Incident Score: Analysis & Impact (LIMAMA1777312775)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with high confidence (90%), supported by evidence indicating microsoft Teams messages from external accounts posing as IT support, Phishing: Spearphishing Attachment (T1566.001) with moderate to high confidence (70%), supported by evidence indicating fake Mailbox Repair and Sync Utility hosted on AWS S3, and Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.002) with moderate confidence (60%), supported by evidence indicating malware disguised as legitimate software (MS Heartbeat, Edge traffic). Under the Execution tactic, the analysis identified User Execution: Malicious File (T1204.002) with high confidence (90%), supported by evidence indicating victims tricked into installing fake Mailbox Repair and Sync Utility, Command and Scripting Interpreter: JavaScript (T1059.007) with moderate to high confidence (80%), supported by evidence indicating sNOWBELT such as JavaScript-based Chromium extension for C2 communication, and Command and Scripting Interpreter: Python (T1059.006) with moderate to high confidence (80%), supported by evidence indicating sNOWGLAZE such as Python-based WebSocket tunneler for proxy. Under the Persistence tactic, the analysis identified Browser Extensions (T1176) with moderate to high confidence (80%), supported by evidence indicating sNOWBELT such as JavaScript-based Chromium extension (MS Heartbeat) and Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate to high confidence (70%), supported by evidence indicating sNOWBASIN such as Persistent backdoor enabling remote command execution. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Domain Accounts (T1078.002) with high confidence (90%), supported by evidence indicating pass-the-hash techniques to compromise domain controllers and OS Credential Dumping: LSASS Memory (T1003.001) with high confidence (90%), supported by evidence indicating extracts LSASS memory via Windows Task Manager. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with high confidence (90%), supported by evidence indicating sNOWGLAZE masquerades as Microsoft Edge traffic, Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating c2 communication via AES-GCM-encrypted AWS S3 traffic, and Hide Artifacts: Email Hiding Rules (T1564.008) with moderate to high confidence (70%), supported by evidence indicating email bombing to overwhelm targets before Teams phishing. Under the Credential Access tactic, the analysis identified Input Capture: GUI Input Capture (T1056.002) with high confidence (90%), supported by evidence indicating deceptive double-entry password prompt to harvest credentials, OS Credential Dumping: NTDS (T1003.003) with high confidence (90%), supported by evidence indicating fTK Imager used to extract Active Directory databases (NTDS.dit), and Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with moderate to high confidence (70%), supported by evidence indicating sNOWBELT Chromium extension may target browser credentials. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (80%), supported by evidence indicating internal reconnaissance post-compromise and Remote System Discovery (T1018) with moderate to high confidence (80%), supported by evidence indicating lateral movement to domain controllers. Under the Lateral Movement tactic, the analysis identified Use Alternate Authentication Material: Pass the Hash (T1550.002) with high confidence (90%), supported by evidence indicating pass-the-hash techniques to compromise domain controllers and Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (70%), supported by evidence indicating lateral movement within corporate networks. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating extracts NTDS.dit, registry hives, and LSASS memory and Screen Capture (T1113) with moderate to high confidence (80%), supported by evidence indicating sNOWBASIN enables screenshot capture. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating aES-GCM-encrypted AWS S3 traffic for C2 communication, Web Service: Bidirectional Communication (T1102.002) with moderate to high confidence (80%), supported by evidence indicating sNOWGLAZE WebSocket tunneler for secure proxy, and Proxy: External Proxy (T1090.002) with moderate to high confidence (80%), supported by evidence indicating sNOWGLAZE establishes proxy between victim and C2. Under the Exfiltration tactic, the analysis identified Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with high confidence (90%), supported by evidence indicating data exfiltrated via attacker-controlled Amazon S3 buckets, Exfiltration Over C2 Channel (T1041) with moderate to high confidence (80%), supported by evidence indicating asynchronous PUT requests to S3 buckets for credential exfiltration, and Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (70%), supported by evidence indicating data exfiltrated via LimeWire. Under the Impact tactic, the analysis identified Defacement: Internal Defacement (T1491.001) with moderate confidence (60%), supported by evidence indicating potential reputational damage due to GDPR violations. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.