{
  "name": "Defence Impairment Olympics",
  "slug": "defence-impairment-olympics",
  "description": "A sophisticated attack sequence was detected beginning June 7, involving a steganographically hidden webshell on a vulnerable Adobe ColdFusion server. The threat actor ran extensive enumeration commands before deploying approximately a dozen defence impairment techniques. These included disabling IIS logging, tampering with Microsoft Defender, timestomping file metadata, killing the Sysmon and Filebeat processes, uninstalling the ModSecurity WAF, downgrading WDigest credential protection (which allows cleartext credentials to be cached in memory, the prerequisite for the later Mimikatz dump), and using a WMI event consumer to clear Windows Event Logs. A batch script named i.bat revealed the complete attack chain, culminating in credential dumping with Mimikatz. The intrusion survived multiple remediation attempts because the vulnerable server was reconnected to the network before patching was complete, allowing the threat actor to retain access and continue operating for several days.",
  "published": "2026-06-30T02:01:09.619000+00:00",
  "created_at": "2026-06-30T13:57:56.194000+00:00",
  "modified_at": null,
  "created_at_opencti": "2026-06-30T13:57:56.194000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "coldfusion exploitation",
    "credential dumping",
    "cve-2023-26360",
    "cve-2023-29298",
    "cve-2023-29300",
    "defence evasion",
    "defence impairment",
    "iis server",
    "mimikatz",
    "steganography",
    "timestomping",
    "wdigest",
    "webshell"
  ],
  "tags": [],
  "related_entities": {
    "vulnerabilities": [
      {
        "id": "537c6437-5768-496f-a9d7-1504e8155ff8",
        "name": "CVE-2023-26360"
      },
      {
        "id": "35da99e5-9240-469a-bcf7-a751192df295",
        "name": "CVE-2023-29300"
      },
      {
        "id": "f1cdf534-463f-4e43-b833-1902837b5ae5",
        "name": "CVE-2023-29298"
      }
    ],
    "indicators": [
      {
        "id": "3bf2d40f-ffe2-4acb-badd-5dec3a7f73d6",
        "name": "f0ff36ecdc843351913dbfbd9122b62563894936ff64215a7a2f89181ebdb57f"
      },
      {
        "id": "0bf7c224-68a6-4276-9493-c153a6432519",
        "name": "40859ede262098086962ab00c89f02452aa9941c88c7f4ac002db166179980c6"
      },
      {
        "id": "b47396ef-1502-4600-83d3-10545973c4fd",
        "name": "bd74a00f4d2ec3bf50d13ddf324bb368b2464d547abd0c572ef5e2f77943a920"
      },
      {
        "id": "c4e16043-9c3a-4426-8e04-806003b78acb",
        "name": "793768ce4fadab044c7502ea5ec4d8e1569283f289dfd73419e119f32d56d0f3"
      },
      {
        "id": "33208150-c975-42d3-8a28-3f5b69018d77",
        "name": "f63d293e117cae1d0a6c24359fc1361a9dc48178049cc6491051b09268c8c39c"
      },
      {
        "id": "98dab034-2c7f-44b9-ad73-b3653f8ea9b9",
        "name": "94cd18f3f030fcc9b259dc410b17ea72a1f9800ee654f8e0f07a87bb9443b593"
      }
    ],
    "malware": [
      {
        "id": "dce99d4d-6307-4cd3-9554-4caa32be8459",
        "name": "Mimikatz",
        "slug": "mimikatz"
      }
    ]
  },
  "external_refs": [
    {
      "id": "a588e172-8a6c-4a99-9ca8-acbd201f5e82",
      "standard_id": "external-reference--69d3db4a-6a6b-514b-bfc3-a653da5f37b4",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.huntress.com/blog/mimikatz-credential-dumping-defence-impairment",
      "hash": null,
      "external_id": null,
      "created": "2026-06-30T13:57:56.155Z",
      "modified": "2026-06-30T13:57:56.155Z",
      "createdById": null
    },
    {
      "id": "5af8851e-adf5-4ece-b4bd-d52f07442798",
      "standard_id": "external-reference--e6390335-d4da-5a35-a5ce-b8cb242bf602",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a4323652af5f050747cd53a",
      "hash": null,
      "external_id": "6a4323652af5f050747cd53a",
      "created": "2026-06-30T13:57:56.127Z",
      "modified": "2026-06-30T13:57:56.127Z",
      "createdById": null
    }
  ]
}