Analytics Story: BlackSuit Ransomware

Description

This analytic story covers the tactics, techniques, and procedures (TTPs) associated with BlackSuit ransomware, as observed in a December 2023 intrusion. The story encompasses the full attack lifecycle, from the initial Cobalt Strike beacon through lateral movement and credential access to the deployment of BlackSuit ransomware. It aims to help security teams detect and respond to similar attacks by focusing on key behaviors such as Cobalt Strike activity, use of tools like ADFind and SharpHound, and the final ransomware deployment phase.

Why it matters

In December 2023, a sophisticated intrusion culminating in the deployment of BlackSuit ransomware was observed. The attack began with the execution of a Cobalt Strike beacon that initially communicated through Cloudflare to conceal the true C2 server. Throughout the intrusion the threat actors used SharpHound, Rubeus, SystemBC, and ADFind alongside built-in Windows utilities.

The attackers conducted extensive reconnaissance and lateral movement, obtaining credentials through AS-REP Roasting, Kerberoasting, and access to LSASS memory. They deployed multiple Cobalt Strike beacons across the environment and used RDP for further lateral movement. SystemBC was installed on a file server, providing an additional command-and-control channel and proxy functionality.

After 15 days of intermittent activity, the threat actors executed their final objective. They used ADFind for additional discovery, ran the Get-DataInfo.ps1 PowerShell script to gather system information, and deployed the BlackSuit ransomware. The ransomware binary (qwe.exe) was copied to remote systems over SMB through administrative shares and executed manually in RDP sessions. On execution, the ransomware deleted volume shadow copies before encrypting files across the compromised systems.

This analytic story provides detections for the stages of this attack, including Cobalt Strike beacon activity, use of reconnaissance tools, suspicious PowerShell executions, and indicators of ransomware deployment. Monitoring for these behaviors gives security teams a chance to detect and contain a BlackSuit intrusion before it reaches its final, destructive stage.
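The staging and pre-encryption behaviour described above, reduced to detection logic as an added example (this is not code from the analytic story or from the Splunk detections it lists). The Python below runs over constructed events shaped like the fields Splunk extracts from Security EventCode 5145 and 4624 and from Sysmon EventID 1, and flags a host where an executable was written to an administrative share and shadow copies were then deleted by a process running in an interactive RDP session. The host names, user names, logon IDs, IP addresses and file names are constructed sample data; the field names follow the Windows event schema, access mask 0x2 on 5145 is the standard WriteData/AddFile value, and logon type 10 is RemoteInteractive.

```python
"""Added example, not code from the Splunk analytic story or from the
BlackSuit intrusion it summarises. Correlates constructed events shaped
like Splunk's extracted fields for Security 4624 / 5145 and Sysmon
EventID 1: executable staged on an admin share, then shadow copies
deleted on the same host from an RDP (logon type 10) session.
Hosts, users, logon IDs and IPs below are invented for the example.
"""
import re

# Administrative shares as they appear in the 5145 ShareName field, e.g. \\*\ADMIN$ or \\*\C$
ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\(ADMIN\$|[A-Za-z]\$)$", re.IGNORECASE)
# File types worth alerting on when dropped into an administrative share
EXECUTABLE = re.compile(r"\.(exe|dll|bat|cmd|ps1)$", re.IGNORECASE)
# 5145 AccessMask 0x2 is WriteData/AddFile: the file was created or written, not just read
WRITE_MASK = "0x2"
# Shadow-copy deletion as seen in Sysmon EventID 1 command lines
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]
RDP_LOGON_TYPE = 10  # RemoteInteractive

# Constructed sample events (not real telemetry); each dict is one event's extracted fields.
EVENTS = [
    {"EventCode": 4624, "Computer": "FS01", "LogonType": 10, "TargetUserName": "svc_backup",
     "TargetLogonId": "0x3E7A1", "IpAddress": "10.0.5.20"},
    {"EventCode": 5145, "Computer": "FS01", "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "qwe.exe",
     "AccessMask": "0x2", "SubjectUserName": "svc_backup", "IpAddress": "10.0.5.20"},
    {"EventCode": 5145, "Computer": "FS01", "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "Temp\\notes.txt",
     "AccessMask": "0x2", "SubjectUserName": "svc_backup", "IpAddress": "10.0.5.20"},
    {"EventCode": 5145, "Computer": "WS07", "ShareName": r"\\*\Public", "RelativeTargetName": "setup.exe",
     "AccessMask": "0x2", "SubjectUserName": "jdoe", "IpAddress": "10.0.5.31"},
    {"EventCode": 1, "Computer": "FS01", "LogonId": "0x3E7A1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet", "ParentImage": r"C:\Windows\qwe.exe"},
    {"EventCode": 1, "Computer": "WS07", "LogonId": "0x1F4", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def admin_share_exe_writes(events):
    """5145 events where an executable was written into an administrative share."""
    hits = []
    for e in events:
        if e.get("EventCode") != 5145 or e.get("AccessMask") != WRITE_MASK:
            continue
        if ADMIN_SHARE.match(e.get("ShareName", "")) and EXECUTABLE.search(e.get("RelativeTargetName", "")):
            hits.append((e["Computer"], e["RelativeTargetName"], e.get("SubjectUserName"), e.get("IpAddress")))
    return hits


def shadow_copy_deletions(events):
    """Sysmon EventID 1 events whose command line deletes volume shadow copies."""
    return [e for e in events
            if e.get("EventCode") == 1
            and any(p.search(e.get("CommandLine", "")) for p in SHADOW_DELETE)]


def rdp_sessions(events):
    """Map logon ID -> (user, source IP) for RemoteInteractive (RDP) logons from 4624."""
    return {e["TargetLogonId"].lower(): (e["TargetUserName"], e.get("IpAddress"))
            for e in events
            if e.get("EventCode") == 4624 and e.get("LogonType") == RDP_LOGON_TYPE}


def correlate(events):
    """Per host: executable staged on an admin share AND shadow copies deleted.
    Reports whether the deleting process ran inside an RDP session (matched on LogonId)."""
    staged = {}
    for host, name, _user, _ip in admin_share_exe_writes(events):
        staged.setdefault(host, []).append(name)
    sessions = rdp_sessions(events)
    alerts = []
    for e in shadow_copy_deletions(events):
        host = e["Computer"]
        if host not in staged:
            continue
        session = sessions.get(e.get("LogonId", "").lower())
        alerts.append({
            "host": host,
            "staged_files": staged[host],
            "command": e["CommandLine"],
            "parent": e.get("ParentImage"),
            "rdp_session": session is not None,
            "rdp_user": session[0] if session else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

In a SIEM this would be two searches joined on host within a time window (the share write corresponds to the "Executable File Written in Administrative SMB Share" detection listed below); the LogonId join between Sysmon EventID 1 and the 4624 logon is what ties the vssadmin execution back to an interactive RDP session rather than a scheduled task or service, which is the distinguishing trait of the manual deployment described above. A "list shadows" command on another host is deliberately ignored by the patterns, since only deletion is destructive.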

Detections

Name | Technique | Type
Detect Activity Related to Pass the Hash Attacks | Use Alternate Authentication Material, Pass the Hash | Hunting
Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Anomaly
Create Remote Thread into LSASS | LSASS Memory, OS Credential Dumping | TTP
Detect Credential Dumping through LSASS access | LSASS Memory, OS Credential Dumping | TTP
Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Domain Controller Discovery with Nltest | Remote System Discovery | TTP
Elevated Group Discovery With Net | Permission Groups Discovery, Domain Groups | TTP
Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP
Kerberos Pre-Authentication Flag Disabled in UserAccountControl | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Randomly Generated Windows Service Name | Create or Modify System Process, Windows Service | Hunting
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Rubeus Command Line Parameters | Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting | TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access | Use Alternate Authentication Material, Pass the Ticket | TTP
Rundll32 with no Command Line Arguments with Network | System Binary Proxy Execution, Rundll32 | TTP
System Information Discovery Detection | System Information Discovery | TTP
Unknown Process Using The Kerberos Protocol | Use Alternate Authentication Material | TTP
Windows AD Abnormal Object Access Activity | Account Discovery, Domain Account | Anomaly
Windows AD Privileged Object Access Activity | Account Discovery, Domain Account | TTP
Windows AdFind Exe | Remote System Discovery | TTP
Windows Driver Load Non-Standard Path | Rootkit, Exploitation for Privilege Escalation | TTP
Windows Privilege Escalation Suspicious Process Elevation | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP
Windows Privilege Escalation System Process Without System Parent | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP
Windows Privilege Escalation User Process Spawn System Process | Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation | TTP
Windows Remote Create Service | Create or Modify System Process, Windows Service | Anomaly
Windows Remote Services Rdp Enable | Remote Desktop Protocol, Remote Services | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4624 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4662 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4738 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 5145 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational

Source: GitHub | Version: 1