluster:

  • Cloud control plane abuse (GENESIS PANDA): #4 → #1
  • IAM agent creation (BLOCKADE SPIDER): #4 → #1
  • Legitimate admin tool abuse: PowerShell, WMI, RDP

Cluster #2 (Exploiting Server) – Zero-Day Persistence

Despite the shift to identity-based attacks, #2 remains critical for initial access against hardened targets:

  • 52% of 2024 CVEs related to initial access
  • Zero-day campaigns: Cleo (GRACEFUL SPIDER), Cisco IOS (OPERATOR PANDA)
  • Edge device exploitation as preferred #2 entry point

Cluster #10 (Supply Chain Attack) – Sophisticated Boundary Crossing

MURKY PANDA's trusted relationship abuse exemplifies sophisticated #10 usage. The supply chain vector enables boundary crossing that inherits victim trust relationships. The domain boundary operator ||[trust][@Vendor→@Org]|| captures this precisely: the attacker leverages pre-established trust rather than creating new access paths.

TLCTC-Informed Recommendations

The following recommendations map CrowdStrike's guidance to TLCTC control objectives. Each recommendation addresses specific clusters and velocity classes.

Cluster #9 Controls (Social Engineering Prevention)

Deploy phishing-resistant MFA (hardware keys) to break the #9→#4 transition. User education must specifically address vishing and help desk social engineering. Implement verification procedures that resist real-time manipulation.

Cluster #4 Controls (Identity Theft Prevention)

Identity threat detection must span on-premises, cloud, and SaaS domains. Implement JIT access to reduce standing privilege exposure. Monitor for anomalous authentication patterns (time, location, user agent) and MFA device enrollment. Protect IMDS endpoints in cloud environments.
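One concrete form of the MFA-enrollment monitoring recommended here, and of the #9→#4→#1 help-desk pattern described in the SCATTERED SPIDER case, is a sequence rule: a help-desk credential reset followed within minutes by a new MFA device (and further function abuse such as mailbox rules) on the same account. The detection below is an added example, not CrowdStrike's or the post's code; the event shape, field names and sample events are constructed assumptions that would need mapping onto a real identity provider's audit log.

```python
# Added example (not from the post or CrowdStrike): detect the #9 -> #4 -> #1 chain of a
# help-desk reset followed by MFA enrolment within minutes. Event fields are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (UTC), loosely following the SCATTERED SPIDER timeline.
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "jdoe", "action": "helpdesk_password_reset", "actor": "helpdesk01"},
    {"ts": "2025-06-01T09:00:40", "user": "jdoe", "action": "login", "ip": "203.0.113.7"},
    {"ts": "2025-06-01T09:03:10", "user": "jdoe", "action": "mfa_device_registered", "ip": "203.0.113.7"},
    {"ts": "2025-06-01T09:04:00", "user": "jdoe", "action": "mail_rule_created", "ip": "203.0.113.7"},
    {"ts": "2025-06-01T10:00:00", "user": "asmith", "action": "helpdesk_password_reset", "actor": "helpdesk02"},
    {"ts": "2025-06-02T11:30:00", "user": "asmith", "action": "mfa_device_registered", "ip": "198.51.100.9"},
]
# Follow-on actions treated as #1 Abuse of Functions once the identity (#4) is taken over.
FOLLOW_ON = {"mfa_device_registered", "mail_rule_created", "mail_deleted"}

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def detect_reset_chains(events, window=timedelta(minutes=10)):
    """Return one alert per help-desk reset that is followed by MFA enrolment on the
    same account inside `window`; the alert carries the whole follow-on chain."""
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["user"]].append(event)
    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["action"] != "helpdesk_password_reset":
                continue
            chain = [e for e in evs[i + 1:]
                     if e["action"] in FOLLOW_ON and _ts(e) - _ts(reset) <= window]
            mfa = [e for e in chain if e["action"] == "mfa_device_registered"]
            if mfa:   # asmith's enrolment a day later falls outside the window: no alert
                alerts.append({"user": user, "reset_by": reset["actor"],
                               "seconds_to_mfa": (_ts(mfa[0]) - _ts(reset)).total_seconds(),
                               "chain": [e["action"] for e in chain]})
    return alerts
```

The 190-second gap the rule reports for jdoe sits in the VC-3 band, which is the argument for wiring this alert to automated containment rather than a ticket queue.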

Cluster #1 Controls (Function Abuse Prevention)

Behavioral analytics must detect legitimate tool abuse (LOTL). Cloud control plane monitoring is essential for GENESIS PANDA-style attacks. Implement least-privilege access models and monitor for privilege escalation patterns.

Cluster #2 Controls (Server Exploitation Prevention)

Prioritize patching for internet-facing services (52% of CVEs). Implement vulnerability management with AI-powered prioritization. Monitor for exploit chain patterns and zero-day post-exploitation behaviors. Ensure edge devices and VPN appliances are managed and monitored.

Cluster #10 Controls (Supply Chain Protection)

Audit third-party access to identity systems (Entra ID, service principals). Implement conditional access policies for external partner access. Monitor for anomalous third-party application behavior. Review trust relationships and access grants regularly.

Cross-Domain Visibility (All Clusters)

Deploy XDR and next-gen SIEM for unified visibility across endpoint, identity, cloud, and network device telemetry. Cross-domain correlation is essential for detecting BLOCKADE SPIDER-style attacks that appear benign in isolation. Enable agentic AI for alert triage at VC-3/VC-4 velocity.

Velocity-Appropriate Response (VC-3/VC-4 Automation)

Human response is structurally insufficient for VC-3 (minutes) and VC-4 (seconds) transitions. Invest in automated containment (SOAR, EDR), architectural controls (rate limits, circuit breakers), and hardening measures that prevent progression regardless of detection speed.

Conclusion

The CrowdStrike 2025 Threat Hunting Report, analyzed through the TLCTC framework lens, reveals a threat landscape defined by:

  • Bridge cluster dominance: #9 (Social Engineering) and #10 (Supply Chain Attack) as preferred initial vectors that bypass technical security controls
  • Identity-centric attack paths: #4 (Identity Theft) → #1 (Abuse of Functions) as the dominant post-access pattern, explaining the 81% malware-free statistic
  • Accelerating velocity: Attack timelines compressing from VC-2 (Tactical/hours) toward VC-3 (Operational/minutes), requiring automated response
  • Cross-domain operations: Adversaries exploiting identity-cloud-endpoint trust relationships across responsibility sphere boundaries

The TLCTC framework provides the semantic precision needed to classify these threats by cause rather than outcome. This enables:

  • Comparable incident learning across organizations and sectors
  • Targeted control design mapped to specific generic vulnerabilities
  • Risk appetite discussions anchored in cluster-level exposure
  • Velocity-aware response mode selection (VC-1 through VC-4)

As adversaries become more "enterprising" in their approach, defenders need a common language that transcends vendor-specific terminology and outcome-based categorization. TLCTC provides that foundation—the "Rosetta Stone" for translating between strategic risk management and operational security operations.

References

  1. CrowdStrike 2025 Threat Hunting Report
  2. Kreinz, B. Top Level Cyber Threat Clusters (TLCTC), White Paper V2.0