Detecting & Hunting Ransomware Operator Tools
Ryan Chapman
Author | FOR528: Ransomware for Incident Responders
About Me – Ryan Chapman | @rj_chap
incidentresponse.training
General Hunting
Learn more in FOR528: Ransomware for Incident Responders | for528.com/course
Ransomware Sucks!
Ransomware-as-a-Service (RaaS)
• Enables anyone to become an affiliate
[Figure: ransomware attack lifecycle, Initial Access through Extortion]

Initial Access (entry point)
• Phishing, Loader, Web Shell, Exploitation, Credential Stuffing/Re-use, RDP

Recon & Lateral Movement
• LOLBins: cmd.exe, at.exe, lsass.exe, net.exe, nltest.exe, ping.exe, powershell.exe, schtasks.exe, taskmgr.exe, whoami.exe, winrm.exe, WMIC
• Tooling: AdFind, AdRecon, Advanced IP Scanner, Bloodhound, Cobalt Strike, Lazagne, MetaSploit, Mimikatz, PowerSploit, PSExec
• Security tool disablers: GMER, ProcessHacker, TDSSKiller
• Systems touched: Endpoints, Domain Controller, Windows Servers, Linux Servers, ESXi

Exfiltration
• 7-Zip, WinSCP/FileZilla, Rclone, MEGASync, StealBIT

Deployment
• Test ransomware
• Deploy ransomware: Domain Controller, SCCM, .bat files, GPO, PSExec, or SMB
• Delete Shadow Copies, Delete Backups
• Cover tracks: remove or roll over logs

Extortion
• Publish stolen files to extortion site
• Sell stolen data
• Expanded extortion ecosystem

Remote control: RDP, TeamViewer, AnyDesk, Splashtop, Atera, ScreenConnect, etc.
Block/alert on these!
• File sharing sites
  • anonfiles.com
  • dropmefiles.com
  • file.io
  • mega.io | mega.nz
  • qaz.im
  • temp.sh
  • termbin.com
  • transfer.sh
  • ufile.io
• See the LOTS project: for528.com/lots
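Blocking the sites above at the proxy or DNS layer is the first step; the second is alerting on any request that still reaches them. The following Python is an added example, not part of the poster, that scans proxy log lines for the listed domains. The log layout (timestamp, client IP, method, URL or host, status) and the log lines themselves are constructed for the example; the matching is done on whole DNS labels so that subdomains such as www.transfer.sh are caught while look-alikes such as notmega.nz are not.

```python
import re
from urllib.parse import urlsplit

# Domains the poster says to block/alert on (file-sharing services abused for exfiltration).
FILE_SHARING_DOMAINS = {
    "anonfiles.com", "dropmefiles.com", "file.io", "mega.io", "mega.nz",
    "qaz.im", "temp.sh", "termbin.com", "transfer.sh", "ufile.io",
}

_PORT_RE = re.compile(r":\d+$")


def extract_host(target: str) -> str:
    """Return the lower-cased bare hostname from a URL or a host[:port] field."""
    target = target.strip().lower()
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = _PORT_RE.sub("", target.split("/", 1)[0])
    return host.rstrip(".")


def matches_blocklist(host: str):
    """Return the blocklisted domain that host equals or is a subdomain of, else None.

    Matching is done on whole DNS labels, so 'www.transfer.sh' matches 'transfer.sh'
    but 'notmega.nz' does not match 'mega.nz'.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):          # never test a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in FILE_SHARING_DOMAINS:
            return candidate
    return None


# Constructed sample proxy log (assumed layout: timestamp client_ip method url_or_host status).
SAMPLE_PROXY_LOG = """\
2024-03-01T10:15:02Z 10.0.5.23 GET https://intranet.example.local/reports 200
2024-03-01T10:16:41Z 10.0.5.23 PUT https://mega.nz/sc/abc123 200
2024-03-01T10:17:05Z 10.0.7.8 GET https://www.transfer.sh/get/xyz 200
2024-03-01T10:17:30Z 10.0.7.8 CONNECT anonfiles.com:443 200
2024-03-01T10:18:11Z 10.0.9.1 GET https://updates.example.com/patch.msi 200
2024-03-01T10:18:50Z 10.0.9.1 GET https://notmega.nz/index.html 200
""".splitlines()


def find_file_sharing_hits(lines):
    """Scan log lines and return one record per request to a blocklisted domain."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                           # skip malformed lines
        timestamp, client, method, target = parts[:4]
        host = extract_host(target)
        matched = matches_blocklist(host)
        if matched:
            hits.append({"time": timestamp, "client": client, "method": method,
                         "host": host, "matched": matched})
    return hits


def clients_with_hits(hits):
    """Group matched domains by client IP so one alert can be raised per source host."""
    by_client = {}
    for hit in hits:
        by_client.setdefault(hit["client"], set()).add(hit["matched"])
    return by_client


if __name__ == "__main__":
    found = find_file_sharing_hits(SAMPLE_PROXY_LOG)
    for hit in found:
        print(f"{hit['time']} {hit['client']} {hit['method']} {hit['host']} -> {hit['matched']}")
    print(clients_with_hits(found))
```

Grouping by client matters in practice: one workstation uploading to several of these services in a short window is a stronger exfiltration signal than isolated hits, and PUT/POST or CONNECT methods to these hosts deserve a higher severity than a GET.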
• AdFind: https://www.joeware.net/freetools/tools/adfind/index.htm
• AnyDesk: https://anydesk.com/en/downloads/
• rclone: https://rclone.org/downloads/
• WinSCP: https://winscp.net/eng/download.php
Security tool disablers
• GMER | gmer.exe
• HitmanPro.exe
• PCHunter.exe
• ProcessHacker.exe

Advanced
• Bring Your Own Vulnerable Driver (BYOVD)
  • for528.com/byovd
  • for528.com/byovd2
• DLL Hijacking
  • for528.com/hijack

LOLBAS
• sc/net
• tasklist/taskkill
• Get-Service/Stop-Service
• Get-Process/Stop-Process
AnyDesk
• %APPDATA%\AnyDesk\ad.trace
• %PROGRAMDATA%\AnyDesk\connection_trace.txt
• %PROGRAMDATA%\AnyDesk\ad_svc.trace

ConnectWise/ScreenConnect
• %SYSTEMROOT%\temp\screenconnect\[version]\
• %PROGRAMDATA%\ScreenConnect Client ([fingerprint])\
• %PROGRAMFILES(x86)%\ScreenConnect Client ([fingerprint])\
• %USERPROFILE%\Documents\ConnectWiseControl\Files\
• %USERPROFILE%\Documents\ConnectWiseControl\captures\
• Scripts written to: %SYSTEMROOT%\temp

TeamViewer
• C:\Program Files\TeamViewer\Connections_incoming.txt
• C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
• C:\Program Files\TeamViewer\TVNetwork.log
• %APPDATA%\TeamViewer\TeamViewer15_Logfile.log
• %LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log
Stamatoukos, 2020
• You may also see standard copy or xcopy commands run to copy the binaries, followed by PsExec or WMIC invocation.
Archive utilities (registry)
• NTUSER.DAT\Software\Nico Mak Computing\WinZip\
• NTUSER.DAT\Software\7-Zip\

MEGAsync
• Executable location: %LOCALAPPDATA%\MEGAsync
• Log files located in: %LOCALAPPDATA%\Mega Limited\MEGAsync\logs\
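The remote-access and exfiltration artifact paths above (AnyDesk, ScreenConnect, TeamViewer, MEGAsync) are easy to check by hand on one host and tedious across a fleet of mounted images. The Python below is an added example, not the poster's or any vendor's code: it turns the poster's path templates into glob patterns rooted in a mounted volume and reports which artifacts are present. The environment-variable mapping, the demo volume and its file names are constructed for the example; the registry keys for WinZip and 7-Zip are filesystem-independent and need a hive parser, so they are not included.

```python
import glob
import os
import re
import tempfile

# Artifact locations taken from the poster. Directory entries are given without the
# trailing backslash; [version] and [fingerprint] become glob wildcards.
ARTIFACT_TEMPLATES = {
    "AnyDesk": [
        r"%APPDATA%\AnyDesk\ad.trace",
        r"%PROGRAMDATA%\AnyDesk\connection_trace.txt",
        r"%PROGRAMDATA%\AnyDesk\ad_svc.trace",
    ],
    "ScreenConnect": [
        r"%SYSTEMROOT%\temp\screenconnect\[version]",
        r"%PROGRAMDATA%\ScreenConnect Client ([fingerprint])",
        r"%PROGRAMFILES(x86)%\ScreenConnect Client ([fingerprint])",
        r"%USERPROFILE%\Documents\ConnectWiseControl\Files",
        r"%USERPROFILE%\Documents\ConnectWiseControl\captures",
    ],
    "TeamViewer": [
        r"C:\Program Files\TeamViewer\Connections_incoming.txt",
        r"C:\Program Files\TeamViewer\TeamViewer15_Logfile.log",
        r"C:\Program Files\TeamViewer\TVNetwork.log",
        r"%APPDATA%\TeamViewer\TeamViewer15_Logfile.log",
        r"%LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log",
    ],
    "MEGAsync": [
        r"%LOCALAPPDATA%\MEGAsync",
        r"%LOCALAPPDATA%\Mega Limited\MEGAsync\logs",
    ],
}

_ENV_RE = re.compile(r"%([^%]+)%")
_PLACEHOLDER_RE = re.compile(r"\[(version|fingerprint)\]")
_WILDCARD = "\x00"   # sentinel that survives glob.escape and is swapped for '*' afterwards


def expand_template(template, env, drive_root):
    """Turn a poster-style Windows path into a glob pattern rooted in a mounted volume.

    env maps variable names (APPDATA, PROGRAMDATA, ...) to already-rooted paths; a
    literal C:\\ prefix is mapped to drive_root. An unknown variable raises KeyError so
    a gap in the mapping is not silently turned into a pattern that never matches.
    """
    env = {k.upper(): v for k, v in env.items()}
    path = _ENV_RE.sub(lambda m: env[m.group(1).upper()], template)
    path = _PLACEHOLDER_RE.sub(_WILDCARD, path)
    if path[:3].upper() == "C:\\":
        path = drive_root + "\\" + path[3:]
    path = path.replace("\\", os.sep)
    return glob.escape(path).replace(_WILDCARD, "*")


def find_artifacts(env, drive_root, templates=ARTIFACT_TEMPLATES):
    """Return {tool: [matching paths]} for every template that exists on the volume."""
    found = {}
    for tool, tool_templates in templates.items():
        for template in tool_templates:
            matches = sorted(glob.glob(expand_template(template, env, drive_root)))
            if matches:
                found.setdefault(tool, []).extend(matches)
    return found


def build_demo_volume():
    """Create a throwaway tree that mimics a mounted C: volume (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="rat_triage_demo_")
    sample_files = [
        "ProgramData/AnyDesk/connection_trace.txt",
        "ProgramData/ScreenConnect Client (abc123def)/client.log",
        "Users/alice/AppData/Local/Mega Limited/MEGAsync/logs/MEGAsync.log",
    ]
    for rel in sample_files:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
    return root


def demo_env(root, user="alice"):
    """Assumed variable-to-path mapping for the demo volume; rebuild it per user profile when triaging."""
    profile = os.path.join(root, "Users", user)
    return {
        "APPDATA": os.path.join(profile, "AppData", "Roaming"),
        "LOCALAPPDATA": os.path.join(profile, "AppData", "Local"),
        "USERPROFILE": profile,
        "PROGRAMDATA": os.path.join(root, "ProgramData"),
        "SYSTEMROOT": os.path.join(root, "Windows"),
        "PROGRAMFILES(X86)": os.path.join(root, "Program Files (x86)"),
    }


if __name__ == "__main__":
    volume = build_demo_volume()
    for tool, paths in find_artifacts(demo_env(volume), volume).items():
        print(tool)
        for p in paths:
            print("  ", p)
```

Because the per-user variables differ for every profile under Users\, run the check once per profile on a multi-user host; a hit in a service account's profile is often more telling than one under the interactive user.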
• Regex: ^.*COMSPEC.*echo.*pipe.*$
• General: "\%COMSPEC\%" AND echo AND pipe
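The two forms above are not equivalent: the regex requires COMSPEC, echo and pipe in that order and, as written, is case-sensitive, while the keyword form only requires all three tokens to be present. The Python below is an added example, not from the poster, that runs the regex exactly as given, a case-insensitive variant, and the keyword form over a few constructed records shaped like flattened service-install and process-creation events (none captured from a real system) so the difference is visible.

```python
import re

# Poster patterns: the regex exactly as written, plus a case-insensitive variant.
PSEXEC_REGEX = re.compile(r"^.*COMSPEC.*echo.*pipe.*$")
PSEXEC_REGEX_CI = re.compile(r"^.*COMSPEC.*echo.*pipe.*$", re.IGNORECASE)


def regex_match(line: str) -> bool:
    return PSEXEC_REGEX.search(line) is not None


def regex_ci_match(line: str) -> bool:
    return PSEXEC_REGEX_CI.search(line) is not None


def keyword_match(line: str) -> bool:
    """The poster's 'General' form: %COMSPEC% AND echo AND pipe, order-independent.
    Case-insensitive here, as most SIEM keyword searches are."""
    lowered = line.lower()
    return all(token in lowered for token in ("%comspec%", "echo", "pipe"))


# Constructed sample records shaped like flattened service-install / process-creation
# events; none are captured from a real system.
SAMPLE_EVENTS = [
    # COMSPEC, then echo, then a named pipe: all three forms fire
    r'EventID=7045 ServiceName=QNRUVK ImagePath="%COMSPEC% /C echo whoami ^> \\.\pipe\QNRUVK 2^>&1"',
    # benign service install: nothing fires
    r'EventID=7045 ServiceName=BackupAgent ImagePath="C:\Program Files\BackupAgent\agent.exe"',
    # lower-case %comspec%: the case-sensitive regex misses it
    r'EventID=7045 ServiceName=xyz ImagePath="%comspec% /c echo test > \\.\pipe\xyz"',
    # pipe before echo: the ordered regex misses it, the keyword form still fires
    r'EventID=4688 CommandLine="%COMSPEC% /c type \\.\pipe\out & echo done"',
]


def evaluate(lines):
    """Run all three detections over each line and report which ones fire."""
    return [
        {"index": i, "regex": regex_match(line), "regex_ci": regex_ci_match(line),
         "keywords": keyword_match(line)}
        for i, line in enumerate(lines)
    ]


def suspicious_lines(lines):
    """Indices of lines the keyword form flags (the broadest of the three)."""
    return [i for i, line in enumerate(lines) if keyword_match(line)]


if __name__ == "__main__":
    for result in evaluate(SAMPLE_EVENTS):
        print(result)
```

When porting the regex into a SIEM, add the engine's case-insensitive flag and consider the keyword form for the initial alert, then use the ordered regex (or the service name and image path themselves) to triage what fired.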
AUTHOR CONTACT
Ryan Chapman
[email protected]
Twitter: @rj_chap
linkedin.com/in/ryanjchapman/

SANS INSTITUTE
11200 Rockville Pike, Suite 200
N. Bethesda, MD 20852
301.654.SANS(7267)

DFIR RESOURCES
digital-forensics.sans.org
Twitter: @sansforensics

SANS EMAIL
GENERAL INQUIRIES: [email protected]
REGISTRATION: [email protected]
TUITION: [email protected]
PRESS/PR: [email protected]