Based on open-source intelligence, the ATT&CK® Evaluations team created the scenario below, leveraging techniques seen from Wizard Spider in the wild. We have adapted the scenario based on the tools and resources available at the time. Below is a diagram,
# Emulation Scenario
📖 This scenario follows Wizard Spider's multi-phase approach to conducting ransomware operations. Wizard Spider uses the initial access provided through Emotet to deploy their TrickBot malware and gain access to the Domain Controllers. Once access to the Domain Controllers is obtained, the Ryuk ransomware is deployed. Characteristics of this campaign include an accelerated timeline, sloppy code, and a focus on obtaining control over the Domain Controllers as fast as possible in order to deploy Ryuk.
Phase 1: Wizard Spider uses a phishing campaign to send a malicious document with embedded macros, which the initial access victim, Dorothy, downloads and enables. The macros download and execute Emotet, using multiple download links to ensure delivery, and establish C2 over port 8080. Emotet gains persistence by modifying a registry key and downloads an Outlook scraper to collect Outlook contacts, message threads, and credentials. Emotet moves laterally via RDP using the harvested credentials and downloads TrickBot.
Phase 2: TrickBot communicates back to the C2 server over HTTP, and Wizard Spider performs extensive network and system discovery. Wizard Spider conducts privilege escalation with Kerberoasting using Rubeus. Domain Controller access is obtained via RDP using harvested credentials, and persistence is ensured with a registry key that executes TrickBot at user sign-in. Wizard Spider uses AdFind to map Active Directory for network reconnaissance.
Phase 3: Using RDP connections to the compromised Domain Controller and the wbadmin msc console, Wizard Spider uses a batch script to stop and kill all backup services and processes. Once completed, Ryuk is executed throughout the environment, starting with the backup servers. Ryuk performs automated privilege elevation and defense evasion, and encrypts files recursively.
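The Kerberoasting step in Phase 2 leaves a recognisable footprint on the Domain Controller: a single user account requesting RC4-HMAC service tickets (Event ID 4769, Ticket Encryption Type 0x17) for many distinct SPNs in a short burst. The detection heuristic below is an added example written for this page, not ATT&CK Evaluations material; the 4769-like records, account names, SPNs and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket Encryption Type value that Event ID 4769 reports for RC4-HMAC tickets.
RC4_HMAC = "0x17"

# Constructed 4769-like records (not real telemetry): dorothy bursts RC4 ticket
# requests for several SPNs, bob requests one AES ticket, WS01$ is a computer account.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T10:00:01", "account": "dorothy", "service": "MSSQLSvc/sql01.corp.local:1433", "etype": "0x17", "status": "0x0"},
    {"time": "2021-03-01T10:00:02", "account": "dorothy", "service": "HTTP/web01.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2021-03-01T10:00:02", "account": "dorothy", "service": "exchangeMDB/mail01.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2021-03-01T10:00:04", "account": "dorothy", "service": "MSSQLSvc/sql02.corp.local:1433", "etype": "0x17", "status": "0x0"},
    {"time": "2021-03-01T10:01:00", "account": "bob", "service": "HTTP/web01.corp.local", "etype": "0x12", "status": "0x0"},
    {"time": "2021-03-01T10:02:00", "account": "WS01$", "service": "host/dc01.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2021-03-01T10:02:01", "account": "WS01$", "service": "cifs/file01.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2021-03-01T10:02:02", "account": "WS01$", "service": "ldap/dc01.corp.local", "etype": "0x17", "status": "0x0"},
    {"time": "2021-03-01T10:30:00", "account": "dorothy", "service": "HTTP/web02.corp.local", "etype": "0x17", "status": "0x0"},
]


def detect_kerberoasting(events, min_spns=3, window=timedelta(minutes=5)):
    """Return {account: sorted SPNs} for user accounts that successfully requested
    RC4-HMAC service tickets for at least `min_spns` distinct SPNs within `window`.
    Computer accounts (names ending in '$') and krbtgt tickets are skipped as noise.
    The thresholds are assumptions to tune against an environment's baseline."""
    per_account = defaultdict(list)
    for e in events:
        if e["etype"].lower() != RC4_HMAC or e["status"] != "0x0":
            continue
        if e["account"].endswith("$") or e["service"].lower().startswith("krbtgt"):
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))

    hits = {}
    for account, requests in per_account.items():
        requests.sort()
        # Slide a window starting at each request; flag on the first burst that qualifies.
        for i, (start, _) in enumerate(requests):
            spns = {svc for ts, svc in requests[i:] if ts - start <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} RC4 SPNs -> {spns}")
```

On the constructed records only dorothy is flagged (four SPNs in four seconds); the later single request at 10:30 falls outside the window, and the computer account is filtered out.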
# Scenario Steps
👣 Steps are numbered from 01 and follow the emulation procedures in order.
# Infrastructure Diagram