The framework focuses on attributes of specific malware families, but many are human operated and therefore a variety of methods could be used to gain access or escalate privileges. This page lists some of the common methods that are being used.

WARNING: This list is not extensive. An attacker could use any method to gain initial access, but you should be looking for the below items as part of your investigation since they are so common.

This page is a work in progress.

Common Initial Access Methods

Phishing ¹
Exploiting Public facing applications ¹
VPN/RDP access ¹
Trusted relationships ¹
Initial Access Brokers ²

Common Downloader Methods

Buer Loader ³
BazaLoader ³
TrickBot ³
ZLoader ³
IcedID ³

Common Human Operated C2 Methods

Installing Cobalt Strike Beacons
Using Remote Desktop and stolen credentials
Installing other remote access software, such as AnyDesk

Common Discovery Methods

Active Directory Discovery
- ADfind
- Bloodhound
Powertools to collects information about users, networks, and systems in the network
Network Scanning to identify targets and shared resources
- Angry Scanner
- Advanced Port Scanner

Common Exfiltration Methods

Using rclone or scp
Sending data to common file sharing domains (SendSpace, MEGA, etc)
Sending data to their private servers

Common Propagation Methods

Copy EXE to shared folder and execute via PsExec
Copy EXE to each computer and launch via RDP
Copy EXE to each computer via remote access tools and execute it manually
- Splashtop
- Atera
- LogMeIn
- TeamViewer
Update Group Policy Object on Domain Controller to download and create scheduled task

Common Files To Be Encrypted

Each malware family has its own set of rules to identify files to encrypt. The details are usually not important for DFIR, which is why this is not a category in the framework. But, some examples are included here for those who have not seen them before. Many focus on what files to NOT encrypt in order to make the machine still usable and able to pay the ransom.

Blackcat

The PaloAlto report⁴ for BlackCat reports these files and folders to skip:

Folders to Skip: system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, $windows.~bt, public, msocache, windows, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old
Files to Skip: desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log
Extensions to Skip: themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu

LockBit 2

Chuong Dong’s report ⁵ for LockBit 2 reports these files and folders that are skipped:

Folders to Skip: $Windows.~bt, intel, msocache, $recycle.bin, $windows.~ws, tor browser, boot, windows nt, msbuild, microsoft, all users, system volume information, perflog, google, application data, windows, windows.old, appdata, mozilla, microsoft.net, microsoft shared, internet explorer, common files, opera, windows journal, windows defender, windowsapp, windowspowershell, usoshared, windows security, windows photo viewer
Files to Skip: ntldr, ntuser.dat.log, bootsect.bak, autorun.inf, thumbs.db, iconcache.db, restore-my-files.txt
Extensions to Skip: .386, .cmd, .ani, .adv, .msi, .msp, .com, .nls, .ocx, .mpa, .cpl, .mod, .hta, .prf, .rtp, .rpd, .bin, .hlp, .shs, .drv, .wpx, .bat, .rom, .msc, .spl, .msu, .ics, .key, .exe, .dll, .lnk, .ico, .hlp, .sys, .drv, .cur, .idx, .ini, .reg, .mp3, .mp4, .apk, .ttf, .otf, .fon, .fnt, .dmp, .tmp, .pif, .wav, .wma, .dmg, .iso, .app, .ipa, .xex, .wad, .msu, .icns, .lock, .lockbit, .theme, .diagcfg, .diagcab, .diagpkg, .msstyles, .gadget, .woff, .part, .sfcache, .winmd