TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Attack Behaviors | Huntress

2024-05-30

ATT&CK techniques detected (9 predictions)

T1059.001 PowerShell (93%)
“Huntress SOC continued to report on identical attacks as those described by Dray in his tweet through March and into April, as late as April 22, 2024. During the observed incidents, the attack used and commands issued remained the same, including the use of PowerShell to download…”

T1078 Valid Accounts (78%)
“a successful login, via a brute-force attack. In some incidents, Huntress analysts have observed endpoint names such as 0day-project and kali across multiple incidents. In others, analysts have identified issues as the ‘workstation’ name extracted from the successful login…”

T1219 Remote Access Tools (71%)
“X (formerly known as Twitter). Max went on to point to the National Vulnerability Database entry for CVE-2023-48788, which was added on March 12, 2024. And as Max mentioned, threat actors were apparently compromising endpoints via this vulnerability to deploy ScreenConnect…”

T1078.003 Local Accounts (65%)
“events a day to locate the truly malicious events? One way to address this, and one of the approaches Huntress analysts have been using, is to track, among other indicators, the use of usernames and passwords across known-malicious incidents. In several instances, usernames and…”

T1204.002 Malicious File (54%)
“of incidents to develop effective protection and detection mechanisms that impose a significant cost on the threat actor. If the threat actor’s attack is detected and responded to early enough, then their ability to troubleshoot the issue and take the appropriate action to bypa…”

T1078.003 Local Accounts (51%)
“…ities, the threat clusters appear as similar histograms, occurring within the same hours of operations. Speaking of threat clusters, the activity illustrated in Figure 1 of that same blog article had been previously observed by Huntress analysts associated with Medusa ransomware…”

T1078.001 Default Accounts (47%)
“…name and/or the password will make it easier to differentiate the malicious activity. Taking advantage of these habits to protect the organization imposes a cost on the threat actor. Some threat actors are prepared prior to an attack to change their infrastructure, because hi…”

T1219 Remote Access Tools (41%)
“used by threat actors to secure their archives can allow defenders to detect (and respond to) threat actor activity at various points throughout the attack chain, obviating follow-on activity. Recurrence of endpoint names. Microsoft Windows itself, and various RMM tools, can c…”

T1190 Exploit Public-Facing Application (35%)
“X (formerly known as Twitter). Max went on to point to the National Vulnerability Database entry for CVE-2023-48788, which was added on March 12, 2024. And as Max mentioned, threat actors were apparently compromising endpoints via this vulnerability to deploy ScreenConnect…”

Summary

In the cybersecurity community, we may hear analysts say, “Oh, threat actors change their tactics…”, and at times, they may include the word “always” as part of that statement. However, the question at hand is, “Does the data really show that to be the case?” What are we truly seeing in real-world incidents?