Incident Score: Analysis & Impact (SOLSONCIS1776457498)

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (90%), with evidence including initial access via exposed SonicWall VPNs, solarWinds Web Help Desk (CVE-2025-26399), and cisco SSL VPN exploits, Phishing: Spearphishing Link (T1566.002) with moderate to high confidence (80%), supported by evidence indicating microsoft Teams phishing, tricking employees into installing QuickAssist, and External Remote Services (T1133) with high confidence (90%), supported by evidence indicating exposed SonicWall VPNs, Cisco SSL VPN exploits. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Unix Shell (T1059.004) with moderate to high confidence (80%), supported by evidence indicating tools inside the VM include BusyBox, Chisel, and Rclone, User Execution: Malicious File (T1204.002) with moderate to high confidence (70%), supported by evidence indicating microsoft Teams phishing (QuickAssist installation), and System Services: Service Execution (T1569.002) with moderate to high confidence (80%), supported by evidence indicating installs a service (AppMgmt) in STAC3725 campaign. Under the Persistence tactic, the analysis identified Scheduled Task/Job: Scheduled Task (T1053.005) with high confidence (90%), supported by evidence indicating deploy hidden Alpine Linux VM via scheduled task (TPMProfiler), Create Account: Local Account (T1136.001) with moderate to high confidence (80%), supported by evidence indicating creates a local admin user (CtxAppVCOMService), Create or Modify System Process: Windows Service (T1543.003) with moderate to high confidence (80%), supported by evidence indicating installs a service (AppMgmt) for persistence, and Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003) with moderate to high confidence (70%), supported by evidence indicating screenConnect deployed for persistence in STAC3725. Under the Privilege Escalation tactic, the analysis identified Valid Accounts: Domain Accounts (T1078.002) with moderate to high confidence (80%), supported by evidence indicating harvests NTDS.dit, SAM, and SYSTEM hives for credentials and Exploitation for Privilege Escalation (T1068) with moderate to high confidence (70%), supported by evidence indicating exploits CVE-2025-26399, CVE-2025-5777 for initial access. Under the Defense Evasion tactic, the analysis identified Hide Artifacts: Run Virtual Instance (T1564.006) with high confidence (90%), supported by evidence indicating leverages QEMU emulator to deploy hidden Alpine Linux VMs, Masquerading: Match Legitimate Name or Location (T1036.005) with moderate to high confidence (80%), supported by evidence indicating disguises virtual disks as databases or DLLs, and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (80%), supported by evidence indicating terminates security tools via low-level system calls. Under the Credential Access tactic, the analysis identified OS Credential Dumping: Security Account Manager (T1003.002) with high confidence (90%), supported by evidence indicating exfiltrates SAM and SYSTEM hives via SMB and Rclone, OS Credential Dumping: NTDS (T1003.003) with high confidence (90%), supported by evidence indicating exfiltrates NTDS.dit for Active Directory credentials, and Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003) with moderate to high confidence (70%), supported by evidence indicating tools like Impacket, KrbRelayx, BloodHound.py used for AD reconnaissance. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (80%), supported by evidence indicating bloodHound.py used for Active Directory reconnaissance and Remote System Discovery (T1018) with moderate to high confidence (70%), supported by evidence indicating tools like Metasploit used for network discovery. Under the Lateral Movement tactic, the analysis identified Remote Services: SMB/Windows Admin Shares (T1021.002) with moderate to high confidence (80%), supported by evidence indicating exfiltrates NTDS.dit, SAM, SYSTEM hives via SMB and Lateral Tool Transfer (T1570) with moderate to high confidence (70%), supported by evidence indicating uses Rclone for data exfiltration to remote SFTP servers. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating exfiltrates NTDS.dit, SAM, SYSTEM hives, and PII. Under the Command and Control tactic, the analysis identified Proxy: Internal Proxy (T1090.001) with moderate to high confidence (80%), supported by evidence indicating reverse SSH tunnels for persistence and remote access, Ingress Tool Transfer (T1105) with moderate to high confidence (80%), supported by evidence indicating tools like AdaptixC2, Chisel, BusyBox deployed inside VM, and Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (70%), supported by evidence indicating uses ScreenConnect for persistence and remote access. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating exfiltrates data via Rclone to remote SFTP servers and Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002) with moderate to high confidence (80%), supported by evidence indicating data exfiltration via FTP in STAC3725 campaign. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with high confidence (90%), supported by evidence indicating aES-256 (CTR) + RSA-4096 encryption, intermittent file encryption and Inhibit System Recovery (T1490) with moderate to high confidence (70%), supported by evidence indicating ransomware tactics include anti-analysis techniques. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.