Know Thy Enemy: A Novel November Case on Persistent Remote Access
Nov. 26, 2024, 9:35 p.m.
Description
In early November 2024, a threat actor gained initial access to a network by brute-forcing a public-facing RD-Web instance. Using PsExec, they executed batch files across multiple machines to enable RDP connections and install a malicious MeshAgent. The actor renamed the MeshAgent binary to mimic a virtualization binary and disguised its management server as a Windows Network Virtual Adapter. The intrusion involved lateral movement, privilege escalation, and credential access through WDigest manipulation. The same tradecraft was observed consistently across multiple environments, highlighting the importance of continuous threat hunting and of feedback loops between investigations. Lessons learned include hardening the external perimeter, enforcing MFA, and deploying software allow-lists.
Date
Published: Nov. 26, 2024, 9:13 p.m.
Created: Nov. 26, 2024, 9:13 p.m.
Modified: Nov. 26, 2024, 9:35 p.m.
Indicators
Attack Patterns
T1003.001 (OS Credential Dumping: LSASS Memory)
T1569.002 (System Services: Service Execution)
T1110 (Brute Force)
T1059.003 (Command and Scripting Interpreter: Windows Command Shell)
T1036.005 (Masquerading: Match Legitimate Name or Location)
T1219 (Remote Access Software)