Tactic | Technique | Observation
---|---|---
Initial Access (TA0001) | Phishing: Spearphishing Attachment (T1566.001) | A spearphishing email was sent to employees.
Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | Qbot was launched through the Windows Command Shell (cmd.exe).
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | Cobalt Strike was executed through encoded PowerShell commands.
Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | The Qbot DLL was added to `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`.
Persistence (TA0003) | Create or Modify System Process: Windows Service (T1543.003) | Cobalt Strike was installed as a Windows service on multiple systems.
Privilege Escalation (TA0004) | Valid Accounts: Domain Accounts (T1078.002) | Royal ransomware operators used (privileged) domain accounts for lateral movement.
Privilege Escalation (TA0004) | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) | Royal ransomware operators executed a known UAC bypass that abuses a default scheduled task to launch PowerShell with elevated privileges.
Privilege Escalation (TA0004) / Defense Evasion (TA0005) | Process Injection (T1055) | Qbot and Cobalt Strike were both injected into legitimate Windows processes.
Defense Evasion (TA0005) | Obfuscated Files or Information: HTML Smuggling (T1027.006) | A password-protected file containing an ISO file with a hidden file was used in combination with an LNK file to execute Qbot.
Defense Evasion (TA0005) | Valid Accounts: Domain Accounts (T1078.002) | Royal ransomware operators used domain accounts for lateral movement.
Discovery (TA0007) | Account Discovery: Local Account (T1087.001) | The FindLocalAdmin PowerSploit script was used to find local administrator accounts on workstations and servers.
Discovery (TA0007) | Account Discovery: Domain Account (T1087.002) | Users and groups were enumerated with built-in Windows utilities and with AdFind.
Discovery (TA0007) | Domain Trust Discovery (T1482) | Domain trusts were enumerated with built-in Windows utilities.
Discovery (TA0007) | Network Share Discovery (T1135) | Network shares were enumerated with PowerSploit.
Lateral Movement (TA0008) | Remote Services: SMB/Windows Admin Shares (T1021.002) | Remote admin shares (C$) were mounted from the Patient 0 workstation.
Lateral Movement (TA0008) | Use Alternate Authentication Material: Pass the Hash (T1550.002) | The Royal ransomware operators leveraged credential hashes from privileged accounts to perform lateral movement.
Lateral Movement (TA0008) | Valid Accounts: Domain Accounts (T1078.002) | Several (privileged) domain accounts were used during the attack for lateral movement and deployment of the ransomware.
Exfiltration (TA0010) | Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) | Royal ransomware operators used Mega cloud storage and Dropbox to exfiltrate data from multiple hosts.
Command and Control (TA0011) | Application Layer Protocol (T1071) | Cobalt Strike uses peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol.
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Qbot and Cobalt Strike used HTTPS traffic for their C2 communication.
Impact (TA0040) | Data Encrypted for Impact (T1486) | Royal ransomware encrypted files on systems with the .royal extension.
This information is provided by Crocodyli or Ransomware.live