
Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
ID: G0102
Associated Groups: UNC1878, TEMP.MixMaster, Grim Spider
Version: 2.0
Created: 12 May 2020
Last Modified: 14 Oct 2021

Associated Group Descriptions

Name Description
UNC1878 (Citation: FireEye KEGTAP SINGLEMALT October 2020)
TEMP.MixMaster (Citation: FireEye Ryuk and Trickbot January 2019)
Grim Spider (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Wizard Spider has identified domain admins through the use of “net group ‘Domain admins’” commands.(Citation: DFIR Ryuk's Return October 2020)

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Wizard Spider has used the Invoke-Inveigh PowerShell cmdlet, most likely for LLMNR/NBT-NS name service poisoning.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Wizard Spider has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)

.004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Wizard Spider has established persistence by appending an entry to the Userinit value under the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so that the added binary runs at each interactive logon.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Wizard Spider has used macros to execute PowerShell scripts to download malware on victim's machines.(Citation: CrowdStrike Grim Spider May 2019) It has also used PowerShell to execute commands and move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)

.003 Command and Scripting Interpreter: Windows Command Shell

Wizard Spider has used cmd.exe to execute commands on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.(Citation: CrowdStrike Grim Spider May 2019)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Wizard Spider has exfiltrated victim information using FTP.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.(Citation: Sophos New Ryuk Attack October 2020)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.(Citation: CrowdStrike Grim Spider May 2019)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019) It has also used common document file names for other malware binaries.(Citation: FireEye KEGTAP SINGLEMALT October 2020)
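The four persistence locations above (Run key, Winlogon Userinit, the ControlServiceA service, and scheduled tasks with the names WinDotNet/GoogleTask/Sysnetsf) can all be checked from host telemetry. The following is an added example, not code from the ATT&CK page or any of the cited reports: it takes simplified records shaped like Sysmon event 13 (registry value set), Windows event 7045 (service installed) and 4698 (scheduled task created) and tags each hit with the sub-technique. The record field names, the user-writable-path heuristic and every sample value are constructed for this example; the task and service names from this page are used only as a seed watch list.

```python
"""Added example (not from the ATT&CK page or the cited reports): flag the
persistence artifacts attributed to Wizard Spider above in simplified event
records. Record shapes mimic Sysmon event 13 (registry value set), Windows
event 7045 (service installed) and 4698 (scheduled task created); the field
names and every sample value below are constructed for this example."""
import re

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)
USERINIT_RE = re.compile(r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\userinit$", re.I)
# Locations a standard user can write to; an autostart pointing here deserves a look.
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|programdata|public|downloads)\\", re.I)
# Names reported on this page. Treat them as a seed watch list, not a complete one.
SUSPECT_TASK_NAMES = {"windotnet", "googletask", "sysnetsf"}
SUSPECT_SERVICE_NAMES = {"controlservicea"}


def userinit_extras(value):
    """Return each comma-separated Userinit entry that is not userinit.exe itself.
    A clean host has exactly one entry, C:\\Windows\\system32\\userinit.exe, followed
    by a trailing comma; anything appended after it runs at every interactive logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\userinit.exe")]


def analyze(events):
    """Return one finding per matched record, tagged with the ATT&CK sub-technique."""
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "sysmon13":  # registry value set
            target, data = ev["target"], ev["details"]
            if USERINIT_RE.search(target) and userinit_extras(data):
                findings.append({"technique": "T1547.004", "event": ev,
                                 "reason": "Userinit gained: " + ", ".join(userinit_extras(data))})
            m = RUN_KEY_RE.search(target)
            if m and USER_WRITABLE_RE.search(data):
                findings.append({"technique": "T1547.001", "event": ev,
                                 "reason": f"Run value {m.group(1)} points into a user-writable path"})
        elif kind == "7045":  # service installed
            name, image = ev["service_name"], ev["image_path"]
            if name.lower() in SUSPECT_SERVICE_NAMES or USER_WRITABLE_RE.search(image):
                findings.append({"technique": "T1543.003", "event": ev,
                                 "reason": f"service {name} installed from {image}"})
        elif kind == "4698":  # scheduled task created
            name = ev["task_name"].rsplit("\\", 1)[-1]
            if name.lower() in SUSPECT_TASK_NAMES or USER_WRITABLE_RE.search(ev["command"]):
                findings.append({"technique": "T1053.005", "event": ev,
                                 "reason": f"task {name} runs {ev['command']}"})
    return findings


# Constructed sample telemetry: four malicious records followed by two benign ones.
SAMPLE_EVENTS = [
    {"event": "sysmon13", "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Sysnetsf",
     "details": r"C:\Users\jdoe\AppData\Roaming\netsrv.exe"},
    {"event": "sysmon13", "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\msdtc.exe"},
    {"event": "7045", "service_name": "ControlServiceA", "image_path": r"C:\Windows\Temp\tb.exe"},
    {"event": "4698", "task_name": r"\GoogleTask", "command": r"C:\Users\jdoe\AppData\Local\Temp\a.exe"},
    {"event": "sysmon13", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Program Files\Windows Defender\MSASCuiL.exe"},
    {"event": "sysmon13", "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["technique"], f["reason"])
```

The Userinit check compares against the value's structure rather than a literal string, because the legitimate entry can be written with or without the trailing comma; any second entry is what matters. The user-writable-path test is the generic rule that survives the actor renaming tasks and services.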

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

.003 OS Credential Dumping: NTDS

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Enterprise T1588 .002 Obtain Capabilities: Tool

Wizard Spider has obtained and used publicly available post-exploitation frameworks and tools such as Metasploit, Empire, and Mimikatz.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

.003 Obtain Capabilities: Code Signing Certificates

Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Wizard Spider has used AdFind.exe to collect information about Active Directory groups and accounts.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.(Citation: CrowdStrike Grim Spider May 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)

.002 Phishing: Spearphishing Link

Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Wizard Spider has used RDP for lateral movement.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

.002 Remote Services: SMB/Windows Admin Shares

Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk's Return October 2020)

.006 Remote Services: Windows Remote Management

Wizard Spider has used Windows Remote Management to move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)
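The discovery and permission-tampering entries on this page (net group "Domain Admins", AdFind, icacls with full control, Nltest from the software list, and the WMI anti-virus query above) all surface as process command lines. The following is an added example, not code from the ATT&CK page or the cited reports: a small rule set run over constructed process-creation records in the shape of Sysmon event 1 / Security 4688. The record field names, the regular expressions and every sample command line are constructed; the AdFind rule keys on the query arguments because the binary is routinely renamed.

```python
"""Added example (not from the ATT&CK page or the cited reports): match the
discovery and permission-tampering command lines this page attributes to Wizard
Spider against process-creation telemetry (Sysmon event 1 / Security 4688 style).
Record fields and every sample command line below are constructed."""
import re

# (technique, what the rule catches, pattern applied to "<image> <command line>")
RULES = [
    ("T1087.002", "net group \"Domain Admins\" enumeration",
     re.compile(r"\bnet1?(?:\.exe)?\s+group\s+[\"']?domain admins[\"']?", re.I)),
    ("T1069.002", "AdFind-style AD query; keyed on arguments because the binary is often renamed",
     re.compile(r"(?:^|\\)adfind\.exe\b|objectcategory=[\"']?(?:person|computer|group|organizationalunit)|-sc\s+trustdmp", re.I)),
    ("T1222.001", "icacls granting Full control",
     re.compile(r"\bicacls(?:\.exe)?\b.*?/grant(?::r)?\b.*?:\(?F\)?(?=\s|$)", re.I)),
    ("T1482", "nltest domain controller / trust enumeration",
     re.compile(r"\bnltest(?:\.exe)?\s+/(?:dclist|domain_trusts|trusted_domains)", re.I)),
    ("T1518.001", "WMI SecurityCenter2 AntiVirusProduct query",
     re.compile(r"\bantivirusproduct\b", re.I)),
]


def match_command(image, command_line):
    """Return the technique IDs whose pattern hits this process-creation record."""
    text = f"{image} {command_line}"
    return [tid for tid, _, rx in RULES if rx.search(text)]


def scan(records):
    """Return a finding for each record that hits at least one rule."""
    findings = []
    for rec in records:
        hits = match_command(rec["image"], rec["command_line"])
        if hits:
            findings.append({"host": rec["host"], "user": rec["user"],
                             "techniques": hits, "command_line": rec["command_line"]})
    return findings


SAMPLE_RECORDS = [  # constructed; the first five mirror tradecraft named on this page
    {"host": "WS042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "Domain Admins" /domain'},
    {"host": "WS042", "user": "CORP\\jdoe", "image": r"C:\Windows\Temp\adf.exe",
     "command_line": 'adf.exe -f "objectcategory=group" -gcb'},
    {"host": "BKP01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\icacls.exe",
     "command_line": r'icacls "C:\*" /grant Everyone:F /T /C /Q'},
    {"host": "WS042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\nltest.exe",
     "command_line": "nltest /dclist:corp.local"},
    {"host": "WS042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName"},
    {"host": "WS007", "user": "CORP\\alice", "image": r"C:\Windows\System32\net.exe",
     "command_line": r"net use H: \\fileserver\home"},
    {"host": "WS007", "user": "CORP\\alice", "image": r"C:\Windows\System32\icacls.exe",
     "command_line": r"icacls C:\data /grant Users:R"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f["host"], f["user"], ",".join(f["techniques"]), f["command_line"])
```

Administrators run net group and nltest legitimately, so in production these hits are scored by who ran them and from where (a workstation user hitting three of the five rules within minutes is the pattern the cited intrusions show) rather than alerted on individually.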

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Wizard Spider has used Rubeus, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.(Citation: DFIR Ryuk's Return October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)
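Rubeus, the Mimikatz Kerberos module and Invoke-Kerberoast all work the same way on the wire: they request a service ticket for every SPN-bearing account they intend to crack, so the domain controller logs one Security event 4769 per request from the same user in a short burst. The following is an added example, not code from the ATT&CK page or the cited reports: it groups 4769 records by requesting account and alerts when one account asks for tickets to many distinct service accounts within a window. Because the entry above notes AES hashes being taken, an RC4 downgrade (TicketEncryptionType 0x17) is reported as a secondary indicator rather than required. Field names, the threshold and window, and all sample events are constructed.

```python
"""Added example (not from the ATT&CK page or the cited reports): spot the
Kerberoasting pattern described above in Security event 4769 (Kerberos service
ticket requested) records. One user requesting tickets for many distinct
SPN-bearing accounts in a short window is the signal; RC4 (0x17) is reported
as a secondary indicator. Field names, thresholds and sample events are
constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                  # distinct service accounts requested by one user...
WINDOW = timedelta(minutes=5)  # ...within this window
RC4_HMAC = "0x17"              # TicketEncryptionType classic tooling asks for


def is_service_account(service_name):
    """Machine accounts ($) and krbtgt (TGT renewals) are normal 4769 targets."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoast(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per requesting account whose densest window meets the threshold."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4769 and is_service_account(ev["service_name"]):
            by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev))

    alerts = []
    for account, items in by_account.items():
        items.sort(key=lambda pair: pair[0])
        best = None
        start = 0
        for end in range(len(items)):  # sliding window over the sorted requests
            while items[end][0] - items[start][0] > window:
                start += 1
            chunk = [ev for _, ev in items[start:end + 1]]
            distinct = len({ev["service_name"] for ev in chunk})
            if distinct >= threshold and (best is None or distinct > best[0]):
                best = (distinct, start, end, chunk)
        if best:
            distinct, start, end, chunk = best
            alerts.append({
                "account": account,
                "client_ips": sorted({ev["client_ip"] for ev in chunk}),
                "distinct_services": distinct,
                "rc4_requests": sum(ev["etype"] == RC4_HMAC for ev in chunk),
                "first": items[start][0].isoformat(),
                "last": items[end][0].isoformat(),
            })
    return alerts


def _ev(t, account, service, etype, ip="10.0.5.42"):
    """Build a constructed 4769-style record."""
    return {"event_id": 4769, "time": t, "account": account,
            "service_name": service, "etype": etype, "client_ip": ip}


SAMPLE_EVENTS = [  # constructed: one roasting burst from jdoe, ordinary use from alice
    _ev("2020-10-05T09:12:00", "jdoe", "svc_sql", "0x17"),
    _ev("2020-10-05T09:12:03", "jdoe", "svc_backup", "0x17"),
    _ev("2020-10-05T09:12:05", "jdoe", "svc_web", "0x12"),
    _ev("2020-10-05T09:12:08", "jdoe", "svc_sccm", "0x17"),
    _ev("2020-10-05T09:12:11", "jdoe", "svc_exch", "0x12"),
    _ev("2020-10-05T09:12:14", "jdoe", "svc_print", "0x17"),
    _ev("2020-10-05T09:12:20", "jdoe", "FILESRV01$", "0x12"),            # machine account, ignored
    _ev("2020-10-05T08:00:00", "alice", "svc_web", "0x12", "10.0.7.9"),  # ordinary application use
    _ev("2020-10-05T08:00:01", "alice", "FILESRV01$", "0x12", "10.0.7.9"),
    _ev("2020-10-05T15:30:00", "alice", "svc_sql", "0x12", "10.0.7.9"),
]

if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_EVENTS):
        print(a)
```

Tuning note: the threshold should sit above the number of distinct service accounts a normal user touches in five minutes in your environment, which is typically one or two; a honeypot account with a registered SPN that no legitimate client ever uses gives a zero-false-positive complement to this count-based rule.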

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Wizard Spider has used Digicert code-signing certificates for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1569 .002 System Services: Service Execution

Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)

Enterprise T1204 .001 User Execution: Malicious Link

Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)

.002 User Execution: Malicious File

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.(Citation: CrowdStrike Grim Spider May 2019)(Citation: CrowdStrike Wizard Spider October 2020)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Software

ID Name References Techniques
S0266 TrickBot (Citation: CrowdStrike Grim Spider May 2019) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016) (Citation: Microsoft Totbrick Oct 2017) (Citation: S2 Grupo TrickBot June 2017) (Citation: Sophos New Ryuk Attack October 2020) (Citation: Totbrick) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019) (Citation: TSPY_TRICKLOAD) System Information Discovery, System Owner/User Discovery, Component Object Model, Scheduled Task, Uncommonly Used Port, Bootkit, Browser Session Hijacking, Native API, PowerShell, Exfiltration Over C2 Channel, Fallback Channels, VNC, Obfuscated Files or Information, Windows Service, Software Packing, Credentials In Files, Malicious File, Symmetric Cryptography, Local Account, Network Share Discovery, Standard Encoding, Spearphishing Link, Data from Local System, Disable or Modify Tools, Permission Groups Discovery, Credentials in Registry, Process Discovery, Email Account, Time Based Evasion, Remote Access Software, Windows Command Shell, Masquerading, Firmware Corruption, Deobfuscate/Decode Files or Information, Remote System Discovery, Non-Standard Port, Password Managers, Modify Registry, Code Signing, Credential Stuffing, File and Directory Discovery, Credential API Hooking, System Service Discovery, Ingress Tool Transfer, Process Injection, Commonly Used Port, External Proxy, Process Hollowing, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Web Protocols, Credentials from Web Browsers, Domain Trust Discovery, System Network Configuration Discovery, Spearphishing Attachment
S0039 Net (Citation: CrowdStrike Ryuk January 2019) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Microsoft Net Utility) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Savill 1999) (Citation: Sophos New Ryuk Attack October 2020) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Groups, SMB/Windows Admin Shares
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) (Citation: Sophos New Ryuk Attack October 2020) Domain Groups, Group Policy Discovery, Archive Collected Data, Password Policy Discovery, Local Groups, Domain Account, Local Account, System Owner/User Discovery, Remote System Discovery, Native API, PowerShell, Domain Trust Discovery
S0367 Emotet (Citation: CIS Emotet Apr 2017) (Citation: CIS Emotet Dec 2018) (Citation: CrowdStrike Grim Spider May 2019) (Citation: ESET Emotet Nov 2018) (Citation: Geodo) (Citation: Kaspersky Emotet Jan 2019) (Citation: Malwarebytes Emotet Dec 2017) (Citation: Picus Emotet Dec 2018) (Citation: Red Canary Emotet Feb 2019) (Citation: Secureworks Emotet Nov 2018) (Citation: Sophos New Ryuk Attack October 2020) (Citation: Symantec Emotet Jul 2018) (Citation: Talos Emotet Jan 2019) (Citation: Trend Micro Banking Malware Jan 2019) (Citation: Trend Micro Emotet Jan 2019) (Citation: US-CERT Emotet Jul 2018) Archive Collected Data, Asymmetric Cryptography, Credentials In Files, Password Guessing, Windows Management Instrumentation, Non-Standard Port, Custom Command and Control Protocol, SMB/Windows Admin Shares, Malicious File, Local Accounts, Registry Run Keys / Startup Folder, Spearphishing Link, Exfiltration Over C2 Channel, Exploitation of Remote Services, Commonly Used Port, Scheduled Task, Credentials from Web Browsers, PowerShell, Visual Basic, Uncommonly Used Port, Malicious Link, Obfuscated Files or Information, LSASS Memory, Network Sniffing, Windows Command Shell, Spearphishing Attachment, Email Account, Software Packing, Process Discovery, Dynamic-link Library Injection, Local Email Collection, Windows Service
S0363 Empire (Citation: CrowdStrike Grim Spider May 2019) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: EmPyre) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0575 Conti (Citation: CarbonBlack Conti July 2020) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Cybereason Conti Jan 2021) (Citation: Cybleinc Conti January 2020) SMB/Windows Admin Shares, Network Share Discovery, Deobfuscate/Decode Files or Information, Service Stop, File and Directory Discovery, System Network Configuration Discovery, Data Encrypted for Impact, Remote System Discovery, Obfuscated Files or Information, Inhibit System Recovery, System Network Connections Discovery, Dynamic-link Library Injection, Taint Shared Content, Windows Command Shell, Process Discovery, Native API
S0024 Dyre (Citation: CrowdStrike Wizard Spider March 2019) (Citation: Dyreza) (Citation: Dyzap) (Citation: Forbes Dyre May 2017) (Citation: Malwarebytes Dyreza November 2015) (Citation: Malwarebytes TrickBot Sep 2019) (Citation: Sophos Dyreza April 2015) (Citation: Symantec Dyre June 2015) System Network Configuration Discovery, System Owner/User Discovery, System Checks, Local Data Staging, Ingress Tool Transfer, Dynamic-link Library Injection, Scheduled Task, Deobfuscate/Decode Files or Information, Web Protocols, System Information Discovery, Software Packing, Process Injection, Software Discovery, Windows Service, Exfiltration Over C2 Channel, System Service Discovery
S0359 Nltest (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Nltest Manual) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Sophos New Ryuk Attack October 2020) Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0534 Bazar (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Cybereason Bazar July 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: KEGTAP) (Citation: NCC Group Team9 June 2020) (Citation: Team9) File and Directory Discovery, Domain Trust Discovery, Asymmetric Cryptography, Domain Account, Remote System Discovery, Malicious Link, Network Share Discovery, Process Injection, BITS Jobs, Windows Command Shell, PowerShell, Obfuscated Files or Information, Security Software Discovery, Virtualization/Sandbox Evasion, Process Doppelgänging, Clear Persistence, Disable or Modify Tools, Indicator Removal, Data from Local System, Dynamic API Resolution, System Language Discovery, System Time Discovery, Process Discovery, Multi-Stage Channels, Query Registry, Match Legitimate Name or Location, Software Discovery, Symmetric Cryptography, Winlogon Helper DLL, Masquerade Task or Service, System Network Configuration Discovery, Time Based Evasion, System Owner/User Discovery, Code Signing, File Deletion, Fallback Channels, Web Protocols, Spearphishing Link, Ingress Tool Transfer, Local Account, Scheduled Task, Web Service, Double File Extension, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Process Hollowing, Native API, Shortcut Modification, Registry Run Keys / Startup Folder, System Information Discovery, Software Packing, Domain Generation Algorithms
S0446 Ryuk (Citation: Bleeping Computer - Ryuk WoL) (Citation: CrowdStrike Ryuk January 2019) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Sophos New Ryuk Attack October 2020) Obfuscated Files or Information, Disable or Modify Tools, Native API, Process Discovery, SMB/Windows Admin Shares, File and Directory Discovery, Inhibit System Recovery, System Language Discovery, Domain Accounts, Windows Command Shell, Match Legitimate Name or Location, Service Stop, Windows File and Directory Permissions Modification, Scheduled Task, System Information Discovery, Traffic Signaling, Data Encrypted for Impact, Process Injection, Masquerading, Registry Run Keys / Startup Folder, System Network Configuration Discovery, Access Token Manipulation
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Sophos New Ryuk Attack October 2020) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Process Injection, System Service Discovery, Timestomp, SSH, File and Directory Discovery, DNS, Security Account Manager, Local Groups, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Network Share Discovery, Asymmetric Cryptography, Windows Command Shell, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, SMB/Windows Admin Shares, Rundll32, Make and Impersonate Token, Exploitation for Client Execution, Custom Command and Control Protocol, Office Template Macros, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0097 Ping (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: TechNet Ping) Remote System Discovery
S0632 GrimAgent (Citation: Group IB GrimAgent July 2021) Registry Run Keys / Startup Folder, Windows Command Shell, Scheduled Task, Data from Local System, System Owner/User Discovery, Asymmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, System Network Configuration Discovery, Standard Encoding, Symmetric Cryptography, Native API, System Language Discovery, Time Based Evasion, System Location Discovery, Clear Persistence, Deobfuscate/Decode Files or Information, Junk Data, File Deletion, Obfuscated Files or Information, Web Protocols, System Information Discovery, Exfiltration Over C2 Channel, Binary Padding
S0552 AdFind (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account
S0029 PsExec (Citation: CrowdStrike Grim Spider May 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  2. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  3. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  4. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  5. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  6. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  7. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  8. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  9. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  10. Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020.
  11. Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020.
  12. Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020.
  13. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  14. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  15. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
