date 2021-11-30

During the third stage of the attack, attackers have consistently focused on understanding the local system and domain to which they currently have access, and on acquiring credentials to enable lateral movement. Local system reconnaissance is often achieved through built-in tools such as net, whoami, and tasklist.

To facilitate domain reconnaissance, ransomware operators continue to leverage the open-source utility “AdFind”. Out of all ransomware incidents X-Force IR responded to in 2020, AdFind was used in 88% of the attacks. X-Force IR has also observed ransomware operators using the nltest command to acquire a list of domain controllers and privileged accounts prior to performing a more comprehensive Active Directory reconnaissance through AdFind. On several occasions, X-Force IR has observed ransomware operators redirecting the output of AdFind to a series of text files which are then added to an archive and exfiltrated.
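The recon tooling described above (net, whoami, tasklist, nltest, AdFind, and AdFind output redirected to text files) is a detection opportunity. The following is an added example, not code from the original post or from X-Force: it runs a simple burst rule over constructed Sysmon-style process-creation events, flagging a host/user pair that runs several distinct recon tools within a short window and noting when AdFind output is redirected to a file. Host names, users, paths and command lines are all constructed sample data.

```python
"""Flag bursts of host/domain reconnaissance commands in process-creation telemetry."""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in and third-party binaries named in the report for local and domain reconnaissance.
RECON_IMAGES = {"whoami.exe", "net.exe", "net1.exe", "tasklist.exe", "nltest.exe", "adfind.exe"}

# Constructed sample events (Sysmon Event ID 1 style): timestamp, host, user, image path, command line.
SAMPLE_EVENTS = [
    ("2021-11-30T10:00:01", "WS01", "CORP\\jdoe", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ("2021-11-30T10:00:05", "WS01", "CORP\\jdoe", r"C:\Windows\System32\net.exe", "net group /domain"),
    ("2021-11-30T10:00:20", "WS01", "CORP\\jdoe", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp.local"),
    ("2021-11-30T10:01:10", "WS01", "CORP\\jdoe", r"C:\Temp\AdFind.exe", "AdFind.exe -f objectcategory=person > users.txt"),
    ("2021-11-30T10:01:30", "WS01", "CORP\\jdoe", r"C:\Temp\AdFind.exe", "AdFind.exe -f objectcategory=computer > computers.txt"),
    ("2021-11-30T13:00:00", "SRV02", "CORP\\svc_backup", r"C:\Windows\System32\tasklist.exe", "tasklist /v"),
    ("2021-11-30T13:00:10", "SRV02", "CORP\\svc_backup", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]

def classify(image, cmdline):
    """Return a recon label for an event, or None if the image is not a recon tool.
    Matching on the image basename only works while the file keeps its original name;
    a renamed AdFind binary needs a hash or PE original-filename rule instead."""
    name = ntpath.basename(image).lower()
    if name not in RECON_IMAGES:
        return None
    label = name[:-4]  # strip ".exe"
    # The report notes AdFind output being redirected to text files ahead of exfiltration.
    if name == "adfind.exe" and ">" in cmdline:
        label += "+redirect"
    return label

def find_recon_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """Group recon events by (host, user) and alert when at least min_distinct distinct
    recon tools run inside any sliding window of length `window`."""
    groups = defaultdict(list)
    for ts, host, user, image, cmdline in events:
        label = classify(image, cmdline)
        if label:
            groups[(host, user)].append((datetime.fromisoformat(ts), label))
    alerts = []
    for (host, user), hits in groups.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):  # try each hit as the window start
            labels = {lbl for t, lbl in hits[i:] if t - t0 <= window}
            if len(labels) > len(best):
                best = labels
        if len(best) >= min_distinct:
            alerts.append({"host": host, "user": user, "tools": sorted(best),
                           "adfind_redirect": any(l.endswith("+redirect") for l in best)})
    return alerts
```

On the sample data only WS01 trips the rule (whoami, net, nltest and AdFind with redirection inside two minutes); SRV02's lone tasklist does not.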

While credentials can be harvested by many access trojans, X-Force IR has observed ransomware operators usually leveraging Mimikatz, or exploiting the ZeroLogon and PrintNightmare vulnerabilities, to acquire credentials for use in the remainder of the attack.

In most ransomware attacks X-Force has observed, exploitation of Active Directory is a linchpin of the attack, and it presents an opportunity for defenders to catch and stop ransomware attackers or frustrate their success. Several recommendations for securing Active Directory are included at the end of this blog.

Following Active Directory reconnaissance, ransomware operators commonly move laterally via server message block (SMB) or remote procedure call (RPC) protocols. Credential harvesting may continue on additional systems as required with the goal of acquiring domain administrator privileges.