TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Dealing with Imperfect Telemetry | Huntress

2025-10-21

ATT&CK techniques detected

10 predictions
T1021.006 Windows Remote Management
79%
“…Sometimes, we can wish all we want. To be taller, to have a ’64 Impala, or for more telemetry, and yet our wishes won’t be granted for whatever reason. In these scenarios, we have two options: give up and accept defeat in a fit of frustration or get to work, imperfect as th…”
T1654 Log Enumeration
77%
“…protect you from logs rolling over or logs being cleared by a threat actor. Conclusion. In this blog, we covered various techniques and methods utilized by the Huntress Tactical Response team when dealing with intrusions in a telemetry-degraded environment. Cases where perfect te…”
T1654 Log Enumeration
73%
“Dealing with Imperfect Telemetry | Huntress. We’ve all seen threat reports and intrusion write-ups that look deeply polished, with a cohesive timeline that highlights incredible telemetry and analysis skills. Cool diagrams abound, illustrating threat actor kill chains, beaconi…”
T1021.006 Windows Remote Management
69%
“…kind of lateral movement occurred, whereby the host that had the user created on it was accessed by another host through something like WinRM, WMI, or maybe even an RMM. To get better answers, we turned to Windows Security 4624 events to see where the authentications for the affe…”
T1078.001 Default Accounts
58%
“…76 events on a host of interest. These events didn’t yield much additional information. We also examined the DNS cache, active connections, and other endpoint artifacts, with no luck in determining where the user account was created from or what connections were made to this h…”
T1078 Valid Accounts
57%
“…liance is subject to a brute force attack or even general internet noise. As we’ve blogged about before, VPN appliances are a popular initial access vector for threat actors, so we spend a lot of time looking at VPN telemetry. Sometimes, we observe VPN telemetry where a login…”
T1078.004 Cloud Accounts
55%
“…temporal element, serving to strengthen analysis hypotheses, as illustrated below. Figure 5: Image of Slack message showing analysis of VPN log without a login event present. These examples illustrate how even imperfect data can be used to solve tough intrusion cases and provide …”
T1078 Valid Accounts
54%
“…76 events on a host of interest. These events didn’t yield much additional information. We also examined the DNS cache, active connections, and other endpoint artifacts, with no luck in determining where the user account was created from or what connections were made to this h…”
T1133 External Remote Services
51%
“…liance is subject to a brute force attack or even general internet noise. As we’ve blogged about before, VPN appliances are a popular initial access vector for threat actors, so we spend a lot of time looking at VPN telemetry. Sometimes, we observe VPN telemetry where a login…”
T1654 Log Enumeration
35%
“Would the above outcome have been drastically changed had the host been logging 4624 events? Although we crave the satisfaction of a neatly wrapped-up intrusion case, I’d argue that in this case, the overall outcome would not have been drastically improved had the 4624 events…”

Summary

See how the Huntress Tactical Response team tackles security telemetry gaps. We share real-world techniques for working with missing logs, degraded telemetry, and cloud logging challenges to uncover critical insights and improve investigations.