TTPwire Vol. 1 · MITRE ATT&CK·Tagged


The DFIR Report

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

editor · 2025-05-19

ATT&CK techniques detected

104 predictions
T1003.001 LSASS Memory
100%
"32-bit and 64-bit versions) and its associated drivers and library files on the Confluence server, as the SYSTEM user: - mimikatz.exe - mimidrv.sys - mimilove.exe - mimilib.dll Figure: Sysmon FileCreate events showing Mimikatz files being created on the beachhead serve…"
T1021.001 Remote Desktop Protocol
99%
"_unmount.yml (deletion of existing share) proc_creation_win_susp_file_permission_modifications.yml (creation of share) proc_creation_win_net_start_service.yml (starting LanmanServer and LanmanWorkstation) Remote Desktop Protocol After the threat ac…"
T1021.002 SMB/Windows Admin Shares
99%
"…d_redirect.yml proc_creation_win_hktl_impacket_lateral_movement.yml proc_creation_win_susp_redirect_local_admin_share.yml Create share / enable SMBv2 From the beachhead – the threat actor uploaded a tool set that included several exploits as well …"
T1003.001 LSASS Memory
99%
"granted access flags 0x1010. Each time after running Mimikatz, the threat actor used notepad.exe one or more times to view the contents of the “!logs\result.txt” file containing the credential hashes dumped by Mimikatz. Figure: Notepad was used to view the Mimikatz output …"
T1055.001 Dynamic-link Library Injection
99%
"##44946ff67176a48 runassystem. exe 3f7d6e5a541aad1a52beb823f1576f6a 69519da0edeb9ad6ed739982a05b638d3fee20fb 085ad59bb8d32981ea590a7884da55d4b0a3f5e89a9632530c0c8ef2f379e471 defendercontrol. exe 0a50081a6cd37aea0945c91de91c5d97 755309c6d9fa4cd13b6c867cde01cc1e0d415d00 6606d759667…"
T1003.001 LSASS Memory
99%
"exe process accessed the Local Security Authority Subsystem Service (lsass.exe) to access credentials, and was granted access. Figure: Process Access Event ID 10 showing mimikatz.exe accessing lsass.exe The access granted flags 0x1010 translates to: - PROCESS_QUERY_LIM…"
T1055.001 Dynamic-link Library Injection
98%
"##d0b defendercontrol. ini c9bc430ea5bd0289cf3a6acdb69efac4 79d3fbde198ffa575904998b92285e3815a860c2 6e5a6629b5ec2eea276fe93553d31f3d23885b214db0a4c2c9201f65180d767f fast. ex _ 127fe6658efb06e77b674fdb9db7d6d5 4790bde7c2d233c07165caaab0f5b7d69a60c950 d5746d9f3284dadf60180f7f7332a…"
T1136.001 Local Account
98%
"The process that created the DLLs was explorer.exe. Reverse-engineering this DLL revealed its purpose. It contains a hard-coded username “crackenn” and a hard-coded password “*aaa111cracke” which are passed to the NetUserAdd Windows API function to add a local user ac…"
T1204.002 Malicious File
98%
"the command: Figure: PCAP showing exploit to run curl and start the downloaded payload The close timing of these events, coupled with the subsequent use of the original IP (45.227.254[.]124) as the intruder’s self-hosted AnyDesk server, strongly suggests these were n…"
T1190 Exploit Public-Facing Application
98%
"Impact - Timeline - Diamond Model - Indicators - Detections - MITRE ATT&CK Case Summary In late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection vulnerability, first from IP address 45.227.254[.]124, which just ran whoa…"
T1003.003 NTDS
98%
"]py file on GitHub, the purpose of the script is to dump hashes from a remote machine without executing an agent on the remote machine: # Description: # Performs various techniques to dump hashes from the # remote machine without executing any agent there. # For SAM and LSA Se…"
T1486 Data Encrypted for Impact
97%
"Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware Key Takeaways - The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing C…"
T1046 Network Service Discovery
97%
"or if it was random vulnerability scanning. NetScan On the third day of the intrusion – the threat actor dropped NetScan in a user's Desktop folder on the beachhead while connected to an interactive session via AnyDesk. Shortly after the file was created, the threat actor then ini…"
T1136.001 Local Account
96%
"from Confluence exploits delivering three Metasploit loaders Persistence New User Accounts Created Less than one second after the Metasploit loader accessed the LSASS process, a batch file named u1.bat was created in the Confluence folder C:\Program Files\Atlassian\Conflu…"
T1190 Exploit Public-Facing Application
96%
"and file servers by RDPing into them and executing the exe locally after copying it over SMB. While some data transfer was observed via the AnyDesk traffic, there was no evidence of collection or widespread data exfiltration prior to ransomware deployment. If you would like to ge…"
T1021.001 Remote Desktop Protocol
96%
"granted to the process. That access flag is used by many Sigma rules as an indication of suspicious process access preceding injection. Figure: Sysmon log: Metasploit loader accessing a svchost.exe process with full access 0x1F3FFF Near the end of the intrusion, the threat act…"
T1547.001 Registry Run Keys / Startup Folder
95%
"…s.exe process then executed itself as a child process several more times, about 45 seconds later, with command line arguments “-e u1” and “-e u2” and “-e watch-pid 5544 -!” Persistence was established by setting the value of the registry Windows Run key: “HKLM\\…"
T1486 Data Encrypted for Impact
95%
"of accessing and then unlinking VHD contents. Commands to halt virtual machine operations (Get-VM | Stop-VM) were also noted. Figure: Virtual machine discovery commands After encrypting, files were appended with the .ELPACO-team extension. Following execution on the back…"
T1486 Data Encrypted for Impact
95%
"of the Confluence server, the threat actor used an AnyDesk session to drop a file named ELPACO-team.exe on the Confluence server, but did not immediately execute it. Less than one minute later, the threat actor used RDP to connect from the Confluence server to a backup server,…"
T1190 Exploit Public-Facing Application
94%
"to run “whoami” occurred 20 minutes before this intrusion started, and came from IP address 45.227.254[.]124, evidenced in the network traffic capture below, and the Sysmon event logs from the Confluence server at the same time showing whoami.exe starting from parent proc…"
T1486 Data Encrypted for Impact
94%
"to a threat actor’s controlled server at IP address 45.227.254.124, bypassing AnyDesk’s relay servers. This direct connection method suggests an attempt to evade detection by network security tools that might otherwise monitor traffic routed through AnyDesk’s central inf…"
T1003.001 LSASS Memory
94%
"detected in Sysmon Event ID 8. Figure: Sysmon Event ID 8: Remote thread created in lsass.exe Several Sigma rules detected this activity: Potential Shellcode Injection - proc_access_win_susp_potential_shellcode_injection.yml Potentially Suspicious GrantedAccess Fl…"
T1003.001 LSASS Memory
93%
"movement activity 962fe167-e48d-4fd6-9974-11e5b9a5d6d1: LSASS Access From Non System Account 06d71506-7beb-4f22-8888-e2e5e2ca7fd8: Mimikatz Use 4627c6ae-6899-46e2-aa0c-6ebcb1becd19: HackTool - Impacket Tools Execution 8202070f-edeb-4d31-a010-a26…"
T1055.001 Dynamic-link Library Injection
93%
"…les\NetworkService\AppData\Local\Temp\ Figure: Malicious exe file saved to NetworkService temp folder The portable executable file hahlgiddb.exe was unusual in that it only imported two Windows API functions: VirtualAlloc and ExitProcess, and contained only the main…"
T1021.002 SMB/Windows Admin Shares
92%
"##4c4fd88d94642ad30310c641252 f7e11585ee968ad256be5a2e4c43a73c07034759 6492e765829974c4a636bff0e305261b18eea92fcb1df6fff69890366efc972d detections network sid 2026033 : et web _ specific _ apps apache struts java. lang inbound ognl injection remote code execution attempt sid 2025…"
T1550.002 Pass the Hash
91%
"AnyDesk\ad.trace). For each tool/file transfer event initiated via the copy/paste functionality in AnyDesk, there are a set of corresponding logs that indicate a file transfer has been initiated from the threat actor’s machine to the victim machine: This corresponds wi…"
T1055.001 Dynamic-link Library Injection
90%
"…loit loader execution The Metasploit loader, hahlgiddb.exe, connected to the same IP address that exploited the Confluence vulnerability to deliver the payload, 91.191.209[.]46 on TCP port 12385 to download the next stage payload. The payload, a portable executable (PE)…"
T1190 Exploit Public-Facing Application
90%
"##4074018 spider _ 32. dll f635d1c916a7c56678f08d1d998e7ce4 35ff55bcf493e1b936dc6e978a981ee2a75543a1 4f4864a1d5f19a3c5552d80483526f3413497835549dce8c61fef116b666fa09 netscan. exe e7aa5608c81ba4fcd8d166501b90fc06 5c714fda5b78726541301672a44eaf886728f88c 5748bfb17e662fb6d197886a69d…"
T1021.006 Windows Remote Management
89%
"several privileged groups): C:\Windows\System32\net1 user noname slepoy_123 /domain /add C:\Windows\System32\net1 group "Domain Admins" noname /domain /add C:\Windows\System32\net1 group "Enterprise Admins" noname /domain /add These wmiexec comm…"
T1021.001 Remote Desktop Protocol
89%
"…DenyTSConnections to 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 To guarantee network connectivity, the actor then adjusted Windows Firewall settings using netsh advfirewall command…"
T1219 Remote Access Tools
87%
"unattended access password Figure: Command line echo to send password “p@ssword1” to AnyDesk unattended password prompt. Finally – as a part of the observed tradecraft, the threat actor ran a command to get the AnyDesk ID of the newly installed system (to be able to reconne…"
T1068 Exploitation for Privilege Escalation
86%
"objective was to leverage the critical flaw in the Netlogon Remote Protocol to gain domain administrator privileges. The executed commands aimed to verify successful exploitation by running the whoami command in an elevated context. Despite these efforts against the domain contr…"
T1021.002 SMB/Windows Admin Shares
86%
"ET HUNTING Possible PowerShell .ps1 Script Use Over SMB SID 2025699: ET POLICY SMB Executable File Transfer SID 2050543: ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M2 SID 2851878: ETPRO MALWARE Cobalt Strike Stager Payload SID 2035480: ET HUNT…"
T1219.002 Remote Desktop Software
86%
"exe process, to install AnyDesk on the system as a service in the ProgramData directory: Sysmon logs captured the creation of the newly installed AnyDesk service Installation triggered several Sysmon ‘FileCreate’ events as well when dropping new configuration files in the ‘C…"
T1070.004 File Deletion
86%
"…ta\Local\Temp\5\7zipSfx.000\”. The 7za.exe file was created and executed. The 7za.exe file then created the rest of the files. - 7za.exe - Everything.exe - Everything32.dll - DC.exe - ELPACO-team.exe - [email protected] - gui35.exe - gui40.exe - xdel.ex…"
T1569.002 Service Execution
86%
"##4c4fd88d94642ad30310c641252 f7e11585ee968ad256be5a2e4c43a73c07034759 6492e765829974c4a636bff0e305261b18eea92fcb1df6fff69890366efc972d detections network sid 2026033 : et web _ specific _ apps apache struts java. lang inbound ognl injection remote code execution attempt sid 2025…"
T1047 Windows Management Instrumentation
84%
"was likely looking for systems vulnerable to the PrintNightmare (CVE-2021-34527) vulnerability. Figure: Process tree created when checkvuln.bat was run An analysis of the DCE/RPC lookup response from the DC indicated that neither of these endpoints seemed to be active a…"
T1555.003 Credentials from Web Browsers
83%
"folder that the Metasploit loader ran from. Figure: Sysmon file create log showing nbjlop.dll created by Metasploit loader The Metasploit loader created a named pipe with the same name as the DLL file without the extension, \\nbjlop Figure: Sysmon Event ID 17: Pipe creation…"
T1047 Windows Management Instrumentation
82%
"(NetScan being dropped to the Desktop, same scanning profile and same targets). RPCDump (PrintNightmare vulnerability discovery) On the third day of the intrusion, the threat actor attempted to enumerate RPC endpoints available on two IP addresses, both associated with domain…"
T1059.003 Windows Command Shell
79%
"##de376b1f80c06d501415dd973dcec 629c9649ced38fd815124221b80c9d9c59a85e74 f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446 processhacker - 2. 39 - setup. exe 54daad58cce5003bee58b28a4f465f49 162b08b0b11827cc024e6b2eed5887ec86339baa 28042dd4a92a0033b8f1d419b9e989c5b…"
T1021.001 Remote Desktop Protocol
78%
"of the Confluence server, the threat actor used an AnyDesk session to drop a file named ELPACO-team.exe on the Confluence server, but did not immediately execute it. Less than one minute later, the threat actor used RDP to connect from the Confluence server to a backup server,…"
T1574.001 DLL
75%
"##b35d6ed91239da2b931b5c37 spn _ nf3. exe 53e2e8ce119e2561bb6065b1a42f1085 d01f72d0a4609be76a83ac76a760485d29be854b e5f985b5a1f4f351616516553295e1224a02219825c35e3c64b55ecdc8a0d699 spider. dll 30a6cd2673ef5b2cb18f142780a5b4a3 1e0ec6994400413c7899cd5c59bdbd6397dea7b5 90cdcf54bbaeb…"
T1080 Taint Shared Content
74%
"of the Confluence server, the threat actor used an AnyDesk session to drop a file named ELPACO-team.exe on the Confluence server, but did not immediately execute it. Less than one minute later, the threat actor used RDP to connect from the Confluence server to a backup server,…"
T1547.008 LSASS Driver
71%
"exe process accessed the Local Security Authority Subsystem Service (lsass.exe) to access credentials, and was granted access. Figure: Process Access Event ID 10 showing mimikatz.exe accessing lsass.exe The access granted flags 0x1010 translates to: - PROCESS_QUERY_LIM…"
T1134.002 Create Process with Token
70%
"this more limited privilege: Metasploit ‘getsystem’ It appears in this case, the threat actor either attempted to getsystem using all methods, or at the very least attempted several methods that were observed in the logs. With this initial limited privilege, the threat actor a…"
T1003.001 LSASS Memory
70%
"…es as authentication for user accounts. Most likely, the NTLM hashes came from the output of Mimikatz. C:\Windows\System32\cmd.exe secretsdump.exe -hashes:[hash redacted] [username redacted]@[IP address redacted] In a timespan of less than two minutes, the t…"
T1219 Remote Access Tools
68%
"…DenyTSConnections to 0: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 To guarantee network connectivity, the actor then adjusted Windows Firewall settings using netsh advfirewall command…"
T1003 OS Credential Dumping
67%
"…es as authentication for user accounts. Most likely, the NTLM hashes came from the output of Mimikatz. C:\Windows\System32\cmd.exe secretsdump.exe -hashes:[hash redacted] [username redacted]@[IP address redacted] In a timespan of less than two minutes, the t…"
T1134.001 Token Impersonation/Theft
66%
"the documents, this method only requires the SeDebugPrivilege privilege (which the NETWORK SERVICE account does have), and iterates through all services to find one running under SYSTEM, then attempts to use reflective DLL injection to run the elevator.dll in the memory of tha…"
T1219 Remote Access Tools
66%
"-hosted) servers. The threat actor hosted their own on-prem AnyDesk server at IP address 45.227.254[.]124 (port 443), which was the same IP address that exploited the Confluence vulnerability to run “whoami” 20 minutes before the Metasploit payload was delivered usin…"
T1071.001 Web Protocols
65%
"different each time is outlined in a blue box. Figure: Screenshot from Wireshark showing client communication (in red shading) and server replies (in blue shading) between the victim Confluence host and the Metasploit server 91.191.209[.]46 on port 12385 The network com…"
T1003.001 LSASS Memory
65%
"…7d elastic_windows_trojan_metasploit_a91a6571 impacket_keyword impacket_lateral_movement impacket_tools_generic_1 impacket_tools_rpcdump impacket_tools_secretsdump impacket_tools_wmiexec mimikatz_memory_rule_1 sekoia_ransomware_win_ek…"
T1055.001 Dynamic-link Library Injection
64%
"…7d elastic_windows_trojan_metasploit_a91a6571 impacket_keyword impacket_lateral_movement impacket_tools_generic_1 impacket_tools_rpcdump impacket_tools_secretsdump impacket_tools_wmiexec mimikatz_memory_rule_1 sekoia_ransomware_win_ek…"
T1210 Exploitation of Remote Services
64%
"ET HUNTING Possible PowerShell .ps1 Script Use Over SMB SID 2025699: ET POLICY SMB Executable File Transfer SID 2050543: ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M2 SID 2851878: ETPRO MALWARE Cobalt Strike Stager Payload SID 2035480: ET HUNT…"
T1021.002 SMB/Windows Admin Shares
63%
"actor managed to compromise a domain administrator account, granting them widespread access and control within the target environment. That domain admin account was likely compromised through LSASS dumping, as evidenced by later use of NTLM hashes during lateral movement. The thr…"
T1080 Taint Shared Content
63%
"Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware Key Takeaways - The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing C…"
T1219.002 Remote Desktop Software
63%
"unattended access password Figure: Command line echo to send password “p@ssword1” to AnyDesk unattended password prompt. Finally – as a part of the observed tradecraft, the threat actor ran a command to get the AnyDesk ID of the newly installed system (to be able to reconne…"
T1087.002 Domain Account
62%
"”), hinting at the possibility of manual input, though the direct attribution of this specific activity to the primary threat actor is uncertain. This was followed by several commands used to perform directory listings under the ‘C:\Users\’ path to identify valid account n…"
T1219.002 Remote Desktop Software
62%
"-hosted) servers. The threat actor hosted their own on-prem AnyDesk server at IP address 45.227.254[.]124 (port 443), which was the same IP address that exploited the Confluence vulnerability to run “whoami” 20 minutes before the Metasploit payload was delivered usin…"
T1190 Exploit Public-Facing Application
59%
"ET HUNTING Possible PowerShell .ps1 Script Use Over SMB SID 2025699: ET POLICY SMB Executable File Transfer SID 2050543: ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M2 SID 2851878: ETPRO MALWARE Cobalt Strike Stager Payload SID 2035480: ET HUNT…"
T1219 Remote Access Tools
57%
"Impact - Timeline - Diamond Model - Indicators - Detections - MITRE ATT&CK Case Summary In late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection vulnerability, first from IP address 45.227.254[.]124, which just ran whoa…"
T1555.003 Credentials from Web Browsers
56%
"pipe creation events after removing the extension from the DLL filename and removing the backslashes from the pipe name. In the investigation of this case, such a query yielded clean results including only the Metasploit activity, even though there were many DLL file creation eve…"
T1021.001 Remote Desktop Protocol
55%
"option and launched an RDP session with the backup server: Sigma rule to detect mstsc.exe being spawned by netscan.exe Command and Control Metasploit and Meterpreter Metasploit was used to exploit the Confluence server and deliver a Meterpreter executable payload via curl, whic…"
T1059.001 PowerShell
53%
"…0 times in less than 10 minutes. Most of the process access events targeted lsass.exe (granted access 0x40) and svchost.exe (granted access 0x40 and 0x121411) Process access granted 0x40 means PROCESS_DUP_HANDLE which is required to call the DuplicateHandle Windows AP…"
T1550.002 Pass the Hash
51%
"detected in Sysmon Event ID 8. Figure: Sysmon Event ID 8: Remote thread created in lsass.exe Several Sigma rules detected this activity: Potential Shellcode Injection - proc_access_win_susp_potential_shellcode_injection.yml Potentially Suspicious GrantedAccess Fl…"
T1057 Process Discovery
51%
"Account - T1136 Create Process with Token - T1134.002 Data Encrypted for Impact - T1486 Disable or Modify System Firewall - T1562.004 Disable or Modify Tools - T1562.001 Exploitation for Privilege Escalation - T1068 Exploit Public-Facing Application - T1190 Ingress Tool Tran…"
T1219 Remote Access Tools
50%
"granted to the process. That access flag is used by many Sigma rules as an indication of suspicious process access preceding injection. Figure: Sysmon log: Metasploit loader accessing a svchost.exe process with full access 0x1F3FFF Near the end of the intrusion, the threat act…"
T1563.002 RDP Hijacking
49%
"granted to the process. That access flag is used by many Sigma rules as an indication of suspicious process access preceding injection. Figure: Sysmon log: Metasploit loader accessing a svchost.exe process with full access 0x1F3FFF Near the end of the intrusion, the threat act…"
T1204.002 Malicious File
49%
"##322fc9af36be96e0ec696daac2929bb802 sharpprintnightmare _ nf3. exe ee8d08b380bf3d3fe9961a0ab428549f 8900b1ef864eb390bf99b801d78a0b8dbd5d90b6 ff547a7803cd989f9f09a22323ec3f7079266b9a20a07f2c6f353547318ff172 spn. exe 44c031e3c922e711f7e3784f6d90b10f 5f13d476e9fabdf2ac6f805a98d62f3…"
T1190 Exploit Public-Facing Application
49%
"Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware Key Takeaways - The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing C…"
T1059.003 Windows Command Shell
48%
"execute Metasploit loader One difference between the first Metasploit process and the second is that on the second attempt, the Metasploit loader created a cmd.exe process with no command line arguments, then proceeded to access that process and was granted access 0x1FFFFF, whic…"
T1041 Exfiltration Over C2 Channel
48%
"to a threat actor’s controlled server at IP address 45.227.254.124, bypassing AnyDesk’s relay servers. This direct connection method suggests an attempt to evade detection by network security tools that might otherwise monitor traffic routed through AnyDesk’s central inf…"
T1547.008 LSASS Driver
48%
"detected in Sysmon Event ID 8. Figure: Sysmon Event ID 8: Remote thread created in lsass.exe Several Sigma rules detected this activity: Potential Shellcode Injection - proc_access_win_susp_potential_shellcode_injection.yml Potentially Suspicious GrantedAccess Fl…"
T1486 Data Encrypted for Impact
47%
"above to the new folder, while also creating new files in that folder: - svhostss.exe - Everything.ini - Everything2.ini - Everything32.dll - Everything64.dll - global_options.ini The svhostss.exe file hash matched the hash of the ELPACO-team.exe file that was extrac…"
T1550.002 Pass the Hash
47%
"actor managed to compromise a domain administrator account, granting them widespread access and control within the target environment. That domain admin account was likely compromised through LSASS dumping, as evidenced by later use of NTLM hashes during lateral movement. The thr…"
T1219 Remote Access Tools
47%
"the default local “Administrators” group. The Security event log recorded the user creation, enabling, modification, and password set events for user “noname” in Event ID 4720, 4722, 4738, and 4724. Although it wasn’t observed during this intrusion, Event ID 4741, which rec…"
T1071.001 Web Protocols
45%
"##7c73c47c62d70c546b62c8e1cc707841ec10e3 c3405d9c9d593d75d773c0615254e69d0362954384058ee970a3ec0944519c37 u1. bat 9a875116622272a7f0fb32ce6cc12040 02c264691764f3c7ab9492dcb443e52b0ee66229 15348e1401fe18b83e30a7e7f6b4de40b9981a0e133c22958324a89c188f2c49 wmiexec. exe 47e001253af200…"
T1003 OS Credential Dumping
44%
"##91025107382 dda90a452cc1540657606e5d40d304b1e58da751 6b93e585479a3c5b9a8edbe2b11a8371cb028e8b196acb1c16a425e8d8530cd7 hahlgiddb. exe 77ef2cad0de20482a6bb6cfcdc5d94d1 f46fa1fbab35f0d697ea896e81c4504de0487e57 abbe5619e1d7a08f807b57d0949a7f97108a546a415778f25ed35f31ee2cd2f5 secret…"
T1219 Remote Access Tools
44%
"exe process, to install AnyDesk on the system as a service in the ProgramData directory: Sysmon logs captured the creation of the newly installed AnyDesk service Installation triggered several Sysmon ‘FileCreate’ events as well when dropping new configuration files in the ‘C…"
T1134.001 Token Impersonation/Theft
44%
"RPCSS process which itself contains handles to NT AUTHORITY\SYSTEM tokens. Using the access to the RPCSS process, one of these tokens is selected and duplicated. Shortly after the creation of this named pipe, the Metasploit payload (hahlgiddb.exe) was observed creating two c…"
T1543.003 Windows Service
44%
"exe process, to install AnyDesk on the system as a service in the ProgramData directory: Sysmon logs captured the creation of the newly installed AnyDesk service Installation triggered several Sysmon ‘FileCreate’ events as well when dropping new configuration files in the ‘C…"
T1068 Exploitation for Privilege Escalation
44%
"RPCSS process which itself contains handles to NT AUTHORITY\SYSTEM tokens. Using the access to the RPCSS process, one of these tokens is selected and duplicated. Shortly after the creation of this named pipe, the Metasploit payload (hahlgiddb.exe) was observed creating two c…"
T1219 Remote Access Tools
43%
"Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware Key Takeaways - The threat actor first gained entry by exploiting a known vulnerability (CVE-2023-22527) on an internet-facing C…"
T1190 Exploit Public-Facing Application
43%
"“sessionresume_” and end in 8 random ASCII letters: Discovery Several discovery methods were observed in use throughout the attack chain to assist the threat actor in enumerating information about the environment. Many of the discovery commands were issued as a direct result …"
T1080 Taint Shared Content
42%
"to a threat actor’s controlled server at IP address 45.227.254.124, bypassing AnyDesk’s relay servers. This direct connection method suggests an attempt to evade detection by network security tools that might otherwise monitor traffic routed through AnyDesk’s central inf…"
T1003.006 DCSync
41%
"]py file on GitHub, the purpose of the script is to dump hashes from a remote machine without executing an agent on the remote machine: # Description: # Performs various techniques to dump hashes from the # remote machine without executing any agent there. # For SAM and LSA Se…"
T1003 OS Credential Dumping
40%
"its working # if they are not available (e.g. remote registry, even if it is # disabled). After the work is done, things are restored to the # original state. The command-line arguments handled by the version of the secretsdump[.]py that was embedded in the secretsdump.e…"
T1055.001 Dynamic-link Library Injection
40%
"exe process accessed the Local Security Authority Subsystem Service (lsass.exe) to access credentials, and was granted access. Figure: Process Access Event ID 10 showing mimikatz.exe accessing lsass.exe The access granted flags 0x1010 translates to: - PROCESS_QUERY_LIM…"
T1021.001 Remote Desktop Protocol
40%
"actor managed to compromise a domain administrator account, granting them widespread access and control within the target environment. That domain admin account was likely compromised through LSASS dumping, as evidenced by later use of NTLM hashes during lateral movement. The thr…"
T1003 OS Credential Dumping
40%
"granted access flags 0x1010. Each time after running Mimikatz, the threat actor used notepad.exe one or more times to view the contents of the “!logs\result.txt” file containing the credential hashes dumped by Mimikatz. Figure: Notepad was used to view the Mimikatz output …"
T1078 Valid Accounts
39%
"actor managed to compromise a domain administrator account, granting them widespread access and control within the target environment. That domain admin account was likely compromised through LSASS dumping, as evidenced by later use of NTLM hashes during lateral movement. The thr…"
T1021.002 SMB/Windows Admin Shares
39%
"several privileged groups): C:\Windows\System32\net1 user noname slepoy_123 /domain /add C:\Windows\System32\net1 group "Domain Admins" noname /domain /add C:\Windows\System32\net1 group "Enterprise Admins" noname /domain /add These wmiexec comm…"
T1078 Valid Accounts
39%
"of the Confluence server, the threat actor used an AnyDesk session to drop a file named ELPACO-team.exe on the Confluence server, but did not immediately execute it. Less than one minute later, the threat actor used RDP to connect from the Confluence server to a backup server,…"
T1190 Exploit Public-Facing Application
37%
"##79b0d c7440e621d1c5e90ca4963a4b3b52d27bac05a44248ca88dd51510489d1171bb rce - exploit - runasuser. bat 09ba9214257381231934a0115d7af8be 89e3247d2940d78ab13f060761f0c79afa806f39 22436fe549d791caa3007b567d28d51c8c75869519019c40564af4de53490fa2 step2 - runasuser. bat 6fbf6350c52d2f…"
T1003.004 LSA Secrets
36%
"granted access flags 0x1010. Each time after running Mimikatz, the threat actor used notepad.exe one or more times to view the contents of the “!logs\result.txt” file containing the credential hashes dumped by Mimikatz. Figure: Notepad was used to view the Mimikatz output …"
T1210 Exploitation of Remote Services
35%
"focusing on privilege escalation. The threat actor first performed several unsuccessful attempts using various named pipe impersonation and token duplication techniques; they then successfully escalated to SYSTEM using the RPCSS variant of named pipe impersonation. This allowed t…"
T1134.001 Token Impersonation/Theft
35%
"focusing on privilege escalation. The threat actor first performed several unsuccessful attempts using various named pipe impersonation and token duplication techniques; they then successfully escalated to SYSTEM using the RPCSS variant of named pipe impersonation. This allowed t…"
T1134 Access Token Manipulation
34%
"this more limited privilege: Metasploit ‘getsystem’ It appears in this case, the threat actor either attempted to getsystem using all methods, or at the very least attempted several methods that were observed in the logs. With this initial limited privilege, the threat actor a…"
T1021.002 SMB/Windows Admin Shares
34%
"focusing on privilege escalation. The threat actor first performed several unsuccessful attempts using various named pipe impersonation and token duplication techniques; they then successfully escalated to SYSTEM using the RPCSS variant of named pipe impersonation. This allowed t…"
T1564.006 Run Virtual Instance
33%
"of accessing and then unlinking VHD contents. Commands to halt virtual machine operations (Get-VM | Stop-VM) were also noted. Figure: Virtual machine discovery commands After encrypting, files were appended with the .ELPACO-team extension. Following execution on the back…"
T1190 Exploit Public-Facing Application
32%
"-hosted) servers. The threat actor hosted their own on-prem AnyDesk server at IP address 45.227.254[.]124 (port 443), which was the same IP address that exploited the Confluence vulnerability to run “whoami” 20 minutes before the Metasploit payload was delivered usin…"
T1059.012 Hypervisor CLI
31%
"of accessing and then unlinking VHD contents. Commands to halt virtual machine operations (Get-VM | Stop-VM) were also noted. Figure: Virtual machine discovery commands After encrypting, files were appended with the .ELPACO-team extension. Following execution on the back…"
T1134.001 Token Impersonation/Theft
31%
"this more limited privilege: Metasploit ‘getsystem’ It appears in this case, the threat actor either attempted to getsystem using all methods, or at the very least attempted several methods that were observed in the logs. With this initial limited privilege, the threat actor a…"
T1059.001 PowerShell
30%
"pipe creation events after removing the extension from the DLL filename and removing the backslashes from the pipe name. In the investigation of this case, such a query yielded clean results including only the Metasploit activity, even though there were many DLL file creation eve…"

Summary

Case Summary: In late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection vulnerability, first from IP address 45.227.254[.]124, which just ran whoami and exited. Shortly thereafter, a different IP address used the same exploit, running curl to deploy a Metasploit payload […]

The post Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware appeared first on The DFIR Report.