Incident Score: Analysis & Impact (BLE1776666261)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (90%), supported by evidence indicating citrixBleed2 vulnerability (CVE-2025-5777) in NetScaler appliances and External Remote Services (T1133) with moderate to high confidence (80%), supported by evidence indicating malicious ScreenConnect clients for persistence. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Windows Command Shell (T1059.003) with moderate to high confidence (70%), supported by evidence indicating scheduled task TPMProfiler launches qemu-system-x86_64.exe and System Services: Service Execution (T1569.002) with moderate to high confidence (80%), supported by evidence indicating qemu-system-x86_64.exe runs under SYSTEM account. Under the Persistence tactic, the analysis identified Scheduled Task/Job: Scheduled Task (T1053.005) with high confidence (90%), supported by evidence indicating scheduled task TPMProfiler launches QEMU VM and Create or Modify System Process: Windows Service (T1543.003) with moderate to high confidence (70%), supported by evidence indicating qEMU VM disguised as benign files (vault.db, bisrv.dll). Under the Privilege Escalation tactic, the analysis identified Process Injection (T1055) with moderate confidence (60%), supported by evidence indicating qEMU VM runs under SYSTEM account and Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) with moderate confidence (50%), supported by evidence indicating registry changes weaken credential protections. Under the Defense Evasion tactic, the analysis identified Hide Artifacts: Run Virtual Instance (T1564.006) with high confidence (95%), supported by evidence indicating qEMU-based VMs evade endpoint security tools on host, Indicator Removal: Timestomp (T1070.006) with moderate confidence (60%), supported by evidence indicating minimal forensic traces left by VM-based operations, and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (80%), supported by evidence indicating defender exclusions tampered with, vulnerable drivers exploited. Under the Credential Access tactic, the analysis identified OS Credential Dumping: NTDS (T1003.003) with high confidence (90%), supported by evidence indicating extract Active Directory databases via shadow copies, Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003) with moderate to high confidence (70%), supported by evidence indicating kerberos brute-forcing tools deployed in VM, and Brute Force: Password Spraying (T1110.003) with moderate confidence (60%), supported by evidence indicating credential harvesting via QEMU VM. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (80%), supported by evidence indicating bloodHound used for Active Directory mapping and Network Service Discovery (T1046) with moderate to high confidence (70%), supported by evidence indicating browse network shares using legitimate tools (Notepad, Paint). Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate confidence (60%), supported by evidence indicating lateral movement via host interaction and Remote Services: Windows Remote Management (T1021.006) with moderate to high confidence (70%), supported by evidence indicating sSH tunnels and Chisel for C2 communication. Under the Command and Control tactic, the analysis identified Proxy: External Proxy (T1090.002) with moderate to high confidence (80%), supported by evidence indicating wireGuard obfuscators and Chisel for tunneling, Ingress Tool Transfer (T1105) with moderate to high confidence (70%), supported by evidence indicating adaptixC2, Metasploit, and Rclone deployed in VM, and Protocol Tunneling (T1572) with high confidence (90%), supported by evidence indicating sSH tunnels from non-standard ports for C2. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating rclone used for data movement and exfiltration and Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002) with moderate to high confidence (70%), supported by evidence indicating sSH tunnels for data exfiltration. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (95%), supported by evidence indicating payoutsKing ransomware deployed via QEMU VM and Inhibit System Recovery (T1490) with moderate to high confidence (70%), supported by evidence indicating shadow copies created and exploited. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.