Incident Score: Analysis & Impact (SOLSONCIS1776457498)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (90%), supported by evidence indicating initial access via exposed SonicWall VPNs, SolarWinds Web Help Desk (CVE-2025-26399), External Remote Services (T1133) with high confidence (90%), supported by evidence indicating cisco SSL VPN exploits and exposed NetScaler ADC/Gateway (CVE-2025-5777), and Phishing: Spearphishing Link (T1566.002) with moderate to high confidence (80%), supported by evidence indicating microsoft Teams phishing tricking employees into installing QuickAssist. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Unix Shell (T1059.004) with moderate to high confidence (80%), supported by evidence indicating tools inside QEMU VM include BusyBox and reverse SSH tunnels, User Execution: Malicious File (T1204.002) with moderate to high confidence (70%), supported by evidence indicating employees tricked into installing QuickAssist via Teams phishing, and Windows Management Instrumentation (T1047) with moderate confidence (60%), supported by evidence indicating scheduled task (TPMProfiler) used to deploy hidden Alpine Linux VM. Under the Persistence tactic, the analysis identified Create or Modify System Process: Windows Service (T1543.003) with moderate to high confidence (80%), supported by evidence indicating installs a service (AppMgmt) and creates local admin user (CtxAppVCOMService), Scheduled Task/Job: Scheduled Task (T1053.005) with high confidence (90%), supported by evidence indicating scheduled task (TPMProfiler) disguises virtual disks as databases or DLLs, and Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003) with moderate confidence (60%), supported by evidence indicating qEMU-based VM deployment via scheduled tasks. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Domain Accounts (T1078.002) with moderate to high confidence (80%), supported by evidence indicating harvests NTDS.dit, SAM, and SYSTEM hives for Active Directory credentials and Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) with moderate to high confidence (70%), supported by evidence indicating creates local admin user (CtxAppVCOMService) for privilege escalation. Under the Defense Evasion tactic, the analysis identified Hide Artifacts: Run Virtual Instance (T1564.006) with high confidence (90%), supported by evidence indicating leverages QEMU emulator to deploy hidden Alpine Linux VMs, Masquerading: Match Legitimate Name or Location (T1036.005) with moderate to high confidence (80%), supported by evidence indicating disguises virtual disks as databases or DLLs, and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (70%), supported by evidence indicating terminates security tools via low-level system calls. Under the Credential Access tactic, the analysis identified OS Credential Dumping: NTDS (T1003.003) with high confidence (90%), supported by evidence indicating exfiltrates NTDS.dit, SAM, and SYSTEM hives via SMB and Rclone and Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003) with moderate to high confidence (70%), supported by evidence indicating tools like Impacket and KrbRelayx used for credential harvesting. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (80%), supported by evidence indicating bloodHound.py used for Active Directory reconnaissance and Remote System Discovery (T1018) with moderate to high confidence (70%), supported by evidence indicating metasploit and Impacket tools used for network discovery. Under the Lateral Movement tactic, the analysis identified Remote Services: SMB/Windows Admin Shares (T1021.002) with moderate to high confidence (80%), supported by evidence indicating exfiltrates NTDS.dit, SAM, and SYSTEM hives via SMB and Lateral Tool Transfer (T1570) with moderate to high confidence (70%), supported by evidence indicating tools like Chisel and Rclone used for lateral movement. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating harvests NTDS.dit, SAM, SYSTEM hives, and PII from compromised systems. Under the Command and Control tactic, the analysis identified Proxy: Internal Proxy (T1090.001) with moderate to high confidence (80%), supported by evidence indicating reverse SSH tunnels established via QEMU VM for covert remote access and Ingress Tool Transfer (T1105) with moderate to high confidence (70%), supported by evidence indicating tools like AdaptixC2, Chisel, and Metasploit installed inside VM. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating exfiltrates data via Rclone to remote SFTP servers and SMB and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with moderate to high confidence (70%), supported by evidence indicating rclone used for data exfiltration to remote servers. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (90%), supported by evidence indicating payouts King employs AES-256 (CTR) + RSA-4096 encryption for ransomware and Inhibit System Recovery (T1490) with moderate to high confidence (70%), supported by evidence indicating intermittent file encryption and anti-analysis techniques used. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.