Tactics, Techniques and Procedures for Royal




Tactics covered: Initial Access (TA0001), Execution (TA0002), Persistence (TA0003), Privilege Escalation (TA0004), Defense Evasion (TA0005), Discovery (TA0007), Lateral Movement (TA0008), Exfiltration (TA0010), Command and Control (TA0011), Impact (TA0040)
Phishing: Spearphishing Attachment (T1566.001)
A spearphishing email was sent to employees.
Command and Scripting Interpreter: Windows Command Shell (T1059.003)
Qbot was launched through the Windows Command Shell with cmd.exe.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
The Qbot DLL was added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Domain Accounts (T1078.002)
Royal ransomware operators used (privileged) domain accounts for lateral movement.
Obfuscated Files or Information: HTML Smuggling (T1027.006)
A password-protected file containing an ISO image, which in turn held a hidden file that was used in combination with an LNK file to execute Qbot.
Account Discovery: Local Account (T1087.001)
The FindLocalAdmin PowerSploit script was used to find local administrator accounts on workstations/servers.
Remote Services: SMB/Windows Admin Shares (T1021.002)
Remote admin shares (C$) were mounted from the patient-zero workstation.
Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
Royal ransomware operators used Mega Cloud Storage and Dropbox to exfiltrate data from multiple hosts.
Application Layer Protocol (T1071)
Cobalt Strike uses peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol.
Data Encrypted for Impact (T1486)
Royal ransomware encrypted files on systems with the .royal extension.
Command and Scripting Interpreter: PowerShell (T1059.001)
Cobalt Strike was executed through encoded PowerShell commands.
Create or Modify System Process: Windows Service (T1543.003)
Cobalt Strike was installed as a Windows service on multiple systems.
Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
Royal ransomware operators executed a known UAC bypass that abuses a default scheduled task to launch PowerShell with escalated privileges.
Domain Accounts (T1078.002)
Royal ransomware operators used domain accounts for lateral movement.
Account Discovery: Domain Account (T1087.002)
Users and groups were enumerated with built-in Windows utilities and with AdFind software.
Use Alternate Authentication Material: Pass the Hash (T1550.002)
The Royal ransomware operators leveraged credential hashes from privileged accounts to perform lateral movement.
Application Layer Protocol: Web Protocols (T1071.001)
Qbot and Cobalt Strike used HTTPS traffic for their C2 communication.
Process Injection (T1055)
Qbot and Cobalt Strike were both injected into legitimate Windows processes.
Domain Trust Discovery (T1482)
Domain trust was enumerated with built-in Windows utilities.
Valid Accounts: Domain Accounts (T1078.002)
Several (privileged) domain accounts were used during the attack for lateral movement and deployment of ransomware.
Network Share Discovery (T1135)
Network shares were enumerated with PowerSploit software.
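As an added defender-side example (not from the page or from Ransomware.live), the Python below triages constructed process-creation command lines for two of the techniques listed above: it decodes a PowerShell -EncodedCommand payload (T1059.001) and flags command lines that write to the HKCU Run key (T1547.001). The sample lines, the indicator strings and the helper names are assumptions made for this example.

```python
"""Triage constructed process-creation command lines for two techniques seen in
the Royal chain: encoded PowerShell (T1059.001) and Run-key persistence (T1547.001)."""
import base64
import re

# Registry path used for HKCU/HKLM Run-key persistence (assumed detection scope).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.I)
# Strings that commonly appear around encoded loaders; a triage hint, not proof.
INDICATORS = ("invoke-expression", "iex", "downloadstring", "frombase64string",
              "-nop", "-w hidden", "-windowstyle hidden")


def _is_encoded_switch(token: str) -> bool:
    """powershell.exe accepts any prefix of -EncodedCommand (-e, -enc, ...) and -ec."""
    name = token.lstrip("-/").lower()
    return token[:1] in "-/" and name != "" and ("encodedcommand".startswith(name) or name == "ec")


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script if cmdline carries an encoded payload, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):          # the payload must follow the switch
        if _is_encoded_switch(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")      # PowerShell encodes as UTF-16LE
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(cmdline: str) -> dict:
    """Classify one command line: matched technique IDs, decoded script, indicators."""
    decoded = decode_encoded_powershell(cmdline)
    haystack = (cmdline + " " + (decoded or "")).lower()
    techniques = []
    if decoded is not None:
        techniques.append("T1059.001")
    if RUN_KEY_RE.search(cmdline):
        techniques.append("T1547.001")
    return {"techniques": techniques, "decoded": decoded,
            "indicators": [s for s in INDICATORS if s in haystack]}


# Constructed samples (not from the page). The encoded payload is the harmless
# script below, encoded here so the base64 is exact; the reg line mimics a
# Run-key entry that loads a DLL through rundll32.
SAMPLE_SCRIPT = "IEX (Get-Content demo.ps1 -Raw)"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
SAMPLES = [
    f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}",
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d "rundll32 C:\Users\Public\x.dll,DllMain"',
    "cmd.exe /c dir C:\\",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line))
```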

This information is provided by Crocodyli or Ransomware.live