TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Know Thy Enemy: A Novel November Case | Huntress

2024-11-25

ATT&CK techniques detected

9 predictions
T1110 Brute Force
91%
“Know Thy Enemy: A Novel November Case | Huntress. Threat actors are, frankly, rarely original. They share the same playbooks, tactics, and often don't even bother to rename offensive security tool names. In early November 2024, the Huntress SOC investigated what appeared to be …”
T1021.002 SMB/Windows Admin Shares
86%
“Brute force is unsophisticated but does achieve results for threat actors. A brute force against a non-MFA'd authentication service will inevitably yield access. A user was eventually accessed from brute force via the following public IPv4s between October 28 and November 12 …”
T1021.001 Remote Desktop Protocol
82%
“… is the art of specifically querying a verbose set of telemetries with specific security questions until the investigator is satisfied. The aims for threat hunting are myriad, but the goal for the SOC at this time was to identify if this threat actor had compromised any other envi…”
T1497.001 System Checks
65%
“… it bluntly, weird. To confirm, Windows Network Virtual Adapter is a technology dedicated to host-based virtualization and has nothing to do with malicious activity. What the threat actor has attempted to do here is fly under the radar by renaming their client-side MeshAgent a…”
T1497.001 System Checks
56%
“… Windows NT\nvspbind\nvspbind.exe" — the name of a virtualization binary (but more on this shortly). A quick analysis of the binary showed the MeshAgent instance reached out to the following domain: wss[://]193.46.255[.]73:443/agent[.]ashx. Pivoting on th…”
T1133 External Remote Services
56%
“Know Thy Enemy: A Novel November Case | Huntress. Threat actors are, frankly, rarely original. They share the same playbooks, tactics, and often don't even bother to rename offensive security tool names. In early November 2024, the Huntress SOC investigated what appeared to be …”
T1556.006 Multi-Factor Authentication
43%
“— third-party MFA for RDP is notoriously difficult to configure correctly. - Where possible, deploy allow-lists for software to ensure that threat actors and users alike cannot easily run whatever tools and toys they wish haphazardly. Indicators of Compromise. MITRE ATT&CK c…”
T1110 Brute Force
41%
“… is the art of specifically querying a verbose set of telemetries with specific security questions until the investigator is satisfied. The aims for threat hunting are myriad, but the goal for the SOC at this time was to identify if this threat actor had compromised any other envi…”
T1021.002 SMB/Windows Admin Shares
35%
“… by manipulating both the registry and the firewall rules. Its contents are revealed below: mimon.bat worked to ensure the successful installation of the MeshAgent, remove LSA protection, and enable WDigest to facilitate the storage of credentials in plaintext. The contents of t…”

Summary

In this blog, Huntress SOC investigators unravel the lateral movement and persistence of an interesting threat actor and their novel infrastructure