“of PsExec is the reciprocating agent that ephemerally appears on the target machine. Monitoring for PSEXESVC.exe to pop up somewhere in your environment is a great opportunity for detection. A PsExec connection will instigate an Event ID 7045 (service) on the target machine’s…”
T1569.002 Service Execution (94%)
“. All we can conclude from the registry data is that PsExec has been on disk and associated with the jeyre account. Background Activity Moderator (BAM) Background Activity Moderator is an interesting source of telemetry, seemingly available from Windows 10 onwards. I’ve heard…”
T1021.002 SMB/Windows Admin Shares (89%)
“in order to tell a far more detailed, convincing story that offered the partner confidence in our report and our recommendations. To triangulate PsExec, I’ll recreate our investigation and show you a couple of cool artefacts we can collect, contrast and compare: - the Windows …”
T1569.002 Service Execution (81%)
“on the host. Things executed will have a .pf file, but just looking at this directory alone is useful. You can pick up a .pf file and parse it using Eric Zimmerman’s PECmd tool: by leveraging Prefetch, we gain something quite interesting that we did not have before: precise f…”
T1569.002 Service Execution (73%)
“in order to tell a far more detailed, convincing story that offered the partner confidence in our report and our recommendations. To triangulate PsExec, I’ll recreate our investigation and show you a couple of cool artefacts we can collect, contrast and compare: - the Windows …”
T1569.002 Service Execution (50%)
“’re less likely to evade will be the impact on the Windows registry. We can take a look in our registry for the EulaAccepted, which will appear with the value of ‘1’ if PsExec has been dropped on this machine and the EULA pop-up has been accepted. We can look across the regi…”
T1021.002 SMB/Windows Admin Shares (41%)
“we now have a better window of time that we can offer our reader for malicious activity. Layers of evidence like layers of Swiss cheese, the different sources of telemetry individually have gaps — but combined, they make a more cohesive block; a more definitive, credible story i…”
T1569.002 Service Execution (30%)
“findings by pivoting over to the target machine. In the target’s Prefetch directory, we can find record of PSEXESVC.exe: the reciprocating agent to PsExec. By parsing PSEXESVC’s prefetch file, we get a more certain timestamp. This assumes the threat actor did not change the…”
T1021 Remote Services (30%)
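The four artefacts the excerpts above triangulate (the Service Control Manager 7045 event for PSEXESVC, the EulaAccepted registry value, BAM entries and the PSEXESVC/PsExec prefetch files) can be pulled from one host and lined up on a single timeline. The PowerShell below is an added example and is not code from the blog being tagged; it assumes the default service name PSEXESVC (PsExec's -r switch renames it), the default %SystemRoot%\Prefetch location, the BAM layout with the State subkey used since Windows 10 1809 (older builds omit State), and that it is run elevated so the System log, HKLM\...\bam and other users' loaded hives are readable. The function name Get-PsExecArtefact is ours.

```powershell
# Added example (not from the original blog): collect the PsExec artefacts the post
# triangulates from one Windows host and emit them as one time-sorted list.
function Get-PsExecArtefact {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Source, $Time, $Detail)
        $findings.Add([pscustomobject]@{ Source = $Source; Time = $Time; Detail = $Detail })
    }

    # 1. Event ID 7045 (System log, Service Control Manager): "A service was installed".
    #    Properties: 0 = ServiceName, 1 = ImagePath (the message's %1 and %2).
    #    Only the default PSEXESVC name is matched; a renamed service (-r) would need
    #    broader hunting, e.g. any new service whose image sits in %SystemRoot% itself.
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $svcName = [string]$_.Properties[0].Value
        $imgPath = [string]$_.Properties[1].Value
        if ($svcName -match 'PSEXESVC' -or $imgPath -match 'PSEXESVC') {
            & $add 'EID 7045' $_.TimeCreated "service=$svcName image=$imgPath"
        }
    }

    # 2. EulaAccepted: written by the PsExec client under the launching user's hive
    #    (HKCU\Software\Sysinternals\PsExec), so it ties PsExec to a source host and
    #    account. Walk every loaded hive under HKU rather than only the current user.
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
        $sid = $hive.PSChildName
        $key = "Registry::HKEY_USERS\$sid\Software\Sysinternals\PsExec"
        if (-not (Test-Path $key)) { continue }
        $eula = (Get-ItemProperty $key -ErrorAction SilentlyContinue).EulaAccepted
        if ($eula -eq 1) {
            $account = $sid
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {}
            # The registry provider does not expose a key's LastWriteTime, so no time here;
            # recover it from a raw hive parse (e.g. Registry Explorer) if the date matters.
            & $add 'Registry' $null "EulaAccepted=1 for $account (HKU\$sid)"
        }
    }

    # 3. BAM: one value per executed path under ...\bam\State\UserSettings\<SID>;
    #    the first 8 bytes of each value are a FILETIME of the last execution.
    $bamRoots = @(
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',  # 1809 and later
        'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'         # earlier Win10 builds
    )
    foreach ($root in $bamRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($userKey in Get-ChildItem $root) {
            $sid = $userKey.PSChildName
            $props = Get-ItemProperty $userKey.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notmatch 'psexe') { continue }   # PsExec.exe and PSEXESVC.exe
                if ($p.Value -isnot [byte[]] -or $p.Value.Length -lt 8) { continue }
                $lastRun = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($p.Value, 0))
                & $add 'BAM' $lastRun "$($p.Name) (user $sid)"
            }
        }
    }

    # 4. Prefetch: PSEXESVC.EXE-<hash>.pf on the target, PSEXEC.EXE-<hash>.pf on the source.
    #    The file's last-write time approximates the latest run; the run history and
    #    precise timestamps inside the .pf need a parser (PECmd.exe -f <file>).
    #    Prefetch is off by default on server SKUs, so an empty result is not proof of absence.
    Get-ChildItem "$env:SystemRoot\Prefetch" -Filter 'PSEXE*.pf' -ErrorAction SilentlyContinue |
        ForEach-Object { & $add 'Prefetch' $_.LastWriteTime $_.Name }

    return $findings | Sort-Object Time
}

Get-PsExecArtefact | Format-Table -AutoSize
```

Run it on both ends of the connection: the source host should yield the EulaAccepted value, a PsExec.exe BAM entry and a PSEXEC.EXE prefetch file, while the target should yield the 7045 event, a PSEXESVC.exe BAM entry and the PSEXESVC.EXE prefetch file. Where the times from the independent sources agree you have the corroborated window the post describes; where one source is silent, check whether that telemetry was simply unavailable (Prefetch disabled, hive not loaded, log rolled over) before reading it as absence of activity.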
Summary
This blog dives into triangulation as a guiding concept during investigations and reporting.