The five-day job: A BlackByte ransomware intrusion case study | Microsoft Security Blog

MITRE Techniques

• [T1190] Exploit Public-Facing Application – Exploiting the ProxyShell vulnerabilities on unpatched Exchange Servers to gain initial access. ‘exploiting the ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 on unpatched Microsoft Exchange Servers.’
• [T1505.003] Web Shell – Creating web shells to obtain remote control on affected servers. ‘Create web shells to obtain remote control on affected servers.’
• [T1547.001] Registry Run Keys/Startup Folder – Using registry Run keys to execute payload at sign-in. ‘the threat actor created the following registry run keys to run a payload each time a user signs in.’
• [T1055.012] Process Hollowing – Employing process hollowing and the use of vulnerable drivers to evade defenses. ‘Process hollowing and the use of vulnerable drivers for defense evasion.’
• [T1059.003] Windows Command Shell – Execution flows and commands such as ‘cmd.exe /c ping 1.1.1.1 -n 10 > nul & Del explorer.exe /F /Q’ showing command-line usage for execution/evasion.
• [T1046] Network Service Discovery – NetScan used to perform network enumeration. ‘network discovery tool NetScan being used by the threat actor to perform network enumeration.’
• [T1018/ T1069.002] Active Directory Discovery – AdFind used for Active Directory reconnaissance. ‘execution of AdFind (SHA-256: f157090f…), an Active Directory reconnaissance tool.’
• [T1003] Credential Dumping – Mimikatz likely used to obtain credentials for privileged accounts. ‘presence of likely usage of the credential theft tool Mimikatz …’
• [T1021.001] Remote Services – RDP for lateral movement to other servers. ‘Remote Desktop Protocol (RDP) … to obtain access to other servers.’
• [T1021.006] Remote Services: PowerShell Remoting – PowerShell remoting used for lateral movement. ‘PowerShell remoting to obtain access to other servers.’
• [T1071.001] Web Protocols – Cobalt Strike beacon communicates with a C2 server over HTTP(S). ‘C2 channel: 109.206.243.59:443.’
• [T1567.002] Exfiltration to Cloud Storage – Data exfiltration to Mega NZ via Mega’s API. ‘to the MEGA NZ using the platform’s API at: hxxps://g.api.mega.co.nz’
• [T1074] Data Staged – Data staging/exfiltration activities and log file creation. ‘log files … C:ExchangeMSExchLog.log’.
• [T1486] Data Encrypted for Impact – BlackByte 2.0 encrypts files across the environment. ‘encryption across the environment’ with 8-digit key requirement.
• [T1490] Inhibit System Recovery – Modifying/destroying volume shadow copies to hinder recovery. ‘Modification of volume shadow copies … to destroy volume shadow copies.’
• [T1562.001] Impair Defenses – Disabling security tools (e.g., Defender). ‘Tamper protection … was not enabled’ and backdoor ran with Defender present.
• [T1562.004] Disable/Modify System Firewall – Modifying or disabling Windows Firewall rules. ‘cmd /c netsh advfirewall set allprofiles state off’ etc.
• [T1070.006] Timestomping – Anti-forensics: timestomping file times. ‘timestomping (sets the file time of encrypted and ReadMe file to 2000-01-01 00:00:00)’.