SANS Ransomware Summit 2022, Can You Detect This?
Common Information
Type Value
UUID b7f9e8cc-34bb-4a1a-aa5b-fb1279718cf6
Fingerprint f6c52b8e33b9aca3
Analysis status DONE
Considered CTI value 0
Text language
Published June 16, 2022, 2:20 p.m.
Added to db Sept. 11, 2022, 12:38 p.m.
Last updated Nov. 17, 2024, 11:40 p.m.
Headline SANS Ransomware Summit 2022, Can You Detect This?
Title SANS Ransomware Summit 2022, Can You Detect This?
Detected Hints/Tags/Attributes 84/1/33
RSS Feed
Id Enabled Feed title Url Added to db
249 The DFIR Report https://thedfirreport.com/feed/ 2024-08-30 22:08
Attributes
Type #Events Value
Domain 4128 github.com
Domain 74 thedfirreport.com
Domain 24 mega.io
Domain 58 redcanary.com
Domain 18 ufile.io
File 459 regsvr32.exe
File 1018 rundll32.exe
File 2126 cmd.exe
File 1208 powershell.exe
File 59 ntdsutil.exe
File 256 net.exe
File 10 adf.bat
File 6 adfind.bat
File 2 locker.bat
File 17 kill.bat
File 1 def.bat
File 32 start.bat
File 12 shadow.bat
File 3 logdelete.bat
File 1 closeapps.bat
Github username 19 the-dfir-report
Github username 6 countercept
Github username 27 sigmahq
Url 1 https://github.com/the-dfir-report.
Url 1 https://github.com/countercept/chainsaw
Url 1 https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml
Url 1 https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml
Url 3 https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware
Url 1 https://thedfirreport.com/2022/04/25/quantum-ransomware
Url 2 https://github.com/sigmahq/sigma/blob/master/rules/windows/pipe_created/pipe_created_tool_psexec.yml
Url 2 https://github.com/sigmahq/sigma/blob/master/rules/windows/file_event/file_event_win_tool_psexec.yml
Url 1 https://redcanary.com/blog/rclone-mega-extortion
Url 1 https://github.com/the-dfir-report/sigma-rules/blob/main/win_cobaltstrike_operator_bloopers_cmds.yml