Intel Name: Cobalt Strike and a pair of SOCKS lead to LockBit ransomware
Date of Scan: February 4, 2025
Impact: High
Summary: This intrusion began in late January 2024 when a user downloaded and executed a file named setup_wm.exe, which mimicked the legitimate Microsoft Windows Media Configuration Utility. The file was actually a Cobalt Strike beacon, establishing an outbound connection upon execution. About 30 minutes later, the beacon ran discovery commands, starting with nltest to locate domain controllers. With elevated permissions from the compromised account, the attacker used SMB and remote services to deploy two proxy tools—SystemBC and GhostSOCKS—onto a domain controller.
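As an added detection example (not part of the original report), the Python below walks constructed Sysmon-style process-creation events and flags the chain the summary describes: a setup_wm.exe launched from a user-writable path rather than the Windows Media Player directory, followed on the same host by discovery tooling such as nltest. The event field names and sample events are assumptions.

```python
from datetime import datetime, timedelta

# Report says discovery began ~30 minutes after execution; allow some slack.
DISCOVERY_WINDOW = timedelta(minutes=60)
DISCOVERY_TOOLS = {"nltest.exe", "whoami.exe", "net.exe", "net1.exe", "ipconfig.exe"}
# Path fragments that indicate a user-writable drop location (lower-cased).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\public\\")

# Constructed sample events (Sysmon Event ID 1 style); not taken from the report.
EVENTS = [
    {"ts": "2024-01-25T14:02:11", "host": "WS01", "image": r"C:\Users\jdoe\Downloads\setup_wm.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "setup_wm.exe"},
    {"ts": "2024-01-25T14:33:40", "host": "WS01", "image": r"C:\Windows\System32\nltest.exe",
     "parent": r"C:\Users\jdoe\Downloads\setup_wm.exe", "cmd": "nltest /dclist:corp"},
    {"ts": "2024-01-25T14:34:02", "host": "WS01", "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Users\jdoe\Downloads\setup_wm.exe", "cmd": "whoami /groups"},
    # Benign admin use of nltest on another host: must not alert.
    {"ts": "2024-01-25T09:00:00", "host": "WS02", "image": r"C:\Windows\System32\nltest.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "nltest /dclist:corp"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return alert strings for masquerading setup_wm.exe and follow-on discovery."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts, suspicious = [], []  # suspicious: (ts, host, image) of flagged launches
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        img, parent = e["image"].lower(), e["parent"].lower()
        # Rule 1: setup_wm.exe outside Program Files, in a user-writable location.
        if basename(img) == "setup_wm.exe" and any(m in img for m in USER_WRITABLE):
            suspicious.append((ts, e["host"], img))
            alerts.append(f"[masquerade] {e['host']}: setup_wm.exe from {e['image']}")
            continue
        # Rule 2: discovery tool on the same host, soon after or spawned by the suspect.
        if basename(img) in DISCOVERY_TOOLS:
            for s_ts, s_host, s_img in suspicious:
                in_window = timedelta(0) <= ts - s_ts <= DISCOVERY_WINDOW
                if s_host == e["host"] and (in_window or parent == s_img):
                    mins = int((ts - s_ts).total_seconds() // 60)
                    alerts.append(f"[discovery] {e['host']}: {e['cmd']!r} {mins} min after {basename(s_img)}")
                    break
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```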