Threat Actor Installed EDR on Their Systems, Revealing Workflows and Tools Used

A recent incident uncovered how a threat actor inadvertently exposed its entire operational workflow by installing a popular endpoint detection and response (EDR) agent on their own attacking infrastructure.

The scenario unfolded when the adversary, while evaluating various security platforms, triggered alerts that led Huntress analysts to investigate unusual telemetry data.

Initial observations of system activity and browser history hinted at sophisticated reconnaissance efforts, prompting researchers to delve deeper into the artifacts collected by the EDR system.

Within hours of deployment, the agent recorded a range of interactions indicative of malicious intent.

Huntress analysts noted that the unique machine identifier had appeared in prior compromise investigations, immediately flagging the host as adversarial.

Subsequent correlation of authentication logs and telemetry data revealed patterns of credential theft, session token refreshes, and automated tooling execution.

Researchers identified attempts to access rotated session tokens and found evidence of automated phishing campaigns orchestrated through bespoke scripts.

The impact of this accidental installation cannot be overstated. For the first time, defenders gained granular visibility into the day-to-day routines of a live threat operator, from reconnaissance through to active exploitation.

The threat actor’s day typically began with passive external scanning, later transitioning to targeted exploitation of identified organizations.

Detailed browser history entries showed extensive use of both public and subscription-based services for reconnaissance, as well as the deployment of residential proxy services to anonymize traffic and evade detection.

Over the course of a three-month period, the EDR telemetry captured a clear evolution in the attacker’s workflow.

Early activities focused on researching banking institutions and third-party vendors, whereas later stages revealed the adoption of automated workflows for phishing message generation.

Huntress researchers identified a gradual shift toward more programmatic tool usage, with the adversary scripting repetitive tasks to increase operational efficiency.

Infection Mechanism and Persistence Tactics

A deeper look into the infection mechanism uncovers how the threat actor achieved initial access and maintained a foothold within target environments.

The adversary leveraged stolen session cookies extracted from Telegram Desktop cookie files using a simple Python script. The script, executed via:-

from roadtx import PrtAuth

auth = PrtAuth(token_file="victim_cookie.json")
session = auth.acquire()
print(session)

This reveals how the attacker automated primary refresh token extraction for Microsoft Entra and Office 365 services.

Once valid tokens were obtained, they were used to authenticate into victim accounts without triggering multifactor authentication or alerting endpoint defenses.

Persistence was achieved by deploying scheduled tasks that regularly renewed session tokens and executed reconnaissance scripts. These tasks were registered in the Windows Task Scheduler under inconspicuous names to blend with legitimate processes.

Huntress analysts identified these entries and observed periodic outbound connections to attacker-controlled C2 servers, confirming ongoing control.

This rare visibility into real-world threat actor behavior provided invaluable insights for defenders. By dissecting the infection and persistence techniques, security teams can craft targeted detection rules and harden authentication workflows against similar token-based attacks.

The collaboration between telemetry-driven analysis and manual artifact review underscores the importance of comprehensive EDR solutions in modern security operations.

Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.