I was hesitant to share this ad hoc thread, but I am inspired by the community stepping up to share what they can and not sure I will turn around a blog quickly on this. I saw Bazar -> Ryuk in <5 hours today. With this type of activity, it is critical to get as far left... (1/x)
... as possible on the timeline. One thing I have noticed is that upon initial execution, some of the loaders automatically perform domain recon (possibly to assist targeting) and this creates a great early detection opportunity on the network and the endpoint. (2/x)
...You can hate on signature based detection all you want, but predictable / programmatic interaction early in the chain is ripe for picking (and low cost). For the network, you can identify the SAMR comms. For the endpoint, these processes (and parents) present a signal (3/x)
Once interactive, I saw them rapidly enumerate the domain further with built-in commands and ADFind, executed via a .bat script, dropped to a subdir in temp. They gained an extremely rapid awareness of the environment in a semi-efficient manner... (4/x)
They would stage additional tools into various directories (Windows\Temp, \Perflogs, \ProgramData) and execute using RegSvr32 to proxy execution. For lateral movement and execution across systems, they leveraged wmic process call create. Process + RPC Calls + file artifacts (5/x)
For C2 & Staging, comms were mostly over SSL with self-signed certs. 205.185.121[.]134 -> idriverrs[.]com (and sub domains). 81.17.28[.]105 -> idrivehepler[.]com. Known indicators from yesterday. Saw typical pentest tools used. (6/x)
Once they made their splash, they went ahead and went full-on interactive by RDPing into various systems, planting more files, stopping services, and eventually executing RYUK to encrypt. It should be noted that a few times, they ruthlessly hijacked RDP sessions from a user (7/x)
This is raw, not finished intel but it corroborates what has been shared (h/t @x04steve @Wanna_VanTa @likethecoins @GossiTheDog @SElovitz and many more, tag it up). Hope to spend more time polishing and highlighting DET/Investigation info soon. Also Azure Sentinel / Sysmon.
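The endpoint signals the thread calls out (regsvr32 proxying a payload out of a staging directory, `wmic process call create` for remote execution, and domain recon launched from a .bat in a temp subdirectory) can be expressed as simple rules over Sysmon process-creation events. The detector below is an added example, not code from the thread's author; the events it scans are constructed for illustration (paths, hostnames and file names are invented), and the field names follow Sysmon Event ID 1 but the parsing of a real event log into those fields is assumed to happen elsewhere.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Staging directories named in the thread, matched as backslash-delimited path components.
STAGING_DIRS = ("\\windows\\temp\\", "\\perflogs\\", "\\programdata\\")

# Recon binaries and argument patterns for the built-in domain enumeration commands.
RECON_IMAGES = {"adfind.exe", "nltest.exe"}
RECON_ARGS = re.compile(r"domain admins|/domain\b|/dclist|/domain_trusts|objectcategory=", re.I)


@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields."""
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str = ""


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _in_staging_dir(path: str) -> bool:
    return any(d in _norm(path) for d in STAGING_DIRS)


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    alerts: List[str] = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    cmd_l = ev.command_line.lower()

    # (a) regsvr32 proxying execution of a file dropped in a staging directory
    if image == "regsvr32.exe" and any(_in_staging_dir(t.strip('"')) for t in ev.command_line.split()):
        alerts.append("regsvr32_proxy_exec_from_staging_dir")

    # (b) wmic process call create; a /node: argument means the target is a remote host
    if image == "wmic.exe" and re.search(r"process\s+call\s+create", cmd_l):
        alerts.append("wmic_remote_process_create" if "/node:" in cmd_l else "wmic_process_create")

    # (c) target-side counterpart of (b): the created process is a child of WmiPrvSE.exe
    if parent == "wmiprvse.exe":
        alerts.append("wmiprvse_spawned_process")

    # (d) domain recon, weighted higher when the parent is cmd.exe running a .bat from a temp subdir
    if image in RECON_IMAGES or RECON_ARGS.search(ev.command_line):
        pcmd = _norm(ev.parent_command_line)
        from_temp_bat = parent == "cmd.exe" and ".bat" in pcmd and "\\temp\\" in pcmd
        alerts.append("domain_recon_from_temp_bat" if from_temp_bat else "domain_recon")
    return alerts


def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, alerts) for every event that triggers at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        alerts = classify(ev)
        if alerts:
            hits.append((i, alerts))
    return hits


# Constructed sample events: five modelled on the behaviour in the thread, two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\PerfLogs\wps.dll",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:"FS01" process call create "regsvr32 /s C:\Windows\Temp\wps.dll"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Windows\Temp\wps.dll",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Temp\2\AdFind.exe",
              r"AdFind.exe -f objectcategory=computer -csv name cn OperatingSystem",
              r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Users\jdoe\AppData\Local\Temp\2\ad.bat"'),
    ProcEvent(r"C:\Windows\System32\net.exe", r'net group "Domain Admins" /domain',
              r"C:\Windows\System32\cmd.exe", r'cmd /c "C:\Users\jdoe\AppData\Local\Temp\2\ad.bat"'),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r'regsvr32 /s "C:\Program Files\Vendor\ctl.ocx"',
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"wmic os get caption",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(alerts)}")
```

Rules (b) and (c) are two views of the same lateral-movement step: (b) fires on the source host where wmic was typed, (c) on the destination where WmiPrvSE.exe spawns the requested process, so a matching pair across two hosts within a short window is a stronger signal than either alone. The benign controls show why (a) keys on the staging path rather than on regsvr32 itself, and why (d) requires recon-specific arguments before flagging net.exe.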
