Adversary Tradecraft

Threats I've detected and responded to in the field. MITRE ATT&CK mapped. Click into each for the full breakdown.

Malicious DNS Callback

High
T1071.004 T1568 C2
DNS callback telemetry

Suspicious DNS request to a known-bad domain from an endpoint running an unsigned binary. Traced through full process chain.

View full analysis →

C2 Network Activity

High
T1059.006 T1071.001 C2
C2 network connection telemetry

Python payload making outbound HTTP connections to attacker infrastructure. Triggered by a malicious package install.

View full analysis →

Persistence via Scheduled Task

Medium
T1053.005 Persistence

Attacker established persistence using schtasks to execute a beacon payload on restart. Identified through scheduled task audit.

Placeholder - Replace with real detection

DNS Tunneling Exfiltration

Medium
T1071.004 Exfiltration

Anomalous DNS query volume to a newly registered domain. Base64-encoded data in subdomain queries consistent with DNS tunneling.

Placeholder - Replace with real detection