TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

How EDR Telemetry Powers Managed Investigations

2025-09-22

ATT&CK techniques detected

11 predictions (technique · confidence · supporting passage)

T1021.001 Remote Desktop Protocol · 96% · A
T1486 Data Encrypted for Impact · 89% · B
T1078 Valid Accounts · 80% · B
T1219 Remote Access Tools · 75% · C
T1021.001 Remote Desktop Protocol · 71% · B
T1219 Remote Access Tools · 60% · A
T1566.004 Spearphishing Voice · 60% · B
T1588.002 Tool · 51% · D
T1219 Remote Access Tools · 50% · B
T1018 Remote System Discovery · 34% · E
T1566.004 Spearphishing Voice · 34% · A

Supporting passages (excerpts from the original article; each is quoted once and referenced by letter above)

A. “…the SOC looked at in this investigation also revealed that the threat actor gained access via a publicly accessible Remote Desktop Protocol (RDP) instance, and likely deployed the ransomware via UNC paths. SOC analysts isolated the impacted host from the network. However, this …”

B. “… or maybe a stealthy threat actor has been laying low in a company's environment, quietly gathering data. We frequently see this type of situation when businesses first install our agent, or test out our services in a trial. Because they didn't previously have EDR, threat ac…”

C. “…-by download, or maybe it came from a targeted phishing attack – two different things with very different implications for the impacted customer. This type of information can help the SOC team determine how severe the threat is and how remediation should be handled. Earlier this…”

D. “…telemetry and found that the activity went back as far as November 2023 in the observed hosts. Figure 2: process tree involving the use of pcalua.exe. At the end of the day, we uncovered three intrusions across three different organizations that were located in Canada. We also fo…”

E. “…telemetry data is at the very heart of an EDR solution, both managed and unmanaged. The processes and files running on an endpoint can give important clues about potentially malicious activity. However, managed EDR helps businesses derive meaning from that telemetry through a dedi…”
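The passages above name three things an analyst would look for in endpoint telemetry: a process tree rooted at pcalua.exe (ATT&CK catalogs pcalua.exe proxy execution under T1202 Indirect Command Execution), a binary launched from a UNC path, and access through a publicly reachable RDP instance. The script below is an added example, not code from TTPwire or from the Huntress article. It runs those three checks over constructed EDR-style process-creation records and Windows logon-type-10 records, then escalates any host where more than one check fires. The event shape, field names, hostnames, paths and IP addresses are all assumptions made for the example.

```python
"""Added example (not TTPwire's or Huntress's code): a minimal detection pass
over constructed endpoint telemetry for the behaviours described in the
passages above. Field names, hosts, paths and IPs are assumptions."""
import ipaddress
from collections import defaultdict

# Constructed sample telemetry: EDR-style process-creation records ("process")
# and Windows 4624-style logon records ("logon"). None of this is real data.
EVENTS = [
    {"id": 1, "kind": "process", "host": "ws-01",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": r"pcalua.exe -a C:\Users\Public\update.exe"},
    {"id": 2, "kind": "process", "host": "ws-01",
     "parent_image": r"C:\Windows\System32\pcalua.exe",
     "image": r"C:\Users\Public\update.exe",
     "cmdline": r"C:\Users\Public\update.exe"},
    {"id": 3, "kind": "logon", "host": "srv-02", "logon_type": 10,
     "source_ip": "198.51.100.23", "user": "administrator"},
    {"id": 4, "kind": "process", "host": "srv-02",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"\\srv-02\C$\Windows\Temp\enc.exe",
     "cmdline": r"\\srv-02\C$\Windows\Temp\enc.exe --all"},
    {"id": 5, "kind": "logon", "host": "srv-02", "logon_type": 10,
     "source_ip": "10.0.5.14", "user": "jdoe"},
    {"id": 6, "kind": "process", "host": "ws-03",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": "firefox.exe"},
]

# Assumption: anything outside RFC 1918 space and loopback is "external".
# ipaddress.is_global is deliberately not used: it treats documentation
# ranges such as 198.51.100.0/24 as non-global, which would hide the sample.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_pcalua_proxy_exec(ev):
    """pcalua.exe (Program Compatibility Assistant) as the parent of another
    process: proxy execution, catalogued by ATT&CK as T1202."""
    return ev["kind"] == "process" and _basename(ev["parent_image"]) == "pcalua.exe"


def is_unc_execution(ev):
    """An image started directly from a UNC path (leading double backslash),
    the pattern the article ties to ransomware deployment over the network."""
    return ev["kind"] == "process" and ev["image"].startswith("\\\\")


def is_external_rdp_logon(ev):
    """RemoteInteractive logon (type 10) from a non-private source address:
    what a publicly reachable RDP instance looks like from the host's side."""
    if ev["kind"] != "logon" or ev.get("logon_type") != 10:
        return False
    src = ipaddress.ip_address(ev["source_ip"])
    return not any(src in net for net in PRIVATE_NETS)


RULES = (
    ("T1202", "pcalua.exe used to proxy execution", is_pcalua_proxy_exec),
    ("T1021.001", "RDP logon from a non-private source address", is_external_rdp_logon),
    (None, "executable launched from a UNC path", is_unc_execution),
)


def detect(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for technique, rule, pred in RULES:
            if pred(ev):
                findings.append({"event": ev["id"], "host": ev["host"],
                                 "technique": technique, "rule": rule})
    return findings


def escalated_hosts(findings, min_rules=2):
    """Hosts where at least `min_rules` distinct rules fired. An external RDP
    logon followed by UNC-path execution on the same host is the kind of
    chain the article's analysts isolated first."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    results = detect(EVENTS)
    for f in results:
        print(f"event {f['event']:>2} {f['host']:<7} {f['technique'] or '-':<10} {f['rule']}")
    print("escalate:", escalated_hosts(results))
```

Run directly, it prints three findings (the pcalua.exe child on ws-01, the external RDP logon and the UNC-path execution on srv-02) and escalates srv-02 alone; the private-address RDP logon and the ordinary browser launch produce nothing. In practice the same predicates would sit on a live stream of process and logon events, and the RFC 1918 check would be replaced by the organisation's own address allow-list.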

Summary

Learn more about what it actually means to go up against hackers, and why creative, human-led investigations are essential for keeping your organization safe from modern threats.