darkside

T1078Valid Accounts

DarkSide purchased access from initial access brokers and used compromised RDP/VPN credentials to authenticate to victim environments. The Colonial Pipeline attack used a compromised VPN account with no MFA.

T1190Exploit Public-Facing Application

Exploitation of vulnerabilities in internet-facing systems including VPN appliances to gain initial footholds.

T1047Windows Management Instrumentation

WMI leveraged for remote execution of commands and payloads across compromised hosts.

T1059.001Command and Scripting Interpreter: PowerShell

PowerShell used for payload execution, lateral movement, and disabling security tools.

T1068Exploitation for Privilege Escalation

Local privilege escalation exploits used to gain SYSTEM-level access on compromised hosts.

T1027Obfuscated Files or Information

DarkSide payloads are obfuscated with custom packers; configuration encrypted with RSA to hinder analysis.

T1562.001Disable or Modify Tools

Security tools and AV products terminated and disabled before ransomware deployment using batch scripts.

T1003.001OS Credential Dumping: LSASS Memory

Mimikatz used to dump LSASS memory for credential harvesting.

T1003.003OS Credential Dumping: NTDS

NTDS.dit extracted from domain controllers to harvest all domain credentials.

T1046Network Service Discovery

Network scanning to enumerate internal hosts and identify lateral movement targets.

T1482Domain Trust Discovery

Active Directory enumeration using BloodHound and AdFind to map domain trusts and attack paths.

T1021.001Remote Services: Remote Desktop Protocol

RDP used extensively for lateral movement with compromised credentials.

T1021.002Remote Services: SMB/Windows Admin Shares

SMB admin shares used to propagate the ransomware payload to remote hosts.

T1560.001Archive Collected Data: Archive via Utility

7-Zip used to compress stolen data prior to exfiltration.

T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage

Rclone used to exfiltrate stolen data to cloud storage for double extortion via the DarkSide leak site.

T1071.001Application Layer Protocol: Web Protocols

Cobalt Strike beacons communicate over HTTPS; Tor used for victim negotiation portals.

T1219Remote Access Software

TeamViewer and other legitimate remote access tools used as persistent backdoors.

T1486Data Encrypted for Impact

DarkSide uses Salsa20 for file encryption with RSA-1024 for key protection. Partial file encryption for large files. Skips CIS-region machines based on language check. Best known for the Colonial Pipeline attack (May 2021) causing fuel supply disruption across US East Coast. Predecessor to BlackMatter.

T1489Service Stop

Over 400 Windows services and 40+ processes terminated before encryption to maximize file access.

T1490Inhibit System Recovery

Shadow copies deleted via vssadmin and wmic; Windows recovery mode disabled via bcdedit.