Context:
This case describes a multi-stage Warlock ransomware intrusion leveraging exploitation of public-facing applications (Microsoft SharePoint) to gain initial access. Following successful exploitation, the attackers established persistence through the deployment of web shells, enabling continuous remote access to the compromised environment.
Over a dwell time of approximately two weeks, the adversaries performed credential access, privilege escalation, and lateral movement across the environment. Defense evasion techniques included the use of BYOVD (Bring Your Own Vulnerable Driver) to disable security controls.
The attack concluded with data exfiltration and ransomware deployment, demonstrating a structured and redundant attack chain with multiple fallback mechanisms for persistence and C2.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Context |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | The attacker exploited a vulnerable SharePoint server to gain initial access and execute remote code. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | PowerShell was used to execute malicious commands and deploy payloads after initial access. |
| Persistence | T1505.003 | Server Software Component: Web Shell | A web shell was deployed to maintain persistent access and enable remote command execution. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | A vulnerable component was abused to elevate privileges on the compromised system. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Obfuscated scripts and fileless techniques were used to evade detection and execute payloads in memory. |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Security tools were disabled or modified, including through the use of a vulnerable driver (BYOVD), to reduce visibility and allow malicious activity to continue undetected. |
| Credential Access | T1003.006 | OS Credential Dumping: DCSync | The attacker performed a DCSync attack to extract credentials from Active Directory. |
| Discovery | T1087.002 | Account Discovery: Domain Account | Domain accounts were enumerated to identify privileged users and lateral movement targets. |
| Lateral Movement | T1021 | Remote Services | The attacker moved laterally using SMB, RDP, and WinRM to access additional systems. |
| Command and Control | T1071 | Application Layer Protocol | The attacker established command and control using legitimate protocols and tools, blending malicious traffic with normal network activity. |
| Exfiltration | T1567.002 | Exfiltration to Cloud Storage | Data was exfiltrated to external cloud services using legitimate tools. |
| Impact | T1486 | Data Encrypted for Impact | Ransomware was deployed to encrypt files and disrupt operations. |
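The mapping above lists the chain's stages but not how a defender would spot them in telemetry. The following is an added example, not code from the original case or from the referenced report: three small detectors for the web-shell, BYOVD and DCSync stages, run over constructed Sysmon/Security-style events. The domain controller account names, trusted driver directory and all sample events are assumptions made up for illustration; the replication GUIDs are the standard Active Directory extended-rights values.

```python
from collections import defaultdict

# Extended-rights GUIDs that directory replication (and hence DCSync) exercises.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
DC_ACCOUNTS = {"DC01$", "DC02$"}  # assumption: this domain's DC machine accounts
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",)  # assumption
SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")

def is_webshell_spawn(ev):
    """T1505.003 / T1059.001: the IIS worker hosting SharePoint spawns a shell."""
    return (ev.get("event") == "process_create"
            and ev.get("parent", "").lower().endswith("\\w3wp.exe")
            and ev.get("image", "").lower().endswith(SHELLS))

def is_dcsync(ev):
    """T1003.006: a 4662 replication right exercised by a non-DC principal."""
    return (ev.get("event_id") == 4662
            and ev.get("property", "").lower() in REPLICATION_GUIDS
            and ev.get("subject", "").upper() not in DC_ACCOUNTS)

def is_suspicious_driver_load(ev):
    """T1562.001 (BYOVD): a driver loaded from outside the trusted directories."""
    return (ev.get("event") == "driver_load"
            and not ev.get("image", "").lower().startswith(TRUSTED_DRIVER_DIRS))

DETECTORS = {"webshell": is_webshell_spawn, "dcsync": is_dcsync,
             "byovd": is_suspicious_driver_load}

def stages_by_host(events):
    """Return {host: set of chain stages seen there}; hosts with no hits are omitted."""
    hits = defaultdict(set)
    for ev in events:
        for stage, check in DETECTORS.items():
            if check(ev):
                hits[ev["host"]].add(stage)
    return dict(hits)

# Constructed sample events (fabricated for illustration, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "SP01", "event": "process_create", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "SP01", "event": "driver_load", "image": r"C:\Users\Public\drv.sys"},
    {"host": "DC01", "event_id": 4662, "subject": "svc_backup", "property": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"host": "DC01", "event_id": 4662, "subject": "DC02$", "property": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"host": "WS07", "event": "process_create", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe"},
]
```

A host that accumulates more than one stage (here SP01 with both the web-shell spawn and the driver load) is the kind of correlation that separates this chain from isolated noise; the DC02$ replication event is deliberately left unflagged because DC-to-DC replication is normal.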
References
https://www.trendmicro.com/en_us/research/26/c/dissecting-a-warlock-attack.html