| Name | Technique | Type |
|---|---|---|
| Scheduled tasks used in BadRabbit ransomware | Scheduled Task | TTP |
| 7zip CommandLine To SMB Share Path | Archive via Utility, Archive Collected Data | Hunting |
| Allow File And Printing Sharing In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall, Impair Defenses | TTP |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP |
| BCDEdit Failure Recovery Modification | Inhibit System Recovery | TTP |
| Clear Unallocated Sector Using Cipher App | File Deletion, Indicator Removal | TTP |
| CMLUA Or CMSTPLUA UAC Bypass | System Binary Proxy Execution, CMSTP | TTP |
| Common Ransomware Extensions | Data Destruction | Hunting |
| Common Ransomware Notes | Data Destruction | Hunting |
| Conti Common Exec parameter | User Execution | TTP |
| Delete ShadowCopy With PowerShell | Inhibit System Recovery | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Detect RClone Command-Line Usage | Automated Exfiltration | TTP |
| Detect Remote Access Software Usage File | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage Process | Remote Access Software | Anomaly |
| Detect Renamed RClone | Automated Exfiltration | Hunting |
| Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Disable AMSI Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable ETW Through Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Logs Using WevtUtil | Indicator Removal, Clear Windows Event Logs | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Excessive Service Stop Attempt | Service Stop | Anomaly |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Excessive Usage Of SC Service Utility | System Services, Service Execution | Anomaly |
| Execute Javascript With Jscript COM CLSID | Command and Scripting Interpreter, Visual Basic | TTP |
| Fsutil Zeroing File | Indicator Removal | TTP |
| ICACLS Grant Command | File and Directory Permissions Modification | TTP |
| Known Services Killed by Ransomware | Inhibit System Recovery | TTP |
| Modification Of Wallpaper | Defacement | TTP |
| MS Exchange Mailbox Replication service writing Active Server Pages | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP |
| Msmpeng Application DLL Side Loading | DLL Side-Loading, Hijack Execution Flow | TTP |
| Permission Modification using Takeown App | File and Directory Permissions Modification | TTP |
| Powershell Disable Security Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Powershell Enable SMB1Protocol Feature | Obfuscated Files or Information, Indicator Removal from Tools | TTP |
| Powershell Execute COM Object | Component Object Model Hijacking, Event Triggered Execution, PowerShell | TTP |
| Prevent Automatic Repair Mode using Bcdedit | Inhibit System Recovery | TTP |
| Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP |
| Recursive Delete of Directory In Batch CMD | File Deletion, Indicator Removal | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP |
| Revil Common Exec Parameter | User Execution | TTP |
| Revil Registry Entry | Modify Registry | TTP |
| Rundll32 LockWorkStation | System Binary Proxy Execution, Rundll32 | Anomaly |
| Schtasks used for forcing a reboot | Scheduled Task, Scheduled Task/Job | TTP |
| Spike in File Writes | None | Anomaly |
| Suspicious Event Log Service Behavior | Indicator Removal, Clear Windows Event Logs | Hunting |
| Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly |
| Suspicious wevtutil Usage | Clear Windows Event Logs, Indicator Removal | TTP |
| System Processes Run From Unexpected Locations | Masquerading, Rename System Utilities | Anomaly |
| UAC Bypass With Colorui COM Object | System Binary Proxy Execution, CMSTP | TTP |
| Uninstall App Using MsiExec | Msiexec, System Binary Proxy Execution | TTP |
| Unusually Long Command Line | None | Anomaly |
| Unusually Long Command Line - MLTK | None | Anomaly |
| USN Journal Deletion | Indicator Removal | TTP |
| WBAdmin Delete System Backups | Inhibit System Recovery | TTP |
| Wbemprox COM Object Execution | System Binary Proxy Execution, CMSTP | TTP |
| Windows Disable Change Password Through Registry | Modify Registry | Anomaly |
| Windows Disable Lock Workstation Feature Through Registry | Modify Registry | Anomaly |
| Windows Disable LogOff Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Memory Crash Dump | Data Destruction | TTP |
| Windows Disable Shutdown Button Through Registry | Modify Registry | Anomaly |
| Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly |
| Windows DiskCryptor Usage | Data Encrypted for Impact | Hunting |
| Windows DotNet Binary in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP |
| Windows Event Log Cleared | Indicator Removal, Clear Windows Event Logs | TTP |
| Windows Hide Notification Features Through Registry | Modify Registry | Anomaly |
| Windows InstallUtil in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP |
| Windows NirSoft AdvancedRun | Tool | TTP |
| Windows Raccine Scheduled Task Deletion | Disable or Modify Tools | TTP |
| Windows Registry Modification for Safe Mode Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Windows Remote Access Software Hunt | Remote Access Software | Hunting |
| WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task, Scheduled Task/Job | TTP |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP |
| Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly |
| Detect Remote Access Software Usage Traffic | Remote Access Software | Anomaly |
| Prohibited Network Traffic Allowed | Exfiltration Over Alternative Protocol | TTP |
| SMB Traffic Spike | SMB/Windows Admin Shares, Remote Services | Anomaly |
| SMB Traffic Spike - MLTK | SMB/Windows Admin Shares, Remote Services | Anomaly |
| TOR Traffic | Proxy, Multi-hop Proxy | TTP |
| Detect Remote Access Software Usage URL | Remote Access Software | Anomaly |
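The table names detections of two kinds: the TTP rows are largely command-line pattern matches (the Inhibit System Recovery and Indicator Removal entries in particular), while the Anomaly rows such as Excessive Service Stop Attempt are count-based. The Python below is an added example written for this page, not the page's own detection logic and not any vendor's published search: it approximates a handful of the named detections as regular expressions over constructed process-creation events, and adds a per-host sliding-window counter for the service-stop anomaly. The event tuple format, the threshold (more than 10 stops in 60 seconds), the service-name list and the sample events themselves are assumptions made here.

```python
"""Toy re-implementation of a few detections named in the table above, run over
constructed process-creation events. Added example; the patterns are simplified
approximations written here, not any vendor's published detection logic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0, 0)

# Constructed sample events (not real telemetry): (utc_time, host, command_line).
# WS01 plays a ransomware pre-encryption sequence; WS02 runs benign look-alikes.
SAMPLE_EVENTS = [
    (T0, "WS01", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    (T0 + timedelta(seconds=1), "WS01", "wbadmin.exe delete catalog -quiet"),
    (T0 + timedelta(seconds=2), "WS01", "bcdedit.exe /set {default} recoveryenabled no"),
    (T0 + timedelta(seconds=3), "WS01", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    (T0 + timedelta(seconds=4), "WS01", "wevtutil.exe cl Security"),
    (T0 + timedelta(seconds=5), "WS01", "fsutil.exe usn deletejournal /D C:"),
    (T0 + timedelta(seconds=6), "WS01",
     'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"'),
    (T0, "WS02", "vssadmin.exe list shadows"),                            # listing, not deleting
    (T0 + timedelta(seconds=1), "WS02", "wevtutil.exe qe Security /c:5"),  # query, not clear
    (T0 + timedelta(seconds=2), "WS02", "net.exe stop spooler"),           # a single stop
]
# Twelve service stops in 22 seconds on WS01 (assumed burst). The service names are
# a subset of those commonly found in ransomware kill lists plus a few generic ones.
SAMPLE_EVENTS += [
    (T0 + timedelta(seconds=10 + 2 * i), "WS01", f"net.exe stop {svc} /y")
    for i, svc in enumerate(["MSSQLSERVER", "SQLWriter", "vss", "sql", "svc$", "memtas",
                             "mepocs", "sophos", "veeam", "backup", "GxVss", "GxBlr"])
]

# (detection name from the table, regex). Simplified approximations, not vendor searches.
SIGNATURES = [
    ("Deleting Shadow Copies",
     r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b"),
    ("Delete ShadowCopy With PowerShell", r"win32_shadowcopy.*\|\s*remove-wmiobject"),
    ("WBAdmin Delete System Backups",
     r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b"),
    ("BCDEdit Failure Recovery Modification",
     r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    ("Prevent Automatic Repair Mode using Bcdedit",
     r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("Suspicious wevtutil Usage", r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"),
    ("USN Journal Deletion", r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b"),
    ("Known Services Killed by Ransomware",
     r"\b(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+"
     r"(?:vss|sql|svc\$|memtas|mepocs|sophos|veeam|backup)(?=\s|$)"),
]
COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in SIGNATURES]

# Any service stop via net/net1/sc, regardless of service name (feeds the anomaly rule).
SERVICE_STOP = re.compile(r"\b(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\b", re.IGNORECASE)


def match_signatures(events):
    """TTP-style matching: every (detection, host, command_line) hit, one per signature per event."""
    return [(name, host, cmd)
            for _, host, cmd in events
            for name, rx in COMPILED if rx.search(cmd)]


def excessive_service_stops(events, threshold=10, window=timedelta(seconds=60)):
    """Anomaly-style counting: hosts with more than `threshold` service-stop commands inside
    any sliding `window`; returns {host: peak count}. Threshold and window are assumed values."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, host, cmd in sorted(events, key=lambda e: e[0]):
        if not SERVICE_STOP.search(cmd):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:   # drop stops that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged


def triage(events):
    """Per-host summary combining both detection styles: {host: sorted detection names}."""
    summary = defaultdict(set)
    for name, host, _ in match_signatures(events):
        summary[host].add(name)
    for host in excessive_service_stops(events):
        summary[host].add("Excessive Service Stop Attempt")
    return {host: sorted(names) for host, names in summary.items()}


if __name__ == "__main__":
    for host, names in triage(SAMPLE_EVENTS).items():
        print(f"{host}:")
        for n in names:
            print(f"  {n}")
```

On the constructed input only WS01 is reported: seven single-command hits plus eight of its twelve stops naming a listed service, and the burst crosses the assumed threshold. WS02's `vssadmin list`, `wevtutil qe` and lone `net stop` produce nothing, which is the point of anchoring the patterns on the verb (`delete`, `cl`, `deletejournal`) rather than on the binary name alone.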