TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Cephalus Ransomware: Don’t Lose Your Head

2025-08-21

ATT&CK techniques detected

25 predictions
T1112 Modify Registry
100%
“"reg add \"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\" /v \"C:\Windows\System32\svchost.exe\" /t REG_DWORD /d 0 /f" cmd /c "reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\" /v D…”
T1486 Data Encrypted for Impact
99%
“…the tragedy that befell the bearer of the name, it's no wonder that "Cephalus" was used to refer to a ransomware variant. Maybe the only question is, why wasn't it used sooner? DLL sideloading via SentinelOne executable. We recently saw two incidents involving Cephalus ranso…”
T1486 Data Encrypted for Impact
99%
“Cephalus Ransomware: Don't Lose Your Head. In mid-August, we came across a ransomware variant called Cephalus in two separate incidents. Recently, we've seen a slew of newer ransomware families (like Crux and KawaLocker), and so when we came across a ransom note in these …”
T1486 Data Encrypted for Impact
98%
“…associated with previous successful Cephalus ransomware deployments, in an apparent attempt to provide credence to the claims of data theft, and impart a sense of urgency to contact the threat actors. The linked article from InsecureWeb from the ransom note was reportedly posted …”
T1486 Data Encrypted for Impact
96%
“…re the legitimacy of Cephalus as a threat. This signalled a marked difference from the ransom notes that had previously been publicly posted to Twitter, which we had outlined in Figure 1 above. During the incident involving a Huntress customer where the ransomware was successfu…”
T1486 Data Encrypted for Impact
93%
“…lus ransomware? We came across the name of the ransomware, Cephalus, in the ransom note tied to the incident. While no public in-depth analyses have been released specifically about a ransomware variant with the name Cephalus, we did find the ransomware referenced on a few we…”
T1486 Data Encrypted for Impact
91%
“…launched from the user's Downloads folder, which then loaded SentinelAgentCore.dll. From this, data.bin was subsequently loaded. Huntress analysts were unable to collect a copy of the data.bin file from the endpoint. On the endpoint where the ransomware was successfully laun…”
T1053.005 Scheduled Task
86%
“…Policy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $false" These commands occur prior to file encryption and ransom note creation. The use of MEGA cloud storage was also observed in both incidents, and was likely associated with data exfiltration activit…”
T1490 Inhibit System Recovery
86%
“…s in a user's Downloads folder results in no responses during the same time period. When launched, the ransomware starts off by running a number of embedded commands intended to obviate system recovery. First, the following command appeared as a child process of SentinelBrows…”
T1112 Modify Registry
81%
“…WindowStyle Hidden -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath \"C:\Windows\System32\svchost.exe\"" powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath \"C:\Windows\Temp\"" powe…”
T1080 Taint Shared Content
81%
“…the tragedy that befell the bearer of the name, it's no wonder that "Cephalus" was used to refer to a ransomware variant. Maybe the only question is, why wasn't it used sooner? DLL sideloading via SentinelOne executable. We recently saw two incidents involving Cephalus ranso…”
T1059.001 PowerShell
80%
“…-Force -ErrorAction SilentlyContinue" powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Stop-Service -Name \"WdNisSvc\" -Force -ErrorAction SilentlyContinue" powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Set-Service -Name …”
T1080 Taint Shared Content
72%
“Cephalus Ransomware: Don't Lose Your Head. In mid-August, we came across a ransomware variant called Cephalus in two separate incidents. Recently, we've seen a slew of newer ransomware families (like Crux and KawaLocker), and so when we came across a ransom note in these …”
T1657 Financial Theft
63%
“…re the legitimacy of Cephalus as a threat. This signalled a marked difference from the ransom notes that had previously been publicly posted to Twitter, which we had outlined in Figure 1 above. During the incident involving a Huntress customer where the ransomware was successfu…”
T1585.002 Email Accounts
58%
“…re the legitimacy of Cephalus as a threat. This signalled a marked difference from the ransom notes that had previously been publicly posted to Twitter, which we had outlined in Figure 1 above. During the incident involving a Huntress customer where the ransomware was successfu…”
T1112 Modify Registry
56%
“…sableBehaviorMonitoring /t REG_DWORD /d 1 /f" cmd /c "reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f" Finally, more PowerShell commands to stop and disable Windo…”
T1105 Ingress Tool Transfer
55%
“…launched from the user's Downloads folder, which then loaded SentinelAgentCore.dll. From this, data.bin was subsequently loaded. Huntress analysts were unable to collect a copy of the data.bin file from the endpoint. On the endpoint where the ransomware was successfully laun…”
T1491.001 Internal Defacement
54%
“…re the legitimacy of Cephalus as a threat. This signalled a marked difference from the ransom notes that had previously been publicly posted to Twitter, which we had outlined in Figure 1 above. During the incident involving a Huntress customer where the ransomware was successfu…”
T1036.005 Match Legitimate Resource Name or Location
47%
“…launched from the user's Downloads folder, which then loaded SentinelAgentCore.dll. From this, data.bin was subsequently loaded. Huntress analysts were unable to collect a copy of the data.bin file from the endpoint. On the endpoint where the ransomware was successfully laun…”
T1059.001 PowerShell
47%
“…WindowStyle Hidden -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath \"C:\Windows\System32\svchost.exe\"" powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath \"C:\Windows\Temp\"" powe…”
T1491.001 Internal Defacement
47%
“…associated with previous successful Cephalus ransomware deployments, in an apparent attempt to provide credence to the claims of data theft, and impart a sense of urgency to contact the threat actors. The linked article from InsecureWeb from the ransom note was reportedly posted …”
T1486 Data Encrypted for Impact
42%
“…Policy Bypass -Command "Set-MpPreference -DisableRealtimeMonitoring $false" These commands occur prior to file encryption and ransom note creation. The use of MEGA cloud storage was also observed in both incidents, and was likely associated with data exfiltration activit…”
T1059.001 PowerShell
39%
“…sableBehaviorMonitoring /t REG_DWORD /d 1 /f" cmd /c "reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f" Finally, more PowerShell commands to stop and disable Windo…”
T1490 Inhibit System Recovery
34%
“…re the legitimacy of Cephalus as a threat. This signalled a marked difference from the ransom notes that had previously been publicly posted to Twitter, which we had outlined in Figure 1 above. During the incident involving a Huntress customer where the ransomware was successfu…”
T1657 Financial Theft
34%
“…lus ransomware? We came across the name of the ransomware, Cephalus, in the ransom note tied to the incident. While no public in-depth analyses have been released specifically about a ransomware variant with the name Cephalus, we did find the ransomware referenced on a few we…”

Summary

In mid-August, Huntress saw two incidents that linked back to a ransomware variant called Cephalus, which included DLL sideloading via a legitimate SentinelOne executable.