Wizard Spider

Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)
ID: G0102
Associated Groups: Grim Spider, GOLD BLACKBURN, DEV-0193, Periwinkle Tempest, FIN12, ITG23, TEMP.MixMaster, UNC1878
Version: 4.0
Created: 12 May 2020
Last Modified: 12 Mar 2025

Associated Group Descriptions

Name Description
Grim Spider (Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)
GOLD BLACKBURN (Citation: Secureworks Gold Blackburn Mar 2022)
DEV-0193 (Citation: Microsoft Threat Actor Naming July 2023)
Periwinkle Tempest (Citation: Microsoft Threat Actor Naming July 2023)
FIN12 (Citation: Mandiant FIN12 Oct 2021)
ITG23 (Citation: IBM X-Force ITG23 Oct 2021)
TEMP.MixMaster (Citation: FireEye Ryuk and Trickbot January 2019)
UNC1878 (Citation: FireEye KEGTAP SINGLEMALT October 2020)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Wizard Spider has identified domain admins through the use of `net group "Domain admins" /DOMAIN`. Wizard Spider has also leveraged the PowerShell cmdlet `Get-ADComputer` to collect account names from Active Directory data.(Citation: DFIR Ryuk's Return October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1557 .001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Wizard Spider has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Wizard Spider has archived data into ZIP files on compromised machines.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Enterprise T1547 .004 Boot or Logon Autostart Execution: Winlogon Helper DLL

Wizard Spider has established persistence through the Userinit value under the Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.(Citation: FireEye KEGTAP SINGLEMALT October 2020)
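As an added illustration for the two autostart rows above (editor's example, not part of the ATT&CK entry or of SECURITM's content), the following Python audits a .reg text export for the HKCU Run key and the Winlogon Userinit value. The export is constructed for this example; the list of user-writable path markers and the stock Userinit value (`C:\Windows\system32\userinit.exe`) are the editor's assumptions, so adjust them to your own baseline.

```python
"""Audit a .reg export for Run-key entries launched from user-writable
locations and for extra programs appended to the Winlogon Userinit value."""
import re

# Constructed .reg text for this example (hand-written, not a real export).
# In .reg syntax, backslashes and double quotes inside data are escaped.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinDotNet"="C:\\Users\\alice\\AppData\\Roaming\\WinDotNet\\svc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\update.exe,"
"""

# Assumed markers for locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
# Assumed stock Userinit program (compare case-insensitively).
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe"


def parse_reg_export(text):
    """Parse the REG_SZ subset of .reg syntax into {key_path: {name: data}},
    unescaping \\\\ and \\" inside the data."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name, data = (re.sub(r'\\(["\\])', r'\1', s) for s in m.groups())
            keys[current][name] = data
    return keys


def executable_path(data):
    """Extract the program path from a Run value: either a quoted path
    followed by arguments, or a bare path ending in .exe."""
    m = re.match(r'^"([^"]+)"', data) or re.match(r'^(.*?\.exe)', data, re.I)
    return (m.group(1) if m else data).strip()


def audit_run_key(values):
    """Flag Run entries whose program lives in a user-writable location.
    Legitimate per-user software (e.g. OneDrive) also lands here, so these
    findings are triage candidates to check against an inventory."""
    findings = []
    for name, data in values.items():
        path = executable_path(data)
        if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append((name, path, "Run entry launched from user-writable path"))
    return findings


def audit_userinit(data):
    """Userinit is a comma-separated list; anything beyond the stock
    userinit.exe is an extra program Winlogon launches at every logon."""
    parts = [p.strip() for p in data.split(",")]
    extras = [p for p in parts if p and p.lower() != DEFAULT_USERINIT]
    return [("Userinit", p, "extra program in Winlogon Userinit") for p in extras]


def audit(reg_text):
    """Run both checks over an export; returns (value name, program, reason)."""
    findings = []
    for key_path, values in parse_reg_export(reg_text).items():
        leaf = key_path.rsplit("\\", 1)[-1].lower()
        if leaf == "run":
            findings.extend(audit_run_key(values))
        elif leaf == "winlogon" and "Userinit" in values:
            findings.extend(audit_userinit(values["Userinit"]))
    return findings


if __name__ == "__main__":
    for name, program, reason in audit(SAMPLE_REG_EXPORT):
        print(f"{reason}: {name} -> {program}")
```

On the constructed export this reports both Run entries (OneDrive as a benign per-user program to verify, WinDotNet as the suspicious one) and the extra `C:\Users\Public\update.exe` appended to Userinit; a Userinit value consisting only of the stock program yields nothing.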

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Wizard Spider has used macros to execute PowerShell scripts that download malware onto victims' machines.(Citation: CrowdStrike Grim Spider May 2019) It has also used PowerShell to execute commands and move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Wizard Spider has used `cmd.exe` to execute commands on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1136 .001 Create Account: Local Account

Wizard Spider has created local administrator accounts to maintain persistence in compromised networks.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1136 .002 Create Account: Domain Account

Wizard Spider has created and used new accounts within a victim's Active Directory environment to maintain persistence.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.(Citation: CrowdStrike Grim Spider May 2019)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1555 .004 Credentials from Password Stores: Windows Credential Manager

Wizard Spider has used the PowerShell cmdlet `Invoke-WCMDump` to enumerate Windows credentials stored in the Credential Manager within a compromised network.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1074 .001 Data Staged: Local Data Staging

Wizard Spider has staged ZIP files in local directories such as `C:\PerfLogs\1\` and `C:\User\1\` prior to exfiltration.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1585 .002 Establish Accounts: Email Accounts

Wizard Spider has leveraged ProtonMail email addresses in ransom notes when delivering Ryuk ransomware.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Wizard Spider has exfiltrated victim information using FTP.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Wizard Spider has exfiltrated stolen victim data to various cloud storage providers.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1222 .001 File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Wizard Spider has used the icacls command to modify access control on backup servers, giving the group full control of all system folders.(Citation: Sophos New Ryuk Attack October 2020)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1070 .004 Indicator Removal: File Deletion

Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use.(Citation: CrowdStrike Grim Spider May 2019)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019) It has also used common document file names for other malware binaries.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Wizard Spider has dumped lsass.exe memory to harvest credentials with the open-source tool LaZagne.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Enterprise T1003 .003 OS Credential Dumping: NTDS

Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database. Wizard Spider has also created a volume shadow copy and used a batch script file to collect NTDS.dit with the Windows utility ntdsutil.(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)
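The following Python triage is an added example by the editor, not code from ATT&CK, SECURITM or the cited reports. It runs a few detection rules over constructed process-creation records shaped like the commands in the Account Discovery (`net group "Domain admins" /DOMAIN`), Masquerade Task or Service (task names such as WinDotNet), NTDS (ntdsutil) and Command Obfuscation (Base64-encoded PowerShell) rows above, and shows why encoded PowerShell has to be decoded (UTF-16LE, then Base64) and re-scanned rather than matched as-is. The record format, rule names, the user-writable path markers and the ntdsutil keywords are the editor's assumptions.

```python
"""Rule-based triage of process-creation command lines, including the
contents of Base64-encoded PowerShell (-enc / -EncodedCommand)."""
import base64
import re

# Constructed: the payload of the encoded PowerShell sample below is built
# here so the example is self-contained (PowerShell expects UTF-16LE + Base64).
ENCODED_NET_GROUP = base64.b64encode(
    'net group "Domain Admins" /domain'.encode("utf-16-le")).decode("ascii")

# Constructed process-creation records: (time, host, user, command line).
# Made up for this example; shaped like the commands described on the page.
SAMPLE_EVENTS = [
    ("2020-10-18T14:02:11Z", "WS01", "CORP\\alice", 'net group "Domain admins" /DOMAIN'),
    ("2020-10-18T14:05:40Z", "WS01", "CORP\\alice",
     'schtasks /create /tn "WinDotNet" /tr "C:\\Users\\alice\\AppData\\Roaming\\svc.exe" /sc onlogon'),
    ("2020-10-18T14:09:02Z", "DC01", "CORP\\svc_backup",
     'ntdsutil "ac i ntds" "ifm" "create full C:\\PerfLogs\\1" q q'),
    ("2020-10-18T14:11:55Z", "WS02", "CORP\\bob",
     f"powershell.exe -nop -w hidden -enc {ENCODED_NET_GROUP}"),
    ("2020-10-18T14:12:30Z", "WS02", "CORP\\bob", "schtasks /query /fo LIST"),
    ("2020-10-18T14:13:00Z", "WS03", "CORP\\carol", "notepad.exe C:\\Users\\carol\\notes.txt"),
]

# Task names the page reports being used to look legitimate (lower-cased).
MASQUERADE_TASK_NAMES = {"windotnet", "googletask", "sysnetsf"}
# Assumed markers for user-writable locations.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def rule_domain_admin_enum(cmd):
    """net / net1 group "Domain admins" /domain, any casing or quoting."""
    pattern = r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain\b'
    return re.search(pattern, cmd, re.I) is not None


def rule_task_masquerade(cmd):
    """schtasks /create with a known masquerade name or a user-writable
    program path (assumes /create precedes /tn on the command line)."""
    m = re.search(r'\bschtasks(?:\.exe)?\b.*?/create\b.*?/tn\s+"?([^"\s]+)"?', cmd, re.I)
    if not m:
        return False
    name = m.group(1).lower()
    runs_from_user_dir = any(p in cmd.lower() for p in USER_WRITABLE)
    return name in MASQUERADE_TASK_NAMES or runs_from_user_dir


def rule_ntds_extraction(cmd):
    """ntdsutil invoked with the install-from-media keywords that dump NTDS.dit."""
    c = cmd.lower()
    return "ntdsutil" in c and ("ifm" in c or "create full" in c)


def decode_encoded_powershell(cmd):
    """Return the decoded script when -e/-ec/-enc/-EncodedCommand carries
    valid Base64-wrapped UTF-16LE, otherwise None."""
    m = re.search(r'-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


RULES = [
    ("domain admin enumeration (T1087.002)", rule_domain_admin_enum),
    ("scheduled task masquerade or user-writable task (T1036.004, T1053.005)", rule_task_masquerade),
    ("NTDS extraction via ntdsutil (T1003.003)", rule_ntds_extraction),
]


def scan_command(cmd):
    """Names of rules matching one command line; encoded PowerShell is
    decoded and rescanned so the payload is judged by the same rules."""
    hits = [name for name, rule in RULES if rule(cmd)]
    decoded = decode_encoded_powershell(cmd)
    if decoded is not None:
        hits.append("encoded PowerShell command (T1027.010)")
        hits.extend(f"decoded: {h}" for h in scan_command(decoded))
    return hits


def triage(events):
    """Flatten events into (time, host, user, finding) rows."""
    return [(ts, host, user, hit)
            for ts, host, user, cmd in events
            for hit in scan_command(cmd)]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(" | ".join(row))
```

On the constructed records this produces five findings: one each for the `net group` enumeration, the WinDotNet task and the ntdsutil run, and two for the PowerShell event (the encoding itself, and the domain-admin enumeration found only after decoding). The `schtasks /query` and notepad records produce nothing.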

Enterprise T1588 .002 Obtain Capabilities: Tool

Wizard Spider has utilized tools such as Empire, Cobalt Strike, Rubeus, AdFind, BloodHound, Metasploit, Advanced IP Scanner, Nirsoft PingInfoView, and SoftPerfect Network Scanner for targeting efforts.(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1588 .003 Obtain Capabilities: Code Signing Certificates

Wizard Spider has obtained code signing certificates signed by DigiCert, GlobalSign, and COMODO for malware payloads.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Wizard Spider has used AdFind.exe to collect information about Active Directory groups and accounts.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Wizard Spider has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.(Citation: CrowdStrike Grim Spider May 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1566 .002 Phishing: Spearphishing Link

Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Wizard Spider has injected malicious DLLs into memory with read, write, and execute permissions.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Wizard Spider has used RDP for lateral movement and to deploy ransomware interactively.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk's Return October 2020)

Enterprise T1021 .006 Remote Services: Windows Remote Management

Wizard Spider has used Windows Remote Management to move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Wizard Spider has used WMI to identify anti-virus products installed on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Wizard Spider has used Rubeus, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.(Citation: DFIR Ryuk's Return October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Mandiant FIN12 Oct 2021)
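Because the row above describes tickets requested with AES rather than RC4, an encryption-type check alone misses this activity. The following Python is an added example by the editor (not from ATT&CK, SECURITM or the cited reports) showing a detection that keys on the request pattern in Security event 4769 instead: one account requesting service tickets for many distinct service principals within a short window, with RC4 (0x17) requests reported as an additional, weaker signal. The event records, the 5-minute window and the threshold of five services are constructed assumptions to tune against your domain's baseline.

```python
"""Kerberoasting detection over Security event 4769 (TGS request) records:
flag bursts of distinct service-ticket requests per account, and RC4 requests."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records: (time, requesting account, service name,
# ticket encryption type). Made up for this example.
SAMPLE_4769 = [
    ("2020-10-18T15:00:01Z", "CORP\\alice", "MSSQLSvc/db01", "0x12"),
    ("2020-10-18T15:00:02Z", "CORP\\alice", "HTTP/web01", "0x12"),
    ("2020-10-18T15:00:02Z", "CORP\\alice", "svc_backup", "0x12"),
    ("2020-10-18T15:00:03Z", "CORP\\alice", "svc_sccm", "0x12"),
    ("2020-10-18T15:00:03Z", "CORP\\alice", "svc_jenkins", "0x12"),
    ("2020-10-18T15:00:04Z", "CORP\\alice", "svc_monitor", "0x12"),
    ("2020-10-18T15:00:05Z", "CORP\\alice", "WS01$", "0x12"),        # machine account, ignored
    ("2020-10-18T15:30:00Z", "CORP\\bob", "MSSQLSvc/db01", "0x17"),   # single RC4 request
    ("2020-10-18T16:00:00Z", "CORP\\carol", "krbtgt", "0x12"),        # TGT, ignored
    ("2020-10-18T16:01:00Z", "CORP\\carol", "HTTP/web01", "0x12"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_roastable_service(service):
    """Only tickets for user accounts with SPNs are worth cracking offline;
    skip machine accounts (trailing $) and the krbtgt TGT principal."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Return alerts as tuples:
      ('rc4', account, service)  for every RC4 (0x17) service-ticket request
      ('burst', account, n)      when an account requests tickets for n >= threshold
                                 distinct services inside one sliding window."""
    alerts = []
    per_account = defaultdict(list)
    for ts, account, service, etype in events:
        if not is_roastable_service(service):
            continue
        if etype.lower() == "0x17":
            alerts.append(("rc4", account, service))
        per_account[account].append((parse_ts(ts), service))

    for account, requests in per_account.items():
        requests.sort()
        for i, (t0, _) in enumerate(requests):
            # Distinct services requested in [t0, t0 + window]; AES-only
            # roasting still shows up here because volume, not etype, is keyed on.
            services = {svc for t, svc in requests[i:] if t - t0 <= window}
            if len(services) >= threshold:
                alerts.append(("burst", account, len(services)))
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

On the constructed records the burst rule fires for alice (six distinct services in four seconds, all AES) while bob's lone RC4 request surfaces only through the weaker etype signal; carol's normal activity produces nothing.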

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Wizard Spider has used DigiCert code-signing certificates for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Wizard Spider has utilized `rundll32.exe` to deploy ransomware commands with the use of WebDAV.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1569 .002 System Services: Service Execution

Wizard Spider has used `services.exe` to execute scripts and executables during lateral movement within a victim's network. Wizard Spider has also used batch scripts that leverage PsExec to execute a previously transferred ransomware payload on a victim's network.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1552 .006 Unsecured Credentials: Group Policy Preferences

Wizard Spider has used the PowerShell cmdlets `Get-GPPPassword` and `Find-GPOPassword` to find unsecured credentials in Group Policy within a compromised network.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Wizard Spider has used the `Invoke-SMBExec` PowerShell cmdlet to perform pass-the-hash, using stolen password hashes to move laterally.(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1204 .001 User Execution: Malicious Link

Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)

Enterprise T1204 .002 User Execution: Malicious File

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.(Citation: CrowdStrike Grim Spider May 2019)(Citation: CrowdStrike Wizard Spider October 2020)(Citation: Mandiant FIN12 Oct 2021)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

Software

ID Name References Techniques
S0266 TrickBot (Citation: CrowdStrike Grim Spider May 2019) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016) (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft Ransomware as a Service) (Citation: Microsoft Totbrick Oct 2017) (Citation: S2 Grupo TrickBot June 2017) (Citation: Sophos New Ryuk Attack October 2020) (Citation: TSPY_TRICKLOAD) (Citation: Totbrick) (Citation: Trend Micro Totbrick Oct 2016) (Citation: TrendMicro Trickbot Feb 2019) Scheduled Task, VNC, System Owner/User Discovery, Standard Encoding, Encrypted/Encoded File, Permission Groups Discovery, Bootkit, Malicious File, Symmetric Cryptography, Local Account, Windows Service, Spearphishing Link, Spearphishing Attachment, Component Object Model, Password Managers, System Service Discovery, Code Signing, Credentials in Registry, Network Share Discovery, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Remote Access Tools, Masquerading, Process Injection, Email Account, Time Based Evasion, Browser Session Hijacking, Modify Registry, Credentials from Web Browsers, External Proxy, System Network Configuration Discovery, Domain Trust Discovery, File and Directory Discovery, Credentials In Files, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Disable or Modify Tools, Non-Standard Port, Process Hollowing, Credential Stuffing, Obfuscated Files or Information, Uncommonly Used Port, Hidden Window, Windows Command Shell, Software Packing, Web Protocols, Remote System Discovery, Ingress Tool Transfer, Fallback Channels, Credential API Hooking, Firmware Corruption, Commonly Used Port
S0039 Net (Citation: CrowdStrike Ryuk January 2019) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft Net Utility) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Savill 1999) (Citation: Sophos New Ryuk Attack October 2020) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) (Citation: Mandiant FIN12 Oct 2021) (Citation: Sophos New Ryuk Attack October 2020) System Owner/User Discovery, Group Policy Discovery, Domain Account, Local Account, Domain Groups, Native API, Archive Collected Data, Domain Trust Discovery, PowerShell, Local Groups, Password Policy Discovery, Remote System Discovery
S0367 Emotet (Citation: CIS Emotet Apr 2017) (Citation: CIS Emotet Dec 2018) (Citation: CrowdStrike Grim Spider May 2019) (Citation: ESET Emotet Nov 2018) (Citation: Geodo) (Citation: Kaspersky Emotet Jan 2019) (Citation: Malwarebytes Emotet Dec 2017) (Citation: Picus Emotet Dec 2018) (Citation: Red Canary Emotet Feb 2019) (Citation: Secureworks Emotet Nov 2018) (Citation: Sophos New Ryuk Attack October 2020) (Citation: Symantec Emotet Jul 2018) (Citation: Talos Emotet Jan 2019) (Citation: Trend Micro Banking Malware Jan 2019) (Citation: Trend Micro Emotet Jan 2019) (Citation: US-CERT Emotet Jul 2018) Scheduled Task, Windows Management Instrumentation, System Owner/User Discovery, Standard Encoding, Embedded Payloads, Password Guessing, Encrypted/Encoded File, Email Collection, Local Email Collection, Malicious File, Symmetric Cryptography, Windows Service, Spearphishing Link, Spearphishing Attachment, Network Sniffing, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Reflective Code Loading, Wi-Fi Discovery, Email Account, SMB/Windows Admin Shares, Archive Collected Data, Credentials from Web Browsers, Binary Padding, LSASS Memory, Masquerade Task or Service, Credentials In Files, Token Impersonation/Theft, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Non-Standard Port, Process Hollowing, Encrypted Channel, Regsvr32, Lateral Tool Transfer, Uncommonly Used Port, Windows Command Shell, Command Obfuscation, Software Packing, Web Protocols, Visual Basic, Ingress Tool Transfer, Malicious Link, Dynamic-link Library Injection, Custom Command and Control Protocol, Commonly Used Port, Local Accounts
S0363 Empire (Citation: CrowdStrike Grim Spider May 2019) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: EmPyre) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: Mandiant FIN12 Oct 2021) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
S0575 Conti (Citation: CarbonBlack Conti July 2020) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Cybereason Conti Jan 2021) (Citation: Cybleinc Conti January 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft Ransomware as a Service) Service Stop, Taint Shared Content, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, SMB/Windows Admin Shares, System Network Configuration Discovery, File and Directory Discovery, System Network Connections Discovery, Process Discovery, Obfuscated Files or Information, Data Encrypted for Impact, Windows Command Shell, Remote System Discovery, Dynamic-link Library Injection, Inhibit System Recovery
S0659 Diavol (Citation: DFIR Diavol Ransomware December 2021) (Citation: FBI Flash Diavol January 2022) (Citation: Fortinet Diavol July 2021) (Citation: Microsoft Ransomware as a Service) System Owner/User Discovery, Service Stop, Network Share Discovery, System Information Discovery, Native API, SMB/Windows Admin Shares, System Network Configuration Discovery, File and Directory Discovery, Internal Defacement, Process Discovery, Disable or Modify Tools, Obfuscated Files or Information, Data Encrypted for Impact, Steganography, Data Destruction, Web Protocols, Remote System Discovery, Ingress Tool Transfer, Inhibit System Recovery
S0504 Anchor (Citation: Anchor_DNS) (Citation: Cyberreason Anchor December 2019) (Citation: Medium Anchor DNS July 2020) (Citation: Microsoft Ransomware as a Service) Scheduled Task, DNS, Windows Service, Cron, Code Signing, System Information Discovery, SMB/Windows Admin Shares, System Network Configuration Discovery, Execution Guardrails, Unix Shell, Obfuscated Files or Information, Non-Application Layer Protocol, Windows Command Shell, File Deletion, Software Packing, Web Protocols, Ingress Tool Transfer, Service Execution, Fallback Channels, NTFS File Attributes
S0024 Dyre (Citation: CrowdStrike Wizard Spider March 2019) (Citation: Dyreza) (Citation: Dyzap) (Citation: Forbes Dyre May 2017) (Citation: Malwarebytes Dyreza November 2015) (Citation: Malwarebytes TrickBot Sep 2019) (Citation: Sophos Dyreza April 2015) (Citation: Symantec Dyre June 2015) Scheduled Task, System Owner/User Discovery, Local Data Staging, Windows Service, System Checks, System Service Discovery, System Information Discovery, Deobfuscate/Decode Files or Information, Process Injection, System Network Configuration Discovery, Exfiltration Over C2 Channel, Software Packing, Web Protocols, Software Discovery, Ingress Tool Transfer, Dynamic-link Library Injection
S0190 BITSAdmin (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft BITSAdmin) Lateral Tool Transfer, BITS Jobs, Ingress Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol
S0359 Nltest (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Nltest Manual) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Sophos New Ryuk Attack October 2020) System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery
S0534 Bazar (Citation: Bazaloader) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: Cybereason Bazar July 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: KEGTAP) (Citation: Microsoft Ransomware as a Service) (Citation: NCC Group Team9 June 2020) (Citation: Team9) Scheduled Task, Windows Management Instrumentation, System Owner/User Discovery, Encrypted/Encoded File, Domain Generation Algorithms, Double File Extension, Match Legitimate Resource Name or Location, Domain Account, Symmetric Cryptography, Local Account, Spearphishing Link, Code Signing, Network Share Discovery, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Shortcut Modification, Time Based Evasion, Winlogon Helper DLL, Process Doppelgänging, System Network Configuration Discovery, Domain Trust Discovery, Indicator Removal, File and Directory Discovery, Masquerade Task or Service, Virtualization/Sandbox Evasion, Web Service, Multi-Stage Channels, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Disable or Modify Tools, Process Hollowing, Asymmetric Cryptography, System Language Discovery, Query Registry, BITS Jobs, Security Software Discovery, Windows Command Shell, Clear Persistence, File Deletion, Software Packing, Web Protocols, Remote System Discovery, Software Discovery, Ingress Tool Transfer, Dynamic API Resolution, Malicious Link, Fallback Channels, System Time Discovery
S0446 Ryuk (Citation: Bleeping Computer - Ryuk WoL) (Citation: CrowdStrike Ryuk January 2019) (Citation: CrowdStrike Wizard Spider October 2020) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Mandiant FIN12 Oct 2021) (Citation: Microsoft Ransomware as a Service) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) (Citation: Sophos New Ryuk Attack October 2020) Scheduled Task, Match Legitimate Resource Name or Location, Service Stop, Windows File and Directory Permissions Modification, System Information Discovery, Native API, Masquerading, Process Injection, Traffic Signaling, SMB/Windows Admin Shares, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Registry Run Keys / Startup Folder, Disable or Modify Tools, Obfuscated Files or Information, Data Encrypted for Impact, System Language Discovery, Domain Accounts, Windows Command Shell, Access Token Manipulation, Inhibit System Recovery
S0154 Cobalt Strike (Citation: CrowdStrike Wizard Spider October 2020) (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Sophos New Ryuk Attack October 2020) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: Deply Mimikatz) (Citation: FireEye KEGTAP SINGLEMALT October 2020) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) (Citation: Mandiant FIN12 Oct 2021) Keychain, LSA Secrets, Proc Filesystem, Credentials from Password Stores, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials In Files, /etc/passwd and /etc/shadow, Windows Credential Manager
S0097 Ping (Citation: DFIR Ryuk in 5 Hours October 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) (Citation: TechNet Ping) Remote System Discovery
S0632 GrimAgent (Citation: Group IB GrimAgent July 2021) Scheduled Task, System Owner/User Discovery, Standard Encoding, Symmetric Cryptography, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Mutual Exclusion, Time Based Evasion, Binary Padding, System Network Configuration Discovery, File and Directory Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Asymmetric Cryptography, System Language Discovery, System Location Discovery, Windows Command Shell, Clear Persistence, File Deletion, Web Protocols, Ingress Tool Transfer, Junk Data
S1071 Rubeus (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: GitHub Rubeus March 2023) (Citation: Mandiant FIN12 Oct 2021) AS-REP Roasting, Domain Trust Discovery, Golden Ticket, Silver Ticket, Kerberoasting
S0552 AdFind (Citation: DFIR Ryuk 2 Hour Speed Run November 2020) (Citation: DFIR Ryuk's Return October 2020) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Mandiant FIN12 Oct 2021) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Account, Domain Groups, System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery
S0029 PsExec (Citation: CrowdStrike Grim Spider May 2019) (Citation: FireEye KEGTAP SINGLEMALT October 2020) (Citation: Mandiant FIN12 Oct 2021) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution

References

  1. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  2. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  3. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  4. The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.
  5. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.
  6. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.
  7. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  8. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  9. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.
  10. Villadsen, O., et al. (2021, October 13). Trickbot Rising - Gang Doubles Down on Infection Efforts to Amass Network Footholds. Retrieved June 15, 2023.
  11. Secureworks Counter Threat Unit. (2022, March 1). Gold Blackburn Threat Profile. Retrieved June 15, 2023.
  12. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  13. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  14. Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
  15. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
  16. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.