“…extrapolate indicators of compromise from the various intrusions we come across. One such indicator is workstation names. Certain workstation names are observed across intrusions, and in this particular case one such known malicious workstation name popped up on our radar. This m…”
Which technique(s) should be tagged here? Pick zero or more; leaving it blank just records that the original tag was wrong.
Original tag: T1021.006 Windows Remote Management (score 86%)
“…RDP configurations, we’d expect these events to come from some kind of system management process. If the systems administrator performed these actions via command line, we’d expect to see a process lineage similar to our net localgroup example above. In this case, an examinat…”
Original tag: T1059.001 PowerShell (score 82%)
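The snippet above describes the check the analysts applied: an RDP-enabling change is expected either from a known management process or from an interactive administrator's shell, and anything else deserves a look. The following is an added example of that parent-child lineage check, not code from the Huntress post or from this tagging page. The Sysmon-style event fields, the management-agent allow-list (a hypothetical "contoso-rmm-agent.exe") and the sample lineages are all constructed assumptions.

```python
"""Flag RDP-enabling commands whose process ancestry is neither an interactive
admin session nor a known management agent.

Added example; sample events, field names and the allow-list are constructed
assumptions, not telemetry from the case the page discusses."""

import ntpath
import re

# Assumed allow-list of management agents (hypothetical image names). A command whose
# ancestry includes one of these is treated as expected system-management activity.
MANAGEMENT_PARENTS = {"contoso-rmm-agent.exe", "ccmexec.exe"}

# Shells an administrator types into. explorer.exe at the root of the chain is taken
# as the marker of an interactive desktop session (assumption for this example).
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe"}

# Simple command-line heuristics for changes that enable or grant RDP access.
RDP_CHANGE_PATTERNS = [
    ("rdp_group_add", re.compile(r'net1?\s+localgroup\s+"?remote desktop users"?.*\s/add', re.I)),
    ("rdp_enable_reg", re.compile(r"fDenyTSConnections.*\b0\b", re.I)),
    ("rdp_firewall_open", re.compile(r"netsh\s+advfirewall.*remote desktop.*enable=yes", re.I)),
]

REG_ENABLE_RDP = (r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                  r"/v fDenyTSConnections /t REG_DWORD /d 0 /f")

# Constructed process-creation events (Sysmon-like shape; pid 1 is the assumed root).
EVENTS = [
    # Interactive administrator: explorer -> cmd -> net
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "user": "CORP\\jadmin", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "user": "CORP\\jadmin", "cmd": "cmd.exe"},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\net.exe", "user": "CORP\\jadmin",
     "cmd": 'net localgroup "Remote Desktop Users" CORP\\helpdesk /add'},
    # Hypothetical management agent pushing the registry change
    {"pid": 200, "ppid": 1, "image": r"C:\Program Files\Contoso\contoso-rmm-agent.exe",
     "user": "NT AUTHORITY\\SYSTEM", "cmd": "contoso-rmm-agent.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\reg.exe", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": REG_ENABLE_RDP},
    # Neither: a web worker process spawning a shell that enables RDP and opens the firewall
    {"pid": 300, "ppid": 1, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "user": "IIS APPPOOL\\DefaultAppPool", "cmd": "w3wp.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "user": "IIS APPPOOL\\DefaultAppPool", "cmd": "cmd.exe"},
    {"pid": 302, "ppid": 301, "image": r"C:\Windows\System32\reg.exe",
     "user": "IIS APPPOOL\\DefaultAppPool", "cmd": REG_ENABLE_RDP},
    {"pid": 303, "ppid": 301, "image": r"C:\Windows\System32\netsh.exe",
     "user": "IIS APPPOOL\\DefaultAppPool",
     "cmd": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
]


def lineage(events_by_pid, pid):
    """Walk parent links to the root; returns image basenames, child first.
    The seen-set guards against PID reuse producing a cycle in the sample data."""
    chain, seen = [], set()
    while pid in events_by_pid and pid not in seen:
        seen.add(pid)
        ev = events_by_pid[pid]
        chain.append(ntpath.basename(ev["image"]).lower())
        pid = ev["ppid"]
    return chain


def classify(chain):
    """Verdict for a child-first lineage list (chain[0] is the process that ran the command)."""
    ancestors = chain[1:]
    if any(a in MANAGEMENT_PARENTS for a in ancestors):
        return "expected-management"
    if ancestors and ancestors[-1] == "explorer.exe" and all(a in INTERACTIVE_SHELLS for a in ancestors[:-1]):
        return "expected-interactive-admin"
    return "suspicious-lineage"


def find_rdp_changes(events):
    """Return one finding per RDP-related command, with its lineage and verdict."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        for name, pattern in RDP_CHANGE_PATTERNS:
            if pattern.search(ev["cmd"]):
                chain = lineage(by_pid, ev["pid"])
                findings.append({"pid": ev["pid"], "user": ev["user"], "change": name,
                                 "lineage": " <- ".join(chain), "verdict": classify(chain)})
                break  # one label per event is enough
    return findings


if __name__ == "__main__":
    for f in find_rdp_changes(EVENTS):
        print(f"{f['verdict']:28} pid={f['pid']:<4} {f['change']:18} {f['lineage']}  ({f['user']})")
```

The verdicts are only as good as the allow-list and the shell set: a real deployment would key the interactive branch on logon type and session ID rather than on explorer.exe alone, and would treat `net1.exe`, `powershell -enc`, and `Set-ItemProperty` variants of the same change as in scope.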
“…that the installed service was out of date and missing patches. The Huntress team has blogged about this vulnerability in detail before, and we all know that patching is difficult, so it’s not at all surprising to see older software out there. After some further investigation o…”
Original tag: T1078 Valid Accounts (score 80%)
“…movement. A few questions remain, however. We still don’t know how the threat actor got into the environment in the first place, and we also don’t know how the Veeam service was discovered. Was this service specifically targeted or was it spotted in an opportunistic fashion? …”
Original tag: T1098 Account Manipulation (score 64%)
“…kind of initial access and perhaps credential dumping techniques were also in play, as these are often necessary prerequisites for lateral movement. This dynamic can be illustrated by the image below: in this particular case, the analyst received a number of signals, all cluster…”
Original tag: T1003 OS Credential Dumping (score 56%)
“…response team handled. On the investigation side, we aimed to highlight methodology where possible. It’s one thing to generically state “monitor for brute force attempts” or “look out for anomalous parent-child process relationships,” but it’s quite another to actualize…”
Original tag: T1078 Valid Accounts (score 50%)
“…ing off the IP address associated with the lateral movement activity, the Huntress Tactical Response team reviewed the provided VPN telemetry and found a suspicious authentication event. However, since the VPN device doesn’t hold a lot of telemetry, we were only able to ident…”
Original tag: T1557.001 Name Resolution Poisoning and SMB Relay (score 47%)
“…that the installed service was out of date and missing patches. The Huntress team has blogged about this vulnerability in detail before, and we all know that patching is difficult, so it’s not at all surprising to see older software out there. After some further investigation o…”
Original tag: T1136.001 Local Account (score 40%)
“During investigations, an often paradoxical dynamic plays out. More information sometimes leads not to further clarity, but only to further questions. We may know that the threat actor is within the network, and we may also know the methods of lateral movement, but key pieces of …”
Original tag: T1021.001 Remote Desktop Protocol (score 36%)
“…RDP configurations, we’d expect these events to come from some kind of system management process. If the systems administrator performed these actions via command line, we’d expect to see a process lineage similar to our net localgroup example above. In this case, an examinat…”
Original tag: T1098.007 Additional Local or Domain Groups (score 33%)
“During investigations, an often paradoxical dynamic plays out. More information sometimes leads not to further clarity, but only to further questions. We may know that the threat actor is within the network, and we may also know the methods of lateral movement, but key pieces of …”
Original tag: T1021 Remote Services (score 32%)
“…ing off the IP address associated with the lateral movement activity, the Huntress Tactical Response team reviewed the provided VPN telemetry and found a suspicious authentication event. However, since the VPN device doesn’t hold a lot of telemetry, we were only able to ident…”
Original tag: not shown on the page
Summary
Explore the inner workings of real-world cyberattacks and gain insight into the challenges faced by Huntress threat analysts. Discover the critical role of investigative techniques and their importance in uncovering and addressing these threats.