Know Thy Enemy: A Novel November Case on Persistent Remote Access
Essential information
- Published: 26/11/2024 21:13
- Modified: 26/11/2024 21:35
- Tags: 2024-11-26 lateral movement meshagent persistent psexec rdp brute force remote access
- Related entities: 6 observables, 6 techniques (MITRE)
Description
In early November 2024, a threat actor gained initial access to a network via brute-forcing a public-facing RD-Web instance. Using PsExec, they executed batch files across multiple machines to enable RDP connections and install a malicious MeshAgent. The actor renamed the MeshAgent to mimic a virtualization binary and disguised its server as a Windows Network Virtual Adapter. The attack involved lateral movement, privilege escalation, and credential access through WDigest manipulation. The threat actor's consistent tradecraft was observed in multiple environments, highlighting the importance of continuous threat hunting and feedback loops in security investigations. Lessons learned include hardening external perimeters, enforcing MFA, and deploying software allow-lists.
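The description names three host-side artefacts a defender can check for directly: the WDigest setting that makes LSASS keep plaintext credentials, the Terminal Server setting that batch files flip to allow RDP, and a remote-access agent installed as a service under a misleading name. The following read-only PowerShell audit is an added example and is not code from the original report; it assumes it runs with local administrator rights on a Windows host, uses the standard registry locations for those two settings, and the path-based service heuristic and the `PSEXESVC` name check are illustrative assumptions to tune per environment.

```powershell
# Added example, not part of the original report. Read-only host audit for the
# artefacts the case summary mentions: WDigest credential caching, RDP enablement,
# and services that look like a disguised remote-access agent.

function Get-WDigestCredentialSetting {
    # UseLogonCredential = 1 makes WDigest keep plaintext credentials in LSASS memory.
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $value = (Get-ItemProperty -Path $path -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    [pscustomobject]@{
        Check  = 'WDigest UseLogonCredential'
        Value  = if ($null -eq $value) { 'not set' } else { $value }
        Status = if ($value -eq 1) { 'SUSPICIOUS' } else { 'ok' }
    }
}

function Get-RdpEnablementSetting {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    # Flag it only if RDP is not expected on this host (assumption: server role decides).
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $value = (Get-ItemProperty -Path $path -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{
        Check  = 'Terminal Server fDenyTSConnections'
        Value  = if ($null -eq $value) { 'not set' } else { $value }
        Status = if ($value -eq 0) { 'RDP ENABLED - verify expected' } else { 'ok' }
    }
}

function Get-SuspiciousServices {
    # A renamed MeshAgent will not match on name, so the useful signal is a service
    # binary that lives outside the usual program directories. The directory
    # allow-list below is an assumption; extend it with your own deployment paths.
    $trustedRoot = '^"?[A-Za-z]:\\(Windows|Program Files|Program Files \(x86\))\\'
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and (
            $_.PathName -match 'meshagent' -or
            $_.Name -ieq 'PSEXESVC' -or
            $_.PathName -notmatch $trustedRoot
        )
    } | Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-RecentServiceInstalls {
    # System log event 7045 records every new service installation, which covers
    # both the PsExec helper service and an agent installed as a service.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 7045
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } }
}

# Run all checks and print the results.
Get-WDigestCredentialSetting
Get-RdpEnablementSetting
Get-SuspiciousServices | Format-Table -AutoSize
Get-RecentServiceInstalls | Format-Table -AutoSize -Wrap
```

The service heuristic is deliberately noisy: third-party software legitimately installs services from other directories, so its output is a review list for an analyst rather than an alert. The two registry checks and the 7045 query are the low-noise parts and are worth scheduling across the estate, since the report notes the same tradecraft recurring in several environments.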