Adversary Tradecraft

Threats I've detected and responded to in the field, mapped to MITRE ATT&CK.

Malware Execution via Fake Installer

High
T1204.002 T1036 Execution
EDR process tree showing malware execution chain

User executed a trojanized installer masquerading as legitimate software. EDR process tree revealed full execution chain from initial process spawn through code identity events and child processes.

Supply Chain Compromise - Malicious Package

High
T1195.002 T1059 Supply Chain
Process tree showing supply chain attack full chain

Malicious package installed via package manager triggered a full attack chain. Process tree analysis revealed C2 callbacks, child process spawning, and network connections to external infrastructure.

Persistence via Scheduled Task

Medium
T1053.005 Persistence
Scheduled task persistence (screenshot to be added)

Attacker established persistence using schtasks to execute a beacon payload on restart. Identified through a scheduled task audit and removed before the payload detonated.

Example - Replace with real detection

DNS Tunneling Exfiltration

Medium
T1071.004 Exfiltration
DNS tunneling detection (screenshot to be added)

Anomalous DNS query volume to a newly registered domain, with base64-encoded data carried in the subdomain labels, consistent with DNS tunneling exfiltration.

Example - Replace with real detection
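The DNS tunneling heuristic above (per-domain query volume plus base64-looking subdomain labels) as an added example, not code from this page: it runs over a constructed DNS query log in a hypothetical "timestamp client qname" format, uses the last two labels as a stand-in for the registered domain (a real tool would use the Public Suffix List), and leaves the newly-registered-domain check out, since that needs a domain-age feed.

```python
import math
import re
from collections import defaultdict

# Constructed sample log (hypothetical "<ts> <client> <qname>" format).
# evil-example.test receives a burst of long base64-style labels; example.com is benign control traffic.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.5 mail.example.com
2024-01-01T10:00:03 10.0.0.7 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.evil-example.test
2024-01-01T10:00:04 10.0.0.7 c2VjcmV0IGRhdGEgZ29lcyBoZXJlIG9rYXk.evil-example.test
2024-01-01T10:00:05 10.0.0.7 bW9yZSBleGZpbHRyYXRlZCBieXRlcyBoZXJl.evil-example.test
2024-01-01T10:00:06 10.0.0.7 ZmluYWwgY2h1bmsgb2YgdGhlIGZpbGUgaGVyZQ.evil-example.test
2024-01-01T10:00:07 10.0.0.5 cdn.example.com
"""

# Long label drawn only from a base64 / base64url alphabet (padding is usually stripped in tunnels).
BASE64_LABEL = re.compile(r"^[A-Za-z0-9+/_-]{20,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score high, human-chosen hostnames score low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(label: str) -> bool:
    return bool(BASE64_LABEL.match(label)) and shannon_entropy(label) >= 3.5


def registered_domain(qname: str) -> str:
    # Assumption: registered domain = last two labels (use the Public Suffix List in production).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def detect_dns_tunneling(log_text: str, min_queries: int = 3, min_encoded_ratio: float = 0.5) -> dict:
    """Return {domain: stats} for domains with enough queries and a high share of encoded labels."""
    stats = defaultdict(lambda: {"queries": 0, "encoded": 0, "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        _ts, client, qname = parts
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["clients"].add(client)
        if any(looks_encoded(lbl) for lbl in qname.split(".")[:-2]):
            s["encoded"] += 1
    return {d: s for d, s in stats.items()
            if s["queries"] >= min_queries and s["encoded"] / s["queries"] >= min_encoded_ratio}
```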