"connections may be malicious or at least suspicious? One way to accomplish this is to enrich these IP addresses with the type of metadata outlined above, and use that information to detect any anomalies. ASNs are a critical data point in these types of investigations, as geograph…"
T1078.004 Cloud Accounts (90%)
"partner networks' Active Directory domain, and the MFA prompt would be handled by Entra. In this case, the partner was alerted by their users to an unexpected MFA prompt. Upon investigation, it was discovered that about 60 accounts were targeted. Successful authentication occurr…"
T1078 Valid Accounts (87%)
"…try, the compromise appeared to originate from the partner's remote desktop gateway host. This is not enough information, however, and we needed to understand who “patient zero” was and when exactly the account was compromised, so that the partner (and us) understood the …"
T1110.003 Password Spraying (83%)
"place, it would be difficult — if not outright impossible — to flag this account compromise. For data sets containing thousands of authentication events, checking each IP manually is not feasible. In this case, we were able to provide the partner with a full picture of the intrus…"
T1003 OS Credential Dumping (48%)
"common pattern of the threat actor going after credentials in two distinct ways: through registry dumping, and through browser login history theft. The command line arguments utilized for the above techniques indicated that lateral movement was at play for this particular incident…"
T1021.001 Remote Desktop Protocol (37%)
"…try, the compromise appeared to originate from the partner's remote desktop gateway host. This is not enough information, however, and we needed to understand who “patient zero” was and when exactly the account was compromised, so that the partner (and us) understood the …"
Summary
Autonomous system numbers are like the address book of the internet, and not every IP address belongs to a “friendly” network. Learn more about how the Huntress Hunt & Response teams utilize ASNs.