
Know Thy Enemy: A Novel November Case on Persistent Remote Access

Nov. 26, 2024, 9:35 p.m.

Description

In early November 2024, a threat actor gained initial access to a network by brute-forcing a public-facing RD-Web instance. Using PsExec, they executed batch files across multiple machines to enable RDP connections and install a malicious MeshAgent. The actor renamed the MeshAgent binary to mimic a virtualization binary and disguised its command-and-control server as a Windows Network Virtual Adapter. The intrusion involved lateral movement, privilege escalation, and credential access through WDigest manipulation. The same tradecraft was observed in multiple environments, highlighting the importance of continuous threat hunting and of feedback loops between investigations. Lessons learned include hardening the external perimeter, enforcing MFA, and deploying software allow-lists.

Date

Published: Nov. 26, 2024, 9:13 p.m.

Created: Nov. 26, 2024, 9:13 p.m.

Modified: Nov. 26, 2024, 9:35 p.m.

Indicators


Attack Patterns

T1003.001

T1569.002

T1110

T1059.003

T1036.005

T1219