Defence Impairment Olympics
Essential information
- Published: 30/06/2026 04:01
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: coldfusion exploitation credential dumping cve-2023-26360 cve-2023-29298 cve-2023-29300 defence evasion defence impairment iis server mimikatz steganography timestomping wdigest webshell
- Related entities: 3 vulnerabilities (cve), 6 indicators, 1 malware
Description
A sophisticated attack sequence was detected beginning June 7, involving a steganographically hidden webshell on a vulnerable Adobe ColdFusion server. The threat actor ran extensive enumeration commands before deploying approximately a dozen defence impairment techniques. These included disabling IIS logging, tampering with Microsoft Defender, timestomping file metadata, killing the Sysmon and Filebeat processes, uninstalling the ModSecurity WAF, downgrading WDigest credential protection, and using a WMI Event Consumer to clear Windows Event Logs. A batch script named i.bat revealed the complete attack chain, culminating in Mimikatz credential dumping. The attack persisted through multiple remediation attempts because the vulnerable server was reconnected before patching was complete, allowing the threat actor to retain access and continue operations over several days.
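The value of this report for a defender is that the impairment steps arrived in a burst from one parent process (the i.bat batch). The following added example, which is not code from the report or from AlienVault, shows a triage pass over process-creation telemetry: each command line is matched against signatures for the technique categories the description names, hits are grouped by parent process, and any parent that exhibits several distinct categories is flagged. The telemetry records, field names (`id`, `parent`, `cmdline`), signature regexes and the threshold are all constructed assumptions for illustration; the sample command lines are generic shapes of the named techniques, not strings taken from the report.

```python
import re
from collections import defaultdict

# Signatures for the defence-impairment categories the report lists. These are
# constructed, illustrative patterns; a production ruleset would be broader.
TECHNIQUE_PATTERNS = {
    "disable_iis_logging": re.compile(r"appcmd.*httpLogging.*dontLog:?\s*true", re.I),
    "tamper_defender":     re.compile(r"Set-MpPreference.*-Disable\w+", re.I),
    "kill_sensor":         re.compile(r"(taskkill|sc\s+stop|Stop-Service).*(sysmon|filebeat)", re.I),
    "uninstall_waf":       re.compile(r"msiexec.*/x.*modsecurity", re.I),
    "wdigest_downgrade":   re.compile(r"reg\s+add.*WDigest.*UseLogonCredential.*\b1\b", re.I),
    "clear_event_logs":    re.compile(r"wevtutil\s+cl\b|Clear-EventLog", re.I),
    "timestomp":           re.compile(r"\.(LastWriteTime|CreationTime|LastAccessTime)\s*=", re.I),
    "credential_dump":     re.compile(r"sekurlsa::|mimikatz", re.I),
}

# Constructed process-creation records (not telemetry from the incident). The
# first nine share a parent resembling the batch script; the rest are benign noise.
SAMPLE_EVENTS = [
    {"id": 1,  "parent": "cmd.exe /c i.bat", "cmdline": r"whoami /all"},
    {"id": 2,  "parent": "cmd.exe /c i.bat", "cmdline": r"C:\Windows\System32\inetsrv\appcmd.exe set config /section:httpLogging /dontLog:True"},
    {"id": 3,  "parent": "cmd.exe /c i.bat", "cmdline": r"powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 4,  "parent": "cmd.exe /c i.bat", "cmdline": r"taskkill /F /IM Sysmon64.exe"},
    {"id": 5,  "parent": "cmd.exe /c i.bat", "cmdline": r"sc stop filebeat"},
    {"id": 6,  "parent": "cmd.exe /c i.bat", "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"id": 7,  "parent": "cmd.exe /c i.bat", "cmdline": r"wevtutil cl Security"},
    {"id": 8,  "parent": "cmd.exe /c i.bat", "cmdline": r"powershell -c (Get-Item C:\inetpub\wwwroot\img.png).LastWriteTime='2019-03-01'"},
    {"id": 9,  "parent": "cmd.exe /c i.bat", "cmdline": r"mimikatz.exe sekurlsa::logonpasswords exit"},
    {"id": 10, "parent": "explorer.exe",     "cmdline": r"notepad.exe C:\Users\admin\notes.txt"},
    {"id": 11, "parent": "services.exe",     "cmdline": r"sc stop Spooler"},
]


def classify(cmdline):
    """Return the set of technique names whose signature matches this command line."""
    return {name for name, pattern in TECHNIQUE_PATTERNS.items() if pattern.search(cmdline)}


def triage(events, threshold=3):
    """Group hits by parent process and keep parents showing >= threshold distinct techniques.

    A single hit (e.g. an admin stopping a service) is weak evidence; several
    different impairment categories under one parent is the burst pattern the
    report describes.
    """
    by_parent = defaultdict(lambda: {"techniques": set(), "event_ids": []})
    for event in events:
        hits = classify(event["cmdline"])
        if hits:
            entry = by_parent[event["parent"]]
            entry["techniques"] |= hits
            entry["event_ids"].append(event["id"])
    return {parent: entry for parent, entry in by_parent.items()
            if len(entry["techniques"]) >= threshold}


if __name__ == "__main__":
    for parent, entry in triage(SAMPLE_EVENTS).items():
        print(f"ALERT parent={parent!r} techniques={sorted(entry['techniques'])} events={entry['event_ids']}")
```

Run stand-alone, the script flags only the batch-script parent, with seven of the eight categories present (the WAF uninstall signature has no matching sample line). The `threshold` is the knob to tune against your own baseline: the lone `sc stop Spooler` under a system parent never reaches it, while the grouped burst does even if individual signatures are noisy on their own.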