Threat actor workflow

Typical duration of each stage is given in parentheses.

Initial Access (Minutes)
- Phishing
- Credential stuffing/RDP
- Exploitation
- Web Shell/Loader
- Entry Point
Common process:
- at.exe
- net.exe
- nltest.exe
- schtasks.exe
- winrm.exe

Recon (Hours to Weeks)
- AdFind
- AdRecon
- Advanced IP Scanner
- WMIC
- BloodHound
Common process:
- cmd.exe
- lsass.exe
- ping.exe
- powershell.exe
- taskmgr.exe
- whoami.exe
- winrm.exe

Privilege escalation (Hours to Weeks)
- Cobalt Strike
- Mimikatz
- LoLBins
- PowerSploit
- Metasploit
- LaZagne
Common process:
- GMER
- ProcessHacker
- TDSSKiller

Lateral movement (Hours to Weeks)
- RDP
- TeamViewer
- AnyDesk
- Splashtop
- Atera
- ScreenConnect
Common target:
- Endpoints
- Windows servers
- Linux servers
- ESXi
- Domain Controller

Exfiltration (Hours to Weeks)
- StealBit
- 7-Zip
- WinSCP
- FileZilla
- Rclone
- MEGAsync

Deployment (Hours to Weeks)
- Test ransomware
- Deploy ransomware
- Delete Shadow Copies
- Delete Backups
- Cover tracks: Remove or roll over logs
Common deploy ways:
- Domain Controller
- SCCM
- .bat file
- GPO
- PsExec
- SMB

Extortion (Days to Months)
- Publish stolen files to extortion sites
- Expanded extortion ecosystem
- Sell stolen data
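The stage lists above are most useful to a defender when they are correlated rather than matched one process at a time: cmd.exe or ping.exe on its own means nothing, but one host running processes from two or more stages inside a short window is worth a look. The Python check below is an added example, not part of the original workflow page. It takes constructed process-creation events (host, timestamp, image path), maps each image to the stage(s) whose "common process" list names it, and raises one alert per host whose events span at least two stages within a sliding window. The process names for Initial Access and Recon come from the lists above; the executable names used for the named lateral-movement and exfiltration tools (anydesk.exe, rclone.exe, winscp.exe, 7z.exe, filezilla.exe, megasync.exe, teamviewer.exe, psexec.exe, mstsc.exe for RDP) are assumptions, as is the event format.

```python
"""Stage-correlation check over process-creation events (added example).

Assumptions not taken from the page: events are dicts with 'host', 'ts'
(epoch seconds) and 'image' (full path or basename); the executable names
for the named tools (rclone.exe, anydesk.exe, ...) are assumed.
"""
from collections import defaultdict

# Stage -> executable names. Initial Access and Recon entries are the page's
# "common process" lists; the other entries are ASSUMED binary names for the
# tools the page names under those stages.
STAGE_PROCESSES = {
    "Initial Access": {"at.exe", "net.exe", "nltest.exe", "schtasks.exe", "winrm.exe"},
    "Recon": {"cmd.exe", "lsass.exe", "ping.exe", "powershell.exe",
              "taskmgr.exe", "whoami.exe", "winrm.exe"},
    "Lateral movement": {"mstsc.exe", "teamviewer.exe", "anydesk.exe"},
    "Exfiltration": {"rclone.exe", "winscp.exe", "7z.exe", "filezilla.exe", "megasync.exe"},
    "Deployment": {"psexec.exe"},
}

# Listed by the page, but far too common on any Windows host to score alone.
NOISY = {"cmd.exe", "powershell.exe", "lsass.exe"}


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def stages_for(image):
    """Set of stages whose list contains this image; empty for noisy/unknown."""
    name = basename(image)
    if name in NOISY:
        return set()
    return {stage for stage, procs in STAGE_PROCESSES.items() if name in procs}


def correlate(events, window=3600, min_stages=2):
    """One alert per host whose scoring events cover >= min_stages distinct
    stages, from >= min_stages distinct processes, within `window` seconds."""
    by_host = defaultdict(list)
    for e in events:
        stages = stages_for(e["image"])
        if stages:
            by_host[e["host"]].append((e["ts"], basename(e["image"]), stages))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda ev: ev[0])
        for i, (t0, _, _) in enumerate(evs):
            in_win = [ev for ev in evs[i:] if ev[0] - t0 <= window]
            seen = set().union(*(s for _, _, s in in_win))
            procs = sorted({name for _, name, _ in in_win})
            if len(seen) >= min_stages and len(procs) >= min_stages:
                alerts.append({"host": host, "start": t0,
                               "stages": sorted(seen), "processes": procs})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "SRV02", "ts": 1000, "image": r"C:\Windows\System32\whoami.exe"},
    {"host": "SRV02", "ts": 1060, "image": r"C:\Windows\System32\nltest.exe"},
    {"host": "SRV02", "ts": 1100, "image": r"C:\Windows\System32\net.exe"},
    {"host": "SRV02", "ts": 2400, "image": r"C:\Users\svc\rclone.exe"},
    {"host": "WS01", "ts": 1000, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "ts": 1005, "image": r"C:\Windows\System32\ping.exe"},
    {"host": "WS03", "ts": 100, "image": r"C:\Windows\System32\ping.exe"},
    {"host": "WS03", "ts": 9000, "image": r"C:\Users\x\rclone.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only SRV02 fires: whoami (Recon), nltest and net (Initial Access) and rclone (Exfiltration) all fall inside one hour. WS01 shows a single stage, and WS03's ping and rclone are more than an hour apart, so neither alerts. Tune `window` and `min_stages` to the environment, and treat the assumed tool binary names as a starting point to be replaced with the names actually observed.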