CyberBrief Project

The Invisible Intruder: Deconstructing LockBit

Meni Tasa Season 1 Episode 11

Summary

This episode explores a LockBit ransomware campaign that relied on DLL sideloading and masquerading to operate undetected until the final encryption stage.

The attackers gained access using legitimate remote management tools already present in the environment. They paired trusted, signed applications with malicious DLLs placed in locations where the application would load them first. Masquerading techniques — such as adopting common process names, using standard icons, and placing payloads in system-like directories — allowed their presence to blend seamlessly into normal operations.

Once inside, they escalated privileges, conducted network reconnaissance, stole credentials and Kerberos tickets, and used Group Policy to distribute payloads. The ransomware was ultimately launched under the identity of a trusted process, bypassing many traditional detection points.

Defensive Recommendations

  • Restrict DLL search paths and enable Safe DLL Search Mode to prevent loading from user-writable or non-standard directories.
  • Deploy application control policies (e.g., Windows Defender Application Control, AppLocker) to block unapproved binaries and DLLs.
  • Monitor for legitimate applications loading DLLs from unusual directories or with unexpected hashes.
  • Audit the use of remote management tools; require MFA, logging, and alerting for unexpected file transfers or executions.
  • Track Group Policy changes, focusing on script and binary deployments to endpoint systems.
  • Monitor for obfuscated PowerShell commands that interact with large sets of files or sensitive directories.

Files, Folders, Tools, and Configurations for Defenders

  • Files and Folders: Watch for legitimate application executables paired with DLLs of the same name in non-standard or writable directories; payloads appearing in ProgramData or user profile subdirectories.
  • Tools: Remote access tools such as TeamViewer and MeshAgent; service management utilities like NSSM; administrative execution tools like PsExec; and credential theft tools for token manipulation and Kerberos extraction.
  • Configurations:
    • Enforce strict application allowlisting for both executables and DLLs.
    • Limit write permissions to directories used by trusted applications.
    • Enable command-line logging for PowerShell, PsExec, and similar tools.
    • Implement centralized logging and correlation rules to detect legitimate applications initiating encryption or credential theft activity.
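The two lists above (monitor legitimate applications loading DLLs from unusual directories or with unexpected hashes; watch for application executables paired with DLLs in writable directories) can be turned into a small hunt over Sysmon Event ID 7 image-load records. The example below is added here and is not from the episode or any vendor tool; the records, paths, hash values, directory lists and the per-site hash baseline are constructed placeholders.

```python
import ntpath

# Constructed Sysmon Event ID 7 (Image loaded) records; the paths and hash
# values are hypothetical and are not indicators from the episode.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true"},
    {"Image": r"C:\ProgramData\Updater\updater.exe",        # relocated signed app
     "ImageLoaded": r"C:\ProgramData\Updater\version.dll",  # DLL planted beside it
     "Hashes": "SHA256=" + "b" * 64, "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Foo\foo.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Hashes": "SHA256=" + "c" * 64, "Signed": "true"},
]

WRITABLE_DIRS = (r"c:\programdata", r"c:\users", r"c:\windows\temp")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLL names the search order resolves from the application directory first;
# a copy outside the system directories is the sideloading pattern.
OS_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptsp.dll", "wtsapi32.dll"}
BASELINE = {"version.dll": {"a" * 64}}  # known-good SHA256 per name (constructed)

def under(path, dirs):
    """True when path (case-insensitively) sits below one of dirs."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in dirs)

def sha256_of(hashes_field):
    """Pull SHA256 out of Sysmon's 'SHA256=..,IMPHASH=..' Hashes field."""
    parts = dict(kv.split("=", 1) for kv in hashes_field.split(","))
    return parts.get("SHA256", "").lower()

def classify(event):
    """Return the sideloading indicators one image-load event matches."""
    dll, host = event["ImageLoaded"], event["Image"]
    name = ntpath.basename(dll).lower()
    reasons = []
    if under(dll, WRITABLE_DIRS):
        reasons.append("dll_in_user_writable_dir")
    if name in OS_DLL_NAMES and not under(dll, SYSTEM_DIRS):
        reasons.append("os_dll_name_outside_system_dir")
    if event["Signed"] == "false" and ntpath.dirname(dll).lower() == ntpath.dirname(host).lower():
        reasons.append("unsigned_dll_beside_host_exe")
    if name in BASELINE and sha256_of(event["Hashes"]) not in BASELINE[name]:
        reasons.append("unexpected_hash_for_known_dll")
    return reasons

def hunt(events):
    """Map each flagged DLL path to its reasons; clean loads are omitted."""
    return {e["ImageLoaded"]: r for e in events if (r := classify(e))}
```

Running `hunt(EVENTS)` flags only the ProgramData load, on all four rules; the two system-directory loads produce nothing.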

Support the show

Thanks for spending a few minutes on the CyberBrief Project.

If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.

You can also find the podcast on YouTube at youtube.com/@CyberBriefProject. I’d love to see you there.

And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support

Your support means a lot.

See you in the next one, and thank you for listening.