The Stryker “Wiper” incident

March 2026 — Cyber-Sabotage, Administrative Tool Weaponization & Geopolitical Retaliation
AutoTableTop™ version 2.0 Scenario Package

Summary – A New Class of Cyber Threat

The Stryker Corporation cyberattack of March 11, 2026 represents a structural shift in the cyber threat landscape. This was not a ransomware attack for financial gain — it was a state-aligned destructive wiper operation conducted by Handala, an Iran-linked hacktivist group assessed by multiple intelligence firms as a front for Void Manticore, a destructive operations unit within Iran’s Ministry of Intelligence and Security (MOIS). The stated motivation was retaliation for U.S. military strikes in Iran.

The attackers compromised a privileged administrator account via Adversary-in-the-Middle (AiTM) phishing, created a “Ghost Admin” account with Global Administrator privileges in Microsoft Entra ID, and used Microsoft Intune’s built-in remote wipe function to factory-reset approximately 80,000 to 200,000 devices across 79 countries in under three hours. No ransomware or traditional malware was deployed. Every destructive action was a signed, legitimate administrative command — a textbook Living-off-the-Land (LotL) operation that rendered endpoint detection and response (EDR) solutions architecturally blind.

Key figures: ~200K devices wiped; 79 countries affected; 50 TB of data exfiltrated; 3 hours attack duration.

ThreatGEN provides a complete exercise package for AutoTableTop™ 2.0 facilitators to run tabletop exercises based on this incident. The package includes a Settings File with a detailed network environment and six scenario injects, a Facilitator Guide, a Participant Presentation, a Network Architecture Diagram, and a sample Incident Response Plan — all derived from the real-world incident and publicly available forensic reporting.

Why This Scenario Matters

This scenario demonstrates that the most dangerous attack surface in a modern enterprise is not the endpoint — it is the identity and administrative control plane. When an attacker gains Global Administrator privileges, they hold a kill-switch for every enrolled device in the organization, and every command they issue is treated as a legitimate administrative action. Traditional endpoint security (EDR, antivirus, endpoint hardening) is architecturally irrelevant against this class of attack.
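The summary above describes the chain (a fresh Global Administrator grant, then a burst of Intune wipe commands issued by the newly privileged account), and this section argues that only the identity and administrative control plane can reveal it. As an added example written for this page, not code from ThreatGEN or the scenario package, the sketch below correlates those two signals in audit telemetry. The event records are constructed in a simplified, hypothetical shape; the field names, account names and thresholds are assumptions, not the real Entra ID or Intune audit schema.

```python
from datetime import datetime, timedelta, timezone
GA_ROLE = "Global Administrator"

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # UTC "...Z"

# Constructed sample events in a simplified hypothetical shape; real Entra ID and Intune
# audit records use different field names (assumption for illustration only).
SAMPLE_EVENTS = [
    {"ts": "2026-03-11T09:02:10Z", "source": "entra", "activity": "Add member to role",
     "actor": "it-admin@example.com", "target": "svc-ghost@example.com", "role": GA_ROLE},
    {"ts": "2026-03-11T09:03:00Z", "source": "intune", "activity": "Wipe",
     "actor": "helpdesk@example.com", "target": "LAPTOP-RETIRED-01"},  # routine single wipe
]
# Thirty wipes in under five minutes from the newly elevated account.
SAMPLE_EVENTS += [
    {"ts": f"2026-03-11T09:{10 + i // 6:02d}:{(i % 6) * 10:02d}Z", "source": "intune",
     "activity": "Wipe", "actor": "svc-ghost@example.com", "target": f"DEVICE-{i:04d}"}
    for i in range(30)
]

def global_admin_grants(events):
    """Return {account: grant time} for every Global Administrator assignment."""
    return {e["target"]: _ts(e["ts"]) for e in events if e["source"] == "entra"
            and e["activity"] == "Add member to role" and e.get("role") == GA_ROLE}

def _wipe_times(events):
    # Group Intune wipe timestamps by the account that issued them, sorted ascending.
    per_actor = {}
    for e in events:
        if e["source"] == "intune" and e["activity"] == "Wipe":
            per_actor.setdefault(e["actor"], []).append(_ts(e["ts"]))
    return {a: sorted(t) for a, t in per_actor.items()}

def wipe_bursts(events, threshold=10, window=timedelta(minutes=10)):
    """Return {actor: peak wipes inside any window} for actors at or above threshold."""
    bursts = {}
    for actor, times in _wipe_times(events).items():
        start = peak = 0
        for end, t in enumerate(times):  # sliding window over sorted wipe times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[actor] = peak
    return bursts

def ghost_admin_wipe_alerts(events, max_age=timedelta(hours=24)):
    """Accounts granted Global Administrator that began a wipe burst within max_age."""
    grants, bursts, first = global_admin_grants(events), wipe_bursts(events), _wipe_times(events)
    return sorted(a for a in bursts if a in grants and first[a][0] - grants[a] <= max_age)
```

The helpdesk account's single retirement wipe stays below the burst threshold, so only the freshly elevated account is reported; in practice the role-grant signal alone deserves an alert, and the wipe burst is the escalation.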


Exercise Themes – What Participants Will Face

  1. Wiper vs. ransomware response differences — no ransom note, no negotiation, no decryption key
  2. Identity and control-plane compromise detection — the attack that EDR cannot see
  3. Living-off-the-Land attack recognition using legitimate administrative tooling
  4. Endpoint management platform weaponization (Intune, JAMF, Workspace ONE as attack vectors)
  5. Out-of-band communications when corporate email and Teams are down
  6. Manufacturing and supply chain continuity during total IT disruption
  7. Medical device safety assurance and patient impact communications
  8. Multi-agency coordination (FBI, CISA, White House NCD, HHS, H-ISAC)
  9. Geopolitically motivated threat actor response and threat intelligence integration
  10. BYOD shared-fate risk during destructive attacks on MDM platforms

Exercise Files – Scenario Package for AutoTableTop™ 2.0

Download these files to run the Stryker Corporation wiper incident exercise in AutoTableTop™ 2.0. Upload the Settings File, Incident Response Plan, and Network Diagram into the AutoTableTop™ settings screen to begin.

TTX Facilitator Guide – Comprehensive facilitator guide with executive summary, threat actor profile, technical deep dive, granular timeline (MSEL), six exercise injects, pressure-cooker questions, win/loss conditions, participant roles, key takeaways, and source references.

Participant Presentation – Participant presentation covering executive summary, threat actor profile, attack chain, defense failures, target profile, six exercise injects, facilitator questions, win/loss conditions, and key takeaways.

Network Diagram – Four-layer network architecture diagram showing the cloud identity layer (Entra ID, Intune, M365), hybrid on-prem infrastructure, architecturally isolated medical device ecosystem, and manufacturing/supply chain systems with attack path overlay.

I/R Plan – Sample Incident Response (“I/R”) Plan, so that participant actions are evaluated against the plan during the exercise.

Settings File – AutoTableTop™ 2.0 settings file with detailed company profile, network environment description, real staff names and roles, six scenario injects, and attack context.

Available in AutoTableTop™ 2.0

This scenario is now available as a built-in scenario template within the AutoTableTop™ 2.0 simulation platform. Navigate to the scenario selection screen, select “Stryker Corporation — Wiper Incident (March 2026)”, and customize it for your organization’s specific environment, staff, and network architecture before running your tabletop exercise.

This is an AutoTableTop™ version 2.0 scenario. It will be updated for version 2.1 when that release becomes available. All downloadable files above are compatible with the current 2.0 platform.


Getting Started – How to Run This Exercise

Option 1 — Use the built-in template: Log in to AutoTableTop™ 2.0, select the Stryker Corporation scenario from the scenario library, customize the settings for your organization (company name, staff, network environment), and launch the exercise.

Option 2 — Use the downloadable files: Download the Settings File, Incident Response Plan, and Network Diagram above. Upload all three into the AutoTableTop™ 2.0 settings screen. The AI engine will use the detailed network environment, company profile, and inject scenarios to generate a realistic, tailored tabletop exercise. Use the Facilitator Guide and Participant Presentation to brief your team before and during the exercise.


Copyright 2026 by Derezzed Inc. D/B/A ThreatGEN, all rights reserved.