Day 1 Introduction
• Emulated Group: Wizard Spider
• Background: Russian-speaking cyber criminal gang associated with “big game hunting”
• Scenario: Ransomware attack against a notional organization using malware (Emotet, TrickBot, Ryuk) associated with Wizard Spider campaigns
Day 1 Overview
After gaining access via a maldoc, Wizard Spider moves through the environment collecting & enumerating information before deploying ransomware on the domain controller.
[Network diagram: hosts 10.0.0.4, 192.168.0.4, 10.0.0.7, 10.0.0.8]
© 2021 MITRE Engenuity. Approved for limited release (Qualys). TLP:RED
Step 1: Overview
Initial Compromise: Wizard Spider gains access to an initial victim via a malicious Word document that downloads + executes a payload.
[Network diagram: 192.168.0.4, 10.0.0.7]
1.A.4 Execution - Command and Scripting Interpreter: Windows Command Shell (T1059.003)
1.A.10 Command and Control - Application Layer Protocol: Web Protocols (T1071.001)
• explorer.exe executes winword.exe
• winword.exe loads VBEUI.DLL, executes code via AutoOpen()
• winword.exe downloads C:\Users\Public\adb.txt
• WmiPrvSE.exe spawns powershell.exe
• powershell.exe downloads adb.dll
• rundll32.exe executes adb.dll
• rundll32.exe connects to 192.168.0.4 over AES-encrypted protocol HTTP
• rundll32.exe connects to 192.168.0.4 over protocol HTTP
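The Step 1 chain is a textbook case for process-ancestry detection: an Office application runs a macro, the macro uses WMI so that powershell.exe is born under WmiPrvSE.exe rather than under winword.exe, and rundll32.exe is then handed a DLL from C:\Users\Public. The following detector, an added example that is not part of the MITRE Engenuity slides, runs three rules over constructed Sysmon-style process-creation records (PIDs, the document name, the PowerShell arguments and the rundll32 export ordinal are assumptions): Office app spawning an interpreter, WmiPrvSE.exe spawning a shell, and rundll32.exe loading a DLL from a user-writable directory.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1, modelled on
# the Step 1 chain on the slide: explorer -> winword (macro) -> WmiPrvSE -> powershell
# -> rundll32 loading adb.dll. PIDs, the document name, the PowerShell arguments and
# the rundll32 export ordinal are illustrative, not values from the evaluation.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n C:\Users\alice\Downloads\invoice.docm'},
    {"pid": 300, "ppid": 2,   "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "WmiPrvSE.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -nop -File C:\Users\Public\stage.ps1"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\adb.dll,#1"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Directories an unprivileged user can write to; a DLL handed to rundll32 from here is
# far more likely to be a dropped payload than a system component.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\(?:public|[^\\]+\\appdata)\\|programdata\\|windows\\temp\\)", re.I)
DLL_ARG = re.compile(r'"?([a-z]:\\[^",\s]+\.dll)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Return the process chain for `pid`, child first, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule, detail) for the three behaviours visible in the Step 1 diagram."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # Office application spawning a script interpreter or LOLBin directly.
        if name in INTERPRETERS and pname in OFFICE_APPS:
            findings.append((e["pid"], "office-app-spawned-interpreter", f"{pname} -> {name}"))
        # Macro launching via WMI: the child of WmiPrvSE.exe has no Office ancestor,
        # so a parent-child rule keyed on winword.exe alone misses it.
        if name in {"powershell.exe", "cmd.exe"} and pname == "wmiprvse.exe":
            findings.append((e["pid"], "wmi-spawned-shell", f"{pname} -> {name}"))
        # rundll32 executing a DLL that lives in a user-writable directory.
        if name == "rundll32.exe":
            m = DLL_ARG.search(e["cmdline"])
            if m and USER_WRITABLE.match(m.group(1)):
                findings.append((e["pid"], "rundll32-user-writable-dll", m.group(1)))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(pid, rule, detail, "| ancestry:", " <- ".join(ancestry(EVENTS, pid)))
```

On the constructed records the Office-parent rule stays silent, which is the point of the WMI hop; the WmiPrvSE.exe rule and the user-writable-DLL rule are what catch the chain.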
Step 2: Overview
Emotet Persistence: Wizard Spider establishes persistence via a Registry key.
[Network diagram: 192.168.0.4, 10.0.0.7]
• rundll32.exe adds the blbdigital Registry Run key using RegSetValueExA()
Step 3: Overview
Emotet Host Discovery and Credential Collection: Wizard Spider enumerates system info + local processes, then downloads and executes an email scraper.
[Network diagram: 192.168.0.4, 10.0.0.7]
• rundll32.exe executes RtlGetVersion(), GetNativeSystemInfo(), and RtlGetNtProductType()
• rundll32.exe executes CreateToolhelp32Snapshot()
• rundll32.exe downloads Outlook.dll
• rundll32.exe spawns cmd.exe then powershell.exe to read SenderEmailAddress values from Outlook
• rundll32.exe spawns cmd.exe then powershell.exe to search Outlook for password strings
Step 4: Overview
[Network diagram: 10.0.0.7, 10.0.0.8]
4.A.4 Command and Control - Application Layer Protocol: Web Protocols (T1071.001)
• uxtheme.exe connects to 192.168.0.4 over protocol HTTP on port 447
• uxtheme.exe connects to 192.168.0.4 over protocol HTTP
Step 5: Overview
TrickBot Discovery: Wizard Spider uses TrickBot to perform detailed system discovery.
[Network diagram: 192.168.0.4, 10.0.0.7, 10.0.0.8]
• cmd.exe executes nltest /domain_trusts /all_trusts
• cmd.exe executes net config workstation
• cmd.exe executes whoami /groups
Step 6: Overview
[Network diagram: 10.0.0.7, 10.0.0.8]
• uxtheme.exe downloads the file rubeus.exe
• cmd.exe executes rubeus.exe kerberoast /domain:oz.local
Step 7: Overview
Lateral Movement to DC: Wizard Spider moves to the DC via RDP, downloads and plants Trickbot then enumerates the domain.
[Network diagram: 10.0.0.4, 192.168.0.4, 10.0.0.7, 10.0.0.8]
7.A.4 Persistence - Boot or Logon Autostart Execution: Winlogon Helper DLL (T1547.004)
• powershell.exe downloads the file uxtheme.exe
• powershell.exe executes adfind.exe
• powershell.exe adds the Userinit Registry key using Set-ItemProperty
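Both persistence mechanisms on the slides are registry value writes: the blbdigital Run key set by rundll32.exe in Step 2, and the Winlogon Userinit value rewritten by powershell.exe in Step 7. The check below is an added example, not code from the MITRE Engenuity slides, and runs over constructed Sysmon-style registry value-set records (the SID, the value data and the benign third record are assumptions). A Run-key write is flagged when the writer is a LOLBin or the value points into a user-writable directory; a Userinit write is flagged when anything beyond the stock userinit.exe entry is present, since every comma-separated entry in that value executes at logon.

```python
import re

# Constructed registry value-set records in the shape of Sysmon Event ID 13. The first two
# mirror the slides: rundll32.exe writing a Run value named "blbdigital" (Step 2) and
# powershell.exe rewriting the Winlogon Userinit value (Step 7). The SID, the value data and
# the third, benign, record are illustrative.
REG_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\blbdigital",
     "details": r"C:\Users\Public\adb.dll"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\Public\uxtheme.exe"},
    {"image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r"C:\Program Files\Vendor\updater.exe"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\([^\\]+)$", re.I)
WINLOGON = re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)
LOLBINS = {"rundll32.exe", "powershell.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users\\|programdata\\|windows\\temp\\)", re.I)
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def userinit_extras(data):
    """Entries in a Userinit value other than the stock userinit.exe. The default value is
    'C:\\Windows\\system32\\userinit.exe,' and every comma-separated entry runs at logon."""
    parts = [p.strip().strip('"') for p in data.split(",") if p.strip()]
    return [p for p in parts if p.lower() != DEFAULT_USERINIT]


def check_registry(events):
    """Return (kind, subject, reason) findings for Run-key and Winlogon persistence writes."""
    findings = []
    for e in events:
        writer = basename(e["image"])
        m = RUN_KEY.search(e["target"])
        if m:
            reasons = []
            if writer in LOLBINS:
                reasons.append(f"written by {writer}")
            if USER_WRITABLE.match(e["details"].strip('"')):
                reasons.append("points to user-writable path")
            if reasons:
                findings.append(("run-key", m.group(1), "; ".join(reasons)))
            continue
        m = WINLOGON.search(e["target"])
        if m and m.group(1).lower() == "userinit":
            extras = userinit_extras(e["details"])
            if extras:
                findings.append(("winlogon-userinit", writer, ", ".join(extras)))
        elif m and basename(e["details"].strip('"')) != "explorer.exe":
            # Winlogon\Shell should only ever name explorer.exe.
            findings.append(("winlogon-shell", writer, e["details"]))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in check_registry(REG_EVENTS):
        print(kind, subject, reason)
```

The vendor installer's Run value produces no finding because neither condition holds; the Userinit rule is deliberately strict, as there is no legitimate reason for a second entry in that value on a workstation or domain controller.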
Step 8: Overview
Dump Active Directory Database: Wizard Spider creates a volume shadow copy to collect ntds.dit.
[Network diagram: 10.0.0.4, 192.168.0.4, 10.0.0.7, 10.0.0.8]
Step 9: Overview
Ryuk Inhibit System Recovery: Wizard Spider prepares to run Ryuk ransomware by deploying payloads that stop services + delete backups.
[Network diagram: 10.0.0.4, 192.168.0.4, 10.0.0.7, 10.0.0.8]
• cmd.exe downloads kill.bat
• cmd.exe stops various services via net stop, sc config, and taskkill
• cmd.exe executes icacls.exe to modify permissions on C: and Z:
• cmd.exe downloads window.bat
• cmd.exe deletes system backups via vssadmin and del
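Steps 5, 6, 8 and 9 are all driven from cmd.exe, so command-line telemetry covers them together: the nltest, net config and whoami discovery commands, rubeus kerberoast, the shadow copy created to reach ntds.dit, and the net stop / sc config / taskkill / icacls / vssadmin sequence that precedes Ryuk. The following rule set and correlator, an added example that is not code from the MITRE Engenuity slides, runs over constructed timestamped command lines (host names, service names, the shadow-copy device path and the exact icacls arguments are assumptions; the commands otherwise follow the slides). Individual discovery commands are only tagged, while a host is alerted when three distinct recovery-inhibition rules fire within ten minutes, so a lone administrative net stop does not page anyone.

```python
import re
from datetime import datetime, timedelta

# Command-line rules for the discovery (Step 5), Kerberoasting (Step 6), ntds.dit
# collection (Step 8) and recovery-inhibition (Step 9) commands shown on the slides.
RULES = [
    ("discovery:domain-trusts", re.compile(r"\bnltest(\.exe)?\b.*/domain_trusts", re.I)),
    ("discovery:net-config", re.compile(r"\bnet1?(\.exe)?\s+config\s+workstation", re.I)),
    ("discovery:whoami-groups", re.compile(r"\bwhoami(\.exe)?\s+/groups", re.I)),
    ("credential-access:kerberoast", re.compile(r"\bkerberoast\b", re.I)),
    ("credential-access:shadow-copy-create", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("credential-access:ntds-dit", re.compile(r"\bntds\.dit\b", re.I)),
    ("inhibit-recovery:shadow-copies", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("inhibit-recovery:service-stop", re.compile(
        r"\b(?:net1?(\.exe)?\s+stop\b|sc(\.exe)?\s+config\b.*start=\s*disabled|taskkill(\.exe)?\b.*\s/f\b)", re.I)),
    # icacls applied to a drive root, as in "modify permissions on C: and Z:".
    ("inhibit-recovery:acl-change", re.compile(r'\bicacls(\.exe)?\s+"?[a-z]:\\?"?(?:\s|$)', re.I)),
]

# Constructed process command lines with timestamps. Host names, service names and the
# shadow-copy device path are illustrative; the commands follow the slides.
LOG = [
    ("WS01", "2021-01-01T10:00:00", r"nltest /domain_trusts /all_trusts"),
    ("WS01", "2021-01-01T10:00:05", r"net config workstation"),
    ("WS01", "2021-01-01T10:00:09", r"whoami /groups"),
    ("WS01", "2021-01-01T10:05:00", r"rubeus.exe kerberoast /domain:oz.local"),
    ("DC01", "2021-01-01T11:00:00", r"vssadmin create shadow /for=C:"),
    ("DC01", "2021-01-01T11:00:30",
     r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Users\Public\ntds.dit"),
    ("DC01", "2021-01-01T11:30:00", r"net stop SQLWriter /y"),
    ("DC01", "2021-01-01T11:30:02", r"sc config SQLWriter start= disabled"),
    ("DC01", "2021-01-01T11:30:10", r"taskkill /IM sqlservr.exe /F"),
    ("DC01", "2021-01-01T11:31:00", r"icacls C:\ /grant Everyone:F /T /C /Q"),
    ("DC01", "2021-01-01T11:31:30", r"vssadmin delete shadows /all /quiet"),
    ("WS02", "2021-01-01T09:00:00", r"net stop Spooler"),   # a lone admin action; must not alert
]


def match_rules(cmdline):
    """Names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def analyse(log, window=timedelta(minutes=10), threshold=3):
    """Return (hits per host, alerts). A host is alerted when at least `threshold` distinct
    inhibit-recovery rules fire within `window`; discovery hits are recorded for context."""
    per_host = {}
    for host, ts, cmd in log:
        t = datetime.fromisoformat(ts)
        for name in match_rules(cmd):
            per_host.setdefault(host, []).append((t, name))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        inhibit = [(t, n) for t, n in hits if n.startswith("inhibit-recovery:")]
        for i, (t0, _) in enumerate(inhibit):
            names = {n for t, n in inhibit[i:] if t - t0 <= window}
            if len(names) >= threshold:
                alerts[host] = sorted(names)
                break
    return per_host, alerts


if __name__ == "__main__":
    hits, alerts = analyse(LOG)
    for host, entries in hits.items():
        print(host, [n for _, n in entries])
    print("alerts:", alerts)
```

The ntds.dit rule is intentionally crude (any command line naming the file) because on a domain controller that string should appear only in backup tooling, which an allow-list on the parent image can exclude.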
Ryuk Encryption for Impact: Wizard Spider uploads and executes Ryuk which injects into another process then encrypts files on two hosts.
[Network diagram: 10.0.0.4, 192.168.0.4, 10.0.0.7, 10.0.0.8]
• ryuk.exe enumerates drives via GetLogicalDriveStrings() and GetDriveType()
• ryuk.exe injects into notepad.exe via WriteProcessMemory() and CreateRemoteThread()
• ryuk.exe enumerates files via FindFirstFile() and FindNextFile()
• notepad.exe encrypts various files using AES + RSA
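The injection step is observable as a CreateRemoteThread event (Sysmon Event ID 8 records exactly that API), and the encryption step shows up as the injected notepad.exe creating files at a rate no text editor ever does. The correlator below is an added example, not code from the MITRE Engenuity slides, and runs over constructed Sysmon-style CreateRemoteThread and FileCreate records (paths, PIDs, timestamps and the ".enc" suffix are assumptions). It flags remote-thread creation from a non-system source image and then checks whether the target process went on to create dozens of files within a minute, which turns a single injection alert into a ransomware-in-progress alert.

```python
from datetime import datetime, timedelta

# Constructed telemetry in the shape of Sysmon Event ID 8 (CreateRemoteThread) and
# Event ID 11 (FileCreate). Paths, PIDs, timestamps and the ".enc" suffix are illustrative.
REMOTE_THREADS = [
    {"ts": "2021-01-01T12:00:00", "source_image": r"C:\Users\Public\ryuk.exe", "source_pid": 700,
     "target_image": r"C:\Windows\System32\notepad.exe", "target_pid": 800},
    # Benign: an OS component creating a thread in another OS component.
    {"ts": "2021-01-01T08:00:00", "source_image": r"C:\Windows\System32\csrss.exe", "source_pid": 500,
     "target_image": r"C:\Windows\System32\svchost.exe", "target_pid": 900},
]
FILE_EVENTS = [(f"2021-01-01T12:00:{i:02d}", 800, rf"C:\Users\alice\Documents\report{i}.docx.enc")
               for i in range(30)]
FILE_EVENTS.append(("2021-01-01T12:00:05", 123, r"C:\Users\alice\Documents\notes.txt"))  # unrelated process

# Images under these prefixes are treated as OS/vendor code. A production rule would key on
# signer information rather than path, since an attacker can drop a file anywhere.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files")


def suspicious_injections(events):
    """CreateRemoteThread events whose source image is not a system/vendor binary."""
    return [e for e in events if not e["source_image"].lower().startswith(SYSTEM_PREFIXES)]


def file_burst(file_events, pid, start, window=timedelta(seconds=60), threshold=20):
    """Number of distinct files `pid` created within `window` of `start`, or 0 below `threshold`."""
    t0 = datetime.fromisoformat(start)
    paths = {p for ts, epid, p in file_events
             if epid == pid and t0 <= datetime.fromisoformat(ts) <= t0 + window}
    return len(paths) if len(paths) >= threshold else 0


def correlate(remote_threads, file_events):
    """Pair each suspicious injection with the injected process's subsequent file activity:
    a thread planted in notepad.exe is bad on its own; notepad.exe then touching dozens of
    documents in under a minute is the encryption phase."""
    alerts = []
    for inj in suspicious_injections(remote_threads):
        n = file_burst(file_events, inj["target_pid"], inj["ts"])
        alerts.append({"source": inj["source_image"], "target": inj["target_image"],
                       "target_pid": inj["target_pid"], "files_touched": n, "ransomware_like": n > 0})
    return alerts


if __name__ == "__main__":
    for a in correlate(REMOTE_THREADS, FILE_EVENTS):
        print(a)
```

Keying the file-burst check on the target PID rather than the image name matters here: the slides show the encryption happening from notepad.exe, so an image-name allow-list that trusts notepad.exe would look straight past it.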
End of Day 1
• Capture breach summary images