View MAZE Ransomware
1 Initial Access: Attackers identified targets and used spearphishing campaigns to gain access to accounts.
2 Recon: Using the compromised account, attackers establish command and control (C2), which is when credential theft and localized reconnaissance occur.
3 Privilege Escalation: Attackers leverage privilege escalation attacks to execute and deploy the ransomware, move laterally, and discover interesting files.
4 Persistence: Valid credentials are stolen, while auto-run scripts are deployed to maintain persistence on compromised endpoints.
5 Lateral Movement: Within compromised accounts, attackers can roam the network, most commonly creating privilege anomalies or suspicious remote execution (PsExec or TeamViewer abuse).
6 Exfiltration: Exfiltration of high-value data, prior to encryption by MAZE, is done in various ways, using FTP or cloud hosting services.
7 Command + Control: Establishes C2 with a hardcoded IP address via HTTP.
8 Impact: Issues a shutdown command to the victim's machine that, upon reboot, will run the ransomware.
See threats. Stop breaches earlier in the ATT&CK matrix.
Vectra network detection and response (NDR)
Endpoint detection and response (EDR)
Security information and event management (SIEM)
1 Initial Access: Distribution primarily occurs via exploit kits and malicious email campaigns. TTPs vary, as MAZE was likely operated by multiple actors.
2 Recon: After initial compromise, both network and Active Directory recon is used to identify further opportunities for attack progression.
3 Privilege Escalation: A combination of automated and manual privilege escalation techniques is used to steal valid credentials, including tools such as Mimikatz and BloodHound.
4 Persistence: Valid credentials are stolen, while auto-run scripts are deployed to maintain persistence on compromised endpoints.
5 Lateral Movement: Lateral movement throughout a compromised environment relies on valid, stolen credentials used with existing management services and protocols.
6 Exfiltration: Prior to encryption, high-value data is commonly exfiltrated using FTP or cloud hosting services.
7 Command + Control: C2 is established over HTTP, hiding malicious activity inside normal-appearing web traffic.
8 Impact: To maximize damage, ransomware payloads are deployed and encryption begins only after data exfiltration has completed.
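Two of the network behaviours described above (C2 over HTTP to a hardcoded IP address, and bulk outbound transfer over FTP before encryption) can be surfaced from ordinary proxy or flow logs. The following is an added example written for this page, not Vectra's code or detection logic: it parses a constructed, simplified log format (timestamp, source, destination host, port, protocol, bytes out), flags HTTP sessions to a literal public IP that recur at regular intervals, and flags FTP sessions whose outbound volume exceeds a threshold. The log format, the sample addresses (RFC 5737 documentation ranges) and the thresholds are assumptions to be adapted to a real log source.

```python
"""Detection sketch for two MAZE-style network behaviours: periodic HTTP
beaconing to a hardcoded IP address and bulk outbound FTP transfer.
Log format, sample values and thresholds are constructed for this example."""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/flow log lines: ts src dst_host dst_port proto bytes_out
SAMPLE_LOG = """\
2020-05-01T10:00:00 10.1.2.33 203.0.113.45 80 http 512
2020-05-01T10:01:00 10.1.2.33 203.0.113.45 80 http 498
2020-05-01T10:02:00 10.1.2.33 203.0.113.45 80 http 505
2020-05-01T10:03:00 10.1.2.33 203.0.113.45 80 http 511
2020-05-01T10:00:12 10.1.2.33 intranet.example.test 443 https 2048
2020-05-01T10:03:30 10.1.2.33 www.example.test 443 https 9000
2020-05-01T11:00:00 10.1.2.33 198.51.100.7 21 ftp 734003200
2020-05-01T11:05:00 10.1.2.44 198.51.100.7 21 ftp 4096
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<proto>\S+) (?P<bytes_out>\d+)$"
)

# Assumption: destinations inside these ranges are internal services reached by
# IP (printers, intranet apps) and are not treated as hardcoded external C2.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["port"] = int(rec["port"])
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def is_external_literal_ip(host):
    """True when the destination is a bare IP address outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not a literal IP
    return not any(addr in net for net in INTERNAL_NETS)


def find_ip_beacons(records, min_hits=3, max_jitter=0.2):
    """Flag (src, dst) pairs with repeated HTTP requests to a literal external IP
    whose inter-request gaps are regular (coefficient of variation <= max_jitter)."""
    groups = defaultdict(list)
    for r in records:
        if r["proto"] == "http" and is_external_literal_ip(r["dst"]):
            groups[(r["src"], r["dst"])].append(r["ts"])
    findings = []
    for (src, dst), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # all requests in the same second: not a beacon pattern
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({"src": src, "dst": dst, "count": len(stamps),
                             "mean_interval_s": mean, "jitter": jitter})
    return findings


def find_bulk_ftp(records, threshold_bytes=100 * 1024 * 1024):
    """Flag (src, dst) pairs whose summed outbound FTP bytes exceed the threshold."""
    totals = defaultdict(int)
    for r in records:
        if r["proto"] == "ftp":
            totals[(r["src"], r["dst"])] += r["bytes_out"]
    return [{"src": s, "dst": d, "bytes_out": n}
            for (s, d), n in sorted(totals.items()) if n >= threshold_bytes]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in find_ip_beacons(recs):
        print("possible HTTP beacon to hardcoded IP:", f)
    for f in find_bulk_ftp(recs):
        print("bulk outbound FTP transfer:", f)
```

On the sample, the four evenly spaced requests from 10.1.2.33 to 203.0.113.45 are reported as a beacon, and the 700 MiB FTP session from the same host is reported as bulk exfiltration, while the hostname-based HTTPS traffic and the small FTP session are ignored. Real deployments would tune the jitter tolerance and byte threshold per environment and correlate both findings with the same source host, since MAZE's exfiltration precedes encryption on the host that is beaconing.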
