

UPDATE 03/13/2025: LockBit 4.0, the most recent iteration of the notorious ransomware family at the time of writing, continues to pose a significant threat to organizations worldwide. Researchers have observed that this version has enhanced its stealth and adaptability, as seen in the inclusion of various evasion techniques, including disabling security features and using obfuscation to hinder detection. The attack begins with a modified PowerShell script that executes a secondary script, which extracts and deploys a malicious DLL payload. After file encryption, the ".lockbit" extension is appended and a ransom note is dropped in .txt format, mirroring previous iterations of the variant. With new research uncovering the techniques most recently baked into LockBit 4.0, threat hunters at Intel 471 have updated the collection with applicable Hunt Packages.
LockBit Ransomware Emerging Threat Hunt Collection
A common method by which adversaries and malicious software alike achieve persistence is adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or to the startup folder causes the referenced program to be executed when a user logs in. These locations are often used for legitimate purposes; when used maliciously, however, the key name or value is often obviously suspicious, such as a random name or an object loaded from a temp or public folder.
This content is designed to detect when ping.exe is run with the -n flag set to a high count against any loopback address. This technique is sometimes used as a sleep, delaying execution of the rest of the command line or of a chained command.
The intent of this Hunt Package is to identify when the wmic command is used to delete shadow copies. The provided logic uses the command line to identify matching activity, including the wmic command being executed as a standalone command via wmic.exe or by other applications such as Windows Command Prompt or PowerShell. The wmic command uses Windows Management Instrumentation (WMI) to delete the ShadowCopy. This activity is commonly done to disrupt restoration and recovery capabilities.
This package identifies activity typically associated with common ransomware notices being created and displayed as the desktop wallpaper.
This will identify processes executed with common arguments associated with rclone activity used to exfiltrate data.
This content is designed to detect User Account Control Bypass attempts abusing common COM interfaces within the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList. These COM Objects are designed to start at a higher integrity level and can be manipulated to open another process at the same higher level.
This content is designed to detect when the UAC Bypass method is executed via DllHost.exe or CMSTP.exe.
This package has been designed to capture activity when the "CurrentVersion\ICM\Calibration" registry key has been modified. This activity was recently seen during a LockBit attack.
This Threat Hunt package identifies the creation or modification of Remote Desktop Protocol (RDP) configuration files (.rdp files) on an endpoint. RDP files can be leveraged by attackers to configure connections with potentially sensitive settings, such as alternate shells or mapped drives, to facilitate unauthorized access or data exfiltration. By looking for the appearance of new or altered .rdp files, this hunt package aims to identify suspicious activity that may indicate a phishing attempt, unauthorized access setup, or lateral movement preparation.
The provided logic is designed to identify when ADFind.exe is executed with common flags and designations related to Active Directory enumeration and reconnaissance. Examples include using AdFind to enumerate users on a domain or enumerate administrators on a domain in an attempt to identify potential targets within the organization.
This Hunt Package is designed to identify PowerShell commands consistent with malware attempting to force update and deploy a GPO policy. GPO is abused by malware operators to distribute their malware easily across all systems on the domain when the malware successfully compromises a DC in a target environment and reaches sufficient privileges.
This threat hunt package identifies instances where PowerShell is being used to download files from external sources, a common technique used in malware delivery and lateral movement. The hunt examines various methods by which PowerShell can be leveraged for file downloads, including the use of cmdlets such as Invoke-WebRequest (iwr), Invoke-RestMethod (irm), and Start-BitsTransfer (sbt), as well as direct utilization of .NET classes like System.Net.WebClient and HttpClient. The package also checks for potentially suspicious use of aliases (curl, wget) and other common executables that invoke PowerShell scripts to download malicious payloads.
This use case is designed to detect when "wevtutil" is used to clear logs, potentially to obscure malicious events that occurred prior to the cleanup.
This package has been designed to capture activity when PowerShell cmdlets are executed to modify the "Software\Microsoft\Windows NT\CurrentVersion\ICM\Calibration" registry key, changing the value for "DisplayCalibrator". This technique has been observed during LockBit attacks to elevate privileges on the target system.
This Hunt Package is intended to identify when suspicious executables or scripts are launched in common configuration or system function related folders. This behavior can be indicative of an adversary attempting to hide their payload as a "legitimate" file or script. A common technique used by various threat actors, including APT groups, to evade detection and maintain persistence on a compromised system is to create such files within the common system folders.
This package is designed to capture the activity surrounding the execution of command line arguments that add a user to default privileged Windows Security Groups (local and domain).
This package is meant to identify when the driver named "mimidrv" is installed on a machine. When downloading Mimikatz and installing its associated drivers with the command "!+", it will include a signed driver called Mimidrv, which can be used in conjunction with the Mimikatz executable by adding an exclamation point before certain commands. Mimidrv is not widely known or documented, but it enables users to perform actions with a high level of system access, known as "ring 0" privilege.
The provided logic is designed to capture activity when command line arguments are executed to modify the "CurrentVersion\ICM\Calibration" registry key. This activity was recently seen during a LockBit attack.
This content is looking for instances where 'fsutil.exe' is being used to zero out a file by writing '0000's to the location of where the file is stored on disk.
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to utilize bcdedit to modify the boot configuration to prevent recovery. The intent of this package is to identify when bcdedit is being utilized with several common malicious commands, such as delete and safeboot.
This package identifies when mshta.exe executes a file that is not a HyperText Application (HTA), VBScript, or JavaScript file. This is indicative of possible embedded or appended code in the file argument that is passed and that is executable by mshta.exe.
This content has been designed to identify when ADFind.exe is staging data, possibly for exfil, on a local resource.
This content is designed to detect when the same discovery tool (ifconfig.exe, netstat.exe, ping.exe) is executed in quick succession with different arguments and strings.
This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key, or when how Microsoft Defender responds to threats is altered by changing its configuration through registry keys.
Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with powershell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing delete and variations of shadow.
MegaCMD is a command-line tool used to manage (and potentially exfiltrate) files on cloud storage. A large number of ransomware cases have been uncovered where MegaCMD has been used to exfiltrate files off of victim machines.
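As an added example (not Intel 471's HUNTER logic or any code from this collection), the following Python implements two of the command-line hunts described above, shadow copy deletion via powershell/wmic/vssadmin/vssvc and the ping -n loopback delay, and runs them over constructed sample process command lines. The count threshold of 10 for "high number" and the sample lines are assumptions.

```python
import re

# Constructed sample process command lines (not taken from the page or any incident).
SAMPLE_CMDLINES = [
    'vssadmin.exe delete shadows /all /quiet',
    'wmic.exe shadowcopy delete',
    'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    'cmd.exe /c ping 127.0.0.1 -n 60 > nul & del C:\\Users\\Public\\stage.exe',
    'ping.exe -n 3 10.0.0.5',          # normal count, non-loopback target: benign
    'vssadmin.exe list shadows',       # enumerates only, no delete: benign
]

# Hunt 1: one of the named tools, plus "delete", plus any variation of "shadow".
SHADOW_TOOLS = re.compile(r'(?i)\b(?:powershell|wmic|vssadmin|vssvc)(?:\.exe)?\b')
SHADOW_DELETE = re.compile(r'(?i)\bdelete\b')
SHADOW_WORD = re.compile(r'(?i)shadow')

# Hunt 2: ping with "-n <count>" against a loopback address (IPv4 127/8, ::1, localhost).
PING_CMD = re.compile(r'(?i)\bping(?:\.exe)?\b')
PING_COUNT = re.compile(r'(?i)-n\s+(\d+)')
LOOPBACK = re.compile(r'(?i)\b(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)\b|::1')


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when a shadow-copy-capable tool is told to delete something shadow-related."""
    return bool(SHADOW_TOOLS.search(cmdline)
                and SHADOW_DELETE.search(cmdline)
                and SHADOW_WORD.search(cmdline))


def is_ping_delay(cmdline: str, min_count: int = 10) -> bool:
    """True when ping targets a loopback address with a -n count at or above min_count (assumed 10)."""
    if not PING_CMD.search(cmdline) or not LOOPBACK.search(cmdline):
        return False
    match = PING_COUNT.search(cmdline)
    return match is not None and int(match.group(1)) >= min_count


def hunt(cmdlines):
    """Return (hunt_name, cmdline) pairs for every line that matches a hunt."""
    hits = []
    for cmdline in cmdlines:
        if is_shadow_copy_deletion(cmdline):
            hits.append(("shadow_copy_deletion", cmdline))
        if is_ping_delay(cmdline):
            hits.append(("ping_loopback_delay", cmdline))
    return hits


if __name__ == "__main__":
    for name, line in hunt(SAMPLE_CMDLINES):
        print(f"{name}: {line}")
```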
