TTPwire Vol. 1 · MITRE ATT&CK Tagged

Huntress

Threat Intel Accelerates Detection and Response | Huntress

2024-02-14

ATT&CK techniques detected

11 predictions

T1059.001 PowerShell · 97%
“…At this point, the Huntress agent had only been on the endpoint for a matter of minutes, and the MAV alert preceded the agent installation by almost two weeks. At the point the threat intel team accessed the endpoint information page in the Huntress portal, the agent had only b…”

T1190 Exploit Public-Facing Application · 92%
“…36. MITRE ATT&CK Mapping: Initial Access - T1190 - Exploit Public-Facing Application. Execution - T1059.001 (PowerShell), T1059.003 (Windows Command Shell). Persistence - T1078 (Valid Accounts; per Unit42's threat brief, the threat actor had to first authenticate to…”

T1059.001 PowerShell · 81%
“…/c finger [email protected][.]82 The time between Windows Defender identifying (Windows Defender/1116 event record) and taking action on (Windows Defender/1117 event record) was 17 seconds, more than enough time for the command to complete successfully. There was si…”

T1190 Exploit Public-Facing Application · 68%
“…' very own Dray Agha. The total time between the identified commands was under a minute, as illustrated in both the Windows Event Log data and the web server logs. As there was no follow-on activity identified, it would appear that the commands detected were associated with a…”

T1685.001 Disable or Modify Windows Event Log · 45%
“…b\logs\logfiles\w3scv1\u_ex240112.log file; specifically, POST requests with status code of 200 to the /owa/[email protected]/powershell page (User-Agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+li…”

T1059.001 PowerShell · 44%
“…b\logs\logfiles\w3scv1\u_ex240112.log file; specifically, POST requests with status code of 200 to the /owa/[email protected]/powershell page (User-Agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+li…”

T1059.001 PowerShell · 43%
“…change CmdletLogs/6 event records in the C:\Windows\System32\winevt\Logs\MSExchange Management.evtx event log file that contain the strings "System.Diagnostics", "w3wp#MSExchangePowerShellAppPool", and "ProcessStartInfo Arguments", followed by the base64…”

T1078 Valid Accounts · 38%
“…36. MITRE ATT&CK Mapping: Initial Access - T1190 - Exploit Public-Facing Application. Execution - T1059.001 (PowerShell), T1059.003 (Windows Command Shell). Persistence - T1078 (Valid Accounts; per Unit42's threat brief, the threat actor had to first authenticate to…”

T1564.003 Hidden Window · 35%
“…/c finger [email protected][.]82 The time between Windows Defender identifying (Windows Defender/1116 event record) and taking action on (Windows Defender/1117 event record) was 17 seconds, more than enough time for the command to complete successfully. There was si…”

T1059.001 PowerShell · 33%
“…36. MITRE ATT&CK Mapping: Initial Access - T1190 - Exploit Public-Facing Application. Execution - T1059.001 (PowerShell), T1059.003 (Windows Command Shell). Persistence - T1078 (Valid Accounts; per Unit42's threat brief, the threat actor had to first authenticate to…”

T1027.010 Command Obfuscation · 32%
“…At this point, the Huntress agent had only been on the endpoint for a matter of minutes, and the MAV alert preceded the agent installation by almost two weeks. At the point the threat intel team accessed the endpoint information page in the Huntress portal, the agent had only b…”

Summary

Evidence of a pre-existing exploit surfaced when the Huntress agent was added to an endpoint. Within minutes, and in part through the use of previously published threat intelligence, analysts were able to identify the issue and make recommendations to the customer to remediate the root cause.