And welcome to DEF CON Red Team Village. My name is Jorge Orchilles, and this talk is titled Deep Dive into Adversary Emulation, Ransomware Edition. What we're going to look at is an attack that we saw in July 2020 against the Garmin organization. It brought all their services down, asking them to pay a ransom. The particular adversary attributed to this attack is Evil Corp, and they used a ransomware called WastedLocker. So we're going to talk about how we can emulate a ransomware attack against an organization in a professional manner, so that we can test our detective and preventive controls and answer the question that most CSOs want to know: can this happen to us? I hope you enjoy, and I'm available to answer any questions.

As mentioned, my name is Jorge Orchilles. I'm the Chief Technology Officer at SCYTHE. I'm also the author of the Purple Team Exercise Framework, which we recently released and made available to everyone for free on our website. I co-created the C2 Matrix with Bryson Bort and Adam Mashinchi; it is a matrix of various command and control frameworks with their capabilities and their features. We'll cover that a little bit in this deck. Before joining SCYTHE, I worked at Citigroup for 10 years running the offensive security team. I started as a vulnerability assessment analyst, then introduced penetration testing, and eventually created the red team about five years ago. We then created a purple team function and began doing adversary emulations across the globe and working with various regulators, which led to the creation of a global framework with the Global Financial Markets Association titled Threat-Led Penetration Testing. So we'll cover a lot of that here as well. That's also a free framework. I teach for SANS; I've taught for SANS for the past 10 years, mostly the pen test curriculum and also some of the cloud courses.
But if you've ever taken or have the GCIH or the GPEN, shout out to you. I also have a two-day red team exercise and adversary emulation course. While at Citigroup, I was part of the CVSS working group, and I was a voting member when we released version 3 and 3.1. Version 4 is in the works, and I'm also working on another working group now, as I'm no longer a voting member of CVSS, on what's called the Exploit Prediction Scoring System. We're trying to identify which vulnerabilities will be exploited versus ones that won't, even if they have similar CVSS scores. It's a very interesting project, and if you'd like to join, it is a working group as part of FIRST as well. I really believe in ISSA and giving back to the community. ISSA is the Information Systems Security Association. They might have a chapter in your location. Definitely go out. I actually found two of my jobs before working at Citi through there: I worked at Terremark in the Security Operations Center and found that job through there, as well as my job at Citi. So definitely network and give back to the community. Long, long ago, I wrote a book on Windows 7. So I am a published author. Hopefully no one's using that operating system.

So here's our agenda for today. We're going to cover some definitions because, as in any red team talk, we have to argue about definitions; we really want to use the same language in the industry and hopefully help the industry use the same language. So we're going to cover things like red teaming, purple teaming and adversary emulation. Then we're going to talk about ransomware. Ransomware is something that we've all heard about. And while many of us find it annoying and not sophisticated, we're actually seeing an uptick in the sophistication level, where it isn't just about gaining initial access and impacting the target systems; it also involves moving laterally and exfiltrating information prior to requesting a ransom.
So we're going to cover our usual steps when we talk about adversary emulation, starting with cyber threat intelligence. We want to learn about various attacks. In this case, we're going to talk about Garmin and Evil Corp using a piece of malware called WastedLocker. It's the attack that affected Garmin in July 2020. We're going to understand that attack. We're going to create an adversary emulation plan around it. Then we're going to perform it. So it should be a lot of fun. Then of course, we're going to talk about defending against ransomware.

Now the first thing I want to cover is definitions. We published this Ethical Hacking Maturity Model to kind of show a blueprint of how many organizations are maturing in their offensive security. Now this doesn't mean that every organization is the same. This is really based on my experiences and on the experiences of organizations I've talked to, whether they're SANS students or other people in the industry that have asked about this particular subject. So most organizations start over on the left side with vulnerability scanning. Here's where you run a scan against an IP or a web app and you get back a list of vulnerabilities based on signatures. Vulnerability assessment is when you look at the output of that vulnerability scan and you give it a real risk rating, where you actually calculate if the risk is there, you verify the vulnerability and you prioritize what needs to get fixed. Penetration testing then involves the exploitation of vulnerabilities. This can involve finding vulnerabilities that the vendor didn't know about, which we call 0-days, or it could also mean gaining access to a target system and learning and really calculating that business risk. Unfortunately, in the industry, pen testing got very scoped down. We weren't allowed to move laterally to other hosts. We weren't allowed to do social engineering and things like that. And that's where the red team came in.
The red team started testing people, process and technology. Purple teaming is where we work together, the red team with the blue team. And adversary emulation is a cyber threat intelligence-led assessment generally carried out by the red team. It can be a full-knowledge or zero-knowledge assessment, in which case it would be a purple team or a red team engagement. Now, as I mentioned, these aren't necessarily the steps you must take to get to where you want to go. This is just an example that you can use with your senior management to explain to them how your organization has matured, and there is an arrow there at the end, which means that I'm sure this will continue to evolve. Every organization is different. And of course, don't stop doing the previous step: just because you're doing red team and purple team engagements doesn't mean you're not doing vulnerability scanning anymore. There's an entire article on this if you'd like to read more about it.

The reason we're here is to talk about adversary emulation. That can be defined as a type of red team exercise. There are many different types of red team engagement; this is one of those types. In this type, we are going to emulate adversary tactics, techniques and procedures, or adversary behavior. We understand those behaviors by leveraging cyber threat intelligence. And just like the malicious actors, we're going to have an objective, which would be very similar to the objective of that actor. So in this case, we are putting TTPs together in an attack chain for testing of these various scenarios. It's really going to answer the question of whether the target organization is ready for a real, sophisticated attack. Most of the time the effort here is manual. There are a number of tools, or some automation that you can build, around doing TTPs. My company, SCYTHE, does some of this. So we'll cover that a little later. But it's mostly manual, because you can't really automate an entire red team.
You actually need people, which is very important. So as I mentioned, an adversary emulation is a type of red team exercise. There are different types. And a red team can be defined as the practice of looking at a problem or situation from the perspective of an adversary, which means that you can do a lot with that. It could be physical pen testing. It could be doing phishing simulations for awareness training, or it could be testing or creating a new TTP. In this case, we're going to talk about adversary emulation, but we want to differentiate the whole red team from pen testing. For example, in a pen test, you're generally finding and attacking preventive controls, the lack of patching, or maybe you find a vulnerability that the vendor doesn't know about. In red teaming, our goals are different. Our goals are to make the blue team better; to train, test and measure people, process and technology; and to test assumptions. The effort here, as I mentioned, is pretty manual. There are a lot of tools, so we'll cover some of those in the C2 Matrix and in this talk. And the frequency is really based on intelligence. I'm sure many of you this week heard about Black Hat and DEF CON and saw some new techniques. So we might want to be testing those out as soon as we're back at the office. The frequency really depends. We are seeing red team engagements being required by various regulators. And the customer here is the blue team. We want to work with the blue team.

Now, there is a difference between internal and external teams. Internal red teams will do an engagement and then they might have to repeat that engagement multiple times to ensure that the operations teams and the blue teams are trained and have the right detections in place. That means that they have to do a lot of retesting. They might not like that. They're also privileged. They're insiders. They have information.
They've probably done other red team engagements and exercises, so they know what works and what doesn't work. So really, internal red teams should be seen more as a sparring partner to the blue team. They should collaborate and get along. External teams are a little different. They offer a different perspective. Since they're coming from the outside, they don't have that insider knowledge. They'll be able to emulate an external malicious actor by doing things like reconnaissance, learning more and seeing what's out there, to see if they can breach that perimeter or get internal access. There are other types, though, where external teams could be brought in from an assumed-breach perspective. We'll talk about that a little bit more. And these are mostly snapshot engagements. They come in once a year. They do the test. They leave a report. Maybe they do a red team reveal or a replay, and then they don't come back for at least a year. So it's very snapshot and point-in-time oriented.

So why don't we move towards a purple team, especially for those internal teams? Your job is to make the blue team better, to test, measure and improve people, process and technology. You don't have to do these zero-knowledge engagements all the time. You might only have to do it maybe every three months, or every six months, or once a year. The rest of the time, you can spend in a purple team fashion, working and collaborating with the blue team. It is an efficient way of doing a lot of these adversary emulations. So what is a purple team? A purple team is a virtual or functional team where various teams actually come together and collaborate to improve the defensive security posture in a method that is more efficient than your standard red team engagement that results in a report. Here we use cyber threat intelligence to understand a malicious threat actor.
Generally, this team could be internal, in which case it would have a lot of insider information and really understand the target organization, or it can be an external cyber threat intelligence team. But the point is that they would provide a threat actor that has the capability, the intent and the opportunity to attack that organization. Then the red team consumes this information and creates an adversary emulation plan. You then tabletop this. You have a discussion with all the parties involved. The blue team can be the security operations center, a managed security service provider, a hunt team, or an incident response team, digital forensics, right? All of those are part of the blue team. You have this tabletop and you say, for these particular TTPs, these are our expected defenses. And then you emulate that. The red team shows the blue team what they're doing as they emulate it. It's a full-knowledge engagement. The blue team will then go and look for indicators of compromise or indicators of this behavior. And then both teams work together to say, okay, we believe that this is good enough detection, or we can improve this detection by tuning these various tools. And then you repeat that over and over for various different TTPs. You can repeat that to train people. You can ensure that the processes are working, that maybe a handoff from a security operations center analyst to a level two analyst or to an incident response person all works efficiently. And of course, you're also tuning your technology. Did you say purple? Yes, purple is very hot right now. And it's because of the efficiencies. Now, anything we do in offensive is to bring business value. So regardless of what you're calling this, whether it's a red team engagement with no knowledge or a purple team engagement, we always want to bring business value. So as usual, we start with frameworks and methodologies.
That's very important for us, because if you're going to sell doing an adversary emulation, especially a ransomware one, to your organization, you'd better have a good plan. And one of the things that does that is a framework and a methodology. Now, one of the ones that we recently released through SCYTHE is the Purple Team Exercise Framework. This covers cyber threat intelligence, covers sponsorship, covers getting the people and the process and getting everything ready for that exercise. And you can see over here on the right, kind of the life cycle there. We start with cyber threat intelligence, we do preparation, we execute the exercise, and then we have lessons learned. There are a number of different methodologies that you can use. One of the original ones was the Cyber Kill Chain by Lockheed Martin, which was seven steps showing senior management kind of how an attack works. That has matured. Paul Pols came out with the Unified Kill Chain, which goes way more in depth; I really liked that one, and shout out to Paul. And then we have financials that have a number of different regulations. The Bank of England has CBEST; the European Central Bank, the ECB, has TIBER-EU, which is Threat Intelligence-Based Ethical Red Teaming. The Monetary Authority of Singapore and the Association of Banks in Singapore have Red Team Adversarial Attack Simulation Exercises; the Hong Kong Monetary Authority has the Intelligence-led Cyber Attack Simulation Testing; and then we all came together, and I was a co-author with the Global Financial Markets Association, to create a framework for the regulatory use of pen testing in the financial services industry. So there are many frameworks out there that you can use and leverage that are free and open source; pick one and use it, that way you can show that you are professional. And then for testing, of course we're going to use MITRE ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge.
It really is a common knowledge, or a common language, that allows the cyber threat intelligence team to work with the blue team, the incident response teams, and the red teams, all speaking the same language. So as something occurs in the wild, something like the Garmin hack, which we'll cover right now, the forensics team goes in there, understands what happened, and then they give us cyber threat intelligence. The cyber threat intelligence team will create these reports, which we will then consume, and then we can map all of these back to MITRE ATT&CK. Now, of course, everyone's seen the MITRE ATT&CK framework. On the top, we have our tactics. Those are the adversary goals. Under those, we have our techniques, which now have sub-techniques, and also procedures. The procedure level is the lowest level you can get. So it's very good to use frameworks like these.

In this case, we're going to talk about ransomware. And there is a particular tactic that covers ransomware, and that's called the Impact tactic. It's TA0040. According to MITRE, Impact is the adversary trying to manipulate, interrupt, or destroy your systems and data. So it really is trying to disrupt availability or compromise integrity by destroying and tampering with your data. Generally, this is used to achieve that end goal. And over here on the right, you have an example of just some of the techniques and sub-techniques. So Data Manipulation would be the technique, and then you have Stored Data Manipulation, Transmitted Data Manipulation and Runtime Data Manipulation as sub-techniques. You can then click on those and see procedures for different ones. But this is really one of the main objectives: to impact the system, and then, in ransomware, request money to get that access back to your systems.

So let's talk about ransomware. Generally, what we see is threat actors trying to go out and get initial access to a target system or network, and then encrypt files.
And if you want those files back, you have to pay a ransom. A lot of this is very opportunistic, in that it's a drive-by type of compromise: anyone in your organization visits a web page, whether they clicked on it or they got there through links or whatnot, and that tries to compromise their system. From there, the malware will try to run and encrypt files. Now, we're seeing three different methods of encrypting files. One is reading the file and creating an encrypted version of that file, replacing the original file with the encrypted one. Another uses raw disk access for encryption. And the third one is to open the file, encrypt the contents of the file, and then save the file itself. So there are different ways of doing this. Sometimes we see organizations stealing those files. Not all of them steal them. So you go on the target system, you encrypt the files, you steal them, and then you post the ransom note. Some of those do that. And then of course, they download some sort of ransom note saying, now you need to pay if you want access to your files. And of course, the malicious actor's goal and objective here is to get paid, get money, generally in some sort of cryptocurrency.

So let's talk about Garmin. On July 22nd, a lot of folks started posting that they could not connect to Garmin. Garmin is a company that specializes in GPS. They also have fitness trackers and a number of other services, as you can see on the screen. And all that Garmin was saying is that they were currently experiencing an outage. Now this outage lasted a number of days. So rumors started going around that this was ransomware. By the time you're watching this, we obviously have quite a bit of information about this that we're going to go over. But you can see here on the right, a lot of services were down. One that was quite interesting is flyGarmin. A number of planes actually use Garmin devices for their tracking and their GPS.
And those planes would not be able to fly because they didn't have tracking. So you can see here, it definitely impacted a lot of people; it was a global outage. So given the timeliness of this, this is the malicious threat, the organization, that we are going to learn from. We have learned now that the malicious actor is a threat group called Evil Corp. And in this particular case, they used a ransomware malware known as WastedLocker. So let's learn a little bit about this.

Evil Corp, in this particular attack, would first get initial access through drive-by sites. That means they compromised a legitimate website first, and whenever anyone visited this particular website, they would download SocGholish. That would trigger a number of different actions. So in this case, and we're thinking from a red team perspective, we won't be able to emulate this particular TTP, because we're not going to have permission to compromise a third party. So in this case, we will have to simulate what happens and get that initial access through some other method. Once SocGholish ran, it is a ZIP file with malicious JavaScript that was masquerading as a browser update. That's another TTP in MITRE ATT&CK. Then a second JavaScript file would profile the computer to see where it was, gain some situational awareness, and then it used PowerShell to download additional discovery-related PowerShell scripts like PowerView, which we've heard quite a bit about. It's a free script that you can get straight from GitHub. Then, once the attacker had access to execute PowerShell, they gained network access and would drop Cobalt Strike malware. Cobalt Strike is a command and control framework, which we'll cover here, or we'll actually demo it, because we're going to emulate all of this. And unfortunately, Cobalt Strike has been used by malicious threat actors before because an early version of it was leaked.
With Cobalt Strike command and control established, they then lived off the land to do things like steal credentials, escalate privileges and move laterally. So this is a more sophisticated threat actor that doesn't just get on one system and drop ransomware somewhere. It was moving laterally up until the point where it would deploy the WastedLocker ransomware. So Evil Corp is the adversary, and WastedLocker is the ransomware that would actually encrypt the files and request the ransom. So PowerShell was used to download and execute a loader from a domain that was publicly reported to be delivering Cobalt Strike as part of these attacks. Then it injected a payload; in this case, Cobalt Strike's payload is called Beacon, and that is used to execute commands. It injects into other processes. It elevates privileges, and then it can upload and download other files, which is what it would do for this particular malware. The privilege escalation in this particular attack against Garmin seemed to be with the Software Licensing User Interface tool, which is a command line tool that comes with the operating system. We call these living off the land because it's a tool that's already there. They would use that to escalate privileges. Then we've learned as well from the cyber threat intelligence that the attackers would use WMIC, which is the Windows Management Instrumentation Command-line utility. This is also a living-off-the-land tool. It comes with all versions of Windows, to execute commands on remote computers, such as adding new users or executing additional PowerShell. Then the attackers launched a legitimate command line tool for managing Windows Defender, to disable Defender and the scanning of new files. In the event that the malware they were using would get caught, they would disable this part. That's another MITRE ATT&CK TTP.
And then lastly, they would use PsExec to move laterally and deploy the WastedLocker ransomware, which begins the encryption process and would also delete the shadow volumes. So all of this is cyber threat intel that we have pulled together for emulation. This is what WastedLocker looks like. It is interesting because it creates a file: the encrypted file is called the particular file name, and then the extension has the organization name and "wasted" at the end. And then it would drop a ransomware note that was a text file, and it would be called "wasted_info". And here you can see this particular message. So all of this is important for us as we plan what we're going to do.

Now, none of the cyber threat intelligence I read had MITRE ATT&CK mapping, neither for Evil Corp as a threat actor or group, nor for WastedLocker as a ransomware. So I had to manually extract these TTPs from the cyber threat intelligence and then create a MITRE ATT&CK Navigator layer. So I've done that, and here you can see a screenshot on the right of the Impact portion. This is what the WastedLocker ransomware does. And there you can see that the JSON layer is available for you to take a look at. So let's take a look at that one right now. Here is the MITRE ATT&CK layer that I created. A nice feature of ATT&CK Navigator is that you can give it a JSON file. So you see up here, this is hosted on GitHub, and we give it the URL. This URL here is the SCYTHE GitHub where I post community threats. And in this case it has this layer, which it renders here. So we can see the initial access was Drive-by Compromise. We can see execution through PowerShell and JavaScript. We can see User Execution through a Malicious File, Service Execution, as well as WMI.
We can see some Privilege Escalation, Defense Evasion, and then we have to scroll over to the right, thanks to all the sub-techniques, to see other things such as discovery of Local Accounts and Domain Accounts, System Owner/User Discovery, Lateral Movement, Command and Control through HTTPS using Asymmetric Cryptography and a Web Protocol over HTTPS. And then over on the right we see Data Destruction, Data Encryption, Stored Data Manipulation and Service Stop. So I went through all that cyber threat intelligence and I pulled this out, which allows me to create a much better plan for what we are going to try to do here in this red team exercise that emulates Evil Corp and the WastedLocker malware.

So planning is very important, right? We started with cyber threat intelligence. We learned about the Garmin hack. We learned about Evil Corp. We learned about the WastedLocker malware, and we mapped that all to MITRE ATT&CK. Now let's talk about planning. What are the goals and objectives here? In this case, we want to determine if an attack like Garmin's would work in our target environment. We also want to decide: are we going to do this as a red team exercise or a purple team exercise? Given we are in the Red Team Village, we'll do it as a red team exercise. I'm going to emulate all the steps, and then later on we'll see what the blue team was able to catch or prevent. It's very important to have an exercise coordinator and a project manager. That way, even though it is a zero-knowledge engagement, they communicate what is happening to the target organization, to the blue team trusted agents. Those are folks within the organization that know the exercise is happening but are not going to tell the players, because if the players know that this is an exercise, their behavior will change, which means your measurement of that particular test will also change. Next, we want to decide: assume breach, or a full end-to-end exercise?
In this case, we know through cyber threat intelligence that the initial access was through a compromised third-party site. So that's not something you're going to be allowed to emulate. So let's go with an assume breach. An assume breach is a more efficient way of doing this, especially for mature organizations that know that they're going to get breached, right? At any given time, there will most likely be some exploitable vulnerability, or someone inside the target organization is going to click on something, right? So for this instance, we're going to go with the assume breach, because we want to really get to the ransomware part, right? We want to focus on that and not focus on the initial access. As usual, there are going to be rules of engagement. So don't encrypt or actually ransom any business data, right? Create new files, encrypt those, and/or exfiltrate them based on this threat actor. In this particular case, it didn't look like Evil Corp actually exfiltrated the data. So we're going to create a plan that does exactly that: creates new files, a lot of new files, encrypts them, downloads a ransom note, and that way we've emulated it in a safe manner, so that the target organization, one, approves this exercise, and two, we will be able to answer the question, can this happen to us, without introducing risk.

And then lastly, we have to talk about attack infrastructure. For attack infrastructure, the red team needs to determine what tool they're going to use. Well, this actually was pretty easy, because the cyber threat intelligence told us that they use Cobalt Strike. So what we can do is use the C2 Matrix, which is a Google Sheet of a number of different C2s, and it shares all the different capabilities that each of these has. So if we hadn't heard about Cobalt Strike, we could take a look at that particular one and learn about it here. We can find the ideal C2.
Now, for the malware creation part, we might have to use a different tool to create something that does the same thing that WastedLocker does, because Cobalt Strike doesn't have those particular features. The C2 Matrix also has a Slingshot virtual machine, which allows you to get started and test eight of these C2s without having to install them. You just download the virtual machine and you can use them. And there's also a how-to site where you can learn how to use all of these. So I'll show that shortly. In this case, we know we need to use Cobalt Strike. Cobalt Strike is a commercial command and control framework. It's available on cobaltstrike.com, and unfortunately it was leaked. That means that malicious actors have their hands on it. And it has a MITRE ATT&CK page as well, software S0154. Within there, you can see a number of different malicious actors that have used this. This here comes from MITRE ATT&CK; they haven't added Evil Corp as a group, nor have they correlated Evil Corp as having used Cobalt Strike either. But I'll work with the MITRE team to get that added. And then on the right, there's a screenshot straight from Cobalt Strike's website of all the various features that this particular product has. So that is our initial access and getting to the point where we can deploy our malware.

Now, for deploying our malware, we're going to use SCYTHE. That's because SCYTHE specializes in creating custom, controlled synthetic malware that will run in a production environment without introducing risk. It's also a tool that allows you to emulate known threat actors and automate a lot of those TTPs. Now, obviously I work at SCYTHE and I have the cool hoodie, as you can see. So we went with that one to show you how cool and how easy it is to create this particular malware. Also, I couldn't figure out how to create something like ransomware so easily with any of the other C2s.
But if you have any C2s that you think do this, definitely let me know. So SCYTHE is also a command and control framework. It's a pretty easy installer. It installs on Windows. It allows multiple channels for command and control. In this case, we know we have to use HTTPS, which it has. And then it builds automation. So not only do we want to drop this synthetic malware that does what WastedLocker does, we want to automate that, right? It's going to create files, it's going to encrypt files, it's going to download a ransom note. All of that needs to be done all in one. So it really allows us to do that. And it has a variety of integrations with a number of different tools, like VECTR for tracking red and purple team exercises, PlexTrac, if you use that in your corporation, and integration for purple teams with Splunk and really any SIEM. So it's really a great tool for doing this particular ransomware malware that we want to do.

Is it even possible to emulate ransomware? Well, I've hinted at all of this as we got up to this slide. And the answer is, of course it is. The secret is to not encrypt or destroy real production data, right? You have that already in your plan, and it will get approved because you're not impacting the target systems, you're not impacting production. So instead of encrypting real files, what we're going to do is first create new files and then encrypt them, exfiltrate them if this particular threat actor did, which Evil Corp did not, and then download a ransom note. This method will ensure that no data is ever at risk of being encrypted or destroyed or leaked out. And over on the right, you can see the steps here. This is the malware that I've created with SCYTHE. It's going to load a number of different things into memory, which WastedLocker also did; it loaded everything into memory so that it wouldn't get caught. Then we're going to create a directory on our desktop called EvilCorp. Within there, we're going to create five 5-megabyte files.
So we have a lot of volume there. And then we're going to encrypt that. And the password we chose in this case is EvilCorp in leetspeak. And then we're going to download a ransom note from a Pastebin that I created that's very similar to the ransom note from Wasted Locker. And we're gonna put that on the desktop so that it shows. And then of course we're gonna shut down and clean up after ourselves. So let's take a look. We're gonna start with our SANS Slingshot C2 Matrix Edition virtual machine. It is running on a separate network with a Windows 10 victim system. Again, we're gonna focus on the actual ransomware payload and not so much on the initial access and lateral movement, but because it did use Cobalt Strike, let's go ahead and start with that. In this case, I have Cobalt Strike installed in /opt/cobaltstrike. I'm gonna start a team server. You have to start that with sudo, and I'm just going to put a basic password in there. My IP is 192.168.116.6. So we'll start that up. Then in another window, I will start the Cobalt Strike client. You don't need sudo for that. And here we will connect. So this is Cobalt Strike. The first thing we're gonna do, like in any other command and control framework, is set up a listener. I'm gonna click Add. And we're gonna use port 8080 just because we have something else running; we have Apache running on port 80. Now that we have the listener, we are going to create an attack. As the threat intel told us, they use PowerShell for that. So we'll do exactly that. So what we're gonna do is move that payload over to the system where we will execute it from. And we copy and paste that into a standard command prompt, and here we see it has checked in. Now that we have access on this target system, we can do the things that EvilCorp did, which was escalate privileges and move laterally, et cetera. In this case, we wanna focus more on impact, which is the ransomware.
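The safe emulation pattern the talk lays out (create your own files, encrypt only those, drop a ransom note, clean up) in Python, as an added example from the editor; it is not part of the talk and not SCYTHE's module or Wasted Locker's code. Assumptions: the cipher is a stand-in (PBKDF2-derived key plus an HMAC-SHA256 counter-mode keystream) chosen so it runs on a stock Python install; the note text and its file name README.txt are constructed placeholders instead of a downloaded note; the staging directory name EvilCorp and the .wasted extension follow the demo. The point worth copying is the guard rail: every filesystem write goes through a check that the target lies under the directory the emulation itself created, so a typo in a path can never reach real data.

```python
"""Synthetic ransomware emulation that can only touch files it created itself.
Added example, not SCYTHE's module and not Wasted Locker's code. The cipher
(PBKDF2 key + HMAC-SHA256 keystream) is an assumed stand-in, not the real scheme."""
import hashlib
import hmac
import os
import shutil
import tempfile
from pathlib import Path

STAGE_DIR_NAME = "EvilCorp"   # directory the demo created on the desktop
ENCRYPTED_EXT = ".wasted"     # extension from the demo
NOTE_NAME = "README.txt"      # assumed name for the dropped note
# Constructed placeholder; the talk downloaded a look-alike note from a paste site.
RANSOM_NOTE = ("Files in this directory were encrypted as part of an authorized purple team\n"
               "exercise. No production data was touched. Contact the red team lead.\n")


def assert_inside(stage: Path, target: Path) -> Path:
    """Guard rail: refuse any path that is not the staging dir or under it."""
    stage_r, target_r = stage.resolve(), target.resolve()
    if stage_r != target_r and stage_r not in target_r.parents:
        raise ValueError(f"refusing to touch {target}: outside {stage}")
    return target_r


def _derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks (stand-in cipher)."""
    blocks, counter = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return (int.from_bytes(data, "big") ^ int.from_bytes(ks, "big")).to_bytes(len(data), "big")


def create_synthetic_files(stage: Path, count: int = 5, size: int = 5 * 1024 * 1024) -> list:
    """Step 1: the only files ever encrypted are random ones generated here."""
    stage.mkdir(parents=True, exist_ok=True)
    paths = []
    for i in range(count):
        p = assert_inside(stage, stage / f"synthetic_{i}.bin")
        p.write_bytes(os.urandom(size))
        paths.append(p)
    return paths


def encrypt_file(stage: Path, path: Path, password: str) -> Path:
    """Step 2: write <name>.wasted (salt | nonce | ciphertext) and delete the original."""
    path = assert_inside(stage, path)
    salt, nonce = os.urandom(16), os.urandom(16)
    plaintext = path.read_bytes()
    body = _xor(plaintext, _keystream(_derive_key(password, salt), nonce, len(plaintext)))
    out = path.with_name(path.name + ENCRYPTED_EXT)
    out.write_bytes(salt + nonce + body)
    path.unlink()
    return out


def decrypt_file(path: Path, password: str) -> bytes:
    """Only used to prove the emulation round-trips; real crews keep this server-side."""
    raw = path.read_bytes()
    salt, nonce, body = raw[:16], raw[16:32], raw[32:]
    return _xor(body, _keystream(_derive_key(password, salt), nonce, len(body)))


def drop_note(stage: Path) -> Path:
    """Step 3: the visible artefact a user (and the SOC) should notice."""
    note = assert_inside(stage, stage / NOTE_NAME)
    note.write_text(RANSOM_NOTE)
    return note


def cleanup(stage: Path) -> None:
    """Step 4: remove the staging directory and nothing else."""
    if stage.name != STAGE_DIR_NAME:
        raise ValueError("cleanup only removes the emulation's own directory")
    shutil.rmtree(stage)


def run_emulation(base: Path, password: str, count: int = 5, size: int = 5 * 1024 * 1024) -> dict:
    """Create -> encrypt -> note. Returns what the blue team should have observed."""
    stage = base / STAGE_DIR_NAME
    originals = create_synthetic_files(stage, count, size)
    digests = {p.name + ENCRYPTED_EXT: hashlib.sha256(p.read_bytes()).hexdigest() for p in originals}
    encrypted = [encrypt_file(stage, p, password) for p in originals]
    return {"stage": stage, "encrypted": encrypted, "note": drop_note(stage), "plaintext_sha256": digests}


def run_and_verify(password: str = "CHANGE-ME", count: int = 5, size: int = 4096) -> dict:
    """End-to-end check in a temp dir: round-trip, wrong key, guard rail, total cleanup."""
    base = Path(tempfile.mkdtemp())
    r = run_emulation(base, password, count, size)
    roundtrip = all(hashlib.sha256(decrypt_file(p, password)).hexdigest() == r["plaintext_sha256"][p.name]
                    for p in r["encrypted"])
    first = r["encrypted"][0]
    wrong_key_differs = hashlib.sha256(decrypt_file(first, password + "x")).hexdigest() != r["plaintext_sha256"][first.name]
    try:
        assert_inside(r["stage"], base / "real_data.docx")   # must be refused
        guard_holds = False
    except ValueError:
        guard_holds = True
    note_dropped, originals_gone = r["note"].exists(), not list(r["stage"].glob("*.bin"))
    cleanup(r["stage"])
    return {"encrypted": len(r["encrypted"]), "note_dropped": note_dropped, "roundtrip": roundtrip,
            "wrong_key_differs": wrong_key_differs, "guard_holds": guard_holds,
            "originals_gone": originals_gone, "stage_removed": not r["stage"].exists()}


if __name__ == "__main__":
    print(run_and_verify())
```

The plan in the talk runs the same four steps from a C2 so the SOC sees the full chain (loader in memory, file creation, encryption API calls, note download); this version only exercises the on-disk behaviour, which is enough to tune file-activity and ransom-note detections before the production exercise.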
So let's go over and create the Wasted Locker synthetic malware. So I'm over here in Scythe. I'm going to the Threat Catalog, and I've already imported the Wasted Locker campaign. So here we see that it will do everything that we discussed, which was loader, run, file, crypt, downloader. It will create an EvilCorp directory on the desktop. It will create five files, all with that .wasted extension. And it will encrypt them, then it will download a message. And then it'll shut down. Now we will download that 32-bit executable onto our Linux system, so that we then use Cobalt Strike to upload it and execute it. Now we will upload the file into the C:\Users\Jorge directory. And now we will execute it. You should see that execution out here. And there's the check-in. It's going to go through and load all these modules. If we observe the directory here on the victim system, we will see it create the folder EvilCorp, create the files, encrypt those files, and then download a ransom note from Pastebin. There's the EvilCorp folder. It will now create all these files and then encrypt them, and then download the ransom note. And here we see the ransom note was downloaded. And there is the ransom note, very similar to what was used at Garmin. So as you can see, we used Cobalt Strike to get that initial access with a PowerShell script, and then used Cobalt Strike to drop this executable, which is synthetic malware created with Scythe, to emulate a ransomware attack inside a professional enterprise network without introducing any risk. How do we defend against ransomware? Well, before, we just had to worry about that initial access on preventive controls, because ransomware would find its way into any system and then encrypt it, even with user-level privileges.
But now we're seeing these more sophisticated attacks like EvilCorp's on Garmin, where the threat actor gets access to a system, does privilege escalation, moves laterally, does defense evasion, executes in a number of different ways, and then drops their encryption. So there's a number of different ways to defend against this, very similar to your other adversary emulations that didn't have the ransomware type of impact; we're now seeing those there. I did an excellent interview with Olaf from FalconForce on using things like Sysmon. Because we are calling all those encryption APIs, you should be able to detect that, especially if a whole bunch of systems do it. Now US-CERT just recently released these tips, and there's a number of other resources here. I do wanna point out another organization that was recently breached called CWT. They are an enterprise corporate travel organization. And their chats with the malicious actor were leaked. In this case, they actually paid $4 million to get access to their files. And the chat was leaked; the link is there for the entire thread, if you wanna read it. But here you can see quite a bit of advice that was given to the target organization after the malicious work was done and they got paid. They gave them some advice as to what to do, which is very similar advice to a lot of the things that we find in our adversary emulations. So obviously there's a lot more ransomware than just Wasted Locker. These are just a few with their links to MITRE ATT&CK, as well as an interesting service I saw called Shadow Intelligence, which tells you about a number of different ransomware attacks. So definitely check them out. Now, if this interests you, we have a Threat Thursday. So every Thursday we choose an adversary. We introduce an adversary, we consume cyber threat intelligence, map it to MITRE ATT&CK, create that Navigator layer just like we did here.
Then we create an adversary emulation plan. We share that plan in our community GitHub. We emulate the adversary and show it on a video, and we talk about how to defend against this. So this is all free for the community. A lot of it is with Scythe, but a lot of the living off the land you'll be able to do without using Scythe. Another thing I wanted to mention is to save the date. I know you all like free conferences. So we are hosting a free conference called UniCon, our very own unicorn conference. Yes, I work at Scythe, where we have unicorns. And that is gonna be on August 20th. We're doing some very cool stuff and creating an ecosystem for the community. So we have an SDK that allows you to create your own adversary TTPs. Think of it as creating a bug bounty, but for TTPs, for adversary behaviors. You can create these modules and put them up in this marketplace, where you can share them for free or sell them and make some money off of them. So all of that is possible through our marketplace, and we will be releasing that at UniCon. The way it works is that you use the SDK, which is completely free. You create a TTP, you add it into the marketplace, and then any Scythe user will be able to grab it or pay you for it and then run these adversary emulations in their environment and hopefully detect the different behaviors that you've created. And if not, they'll be able to test and hopefully improve. So it's an ecosystem of sharing offensive techniques so that organizations can better defend themselves. I went through a number of different references. So here is the slide. Obviously, I didn't do all of this on my own. Big shout out to the folks that did the cyber threat intelligence for EvilCorp and Wasted Locker. I did the MITRE ATT&CK mapping and, as I mentioned, all of that is shared for you, and hopefully you found all of this useful. So with that, thank you very much for your time. I really appreciate it. Hopefully you learned something here today. And...