HIVE Ransomware Attack Research & Analysis | Rapid7 Blog

MITRE Techniques

• [T1021] Remote Services – Used for lateral movement via remote services; ‘The malicious actor began using the remote process execution tool PSExec to execute batch files … which would cause registry changes to enable Remote Desktop sessions (RDP) using reg.exe.’
• [T1021.001] Remote Desktop Protocol – Enabled RDP sessions to facilitate movement across systems; ‘enable Remote Desktop sessions (RDP) using reg.exe.’
• [T1021.002] SMB/Windows Admin Shares – Extended movement across the environment using Windows shares after initial access; ‘lateral movement throughout the victim’s environment using the graphical user interface.’
• [T1027] Obfuscated Files Or Information – Archive encryption and password-protected payload concealment; ‘encrypted archive (int.7z) using 7-Zip’s console executable (7zr.exe) with a simple password.’
• [T1027.009] Embedded Payloads – Payloads embedded within archives and extracted for execution; ‘The ransomware payload(s) from an encrypted archive (int.7z) using 7zr.exe’.
• [T1037] Boot Or Logon Initialization Scripts – Altered boot/logon behavior to run malicious scripts on startup; ‘shell swapped to a batch script (file2.bat)’; ‘Boot behavior to safeboot minimal and then executing a reboot.’
• [T1037.003] Network Logon Script – Scripts executed during logon to achieve persistence; ‘Network Logon Script’ (implied by domain policy/logon scripting actions).
• [T1059] Command And Scripting Interpreter – Heavy use of command-line tools to execute actions; ‘cmd.exe /c …’ and related commands.
• [T1059.001] PowerShell – (Referenced as a scripting/command environment used in some steps; not explicitly shown as PowerShell in visible content.)
• [T1059.003] Windows Command Shell – Direct use of cmd.exe for batch execution; ‘C:WindowsSystem32cmd.exe /c “rdp.bat” …’
• [T1070] Indicator Removal – Deleting or masking backups/points of recovery; ‘delete shadows /all /quiet’ and ‘shadowcopy delete’ commands.
• [T1080] Taint Shared Content – Targeting network shares for encryption; implied via network-wide encryption scope.
• [T1105] Ingress Tool Transfer – Downloading tools/payloads via BitsAdmin; ‘bitsadmin /transfer … /download …’
• [T1112] Modify Registry – Registry edits to enable RDP and persistence; ‘reg add “HKLM System CurrentControlSet Control Terminal Server” …’
• [T1135] Network Share Discovery – Discovering networked hosts to enumerate shares; ‘NetServerEnum’ to identify available Windows hosts.
• [T1136] Create Account – Creating a local administrator account; ‘Creates administrator account on the local system.’
• [T1136.001] Local Account – Local account creation for persistence.
• [T1140] Deobfuscate/Decode Files Or Information – Handling of encoded/decrypted payloads; ‘decompressing archives and decoding payloads.’
• [T1197] BITS Jobs – Use of BITS for background transfers to fetch payloads; ‘BITSAdmin’ usage observed.
• [T1480] Execution Guardrails – Constraints around execution flow to maximize impact.
• [T1484] Domain Policy Modification – Modifying domain/group policies to propagate changes; ‘Modify AD policies.’
• [T1484.001] Group Policy Modification – Specific group policy changes to extend reach.
• [T1485] Data Destruction – Deleting backups/restore points as prelude to encryption.
• [T1486] Data Encrypted For Impact – Encrypting files across local and network shares for impact.
• [T1489] Service Stop – Stopping defender/endpoint services as part of the attack chain.
• [T1490] Inhibit System Recovery – Disabling recovery options to hinder remediation.
• [T1529] System Shutdown/Reboot – Forced reboots to execute the payload in a controlled state.
• [T1547] Boot Or Logon Autostart Execution – Replacing startup shell to ensure persistence and execution.
• [T1560] Archive Collected Data – Archiving payloads and data for staged delivery; ‘Archive Via Utility’.
• [T1560.001] Archive Via Utility – Using 7z to archive before exfiltration or encryption.
• [T1562] Impair Defenses – Disabling or bypassing security tools; safeboot and disablement steps observed.
• [T1562.001] Disable Or Modify Tools – Disabling antivirus/defense mechanisms; ‘no network driver load and no active defenses.’
• [T1562.009] Safe Mode Boot – Forcing safemode boot to evade defenses during encryption.
• [T1570] Lateral Tool Transfer – Transferring tools across systems to enable lateral movement.