THREAT OPS › Threat News › Leveraging Tailscale Keys
Leveraging Tailscale Keys
<p class="wp-block-paragraph"><em><strong>TL;DR</strong>: </em>This post introduces red team operators to Tailscale concepts and tradecraft that can be leveraged in the reader compromises Tailscale keys in their target environment.</p>
<p class="wp-block-paragraph">Over the past year, we started coming across Tailscale authentication keys in Continuous Integration/Continuous Deployment (CI/CD)
MITRE ATT&CK techniques
- CredentialsT1589.001
Indicators of compromise
- https://tailscale.com/learn/understanding-mesh-vpnsurl
- https://login.tailscale.com/adminurl
- https://login.tailscale.com/admin/acls/fileurl
- http://openapiurl
- https://api.tailscale.com/api/v2/oauth/tokenurl
- https://tailscale.com/download/linuxurl
- 198.51.100.1ipv4
- 100.80.197.85ipv4
- 10.0.0.0/8cidr
- 198.51.100.1/32cidr
Original source: https://specterops.io/blog/2026/03/12/leveraging-tailscale-keys/