TTPwire Vol. 1 · MITRE ATT&CK · Tagged


The DFIR Report

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

editor · 2025-09-29

ATT&CK techniques detected

93 predictions
T1218.011 Rundll32
100%
“d&up=%d&direction=%s counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ hxxps://workspacin[.]cloud/live/h…”
T1055.001 Dynamic-link Library Injection
100%
“…nc/BackConnect component used by IcedID, and prior cases involving IcedID infection. A few minutes later, Latrodectus spawned dllhost.exe to likely inject the BackConnect payload with PROCESS_ALL_ACCESS (0x1FFFFF) access rights. The granted access rights provide full c…”
T1555.003 Credentials from Web Browsers
99%
“module to accommodate recent browser security enhancements. The stealer had the hardcoded time of when the stealer module was built – 00:39:18 Mar 29 2024. Similar to the Latrodectus loader component, the stealer module dynamically resolved Windows APIs by iterating through t…”
T1053.005 Scheduled Task
99%
“code decompresses the decrypted data before loading it. The backdoor implemented a persistent command and control system that establishes covert communication between an infected machine and a remote threat actor controlled server while creating a scheduled task for persistence. …”
T1071.001 Web Protocols
99%
“gw[.]aws-use1[.]cloud-ara[.]tyk[.]io uncertain-kitten-gw[.]aws-euc1[.]cloud-ara[.]tyk[.]io erbolsan[.]com samderat200[.]com dauled[.]com kasymdev[.]com kasym500[.]com Brute Ratel IP addresses 95.164.68[.]73 138.124.183[.]215 91…”
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
98%
“between them, hinting that there may have been a mistake in the first config file dropped by the threat actor. The first execution had a syntax error with specifying the drive to exfiltrate files from (threat actor added an extra colon to the drive), and the second execution sh…”
T1071.001 Web Protocols
98%
“C:\Windows\System32\rundll32.exe %s 12345&stiller= Cobalt Strike beacon configuration (system.dl_ | cron801.dl_) Version: 4.6 Socket: 80 Beacon Type: HTTP MaxGetSize: 2105681 URL: hxxp://45.129.199[.]214/vodeo/wg01ck01 Jitter: 49 Encryption k…”
T1053.005 Scheduled Task
97%
“Strike communication patterns. The following day the sys.dll Cobalt Strike beacon was executed on two additional servers after connections to those hosts were made via RDP. Persistence Registry Run key persistence was first established after initial access on day one via a regis…”
T1055.012 Process Hollowing
96%
“are the decrypted Brute Ratel C4 (BRc4) C2s and RC4 key to decrypt the gathered information on the infected system that is sent to the C2. The subsequent YARA rule triggered during a scan of the process memory for Brute Ratel: On day five, the threat actor deployed a new Brute…”
T1059.001 PowerShell
96%
“0x1010 permissions and another instance of the same process requesting 0x1FFFFF seconds later. This cycle repeated three times in total during the intrusion, each time facilitated via a Cobalt Strike beacon process. Veeam-Get-Creds On day 26 of the intrusion, the threat actor…”
T1003.001 LSASS Memory
95%
“the campaign (day three) to list directories on the beachhead. After listing files in directories, the threat actor focused their attention on the file unattend.xml, an answer file. Answer files are used to control the configuration of Windows while setting it up from an image…”
T1548.002 Bypass User Account Control
95%
“runas command – a built-in Windows feature that allows running programs under different user credentials. By calling this service, they were able to authenticate as the domain admin account found in the unattend.xml file and escalate their privileges from a regular user to ful…”
T1055.001 Dynamic-link Library Injection
95%
“n/nzoqjd9mme hxxp[://]94[.]232[.]249[.]186/vodeo/vid_wg01ck01 hxxp[://]94[.]232[.]249[.]186/vodeo/wg01ck01 Later the cron801.dl_ file was renamed system.dl_ and deployed to several hosts, this is covered further in the Lateral Movemen…”
T1059.001 PowerShell
93%
“…c: Outbound Network Connection Initiated by Script Interpreter ed74fe75-7594-4b4b-ae38-e38e3fd2eb23: Outbound RDP Connections Over Non-Standard Tools 85b0b087-eddf-4a2b-b033-d771fa2b9775: PowerShell Download and Execution Cradles 3dfd06d2-eaf4-4532-95…”
T1005 Data from Local System
93%
“discovery commands and attempted to organize their AdFind output: net view REDACTED wmic /node:REDACTED logicaldisk list brief %windir%\system32\cmd.exe /c ping -n 1 REDACTED move %userprofile%\ad_users.txt %userprofile%\pictures\ attrib %userprofile%\…”
T1210 Exploitation of Remote Services
92%
“…moting Although the threat actor ran discovery commands just under an hour from the initial access, the first lateral movement attempt came three days into the intrusion when the threat actor attempted to execute the system.dl_ Cobalt Strike beacon on a domain controller via …”
T1219 Remote Access Tools
91%
“…RemoteThread API. Latrodectus, a downloader first identified by Proofpoint researchers in November 2023, is attributed to the same threat actors responsible for developing IcedID. Approximately six hours later, the process running Latrodectus established a connection to 193.16…”
T1204.002 Malicious File
91%
“…r-i40_53b043910-86g91352u7972-6495q3.js, first reported on X by @Cryptolaemus1 in the following post: The malware was first uploaded to VirusTotal on May 9, 2024, prior to Operation Endgame. This operation occurred between May 27 and 29, 2024, during which law enforc…”
T1218.007 Msiexec
90%
“(compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1) Content-Type: application/x-www-form-urlencoded POST GET CLEARURL URLS COMMAND ERROR xkxp7pkhnkqxuokr2dl00qsra6hx0xvq31jtd7ewuqj4rxwthwelbzfbo…”
T1057 Process Discovery
90%
“- T1003.001 Malicious File - T1204.002 Masquerading - T1036 Network Service Discovery - T1046 Network Share Discovery - T1135 Non-Standard Port - T1571 PowerShell - T1059.001 Process Injection - T1055 Registry Run Keys / Startup Folder - T1547.001 Remote Desktop Protocol - …”
T1003.004 LSA Secrets
89%
“the campaign (day three) to list directories on the beachhead. After listing files in directories, the threat actor focused their attention on the file unattend.xml, an answer file. Answer files are used to control the configuration of Windows while setting it up from an image…”
T1134 Access Token Manipulation
88%
“…14-a2f4-49cd-a3a8-3f071eddf028: Windows_Trojan_CobaltStrike_3dc22d14 663fc95d-2472-4d52-ad75-c5d86cfc885f: Windows_Trojan_CobaltStrike_663fc95d 8d5963a2-54a9-4705-9f34-0d5f8e6345a2: Windows_Trojan_CobaltStrike_8d5963a2 b54b94ac-6ef…”
T1047 Windows Management Instrumentation
88%
“…32\cmd.exe /c wmic.exe /node:localhost /namespace:\\root\securitycenter2 path antivirusproduct get displayname | findstr /v /b /c:displayname || echo no antivirus installed C:\Windows\System32\cmd.exe /c whoami /groups C:\Windows\System32\c…”
T1087.002 Domain Account
88%
“four, the injected Cobalt Strike beacon used systeminfo to query for system information. The threat actor then executed disk command via BackConnect to query disk information. The Cobalt Strike injected processes then executed reconnaissance commands and leveraged AdFind for Acti…”
T1087.002 Domain Account
88%
“Following the Metasploit shell deployment attempt on the second domain controller, the threat actor initiated an additional round of AdFind reconnaissance from the beachhead host: adfind.exe -b dc=domain,dc=local -f (objectcategory=person) > adflogs\domain.local_…”
T1055.001 Dynamic-link Library Injection
87%
“restrictions requiring different execution approaches: "cmd.exe" /c powershell -nop -w hidden -c "iex (new-object net.webclient).downloadstring('hxxp://127.0.0[.]1:11664/')" powershell -nop -w hidden -c "iex (new-object net.webclient).do…”
T1134 Access Token Manipulation
85%
“runas command – a built-in Windows feature that allows running programs under different user credentials. By calling this service, they were able to authenticate as the domain admin account found in the unattend.xml file and escalate their privileges from a regular user to ful…”
T1204.002 Malicious File
85%
“originally published as a threat brief to customers in Feb 2025 The DFIR Report Services - Private Threat Briefs: 20+ private DFIR reports annually. - Threat Feed: focuses on tracking command and control frameworks like Cobalt Strike, Metasploit, Sliver, etc. - All Intel: inc…”
T1059.003 Windows Command Shell
84%
“…cf367be6bd5e80021e3bd3232ac309a 203eda879dbdb128259cd658b22c9c21c66cbcfa1e2f39879c73b4dafb84c592 run.bat c8ea31665553cbca19b22863eea6ca2c ba99cd73b74c64d6b1257b7db99814d1dc7d76b1 411dfb067a984a244ff0c41887d4a09fbbcd8d562550f5d32d58a6a6256bd7b2 start.vbs 4b3e9c9e018659d1cf04da…”
T1059.001 PowerShell
83%
“restrictions requiring different execution approaches: "cmd.exe" /c powershell -nop -w hidden -c "iex (new-object net.webclient).downloadstring('hxxp://127.0.0[.]1:11664/')" powershell -nop -w hidden -c "iex (new-object net.webclient).do…”
T1046 Network Service Discovery
82%
“…category=group) > adflogs\domain.local_ad_group.txt Although the threat actor attempted to compress the collected data, forensic analysis did not identify any created zip archives on the system. "7z.exe" a -mx1 -r0 adflogs.zip adflogs The threat actor returned …”
T1134 Access Token Manipulation
80%
“Access Token Manipulation - T1134 Archive via Utility - T1560.001 Bypass User Account Control - T1548.002 Credentials from Web Browsers - T1555.003 Credentials In Files - T1552.001 Domain Accounts - T1078.002 Domain Account - T1087.002 Domain Groups - T1069.002 Domain Trus…”
T1071.001 Web Protocols
80%
“of the intrusion. The first was observed on day four, where the cron801.dl_ file was dropped on the beachhead host under C:\ProgramData from the injected explorer.exe process containing Latrodectus and was then executed twice by leveraging BackConnect. rundll32 cron801.dl…”
T1021.001 Remote Desktop Protocol
79%
“in the Exfiltration section, on the twentieth day, the threat actor successfully performed data exfiltration. Despite that, no further final actions on objectives were performed until they were evicted from the network. Timeline Diamond Model Indicators Atomic RDP client name vps…”
T1566.001 Spearphishing Attachment
79%
“From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Key Takeaways - The intrusion began with a Lunar Spider linked JavaScript file disguised as a tax form that downloaded and execu…”
T1555.003 Credentials from Web Browsers
79%
“server addresses, port numbers, usernames, and encrypted passwords. Additionally, it targeted the registry path HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles to extract legacy email configurations from older Windows Mail, Outlo…”
T1482 Domain Trust Discovery
79%
“%s", "subproc": []} /c ipconfig /all C:\Windows\System32\cmd.exe /c systeminfo C:\Windows\System32\cmd.exe /c nltest /domain_trusts C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts C:\Windows\System32\cmd.exe /…”
T1048 Exfiltration Over Alternative Protocol
76%
“actor dropped a data exfiltration toolkit in the ProgramData directory. This included a VBScript launcher (start.vbs), batch automation script (run.bat), renamed Rclone (sihosts.exe), and Rclone configuration file (rclone.conf). This toolkit automated the theft of sen…”
T1210 Exploitation of Remote Services
76%
“…E-2020-1472) exploit with capabilities for credential harvesting and remote code execution. During the intrusion the threat actor used zero.exe to move laterally between devices in the network. The executable was executed on the beachhead host and targeted a second domain…”
T1003 OS Credential Dumping
76%
“threat actor actions. On the 26th day of the intrusion the threat actor returned to the backup server and used a PowerShell script to dump credentials from the backup server software. Two days later on the backup server they appeared again and dropped a network scanning tool, Rus…”
T1021.001 Remote Desktop Protocol
76%
“…E-2020-1472) exploit with capabilities for credential harvesting and remote code execution. During the intrusion the threat actor used zero.exe to move laterally between devices in the network. The executable was executed on the beachhead host and targeted a second domain…”
T1486 Data Encrypted for Impact
74%
“0x1010 permissions and another instance of the same process requesting 0x1FFFFF seconds later. This cycle repeated three times in total during the intrusion, each time facilitated via a Cobalt Strike beacon process. Veeam-Get-Creds On day 26 of the intrusion, the threat actor…”
T1055.012 Process Hollowing
72%
“threat actor expanded their tooling and heavily utilized both Brute Ratel and Cobalt Strike for process injection. Using the Sysmon EventID 8, CreateRemoteThread, multiple instances of process injection were identified for both long-term and short-term sacrificial processes. …”
T1071 Application Layer Protocol
72%
“the beachhead host the threat actor leaked their source hostname during the authentication process. vps2day-32220le The threat actor’s hostname implies that the infrastructure used by them was provided via a German hosting company vps2day, which seems to be operating under th…”
T1071.001 Web Protocols
70%
“…3aymyketaaqxsjd8ipotiexvlllpswxyh9xz/kc1widaqab (RSA) HttpPostUri: /vodeo/vid_wg01ck01 User Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 MalleableC2Instructions: Remove 4338 …”
T1071.001 Web Protocols
69%
“communication using the BackConnect protocol. More specifically, connections from explorer.exe and dllhost.exe were performed toward two different IP addresses. Additionally, these IPs have been categorized with moderate confidence related to IcedID BackConnect, which common…”
T1059.001 PowerShell
69%
“: Renamed AdFind Execution 5bb68627-3198-40ca-b458-49f973db8752: Rundll32 Execution Without Parameters 152f3630-77c1-4284-bcc0-4cc68ab2f6e7: Shell Open Registry Keys Manipulation 3b6ab547-8ec2-4991-b9d2-2b06702a48d7: Suspicious PowerShell Download and E…”
T1069.002 Domain Groups
69%
“adfind.exe -subnets -f (objectcategory=subnet) > ad_subnets.txt adfind.exe -gcb -sc trustdmp > ad_trustdmp.txt adfind.exe -f "&(objectcategory=computer)(operatingsystem=*server*)" -csv > ad_servers.csv Continued discovery and network testing: …”
T1552.002 Credentials in Registry
67%
“server addresses, port numbers, usernames, and encrypted passwords. Additionally, it targeted the registry path HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles to extract legacy email configurations from older Windows Mail, Outlo…”
T1087.002 Domain Account
67%
“…name>\pictures\ad_users.txt /setowner "<local user>" /t /c icacls c:\users\<username>\pictures\ad_users.txt /setowner "<domain>\<local user>" /t /c icacls "c:\users\<username>\pictures\ad_users.txt" /reset /t After runni…”
T1018 Remote System Discovery
65%
“in the Exfiltration section, on the twentieth day, the threat actor successfully performed data exfiltration. Despite that, no further final actions on objectives were performed until they were evicted from the network. Timeline Diamond Model Indicators Atomic RDP client name vps…”
T1059.001 PowerShell
65%
“php) was obfuscated and embedded within the resource file name lsassa$ from the decrypted resource file lsassa&&. After successfully transmitting the victim data, the backdoor waits for a server response containing executable commands. When commands are received from the remo…”
T1134.001 Token Impersonation/Theft
63%
“/f /d "cmd.exe /c powershell -nop -w hidden -c "iex (new-object net.webclient).downloadstring('hxxp://127.0.0[.]1:11664/')" reg add "HKCU\Software\Classes\ms-settings\shell\open\command" /v DelegateExecute /f /d "cmd.exe /c p…”
T1482 Domain Trust Discovery
62%
“ps1 script is publicly available on GitHub. Upon executing the script, the threat actor would have obtained any plaintext usernames and passwords stored in the Veeam credential manager. These credentials are typically used to authenticate to remote systems for backup operations. …”
T1059.001 PowerShell
62%
“ps1 script is publicly available on GitHub. Upon executing the script, the threat actor would have obtained any plaintext usernames and passwords stored in the Veeam credential manager. These credentials are typically used to authenticate to remote systems for backup operations. …”
T1555 Credentials from Password Stores
61%
“server addresses, port numbers, usernames, and encrypted passwords. Additionally, it targeted the registry path HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles to extract legacy email configurations from older Windows Mail, Outlo…”
T1204.002 Malicious File
61%
“From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Key Takeaways - The intrusion began with a Lunar Spider linked JavaScript file disguised as a tax form that downloaded and execu…”
T1071.001 Web Protocols
60%
“…3222bed6ada911c6 1a8ebf914ebea34402eecbf0985f05ae413663708d2fcc842fc27057ac5ec4ed sys.dll ad3c52316e0059c66bc1dd680cf9edad 8dfa63c0bb611e18c8331ed5b89decf433ac394a 100e03eb4e9dcdab6e06b2b26f800d47a21d338885f5dc1b42c56a32429c9168 Cobalt Strike system.dl_ or cron801.dl_ 4953…”
T1055.003 Thread Execution Hijacking
60%
“209:443 (avtechupdate[.]com) before injecting itself into the sihost.exe process. After the attempted UAC bypass, the Cobalt Strike stager was executed in memory with the C2 pointing to resources.avtechupdate[.]com/samlss/vm.ico. Shortly after, the sihost.exe pr…”
T1055 Process Injection
59%
“threat actor expanded their tooling and heavily utilized both Brute Ratel and Cobalt Strike for process injection. Using the Sysmon EventID 8, CreateRemoteThread, multiple instances of process injection were identified for both long-term and short-term sacrificial processes. …”
T1134.001 Token Impersonation/Theft
58%
“209:443 (avtechupdate[.]com) before injecting itself into the sihost.exe process. After the attempted UAC bypass, the Cobalt Strike stager was executed in memory with the C2 pointing to resources.avtechupdate[.]com/samlss/vm.ico. Shortly after, the sihost.exe pr…”
T1547.001 Registry Run Keys / Startup Folder
58%
“Strike communication patterns. The following day the sys.dll Cobalt Strike beacon was executed on two additional servers after connections to those hosts were made via RDP. Persistence Registry Run key persistence was first established after initial access on day one via a regis…”
T1059.007 JavaScript
57%
“2024, shows a malicious ad as the initial access used to lure a victim to download the malicious JavaScript file. Given the similarity of that report and our initial malware behavior we assess that this was likely the same method used for our case as well. The heavily obfuscated J…”
T1055.001 Dynamic-link Library Injection
57%
“php) was obfuscated and embedded within the resource file name lsassa$ from the decrypted resource file lsassa&&. After successfully transmitting the victim data, the backdoor waits for a server response containing executable commands. When commands are received from the remo…”
T1055.001 Dynamic-link Library Injection
57%
“209:443 (avtechupdate[.]com) before injecting itself into the sihost.exe process. After the attempted UAC bypass, the Cobalt Strike stager was executed in memory with the C2 pointing to resources.avtechupdate[.]com/samlss/vm.ico. Shortly after, the sihost.exe pr…”
T1021.002 SMB/Windows Admin Shares
56%
“…category=group) > adflogs\domain.local_ad_group.txt Although the threat actor attempted to compress the collected data, forensic analysis did not identify any created zip archives on the system. "7z.exe" a -mx1 -r0 adflogs.zip adflogs The threat actor returned …”
T1222.001 Windows Permissions
55%
“users.txt Minutes later, the compromised explorer.exe process spawned dllhost.exe, indicating resumption of the BackConnect VNC activity observed previously. The dllhost.exe process subsequently executed a Windows shell command to open the “This PC” interface on the beachhe…”
T1204.002 Malicious File
54%
“of the intrusion. The first was observed on day four, where the cron801.dl_ file was dropped on the beachhead host under C:\ProgramData from the injected explorer.exe process containing Latrodectus and was then executed twice by leveraging BackConnect. rundll32 cron801.dl…”
T1204.002 Malicious File
54%
“2024, shows a malicious ad as the initial access used to lure a victim to download the malicious JavaScript file. Given the similarity of that report and our initial malware behavior we assess that this was likely the same method used for our case as well. The heavily obfuscated J…”
T1555.003 Credentials from Web Browsers
52%
“threat actor expanded their tooling and heavily utilized both Brute Ratel and Cobalt Strike for process injection. Using the Sysmon EventID 8, CreateRemoteThread, multiple instances of process injection were identified for both long-term and short-term sacrificial processes. …”
T1078.002 Domain Accounts
51%
“On day three, the threat actor discovered and accessed an unattend.xml Windows answer file containing plaintext domain administrator credentials left over from an automated deployment process. This provided the threat actor with immediate high-privilege access to the domain en…”
T1485 Data Destruction
49%
“in the Exfiltration section, on the twentieth day, the threat actor successfully performed data exfiltration. Despite that, no further final actions on objectives were performed until they were evicted from the network. Timeline Diamond Model Indicators Atomic RDP client name vps…”
T1055.001 Dynamic-link Library Injection
48%
“…64: %windir%\sysnative\gpupdate.exe SpawnTo_x86: %windir%\syswow64\gpupdate.exe Proxy_Behavior: Use IE settings Watermark: 987654321 Jitter: 49 ProcessInject_MinAllocation: 19836 ProcessInject_AllocationMethod: NtMapViewOfSection computed RustScan. …”
T1041 Exfiltration Over C2 Channel
46%
“.exe was a .NET malware that was deployed on the fourth day. It attempted to communicate with its C2 server every 250 seconds. Additionally, each POST request contained the hostname of the infected workstation and the username of the compromised user, which were sent to the serv…”
T1548 Abuse Elevation Control Mechanism
46%
“runas command – a built-in Windows feature that allows running programs under different user credentials. By calling this service, they were able to authenticate as the domain admin account found in the unattend.xml file and escalate their privileges from a regular user to ful…”
T1564.003 Hidden Window
45%
“restrictions requiring different execution approaches: "cmd.exe" /c powershell -nop -w hidden -c "iex (new-object net.webclient).downloadstring('hxxp://127.0.0[.]1:11664/')" powershell -nop -w hidden -c "iex (new-object net.webclient).do…”
T1055 Process Injection
43%
“…64: %windir%\sysnative\gpupdate.exe SpawnTo_x86: %windir%\syswow64\gpupdate.exe Proxy_Behavior: Use IE settings Watermark: 987654321 Jitter: 49 ProcessInject_MinAllocation: 19836 ProcessInject_AllocationMethod: NtMapViewOfSection computed RustScan. …”
T1003 OS Credential Dumping
42%
“From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion Key Takeaways - The intrusion began with a Lunar Spider linked JavaScript file disguised as a tax form that downloaded and execu…”
T1134 Access Token Manipulation
42%
“…f9dd: signature_base_hktl_cobaltstrike_sleepmask_jul22 a7dae4c7-672e-58fb-8542-90fa90d991a4: trellix_arc_malw_cobaltrike 113ba304-261f-5c59-bc56-57515c239b6d: volexity_trojan_win_cobaltstrike 4110d879-8d36-4004-858d-e62400948920 …”
T1134.001 Token Impersonation/Theft
41%
“Access Token Manipulation - T1134 Archive via Utility - T1560.001 Bypass User Account Control - T1548.002 Credentials from Web Browsers - T1555.003 Credentials In Files - T1552.001 Domain Accounts - T1078.002 Domain Account - T1087.002 Domain Groups - T1069.002 Domain Trus…”
T1486 Data Encrypted for Impact
40%
“in the Exfiltration section, on the twentieth day, the threat actor successfully performed data exfiltration. Despite that, no further final actions on objectives were performed until they were evicted from the network. Timeline Diamond Model Indicators Atomic RDP client name vps…”
T1110 Brute Force
38%
“…e38abdc740f000596e374b6842902653aeafb6c63011388ebb22ec13e28 BruteRatel upfilles.dll ccb6d3cb020f56758622911ddd2f1fcb 4a013f752c2bf84ca37e418175e0d9b6f61f636d f4cb6b684ea097f867d406a978b3422bbf2ecfea39236bf3ab99340996b825de BruteRatel wscadminui.dll d7bd590b6c660716277383aa23c…”
T1055.012 Process Hollowing
36%
“…e, specifically invoking the exported function stow to initiate malicious execution. Brute Ratel On day one, the loader upfilles.dll began execution on the beachhead host by resolving three APIs (VirtualAlloc, LoadLibraryA, GetProcAddress) via the following hashing algori…”
T1134.002 Create Process with Token
36%
“209:443 (avtechupdate[.]com) before injecting itself into the sihost.exe process. After the attempted UAC bypass, the Cobalt Strike stager was executed in memory with the C2 pointing to resources.avtechupdate[.]com/samlss/vm.ico. Shortly after, the sihost.exe pr…”
T1071 Application Layer Protocol
36%
“of the intrusion. The first was observed on day four, where the cron801.dl_ file was dropped on the beachhead host under C:\ProgramData from the injected explorer.exe process containing Latrodectus and was then executed twice by leveraging BackConnect. rundll32 cron801.dl…”
T1055.001 Dynamic-link Library Injection
36%
“threat actor expanded their tooling and heavily utilized both Brute Ratel and Cobalt Strike for process injection. Using the Sysmon EventID 8, CreateRemoteThread, multiple instances of process injection were identified for both long-term and short-term sacrificial processes. …”
T1069.002 Domain Groups
35%
“Following the Metasploit shell deployment attempt on the second domain controller, the threat actor initiated an additional round of AdFind reconnaissance from the beachhead host: adfind.exe -b dc=domain,dc=local -f (objectcategory=person) > adflogs\domain.local_…”
T1048 Exfiltration Over Alternative Protocol
34%
“1472) vulnerability to attempt additional lateral movement to a second domain controller. After that they then tried to execute Metasploit laterally to that domain controller via a remote service. However they were unable to establish a command and control channel from this actio…”
T1134.002 Create Process with Token
34%
“runas command – a built-in Windows feature that allows running programs under different user credentials. By calling this service, they were able to authenticate as the domain admin account found in the unattend.xml file and escalate their privileges from a regular user to ful…”
T1048 Exfiltration Over Alternative Protocol
34%
“in the Exfiltration section, on the twentieth day, the threat actor successfully performed data exfiltration. Despite that, no further final actions on objectives were performed until they were evicted from the network. Timeline Diamond Model Indicators Atomic RDP client name vps…”
T1003 OS Credential Dumping
33%
“0x1010 permissions and another instance of the same process requesting 0x1FFFFF seconds later. This cycle repeated three times in total during the intrusion, each time facilitated via a Cobalt Strike beacon process. Veeam-Get-Creds On day 26 of the intrusion, the threat actor…”
T1055.001 Dynamic-link Library Injection
33%
“…e, specifically invoking the exported function stow to initiate malicious execution. Brute Ratel On day one, the loader upfilles.dll began execution on the beachhead host by resolving three APIs (VirtualAlloc, LoadLibraryA, GetProcAddress) via the following hashing algori…”
T1218.011 Rundll32
33%
“2024, shows a malicious ad as the initial access used to lure a victim to download the malicious JavaScript file. Given the similarity of that report and our initial malware behavior we assess that this was likely the same method used for our case as well. The heavily obfuscated J…”
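Several cards above (T1003.001 LSASS Memory, T1055 Process Injection, T1548.002 Bypass User Account Control) quote telemetry a detection engineer would want to check mechanically: a process opening LSASS with the minimal 0x1010 read mask and then with 0x1FFFFF (PROCESS_ALL_ACCESS) seconds later, Sysmon process-access records showing injection rights on a sacrificial process, and a reg add to HKCU\Software\Classes\ms-settings\shell\open\command with DelegateExecute. The following Python triage is an added example written for this page, not code from The DFIR Report; the Sysmon Event ID 10 and 13 records are constructed, the 60-second probe window and the allow-list of legitimate LSASS readers are assumptions to tune per environment.

```python
"""Triage of Sysmon ProcessAccess (ID 10) and RegistryEvent (ID 13) records for
LSASS handle probes, PROCESS_ALL_ACCESS injection opens and the ms-settings
handler hijack. Added example; the events below are constructed, not real telemetry."""
from datetime import datetime, timedelta
import re

# Process access rights from winnt.h. 0x1FFFFF is PROCESS_ALL_ACCESS on Vista and later.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
PROCESS_VM_READ = 0x0010
PROBE_MASK = 0x1010                      # VM_READ | QUERY_LIMITED_INFORMATION: minimal read mask
INJECT_MASK = 0x0002 | 0x0008 | 0x0020   # CREATE_THREAD | VM_OPERATION | VM_WRITE
PROBE_WINDOW = timedelta(seconds=60)     # assumed: probe followed by full-access open within 60 s
# Assumed allow-list of images that legitimately open LSASS; tune per environment.
LSASS_READERS = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# Sysmon logs the key as HKU\<SID>\Software\Classes\ms-settings\Shell\Open\command\<value>.
MS_SETTINGS_CMD = re.compile(r"\\classes\\ms-settings\\shell\\open\\command(\\|$)", re.I)


def decode_access(mask: int) -> list[str]:
    """Expand a GrantedAccess mask into named rights; the full mask is collapsed."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    return names + ([f"UNKNOWN_0x{unknown:X}"] if unknown else [])


def triage(events: list[dict]) -> list[str]:
    """Return one finding per suspicious event, in time order."""
    findings: list[str] = []
    probes: dict[tuple[str, str], datetime] = {}  # (source image, source pid) -> last 0x1010 open
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        if ev["EventID"] == 10:
            src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
            mask = int(ev["GrantedAccess"], 16)
            rights = "|".join(decode_access(mask))
            key = (src, ev["SourceProcessId"])
            if tgt.endswith(r"\lsass.exe") and src not in LSASS_READERS:
                if mask == PROBE_MASK:
                    probes[key] = when  # remember the probe; a full-access open may follow
                    findings.append(f"lsass-read: {src} opened lsass.exe with {rights}")
                elif mask == PROCESS_ALL_ACCESS and key in probes and (when - probes[key]) <= PROBE_WINDOW:
                    gap = int((when - probes[key]).total_seconds())
                    findings.append(f"lsass-dump: {src} escalated 0x1010 -> PROCESS_ALL_ACCESS on lsass.exe within {gap}s")
                elif mask & PROCESS_VM_READ:
                    findings.append(f"lsass-read: {src} opened lsass.exe with {rights}")
            elif src != tgt and (mask & INJECT_MASK) == INJECT_MASK:
                findings.append(f"injection: {src} holds {rights} on {tgt}")
        elif ev["EventID"] == 13 and ev["EventType"] == "SetValue" and MS_SETTINGS_CMD.search(ev["TargetObject"]):
            findings.append(f"uac-bypass: {ev['Image'].lower()} set {ev['TargetObject']} = {ev['Details']!r}")
    return findings


# Constructed sample records (field names as Sysmon writes them); not from the report.
SAMPLE_EVENTS = [
    {"EventID": 10, "UtcTime": "2025-01-10 09:00:00.000", "SourceImage": r"C:\Windows\System32\dllhost.exe",
     "SourceProcessId": "4120", "TargetImage": r"C:\Windows\System32\gpupdate.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "UtcTime": "2025-01-10 09:05:00.000", "SourceImage": r"C:\Windows\System32\gpupdate.exe",
     "SourceProcessId": "5200", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2025-01-10 09:05:07.000", "SourceImage": r"C:\Windows\System32\gpupdate.exe",
     "SourceProcessId": "5200", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "UtcTime": "2025-01-10 09:06:00.000", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "SourceProcessId": "600", "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 13, "UtcTime": "2025-01-10 09:10:00.000", "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute", "Details": ""},
    {"EventID": 13, "UtcTime": "2025-01-10 09:11:00.000", "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The probe-then-escalate correlation is keyed on source image plus PID, so two beacons in different sacrificial processes are tracked separately, and a lone 0x1FFFFF open of LSASS without a preceding probe still surfaces through the generic VM_READ rule. The csrss.exe record shows why the allow-list matters: without it every system component that touches LSASS would page someone.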
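The unattend.xml finding quoted under T1078.002 Domain Accounts and T1003.001 LSASS Memory (plaintext domain administrator credentials left behind by an automated deployment) is one a practitioner can hunt for on their own images before an intruder does. The following Python audit is an added example, not The DFIR Report's tooling; the answer file is constructed, and the decoding rule for values marked PlainText=false (Base64 of the UTF-16LE password with the element name appended) follows the Windows answer-file schema. It covers both the Microsoft-Windows-Shell-Setup password blocks and the bare credentials under Microsoft-Windows-UnattendedJoin.

```python
"""Audit a Windows answer file (unattend.xml) for stored credentials, the kind of
T1552.001 finding behind the domain-admin takeover described above.
Added example; the XML below is constructed, not the report's evidence."""
import base64
from typing import Optional
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"


def q(tag: str) -> str:
    """Namespace-qualify an answer-file element name for ElementTree."""
    return f"{{{NS}}}{tag}"


def encode_password(password: str, element: str) -> str:
    """Schema rule for PlainText=false: Base64(UTF-16LE(password + element name))."""
    return base64.b64encode((password + element).encode("utf-16-le")).decode("ascii")


def decode_password(value: str, plaintext: Optional[bool], element: str) -> tuple:
    """Return (password, stored_in_clear). A missing PlainText flag is treated as
    encoded (the schema default), falling back to the literal text if it does not decode."""
    if plaintext is True:
        return value, True
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return value, True
    if raw.endswith(element):
        return raw[: -len(element)], False
    return value, True


def find_credentials(xml_text: str) -> list:
    """Every password in the file: where it sits, which account, and whether it is in the
    clear. Base64 is not protection (it is reversed above), so both kinds are reported."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}

    def path(node) -> str:
        parts = []
        while node is not None and node is not root:
            name = node.tag.split("}")[-1]
            if name == "component":
                name = f"component[{node.get('name')}]"
            parts.append(name)
            node = parents.get(node)
        return "/".join(reversed(parts))

    hits = []
    for element in ("Password", "AdministratorPassword"):
        for node in root.iter(q(element)):
            value = node.findtext(q("Value"))
            if value is not None:                    # <Value>/<PlainText> form (Shell-Setup)
                flag = node.findtext(q("PlainText"))
                plain = None if flag is None else flag.strip().lower() == "true"
                secret, in_clear = decode_password(value.strip(), plain, element)
            elif node.text and node.text.strip():    # bare <Password>text</Password> (UnattendedJoin)
                secret, in_clear = node.text.strip(), True
            else:
                continue
            owner = parents.get(node)
            user = domain = None
            if owner is not None:                    # sibling Username/Name and Domain, if present
                user = owner.findtext(q("Username")) or owner.findtext(q("Name"))
                domain = owner.findtext(q("Domain"))
            hits.append({"path": path(node), "user": user, "domain": domain,
                         "plaintext": in_clear, "password": secret})
    return hits


# Constructed answer file: a domain-join account in the clear, an encoded local admin
# password, and an AutoLogon password. Values are invented for this example.
ADMIN_B64 = encode_password("LocalAdm1n!", "AdministratorPassword")
SAMPLE_UNATTEND = f"""<unattend xmlns="{NS}">
  <settings pass="specialize">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification>
        <Credentials><Domain>corp.local</Domain><Password>Winter2024!</Password><Username>svc_deploy</Username></Credentials>
        <JoinDomain>corp.local</JoinDomain>
      </Identification>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword><Value>{ADMIN_B64}</Value><PlainText>false</PlainText></AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Password><Value>P@ssw0rd</Value><PlainText>true</PlainText></Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""

if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_UNATTEND):
        print(f"{hit['path']}: user={hit['user']} domain={hit['domain']} "
              f"clear={hit['plaintext']} password={hit['password']}")
```

Run it against C:\Windows\Panther\unattend.xml, C:\Windows\System32\Sysprep\unattend.xml and any image-build repositories; a non-empty result on a deployed host means the file was not removed after setup, which is exactly the leftover the report describes. The path column tells you which component owns the secret, so the domain-join account can be rotated separately from the local administrator password.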

Summary

Table of Contents: Case Summary, Analysts, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Command and Control, Exfiltration, Impact, Timeline, Diamond Model, Indicators, Detections, MITRE ATT&CK. Case Summary: The intrusion […]

The post From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion appeared first on The DFIR Report.