Motivation and analyst context
LockBit is represented as a ransomware ecosystem focused on financial extortion, affiliate-driven intrusions, data theft pressure, and file encryption impact.
Sectors and regions in this local profile
Mapped behavior for defensive monitoring
Valid Accounts: compromised accounts can enable remote access. Defenders should monitor impossible travel, first-seen devices, and unusual administrator sessions.
Lateral movement is modeled defensively through unusual remote session patterns and access to systems outside normal user behavior.
Data theft pressure can precede impact. Analysts should review bulk archive creation, outbound transfer anomalies, and DLP events.
File encryption is represented as an impact-stage behavior. Detection should focus on abnormal rename bursts and backup access changes.
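The four behaviors above are stated as monitoring goals; the block below turns three of them (impossible travel, first-seen devices including administrator sessions, and rename bursts) into runnable detection logic over constructed sample events. This is an added example, not code from the page or from any vendor: the event schema, the per-user device baseline, the 900 km/h speed ceiling, the 20-renames-per-60-seconds threshold and the sample coordinates are all assumptions chosen for illustration.

```python
"""Toy detections for the mapped behaviors: impossible travel, first-seen
devices / admin sessions, and rename bursts. Added example; the event schema,
thresholds and sample data are assumptions, not a real telemetry format."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sign-in events (assumed schema; not real telemetry).
SIGNINS = [
    {"user": "alice", "ts": "2024-05-01T08:00:00", "lat": 51.50, "lon": -0.12,
     "device": "LAPTOP-01", "admin": False},
    {"user": "alice", "ts": "2024-05-01T08:40:00", "lat": 40.71, "lon": -74.00,
     "device": "UNKNOWN-7F", "admin": True},
    {"user": "bob", "ts": "2024-05-01T09:00:00", "lat": 48.85, "lon": 2.35,
     "device": "LAPTOP-02", "admin": False},
    {"user": "bob", "ts": "2024-05-01T17:30:00", "lat": 51.50, "lon": -0.12,
     "device": "LAPTOP-02", "admin": False},
]

# Assumed per-user device baseline (a real deployment learns this from history).
KNOWN_DEVICES = {"alice": {"LAPTOP-01"}, "bob": {"LAPTOP-02"}}


def _t(s):
    return datetime.fromisoformat(s)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_t(cur["ts"]) - _t(prev["ts"])).total_seconds() / 3600
            # Same-second events at the same place are not travel at all.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                hits.append({"user": user, "km": round(km), "kmh": round(speed), "ts": cur["ts"]})
    return hits


def first_seen_devices(events, known=KNOWN_DEVICES):
    """Flag sign-ins from devices outside the user's baseline; carry the admin flag
    so a first-seen device that opens an administrator session stands out."""
    return [{"user": e["user"], "device": e["device"], "admin": e["admin"], "ts": e["ts"]}
            for e in events if e["device"] not in known.get(e["user"], set())]


def _renames(host, start, n, step_s):
    t0 = _t(start)
    return [{"host": host, "op": "RENAME", "ts": (t0 + timedelta(seconds=i * step_s)).isoformat()}
            for i in range(n)]


# Constructed file-server events: 25 renames in 25 s on FS01 (a burst),
# 3 renames ten minutes apart on FS02 (normal), plus one unrelated read.
FILE_EVENTS = (_renames("FS01", "2024-05-01T10:00:00", 25, 1)
               + _renames("FS02", "2024-05-01T10:00:00", 3, 600)
               + [{"host": "FS01", "op": "READ", "ts": "2024-05-01T10:00:05"}])


def rename_bursts(events, window_s=60, threshold=20):
    """Per host, peak number of RENAME ops in any sliding window of window_s
    seconds; return {host: peak} for hosts at or above threshold."""
    times = defaultdict(list)
    for e in events:
        if e["op"] == "RENAME":
            times[e["host"]].append(_t(e["ts"]))
    flagged = {}
    for host, ts in times.items():
        ts.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(ts):
            while t - ts[lo] > timedelta(seconds=window_s):
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    for h in impossible_travel(SIGNINS):
        print("impossible travel:", h)
    for h in first_seen_devices(SIGNINS):
        print("first-seen device:", h)
    print("rename bursts:", rename_bursts(FILE_EVENTS))
```

On the sample data, alice's second sign-in is flagged twice (a London-to-New-York hop in 40 minutes, and an unknown device opening an admin session), while bob's Paris-to-London move over eight hours is not; FS01 exceeds the rename threshold and FS02 does not. In production the device baseline and thresholds come from observed history rather than constants, and the rename detector should be paired with the backup-access monitoring the paragraph mentions.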
Families and tooling names for defensive awareness
Impact-stage ransomware family represented for defensive monitoring and incident response planning.
Grouped category for theft-oriented tooling without operational implementation details.
Represents legitimate tooling that may require monitoring when used outside approved administrative context.
Safe, defanged, or documentation-range indicators
| Type | Value | Confidence | Note | Action |
|---|---|---|---|---|
| Domain | files-recovery[.]example | Medium | Defanged example domain for ransomware-themed table content. | |
| IP | 198.51.100.22 | Medium | Documentation-range IP address used as a safe placeholder. | |
| SHA256 | 9aa54df1b643028c5ed32a910f7bb8c141214d942ab41d29fb3f7b02c70237de | High | Mock payload hash for defensive UI demonstration. | |
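Before a table like this is published in a demo or training page, it is worth checking mechanically that every indicator really is a safe placeholder: domains under the RFC 2606 reserved names (`.example`, `.test`, `.invalid`, `.localhost`, `example.com/net/org`), IPs inside the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), and hashes that are at least well-formed (a hash's origin cannot be judged from its shape, so only its length and alphabet are checked). The block below is an added example, not the page's own tooling; it takes the rows from the table above and assumes the `[.]` defang convention.

```python
"""Validate that an indicator table holds only safe placeholders.
Added example; rows are copied from the table above, the '[.]' / 'hxxp'
defang conventions are assumed."""
import ipaddress
import re

# RFC 5737 documentation networks.
DOC_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
# RFC 2606 reserved top-level and second-level names.
RESERVED_TLDS = {"example", "test", "invalid", "localhost"}
RESERVED_SLDS = {"example.com", "example.net", "example.org"}
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}

# (type, value) pairs copied from the table above.
ROWS = [
    ("Domain", "files-recovery[.]example"),
    ("IP", "198.51.100.22"),
    ("SHA256", "9aa54df1b643028c5ed32a910f7bb8c141214d942ab41d29fb3f7b02c70237de"),
]


def refang(value):
    """Undo common defanging so the value can be parsed: '[.]' -> '.', 'hxxp' -> 'http'."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def is_safe(ioc_type, value):
    """True only if the indicator lies in a reserved/documentation space
    (or, for hashes, is syntactically a hash of the stated algorithm)."""
    v = refang(value).strip().lower()
    if ioc_type == "IP":
        try:
            ip = ipaddress.ip_address(v)
        except ValueError:
            return False
        return any(ip in net for net in DOC_NETS)
    if ioc_type == "Domain":
        labels = v.rstrip(".").split(".")
        return labels[-1] in RESERVED_TLDS or ".".join(labels[-2:]) in RESERVED_SLDS
    if ioc_type in HASH_LEN:
        return re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[ioc_type], v) is not None
    return False  # unknown indicator type: fail closed


def check_rows(rows):
    """Map each indicator value to its safety verdict."""
    return {value: is_safe(ioc_type, value) for ioc_type, value in rows}


if __name__ == "__main__":
    for value, ok in check_rows(ROWS).items():
        print(("SAFE   " if ok else "UNSAFE ") + value)
```

A row that fails this check (a real-looking IP outside the documentation ranges, or a domain under a live TLD) should be replaced before the table is shared, since readers copy such values into test queries and blocklists.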
Recent campaign activity from local mock data
Mock campaign cluster where remote access anomalies precede file share enumeration and data staging alerts.
Analyst note covering suspicious administrative sessions, archive creation, and high-volume access to sensitive repositories.
Safe SOC analyst guidance for monitoring and triage