User names used by actor seen using VPNs with Canadian source IP addresses 10/05/2024.
Replace targetDomain below with the domain of the VPN service (i.e. victim Domain)
| monitor |
| paservice@targetDomain |
| admin@targetDomain |
| admin.paloalto@targetDomain |
| panagent |
| vpnuser |
| palo.alto |
| pansa |
| palo.alto@targetDomain |
| paloalto_sa |
| ldap_firewall@targetDomain |
| vpnuser@targetDomain |
| pamonitor@targetDomain |
| support |
| panaduser@targetDomain |
| paloalto_sa@targetDomain |
| vpntest@targetDomain |
| test2 |
| networkmanager |
| SVC_PaloAlto@targetDomain |
| ldap_Firewall@targetDomain |
| paltoldap@targetDomain |
| ldap_firewall |
| pasvc |
| panaduser |
| panagent@targetDomain |
| testuser |
| pamonitor |
| monitor@targetDomain |
| paservice |
| test1 |
| admin.palo |
| palo |
| test1@targetDomain |
| vpntest |
| admin.palo@targetDomain |
| SVC_PaloAlto |
| palo@targetDomain |
| itsupport |
| Administrator |
| sa.paloalto2@targetDomain |
| paloaltoservice |
| paadmin |
| paloaltoservice@targetDomain |
| paadmin@targetDomain |
| pasvc@targetDomain |
| admin |
| admin.paloalto |
| svc_palo |
| pansa@targetDomain |
| Administrator@targetDomain |
| test2@targetDomain |
| sa.paloalto2 |
| ldap_Firewall |
| networkmanager@targetDomain |
| svc_palo@targetDomain |
| paltoldap |
| testuser@targetDomain |
| paloaltosa |
