Every year, a number of security solution providers – including Sophos – take part in MITRE's ATT&CK Evaluations: Enterprise, a full-scale cyber attack emulation covering multiple scenarios based on real-world threat actors and their tactics, techniques, and procedures (TTPs).
The evaluation is designed to provide a realistic (and transparent – the results are publicly available) appraisal of how security solutions perform, based on end-to-end attack chains which include initial access, persistence, lateral movement, and impact. Emulations typically include a multi-device 'customer' environment, complete with endpoints, servers, domain-joined devices, and Active Directory-managed users.
2024 marked the fourth year of Sophos participating, and to mark the occasion we wanted to offer some insight into what this year's evaluation entailed, and to show how true to life it really is. Specifically, we'll dive into the realism of the tooling, nuances in the testing methodology, and Sophos' protection and detection capabilities. While we can't cover everything (each scenario has 20-40 steps!), we'll discuss a range, highlighting the depth and accuracy of the emulations.
For the 2024 evaluation, MITRE selected two threat categories: Ransomware and the Democratic People's Republic of Korea (DPRK). The former, as has been the case for a long time, is one of the biggest cyber security threats in the industry, and continues to evolve (for example, the rise in remote encryption). The latter is also very relevant, given the proliferation of state-sponsored espionage attacks associated with the region.
MITRE built three scenarios around these categories: an attack by a DPRK-affiliated threat actor focused on macOS (following threat actors targeting macOS in several campaigns, a trend that seems set to continue), and attacks by affiliates of two ransomware groups (Cl0p and LockBit).
DPRK
The DPRK scenario was simple but realistic, based on the flow of the JumpCloud supply chain compromise: an attacker compromises a device, establishes a persistent agent, and steals credentials. Threat actors affiliated with the DPRK are known to break their attacks into discrete stages and maintain backdoors for launching future attacks.
Initial access
While the evaluation presumes a supply chain attack, the scenario itself involved a user downloading and executing a malicious Ruby script (our analysis showed a user execution path of Ruby). In a real-world supply chain attack, pre-installed software would most likely execute the script automatically. However, this is still a plausible and meaningful approach – DPRK-affiliated attackers will use social engineering to convince users to run a script, as recent incidents show.
Just as in the JumpCloud attack, MITRE's Ruby script (called start.rb, thematically similar to the name of the real script: init.rb) downloads and executes a first-stage C2 agent (a Mach-O binary), masquerading as a docker-related component. It's worth noting that reverse-engineering genuine JumpCloud samples isn't possible; to our knowledge, the real-world samples are not publicly available. As with all MITRE ATT&CK Evaluations, the malware used was custom-built for the evaluation.
Persistence
The first-stage C2 agent then downloaded a second-stage backdoor (known as 'STRATOFEAR' in the real-world JumpCloud attack), which established persistence in much the same way as the genuine article, via LaunchDaemons (/Library/LaunchDaemons/us.zoom.ZoomHelperTool.plist).
Figure 1: Establishing persistence via ZoomHelperTool.plist
As with the Ruby script in the Initial Access phase, MITRE designed the backdoor to closely emulate the real thing. The backdoor was dropped in the same location (/Library/Fonts), and had a very similar name (the real version was named ArialUnicode.ttf.md5, while the evaluation version was pingfang.ttf.md5; both 'Arial' and 'pingfang' are names of genuine fonts).
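One practical check falls straight out of this: a LaunchDaemon whose program lives in /Library/Fonts, or whose 'executable' carries a font or checksum extension, should never pass triage. The following Python is an added example (not code from this article, from MITRE, or from the evaluation) that parses a LaunchDaemon plist with the standard plistlib module and flags those traits. The plist body is constructed here from the label and path quoted above; the lists of suspicious directories and data-file extensions are assumptions a hunter would tune to their fleet.

```python
import plistlib
import posixpath

# Constructed sample LaunchDaemon. The label and program path are the ones quoted above;
# the rest of the plist body is an assumption, since the original file is not reproduced.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>us.zoom.ZoomHelperTool</string>
  <key>ProgramArguments</key><array><string>/Library/Fonts/pingfang.ttf.md5</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>
"""

# Directories from which a daemon's executable is never expected to run (assumed list).
SUSPICIOUS_DIRS = ("/Library/Fonts", "/tmp", "/private/tmp", "/var/tmp", "/Users/Shared")
# Extensions that denote data files rather than Mach-O executables (assumed list).
DATA_EXTENSIONS = (".ttf", ".otf", ".md5", ".plist", ".txt", ".log")


def executable_path(plist):
    """Return the program launchd would execute: Program wins, else ProgramArguments[0]."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def vendor_token(label):
    """'us.zoom.ZoomHelperTool' -> 'zoom': the vendor component of a reverse-DNS label."""
    parts = label.lower().split(".")
    return parts[1] if len(parts) >= 3 else None


def triage_launch_daemon(data):
    """Return a list of (severity, reason) findings for one LaunchDaemon plist."""
    plist = plistlib.loads(data)
    findings = []
    program = executable_path(plist)
    label = plist.get("Label", "")
    if not program:
        return [("medium", "no Program or ProgramArguments")]
    if any(program == d or program.startswith(d + "/") for d in SUSPICIOUS_DIRS):
        findings.append(("high", f"program lives in an unexpected directory: {program}"))
    name = posixpath.basename(program)
    if name.lower().endswith(DATA_EXTENSIONS):
        findings.append(("high", f"program has a data-file extension: {name}"))
    token = vendor_token(label)
    if token and token not in program.lower():
        # A label that borrows a vendor name while the binary sits nowhere near that vendor's
        # files is a hint, not a verdict; legitimate helpers sometimes do this too.
        findings.append(("medium", f"label claims vendor '{token}' but program path does not mention it"))
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        findings.append(("low", "RunAtLoad + KeepAlive: relaunched automatically if killed"))
    return findings
```

On a real host the same function would be run over every file in /Library/LaunchDaemons and /Library/LaunchAgents (and the per-user LaunchAgents folders); the point of the us.zoom label is to hide among genuine Zoom items, which is why the path and extension checks, not the label, carry the weight here.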
As in the real JumpCloud attack, the 'threat actor' was stealthy and evasive, removing the first-stage implant files from the system very quickly. In the emulation, they achieved this with an rm -f
Like the genuine STRATOFEAR, the MITRE backdoor used encrypted configuration files, with a shell-out openssl enc -d command and a hardcoded password. Again, using a direct API-based method would be stealthier, but we don't know whether the JumpCloud threat actor took that approach.
A quick note on test safety: for its C2 infrastructure, MITRE uses domains that work within the confines of the test environment, but are not publicly resolvable via DNS. However, they do resolve to public IP addresses. This means that the network traffic looks like genuine C2 activity, but the domains are not reachable outside the test environment.
Impact
As in the JumpCloud attack, the threat actor's goal is to collect data, including system information, credentials, and sensitive information held in the Keychain. MITRE's STRATOFEAR backdoor was faithful to the original, in that it downloaded and executed additional modules from the C2 server to carry out the theft. Like the modules downloaded by the real STRATOFEAR, these were written to a .tmp file in the /tmp directory, each named with a string of six random alphanumeric characters.
In the evaluation, MITRE's STRATOFEAR downloaded /private/tmp/rhkA2f.tmp, a module with the ability to read macOS keychain files.
Figure 2: The ExecuteModule function in MITRE's STRATOFEAR sample, using dlopen/dlsym to call an 'Initialize' function
This scenario ended with the backdoor collecting the data; the evaluation didn't involve any actual exfiltration. While some might call this out as an issue with the methodology – credentials are often only useful if exfiltrated – we would argue that it's a minor one. If you, as an incident responder, can observe credential theft, you will be aware of the potential impact and the associated malicious activity.
Cl0p
The second scenario involved an emulation of an attack by the Cl0p ransomware group (also known as TA505), a prolific threat actor. Here, the flow of the attack closely mimicked – for the most part – that of a 2019 incident, involving a downloader, a persistent RAT, sophisticated process injection, and abuse of a trusted process, ultimately leading to a ransomware payload.
Initial access
While much of the scenario was faithful to the 2019 real-world campaign, the initial access stage was slightly different. As in 2019, the threat actor used a DLL to install a persistent RAT. But while the real-world attack involved malicious Office documents containing an embedded DLL, which was loaded dynamically into the Office process, the MITRE scenario involved a user interactively running cmd.exe and executing the DLL via rundll32.exe.
This DLL was already present on the host, having been downloaded via a curl command from a separate interactive cmd.exe (this step was not included in the scenario) following initial access over RDP. It's worth noting that this method of initial access is very common among ransomware groups and other threat actors, particularly when purchasing stolen credentials/access via initial access brokers (IABs). In one very prominent case, however, Cl0p also abused a zero-day vulnerability in the MOVEit file transfer application (CVE-2023-34362).
While it's very plausible that an attacker would gain direct remote access to the compromised host, the scenario could perhaps have included the ingress of the DLL tooling for a more complete emulation.
Persistence
As in the 2019 campaign, the MITRE 'threat actor' loaded the persistent RAT SDBbot by compromising the trusted winlogon.exe process, using Image File Execution Options (IFEO) injection with a 'VerifierDlls' value.
SDBbot uses encrypted strings and a mutex to guard its start-up. As in the DPRK scenario, the MITRE sample used a similar-but-different name for the mutex ('windows_7_windows_10_check_running_once_mutex' in the real-world attack, 'win10x64_check_running_once' for the evaluation).
Figure 3: Disassembly of MITRE's SDBbot sample. Note the mutex name and the decryption function
In MITRE's implementation of SDBbot, the key material is the same 16 bytes, incrementing from 0 to 15, repeated. This is nowhere near as strong as a genuinely random 128-bit key, but it's sufficient to obfuscate the strings used to reference API names and data fields beyond trivial static analysis methods. MITRE used this method of string obfuscation throughout the Cl0p scenario, as well as in the LockBit scenario discussed below.
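To make the obfuscation concrete, the following Python is an added example (not MITRE's or Sophos' code) of a repeating 00..0F XOR key of the kind described above, together with the two things an analyst actually does with it: recover the key from a known plaintext such as an API name, and sweep a string table to pull out every obfuscated string in one pass. The NUL-separated table layout and the sample API names are assumptions made for the example, not a description of the sample's real layout.

```python
KEY_LEN = 16  # the key is 00 01 02 ... 0F repeated, so key[i] == i % 16


def counter_xor(data: bytes, key_len: int = KEY_LEN) -> bytes:
    """XOR each byte with its offset modulo key_len. It is an involution: applying it
    twice returns the input, so the same routine obfuscates and deobfuscates.
    Because key[0] is 0x00, the first byte of every string is stored in the clear, and
    any zero byte in the plaintext at offset i encrypts to i % 16, leaking the key itself."""
    return bytes(b ^ (i % key_len) for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Recover the repeating key from a known plaintext (e.g. an API name you expect to be
    present). Only as many key bytes as known plaintext bytes are recovered, capped at one period."""
    n = min(len(ciphertext), len(known_plaintext), KEY_LEN)
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


def scan_blob(blob: bytes, min_len: int = 6) -> list:
    """Decode a NUL-separated table of independently obfuscated strings (the key restarts at
    offset 0 for each entry) and keep those that decode to printable ASCII. The table layout
    is an assumption made for this example."""
    found = []
    for chunk in blob.split(b"\x00"):
        if len(chunk) < min_len:
            continue
        plain = counter_xor(chunk)
        if all(0x20 <= b < 0x7F for b in plain):
            found.append(plain.decode("ascii"))
    return found


# Constructed string table: three API names obfuscated with the counter key and NUL-terminated.
SAMPLE_BLOB = b"".join(
    counter_xor(name) + b"\x00" for name in (b"GetProcAddress", b"LoadLibraryA", b"VirtualProtect")
)
```

The scheme holds up against a strings-style first look and against YARA rules on cleartext API names, which is all it needs to do; anyone who opens the binary in a decompiler finds the decryption loop next to the mutex check (Figure 3) and has the whole table in minutes.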
MITRE's sample was loaded via a reflective loader, overwriting image memory in setupapi.dll. Because the RAT lives in standard 'image' memory, it's harder to detect than if it were in dynamically-allocated heap memory. This is a sophisticated injection method, designed to evade modern defenses. MITRE's approach presented another challenge when it came to detecting the installer (the rundll32 process) dropping the SDBbot loader component. The installer dropped the loader to a %TEMP% location, but created a symbolic link to that path in the Windows system folder, and the IFEO registry key was set up to point to the system folder path, thereby creating an additional layer of abstraction between the dropper and the persistent RAT.
Figure 4: The symbolic link for the msverload.dll loader
The use of the 'VerifierDlls' method added further complexity to the execution flow, because the loader (msverload.dll) was loaded into the winlogon.exe process space before the process's entry point ran. It then used VirtualAlloc to inject and execute embedded shellcode, and VirtualProtect to make the otherwise RX image memory of setupapi.dll writeable, before overwriting its contents with the SDBbot RAT. The memory permissions were later reset to RX, in order to make the code appear to be 'regular' image memory, as a DLL would appear when loaded directly from disk.
Figure 5: MITRE's SDBbot is loaded, and overwrites the module of the otherwise legitimate setupapi.dll IMAGE memory, with memory protections reset to PAGE_EXECUTE_READ
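The two indirections described above (a VerifierDlls entry that loads before the process entry point, plus a symbolic link that makes a %TEMP% file appear to live in the system directory) are both visible from registry and filesystem state, so they can be audited without any memory scanning. The Python below is an added example of that audit (not Sophos detection logic, and not code from the evaluation). It runs over a constructed snapshot of IFEO values and a constructed map of symbolic links; it assumes that bare VerifierDlls names are loaded from System32, and the msverload.dll to %TEMP% mapping is a sample built from the description above, not a recovered artefact.

```python
import ntpath

SYSTEM32 = r"C:\Windows\System32"
FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that makes the loader honour VerifierDlls

# Constructed registry snapshot: image name -> values under its IFEO subkey.
SAMPLE_IFEO = {
    "winlogon.exe": {"GlobalFlag": 0x100, "VerifierDlls": "msverload.dll"},
    "notepad.exe": {"Debugger": r"C:\Tools\windbg.exe"},
}

# Constructed filesystem view: path -> symlink target, or None for a regular file.
SAMPLE_FS = {
    ntpath.join(SYSTEM32, "msverload.dll"): r"C:\Users\alice\AppData\Local\Temp\msverload.dll",
    ntpath.join(SYSTEM32, "verifier.dll"): None,
}

# Processes where any verifier DLL at all deserves a second look (assumed list).
SENSITIVE_IMAGES = {"winlogon.exe", "lsass.exe", "services.exe", "csrss.exe", "explorer.exe"}


def resolve(path, fs, limit=8):
    """Follow reparse points through the filesystem view. Returns (final_path, hops)."""
    hops = []
    while path in fs and fs[path] is not None and len(hops) < limit:
        hops.append(path)
        path = fs[path]
    return path, hops


def audit_ifeo(ifeo, fs):
    """Return (severity, image, reason) findings for every VerifierDlls entry in the snapshot."""
    findings = []
    for image, values in ifeo.items():
        dlls = values.get("VerifierDlls")
        if not dlls:
            continue
        armed = bool(values.get("GlobalFlag", 0) & FLG_APPLICATION_VERIFIER)
        for dll in dlls.split():  # REG_SZ, space-separated list of DLL names
            # Bare names are assumed to load from System32; full paths are taken as written.
            path = dll if ntpath.isabs(dll) else ntpath.join(SYSTEM32, dll)
            final, hops = resolve(path, fs)
            in_sys32 = ntpath.normcase(ntpath.dirname(final)) == ntpath.normcase(SYSTEM32)
            if hops:
                findings.append(("high", image, f"{dll} is a symbolic link -> {final}"))
            elif not in_sys32:
                findings.append(("high", image, f"{dll} resolves outside System32: {final}"))
            elif image.lower() in SENSITIVE_IMAGES:
                findings.append(("medium", image, f"VerifierDlls set on a sensitive process: {dll}"))
            else:
                findings.append(("low", image, f"VerifierDlls present: {dll}"))
            if not armed:
                findings.append(("info", image, "GlobalFlag lacks 0x100; entry is dormant until set"))
    return findings
```

On a live Windows host the same inputs come from Get-ItemProperty on the Image File Execution Options subkeys and from the LinkType and Target properties that Get-Item reports for each file, so a PowerShell port of the loop is straightforward. The severity split is the point: a VerifierDlls entry on winlogon.exe is worth a look on its own, but one whose System32 path is a reparse point into a user-writable directory is the case that should page someone.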
Our detection strategy here involved several aspects: it's suspicious to see C2 activity originating from a winlogon process, and C2 activity in itself is a common memory scan trigger (as we discussed in a blog on this topic in 2023). Memory scans also detected a shellcode pattern. The suspicious C2 event enabled Sophos Detection to capture the data exfiltration behavior, and we noted that the exfiltration method – using SDBbot and sending data over the C2 channel – was adopted by Cl0p in 2020.
Figure 6: Detecting exfiltration during the Cl0p scenario
Impact
MITRE's implementation of the Cl0p ransomware sample (sysmonitor.exe, downloaded via SDBbot) was modelled very closely on a real-world sample from 2019. Just like the real thing, MITRE's sample used GetKeyboardLayout to check for layouts used in Russia, Georgia, and Azerbaijan (to avoid targeting any systems using them). It also employed an identical comparison for the GetDC/GetTextCharset APIs, used to achieve the same goal.
Figure 7: MITRE's Cl0p sample calling GetDC and GetTextCharset to check for infected hosts in Russia, Georgia, or Azerbaijan
We also noted other near-exact matches in behavior and methodology, particularly in how the ransomware handled shadow volumes and attempted to kill various services on compromised hosts.
Many ransomware families will attempt to delete shadow volumes, to prevent their targets from restoring data, and then resize the shadow storage, so that no further shadow volumes can be created. However, the 2019 Cl0p ransomware performed the latter step in a specific way, cycling through a hardcoded list of drives (from C to H). MITRE's sample emulated this behavior exactly.
Figure 8: MITRE's implementation of Cl0p cycling through various drives to resize the shadow storage
Moreover, like many ransomware variants, Cl0p ransomware iterates through a list of services – including security services and services that may hold key data to be encrypted – and attempts to terminate them via net stop.
MITRE's sample employed the same list used by the genuine Cl0p ransomware, in the same order – although it excluded security services, presumably to prevent any disruption to the test.
Figure 9: Sophos detection, showing the net stop commands used in MITRE's Cl0p sample
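The shadow-storage loop and the service-stop list are both loud in process-creation telemetry, and the combination coming from one parent process is a strong pre-encryption signal. The following Python is an added example (not Sophos' detection code) that scores constructed process-creation events: it looks for shadow copy deletion, for shadowstorage resizes spread across several drives, and for a run of net stop commands, all attributed to the same parent PID. The event format, PIDs and service names are constructed for the example and are not telemetry from the evaluation.

```python
import re
from collections import defaultdict

# Constructed process-creation events: "HH:MM:SS|pid|ppid|image|command line".
# Parent PID 3004 deletes shadow copies, walks the shadow storage of C: to H:, then stops services.
# PID 2200 stops a single service, which on its own should not alert.
SAMPLE_EVENTS = """\
12:00:01|4120|3004|C:\\Windows\\System32\\vssadmin.exe|vssadmin Delete Shadows /all /quiet
12:00:02|4124|3004|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
12:00:02|4126|3004|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
12:00:03|4128|3004|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
12:00:03|4130|3004|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
12:00:04|4132|3004|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
12:00:04|4134|3004|C:\\Windows\\System32\\vssadmin.exe|vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
12:00:05|4140|3004|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y
12:00:05|4142|3004|C:\\Windows\\System32\\net.exe|net stop SQLWriter /y
12:00:06|4144|3004|C:\\Windows\\System32\\net.exe|net stop "SQL Backups" /y
12:00:06|4146|3004|C:\\Windows\\System32\\net.exe|net stop MSExchangeIS /y
12:30:00|5000|2200|C:\\Windows\\System32\\net.exe|net stop Spooler
"""

DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)
RESIZE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\s+/for=([a-z]):", re.I)
NETSTOP_RE = re.compile(r"\bnet(?:1|\.exe)?\s+stop\s+(\"[^\"]+\"|\S+)", re.I)


def parse_events(text):
    """Yield one dict per non-empty line; the command line may contain '|' so split at most 4 times."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, ppid, image, cmd = line.split("|", 4)
        yield {"ts": ts, "pid": int(pid), "ppid": int(ppid), "image": image, "cmd": cmd}


def detect_ransomware_prep(text, min_drives=3, min_services=3, alert_at=3):
    """Aggregate per parent PID and return {ppid: finding} for parents whose combined
    shadow-copy and service-stop activity scores at or above alert_at."""
    state = defaultdict(lambda: {"delete": False, "drives": [], "services": []})
    for ev in parse_events(text):
        st = state[ev["ppid"]]
        if DELETE_RE.search(ev["cmd"]):
            st["delete"] = True
        m = RESIZE_RE.search(ev["cmd"])
        if m:
            drive = m.group(1).upper()
            if drive not in st["drives"]:
                st["drives"].append(drive)  # order preserved: a C, D, E ... walk is itself telling
        m = NETSTOP_RE.search(ev["cmd"])
        if m:
            st["services"].append(m.group(1).strip('"'))
    findings = {}
    for ppid, st in state.items():
        score, reasons = 0, []
        if st["delete"]:
            score += 2
            reasons.append("shadow copies deleted")
        if len(st["drives"]) >= min_drives:
            score += 2
            reasons.append("shadow storage resized on drives " + "".join(st["drives"]))
        if len(st["services"]) >= min_services:
            score += 1
            reasons.append(f"{len(st['services'])} services stopped")
        if score >= alert_at:
            findings[ppid] = {"score": score, "reasons": reasons,
                              "drives": st["drives"], "services": st["services"]}
    return findings
```

The drive-cycling check is what separates this from a generic 'vssadmin ran' alert: a backup job may resize storage on one volume, but a parent that walks C: through H: in a few seconds and then stops database services is behaving like the 2019 sample. Thresholds are deliberately low because this phase is short; the encryption that follows is the one thing you do not want to wait for.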
For its file encryption, the MITRE malware used AES, appending a specific marker ("Cl1pCl0p!?") to the data within the encrypted files. This was an identical approach to the real malware, which used a marker of "Clop^ ". However, while the 2019 samples used the advapi32.dll CryptAcquireContextW API for cryptographic algorithm support, the MITRE version employed the open-source Crypto++ (CryptoPP) library – a more modern approach used by many ransomware families today.
LockBit
LockBit, like Cl0p, is a prolific ransomware group, albeit one significantly disrupted by law enforcement agencies in February 2024. Nonetheless, owing to a LockBit builder leaked in 2022, threat actors continue to deploy its ransomware. MITRE's LockBit scenario included TTPs known to be used by some LockBit affiliates (as with the Cl0p scenario, it's worth noting that while the behavior of ransomware binaries will generally be consistent across attacks, since these are developed and distributed centrally, affiliates may have more flexibility in their approaches, and so their playbooks – and consequent TTPs and IOCs – may differ). These TTPs included the initial access method, the use of ThunderShell and PsExec, and various evasion techniques.
Initial access
The MITRE 'threat actor' began their attack by authenticating over an externally-facing TightVNC service (a legitimate remote administration tool), using credentials that had previously been compromised. Ransomware-as-a-Service (RaaS) affiliates commonly obtain initial access in this way, using previously-compromised services and credentials that are sold on cybercrime forums by IABs, as noted earlier with the Cl0p scenario.
Once the attacker gained access, they executed various discovery commands, which aligned with commands that we frequently observe early on in a RaaS attack, including:
nltest /dclist:
cmdkey /list
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net localgroup Administrators /domain
powershell /c "get-wmiobject Win32_Service |where-object { $_.PathName -notmatch "C:\Windows" -and $_.State -eq "Running"} | select-object name, displayname, state, pathname"
These commands are almost identical to those observed during a 2022 LockBit attack.
The execution of cmd.exe during a remote interactive session was a key indicator of attack here, as was a TightVNC connection and remote interactive logon from a suspicious IP address.
Figure 10: Investigating suspicious activity during the initial access stage
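Neither a TightVNC connection nor a net group command is malicious on its own; what matters is the sequence, a remote interactive session followed within minutes by commands from several distinct discovery categories. The Python below is an added example (not Sophos' detection logic) of that correlation over constructed events: an inbound connection to tvnserver.exe opens a session window, and cmd.exe children inside that window are classified with regexes for the command families listed above. The event format, source IP, timings and the assumption that TightVNC listens on port 5900 are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Discovery command families, keyed by what they reveal. The regexes are the example's own.
DISCOVERY = {
    "domain-controllers": re.compile(r"\bnltest(?:\.exe)?\s+/dclist", re.I),
    "stored-credentials": re.compile(r"\bcmdkey(?:\.exe)?\s+/list", re.I),
    "privileged-groups": re.compile(
        r'\bnet(?:1|\.exe)?\s+(?:local)?group\s+"?(?:domain admins|enterprise admins|administrators)\b', re.I),
    "service-enumeration": re.compile(r"get-wmiobject\s+win32_service|\bget-service\b|\bsc(?:\.exe)?\s+query", re.I),
}
VNC_PORTS = {5900}              # TightVNC default listener (assumption; deployments may differ)
WINDOW = timedelta(minutes=15)  # how long after the connection we attribute commands to it

# Constructed events, one per line, none of it evaluation telemetry:
#   "HH:MM:SS;net;<image>;<remote ip>;<local port>"
#   "HH:MM:SS;proc;<parent image>;<command line>"
SAMPLE_EVENTS = """\
10:15:02;net;tvnserver.exe;203.0.113.45;5900
10:15:40;proc;cmd.exe;nltest /dclist:
10:15:48;proc;cmd.exe;cmdkey /list
10:16:03;proc;cmd.exe;net group "Domain Admins" /domain
10:16:10;proc;cmd.exe;net group "Enterprise Admins" /domain
10:16:17;proc;cmd.exe;net localgroup Administrators /domain
10:16:30;proc;cmd.exe;powershell /c "get-wmiobject Win32_Service | where-object { $_.PathName -notmatch 'C:\\Windows' -and $_.State -eq 'Running' } | select-object name, displayname, state, pathname"
10:40:00;proc;explorer.exe;net group "Domain Admins" /domain
11:05:00;net;svchost.exe;198.51.100.7;443
"""


def parse_events(text):
    """Yield (timestamp, kind, fields); a proc command line may itself contain ';' or '|'."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, rest = line.split(";", 2)
        fields = rest.split(";") if kind == "net" else rest.split(";", 1)
        yield datetime.strptime(ts, "%H:%M:%S"), kind, fields


def classify(cmd):
    """Return the discovery categories a command line belongs to (empty list if none)."""
    return [name for name, rx in DISCOVERY.items() if rx.search(cmd)]


def detect_discovery_after_vnc(text, min_categories=3):
    """Open a session window on each inbound VNC connection, attribute later cmd.exe children
    to it, and report sessions that reach min_categories distinct discovery categories."""
    sessions = []
    for ts, kind, fields in parse_events(text):
        if kind == "net":
            image, remote_ip, port = fields
            if int(port) in VNC_PORTS:
                sessions.append({"ip": remote_ip, "image": image, "start": ts,
                                 "cats": set(), "cmds": []})
        elif kind == "proc":
            parent, cmd = fields
            if parent.lower() != "cmd.exe":
                continue
            for s in sessions:
                if s["start"] <= ts <= s["start"] + WINDOW:
                    cats = classify(cmd)
                    if cats:
                        s["cats"].update(cats)
                        s["cmds"].append(cmd)
    return [s for s in sessions if len(s["cats"]) >= min_categories]
```

Requiring three distinct categories rather than three commands keeps a help-desk user who runs net group twice out of the alert, while still catching the pattern above, where the attacker hit four categories in under a minute of the VNC connection being accepted.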
Persistence
To maintain a foothold in the environment, the threat actor then deployed a PowerShell remote access shell known as ThunderShell. As CISA notes, this is a tool known to be used by LockBit affiliates, enabling them to maintain persistence if the initial access method is lost. Here, we were able to track recurring network connections to identify 'beaconing' behavior, and flag processes and connections deemed suspicious.
The MITRE 'attacker' established further persistence through the winlogon automatic logon registry keys. This action deviated slightly from what we would expect in a real-world scenario; in our experience, threat actors usually enumerate these keys to potentially identify plaintext credentials, rather than write to them.
Impact
MITRE opted to emulate the bespoke LockBit exfiltration tool StealBit, which RaaS affiliates use to perform double extortion (a technique used by many other ransomware groups), allowing them to exfiltrate sensitive data to a remote server before it is encrypted.
MITRE's version of StealBit (named connhost.exe), just like the real thing, used the PEB 'BeingDebugged' flag to check for attached debuggers, and also performed dynamic API resolution using LoadLibraryExA and GetProcAddress, with the DLL file names to resolve stored as XOR-obfuscated strings. This is a very similar approach to the real StealBit malware.
After exfiltration, the MITRE 'threat actor' deployed an emulated version of the main LockBit executable to encrypt data and self-replicate across the environment.
As with the real-world version, MITRE's LockBit sample used several evasive methods, including dynamic API resolution using an in-memory API hashing algorithm (to keep API names hidden from static analysis), and anti-debugging via NtSetInformationThread. We documented both of these methods in our analysis of LockBit 3.0 in 2022, although it's worth noting that MITRE's implementation used DJB2 hashing. This differs from the original LockBit approach (a custom implementation using a ROR-based hashing method with a seed key), but the end result is the same, while also avoiding the introduction of a known IOC which we and other vendors may have previously detected.
Figure 11: MITRE's version of LockBit used an implementation of the DJB2 hashing algorithm. This was a complex implementation, and we noted that MITRE appeared to have gone to great lengths to replicate the functionality of the genuine LockBit binary
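To show why a change of hash algorithm breaks a hash-based IOC while leaving the technique intact, the following Python is an added example (not MITRE's, LockBit's or Sophos' code) of the resolver side of API hashing: it computes DJB2 over a small constructed export list, resolves hash constants back to DLL and function names, and computes a generic ROR-13 hash of the same names for comparison. The export list is a hand-picked subset, and the ROR-13 routine is the textbook variant, not a reconstruction of LockBit's seeded implementation, which this article does not reproduce.

```python
# Constructed export list (a real resolver walks the export directory of the loaded module).
EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect", "CreateFileW"],
    "ntdll.dll": ["NtSetInformationThread", "NtQueryInformationProcess", "RtlGetVersion"],
}
MASK32 = 0xFFFFFFFF


def djb2(name: str) -> int:
    """Classic DJB2: h = h * 33 + c, starting from 5381, truncated to 32 bits.
    (The 'djb2a' variant uses XOR instead of +; a sample may use either, or a different seed.)"""
    h = 5381
    for c in name.encode("ascii"):
        h = (h * 33 + c) & MASK32
    return h


def ror13(name: str, seed: int = 0) -> int:
    """Textbook ROR-13 hash, the other common shellcode choice. Illustrative only: LockBit's
    own implementation uses its own seed and rotation, which are not reproduced here."""
    h = seed
    for c in name.encode("ascii"):
        h = ((h >> 13) | ((h << 19) & MASK32)) & MASK32
        h = (h + c) & MASK32
    return h


def build_table(hash_fn, exports=EXPORTS):
    """Map hash -> (dll, export name) for every export, mirroring what the malware computes
    at run time when it walks the export table looking for a matching hash."""
    table = {}
    for dll, names in exports.items():
        for n in names:
            table[hash_fn(n)] = (dll, n)
    return table


def resolve_hashes(hashes, hash_fn=djb2, exports=EXPORTS):
    """Turn hash constants pulled from a sample back into names; unknowns are reported as such."""
    table = build_table(hash_fn, exports)
    return [table.get(h, (None, f"unknown:{h:08x}")) for h in hashes]


def ioc_drift(name: str):
    """Show how one import yields unrelated 'indicators' under the two hash functions."""
    return {"djb2": f"{djb2(name):08x}", "ror13": f"{ror13(name):08x}"}
```

The practical consequence for detection engineering: a rule that carries the DJB2 or ROR-13 value of VirtualProtect as an indicator only fires on one lineage of the technique, whereas a rule keyed on the run-time walk of the export table, or on the shellcode pattern in memory, survives a swap of the hash function.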
Sophos detected this activity using CryptoGuard, although we should note that as this particular test was running in monitor-only mode, CryptoGuard didn't roll back the encryption. In another, separate test, focused on protection, encryption activity resulted in the encrypted files being rolled back to their original state, even during remote encryption emulations.
Figure 12: CryptoGuard thumbprint information showing the detection of ransomware activity and the creation of a ransom note
2024 marked the fourth year that Sophos has participated in MITRE's ATT&CK Evaluations: Enterprise. As in previous years, the focus on end-to-end attack chains and realism has made the evaluation an extremely valuable exercise in assessing our capabilities and those of other vendors. We also welcome MITRE's emphasis on transparency.
Like any form of emulation, much of the value of these evaluations comes from how accurate and realistic their scenarios are. While we did note that MITRE's tests deviated from real-world attacks in a few minor instances – often because of unavoidable constraints – the overall resemblance to known campaigns and threat actors was very strong.
Transparent, realistic evaluations, in which multiple vendors participate, benefit not only vendors themselves, but also customers, and, as a result, wider society. We look forward to continuing to participate in these evaluations in the future, and to reporting our thoughts and findings wherever possible.