This is a defensive tool-intelligence page. It is intended for analyst navigation, source review, and hunt planning. It is not a malware-analysis report and does not contain sample code or binaries.
Summary
- Associated actor(s): UNC1860
- Tool type(s): Defense-evasion utility
- Confidence level(s): High
- Source ID(s):
SRC-MANDIANT-UNC1860
Behavior
| Actor | Behavior Summary |
|---|
| UNC1860 | Mandiant reports TEMPLELOCK as a .NET utility observed in foothold utilities and passive implants, capable of terminating threats associated with Windows Event Log service and restarting service operation on demand. |
Hash And IOC Status
| Actor | Status | Reference |
|---|
| UNC1860 | Hash not committed; use Mandiant activity-level IOC list. | SRC-MANDIANT-UNC1860 |
Hashes and IOCs on this page are source pointers or representative public indicators. They SHOULD be refreshed from the linked source before operational use and MUST NOT be used alone for actor attribution.
Defensive Hunting Notes
| Actor | Hunting Notes |
|---|
| UNC1860 | Hunt Event Log service stop/start anomalies, log service tampering, and unusual .NET utility execution from compromised servers. |
Handling Notes
| Actor | Handling Notes |
|---|
| UNC1860 | Treat as behavior trigger, not attribution by itself. |
Crosslinks
Mapped ATT&CK Techniques For Associated Actor(s)
| Actor | Technique | Tactic | Mapping Quality | Source |
|---|
| UNC1860 | T1190 Exploit Public-Facing Application | Initial Access | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1505.003 Web Shell | Persistence | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1105 Ingress Tool Transfer | Command and Control | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1021.001 Remote Services: RDP | Lateral Movement | M2 | SRC-MANDIANT-UNC1860 |
| UNC1860 | T1078 Valid Accounts | Defense Evasion | M2 | SRC-MANDIANT-UNC1860 |
These detections are mapped through the associated actor or scenario and are not automatically tool-specific. Promote a tool-specific detection only after the behavior is tied to telemetry and test evidence.
These hunts are mapped through the associated actor or scenario and may need narrowing before they are used for this specific tool.
Source Review
| Source | Publisher | Date | Reliability | Type | Last Reviewed |
|---|
SRC-MANDIANT-UNC1860 | Google Cloud / Mandiant | 2024-09-19 | A | Vendor CTI | 2026-05-14 |
If a source publishes a large or frequently changing IOC appendix, keep the current IOC list in the source system or TIP and store only the pointer here.