Threat Overview - LockBit Ransomware
UPDATE 03/13/2025: Lockbit 4.0, the most recent iteration of the notorious ransomware family at this time, continues to pose significant threats to organizations worldwide. Researchers have observed this version to have enhanced its techniques related to stealth and adaptability. This can be seen in the inclusion of various evasion techniques, including disabling security features and utilizing obfuscation methods to hinder detection(s). The attack initiates with a modified PowerShell script that executes a secondary script, extracting and deploying a malicious DLL payload. After file encryption, the appending of the ".lockbit" extension and dropping of a ransom note in .txt format mirrors previous iterations of the variant. With new information and research uncovering techniques most recently baked into Lockbit 4.0, threat hunters at Intel 471 have updated the collection with applicable Hunt Packages.
LockBit Ransomware Emerging Threat Hunt Collection
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Related Hunt Packages
Autorun or ASEP Registry Key Modification
A common method that adversaries and malicious software alike achieve persistence is by adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder allows the referenced program to be executed when a user logs in. They are often utilized for legitimate purposes, however when utilized maliciously the key name/value is often obviously suspicious, such as random names, or objects loaded from temp or public folders.
Possible Delayed Execution in CommandLine Argument Using Ping.exe and Loopback Address
This content is designed to detect when ping.exe contains a flag (-n) with a high number and targets any loopback address. This technique is sometimes used to delay the rest, or a chained command, of the command from executing.
Windows Management Instrumentation (WMI) Call to delete ShadowCopy via WMIC Command
The intent of this Hunt Package is to identify when the wmic command is utilized to delete shadow copies. The provided logic utilizes the Command Line to identify matching activities as to include the wmic command being executed as a standalone command via wmic.exe or by other applications such as Windows Command Prompt or PowerShell. The wmic command utilizes Windows Management Instrumentation (WMI) to delete the ShadowCopy. This activity is commonly done to disrupt restoration and recovery capabilities.
RansomWare Desktop Wallpaper Notifications
This package identifies activity typically associated to common ransomware notices being created and displayed as the desktop wallpaper.
Potential Exfiltration - Common Rclone Arguments
This will identify processes executed with common arguments associated with rclone activity used to exfiltrate.
UAC Bypass Attempt via Elevated COM Abuse
This content is designed to detect User Account Control Bypass attempts abusing common COM interfaces within the registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\UAC\\COMAutoApprovalList. These COM Objects are designed to start at a higher integrity level and can be manipulated to open another process at the same higher level.
UAC Bypass Method - Cmstplua COM (Process Execution)
This content is designed to detect when the UAC Bypass method is executed via DllHost.exe OR CMSTP.exe.
Display Calibrator Registry Key Modification - Potential UAC Bypass Attempt
This package has been designed to capture activity the "CurrentVersion\\ICM\\Calibration" registry key has been modified. This activity was recently seen during a LockBit attack.
Remote Desktop Protocol Configuration File Created
This Threat Hunt package identifies the creation or modification of Remote Desktop Protocol (RDP) configuration files (.rdp files) on an endpoint. RDP files can be leveraged by attackers to configure connections with potentially sensitive settings, such as alternate shells or mapped drives, to facilitate unauthorized access or data exfiltration. By looking for the appearance of new or altered .rdp files, this hunt package aims to identify suspicious activity that may indicate a phishing attempt, unauthorized access setup, or lateral movement preparation.
Active Directory Discovery and Reconnaissance - ADFind.exe Execution
This provided logic is designed to identify when ADFind.exe is executed with common flags and designations related to Active Directory enumeration and reconnaissance. Examples would be utilizing AdFind to enumerate users on a domain or enumerate administrators on a domain in an attempt to identify potential targets within the organization.
Force Group Policy Update across entire Domain - Powershell
This Hunt Package is designed to identify PowerShell commands consistent with malware attempting to force update and deploy a GPO policy. GPO is abused by malware operators to distribute their malware easily across all systems on the domain when the malware successfully compromises a DC in a target environment and reaches sufficient privileges.
Methods for Downloading Files with PowerShell
This threat hunt package identifies instances where PowerShell is being used to download files from external sources, a common technique used in malware delivery and lateral movement. The hunt examines various methods by which PowerShell can be leveraged for file downloads, including the use of cmdlets such as Invoke-WebRequest (iwr), Invoke-RestMethod (irm), and Start-BitsTransfer (sbt), as well as direct utilization of .NET classes like System.Net.WebClient and HttpClient. The package also checks for potentially suspicious use of aliases (curl, wget) and other common executables that invoke PowerShell scripts to download malicious payloads.
Wevtutil Cleared Log
This use case is designed to detect when "wevtutil" is used to clear logs to potentially obfuscate malicious events occurring prior to the clean up.
Potential UAC Bypass via Display Calibrator Registry Key - Powershell Script Block Logging
This package has been designed to capture activity when PowerShell CmdLets are executed to modify the "`Software\\Microsoft\\Windows NT\\CurrentVersion\\ICM\\Calibration`" registry key, changing the value for "`\"DisplayCalibrator`". This technique has been observed during LockBit attacks to elevate their privileges on the target system.
Suspicious Executable or Scripts Launched in Common Configuration or System Related Folders
This Hunt Package is intended to identify when suspicious executables or scripts are launched in common configuration or system function related folders. This behavior can be indicative of an adversary attempting to hide their payload as a "legitimate" file or script. A common technique used by various threat actors, including APT groups, to evade detection and maintain persistence on a compromised system is to create such files within the common system folders.
User Added to Default Privileged Windows Security Groups
This package is designed to capture the activity surrounding the execution of command line arguments that add a user to default privileged Windows Security Groups (local and domain).
Mimikatz Driver Installed
This package is meant to identify when the driver named "mimidrv" is installed on a machine. When downloading Mimikatz and installing it's associated drivers with the command "!+", it will include a signed driver called Mimidrv, which can be used in conjunction with the Mimikatz executable by adding an exclamation point before certain commands. Mimidrv is not widely known or documented, but it enables users to perform actions with a high level of system access, known as "ring 0" privilege.
Display Calibrator Registry Key Modification - Command Line Arguments
The provided logic is designed to capture activity when command line arguments are executed to modify the "CurrentVersion\\ICM\\Calibration" registry key. This activity was recently seen during a LockBit attack.
Zeroing Out a File with 'fsutil.exe'
This content is looking for instances where 'fsutil.exe' is being used to zero out a file by writing '0000's to the location of where the file is stored on disk.
Suspicious bcdedit Activity - Potential Ransomware
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to utilize bcdedit to modify the boot configuration to prevent recovery. The intent of this package is to identify when bcdedit is being utilized with several common malicious commands, such as delete and safeboot.
Mshta Executing Embedded or Appended Code
This package identifies when mshta.exe executes a file that is not a HyperText Application (HTA), VBscript, or JavaScript. This is indicative of possible embedded or appended code in the file argument that is passed that is executable by mshta.exe.
Local Data Staging - ADFind.exe
This content has been designed to identify when ADFind.exe is staging data, possibly for exfil, on a local resource.
Excessive Windows Discovery CommandLine Arguments - Potential Malware Installation
This content is designed to detect when the same discovery tool (ifconfig.exe, netstat.exe, ping.exe) is executed in quick succession that contains different arguments and strings.
Microsoft Defender Antivirus Disabled via Registry Key Manipulation
This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key or by modifying how Microsoft Defender will respond to threats based by changing the configuration through registry keys.
Shadow Copies Deletion Using Operating Systems Utilities
Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with powershell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing delete and variations of shadow.
Mega CMD activity potential data exfiltration
MegaCMD is a command-line tool used to manage (and potentially exfiltrate) files on cloud storage. A larger number of ransomware cases have been uncovered where Mega CMD has been utilized to exfiltrate files off of victim machines.
