Last active
December 16, 2022 14:53
Royal ransomware TTPs
Tactic | Technique | Procedure
---|---|---
Initial Access (TA0001) | Phishing: Spearphishing Attachment | A spearphishing email was sent to employees.
Execution (TA0002) | Command and Scripting Interpreter: Windows Command Shell | Qbot was launched through the Windows Command Shell with cmd.exe.
Execution (TA0002) | Command and Scripting Interpreter: PowerShell | Cobalt Strike was executed through encoded PowerShell commands.
Persistence (TA0003) | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The Qbot DLL was added to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Persistence (TA0003) | Create or Modify System Process: Windows Service | Cobalt Strike was installed as a Windows service on multiple systems.
Privilege Escalation (TA0004) | Domain Accounts | Royal ransomware operators used (privileged) domain accounts for lateral movement.
Privilege Escalation (TA0004) | Abuse Elevation Control Mechanism: Bypass User Account Control | Royal ransomware operators executed a known UAC bypass that abuses a default scheduled task to launch PowerShell with escalated privileges.
Defense Evasion (TA0005) | Obfuscated Files or Information: HTML Smuggling | A password-protected file containing an ISO file with a hidden file was used in combination with a LNK file to execute Qbot.
Defense Evasion (TA0005) | Domain Accounts | Royal ransomware operators used domain accounts for lateral movement.
Defense Evasion (TA0005) | Process Injection | Qbot and Cobalt Strike were both injected into legitimate Windows processes.
Discovery (TA0007) | Account Discovery: Local Account | The FindLocalAdmin PowerSploit script was used to find local administrator accounts on workstations/servers.
Discovery (TA0007) | Account Discovery: Domain Account | Users and groups were enumerated with built-in Windows utilities and with AdFind software.
Discovery (TA0007) | Domain Trust Discovery | Domain trust was enumerated with built-in Windows utilities.
Discovery (TA0007) | Network Share Discovery | Network shares were enumerated with PowerSploit software.
Lateral Movement (TA0008) | Remote Services: SMB/Windows Admin Shares | Remote admin shares (C$) were mounted from the Patient 0 workstation.
Lateral Movement (TA0008) | Use Alternate Authentication Material: Pass the Hash | The Royal ransomware operators leveraged credential hashes from privileged accounts to perform lateral movement.
Lateral Movement (TA0008) | Valid Accounts: Domain Accounts | Several (privileged) domain accounts were used during the attack for lateral movement and deployment of ransomware.
Command and Control (TA0011) | Application Layer Protocol | Cobalt Strike uses peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol.
Command and Control (TA0011) | Application Layer Protocol: Web Protocols | Qbot and Cobalt Strike used HTTPS traffic for their C2 communication.
Exfiltration (TA0010) | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Royal ransomware operators used Mega Cloud Storage and Dropbox to exfiltrate data from multiple hosts.
Impact (TA0040) | Data Encrypted for Impact | Royal ransomware encrypted files on systems with the .royal extension.
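As an added example (not part of the original gist), the small detection pass below turns three rows of the table into checks a defender can run over endpoint telemetry: the Qbot HKCU Run-key persistence, the encoded PowerShell execution used for Cobalt Strike, and files written with the `.royal` extension. The `Event` record, its `kind`/`detail` fields and the sample events are all constructed for this example; only the Run-key path and the `.royal` extension come from the table.

```python
"""Constructed detection pass for three Royal ransomware TTPs from the table:
HKCU Run-key persistence, encoded PowerShell, and .royal file writes.
The event format and all sample events below are constructed for this example."""
import base64
import re
from dataclasses import dataclass

# Run key named in the Persistence row of the table (HKCU only; HKLM is not covered here).
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Matches the -EncodedCommand switch and its common abbreviations, followed by base64.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


@dataclass
class Event:
    kind: str    # constructed field: "registry", "process" or "file"
    detail: str  # constructed field: registry value path, command line, or file path


def decode_encoded_powershell(cmdline: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE, as PowerShell expects),
    None if the switch is absent, or '<undecodable>' if the base64 does not decode."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def classify(event: Event):
    """Map one event to a TTP label from the table, or None if nothing matches."""
    detail = event.detail.lower()
    if event.kind == "registry" and detail.startswith(RUN_KEY.lower()):
        return "persistence:hkcu-run-key"
    if event.kind == "process" and "powershell" in detail:
        if decode_encoded_powershell(event.detail) is not None:
            return "execution:encoded-powershell"
    if event.kind == "file" and detail.endswith(".royal"):
        return "impact:royal-extension"
    return None


def scan(events):
    """Return (event, label) pairs for every event that matches a TTP check."""
    return [(e, label) for e in events if (label := classify(e)) is not None]


# Constructed sample telemetry. The encoded command is built here so the sample
# decodes to a harmless string rather than carrying any real payload.
_ENCODED = base64.b64encode("Write-Output hello".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    Event("registry", RUN_KEY + r"\<value-name> = C:\Users\Public\loader.dll"),
    Event("registry", r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp"),
    Event("process", f"powershell.exe -NoProfile -EncodedCommand {_ENCODED}"),
    Event("process", "powershell.exe -File C:\\Scripts\\backup.ps1"),
    Event("file", r"C:\Finance\Q3-report.xlsx.royal"),
    Event("file", r"C:\Finance\Q3-report.xlsx"),
]

if __name__ == "__main__":
    for event, label in scan(SAMPLE_EVENTS):
        print(f"{label:32} {event.detail}")
```

The Run-key check is deliberately limited to the HKCU path the table names; extending it to the HKLM Run keys is a one-line change. The PowerShell check decodes the payload so an analyst sees the command rather than base64, and returns `<undecodable>` instead of raising when the argument is malformed, which still counts as a hit.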