From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A threat actor first gained access through an exposed F5 BIG-IP load balancer, then pivoted to an internal Linux server and later compromised an internal Atlassian Confluence instance by exploiting a known vulnerability. From there, the attacker conducted broad discovery, stole credentials, and launched Kerberos and NTLM relay attacks against Windows domain assets. The operation relied on a mix of open-source tools and custom scripts for scanning, lateral movement, and data exfiltration.
Investigation
Microsoft Defender Security Research traced the intrusion from the compromised BIG-IP appliance to the internal Linux host, where investigators found a custom scanning tool downloaded from a malicious IP address. The analysis also documented use of utilities such as Nmap, gowitness, and Responder during the attack. Researchers further uncovered credential theft from Confluence configuration files, followed by relay attacks targeting the domain controller and other Windows resources.
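The credential theft described above works because Confluence keeps its database settings in `confluence.cfg.xml` as literal `<property>` values. The following audit script is an added example, not code from the write-up or from Atlassian: it lists secret-bearing properties that are still stored in plaintext (Confluence's own database password encryption replaces the literal and adds a `hibernate.connection.password.decrypter.classname` property, which the check honours) and reports whether the file is readable beyond its owner. Both sample files, the hostnames and the credential values are constructed for this example.

```python
"""Audit a Confluence configuration file for plaintext credentials and loose permissions.

Added example; not code from the write-up or from Atlassian. The two XML
samples are constructed for this example and every value in them is a placeholder.
"""
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the shape follows confluence.cfg.xml, the values are fake.
SAMPLE_CFG_PLAINTEXT = """<?xml version="1.0" encoding="UTF-8"?>
<confluence-configuration>
  <setupStep>complete</setupStep>
  <properties>
    <property name="hibernate.connection.url">jdbc:postgresql://db01.example.internal:5432/confluence</property>
    <property name="hibernate.connection.username">svc_confluence</property>
    <property name="hibernate.connection.password">Placeholder-Password-1</property>
    <property name="hibernate.connection.driver_class">org.postgresql.Driver</property>
  </properties>
</confluence-configuration>
"""

# The same file after database password encryption is configured: the literal is
# replaced by ciphertext and a decrypter class is named (Base64Cipher is the basic
# cipher Atlassian ships; a real deployment should use a stronger one).
SAMPLE_CFG_ENCRYPTED = SAMPLE_CFG_PLAINTEXT.replace(
    '<property name="hibernate.connection.password">Placeholder-Password-1</property>',
    '<property name="hibernate.connection.password">{ciphertext-placeholder}</property>\n'
    '    <property name="hibernate.connection.password.decrypter.classname">'
    'com.atlassian.db.config.password.ciphers.base64.Base64Cipher</property>',
)

# Property names that end in one of these words are treated as secrets.
SECRET_NAME = re.compile(r"(password|passwd|secret|token)$", re.IGNORECASE)


def plaintext_secrets(cfg_xml: str) -> list[str]:
    """Names of secret-looking properties that still hold a literal value."""
    root = ET.fromstring(cfg_xml)
    props = {p.get("name", ""): (p.text or "").strip() for p in root.iter("property")}
    return [
        name for name, value in props.items()
        if value
        and SECRET_NAME.search(name)
        and f"{name}.decrypter.classname" not in props  # encrypted, not plaintext
    ]


def readable_beyond_owner(mode: int) -> bool:
    """True if group or others can read the file; `mode` is the permission bits only."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_file(path: str) -> dict:
    """Run both checks against a file on disk and return the findings."""
    with open(path, encoding="utf-8") as fh:
        cfg_xml = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "plaintext_secrets": plaintext_secrets(cfg_xml),
        "mode": oct(mode),
        "readable_beyond_owner": readable_beyond_owner(mode),
    }


if __name__ == "__main__":
    import json
    import tempfile

    # Demonstrate on a temporary copy of the constructed plaintext sample.
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as tmp:
        tmp.write(SAMPLE_CFG_PLAINTEXT)
    os.chmod(tmp.name, 0o644)
    print(json.dumps(audit_file(tmp.name), indent=2))
    os.unlink(tmp.name)
```

Run `audit_file` against `<confluence-home>/confluence.cfg.xml` on the real host; a non-empty `plaintext_secrets` list means the credentials an attacker with file read could harvest, and those are the ones to rotate first.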
Mitigation
Organizations should treat internet-facing edge appliances as Tier-0 assets, apply strict patching and lifecycle management for aging or unsupported devices, and limit exposure of management interfaces. Internal web applications should be hardened and updated promptly against known vulnerabilities. Stronger authentication controls, including disabling NTLM where possible and enforcing SMB signing, can help reduce the impact of relay-based attacks.
Response
Defenders should alert on unusual SSH logins from unexpected IP addresses, monitor for unauthorized file transfers and execution of known scanning utilities, and block suspicious ELF binaries. Security teams should also rotate potentially exposed credentials, enforce least privilege for service accounts, and verify the integrity of Confluence and Active Directory configurations.
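The first response item, alerting on SSH logins that break the expected pattern, is easy to prototype over sshd's own log lines. The script below is an added example and is not part of the write-up; the log lines, hostnames, users and addresses are constructed, and `MGMT_NETS` and `APPLIANCE_ADDRS` are assumptions standing in for a site's real bastion range and edge-appliance addresses. It encodes the write-up's central observation: a load balancer's address should never be the source of an SSH session into a server.

```python
"""Flag sshd logins that do not fit the baseline.

Added example, not from the write-up. All log lines and addresses below are
constructed; the allowlists are assumptions for this example.
"""
import ipaddress
import re

# Constructed sshd auth-log excerpt (syslog format, Debian/Ubuntu style).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:41 app01 sshd[2211]: Accepted publickey for deploy from 10.10.5.20 port 51012 ssh2: ED25519 SHA256:c0nstructed1
Mar  3 09:13:07 app01 sshd[2290]: Accepted password for root from 10.250.0.8 port 44120 ssh2
Mar  3 09:13:09 app01 sshd[2290]: pam_unix(sshd:session): session opened for user root(uid=0) by (uid=0)
Mar  3 09:20:55 app01 sshd[2410]: Failed password for admin from 10.250.0.8 port 44188 ssh2
Mar  3 09:21:30 app01 sshd[2477]: Accepted publickey for deploy from 10.10.5.21 port 51044 ssh2: ED25519 SHA256:c0nstructed2
Mar  3 09:25:02 app01 sshd[2501]: Accepted publickey for ops from 192.0.2.77 port 60212 ssh2: RSA SHA256:c0nstructed3
"""

ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)

MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]        # assumed bastion / jump-host range
APPLIANCE_ADDRS = {ipaddress.ip_address("10.250.0.8")}     # assumed F5 BIG-IP self-IP
PRIVILEGED_USERS = {"root"}


def parse_accepted(log_text: str) -> list[dict]:
    """Return one record per successful sshd login found in the text."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            events.append({"user": m["user"], "method": m["method"], "ip": m["ip"], "raw": line})
    return events


def reasons(event: dict) -> list[str]:
    """Why this login deserves an alert; an empty list means it fits the baseline."""
    ip = ipaddress.ip_address(event["ip"])
    out = []
    if ip in APPLIANCE_ADDRS:
        out.append("source is an edge appliance that should never initiate SSH")
    elif not any(ip in net for net in MGMT_NETS):
        out.append("source outside management networks")
    if event["user"] in PRIVILEGED_USERS:
        out.append("direct login as privileged account")
    if event["method"] == "password":
        out.append("password authentication instead of key")
    return out


def suspicious_logins(log_text: str) -> list[tuple[dict, list[str]]]:
    """Pair each out-of-baseline login with the reasons it was flagged."""
    flagged = []
    for event in parse_accepted(log_text):
        why = reasons(event)
        if why:
            flagged.append((event, why))
    return flagged


if __name__ == "__main__":
    for event, why in suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"{event['user']}@{event['ip']} ({event['method']}): {'; '.join(why)}")
```

On the constructed input the root login from the appliance address trips all three checks at once, which is the shape of the F5-to-Linux hop in this intrusion; the `ops` login from 192.0.2.77 is flagged only for its source and would be tuned by extending `MGMT_NETS`.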
Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef technique fill:#c2e0ff
  classDef tool fill:#e6e6e6
  classDef credential fill:#ffdd99

  %% Step 1 – Exploit Public-Facing Application
  step1_exploit["<b>Technique</b> – <b>T1190 Exploit Public-Facing Application</b><br/><b>Description</b>: Adversary exploits a vulnerability in an Internet-exposed service to gain initial access."]
  class step1_exploit technique

  %% Tool – Vulnerable F5 BIG-IP
  tool_f5["<b>Tool</b> – <b>Name</b>: F5 BIG-IP load balancer (vulnerable)<br/><b>CVE</b>: CVE-2025-53521"]
  class tool_f5 tool

  %% Step 2 – Exploitation of Remote Services
  step2_remote["<b>Technique</b> – <b>T1210 Exploitation of Remote Services</b><br/><b>Description</b>: Use the same vulnerability to execute code on the target system and move laterally."]
  class step2_remote technique

  %% Step 3 – SSH Remote Services
  step3_ssh["<b>Technique</b> – <b>T1021.004 SSH</b><br/><b>Description</b>: Authenticate via SSH with a privileged account to an internal Linux host."]
  class step3_ssh technique

  %% Step 4 – Remote Service Session Hijacking
  step4_hijack["<b>Technique</b> – <b>T1563.001 Remote Service Session Hijacking</b><br/><b>Description</b>: Maintain a live interactive SSH session for command execution."]
  class step4_hijack technique

  %% Step 5 – Active Scanning (IP Blocks)
  step5_ipscan["<b>Technique</b> – <b>T1595.001 Scanning IP Blocks</b><br/><b>Description</b>: Run Nmap scripts to discover active hosts and open ports across internal subnets."]
  class step5_ipscan technique

  %% Tool – Nmap
  tool_nmap["<b>Tool</b> – <b>Name</b>: Nmap<br/><b>Purpose</b>: Network discovery and port scanning"]
  class tool_nmap tool

  %% Step 6 – Active Scanning (Vulnerability)
  step6_vulnscan["<b>Technique</b> – <b>T1595.002 Vulnerability Scanning</b><br/><b>Description</b>: Use custom scanner and gowitness to locate vulnerable internal applications such as Confluence."]
  class step6_vulnscan technique

  %% Tool – gowitness
  tool_gowitness["<b>Tool</b> – <b>Name</b>: gowitness<br/><b>Purpose</b>: Capture screenshots of web services for enumeration"]
  class tool_gowitness tool

  %% Step 7 – System Network Configuration Discovery
  step7_netconfig["<b>Technique</b> – <b>T1016 System Network Configuration Discovery</b><br/><b>Description</b>: Collect network configuration details to map the environment."]
  class step7_netconfig technique

  %% Step 8 – File and Directory Discovery
  step8_filedisc["<b>Technique</b> – <b>T1083 File and Directory Discovery</b><br/><b>Description</b>: Enumerate files on the compromised Linux host and Confluence server (e.g., server.xml, confluence.cfg.xml)."]
  class step8_filedisc technique

  %% Step 9 – Unsecured Credentials
  step9_creds["<b>Technique</b> – <b>T1552 Unsecured Credentials</b><br/><b>Description</b>: Extract service account credentials from configuration files."]
  class step9_creds technique

  %% Credential node
  cred_service["<b>Credential</b> – Harvested service account credentials"]
  class cred_service credential

  %% Step 10 – Valid Accounts
  step10_valid["<b>Technique</b> – <b>T1078 Valid Accounts</b><br/><b>Description</b>: Re-use harvested Confluence credentials to authenticate to Active Directory services."]
  class step10_valid technique

  %% Step 11 – Lateral Movement via Remote Services
  step11_lateral["<b>Technique</b> – <b>T1021 Remote Services</b><br/><b>Description</b>: Attempt NTLM-based lateral movement using enumeration and file sharing tools."]
  class step11_lateral technique

  %% Tools – enum4linux, netexec, smbclient
  tool_enum4linux["<b>Tool</b> – <b>Name</b>: enum4linux<br/><b>Purpose</b>: Gather Windows enumeration data"]
  class tool_enum4linux tool
  tool_netexec["<b>Tool</b> – <b>Name</b>: netexec<br/><b>Purpose</b>: Execute commands over SMB"]
  class tool_netexec tool
  tool_smbclient["<b>Tool</b> – <b>Name</b>: smbclient<br/><b>Purpose</b>: Access SMB shares"]
  class tool_smbclient tool

  %% Step 12 – Authentication Coercion and NTLM Relay
  step12_relay["<b>Technique</b> – <b>T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay</b><br/><b>Description</b>: Coerce NTLM authentication with PetitPotam and relay it to domain controllers and other Windows hosts."]
  class step12_relay technique

  %% Tool – PetitPotam
  tool_petitpotam["<b>Tool</b> – <b>Name</b>: PetitPotam<br/><b>Purpose</b>: Coerce NTLM authentication from Windows hosts via MS-EFSRPC so it can be relayed"]
  class tool_petitpotam tool

  %% Step 13 – Steal or Forge Kerberos Tickets
  step13_kerb["<b>Technique</b> – <b>T1558 Steal or Forge Kerberos Tickets</b><br/><b>Description</b>: Obtain privileged Kerberos tickets to further compromise AD."]
  class step13_kerb technique

  %% Step 14 – File and Directory Permissions Modification
  step14_perm["<b>Technique</b> – <b>T1222.002 File and Directory Permissions Modification: Linux and Mac</b><br/><b>Description</b>: Add executable permissions (chmod +x) to downloaded ELF binaries before execution."]
  class step14_perm technique

  %% Step 15 – Deploy Web Shell
  step15_webshell["<b>Technique</b> – <b>T1505.003 Server Software Component: Web Shell</b><br/><b>Description</b>: Deploy a web shell on the Confluence server for persistence."]
  class step15_webshell technique

  %% Step 16 – Application Layer Protocols (File Transfer & Web)
  step16_transfer["<b>Technique</b> – <b>T1071.002 Application Layer Protocol: File Transfer Protocols</b> & <b>T1071.001 Web Protocols</b><br/><b>Description</b>: Transfer tools and payloads via FTP and HTTP."]
  class step16_transfer technique

  %% Step 17 – Exfiltration Over Alternative Protocol
  step17_exfil["<b>Technique</b> – <b>T1048 Exfiltration Over Alternative Protocol</b><br/><b>Description</b>: Exfiltrate data and tooling using non-standard application protocols."]
  class step17_exfil technique

  %% Connections
  step1_exploit -->|exploits| tool_f5
  step1_exploit -->|leads_to| step2_remote
  step2_remote -->|uses| step3_ssh
  step3_ssh -->|maintains| step4_hijack
  step4_hijack -->|enables| step5_ipscan
  step5_ipscan -->|uses| tool_nmap
  step5_ipscan -->|leads_to| step6_vulnscan
  step6_vulnscan -->|uses| tool_gowitness
  step6_vulnscan -->|leads_to| step7_netconfig
  step7_netconfig -->|leads_to| step8_filedisc
  step8_filedisc -->|leads_to| step9_creds
  step9_creds -->|produces| cred_service
  step9_creds -->|leads_to| step10_valid
  step10_valid -->|uses| cred_service
  step10_valid -->|enables| step11_lateral
  step11_lateral -->|uses| tool_enum4linux
  step11_lateral -->|uses| tool_netexec
  step11_lateral -->|uses| tool_smbclient
  step11_lateral -->|leads_to| step12_relay
  step12_relay -->|uses| tool_petitpotam
  step12_relay -->|leads_to| step13_kerb
  step13_kerb -->|leads_to| step14_perm
  step14_perm -->|leads_to| step15_webshell
  step15_webshell -->|enables| step16_transfer
  step16_transfer -->|enables| step17_exfil

  %% Class assignments
  class step1_exploit,step2_remote,step3_ssh,step4_hijack,step5_ipscan,step6_vulnscan,step7_netconfig,step8_filedisc,step9_creds,step10_valid,step11_lateral,step12_relay,step13_kerb,step14_perm,step15_webshell,step16_transfer,step17_exfil action
  class tool_f5,tool_nmap,tool_gowitness,tool_enum4linux,tool_netexec,tool_smbclient,tool_petitpotam tool
  class cred_service credential
```
Detections
- Possible C2 Communications Over HTTP To Direct IP With Uncommon Port (via proxy)
- Possible Base64 Encoded Strings Manipulation (via cmdline)
- Dangerous Permissions for a Binary/Script/Folder was set (via cmdline)
- Remote File Upload / Download via Standard Tools (via cmdline)
- IOCs (HashSha256) to detect: From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
- IOCs (SourceIP) to detect: From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
- IOCs (Files) to detect: From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
- IOCs (URL) to detect: From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
- IOCs (DestinationIP) to detect: From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
- Multi-Stage Linux Intrusion via F5 BIG-IP and Confluence [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:

Stage 1 – Privileged SSH Access from F5 BIG-IP
- An adversary has obtained credentials for the privileged account `privileged_account` on an F5 BIG-IP appliance.
- Using the appliance's management SSH service, the attacker opens a session to the target Linux host, injecting the environment variable `HOSTNAME=F5_BIG-IP_device` to satisfy the rule's `SourceHostName` match.
- Note that exporting `HOSTNAME` only changes the environment inherited by child processes; it does not alter sshd's own record of the connecting address. The simulation therefore exercises the rule's field logic, not a real cross-host login.

Stage 2 – Network Reconnaissance (nmap)
- Within the SSH session, the attacker runs `nmap` against the internal subnet to map live hosts and services.

Stage 3 – Web-Service Reconnaissance (gowitness)
- After identifying web servers, the attacker invokes `gowitness` to capture screenshots of HTTP/HTTPS endpoints.

Evasion Avoidance (Rule-specific)
- No use of Python's `ftplib`; thus the `exclusion_ftp` clause does not fire.
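To see why the three stages above produce an alert while the `exclusion_ftp` clause suppresses one, the following added example evaluates the rule's logic over constructed process-creation events. It is not the vendor's rule text, which this page does not reproduce: the rule is reconstructed from what the simulation notes say it keys on (a `SourceHostName` identifying the F5 BIG-IP, a privileged account, execution of `nmap` or `gowitness`, and an `exclusion_ftp` clause for Python's `ftplib`). The field names, the selection names other than `exclusion_ftp`, and the sample events are assumptions made for this example.

```python
"""Evaluate a Sigma-style process-creation rule over sample events.

Added example; the rule is reconstructed from the simulation notes and is not
the vendor's rule text. Field names, selection names other than exclusion_ftp,
and the events below are assumptions made for this example.
"""

RULE = {
    "title": "Multi-Stage Linux Intrusion via F5 BIG-IP and Confluence [Linux Process Creation]",
    "detection": {
        "selection_source": {"SourceHostName|contains": "F5_BIG-IP"},
        "selection_user": {"User": ["privileged_account", "root"]},
        "selection_tool": {"CommandLine|contains": ["nmap", "gowitness"]},
        "exclusion_ftp": {"CommandLine|contains": "ftplib"},
        # Sigma would write this as: all of selection_* and not exclusion_ftp
        "condition": {
            "all_of": ["selection_source", "selection_user", "selection_tool"],
            "none_of": ["exclusion_ftp"],
        },
    },
}

# Constructed events in the shape of normalised Linux process-creation telemetry.
SAMPLE_EVENTS = [
    {"SourceHostName": "F5_BIG-IP_device", "User": "privileged_account",
     "Image": "/usr/bin/nmap", "CommandLine": "nmap -sn 10.0.0.0/24"},
    {"SourceHostName": "F5_BIG-IP_device", "User": "privileged_account",
     "Image": "/usr/local/bin/gowitness",
     "CommandLine": "gowitness file -f /tmp/discovered_web_hosts.txt"},
    # Mentions "nmap" only as a file name, and uses ftplib: exclusion_ftp suppresses it.
    {"SourceHostName": "F5_BIG-IP_device", "User": "privileged_account",
     "Image": "/usr/bin/python3",
     "CommandLine": "python3 -c 'import ftplib; ftplib.FTP(\"10.0.0.9\").storbinary(\"STOR nmap.xml\", open(\"nmap.xml\",\"rb\"))'"},
    # Same scan from a normal host and account: selection_source and selection_user fail.
    {"SourceHostName": "bastion01", "User": "deploy",
     "Image": "/usr/bin/nmap", "CommandLine": "nmap -sn 10.0.0.0/24"},
]


def field_matches(event: dict, key: str, expected) -> bool:
    """Match one 'Field' or 'Field|contains' key; a list of values is ORed."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, ""))
    wanted = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(w.lower() in actual.lower() for w in wanted)
    if modifier == "":
        return actual in wanted
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event: dict, selection: dict) -> bool:
    """All fields inside one selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: dict, rule: dict = RULE) -> bool:
    """Evaluate the condition: every all_of selection true, no none_of selection true."""
    det = rule["detection"]
    cond = det["condition"]
    truth = {name: selection_matches(event, sel) for name, sel in det.items() if name != "condition"}
    return all(truth[n] for n in cond["all_of"]) and not any(truth[n] for n in cond["none_of"])


def matching_indices(events: list[dict], rule: dict = RULE) -> list[int]:
    """Indices of the events that would raise the alert."""
    return [i for i, ev in enumerate(events) if rule_matches(ev, rule)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        print(f"ALERT [{RULE['title']}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The third event is the caveat the `exclusion_ftp` clause carries: a substring match on `nmap` is loose enough to catch an unrelated `nmap.xml` upload, and the exclusion is what keeps that out of the alert queue. The fourth event shows that the rule is scoped to the appliance source and privileged account, so ordinary scans from a bastion stay silent.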
Regression Test Script:

```bash
#!/usr/bin/env bash
#
# Multi-Stage Intrusion Simulation – triggers the Sigma rule.
# Prerequisites: nmap and gowitness installed and on $PATH. No root or sudo is
# needed: "nmap -sn" works unprivileged, and the exported variables only shape
# the environment of this shell and its children.
#
set -euo pipefail

# -------------------------------------------------
# Stage 1 – Simulate privileged SSH login from F5
# -------------------------------------------------
export HOSTNAME="F5_BIG-IP_device"
export LOGNAME="privileged_account"
export USER="privileged_account"
echo "[*] Simulating privileged SSH session from ${HOSTNAME} as ${USER}"

# -------------------------------------------------
# Stage 2 – Run nmap (network discovery)
# -------------------------------------------------
TARGET_NET="${TARGET_NET:-10.0.0.0/24}"   # override to match the lab subnet
HOSTS_FILE=/tmp/discovered_web_hosts.txt
echo "[*] Running nmap scan on internal subnet ${TARGET_NET}"
# Grepable output lines look like "Host: 10.0.0.5 ()  Status: Up"; keep each live
# host as an http:// URL so gowitness has something to visit in Stage 3.
nmap -sn -oG - "${TARGET_NET}" | awk '/Status: Up/ {print "http://" $2}' > "${HOSTS_FILE}"
echo "[*] $(wc -l < "${HOSTS_FILE}") live host(s) written to ${HOSTS_FILE}"

# -------------------------------------------------
# Stage 3 – Run gowitness (web-service enumeration)
# -------------------------------------------------
echo "[*] Executing gowitness against discovered web hosts"
# gowitness 2.x syntax; gowitness 3.x renamed this to "gowitness scan file -f".
gowitness file -f "${HOSTS_FILE}"

echo "[+] Simulation complete – expected alert should be generated."
```
Cleanup Commands:

```bash
#!/usr/bin/env bash
#
# Cleanup for the multi-stage intrusion simulation
#
set -euo pipefail

# Remove the host list fed to gowitness and the artefacts gowitness 2.x writes
# to its working directory by default (screenshots/ and gowitness.sqlite3).
rm -f /tmp/discovered_web_hosts.txt
rm -rf ./screenshots ./gowitness.sqlite3

# Unset the environment variables used for the simulation. This only affects the
# shell running this script; run the same line in the simulation shell as well.
unset HOSTNAME LOGNAME USER
echo "[*] Cleanup complete."
```