Incident Score: Analysis & Impact (SOLSONCIS1776457498)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (90%), supported by evidence indicating initial access via exposed SonicWall VPNs, SolarWinds Web Help Desk (CVE-2025-26399), External Remote Services (T1133) with high confidence (90%), supported by evidence indicating cisco SSL VPN exploits and exposed VPNs used for initial access, and Phishing: Spearphishing Link (T1566.002) with moderate to high confidence (80%), supported by evidence indicating microsoft Teams phishing tricking employees into installing QuickAssist. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Windows Command Shell (T1059.003) with moderate to high confidence (70%), supported by evidence indicating scheduled task (TPMProfiler) used to deploy hidden Alpine Linux VM and User Execution: Malicious File (T1204.002) with moderate to high confidence (70%), supported by evidence indicating employees tricked into installing QuickAssist via Teams phishing. Under the Persistence tactic, the analysis identified Scheduled Task/Job: Scheduled Task (T1053.005) with high confidence (90%), supported by evidence indicating scheduled task (TPMProfiler) used to deploy QEMU-based VM, Create or Modify System Process: Windows Service (T1543.003) with moderate to high confidence (80%), supported by evidence indicating installs service (AppMgmt) and creates local admin user (CtxAppVCOMService), and Event Triggered Execution: Accessibility Features (T1546.008) with moderate confidence (60%), supported by evidence indicating screenConnect deployed for persistence in STAC3725 campaign. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Domain Accounts (T1078.002) with moderate to high confidence (80%), supported by evidence indicating harvests NTDS.dit, SAM, and SYSTEM hives for Active Directory credentials and Access Token Manipulation: Create Process with Token (T1134.002) with moderate to high confidence (70%), supported by evidence indicating tools like Impacket and KrbRelayx used for credential harvesting. Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with high confidence (90%), supported by evidence indicating terminates security tools via low-level system calls, Process Injection: Process Hollowing (T1055.012) with moderate to high confidence (80%), supported by evidence indicating qEMU VMs used to execute malicious payloads evading endpoint security, and Masquerading: Match Legitimate Name or Location (T1036.005) with moderate to high confidence (80%), supported by evidence indicating virtual disks disguised as databases or DLLs. Under the Credential Access tactic, the analysis identified OS Credential Dumping: Security Account Manager (T1003.002) with high confidence (90%), supported by evidence indicating exfiltrates SAM and SYSTEM hives via SMB and Rclone, OS Credential Dumping: NTDS (T1003.003) with high confidence (90%), supported by evidence indicating exfiltrates NTDS.dit for Active Directory credential harvesting, and Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003) with moderate to high confidence (70%), supported by evidence indicating bloodHound.py and Impacket used for AD reconnaissance. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (80%), supported by evidence indicating bloodHound.py used for Active Directory reconnaissance and Remote System Discovery (T1018) with moderate to high confidence (70%), supported by evidence indicating metasploit and Impacket tools used for network discovery. Under the Lateral Movement tactic, the analysis identified Remote Services: SMB/Windows Admin Shares (T1021.002) with moderate to high confidence (80%), supported by evidence indicating exfiltrates NTDS.dit, SAM, and SYSTEM hives via SMB and Use Alternate Authentication Material: Pass the Ticket (T1550.003) with moderate to high confidence (70%), supported by evidence indicating krbRelayx used for lateral movement in AD environments. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating harvests NTDS.dit, SAM, SYSTEM hives, and PII from compromised systems. Under the Command and Control tactic, the analysis identified Ingress Tool Transfer (T1105) with moderate to high confidence (80%), supported by evidence indicating tools like AdaptixC2, Chisel, BusyBox, and Rclone deployed in QEMU VM and Proxy: Internal Proxy (T1090.001) with moderate to high confidence (80%), supported by evidence indicating reverse SSH tunnels established for covert remote access. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating exfiltrates data via Rclone to remote SFTP servers and Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002) with moderate to high confidence (80%), supported by evidence indicating data exfiltrated via FTP in STAC3725 campaign. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (90%), supported by evidence indicating aES-256 (CTR) + RSA-4096 encryption used for ransomware and Inhibit System Recovery (T1490) with moderate to high confidence (70%), supported by evidence indicating anti-analysis techniques and intermittent file encryption. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.