Exploit / remedy library

Exploit classes and architectural response.

Recent incidents show recurring structural failure modes: exposed infrastructure, trusted-tool abuse, malicious package execution, credentialed control paths, covert network behavior, and delayed execution influence. IVD maps these failures to bounded architectural responses across IVD-N and IVD-ACP.

These are architectural mapping cards, not evidence cards. They map public incident patterns to the IVD response surfaces where IVD-N and/or IVD-ACP would apply; they are not claims that IVD prevented, detected, or mitigated the named incidents in production. Test evidence is summarized separately.

Blockade Spider Cross Domain Ransomware

Cross-domain ransomware operations exploit trusted administrative paths, payload staging, credential access, and policy propagation. IVD-ACP challenges execution-bearing actions before they become enterprise-wide blast paths, while IVD-N may assist when coordinated network behavior becomes observable.

Surface: Cross-domain identity, ransomware staging, privileged execution, enterprise-wide detonation

Primary IVD prong: IVD-ACP

Secondary IVD prong: IVD-N where correlated behavior emerges

Failure path: Trusted administrative paths, credential access, payload staging, and policy propagation become execution channels before policy meaningfully engages.

IVD architectural response: IVD-ACP evaluates scripts, payloads, and privileged actions before trust is granted; IVD-N can contribute if staging or command traffic becomes behaviorally correlatable.

Claim boundary: This is an architectural mapping example, not a claim of deployment, prevention, attribution, or incident-specific validation.

Control-path summary
  • What enters the system: staged payloads, admin commands, credentialed changes, and detonation paths.
  • Where IVD observes it: IVD-ACP at the execution boundary; IVD-N if correlated command traffic becomes visible.
  • What decision is made: authority is limited, sandboxed, or denied before execution inheritance.
  • What enforcement action follows: execution gating, quarantine, or bounded network suppression where applicable.
  • What is explicitly not claimed: no claim of deployment, prevention, or named-incident validation.

China-Nexus Edge-Device Exploitation and Covert Network Abuse

Compromised edge devices, and the covert infrastructure built on them, produce low-attribution network behavior. IVD-N surfaces that behavior as correlated macro-patterns, while IVD-ACP challenges the associated tooling and staged actions before trust is granted.

Surface: Edge devices, routers, firewalls, VPNs, and SOHO infrastructure

Primary IVD prong: IVD-N

Secondary IVD prong: IVD-ACP

Failure path: Compromised perimeter devices become covert infrastructure and command surfaces with weak attribution and persistent control channels.

IVD architectural response: IVD-N treats the behavior as an upstream macro-pattern, while IVD-ACP constrains associated tooling, staged actions, or execution-bearing follow-on activity.

Claim boundary: This is an architectural mapping example, not a claim of deployment, prevention, attribution, or incident-specific validation.

Control-path summary
  • What enters the system: malicious flows, relay behavior, compromised tooling, and control-plane abuse.
  • Where IVD observes it: IVD-N across distributed network behavior; IVD-ACP at tool or artifact execution boundaries.
  • What decision is made: network behavior is collapsed into bounded mitigation candidates and unsafe tool actions are gated.
  • What enforcement action follows: scoped upstream suppression and authority-state assignment for associated execution paths.
  • What is explicitly not claimed: no claim of deployment, attribution, or incident-specific operational use.

Hollow Panda / Check Point VPN Compromise and DNS Tunneling

VPN compromise and DNS tunneling create persistent footholds and covert command paths. IVD-N models them through behavioral deviation and DNS-pattern correlation; IVD-ACP applies pre-execution control to the staged follow-on actions.

Surface: VPN perimeter, DNS, and covert command channels

Primary IVD prong: IVD-N

Secondary IVD prong: IVD-ACP

Failure path: Perimeter compromise creates persistent footholds, covert DNS command channels, and follow-on execution opportunities.

IVD architectural response: IVD-N observes DNS-pattern and flow behavior as macro-objects; IVD-ACP constrains staged tools, scripts, or admin actions before privileged execution.

Claim boundary: This is an architectural mapping example, not a claim of deployment, prevention, attribution, or incident-specific validation.

Control-path summary
  • What enters the system: compromised VPN access, covert DNS traffic, and follow-on payloads or scripts.
  • Where IVD observes it: IVD-N across network and DNS behavior; IVD-ACP at execution-bearing artifact boundaries.
  • What decision is made: traffic is classified for bounded suppression and follow-on execution is restricted by authority state.
  • What enforcement action follows: upstream mitigation and execution gating where trust inheritance would otherwise occur.
  • What is explicitly not claimed: no claim of deployment, named-incident detection, or prevention.
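
The "DNS-pattern correlation" named in this card is, in practice, per-domain behavioral statistics rather than indicator matching. The block below is an added example that is not part of this page and not IVD-N's algorithm or data model: it profiles a constructed query log per registered domain (label length, label entropy, subdomain churn, share of TXT/NULL queries) and flags a domain only when several indicators agree. The log format, thresholds, client addresses and domain names are assumptions of the example.

```python
"""Profile DNS query logs per registered domain and flag tunnelling candidates.

Added illustration for this page; the indicators, thresholds and log format are
assumptions of this example, not IVD-N's algorithm or data model.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<epoch> <client> <qtype> <qname>" per line.
# 10.0.0.12 browses normally (including a CDN with hashed hostnames);
# 10.0.0.55 pushes fresh high-entropy labels over TXT/NULL to one domain.
SAMPLE_LOG = """\
1700000000 10.0.0.12 A    www.example.com
1700000001 10.0.0.12 A    cdn.example.com
1700000002 10.0.0.12 AAAA mail.example.com
1700000003 10.0.0.12 A    www.example.com
1700000004 10.0.0.12 A    static.example.com
1700000005 10.0.0.12 A    img-a1b2c3.media-cdn.invalid
1700000006 10.0.0.12 A    img-d4e5f6.media-cdn.invalid
1700000007 10.0.0.12 A    img-78e9f0.media-cdn.invalid
1700000000 10.0.0.55 TXT  7a9f3c1e2b8d4f60a1c2e3f4.c2-relay.invalid
1700000001 10.0.0.55 TXT  9b1d0e7f5a3c2b4d8e6f1a2b.c2-relay.invalid
1700000002 10.0.0.55 TXT  3f2a1b4c5d6e7f8091a2b3c4.c2-relay.invalid
1700000003 10.0.0.55 TXT  c4d5e6f708192a3b4c5d6e7f.c2-relay.invalid
1700000004 10.0.0.55 TXT  81b2c3d4e5f60718293a4b5c.c2-relay.invalid
1700000005 10.0.0.55 TXT  e5f60718293a4b5c6d7e8f90.c2-relay.invalid
1700000006 10.0.0.55 NULL 0a1b2c3d4e5f60718293a4b5.c2-relay.invalid
1700000007 10.0.0.55 TXT  6e7f8091a2b3c4d5e6f70819.c2-relay.invalid
"""

RARE_QTYPES = {"TXT", "NULL"}
MIN_MEAN_LABEL_LEN = 20        # encoded payload needs long labels
MIN_MEAN_ENTROPY = 3.0         # bits per character; hex/base32 sits well above
MIN_UNIQUE_RATIO = 0.7         # tunnels almost never repeat a subdomain
MIN_RARE_QTYPE_FRACTION = 0.5  # TXT/NULL answers carry the most downstream data
REQUIRED_INDICATORS = 3        # any single indicator also matches benign CDNs


def shannon_entropy(s):
    """Bits of entropy per character of a label string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain, registered_domain). Assumes the registered domain is
    the last two labels; a real detector would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname = line.split()
            records.append((int(ts), client, qtype.upper(), qname))
    return records


def profile_domains(records):
    """Per registered domain: raw statistics, indicator count and verdict."""
    by_domain = defaultdict(list)
    for _ts, client, qtype, qname in records:
        sub, dom = split_name(qname)
        by_domain[dom].append((client, qtype, sub))
    report = {}
    for dom, rows in by_domain.items():
        n = len(rows)
        subs = [sub for _, _, sub in rows]
        stats = {
            "queries": n,
            "clients": len({client for client, _, _ in rows}),
            "mean_label_len": sum(map(len, subs)) / n,
            "mean_entropy": sum(map(shannon_entropy, subs)) / n,
            "unique_ratio": len(set(subs)) / n,
            "rare_qtype_fraction": sum(q in RARE_QTYPES for _, q, _ in rows) / n,
        }
        hits = [
            stats["mean_label_len"] >= MIN_MEAN_LABEL_LEN,
            stats["mean_entropy"] >= MIN_MEAN_ENTROPY,
            stats["unique_ratio"] >= MIN_UNIQUE_RATIO,
            stats["rare_qtype_fraction"] >= MIN_RARE_QTYPE_FRACTION,
        ]
        stats["indicators"] = sum(hits)
        stats["verdict"] = ("tunnel-candidate"
                            if stats["indicators"] >= REQUIRED_INDICATORS else "benign")
        report[dom] = stats
    return report


def tunnel_candidates(text=SAMPLE_LOG):
    """Sorted list of registered domains whose profile crossed the indicator bar."""
    report = profile_domains(parse_log(text))
    return sorted(d for d, s in report.items() if s["verdict"] == "tunnel-candidate")


if __name__ == "__main__":
    for dom, stats in profile_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{dom:20} indicators={stats['indicators']} verdict={stats['verdict']}")
```

The verdict needs three of the four indicators: the hashed-hostname CDN in the sample scores two (entropy and uniqueness) and stays benign, which is the false-positive pattern any DNS heuristic has to survive. A production detector would also window by time and per client, and would use the public suffix list rather than the last-two-labels assumption here.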

Iran-Affiliated PLC Exploitation of U.S. Critical Infrastructure

Exposed OT control surfaces call for protocol-aware monitoring, privileged-action control, and service-preserving enforcement, evaluated both across upstream network behavior (IVD-N) and at execution-boundary authority states (IVD-ACP).

Surface: OT, PLCs, SCADA/HMI, and remote engineering access

Primary IVD prong: IVD-ACP

Secondary IVD prong: IVD-N

Failure path: Remote engineering access and exposed OT interfaces allow privileged actions to reach industrial control surfaces before authority is meaningfully constrained.

IVD architectural response: IVD-ACP assigns explicit authority states to engineering actions and tooling; IVD-N can constrain correlated network behavior while preserving legitimate service paths.

Claim boundary: This is an architectural mapping example, not a claim of deployment, prevention, attribution, or incident-specific validation.

Control-path summary
  • What enters the system: remote engineering sessions, commands, control updates, and supporting network traffic.
  • Where IVD observes it: IVD-ACP at privileged action boundaries and IVD-N across coordinated transport behavior.
  • What decision is made: actions are constrained to explicit authority states and suspicious network behavior is evaluated for bounded response.
  • What enforcement action follows: execution gating, quarantine, or scoped mitigation designed to preserve critical operations.
  • What is explicitly not claimed: no claim of OT deployment, incident prevention, or named-case validation.

Microsoft Teams Helpdesk Impersonation Attack

Socially engineered support workflows become execution paths unless tool launches, scripts, extensions, and command channels are challenged before execution, and unless coordinated network behavior is correlated when it appears.

Surface: Social trust, remote support, script execution, and browser extension abuse

Primary IVD prong: IVD-ACP

Secondary IVD prong: IVD-N where network behavior becomes correlatable

Failure path: A socially engineered support interaction becomes a trusted route for scripts, extensions, or commands to inherit elevated authority.

IVD architectural response: IVD-ACP evaluates tools, scripts, and extension actions before trusted execution; IVD-N contributes if follow-on command traffic becomes behaviorally coherent.

Claim boundary: This is an architectural mapping example, not a claim of deployment, prevention, attribution, or incident-specific validation.

Control-path summary
  • What enters the system: remote-support actions, scripts, browser extensions, and follow-on commands.
  • Where IVD observes it: IVD-ACP at the execution and privilege boundary; IVD-N if command traffic becomes visible across the network.
  • What decision is made: authority is restricted before trusted execution is inherited.
  • What enforcement action follows: deny, sandbox, summarize, or quarantine the action path; network suppression if correlated behavior emerges.
  • What is explicitly not claimed: no claim of social-engineering prevention or incident-specific deployment.

Mythos-Class AI Vulnerability Discovery and Exploitation Risk

AI-accelerated vulnerability discovery and tool-driven execution raise the need for pre-execution admissibility checks and coordinated propagation control before unsafe artifacts, prompts, and commands become trusted system inputs.

Surface: AI-assisted exploitation, agent tools, retrieval poisoning, and exploit-to-botnet transition

Primary IVD prong: IVD-ACP

Secondary IVD prong: IVD-N

Failure path: Tool-using AI systems and poisoned retrieval paths can convert unsafe prompts, artifacts, or commands into trusted execution or coordinated propagation.

IVD architectural response: IVD-ACP evaluates admissibility before tools, prompts, scripts, or packages inherit authority; IVD-N constrains multi-node or botnet-style behavior if propagation becomes network-visible.

Claim boundary: This is an architectural mapping example, not a claim of deployment, prevention, attribution, or incident-specific validation.

Control-path summary
  • What enters the system: prompts, retrieved content, tool actions, artifacts, and exploit-bearing instructions.
  • Where IVD observes it: IVD-ACP before indexing or execution; IVD-N if distributed control or propagation becomes observable.
  • What decision is made: authority is explicitly limited before execution, indexing, or tool invocation proceeds.
  • What enforcement action follows: deny, sandbox, summarize, or quarantine; upstream suppression if coordinated network behavior emerges.
  • What is explicitly not claimed: no claim that IVD was deployed in a named AI incident or that it prevented a public incident in production.

Salt Typhoon Operation - Network Device Exploitation

Network device exploitation creates covert infrastructure that multiple actors reuse. IVD-N treats that activity as behavior-class macro-objects rather than isolated indicators, while staged artifacts and control surfaces remain subject to IVD-ACP admissibility control.

Surface: Routers, firewalls, VPNs, gateways, and covert relay infrastructure

Primary IVD prong: IVD-N

Secondary IVD prong: IVD-ACP

Failure path: Network devices become covert infrastructure and persistent relay surfaces that support long-lived access and follow-on control activity.

IVD architectural response: IVD-N treats distributed relay behavior as a bounded macro-object; IVD-ACP constrains related tooling, artifacts, or command paths before trusted execution.

Claim boundary: This is an architectural mapping example, not a claim of deployment, prevention, attribution, or incident-specific validation.

Control-path summary
  • What enters the system: compromised device traffic, relay behavior, and associated administrative or tooling actions.
  • Where IVD observes it: IVD-N in the network domain and IVD-ACP where tools or commands cross execution boundaries.
  • What decision is made: macro-object correlation informs bounded suppression and execution-bearing actions receive explicit authority states.
  • What enforcement action follows: scoped upstream mitigation and controlled execution pathways.
  • What is explicitly not claimed: no claim of named-operation attribution, deployment, or prevention.

The Gentlemen Ransomware Attack

Ransomware staging and execution chains depend on trusted admin surfaces, payload admission, credential access, and policy mutation. IVD-ACP constrains those execution-boundary decisions while IVD-N contributes where coordinated network behavior becomes visible.

Surface: Domain admin, payload execution, credential theft, and domain-wide detonation

Primary IVD prong: IVD-ACP

Secondary IVD prong: IVD-N as applicable

Failure path: Trusted administrative authority is abused to stage, launch, and propagate ransomware before policy meaningfully constrains the execution path.

IVD architectural response: IVD-ACP evaluates payloads, scripts, and privileged commands before they receive trusted execution; IVD-N can support where lateral or command traffic becomes behaviorally coherent.

Claim boundary: This is an architectural mapping example, not a claim of deployment, prevention, attribution, or incident-specific validation.

Control-path summary
  • What enters the system: privileged commands, staged payloads, credentials, and detonation logic.
  • Where IVD observes it: IVD-ACP at execution and authority boundaries; IVD-N if correlated propagation traffic becomes visible.
  • What decision is made: execution authority is explicitly constrained before blast-radius expansion.
  • What enforcement action follows: deny, sandbox, or quarantine execution paths, with scoped network response where applicable.
  • What is explicitly not claimed: no claim of deployment, prevention, or named-ransomware response validation.

VECT Ransomware: Wiper by Accident

VECT 2.0 is a Ransomware-as-a-Service platform whose nonce implementation flaw irreversibly destroys files above 128 KB, so for data above that threshold it functions as a wiper rather than as recoverable encryption: no decryptor, including one supplied by the operators, can bring those files back. IVD-ACP gates mass file operations, destructive process chains, and storage access before irreversible commit. IVD-N assists where coordinated exfiltration or extortion staging becomes network-visible.
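
The page states only that a nonce implementation flaw makes files above 128 KB unrecoverable; it does not describe the flaw. The block below is an added illustration, not VECT's code and not a claim about its internals, of one way a nonce-handling bug produces exactly this size-thresholded, irreversible behavior: a chunked file encryptor that draws a fresh nonce for every chunk (correct in itself) but writes only the first chunk's nonce to disk, so every later chunk is sealed under a nonce nobody has. The 128 KB chunk size is chosen to mirror the page's threshold; the cipher is a deliberately simple hash-based keystream with an HMAC tag standing in for a real AEAD, and the fixed layout stores one nonce per chunk.

```python
"""Why losing per-chunk nonces turns chunked encryption into a size-thresholded wiper.

Added illustration for this page: a hypothetical layout bug, not VECT's code.
The keystream is a toy (SHA-256 counter mode) with an HMAC tag; it stands in
for a real AEAD only so that the nonce bookkeeping is visible.
"""
import hashlib
import hmac
import os
import struct

CHUNK = 128 * 1024   # mirrors the page's 128 KB threshold (assumption of this example)
NONCE_LEN = 12
TAG_LEN = 32


def keystream_xor(key, nonce, data):
    """XOR data with SHA-256(key || nonce || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal_chunk(key, nonce, plaintext):
    ct = keystream_xor(key, nonce, plaintext)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_chunk(key, nonce, sealed):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong nonce or corrupted chunk")
    return keystream_xor(key, nonce, ct)


def encrypt_file(key, plaintext, nonce_per_chunk):
    """Buggy layout (nonce_per_chunk=False): [nonce0][sealed0][sealed1]...
    Fixed layout (nonce_per_chunk=True):     [nonce0][sealed0][nonce1][sealed1]..."""
    chunks = [plaintext[i:i + CHUNK] for i in range(0, len(plaintext), CHUNK)] or [b""]
    blob = bytearray()
    for idx, chunk in enumerate(chunks):
        nonce = os.urandom(NONCE_LEN)          # fresh per chunk: correct on its own
        if idx == 0 or nonce_per_chunk:
            blob += nonce                      # the bug: later nonces are never written
        blob += seal_chunk(key, nonce, chunk)
    return bytes(blob)


def decrypt_file(key, blob, nonce_per_chunk):
    """Return (recovered_plaintext, index of first unrecoverable chunk or None)."""
    recovered = bytearray()
    pos = 0
    shared_nonce = None if nonce_per_chunk else blob[:NONCE_LEN]
    if shared_nonce is not None:
        pos = NONCE_LEN                        # the only nonce the buggy file has
    idx = 0
    while pos < len(blob):
        if shared_nonce is None:
            nonce, pos = blob[pos:pos + NONCE_LEN], pos + NONCE_LEN
        else:
            nonce = shared_nonce
        size = min(CHUNK + TAG_LEN, len(blob) - pos)
        try:
            recovered += open_chunk(key, nonce, blob[pos:pos + size])
        except ValueError:
            return bytes(recovered), idx
        pos += size
        idx += 1
    return bytes(recovered), None


def recovery_report(size):
    """Encrypt `size` bytes under both layouts and report what a decryptor gets back."""
    key = os.urandom(32)
    data = (bytes(range(256)) * (size // 256 + 1))[:size]   # constructed plaintext
    results = {}
    for label, per_chunk in (("buggy_format", False), ("nonce_per_chunk", True)):
        recovered, failed_at = decrypt_file(key, encrypt_file(key, data, per_chunk), per_chunk)
        results[label] = {"recovered_bytes": len(recovered),
                          "failed_at_chunk": failed_at,
                          "intact": recovered == data}
    return results


if __name__ == "__main__":
    for size in (100 * 1024, 200 * 1024):
        print(size // 1024, "KB:", recovery_report(size))
```

A file that fits in one chunk survives both layouts; a 200 KB file under the buggy layout authenticates its first 128 KB and then fails at chunk 1, with nothing the key holder can do about it, because the missing nonces were never persisted anywhere. That is the practical reading of "irreversible" above: for such files, offline backups are the only recovery path, and paying for a decryptor changes nothing.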

Surface: Windows, Linux, ESXi, network-mounted storage, and RaaS affiliate execution chains

Primary IVD prong: IVD-ACP

Secondary IVD prong: IVD-N where extortion or staging behavior becomes network-visible

Failure path: Destructive mass-encryption or wipe operations inherit trusted process authority and commit irreversible storage damage before meaningful control is applied.

IVD architectural response: IVD-ACP evaluates destructive file operations, process chains, and storage access before commit; IVD-N can contribute if exfiltration, extortion staging, or relay behavior becomes visible.

Claim boundary: This is an architectural mapping example, not a claim of deployment, prevention, attribution, or incident-specific validation.

Control-path summary
  • What enters the system: destructive binaries, scripts, mass file operations, and staging traffic.
  • Where IVD observes it: IVD-ACP at execution and storage authority boundaries; IVD-N if related network behavior becomes coherent.
  • What decision is made: destructive execution is constrained before irreversible commit.
  • What enforcement action follows: deny, sandbox, or quarantine execution and storage actions; bounded network response where applicable.
  • What is explicitly not claimed: no claim of deployment, prevention, or named-incident validation.
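
The three ransomware cards (Blockade Spider, The Gentlemen, and VECT) all reduce to the same execution-boundary decision: consult a gate before a destructive file operation commits, and revoke the process's authority once its behavior crosses a line. The block below is an added example that is not part of this page and not IVD-ACP's interface: a per-process sliding-window gate run over a constructed event stream in which a renaming burst across user directories and file shares is cut off, while a backup agent writing many files into one directory is left alone. The event model, thresholds, process names, paths and the `.locked` extension are assumptions of the example.

```python
"""Pre-commit gate for mass file operations: one allow/deny decision per operation,
per process, with authority revoked for the rest of a process's life once it trips.

Added illustration for this page; the event model, thresholds and authority
states are assumptions of this example, not IVD-ACP's interface.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 10.0
MIN_EVENTS = 8                 # no verdict until a process shows a pattern
MAX_DISTINCT_FILES = 20        # distinct files touched inside the window
MAX_DISTINCT_DIRS = 4          # spread across directory trees or shares
MIN_EXT_CHANGE_FRACTION = 0.5  # share of window ops that rename to a new extension
REQUIRED_INDICATORS = 2        # a bulk writer in one directory trips only one


@dataclass(frozen=True)
class FileEvent:
    ts: float
    pid: int
    proc: str
    op: str            # "write" | "rename" | "delete"
    path: str
    new_path: str = "" # rename target


def parent_dir(path):
    sep = "\\" if "\\" in path else "/"
    return path.rsplit(sep, 1)[0]


def extension(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


class PreCommitGate:
    def __init__(self):
        self.windows = defaultdict(deque)   # pid -> recent events
        self.quarantined = set()            # pids whose authority was revoked

    def evaluate(self, ev):
        """Return 'allow' or 'deny' for this single operation, before it commits."""
        if ev.pid in self.quarantined:
            return "deny"
        win = self.windows[ev.pid]
        win.append(ev)
        while ev.ts - win[0].ts > WINDOW_SECONDS:
            win.popleft()
        if len(win) < MIN_EVENTS:
            return "allow"
        files = {e.path for e in win}
        dirs = {parent_dir(e.path) for e in win}
        ext_changes = sum(1 for e in win
                          if e.op == "rename" and extension(e.new_path) != extension(e.path))
        indicators = [
            len(files) >= MAX_DISTINCT_FILES,
            len(dirs) >= MAX_DISTINCT_DIRS,
            ext_changes / len(win) >= MIN_EXT_CHANGE_FRACTION,
        ]
        if sum(indicators) >= REQUIRED_INDICATORS:
            self.quarantined.add(ev.pid)   # every later op from this pid is denied
            return "deny"
        return "allow"


def ransomware_run(pid=4242, start=100.0):
    """Constructed burst: 40 renames to a new extension across user dirs and shares."""
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop",
            r"\\fileserver\finance\2024", r"\\fileserver\hr\payroll", r"D:\Projects\build"]
    events = []
    for i in range(40):
        src = f"{dirs[i % len(dirs)]}\\report{i:02d}.docx"
        events.append(FileEvent(start + 0.1 * i, pid, "updater.exe", "rename", src, src + ".locked"))
    return events


def backup_run(pid=1001, start=100.0):
    """Constructed legitimate burst: 60 new files in one backup directory, no renames."""
    return [FileEvent(start + 0.05 * i, pid, "backup-agent", "write",
                      f"D:\\Backups\\nightly\\part{i:03d}.bak") for i in range(60)]


def run_gate(events):
    """Replay events in time order; return per-process allow/deny counts and quarantined pids."""
    gate = PreCommitGate()
    outcome = defaultdict(lambda: {"allow": 0, "deny": 0})
    for ev in sorted(events, key=lambda e: e.ts):
        outcome[ev.proc][gate.evaluate(ev)] += 1
    return dict(outcome), gate.quarantined


if __name__ == "__main__":
    print(run_gate(ransomware_run() + backup_run()))
```

The gate bounds damage rather than eliminating it: the first seven renames have already committed by the time the verdict flips, which is what "bounded" means in the claim language on these cards. Raising MIN_EVENTS or the directory threshold trades that blast radius against false positives on legitimate bulk writers such as the backup agent, which scores only the distinct-file indicator and is never denied.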