Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
ID: c5c52f9e-fcbf-57e0-bd12-37d5ff8320a1
STIX ID: report--c5c52f9e-fcbf-57e0-bd12-37d5ff8320a1
Feed Name: The DFIR Report
This DFIR report documents an 11-day intrusion that began in January 2024. Initial access came through a trojanized 'setup_wm.exe' that deployed a Cobalt Strike beacon. The intruder then performed discovery and credential theft (LSASS access, Seatbelt/SharpView) and deployed proxies (SystemBC, GhostSOCKS) for persistent C2. Large-scale data exfiltration was carried out with rclone to Mega.io and FTP servers. Finally, LockBit ransomware (ds.exe) was deployed across the environment using WMI, PsExec and BITSAdmin, reaching full encryption approximately 239 hours after initial access. The report includes ATT&CK TTP mapping, network detections, YARA/Sigma matches, and extensive IOCs (domains, IPs, file hashes).
