Based on open-source intelligence, the ATT&CK® Evaluations team created the scenario below, leveraging techniques seen from Sandworm in the wild. We have adapted the scenario based on the tools and resources available at the time. Below is a diagram,
# Emulation Scenario
📖 In our scenario, a group of developers from the Holtzman organization decided to use an open-source tool called Weirdingway to monitor their development pipeline and bypass budget constraints. Years pass and the Weirdingway software becomes baked into the developers' environment. Some time later, Sandworm identifies a vulnerability in a specific version of the Weirdingway project that exposes a webpage to the open internet. Sandworm begins searching for this exposed webpage and identifies the Holtzman organization as running the vulnerable version of the Weirdingway software.
Exploiting the vulnerability (due to environment limitations we use SSH and deploy the P.A.S. Webshell emulation), Sandworm establishes persistence with a P.A.S. webshell v3.1.4. After conducting initial discovery, Sandworm downloads the Linux/Exaramel software, modifies its permissions, and executes it, gaining C2 communications. Exaramel installs two persistence mechanisms (cron & systemd), then exfiltrates /etc/shadow, bash history, and SSH keys. Performing offline password cracking, Sandworm obtains credentials for Frank Herbert on the Gammu host.
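The Linux stage described above gives a defender three observable events on one host: a file dropped and made executable under a web-server account, new cron/systemd persistence written by that account, and reads of credential material (/etc/shadow, shell history, SSH keys). The following is an added detection example, not part of the ATT&CK Evaluations scenario or its tooling: it correlates those stages over a constructed, audit-style event stream. The event schema, field names, directory list and web-server account names are assumptions chosen for the illustration.

```python
"""Correlate Linux host audit events into the webshell -> Exaramel ->
credential-collection chain. Added example; event format and sample
events are constructed, not real telemetry."""
from collections import defaultdict

# Directories a new cron job or systemd unit must be written into
# (assumption: these are what the defender's file-integrity watch covers).
PERSISTENCE_DIRS = ("/etc/cron.d/", "/etc/systemd/system/", "/var/spool/cron/")
# Files the scenario says are exfiltrated after persistence is set up.
SENSITIVE_PATTERNS = ("/etc/shadow", ".bash_history", "/.ssh/")
# Accounts a webshell would run as; assumption for the demo.
WEB_USERS = {"www-data", "apache", "nginx"}

# Constructed sample events (hostnames other than caladan, file names and
# timestamps are invented for illustration).
SAMPLE_EVENTS = [
    {"ts": 100, "host": "caladan", "user": "www-data", "comm": "sh", "op": "exec", "path": "/tmp/exaramel"},
    {"ts": 101, "host": "caladan", "user": "www-data", "comm": "sh", "op": "chmod", "path": "/tmp/exaramel"},
    {"ts": 105, "host": "caladan", "user": "www-data", "comm": "exaramel", "op": "write", "path": "/etc/systemd/system/example.service"},
    {"ts": 106, "host": "caladan", "user": "www-data", "comm": "exaramel", "op": "write", "path": "/etc/cron.d/example"},
    {"ts": 110, "host": "caladan", "user": "www-data", "comm": "exaramel", "op": "read", "path": "/etc/shadow"},
    {"ts": 111, "host": "caladan", "user": "www-data", "comm": "exaramel", "op": "read", "path": "/root/.bash_history"},
    {"ts": 112, "host": "caladan", "user": "www-data", "comm": "exaramel", "op": "read", "path": "/root/.ssh/id_rsa"},
    # Benign administration on another host: root installs a unit and
    # changes a password. Neither should be flagged.
    {"ts": 200, "host": "build01", "user": "root", "comm": "systemctl", "op": "write", "path": "/etc/systemd/system/backup.service"},
    {"ts": 201, "host": "build01", "user": "root", "comm": "passwd", "op": "write", "path": "/etc/shadow"},
]


def classify(event):
    """Map one event to the scenario stage it could belong to, or None."""
    op, path = event["op"], event["path"]
    if op == "write" and path.startswith(PERSISTENCE_DIRS):
        return "persistence"
    if op == "read" and any(p in path for p in SENSITIVE_PATTERNS):
        return "collection"
    if op == "chmod" and path.startswith("/tmp/"):
        return "staging"
    return None


def detect(events, window=600):
    """Return one finding per (host, user) where a web-server account both
    writes persistence and reads credential material within `window`
    seconds. Staging (chmod in /tmp) is reported as supporting evidence."""
    by_actor = defaultdict(lambda: defaultdict(list))
    for e in sorted(events, key=lambda e: e["ts"]):
        tag = classify(e)
        if tag is not None:
            by_actor[(e["host"], e["user"])][tag].append(e)

    findings = []
    for (host, user), stages in by_actor.items():
        if user not in WEB_USERS:
            continue  # assumption: privileged admin changes are reviewed elsewhere
        if "persistence" not in stages or "collection" not in stages:
            continue
        times = [e["ts"] for evs in stages.values() for e in evs]
        if max(times) - min(times) > window:
            continue
        findings.append({
            "host": host,
            "user": user,
            "stages": sorted(stages),
            "first_ts": min(times),
            "last_ts": max(times),
            "paths": sorted(e["path"] for evs in stages.values() for e in evs),
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}/{f['user']}: {', '.join(f['stages'])} "
              f"({f['last_ts'] - f['first_ts']}s) -> {f['paths']}")
```

The correlation key is the web-server account rather than the binary name, because the dropped file can be renamed freely while the account a webshell inherits cannot; the benign root events on build01 show why the account filter matters, since a legitimate unit install and a `passwd` change touch the same paths.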
Sandworm uploads Exaramel to the Gammu host using smbclient with the valid credentials obtained by offline password cracking on the previous host, Caladan. Using a bind shell with psexec, persistence is established via registry keys and credential collection tools. The legitimate user Frank Herbert, fherbert, logs in to their computer via RDP and goes about their workday. Sandworm collects Frank's credentials with keylogging deployed as part of their OraDump Credential Collection toolkit. Sandworm then conducts local host and network discovery, specifically looking for open RDP sessions.
Using credentials from an active RDP session on Gammu, Sandworm RDPs into the Arrakis host as Paul Atreides, patreides. After additional discovery, the Arrakis host is determined to be the ideal location to deploy NotPetya. NotPetya is uploaded to the Active Directory and executed. NotPetya creates a scheduled task, searches for connected devices, dumps credentials, copies itself to discovered hosts, and executes itself. While moving laterally, NotPetya searches for files with specific file extensions, encrypts the files, clears Windows event logs, and executes the scheduled task to reboot.
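Two of the NotPetya behaviours above (a scheduled task created on one host and then appearing on others as the payload spreads, and event logs being cleared before the reboot) map directly onto Windows Security audit events 4698 (scheduled task created) and 1102 (audit log cleared). The following is an added detection example, not part of the ATT&CK Evaluations scenario: it looks for the same task name appearing across multiple hosts in a short span, and for a log clear following a task creation on the same host. The event layout, the task name, the dc01 and build01 hostnames and all timestamps are constructed for the illustration; only arrakis and gammu come from the scenario.

```python
"""Flag NotPetya-like scheduled-task spread and log clearing from Windows
Security events. Added example; sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs (assumption: auditing for object/task
# creation and log management is enabled so these are emitted).
TASK_CREATED = 4698   # A scheduled task was created
LOG_CLEARED = 1102    # The audit log was cleared

# Constructed sample events; 'task' is only present on 4698 records.
SAMPLE_EVENTS = [
    {"time": "2020-01-01T10:00:00", "host": "arrakis", "id": TASK_CREATED, "task": "\\example-reboot"},
    {"time": "2020-01-01T10:03:00", "host": "gammu", "id": TASK_CREATED, "task": "\\example-reboot"},
    {"time": "2020-01-01T10:04:00", "host": "dc01", "id": TASK_CREATED, "task": "\\example-reboot"},
    {"time": "2020-01-01T10:40:00", "host": "arrakis", "id": LOG_CLEARED},
    {"time": "2020-01-01T10:41:00", "host": "gammu", "id": LOG_CLEARED},
    # Benign: a patching task created on a single host, logs left intact.
    {"time": "2020-01-01T11:00:00", "host": "build01", "id": TASK_CREATED, "task": "\\example-patch"},
]


def parse_time(s):
    return datetime.fromisoformat(s)


def task_spread(events, min_hosts=2, span=timedelta(minutes=30)):
    """Task names created on at least `min_hosts` distinct hosts within
    `span`: one payload registering itself as it moves laterally."""
    by_task = defaultdict(list)
    for e in events:
        if e["id"] == TASK_CREATED:
            by_task[e["task"]].append((parse_time(e["time"]), e["host"]))
    spreading = {}
    for task, seen in by_task.items():
        seen.sort()
        hosts = {h for _, h in seen}
        if len(hosts) >= min_hosts and seen[-1][0] - seen[0][0] <= span:
            spreading[task] = sorted(hosts)
    return spreading


def task_then_log_clear(events, within=timedelta(hours=1)):
    """Hosts where a 1102 follows a 4698 within `within`: the task was
    staged, then the trail was wiped before the reboot fired."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((parse_time(e["time"]), e["id"]))
    flagged = []
    for host, evs in by_host.items():
        evs.sort()
        last_task = None
        for t, eid in evs:
            if eid == TASK_CREATED:
                last_task = t
            elif eid == LOG_CLEARED and last_task is not None and t - last_task <= within:
                flagged.append(host)
                break
    return sorted(flagged)


def score(events):
    """Combine both signals into a single verdict for the event batch."""
    spread = task_spread(events)
    cleared = task_then_log_clear(events)
    if spread and cleared:
        severity = "high"
    elif spread or cleared:
        severity = "medium"
    else:
        severity = "none"
    return {"spreading_tasks": spread,
            "hosts_with_log_clear_after_task": cleared,
            "severity": severity}


if __name__ == "__main__":
    print(score(SAMPLE_EVENTS))
```

Because 1102 is itself the last record before the Security log is emptied, it only survives if events are forwarded off-host as they occur; the cross-host task-name correlation is the signal that still works when a cleared host's local history is gone.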
# Scenario Steps
👣 Step numbering starts at 11 to follow the emulation procedures.
# Infrastructure Diagram