REvil: the usage of legitimate remote admin tooling
In an incident response engagement involving Sodinokibi (also known as REvil) ransomware, an adversary employed a ScreenConnect service as a backdoor on various systems, allowing direct access without requiring Remote Desktop Protocol (RDP) or authentication. This tactic, used by threat actors such as Static Kitten and Zeppelin, proves to be an efficient and effective means of gaining unauthorized access to a targeted system.
What you get from this white paper:
- Gain insights into the traces left behind by the usage of ScreenConnect remote administration software.
- Explore how these traces can help defenders with building custom detection.
- Get a complete overview of the different detection rules in Sigma, Carbon Black and Yara-L format.