Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

Intel Name: Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

Date of Scan: February 4, 2025

Impact: High

Summary:
This intrusion began in late January 2024 when a user downloaded and executed a file named setup_wm.exe that mimicked the legitimate Microsoft Windows Media Configuration Utility. The file was in fact a Cobalt Strike beacon, which established an outbound connection on execution. About 30 minutes later the beacon ran discovery commands, starting with nltest to locate domain controllers. Using the elevated permissions of the compromised account, the attacker then used SMB and remote services to deploy two proxy tools, SystemBC and GhostSOCKS, onto a domain controller.
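The sequence above (a binary launched from a user's download location, followed within a short window by nltest domain-controller enumeration from the same host and account) is a detectable pattern. The following is an added detection example written for this summary; it is not code from the original report or from any tool named in it. The pipe-delimited event format, the field names, the `SAMPLE_EVENTS` lines and the 60-minute window are all assumptions constructed for the illustration, not real telemetry from the intrusion.

```python
"""
Added example: flag process-discovery commands (nltest) that follow the
execution of a binary from a user-writable location on the same host and
under the same account. Event shape, field names and sample lines are
constructed assumptions for this illustration only.
"""
from datetime import datetime, timedelta

# Constructed process-creation events: ts|host|user|parent_image|image|command_line
# These mirror the narrative's shape (setup_wm.exe, then nltest ~30 min later);
# they are NOT real telemetry from the intrusion.
SAMPLE_EVENTS = [
    "2024-01-25T14:02:10|WS01|corp\\jdoe|explorer.exe|C:\\Users\\jdoe\\Downloads\\setup_wm.exe|setup_wm.exe",
    "2024-01-25T14:31:44|WS01|corp\\jdoe|setup_wm.exe|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp",
    "2024-01-25T14:32:01|WS01|corp\\jdoe|setup_wm.exe|C:\\Windows\\System32\\nltest.exe|nltest /domain_trusts",
    # Benign-looking admin activity on another host with no preceding download: no alert expected.
    "2024-01-25T09:15:00|WS02|corp\\admin|cmd.exe|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp",
]

# Path fragments treated as user-writable drop locations (assumed list, lower-cased).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Discovery binaries of interest; the report names nltest specifically.
DISCOVERY_IMAGES = ("nltest.exe",)


def parse_event(line):
    """Parse one constructed event line into a dict with a datetime timestamp."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "parent": parent.lower(),
        "image": image,
        "cmdline": cmdline,
    }


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_discovery_after_download(lines, window=timedelta(minutes=60)):
    """
    Return alerts for each discovery command that ran within `window` after a
    binary from a user-writable path executed on the same host under the same
    account. `parent_match` is True when the discovery command's parent image is
    that same binary, which raises confidence that the dropped file spawned it.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent = {}   # (host, user) -> list of events launched from user-writable paths
    alerts = []
    for e in events:
        key = (e["host"], e["user"])
        if any(h in e["image"].lower() for h in USER_WRITABLE_HINTS):
            recent.setdefault(key, []).append(e)
        if _basename(e["image"]) in DISCOVERY_IMAGES:
            for prior in recent.get(key, []):
                delta = e["ts"] - prior["ts"]
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "host": e["host"],
                        "user": e["user"],
                        "origin": prior["image"],
                        "discovery": e["cmdline"],
                        "minutes_after": int(delta.total_seconds() // 60),
                        "parent_match": e["parent"] == _basename(prior["image"]),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_discovery_after_download(SAMPLE_EVENTS):
        print(a)
```

The window and path list are tuning knobs: widening the window catches slower operators at the cost of more benign hits, while the `parent_match` flag lets a triage rule prioritise cases where the dropped binary itself spawned the discovery command, as the narrative describes, over coincidental admin activity.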

More Details