We aim to capture the general structure of the infrastructure that Wizard Spider is reported to have used. Scenarios 1 and 2 share the same infrastructure; however, Scenario 1 was built to exercise detective-only security controls, and thus protective security controls are to be disabled to complete the evaluation. Scenario 2 was built to exercise protective security controls, which may be enabled while completing the evaluation.
The requirements described herein should be considered a bare minimum to execute the scenario. If you have the time and resources to remain true-to-form, you may elect to stand up multiple instances of each of these servers, use non-contiguous IP space, etc. If you are not concerned with emulating Wizard Spider to this degree, this level of effort is not necessary. You could, for instance, phish, serve payloads, and exfiltrate to and from the same server.
Please note that the binary executable files hosted in Resources have been added to password-protected zip files. The password for these files is "malware". We provide a script to automatically decrypt these files:

```shell
cd wizard_spider
python3 Resources/utilities/crypt_executables.py -i ./ -p malware --decrypt
```
Note that there is no change of infrastructure between Scenario 1 and Scenario 2.
- Linux Attack Platform: tested and executed on Kali Linux 2019.1
This methodology assumes the following static IP address configurations:

| Red Team System | IP Address |
|---|---|
| Linux Attack Platform | 192.168.0.4 |

- This evaluation utilizes a combination of modified open-source and custom utilities that are representative of Ryuk ransomware.
- These utilities include credential dumpers, variants of process injection techniques, and file encryption.
- Some pre-compiled payloads are available in the Resources directory; however, they are configured to connect back to the static IP address 192.168.0.4.
- Download the wizard_spider repository to the home directory
3 targets, all domain joined:

- Domain Controller: tested and executed on Windows Server 2019 - Build 17763.
- User machine 1: tested and executed on Windows 10 - Build 19042.
- User machine 2: tested and executed on Windows 10 - Build 19042.
| Target System | Hostname | IP Address |
|---|---|---|
| Domain Controller | wizard | 10.0.0.4 |
| User machine 1 | dorothy | 10.0.0.7 |
| User machine 2 | Toto | 10.0.0.8 |
RDP into the domain controller:

```shell
xfreerdp +clipboard /u:oz\\vfleming /p:"q27VYN8xflPcYumbLMit" /v:10.0.0.4 /drive:X,wizard_spider/Resources/setup
```
Open Windows Defender and toggle every setting to the off position. Also go to App & browser control and turn off SmartScreen.
Open PowerShell, being sure to select "Run as Administrator":

```powershell
cd \\TSCLIENT\X
Set-ExecutionPolicy Bypass -Force
.\install_adfind.ps1
.\install_firefox.ps1
.\create_domain_users.ps1
.\give_rdp_permissions.ps1
.\setup_spn.ps1
.\enable-winrm.ps1
.\disable-defender.ps1
.\file_generator\generate-files.exe -d "C:\Users\Public\" -c 100 --seed "EVALS" --noprompt
.\file_generator\generate-files.exe -d "C:\Users\" -c 50 --seed "EVALS" --noprompt
```
Next we need to download the Microsoft Visual C++ Redistributable. Open Firefox and close or decline all spurious prompts.

Go to the following page:

Download and install the 32-bit and 64-bit versions.

Reboot the domain controller:

```powershell
Restart-Computer -Force
```
RDP into Dorothy:

```shell
xfreerdp +clipboard /u:oz\\vfleming /p:"q27VYN8xflPcYumbLMit" /v:10.0.0.7 /drive:X,wizard_spider/Resources/setup
```

- Open Windows Defender and toggle every setting to the off position.
- Configure Outlook and Office (see the local-testing steps below).
- Open PowerShell, being sure to select "Run as Administrator":

```powershell
cd \\TSCLIENT\X
Set-ExecutionPolicy Bypass -Force
.\give_rdp_permissions.ps1
.\enable-winrm.ps1
.\disable-defender.ps1
.\file_generator\generate-files.exe -d "C:\Users\Public\" -c 100 --seed "EVALS" --noprompt
.\file_generator\generate-files.exe -d "C:\Users\" -c 50 --seed "EVALS" --noprompt
```
For local testing:

```powershell
.\install_msoffice.ps1
```

Open Word and Outlook; suppress all spurious prompts. Close Word and Outlook.

```powershell
.\setup_outlook.ps1
```
Next we need to download the Microsoft Visual C++ Redistributable. Open Edge and close or decline all spurious prompts.

Go to this page:

Download and install the 32-bit and 64-bit versions.

Reboot the workstation:

```powershell
Restart-Computer -Force
```
Log back into Dorothy as user judy:

```shell
xfreerdp +clipboard /u:oz\\judy /p:"Passw0rd!" /v:10.0.0.7
```

Open an Administrator cmd.exe and run these commands to take ownership of a privileged directory and grant judy full control of its contents:

```bat
takeown /f "C:\Windows\*" /r /d y
icacls "C:\Windows\*" /grant judy:(OI)(CI)F /T
```
Sign out of the RDP session.

RDP into Toto:

```shell
xfreerdp +clipboard /u:oz\\vfleming /p:"q27VYN8xflPcYumbLMit" /v:10.0.0.8 /drive:X,wizard_spider/Resources/setup
```

- Open Windows Defender and toggle every setting to the off position.
- Open PowerShell, being sure to select "Run as Administrator":

```powershell
cd \\TSCLIENT\X
Set-ExecutionPolicy Bypass -Force
.\give_rdp_permissions.ps1
.\enable-winrm.ps1
.\disable-defender.ps1
.\file_generator\generate-files.exe -d "C:\Users\Public\" -c 100 --seed "EVALS" --noprompt
.\file_generator\generate-files.exe -d "C:\Users\" -c 50 --seed "EVALS" --noprompt
```

Reboot the workstation:

```powershell
Restart-Computer -Force
```
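Before running the scenario it is worth confirming that each host ended up in the state the steps above (the domain controller steps and the two workstation steps) are meant to produce, since a single step that silently failed, or Defender re-enabling itself, will skew the evaluation. The script below is an added example written for this page; it is not part of the emulation plan or of the Resources/setup scripts. It is read-only: run it in an elevated PowerShell on each target after finishing that host's steps and it reports PASS or FAIL per expectation for the Scenario 1 configuration (Defender and SmartScreen off, WinRM on, generated files present, the VC++ runtimes installed, and on the domain controller the domain users, SPN and AdFind; on Dorothy, judy's full control beneath C:\Windows). The following are assumptions, not facts stated on this page: `generate-files.exe -c` is a file count, `install_adfind.ps1` leaves `AdFind.exe` on the PATH, `setup_spn.ps1` registers an SPN on at least one user account, the redistributable is the 14.x (2015-2022) line, and the ActiveDirectory module is available on the domain controller.

```powershell
# Added lab-readiness check; not part of the emulation plan or its Resources/setup scripts.
# Run in an elevated PowerShell on each target after the steps above. Read-only: it reports
# PASS/FAIL per expectation and changes nothing. Host-specific checks key off the hostname.
#
# Assumptions (not stated on this page): generate-files.exe -c is a file count; AdFind.exe ends
# up on PATH after install_adfind.ps1; setup_spn.ps1 registers an SPN on at least one user
# account; the VC++ redistributable is the 14.x (2015-2022) line; the ActiveDirectory module
# is present on the domain controller.

$results = [System.Collections.Generic.List[object]]::new()

# Runs a test scriptblock and records PASS (truthy result) or FAIL (falsy result or exception).
function Check([string]$Name, [scriptblock]$Test) {
    try { $ok = [bool](& $Test) } catch { $ok = $false }
    $results.Add([pscustomobject]@{ Check = $Name; Result = $(if ($ok) { 'PASS' } else { 'FAIL' }) })
}

$hostName = $env:COMPUTERNAME.ToLower()

# --- Every target: Defender off (Scenario 1), WinRM on, execution policy, generated files ---
Check 'Defender real-time protection reported off'   { -not (Get-MpComputerStatus).RealTimeProtectionEnabled }
Check 'Defender real-time monitoring disabled'        { (Get-MpPreference).DisableRealtimeMonitoring }
Check 'Tamper Protection off (else Defender re-arms)' { -not (Get-MpComputerStatus).IsTamperProtected }
Check 'WinRM service running (enable-winrm.ps1)'      { (Get-Service -Name WinRM).Status -eq 'Running' }
Check 'WinRM listener answers on localhost'           { Test-WSMan -ComputerName localhost -ErrorAction Stop }
Check 'Execution policy is Bypass'                    { (Get-ExecutionPolicy) -eq 'Bypass' }
Check 'generate-files.exe seeded C:\Users\Public (>= 100 files)' {
    (Get-ChildItem -Path 'C:\Users\Public' -File -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count -ge 100
}

# --- Every target: the 32- and 64-bit VC++ redistributables (either registry view counts) ---
foreach ($arch in 'x86', 'x64') {
    Check "VC++ 14.x runtime installed ($arch)" {
        $keys = "HKLM:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\$arch",
                "HKLM:\SOFTWARE\WOW6432Node\Microsoft\VisualStudio\14.0\VC\Runtimes\$arch"
        $keys | Where-Object { (Test-Path $_) -and ((Get-ItemProperty -Path $_).Installed -eq 1) }
    }
}

# --- Domain controller only: AD users, SPN, AdFind, SmartScreen ---
if ($hostName -eq 'wizard') {
    Check 'ActiveDirectory module loads'                      { Import-Module ActiveDirectory -PassThru -ErrorAction Stop }
    Check 'Domain user judy exists (create_domain_users.ps1)' { Get-ADUser -Identity judy -ErrorAction Stop }
    Check 'A non-krbtgt user carries an SPN (setup_spn.ps1)'  {
        # krbtgt always has an SPN, so it must be excluded for this check to mean anything.
        Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
            Where-Object SamAccountName -ne 'krbtgt'
    }
    Check 'AdFind.exe resolvable on PATH (install_adfind.ps1)' { Get-Command AdFind.exe -ErrorAction Stop }
    Check 'SmartScreen for apps and files set to Off' {
        (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer').SmartScreenEnabled -eq 'Off'
    }
}

# --- Dorothy only: the takeown/icacls step gives judy full control beneath C:\Windows ---
if ($hostName -eq 'dorothy') {
    Check 'judy holds FullControl on C:\Windows\System32' {
        $full = [System.Security.AccessControl.FileSystemRights]::FullControl
        (Get-Acl -Path 'C:\Windows\System32').Access | Where-Object {
            $_.IdentityReference.Value -like '*\judy' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $full) -eq $full)
        }
    }
}

$results | Format-Table -AutoSize
if ($results.Result -contains 'FAIL') {
    Write-Warning "${hostName}: some steps are not in the expected state; revisit the steps above before running the scenario."
}
```

Run it once per host; a FAIL on the Defender or Tamper Protection lines is the usual finding, because Defender can re-enable real-time protection after a reboot when Tamper Protection was left on, which is why both the script-driven and manual toggles appear in the steps above.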
A network diagram is available here that displays the domains and infrastructure that were used to support the setup and execution of the emulation plan.