Skip to main content Link Menu Expand (external link) Document Search Copy Copied

The framework focuses on attributes of specific malware families, but many are human operated and therefore a variety of methods could be used to gain access or escalate privileges. This page lists some of the common methods that are being used.

WARNING: This list is not extensive. An attacker could use any method to gain initial access, but you should be looking for the below items as part of your investigation since they are so common.

This page is a work in progress.

Common Initial Access Methods

  • Phishing 1
  • Exploiting Public facing applications 1
  • VPN/RDP access 1
  • Trusted relationships 1
  • Initial Access Brokers 2

Common Downloader Methods

  • Buer Loader 3
  • BazaLoader 3
  • TrickBot 3
  • ZLoader 3
  • IcedID 3

Common Human Operated C2 Methods

  • Installing Cobalt Strike Beacons
  • Using Remote Desktop and stolen credentials
  • Installing other remote access software, such as AnyDesk

Common Discovery Methods

  • Active Directory Discovery
    • ADfind
    • Bloodhound
  • Powertools to collects information about users, networks, and systems in the network
  • Network Scanning to identify targets and shared resources
    • Angry Scanner
    • Advanced Port Scanner

Common Exfiltration Methods

  • Using rclone or scp
  • Sending data to common file sharing domains (SendSpace, MEGA, etc)
  • Sending data to their private servers

Common Propagation Methods

  • Copy EXE to shared folder and execute via PsExec
  • Copy EXE to each computer and launch via RDP
  • Copy EXE to each computer via remote access tools and execute it manually
    • Splashtop
    • Atera
    • LogMeIn
    • TeamViewer
  • Update Group Policy Object on Domain Controller to download and create scheduled task

Common Files To Be Encrypted

Each malware family has its own set of rules to identify files to encrypt. The details are usually not important for DFIR, which is why this is not a category in the framework. But, some examples are included here for those who have not seen them before. Many focus on what files to NOT encrypt in order to make the machine still usable and able to pay the ransom.


The PaloAlto report4 for BlackCat reports these files and folders to skip:

Folders to Skip
system volume information, intel, $windows.~ws, application data, $recycle.bin, mozilla, $windows.~bt, public, msocache, windows, default, all users, tor browser, programdata, boot, config.msi, google, perflogs, appdata, windows.old
Files to Skip
desktop.ini, autorun.inf, ntldr, bootsect.bak, thumbs.db, boot.ini, ntuser.dat, iconcache.db, bootfont.bin, ntuser.ini, ntuser.dat.log
Extensions to Skip
themepack, nls, diagpkg, msi, lnk, exe, cab, scr, bat, drv, rtp, msp, prf, msc, ico, key, ocx, diagcab, diagcfg, pdb, wpx, hlp, icns, rom, dll, msstyles, mod, ps1, ics, hta, bin, cmd, ani, 386, lock, cur, idx, sys, com, deskthemepack, shs, ldf, theme, mpa, nomedia, spl, cpl, adv, icl, msu

LockBit 2

Chuong Dong’s report 5 for LockBit 2 reports these files and folders that are skipped:

Folders to Skip
$Windows.~bt, intel, msocache, $recycle.bin, $windows.~ws, tor browser, boot, windows nt, msbuild, microsoft, all users, system volume information, perflog, google, application data, windows, windows.old, appdata, mozilla,, microsoft shared, internet explorer, common files, opera, windows journal, windows defender, windowsapp, windowspowershell, usoshared, windows security, windows photo viewer
Files to Skip
ntldr, ntuser.dat.log, bootsect.bak, autorun.inf, thumbs.db, iconcache.db, restore-my-files.txt
Extensions to Skip
.386, .cmd, .ani, .adv, .msi, .msp, .com, .nls, .ocx, .mpa, .cpl, .mod, .hta, .prf, .rtp, .rpd, .bin, .hlp, .shs, .drv, .wpx, .bat, .rom, .msc, .spl, .msu, .ics, .key, .exe, .dll, .lnk, .ico, .hlp, .sys, .drv, .cur, .idx, .ini, .reg, .mp3, .mp4, .apk, .ttf, .otf, .fon, .fnt, .dmp, .tmp, .pif, .wav, .wma, .dmg, .iso, .app, .ipa, .xex, .wad, .msu, .icns, .lock, .lockbit, .theme, .diagcfg, .diagcab, .diagpkg, .msstyles, .gadget, .woff, .part, .sfcache, .winmd