TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

How Huntress Addresses Lateral Movement

2025-06-12

ATT&CK techniques detected

13 predictions

T1021.001 Remote Desktop Protocol (97%)
“…remoting - DCOM object activation (ex. MMC COM object) - process execution over RDP - headless RDP execution. When bringing these two pillars together, we noticed not only how prevalent lateral movement was happening in cases like ransomware, but how this telemetry actually allo…”

T1003.001 LSASS Memory (92%)
“NetExec - GoExec. Real-world scenario: Huntress observed user SYSTEM executing malicious commands to dump the LSASS process to harvest credentials via rundll32.exe loading comsvcs.dll. This activity stemmed from mmc.exe (Microsoft Management Console), which leverages DCOM as…”

T1021.006 Windows Remote Management (92%)
“…1) doesn't have the Huntress EDR installed, while the target machine (Machine 2) does. - Attacker has valid credentials of a user (thor) that can access Machine 2. - Attacker leverages the MMC20.Application COM object to laterally move and execute an encoded PowerShell co…”

T1021.001 Remote Desktop Protocol (89%)
“Threat actor was seen trying to enable RDP connections via the registry in order to log into the affected server via RDP. Ransomware precursor focus. Next, we can target key ransomware precursors that are also often run by administrators and can be problematic to identify maliciou…”

T1021.003 Distributed Component Object Model (74%)
“…(remote machine) - remote code execution (remote machine). After organizing the data into these pillars, we saw significant value in focusing on remote authentication and remote execution, especially when combining both into a single event for our detection engineers and SOC a…”

T1021.002 SMB/Windows Admin Shares (68%)
“How Huntress addresses lateral movement. Lateral movement is one of the most common attack tactics that attackers use once they're inside an organization. Leveraging lateral movement techniques allows attackers to move laterally across the organization, deepening their compromis…”

T1021.001 Remote Desktop Protocol (63%)
“Building the feature. Remote interaction with a host is very common within organizations. This is because administrators need to be able to access a resource remotely or manage a machine's settings/updates/etc. Due to this need, there are default ways that make machines acce…”

T1550.002 Pass the Hash (56%)
“…registry hives, NTDS.dit) to a common staging directory (C:\Users\Public\Music). - Lateral movement and activity on Host B: multiple users were observed logging into Host B from the same (internal) IP address and associated hostnames over several weeks. One user was…”

T1021.001 Remote Desktop Protocol (47%)
“How Huntress addresses lateral movement. Lateral movement is one of the most common attack tactics that attackers use once they're inside an organization. Leveraging lateral movement techniques allows attackers to move laterally across the organization, deepening their compromis…”

T1021.001 Remote Desktop Protocol (34%)
“…1) doesn't have the Huntress EDR installed, while the target machine (Machine 2) does. - Attacker has valid credentials of a user (thor) that can access Machine 2. - Attacker leverages the MMC20.Application COM object to laterally move and execute an encoded PowerShell co…”

T1563.002 RDP Hijacking (34%)
“Threat actor was seen trying to enable RDP connections via the registry in order to log into the affected server via RDP. Ransomware precursor focus. Next, we can target key ransomware precursors that are also often run by administrators and can be problematic to identify maliciou…”

T1003 OS Credential Dumping (31%)
“…registry hives, NTDS.dit) to a common staging directory (C:\Users\Public\Music). - Lateral movement and activity on Host B: multiple users were observed logging into Host B from the same (internal) IP address and associated hostnames over several weeks. One user was…”

T1563.002 RDP Hijacking (30%)
“…remoting - DCOM object activation (ex. MMC COM object) - process execution over RDP - headless RDP execution. When bringing these two pillars together, we noticed not only how prevalent lateral movement was happening in cases like ransomware, but how this telemetry actually allo…”

Summary

Huntress Managed EDR tackles lateral movement, a common attack tactic, with a layered approach to telemetry collection and detection. Read on to learn how we identify malicious activity while minimizing false positives.