Dropping Files on a Domain Controller Using CVE-2021-43893 | Rapid7 Blog
Common Information
Type Value
UUID 93adc348-8c2f-4233-8124-2776e2df6452
Fingerprint 840a2915fd26f8d1
Analysis status DONE
Considered CTI value 2
Text language
Published Feb. 14, 2022, 3:30 p.m.
Added to db Jan. 18, 2023, 11:37 p.m.
Last updated Nov. 17, 2024, 6:55 p.m.
Headline Dropping Files on a Domain Controller Using CVE-2021-43893
Title Dropping Files on a Domain Controller Using CVE-2021-43893 | Rapid7 Blog
Detected Hints/Tags/Attributes 65/2/35
Attributes
Type                      #Events  Value
CVE                       2        cve-2021-43893
CVE                       2        cve-2021-43217
CVE                       10       cve-2021-41379
Domain                    27       responder.py
Domain                    5        petitpotam.py
Domain                    1        okhuman.ninja
Domain                    1        vulnerable.okhuman.ninja
Domain                    23       ntlmrelayx.py
Domain                    1        yet.okhuman.ninja
Domain                    1        yeet.okhuman.ninja
File                      3        efslsaext.dll
File                      25       responder.py
File                      5        petitpotam.py
File                      37       icacls.exe
File                      4        fveapi.dll
File                      1        cdpsgshims.dll
File                      1        c:\r7.txt
File                      1        r7.txt
File                      1        blankspace.exe
File                      1        c:\python27\fveapi.dll
File                      1        dll_inject64.dll
File                      312      calc.exe
File                      24       c:\windows\system32\calc.exe
File                      22       ntlmrelayx.py
md5                       33       aad3b435b51404eeaad3b435b51404ee
md5                       19       31d6cfe0d16ae931b73c59d7e0c089c0
md5                       1        6aa01bb4a68e7fd8650cdeb6ad2b63ec
md5                       1        430ef7587d6ac4410ac8b78dd5cc2bbe
IPv4                      10       10.0.0.4
IPv4                      8        10.0.0.6
IPv4                      17       10.0.0.5
IPv4                      15       10.0.0.3
IPv4                      3        10.0.0.12
Microsoft Patch Numbers   6        KB5005413
Windows Registry Key      1        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EFS\AllowOpenRawDL