Know Thy Enemy: A Novel November Case on Persistent Remote Access
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
In early November 2024, a threat actor gained initial access to a network via brute-forcing a public-facing RD-Web instance. Using PsExec, they executed batch files across multiple machines to enable RDP connections and install a malicious MeshAgent. The actor renamed the MeshAgent to mimic a virtualization binary and disguised its server as a Windows Network Virtual Adapter. The attack involved lateral movement, privilege escalation, and credential access through WDigest manipulation. The threat actor's consistent tradecraft was observed in multiple environments, highlighting the importance of continuous threat hunting and feedback loops in security investigations. Lessons learned include hardening external perimeters, enforcing MFA, and deploying software allow-lists.
OPENCTI LABELS :
lateral movement,remote access,psexec,persistent,meshagent,rdp brute force
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
Know Thy Enemy: A Novel November Case on Persistent Remote Access