Shared ASP.NET machine keys exposed KnowledgeDeliver deployments
Mandiant links CVE-2026-5426 exploitation to in-memory BLUEBEAM, web-root tampering, and downstream Cobalt Strike delivery through compromised LMS sites.
- 2026-07-15
- 5 min read
Operational layer / Use first
Detection & hunt kit
Deployable logic, required telemetry, and review state. Expand an artifact without leaving the intelligence report.
01 / DetectionASP.NET ViewState Deserialization Passed Integrity ValidationDetects an ASP.NET Event ID 1316 message indicating that a ViewState payload passed integrity validation and reached deserialization, which may indicate exploitation with a valid machine key.high / stableView detailsMinimize
- Use
- Detection
- Confidence state
- stable
- Priority
- high
- ATT&CK
- T1190
Required telemetry
- product
- windows
- service
- application
title: ASP.NET ViewState Deserialization Passed Integrity Validation
id: f089ce37-14a9-477f-9198-a57eafcd79cc
status: stable
author: FRAME ZERO
date: 2026-07-15
description: Detects an ASP.NET Event ID 1316 message indicating that a ViewState payload passed integrity validation and reached deserialization, which may indicate exploitation with a valid machine key.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/
logsource:
product: windows
service: application
detection:
selection:
EventID: 1316
Message|contains|all:
- 'Event code: 4009'
- 'Reason: Viewstate was invalid'
condition: selection
falsepositives:
- Application defects or deployment changes that submit invalid ViewState data signed with a valid machine key
- Load-balanced ASP.NET systems with legitimate machine-key or application-state inconsistencies
level: high
tags:
- attack.initial-access
- attack.t1190
telemetry_assumptions:
- Windows Application events from internet-facing ASP.NET servers are forwarded before local tampering.
- Full event message text, provider name, host identity, and adjacent IIS request logs are retained.
related_publication: knowledgedeliver-viewstate-zero-day-bluebeam
02 / Threat huntKnowledgeDeliver BLUEBEAM Reported ArtifactsHunts for the BLUEBEAM filename and SHA-256 value and for anomalous User-Agent components reported during exploitation of KnowledgeDeliver. The values are historical and require application and host context.medium / experimentalView detailsMinimize
- Use
- Threat hunt
- Confidence state
- experimental
- Priority
- medium
- Review after
- 2026-08-14
Required telemetry
- product
- windows
ATT&CK / T1505.003
title: KnowledgeDeliver BLUEBEAM Reported Artifacts
id: df713958-bc91-46d0-a186-86d472ff8982
status: experimental
author: FRAME ZERO
date: 2026-07-15
description: Hunts for the BLUEBEAM filename and SHA-256 value and for anomalous User-Agent components reported during exploitation of KnowledgeDeliver. The values are historical and require application and host context.
references:
- https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/
logsource:
product: windows
detection:
selection_file_name:
TargetFilename|endswith: '\LoadLibrary.dll'
selection_loaded_image:
ImageLoaded|endswith: '\LoadLibrary.dll'
selection_hash:
Hashes|contains: '7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2'
selection_user_agent:
UserAgent|contains:
- 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2'
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36'
- 'Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101213 Opera/9.80 (Windows NT 6.1; U; zh-tw) Presto/2.7.62 Version/11.01'
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205'
condition: 1 of selection_*
falsepositives:
- Unrelated software using the generic LoadLibrary.dll filename
- Security testing or scanning that copies the published User-Agent components
- Historical endpoint records retained after the affected application was remediated
level: medium
tags:
- attack.persistence
- attack.t1505.003
telemetry_assumptions:
- Endpoint telemetry records file paths, loaded images, and SHA-256 values on KnowledgeDeliver or IIS hosts.
- IIS, proxy, or web application telemetry maps the full request User-Agent into UserAgent for correlation.
- Analysts correlate matches with the affected application, ViewState errors, IIS process behavior, and web-root changes.
related_publication: knowledgedeliver-viewstate-zero-day-bluebeam
Analysis
Mandiant investigated a compromised KnowledgeDeliver learning-management server in late 2025 and identified an unauthenticated remote-code-execution vulnerability now tracked as CVE-2026-5426. An unknown actor used identical ASP.NET machine keys distributed across customer deployments to submit a malicious ViewState payload, run BLUEBEAM inside IIS, alter the web application, and deliver Cobalt Strike to site visitors.
KnowledgeDeliver is used primarily in Japan. Installations deployed before 24 February 2026 inherited hardcoded machineKey values from a standardized vendor configuration. A key recovered from one installation could therefore be used against another internet-facing deployment that shared the same values.
A valid machine key enabled ViewState deserialization
ASP.NET ViewState carries page state between requests and uses the configured machine key to protect integrity. The actor crafted a malicious __VIEWSTATE value with the shared key and sent it to a vulnerable server. Because the payload passed integrity validation, the application attempted deserialization and executed attacker-controlled code.
Mandiant did not identify how the actor first obtained the shared key material. The vendor configuration made the same secret available across independent customer environments, removing the isolation normally provided by per-deployment keys.
BLUEBEAM remained inside the IIS worker process
After code execution, the actor deployed the .NET-based BLUEBEAM web shell, also known as Godzilla. BLUEBEAM operated in memory inside w3wp.exe and accepted encrypted commands in HTTP POST bodies. File-based scanning alone would not reliably expose that execution path.
The actor then used icacls to grant Everyone full access to the web application directory. A JavaScript file in the application was modified to display a false security alert and load a remote script from actor-controlled infrastructure. The remote content prompted visitors to install a fake security authentication plugin. That installer delivered a Cobalt Strike BEACON payload prepared for the targeted organization.
ASP.NET event telemetry identifies the deserialization stage
Mandiant identified Windows Application Event ID 1316 as a useful ViewState signal. A message containing event code 4009 and the reason The viewstate supplied failed integrity check can indicate an attempt made with the wrong key. A message containing event code 4009 and the reason Viewstate was invalid indicates that integrity validation passed and deserialization was attempted. Execution may or may not have succeeded.
The included Sigma rule detects the second condition. It does not use the reported hash, filename, or User-Agent values. The selection maps to Exploit Public-Facing Application (T1190) because the event represents a request reaching a vulnerable internet-facing ASP.NET application with valid integrity material.
Responders should correlate the alert with IIS request logs, the target URL, request size, source address, application pool identity, w3wp.exe child processes, web-root file changes, and outbound connections. Mandiant also recommends monitoring for w3wp.exe starting cmd.exe, powershell.exe, whoami, or icacls, and for unauthorized changes to .js, .aspx, and .config files.
Key rotation and server investigation
Each KnowledgeDeliver deployment needs a unique, cryptographically strong machine key. Deployments created before 24 February 2026 should be reviewed for inherited shared values and rotated according to vendor guidance. Internet access should be limited to required organizational ranges where operationally possible.
Key rotation addresses the shared secret, while an established web shell or modified application can preserve attacker access. Responders should acquire volatile and persistent evidence, inspect the IIS worker process, compare the application tree with a trusted release, review permission changes, and remove malicious code before closing the incident. Workstations that received the false plugin prompt require separate endpoint investigation for Cobalt Strike.
Scope and limitations
This analysis relies on one original Mandiant investigation. The source confirms exploitation in a compromised environment and explains how the shared keys expanded exposure, but it does not identify the actor, count affected deployments, or establish current activity after late 2025. Indicator observation times and actor-controlled domains are unavailable. The Sigma rule detects a ViewState deserialization stage recorded by ASP.NET; it cannot confirm command execution and will miss exploitation when Windows Application messages are absent, truncated, or not forwarded.
Reported IOCs
View detailsMinimize
Mandiant supplied one file indicator and examples of identifier components found concatenated in anomalous User-Agent strings. Per-value observation times were not provided. These values are historical pivots. Defenders should confirm local log timing, file provenance, current prevalence, and benign collisions before escalation.
| Type | Reported value | Context |
|---|---|---|
| File name | LoadLibrary.dll | BLUEBEAM payload |
| SHA-256 | 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2 | BLUEBEAM payload |
| Anomalous User-Agent component | Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2 | Reported as part of a concatenated identifier pattern |
| Anomalous User-Agent component | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 | Reported as part of a concatenated identifier pattern |
| Anomalous User-Agent component | Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101213 Opera/9.80 (Windows NT 6.1; U; zh-tw) Presto/2.7.62 Version/11.01 | Reported as part of a concatenated identifier pattern |
| Anomalous User-Agent component | Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205 | Reported as part of a concatenated identifier pattern |
User-Agent matching has low confidence on its own. The values are easy to copy, change, or encounter in unrelated scanning. Correlation with the affected application, ViewState errors, IIS process behavior, and web-root changes is required.
The accompanying experimental hunt checks endpoint records for the reported filename or SHA-256 and web telemetry for the four User-Agent components. A filename or User-Agent match alone is insufficient; the hunt requires the affected application, host role, request path, ViewState events, and nearby IIS activity for triage.