“succeeded in deploying Akira ransomware on some endpoints. The Huntress agent was installed after the initial compromise and ransomware deployment, so there were no ransomware canary reports, and endpoint detection and response (EDR) telemetry was not available until after the …”
Suggested technique: T1219 Remote Access Tools (98%)
“Huntress SOC promptly responded after the installation of the Cloudflare tunnels and Windows Defender’s detection of initial attempts to deploy Akira ransomware. The SOC isolated endpoints and notified the MSP of the Atera RMM starting point, interrupting the threat actor’s e…”
Suggested technique: T1486 Data Encrypted for Impact (98%)
“The endpoints had varying types of activities across them; some had Cloudflare tunnels installed, while others had ransomware (successfully) deployed, as indicated by MAV detection. On others, the threat actor had disabled Windows Defender after it detected and quarantined its…”
Suggested technique: T1219 Remote Access Tools (92%)
“Remote Monitoring and Management Tools | Huntress. In mid-June, Huntress saw an incident where a threat actor compromised an MSP’s remote monitoring and management (RMM) tool in an attempt to target three of its customers. While the Huntress Security Operations Center (SOC…”
Suggested technique: T1219 Remote Access Tools (91%)
“that an RMM or some other means of remote access (besides RDP specifically) was used. The workstation name from which the authentication had originated had also been observed during the previous incident highlighted in our previous blog. At 08:23 UTC, Windows Defender then de…”
Suggested technique: T1486 Data Encrypted for Impact (90%)
“…ware executable, C:\ProgramData\akira.ex_, was detected and successfully quarantined. Figure 3: MAV detection of the Akira ransomware executable. Six seconds later, Windows Defender RTP was disabled, and the following PowerShell code was visible in Windows event logs, in…”
Suggested technique: T1080 Taint Shared Content (85%)
“…ware executable, C:\ProgramData\akira.ex_, was detected and successfully quarantined. Figure 3: MAV detection of the Akira ransomware executable. Six seconds later, Windows Defender RTP was disabled, and the following PowerShell code was visible in Windows event logs, in…”
Suggested technique: T1219 Remote Access Tools (72%)
“, as seen in the following System event log record: Service Control Manager / 7045: C:\Windows\System32\cloudflared.exe tunnel run --token [redacted]. The Windows service or “autorun” detected by the Huntress platform is illustrated in Figure 2. Figure 2: Threat acto…”
Suggested technique: T1486 Data Encrypted for Impact (50%)
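The two log artifacts quoted in these snippets, the Service Control Manager 7045 record for a cloudflared.exe service running `tunnel run --token`, and a Defender quarantine followed six seconds later by real-time protection being disabled, can be hunted for directly on an endpoint or over forwarded logs. The PowerShell below is an added example, not code from the Huntress post. It assumes only the built-in Windows event IDs (System/7045 for service installation; Microsoft-Windows-Windows Defender/Operational 1117 for an action taken on a detection and 5001 for real-time protection disabled) and a 30-second pairing window that is our own choice, not a value from the post.

```powershell
# Added example (not from the Huntress post): hunt for a Cloudflare tunnel
# installed as a service, and for Defender real-time protection being turned
# off shortly after Defender quarantined something.

$Window = [TimeSpan]::FromSeconds(30)   # assumed: max gap between quarantine and RTP-off

# 1. Service Control Manager 7045 (System log): a new service was installed.
#    EventData property order for 7045 is ServiceName, ImagePath, ServiceType,
#    StartType, AccountName.
$tunnelServices = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object {
        $img = [string]$_.Properties[1].Value
        # The post's record: C:\Windows\System32\cloudflared.exe tunnel run --token [redacted]
        ($img -match 'cloudflared(\.exe)?') -and ($img -match 'tunnel\s+run')
    } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Computer    = $_.MachineName
            ServiceName = $_.Properties[0].Value
            # Do not copy the tunnel token into your own reports.
            ImagePath   = ([string]$_.Properties[1].Value -replace '--token\s+\S+', '--token [redacted]')
            Account     = $_.Properties[4].Value
        }
    }

# 2. Defender Operational log: 1117 = action taken on a detection (e.g. quarantine),
#    5001 = real-time protection disabled. Pair each 5001 with the nearest
#    preceding 1117 inside $Window.
$defLog  = 'Microsoft-Windows-Windows Defender/Operational'
$actions = @(Get-WinEvent -FilterHashtable @{ LogName = $defLog; Id = 1117 } -ErrorAction SilentlyContinue)
$rtpOff  = @(Get-WinEvent -FilterHashtable @{ LogName = $defLog; Id = 5001 } -ErrorAction SilentlyContinue)

$tamperAfterQuarantine = foreach ($off in $rtpOff) {
    $prior = $actions |
        Where-Object { $_.TimeCreated -le $off.TimeCreated -and ($off.TimeCreated - $_.TimeCreated) -le $Window } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1
    if ($prior) {
        [pscustomobject]@{
            Computer      = $off.MachineName
            QuarantinedAt = $prior.TimeCreated
            RtpDisabledAt = $off.TimeCreated
            SecondsApart  = [math]::Round(($off.TimeCreated - $prior.TimeCreated).TotalSeconds, 1)
            Detection     = ([string]$prior.Message -split "`r?`n")[0]
        }
    }
}

"== cloudflared services installed via SCM 7045 =="
$tunnelServices | Format-Table -AutoSize
"== Defender RTP disabled within $($Window.TotalSeconds)s of a quarantine (1117 -> 5001) =="
$tamperAfterQuarantine | Format-Table -AutoSize
```

Run it elevated on the suspect host, or point `Get-WinEvent` at a collector with `-ComputerName`. An empty second table on a machine where Defender logged a quarantine is itself worth a look: the post describes RTP being disabled six seconds after the quarantine, so a 1117 with no matching 5001 may mean the event log was cleared rather than that nothing happened.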
“of tactics, techniques, and procedures (TTPs) alongside identical indicators of compromise (IOCs). A Third Attack. Identified during the first week of July, the Huntress SOC began reporting a third attack where, again, the partner Atera RMM instance was identified as the sourc…”
Suggested technique: T1080 Taint Shared Content (50%)
“The endpoints had varying types of activities across them; some had Cloudflare tunnels installed, while others had ransomware (successfully) deployed, as indicated by MAV detection. On others, the threat actor had disabled Windows Defender after it detected and quarantined its…”
Suggested technique: T1219 Remote Access Tools (47%)
“result, artifacts such as encrypted canary files or EDR telemetry were not available. Instead, when we pieced the incident together, we relied solely on log files retrieved from the endpoints. In this incident, the MSP was also able to provide log data demonstrating access to the…”
Suggested technique: T1136 Create Account (38%)
“…ware executable, C:\ProgramData\akira.ex_, was detected and successfully quarantined. Figure 3: MAV detection of the Akira ransomware executable. Six seconds later, Windows Defender RTP was disabled, and the following PowerShell code was visible in Windows event logs, in…”
Suggested technique: T1078 Valid Accounts (34%)
“that an RMM or some other means of remote access (besides RDP specifically) was used. The workstation name from which the authentication had originated had also been observed during the previous incident highlighted in our previous blog. At 08:23 UTC, Windows Defender then de…”
Suggested technique: T1080 Taint Shared Content (34%)
“succeeded in deploying Akira ransomware on some endpoints. The Huntress agent was installed after the initial compromise and ransomware deployment, so there were no ransomware canary reports, and endpoint detection and response (EDR) telemetry was not available until after the …”
Suggested technique: T1199 Trusted Relationship (31%)
“Remote Monitoring and Management Tools | Huntress. In mid-June, Huntress saw an incident where a threat actor compromised an MSP’s remote monitoring and management (RMM) tool in an attempt to target three of its customers. While the Huntress Security Operations Center (SOC…”
Suggested technique: T1021.001 Remote Desktop Protocol (31%)
Summary
When a threat actor exploited an MSP's RMM tool to target businesses, Huntress investigated and uncovered another eerily similar incident with key differences that reveal evolving tactics.