Incident Score: Analysis & Impact (LIMAMA1777312775)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with high confidence (90%), supported by evidence indicating microsoft Teams messages from external accounts posing as IT support, Phishing: Spearphishing Attachment (T1566.001) with moderate to high confidence (70%), supported by evidence indicating fake Mailbox Repair and Sync Utility hosted on AWS S3, and Supply Chain Compromise: Compromise Software Supply Chain (T1195.002) with moderate confidence (60%), supported by evidence indicating supply chain such as true, use of AWS S3 for malware hosting. Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with high confidence (90%), supported by evidence indicating victims tricked into installing fake Mailbox Repair and Sync Utility, Command and Scripting Interpreter: JavaScript (T1059.007) with moderate to high confidence (80%), supported by evidence indicating sNOWBELT such as JavaScript-based Chromium extension, and Command and Scripting Interpreter: Python (T1059.006) with moderate to high confidence (80%), supported by evidence indicating sNOWGLAZE such as Python-based WebSocket tunneler. Under the Persistence tactic, the analysis identified Browser Extensions (T1176) with moderate to high confidence (80%), supported by evidence indicating sNOWBELT such as JavaScript-based Chromium extension (MS Heartbeat) and Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate to high confidence (70%), supported by evidence indicating sNOWBASIN such as Persistent backdoor enabling remote command execution. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Domain Accounts (T1078.002) with high confidence (90%), supported by evidence indicating stolen credentials used for pass-the-hash to compromise domain controllers and OS Credential Dumping: LSASS Memory (T1003.001) with high confidence (90%), supported by evidence indicating extracts LSASS memory via Windows Task Manager. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with high confidence (90%), supported by evidence indicating sNOWGLAZE masquerades as Microsoft Edge traffic, Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating c2 communication via AES-GCM-encrypted AWS S3 traffic, Hide Artifacts: Email Hiding Rules (T1564.008) with moderate to high confidence (70%), supported by evidence indicating email bombing to overwhelm targets, and Ingress Tool Transfer (T1105) with moderate to high confidence (80%), supported by evidence indicating fake utility hosted on AWS S3 for credential harvesting. Under the Credential Access tactic, the analysis identified Input Capture: GUI Input Capture (T1056.002) with high confidence (90%), supported by evidence indicating deceptive double-entry password prompt for credential harvesting, OS Credential Dumping: NTDS (T1003.003) with high confidence (90%), supported by evidence indicating fTK Imager used to extract Active Directory databases (NTDS.dit), and Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with moderate to high confidence (70%), supported by evidence indicating sNOWBELT such as Chromium extension for credential access. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (80%), supported by evidence indicating internal reconnaissance post-compromise and Remote System Discovery (T1018) with moderate to high confidence (80%), supported by evidence indicating lateral movement to domain controllers. Under the Lateral Movement tactic, the analysis identified Use Alternate Authentication Material: Pass the Hash (T1550.002) with high confidence (90%), supported by evidence indicating pass-the-hash techniques to compromise domain controllers and Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (70%), supported by evidence indicating lateral movement within corporate networks. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating extracts NTDS.dit, registry hives, and LSASS memory and Screen Capture (T1113) with moderate to high confidence (80%), supported by evidence indicating sNOWBASIN enables screenshot capture. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating c2 via AES-GCM-encrypted AWS S3 traffic in 30-minute intervals, Web Service: Bidirectional Communication (T1102.002) with moderate to high confidence (80%), supported by evidence indicating sNOWGLAZE such as WebSocket tunneler for secure proxy, and Dynamic Resolution: Domain Generation Algorithms (T1568.002) with moderate confidence (60%), supported by evidence indicating use of legitimate cloud services (AWS S3, Heroku) for C2. Under the Exfiltration tactic, the analysis identified Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with high confidence (90%), supported by evidence indicating data exfiltrated via asynchronous PUT requests to attacker-controlled S3 buckets and Exfiltration Over C2 Channel (T1041) with moderate to high confidence (80%), supported by evidence indicating exfiltration via LimeWire and AWS S3. Under the Impact tactic, the analysis identified Defacement: Internal Defacement (T1491.001) with moderate confidence (50%), supported by evidence indicating internal reconnaissance and lateral movement and Data Destruction (T1485) with lower confidence (40%), supported by evidence indicating potential data destruction during lateral movement. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.