
Know Thy Enemy: A Novel November Case on Persistent Remote Access

Published 26/11/2024 21:13 · Modified 26/11/2024 21:35


Essential information

Published: 26/11/2024 21:13
Modified: 26/11/2024 21:35
Tags: 2024-11-26 lateral movement meshagent persistent psexec rdp brute force remote access
Related entities: 6 observables, 6 techniques (MITRE)

Description

In early November 2024, a threat actor gained initial access to a network via brute-forcing a public-facing RD-Web instance. Using , they executed batch files across multiple machines to enable RDP connections and install a malicious . The actor renamed the to mimic a virtualization binary and disguised its server as a Windows Network Virtual Adapter. The attack involved , privilege escalation, and credential access through WDigest manipulation. The threat actor's consistent tradecraft was observed in multiple environments, highlighting the importance of continuous threat hunting and feedback loops in security investigations. Lessons learned include hardening external perimeters, enforcing MFA, and deploying software allow-lists.

External references