Sign up to save your podcasts
Or
Share The Invisible Intruder: Deconstructing LockBit
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
The Invisible Intruder: Deconstructing LockBit
"Send me a quick text"
This episode explores a LockBit ransomware campaign that relied on DLL sideloading and masquerading to operate undetected until the final encryption stage.
The attackers gained access using legitimate remote management tools already present in the environment. They paired trusted, signed applications with malicious DLLs placed in locations where the application would load them first. Masquerading techniques — such as adopting common process names, using standard icons, and placing payloads in system-like directories — allowed their presence to blend seamlessly into normal operations.
Once inside, they escalated privileges, conducted network reconnaissance, stole credentials and Kerberos tickets, and used Group Policy to distribute payloads. The ransomware was ultimately launched under the identity of a trusted process, bypassing many traditional detection points.
Defensive Recommendations
- Restrict DLL search paths and enable Safe DLL Search Mode to prevent loading from user-writable or non-standard directories.
- Deploy application control policies (e.g., Windows Defender Application Control, AppLocker) to block unapproved binaries and DLLs.
- Monitor for legitimate applications loading DLLs from unusual directories or with unexpected hashes.
- Audit the use of remote management tools; require MFA, logging, and alerting for unexpected file transfers or executions.
- Track Group Policy changes, focusing on script and binary deployments to endpoint systems.
- Monitor for obfuscated PowerShell commands that interact with large sets of files or sensitive directories.
Files, Folders, Tools, and Configurations for Defenders
- Files and Folders: Watch for legitimate application executables paired with DLLs of the same name in non-standard or writable directories; payloads appearing in ProgramData or user profile subdirectories.
- Tools: Remote access tools such as TeamViewer and MeshAgent; service management utilities like NSSM; administrative execution tools like PsExec; and credential theft tools for token manipulation and Kerberos extraction.
- Configurations:
- Enforce strict application allowlisting for both executables and DLLs.
- Limit write permissions to directories used by trusted applications.
- Enable command-line logging for PowerShell, PsExec, and similar tools.
- Implement centralized logging and correlation rules to detect legitimate applications initiating encryption or credential theft activity.
Support the show
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.
View all episodes
By Meni Tasa"Send me a quick text"
This episode explores a LockBit ransomware campaign that relied on DLL sideloading and masquerading to operate undetected until the final encryption stage.
The attackers gained access using legitimate remote management tools already present in the environment. They paired trusted, signed applications with malicious DLLs placed in locations where the application would load them first. Masquerading techniques — such as adopting common process names, using standard icons, and placing payloads in system-like directories — allowed their presence to blend seamlessly into normal operations.
Once inside, they escalated privileges, conducted network reconnaissance, stole credentials and Kerberos tickets, and used Group Policy to distribute payloads. The ransomware was ultimately launched under the identity of a trusted process, bypassing many traditional detection points.
Defensive Recommendations
- Restrict DLL search paths and enable Safe DLL Search Mode to prevent loading from user-writable or non-standard directories.
- Deploy application control policies (e.g., Windows Defender Application Control, AppLocker) to block unapproved binaries and DLLs.
- Monitor for legitimate applications loading DLLs from unusual directories or with unexpected hashes.
- Audit the use of remote management tools; require MFA, logging, and alerting for unexpected file transfers or executions.
- Track Group Policy changes, focusing on script and binary deployments to endpoint systems.
- Monitor for obfuscated PowerShell commands that interact with large sets of files or sensitive directories.
Files, Folders, Tools, and Configurations for Defenders
- Files and Folders: Watch for legitimate application executables paired with DLLs of the same name in non-standard or writable directories; payloads appearing in ProgramData or user profile subdirectories.
- Tools: Remote access tools such as TeamViewer and MeshAgent; service management utilities like NSSM; administrative execution tools like PsExec; and credential theft tools for token manipulation and Kerberos extraction.
- Configurations:
- Enforce strict application allowlisting for both executables and DLLs.
- Limit write permissions to directories used by trusted applications.
- Enable command-line logging for PowerShell, PsExec, and similar tools.
- Implement centralized logging and correlation rules to detect legitimate applications initiating encryption or credential theft activity.
Support the show
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.