Keypoints
- AttackIQ published an assessment template that reproduces Sandworm’s recent post-compromise tactics, techniques, and procedures (TTPs) for testing security controls.
- The template emphasizes attacks against Industrial Control Systems (ICS) and SCADA and models disruptive/destructive behaviors used in prior Ukraine operations.
- Emulated techniques include RunDll32-based execution, Visual Basic scripting, scheduled task persistence, masquerading, discovery commands, LSASS memory dumping, ingress tool transfer, and VSS deletion.
- Detection guidance includes command-line and process monitoring rules for rundll32.exe, comsvcs usage, and schtasks creation via cmd/powershell.
- Mitigation recommendations point to prioritizing detection/prevention for RunDll32 proxy execution, scheduled tasks, and LSASS dumping before expanding to other techniques.
- AttackIQ suggests extending emulation with AD database dumping via ntdsutil.exe to validate controls for credential and domain compromise scenarios.
MITRE Techniques
- [T1218.011] System Binary Proxy Execution: Rundll32 – Use of RunDll32 to execute a DLL export. Quote: (‘RunDll32 is a native system utility that can be used to execute DLL files and call a specific export inside the file.’)
- [T1059.005] Command and Scripting Interpreter: Visual Basic – Execution of VBS via cscript.exe to run scripts. Quote: (‘This scenario will attempt to execute a Visual Basic Script (VBS) via cscript.exe.’)
- [T1053.005] Scheduled Task/Job: Scheduled Task – Creation of a scheduled task using schtasks with observed name qAWZe for persistence. Quote: (‘This scenario creates a new scheduled task using the schtasks utility with the name qAWZe that was observed being used by Sandworm.’)
- [T1036] Masquerading – Renaming or changing file extensions to evade detection using move utility. Quote: (‘This scenario will attempt to modify a file type extension to an alternate file extension once it has landed on the target asset using the move utility.’)
- [T1049] System Network Connections Discovery – Collection of active network connections using netstat. Quote: (‘The native Windows command line tool netstat is used to collect active connections and any listening services running on the host.’)
- [T1016] System Network Configuration Discovery – Gathering network configuration with ipconfig, arp, route, nltest. Quote: (‘The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, and nltest.’)
- [T1083] File and Directory Discovery – Using dir to enumerate files and output to a temporary file. Quote: (‘This scenario uses the native dir command to find files of interest and output to a temporary file.’)
- [T1003.001] OS Credential Dumping: LSASS Memory – Dumping LSASS memory via rundll32.exe and comsvcs.dll MiniDump export to disk. Quote: (‘Uses rundll32.exe with comsvcs.dll to call the MiniDump export that will dump the LSASS process memory to disk.’)
- [T1105] Ingress Tool Transfer – Downloading tools/samples to memory and disk to test delivery controls. Quote: (‘This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.’)
- [T1490] Inhibit System Recovery – Deleting Volume Shadow Copies using vssadmin.exe to inhibit recovery. Quote: (‘This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.’)
Indicators of Compromise
- [File names/executables] living-off-the-land binaries used in the emulated techniques – rundll32.exe, comsvcs.dll (the MiniDump export), vssadmin.exe, ntdsutil.exe. These are signed Windows components present on every host, so their presence is not an indicator by itself; detection depends on the command line, the parent process, and the invoking user.
- [Scheduled task name] persistence indicator – qAWZe (task name created by schtasks to enable recurring execution).
- [Database/registry files] credential/AD dump indicators – NTDS.dit plus the SYSTEM and SECURITY hives (the files produced by the suggested ntdsutil.exe dump scenario).
- [Command-line patterns] suspicious commands – ‘schtasks /CREATE’ (task creation), ‘vssadmin delete’ (shadow copy deletion), and ‘rundll32.exe … comsvcs.dll, MiniDump’ (LSASS memory dump via the comsvcs.dll export).
- [Source URL/domain] reference – https://www.attackiq.com/2024/03/06/emulating-sandworm/ (original assessment template post).
AttackIQ’s template reproduces Sandworm’s post-compromise procedures so defenders can test controls across the full intrusion lifecycle. Execution scenarios include RunDll32 calling a DLL export and VBS execution via cscript.exe; persistence is emulated by creating a scheduled task (schtasks) using the observed task name qAWZe. Defense-evasion is modeled by file extension changes (move), and discovery techniques use built-in Windows utilities (netstat, ipconfig, arp, route, nltest, dir) to enumerate connections, configuration, and files.
Credential-access emulation performs LSASS memory dumping by invoking rundll32.exe with comsvcs.dll to trigger the MiniDump export, producing a dump for off-host analysis; AttackIQ also models ingress tool transfer by downloading samples to memory and disk to test blocking controls. Impact scenarios include executing vssadmin.exe to delete Volume Shadow Copies to inhibit system recovery, and an optional extension recommends using ntdsutil.exe to dump NTDS.dit plus SYSTEM and SECURITY hives to validate detection of AD compromise techniques.
Detection guidance provided includes EDR/SIEM rules for identifying anomalous rundll32.exe invocations (process name and command-line patterns referencing TEMP, .png, %APPDATA%), monitoring for comsvcs usage that references lsass, and alerting on schtasks creation commands issued via cmd.exe or powershell.exe. One caveat when building the comsvcs rule: the MiniDump export takes the target as a process ID, so a rule keyed only on the literal string ‘lsass’ misses invocations that name the process by PID; match on comsvcs.dll together with MiniDump as well. Prioritize detection/mitigation for RunDll32 proxy execution, scheduled tasks, and LSASS dumping, then expand coverage to the remaining discovery, transfer, and impact techniques to harden controls against disruptive ICS/SCADA-focused operations.
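The following is an added example, not code from the AttackIQ post or template, showing the detection guidance above as runnable logic over process-creation telemetry. The events are constructed here in a Sysmon Event ID 1 style (image, command line, parent image); the task name qAWZe, the comsvcs.dll MiniDump invocation, the schtasks creation from cmd.exe, the shadow-copy deletion, and the .png-named DLL loaded from TEMP mirror the scenarios on this page, while the PID, paths and benign events are made up for the sample.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record in Sysmon Event ID 1 style (constructed for this example)."""
    image: str          # full path of the created process
    command_line: str   # command line as logged
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so rules compare on the binary name only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_rundll32_suspicious_module(e: ProcEvent) -> bool:
    """T1218.011: rundll32 loading a module from TEMP/%APPDATA% or one disguised with a .png extension."""
    if _basename(e.image) != "rundll32.exe":
        return False
    return re.search(r"(\\temp\\|%temp%|appdata|\.png\b)", e.command_line, re.I) is not None


def rule_comsvcs_lsass_dump(e: ProcEvent) -> bool:
    """T1003.001: rundll32 calling the comsvcs.dll MiniDump export against LSASS."""
    cl = e.command_line.lower()
    if _basename(e.image) != "rundll32.exe" or "comsvcs" not in cl:
        return False
    # MiniDump takes a PID, so the string "lsass" is only present when the output file happens
    # to be named after it; matching the export name as well closes that gap.
    return "minidump" in cl or "lsass" in cl


def rule_schtasks_create_from_shell(e: ProcEvent) -> bool:
    """T1053.005: schtasks /create spawned by cmd.exe or PowerShell rather than the Task Scheduler UI."""
    return (_basename(e.image) == "schtasks.exe"
            and re.search(r"\s/create\b", e.command_line, re.I) is not None
            and _basename(e.parent_image) in {"cmd.exe", "powershell.exe", "pwsh.exe"})


def rule_observed_task_name(e: ProcEvent) -> bool:
    """Atomic indicator: the scheduled task name qAWZe reported for Sandworm (task names are case-insensitive)."""
    return _basename(e.image) == "schtasks.exe" and re.search(r"/tn\s+\"?qAWZe\b", e.command_line, re.I) is not None


def rule_vssadmin_delete_shadows(e: ProcEvent) -> bool:
    """T1490: vssadmin deleting Volume Shadow Copies."""
    return (_basename(e.image) == "vssadmin.exe"
            and re.search(r"\bdelete\s+shadows\b", e.command_line, re.I) is not None)


RULES = {
    "T1218.011 rundll32 module from TEMP/APPDATA or .png": rule_rundll32_suspicious_module,
    "T1003.001 LSASS MiniDump via comsvcs.dll": rule_comsvcs_lsass_dump,
    "T1053.005 schtasks /create spawned from cmd/powershell": rule_schtasks_create_from_shell,
    "IOC scheduled task name qAWZe": rule_observed_task_name,
    "T1490 vssadmin delete shadows": rule_vssadmin_delete_shadows,
}

# Constructed sample telemetry: four events that mirror the emulated scenarios plus two benign ones
# (Windows itself runs rundll32 with shell32.dll and queries tasks from service hosts).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\lsass.dmp full",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /CREATE /TN qAWZe /SC MINUTE /MO 5 /TR "C:\Users\Public\update.vbs" /F',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe",
              r"vssadmin.exe delete shadows /all /quiet",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\alice\AppData\Local\Temp\image.png,Start",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r"schtasks /Query /TN \Microsoft\Windows\Defrag\ScheduledDefrag",
              r"C:\Windows\System32\svchost.exe"),
]


def detect(events):
    """Run every rule over every event; returns (event index, rule name) pairs for each hit."""
    hits = []
    for idx, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name} :: {SAMPLE_EVENTS[idx].command_line}")
```

The first sample event fires two rules (the comsvcs MiniDump rule and the TEMP-path rundll32 rule) because the dump is written under C:\Windows\Temp; overlapping hits like this are useful for triage ordering rather than a defect. The two benign events produce no hits, which is the check to keep in place when tuning the regexes against real telemetry.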
Read more: https://www.attackiq.com/2024/03/06/emulating-sandworm/