Day 1 Introduction
• Emulated Group: Wizard Spider
• Background: Russian-speaking cyber criminal gang associated with “big game hunting”
• Scenario: Ransomware attack against a notional organization using malware (Emotet, TrickBot, Ryuk) associated with Wizard Spider campaigns

© 2021 MITRE Engenuity. Approved for limited release (Qualys). TLP:RED 



Day 1 Overview
After gaining access via a maldoc, Wizard Spider moves through the environment collecting & enumerating information before deploying ransomware on the domain controller.
(Network diagram: 192.168.0.4, 10.0.0.4, 10.0.0.7, 10.0.0.8)

Step 1: Overview
Initial Compromise: Wizard Spider gains access to an initial victim via a malicious Word document that downloads + executes a payload.
(Network diagram: 192.168.0.4, 10.0.0.7)

Step 1: Technique Overview


1.A.1 Execution - User Execution: Malicious File (T1204.002)

1.A.2 Execution - Command and Scripting Interpreter: Visual Basic (T1059.005)

1.A.3 Command and Control - Ingress Tool Transfer (T1105)

1.A.4 Execution - Command and Scripting Interpreter: Windows Command Shell (T1059.003)

1.A.5 Defense Evasion - Obfuscated Files or Information (T1027)

1.A.6 Execution - Windows Management Instrumentation (T1047)

1.A.7 Execution - Command and Scripting Interpreter: PowerShell (T1059.001)

1.A.8 Command and Control - Ingress Tool Transfer (T1105)

1.A.9 Defense Evasion - Signed Binary Proxy Execution: Rundll32 (T1218.011)

1.A.10 Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

1.A.11 Command and Control - Encrypted Channel: Symmetric Cryptography (T1573.001)


Step 1: Initial Compromise


1.A.1 Execution - User Execution: Malicious File (T1204.002)
  explorer.exe executes winword.exe

1.A.2 Execution - Command and Scripting Interpreter: Visual Basic (T1059.005)
  winword.exe loads VBEUI.DLL, executes code via AutoOpen()

1.A.3 Command and Control - Ingress Tool Transfer (T1105)
  winword.exe downloads C:\Users\Public\adb.txt

Activity on dorothy (10.0.0.7) as user judy



Step 1: Initial Compromise


1.A.4 Execution - Command and Scripting Interpreter: Windows Command Shell (T1059.003)
  winword.exe executes cmd.exe to execute adb.vbs

1.A.5 Defense Evasion - Obfuscated Files or Information (T1027)
  adb.vbs is obfuscated

1.A.6 Execution - Windows Management Instrumentation (T1047)
  adb.vbs executes powershell.exe via Win32_Process

Activity on dorothy (10.0.0.7) as user judy



Step 1: Initial Compromise


1.A.7 Execution - Command and Scripting Interpreter: PowerShell (T1059.001)
  WmiPrvSE.exe spawns powershell.exe

1.A.8 Command and Control - Ingress Tool Transfer (T1105)
  powershell.exe downloads adb.dll

1.A.9 Defense Evasion - Signed Binary Proxy Execution: Rundll32 (T1218.011)
  rundll32.exe executes adb.dll

Activity on dorothy (10.0.0.7) as user judy



Step 1: Initial Compromise


1.A.10 Command and Control - Application Layer Protocol: Web Protocols (T1071.001)
  rundll32.exe connects to 192.168.0.4 over protocol HTTP

1.A.11 Command and Control - Encrypted Channel: Symmetric Cryptography (T1573.001)
  rundll32.exe connects to 192.168.0.4 over AES-encrypted protocol HTTP

Activity on dorothy (10.0.0.7) as user judy
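The Step 1 slides above describe one parent/child chain on dorothy: winword.exe spawning cmd.exe, WmiPrvSE.exe spawning powershell.exe on behalf of adb.vbs, and rundll32.exe loading a DLL out of C:\Users\Public. The Python below is an added example, not code from the MITRE Engenuity deck or the emulation: it encodes those three relationships as detection rules and runs them over constructed process-creation events. The event fields are an assumption modelled on Sysmon Event ID 1, and the document name, PowerShell arguments and rundll32 entry point in the samples are placeholders the slides do not give.

```python
"""Process-tree detections for the Step 1 chain shown on the slides above.

Added example, not MITRE Engenuity's or the evaluation's code. The event shape
(host, user, parent_image, image, command_line) is an assumption modelled on
Sysmon Event ID 1; the sample events below are constructed to mirror the
slides (explorer -> winword -> cmd -> WmiPrvSE -> powershell -> rundll32).
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories an unprivileged user can write to; a DLL loaded by rundll32 from
# here (C:\Users\Public\adb.dll on the slides) is far rarer than one from System32.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\", "\\temp\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


# (rule name, technique ID as labelled on the slides, predicate)
RULES = [
    ("office_spawns_script_host", "T1059.003",
     lambda e: basename(e.parent_image) in OFFICE_APPS
     and basename(e.image) in SCRIPT_HOSTS),
    ("wmi_provider_spawns_powershell", "T1047",
     lambda e: basename(e.parent_image) == "wmiprvse.exe"
     and basename(e.image) == "powershell.exe"),
    ("rundll32_loads_user_writable_dll", "T1218.011",
     lambda e: basename(e.image) == "rundll32.exe"
     and any(marker in e.command_line.lower() for marker in USER_WRITABLE)),
]


def evaluate(events):
    """Return (host, user, rule, technique) for every event that trips a rule."""
    hits = []
    for event in events:
        for name, technique, predicate in RULES:
            if predicate(event):
                hits.append((event.host, event.user, name, technique))
    return hits


# Constructed sample telemetry for dorothy (10.0.0.7) / judy. The document
# name, PowerShell arguments and rundll32 entry-point name are placeholders,
# not values from the slides.
SAMPLE_EVENTS = [
    ProcessEvent("dorothy", "judy", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"WINWORD.EXE" /n "C:\Users\judy\Downloads\maldoc.docm"'),
    ProcessEvent("dorothy", "judy",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Users\Public\adb.vbs"),
    ProcessEvent("dorothy", "judy", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -nop -w hidden -enc <constructed>"),
    ProcessEvent("dorothy", "judy",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\Public\adb.dll,PlaceholderEntry"),
    # Routine service-host start: must not match anything.
    ProcessEvent("dorothy", "judy", r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The chain matters more than any single rule: explorer.exe launching Word is normal, Word launching cmd.exe is rare, and a WMI provider host launching PowerShell right after it is rarer still, so correlating the three hits on one host and user within a short window is what turns these into a high-confidence alert.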



Step 1: Technique Review


1.A.1 Execution - User Execution: Malicious File (T1204.002)

1.A.2 Execution - Command and Scripting Interpreter: Visual Basic (T1059.005)

1.A.3 Command and Control - Ingress Tool Transfer (T1105)

1.A.4 Execution - Command and Scripting Interpreter: Windows Command Shell (T1059.003)

1.A.5 Defense Evasion - Obfuscated Files or Information (T1027)

1.A.6 Execution - Windows Management Instrumentation (T1047)

1.A.7 Execution - Command and Scripting Interpreter: PowerShell (T1059.001)

1.A.8 Command and Control - Ingress Tool Transfer (T1105)

1.A.9 Defense Evasion - Signed Binary Proxy Execution: Rundll32 (T1218.011)

1.A.10 Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

1.A.11 Command and Control - Encrypted Channel: Symmetric Cryptography (T1573.001)


Step 2: Overview

Emotet Persistence: Wizard Spider establishes persistence via a Registry key.
(Network diagram: 192.168.0.4, 10.0.0.7)

Step 2: Technique Overview

2.A.1 Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)


Step 2: Emotet Persistence


2.A.1 Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
  rundll32.exe adds the blbdigital Registry Run key using RegSetValueExA()

Activity on dorothy (10.0.0.7) as user judy



Step 2: Technique Review

2.A.1 Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)


Step 3: Overview
Emotet Host Discovery and Credential Collection: Wizard Spider enumerates system info + local processes, then downloads and executes an email scraper.
(Network diagram: 192.168.0.4, 10.0.0.7)


Step 3: Technique Overview

3.A.1 Discovery - System Information Discovery (T1082)

3.A.2 Discovery - Process Discovery (T1057)

3.A.3 Command and Control - Ingress Tool Transfer (T1105)

3.A.4 Credential Access - Unsecured Credentials (T1552)

3.A.5 Collection - Email Collection: Local Email Collection (T1114.001)


Step 3: Emotet Host Discovery and Credential Collection


3.A.1 Discovery - System Information Discovery (T1082)
  rundll32.exe executes RtlGetVersion(), GetNativeSystemInfo(), and RtlGetNtProductType()

3.A.2 Discovery - Process Discovery (T1057)
  rundll32.exe executes CreateToolhelp32Snapshot()

Activity on dorothy (10.0.0.7) as user judy



Step 3: Emotet Host Discovery and Credential Collection


3.A.3 Command and Control - Ingress Tool Transfer (T1105)
  rundll32.exe downloads Outlook.dll

3.A.4 Credential Access - Unsecured Credentials (T1552)
  rundll32.exe spawns cmd.exe then powershell.exe to search Outlook for password strings

3.A.5 Collection - Email Collection: Local Email Collection (T1114.001)
  rundll32.exe spawns cmd.exe then powershell.exe to read SenderEmailAddress values from Outlook

Activity on dorothy (10.0.0.7) as user judy



Step 3: Technique Review

3.A.1 Discovery - System Information Discovery (T1082)

3.A.2 Discovery - Process Discovery (T1057)

3.A.3 Command and Control - Ingress Tool Transfer (T1105)

3.A.4 Credential Access - Unsecured Credentials (T1552)

3.A.5 Collection - Email Collection: Local Email Collection (T1114.001)


Step 4: Overview

Move Laterally & Deploy TrickBot: Wizard Spider uses creds to RDP into a new host, then executes the TrickBot payload.
(Network diagram: 192.168.0.4, 10.0.0.7, 10.0.0.8)

Step 4: Technique Overview

4.A.1 Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)

4.A.2 Defense Evasion - Valid Accounts: Domain Accounts (T1078.002)

4.A.3 Command and Control - Ingress Tool Transfer (T1105)

4.A.4 Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

4.A.5 Command and Control - Non-Standard Port (T1571)


Step 4: Move Laterally & Deploy TrickBot


4.A.1 Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)
  Adversary connects to 10.0.0.8 using protocol RDP (port 3389)

4.A.2 Defense Evasion - Valid Accounts: Domain Accounts (T1078.002)
  User bill successfully authenticates into 10.0.0.8

4.A.3 Command and Control - Ingress Tool Transfer (T1105)
  cmd.exe downloads the file uxtheme.exe

Activity on toto (10.0.0.8) as user bill



Step 4: Move Laterally & Deploy TrickBot


4.A.4 Command and Control - Application Layer Protocol: Web Protocols (T1071.001)
  uxtheme.exe connects to 192.168.0.4 over protocol HTTP

4.A.5 Command and Control - Non-Standard Port (T1571)
  uxtheme.exe connects to 192.168.0.4 over protocol HTTP on port 447

Activity on toto (10.0.0.8) as user bill
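Two slides describe the command-and-control traffic in network terms: Step 1 has rundll32.exe talking HTTP to 192.168.0.4 with an AES-encrypted body (1.A.10, 1.A.11), and Step 4 has uxtheme.exe talking HTTP to the same address on port 447 (4.A.4, 4.A.5). The Python below is an added example, not code from the deck or the emulation, showing the three network-side checks those slides suggest: HTTP on a port outside the site's baseline, an HTTP body whose byte entropy looks like ciphertext rather than text, and an HTTP client process that should never be one. The Connection record is an assumption about what a flow log joined with a protocol analyzer would provide; the sample connections, the payload bytes and the browser path are constructed.

```python
"""Network-side checks for the C2 behaviour on the Step 1 and Step 4 slides:
HTTP to 192.168.0.4 from rundll32.exe (1.A.10), an AES-encrypted body over
HTTP (1.A.11) and HTTP on port 447 (4.A.5).

Added example, not the evaluation's code. The Connection shape is an
assumption (what a flow log plus protocol analyzer might give you); the
sample connections and payload bytes are constructed.
"""
import hashlib
import math
import ntpath
from collections import Counter
from dataclasses import dataclass

# Ports where this (hypothetical) environment expects cleartext HTTP.
STANDARD_HTTP_PORTS = {80, 8080, 8000}
# Shannon entropy in bits/byte: ASCII protocol text sits around 4-5,
# compressed or encrypted data approaches 8. Threshold and minimum sample
# size are tuning choices, not values from the slides.
ENTROPY_THRESHOLD = 7.0
MIN_SAMPLE = 256


@dataclass
class Connection:
    host: str
    image: str          # process that opened the socket
    dst_ip: str
    dst_port: int
    app_protocol: str   # as labelled by a protocol analyzer, e.g. "http"
    payload: bytes      # leading bytes of the request body, if captured


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(conn: Connection):
    """Return (finding, technique) pairs for one connection."""
    findings = []
    is_http = conn.app_protocol == "http"
    if is_http and conn.dst_port not in STANDARD_HTTP_PORTS:
        findings.append(("http_on_non_standard_port", "T1571"))
    if (is_http and len(conn.payload) >= MIN_SAMPLE
            and shannon_entropy(conn.payload) > ENTROPY_THRESHOLD):
        findings.append(("high_entropy_http_body", "T1573.001"))
    if is_http and ntpath.basename(conn.image).lower() == "rundll32.exe":
        # rundll32 has no business being an HTTP client on most hosts.
        findings.append(("rundll32_outbound_http", "T1071.001"))
    return findings


def _pseudo_random(n_blocks: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed; not real traffic)."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(n_blocks))


# Constructed samples; the uxtheme.exe path is a placeholder (the slide gives
# only the file name) and 203.0.113.10 is a documentation-range address.
SAMPLE_CONNECTIONS = [
    Connection("dorothy", r"C:\Windows\System32\rundll32.exe", "192.168.0.4", 80,
               "http", _pseudo_random(32)),
    Connection("toto", r"C:\Users\Public\uxtheme.exe", "192.168.0.4", 447,
               "http", b""),
    Connection("toto", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
               "203.0.113.10", 80, "http",
               b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n" * 8),
]

if __name__ == "__main__":
    for conn in SAMPLE_CONNECTIONS:
        print(conn.host, conn.dst_port, classify(conn))
```

The entropy check needs a caveat: compressed uploads, images and TLS-in-HTTP look just as random as AES output, so it is a triage signal to combine with the process and port findings, not an alert on its own. The port baseline is likewise per-site; 447 is only interesting because nothing legitimate in this environment speaks HTTP there.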



Step 4: Technique Review

4.A.1 Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)

4.A.2 Defense Evasion - Valid Accounts: Domain Accounts (T1078.002)

4.A.3 Command and Control - Ingress Tool Transfer (T1105)

4.A.4 Command and Control - Application Layer Protocol: Web Protocols (T1071.001)

4.A.5 Command and Control - Non-Standard Port (T1571)


Step 5: Overview

TrickBot Discovery: Wizard Spider uses TrickBot to perform detailed system discovery.
(Network diagram: 192.168.0.4, 10.0.0.7, 10.0.0.8)

Step 5: Technique Overview


5.A.1 Discovery - System Information Discovery (T1082)

5.A.2 Discovery - System Service Discovery (T1007)

5.A.3 Discovery - Account Discovery: Local Account (T1087.001)

5.A.4 Discovery - Account Discovery: Domain Account (T1087.002)

5.A.5 Discovery - System Network Configuration Discovery (T1016)

5.A.6 Discovery - System Network Connections Discovery (T1049)

5.A.7 Discovery - System Information Discovery (T1082)

5.A.8 Discovery - Domain Trust Discovery (T1482)

5.A.9 Discovery - Permission Groups Discovery (T1069)


Step 5: TrickBot Discovery


5.A.1 Discovery - System Information Discovery (T1082)
  cmd.exe executes systeminfo

5.A.2 Discovery - System Service Discovery (T1007)
  cmd.exe executes sc query

5.A.3 Discovery - Account Discovery: Local Account (T1087.001)
  cmd.exe executes net user

Activity on toto (10.0.0.8) as user bill



Step 5: TrickBot Discovery


5.A.4 Discovery - Account Discovery: Domain Account (T1087.002)
  cmd.exe executes net user /domain

5.A.5 Discovery - System Network Configuration Discovery (T1016)
  cmd.exe executes ipconfig

5.A.6 Discovery - System Network Connections Discovery (T1049)
  cmd.exe executes netstat

Activity on toto (10.0.0.8) as user bill



Step 5: TrickBot Discovery


5.A.7 Discovery - System Information Discovery (T1082)
  cmd.exe executes net config workstation

5.A.8 Discovery - Domain Trust Discovery (T1482)
  cmd.exe executes nltest /domain_trusts /all_trusts

5.A.9 Discovery - Permission Groups Discovery (T1069)
  cmd.exe executes whoami /groups

Activity on toto (10.0.0.8) as user bill
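Every command on the three Step 5 slides is something an administrator types on an ordinary day; what gives TrickBot away is nine distinct discovery techniques from one host and user inside a few minutes. The Python below is an added example, not code from the deck or the emulation: it maps each command line on the slides to the technique ID the slides assign it, then counts distinct techniques per host/user in a sliding time window and alerts when the count crosses a threshold. The event shape is an assumption modelled on Sysmon Event ID 1 command lines, and the timestamps and the extra benign events are constructed.

```python
"""Burst detection for the TrickBot discovery commands on the Step 5 slides.

Added example, not the evaluation's code. Each command on its own is routine
admin activity; the signal is nine distinct discovery techniques from one
host/user inside a few minutes. The event shape is an assumption (Sysmon
Event ID 1-style command lines); the sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CommandEvent:
    ts: datetime
    host: str
    user: str
    command_line: str


@dataclass
class BurstAlert:
    host: str
    user: str
    first_seen: datetime
    last_seen: datetime
    techniques: list


# Command prefix -> technique ID as labelled on the slides. Order matters:
# the more specific "net user /domain" must be tried before "net user".
DISCOVERY_COMMANDS = [
    ("systeminfo", "T1082"),
    ("sc query", "T1007"),
    ("net user /domain", "T1087.002"),
    ("net user", "T1087.001"),
    ("ipconfig", "T1016"),
    ("netstat", "T1049"),
    ("net config workstation", "T1082"),
    ("nltest", "T1482"),
    ("whoami /groups", "T1069"),
]


def classify_command(command_line: str) -> Optional[str]:
    """Map a command line to a discovery technique, or None."""
    cmd = " ".join(command_line.lower().split())
    if cmd.startswith("cmd.exe /c "):
        cmd = cmd[len("cmd.exe /c "):]
    for prefix, technique in DISCOVERY_COMMANDS:
        if cmd == prefix or cmd.startswith(prefix + " "):
            return technique
    return None


def detect_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Alert once per host/user when >= threshold distinct techniques fall in a window."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        technique = classify_command(ev.command_line)
        if technique:
            by_actor[(ev.host, ev.user)].append((ev.ts, technique))

    alerts = []
    for (host, user), seq in by_actor.items():
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            techniques = {t for _, t in seq[start:end + 1]}
            if len(techniques) >= threshold:
                alerts.append(BurstAlert(host, user, seq[start][0], seq[end][0],
                                         sorted(techniques)))
                break   # one alert per actor is enough here
    return alerts


T0 = datetime(2021, 1, 1, 14, 0)   # constructed timestamp
SAMPLE_EVENTS = [
    CommandEvent(T0 + timedelta(minutes=i), "toto", "bill", cmd)
    for i, cmd in enumerate([
        "systeminfo", "sc query", "net user", "net user /domain", "ipconfig",
        "netstat", "net config workstation", "nltest /domain_trusts /all_trusts",
        "whoami /groups",
    ])
] + [
    # A lone ipconfig from another user is normal and must not alert.
    CommandEvent(T0 + timedelta(minutes=2), "dorothy", "judy", "ipconfig /all"),
    CommandEvent(T0 + timedelta(minutes=3), "dorothy", "judy", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(alert)
```

In real telemetry net.exe hands most sub-commands to net1.exe, so the recorded command line is often "net1 user" rather than "net user"; a production version of classify_command should accept both spellings and the .exe suffixes. The window and threshold are tuning knobs: four distinct techniques in ten minutes catches the sequence on these slides at its fourth command without firing on a help-desk technician running ipconfig and netstat.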



Step 5: Technique Review


5.A.1 Discovery - System Information Discovery (T1082)

5.A.2 Discovery - System Service Discovery (T1007)

5.A.3 Discovery - Account Discovery: Local Account (T1087.001)

5.A.4 Discovery - Account Discovery: Domain Account (T1087.002)

5.A.5 Discovery - System Network Configuration Discovery (T1016)

5.A.6 Discovery - System Network Connections Discovery (T1049)

5.A.7 Discovery - System Information Discovery (T1082)

5.A.8 Discovery - Domain Trust Discovery (T1482)

5.A.9 Discovery - Permission Groups Discovery (T1069)


Step 6: Overview

Kerberoast the DC: Wizard Spider performs Kerberoasting using a public tool, Rubeus, to obtain domain admin credentials.
(Network diagram: 192.168.0.4, 10.0.0.4, 10.0.0.7, 10.0.0.8)

Step 6: Technique Overview

6.A.1 Command and Control - Ingress Tool Transfer (T1105)

6.A.2 Credential Access - Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)


Step 6: Kerberoast the DC


6.A.1 Command and Control - Ingress Tool Transfer (T1105)
  uxtheme.exe downloads the file rubeus.exe

6.A.2 Credential Access - Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)
  cmd.exe executes rubeus.exe kerberoast /domain:oz.local

Activity on toto (10.0.0.8) as user bill
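Kerberoasting leaves its evidence on the domain controller rather than on toto: every service ticket the tool requests is a Security event 4769 on the KDC. The Python below is an added example, not code from the deck, from the emulation or from Rubeus. It applies the two signals a detection engineer would take from this slide, a burst of RC4-HMAC (0x17) service-ticket requests for distinct SPNs from one account and client address, and an encryption downgrade for an account that otherwise receives AES tickets. The field names follow event 4769 (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status); the events and the svc_* service-account names are constructed.

```python
"""Kerberoasting detection over Security event 4769 for Step 6 (6.A.2).

Added example, not the evaluation's or Rubeus's code. Two signals are used:
many RC4-HMAC (0x17) service-ticket requests for distinct SPNs from one
account/client in a short batch, and an encryption downgrade (the same
account normally gets AES tickets). The event fields follow Security event
4769 (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status);
the sample events and service-account names are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List

RC4_HMAC = 0x17
AES_TYPES = {0x11, 0x12}   # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
KDC_STATUS_OK = 0x0


@dataclass
class TgsRequest:            # one 4769 event
    target_user: str         # requesting account, e.g. "bill@OZ.LOCAL"
    service_name: str        # SPN owner, e.g. "svc_sql"
    encryption_type: int
    ip_address: str
    status: int


@dataclass
class RoastAlert:
    target_user: str
    ip_address: str
    services: List[str]
    downgrade: bool


def is_roastable(ev: TgsRequest) -> bool:
    """RC4 ticket for a user (not computer, not krbtgt) service account."""
    return (ev.encryption_type == RC4_HMAC
            and ev.status == KDC_STATUS_OK
            and not ev.service_name.endswith("$")
            and ev.service_name.lower() != "krbtgt")


def detect_kerberoast(events, threshold=3):
    """Group a batch of 4769 events by (account, client IP) and alert when
    the account pulled RC4 tickets for >= threshold distinct services."""
    rc4_services = defaultdict(set)
    saw_aes = defaultdict(bool)
    for ev in events:
        key = (ev.target_user, ev.ip_address)
        if is_roastable(ev):
            rc4_services[key].add(ev.service_name)
        elif ev.encryption_type in AES_TYPES and ev.status == KDC_STATUS_OK:
            saw_aes[key] = True
    return [RoastAlert(user, ip, sorted(services), saw_aes[(user, ip)])
            for (user, ip), services in rc4_services.items()
            if len(services) >= threshold]


# Constructed batch: bill's normal AES host ticket on toto, then a sweep of RC4
# tickets for service accounts (names are placeholders, not from the slides),
# plus judy's single AES request which must not alert.
SAMPLE_EVENTS = [
    TgsRequest("bill@OZ.LOCAL", "TOTO$", 0x12, "10.0.0.8", 0x0),
    TgsRequest("bill@OZ.LOCAL", "svc_sql", RC4_HMAC, "10.0.0.8", 0x0),
    TgsRequest("bill@OZ.LOCAL", "svc_web", RC4_HMAC, "10.0.0.8", 0x0),
    TgsRequest("bill@OZ.LOCAL", "svc_backup", RC4_HMAC, "10.0.0.8", 0x0),
    TgsRequest("bill@OZ.LOCAL", "krbtgt", RC4_HMAC, "10.0.0.8", 0x0),
    TgsRequest("judy@OZ.LOCAL", "svc_sql", 0x12, "10.0.0.7", 0x0),
]

if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

The RC4 filter is the weaker half: a domain that still has RC4-only legacy accounts will need an allowlist, and a tool can request AES tickets instead, so the distinct-SPN count per requesting account is the signal worth keeping. The durable mitigation is on the accounts themselves: long random passwords on service accounts, or group-managed service accounts, which make the captured ticket not worth cracking.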



Step 6: Technique Review

6.A.1 Command and Control - Ingress Tool Transfer (T1105)

6.A.2 Credential Access - Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003)


Step 7: Overview

Lateral Movement to DC: Wizard Spider moves to the DC via RDP, downloads and plants TrickBot then enumerates the domain.
(Network diagram: 192.168.0.4, 10.0.0.4, 10.0.0.7, 10.0.0.8)

Step 7: Technique Overview

7.A.1 Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)

7.A.2 Defense Evasion - Valid Accounts: Domain Accounts (T1078.002)

7.A.3 Command and Control - Ingress Tool Transfer (T1105)

7.A.4 Persistence - Boot or Logon Autostart Execution: Winlogon Helper DLL (T1547.004)

7.A.5 Discovery - Permission Groups Discovery: Domain Group (T1069.002)


Step 7: Lateral Movement to DC


7.A.1 Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)
  Adversary connects to 10.0.0.4 using protocol RDP (port 3389)

7.A.2 Defense Evasion - Valid Accounts: Domain Accounts (T1078.002)
  User vfleming successfully authenticates into 10.0.0.4

Activity on wizard (10.0.0.4) as user vfleming



Step 7: Lateral Movement to DC


7.A.3 Command and Control - Ingress Tool Transfer (T1105)
  powershell.exe downloads the file uxtheme.exe

7.A.4 Persistence - Boot or Logon Autostart Execution: Winlogon Helper DLL (T1547.004)
  powershell.exe adds the Userinit Registry key using Set-ItemProperty

7.A.5 Discovery - Permission Groups Discovery: Domain Groups (T1069.002)
  powershell.exe executes adfind.exe

Activity on wizard (10.0.0.4) as user vfleming
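Two slides in this deck describe autostart persistence through the Registry: Step 2, where rundll32.exe writes the blbdigital Run key on dorothy with RegSetValueExA() (2.A.1), and 7.A.4 above, where powershell.exe changes the Winlogon Userinit value on the domain controller with Set-ItemProperty. Both land in the same telemetry, a registry value-set event, so one detection serves both. The Python below is an added example, not code from the deck or the emulation: it matches value writes under the Run/RunOnce keys and the Winlogon Userinit/Shell values, grades Run-key writes by who wrote them and where the value points, and compares Winlogon values against their stock defaults. The event shape is an assumption modelled on Sysmon Event ID 13; the events are constructed, and the values written are placeholders because neither slide shows them.

```python
"""Autostart-key detections for 2.A.1 (Registry Run key "blbdigital" written by
rundll32.exe) and 7.A.4 (Winlogon Userinit changed by powershell.exe).

Added example, not the evaluation's code. The event shape is an assumption
modelled on Sysmon Event ID 13 (RegistryEvent SetValue); the sample events
are constructed, and the written values are placeholders because the slides
do not show them.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\[^\\]+$", re.I)
WINLOGON_VALUE = re.compile(
    r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\(userinit|shell)$", re.I)

# Stock values; anything appended to Userinit or replacing Shell is suspicious.
WINLOGON_DEFAULTS = {
    "userinit": r"c:\windows\system32\userinit.exe,",
    "shell": "explorer.exe",
}
# Writers that rarely have a legitimate reason to register autostarts.
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\", "\\temp\\")


@dataclass
class RegistryEvent:
    host: str
    image: str          # process that wrote the value
    target_object: str  # full key path including the value name
    details: str        # the value written


@dataclass
class Finding:
    host: str
    technique: str
    target_object: str
    suspicious: bool


def classify_registry_event(ev: RegistryEvent) -> Optional[Finding]:
    writer = ntpath.basename(ev.image).lower()
    details = ev.details.strip().lower()
    if RUN_KEY.search(ev.target_object):
        suspicious = writer in SCRIPT_HOSTS or any(m in details for m in USER_WRITABLE)
        return Finding(ev.host, "T1547.001", ev.target_object, suspicious)
    m = WINLOGON_VALUE.search(ev.target_object)
    if m:
        expected = WINLOGON_DEFAULTS[m.group(1).lower()]
        return Finding(ev.host, "T1547.004", ev.target_object, details != expected)
    return None


def scan(events):
    return [f for f in (classify_registry_event(e) for e in events) if f]


SAMPLE_EVENTS = [
    # 2.A.1: Run key named blbdigital written by rundll32 (SID and value are placeholders)
    RegistryEvent("dorothy", r"C:\Windows\System32\rundll32.exe",
                  r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                  r"\Software\Microsoft\Windows\CurrentVersion\Run\blbdigital",
                  r"C:\Users\Public\placeholder.dll"),
    # 7.A.4: Userinit extended by powershell (the appended path is a placeholder)
    RegistryEvent("wizard", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
                  r"C:\Windows\system32\userinit.exe,C:\Users\Public\placeholder.exe"),
    # An installer registering its own updater: same technique, low suspicion
    RegistryEvent("toto", r"C:\Program Files\ExampleVendor\setup.exe",
                  r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
                  r"C:\Program Files\ExampleVendor\updater.exe"),
    # Unrelated registry write: no finding
    RegistryEvent("toto", r"C:\Windows\System32\svchost.exe",
                  r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc\Start", "2"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The Winlogon rule is the easier one to keep quiet: Userinit and Shell almost never change on a healthy system, so any write that is not the stock value deserves a look. Run-key writes are constant background noise from installers, which is why the rule grades rather than blocks; the patterns above also ignore the Wow6432Node mirror of the Run key, which a production rule should cover.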



Step 7: Technique Review

7.A.1 Lateral Movement - Remote Services: Remote Desktop Protocol (T1021.001)

7.A.2 Defense Evasion - Valid Accounts: Domain Accounts (T1078.002)

7.A.3 Command and Control - Ingress Tool Transfer (T1105)

7.A.4 Persistence - Boot or Logon Autostart Execution: Winlogon Helper DLL (T1547.004)

7.A.5 Discovery - Permission Groups Discovery: Domain Group (T1069.002)


Step 8: Overview

Dump Active Directory Database: Wizard Spider creates a volume shadow copy to collect ntds.dit.
(Network diagram: 192.168.0.4, 10.0.0.4, 10.0.0.7, 10.0.0.8)

Step 8: Technique Overview

8.A.1 Credential Access - OS Credential Dumping: NTDS (T1003.003)

8.A.2 Credential Access - OS Credential Dumping: Security Account Manager (T1003.002)


Step 8: Dump Active Directory Database


8.A.1 Credential Access - OS Credential Dumping: NTDS (T1003.003)
  cmd.exe executes vssadmin.exe to create a copy of C:

8.A.2 Credential Access - OS Credential Dumping: Security Account Manager (T1003.002)
  cmd.exe executes reg.exe to save HKLM\SYSTEM

Activity on wizard (10.0.0.4) as user vfleming



Step 8: Technique Review

8.A.1 Credential Access - OS Credential Dumping: NTDS (T1003.003)

8.A.2 Credential Access - OS Credential Dumping: Security Account Manager (T1003.002)


Step 9: Overview

Ryuk Inhibit System Recovery: Wizard Spider prepares to run Ryuk ransomware by deploying payloads that stop services + delete backups.
(Network diagram: 192.168.0.4, 10.0.0.4, 10.0.0.7, 10.0.0.8)

Step 9: Technique Overview

9.A.1 Command and Control - Ingress Tool Transfer (T1105)

9.A.2 Impact - Service Stop (T1489)


9.A.3 Defense Evasion - File and Directory Permissions Modification: Windows File and Directory Permissions Modification (T1222.001)

9.A.4 Command and Control - Ingress Tool Transfer (T1105)

9.A.5 Impact - Inhibit System Recovery (T1490)


Step 9: Ryuk Inhibit System Recovery


9.A.1 Command and Control - Ingress Tool Transfer (T1105)
  cmd.exe downloads kill.bat

9.A.2 Impact - Service Stop (T1489)
  cmd.exe stops various services via net stop, sc config, and taskkill

9.A.3 Defense Evasion - File and Directory Permissions Modification: Windows File and Directory Permissions Modification (T1222.001)
  cmd.exe executes icacls.exe to modify permissions on C: and Z:

Activity on wizard (10.0.0.4) as user vfleming



Step 9: Ryuk Inhibit System Recovery


9.A.4 Command and Control - Ingress Tool Transfer (T1105)
  cmd.exe downloads window.bat

9.A.5 Impact - Inhibit System Recovery (T1490)
  cmd.exe deletes system backups via vssadmin and del

Activity on wizard (10.0.0.4) as user vfleming
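Steps 8 and 9 are almost entirely built-in command-line tools run from cmd.exe on the domain controller: vssadmin.exe creating a shadow copy and reg.exe saving HKLM\SYSTEM (8.A.1, 8.A.2), then net stop / sc config / taskkill (9.A.2), icacls.exe (9.A.3) and vssadmin deleting shadow copies (9.A.5). The Python below is an added example, not code from the deck or the emulation: it expresses each of those as a command-line rule tagged with the technique ID the slides use, runs the rules over constructed command lines, and escalates any host where service stopping and backup destruction both appear, since that pairing is the ransomware-staging pattern Step 9 describes. The event shape is an assumption; the service names, output paths and taskkill target are placeholders, and the contents of kill.bat and window.bat are not shown on the slides.

```python
"""Command-line rules for the Step 8 and Step 9 slides: shadow copy creation
and hive export (8.A.1, 8.A.2), service stopping (9.A.2), ACL weakening with
icacls (9.A.3) and shadow copy deletion (9.A.5), plus a host-level escalation
when service stopping and backup deletion co-occur (Ryuk staging).

Added example, not the evaluation's code. The event shape (host, command_line)
is an assumption; sample command lines are constructed (service names, output
paths and the taskkill target are placeholders; the contents of kill.bat and
window.bat are not shown on the slides).
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# (rule, technique as labelled on the slides, pattern)
RULES = [
    ("shadow_copy_create", "T1003.003",
     r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b"),
    ("registry_hive_save", "T1003.002",
     r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b"),
    ("service_stop", "T1489",
     r"\bnet(?:1|\.exe)?\s+stop\s+\S+"
     r"|\bsc(?:\.exe)?\s+config\s+\S+\s+start=\s*disabled"
     r"|\btaskkill(?:\.exe)?\s+.*?/im\s+\S+"),
    ("acl_weakening", "T1222.001",
     r"\bicacls(?:\.exe)?\s+\S+\s+.*?/grant\b"),
    ("shadow_copy_delete", "T1490",
     r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b"
     r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
]
COMPILED = [(name, tech, re.compile(pat, re.I)) for name, tech, pat in RULES]


@dataclass
class CommandEvent:
    host: str
    command_line: str


def match_rules(command_line: str):
    """Return (rule, technique) for every rule the command line matches."""
    return [(name, tech) for name, tech, rx in COMPILED if rx.search(command_line)]


def scan(events):
    return [(ev.host, name, tech) for ev in events
            for name, tech in match_rules(ev.command_line)]


def escalate(findings):
    """Hosts that both stopped services (T1489) and destroyed recovery data
    (T1490) in the same batch: the pattern the Step 9 slides describe."""
    per_host = defaultdict(set)
    for host, _, tech in findings:
        per_host[host].add(tech)
    return sorted(h for h, techs in per_host.items() if {"T1489", "T1490"} <= techs)


SAMPLE_EVENTS = [
    CommandEvent("wizard", r"vssadmin.exe create shadow /for=C:"),
    CommandEvent("wizard", r"reg.exe save HKLM\SYSTEM C:\Users\Public\system.hiv"),
    CommandEvent("wizard", r"net stop ExampleBackupSvc /y"),
    CommandEvent("wizard", r"sc config ExampleBackupSvc start= disabled"),
    CommandEvent("wizard", r"taskkill /IM example_agent.exe /F"),
    CommandEvent("wizard", r"icacls C:\* /grant Everyone:F /T /C /Q"),
    CommandEvent("wizard", r"vssadmin.exe Delete Shadows /all /quiet"),
    # Routine checks on another host must not match.
    CommandEvent("toto", r"vssadmin list shadows"),
    CommandEvent("toto", r"net start"),
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("staging hosts:", escalate(found))
```

Shadow copy creation on a domain controller is the rule to treat most seriously on its own: backup software does it, but from a scheduled service account, not from an interactive cmd.exe under a user who RDPed in minutes earlier. The del step from 9.A.5 is deliberately not a rule here, since "del" on its own has no usable signal; backup deletion is better caught by the vssadmin/wmic patterns and by file-deletion telemetry scoped to backup paths.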



Step 9: Technique Review

9.A.1 Command and Control - Ingress Tool Transfer (T1105)

9.A.2 Impact - Service Stop (T1489)


9.A.3 Defense Evasion - File and Directory Permissions Modification: Windows File and Directory Permissions Modification (T1222.001)

9.A.4 Command and Control - Ingress Tool Transfer (T1105)

9.A.5 Impact - Inhibit System Recovery (T1490)


Step 10: Overview

Ryuk Encryption for Impact: Wizard Spider uploads and executes Ryuk which injects into another process then encrypts files on two hosts.
(Network diagram: 192.168.0.4, 10.0.0.4, 10.0.0.7, 10.0.0.8)

Step 10: Technique Overview

10.A.1 Command and Control - Ingress Tool Transfer (T1105)

10.A.2 Defense Evasion - Access Token Manipulation (T1134)

10.A.3 Discovery - Process Discovery (T1057)

10.A.4 Defense Evasion - Process Injection: Portable Executable Injection (T1055.002)

10.A.5 Discovery - System Information Discovery (T1082)

10.A.6 Discovery - File and Directory Discovery (T1083)

10.A.7 Impact - Data Encrypted for Impact (T1486)


Step 10: Ryuk Encryption for Impact


10.A.1 Command and Control - Ingress Tool Transfer (T1105)
  cmd.exe downloads C:\Users\Public\ryuk.exe

10.A.2 Defense Evasion - Access Token Manipulation (T1134)
  ryuk.exe adjusts its token to include SE_PRIVILEGE_ENABLED via AdjustTokenPrivileges()

10.A.3 Discovery - Process Discovery (T1057)
  ryuk.exe executes CreateToolhelp32Snapshot()

Activity on wizard (10.0.0.4) as user vfleming



Step 10: Ryuk Encryption for Impact


10.A.4 Defense Evasion - Process Injection: Portable Executable Injection (T1055.002)
  ryuk.exe injects into notepad.exe via WriteProcessMemory() and CreateRemoteThread()

10.A.5 Discovery - System Information Discovery (T1082)
  ryuk.exe enumerates drives via GetLogicalDriveStrings() and GetDriveType()

10.A.6 Discovery - File and Directory Discovery (T1083)
  ryuk.exe enumerates files via FindFirstFile() and FindNextFile()

Activity on wizard (10.0.0.4) as user vfleming
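The injection in 10.A.4 has a fixed shape at the API level: to call WriteProcessMemory() and CreateRemoteThread() against notepad.exe, ryuk.exe first has to open a handle to it with at least PROCESS_VM_WRITE, PROCESS_VM_OPERATION and PROCESS_CREATE_THREAD, and the thread creation itself is a separately observable event. The Python below is an added example, not code from the deck or the emulation: it correlates a handle open carrying those rights with a later remote-thread creation between the same pair of processes and grades the result. The two event shapes are assumptions modelled on Sysmon Event ID 10 (ProcessAccess, with its GrantedAccess mask) and Event ID 8 (CreateRemoteThread); the access-right constants are the documented Win32 values, and the PIDs and the svchost/csrss noise events are constructed.

```python
"""Process-injection correlation for 10.A.4 (ryuk.exe writes into notepad.exe
with WriteProcessMemory() and starts it with CreateRemoteThread()).

Added example, not the evaluation's code. The two event shapes are assumptions
modelled on Sysmon Event ID 10 (ProcessAccess, with the GrantedAccess mask)
and Event ID 8 (CreateRemoteThread); the access-right constants are the
documented Win32 values. PIDs and the noise events are constructed.
"""
import ntpath
from dataclasses import dataclass
from typing import List, Union

# Win32 process access rights (winnt.h)
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# The minimum a WriteProcessMemory() + CreateRemoteThread() injector must hold.
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Site baseline: Windows itself starts remote threads from these (tune locally).
BASELINE_REMOTE_THREAD_SOURCES = {"csrss.exe", "wininit.exe"}


@dataclass
class ProcessAccess:          # Sysmon Event ID 10
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    granted_access: int


@dataclass
class RemoteThread:           # Sysmon Event ID 8
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int


@dataclass
class InjectionAlert:
    source_image: str
    target_image: str
    severity: str             # "high" when a matching handle open preceded the thread
    technique: str = "T1055.002"


def has_injection_rights(granted_access: int) -> bool:
    return granted_access & INJECTION_RIGHTS == INJECTION_RIGHTS


def correlate(events: List[Union[ProcessAccess, RemoteThread]]):
    """Walk events in order; remember handle opens with write+thread rights and
    grade any later remote thread between the same PIDs as high severity."""
    armed = {}   # (source_pid, target_pid) -> ProcessAccess
    alerts = []
    for ev in events:
        if isinstance(ev, ProcessAccess):
            if ev.source_pid != ev.target_pid and has_injection_rights(ev.granted_access):
                armed[(ev.source_pid, ev.target_pid)] = ev
        elif isinstance(ev, RemoteThread):
            if ntpath.basename(ev.source_image).lower() in BASELINE_REMOTE_THREAD_SOURCES:
                continue
            severity = "high" if (ev.source_pid, ev.target_pid) in armed else "medium"
            alerts.append(InjectionAlert(ev.source_image, ev.target_image, severity))
    return alerts


SAMPLE_EVENTS = [
    # Normal: a service querying notepad with limited rights (0x1000)
    ProcessAccess(r"C:\Windows\System32\svchost.exe", 900,
                  r"C:\Windows\System32\notepad.exe", 5212, 0x1000),
    # 10.A.4: ryuk.exe opens notepad.exe with PROCESS_ALL_ACCESS (0x1FFFFF) ...
    ProcessAccess(r"C:\Users\Public\ryuk.exe", 4120,
                  r"C:\Windows\System32\notepad.exe", 5212, 0x1FFFFF),
    # ... then starts a thread in it.
    RemoteThread(r"C:\Users\Public\ryuk.exe", 4120,
                 r"C:\Windows\System32\notepad.exe", 5212),
    # Baseline noise: csrss creating a thread in the new process
    RemoteThread(r"C:\Windows\System32\csrss.exe", 600,
                 r"C:\Windows\System32\notepad.exe", 5212),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Handle-open events are noisy on their own (debuggers, EDR agents and accessibility tools all request wide access), which is why the handle open here only arms the correlation and the alert fires on the remote thread. A notepad.exe that then starts encrypting files (10.A.7) is the confirming signal: file-modification telemetry attributed to the target process, not the source, is what ties the injection to the impact.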



Step 10: Ryuk Encryption for Impact


10.A.7 Impact - Data Encrypted for Impact (T1486)
  notepad.exe encrypts various files using AES + RSA

Activity on wizard (10.0.0.4) and toto (10.0.0.8) as user vfleming



Step 10: Technique Review

10.A.1 Command and Control - Ingress Tool Transfer (T1105)

10.A.2 Defense Evasion - Access Token Manipulation (T1134)

10.A.3 Discovery - Process Discovery (T1057)

10.A.4 Defense Evasion - Process Injection: Portable Executable Injection (T1055.002)

10.A.5 Discovery - System Information Discovery (T1082)

10.A.6 Discovery - File and Directory Discovery (T1083)

10.A.7 Impact - Data Encrypted for Impact (T1486)


End of Day 1
• Capture breach summary images

Reminder: do not make any configuration changes before the start of Day 2
