TTPwire Vol. 1 · MITRE ATT&CK-tagged

Huntress

Information to Insights: Intrusion Analysis Methodology

2025-07-30

ATT&CK techniques detected

16 predictions
T1021.001 Remote Desktop Protocol (99%)
"…username used for the RDP connection. During an intrusion, if you suspect RDP lateral movement activity is going on, you usually rush to open up Event Viewer, browse to the Security log, and get greeted with the following: Figure 12: image showing Event ID 1102 - Security log c…"
T1021.001 Remote Desktop Protocol (99%)
"…analysis, tooling will only serve as a distraction. Often, tooling will also abstract analysis from you. For example, you may only work with tooling that labels activity as “registry credential dumping” and presents the information it has to you, but does not expose the raw tel…"
T1021.001 Remote Desktop Protocol (99%)
"…RDP lateral movement, should the Security log be cleared. Figure 13: image showing two Windows events triggered by successful RDP authentication. These events are extremely valuable and important, even if the Security event log has not been cleared, since a type-10 4624 event i…"
T1110 Brute Force (98%)
"…attack before finding success with an account in the environment. By looking closely at just two Windows Event IDs, we can potentially gather information about the source of the brute force, what accounts were compromised, from where they were compromised, and whether this activi…"
T1003.001 LSASS Memory (97%)
"…a ton of insight and bubble up additional threads to pull on during investigations. Below is a mind map of some considerations and analysis techniques for these two events. Figure 7: mind map of 4624/4625 Event ID analysis. Let’s switch gears slightly and look at some credent…"
T1078 Valid Accounts (80%)
"…Event 1 has a SubStatus of 0xC0000064, whereas Event 2 has a SubStatus of 0xC000006A. If we look at documentation for Event ID 4625 via Ultimate Windows Security, we see a handy table translating these values for us: Figure 2: Windows Security Event ID 4625 error code transla…"
T1003 OS Credential Dumping (73%)
"…event logs generated from this activity, we can see our old friend 4624 again. We can see again that the authentication protocol for this event is NTLM, and the source network address belongs to the same IP address that we observed brute forcing our environment. Figure 9: image …"
T1003 OS Credential Dumping (54%)
"…a ton of insight and bubble up additional threads to pull on during investigations. Below is a mind map of some considerations and analysis techniques for these two events. Figure 7: mind map of 4624/4625 Event ID analysis. Let’s switch gears slightly and look at some credent…"
T1592 Gather Victim Host Information (49%)
"…are thousands of write-ups, videos, blogs, tutorials, courses, et cetera, on virtually any offensive security or DFIR-related topic. This is not to mention the capabilities that LLMs provide. However, insights are missing from this abundance of information. We often get so wr…"
T1018 Remote System Discovery (39%)
"…are thousands of write-ups, videos, blogs, tutorials, courses, et cetera, on virtually any offensive security or DFIR-related topic. This is not to mention the capabilities that LLMs provide. However, insights are missing from this abundance of information. We often get so wr…"
T1003 OS Credential Dumping (39%)
"…login ID into a search text box within Event Viewer, and click on “Find Next” to see the events that come up. An example of this low-tech technique is below. Figure 10: animation showing a simple technique for pivoting off a login ID. We can see within 5145 Event IDs the va…"
T1557.001 Name Resolution Poisoning and SMB Relay (38%)
"…4624 events with successful logins and events generated on the host to which the authentication was successful. What can we glean from these events? Quite a bit! We see: - a single account (Administrator) authenticating to three distinct systems: win11v, win11a, dc - all thre…"
T1187 Forced Authentication (37%)
"…scanner/smb/smb_login module from Metasploit can configure this setting, for example: Figure 4: illustration of configurable authentication methods within Metasploit’s smb_login module. Although this option can be changed, why not take advantage of a threat actor’s l…"
T1003 OS Credential Dumping (33%)
"Information to Insights: Intrusion Analysis Methodology. When you’re performing intrusion analysis, it’s easy to get disoriented. There are usually hundreds of Windows Event IDs to sort through, generated by potentially thousands of endpoints. Indeed, this Gordian knot is not…"
T1563.002 RDP Hijacking (32%)
"…RDP lateral movement, should the Security log be cleared. Figure 13: image showing two Windows events triggered by successful RDP authentication. These events are extremely valuable and important, even if the Security event log has not been cleared, since a type-10 4624 event i…"
T1110.003 Password Spraying (32%)
"…scanner/smb/smb_login module from Metasploit can configure this setting, for example: Figure 4: illustration of configurable authentication methods within Metasploit’s smb_login module. Although this option can be changed, why not take advantage of a threat actor’s l…"
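
The 4624/4625 triage that the excerpts above describe (finding the brute-force source, the accounts it guessed, which of them it eventually got into, the NTLM authentication from the same source IP, and the type-10 RDP logon that follows) as an added worked example. This is not code from the Huntress article or from this listing. It runs on a constructed list of event records rather than a live Security log; the field names `id`, `time`, `user`, `ip`, `logon_type`, `substatus` and `auth` are assumptions that model the corresponding 4624/4625 event data fields (EventID, TimeCreated, TargetUserName, IpAddress, LogonType, SubStatus, AuthenticationPackageName), and the two SubStatus translations are the standard Windows meanings of the values the article's Figure 2 covers.

```python
"""Triage of Windows Security events 4624 (logon success) / 4625 (logon failure).

Added example, not code from the Huntress article or this listing. The EVENTS
list below is constructed; with real data you would fill the same fields from
an EVTX or CSV export of the Security log.
"""
from collections import Counter, defaultdict

# 4625 SubStatus values translated in the article's Figure 2 (standard Windows meanings).
SUBSTATUS = {
    0xC0000064: "user name does not exist",
    0xC000006A: "correct user name but wrong password",
}

# Logon types that matter for these excerpts: 3 = network (SMB/NTLM), 10 = RemoteInteractive (RDP).
LOGON_TYPES = {3: "Network", 10: "RemoteInteractive (RDP)"}

# Constructed sample: a guessing run from 10.0.0.5 that lands on Administrator and is
# followed by an RDP logon from the same source; 192.168.1.20 is an unrelated user who
# mistypes a password once and then logs in over RDP normally.
EVENTS = [
    {"time": "2025-07-01T08:00:01", "id": 4625, "user": "bob",           "ip": "10.0.0.5",     "logon_type": 3,  "substatus": 0xC0000064, "auth": "NTLM"},
    {"time": "2025-07-01T08:00:02", "id": 4625, "user": "alice",         "ip": "10.0.0.5",     "logon_type": 3,  "substatus": 0xC000006A, "auth": "NTLM"},
    {"time": "2025-07-01T08:00:03", "id": 4625, "user": "svc_backup",    "ip": "10.0.0.5",     "logon_type": 3,  "substatus": 0xC0000064, "auth": "NTLM"},
    {"time": "2025-07-01T08:00:04", "id": 4625, "user": "administrator", "ip": "10.0.0.5",     "logon_type": 3,  "substatus": 0xC000006A, "auth": "NTLM"},
    {"time": "2025-07-01T08:00:05", "id": 4625, "user": "administrator", "ip": "10.0.0.5",     "logon_type": 3,  "substatus": 0xC000006A, "auth": "NTLM"},
    {"time": "2025-07-01T08:00:06", "id": 4625, "user": "administrator", "ip": "10.0.0.5",     "logon_type": 3,  "substatus": 0xC000006A, "auth": "NTLM"},
    {"time": "2025-07-01T08:00:07", "id": 4624, "user": "administrator", "ip": "10.0.0.5",     "logon_type": 3,  "substatus": None,       "auth": "NTLM"},
    {"time": "2025-07-01T08:03:10", "id": 4624, "user": "administrator", "ip": "10.0.0.5",     "logon_type": 10, "substatus": None,       "auth": "NTLM"},
    {"time": "2025-07-01T08:10:00", "id": 4625, "user": "alice",         "ip": "192.168.1.20", "logon_type": 10, "substatus": 0xC000006A, "auth": "Negotiate"},
    {"time": "2025-07-01T08:10:20", "id": 4624, "user": "alice",         "ip": "192.168.1.20", "logon_type": 10, "substatus": None,       "auth": "Kerberos"},
]


def decode_substatus(code):
    """Translate a 4625 SubStatus value into its documented meaning."""
    return SUBSTATUS.get(code, f"unknown SubStatus 0x{code:08X}")


def brute_force_sources(events, threshold=5):
    """Group 4625 failures by source IP; keep sources with at least `threshold` attempts.

    Per source we record the distinct accounts tried and a tally of decoded SubStatus
    values, so a wordlist of guessed names ("user name does not exist") is
    distinguishable from repeated wrong passwords against accounts that do exist.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "accounts": set(), "substatus": Counter()})
    for e in events:
        if e["id"] != 4625:
            continue
        rec = per_ip[e["ip"]]
        rec["attempts"] += 1
        rec["accounts"].add(e["user"])
        rec["substatus"][decode_substatus(e["substatus"])] += 1
    return {ip: rec for ip, rec in per_ip.items() if rec["attempts"] >= threshold}


def successes_after_brute_force(events, sources):
    """4624 events from a brute-force source IP that occur after that IP's first failure."""
    first_failure = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 4625 and e["ip"] in sources:
            first_failure.setdefault(e["ip"], e["time"])  # ISO timestamps sort lexically
    return [e for e in events
            if e["id"] == 4624 and e["ip"] in first_failure and e["time"] > first_failure[e["ip"]]]


def rdp_logons(events):
    """Successful logons with logon type 10 (RemoteInteractive), i.e. RDP sessions."""
    return [e for e in events if e["id"] == 4624 and e["logon_type"] == 10]


def describe_logon(e):
    """One-line human summary of a logon event for the analyst's notes."""
    kind = LOGON_TYPES.get(e["logon_type"], "other")
    return f"{e['time']} {e['user']}@{e['ip']} type {e['logon_type']} ({kind}) via {e['auth']}"


def triage(events, threshold=5):
    """Answer the questions the excerpts pose: source, guessed and compromised accounts, RDP follow-on."""
    sources = brute_force_sources(events, threshold)
    hits = successes_after_brute_force(events, sources)
    return {
        "sources": sorted(sources),
        "guessed_accounts": {ip: sorted(rec["accounts"]) for ip, rec in sources.items()},
        "compromised": sorted({(e["ip"], e["user"], e["auth"]) for e in hits}),
        "rdp_from_sources": [(e["ip"], e["user"], e["time"]) for e in hits if e["logon_type"] == 10],
    }


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(f"{key}: {value}")
    for e in rdp_logons(EVENTS):
        print("RDP:", describe_logon(e))
```

The threshold is deliberately a parameter: on a busy file server five failures in a day is noise, while on a domain controller at 03:00 it is not, so tune it per host role rather than hard-coding it. The same grouping keyed on `user` instead of `ip` turns the function into the "pivot off a login ID" step the excerpts describe.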

Summary

Transform raw Windows event data into actionable insights. Learn expert methodologies for intrusion analysis, authentication events, credential dumping, and RDP activity to stay ahead of threats.