Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
ID: 2c370579-fdab-5c95-8e51-487f8830f571
STIX ID: report--2c370579-fdab-5c95-8e51-487f8830f571
Feed Name: Threat Intelligence
This report describes exploitation of ASP.NET ViewState deserialization (enabled by a reused or known machineKey) against KnowledgeDeliver instances, resulting in in-memory BLUEBEAM web shell deployment, tampering with web files to serve malicious installers, and subsequent Cobalt Strike BEACON infections. It includes observed indicators (event IDs, anomalous User-Agent strings, suspicious w3wp.exe child processes), hunting guidance, and remediation steps such as rotating machine keys and restricting access to the LMS.
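One way to operationalise the w3wp.exe child-process indicator mentioned in the summary, as an added example that is not part of the report: it scans Sysmon-style process-creation records and flags children of the IIS worker process, rating shells and script hosts as high. The field names, the constructed sample events and the allowlist of expected children are assumptions to be tuned against a known-good host.

```python
# Added example (not from the report): hunt unexpected children of w3wp.exe.
# Field names, sample events and the allowlist below are assumptions.
from typing import Optional

# Children a web shell commonly spawns; rated high if seen under w3wp.exe.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
# Children ASP.NET itself may spawn (dynamic page compilation); baseline per host.
EXPECTED_CHILDREN = {"csc.exe", "cvtres.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious w3wp.exe child, or None if benign."""
    if _basename(event["ParentImage"]) != "w3wp.exe":
        return None
    child = _basename(event["Image"])
    if child in EXPECTED_CHILDREN:
        return None
    severity = "high" if child in SHELL_CHILDREN else "medium"
    return {"severity": severity, "child": child,
            "user": event["User"], "cmdline": event["CommandLine"]}


def hunt(events: list) -> list:
    """Run classify() over all events and keep only the findings."""
    return [f for f in map(classify, events) if f is not None]


# Constructed sample events (not observed data); the app pool name is made up.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
POOL = r"IIS APPPOOL\LmsPool"
SAMPLE_EVENTS = [
    {"ParentImage": W3WP, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": POOL},
    {"ParentImage": W3WP, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden", "User": POOL},
    {"ParentImage": W3WP, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig", "User": POOL},
    {"ParentImage": W3WP, "Image": r"C:\Windows\Temp\svc-update.exe",
     "CommandLine": "svc-update.exe", "User": POOL},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']}: {f['cmdline']}")
```

Correlating each finding with the IIS request log for the same app pool (anomalous User-Agent strings, as the report notes) narrows medium-severity hits to the requests that triggered them.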
