TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Trial, Error & Typos: Malware Isn't Always 'Sophisticated' | Huntress

2025-12-22

ATT&CK techniques detected

17 predictions

T1059.003 Windows Command Shell · 91%
“…exe file. According to VirusTotal, the IP address for the download (110.172.104[.]95) is located in the Republic of Korea, and has a reputation for being associated with malware. However, here the threat actor faced their first roadblock, as previously mentioned, when th…”

T1543.003 Windows Service · 90%
“…253.121.101 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_0)+AppleWebKit/537.4+(KHTML,+like+Gecko)+Chrome/22.0.1229.79+Safari/537.4 - - 200 0 64 10899 Summary: Looking across these three incidents, we see commonalities in techniques a…”

T1059.001 PowerShell · 88%
“…quarantine-led bumps in the road. However, these didn't stop the attackers, as they continued to return to the endpoint via the same access method. Incident 2: On November 17, Huntress reported an attack on a manufacturing customer that originated via the Microsoft Internet In…”

T1059.003 Windows Command Shell · 86%
“A copy of the executable was retrieved from the endpoint, and was found to be written in Go. Submitting the hash to VirusTotal gave no indication that the file had ever been submitted for analysis. As illustrated in Figure 1 above, the threat actor launching the original whoami.…”

T1059.001 PowerShell · 86%
“powershell -command Add-MpPreference -ExclusionPath C:\Windows\System32\0409 -ExclusionExtension .exe,.bin,.dll -Force
powershell -command Add-MpPreference -ExclusionPath C:\Windows\System32\inetsrv -ExclusionExtension .exe,.bin,.dll -Force
powershel…”

T1053.005 Scheduled Task · 85%
(same Add-MpPreference excerpt as the T1059.001 entry at 86% directly above)
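The Add-MpPreference lines above are the attacker carving Defender blind spots (a path exclusion on the System32 language folder and on the IIS directory, plus extension exclusions for .exe, .bin and .dll) before staging anything on the host; that behaviour is ATT&CK T1562.001 Impair Defenses: Disable or Modify Tools, which the tagger did not emit. The following is an added example, not code from Huntress or the story: it parses Add-/Set-MpPreference command lines out of process-creation events, resolves abbreviated parameter names the way PowerShell does, and rates each exclusion. The event records are constructed (the first two command lines copy the ones quoted above, the rest are made up for contrast) and the ts/host/parent/image/cmdline schema is an assumption, not any particular EDR's format.

```python
"""Flag Windows Defender exclusions added from a process command line.

Added example, not code from Huntress or the story it summarises. The event
records below are constructed: the first two command lines copy the
Add-MpPreference calls quoted on this page, the others are made up for
contrast, and the event schema (ts/host/parent/image/cmdline) is an
assumption rather than any particular EDR's format.
"""
import re
from typing import Dict, List

# Extension exclusions that stop Defender scanning most payload types.
RISKY_EXTENSIONS = {".exe", ".dll", ".bin", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr", ".sys"}

# Directory fragments that are rarely legitimate exclusions on a web server;
# the story's two paths hit the System32 language folder and the IIS directory.
RISKY_PATH_MARKERS = ("\\windows\\system32", "\\inetsrv", "\\inetpub", "\\temp", "\\users\\public")

PARAM_NAMES = ("ExclusionPath", "ExclusionExtension", "ExclusionProcess")

# Everything after the cmdlet name on the line. PowerShell accepts any
# unambiguous parameter prefix (-ExclusionPa, -ExclusionE, ...), so the
# parameter regex captures the prefix and _resolve_param() expands it.
_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b(.*)", re.I)
_PARAM = re.compile(r"-(Exclusion\w*)\s+(\"[^\"]*\"|'[^']*'|(?!-)\S+)", re.I)


def _resolve_param(prefix: str):
    hits = [p for p in PARAM_NAMES if p.lower().startswith(prefix.lower())]
    return hits[0] if len(hits) == 1 else None


def parse_exclusions(cmdline: str) -> List[Dict[str, str]]:
    """Return one {"kind", "value"} per exclusion an Add-/Set-MpPreference call adds."""
    found = []
    for m in _CMDLET.finditer(cmdline):
        for pm in _PARAM.finditer(m.group(1)):
            name = _resolve_param(pm.group(1))
            if name is None:
                continue
            kind = name[len("Exclusion"):].lower()  # path / extension / process
            for value in pm.group(2).strip("\"'").split(","):
                value = value.strip().strip("\"'")
                if value:
                    found.append({"kind": kind, "value": value})
    return found


def assess(exclusion: Dict[str, str]) -> Dict[str, str]:
    """Attach a risk rating and a reason to one parsed exclusion."""
    kind, value = exclusion["kind"], exclusion["value"]
    low = value.lower()
    if kind == "extension":
        ext = low if low.startswith(".") else "." + low
        risk = "high" if ext in RISKY_EXTENSIONS else "medium"
        reason = "extension exclusion " + ext
    elif kind == "path":
        risk = "high" if any(mk in low for mk in RISKY_PATH_MARKERS) else "medium"
        reason = "path exclusion " + value
    else:  # process exclusions skip every file that process opens
        risk, reason = "high", "process exclusion " + value
    return {"kind": kind, "value": value, "risk": risk, "reason": reason}


def find_defender_exclusions(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan process-creation events and return assessed exclusion findings."""
    findings = []
    for ev in events:
        for ex in parse_exclusions(ev["cmdline"]):
            f = assess(ex)
            f.update(ts=ev["ts"], host=ev["host"], parent=ev["parent"],
                     # an IIS worker adding AV exclusions is itself the alert
                     from_web_server=ev["parent"].lower() == "w3wp.exe")
            findings.append(f)
    return findings


# Constructed events; timestamps and host name are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2025-11-17T08:05:02Z", "host": "WEB01", "parent": "w3wp.exe", "image": "powershell.exe",
     "cmdline": r"powershell -command Add-MpPreference -ExclusionPath C:\Windows\System32\0409 -ExclusionExtension .exe,.bin,.dll -Force"},
    {"ts": "2025-11-17T08:05:03Z", "host": "WEB01", "parent": "w3wp.exe", "image": "powershell.exe",
     "cmdline": r"powershell -command Add-MpPreference -ExclusionPath C:\Windows\System32\inetsrv -ExclusionExtension .exe,.bin,.dll -Force"},
    {"ts": "2025-11-17T09:00:00Z", "host": "WEB01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r'powershell Set-MpPreference -ExclusionPa "C:\Program Files\LOB App" -ExclusionProcess sqlservr.exe'},
    {"ts": "2025-11-17T09:05:00Z", "host": "WEB01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-MpPreference | Select-Object ExclusionPath"},
]

if __name__ == "__main__":
    for f in find_defender_exclusions(SAMPLE_EVENTS):
        print(f["ts"], f["risk"].upper(), f["parent"], "->", f["reason"])
```

Command-line telemetry is the first place this shows up, but it can be bypassed by encoded or script-file invocations; the durable cross-check is Defender's own configuration-change record (Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log), which records exclusion changes regardless of how they were made.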
T1505.003 Web Shell · 83%
“…straightforward web server compromise leading to the deployment of a web shell, a closer investigation tells a very different story. Figure 1 illustrates the threat actor running the whoami.exe command via the web server process being detected via EDR. Figure 1: whoami.exe pro…”

T1053.005 Scheduled Task · 78%
(same excerpt as the T1059.001 entry at 88% above)

T1569.002 Service Execution · 77%
“…adding the exclusions before moving their malware over to the endpoint. Following the PowerShell commands, attrib.exe was launched via the process tree illustrated in Figure 6. Figure 6: attrib.exe command process tree. The detected attrib.exe command line appeared as follows…”

T1218.011 Rundll32 · 59%
“…KHTML,+like+Gecko)+Chrome/36.0.1944.0+Safari/537.36 - 200 0 0 473 Following the whoami.exe command, we see commands such as netstat -an, net user admin$, ipconfig /all, and net localgroup administrators being run, performing enumeration. We then see the follo…”

T1505.003 Web Shell · 59%
“…that is, the attempt to execute a Golang trojan on the endpoint, named agent.exe. Across the three incidents, there was no apparent commonality in web pages or web applications accessed: in each incident, while the attack appears to have occurred via the web server, the page ac…”

T1543.003 Windows Service · 54%
(same attrib.exe excerpt as the T1569.002 entry at 77% above)

T1059.003 Windows Command Shell · 52%
(same excerpt as the T1505.003 entry at 83% above)
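The web-shell excerpts above pair two data sources: EDR process telemetry showing whoami.exe (then netstat, net, ipconfig) launched by the web server process, and IIS W3C log lines whose user-agents are written with '+' for spaces and end in the sc-status / sc-substatus / sc-win32-status / time-taken columns. The following is an added example, not code from Huntress or the story, of joining the two: it parses the IIS log from its #Fields header, treats each request as an interval (logged time through time-taken) and lists the requests active when w3wp.exe spawned a recon or shell binary. IIS_LOG and PROC_EVENTS are constructed; the user-agent strings and trailing status fields copy the fragments quoted on this page, while the server IP, client IPs, the page /upload/page.aspx and the process events are placeholders.

```python
"""Correlate IIS W3C log entries with commands spawned by the IIS worker process.

Added example, not code from Huntress or the story. IIS_LOG and PROC_EVENTS
are constructed: the user-agent strings and trailing status fields copy the
log fragments quoted on this page, while the server IP, client IPs, the page
/upload/page.aspx and the process events are placeholders.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-11-17 08:10:01 10.0.0.5 GET /index.html - 443 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 200 0 0 12
2025-11-17 08:10:30 10.0.0.5 POST /upload/page.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_6_0)+AppleWebKit/537.4+(KHTML,+like+Gecko)+Chrome/22.0.1229.79+Safari/537.4 - 200 0 64 10899
2025-11-17 08:12:05 10.0.0.5 POST /upload/page.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1944.0+Safari/537.36 - 200 0 0 473
"""

# Constructed process-creation events from the same host (schema is an assumption).
PROC_EVENTS = [
    {"ts": "2025-11-17T08:10:33Z", "host": "WEB01", "parent": "w3wp.exe", "image": "whoami.exe", "cmdline": "whoami.exe"},
    {"ts": "2025-11-17T08:12:06Z", "host": "WEB01", "parent": "w3wp.exe", "image": "netstat.exe", "cmdline": "netstat -an"},
    {"ts": "2025-11-17T08:30:00Z", "host": "WEB01", "parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Discovery and shell binaries that an IIS worker has no business launching.
RECON = {"whoami.exe", "netstat.exe", "net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe",
         "tasklist.exe", "cmd.exe", "powershell.exe"}


def parse_iis_log(text: str) -> List[Dict[str, object]]:
    """Parse W3C extended format using the #Fields header. IIS writes times in UTC
    and encodes spaces inside fields such as the user-agent as '+'."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                       # malformed or truncated line
        row = dict(zip(fields, parts))
        row["cs(User-Agent)"] = row["cs(User-Agent)"].replace("+", " ")
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"],
                                      "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def _proc_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def web_shell_candidates(requests, proc_events, slack_s: int = 5) -> List[dict]:
    """For every recon/shell process spawned by w3wp.exe, list the requests whose
    processing interval (logged time .. logged time + time-taken) covers the spawn.
    Treating the request as an interval rather than an instant avoids depending on
    whether the logger stamps the start or the end of the request."""
    slack = timedelta(seconds=slack_s)
    out = []
    for ev in proc_events:
        if ev["parent"].lower() != "w3wp.exe" or ev["image"].lower() not in RECON:
            continue
        t = _proc_ts(ev["ts"])
        matches = []
        for r in requests:
            start = r["ts"]
            end = start + timedelta(milliseconds=int(r["time-taken"]))
            if start - slack <= t <= end + slack:
                matches.append({"uri": r["cs-uri-stem"], "client": r["c-ip"], "ua": r["cs(User-Agent)"],
                                "status": r["sc-status"], "time_taken_ms": int(r["time-taken"])})
        out.append({"ts": ev["ts"], "proc": ev["cmdline"], "requests": matches})
    return out


def suspect_clients(candidates) -> Dict[str, int]:
    """Count, per client IP, how many shell-spawning requests it was tied to."""
    return dict(Counter(r["client"] for c in candidates for r in c["requests"]))


if __name__ == "__main__":
    cands = web_shell_candidates(parse_iis_log(IIS_LOG), PROC_EVENTS)
    for c in cands:
        print(c["ts"], c["proc"], "<-", [(r["client"], r["uri"], r["time_taken_ms"]) for r in c["requests"]])
    print(suspect_clients(cands))
```

Two details of the log fragments quoted on this page are worth reading alongside the correlation: a request that spent 10899 ms in time-taken is one during which a command could plausibly have been run, and an sc-win32-status of 64 (network name no longer available) commonly means the client dropped the connection before IIS finished the response, which fits a tool that posts a command and does not wait for the page.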
T1569.002 Service Execution · 46%
“…/7000;windowsupdate,%1053
evtx [redacted] - Service Control Manager/7009;300000,windowsupdate
2025-11-17 08:17:10Z
evtx [redacted] - Service Control Manager/7000;windowsupdate,%1053
evtx [redacted] - Service Control Manager/7009;300000,windowsup…”
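The timeline excerpt above is the "trial and error" of the story's title seen from the System event log: a service named to look like a Windows component ("windowsupdate") is started, the Service Control Manager logs 7009 (timeout waiting for the service to connect) and then 7000 (failed to start) with error %1053, and the same pair repeats. Win32 error 1053 is ERROR_SERVICE_REQUEST_TIMEOUT: the process was launched but never registered with the SCM before the timeout, which is what happens when a plain executable is installed as a service. The following is an added example, not code from Huntress or the story, that parses this timeline layout and surfaces services that were retried and never got past the SCM handshake. SAMPLE_TIMELINE is constructed to follow the excerpt's layout (a timestamp line, then "evtx <host> - <provider>/<event id>;<fields>" lines); the 7045 install record, its image path and the 7036 line are hypothetical additions, and the per-event field order is taken from the excerpt.

```python
"""Pull failed service-start sequences out of a Service Control Manager timeline.

Added example, not code from Huntress or the story. SAMPLE_TIMELINE is
constructed to follow the layout of the excerpt on this page (a timestamp
line, then "evtx <host> - <provider>/<event id>;<fields>" lines); the 7045
install record, its image path and the 7036 line are hypothetical additions,
and the field order per event ID is taken from the excerpt.
"""
import re
from collections import OrderedDict
from typing import Dict, List

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z)$")
EVT_RE = re.compile(r"^evtx (\S+) - (.+?)/(\d+);(.*)$")

# Win32 error 1053 = ERROR_SERVICE_REQUEST_TIMEOUT: the process was launched
# but never reported to the SCM before the timeout that event 7009 records.
NOT_A_SERVICE_ERROR = "%1053"

SAMPLE_TIMELINE = r"""
2025-11-17 08:07:05Z
evtx [redacted] - Service Control Manager/7045;windowsupdate,C:\Windows\Temp\svc.exe
2025-11-17 08:12:10Z
evtx [redacted] - Service Control Manager/7000;windowsupdate,%1053
evtx [redacted] - Service Control Manager/7009;300000,windowsupdate
2025-11-17 08:17:10Z
evtx [redacted] - Service Control Manager/7000;windowsupdate,%1053
evtx [redacted] - Service Control Manager/7009;300000,windowsupdate
2025-11-17 08:20:00Z
evtx [redacted] - Service Control Manager/7036;Windows Update,running
"""


def parse_timeline(text: str) -> List[Dict[str, object]]:
    """Turn the two-line timeline layout into one dict per event."""
    events, ts = [], None
    for line in text.splitlines():
        line = line.strip()
        m = TS_RE.match(line)
        if m:
            ts = m.group(1)
            continue
        m = EVT_RE.match(line)
        if m and ts:
            host, provider, eid, fields = m.groups()
            events.append({"ts": ts, "host": host, "provider": provider,
                           "eid": int(eid), "fields": [f.strip() for f in fields.split(",")]})
    return events


def _svc(table, name):
    return table.setdefault(name, {"installed_from": None, "failed_starts": 0,
                                   "timeouts_ms": [], "errors": [], "first": None, "last": None})


def service_history(events) -> "OrderedDict[str, dict]":
    """Group SCM 7045 (installed), 7000 (failed to start) and 7009 (timeout) by service name."""
    table = OrderedDict()
    for ev in events:
        if ev["provider"] != "Service Control Manager" or len(ev["fields"]) < 2:
            continue
        f = ev["fields"]
        if ev["eid"] == 7045:              # <service>,<image path>  (hypothetical layout)
            s = _svc(table, f[0])
            s["installed_from"] = f[1]
        elif ev["eid"] == 7000:            # <service>,<error>
            s = _svc(table, f[0])
            s["failed_starts"] += 1
            s["errors"].append(f[1])
        elif ev["eid"] == 7009:            # <timeout ms>,<service>
            s = _svc(table, f[1])
            s["timeouts_ms"].append(int(f[0]))
        else:
            continue
        s["first"] = s["first"] or ev["ts"]
        s["last"] = ev["ts"]
    return table


def suspicious_services(table, min_failures: int = 2) -> List[dict]:
    """Services retried at least min_failures times that never completed the SCM handshake."""
    out = []
    for name, s in table.items():
        if s["failed_starts"] >= min_failures and set(s["errors"]) == {NOT_A_SERVICE_ERROR}:
            out.append({"service": name, "attempts": s["failed_starts"],
                        "installed_from": s["installed_from"], "window": (s["first"], s["last"]),
                        "timeout_ms": max(s["timeouts_ms"]) if s["timeouts_ms"] else None,
                        "note": "every start ended in 1053: the binary never registered with the SCM, "
                                "the usual result when a plain executable is installed as a service"})
    return out


if __name__ == "__main__":
    for hit in suspicious_services(service_history(parse_timeline(SAMPLE_TIMELINE))):
        print(hit)
```

The grouping is keyed on the service name because the SCM events carry no process ID; pairing the 7045 record with the failures is what turns "a service failed" into "an attacker installed an image at this path and kept retrying it", and the 300000 ms timeout in the excerpt is itself worth a look, since the default SCM start timeout is 30000 ms.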
T1190 Exploit Public-Facing Application · 36%
“…) platform. It would be easy to look at this incident and conclude that the attacker took a number of seamless steps that led to the successful deployment of the Warlock ransomware. However, a deeper look at the Windows event logs showed how the threat actor tried to install a cl…”

T1505.004 IIS Components · 35%
(same excerpt as the T1059.001 entry at 88% above)

T1059.003 Windows Command Shell · 32%
(same excerpt as the T1190 entry at 36% directly above)

Summary

Think all threat actors are pros? This post reveals how 'unsophisticated' malware and attacker errors help defenders stop attacks before damage is done.