URL: https://otx.alienvault.com/pulse/6213b41428f6075711b0261d/edit?utm_userid=swimlanecyou&utm_content=email&utm_campaign=new_p...
Submission: On February 23 via api from US — Scanned from DE

QBOT AND ZEROLOGON LEAD TO FULL DOMAIN COMPROMISE

   
 * Created 2 days ago by AlienVault
 * Public
 * TLP: White

In this intrusion (from November 2021), a threat actor gained its initial
foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot)
malware. Soon after execution of the Qbot payload, the malware established C2
connectivity and created persistence on the beachhead. Successful exploitation
of the Zerologon vulnerability (CVE-2020-1472) allowed the threat actors to
obtain domain admin privileges. This level of access was abused to deploy
additional Cobalt Strike beacons and consequently pivot to other sensitive hosts
within the network. The threat actor then exfiltrated sensitive documents from
the environment before being evicted from the network.

Reference: https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

Tags: cobalt strike, qbot, cve20201472, zerologon

Malware Families: Cobalt Strike, QBot

ATT&CK IDs: T1547 - Boot or Logon Autostart Execution, T1218 - Signed Binary Proxy Execution, T1574 - Hijack Execution Flow, T1018 - Remote System Discovery, T1021 - Remote Services, T1027 - Obfuscated Files or Information, T1033 - System Owner/User Discovery, T1053 - Scheduled Task/Job, T1055 - Process Injection, T1059 - Command and Scripting Interpreter, T1068 - Exploitation for Privilege Escalation, T1069 - Permission Groups Discovery, T1087 - Account Discovery, T1135 - Network Share Discovery, T1210 - Exploitation of Remote Services, T1482 - Domain Trust Discovery, T1518 - Software Discovery, T1550 - Use Alternate Authentication Material, T1569 - System Services

© Copyright 2022 AlienVault, Inc.