#StopRansomware: Interlock

HIGH SEVERITY
CISA AA25-203A | FBI | CISA | HHS | MS-ISAC July 22, 2025 Processed: 41.7s

Action Plan - Solo Operator View

You're a 1-person IT department managing 23 fire districts. You don't have 9 teams. This collapses 48 files into 4 phases ordered by priority. Of those 48 files, you will actively touch about 6. The rest are reference and audit evidence.

MDE-enrolled: ~12 station workstations
Unmanaged: ~50 volunteer personal devices
Licensing: Likely Entra ID P1
On-prem AD: Verify (likely cloud-only)
Azure Storage: Likely not in use
Coverage limitation: Tier 1 hash imports protect MDE-enrolled endpoints only (~12 station workstations). The 31 volunteers on personal devices have zero endpoint protection from this package. Compensating control: CISA Protective DNS (free for government entities) provides DNS-level blocking for unmanaged devices on your network.

Phase 0: Verify Backups (Before Anything Else)

Verify offline backups exist and are current. When was the last test restore? Is the backup stored offline, disconnected from the network?
Verify backup is not accessible from the M365 tenant. If ransomware encrypts your tenant, can it reach the backups?
Source: AA25-203A Mitigations: "Implement a recovery plan [CPG 5.A] to maintain and retain multiple copies of sensitive or proprietary data in a physically separate, segmented, and secure location"

Phase 1: Do Now (5 minutes)

TIER 1 AUTO-DEPLOY
Import file hashes into MDE - Download mde_ioc_import.csv
Path: Defender Security Center > Settings > Indicators > File hashes > Import
Blocks 37 known Interlock files (credential stealers, keyloggers, encryptors, RATs) on every MDE-enrolled endpoint.
Import IOC watchlist into Sentinel - Download sha256_hashes.csv
Path: Sentinel > Watchlists > Add new > Upload CSV
Cross-correlates Interlock hashes with all log sources automatically.
After Phase 1, every MDE-enrolled endpoint in all 23 districts blocks 37 known Interlock files. Volunteer personal devices are NOT covered (see CISA Protective DNS above). Time: 5 minutes.

Phase 2: This Week (2-4 hours across multiple sessions)

TIER 2 REVIEW
Hunt Queries (run once, review results)
Checks for domain admin compromise attempts (RC4 service ticket requests).
DOES THIS APPLY TO YOU? Run SecurityEvent | take 1 in Sentinel. Zero results = you don't have on-prem AD logs. Skip this hunt.
IF YOU FIND RESULTS: (1) Identify affected accounts. (2) Reset passwords immediately. (3) Disable unrecognized service accounts. (4) Call CISA: (888) 282-0870. (5) Call your cyber insurance carrier.
Checks for admin accounts RDPing to 3+ machines in 4 hours.
DOES THIS APPLY TO YOU? Do you use RDP to manage servers? If you don't know what RDP is, skip this.
IF YOU FIND RESULTS: (1) Is the account yours? If yes, normal. (2) If NOT yours, disable the account immediately and reset the password. (3) Check each target machine for unauthorized software.
Checks for StorageExplorer.exe or AzCopy launched outside normal context. Works even if YOU don't use Azure Storage - attackers bring their own.
IF YOU FIND RESULTS: (1) Identify which device and user. (2) Isolate the device from the network. (3) Check what data was accessed. (4) Call CISA: (888) 282-0870.
Detection Rules (import for ongoing monitoring)
For each rule: Sentinel > Analytics > Create > Scheduled query rule. Frequency: 1 hour. Severity: High. Map entities: DeviceName -> Host, AccountName -> Account.
PREREQUISITE: M365 Defender connector active. Verify: DeviceProcessEvents | take 1
ClickFix PowerShell - fake CAPTCHA -> paste PowerShell into Run dialog
Credential stealer - cht.exe / klg.dll by hash match
Registry persistence - "Chrome Updater" run key creation
Manual Checks (full checklist)
Audit domain admin accounts (Entra ID > Roles and administrators > Global Administrator)
Verify MFA for ALL accounts, especially volunteers on personal devices
Check endpoints for AnyDesk, PuTTY: With MDE: run query in Sentinel. Without MDE: Settings > Apps > search on each station PC.
Azure Storage logging - Azure Portal > Storage accounts. If zero accounts exist, skip this entirely.

Phase 3: Read When Ready (15 minutes)

TIER 3 CONTEXT
Visibility Assessment - MDE sees 5/8 steps on managed endpoints. 3 partial gaps. Volunteer devices: 0/8 visibility. Includes compensating controls.
Coverage Assessment - 5 covered, 3 partial, 0 blind spots (managed endpoints). Includes "How to Verify" queries for each step.
Evidence Bundle - Proves you operationalized CISA AA25-203A. HIPAA + NIST CSF mappings. Retain 6 years (45 CFR 164.530(j)).
HIPAA/NIST CSF Mapping - per-technique mapping including 164.308(a)(7) Contingency Plan for ransomware.

If Something Goes Wrong

1. Isolate affected devices from the network (unplug ethernet, disable WiFi)
2. Do NOT turn off the machines (preserves forensic evidence)
3. Call CISA: (888) 282-0870 or Report@cisa.gov
4. Call your cyber insurance carrier
5. Call your county IT coordinator
6. Do not pay ransom without consulting legal counsel and law enforcement

Consortium: All 23 Districts

Phase 1 hash imports protect every MDE-enrolled endpoint in every district. Phase 2 hunt queries run against the shared Sentinel workspace. You do not repeat this 23 times. Download full action plan

Processing Complete: CISA AA25-203A (19 pages) ingested, extracted, compiled, and packaged in 41.7 seconds
0.0s - 3.2s: PDF ingested (19 pages) - 40 file hashes extracted, 11 behavioral patterns identified, 27 ATT&CK techniques mapped
3.2s - 12.1s: Enrichment - ATT&CK v17 mapping (27 techniques, 12 tactics), D3FEND countermeasures, layer routing across 6 surfaces
12.1s - 28.4s: Rule compilation - 34 detection rules across Sentinel KQL + Sigma formats, IOC import packages for MDE
28.4s - 41.7s: Deliverable packaging - 48 files across 9 team folders, 3 deployment tiers
40 IOCs (Hashes) | 27 ATT&CK Techniques | 11 Tools Identified | 9 Teams Served | 48 Files Generated

Executive Summary

Interlock ransomware actors have targeted critical infrastructure and businesses across North America since September 2024. For initial access they use drive-by downloads from compromised websites and ClickFix social engineering (a fake CAPTCHA prompts users to paste malicious PowerShell). Post-compromise, actors deploy credential stealers (cht.exe) and keyloggers (klg.dll), and use Kerberoasting to escalate to domain admin. They exfiltrate data using Azure Storage Explorer and AzCopy before deploying AES+RSA encryption with the .interlock extension, then apply double extortion via a Tor leak site.

Why this matters to San Juan County Fire: Your M365/Azure environment is both the attack surface AND the exfiltration channel. Interlock actors use YOUR tools (Azure Storage Explorer, AzCopy) to steal YOUR data through YOUR cloud infrastructure. With 23 districts sharing credentials and RDP access, a single compromised volunteer workstation could cascade across the entire county. The Friday Harbor $500K ransomware incident matches this exact operational pattern.

Stack Relevance Assessment

Component | Your Stack | Exposure | KTLYST Coverage
Identity | Entra ID / Active Directory | Direct Target | Kerberoasting detection, domain admin abuse hunts, CA policy hardening
Cloud Storage | Azure / M365 | Direct Target | Azure Storage Explorer + AzCopy usage detection (T1530, T1567.002)
Endpoint | Microsoft Defender for Endpoint | Direct Target | 37 SHA-256 hash imports, PowerShell + RAT behavioral detections
SIEM | Microsoft Sentinel | Direct Target | KQL analytics rules for all 12 tactic phases
Remote Access | RDP / potential AnyDesk | Direct Target | Anomalous RDP detection, AnyDesk/PuTTY process alerts
Email | Exchange Online | Indirect | ClickFix URL patterns, fake browser update attachment blocking

Attack Chain - Interlock (from CISA AA25-203A)

T1189 Drive-By Download [BROWSER]: Fake browser/security update from compromised site
T1204.004 ClickFix [ENDPOINT]: Fake CAPTCHA -> paste PowerShell into Run dialog
T1547.001 Persistence [ENDPOINT]: RAT in Startup folder + "Chrome Updater" registry key
T1056.001 Credential Theft [ENDPOINT]: cht.exe stealer + klg.dll keylogger -> conhost.txt
T1558.003 Kerberoasting [AUTH]: Domain admin compromise via service ticket cracking
T1021.001 RDP Lateral [NETWORK]: RDP + AnyDesk + PuTTY with stolen domain creds
T1567.002 Azure Exfil [CLOUD]: StorageExplorer.exe + AzCopy to Azure blob
T1486 Encrypt [ENDPOINT]: conhost.exe AES+RSA -> .interlock extension

Layer routing:
BROWSER: No telemetry
ENDPOINT: DeviceProcessEvents / DeviceFileEvents
AUTH: SecurityEvent (4769)
NETWORK: DeviceNetworkEvents / DeviceLogonEvents
CLOUD: AzureActivity / StorageBlobLogs

IOC Sample (40 indicators from AA25-203A, Tables 3-4)

File Name | SHA-256 | Role | Source
cht.exe | C20BABA26EBB596DE14B403B9F78DDC3C13CE9870EEA332476AC2C1DD582AA07 | Credential stealer | Page 4, Table 3
klg.dll | A4F0B68052E8DA9A80B70407A92400C6A5DEF19717E0240AC608612476E1137E | Keylogger (logs to conhost.txt) | Page 4, Table 3
conhost | 44887125aa2df864226421ee694d51e5535d8c6f70e327e9bcb366e43fd892c1 | Ransomware encryptor (masquerades as Windows) | Page 7, Table 3
StorageExplorer.exe | 73a9a1e38ff40908bcc15df2954246883dadfb991f3c74f6c514b4cffdabde66 | Azure Storage browsing (exfiltration) | Page 8, Table 3
AnyDesk.exe | 1a70f4eef11fbecb721b9bab1c9ff43a8c4cd7b2cafef08c033c77070c6fe069 | Remote access tool (lateral movement) | Page 7, Table 3
cleanup.dll | 1845a910dcde8c6e45ad2e0c48439e5ab8bbbeb731f2af11a1b7bbab3bfe0127 | SystemBC proxy (C2 channel) | Page 7, Table 3
... 34 more hashes (37 SHA-256 + 3 SHA-1 total). Full list in iocs/full_ioc_list.json
Provenance: CISA AA25-203A, Tables 3-4, Pages 6-8 -> 40 hashes extracted with filenames -> MDE IOC import compiled: endpoint/mde_ioc_import.csv

Consortium Mode: San Juan County (23 Districts)

This deliverable package is generated once and distributed across all 23 fire districts under San Juan County's shared infrastructure. One advisory, one pipeline, 23 organizations protected.

48 files across 9 team folders with 3 deployment tiers | Source: CISA AA25-203A | Target: M365 / Defender / Sentinel
📊 Executive / CISO HIGH
TIER 3 threat_brief.pdf
TIER 3 team_package_index.md
💻 Endpoint / EDR PRIMARY
TIER 2 mde_custom_detections.json
TIER 3 visibility_assessment.md
👤 Identity / IAM HIGH
TIER 2 conditional_access_policy.json
TIER 3 checklist.md
☁️ Cloud Security HIGH
TIER 2 azcopy_hunt.kql
TIER 3 checklist.md
📧 Email Security LOW
TIER 2 clickfix_url_patterns.txt
TIER 2 fake_update_attachment_rule.ps1
Interlock primary access is drive-by, not email. These are secondary defenses.
⚔️ Red / Purple Team MEDIUM
TIER 3 attack_navigator_layer.json
TIER 2 atomic_tests/ (6 files)
TIER 3 emulation_plan.md
TIER 3 detection_gap_matrix.md
📋 Compliance / GRC MEDIUM
TIER 3 framework_mapping.csv
TIER 3 evidence_bundle.json
🔥 Shared IOC Data HIGH
TIER 1 sha256_hashes.csv (37 hashes)
TIER 1 sha1_hashes.csv (3 hashes)
TIER 1 iocs.stix.json
TIER 1 full_ioc_list.json
TIER 1 - Auto-deploy: hash imports, IOC watchlists. Deterministic, safe to push immediately.
TIER 2 - Detection-as-Code: KQL rules, behavioral detections. PR review before deployment.
TIER 3 - Human approval: assessments, emulation plans, policy changes.

Sentinel Rule: Interlock Credential Stealer Execution (cht.exe)

TIER 2
// KTLYST - Interlock Credential Stealer Detection
// Source: CISA AA25-203A, Page 4: "FBI observed... series of PowerShell commands
// to download a credential stealer (cht.exe) [TA0006] and keylogger (klg.dll)"
// Provenance: Page 4, "Credential Access, Lateral Movement" section
DeviceProcessEvents
| where TimeGenerated > ago(1d)
// in~ is case-insensitive: MDE reports SHA256 in lowercase hex, the advisory prints uppercase
| where FileName in~ ("cht.exe", "klg.dll") or SHA256 in~ (
    "C20BABA26EBB596DE14B403B9F78DDC3C13CE9870EEA332476AC2C1DD582AA07",
    "A4F0B68052E8DA9A80B70407A92400C6A5DEF19717E0240AC608612476E1137E"
  )
// klg.dll loads as a library rather than a process; its hash is also in the Tier 1
// mde_ioc_import.csv, which covers loads this process-level query will not see
| project TimeGenerated, DeviceName, FileName, SHA256, FolderPath, InitiatingProcessFileName, AccountName
| extend AlertDetail = strcat("Interlock credential stealer detected: ", FileName)
Provenance: AA25-203A, Page 4, "Credential Access" section -> cht.exe SHA-256 from Table 3 -> DeviceProcessEvents KQL rule

Sentinel Rule: Azure Exfiltration via AzCopy (T1567.002)

TIER 2
// KTLYST - Interlock Azure Exfiltration Detection
// Source: CISA AA25-203A, Page 5: "Interlock actors execute AzCopy to exfiltrate
// data by uploading it to the Azure storage blob [T1567.002]"
// Also detects: StorageExplorer.exe (T1530) used for browsing Azure accounts
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName in~ ("azcopy.exe", "StorageExplorer.exe")
    or SHA256 =~ "73a9a1e38ff40908bcc15df2954246883dadfb991f3c74f6c514b4cffdabde66"
| where InitiatingProcessFileName !~ "explorer.exe" // exclude normal interactive launch (case-insensitive)
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName
| extend AlertDetail = "Potential Interlock exfiltration: Azure tool launched outside normal context"

Sentinel Rule: ClickFix PowerShell Execution (T1204.004)

TIER 2
// KTLYST - Interlock ClickFix Social Engineering Detection
// Source: CISA AA25-203A, Page 3: "The CAPTCHA contains instructions for users
// to open the Windows Run window, paste the clipboard contents, and then
// execute a malicious Base64-encoded PowerShell process [T1204.004]"
DeviceProcessEvents
| where TimeGenerated > ago(1d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "FromBase64String")
| where InitiatingProcessFileName in~ ("explorer.exe", "cmd.exe") // launched from Run dialog
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine
| extend AlertDetail = "Potential ClickFix: Base64 PowerShell launched from Run dialog / Explorer"
Provenance: AA25-203A, Page 3, "Initial Access" section, paragraph 2 -> ClickFix behavioral pattern extracted -> DeviceProcessEvents KQL rule
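When this rule fires, the first triage step is to read what the pasted PowerShell would have done. The following is an added example (not code from the page, KTLYST or CISA): it applies the rule's predicate to DeviceProcessEvents-shaped records and decodes the -EncodedCommand argument, which PowerShell expects as UTF-16LE Base64. Field names mirror the Sentinel columns the rule uses; the three sample events and the benign script embedded in them are constructed.

```python
"""ClickFix rule triage: match DeviceProcessEvents-style records and
decode the Base64 PowerShell payload for the analyst.

Added example, not code from the page or from KTLYST/CISA. The record
fields mirror the Sentinel columns used by the page's rule; the sample
events below are constructed.
"""
import base64
import re

ENCODED_FLAGS = ("-encodedcommand", "-enc", "-ec", "-e")
RUN_DIALOG_PARENTS = {"explorer.exe", "cmd.exe"}


def encode_ps(script):
    """PowerShell takes UTF-16LE Base64 for -EncodedCommand; used here
    only to build the constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line):
    """Return the decoded script behind an -EncodedCommand / -enc argument,
    or None if the command line has none or the blob is not valid."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            blob = tokens[i + 1].strip("\"'")
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def matches_clickfix_rule(event):
    """Same predicate as the page's KQL: powershell.exe, an encoded or
    FromBase64String command line, parent explorer.exe or cmd.exe."""
    if event["FileName"].lower() != "powershell.exe":
        return False
    cmd = event["ProcessCommandLine"].lower()
    if not (re.search(r"-(encodedcommand|enc)\b", cmd) or "frombase64string" in cmd):
        return False
    return event["InitiatingProcessFileName"].lower() in RUN_DIALOG_PARENTS


def triage(events):
    """Return one alert dict per matching event, including the decoded script."""
    alerts = []
    for ev in events:
        if matches_clickfix_rule(ev):
            alerts.append({
                "DeviceName": ev["DeviceName"],
                "AccountName": ev["AccountName"],
                "DecodedScript": decode_encoded_command(ev["ProcessCommandLine"]),
            })
    return alerts


# Constructed sample telemetry; a harmless script stands in for the payload.
SAMPLE_EVENTS = [
    {"DeviceName": "STATION-07", "AccountName": "volunteer1",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -w hidden -enc " + encode_ps("Write-Host 'sample'")},
    {"DeviceName": "STATION-02", "AccountName": "irene",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "code.exe",
     "ProcessCommandLine": "powershell.exe -NoProfile -File deploy.ps1"},
    {"DeviceName": "STATION-03", "AccountName": "svc-backup",
     "FileName": "powershell.exe", "InitiatingProcessFileName": "svchost.exe",
     "ProcessCommandLine": "powershell.exe -EncodedCommand " + encode_ps("Get-Date")},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The third sample event carries an encoded command but a service-host parent, so it does not match this rule; that is by design, since the rule isolates the Run-dialog pattern, and encoded commands from other parents are left to the broader PowerShell detections in the package.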

Sentinel Rule: Interlock Persistence via "Chrome Updater" Registry Key

TIER 2
// KTLYST - Interlock Registry Persistence Detection
// Source: CISA AA25-203A, Page 3: "Interlock actors executed a PowerShell command
// designed to add a run key value named 'Chrome Updater' [T1036.005]
// that uses a specific log file as an argument upon user login"
DeviceRegistryEvents
| where TimeGenerated > ago(1d)
| where ActionType == "RegistryValueSet" // run-key persistence is a value write; ignore deletions/renames
| where RegistryKey has "CurrentVersion\\Run"
| where RegistryValueName =~ "Chrome Updater" or RegistryValueData has_any ("conhost", ".log")
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName

mde_ioc_import.csv - 37 SHA-256 Hashes from FBI Investigation

TIER 1 AUTO-DEPLOY READY
IndicatorType | IndicatorValue | Action | Title | Severity
FileSha256 | C20BABA26EBB596D...DD582AA07 | AlertAndBlock | Interlock - cht.exe credential stealer | High
FileSha256 | A4F0B68052E8DA9A...76E1137E | AlertAndBlock | Interlock - klg.dll keylogger | High
FileSha256 | 44887125aa2df864...3fd892c1 | AlertAndBlock | Interlock - conhost encryptor | High
FileSha256 | e86bb8361c436be9...81405cb1 | AlertAndBlock | Interlock - Encryptor variant | High
FileSha256 | 1845a910dcde8c6e...3bfe0127 | AlertAndBlock | Interlock - SystemBC proxy (cleanup.dll) | High
FileSha256 | 4b036cc9930bb424...96bd3e5 | Alert | Interlock - advanced_port_scanner.exe | Medium
... 31 more rows. Full CSV: endpoint/mde_ioc_import.csv

Import via: Microsoft Defender Security Center > Settings > Indicators > File hashes > Import.
Or via TI Indicators API: POST /api/indicators with the full CSV contents.
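The Phase 1 portal import and the Indicators API route above both start from the same hash list, and the only things that go wrong in practice are malformed rows, duplicates and hash case. The following added example (not KTLYST's or CISA's code) validates a plain SHA-256/SHA-1 list, emits the five-column import CSV in the schema shown above, and builds one JSON body per indicator for POST /api/indicators. The input column names (sha256, filename, role) and the malformed and duplicate sample rows are constructed assumptions; the two real hashes are the cht.exe and klg.dll values from the advisory's Table 3 as printed on this page.

```python
"""Build an MDE file-hash indicator import from a plain hash list.

Added example, not KTLYST's or CISA's code. Assumes an input CSV with
columns 'sha256,filename,role' (an assumption; the page's
sha256_hashes.csv may use other headers). Output columns follow the
schema shown on the page: IndicatorType, IndicatorValue, Action,
Title, Severity.
"""
import csv
import io
import json
import re

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
MDE_COLUMNS = ["IndicatorType", "IndicatorValue", "Action", "Title", "Severity"]

# Constructed sample input: two hashes from the advisory's Table 3 as
# printed on the page, plus a duplicate (different case) and a bad row.
SAMPLE_CSV = """sha256,filename,role
C20BABA26EBB596DE14B403B9F78DDC3C13CE9870EEA332476AC2C1DD582AA07,cht.exe,Credential stealer
A4F0B68052E8DA9A80B70407A92400C6A5DEF19717E0240AC608612476E1137E,klg.dll,Keylogger
a4f0b68052e8da9a80b70407a92400c6a5def19717e0240ac608612476e1137e,klg.dll,Keylogger
NOT-A-HASH,bogus.exe,Garbage
"""


def normalize_hash(value):
    """Return (IndicatorType, lowercase hash) or None if malformed.
    MDE reports hashes in lowercase; one canonical form avoids misses."""
    v = value.strip().lower()
    if SHA256_RE.match(v):
        return "FileSha256", v
    if SHA1_RE.match(v):
        return "FileSha1", v
    return None


def build_indicators(hash_csv, action="AlertAndBlock", severity="High"):
    """Convert the hash list into indicator rows, dropping malformed and
    duplicate values. Returns (rows, rejected_values)."""
    rows, rejected, seen = [], [], set()
    for rec in csv.DictReader(io.StringIO(hash_csv)):
        parsed = normalize_hash(rec["sha256"])
        if parsed is None:
            rejected.append(rec["sha256"])
            continue
        itype, ivalue = parsed
        if ivalue in seen:
            continue
        seen.add(ivalue)
        rows.append({
            "IndicatorType": itype,
            "IndicatorValue": ivalue,
            "Action": action,
            "Title": f"Interlock - {rec['filename']} {rec['role'].lower()}",
            "Severity": severity,
        })
    return rows, rejected


def to_import_csv(rows):
    """Render rows as the portal import file (Settings > Indicators > Import)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=MDE_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def to_api_payloads(rows):
    """One request body per indicator for POST /api/indicators; these are
    the documented MDE Indicators API field names (description is required)."""
    return [
        {"indicatorValue": r["IndicatorValue"], "indicatorType": r["IndicatorType"],
         "action": r["Action"], "title": r["Title"], "severity": r["Severity"],
         "description": "CISA AA25-203A (#StopRansomware: Interlock)"}
        for r in rows
    ]


if __name__ == "__main__":
    rows, rejected = build_indicators(SAMPLE_CSV)
    print(to_import_csv(rows))
    print("rejected:", rejected)
    print(json.dumps(to_api_payloads(rows)[0], indent=2))
```

Case normalization is the part worth keeping even if you change nothing else: the portal accepts either case, but any hunting query that compares the SHA256 column against an uppercase literal with a case-sensitive operator will silently return nothing.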

Provenance: AA25-203A, Tables 3-4, Pages 6-8 -> 37 SHA-256 + 3 SHA-1 extracted -> MDE Indicator API CSV compiled

What This Saves You

Without KTLYST: Irene reads 19 pages, manually copies 37 SHA-256 hashes from Tables 3-4, formats them into MDE import CSV with correct column headers, uploads them one by one. Time: 2-3 hours. Then repeats for detection rules, identity hardening, cloud monitoring.

With KTLYST: 40 hashes extracted with filenames and context in 3.2 seconds. MDE import CSV generated with correct schema. Irene opens Defender Security Center, clicks Import, selects the file. Time: 2 minutes. Same file distributed to all 23 districts.

Kerberoasting Detection (T1558.003)

TIER 2
// KTLYST - Interlock Kerberoasting Detection
// Source: CISA AA25-203A, Page 4: "Interlock actors have compromised domain
// administrator accounts (possibly by using a Kerberoasting attack
// [T1558.003]) to gain additional privileges [T1078.002]"
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4769 // Kerberos Service Ticket Request
| where TicketEncryptionType == "0x17" // RC4 encryption = Kerberoasting indicator
| where ServiceName !endswith "$" // Exclude machine accounts
| where ServiceName !~ "krbtgt" // TGS requests for the KDC itself are normal
| summarize RequestCount = count() by TargetUserName, IpAddress, bin(TimeGenerated, 1h)
| where RequestCount > 5 // Multiple service ticket requests = suspicious
Provenance: AA25-203A, Page 4, "Credential Access, Lateral Movement" section -> Kerberoasting pattern (T1558.003) -> SecurityEvent 4769 KQL rule
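To see the filter-then-aggregate logic of this hunt on concrete events before the domain controller logs are flowing, here is an added example (not code from the page, KTLYST or CISA) that runs the same stages over constructed 4769 records: RC4 only, machine accounts and krbtgt excluded, counts per (TargetUserName, IpAddress, hour), threshold of more than 5. It goes one step beyond the query by also listing which service accounts' RC4 tickets were requested, which is the list you then review for weak service-account passwords and AES-only enforcement. Column names follow the SecurityEvent schema the rule uses; the user, IP and SPN names are constructed.

```python
"""Run the Kerberoasting hunt logic over 4769 events offline.

Added example, not code from the page, KTLYST or CISA. Records use the
SecurityEvent column names the page's KQL uses (EventID,
TicketEncryptionType, ServiceName, TargetUserName, IpAddress,
TimeGenerated). All sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
THRESHOLD = 5  # the page's rule: more than 5 RC4 service-ticket requests per hour


def is_candidate(ev):
    """Filter stage of the rule: 4769, RC4, not a machine account, not krbtgt."""
    if ev["EventID"] != 4769 or ev["TicketEncryptionType"] != RC4_HMAC:
        return False
    svc = ev["ServiceName"]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def hour_bucket(ts):
    """Equivalent of bin(TimeGenerated, 1h)."""
    return ts.replace(minute=0, second=0, microsecond=0)


def kerberoast_hunt(events, threshold=THRESHOLD):
    """Summarize candidates by (TargetUserName, IpAddress, hour) and return
    the buckets above threshold, with the SPN accounts that were requested."""
    buckets = defaultdict(lambda: {"count": 0, "services": set()})
    for ev in events:
        if not is_candidate(ev):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"], hour_bucket(ev["TimeGenerated"]))
        buckets[key]["count"] += 1
        buckets[key]["services"].add(ev["ServiceName"])
    return [
        {"TargetUserName": user, "IpAddress": ip, "Hour": hour.isoformat(),
         "RequestCount": b["count"], "Services": sorted(b["services"])}
        for (user, ip, hour), b in buckets.items() if b["count"] > threshold
    ]


def make_events():
    """Constructed sample: one client pulling RC4 tickets for six SPNs within
    one hour, plus noise that each filter stage must drop."""
    t0 = datetime(2025, 7, 23, 9, 5)
    evs = []
    spns = ["svc-sql", "svc-backup", "svc-web", "svc-print", "svc-scan", "svc-legacy"]
    for i, spn in enumerate(spns):  # 6 RC4 requests from one user/IP -> exceeds 5
        evs.append({"TimeGenerated": t0 + timedelta(minutes=i), "EventID": 4769,
                    "TicketEncryptionType": RC4_HMAC, "ServiceName": spn,
                    "TargetUserName": "volunteer9@FIRE.LOCAL", "IpAddress": "10.0.5.23"})
    for svc in ["STATION-01$", "krbtgt"]:  # excluded even though RC4
        evs.append({"TimeGenerated": t0, "EventID": 4769, "TicketEncryptionType": RC4_HMAC,
                    "ServiceName": svc, "TargetUserName": "volunteer9@FIRE.LOCAL",
                    "IpAddress": "10.0.5.23"})
    for i in range(8):  # AES (0x12) tickets are normal and never counted
        evs.append({"TimeGenerated": t0 + timedelta(minutes=i), "EventID": 4769,
                    "TicketEncryptionType": "0x12", "ServiceName": "svc-sql",
                    "TargetUserName": "irene@FIRE.LOCAL", "IpAddress": "10.0.5.10"})
    return evs


if __name__ == "__main__":
    for hit in kerberoast_hunt(make_events()):
        print(hit)
```

The Services list in each hit is the actionable output: every account on it accepted an RC4 ticket, so each is a candidate for a long random password and for removing RC4 from msDS-SupportedEncryptionTypes.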

RDP Lateral Movement Hunt (T1021.001)

TIER 2
// KTLYST - Interlock RDP Lateral Movement Detection
// Source: CISA AA25-203A, Page 4: "Interlock actors leverage compromised
// credentials and Remote Desktop Protocol (RDP) [T1021.001] to move
// between systems"
DeviceLogonEvents
| where TimeGenerated > ago(7d)
| where ActionType == "LogonSuccess" // count completed logons only, not failed attempts
| where LogonType == "RemoteInteractive" // RDP logon
| where IsLocalAdmin == true
| summarize TargetCount = dcount(DeviceName) by AccountName, RemoteIP, bin(TimeGenerated, 4h)
| where TargetCount > 2 // Same account RDPs to 3+ machines in 4 hours
| project TimeGenerated, AccountName, RemoteIP, TargetCount

Identity Checklist

TIER 3
Run Kerberoasting hunt: check for RC4 service ticket requests in last 30 days
Run RDP lateral movement hunt: check for admin accounts accessing 3+ machines
Audit domain admin accounts: verify each is necessary and MFA-enrolled
Review service accounts: identify accounts vulnerable to Kerberoasting (weak SPNs)
Verify MFA for all accounts, especially volunteer/part-time accounts
Restrict RDP access: limit to specific IP ranges or require VPN
Check for AnyDesk, PuTTY installations on endpoints (Interlock lateral movement tools)

Endpoint Visibility Assessment - Microsoft Defender for Endpoint

This tells your team exactly what MDE can and cannot see across the 8-step Interlock attack chain from CISA AA25-203A.

visibility_assessment.md

TIER 3
# | Attack Step | Layer | MDE Visibility | What MDE Sees
1 | Drive-by download / fake browser update | BROWSER | PARTIAL | SmartScreen may flag download. File creation in Downloads folder visible. Browser-side compromise invisible.
2 | ClickFix: paste PowerShell into Run dialog | ENDPOINT | HIGH | DeviceProcessEvents: powershell.exe with -EncodedCommand launched from explorer.exe. Strong detection signal.
3 | RAT persistence: Startup folder + registry key | ENDPOINT | HIGH | DeviceRegistryEvents: "Chrome Updater" run key creation. DeviceFileEvents: file drop in Startup folder.
4 | Credential theft: cht.exe + klg.dll | ENDPOINT | HIGH | DeviceProcessEvents: cht.exe execution. DeviceFileEvents: klg.dll load, conhost.txt creation. Hash match on IOC import.
5 | Kerberoasting for domain admin | AUTH | PARTIAL | MDE sees network traffic to DC. Primary detection in SecurityEvent 4769 (domain controller logs), not endpoint.
6 | RDP + AnyDesk lateral movement | NETWORK | HIGH | DeviceLogonEvents: RDP logons. DeviceProcessEvents: AnyDesk.exe, putty.exe execution with hash match.
7 | Azure exfil: StorageExplorer + AzCopy | CLOUD | PARTIAL | DeviceProcessEvents: StorageExplorer.exe / azcopy.exe launch. But actual data transfer to Azure blob is cloud-layer.
8 | Ransomware: conhost.exe encryption | ENDPOINT | HIGH | DeviceProcessEvents: conhost.exe (non-standard path). DeviceFileEvents: mass .interlock extension. Hash match.
Overall Endpoint Visibility for Interlock Attack Chain
5 of 8 steps: HIGH visibility (steps 2, 3, 4, 6, 8)
3 of 8 steps: PARTIAL visibility (steps 1, 5, 7)
0 blind spots
Key finding: Unlike cloud-native attacks, Interlock's attack chain is heavily endpoint-resident. MDE has HIGH visibility on 5 of 8 steps. The 3 PARTIAL steps are browser-initial-access (step 1), Kerberoasting (step 5, primary detection on DC logs), and Azure exfiltration (step 7, primary detection in StorageBlobLogs). Your EDR is well-positioned for this threat, but you need domain controller log forwarding (SecurityEvent 4769) and Azure activity monitoring to close the gaps.

Detection Gap Matrix - Interlock (AA25-203A)

Maps every attack step to KTLYST-generated detection rules. Shows what's covered, what's partial, and where red team should focus.

detection_gap_matrix.md

TIER 3
# | Attack Step (from AA25-203A) | Layer | Status | KTLYST Rule / Coverage | Red Team Action
1 | Drive-by / fake update download | BROWSER | PARTIAL | MDE SmartScreen + KTLYST hash import for fake update filenames (FortiClient.exe, GlobalProtect.exe, etc.) | Test: download masquerading file, verify SmartScreen + hash block
2 | ClickFix PowerShell execution | ENDPOINT | COVERED | sentinel_rules.json: Base64 PowerShell from Run dialog detection | Validate: paste encoded PowerShell via Win+R, verify alert fires
3 | Startup folder + "Chrome Updater" registry | ENDPOINT | COVERED | sentinel_rules.json: DeviceRegistryEvents "Chrome Updater" run key + Startup folder file drop | Validate: create test run key named "Chrome Updater"
4 | cht.exe + klg.dll credential theft | ENDPOINT | COVERED | mde_ioc_import.csv (Tier 1 auto-deploy): hash-based block on both files | Validate: attempt to execute test file matching hash, verify block
5 | Kerberoasting domain admin compromise | AUTH | COVERED | entra_kerberoast_detection.kql: SecurityEvent 4769 with RC4 encryption + volume threshold | TEST: Run Rubeus kerberoast in test domain, verify 4769 alert threshold
6 | RDP + AnyDesk lateral movement | NETWORK | COVERED | RDP hunt: admin account accessing 3+ machines in 4h. AnyDesk.exe hash block via IOC import. | Validate: RDP to 3 machines with same admin account
7 | Azure exfil via StorageExplorer + AzCopy | CLOUD | PARTIAL | azure_storage_exfil_detection.kql: process-level detection. Cloud-layer (StorageBlobLogs) monitoring recommended. | TEST: Run AzCopy upload, verify both process alert AND blob log capture
8 | conhost.exe ransomware encryption | ENDPOINT | COVERED | MDE built-in ransomware protection + KTLYST hash import + .interlock extension detection | Validate: Atomic Red Team T1486 (safe simulation)
6 Covered | 2 Partial | 0 Blind Spots
For Irene (1-person IT): 6 of 8 attack steps are fully covered by KTLYST-generated rules, with 2 partial gaps that need additional log sources (domain controller forwarding for Kerberoasting, Azure StorageBlobLogs for exfiltration monitoring). Zero blind spots in this attack chain.

For the consortium: This same coverage applies to all 23 districts. The Tier 1 hash imports (37 SHA-256 values) protect every endpoint immediately. The Tier 2 behavioral rules catch the attack pattern even if Interlock changes their file hashes.

Zero-Inference Provenance Chain

Every rule, every IOC, every detection traces back to a specific page, paragraph, and table in CISA Advisory AA25-203A (July 22, 2025). Nothing is inferred. Nothing is hallucinated. If KTLYST can't cite it, it doesn't generate it.

Provenance Example: Credential Stealer Detection Rule

Layer / Artifact / Source Reference
Source
  Artifact: CISA Advisory AA25-203A (#StopRansomware: Interlock)
  Reference: Published July 22, 2025 | Authors: FBI, CISA, HHS, MS-ISAC | TLP:CLEAR | 19 pages
Extraction
  Artifact: IOC: cht.exe SHA-256 C20BABA26EBB596D...DD582AA07
  Reference: Page 7, Table 3, Row "cht.exe" | Context: Page 4: "download a credential stealer (cht.exe) [TA0006]"
Enrichment
  Artifact: ATT&CK: TA0006 (Credential Access), T1056.001 (Keylogging)
  Reference: Behavioral pattern: credential stealer + keylogger deployment post-compromise
Layer Routing
  Artifact: endpoint -> DeviceProcessEvents (file execution detection)
  Reference: File hash indicator routed to endpoint process monitoring
Compilation
  Artifact: KQL Rule: DeviceProcessEvents | where SHA256 in (...)
  Reference: Compiled from 2 credential-theft hashes (cht.exe + klg.dll) with same attack pattern
Packaging
  Artifact: endpoint/mde_ioc_import.csv + detection/sentinel_rules.json
  Reference: Routed to 2 team folders: Tier 1 (hash import) + Tier 2 (behavioral rule)
Audit
  Artifact: metadata/generation_audit.jsonl
  Reference: Full pipeline trace with timestamps, hash counts, and source verification

generation_audit.jsonl

// Every step is logged with timestamps and artifact counts
{"step":"ingestion", "ts":"2025-07-23T09:14:02Z", "source":"CISA AA25-203A", "pages":19, "format":"PDF", "tlp":"CLEAR"}
{"step":"extraction", "ts":"2025-07-23T09:14:05Z", "sha256_hashes":37, "sha1_hashes":3, "behavioral_patterns":11, "tools_identified":11}
{"step":"enrichment", "ts":"2025-07-23T09:14:14Z", "techniques_mapped":27, "tactics":12, "attack_version":"v17"}
{"step":"compilation", "ts":"2025-07-23T09:14:30Z", "rules":34, "platforms":["sentinel","sigma","mde"]}
{"step":"packaging", "ts":"2025-07-23T09:14:44Z", "target":"San Juan County Fire", "files":48, "teams":9}
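An audit trail is only evidence if someone checks it. The following added example (not part of KTLYST) parses the five records above, which are embedded as constructed input copied from the listing, and verifies that the trail is internally consistent: the steps appear in pipeline order, timestamps never go backwards, the extracted hash counts sum to the 40 IOCs reported elsewhere on the page, the packaged file count is 48, and MDE is among the compiled platforms. The expected counts are passed as parameters so the same check can be rerun against a later package.

```python
"""Consistency check over a generation_audit.jsonl trail.

Added example, not part of KTLYST. The audit records below are copied
from the listing on the page and embedded here as constructed input;
the expected counts default to the figures the page reports.
"""
import json
from datetime import datetime

EXPECTED_ORDER = ["ingestion", "extraction", "enrichment", "compilation", "packaging"]

AUDIT_JSONL = """\
{"step":"ingestion", "ts":"2025-07-23T09:14:02Z", "source":"CISA AA25-203A", "pages":19, "format":"PDF", "tlp":"CLEAR"}
{"step":"extraction", "ts":"2025-07-23T09:14:05Z", "sha256_hashes":37, "sha1_hashes":3, "behavioral_patterns":11, "tools_identified":11}
{"step":"enrichment", "ts":"2025-07-23T09:14:14Z", "techniques_mapped":27, "tactics":12, "attack_version":"v17"}
{"step":"compilation", "ts":"2025-07-23T09:14:30Z", "rules":34, "platforms":["sentinel","sigma","mde"]}
{"step":"packaging", "ts":"2025-07-23T09:14:44Z", "target":"San Juan County Fire", "files":48, "teams":9}
"""


def parse_audit(text):
    """Parse JSONL, skipping blank lines and '//' comment lines; a malformed
    line raises ValueError with its line number rather than being skipped."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError as e:
            raise ValueError(f"line {n}: invalid JSON ({e.msg})") from None
    return records


def check_audit(records, expected_hashes=40, expected_files=48):
    """Return a list of problems; an empty list means the trail is consistent."""
    problems = []
    steps = [r.get("step") for r in records]
    if steps != EXPECTED_ORDER:
        problems.append(f"unexpected step sequence: {steps}")
    stamps = [datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ") for r in records]
    if any(later < earlier for earlier, later in zip(stamps, stamps[1:])):
        problems.append("timestamps are not monotonic")
    by_step = {r["step"]: r for r in records}
    ext = by_step.get("extraction", {})
    total = ext.get("sha256_hashes", 0) + ext.get("sha1_hashes", 0)
    if total != expected_hashes:
        problems.append(f"hash count {total} != {expected_hashes}")
    if by_step.get("packaging", {}).get("files") != expected_files:
        problems.append("file count mismatch")
    if "mde" not in by_step.get("compilation", {}).get("platforms", []):
        problems.append("no MDE artifacts compiled")
    return problems


if __name__ == "__main__":
    records = parse_audit(AUDIT_JSONL)
    print(check_audit(records) or "audit trail consistent")
```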