- Compromise an admin account and move laterally throughout the environment
- Execute data exfiltration tools on multiple endpoints
Behind every neutralized threat at Huntress is our Security Operations team, combining expertise with relentless dedication. Discover the real stories where their tradecraft protects what matters most—your business.
Their targets included:
🧱 Construction companies
🌭 Food catering providers
⚙️ Mechanical engineers
📚 Elementary schools
Locking in on the adversarial public IPv6s (2a05:541:116:2d::1, 2a05:541:116:13::1), our SOC tracked this threat actor's activities, taking them down when they made progress against an identity.
Looking closer, we found they were using Axios, a legitimate JavaScript HTTP client library whose distinctive user agent shows up in sign-in logs when attackers script phishing and account-compromise traffic with it. Fortunately, the SOC was equipped with ITDR to fight the threat actor for every inch of identity territory they tried to steal.
To prevent this kind of identity compromise in your environment, we recommend:
➡️ Well-tuned conditional access policies and MFA: We watched in real time as the threat actor failed to get into an identity, despite having the right credentials, because of these controls.
➡️ Security-aware users: This threat actor likely got access via mass phishing. Equipping users to recognize phishing attempts neutralizes attacks like this before they can even begin.
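As an added example (not Huntress code), here is the kind of triage a SOC can run over Entra ID sign-in records for the two indicators above: the Axios user agent and the two attacker IPv6 addresses. The sign-in records are constructed, the field names follow the Entra sign-in log schema, and the /48 prefix check is an assumed heuristic built from the fact that both addresses sit in 2a05:541:116::/48. It also shows why the comparison must go through a parsed address: an uncompressed IPv6 spelling would slip past a string match.

```python
"""Triage Entra ID sign-in records for the Axios user agent and the attacker
IPv6 addresses named in the post.  Added example (not Huntress code); the
sign-in records below are constructed, and the field names mirror the Entra
sign-in log schema (userPrincipalName, ipAddress, userAgent, status)."""
import ipaddress
from collections import defaultdict

# Addresses from the post.  The /48 check is an assumed heuristic: both
# addresses live in 2a05:541:116::/48, so neighbours in it deserve a look.
KNOWN_BAD_IPS = {ipaddress.ip_address(a) for a in ("2a05:541:116:2d::1", "2a05:541:116:13::1")}
SUSPECT_PREFIX = ipaddress.ip_network("2a05:541:116::/48")

# Constructed sample sign-ins (not real log data).  Note the uncompressed
# spelling of dave's source address: a plain string comparison would miss it.
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "2a05:541:116:2d::1",
     "userAgent": "axios/1.7.2", "status": "Success"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120", "status": "Success"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "2a05:541:116:13::1",
     "userAgent": "axios/1.6.0", "status": "Failure"},      # right password, stopped by CA/MFA
    {"userPrincipalName": "carol@example.com", "ipAddress": "198.51.100.7",
     "userAgent": "axios/1.7.2", "status": "Success"},      # same tooling, a new source IP
    {"userPrincipalName": "dave@example.com", "ipAddress": "2a05:0541:0116:0013:0000:0000:0000:0001",
     "userAgent": "Mozilla/5.0 (Macintosh) Safari/605", "status": "Success"},
    {"userPrincipalName": "erin@example.com", "ipAddress": "2a05:541:116:99::7",
     "userAgent": "Mozilla/5.0 (X11; Linux) Firefox/121", "status": "Success"},
]


def is_axios(user_agent):
    """Axios announces itself as 'axios/<version>' unless the operator overrides it."""
    return user_agent.lower().startswith("axios/")


def classify(rec):
    """Return the list of reasons a sign-in is suspicious (empty if none)."""
    reasons = []
    if is_axios(rec["userAgent"]):
        reasons.append("axios-user-agent")
    try:
        ip = ipaddress.ip_address(rec["ipAddress"])   # normalizes IPv6 spelling
    except ValueError:
        return reasons + ["unparseable-ip"]
    if ip in KNOWN_BAD_IPS:
        reasons.append("known-attacker-ip")
    elif ip in SUSPECT_PREFIX:
        reasons.append("suspect-prefix")
    return reasons


def triage(records):
    """Group flagged sign-ins per user: reasons seen plus success/failure counts."""
    hits = defaultdict(lambda: {"reasons": set(), "successes": 0, "failures": 0})
    for rec in records:
        reasons = classify(rec)
        if not reasons:
            continue
        entry = hits[rec["userPrincipalName"]]
        entry["reasons"].update(reasons)
        entry["successes" if rec["status"] == "Success" else "failures"] += 1
    return dict(hits)


def users_to_contain(records):
    """Users with at least one successful flagged sign-in: revoke sessions and reset."""
    return sorted(u for u, h in triage(records).items() if h["successes"])


if __name__ == "__main__":
    for user, h in triage(SIGNINS).items():
        print(f"{user}: {sorted(h['reasons'])} ok={h['successes']} fail={h['failures']}")
    print("contain:", users_to_contain(SIGNINS))
```

In the constructed sample, bob is the user the conditional access policy saved: the sign-in carries both indicators but never succeeded, so he is flagged for investigation but not for containment. The other four had a successful flagged sign-in and are the ones whose sessions an ITDR response would revoke first.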
With identity threats like these becoming the new norm, the question isn't if attackers will come for your users—it’s when. Start a free trial of Huntress Managed ITDR today.
This type of nightmare fuel often starts with discovering offensive tradecraft originating from an endpoint missing our agent (never installed). In this case:
🔎 An unpatched SonicWall device was exploited
🔎 Initial access to an unprotected device was gained
🔎 The built-in local Administrator account (RID 500) was used to access the DC
🔎 Backdoor account "adm" was created and added to "Domain Admins"
Incident response assistance from our SOC uncovered the same "adm" account was used with Impacket to quickly access critical systems like the backup, virtual hosting, and file servers. Mass quarantine was effective at halting the incident, but could have been more surgical with complete coverage 😭
📬 You get a text claiming there's an issue with your USPS shipment.
📱 But the number has an international country code, yet it's referencing USPS.
🔗 The link's not clickable, but the message says replying will fix that.
But here’s what happens if you reply:
✅ Netscan used for enumeration
✅ Malicious drivers deployed to disable Windows Defender
✅ Lateral movement via PsExec
✅ Mimikatz to extract cleartext credentials
✅ User accounts created for persistence
✅ Registry modifications to register NPPSPY, a malicious network-provider DLL that captures cleartext logon credentials
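The two incidents above leave well-known traces in Windows event logs, and the added example below (not Huntress code) runs four rules over a constructed set of events: a freshly created account pushed into Domain Admins (the "adm" backdoor from the SonicWall incident), the built-in RID-500 Administrator logging on to a domain controller over the network, PsExec's PSEXESVC service install, and the NetworkProvider registry writes that a credential-stealing provider such as NPPSPY needs. The events are constructed dicts whose keys follow the EventData field names of the real event IDs (Security 4720, 4728, 4624; System 7045; Sysmon 13); DC01 is an assumed domain controller hostname and the 15-minute correlation window is an assumed tuning value.

```python
"""Detection rules for the tradecraft in the two incidents above.  Added example,
not Huntress code.  Events are constructed dicts keyed by the EventData field
names of the real events: 4720 user created, 4728 member added to a global
group, 4624 logon, 7045 service installed, Sysmon 13 registry value set."""
from datetime import datetime, timedelta

DC_HOSTS = {"DC01"}             # assumption: the environment's domain controllers
WINDOW = timedelta(minutes=15)  # assumption: create-then-elevate correlation window
SEC, SYS, SYSMON = "Security", "System", "Microsoft-Windows-Sysmon/Operational"
NP_VALUE_SUFFIXES = (           # registry values a network provider must own
    "\\control\\networkprovider\\order\\providerorder",   # provider load order
    "\\networkprovider\\providerpath",                    # DLL the provider loads
)

# Constructed sample events (not real telemetry); order is deliberately mixed.
EVENTS = [
    {"Channel": SEC, "EventID": 4720, "TimeCreated": "2025-01-02T09:00:00", "Computer": "DC01",
     "SubjectUserName": "hr.admin", "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-1-2-3-1104"},
    {"Channel": SEC, "EventID": 4624, "TimeCreated": "2025-01-05T02:05:00", "Computer": "DC01",
     "TargetUserName": "Administrator", "TargetUserSid": "S-1-5-21-1-2-3-500", "LogonType": "3",
     "IpAddress": "10.10.5.77", "WorkstationName": "UNMANAGED-PC"},
    {"Channel": SEC, "EventID": 4720, "TimeCreated": "2025-01-05T02:10:00", "Computer": "DC01",
     "SubjectUserName": "Administrator", "TargetUserName": "adm", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"Channel": SEC, "EventID": 4728, "TimeCreated": "2025-01-05T02:11:30", "Computer": "DC01",
     "SubjectUserName": "Administrator", "TargetUserName": "Domain Admins",
     "MemberName": "-", "MemberSid": "S-1-5-21-1-2-3-1105"},   # name unresolved; SID still tells
    {"Channel": SYS, "EventID": 7045, "TimeCreated": "2025-01-05T02:20:00", "Computer": "FS01",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"Channel": SYS, "EventID": 7045, "TimeCreated": "2025-01-05T02:21:00", "Computer": "FS01",
     "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe", "AccountName": "LocalSystem"},
    {"Channel": SYSMON, "EventID": 13, "TimeCreated": "2025-01-05T02:25:00", "Computer": "FS01",
     "Image": "C:\\Windows\\regedit.exe", "EventType": "SetValue",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\NPPSpy\\NetworkProvider\\ProviderPath",
     "Details": "C:\\Windows\\System32\\NPPSPY.dll"},
    {"Channel": SYSMON, "EventID": 13, "TimeCreated": "2025-01-05T02:25:01", "Computer": "FS01",
     "Image": "C:\\Windows\\regedit.exe", "EventType": "SetValue",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\NetworkProvider\\Order\\ProviderOrder",
     "Details": "RDPNP,LanmanWorkstation,webclient,NPPSpy"},
    {"Channel": SYSMON, "EventID": 13, "TimeCreated": "2025-01-05T02:30:00", "Computer": "FS01",
     "Image": "C:\\Windows\\explorer.exe", "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "Details": "C:\\Users\\x\\OneDrive.exe"},
    {"Channel": SEC, "EventID": 4728, "TimeCreated": "2025-01-05T03:00:00", "Computer": "DC01",
     "SubjectUserName": "hr.admin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=local", "MemberSid": "S-1-5-21-1-2-3-1104"},  # 3 days on
    {"Channel": SEC, "EventID": 4624, "TimeCreated": "2025-01-05T08:00:00", "Computer": "WS07",
     "TargetUserName": "Administrator", "TargetUserSid": "S-1-5-21-1-2-3-500", "LogonType": "2",
     "IpAddress": "-", "WorkstationName": "WS07"},   # console logon on a workstation: out of scope
]


def _ts(e):
    return datetime.fromisoformat(e["TimeCreated"])


def _member_name(e):
    """4728 carries MemberName as a DN ('CN=adm,...') or '-' when unresolved."""
    m = e.get("MemberName", "-")
    return m.split(",")[0].split("=", 1)[1].lower() if m.upper().startswith("CN=") else None


def backdoor_domain_admins(events, window=WINDOW):
    """4720 followed within `window` by 4728 into Domain Admins for the same principal."""
    created, hits = {}, []          # created: name and SID -> (time, creator, name)
    for e in sorted(events, key=_ts):
        if e["Channel"] != SEC:
            continue
        if e["EventID"] == 4720:
            rec = (_ts(e), e["SubjectUserName"], e["TargetUserName"].lower())
            created[e["TargetSid"]] = created[rec[2]] = rec
        elif e["EventID"] == 4728 and e["TargetUserName"].lower() == "domain admins":
            key = _member_name(e) or e["MemberSid"]   # fall back to the SID
            if key in created and _ts(e) - created[key][0] <= window:
                hits.append({"account": created[key][2], "created_by": created[key][1],
                             "elevated_by": e["SubjectUserName"], "at": e["TimeCreated"]})
    return hits


def rid500_network_logons_to_dc(events, dcs=DC_HOSTS):
    """Built-in Administrator (RID 500) network logon (type 3) onto a domain controller."""
    return [(e["IpAddress"], e["WorkstationName"], e["Computer"]) for e in events
            if e["Channel"] == SEC and e["EventID"] == 4624 and e["LogonType"] == "3"
            and e["TargetUserSid"].endswith("-500") and e["Computer"] in dcs]


def psexec_service_installs(events):
    """7045 for PSEXESVC, matched on either the service name or the image path."""
    return [(e["Computer"], e["ServiceName"], e["AccountName"]) for e in events
            if e["Channel"] == SYS and e["EventID"] == 7045
            and "psexesvc" in (e["ServiceName"] + e["ImagePath"]).lower()]


def network_provider_registrations(events):
    """Sysmon 13 SetValue on the NetworkProvider values a credential-capturing DLL needs."""
    return [(e["Computer"], e["TargetObject"], e["Details"]) for e in events
            if e["Channel"] == SYSMON and e["EventID"] == 13
            and any(e["TargetObject"].lower().endswith(s) for s in NP_VALUE_SUFFIXES)]


def run_all(events):
    return {"backdoor_domain_admins": backdoor_domain_admins(events),
            "rid500_dc_logons": rid500_network_logons_to_dc(events),
            "psexec_services": psexec_service_installs(events),
            "network_provider_changes": network_provider_registrations(events)}


if __name__ == "__main__":
    for rule, findings in run_all(EVENTS).items():
        print(rule, findings)
```

Two details matter in practice. The 4728 correlation keys on the member SID as well as the name, because the MemberName field is often "-" when the DC could not resolve it, which is exactly the case for an account created seconds earlier. And the jdoe account, created days before its promotion, is outside the window: the rule is after the create-then-elevate sequence, not after every Domain Admins change, which belongs in a separate (noisier) review.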
Our 24/7 Human SOC isolated the network for the partner, stopping further damage and lateral movement.
Tips to protect your network:
➡️ Remove local admin rights from day-to-day user accounts
➡️ Use the Windows Firewall to block workstation-to-workstation SMB and RPC, the channels tools like PsExec rely on for lateral movement
➡️ Always keep Windows instances fully patched
See how the global Huntress SOC can augment your team with 24/7 coverage and unmatched human expertise.