
LockBit 2.0

LockBit 2.0 is an affiliate-based Ransomware-as-a-Service (RaaS) that has been in use since at least June 2021 as the successor to LockBit Ransomware. LockBit 2.0 has versions capable of infecting Windows and VMware ESXi virtual machines, and has been observed targeting multiple industry verticals globally.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)
ID: S1199
Type: MALWARE
Platforms: Windows
Created: 24 Jan 2025
Last Modified: 06 Feb 2025

Techniques Used

Domain: Enterprise for all rows. Each row gives the ATT&CK technique ID and name, followed by how LockBit 2.0 uses it.

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Use: LockBit 2.0 can bypass UAC by creating the Registry key `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration`.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Use: LockBit 2.0 can use a Registry Run key to establish persistence at startup.(Citation: FBI Lockbit 2.0 FEB 2022)

T1059.001 Command and Scripting Interpreter: PowerShell
Use: LockBit 2.0 can use the PowerShell module `InvokeGPUpdate` to modify Group Policy.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)

T1059.003 Command and Scripting Interpreter: Windows Command Shell
Use: LockBit 2.0 can use the Windows command shell for multiple post-compromise actions on objective.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: Cybereason Lockbit 2.0)

T1484.001 Domain or Tenant Policy Modification: Group Policy Modification
Use: LockBit 2.0 can modify Group Policy to disable Windows Defender and to automatically infect devices in Windows domains.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)

T1564.003 Hide Artifacts: Hidden Window
Use: LockBit 2.0 can execute command line arguments in a hidden window.(Citation: Palo Alto Lockbit 2.0 JUN 2022)

T1562.001 Impair Defenses: Disable or Modify Tools
Use: LockBit 2.0 can disable firewall rules and anti-malware and monitoring software, including Windows Defender.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)

T1070.001 Indicator Removal: Clear Windows Event Logs
Use: LockBit 2.0 can delete log files through the use of wevtutil.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: Cybereason Lockbit 2.0)(Citation: SentinelOne LockBit 2.0)

T1070.004 Indicator Removal: File Deletion
Use: LockBit 2.0 can delete itself from disk after execution.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: Cybereason Lockbit 2.0)

T1021.002 Remote Services: SMB/Windows Admin Shares
Use: LockBit 2.0 has the ability to move laterally via SMB.(Citation: Palo Alto Lockbit 2.0 JUN 2022)(Citation: SentinelOne LockBit 2.0)

T1053.005 Scheduled Task/Job: Scheduled Task
Use: LockBit 2.0 can be executed via a scheduled task.(Citation: Palo Alto Lockbit 2.0 JUN 2022)

T1614.001 System Location Discovery: System Language Discovery
Use: LockBit 2.0 can check if a targeted machine is using a set of Eastern European languages and exit without infecting it if so.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Palo Alto Lockbit 2.0 JUN 2022)
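The technique rows above name several host artifacts a responder can look for without any vendor tooling: the ICM\Calibration registry key (T1548.002), Run keys (T1547.001), Group Policy changes that switch off Windows Defender (T1484.001 / T1562.001), cleared event logs (T1070.001) and scheduled tasks (T1053.005). The read-only PowerShell audit below is an added example written for this page; it is not code from ATT&CK, SECURITM or any of the cited reports. It assumes standard Windows behaviour that is not stated on the page: clearing the Security log writes event 1102 and clearing the System log writes event 104, and the Defender policy value `DisableAntiSpyware` under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` is the usual Group Policy switch. The user-writable path heuristic for scheduled tasks and the shape of the output objects are this script's own choices, not indicators from the page.

```powershell
# Added example (not from the ATT&CK entry): read-only host audit for the
# artifacts this page attributes to LockBit 2.0. Run in an elevated PowerShell
# session on the host under investigation; nothing is modified.
$findings = @()

function Add-Finding([string]$Technique, [string]$Artifact, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Technique = $Technique; Artifact = $Artifact; Detail = $Detail }
}

# T1548.002: the UAC-bypass key named on the page. Its mere presence is worth a look.
$calKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ICM\Calibration'
if (Test-Path -LiteralPath $calKey) {
    $vals = (Get-ItemProperty -LiteralPath $calKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
    Add-Finding 'T1548.002' $calKey ($vals -join '; ')
}

# T1547.001: list every Run-key value for analyst review. The page names no
# specific value, so nothing is matched against a known name here.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($runKey in $runKeys) {
    if (-not (Test-Path -LiteralPath $runKey)) { continue }
    (Get-ItemProperty -LiteralPath $runKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Add-Finding 'T1547.001' "$runKey\$($_.Name)" "$($_.Value)" }
}

# T1484.001 / T1562.001: Defender switched off through policy. Assumption: the
# DisableAntiSpyware policy value is the standard switch (it is, on current Windows).
$defPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path -LiteralPath $defPol) {
    $p = Get-ItemProperty -LiteralPath $defPol
    if ($p.DisableAntiSpyware -eq 1) {
        Add-Finding 'T1562.001' "$defPol\DisableAntiSpyware" 'set to 1 (Defender disabled by policy)'
    }
}

# T1070.001: wevtutil clears leave their own trace. Assumption: Security 1102
# and System 104 are the "log cleared" events written by Windows itself.
$clearQueries = @(
    @{ LogName = 'Security'; Id = 1102 },
    @{ LogName = 'System';   Id = 104 }
)
foreach ($q in $clearQueries) {
    Get-WinEvent -FilterHashtable $q -MaxEvents 20 -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding 'T1070.001' "$($q.LogName) EventID $($q.Id)" "cleared at $($_.TimeCreated) by SID $($_.UserId)"
    }
}

# T1053.005: scheduled tasks whose action runs from a user-writable location.
# The path list is a heuristic chosen for this example, not an indicator from the page.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -and $a.Execute -match '(?i)\\(Users|ProgramData|Temp)\\') {
            Add-Finding 'T1053.005' "$($task.TaskPath)$($task.TaskName)" "$($a.Execute) $($a.Arguments)"
        }
    }
}

if ($findings.Count -eq 0) { 'No findings for the audited LockBit 2.0 artifacts.' }
else { $findings | Sort-Object Technique | Format-Table -AutoSize -Wrap }
```

The script only reports; every hit needs analyst review, since Run keys and scheduled tasks are legitimately used by plenty of software. A log-clear event with a timestamp that matches a burst of file modifications, or the ICM\Calibration key on a host where no display calibration has ever been configured, is the kind of correlation that turns a finding into a lead.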
