“that we expected, of brute forcing (repeated failed logins from ip addresses in foreign countries) the authentication method to gain entry into the server. with the evidence found here to confirm our initial suspicions of access via the internet-exposed sql server (port 1433…”
T1190 Exploit Public-Facing Application (49%)
“behind the scenes: crushing cybercriminals with mav | huntress at huntress, we see a great deal of intrusions and share attack data with the community as we can. today, we'll highlight how microsoft defender and multiple services (namely managed microsoft defender, process in…”
T1046 Network Service Discovery (44%)
“actor to get away with this type of activity. the team next discovered that port 1433 was open for public scanning via external recon, our platform feature that offers visibility into internet-exposed services and devices that are present in an organization. whenever we detect …”
T1059.001 PowerShell (42%)
“…ystify this further, showing the original alert we received from our microsoft defender managed antivirus service. this alert triggered us to investigate further using our process insights edr to dig into executing processes on the system: the screenshot above lays out the con…”
T1564.012 File/Path Exclusions (42%)
“…ystify this further, showing the original alert we received from our microsoft defender managed antivirus service. this alert triggered us to investigate further using our process insights edr to dig into executing processes on the system: the screenshot above lays out the con…”
T1055 Process Injection (41%)
“we can keep the narrative of an attack in one place. this helps the team stay organized and creates a chronological record of how the investigation unfolds. then, we start collaborating together from the beginning and work together not only to investigate the incident but communi…”
T1055.001 Dynamic-link Library Injection (38%)
“we can keep the narrative of an attack in one place. this helps the team stay organized and creates a chronological record of how the investigation unfolds. then, we start collaborating together from the beginning and work together not only to investigate the incident but communi…”
T1110 Brute Force (31%)
“that we expected, of brute forcing (repeated failed logins from ip addresses in foreign countries) the authentication method to gain entry into the server. with the evidence found here to confirm our initial suspicions of access via the internet-exposed sql server (port 1433…”
T1190 Exploit Public-Facing Application (31%)
“that we expected, of brute forcing (repeated failed logins from ip addresses in foreign countries) the authentication method to gain entry into the server. with the evidence found here to confirm our initial suspicions of access via the internet-exposed sql server (port 1433…”
Summary
This blog is a follow-up on our How to Crush Cybercriminals with Managed Antivirus webinar. We'll dive deeper through a threat analysis lens.