“using FNV-1a (seed 0x811c9dc5). During runtime, it enumerates running processes via CreateToolhelp32Snapshot, converts each name to lowercase, computes its FNV-1a hash, and compares against the pre-computed target hashes. This allows fast integer comparison rather than 59…”
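The hashing loop in the excerpt above, as an added Python example (it is not the sample's code and not from the Huntress write-up): 32-bit FNV-1a with the stated seed, a lowercase-then-hash match of a process snapshot against a precomputed hash set, and the inverse a responder wants, brute-forcing a hash list pulled from the binary against candidate EDR process names. The target names, the process snapshot and the assumption that the hash covers the ASCII/UTF-8 bytes of the lowercased image name (the write-up does not say whether UTF-16 is used) are all constructed for illustration.

```python
"""FNV-1a process-name matching and hash recovery.

Added example, not the sample's own code. Assumes the hash is computed
over the ASCII/UTF-8 bytes of the lowercased image name; the target list
below is constructed, not the real sample's.
"""
from typing import Dict, Iterable, List

FNV_OFFSET_BASIS = 0x811C9DC5   # the seed named in the write-up
FNV_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF


def fnv1a_32(data: bytes) -> int:
    """32-bit FNV-1a: XOR each byte in, then multiply by the prime mod 2^32."""
    h = FNV_OFFSET_BASIS
    for b in data:
        h ^= b
        h = (h * FNV_PRIME) & MASK32
    return h


def name_hash(image_name: str) -> int:
    """Normalise the way the killer does: lowercase first, then hash."""
    return fnv1a_32(image_name.lower().encode("utf-8"))


# Constructed target list (assumption); the real sample's list is not reproduced.
TARGET_NAMES = ["MsMpEng.exe", "SenseIR.exe", "HuntressAgent.exe"]
TARGET_HASHES = frozenset(name_hash(n) for n in TARGET_NAMES)


def find_targets(running: Iterable[str]) -> List[str]:
    """The killer's loop over a process snapshot: one hash and one set
    lookup per process, so only integer comparisons happen at runtime."""
    return [p for p in running if name_hash(p) in TARGET_HASHES]


def recover_names(hashes: Iterable[int], candidates: Iterable[str]) -> Dict[int, str]:
    """Responder side: given hashes carved from the binary, hash every
    candidate name and report which ones the binary was looking for."""
    table = {name_hash(c): c for c in candidates}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    snapshot = ["explorer.exe", "MSMPENG.EXE", "notepad.exe", "senseir.exe"]
    print("would be terminated:", find_targets(snapshot))
    print("recovered:", recover_names(TARGET_HASHES, ["foo.exe", "SenseIR.exe"]))
```

Because the binary only stores 32-bit hashes, `recover_names` is how you turn a carved hash table back into a list of EDR vendors the actor targeted: feed it the image names of every security product you know of and read off the collisions.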
T1003 OS Credential Dumping (75%)
“They Got in Through SonicWall. Then They Tried to Kill | Huntress. Summary: In early February 2026, Huntress responded to an intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to gain initial access to a victim network. Once inside, the attacker deploy…”
T1055.001 Dynamic-link Library Injection (73%)
“that typically guards critical system processes and EDR agents. The EnCase forensic driver (enportv.sys) exposes 18+ IOCTL functions designed for forensic acquisition, including process termination (killproc), DKOM process hiding (hideproc/unhideproc), kernel-mode fil…”
T1068 Exploitation for Privilege Escalation (62%)
“…w* functions, the wrapper sets PreviousMode to KernelMode, signaling that parameters come from a trusted source; Windows skips the security validation it would enforce on user-mode callers. Figure 8: user-mode component sending target PID to kernel driver via IOCTL 0x223078 (s…”
T1027 Obfuscated Files or Information (56%)
“legitimate firmware update utility. Embedded BYOVD: The EDR killer binary leverages a custom encoding scheme to conceal its embedded kernel driver payload. Rather than storing the driver as raw bytes or using traditional encryption, the malware developers opted for a wordlist-ba…”
T1553.002 Code Signing (55%)
“signature is mathematically valid and was issued by a trusted authority, it cannot determine whether that certificate has since been revoked by the issuing CA. This limitation exists for practical reasons: drivers load early in the boot process before network services are availa…”
T1685 Disable or Modify Tools (48%)
“that typically guards critical system processes and EDR agents. The EnCase forensic driver (enportv.sys) exposes 18+ IOCTL functions designed for forensic acquisition, including process termination (killproc), DKOM process hiding (hideproc/unhideproc), kernel-mode fil…”
T1078 Valid Accounts (46%)
“IP address in February 2026. Notably, the logs also captured a denied portal login attempt from 193.160.216[.]221 just one minute prior; the account lacked privileges for portal access from that location. The attacker then successfully authenticated via VPN client from a di…”
T1068 Exploitation for Privilege Escalation (44%)
“Enable HVCI/Memory Integrity - ensures Microsoft's vulnerable driver blocklist is enforced - Alert and monitor services with names mimicking OEM/hardware components created outside normal software deployment - Deploy Microsoft's recommended driver block rules via WDAC to …”
T1543.003 Windows Service (43%)
“it deletes the old service before creating a new one. It then registers the driver with the Service Control Manager using carefully chosen names designed to blend in with legitimate OEM software: Service Name: oemhwupd; Display Name: OEM Hardware HAL Service; Description: manag…”
T1055.001 Dynamic-link Library Injection (40%)
“\oemhwupd.sys”, after which the binary applies anti-forensic measures: setting the file attributes to Hidden and System to conceal it from casual directory browsing, and copying timestamps from the legitimate ntdll.dll to make the malicious driver blend in with system file…”
T1553.002 Code Signing (35%)
“, Microsoft created an exception: drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed CA are still permitted to load. The EnCase driver's certificate was issued on December 15, 2006, well before this cutoff. - Valid timestamp …”
T1652 Device Driver Discovery (33%)
“…w* functions, the wrapper sets PreviousMode to KernelMode, signaling that parameters come from a trusted source; Windows skips the security validation it would enforce on user-mode callers. Figure 8: user-mode component sending target PID to kernel driver via IOCTL 0x223078 (s…”
T1003 OS Credential Dumping (32%)
“…w* functions, the wrapper sets PreviousMode to KernelMode, signaling that parameters come from a trusted source; Windows skips the security validation it would enforce on user-mode callers. Figure 8: user-mode component sending target PID to kernel driver via IOCTL 0x223078 (s…”
T1068 Exploitation for Privilege Escalation (32%)
“it deletes the old service before creating a new one. It then registers the driver with the Service Control Manager using carefully chosen names designed to blend in with legitimate OEM software: Service Name: oemhwupd; Display Name: OEM Hardware HAL Service; Description: manag…”
T1068 Exploitation for Privilege Escalation (31%)
“384,528-byte string of space-separated English words. When decoded, these words translate back into the original kernel driver. Figure 3: snippet of the word dictionary. Figure 4: wordlist-encoded driver payload. The decoding routine implements a straightforward lookup alg…”
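The wordlist encoding described in the two excerpts on the embedded BYOVD payload and its decoding routine, as an added Python example rather than the sample's own code: a 256-word dictionary maps one word to one byte, the encoder emits the space-separated string, the decoder is the lookup the write-up describes (rejecting any word outside the dictionary), and a final check confirms that what came out is a PE image, which is what a responder does first with a decoded blob. The dictionary (built from constructed word parts), the one-word-per-byte mapping and the fake driver bytes are assumptions; the write-up shows only a snippet of the real dictionary and does not give the mapping.

```python
"""Wordlist-encoded payload: encode, decode, and sanity-check the output.

Added example, not the sample's code. The dictionary, the one-word-per-byte
mapping and the fake driver below are constructed; the real dictionary
and mapping are not reproduced here.
"""
from typing import Dict, List

_ADJ = ["red", "blue", "green", "gray", "old", "new", "big", "small",
        "hot", "cold", "fast", "slow", "dark", "pale", "wet", "dry"]
_NOUN = ["fox", "owl", "elm", "oak", "ash", "ram", "ibex", "hawk",
         "crow", "lark", "dove", "wren", "bear", "wolf", "lynx", "hare"]

# 16 x 16 = 256 distinct words; the list index is the byte value.
WORDLIST: List[str] = [a + n for a in _ADJ for n in _NOUN]
_WORD_TO_BYTE: Dict[str, int] = {w: i for i, w in enumerate(WORDLIST)}


def encode_words(data: bytes) -> str:
    """Build-time side: emit one dictionary word per payload byte."""
    return " ".join(WORDLIST[b] for b in data)


def decode_words(text: str) -> bytes:
    """Runtime lookup routine: split on whitespace and map each word back
    to its byte. A word outside the dictionary means a corrupted payload
    or a different dictionary, so fail loudly instead of emitting garbage."""
    out = bytearray()
    for word in text.split():
        if word not in _WORD_TO_BYTE:
            raise ValueError(f"word not in dictionary: {word!r}")
        out.append(_WORD_TO_BYTE[word])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Responder check on the decoded bytes: 'MZ' DOS header and an
    e_lfanew (offset 0x3C) that points at the 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_driver() -> bytes:
    """Constructed stand-in for the embedded driver: a minimal DOS header with
    e_lfanew = 0x40, the PE signature, and a few filler bytes."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)        # 0x3C bytes so far
    hdr += (0x40).to_bytes(4, "little")            # e_lfanew at 0x3C
    return bytes(hdr) + b"PE\x00\x00" + b"\x90" * 16


if __name__ == "__main__":
    encoded = encode_words(fake_driver())
    print(encoded[:64], "...")
    print("decoded blob is a PE image:", looks_like_pe(decode_words(encoded)))
```

The same decoder is the triage tool: once the dictionary is recovered from the binary (Figure 3 in the write-up), running the embedded string through it and checking for an `MZ`/`PE` header tells you immediately whether you have the whole driver or a truncated extraction.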
Summary
Huntress responded to a February 2026 intrusion in which the attackers used compromised SonicWall SSLVPN credentials for initial access and then loaded a revoked EnCase forensic driver (enportv.sys) to terminate EDR processes via BYOVD.