“host was isolated within minutes of the first execution to prevent further activity from occurring. The threat actor returned days later and created a service titled webrootcheck with a “service file name” (command for the service) of cmd.exe /c c:\temp\1.bat. they th…”
T1190 Exploit Public-Facing Application
58%
“'advanced' intrusion targeting a marketing research company | Huntress in early 2025, Huntress security operations center (SOC) analysts responded to an intrusion involving a critical market research company conducting business throughout the Fortune 50 and governments worldw…”
T1087.003 Email Account
45%
“##lookup to enumerate mail servers: the following detection rules are not high-fidelity at scale, but may be used either separately or collectively to identify threat actor activity as part of a routine threat hunting cadence involving analytical methods such as clustering or …”
T1556.002 Password Filter DLL
37%
“of its execution. This registry manipulation is a common tactic used by threat actors to more easily dump hashed user passwords from memory. reg add "hklm\system\currentcontrolset\control\lsa" /v disablerestrictedadmin /t reg_dword /d 00000000 /f The following com…”
Summary
An intrusion at a market research company used living-off-the-land techniques, but Huntress detected and mitigated the threat, uncovering tactics like service creation and registry manipulation. Learn more and get detection guidance and mitigation strategies.