# Incident Report: Cobalt Strike and SOCKS Proxies Leading to LockBit Ransomware
## Executive Summary
This intrusion, commencing with a user-executed Cobalt Strike beacon disguised as a legitimate utility in late January 2024, evolved over eleven days into a full-scale LockBit ransomware deployment. Attackers successfully established command and control via SystemBC proxies, escalated privileges, disabled security controls like Windows Defender, and exfiltrated data via multiple cloud and FTP services before encrypting the environment.
## Incident Details
- Discovery Date: **Between January 27, 2024, and the final impact** (precise discovery date not explicitly stated; activity started late January 2024)
- Incident Date: **Late January 2024** (Initial execution noted)
- Affected Organization: **Undisclosed**
- Sector: **Undisclosed**
- Geography: **Undisclosed**
## Timeline of Events
### Initial Access
- **Date/Time:** Late January 2024
- **Vector:** User execution of a malicious file.
- **Details:** A user downloaded and executed `setup_wm.exe`, which was a Cobalt Strike beacon masquerading as the legitimate Microsoft Windows Media Configuration Utility. An outbound connection was immediately established.
### Lateral Movement
- **Date/Time:** Approximately 30 minutes post-initial execution (Discovery phase).
- **Vector:** Leveraged SMB and remote services utilizing the initially compromised user's elevated permissions.
- **Details:** Deployed SystemBC and GhostSOCKS proxies onto a domain controller. Later moved laterally to a file server using remote services with the same initial account, deploying a separate PowerShell beacon and additional proxies. Used WMI commands remotely to disable Defender.
### Data Exfiltration/Impact
- **Date/Time:** Throughout the 11-day intrusion window.
- **Details:** Attackers attempted initial data transfers via FTP, which failed, before successfully exfiltrating data using Rclone to **MEGA.io**. A second successful FTP exfiltration occurred later.
- **Date/Time:** 11th day of intrusion.
- **Impact:** **LockBit ransomware was deployed across the entire environment.**
### Detection & Response
- **How it was discovered:** Initial detection noted Windows Defender flagging SystemBC and GhostSOCKS on the domain controller (though one proxy, SystemBC, remained active). Registry modifications to Windows Defender settings indicated adversary activity.
- **Response actions taken:** Not explicitly listed, but implied actions involved handling the ransomware event and cleaning established persistence mechanisms.
## Attack Methodology
- **Initial Access:** Masquerading/Malicious File Execution (Cobalt Strike beacon disguised as Windows Media Configuration Utility).
- **Persistence:** Created scheduled tasks to re-execute SystemBC and GhostSOCKS proxies; Cobalt Strike beacon access.
- **Privilege Escalation:** Implied by the initial user already holding elevated permissions, which allowed immediate deployment onto a domain controller. Code injection into the `WUAUCLT.exe` process.
- **Defense Evasion:** Disabled Windows Defender real-time monitoring via registry modification (Local Group Policy Editor examination noted) and WMI commands. Used proxy tools (SystemBC/GhostSOCKS) for C2.
- **Credential Access:** Extracted credentials from the LSASS process. Discovered credentials stored in a sensitive document on a file share.
- **Discovery:** Executed `nltest` to locate domain controllers; used `Task Manager` and `Local Group Policy Editor`.
- **Lateral Movement:** Used SMB and remote services (leveraging compromised credentials) to reach the file server; used RDP over established proxy tunnels.
- **Collection:** Loaded Seatbelt and SharpView CLR modules into memory; explored file shares.
- **Exfiltration:** Used Rclone for initial cloud exfiltration (MEGA.io) and leveraged subsequent FTP transfers.
- **Impact:** Data encryption via LockBit ransomware deployment.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Sensitive documents containing stored credentials were discovered and data was exfiltrated (type/volume not quantified).
- **Operational:** Complete operational disruption due to LockBit ransomware deployment across the environment on the 11th day.
- **Reputational:** Dependent on public disclosure; significant impact is implied by the ransomware deployment.
## Indicators of Compromise
- **Network indicators:** Cobalt Strike C2 communication channels (varied C2 servers noted).
- **File indicators:** `setup_wm.exe`, Cobalt Strike PowerShell beacon, SystemBC proxy, GhostSOCKS proxy.
- **Behavioral indicators:** Elevated System Shell Spawned From Uncommon Parent Location, NTDS Abuse, Registry modification of Windows Defender settings, Process Injection into `WUAUCLT.exe`.
## Response Actions
- **Containment measures:** Initial detection/blocking of proxy tools by Windows Defender, although SystemBC evaded complete blocking. Implied isolation of compromised hosts following ransomware deployment.
- **Eradication steps:** Removal of SystemBC/GhostSOCKS scheduled tasks and subsequent cleanup post-ransomware event (details unstated).
- **Recovery actions:** Recovery from LockBit encryption (details unstated).
## Lessons Learned
- Persistent threats successfully leveraged legitimate-looking execution methods to gain high-level access.
- Advanced evasion techniques were successful, including deploying proxies (SystemBC/GhostSOCKS) and disabling core security features like Windows Defender.
- The actor successfully used multiple exfiltration channels (FTP, MEGA.io) after initial attempts failed.
## Recommendations
- Implement stronger controls restricting the execution of unfamiliar or user-downloaded programs, even if they display legitimate icons/names (improving execution control).
- Review and harden Windows Defender configurations; ensure real-time monitoring and tamper protection are fully enforced across GPOs and local settings.
- Enhance monitoring for proxy tool exploitation (e.g., SystemBC) and unusual scheduled task creation, especially those tied to network services.
- Implement network segmentation to limit lateral movement capabilities once an initial host is compromised.
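The registry-based Defender tampering and scheduled-task persistence listed under Attack Methodology are the two behaviours the monitoring recommendations above call out. The Python below is an added example, not code from the report, that triages constructed event records for them; field names follow Sysmon EventID 13 (registry value set) and Windows Security EventID 4698 (scheduled task created), while the trusted-directory allow-list, hostnames, task names and paths are assumptions of this example.

```python
"""Detection sketch for the tampering and persistence described above: Defender
switched off through policy registry values, and proxies re-launched by tasks.
Added example, not the report's code; events are constructed dicts shaped like
Sysmon EventID 13 (registry value set) and Security EventID 4698 (task created)."""
import re
# Defender policy values under HKLM that disable protection when set to 1
DEFENDER_POLICY_RE = re.compile(
    r"\\Policies\\Microsoft\\Windows Defender\\"
    r"(Real-Time Protection\\DisableRealtimeMonitoring|DisableAntiSpyware)$", re.I)
# Task actions outside these directories get flagged (assumed allow-list)
TRUSTED_TASK_DIRS = ("c:\\windows\\", "c:\\program files\\")
TASK_CMD_RE = re.compile(r"<Command>(.*?)</Command>", re.I | re.S)

def check_registry(ev):
    """Sysmon 13: DWORD 1 written to a Defender disable policy value."""
    if (ev.get("EventID") == 13 and DEFENDER_POLICY_RE.search(ev.get("TargetObject", ""))
            and ev.get("Details") == "DWORD (0x00000001)"):
        return f"defender_disabled_via_registry host={ev['Computer']} image={ev['Image']}"
    return None

def check_task(ev):
    """Security 4698: task whose <Command> runs from an untrusted directory."""
    if ev.get("EventID") != 4698:
        return None
    m = TASK_CMD_RE.search(ev.get("TaskContent", ""))
    cmd = m.group(1).strip().strip('"').lower() if m else ""
    if not cmd.startswith(TRUSTED_TASK_DIRS):
        return f"untrusted_scheduled_task host={ev['Computer']} task={ev['TaskName']} cmd={cmd}"
    return None

def triage(events):
    """Run both checks over every event and return the alert strings in order."""
    return [hit for ev in events for chk in (check_registry, check_task) if (hit := chk(ev))]

# Constructed sample events; hostnames, task names and paths are placeholders
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "DC01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "WS07", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 4698, "Computer": "DC01", "TaskName": r"\Updater",
     "TaskContent": r'<Task><Actions><Exec><Command>"C:\Users\Public\proxy.exe"</Command></Exec></Actions></Task>'},
    {"EventID": 4698, "Computer": "WS07", "TaskName": r"\Microsoft\Windows\Maintenance",
     "TaskContent": r"<Task><Actions><Exec><Command>C:\Windows\System32\svchost.exe</Command></Exec></Actions></Task>"},
]
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```

Event 4698 is only logged when the "Audit Other Object Access Events" subcategory is enabled, so confirm that audit policy is in place before relying on the task check.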