TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

Analyzing Initial Access Across Today's Business Environment | Huntress

2024-12-19

ATT&CK techniques detected

10 predictions
T1021.001 Remote Desktop Protocol
97%
"For the purposes of this blog, it makes sense to categorize RDP and exposed perimeter together, as these vectors are tightly related to each other. Indeed, the Tactical Response team worked on a large portion of cases involving initial access through an exposed perimeter. For RDP…"
T1078 Valid Accounts
95%
"…ve set the stage, let’s dive into analyzing the initial access methods observed by the Tactical Response team. Due to the sensitive nature of this information, exact numbers are not provided. However, when reviewing the various categories of initial access vectors discovered, a…"
T1078 Valid Accounts
81%
"…to the amount of effort required to rebuild an entire network post-ransomware deployment. Initial Access via VPN Appliance. Second place amongst the initial access methods observed by the Tactical Response team is initial access through a VPN appliance. This category includes ma…"
T1078 Valid Accounts
74%
"…view this dynamic from the point of view of a threat actor to help us gain greater understanding. Given the choice of exploiting a device versus using valid-yet-compromised credentials, we can begin to see why this avenue of compromise is more attractive for a threat actor. D…"
T1021.001 Remote Desktop Protocol
70%
"…view this dynamic from the point of view of a threat actor to help us gain greater understanding. Given the choice of exploiting a device versus using valid-yet-compromised credentials, we can begin to see why this avenue of compromise is more attractive for a threat actor. D…"
T1133 External Remote Services
53%
"…to the amount of effort required to rebuild an entire network post-ransomware deployment. Initial Access via VPN Appliance. Second place amongst the initial access methods observed by the Tactical Response team is initial access through a VPN appliance. This category includes ma…"
T1110.004 Credential Stuffing
50%
"For the purposes of this blog, it makes sense to categorize RDP and exposed perimeter together, as these vectors are tightly related to each other. Indeed, the Tactical Response team worked on a large portion of cases involving initial access through an exposed perimeter. For RDP…"
T1021.001 Remote Desktop Protocol
49%
"…is in place for brute force-type attacks - monitoring is in place for authentication via suspicious workstation names - complex passwords are enforced - all effort is made to prevent users from reusing passwords - time-of-day login restrictions are added to accounts - accou…"
T1556.006 Multi-Factor Authentication
48%
"…it. However, the application tasked with providing the MFA challenge was configured to “fail open.” This means that if the application crashed or became unresponsive, it would allow authentication without an MFA challenge. This dynamic is fully understandable for critical busin…"
T1563.002 RDP Hijacking
32%
"For the purposes of this blog, it makes sense to categorize RDP and exposed perimeter together, as these vectors are tightly related to each other. Indeed, the Tactical Response team worked on a large portion of cases involving initial access through an exposed perimeter. For RDP…"

Summary

Learn more about the initial access techniques observed by the Huntress SOC and Tactical Response teams! Gain valuable insights to help you protect your environment.