3/5 Persistence & Credential Access

The attacker modified Windows registry settings to maintain access and enable remote administration capabilities.

Password guessing against the local Administrator account followed and eventually succeeded, giving the attacker authenticated access under a valid account.

ATT&CK:
T1112 – Modify Registry
T1110.001 – Password Guessing
T1078 – Valid Accounts
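The T1110.001 to T1078 transition above has a simple, high-signal detection: a burst of Windows Security 4625 (failed logon) events for one account from one source, followed shortly by a 4624 (successful logon) for the same account and source. The snippet below is an added example by the editor, not code or data from the original post; the events are constructed, and the thresholds (5 failures within 10 minutes) and the use of the 0xC000006A bad-password status are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (NOT from the incident in the post).
# Tuple layout: (EventID, TimeCreated, TargetUserName, IpAddress, LogonType, Status)
# 4625 = failed logon, 4624 = successful logon, 0xC000006A = wrong password,
# LogonType 3 = network, 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    (4625, "2024-03-04T02:11:05", "Administrator", "10.20.30.40", 3, "0xC000006A"),
    (4625, "2024-03-04T02:11:09", "Administrator", "10.20.30.40", 3, "0xC000006A"),
    (4625, "2024-03-04T02:11:14", "Administrator", "10.20.30.40", 3, "0xC000006A"),
    (4625, "2024-03-04T02:11:20", "Administrator", "10.20.30.40", 3, "0xC000006A"),
    (4625, "2024-03-04T02:11:27", "Administrator", "10.20.30.40", 3, "0xC000006A"),
    (4625, "2024-03-04T02:11:33", "Administrator", "10.20.30.40", 3, "0xC000006A"),
    (4624, "2024-03-04T02:11:41", "Administrator", "10.20.30.40", 3, "0x0"),
    # Benign noise: a user mistypes once and then logs in. Must not alert.
    (4625, "2024-03-04T08:00:01", "jdoe", "10.20.30.77", 10, "0xC000006A"),
    (4624, "2024-03-04T08:00:20", "jdoe", "10.20.30.77", 10, "0x0"),
    # Slow trickle from another source, hours apart: outside the window, no alert.
    (4625, "2024-03-04T09:00:00", "Administrator", "10.20.30.41", 3, "0xC000006A"),
    (4625, "2024-03-04T12:00:00", "Administrator", "10.20.30.41", 3, "0xC000006A"),
    (4625, "2024-03-04T15:00:00", "Administrator", "10.20.30.41", 3, "0xC000006A"),
    (4624, "2024-03-04T15:01:00", "Administrator", "10.20.30.41", 3, "0x0"),
]

BAD_PASSWORD = "0xC000006A"  # assumption: count only wrong-password failures


def parse_events(rows):
    """Turn the tuple rows into dicts with a real datetime, sorted by time."""
    fields = ("event_id", "time", "target", "source_ip", "logon_type", "status")
    events = [dict(zip(fields, row)) for row in rows]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
        e["target"] = e["target"].lower()  # Windows account names are case-insensitive
    return sorted(events, key=lambda e: e["time"])


def detect_guess_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Return one alert per (account, source) where >= min_failures bad-password
    4625s inside `window` are followed by a 4624 for the same account and source."""
    failures = defaultdict(list)  # (target, source_ip) -> failure timestamps
    alerts = []
    for e in events:
        key = (e["target"], e["source_ip"])
        if e["event_id"] == 4625 and e["status"] == BAD_PASSWORD:
            failures[key].append(e["time"])
        elif e["event_id"] == 4624:
            # Only failures still inside the window count toward the burst.
            recent = [t for t in failures.get(key, []) if e["time"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({
                    "target": e["target"],
                    "source_ip": e["source_ip"],
                    "logon_type": e["logon_type"],
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success": e["time"].isoformat(),
                })
            failures.pop(key, None)  # a success resets the counter for this pair
    return alerts


def run_sample():
    """Run the detection over the constructed events."""
    return detect_guess_then_success(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT: {a['failures']} bad-password failures for {a['target']} from "
              f"{a['source_ip']} (logon type {a['logon_type']}) then success at {a['success']}")
```

In production the rows would come from the Security log (for example via Get-WinEvent or a SIEM export) rather than an inline list; keying on both account and source IP is what keeps a single fat-fingered logon or a slow trickle from tripping the rule, and the logon type in the alert tells you whether the eventual T1078 access was a network logon or an interactive RDP session.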

#ThreatIntel #BlueTeam