In June of 2022, we observed a threat actor gaining access to an environment via Emotet and operating over an eight-day period. During this time period, multiple rounds of enumeration and lateral movement occurred using Cobalt Strike. Remote access tools were used for command and control, such as Tactical RMM and AnyDesk. The threat actors' final actions included data exfiltration using Rclone and domain-wide deployment of Quantum Ransomware. We have observed similar traits in previous cases where Emotet and Quantum were seen.

The intrusion began when a user double-clicked a LNK file, which then executed encoded PowerShell commands to download an Emotet DLL onto the computer. Once executed, Emotet set up a Registry Run Key to maintain persistence on the beachhead host. Emotet then proceeded to execute a short list of discovery commands using the Windows utilities systeminfo, ipconfig, and nltest, targeting the network's domain controllers. These commands would go on to be repeated daily by the Emotet process. Around one and one-half hours after execution, Emotet began sending spam emails, mailing new malicious attachments to continue spreading.

Similar activity continued over the second day, but on the third day of the incident, Emotet dropped a Cobalt Strike executable beacon onto the beachhead host. Using the Cobalt Strike beacon, the threat actors began conducting a new round of discovery activity. Windows net commands were run targeting domain groups and computers, nltest was executed again, and they also used tasklist and ping to investigate a remote host. The threat actor then moved laterally to a workstation. They first attempted this using a PowerShell beacon and a remote service on the host, but while the script did execute on the remote host, it appeared to fail to connect to the command and control server. Next, they transferred a beacon executable over SMB to the remote host's ProgramData directory. This beacon was then successfully executed via WMI and connected to the threat actors' server. Once on this new host, the threat actors proceeded to run the net commands to review the Domain Administrators group again.
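As an added example (not code from the original report), the Python below runs simple hunting rules over constructed Sysmon-style process-creation records for the stages this narrative describes: LNK-launched encoded PowerShell, Emotet's systeminfo/ipconfig/nltest discovery triad on one host, Domain Admins enumeration via net, an executable launched from ProgramData by WmiPrvSE, and Rclone. The record field names, host names, and the regsvr32/update.exe paths are assumptions.

```python
from collections import defaultdict

# Constructed Sysmon Event ID 1 style records (not from the incident). The
# regsvr32 parent for the Emotet DLL and the update.exe name are assumptions.
EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "WS01", "parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\systeminfo.exe", "cmd": "systeminfo"},
    {"host": "WS01", "parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    {"host": "WS01", "parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /dclist:"},
    {"host": "WS01", "parent": r"C:\ProgramData\update.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmd": 'net group "Domain Admins" /domain'},
    {"host": "WS02", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\ProgramData\update.exe", "cmd": "update.exe"},
    {"host": "WS02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig"},
    {"host": "SRV01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\rclone.exe", "cmd": "rclone copy D:\\share r:b"},
]

def name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

# Per-event rules for the stages the narrative describes.
RULES = {
    "lnk_encoded_powershell": lambda e: (name(e["parent"]) == "explorer.exe"
        and name(e["image"]) == "powershell.exe" and "-enc" in e["cmd"].lower()),
    "domain_admins_enum": lambda e: (name(e["image"]) in ("net.exe", "net1.exe")
        and "domain admins" in e["cmd"].lower() and "/domain" in e["cmd"].lower()),
    "programdata_exec_via_wmi": lambda e: (name(e["parent"]) == "wmiprvse.exe"
        and e["image"].lower().startswith("c:\\programdata\\")),
    "rclone_exfil": lambda e: name(e["image"]) == "rclone.exe",
}
DISCOVERY = {"systeminfo.exe", "ipconfig.exe", "nltest.exe"}  # Emotet's triad

def hunt(events):
    """Return {rule: sorted hosts} for every rule that fired on the events."""
    hits, seen = defaultdict(set), defaultdict(set)
    for e in events:
        for rule, match in RULES.items():
            if match(e):
                hits[rule].add(e["host"])
        if name(e["image"]) in DISCOVERY:
            seen[e["host"]].add(name(e["image"]))
    for host, tools in seen.items():  # fire only when all three ran on one host
        if tools == DISCOVERY:
            hits["emotet_discovery_triad"].add(host)
    return {rule: sorted(hosts) for rule, hosts in hits.items()}
```

Running `hunt(EVENTS)` flags WS01 for the encoded PowerShell, the discovery triad and the Domain Admins lookup, WS02 for the ProgramData binary started under WmiPrvSE, and SRV01 for Rclone; WS02's lone ipconfig does not trigger the triad rule.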