Threat Research
LockBit 3.0 TTPs: How Modern Ransomware Evades EDR Detection
May 2025 · 8 min read · Sandeep Mothukuri
Overview
LockBit 3.0 (also known as LockBit Black) represents a significant evolution in ransomware-as-a-service capability. This post breaks down the attack chain observed in a live engagement and the detection opportunities at each stage.
Initial Access: T1566.001 — Spear Phishing
The initial vector in our tracked cases was a macro-enabled Office document delivered via spear phishing. The document used a heavily obfuscated VBA macro to download a Cobalt Strike beacon stager from a compromised WordPress site.
// Elastic EQL — suspicious Office child process
process where event.type == "start" and
process.parent.name in ("WINWORD.EXE","EXCEL.EXE") and
process.name in ("powershell.exe","cmd.exe","wscript.exe")
Defence Evasion: T1562.001 — Impair Defences
LockBit 3.0 uses a signed, legitimate but vulnerable driver (the BYOVD technique) to terminate EDR processes from kernel level before encryption begins. Detection requires monitoring for unsigned or newly seen drivers loading at boot.
Impact: T1486 — Data Encrypted for Impact
LockBit 3.0 uses intermittent encryption — only encrypting the first 4KB of each file — allowing it to process a 200GB file share in under 8 minutes while generating less I/O noise than full encryption.
Key Detection Opportunities
- Office child process spawning shell interpreters
- Unsigned driver loaded at system startup (BYOVD)
- Mass file rename events with consistent extension pattern
- Shadow copy deletion via vssadmin or wmic
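As an added example (not code from the post), a sliding-window check for the third indicator in the list, many renames to one new extension by a single process, run over constructed ECS-style file rename events; the thresholds, process names and paths are assumptions:

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import os

def _ev(seconds, proc, src, dst):
    """Build one constructed, ECS-like file rename event."""
    ts = datetime(2025, 5, 1, 10, 0, 0) + timedelta(seconds=seconds)
    return {"@timestamp": ts.isoformat(), "process.name": proc,
            "file.path": src, "file.target_path": dst}

# Constructed sample: one process renames 25 documents to a single new
# extension in 25 seconds; a backup tool renames 25 files to varied
# extensions over 12 minutes; a user renames two files by hand.
SAMPLE_EVENTS = (
    [_ev(i, "enc.exe", f"C:\\Share\\doc{i}.docx", f"C:\\Share\\doc{i}.docx.lockbit") for i in range(25)]
    + [_ev(i * 30, "backup.exe", f"C:\\Bak\\f{i}", f"C:\\Bak\\f{i}." + ["bak", "old", "tmp"][i % 3]) for i in range(25)]
    + [_ev(5, "explorer.exe", "C:\\Users\\a\\x.txt", "C:\\Users\\a\\y.txt"),
       _ev(9, "explorer.exe", "C:\\Users\\a\\z.png", "C:\\Users\\a\\w.png")]
)

def detect_mass_rename(events, threshold=20, window_seconds=60, min_ext_share=0.9):
    """Alert when one process renames at least `threshold` files to the same new
    extension inside a sliding window of `window_seconds`."""
    recent = defaultdict(deque)  # process name -> deque of (timestamp, new extension)
    fired, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        ts = datetime.fromisoformat(ev["@timestamp"])
        ext = os.path.splitext(ev["file.target_path"])[1].lower()
        q = recent[ev["process.name"]]
        q.append((ts, ext))
        while ts - q[0][0] > timedelta(seconds=window_seconds):  # expire old events
            q.popleft()
        if len(q) < threshold:
            continue
        top_ext, n = Counter(e for _, e in q).most_common(1)[0]
        key = (ev["process.name"], top_ext)
        if n / len(q) >= min_ext_share and key not in fired:  # one alert per process/extension
            fired.add(key)
            alerts.append({"process": ev["process.name"], "extension": top_ext, "count": n})
    return alerts

if __name__ == "__main__":
    for a in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT: {a['process']} renamed {a['count']} files to *{a['extension']}")
```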
Tags: LockBit 3.0, Ransomware, MITRE ATT&CK, Elastic SIEM, EDR Evasion
Threat Intel
MITRE ATT&CK T1566: Phishing in 2025 — What's Changed and How to Detect It
Apr 2025 · 6 min read · CT SOC Team
The New Phishing Landscape
AI-generated spear phishing lures have fundamentally changed the economics of targeted phishing. Tools like WormGPT allow threat actors to produce highly personalised, grammatically perfect lures at scale — removing the linguistic tells that trained users previously spotted.
Key TTPs Observed in Q1 2025
QR Code Phishing (Quishing): PDF attachments containing QR codes that bypass email link scanners.
HTML Smuggling: Malicious payloads encoded inside HTML attachments, assembled in the browser — bypassing gateway inspection.
Adversary-in-the-Middle (AiTM): Reverse proxy phishing kits that steal session tokens post-MFA, bypassing traditional MFA entirely.
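As an added example (not from the post), a triage heuristic for HTML attachments that flags the in-browser assembly pattern behind HTML smuggling; the patterns, thresholds and both constructed samples are assumptions, and the smuggling sample carries no real payload:

```python
import re

# Heuristics for HTML attachments that assemble a payload inside the browser:
# an assembly step (atob, Blob, a long base64 literal) plus a delivery step
# (object URL, msSaveOrOpenBlob, forced download attribute).
ASSEMBLY = {
    "atob_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\("),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{2000,}={0,2}['\"]"),
}
DELIVERY = {
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\bdownload\s*=", re.IGNORECASE),
}

def score_html_attachment(html):
    """Return (verdict, hits). Flag only when an assembly step AND a delivery step
    are both present, so an ordinary page with a download link stays clean."""
    hits = [n for n, rx in {**ASSEMBLY, **DELIVERY}.items() if rx.search(html)]
    has_assembly = any(n in ASSEMBLY for n in hits)
    has_delivery = any(n in DELIVERY for n in hits)
    return ("suspicious" if has_assembly and has_delivery else "clean"), hits

# Constructed samples: a plain newsletter and a skeletal smuggling page whose
# base64 literal is filler, not a payload.
BENIGN_SAMPLE = """<html><body><h1>Monthly update</h1>
<a href="https://example.com/report.pdf">Read the report</a></body></html>"""
SMUGGLING_SAMPLE = """<html><body><script>
var data = atob("QUFBQQ==");
var blob = new Blob([data], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "invoice.pdf";
</script></body></html>"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("smuggling", SMUGGLING_SAMPLE)):
        print(name, *score_html_attachment(sample))
```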
Elastic Detection Rule
// HTML smuggling via blob URI execution
process where event.type == "start" and
process.name in ("powershell.exe","cmd.exe") and
process.parent.name in ("chrome.exe","msedge.exe") and
process.parent.command_line : "*blob:*"
Tags: Phishing, AiTM, T1566, HTML Smuggling, QR Phishing
AI Security
AI-Powered SOC: How We Cut False Positives by 73%
Mar 2025 · 10 min read · Sandeep Mothukuri
The False Positive Problem
Alert fatigue is the single biggest failure mode in SOC operations. When analysts see 1,000+ alerts per day, genuine threats get buried. Our goal was to reduce tier-1 alert volume by at least 60% without increasing false negatives.
Elastic ML Anomaly Detection
We use Elastic's built-in ML jobs for three primary behavioural baselines: UEBA, network traffic anomalies, and process ancestry trees. Each builds a statistical model of "normal" and scores deviations.
Tuning Methodology
Raw ML anomaly scores are combined with context enrichment — asset criticality, user role, time-of-day, geo-distance — to produce a composite risk score. Only alerts above 7/10 reach the analyst queue.
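An added illustration of the composite scoring described above, not the team's own implementation: the weights, enrichment tables, off-hours window and 5000 km geo saturation are assumptions, while the 7/10 queue threshold is the one the post states.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed enrichment tables (assumed values; the post does not publish its own).
ASSET_CRITICALITY = {"dc01": 1.0, "fileserver01": 0.8, "laptop-042": 0.3}
ROLE_WEIGHT = {"domain_admin": 1.0, "finance": 0.7, "staff": 0.4}

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def composite_risk(alert):
    """Fold an ML anomaly score (0-100) and context into a 0-10 risk score.
    Weights are assumptions: anomaly 50%, asset 20%, role 15%, off-hours 5%, geo 10%."""
    anomaly = alert["anomaly_score"] / 100.0
    asset = ASSET_CRITICALITY.get(alert["host"], 0.5)      # unknown asset -> medium
    role = ROLE_WEIGHT.get(alert["user_role"], 0.5)
    hour = datetime.fromisoformat(alert["@timestamp"]).hour
    off_hours = 1.0 if hour < 6 or hour >= 20 else 0.0
    # Distance from the user's previous login location, saturating at 5000 km.
    geo = min(km_between(alert["prev_login_geo"], alert["login_geo"]) / 5000.0, 1.0)
    score = 10 * (0.5 * anomaly + 0.2 * asset + 0.15 * role + 0.05 * off_hours + 0.1 * geo)
    return round(score, 2)

def triage(alerts, threshold=7.0):
    """Only alerts scoring at or above the threshold reach the analyst queue."""
    return [a["id"] for a in alerts if composite_risk(a) >= threshold]

LONDON, SYDNEY = (51.51, -0.13), (-33.87, 151.21)
# Constructed alerts: an admin on a domain controller at 03:00 from a new continent,
# and a slightly higher anomaly score on a staff laptop during the working day.
SAMPLE_ALERTS = [
    {"id": "a-1", "anomaly_score": 90, "host": "dc01", "user_role": "domain_admin",
     "@timestamp": "2025-03-10T03:12:00", "prev_login_geo": LONDON, "login_geo": SYDNEY},
    {"id": "a-2", "anomaly_score": 95, "host": "laptop-042", "user_role": "staff",
     "@timestamp": "2025-03-10T14:05:00", "prev_login_geo": LONDON, "login_geo": LONDON},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["id"], composite_risk(a))
    print("analyst queue:", triage(SAMPLE_ALERTS))
```

The second alert has the higher raw anomaly score yet never reaches the queue, which is the point of enriching before thresholding.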
Results After 8 Weeks
- 73% reduction in false positive rate vs. rule-only detection
- 3 novel threats detected (zero false negatives vs. rule baseline)
- Analyst mean triage time: 4.2 min vs. 11.8 min baseline
Tags: Elastic ML, UEBA, Alert Fatigue, Anomaly Detection
SOC Operations
Building Elastic SIEM Detection Rules That Actually Work: A Field Guide
Feb 2025 · 12 min read · Sandeep Mothukuri
Why Most SIEM Rules Fail
Most SIEM rules optimise for coverage (catching everything) rather than fidelity (catching the right things). A rule that fires 500 times per day is not a detection — it's noise.
Rule Design Principles
Specificity over sensitivity: Describe a behaviour so specific that false positives are structurally impossible. Use process ancestry, command-line patterns, and network context together.
Suppression logic: Every production rule should have a tested suppression list for legitimate admin tools.
Enrichment at alert time: Rules should trigger enrichment lookups — threat intel feeds, asset criticality, user risk score — before the alert reaches an analyst.
Example: Detecting Credential Dumping
// LSASS memory access by non-system processes
// Data source: Sysmon Event ID 10 (ProcessAccess) shipped by Winlogbeat; every
// access mask listed includes PROCESS_VM_READ, which credential dumpers need.
process where event.code == "10" and
winlog.event_data.TargetImage : "?:\\Windows\\System32\\lsass.exe" and
winlog.event_data.GrantedAccess : ("0x1010", "0x1410", "0x1438", "0x143a", "0x1fffff") and
not process.executable : ("?:\\Windows\\System32\\*", "?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
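As an added example, not the post's own code, an LSASS handle-access check over constructed Sysmon Event ID 10 records in Winlogbeat's field layout, with the tested suppression list the design principles above call for; the suppressed paths, the access-mask test and the sample records are assumptions to tune per environment:

```python
import fnmatch

# PROCESS_VM_READ (0x10) is the access right credential dumpers need; masks come
# from Sysmon's GrantedAccess field as hex strings.
PROCESS_VM_READ = 0x0010
LSASS_PATH = "c:\\windows\\system32\\lsass.exe"

# Suppression list for tools that legitimately open lsass (assumed; tune per estate).
SUPPRESSED_SOURCES = [
    "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\program files\\windows defender\\msmpeng.exe",
    "c:\\program files\\elastic\\endpoint\\*",
]

def evaluate_access_event(ev):
    """Return an alert dict for a Sysmon Event ID 10 record that opens lsass with
    read access from a non-suppressed source, else None."""
    if ev.get("event.code") != "10":
        return None
    if ev["winlog.event_data.TargetImage"].lower() != LSASS_PATH:
        return None
    granted = int(ev["winlog.event_data.GrantedAccess"], 16)
    if not granted & PROCESS_VM_READ:
        return None                      # handle cannot read memory
    source = ev["process.executable"].lower()
    if any(fnmatch.fnmatchcase(source, pat) for pat in SUPPRESSED_SOURCES):
        return None                      # known-good tool
    return {"host": ev["host.name"], "source": ev["process.executable"],
            "granted_access": hex(granted)}

def run(events):
    return [a for a in map(evaluate_access_event, events) if a]

def _ev(code, source, access, target="C:\\Windows\\System32\\lsass.exe"):
    """Build one constructed record in Winlogbeat's Sysmon field layout."""
    return {"event.code": code, "host.name": "ws-17", "process.executable": source,
            "winlog.event_data.TargetImage": target,
            "winlog.event_data.GrantedAccess": access}

SAMPLE_EVENTS = [
    _ev("10", "C:\\Users\\bob\\Downloads\\update.exe", "0x1fffff"),             # full access, unknown tool
    _ev("10", "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "0x1010"),    # suppressed AV
    _ev("10", "C:\\Windows\\System32\\csrss.exe", "0x1fffff"),                  # suppressed system process
    _ev("10", "C:\\Program Files\\Elastic\\Endpoint\\elastic-endpoint.exe", "0x1010"),  # wildcard suppression
    _ev("10", "C:\\Windows\\System32\\Taskmgr.exe", "0x1400"),                  # no VM_READ bit
]
```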
Tags: Elastic SIEM, Detection Engineering, EQL, LSASS, Rule Tuning
DFIR
Ransomware Incident Response Playbook: The First 60 Minutes
Jan 2025 · 9 min read · CT SOC Team
Why the First Hour Determines Outcome
In a ransomware incident, the first 60 minutes are decisive. Speed of containment directly correlates with encrypted systems count, exfiltrated data volume, and recovery cost.
Minutes 0–10: Confirm and Contain
Do not immediately power off affected systems — this destroys volatile forensic evidence. Instead, isolate at the network level: shut down the affected VLAN, block the source IP, and isolate the affected subnet.
Minutes 10–25: Scope Assessment
Query your SIEM for lateral movement indicators in the prior 72 hours. Look for SMB enumeration, LDAP queries, new scheduled tasks, and outbound connections to known C2 infrastructure.
Minutes 25–45: Evidence Preservation
Capture memory dumps before any remediation begins. Preserve logs to write-once storage. Document every affected system state before any change.
Minutes 45–60: Stakeholder Communication
Notify legal, executive leadership, and regulatory bodies as required. Confirm what is known, what is unknown, and what is being done — no speculation on scope or cause.
Tags: Ransomware IR, DFIR, Incident Response, Playbook, Containment
Threat Research
Dark Web Monitoring: What OSINT Tells Us About Credential Markets in 2025
Dec 2024 · 7 min read · Sandeep Mothukuri
The Credential Economy
The dark web credential market grew by an estimated 40% in 2024. Infostealer malware (Lumma, RedLine, Raccoon) has become the primary supply mechanism, with stealer logs sold in automated shops within hours of collection.
What We Monitor
Our dark web monitoring tracks over 30 markets and forums for client domain mentions, executive email addresses, corporate credential patterns, and leaked API keys.
Indicators That Predict Targeting
- Domain in IAB network access listings (precedes ransomware by 2–4 weeks)
- Employee credentials in fresh stealer log drops
- Corporate email patterns in combo lists on cracking forums
- Source code or internal documents in paste sites
Response Workflow
On credential exposure: immediate client notification, forced password reset for affected accounts, review of active sessions, and hunt for active use of exposed credentials in the environment over the preceding 90 days.
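An added example, not the team's own tooling, of the first step of that workflow: matching constructed stealer-log records against client domains and corporate email patterns, fingerprinting rather than storing the password, and marking which exposures fall inside the 90-day hunt window. The record layout, client domain and sample values are assumptions.

```python
import hashlib
import re
from datetime import date

# Client scope (assumed): monitored domains and their subdomains.
CLIENT_DOMAINS = {"example.com"}
EMAIL_RX = re.compile(r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
URL_HOST_RX = re.compile(r"https?://([^/\s:]+)")

def client_domain(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLIENT_DOMAINS)

def parse_stealer_log(text):
    """Parse records laid out as URL:/USER:/PASS:/DATE: lines (constructed layout)."""
    records = []
    for block in re.split(r"\n(?=URL:)", text.strip()):
        fields = dict(re.findall(r"^(URL|USER|PASS|DATE):\s*(.+)$", block, re.MULTILINE))
        if all(k in fields for k in ("URL", "USER", "PASS", "DATE")):
            records.append(fields)
    return records

def find_exposures(text, today, hunt_window_days=90):
    """Return client-related records. The password is kept only as a short SHA-256
    fingerprint, so the report can be matched against a reset without the cleartext."""
    exposures = []
    for r in parse_stealer_log(text):
        reasons = []
        host = URL_HOST_RX.match(r["URL"])
        if host and client_domain(host.group(1)):
            reasons.append("client_url")
        email = EMAIL_RX.fullmatch(r["USER"])
        if email and client_domain(email.group(2)):
            reasons.append("corporate_email")
        if not reasons:
            continue
        age_days = (today - date.fromisoformat(r["DATE"])).days
        exposures.append({"user": r["USER"], "url": r["URL"], "reasons": reasons,
                          "pw_fingerprint": hashlib.sha256(r["PASS"].encode()).hexdigest()[:12],
                          "in_hunt_window": age_days <= hunt_window_days})
    return exposures

# Constructed stealer-log excerpt; every value is made up.
SAMPLE_LOG = (
    "URL: https://sso.example.com/login\nUSER: alice@example.com\nPASS: Summer2024!\nDATE: 2025-01-02\n"
    "URL: https://shop.other-site.net/account\nUSER: bob@example.com\nPASS: hunter2\nDATE: 2024-08-15\n"
    "URL: https://mail.unrelated.org/\nUSER: carol@unrelated.org\nPASS: pw\nDATE: 2025-01-01\n"
)
```

Running `find_exposures(SAMPLE_LOG, date(2025, 1, 10))` reports alice (client portal and corporate address, inside the window) and bob (corporate address on a third-party site, outside it) and drops carol.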
Tags: Dark Web, OSINT, Credential Leaks, Stealer Logs, IABs