Tactics, Techniques and Procedures for  Blackbasta



Sponsored by Hudson RockUse Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are impacting your business

Initial Access (TA0001) Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004)
Phishing: Spear phishing Attachment (T1566.001)
Victims receive spear phishing emails with attached malicious zip files - typically password protected. That contains malicious doc including .doc, .pdf, .xls
System Services: Service Execution (T1569.002)
Black Basta has installed and used PsExec to execute payloads on remote hosts.
Create Account (T1136)
Black Basta threat actors created accounts with names such as temp, r, or admin.
Domain Policy Modification: Group Policy Modification (T1484.001)
Black Basta can modify group policy for privilege escalation and defense evasion.
Windows Management Instrumentation (T1047)
Utilizes Invoke-TotalExec to push out the ransomware binary.
Account Manipulation (T1098)
Added newly created accounts to the administrators' group to maintain elevated access.
Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)
Black Basta used Qakbot, which has the ability to exploit Windows 7 Calculator to execute malicious payloads.
Command and Scripting Interpreter: PowerShell (T1059.001)
Black Basta has encoded PowerShell scripts to download additional scripts.
Create or Modify System Process: Windows Service (T1543.003)
Creates benign-looking services for the ransomware binary.
Create or Modify System Process: Windows Service (T1543.003)
Creates benign-looking services for the ransomware binary.
Hijack Execution Flow: DLL Search Order Hijacking (T1574.001)
Black Basta used Qakbot, which has the ability to exploit Windows 7 Calculator to execute malicious payloads.

This information is provided by Crocodyli or Ransomware.live