This activity involves a DLL sideloading attack that abuses the SbieDll_Hook export (the API exported by Sandboxie's SbieDll.dll) to load tools such as the Cobalt Strike stager, Cobalt Strike Beacon, the Havoc framework, and NetSpy. In this case the threat actors decrypted a payload stored in imfsb.ini, then used CVE-2019-0803 to run shellcode that attempted to terminate the processes listed in processlist.txt, and finally deployed Mimikatz for credential dumping.
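The sideloading step above is the most detectable part of the chain: a genuine SbieDll.dll is only ever loaded from the Sandboxie install directory by Sandboxie's own signed binaries, so any other process loading a file of that name from its own directory (or an unsigned copy) is worth a look. The following is an added example, not code from the alert or from any vendor, that applies that check to Sysmon Event ID 7 (Image loaded) records. The field names (Image, ImageLoaded, Signed, Signature) are the real Sysmon ones; the install paths, the expected signer substring and the sample events are assumptions constructed for the example and should be adjusted to your estate.

```python
"""Flag suspicious loads of SbieDll.dll (Sandboxie) in Sysmon Event ID 7 data.

Added example for illustration; sample events and expected paths are constructed.
"""
import ntpath
from dataclasses import dataclass

# Assumption: default Sandboxie install locations. Extend for your environment.
EXPECTED_DIRS = {r"c:\program files\sandboxie", r"c:\program files\sandboxie-plus"}
# Assumption: substring expected in the Authenticode signer name of a genuine DLL.
EXPECTED_SIGNER_SUBSTRING = "sandboxie"


@dataclass(frozen=True)
class ImageLoad:
    """Subset of Sysmon Event ID 7 fields relevant to sideloading detection."""
    image: str         # Image: the process that loaded the DLL
    image_loaded: str  # ImageLoaded: full path of the DLL
    signed: bool       # Signed: true/false
    signature: str     # Signature: signer name, empty when unsigned


def _norm_dir(path: str) -> str:
    """Directory part of a Windows path, lower-cased, without trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\")


def classify(ev: ImageLoad):
    """Return a reason string if the load looks like SbieDll.dll sideloading, else None."""
    if ntpath.basename(ev.image_loaded).lower() != "sbiedll.dll":
        return None  # not the DLL we care about

    dll_dir = _norm_dir(ev.image_loaded)
    proc_dir = _norm_dir(ev.image)
    reasons = []

    if dll_dir not in EXPECTED_DIRS:
        reasons.append(f"SbieDll.dll loaded from non-install directory {dll_dir}")
    if not ev.signed or EXPECTED_SIGNER_SUBSTRING not in ev.signature.lower():
        reasons.append("SbieDll.dll not signed by the expected publisher")
    # Classic sideloading shape: host executable and DLL sit in the same
    # attacker-controlled directory rather than the product install path.
    if dll_dir == proc_dir and proc_dir not in EXPECTED_DIRS:
        reasons.append(
            f"host {ntpath.basename(ev.image)} loads SbieDll.dll from its own directory"
        )
    return "; ".join(reasons) or None


def find_sideloads(events):
    """Return (loading process, reason) for every event that classify() flags."""
    return [(ev.image, reason) for ev in events if (reason := classify(ev))]


# Constructed sample records (not real telemetry): one benign Sandboxie load,
# one sideload from a user-writable directory, one unrelated DLL load.
SAMPLE_EVENTS = [
    ImageLoad(
        image=r"C:\Program Files\Sandboxie\Start.exe",
        image_loaded=r"C:\Program Files\Sandboxie\SbieDll.dll",
        signed=True,
        signature="Sandboxie",
    ),
    ImageLoad(
        image=r"C:\Users\Public\Libraries\update\host.exe",
        image_loaded=r"C:\Users\Public\Libraries\update\SbieDll.dll",
        signed=False,
        signature="",
    ),
    ImageLoad(
        image=r"C:\Windows\explorer.exe",
        image_loaded=r"C:\Windows\System32\kernel32.dll",
        signed=True,
        signature="Microsoft Windows",
    ),
]


if __name__ == "__main__":
    for process, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"{process}: {reason}")
```

Running it on the constructed records flags only the second event, with all three reasons (non-install directory, unsigned, DLL beside its host). In practice the same logic can be expressed as a SIEM query; the point is that the name alone is not the signal, the combination of path, signer and host directory is.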
