"to run Impacket effectively. From the adversary's perspective, they go from being able to run commands (in the green box) to losing their shell and no longer being able to re-authenticate again as erochester (red box). Remote Desktop Protocol (RDP) If you cast your mind…"
T1021.006 Windows Remote Management (99%)
"the red arrow, we're told that the shell is still connected and alive. The pink arrow lets us know that afairfax is the user currently remoting, and the ShellRunTime by the blue arrow lets us know afairfax has been using WinRM for the last 26 minutes! Ejecting afairfax's Powe…"
T1021.001 Remote Desktop Protocol (72%)
"the adversary to RDP in, let's evict them! This is one of the easier methods of ejection: bmason is forced to sign out, and we have terminated the RDP GUI that the adversary was previously enjoying. Now, we can repeat the password change / account disabling for bmason that we…"
T1078 Valid Accounts (67%)
"illuminates the adversaries' activities - some commands that will allow you to evict the adversary. Scenario note: none of the usernames or screenshots in this article come from our partners or clients! All fictional details, but real security techniques. Picture it: it's 2am…"
T1021.001 Remote Desktop Protocol (49%)
"…on. But notice the ‘source.domain’ column, which betrays that the bmason user is interacting from the ‘kali’ machine. But in real life, you may not have an attacker's machine so obviously named. This kind of telemetry can be useful in helping you determine if the RDP ses…"
T1486 Data Encrypted for Impact (43%)
"to deny the adversary and then deliver upgraded defenses in the immediate future. In other words, we defenders are being pulled in many directions. If you follow the guidance in this article, you'll evict the adversary with ease. But before you fly out and ruin the attackers'…"
T1078 Valid Accounts (38%)
"a look at our Elastic instance, which collects our logs, we see that it has detected that wsmprovhost has spawned a ‘whoami’. wsmprovhost is an executable that supports PowerShell remoting and Windows Remote Management. It is a legitimate, built-in functionality that allows a…"
T1021.006 Windows Remote Management (36%)
"leverages Windows Management Instrumentation to have a powerful and quiet impact on a victim machine. Monitoring Whilst Impacket is a stealthy toolkit, a mature logging solution will catch enough relics of activity to warrant a defender's suspicion. In the pink box, we see the…"
T1059.001 PowerShell (33%)
Summary
This blog shows how to catch an adversary moving from machine to machine, how to terminate this movement and how to evict the adversary from your network.