BlackCat
Associated Software Descriptions

Name | Description
---|---
Noberus | (Citation: ACSC BlackCat Apr 2022)
ALPHV | (Citation: Microsoft BlackCat Jun 2022)(Citation: ACSC BlackCat Apr 2022)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | BlackCat can bypass UAC to escalate privileges.(Citation: Microsoft BlackCat Jun 2022)
Enterprise | T1087.002 | Account Discovery: Domain Account | BlackCat can utilize `net use` commands to identify domain users.(Citation: Microsoft BlackCat Jun 2022)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | BlackCat can execute commands on a compromised network with the use of `cmd.exe`.(Citation: Microsoft BlackCat Jun 2022)
Enterprise | T1491.001 | Defacement: Internal Defacement | BlackCat can change the desktop wallpaper on compromised hosts.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)
Enterprise | T1561.001 | Disk Wipe: Disk Content Wipe | BlackCat has the ability to wipe VM snapshots on compromised networks.(Citation: Microsoft BlackCat Jun 2022)(Citation: Sophos BlackCat Jul 2022)
Enterprise | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | BlackCat can use Windows commands such as `fsutil behavior set SymLinkEvaluation R2L:1`, which enables evaluation of remote-to-local symbolic links, to redirect file system access to a different location after gaining access to compromised networks.(Citation: Microsoft BlackCat Jun 2022)
Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | BlackCat can clear Windows event logs using `wevtutil.exe`.(Citation: Microsoft BlackCat Jun 2022)
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | BlackCat can determine if a user on a compromised host has domain admin privileges.(Citation: Microsoft BlackCat Jun 2022)
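Several of the entries above name a concrete command line (`fsutil behavior set SymLinkEvaluation`, `wevtutil.exe`, `net`), which is what a detection engineer would hunt for in process-creation telemetry. The following is an added example, not code from MITRE ATT&CK or from any of the cited reports: it scans constructed process-creation events for those command lines and maps each hit to the technique ID from the table, then flags hosts where more than one of the techniques appears. The pipe-separated event layout, the host and user names, the sample events and the regular expressions are assumptions of this example. The entry cites `net use`; the enumeration rules here match `net user ... /domain` and `net group "..." /domain`, the usual domain user and group enumeration forms, which is likewise an assumption rather than something the entry states.

```python
"""Added example (not MITRE's or any vendor's code).

Scans constructed process-creation events, one per line in the assumed layout
    timestamp|host|user|parent_image|image|command_line
for the command lines cited in the BlackCat entry and tags each hit with the
ATT&CK technique ID from the table. Sample events and regexes are constructed.
"""
import re
from collections import defaultdict

# (ATT&CK ID, description, regex on the full command line).
# fsutil and wevtutil are quoted in the entry; the `net` forms are an assumption.
RULES = [
    ("T1222.001", "fsutil enables remote symlink evaluation (R2L/R2R)",
     re.compile(r"\bfsutil(?:\.exe)?\s+behavior\s+set\s+SymlinkEvaluation\s+R2[LR]:1\b", re.I)),
    ("T1070.001", "wevtutil clears an event log",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)),
    ("T1087.002", "net enumerates domain accounts",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/domain\b", re.I)),
    ("T1069.002", "net queries a domain group (e.g. Domain Admins)",
     re.compile(r"\bnet1?(?:\.exe)?\s+group\s+\"[^\"]+\"\s+/domain\b", re.I)),
]

# Constructed sample events (assumed hosts FS02, WS01, WS07; no real data).
SAMPLE_LOG = [
    r"2024-01-01T01:00:00Z|WS01|corp\alice|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
    r"2024-01-01T01:02:10Z|FS02|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\fsutil.exe|fsutil behavior set SymlinkEvaluation R2L:1",
    r"2024-01-01T01:02:11Z|FS02|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\fsutil.exe|fsutil behavior set SymlinkEvaluation R2R:1",
    r"2024-01-01T01:03:00Z|FS02|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net user /domain",
    r'2024-01-01T01:03:05Z|FS02|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net group "Domain Admins" /domain',
    r"2024-01-01T01:09:00Z|FS02|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\wevtutil.exe|wevtutil.exe cl Security",
    # Benign drive mapping: `net use` without user/group enumeration should not fire.
    r"2024-01-01T02:00:00Z|WS07|corp\bob|C:\Windows\explorer.exe|C:\Windows\System32\net.exe|net use Z: \\fs02\share",
]


def parse_event(line):
    """Split one pipe-separated event into a dict; None for malformed lines."""
    parts = line.strip().split("|", 5)
    if len(parts) != 6:
        return None
    return dict(zip(("ts", "host", "user", "parent", "image", "cmdline"), parts))


def match_rules(cmdline):
    """Return (technique_id, description) for every rule the command line triggers."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Run every rule over every event; each hit records host, user, technique,
    the offending command line and whether cmd.exe was the parent (T1059.003)."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for tid, desc in match_rules(ev["cmdline"]):
            hits.append({
                "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                "technique": tid, "desc": desc, "cmdline": ev["cmdline"],
                "via_cmd": ev["parent"].lower().endswith("cmd.exe"),
            })
    return hits


def hosts_by_technique_count(hits, minimum=2):
    """Hosts on which at least `minimum` distinct techniques fired, with the
    sorted technique IDs; a single fsutil or net command is noisy on its own,
    the combination much less so."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["technique"])
    return {host: sorted(t) for host, t in per_host.items() if len(t) >= minimum}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["host"]} {h["technique"]} {h["desc"]}: {h["cmdline"]}')
    print("hosts with multiple techniques:", hosts_by_technique_count(found))
```

The wallpaper change (T1491.001) and VM snapshot wiping (T1561.001) are not covered: the entry gives no command line for them, so no rule is guessed here; they need registry or hypervisor telemetry rather than process-creation events. Note also that `fsutil behavior set SymlinkEvaluation` has legitimate administrative uses, so the per-host combination in `hosts_by_technique_count` is the part worth alerting on.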
Groups That Use This Software

ID | Name | References
---|---|---
G1015 | Scattered Spider | (Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)
References
- Australian Cyber Security Centre. (2022, April 14). 2022-004: ACSC Ransomware Profile - ALPHV (aka BlackCat). Retrieved December 20, 2022.
- Brandt, Andrew. (2022, July 14). BlackCat ransomware attacks not merely a byproduct of bad luck. Retrieved December 20, 2022.
- Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022.
- CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.
- Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.