“…16 Valid Accounts - T1078, Visual Basic - T1059.005, Windows Command Shell - T1059.003, Windows Service - T1543.003. Internal case #TB33490 #PR36501”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1486 Data Encrypted for Impact
99%
“files. The transfer occurred over port 443, but the traffic was confirmed to be SFTP. On the fifth day the threat actor returned via Splashtop installed on one of the backup servers. From there they performed another network sweep using NetScan. They then used RDP to connect to s…”
T1003.001 LSASS Memory
99%
“do not indicate a full sync of all AD accounts, but likely the threat actor was checking to see if their privileged account existed across all domains and shared the same password, with a command similar to: lsadump::dcsync /domain:child.domain.example /user:domainadmi…”
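The DCSync command in the excerpt above leaves a trace on the domain controller that does not depend on which tool issued it. The following is an added example, not code from the DFIR Report write-up: it flags that trace in Security event 4662, namely the directory-replication control-access-right GUIDs in the Properties field being exercised by an account that is not a domain controller. The event dicts, host and account names, and the DC allowlist are constructed for the example; only the replication GUIDs are real.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example (not part of the DFIR Report write-up). A DCSync, as performed by
Mimikatz lsadump::dcsync, asks a domain controller for directory replication.
With Directory Service Access auditing enabled, the DC logs event 4662 whose
Properties field carries the control-access-right GUIDs that were exercised.
Only domain controllers (and a few replication services such as Entra Connect)
legitimately hold these rights, so any other account exercising them is a
strong signal. The events below are constructed for illustration.
"""
from dataclasses import dataclass

# Extended rights checked for directory replication (well-known GUIDs).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}


@dataclass(frozen=True)
class Finding:
    account: str          # DOMAIN\user that requested replication
    domain_nc: str        # naming context (domain) that was read
    rights: frozenset     # which replication rights were exercised


def is_replication_allowlisted(subject: str, allowlist: set[str]) -> bool:
    """Domain controller machine accounts replicate legitimately.

    The allowlist is an assumption of this example: in practice it is built
    from the DC computer accounts (NAME$) of every domain in the forest plus
    any directory-sync service accounts the organisation runs.
    """
    return subject.upper() in {a.upper() for a in allowlist}


def detect_dcsync(events: list[dict], allowlist: set[str]) -> list[Finding]:
    """One Finding per 4662 event that exercised a replication right from an
    account outside the allowlist."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # Properties is a whitespace separated list of access-mask codes and GUIDs.
        props = {p.strip("{}").lower() for p in ev.get("Properties", "").split()}
        used = REPLICATION_GUIDS & props
        if not used:
            continue
        subject = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if is_replication_allowlisted(subject, allowlist):
            continue
        findings.append(Finding(subject, ev.get("ObjectName", ""), frozenset(used)))
    return findings


# Constructed sample: a DC replicating normally, then one admin account pulling
# changes from two different domains (the cross-domain check the report describes),
# then an unrelated 4662 that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "CHILD", "SubjectUserName": "DC01$",
     "ObjectName": "%{DC=child,DC=example,DC=local}",
     "Properties": f"%%7688 {{{DS_REPLICATION_GET_CHANGES_ALL}}} {{{DS_REPLICATION_GET_CHANGES}}}"},
    {"EventID": 4662, "SubjectDomainName": "CHILD", "SubjectUserName": "domainadmin",
     "ObjectName": "%{DC=child,DC=example,DC=local}",
     "Properties": f"%%7688 {{{DS_REPLICATION_GET_CHANGES_ALL}}} {{{DS_REPLICATION_GET_CHANGES}}}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "domainadmin",
     "ObjectName": "%{DC=corp,DC=example,DC=local}",
     "Properties": f"%%7688 {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "domainadmin",
     "ObjectName": "%{CN=Policies,CN=System,DC=corp,DC=example,DC=local}",
     "Properties": "%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]
DC_ALLOWLIST = {"CHILD\\DC01$", "CORP\\DC01$"}

if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_EVENTS, DC_ALLOWLIST):
        print(f"DCSync by {f.account} against {f.domain_nc}: {sorted(f.rights)}")
```

Pairing the 4662 hit with the source computer of the matching 4624 logon on the DC tells you which host the dump was run from; the GUID match alone does not.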
T1003.001 LSASS Memory
99%
“…2fe167-e48d-4fd6-9974-11e5b9a5d6d1: LSASS Access From Non System Account; d9047477-0359-48c9-b8c7-792cedcdc9c4: PUA - NirCmd Execution As LOCAL SYSTEM; 4e2ed651-1906-4a59-a78a-18220fca1b22: PUA - NirCmd Execution; e37db05d-d1f9-49c8-b464-cee1a4b1…”
T1486 Data Encrypted for Impact
98%
“calculated to be: 2.03 GB. This volume aligns with the targeted exfiltration of data over a 40-minute time frame. While no Sysmon file create events were observed for the rclone configuration file, it could be seen from the MFT and NTFS artifacts that can be extracted from …”
T1003.001 LSASS Memory
98%
“…4fd6-9974-11e5b9a5d6d1: LSASS Access From Non System Account; d0d2f720-d14f-448d-8242-51ff396a334e: HackTool - Generic Process Access; 1c67a717-32ba-409b-a45d-0fb704a73a81: System Network Connections Discovery Via Net.EXE. Private rules: Suspicious NTFS syml…”
T1021.001 Remote Desktop Protocol
98%
“environment for initial or persistent access. Direct RDP access. From day one and initial access, the threat actor was observed continuously using RDP to maintain access to the compromised environment. They used it to establish interactive sessions throughout which they could e…”
T1003 OS Credential Dumping
97%
“…tutil cl system; cmd.exe /c wevtutil cl application. Credential access. As we observe in most of our intrusions, once the threat actor gained access to the RDP-exposed beachhead host via password spraying, they leveraged well-known credential harvesting tools, specifically M…”
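The excerpt above opens with two wevtutil clear-log commands. As an added example (not the report's code), the following pulls the cleared channels out of process command lines and names the event Windows itself writes when a log is cleared, so the clearing can be confirmed from a second source, or its absence noticed. The sample records and host names are constructed; the first two command lines follow the excerpt.

```python
"""Spot event-log clearing in process-creation telemetry.

Added example; not code from the report. It works over command lines as
recorded by Sysmon event 1 or Security event 4688 with command-line auditing
enabled. The report shows `wevtutil cl system` and `cmd.exe /c wevtutil cl
application`; the tokenizer below also catches the long form `clear-log`, a
quoted full path to the binary, and the PowerShell cmdlet `Clear-EventLog`.
For each hit it names the event the operating system writes about the clearing
itself. The sample records are constructed.
"""
import shlex

CLEAR_VERBS = {"cl", "clear-log"}


def cleared_channels(command_line: str) -> list[str]:
    """Return the event channels a command line asks to clear (empty if none)."""
    try:
        tokens = shlex.split(command_line, posix=False)   # keeps Windows quoting intact
    except ValueError:                                     # unbalanced quotes
        tokens = command_line.split()
    channels = []
    for i, tok in enumerate(tokens):
        # Reduce "C:\Windows\System32\wevtutil.exe" to wevtutil.exe
        exe = tok.strip('"\'').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in ("wevtutil", "wevtutil.exe"):
            if i + 2 < len(tokens) and tokens[i + 1].lower() in CLEAR_VERBS:
                channels.append(tokens[i + 2].strip('"\''))
        elif exe == "clear-eventlog" and i + 1 < len(tokens):
            nxt = tokens[i + 1]
            if nxt.lower() == "-logname" and i + 2 < len(tokens):
                channels.append(tokens[i + 2].strip('"\''))
            elif not nxt.startswith("-"):               # positional LogName
                channels.append(nxt.strip('"\''))
    return channels


def confirmation_event(channel: str) -> tuple[str, int]:
    """Where Windows records the clearing: event 1102 in the Security log when
    the Security channel is cleared, otherwise Microsoft-Windows-Eventlog
    event 104 in the System log naming the cleared channel."""
    return ("Security", 1102) if channel.lower() == "security" else ("System", 104)


def detect_log_clearing(records: list[dict]) -> list[dict]:
    """One hit per cleared channel across the given process-creation records."""
    hits = []
    for rec in records:
        for channel in cleared_channels(rec["CommandLine"]):
            log, event_id = confirmation_event(channel)
            hits.append({"host": rec["Computer"], "user": rec["User"], "channel": channel,
                         "command": rec["CommandLine"], "confirm_in": f"{log} event {event_id}"})
    return hits


# Constructed process-creation records; the first two mirror the report's commands.
SAMPLE_PROCESS_EVENTS = [
    {"Computer": "FS01", "User": "CORP\\domainadmin", "CommandLine": "wevtutil cl system"},
    {"Computer": "FS01", "User": "CORP\\domainadmin", "CommandLine": "cmd.exe /c wevtutil cl application"},
    {"Computer": "DC01", "User": "CORP\\domainadmin",
     "CommandLine": '"C:\\Windows\\System32\\wevtutil.exe" clear-log Security'},
    {"Computer": "WS07", "User": "CORP\\svc_backup",
     "CommandLine": "powershell.exe -NoP -C Clear-EventLog -LogName 'Application'"},
    {"Computer": "WS07", "User": "CORP\\helpdesk",
     "CommandLine": "wevtutil qe Security /c:5 /rd:true"},     # a query, not a clear
]

if __name__ == "__main__":
    for h in detect_log_clearing(SAMPLE_PROCESS_EVENTS):
        print(f"{h['host']} {h['user']} cleared {h['channel']!r}; expect {h['confirm_in']}")
```

If the process-creation record exists but the 104 or 1102 confirmation does not, either the clear failed (wevtutil needs administrative rights) or the confirmation itself was cleared afterwards; both are worth knowing.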
T1110.003 Password Spraying
97%
“note linking the ransom to the RansomHub group was dropped. The time to ransomware (TTR) for this intrusion was around 118 hours over six calendar days. Analysts: analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2. Initial access. The threat actor’s first …”
T1110.003 Password Spraying
97%
“Hide Your RDP: Password Spray Leads to RansomHub Deployment. Key takeaways: - Initial access was via a password spray attack against an exposed RDP server, targeting numerous accounts over a four-hour period. - Mimikat…”
T1486 Data Encrypted for Impact
97%
“any Hyper-V virtual machines running on the system, delete shadow copies, and events from a few Windows event channels. In addition, it leveraged built-in lateral movement capabilities to propagate to other hosts in the network through SMB; the -only-local flag was used to…”
T1046 Network Service Discovery
96%
“…the-land discovery command sequence on other hosts and servers. Advanced IP Scanner. The threat actor downloaded the Advanced IP Scanner from the official website; this can be observed from the Zeek/Suricata logs, specifically with the rule “ET ADWARE_PUP IP Scanner Tool Upd…”
T1080 Taint Shared Content
95%
“files. The transfer occurred over port 443, but the traffic was confirmed to be SFTP. On the fifth day the threat actor returned via Splashtop installed on one of the backup servers. From there they performed another network sweep using NetScan. They then used RDP to connect to s…”
T1486 Data Encrypted for Impact
94%
“…the intrusion, the threat actor did not clear all files they dropped, but they did pay special attention to specifically return to the file servers some 20 hours after exfiltration activity to remove the rclone-related files discussed in the exfiltration section. Along with the ex…”
T1021.001 Remote Desktop Protocol
94%
“hours, the threat actor attempted logins against multiple accounts using known malicious IPs (based on OSINT). Several hours later they then logged in via RDP with one of the previously compromised users and ran a series of discovery commands, including various net commands to …”
T1021.001 Remote Desktop Protocol
93%
“and subnet associations in Active Directory. dsa.msc – manage users, groups, computers, and organizational units (OUs) within an Active Directory domain. Lateral movement. RDP. Initial lateral movement within the victim network was achieved through the use of the Remote Desktop Pro…”
T1485 Data Destruction
91%
“…the intrusion, the threat actor did not clear all files they dropped, but they did pay special attention to specifically return to the file servers some 20 hours after exfiltration activity to remove the rclone-related files discussed in the exfiltration section. Along with the ex…”
T1059.001 PowerShell
89%
“script, rcl.bat. More details on this script will be explored in the exfiltration section. Batch script. rcl.bat was a batch script used to execute an rclone job. It receives further instructions on which files to exfiltrate from a file named include.txt. More details on this sc…”
T1219 Remote Access Tools
89%
“…m installations - endpoint detection logs or memory forensics. The forensic methods for extracting and interpreting this data are consistent with guidance outlined in Synacktiv’s forensic analysis of legitimate RATs, which describes how splog.txt supports attribution and beha…”
T1078.003 Local Accounts
88%
“…time > 11600 [handler] tf1, 32-200, 0x00026dd0 (0x00002ecc) <1> <redacted date> <redacted time> 11600 [handler] save logon user <redacted domain admin> at time <redacted date> <redacted time> <1> <redacted date> <redacted time> 11600 [handler] save log…”
T1080 Taint Shared Content
88%
“calculated to be: 2.03 GB. This volume aligns with the targeted exfiltration of data over a 40-minute time frame. While no Sysmon file create events were observed for the rclone configuration file, it could be seen from the MFT and NTFS artifacts that can be extracted from …”
T1080 Taint Shared Content
87%
“any Hyper-V virtual machines running on the system, delete shadow copies, and events from a few Windows event channels. In addition, it leveraged built-in lateral movement capabilities to propagate to other hosts in the network through SMB; the -only-local flag was used to…”
T1021.001 Remote Desktop Protocol
86%
“…m installations - endpoint detection logs or memory forensics. The forensic methods for extracting and interpreting this data are consistent with guidance outlined in Synacktiv’s forensic analysis of legitimate RATs, which describes how splog.txt supports attribution and beha…”
T1049 System Network Connections Discovery
86%
“tools like Advanced IP Scanner and SoftPerfect’s NetScan, and Microsoft Management Console applets. The classics: living-off-the-land commands. Living-off-the-land discovery command sequence in the beachhead RDP server. The threat actor utilized these commands to perf…”
T1059.001 PowerShell
86%
“…74cfeb3df72daabdf10e09f161ed1ffd21271 Detections. Network: ETPRO INFO Observed Atera Remote Access Application Activity Domain in TLS SNI; ET INFO Splashtop Domain (splashtop.com) in TLS SNI; ET INFO Splashtop Domain in DNS Lookup (splashtop.com); ETPRO INFO Observed Splashtop…”
T1070.004 File Deletion
81%
“…the intrusion, the threat actor did not clear all files they dropped, but they did pay special attention to specifically return to the file servers some 20 hours after exfiltration activity to remove the rclone-related files discussed in the exfiltration section. Along with the ex…”
T1486 Data Encrypted for Impact
81%
“tools execution: 8bf0aaee-e44e-4455-81d1-d46fb42ae889; Use of rclone to exfiltrate data over an SSH channel: 7019b8b4-d23e-4d35-b5fa-192ffb8cb3ee. YARA: binaryalert_hacktool_windows_mimikatz_copywrite, binaryalert_hacktool_windows_mimikatz_files, dite…”
T1482 Domain Trust Discovery
72%
“tools like Advanced IP Scanner and SoftPerfect’s NetScan, and Microsoft Management Console applets. The classics: living-off-the-land commands. Living-off-the-land discovery command sequence in the beachhead RDP server. The threat actor utilized these commands to perf…”
T1550.002 Pass the Hash
72%
“hours, the threat actor attempted logins against multiple accounts using known malicious IPs (based on OSINT). Several hours later they then logged in via RDP with one of the previously compromised users and ran a series of discovery commands, including various net commands to …”
T1567.002 Exfiltration to Cloud Storage
68%
“file servers to facilitate the exfiltration of data via SFTP. rclone was dropped along with multiple helper files that aided its execution: the nocmd.vbs file contained a set of VBS commands intended to execute the rcl.bat script: Set WshShell = CreateObject("WScript.Shell…”
T1018 Remote System Discovery
66%
“tools like Advanced IP Scanner and SoftPerfect’s NetScan, and Microsoft Management Console applets. The classics: living-off-the-land commands. Living-off-the-land discovery command sequence in the beachhead RDP server. The threat actor utilized these commands to perf…”
T1486 Data Encrypted for Impact
64%
“script, rcl.bat. More details on this script will be explored in the exfiltration section. Batch script. rcl.bat was a batch script used to execute an rclone job. It receives further instructions on which files to exfiltrate from a file named include.txt. More details on this sc…”
T1021.001 Remote Desktop Protocol
62%
“tools like Advanced IP Scanner and SoftPerfect’s NetScan, and Microsoft Management Console applets. The classics: living-off-the-land commands. Living-off-the-land discovery command sequence in the beachhead RDP server. The threat actor utilized these commands to perf…”
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
61%
“*.pst *.msg *.edb *.mbox. The following diagram visually demonstrates the execution chain of rclone. During the execution of rclone, outbound connections were observed to 38.180.245.207:443. Despite the port number, this traffic was in fact SFTP traffic being used to tra…”
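The SFTP-over-443 observation in this excerpt, and the 2.03 GB over 40 minutes quoted earlier on this page, are the kind of question a Zeek conn.log answers directly, because Zeek labels a flow by the protocol it actually saw rather than by the port. The following is an added example, not code from the report: it parses conn.log, flags 443 flows that Zeek did not classify as TLS, and totals what each internal host sent to each external peer together with the time span. The log lines are constructed for the example; only the external address and the volume and duration figures come from the report.

```python
"""Find SFTP-over-443 exfiltration in Zeek conn.log.

Added example; not code from the report. Zeek's dynamic protocol detection
labels a connection by what it speaks, so SSH (and therefore SFTP) carried over
TCP/443 is logged with service=ssh rather than ssl. The functions below parse
Zeek's tab-separated conn.log using its own #fields header, flag flows to 443
whose service is not TLS, and total the bytes each internal host sent to each
external peer, so the figure can be set beside what the file system says was
staged. The log lines are constructed; the external address and the
2.03 GB / 40 minute figures are the report's.
"""

TLS_SERVICES = {"ssl", "quic"}   # what belongs on 443


def parse_conn_log(text: str) -> list[dict]:
    """Parse a Zeek TSV log into dicts keyed by the names in its #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _num(value: str) -> float:
    """Zeek writes '-' for unset counts and intervals."""
    return float(value) if value not in ("-", "(empty)") else 0.0


def port443_not_tls(rows: list[dict]) -> list[dict]:
    """TCP flows to 443 that Zeek identified as something other than TLS.
    Flows Zeek could not identify at all (service '-') are left out here; they
    deserve a separate look, but most are failed or very short connections."""
    return [r for r in rows
            if r["id.resp_p"] == "443" and r["proto"] == "tcp" and r["service"] != "-"
            and not set(r["service"].split(",")) & TLS_SERVICES]


def exfil_summary(rows: list[dict]) -> dict:
    """Aggregate orig_bytes (client to server, i.e. what left the network) per
    (source, destination:port, service), with the window from the first
    connection start to the last connection end."""
    totals = {}
    for r in rows:
        key = (r["id.orig_h"], f"{r['id.resp_h']}:{r['id.resp_p']}", r["service"])
        start = float(r["ts"])
        end = start + _num(r["duration"])
        agg = totals.setdefault(key, {"bytes": 0, "flows": 0, "first": start, "last": end})
        agg["bytes"] += int(_num(r["orig_bytes"]))
        agg["flows"] += 1
        agg["first"] = min(agg["first"], start)
        agg["last"] = max(agg["last"], end)
    return totals


def _row(*cols) -> str:
    return "\t".join(str(c) for c in cols)


# Constructed conn.log excerpt (abbreviated field set). Two SSH sessions to the
# reported address on 443 carrying 2.03 GB in 40 minutes, one real TLS session,
# and one unanswered SYN that Zeek could not classify.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
         "service", "duration", "orig_bytes", "resp_bytes", "conn_state"),
    _row("#types", "time", "string", "addr", "port", "addr", "port", "enum",
         "string", "interval", "count", "count", "string"),
    _row("1731600000.000000", "CxA1", "10.10.20.15", "51522", "38.180.245.207", "443", "tcp",
         "ssh", "1500.000000", "1500000000", "2100000", "SF"),
    _row("1731601500.000000", "CxA2", "10.10.20.15", "51540", "38.180.245.207", "443", "tcp",
         "ssh", "900.000000", "530000000", "800000", "SF"),
    _row("1731600100.000000", "CxB1", "10.10.20.15", "51600", "203.0.113.10", "443", "tcp",
         "ssl", "2.100000", "1800", "5400", "SF"),
    _row("1731600200.000000", "CxC1", "10.10.30.7", "49188", "38.180.245.207", "443", "tcp",
         "-", "-", "-", "-", "S0"),
])

if __name__ == "__main__":
    flagged = port443_not_tls(parse_conn_log(SAMPLE_CONN_LOG))
    for (src, dst, svc), agg in exfil_summary(flagged).items():
        print(f"{src} -> {dst} as {svc}: {agg['bytes'] / 1e9:.2f} GB in {agg['flows']} flows "
              f"over {(agg['last'] - agg['first']) / 60:.0f} min")
```

The same `service != "ssl"` test on port 443 also surfaces plain HTTP, RDP or Splashtop-style tunnels that an operator has parked on 443 to pass an egress filter; the byte totals then tell you which of them moved enough data to matter.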
T1048 Exfiltration Over Alternative Protocol
61%
“tools execution: 8bf0aaee-e44e-4455-81d1-d46fb42ae889; Use of rclone to exfiltrate data over an SSH channel: 7019b8b4-d23e-4d35-b5fa-192ffb8cb3ee. YARA: binaryalert_hacktool_windows_mimikatz_copywrite, binaryalert_hacktool_windows_mimikatz_files, dite…”
T1047 Windows Management Instrumentation
59%
“ports are 135 (RPC), 445 (SMB), 3389 (RDP) and 137 (NetBIOS). From the same workstation, captured by Sysmon event ID 22, the tool was observed also making DNS requests for hosts around the network. During these executions, an artifact of NetScan share enumeration was obser…”
T1486 Data Encrypted for Impact
59%
“…ware operation, numerous Windows shell commands were executed. More details on this will be explored in the impact and defense evasion sections. The threat actor also executed common discovery commands such as nslookup, net and more. More details on this will be explored in the…”
T1046 Network Service Discovery
58%
“ports are 135 (RPC), 445 (SMB), 3389 (RDP) and 137 (NetBIOS). From the same workstation, captured by Sysmon event ID 22, the tool was observed also making DNS requests for hosts around the network. During these executions, an artifact of NetScan share enumeration was obser…”
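The port list and the Sysmon event 22 lookups in this excerpt describe what a NetScan sweep looks like in host telemetry: one connection per host per probed port from a single process in a short burst, plus reverse lookups for the hosts it found. As an added example (not the report's code), the following detects such a sweep from Sysmon event 3 connections and counts the DNS names the same process resolved via event 22. The events, host names and addresses are constructed.

```python
"""Detect a NetScan-style sweep in Sysmon network telemetry.

Added example; not code from the report. Sysmon event 3 records each outbound
connection with the image and process that made it; event 22 records the DNS
lookups the same process performed. The function slides a time window over
each process's connections to the ports the report lists (135, 445, 3389, 137)
and flags a process that touched many distinct hosts, attaching how many names
it also resolved. The sample events are constructed; addresses are private or
documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SCAN_PORTS = {135, 445, 3389, 137}   # RPC, SMB, RDP, NetBIOS
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"       # Sysmon UtcTime format


def parse_ts(utc_time: str) -> float:
    return datetime.strptime(utc_time, TS_FMT).replace(tzinfo=timezone.utc).timestamp()


def detect_scans(events, window_s=300, min_hosts=20, ports=SCAN_PORTS):
    """One finding per (computer, image, pid) whose connections to `ports`
    reached at least `min_hosts` distinct destinations inside `window_s`."""
    conns = defaultdict(list)   # (computer, image, pid) -> [(t, dst_ip, dst_port)]
    dns = defaultdict(set)      # same key -> distinct names queried
    for ev in events:
        key = (ev["Computer"], ev["Image"].rsplit("\\", 1)[-1].lower(), ev["ProcessId"])
        if ev["EventID"] == 3 and int(ev["DestinationPort"]) in ports \
                and ev.get("Initiated", "true") == "true":
            conns[key].append((parse_ts(ev["UtcTime"]), ev["DestinationIp"], int(ev["DestinationPort"])))
        elif ev["EventID"] == 22:
            dns[key].add(ev["QueryName"].lower())

    findings = []
    for key, rows in conns.items():
        rows.sort()
        lo, best = 0, None
        for hi in range(len(rows)):
            while rows[hi][0] - rows[lo][0] > window_s:   # shrink window from the left
                lo += 1
            window = rows[lo:hi + 1]
            hosts = {ip for _, ip, _ in window}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > best["hosts"]):
                best = {"computer": key[0], "image": key[1], "pid": key[2],
                        "hosts": len(hosts), "ports": sorted({p for _, _, p in window}),
                        "start": window[0][0], "end": window[-1][0],
                        "dns_names": len(dns.get(key, ()))}
        if best:
            findings.append(best)
    return findings


def build_sample():
    """Constructed telemetry: netscan.exe sweeping 40 hosts on four ports in two
    minutes and resolving three names, beside ordinary file-share and browser
    traffic that must not fire."""
    base = datetime(2024, 11, 14, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime(TS_FMT)[:-3]   # millisecond precision

    evs = []
    for i in range(1, 41):
        for j, port in enumerate((135, 445, 3389, 137)):
            evs.append({"EventID": 3, "Computer": "WS07", "Image": "C:\\Users\\Public\\netscan.exe",
                        "ProcessId": 4412, "UtcTime": stamp(i * 3 + j * 0.2), "Initiated": "true",
                        "DestinationIp": f"10.10.20.{i}", "DestinationPort": str(port)})
    for n, name in enumerate(("fs01.corp.example", "dc01.corp.example", "bkp01.corp.example")):
        evs.append({"EventID": 22, "Computer": "WS07", "Image": "C:\\Users\\Public\\netscan.exe",
                    "ProcessId": 4412, "UtcTime": stamp(10 + n), "QueryName": name})
    for i in range(1, 4):   # explorer.exe opening three file shares: normal
        evs.append({"EventID": 3, "Computer": "WS07", "Image": "C:\\Windows\\explorer.exe",
                    "ProcessId": 1200, "UtcTime": stamp(30 + i), "Initiated": "true",
                    "DestinationIp": f"10.10.20.{i}", "DestinationPort": "445"})
    evs.append({"EventID": 3, "Computer": "WS07", "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
                "ProcessId": 3300, "UtcTime": stamp(45), "Initiated": "true",
                "DestinationIp": "203.0.113.10", "DestinationPort": "443"})
    return evs


if __name__ == "__main__":
    for f in detect_scans(build_sample()):
        print(f"{f['computer']} {f['image']} pid={f['pid']}: {f['hosts']} hosts on ports {f['ports']}, "
              f"{f['dns_names']} DNS names, {f['end'] - f['start']:.0f}s")
```

Keying on the process rather than the host matters: a backup agent or vulnerability scanner will also touch many hosts on 445, but from a known image, so the allowlisting happens on `image` rather than by raising `min_hosts`.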
T1003 OS Credential Dumping
57%
“hours, the threat actor attempted logins against multiple accounts using known malicious IPs (based on OSINT). Several hours later they then logged in via RDP with one of the previously compromised users and ran a series of discovery commands, including various net commands to …”
T1080 Taint Shared Content
53%
“…ware operation, numerous Windows shell commands were executed. More details on this will be explored in the impact and defense evasion sections. The threat actor also executed common discovery commands such as nslookup, net and more. More details on this will be explored in the…”
T1003.001 LSASS Memory
51%
“…tutil cl system; cmd.exe /c wevtutil cl application. Credential access. As we observe in most of our intrusions, once the threat actor gained access to the RDP-exposed beachhead host via password spraying, they leveraged well-known credential harvesting tools, specifically M…”
T1567.002 Exfiltration to Cloud Storage
48%
“to additional hosts targeting backup servers, file servers, hypervisors, and more domain controllers. They utilized Mimikatz across several of these hosts, outputting CSV files named for the child domains the hosts belonged to. Based on the logs we assess this activity was likely …”
T1087.002 Domain Account
46%
“checking the documents on the file share servers and network shares. They were checking PDF and document files, utilizing viewers such as Google Chrome and Microsoft Edge for PDF files and Windows WordPad for DOC files. Documents accessed by the threat actor. The threat actor was …”
T1087.002 Domain Account
44%
“tools like Advanced IP Scanner and SoftPerfect’s NetScan, and Microsoft Management Console applets. The classics: living-off-the-land commands. Living-off-the-land discovery command sequence in the beachhead RDP server. The threat actor utilized these commands to perf…”
T1021.001 Remote Desktop Protocol
43%
“…ware operation, numerous Windows shell commands were executed. More details on this will be explored in the impact and defense evasion sections. The threat actor also executed common discovery commands such as nslookup, net and more. More details on this will be explored in the…”
T1563.002 RDP Hijacking
43%
“…m installations - endpoint detection logs or memory forensics. The forensic methods for extracting and interpreting this data are consistent with guidance outlined in Synacktiv’s forensic analysis of legitimate RATs, which describes how splog.txt supports attribution and beha…”
T1078 Valid Accounts
39%
“note linking the ransom to the RansomHub group was dropped. The time to ransomware (TTR) for this intrusion was around 118 hours over six calendar days. Analysts: analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2. Initial access. The threat actor’s first …”
T1564.006 Run Virtual Instance
38%
“any Hyper-V virtual machines running on the system, delete shadow copies, and events from a few Windows event channels. In addition, it leveraged built-in lateral movement capabilities to propagate to other hosts in the network through SMB; the -only-local flag was used to…”
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
37%
“environment for initial or persistent access. Direct RDP access. From day one and initial access, the threat actor was observed continuously using RDP to maintain access to the compromised environment. They used it to establish interactive sessions throughout which they could e…”
T1003 OS Credential Dumping
35%
“note linking the ransom to the RansomHub group was dropped. The time to ransomware (TTR) for this intrusion was around 118 hours over six calendar days. Analysts: analysis and reporting completed by @tas_kmanager, @iiamaleks and UC2. Initial access. The threat actor’s first …”
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
34%
“to additional hosts targeting backup servers, file servers, hypervisors, and more domain controllers. They utilized Mimikatz across several of these hosts, outputting CSV files named for the child domains the hosts belonged to. Based on the logs we assess this activity was likely …”
T1078 Valid Accounts
34%
“successful logons. The threat actor selected a user and performed a login, about four hours after the successful logon occurrences from the password spray activities. The user will be referred to as the initial access user from this point in this report. Note that the threat actor is us…”
T1564.006 Run Virtual Instance
33%
“calculated to be: 2.03 GB. This volume aligns with the targeted exfiltration of data over a 40-minute time frame. While no Sysmon file create events were observed for the rclone configuration file, it could be seen from the MFT and NTFS artifacts that can be extracted from …”
T1071.001 Web Protocols
32%
“…2e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c nocmd.vbs 8e0b1f8390acb832dbf3abadeb7e5fd3 02e6ff95949fdf341daee846820d40289ab65985 4775dfb24f85f5d776f538018a98cc6a9853a1840f5c00b7d0c54695f03a11d9 rcl.bat 1cc1534b70b8d2b99b69a721c83e586a 6ac2d77631f775797cd0029e199a5d…”
T1552 Unsecured Credentials
32%
“…tutil cl system; cmd.exe /c wevtutil cl application. Credential access. As we observe in most of our intrusions, once the threat actor gained access to the RDP-exposed beachhead host via password spraying, they leveraged well-known credential harvesting tools, specifically M…”
T1654 Log Enumeration
31%
“…cate_may21 susp_gobfuscate_may21. MITRE ATT&CK: Clear Windows Event Logs - T1070.001, Data Encrypted for Impact - T1486, DCSync - T1003.006, Domain Account - T1087.002, Domain Groups - T1069.002, Domain Trust Discovery - T1482, Exfiltration Over Alternative Protocol - T1048…”
Summary
Key Takeaways. Case Summary: This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted logins against multiple accounts using known malicious IPs (based on OSINT). Several hours later they then logged in via RDP with one of the previously […]