TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

SlashAndGrab | Huntress

2024-02-23

ATT&CK techniques detected

13 predictions
T1486 · Data Encrypted for Impact
100%
“…gains to deploy ransomware. LockBit. With the impressive joint international takedown efforts to disrupt the LockBit ransomware group, many are asking how “LockBit” is still relevant. The LockBit deployments that we’ve seen are invoked with an encryptor that looks to be compil…”
T1486 · Data Encrypted for Impact
99%
“…util downloaded ransomware .msi payloads, which they also made persistent via Startup folders. The ransom note from the threat actor who deployed the .msi has been included as well. Ransomware anti-forensics. Ransomware actors also tried to remove event logs via wevtutil.exe c…”
T1219 · Remote Access Tools
93%
“…nect\files\ta.exe - c:\windows\spsrv.exe. We also observed a configuration file dropped to c:\programdata\jwrapper-remote access\jwappssharedconfig\serviceconfig.xml, which revealed it was configured to communicate to the public IPv4 91.92.24…”
T1486 · Data Encrypted for Impact
89%
“SlashAndGrab | Huntress. Table of contents: - Adversaries deploying ransomware - Adversaries enumerating - Adversary cryptocurrency miners - Adversaries installing additional remote access - Downloading tools and payloads - Adversaries dropping Cobalt Strike - Adversaries persist…”
T1021.001 · Remote Desktop Protocol
82%
“…nect\files\ta.exe - c:\windows\spsrv.exe. We also observed a configuration file dropped to c:\programdata\jwrapper-remote access\jwappssharedconfig\serviceconfig.xml, which revealed it was configured to communicate to the public IPv4 91.92.24…”
T1219 · Remote Access Tools
81%
“SlashAndGrab | Huntress. Table of contents: - Adversaries deploying ransomware - Adversaries enumerating - Adversary cryptocurrency miners - Adversaries installing additional remote access - Downloading tools and payloads - Adversaries dropping Cobalt Strike - Adversaries persist…”
T1059.001 · PowerShell
81%
“…between the adversaries we observed involved them downloading further tools and payloads. For example, an adversary leveraged PowerShell’s Invoke-WebRequest (iwr) to call on additional payloads for their SSH persistent tunnel. We also observed an adversary download the simp…”
T1105 · Ingress Tool Transfer
78%
“…between the adversaries we observed involved them downloading further tools and payloads. For example, an adversary leveraged PowerShell’s Invoke-WebRequest (iwr) to call on additional payloads for their SSH persistent tunnel. We also observed an adversary download the simp…”
T1136.001 · Local Account
60%
“…access. Creating new users. Our SOC observed a number of adversaries prioritize creating their own users, once they landed on a machine, using naming conventions that would attempt to fly under the radar, as well as add these to highly privileged groups. Persistent reverse shell t…”
T1190 · Exploit Public-Facing Application
58%
“…’t commit to pairing this new exploit with new tradecraft. It’s worth driving this point home: most of the post-compromise activities we have documented in this article aren’t novel, original, or outstanding. Most threat actors simply don’t know what to do beyond the sa…”
T1588.006 · Vulnerabilities
50%
“…’t commit to pairing this new exploit with new tradecraft. It’s worth driving this point home: most of the post-compromise activities we have documented in this article aren’t novel, original, or outstanding. Most threat actors simply don’t know what to do beyond the sa…”
T1055.001 · Dynamic-link Library Injection
41%
“…Strike beacons from their external infrastructure. Specifically, this threat actor saved their beacon as a .pdf on a web server, renaming it to a .dat on the targeted machine. transfer.sh. Interestingly, we observed an adversary mass download cryptocurrency miners using the tempo…”
T1080 · Taint Shared Content
39%
“SlashAndGrab | Huntress. Table of contents: - Adversaries deploying ransomware - Adversaries enumerating - Adversary cryptocurrency miners - Adversaries installing additional remote access - Downloading tools and payloads - Adversaries dropping Cobalt Strike - Adversaries persist…”

Summary

Adversaries have been VERY busy in the wake of the ScreenConnect vulnerabilities (CVE-2024-1709 & CVE-2024-1708). Here are all the post-exploitation details, tradecraft, and tactics we’ve observed so far!