Tactics, Techniques and Procedures for  Threeam



Sponsored by Hudson RockUse Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are impacting your business

Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005) Discovery (TA0007) Exfiltration (TA0010) Impact (TA0040)
Create Account (T1136)
The threat actor using the 3AM ransomware performed account creation to ensure persistence.
Bypass User Account Control (T1548.002)
The threat actor may use Cobalt Strike for a series of known techniques to bypass Windows UAC.
Disable or Modify System Firewall Settings (T1562.004)
The threat actor uses commands to set the discovery policy of other hosts on the network, altering the Firewall policy.
Network Share Discovery (T1135)
The threat actor executed reconnaissance commands like 'whoami, netstat, quser, net view, and net share' to enumerate other servers.
Exfiltration Over Alternative Protocol (T1048)
The threat actor used the 'Wput' tool to exfiltrate files from the victim to their own server via FTP.
Inhibit System Recovery (T1490)
The 3AM ransomware deletes volume shadow copies on the disk and backups through the commands presented in the analysis.
Service Execution (T1543.003)
The threat actor used PsExec to take advantage of a Windows service to escalate from administrator privileges to SYSTEM.
Clear Windows Event Logs (T1070.001)
The executable clears Windows event logs after its execution.
Group Policy Discovery (T1615)
The threat actor used commands like 'gpresult' to dump applied policy settings on the computer for a user (Group Policy).
Data Encrypted for Impact (T1486)
The ransomware encrypts files and appends the '.threeamtime' extension after encryption.
Remote System Discovery (T1018)
Utilizes Advanced IP Scanner and MASSCAN to discover remote systems.

This information is provided by Crocodyli or Ransomware.live