“for defenders. “Assume nothing. If you think something is configured a certain way in your network, test your assumptions. All of this is complex. It sounds pretty easy, but if you are in charge of a production network with different functionalities, requirements, compliance reg…”
T1110 Brute Force (98%)
“From a defender’s perspective, brute force attacks are surprisingly easy to gloss over. Here’s why: the speedy persistence of brute force attempts fills up Windows endpoint event logs, causing them to roll over every few minutes. This can easily mask not only brute force att…”
T1133 External Remote Services (98%)
“The driver behind widespread VPN compromise? Plain and simple tradecraft like stolen credentials, appliance brute force, or disabled MFA accounts are consistent culprits. More alarmingly, we’ve started to see attackers level up their VPN game with: - logins from malicious IP a…”
T1588.002 Tool (71%)
“…us a defensive opportunity to neutralize and stop them,” says Dray Agha, Senior Manager, Security Operations Center, EMEA. In a recent Tradecraft Tuesday episode, “The Most Boring (Not Really) Tradecraft Tuesday Ever,” Dray Agha and Anton Ovrutsky from our 24/7 Security Op…”
T1572 Protocol Tunneling (70%)
“…functionality like SSH and ngrok, which makes detection squirrely. Tunneling also lets attackers bypass perimeter controls like firewall configurations that you’ve set up and audited to a tee. Tunneling isn’t glamorous tradecraft, but it is extremely impactful when attackers…”
T1021.001 Remote Desktop Protocol (57%)
“…like XenArmor to collect a boatload of credentials at one time; Wi-Fi password theft from the host. While these techniques aren’t new, they’re showing up more often across targeted environments, and we’re tracking these trends. What you can do: remove local administrator acce…”
T1003 OS Credential Dumping (56%)
(same excerpt as under T1021.001 Remote Desktop Protocol above)
T1078 Valid Accounts (54%)
(same excerpt as under T1021.001 Remote Desktop Protocol above)
T1078 Valid Accounts (39%)
“…CrackMapExec. Disappointingly, we don’t often see threat actors fumble lateral movement attempts. “I wish we saw a lot more failed attempts at lateral movement, like the workstation doesn’t recognize the login, the time of day isn’t correct for a login, or the password does…”
T1550.002 Pass the Hash (37%)
(same excerpt as under T1078 Valid Accounts (39%) above)
T1550.002 Pass the Hash (33%)
(same excerpt as under T1021.001 Remote Desktop Protocol above)
Summary
Don’t underestimate basic attacker tradecraft tactics. Learn how common cybersecurity tradecraft succeeds and get practical tips from the Huntress SOC to shut it down.