Understanding the Phobos affiliate structure and activity

MITRE Techniques

• [T1021.001] Remote Desktop Protocol – The attackers enabled RDP as part of post-compromise persistence and access. Quote: “Finally, the script configures various Registry entries responsible for enabling RDP and disabling network-level authentication.”
• [T1112] Modify Registry – The attackers disable UAC and adjust registry keys to enable persisted access and privileges. Quote: “The script disables User Account Control (UAC) on the system by setting the following Registry entry.”
• [T1548.002] Bypass User Account Control – Accessibility feature abuse to spawn SYSTEM-level cmd without authentication. Quote: “enable the accessibility features present on the Windows logon screen to spawn a SYSTEM-level command prompt without requiring previous authentication.”
• [T1562.001] Impair Defenses – Uninstalling endpoint protection software to minimize detection. Quote: “the attacker attempted to uninstall endpoint protection software on compromised hosts to minimize detection.”
• [T1070.001] Clear Windows Event Logs – Batch file to wipe event logs to hinder forensics. Quote: “One batch file clears Windows event logs on compromised systems to minimize forensic artifacts and make detection more difficult.”
• [T1490] Inhibit System Recovery – Deleting Volume Shadow Copies to impede recovery. Quote: “delete Volume shadow copies, likely to make recovery following Phobos deployment more difficult.”
• [T1486] Data Encrypted for Impact – Phobos encrypts files after defenses are disabled. Quote: “deploy the Phobos ransomware, encrypting the files in the server.”
• [T1003.001] OS Credential Dumping – Use of Mimikatz/LaZagne for credential access. Quote: “includes the LaZagne and Mimikatz utilities.”
• [T1046] Network Service Scanning – Network scanning to find open services for lateral movement. Quote: “Network Scanner (NS.exe): An executable used to scan the network for open services and move laterally over the network.”