
Initial access techniques used by Iran-based threat actors

Iranian-linked threat actors consistently rely on a core set of cheap, repeatable initial access techniques: social engineering, rapid exploitation of known vulnerabilities in public-facing systems, and credential abuse. They frequently use legitimate RMM tools and trusted cloud services to establish persistence and evade detection, which underlines the need for strong identity controls, prompt patching of perimeter devices, and hardening of external-facing services.

Confidence: high | Analyzed: 2026-03-13 | Type: reports

Authors: Sophos Counter Threat Unit Research Team

Actors: Iranian-linked threat groups; Cyber Av3ngers

Source: Sophos

Key Takeaways

  • Iranian threat actors heavily rely on cost-effective, repeatable initial access techniques like phishing, password spraying, and exploiting public-facing applications.
  • Phishing campaigns often involve multistep rapport-building and host payloads on trusted cloud services like OneDrive and Google Drive.
  • Threat actors rapidly adopt public exploit code for vulnerabilities in perimeter systems, notably Fortinet FortiOS, Microsoft Exchange Server, and VMware Horizon (via Log4Shell).
  • Legitimate RMM tools (e.g., ScreenConnect, Atera, PDQ) are frequently abused to gain remote execution capabilities without deploying custom malware.
  • Default and weak credentials remain a significant risk, particularly for exposed ICS/OT systems like Unitronics PLCs targeted by groups like Cyber Av3ngers.

Affected Systems

  • Fortinet FortiOS
  • Microsoft Exchange Server
  • VMware Horizon
  • Microsoft 365 / Entra ID
  • ICS/OT systems (Unitronics PLCs)

Vulnerabilities (CVEs)

  • CVE-2018-13379 (Fortinet FortiOS SSL VPN path traversal, credential file disclosure)
  • CVE-2019-5591 (Fortinet FortiOS default-configuration LDAP server impersonation)
  • CVE-2020-12812 (Fortinet FortiOS SSL VPN two-factor authentication bypass)
  • CVE-2021-34473 (Microsoft Exchange Server, ProxyShell pre-authentication path confusion)
  • CVE-2021-26855 (Microsoft Exchange Server, ProxyLogon server-side request forgery)
  • CVE-2021-26857 (Microsoft Exchange Server, Unified Messaging insecure deserialization)
  • CVE-2021-26858 (Microsoft Exchange Server, post-authentication arbitrary file write)
  • CVE-2021-27065 (Microsoft Exchange Server, post-authentication arbitrary file write)
  • CVE-2021-44228 (Apache Log4j 2, Log4Shell; exploited against VMware Horizon)

Attack Chain

Intrusions typically begin with phishing, password spraying, or the exploitation of unpatched public-facing applications. Once initial access is achieved, threat actors often deploy web shells or install legitimate RMM tools (like ScreenConnect or Atera) to establish persistent remote access. From this foothold, they pivot deeper into the internal network, utilizing compromised credentials to access cloud services, VPNs, or RDP endpoints, effectively blending in with legitimate administrative traffic.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides a strategic overview of techniques and behaviors but does not include specific detection rules or queries.

Detection Engineering Assessment

EDR Visibility: Medium. Threat actors heavily rely on legitimate RMM tools and valid accounts, which blend in with normal administrative activity and reduce EDR efficacy unless behavioral detections are tuned.

Network Visibility: Medium. Network sensors can detect exploit attempts against perimeter devices, but post-compromise traffic typically uses encrypted channels (VPN, RDP, HTTPS to cloud services) with valid credentials.

Detection Difficulty: Moderate. The reliance on Living-off-the-Land (LotL) techniques, valid credentials, and legitimate RMM tools makes it hard to distinguish malicious activity from legitimate administrative tasks.

Required Log Sources

  • Web Server Logs
  • VPN/Firewall Logs
  • Authentication Logs (Entra ID/Active Directory)
  • Endpoint Process Execution Logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
--- | --- | --- | ---
Unexpected installations or executions of RMM tools (ScreenConnect, Atera, etc.) originating from non-administrative user contexts or unusual parent processes (e.g., browsers, Office apps). | Endpoint Process Logs | Persistence / C2 | Medium
High-volume authentication failures across many accounts followed by a successful login from the same source IP, indicating password spraying. | Authentication Logs | Initial Access | Low
Web server processes (e.g., w3wp.exe, nginx) spawning unexpected child processes such as cmd.exe or powershell.exe, suggesting web shell activity. | Endpoint Process Logs | Execution / Persistence | Low
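The three hunting hypotheses above (and the behavioral indicators listed later on this page) are stated only as prose, since the source report ships no detection logic. The following is an added example, not code from the Sophos report, that implements each hypothesis as a function over constructed sample telemetry. The event field layouts, the sample IP addresses, account names, hosts and paths, and the lists of web server, shell, RMM and launcher binary names are all assumptions chosen for illustration; tune them to your own log schema and approved-software inventory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, source IP, account, result).
# The field layout is an assumption, not a real Entra ID or AD log format.
AUTH_EVENTS = [
    ("2026-03-10T08:00:01", "203.0.113.7", "alice@corp.example", "failure"),
    ("2026-03-10T08:00:03", "203.0.113.7", "bob@corp.example", "failure"),
    ("2026-03-10T08:00:05", "203.0.113.7", "carol@corp.example", "failure"),
    ("2026-03-10T08:00:07", "203.0.113.7", "dave@corp.example", "failure"),
    ("2026-03-10T08:00:09", "203.0.113.7", "erin@corp.example", "failure"),
    ("2026-03-10T08:01:10", "203.0.113.7", "dave@corp.example", "success"),
    # Benign noise: one user mistyping their own password, then logging in.
    ("2026-03-10T09:00:00", "198.51.100.4", "frank@corp.example", "failure"),
    ("2026-03-10T09:00:10", "198.51.100.4", "frank@corp.example", "failure"),
    ("2026-03-10T09:00:20", "198.51.100.4", "frank@corp.example", "success"),
]

# Constructed sample process-creation events: (host, user, parent image, image).
PROCESS_EVENTS = [
    ("web01", r"IIS APPPOOL\DefaultAppPool", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe"),
    ("web01", r"IIS APPPOOL\DefaultAppPool", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\conhost.exe"),
    ("ws12", r"CORP\jdoe", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", r"C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.exe"),
    # Approved install: service-launched, under Program Files, admin context -> not flagged.
    ("ws07", r"CORP\it-admin", r"C:\Windows\System32\services.exe", r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c)\ScreenConnect.ClientService.exe"),
    ("ws03", r"CORP\msmith", r"C:\Program Files\Google\Chrome\Application\chrome.exe", r"C:\Users\msmith\AppData\Local\Temp\AteraAgent.exe"),
]

# Assumed binary-name lists; extend from your own environment inventory.
WEB_SERVERS = {"w3wp.exe", "httpd", "httpd.exe", "nginx", "nginx.exe", "php-fpm", "apache2"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
RMM_MARKERS = ("screenconnect", "atera", "pdq")  # substrings of RMM binary names
USER_LAUNCHERS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "winword.exe", "excel.exe"}
USER_DIRS = ("/users/", "/home/", "/tmp/")       # user-writable locations, after slash normalization


def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Hypothesis 2: many distinct accounts fail from one IP, then that IP succeeds.

    Keying on distinct accounts (not raw failure count) is what separates a spray
    from one user repeatedly mistyping their own password.
    """
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        by_ip[ip].append((datetime.fromisoformat(ts), account, result))
    findings = []
    for ip, rows in by_ip.items():
        rows.sort()
        for ts, account, result in rows:
            if result != "success":
                continue
            failed = {a for t, a, r in rows if r == "failure" and ts - window <= t < ts}
            if len(failed) >= min_accounts:
                findings.append({"source_ip": ip, "failed_accounts": len(failed), "success_account": account})
    return findings


def find_webshell_children(events):
    """Hypothesis 3: a web server worker process spawning a command shell."""
    return [(host, parent, image) for host, user, parent, image in events
            if basename(parent) in WEB_SERVERS and basename(image) in SHELLS]


def find_rmm_from_user_context(events):
    """Hypothesis 1: RMM binaries run from user-writable paths or launched by a browser/Office app."""
    findings = []
    for host, user, parent, image in events:
        if not any(m in basename(image) for m in RMM_MARKERS):
            continue
        path = image.replace("\\", "/").lower()
        if basename(parent) in USER_LAUNCHERS or any(d in path for d in USER_DIRS):
            findings.append((host, user, image))
    return findings


if __name__ == "__main__":
    for f in find_password_spray(AUTH_EVENTS):
        print("password spray:", f)
    for f in find_webshell_children(PROCESS_EVENTS):
        print("web shell child process:", f)
    for f in find_rmm_from_user_context(PROCESS_EVENTS):
        print("RMM from user context:", f)
```

On the sample data the spray detector fires once (five distinct accounts from 203.0.113.7 followed by a success) and stays silent on the single-user retry from 198.51.100.4; the web shell check flags only w3wp.exe spawning cmd.exe, not conhost.exe; and the RMM check flags the Outlook-launched ScreenConnect installer in a Downloads folder and the Chrome-launched Atera agent in Temp, while the service-launched ScreenConnect client under Program Files is left alone. The last case is the main false-positive lever for the Medium-rated hypothesis: allow-list your sanctioned RMM install paths and launching parents rather than the product names themselves.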

Control Gaps

  • Lack of MFA on external remote services
  • Unpatched perimeter devices
  • Permissive outbound network filtering allowing unauthorized RMM tools

Key Behavioral Indicators

  • Web server process spawning command shells
  • Multiple failed logins across different accounts from a single IP
  • Execution of RMM binaries from user download directories

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Implement phishing-resistant MFA for all external-facing services and cloud accounts.
  • Patch known exploited vulnerabilities in perimeter systems (Fortinet, Exchange, VMware).
  • Change default credentials on all internet-exposed devices, especially ICS/OT systems.

Infrastructure Hardening

  • Restrict outbound network access to only approved RMM tools and block known malicious or unapproved RMM domains.
  • Monitor and restrict access to public-facing applications and management interfaces.

User Protection

  • Deploy endpoint protection to monitor for unauthorized RMM installations and web shell deployments.
  • Implement email filtering to block malicious attachments and links to credential harvesting sites.

Security Awareness

  • Train employees to recognize multistep rapport-building phishing attempts and impersonation tactics.
  • Educate users on the risks of downloading software from unverified links in emails.

MITRE ATT&CK Mapping

  • T1566.001 - Spearphishing Attachment
  • T1566.002 - Spearphishing Link
  • T1566.003 - Spearphishing via Service
  • T1190 - Exploit Public-Facing Application
  • T1110.003 - Password Spraying
  • T1078.004 - Valid Accounts: Cloud Accounts
  • T1219.002 - Remote Access Tools: Remote Desktop Software
  • T1133 - External Remote Services
  • T1078.001 - Valid Accounts: Default Accounts
  • T1078.003 - Valid Accounts: Local Accounts