Incident Score: Analysis & Impact (MIC1777004961)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing: Spearphishing Link (T1566.002) with high confidence (90%), supported by evidence indicating phishing messages via Microsoft Teams, posing as IT helpdesk staff and Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.002) with moderate to high confidence (70%), supported by evidence indicating fake Mailbox Repair and Sync Utility hosted on AWS S3 bucket. Under the Execution tactic, the analysis identified User Execution: Malicious Link (T1204.001) with high confidence (90%), supported by evidence indicating victims accepted a Teams chat from an external account, Command and Scripting Interpreter: JavaScript (T1059.007) with moderate to high confidence (80%), supported by evidence indicating sNOWBELT (JavaScript extension) establishes persistence, and Command and Scripting Interpreter: Windows Command Shell (T1059.003) with moderate to high confidence (70%), supported by evidence indicating sNOWBASIN executes shell commands. Under the Persistence tactic, the analysis identified Browser Extensions (T1176) with high confidence (90%), supported by evidence indicating sNOWBELT malware disguised as MS Heartbeat Chromium extension and Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate to high confidence (80%), supported by evidence indicating windows Startup shortcuts, scheduled tasks for persistence. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Domain Accounts (T1078.002) with moderate to high confidence (80%), supported by evidence indicating pass-the-Hash to authenticate to domain controllers and Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) with moderate confidence (60%), supported by evidence indicating fake Health Check prompted users to re-enter passwords. Under the Defense Evasion tactic, the analysis identified Masquerading: Match Legitimate Name or Location (T1036.005) with high confidence (90%), supported by evidence indicating sNOWBELT disguised as MS Heartbeat, AutoHotkey as RegSrvc.exe, Subvert Trust Controls: Code Signing (T1553.002) with moderate to high confidence (70%), supported by evidence indicating abused legitimate external collaboration features in Teams, and Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating c2 traffic blended with legitimate encrypted web traffic via Heroku. Under the Credential Access tactic, the analysis identified Input Capture: GUI Input Capture (T1056.002) with high confidence (90%), supported by evidence indicating fake Health Check prompted users to re-enter passwords, OS Credential Dumping: LSASS Memory (T1003.001) with high confidence (90%), supported by evidence indicating dumping LSASS memory via Task Manager to extract password hashes, OS Credential Dumping: Security Account Manager (T1003.002) with high confidence (90%), supported by evidence indicating extracted SAM, SYSTEM, and SECURITY hives using FTK Imager, and OS Credential Dumping: NTDS (T1003.003) with high confidence (90%), supported by evidence indicating extracted Active Directory databases (NTDS.dit). Under the Discovery tactic, the analysis identified Network Service Discovery (T1046) with moderate to high confidence (80%), supported by evidence indicating scanned networks for open ports (135, 445, 3389). Under the Lateral Movement tactic, the analysis identified Remote Services: SMB/Windows Admin Shares (T1021.002) with moderate to high confidence (80%), supported by evidence indicating used PsExec to move laterally and Use Alternate Authentication Material: Pass the Hash (T1550.002) with high confidence (90%), supported by evidence indicating pass-the-Hash to authenticate to domain controllers. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating captures screenshots, exfiltrates files via SNOWBASIN and Data from Information Repositories: Sharepoint (T1213.002) with moderate confidence (60%), supported by evidence indicating targeted enterprise networks, likely including internal repositories. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating c2 via Heroku server (wss such as //sad4w7h913-b4a57f9c36eb.herokuapp.com), Web Service: Bidirectional Communication (T1102.002) with moderate to high confidence (80%), supported by evidence indicating sNOWGLAZE routes traffic via SOCKS proxy to Heroku C2, and Fallback Channels (T1008) with moderate to high confidence (70%), supported by evidence indicating dGA-based S3 URLs for C2 (SNOWBELT). Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating exfiltrated data via LimeWire and cloud-based C2 channels and Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002) with moderate to high confidence (80%), supported by evidence indicating abused AWS S3 for payload delivery and exfiltration. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.