Based on open-source intelligence, the ATT&CK ® Evaluations team created the below scenario leveraging techniques seen from Wizard Spider in the wild. We have adapted the scenario based on tools and resources available at the time. Below is a diagram, scenario overview, step-by-step breakdown, and an infrastructure diagram.

Software Flow Diagram
Software Flow Diagram

# Emulation Scenario

📖 This scenario follows Wizard Spider's multi-phase approach to conducting ransomware operations. Wizard Spider uses the initial access provided through Emotet to deploy their TrickBot malware to gain access to the Domain Controllers. Once access is obtained to the Domain controllers, the Ryuk ransomware is deployed. Characteristics of this campaign include an accelerated timeline, sloppy code, and focus for obtaining control over the Domain Controllers as fast as possible in order to deploy Ryuk.

Phase 1 Wizard Spider uses a phishing campaign to send a malicious document with embedded macros document that the initial access victim, Dorothy, downloads and enables. The macros download and execute Emotet, deploys multiple download links to ensure delivery, and establishes C2 over port 8080. Emotet gains persistence by modifying a registry key and downloads an Outlook scraper to collect Outlook contacts message threads and credentials. Emotet laterally moves via RDP using the credentials, and downloads Trickbot.

Phase 2 TrickBot communicates back to the C2 server over HTTP, and Wizard Spider performs extensive network and system discovery. Wizard Spider conducts privilege escalation with kerberosting using Rubeus. Domain controller access is obtained by RDP’ing using harvested credentials, and ensuring persistence with a registry key that executes TrickBot with user sign-in. Wizard Spider uses AdFind to map active directory for network reconnaissance.

Phase 3 Using RDP connections to the compromised Domain Controller and wbadmin msc console, Wizard Spider uses a batch script to stop and kill all backup services and processes.  Once completed, Ryuk is executed throughout the environment, starting with the backup servers. Ryuk executes automated privilege elevation and defense evasion, and encrypts files recursively.

# Scenario Steps

👣 Steps start at 01 to follow emulation procedures

Steps User Story Software Reporting
Phase 1 : Step 1
(T1204.002)
(T1059.005)​
(T1105)​
(T1059.003)​
(T1027​)
(T1047)​
(T1105)​
(T1218.011)​
(T1071.001)​
(T1573.001)​
Dorothy inadvertently activates a weaponized Emotet Microsoft Office document masquerading as a benign Word document attached to a phishing email. After enabling the macros in Word, the VBscript embedded in the document generates a PowerShell script using the Document_Open() event. The PowerShell script downloads the initial DLL binary as a loader invoked with base64 encoded data, and multiple download links are used to ensure that the initial loader is delivered. The malicious DLL establishes a C2 session with the adversary control server over port 8080.
Analyst Note: the document is pre-positioned in the environment. We do not emulate sending the document to target, as our focus is evaluating their product against post-initial-access TTPs.
Emotet https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf
https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html
https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
https://blog.talosintelligence.com/2019/01/return-of-emotet.html
Phase 1: Step 2
(T1547.001)​
Emotet takes steps to gain persistence in the victim environment by modifying a registry key using the RegSetValueExA WinAPI function. Emotet https://www.cynet.com/attack-techniques-hands-on/emotet-vs-trump-deep-dive-analysis-of-a-killer-info-stealer/
https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
https://www.us-cert.gov/ncas/alerts/TA18-201A
https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html
Phase 1 : Step 3
(T1082)​
(T1057)​
(T1105)
(T1552)
(T1114.001)
Enumerating local processes, Emotet also uses WinAPI functions and downloads an Outlook scraper DLL from C2. Executing the Outlook scraper in process memory, PowerShell is used to collect emails and contacts from the client, including credentials from another user, bill@oz.local. https://unit42.paloaltonetworks.com/emotet-command-and-control/
https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.88_ENG.pdf
https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/
Phase 2: Step 4
(T1021.001)
(T1078.002)
(T1105)
(T1071.001)
(T1571)
Leveraging Bill’s credentials located during the email scraping, Emotet RDPs into the Toto host. Wizard Spider then downloads and executes TrickBot to the Toto host using an RDP-mounted network share. The TrickBot agent communicates back to the C2 server over HTTP. TrickBot https://attack.mitre.org/groups/G0102/
https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/
Phase 2: Step 5
(T1082)​
(T1007)
(T1087.001)
(T1087.002)
(T1016)
(T1049)
(T1082)
(T1482)
(T1069)
The adversary leverages TrickBot for extensive system and network discovery, collecting relevant information from the victim machine. TrickBot https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf
https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre
https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/
https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
Phase 2: Step 6
(T1105)​
(T1558.003)​
Wizard Spider escalates privileges with kerberoasting, using the public Kerberos abuse tool, Rubeus. They next collect encrypted credentials for the domain admin, vFleming, and decrypt the users credentials offline. 
Analyst Note: offline cracking isn't performed due to time constraints; its also not in scope for the evaluation, so we skip the behavior.
Rubeus https://us-cert.cisa.gov/ncas/alerts/aa20-302a
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
https://thedfirreport.com/2020/10/08/ryuks-return/
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
Phase 2: Step 7
(T1021.001)​
(T1078.002)​
(T1105)​
(T1547.004)​
(T1069.002)
Using the vfleming user, the adversary RDP’s into the domain controller and downloads a variant of TrickBot using the PowerShell Invoke-WebRequest command. To ensure persistence, Wizard Spider installs a registry key to execute Trickbot when vflemming logs in. Leveraging the AdFind utility for reconnaissance, the adversary enumerates the domain, mapping the network. TrickBot
AdFind
https://us-cert.cisa.gov/ncas/alerts/aa21-076a#:~:text=TrickBot%20uses%20HTTPS%20to%20communicate,logic%20and%20various%20configuration%20files.&text=TrickBot%20downloads%20several%20additional%20files%20and%20saves%20them%20to%20the%20victim
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
Phase 2: Step 8
(T1003.003)​
(T1003.002)​
Employing vssadmin, the adversary copies the active directory database as a volume shadow copy, ntds.dit, and exfiltrates the shadow copy using an RDP-mounted network share. https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
Phase 3: Step 9
(T1105)​
(T1489)​
(T1222.001)​
(T1105)​
(T1490)​
Wizard Spider prepares the environment to deploy Ryuk ransomware, mounting the C$ share of the Toto Host. The adversary uploads two files that stop specific services for system residency and deletes backups and shadow copies to inhibit system recovery. Ryuk https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
Phase 3: Step 10
(T1105)​
(T1134)​
(T1057)​
(T1055.002)​
(T1082)​
(T1083)​
(T1486)​
Using the previously established RDP-network mounted shared, Ryuk is uploaded to the domain controller and executed from CMD. Ryuk escalates privileges, injects into notepad.exe process space and encrypts files on its current host recursively, using a combination of AES and RSA encryption.
Analyst Note: early versions of our Ryuk emulation encrypted the entire filesystem; however, this proces took hours, rather than minutes, so we scaled it back due to time constraints.
Ryuk https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/

# Infrastructure Diagram

Infrastructure Diagram
Infrastructure Diagram