“##zbdzbsi" queryout "c:\users\public\music\kur.bat" -t -f "c:\users\public\music\fodsozkgau.txt" "c:\windows\system32\cmd.exe" /c bcp "select binarytable from ugnzbdzbsi" queryout "c:\users\public\music\n.bat" -t -f "c:\us…”
T1486 Data Encrypted for Impact
90%
“the threat actor deploying mimic ransomware. as a result, prompt alerting and isolation of the endpoint by huntress analysts, and notification by an additional installed monitoring application, resulted in the ransomware deployment being prevented. this incident clearly demonstra…”
T1486 Data Encrypted for Impact
79%
“message indicating that a new application, “anydesk,” had been added to the endpoint. at 14:57:00 utc (a bit more than three minutes later), an administrator accessed the endpoint via screenconnect version 23.9.10.8817, successfully authenticated via duo, and began rem…”
T1219 Remote Access Tools
77%
“message indicating that a new application, “anydesk,” had been added to the endpoint. at 14:57:00 utc (a bit more than three minutes later), an administrator accessed the endpoint via screenconnect version 23.9.10.8817, successfully authenticated via duo, and began rem…”
T1059.003 Windows Command Shell
70%
“attacking mssql servers, pt. ii | huntress the attack on february 8, 2024, huntress published the first attacking mssql servers blog post. on february 23, a huntress soc analyst observed similar activity associated with an entirely different endpoint, and escalated the incident b…”
T1505.001 SQL Stored Procedures
69%
“attacking mssql servers, pt. ii | huntress the attack on february 8, 2024, huntress published the first attacking mssql servers blog post. on february 23, a huntress soc analyst observed similar activity associated with an entirely different endpoint, and escalated the incident b…”
T1080 Taint Shared Content
68%
“message indicating that a new application, “anydesk,” had been added to the endpoint. at 14:57:00 utc (a bit more than three minutes later), an administrator accessed the endpoint via screenconnect version 23.9.10.8817, successfully authenticated via duo, and began rem…”
T1136.001 Local Account
56%
“event log records. for example, the user1.bat file was executed at 14:45:51 utc, and was followed by commands to create the admins124 user account with the password “@@@music123..," and add it to several local groups. these commands were visible in the edr telemetry, an…”
T1098.007 Additional Local or Domain Groups
48%
“event log records. for example, the user1.bat file was executed at 14:45:51 utc, and was followed by commands to create the admins124 user account with the password “@@@music123..," and add it to several local groups. these commands were visible in the edr telemetry, an…”
T1036.005 Match Legitimate Resource Name or Location
43%
“the threat actor deploying mimic ransomware. as a result, prompt alerting and isolation of the endpoint by huntress analysts, and notification by an additional installed monitoring application, resulted in the ransomware deployment being prevented. this incident clearly demonstra…”
T1080 Taint Shared Content
42%
“the threat actor deploying mimic ransomware. as a result, prompt alerting and isolation of the endpoint by huntress analysts, and notification by an additional installed monitoring application, resulted in the ransomware deployment being prevented. this incident clearly demonstra…”
T1219 Remote Access Tools
34%
“"program files (x86)"\ --silent reg add "hklm\system\currentcontrolset\control\securityproviders\wdigest" /v uselogoncredential /t reg_dword /d 0x00000001 del "%~f0" the file ends with the del “%~f0” command, indicating that had the file been execu…”
Summary
The publication of the first blog post led a Huntress SOC analyst to identify and escalate a second, similar incident. A deeper investigation into the activity made it clear that the Huntress SOC had obviated several Trigona ransomware attacks, protecting customers from the impact of a ransomware infection.