
AI-built ransomware toolkit automates EDR evasion, AD discovery

BleepingComputer, 02/06/2026, 20:01

Summary (AI-Generated)

Key Points:

  • A new AI-built ransomware toolkit is being used by threat actors to automate Active Directory discovery and evade EDR solutions.
  • The toolkit has been tested against EDR products from Sophos, CrowdStrike, and Microsoft, with indications that its evasion techniques succeeded in a customer environment.
  • Organizations should enhance their EDR configurations and conduct thorough assessments to detect potential misuse of automated tools.

Technical Details: The toolkit uses Python scripts to generate payloads, primarily in Rust and Go, that employ various evasion techniques. The development process is human-driven, with AI assisting in coding and in testing the payloads against over 70 techniques.

MITRE ATT&CK Techniques:

  • T1078 - Valid Accounts (Defense Evasion)
  • T1016 - System Network Configuration Discovery (Discovery)
  • T1046 - Network Service Scanning (Discovery)
  • T1203 - Exploit Public-Facing Application (Initial Access)

IOCs Mentioned: None
