Full Report
Gain insight into the latest attack trends, techniques, and procedures our Incident Response experts are actively facing with the brand new TTP Briefing, a report built on frontline threat intelligence from our global incident response (IR) investigations, enriched by noteworthy detections from our SOC.
Analysis Summary
# Tool/Technique: AnyDesk
## Overview
A commercial remote access tool frequently observed being used by threat actors to establish persistence following initial compromise.
## Technical Details
- Type: Attack Tool
- Platform: Windows (Inferred, as common in corporate incidents)
- Capabilities: Remote desktop control, command execution, persistence mechanism.
- First Seen: Not specified in the article (Common commercial tool).
## MITRE ATT&CK Mapping
*Analysis suggests mapping for Remote Access Tools used for persistence:*
- TA0003 - Persistence
- T1543.003 - Create or Modify System Process: Windows Service
- T1021 - Remote Services (General category for remote access)
## Functionality
### Core Capabilities
- Establishing remote connectivity to compromised machines.
- Being leveraged by threat actors to maintain unauthorized access (persistence).
### Advanced Features
- Not detailed from the attacker's perspective, but as a legitimate tool, it offers screen sharing, file transfer, and remote control.
## Indicators of Compromise
- File Hashes: N/A
- File Names: AnyDesk (referencing the binary execution)
- Registry Keys: N/A
- Network Indicators: N/A (Specific C2 details not provided)
- Behavioral Indicators: Execution and configuration of legitimate remote access/management software for adversarial purposes.
## Associated Threat Actors
- Unspecified, but used broadly across various observed incidents reported in the TTP Briefing period (Jan-May).
## Detection Methods
- Behavioral detection identifying unexpected execution or configuration changes associated with remote access tools.
- Signature-based detection for known files/hashes of the threat actor's deployed variant (if customized).
## Mitigation Strategies
- Strict network segmentation and access control lists (ACLs) to limit who can communicate with known remote management software ports.
- Monitoring and restricting the installation/execution of unapproved administrative tools like AnyDesk, MeshAgent, and ScreenConnect.
- Implementing application allow-listing policies.
## Related Tools/Techniques
- MeshAgent
- ScreenConnect
***
# Tool/Technique: RClone
## Overview
A command-line program used primarily for copying and synchronizing files and directories to and from various cloud storage providers; observed being used by threat actors for data exfiltration.
## Technical Details
- Type: Attack Tool (Legitimate utility used maliciously)
- Platform: Cross-platform (Commonly used on Windows systems in IR cases)
- Capabilities: Transferring data between local systems and cloud storage endpoints.
- First Seen: Not specified in the article.
## MITRE ATT&CK Mapping
*Mapping related to data movement and exfiltration:*
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- T1048 - Exfiltration Over Alternative Protocol (If cloud storage protocols are considered alternative to direct C2)
## Functionality
### Core Capabilities
- Moving data securely to cloud storage services controlled by the adversary.
- Facilitating large-scale data staging prior to exfiltration.
### Advanced Features
- Ability to handle encryption and use multiple supported cloud services seamlessly.
## Indicators of Compromise
- File Hashes: N/A
- File Names: RClone (referencing the binary execution)
- Registry Keys: N/A
- Network Indicators: Connections to known cloud storage infrastructure domains (Requires specific investigation).
- Behavioral Indicators: Suspicious bulk file operations targeting sensitive data directories followed by outbound network activity to cloud services.
## Associated Threat Actors
- Unspecified, observed broadly across various incidents.
## Detection Methods
- Behavioral detection focusing on the execution of RClone outside of approved IT department procedures.
- Monitoring outbound network connections initiated by RClone.
## Mitigation Strategies
- Network egress filtering to restrict communication with non-business critical cloud storage services.
- Monitoring file system utilization metrics for suspicious high-volume file activity.
## Related Tools/Techniques
- WinSCP
***
# Tool/Technique: WinSCP
## Overview
A popular graphical and command-line SFTP, FTP, SCP, and WebDAV client for Windows, identified in IR investigations as a tool used for data exfiltration.
## Technical Details
- Type: Attack Tool (Legitimate utility used maliciously)
- Platform: Windows
- Capabilities: Secure file transfer client facilitating data staging and exfiltration.
- First Seen: Not specified in the article.
## MITRE ATT&CK Mapping
*Mapping related to data movement and exfiltration:*
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (if using SFTP/SCP over standard internet channels)
## Functionality
### Core Capabilities
- Securely transferring sensitive files off the compromised network.
### Advanced Features
- Support for multiple secure protocols (SFTP/SCP).
## Indicators of Compromise
- File Hashes: N/A
- File Names: WinSCP (referencing the binary execution)
- Registry Keys: N/A
- Network Indicators: N/A (Traffic typically blends with legitimate SCP/SFTP traffic)
- Behavioral Indicators: Execution of the WinSCP client targeting external server addresses/credentials not registered in organizational controls.
## Associated Threat Actors
- Unspecified, observed broadly across various incidents.
## Detection Methods
- Application whitelisting to prevent unauthorized execution of file transfer utilities.
- Monitoring for connections to external SFTP/SCP servers from endpoints.
## Mitigation Strategies
- Restricting execution privileges for users who do not require file transfer capabilities.
- Monitoring outbound connections on ports commonly associated with SFTP (e.g., TCP/22).
## Related Tools/Techniques
- RClone
***
# Tool/Technique: Mimikatz and LSASS Dumping
## Overview
The use of the well-known credential access tool Mimikatz, often in conjunction with techniques to dump the contents of the Local Security Authority Subsystem Service (LSASS) process memory, observed during the escalation stage of intrusions.
## Technical Details
- Type: Attack Tool / Technique
- Platform: Windows
- Capabilities: Extracting plaintext passwords, hashes, PINs, and Kerberos tickets from memory.
- First Seen: N/A (Classic technique)
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1003 - OS Credential Dumping
- T1003.001 - OS Credential Dumping: LSASS Memory
## Functionality
### Core Capabilities
- Harvesting credentials from various processes, focusing heavily on the LSASS process memory space.
### Advanced Features
- Bypassing user-mode API hooking by targeting raw memory structures.
## Indicators of Compromise
- File Hashes: N/A (Often run in memory or dropped transiently)
- File Names: ProcDump, specific Mimikatz modules, common names for memory dumps (e.g., `*.dmp`)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Direct process memory access attempts on LSASS by unauthorized processes; creation of large memory dump files.
## Associated Threat Actors
- Ubiquitous across many threat groups.
## Detection Methods
- Monitoring for system calls that allow read access to the LSASS process handle (e.g., `OpenProcess` with `PROCESS_VM_READ`).
- Detection of known Mimikatz signatures or memory artifacts.
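The handle-access check described above, as an added example that is not part of the original briefing: it scans constructed, flattened process-access events (a `key=value|key=value` layout assumed here, not Sysmon's native XML) and flags any non-allow-listed process that obtained `PROCESS_VM_READ` (mask bit 0x0010) on `lsass.exe`. The allow-list entries are assumptions to be tuned per environment.

```python
import re

# Bit in the Windows process access mask that grants memory reads (PROCESS_VM_READ).
PROCESS_VM_READ = 0x0010

# Processes that routinely open LSASS on a typical host (assumption: tune per environment).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Assumed flattened event layout: key=value pairs separated by '|'.
FIELD_RE = re.compile(r"(\w+)=([^|]*)")

def parse_event(line):
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def is_suspicious_lsass_access(event):
    target = event.get("TargetImage", "").lower()
    source = event.get("SourceImage", "").lower()
    if not target.endswith(r"\lsass.exe"):
        return False
    try:
        granted = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False  # malformed mask: not enough information to alert on
    if not granted & PROCESS_VM_READ:
        return False  # handle cannot read memory (e.g. 0x1000 = QUERY_LIMITED_INFORMATION)
    return source not in ALLOWED_SOURCES

def find_suspicious(lines):
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    "EventID=10|SourceImage=C:\\Windows\\System32\\wininit.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000",
    "EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\procdump64.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1FFFFF",
    "EventID=10|SourceImage=C:\\Users\\bob\\tool.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1400",
    "EventID=10|SourceImage=C:\\Users\\bob\\tool.exe|TargetImage=C:\\Windows\\System32\\svchost.exe|GrantedAccess=0x1FFFFF",
]
```

Only the ProcDump line is reported: the allow-listed full-access handle and the 0x1000/0x1400 masks (no read bit) are not.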
## Mitigation Strategies
- Credential Guard (Windows feature) to isolate LSASS secrets from the rest of the operating system.
- Implementing Privileged Access Workstations (PAWs) to limit where credential harvesting can occur.
- Removing local administrator rights from typical user accounts.
## Related Tools/Techniques
- Credentials Abuse (General Tactic)
***
# Technique: Living-off-the-Land Binaries (LOLBins) Utilization
## Overview
The adversary practice of leveraging legitimate, built-in operating system tools (LOLBins) to perform malicious actions such as lateral movement, deployment of other tools, or evading detection, noted in 18% of analyzed cases.
## Technical Details
- Type: Technique
- Platform: Windows (primarily)
- Capabilities: Executing malicious payloads, establishing persistence, moving laterally, or deploying software without introducing new executables.
- First Seen: N/A (Long-standing technique)
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1218 - Signed Binary Proxy Execution (Often covers LOLBins)
- TA0008 - Lateral Movement
- T1021 - Remote Services (When used with native tools)
## Functionality
### Core Capabilities
- Avoiding signature-based detection by using trusted, signed, and whitelisted binaries.
- Performing post-exploitation activities covertly.
### Advanced Features
- Chain execution of multiple LOLBins to achieve complex objectives (e.g., reconnaissance, moving files, and establishing beacons).
## Indicators of Compromise
- File Hashes: N/A
- File Names: Powershell.exe, cmd.exe, bitsadmin.exe, certutil.exe, mshta.exe, etc.
- Registry Keys: N/A
- Network Indicators: Inbound/outbound traffic associated with legitimate utilities performing suspicious actions (e.g., BITSAdmin downloading payloads).
- Behavioral Indicators: Unusual parent-child process relationships (e.g., Word spawning cmd.exe, or PowerShell executing encoded commands).
## Associated Threat Actors
- Virtually all advanced threat actors leverage LOLBins.
## Detection Methods
- Behavioral analysis focusing on command-line arguments and context (e.g., PowerShell running heavily encoded scripts).
- Monitoring for execution anomalies of trusted binaries.
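The parent-child and command-line checks listed above, as an added example that is not part of the original briefing: it evaluates constructed process-creation records for an Office parent spawning a LOLBin, for PowerShell launched with `-EncodedCommand` (decoding the base64 UTF-16LE payload for analyst context), and for a `bitsadmin /transfer` job. The sets of parent and LOLBin names are assumptions to extend per environment.

```python
import base64

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries -EncodedCommand
    (PowerShell accepts any unambiguous prefix, e.g. -e, -ec, -enc); else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload unreadable: nothing to decode
    return None

def analyze(record):
    """Return a list of finding strings for one process-creation record."""
    findings = []
    parent, image = basename(record["ParentImage"]), basename(record["Image"])
    cmdline = record["CommandLine"]
    if parent in OFFICE_PARENTS and image in LOLBINS:
        findings.append(f"office parent {parent} spawned {image}")
    if image == "powershell.exe":
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append(f"encoded powershell: {decoded.strip()}")
    if image == "bitsadmin.exe" and "/transfer" in cmdline.lower():
        findings.append("bitsadmin transfer job launched from command line")
    return findings

# Constructed sample records (not real telemetry); the encoded command is built from a harmless script.
ENC = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo test"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoProfile -enc {ENC}"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /transfer job1 http://files.example.invalid/update.txt C:\Temp\update.txt"},
]
```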
## Mitigation Strategies
- Strict application control/allow-listing policies.
- Monitoring command-line parameters and argument strings for suspicious content.
- Restricting access to high-risk LOLBins for standard user contexts.
## Related Tools/Techniques
- PowerShell Abuse (TA0006.T1059.001)
***
# Malware Families/Variants Mentioned
## Overview
Specific ransomware families exhibiting increased activity during the reporting period.
## Technical Details
- Type: Malware Family (Ransomware and BEC components)
- Platform: Varied (Likely Windows targets for ransomware payload)
- Capabilities: Data encryption, extortion, and business email compromise.
- First Seen: Qilin (More recent), Medusa, Play (Specific dates not provided).
## MITRE ATT&CK Mapping
*Ransomware generally requires:*
- TA0011 - Impact (General)
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- **Qilin, Medusa, Play:** Encrypting files across targeted networks.
- **BEC:** Deception, financial fraud instruction modification via compromised email.
### Advanced Features
- Evasion techniques specific to each ransomware variant.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Qilin, Medusa, Play variants (specific file names/hashes not listed)
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Mass file modification/encryption events; email spoofing/account takeover activity.
## Associated Threat Actors
- Threat groups associated with Qilin, Medusa, and Play.
## Detection Methods
- Endpoint Detection specialized in ransomware behavior patterns.
- SOC monitoring for mailbox rule changes or anomalous logins associated with BEC.
## Mitigation Strategies
- Comprehensive offline/immutable backups for ransomware recovery.
- Strong email authentication (DMARC, DKIM, SPF) and robust email security configuration to prevent BEC.
## Related Tools/Techniques
- Business Email Compromise (BEC) - (Most common incident type at 41%)