In late August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID.
IcedID dropped and executed a Cobalt Strike beacon, which was then used through-out the intrusion.
The threat actor leveraged a bespoke PowerShell tool known as AWScollector to facilitate a range of malicious activities including discovery, lateral movement, data exfiltration, and ransomware deployment.
Group Policy was used to distribute Cobalt Strike beacons at login to a specific privileged user group.
The threat actor utilized a suite of tools to support their activities, deploying Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind.
This case had a TTR (time to ransomware) of 29 days.
