Real Tradecraft, Real Results

 Huntress SIEM gives the upper hand..... when it's installed

In a recent incident, SIEM was NOT installed  as a result, threat actors were able to run a muck in a partner's environment. With SIEM installed, the SOC would have had a 24 hour advantage.

• Compromise an admin account and move laterally throughout the environment
• Execute data exfiltration tools on multiple endpoints

In addition, ingesting their VPN logs into SIEM would have saved the partner a whole lot of headache and prevented their logs from being overwritten before we could get to the bottom of the intrusion 

Bottom line: SIEM can give the SOC a head start and improves the partner experience during a security intrusion.

In the span of 48 hours, a threat actor tried to compromise nearly 100 identities, succeeding in some instances 😰

Their targets included:

🧱 Construction companies

🌭 Food catering providers

⚙️ Mechanical engineers

📚 Elementary schools

Locking in on the adversarial public IPv6s (2a05:541:116:2d::1, 2a05:541:116:13::1), our SOC tracked this threat actor's activities, taking them down when they made progress against an identity.

Looking closer, we found they were using the Axios framework—a legitimate tool that can be abused for phishing and account compromise. Fortunately, the SOC was equipped with ITDR to fight the threat actor for every inch of identity territory they tried to steal.

To prevent these kinds of infections in your network, we recommend:

➡️ Complex conditional access policies and MFA: We watched in real-time as the threat actor failed to gain entry to an identity, despite having the right credentials, because of these security obstacles.

➡️ Security aware users: This threat actor likely got access via mass phishing. Equipping users with the knowledge to identify phishing attempts neutralizes attacks like this before they can even begin.

With identity threats like these becoming the new norm, the question isn't if attackers will come for your users—it’s when. Start a free trial of Huntress Managed ITDR today. 

Ransomware is devastating, but mass isolating a network can also wreck productivity.

This type of nightmare fuel often starts with discovering offensive tradecraft originating from an endpoint missing our agent (never installed). In this case: 🔎 An unpatched Sonicwall device was exploited 🔎 Initial access to an unprotected device was gained 🔎 Local Administrator (500 account) was used to access the DC 🔎 Backdoor account “adm” was created and added to “Domain Admins” Incident response assistance from our SOC uncovered the same “adm” account was used with impacket to quickly access critical systems like the backup, virtual hosting, and file servers. Mass quarantine was effective at halting the incident, but could have been more surgical with complete coverage 😭

A threat actor infiltrated a medical facility and threw everything they had at the network. Here’s a breakdown of what went down 👇

✅ Netscan used for enumeration
✅ Malicious drivers deployed to disable Windows Defender
✅ Lateral movement via PSExec
✅ Mimikatz to extract cleartext credentials
✅ User accounts created for persistence
✅ Registry modifications using NPPSPY (malicious DLL)

Our 24/7 Human SOC isolated the network for the partner, stopping further damage and lateral movement.

Tips to protect your network:
➡️ Block local admin rights for day-to-day accounts
➡️ Use the Windows Firewall to prevent lateral movement
➡️ Always keep Windows instances fully patched