
MITRE ATT&CK TECHNIQUES ASSOCIATED WITH LOCKBIT 3.0 RANSOMWARE

| Tactic | Technique | Technique ID | Description |
|---|---|---|---|
| Initial Access | Valid Accounts | T1078 | LockBit 3.0 actors obtain and abuse credentials of existing accounts for initial access. |
| Initial Access | Exploit External Remote Services | T1133 | LockBit 3.0 actors exploit RDP to gain access to victim networks. |
| Initial Access | Drive-by Compromise | T1189 | LockBit 3.0 actors gain access through a user visiting a website during normal browsing. |
| Initial Access | Exploit Public-Facing Application | T1190 | LockBit 3.0 actors exploit vulnerabilities in internet-facing systems. |
| Initial Access | Phishing | T1566 | LockBit 3.0 actors use phishing and spearphishing techniques. |
| Execution | Execution | TA0002 | LockBit 3.0 launches commands during its execution. |
| Execution | Software Deployment Tools | T1072 | LockBit 3.0 uses Chocolatey, a command-line package manager for Windows. |
| Persistence | Valid Accounts | T1078 | LockBit 3.0 uses compromised user accounts for persistence. |
| Persistence | Boot or Logon Autostart Execution | T1547.001 | LockBit 3.0 enables automatic logon for persistence and privilege escalation. |
| Privilege Escalation | Privilege Escalation | TA0004 | LockBit 3.0 attempts to escalate privileges if current account privileges are insufficient. |
| Privilege Escalation | Boot or Logon Autostart Execution | T1547.001 | LockBit 3.0 enables automatic logon for privilege escalation. |
| Defense Evasion | Obfuscated Files or Information | T1027 | LockBit 3.0 sends encrypted host and bot information to C2 servers. |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | LockBit 3.0 deletes itself from the disk. |
| Defense Evasion | Execution Guardrails: Environmental Keying | T1480.001 | LockBit 3.0 only decrypts its main component with the correct password. |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | LockBit 3.0 dumps LSASS.exe contents using Microsoft Sysinternals ProcDump. |
| Discovery | Network Service Discovery | T1046 | LockBit 3.0 uses SoftPerfect Network Scanner to scan target networks. |
| Discovery | System Information Discovery | T1082 | LockBit 3.0 enumerates system information like hostname, configuration, domain, etc. |
| Discovery | System Location Discovery: System Language Discovery | T1614.001 | LockBit 3.0 avoids infecting machines with specific language settings. |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | LockBit 3.0 uses Splashtop remote-desktop software for lateral movement. |
| Command and Control | Application Layer Protocol: File Transfer Protocols | T1071.002 | LockBit 3.0 uses FileZilla for C2. |
| Command and Control | Protocol Tunnel | T1572 | LockBit 3.0 uses Plink to automate SSH actions on Windows. |
| Exfiltration | Exfiltration | TA0010 | LockBit 3.0 uses a custom exfiltration tool called Stealbit to steal data from the target network. |
| Exfiltration | Exfiltration Over Web Service | T1567 | LockBit 3.0 uses publicly available file sharing services and rclone for data exfiltration. |
| Impact | Data Destruction | T1485 | LockBit 3.0 deletes log files and empties the recycle bin. |
| Impact | Data Encrypted for Impact | T1486 | LockBit 3.0 encrypts data on target systems. |
| Impact | Service Stop | T1489 | LockBit 3.0 terminates processes and services. |
| Impact | Inhibit System Recovery | T1490 | LockBit 3.0 deletes volume shadow copies on disk. |
| Impact | Defacement: Internal Defacement | T1491.001 | LockBit 3.0 changes the host system's wallpaper and icons. |