// soc investigation 2026-04-28
SOC321 Windows Defender Evasion Attempt
letsdefend High closed ✓ true positive
mitre/T1110-001 mitre/T1078 mitre/T1059-003 mitre/T1218-011 mitre/T1027 mitre/T1082 mitre/T1049 mitre/T1069 lolbin
analyst verdict TRUE POSITIVE

🎯 MITRE ATT&CK

ID         Tactic           Technique
T1110.001  Initial Access   Brute Force: Password Guessing
T1078      Initial Access   Valid Accounts
T1059.001  Execution        Command and Scripting Interpreter: PowerShell
T1059.003  Execution        Command and Scripting Interpreter: Windows Command Shell
T1218.011  Defense Evasion  System Binary Proxy Execution: Rundll32
T1027      Defense Evasion  Obfuscated Files or Information
T1082      Discovery        System Information Discovery
T1049      Discovery        System Network Connections Discovery
T1069      Discovery        Permission Groups Discovery

🔎 What

Brute force from 89[.]187[.]177[.]73 (confirmed malicious via AbuseIPDB) succeeded at 07:07 AM with logon event 4624 on account LetsDefend. The attacker then conducted hands-on-keyboard recon via cmd spawned from explorer[.]exe, including whoami, net user, net share, and PowerShell queries for running services, Defender status, and the firewall profile. The attacker also ran two LOLBin PoC commands via rundll32 that abuse vbscript and mshtml path traversal to spawn calc[.]exe: the first variant was caught by AV, while the second used LoL45 junk-path obfuscation to bypass AV signature matching. No external IPs were contacted and no additional payloads executed. Verdict: True Positive. Machine contained.

🕐 When

Sep 12, 2024 - 07:09 AM

📍 Where

Host Elenora at 172[.]16[.]17[.]126. Brute force from 89[.]187[.]177[.]73. Successful logon at 07:07 AM. Commands executed via cmd and PowerShell spawned from explorer[.]exe.

👤 Who

External threat actor from 89[.]187[.]177[.]73. Gained access via brute force against LetsDefend account. Activity consistent with manual recon and Defender evasion testing - no payload deployment observed.

💡 Why

Attacker enumerated users, network, shares, and security tooling post-access. Rundll32 LOLBin PoC suggests probing Defender detection thresholds. LoL45 obfuscation indicates awareness of known AV signatures for standard mshtml traversal.
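Added example (not part of the case notes): detection logic for the two behaviours described in the What and Why sections, run over constructed process-creation events. It normalizes away junk path traversals before matching the mshtml pattern, flags script protocol handlers in rundll32 arguments, and counts distinct recon commands spawned under cmd[.]exe. The events, the junk-path variant and the Get-MpComputerStatus indicator are my assumptions; the payload text is elided.

```python
import re
from collections import defaultdict

# Constructed process-creation events (host, parent image, command line) modelled on the
# case above; none of these lines are from the incident's real telemetry.
EVENTS = [
    ("Elenora", "explorer.exe", "cmd.exe"),
    ("Elenora", "cmd.exe", "whoami"),
    ("Elenora", "cmd.exe", "net user"),
    ("Elenora", "cmd.exe", "net share"),
    ("Elenora", "cmd.exe", 'rundll32.exe vbscript:"\\..\\mshtml,RunHTMLApplication ";<payload elided>'),
    # Junk-path variant (my construction): bogus directories plus traversals, so the literal
    # "\..\mshtml" substring that a naive AV signature keys on never appears.
    ("Elenora", "cmd.exe", 'rundll32.exe javascript:"\\..\\..\\zz\\..\\q\\..\\mshtml,RunHTMLApplication ";<payload elided>'),
    ("Elenora", "services.exe", "rundll32.exe shell32.dll,Control_RunDLL"),  # benign baseline
]

SEG_TRAVERSAL = re.compile(r'(?:[^\\"]+\\)?\.\.\\')  # "<dir>\..\" or a bare "..\"
SCRIPT_PROTO = re.compile(r"\b(?:javascript|vbscript):", re.I)
MSHTML_RUN = re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I)
# Recon commands from the case; Get-MpComputerStatus is an assumed Defender-status query.
RECON = ("whoami", "net user", "net share", "get-mpcomputerstatus")

def normalize(cmdline):
    """Collapse traversal noise so the junk-path form and the clean form compare equal."""
    prev = None
    while prev != cmdline:
        prev, cmdline = cmdline, SEG_TRAVERSAL.sub("", cmdline)
    return cmdline

def classify_rundll32(cmdline):
    """Reasons a rundll32 command line looks like script-protocol / mshtml LOLBin abuse."""
    if "rundll32" not in cmdline.lower():
        return []
    reasons = []
    if SCRIPT_PROTO.search(cmdline):
        reasons.append("script protocol handler in rundll32 args")
    if MSHTML_RUN.search(normalize(cmdline)):
        reasons.append("mshtml,RunHTMLApplication after path normalization")
    if cmdline.count("..\\") > 1:
        reasons.append("multiple traversals (junk-path obfuscation)")
    return reasons

def recon_burst(events, threshold=3):
    """Hosts where cmd.exe children ran at least `threshold` distinct recon commands."""
    seen = defaultdict(set)
    for host, parent, cmd in events:
        if parent.lower() == "cmd.exe":
            seen[host].update(r for r in RECON if cmd.lower().startswith(r))
    return {host for host, cmds in seen.items() if len(cmds) >= threshold}
```

Both rundll32 variants trip the rule after normalization, while the shell32 baseline does not; the recon rule fires on Elenora for the three commands from the case.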

📌 IOCs

Type     Value                Description
IP       89[.]187[.]177[.]73  Attacker IP - brute force source, confirmed malicious on AbuseIPDB
IP       172[.]16[.]17[.]126  Host Elenora - compromised endpoint
Account  LetsDefend           Brute-forced account
Process  RUNDLL32[.]EXE       LOLBin used for Defender evasion PoC

🔬 Analysis Reports

🔗 AbuseIPDB (89[.]187[.]177[.]73) → https://www.abuseipdb.com/check/89.187.177.73?page=5
🔗 LOLBAS - Mshtml → https://lolbas-project.github.io/lolbas/Libraries/Mshtml/