Public reports about cyberattacks often present a polished picture—threat actors working methodically through a well-planned playbook with every action perfectly executed.
This perception leads many to believe that modern attackers operate with machine-like precision, seamlessly moving from one objective to another without facing obstacles.
However, this narrative masks a much different reality that becomes clear when examining the actual evidence left behind on compromised systems.
A closer look at Windows Event Logs and endpoint detection and response (EDR) telemetry reveals something far more human: threat actors struggle, experiment, make mistakes, and adapt when their plans fall short.
.webp)
This indicated the attacker had found a vulnerability allowing arbitrary command execution without requiring a web shell upload. The threat actor then issued standard enumeration commands: netstat, user account checks, and network configuration queries.
When attempting to download malware using certutil.exe—a common Living Off The Land binary technique—Windows Defender blocked the command.
Rather than abandoning the approach, the threat actor transferred a file named 815.exe through an unknown mechanism and tried executing it three times before finally succeeding, only to face isolation after the executable was identified as a Golang-written Trojan.
In subsequent incidents, the attackers learned from failure. They issued PowerShell commands to add exclusions for common malware file extensions before deploying malware:
- powershell -command Add-MpPreference -ExclusionPath C -ExclusionExtension .exe, .bin, .dll -Force*
This adaptation proved critical, as it demonstrated threat actors modifying behavior based on previous setbacks, even as they continued reusing the same flawed persistence mechanisms that failed in earlier attempts.