Ryuk ransomware deployed two weeks after Trickbot infection


Activity logs on a server used by the TrickBot trojan in post-compromise stages of an attack show that the actor takes an average of two weeks pivoting to valuable hosts on the network before deploying Ryuk ransomware.


After compromising the network, the attacker starts scanning for live systems that have specific ports open and stealing password hashes from the Domain Admin group.


Manual hacking


Researchers at SentinelOne have detailed the activity observed from logs on a Cobalt Strike server that TrickBot used to profile networks and systems.


Once the actor took an interest in a compromised network, they used modules from Cobalt Strike, a threat-emulation toolkit built for red teams and penetration testers.


One component is the DACheck script, which checks whether the current user has Domain Admin privileges and lists the members of that group. They also used Mimikatz to extract passwords that would help with lateral movement.



The researchers found that discovering computers of interest on the network is done by scanning for live hosts that have specific ports open.


Services like FTP, SSH, SMB, SQL server, remote desktop, and VNC are targeted because they help move to other computers on the network or indicate a valuable target.
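The port sweep described above is visible from the defender's side as one source touching many hosts on exactly these service ports. The following is an added example (not from SentinelOne's report or the article) that flags such sweeps in a constructed, hypothetical "src dst port action" firewall log; the port numbers are the well-known ones for the services the article names, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Ports for the services the article says the actor scans for
# (well-known port numbers; the article names the services, not the ports).
SERVICE_PORTS = {21: "ftp", 22: "ssh", 445: "smb", 1433: "mssql", 3389: "rdp", 5900: "vnc"}

# Constructed sample lines in a simple "src dst port action" firewall-log shape
# (hypothetical format, not from the article).
SAMPLE_LOG = """\
10.0.5.17 10.0.5.20 445 ALLOW
10.0.5.17 10.0.5.21 445 ALLOW
10.0.5.17 10.0.5.22 3389 ALLOW
10.0.5.17 10.0.5.23 22 DENY
10.0.5.17 10.0.5.24 5900 DENY
10.0.5.17 10.0.5.25 1433 DENY
10.0.5.17 10.0.5.26 21 DENY
10.0.5.40 10.0.5.20 445 ALLOW
10.0.5.40 10.0.5.20 443 ALLOW
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(ALLOW|DENY)$")

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def find_sweeps(log, min_hosts=5, min_services=3):
    """Return {src: {'hosts': n, 'services': [...]}} for sources that touched
    at least min_hosts distinct destinations across at least min_services
    of the lateral-movement ports. ALLOW and DENY both count: a sweep is
    about breadth of probing, not whether any connection succeeded."""
    hosts = defaultdict(set)
    services = defaultdict(set)
    for src, dst, port, _action in parse(log):
        if port in SERVICE_PORTS:
            hosts[src].add(dst)
            services[src].add(SERVICE_PORTS[port])
    return {
        src: {"hosts": len(hosts[src]), "services": sorted(services[src])}
        for src in hosts
        if len(hosts[src]) >= min_hosts and len(services[src]) >= min_services
    }

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {info['hosts']} hosts, services {info['services']}")
```

Tune `min_hosts` and `min_services` to the environment; a vulnerability scanner or monitoring host will trip the same logic and should be allow-listed rather than the thresholds raised.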



Dropping Ryuk


According to SentinelOne’s examination, the threat actor profiles each machine to extract as much useful information as possible. This allows them to take complete control of the network and get access to as many hosts as possible.


Reconnaissance and pivoting stages are followed by planting Ryuk ransomware and deploying it to a ..
