Utilizing ASNs for Hunting & Response
Published:
May 8, 2025

By:
Anton Ovrutsky
Dray Agha
Josh Allman

Whether responding to incidents or hunting through large and complex data sets, IP addresses usually feature fairly heavily as a key analysis data point. 

When looking at lateral movement cases, for example, knowing what IP address a particular login originated from is a key piece of information. Likewise, when looking at something like a VPN intrusion, IP addresses are also critical in establishing incident narratives and “ground truth.” 

IP addresses alone only tell you part of the story, however, and we must rely on data enrichment to establish where a particular IP address is located, where the IP address is hosted, and whether a particular IP address is associated with known-bad or confirmed malicious activity.

Another key piece of data when it comes to IP addresses is the AS (autonomous system) to which an IP belongs. Depending on investigative or hunting context, an IP address belonging to a residential ISP (internet service provider) versus a hosting provider may change analyst conclusions. 

It is within this context that this blog is situated. In it, we’ll cover what exactly ASNs are, how they can be utilized in hunting and incident response workflows, and provide real-life examples of how we used ASNs to unravel intrusions and locate malicious activity in partner networks.


What are ASNs? 

These days, when we think of “the internet,” we typically think of some kind of abstract “cloud” found in a diagram. 

This abstraction, however, belies a complex series of networks that all communicate with one another and make up what we know of as the internet. 

To paraphrase Cloudflare, autonomous systems (AS) can be thought of as groupings of networks that have a unified routing policy.

We love Cloudflare’s analogy here: 

“Imagine an AS as being like a town's post office.”

Each internet “post office” has a number attached to it: the ASN, or autonomous system number. 

Each external IP address belongs to a particular ASN or “post office.” For example, my home IP address belongs to the ASN AS812, which belongs to Rogers Communications Canada.

Armed with knowledge regarding what ASNs are, let’s now take a look at how this data point can be utilized and generated.


How are ASNs utilized?

Now that we know that an ASN is like an address, the next step is to utilize this information in the context of threat hunting or incident investigation. 

When we hear phrases such as “data enrichment” or “IP enrichment,” what’s often meant by these phrases is enriching the IP address with metadata such as its ASN information and/or its geolocation. 

As an example, we can check out the IP enrichment information provided by ipinfo.io for one of Google’s DNS servers: 


Figure 1: Image showing IP enrichment information for Google’s DNS server

We can see from the image above that one enriched IP address provides us with a bunch of useful information. 

We know where the IP address is located (Mountain View, California, USA), and we also know which ASN the IP belongs to (AS15169 Google LLC).

Now, place yourself in the shoes of an analyst who’s been asked to review a set of firewall logs. How would you be able to tell which connections may be malicious or at least suspicious? 

One way to accomplish this is to enrich these IP addresses with the type of metadata outlined above, and use that information to detect any anomalies. 

ASNs are a critical data point in these types of investigations, as geographic data alone may not tell you the full story. 

Let’s take a look at some concrete and real-world examples of how the Huntress Tactical Response team utilizes ASN telemetry to unravel intrusions. 
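To make the enrichment step concrete before the case studies, here is an added example that is not code from the Huntress post. It enriches the source IPs found in a handful of constructed firewall log lines against a small offline prefix table (longest-prefix match, the way an ASN database lookup works), then aggregates connections per ASN and pulls out the hosting-provider rows an analyst would review first. The prefix table, the log lines and the residential/hosting labels are constructed for the example; in practice the table would be an ASN dataset you download, or the lookup would go to a service such as the ipinfo.io one shown above.

```python
import ipaddress
import re

# Constructed prefix table standing in for an offline ASN dataset. The
# 8.8.8.0/24 -> AS15169 "Google LLC" row matches the Google DNS example in the
# post; the remaining rows use documentation address space (TEST-NET-2/3) and
# documentation ASNs (64496-64511), and the residential/hosting labels are an
# assumption made for this example, not a property of the real networks.
ASN_TABLE = [
    ("8.8.8.0/24",       15169, "Google LLC",             "hosting"),
    ("198.51.100.0/24",  64500, "Example Cable ISP",      "residential"),
    ("203.0.113.0/24",   64501, "Example VPS Hosting",    "hosting"),
    ("203.0.113.128/25", 64502, "Example VPS Sub-Lessee", "hosting"),
]

# Longest-prefix match: try the most specific prefixes first.
_NETWORKS = sorted(
    ((ipaddress.ip_network(cidr), asn, org, kind) for cidr, asn, org, kind in ASN_TABLE),
    key=lambda row: row[0].prefixlen,
    reverse=True,
)

def enrich_ip(ip_str):
    """Return (asn, org, kind) for the most specific matching prefix, or None if unknown."""
    ip = ipaddress.ip_address(ip_str)
    for net, asn, org, kind in _NETWORKS:
        if ip in net:
            return (asn, org, kind)
    return None

# Constructed firewall log lines in a generic "key=value" style.
SAMPLE_FIREWALL_LOG = [
    "2025-05-01T10:00:01Z ALLOW TCP src=198.51.100.23 dst=10.0.0.5 dport=443",
    "2025-05-01T10:00:04Z ALLOW TCP src=198.51.100.77 dst=10.0.0.5 dport=443",
    "2025-05-01T10:01:10Z ALLOW UDP src=8.8.8.8 sport=53 dst=10.0.0.53",
    "2025-05-01T10:02:30Z ALLOW TCP src=203.0.113.200 dst=10.0.0.5 dport=3389",
    "2025-05-01T10:02:31Z ALLOW TCP src=203.0.113.201 dst=10.0.0.5 dport=3389",
    "2025-05-01T10:03:00Z DENY  TCP src=203.0.113.9 dst=10.0.0.5 dport=22",
]

LOG_SRC_RE = re.compile(r"\bsrc=(?P<src>[0-9a-fA-F.:]+)")

def summarize_by_asn(log_lines):
    """Group log lines by the ASN of their source IP.

    Returns {"AS<n> <org>": {"count": n, "kind": ..., "ips": [...]}}; lines
    whose source IP is not in the table land under "unknown".
    """
    summary = {}
    for line in log_lines:
        m = LOG_SRC_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        hit = enrich_ip(src)
        label = f"AS{hit[0]} {hit[1]}" if hit else "unknown"
        kind = hit[2] if hit else "unknown"
        entry = summary.setdefault(label, {"count": 0, "kind": kind, "ips": set()})
        entry["count"] += 1
        entry["ips"].add(src)
    for entry in summary.values():
        entry["ips"] = sorted(entry["ips"])
    return summary

def hosting_sources(summary):
    """ASN labels whose traffic came from hosting providers: the rows an analyst reviews first."""
    return sorted(label for label, entry in summary.items() if entry["kind"] == "hosting")

if __name__ == "__main__":
    summary = summarize_by_asn(SAMPLE_FIREWALL_LOG)
    for label, entry in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{label:32} {entry['kind']:12} {entry['count']:3} {', '.join(entry['ips'])}")
    print("review first:", hosting_sources(summary))
```

Two RDP connections from the same hosting sub-allocation within a second of each other sort to the top of the hosting list, while the residential traffic stays in its own bucket; that per-ASN grouping is what makes a log of thousands of lines reviewable.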


The case of remote desktop compromise

This case started out with the Huntress SOC detecting lateral movement and domain enumeration. 

This is a relatively common set of signals to receive, and when lateral movement is involved, the network is typically isolated to prevent the spread of unauthorized access. 

Once the network was isolated and reports issued, the Tactical Response team began to look at the available telemetry to identify the initial access vector. We focus heavily on this investigative aspect, as knowing where intrusions originated helps our partners lock down their environment in a tactful and risk-based manner. 

Based on the available telemetry, the compromise appeared to originate from the partner's remote desktop gateway host. 

This is not enough information, however; we needed to understand who “patient zero” was and when exactly the account was compromised, so that both the partner and we understood the full scope of the incident.

Remote desktop gateway logs were available for this case, and these logs contained IP information. However, as we outlined earlier in this blog, an IP alone isn’t enough to go on. We need to enrich this information and then analyze it. 

When we enriched the IPs with ASN information, the compromised account was evident, along with information regarding when exactly the account was compromised and from where.


Figure 2: Search illustrating normal versus abnormal ASNs

As we can see in the above image, the first time block of telemetry shows the user in question authenticating from residential ISPs such as Comcast and Rogers. 

In contrast, later authentications for the same user account start occurring from more suspicious ASNs such as “LeaseWeb,” “BLNWX,” and “Datacamp Limited.” 

Without this ASN enrichment in place, it would be difficult—if not outright impossible—to flag this account compromise. For data sets containing thousands of authentication events, checking each IP manually is not feasible. 

In this case, we were able to provide the partner with a full picture of the intrusion, including the initial access vector. With this information, the partner could now communicate to their client the need for stronger authentication controls such as multi-factor authentication (MFA) in a manner that is backed by hard telemetry and data. A win all around!
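The search behind Figure 2 comes down to a per-user baseline: which ASNs does this account normally authenticate from, and when does a new one appear? The following is an added example, not Huntress code, that runs that logic over constructed RD Gateway events already carrying the ASN organisation of the source IP. The users, timestamps and IPs are made up; the ASN names echo the ones in the post, and the residential/hosting labelling in `HOSTING_ORGS` is an assumption for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RD Gateway authentication events, enriched with the ASN org of the
# source IP. Only successful logons are included, which is the set that matters
# for "when was the account first used from somewhere new".
RDG_EVENTS = [
    {"time": "2025-04-01T08:02:00Z", "user": "jdoe",   "ip": "198.51.100.10",  "asn_org": "Comcast Cable"},
    {"time": "2025-04-02T08:05:00Z", "user": "jdoe",   "ip": "198.51.100.10",  "asn_org": "Comcast Cable"},
    {"time": "2025-04-05T19:40:00Z", "user": "jdoe",   "ip": "198.51.100.88",  "asn_org": "Rogers Communications"},
    {"time": "2025-04-10T08:01:00Z", "user": "jdoe",   "ip": "198.51.100.10",  "asn_org": "Comcast Cable"},
    {"time": "2025-04-21T03:12:00Z", "user": "jdoe",   "ip": "203.0.113.45",   "asn_org": "LeaseWeb"},
    {"time": "2025-04-21T03:15:00Z", "user": "jdoe",   "ip": "203.0.113.46",   "asn_org": "BLNWX"},
    {"time": "2025-04-22T02:50:00Z", "user": "jdoe",   "ip": "203.0.113.90",   "asn_org": "Datacamp Limited"},
    {"time": "2025-04-03T09:00:00Z", "user": "asmith", "ip": "198.51.100.120", "asn_org": "Comcast Cable"},
    {"time": "2025-04-21T09:00:00Z", "user": "asmith", "ip": "198.51.100.121", "asn_org": "Comcast Cable"},
]

# Assumed classification of ASN orgs as hosting providers, used only for severity.
HOSTING_ORGS = {"LeaseWeb", "BLNWX", "Datacamp Limited"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def build_baseline(events, baseline_days=14):
    """Per user: the set of ASN orgs seen in the first `baseline_days` of that user's history."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["time"]):
        first_seen.setdefault(e["user"], parse_ts(e["time"]))
    baseline = defaultdict(set)
    for e in events:
        if parse_ts(e["time"]) < first_seen[e["user"]] + timedelta(days=baseline_days):
            baseline[e["user"]].add(e["asn_org"])
    return baseline

def find_asn_drift(events, baseline_days=14):
    """Events whose ASN org is outside the user's baseline, oldest first.

    The first finding for a user is the best available estimate of when the
    account started being used from an unfamiliar network. A hosting ASN is
    rated higher than an unfamiliar residential ISP, which may just be travel.
    """
    baseline = build_baseline(events, baseline_days)
    findings = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["asn_org"] in baseline[e["user"]]:
            continue
        findings.append({
            "user": e["user"], "time": e["time"], "ip": e["ip"], "asn_org": e["asn_org"],
            "severity": "high" if e["asn_org"] in HOSTING_ORGS else "medium",
        })
    return findings

if __name__ == "__main__":
    for f in find_asn_drift(RDG_EVENTS):
        print(f"{f['time']} {f['user']:8} {f['ip']:15} {f['asn_org']:22} {f['severity']}")
```

Note that the baseline is per user rather than global: Comcast is normal for every account here, but the point of the search is that LeaseWeb is new for `jdoe` specifically. A new residential ASN is reported at medium severity because people travel; a jump to hosting ASNs is what turned this case.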

At this point in the blog, astute readers who possess some incident response background may be wondering, “What about IP geolocations?” “Isn’t that a great data point as well?”

Like all things in life, the answer to the above question is a bit complicated. Let’s break it down by looking at another case: a password spray against a RADIUS device.


The RADIUS password spray

In this case, a partner had a RADIUS device that utilized Microsoft Entra for MFA. 

The user would authenticate to the RADIUS device, which is connected to the partner network’s Active Directory domain, and the MFA prompt would be handled by Entra.

In this case, the partner was alerted by their users to an unexpected MFA prompt. Upon investigation, it was discovered that about 60 accounts were targeted. Successful authentication occurred on the RADIUS side, but thankfully no user accepted the unexpected MFA prompts.

This case is interesting for a number of reasons. 

First, it demonstrates how critical context is when looking at authentication-related compromise. 

Had an analyst only looked at the RADIUS logs in isolation, without understanding how AuthN and AuthZ were configured in the environment, all the logins would appear to be successful. 

Only with additional Entra telemetry were we able to correlate the RADIUS logins to their corresponding Entra authentication events and confirm that none of the logins succeeded on the Entra side.

Secondly, and more relevant to this blog, the case illustrates the limitations of IP geolocation when dealing with cloud-based incidents. 

Looking at the user’s authentication events on the RADIUS side with the IP information geolocated, everything appears normal. The user is historically authenticating from the United States, in and around the cities flagged in the screenshot below.


Figure 3: Search showing a user’s geolocation pattern appearing normal without ASN data

It was only after adding ASN enrichment to these events that we discovered that the account was indeed compromised:

Figure 4: Search showing a user’s geolocation pattern in addition to ASN data

When looking at geolocation alone, all appeared normal. However, when adding ASN enrichment, “Stark Industries” and “ROUTERHOSTING” both stood out as malicious.

This case is an excellent reminder of not relying on one data point alone—such as geolocations—when making determinations regarding whether a particular event is malicious or benign. 
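Both lessons of this case, joining RADIUS accepts to their Entra MFA outcome and comparing a geolocation-only view with an ASN-aware one, are shown in the added example below. It is not code from the post; the RADIUS and Entra events are constructed, the `mfa_result` field and its values are an assumed representation of what the Entra sign-in log reports, and the hosting classification of the two ASN names taken from the post is an assumption for the example.

```python
from datetime import datetime

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed RADIUS Access-Accept events, enriched with geolocation and ASN org.
# Every source geolocates to the United States, matching the user's history.
RADIUS_EVENTS = [
    {"time": "2025-04-28T14:00:00Z", "user": "jdoe",   "ip": "198.51.100.10", "country": "US", "city": "Denver",  "asn_org": "Comcast Cable"},
    {"time": "2025-04-30T02:10:00Z", "user": "jdoe",   "ip": "203.0.113.50",  "country": "US", "city": "Denver",  "asn_org": "Stark Industries"},
    {"time": "2025-04-30T02:10:07Z", "user": "asmith", "ip": "203.0.113.51",  "country": "US", "city": "Chicago", "asn_org": "ROUTERHOSTING"},
]

# Constructed Entra sign-in events for the same window. The mfa_result values
# are an assumed simplification of the Entra sign-in log's MFA detail.
ENTRA_EVENTS = [
    {"time": "2025-04-28T14:00:03Z", "user": "jdoe",   "mfa_result": "MFA completed"},
    {"time": "2025-04-30T02:10:04Z", "user": "jdoe",   "mfa_result": "MFA denied; user declined"},
    {"time": "2025-04-30T02:11:00Z", "user": "asmith", "mfa_result": "MFA required; not completed"},
]

HOSTING_ORGS = {"Stark Industries", "ROUTERHOSTING"}  # assumed classification

def correlate_radius_with_entra(radius_events, entra_events, window_seconds=60):
    """Attach the nearest Entra sign-in for the same user (within the window) to each RADIUS accept.

    A RADIUS accept is only a full login if the matching Entra event shows MFA
    completed; an accept with no Entra match, or with MFA denied, is a valid
    password that was stopped at the second factor.
    """
    joined = []
    for r in radius_events:
        rt = parse_ts(r["time"])
        best = None
        for e in entra_events:
            if e["user"] != r["user"]:
                continue
            delta = abs((parse_ts(e["time"]) - rt).total_seconds())
            if delta <= window_seconds and (best is None or delta < best[0]):
                best = (delta, e)
        mfa = best[1]["mfa_result"] if best else "no Entra event"
        joined.append({**r, "mfa_result": mfa, "mfa_ok": mfa == "MFA completed"})
    return joined

def geo_only_view(joined, known_countries=("US",)):
    """The geolocation-only check: anything from a known country looks normal, so nothing is flagged."""
    return [j for j in joined if j["country"] not in known_countries]

def asn_view(joined):
    """The ASN-aware check: accepts from hosting ASNs, regardless of where they geolocate."""
    return [j for j in joined if j["asn_org"] in HOSTING_ORGS]

if __name__ == "__main__":
    joined = correlate_radius_with_entra(RADIUS_EVENTS, ENTRA_EVENTS)
    print("geolocation-only flags:", len(geo_only_view(joined)))
    for j in asn_view(joined):
        print(f"{j['time']} {j['user']:8} {j['city']:8} {j['asn_org']:18} {j['mfa_result']}")
```

The geolocation view returns nothing, exactly as in Figure 3, while the ASN view surfaces the two hosting-provider accepts, and the Entra join shows that neither of them completed MFA: the password was valid, the second factor held, and the account still needs a credential reset.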

ASNs are critical data points when investigating VPN device compromise. 


VPN compromise case

If you’ve read our previous blogs, it should come as no surprise that VPN compromise accounts for a large portion of the cases that Tactical Response covers.

When investigating VPN compromise, ASN enrichment is invaluable and critical to our investigative workflow.

Let’s look at one example. 

In this case, Huntress received the following signals for the affected network: 

Figure 5: Image showing initial signals received for an intrusion

We can see a common pattern of the threat actor going after credentials in two distinct ways:

  • Through registry dumping
  • Through browser login history theft

The command-line arguments utilized for the above techniques indicated that lateral movement was at play for this particular incident as well, so the network was isolated to prevent further threat actor progress.

When we analyzed the Windows event logs for the affected network, the authentication patterns indicated compromise through a VPN appliance. This is a very common occurrence and a popular method of initial access, as previously mentioned. 

Upon reviewing the VPN logs, two logins stood out immediately. 

Both logins utilized the super_admin profile, and they occurred within one second of each other, but from different IP addresses.

This is an unusual authentication pattern for a VPN appliance, especially for a user account that has administrative privileges on the device.

When we checked both IP addresses for their ASN values, our confidence level that these authentication events were malicious increased, as both IPs belonged to the same ASN: DigitalOcean.

It should be noted that the DigitalOcean ASN isn’t inherently evil or nefarious, and administrators may be utilizing machines hosted in DigitalOcean for their legitimate operations.

In this case, however, the observed authentication patterns, in combination with the DigitalOcean ASN values found in the VPN logs, were enough to, at the very least, bubble this up to the partner, where it was (unfortunately) confirmed as malicious behavior.

Figure 6: Logs from VPN appliance showing IPs belonging to suspicious ASNs
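The pattern in this case, one account logging in from two different IPs within a second, is easy to hunt for once the VPN log is parsed, and the ASN check is what decides how hard to push the finding. Here is an added example (not Huntress code) that finds near-simultaneous logins per account over constructed VPN log events and grades each pair: different IPs alone is worth a look, the same hosting ASN on both sides is worth escalating to the partner. The events are constructed; `super_admin` and DigitalOcean come from the post, and the classification of DigitalOcean as a hosting provider in `HOSTING_ORGS` is a label for the example, not a verdict on the network, in line with the caveat above.

```python
from collections import defaultdict
from datetime import datetime

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

# Constructed VPN appliance login events, enriched with the ASN org of each IP.
VPN_LOGINS = [
    {"time": "2025-05-01T09:30:00Z", "user": "super_admin", "ip": "198.51.100.5",  "asn_org": "Example Cable ISP"},
    {"time": "2025-05-01T09:30:00Z", "user": "jdoe",        "ip": "198.51.100.40", "asn_org": "Example Cable ISP"},
    {"time": "2025-05-01T09:30:01Z", "user": "jdoe",        "ip": "198.51.100.40", "asn_org": "Example Cable ISP"},
    {"time": "2025-05-02T01:14:09Z", "user": "super_admin", "ip": "203.0.113.17",  "asn_org": "DigitalOcean"},
    {"time": "2025-05-02T01:14:10Z", "user": "super_admin", "ip": "203.0.113.81",  "asn_org": "DigitalOcean"},
]

HOSTING_ORGS = {"DigitalOcean"}  # assumed classification used only for grading

def find_simultaneous_logins(logins, max_gap_seconds=1):
    """Pairs of logins by one account from different IPs within max_gap_seconds of each other."""
    by_user = defaultdict(list)
    for login in logins:
        by_user[login["user"]].append(login)
    pairs = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e["time"])
        for i, a in enumerate(events):
            for b in events[i + 1:]:
                gap = (parse_ts(b["time"]) - parse_ts(a["time"])).total_seconds()
                if gap > max_gap_seconds:
                    break  # sorted, so every later event is further away
                if a["ip"] == b["ip"]:
                    continue  # a retry from one client, not two sources
                same_asn = a["asn_org"] == b["asn_org"]
                pairs.append({
                    "user": user, "gap_seconds": gap, "ips": (a["ip"], b["ip"]),
                    "same_asn": same_asn,
                    "asn_org": a["asn_org"] if same_asn else None,
                    "hosting": a["asn_org"] in HOSTING_ORGS and b["asn_org"] in HOSTING_ORGS,
                })
    return pairs

def grade(pair):
    """How hard to push a finding: escalate when both sides share a hosting ASN, otherwise review."""
    return "escalate to partner" if pair["same_asn"] and pair["hosting"] else "review"

if __name__ == "__main__":
    for p in find_simultaneous_logins(VPN_LOGINS):
        print(f"{p['user']:12} {p['ips'][0]:15} {p['ips'][1]:15} gap={p['gap_seconds']:.0f}s "
              f"asn={p['asn_org'] or 'mixed'} -> {grade(p)}")
```

The repeated `jdoe` login from the same IP is deliberately excluded, since a client retrying is not two sources, and the result of `grade` is a priority rather than a verdict: as the post notes, the ASN alone does not make an event malicious, but it is what moved this pair from "odd" to "ask the partner".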


Conclusion 

ASNs are a critical data point when conducting hunting and investigations. 

Often, malicious activity can be identified via its associated ASN value alone. 

Conversely, ASN values can also be used as additional data points within hunts and investigations to either help confirm or deny malicious activity. 

As we’ve shown in this blog, ASN enrichment is critical when conducting investigations for a myriad of services, including RDGs, Firewall/RADIUS devices and VPN appliances. 

This blog only scratches the surface in terms of ASN utility as a critical telemetry data point. The mind map below presents some further ideas for utilizing ASN values in your own hunting and investigation adventures, and it provides a list of ASN values that we’ve observed recently as linked to malicious behavior. 

Figure 7: Mind map of ASN telemetry and investigative steps




Categories
Threat Analysis