Not much on the mitigation side has been mentioned by the attacker or in any of the reporting. So funny that none of the companies used to defend the network have been named except Okta, which was a big part of allowing them to have persistence. They did mention ESXi, so I'm wondering if it was the Carbon Black stuff or something else? The endpoint software was fooled by the old code-signing certificates (and to be fair, this would get 99% of EDR and antivirus endpoint agents), but AlphaV's blog on their darknet site did mention that they knew they were exposed at various points in the breach that led up to the ransomware getting deployed. I'd love to know what exposed some of their TTPs and to at least get a better idea of where their playbooks were weak (also mentioned by the attacker). Anyone with information on their SIEM, EDR, firewalls, or other controls? Any idea which logs they found? (Likely AAD or Okta, I'm sure, but I wanted to confirm.)