
Reviewed threat activity

Cutting Edge Ivanti Connect Secure Exploitation

Cutting Edge activity against Ivanti Connect Secure and Policy Secure appliances showed how edge-device exploitation can lead to web shell persistence, credential theft, and log or artifact manipulation.

MITRE ATT&CK | Confidence: high

How The Activity Unfolds In ATT&CK

Cutting Edge is a strong edge-appliance case: exploitation starts at the internet boundary, persistence lands in the web layer of the appliance, credential material is targeted, and cleanup attempts (file and log removal) complicate investigation.

  1. T1190 Exploit Public-Facing Application. Internet-facing Ivanti systems provide the access path.
  2. T1505.003 Web Shell. Web shells maintain access to the appliance environment.
  3. T1552 Unsecured Credentials. The actor targets credential material reachable from the compromised system.
  4. T1070.004 File Deletion. Cleanup behavior attempts to reduce forensic visibility.

Defender Readout

This activity belongs in the top set because appliance compromise is now a core intrusion pattern: it yields perimeter access, offers stealth (appliances rarely run endpoint agents), and makes forensic recovery difficult once artifacts have been removed.

Evidence And Mapping Rationale

T1190 Exploit Public-Facing Application

MITRE maps the campaign to exploitation of exposed Ivanti appliances.

T1505.003 Web Shell

MITRE maps the campaign to web shell deployment for persistence and access.

T1552 Unsecured Credentials

MITRE maps the activity to credential access from exposed or weakly protected material.

T1070.004 File Deletion

MITRE maps the campaign to file deletion used to remove artifacts.