Collection and you will exfiltration

For the a number of the gizmos the attackers closed on, jobs were made to collect and you will exfiltrate comprehensive degrees of data from the team, as well as website name options and you may information and intellectual property. To do so, the newest attackers used both MEGAsync and you will Rclone, that have been rebranded just like the genuine Screen process labels (instance, winlogon.exe, mstsc.exe).

Event domain name advice allowed this new criminals to progress after that inside their attack given that told you pointers you will definitely choose prospective needs for lateral movement otherwise individuals who manage improve criminals dispersed the ransomware cargo. To do this, the brand new crooks again put ADRecon.ps1with several PowerShell cmdlets including the following:

• Get-ADRGPO – becomes category policy objects (GPO) for the a site
• Get-ADRDNSZone – will get every DNS zones and you may details for the a site
• Get-ADRGPLink – gets most of the category rules website links used on a scope of administration inside the a site

While doing so, the fresh new crooks fell and you may made use of ADFind.exe sales to gather details about individuals, servers, business systems, and you can faith suggestions, including pinged those gizmos to test relationships.
Čítať viac