
The Fall of xxxcompany, our real customer.

Initial Access

The attacker discovered an outdated plugin on a public WordPress subdomain. They used a command-line scan to identify vulnerabilities.


Remote Code Execution

Once the vulnerable plugin was confirmed, a crafted PHP shell (shell.php) was uploaded via the file handler.


The uploaded shell was then accessed over the web server to execute commands.


Persistence

A scheduled task was created that ran a hidden user account every time the system rebooted.
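
The persistence step above is the kind of event a defender can catch from the Windows Security log, which records every new scheduled task as event 4698 together with the task's XML definition. The following added example (not from the original post or the affected company) parses constructed 4698-style records, pulls the trigger, run-as principal and command out of the task XML, and alerts on boot-time tasks that run as a non-service account or execute from a user-writable path. The task names, account name support$, paths and thresholds are all assumptions made for the demo.

```python
import xml.etree.ElementTree as ET

# Namespace that Task Scheduler task definitions use.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Well-known service SIDs: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
# Locations a legitimate boot-time task would not normally execute from (assumption).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def task_xml(trigger, user_id, command):
    """Build a minimal task definition in the Task Scheduler XML format (constructed)."""
    return (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Triggers>{trigger}</Triggers>"
        f"<Principals><Principal><UserId>{user_id}</UserId></Principal></Principals>"
        f"<Actions><Exec><Command>{command}</Command></Exec></Actions>"
        "</Task>"
    )


# Constructed records modelled on Security event 4698 (scheduled task created).
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": task_xml(
         "<CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger>",
         "S-1-5-18", "%windir%\\system32\\defrag.exe")},
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": "\\Corp\\BootHealthCheck",   # benign boot task, constructed
     "TaskContent": task_xml("<BootTrigger/>", "S-1-5-18", "C:\\Windows\\System32\\rundll32.exe")},
    {"EventID": 4698, "SubjectUserName": "support$",   # constructed local account name
     "TaskName": "\\Updater",
     "TaskContent": task_xml("<BootTrigger/>", "support$", "C:\\ProgramData\\svchost.exe")},
]


def analyze_task(task_xml_text):
    """Extract trigger type, run-as principal and command from a task definition."""
    root = ET.fromstring(task_xml_text)
    boot = root.find(f".//{TASK_NS}BootTrigger") is not None
    user_el = root.find(f".//{TASK_NS}Principal/{TASK_NS}UserId")
    cmd_el = root.find(f".//{TASK_NS}Exec/{TASK_NS}Command")
    return {
        "boot_trigger": boot,
        "user": (user_el.text or "").strip() if user_el is not None else "",
        "command": (cmd_el.text or "").strip() if cmd_el is not None else "",
    }


def risk_reasons(info):
    """List the properties of a task that make it look like boot persistence."""
    reasons = []
    if info["boot_trigger"]:
        reasons.append("runs at boot")
    if info["user"] and info["user"].upper() not in SERVICE_SIDS:
        reasons.append(f"runs as non-service account {info['user']}")
    cmd = info["command"].lower().replace("/", "\\")
    if cmd.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"executes from user-writable path {info['command']}")
    return reasons


def triage_task_events(events):
    """Alert on boot-triggered tasks that also have at least one other anomaly."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        info = analyze_task(ev["TaskContent"])
        reasons = risk_reasons(info)
        if info["boot_trigger"] and len(reasons) >= 2:
            alerts.append({"task": ev["TaskName"], "creator": ev["SubjectUserName"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage_task_events(SAMPLE_EVENTS):
        print(alert)
```

The benign boot task is deliberately kept out of the alert list: a boot trigger alone is common, so the rule only fires when it is combined with an unusual principal or an unusual binary location.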


Privilege Escalation

Using the PrintNightmare vulnerability (CVE-2021-34527), they exploited the remote Print Spooler service to load malicious DLLs.


Defense Evasion

They disabled Microsoft Defender and cleared the event logs.


Credential Access

LSASS memory was dumped and credentials were extracted from it.
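
Reading LSASS memory leaves a clear trace on an endpoint that logs process access, for example Sysmon event ID 10 (ProcessAccess), which records the source image, target image and the access mask that was granted. The added example below (not code from the original post) runs that check over constructed event records: it flags any process that obtains PROCESS_VM_READ on lsass.exe, suppresses an illustrative allowlist of images that legitimately do so, and raises the severity when the source binary lives in a user-writable directory. The allowlist, paths and timestamps are assumptions and must be tuned to the environment.

```python
# Access-mask bits from the Windows PROCESS_* access rights.
PROCESS_VM_READ = 0x0010        # required to read another process's memory
PROCESS_ALL_ACCESS = 0x1FFFFF   # full access; includes PROCESS_VM_READ

# Illustrative allowlist of images that legitimately read lsass.exe (assumption).
ALLOWED_SOURCE_IMAGES = {
    "c:\\program files\\windows defender\\msmpeng.exe",
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
}
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

LSASS = "C:\\Windows\\System32\\lsass.exe"

# Constructed records modelled on Sysmon event ID 10 (ProcessAccess).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-04 02:14:07.113", "GrantedAccess": "0x1010",
     "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": LSASS},
    {"UtcTime": "2024-03-04 02:15:31.204", "GrantedAccess": "0x1000",   # query-only access
     "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": LSASS},
    {"UtcTime": "2024-03-04 02:16:02.540", "GrantedAccess": "0x1FFFFF",
     "SourceImage": "C:\\Windows\\Temp\\svc.exe", "TargetImage": LSASS},
    {"UtcTime": "2024-03-04 02:16:03.001", "GrantedAccess": "0x1FFFFF",   # not lsass
     "SourceImage": "C:\\Windows\\Temp\\svc.exe", "TargetImage": "C:\\Windows\\explorer.exe"},
]


def reads_lsass_memory(event):
    """True when the target is lsass.exe and the granted mask allows memory reads."""
    target = event["TargetImage"].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if target != "lsass.exe":
        return False
    granted = int(event["GrantedAccess"], 16)
    return (granted & PROCESS_VM_READ) != 0


def classify(event):
    """Return an alert dict for a suspicious LSASS read, or None."""
    if not reads_lsass_memory(event):
        return None
    source = event["SourceImage"].lower().replace("/", "\\")
    if source in ALLOWED_SOURCE_IMAGES:
        return None
    severity = "high" if source.startswith(USER_WRITABLE_PREFIXES) else "medium"
    return {"time": event["UtcTime"], "source": event["SourceImage"],
            "access": event["GrantedAccess"], "severity": severity}


def hunt_lsass_access(events):
    """Run the classifier over a batch of ProcessAccess events."""
    return [alert for alert in map(classify, events) if alert]


if __name__ == "__main__":
    for alert in hunt_lsass_access(SAMPLE_EVENTS):
        print(alert)
```

Checking the PROCESS_VM_READ bit rather than matching exact masks such as 0x1010 or 0x1FFFFF keeps the rule robust to tooling that requests different combinations of rights, while the allowlist handles the security products that genuinely need that access.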


Discovery

Mapped domain with BloodHound and PowerView.


Lateral Movement

Used PsExec and WMI to hop to internal machines.


Collection

Command and Control (C2)

Maintained persistence via encrypted Cobalt Strike beacons over DNS.
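
DNS-based command and control leaves two statistical fingerprints in resolver logs: long, high-entropy, mostly unique subdomain labels that carry encoded data, and queries that recur at a near-constant interval (the beacon check-in). The added example below (not from the original post) scores both over a constructed query log. The domain cdn-sync.example, the client addresses, the log format "timestamp client qname qtype" and the thresholds are assumptions; the random-looking labels are SHA-256 prefixes generated in the block as stand-ins for encoded payload chunks.

```python
import hashlib
import math
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(text):
    """Bits of entropy per character in a string (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude registered-domain extraction: the last two labels (no PSL handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_dns_log(lines, min_queries=6, max_interval_cv=0.2,
                    min_prefix_len=20, min_entropy=3.0):
    """Per registered domain, decide whether the queries look like tunneling or beaconing."""
    per_domain = defaultdict(lambda: {"times": [], "prefixes": []})
    for line in lines:
        ts, _client, qname, _qtype = line.split()
        qname = qname.rstrip(".").lower()
        dom = registered_domain(qname)
        prefix = qname[: len(qname) - len(dom)].rstrip(".")
        per_domain[dom]["times"].append(datetime.fromisoformat(ts))
        per_domain[dom]["prefixes"].append(prefix)

    findings = {}
    for dom, rec in per_domain.items():
        prefixes = rec["prefixes"]
        n = len(prefixes)
        mean_len = sum(len(p) for p in prefixes) / n
        mean_ent = sum(shannon_entropy(p) for p in prefixes) / n
        unique_ratio = len(set(prefixes)) / n
        # Data-carrying labels: long, random-looking and rarely repeated.
        tunneling = (mean_len >= min_prefix_len and mean_ent >= min_entropy
                     and unique_ratio >= 0.8)
        # Beaconing: inter-query intervals with a low coefficient of variation.
        times = sorted(rec["times"])
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beaconing = False
        if n >= min_queries and intervals:
            mean_iv = statistics.mean(intervals)
            cv = statistics.pstdev(intervals) / mean_iv if mean_iv > 0 else float("inf")
            beaconing = cv <= max_interval_cv
        findings[dom] = {"queries": n, "tunneling": tunneling, "beaconing": beaconing,
                         "mean_prefix_len": round(mean_len, 1),
                         "mean_entropy": round(mean_ent, 2)}
    return findings


# Constructed log: eight TXT queries one minute apart (with small jitter) carrying
# 32-character encoded labels, plus ordinary lookups at irregular times.
BASE = datetime(2024, 3, 4, 2, 0, 0)
JITTER = [0, 2, -1, 1, -2, 0, 2, -1]
SAMPLE_LOG = []
for i, jit in enumerate(JITTER):
    chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]  # stand-in payload label
    ts = (BASE + timedelta(seconds=60 * i + jit)).isoformat()
    SAMPLE_LOG.append(f"{ts} 10.0.0.15 {chunk}.cdn-sync.example TXT")
for off, host in [(0, "www"), (5, "mail"), (130, "www"), (131, "cdn"), (400, "www"), (900, "mail")]:
    ts = (BASE + timedelta(seconds=off)).isoformat()
    SAMPLE_LOG.append(f"{ts} 10.0.0.22 {host}.example.com A")


if __name__ == "__main__":
    for dom, result in analyze_dns_log(SAMPLE_LOG).items():
        print(dom, result)
```

Both signals are needed in practice: CDNs and some security products also use long labels, and many legitimate agents poll on a timer, so the two flags are reported separately and a domain that sets both deserves a closer look, while either one alone is only a lead.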


Exfiltration

Data was tunneled out during non-working hours.
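
Exfiltration timed for non-working hours shows up as outbound volume from an internal host to external addresses at times when that host is normally quiet. The added example below (not from the original post) sums per-host outbound bytes from constructed flow records, splits them into business-hours and off-hours buckets, and alerts when the off-hours total is large in absolute terms and out of proportion to the host's daytime traffic. The business-hours window, internal ranges, byte thresholds and the CSV layout "timestamp,src,dst,bytes_out" are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59 local time, Monday to Friday (assumption)
MIB = 1024 * 1024

# Constructed flow records: timestamp,src,dst,bytes_out. 2024-03-04 is a Monday.
SAMPLE_FLOWS = [
    "2024-03-04T10:12:00,10.0.0.15,203.0.113.10,10485760",    # 10 MiB during the day
    "2024-03-04T14:03:00,10.0.0.22,198.51.100.5,52428800",    # 50 MiB during the day
    "2024-03-04T15:30:00,10.0.0.22,10.0.0.5,314572800",       # internal copy, ignored
    "2024-03-05T02:05:00,10.0.0.15,203.0.113.10,104857600",   # 3 x 100 MiB at 02:00
    "2024-03-05T02:20:00,10.0.0.15,203.0.113.10,104857600",
    "2024-03-05T02:35:00,10.0.0.15,203.0.113.10,104857600",
    "2024-03-05T20:10:00,10.0.0.22,198.51.100.5,5242880",     # 5 MiB in the evening
]


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def is_off_hours(ts):
    """Weekends, or weekday hours outside the business window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def summarize_flows(lines):
    """Outbound bytes per internal host, split into work-hours and off-hours."""
    totals = defaultdict(lambda: {"work": 0, "off": 0})
    for line in lines:
        ts, src, dst, nbytes = line.strip().split(",")
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external transfers count
        bucket = "off" if is_off_hours(datetime.fromisoformat(ts)) else "work"
        totals[src][bucket] += int(nbytes)
    return totals


def flag_off_hours_exfil(lines, min_bytes=200 * MIB, ratio=3.0):
    """Hosts whose off-hours outbound volume is both large and out of proportion."""
    alerts = []
    for host, t in summarize_flows(lines).items():
        if t["off"] >= min_bytes and t["off"] >= ratio * max(t["work"], 1):
            alerts.append((host, t["off"], t["work"]))
    return alerts


if __name__ == "__main__":
    for host, off_bytes, work_bytes in flag_off_hours_exfil(SAMPLE_FLOWS):
        print(f"{host}: {off_bytes // MIB} MiB off-hours vs {work_bytes // MIB} MiB work-hours")
```

Using the host's own daytime volume as the baseline avoids flagging servers that are busy around the clock, and the absolute floor keeps small after-hours updates from tripping the ratio test.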


Impact – Ransomware Deployment

Finally, the ransomware payload was executed across the network.


All files were encrypted and a ransom note was displayed.
