Huntress analyzed a multi-stage attack on a web server, likely exploiting Adobe ColdFusion CVEs (CVE-2023-26360, CVE-2023-29298, CVE-2023-29300). The threat actor uploaded steganographic webshells hiding payloads inside image files, then executed a comprehensive defence impairment script (i.bat) that disabled IIS logging, tampered with Microsoft Defender via PowerShell and registry edits, killed Sysmon/Filebeat/SentinelOne/Cortex processes, used IFEO debugger hijacking to neutralize monitoring tools, enabled WDigest plaintext credential caching, and ran Mimikatz to dump credentials. The attacker also removed the ModSecurity WAF module, used WMI Event Consumers to clear Windows Event Logs, and deleted CLSID registry keys to cripple OS functionality. The post includes full command listings, IoCs with SHA256 hashes, and mitigation guidance including patching, proper logging, and complete remediation during incident response.
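As an added defender-side example that is not part of the Huntress post or the summary above: a small Python audit that parses a constructed `reg export` dump and flags two of the registry-level impairments the summary mentions, the WDigest plaintext-caching value and IFEO Debugger entries aimed at monitoring tools. The sample dump and the watchlist of image names are constructed assumptions, not values taken from the post.

```python
import re

# Constructed sample of a `reg export` dump (not from the Huntress post): one
# WDigest plaintext-caching value and two IFEO Debugger entries.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest]
"UseLogonCredential"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Sysmon64.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\mydebugger.exe"
"""

# Assumed watchlist of monitoring-agent image names (Sysmon and Filebeat names
# are standard; extend it from your own EDR/agent inventory).
MONITORED_IMAGES = {"sysmon.exe", "sysmon64.exe", "filebeat.exe"}

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: raw_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = re.match(r'^"([^"]+)"=(.+)$', line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2).strip('"')
    return keys

def audit(keys):
    """Return (finding, key_path, detail) tuples for the two impairment patterns."""
    findings = []
    for path, values in keys.items():
        low = path.lower()
        if low.endswith("securityproviders\\wdigest"):
            # UseLogonCredential=1 makes WDigest cache plaintext credentials in LSASS.
            if values.get("UseLogonCredential", "").lower() == "dword:00000001":
                findings.append(("wdigest_plaintext_enabled", path, "UseLogonCredential=1"))
        elif "\\image file execution options\\" in low and "Debugger" in values:
            # Any Debugger value redirects launches of that image; a monitoring
            # tool on the watchlist is the high-signal case.
            image = low.rsplit("\\", 1)[-1]
            kind = "ifeo_hijack_monitoring_tool" if image in MONITORED_IMAGES else "ifeo_debugger_review"
            findings.append((kind, path, values["Debugger"]))
    return findings
```

Run `audit(parse_reg(open(path).read()))` over a real export to triage a host; an empty list means neither pattern is present, not that the host is clean.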
Source: https://www.huntress.com/blog/mimikatz-credential-dumping-defence-impairment. 8sync News only summarizes and links to the post; copyright in the content belongs to the author and the original source.