ResponderCon Followup

I had the opportunity to speak at the recent ResponderCon, put on by Brian Carrier of BasisTech. I’ll start out by saying that I really enjoyed attending an in-person event after 2 1/2 yrs of virtual events, and that Brian’s idea to do something a bit different (different from OSDFCon) worked out really well. I know that there’ve been other ransomware-specific events, but I’ve not been able to attend them.

As soon as the agenda kicked off, it seemed as though the first four presentations had been coordinated…but they hadn’t. It simply worked out that way. Brian referenced what he thought my content would be throughout his presentation, I referred back to Brian’s content, Allan referred to content from the earlier presentations, and Dennis’s presentation fit right in as if it were a seamless part of the overall theme. Congrats to Dennis, by the way, not only for his presentation, but also on his first time presenting. Ever.

During his presentation, Brian mentioned TheDFIRReport site, at one point referring to a Sodinokibi write-up from March 2021. That report states that the threat actor deployed the ransomware executable to various endpoints by using BITS jobs to download the EXE from the domain controller. My presentation focused less on analysis of the ransomware EXE and more on threat actor behaviors, and Brian’s mention of that report (twice, as a matter of fact) provided excellent content. In particular, for the BITS deployment to work, the DC would have to (a) have the IIS web server installed and running, and (b) have the BITS server extensions installed and enabled, so that the web server knew how to respond to the BITS client requests. As such, the question becomes: did the victim org have that configuration in place for a specific reason, or did the threat actor modify the infrastructure to meet their own needs?
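As an added example (not from the original post, nor from TheDFIRReport), here is a small Python triage routine that walks Microsoft-Windows-Bits-Client/Operational Event ID 59 records exported from endpoints, keeps the transfer jobs that pulled an executable from a domain controller, and groups them by URL so the fan-out across hosts is visible. The event records, hostnames, timestamps and domain controller names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample records shaped like Microsoft-Windows-Bits-Client/Operational
# Event ID 59 ("BITS started the <job> transfer job that is associated with the <URL> URL").
# Hostnames, times and messages are made up for this example, not taken from any incident.
SAMPLE_EVENTS = [
    {"host": "WKS-014", "time": "2021-03-05T02:11:07", "id": 59,
     "msg": "BITS started the Office Update transfer job that is associated with the "
            "http://officecdn.example.com/pr/office.cab URL."},
    {"host": "WKS-014", "time": "2021-03-05T02:14:52", "id": 59,
     "msg": "BITS started the job1 transfer job that is associated with the "
            "http://dc01.corp.example/share/svchost.exe URL."},
    {"host": "WKS-022", "time": "2021-03-05T02:15:03", "id": 59,
     "msg": "BITS started the job1 transfer job that is associated with the "
            "http://DC01.corp.example/share/svchost.exe URL."},
    {"host": "WKS-022", "time": "2021-03-05T02:15:40", "id": 60,
     "msg": "BITS stopped transferring the job1 transfer job that is associated with the "
            "http://DC01.corp.example/share/svchost.exe URL. The status code is 0x0."},
    {"host": "SRV-FILE1", "time": "2021-03-05T02:16:11", "id": 59,
     "msg": "BITS started the job1 transfer job that is associated with the "
            "http://dc01.corp.example/share/svchost.exe URL."},
]

# Domain controllers of the constructed environment (assumption for the example).
DOMAIN_CONTROLLERS = {"dc01.corp.example", "dc02.corp.example"}
EXEC_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".cmd")

JOB_START_RE = re.compile(
    r"BITS started the (?P<job>.+?) transfer job that is associated with the (?P<url>\S+) URL\."
)

def parse_job_start(event):
    """Return job name, URL, source host and file name for an Event ID 59 record, else None."""
    if event["id"] != 59:
        return None
    m = JOB_START_RE.search(event["msg"])
    if not m:
        return None
    url = urlparse(m.group("url"))
    return {"host": event["host"], "time": event["time"], "job": m.group("job"),
            "url": m.group("url"), "source": (url.hostname or "").lower(),
            "filename": url.path.rsplit("/", 1)[-1]}

def flag_dc_sourced_executables(events, dcs=DOMAIN_CONTROLLERS):
    """Keep BITS job starts that pull an executable from a domain controller, oldest first."""
    hits = [p for p in map(parse_job_start, events) if p
            and p["source"] in dcs and p["filename"].lower().endswith(EXEC_EXTENSIONS)]
    return sorted(hits, key=lambda p: p["time"])

def hosts_by_url(flagged):
    """Group flagged transfers by case-folded download URL to expose mass deployment."""
    groups = {}
    for p in flagged:
        groups.setdefault(p["url"].lower(), []).append(p["host"])
    return groups
```

A URL that appears on many endpoints within minutes is the deployment pattern the report describes; the DC's IIS and BITS server extension install history is the next thing to check.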

However, the point is that without pr

[…]

This article has been indexed from Windows Incident Response
