TL;DR: firedrill is an open-source library from FourCore Labs to build malware simulations easily. We have built a set of four different attack simulations for you to use and build on top of: Ransomware Simulation, Discovery Simulation, a UAC Bypass and a Persistence Simulation.
Organizations invest a whole lot in their security controls and tooling for the security teams to be efficient. They might put in 10s of man-hours tuning a single security control to their needs building out detection rules, identifying best practice configuration and setting up automation. However, the task shouldn't end right here, it is crucial to test the effectiveness of these security systems against attackers. Usually, this is done with pentesting and red teaming activities done either in-house or by external teams. This results in immense value for the organization as its build confidence in security controls against in the event of a real attack.
Read more about firedrill on our blog.
The ransomware simulations consists of typical behaviour of a ransomware.
This includes, in this order:
- Encryption of files on the filesystem (only test files dropped by the binary ).
- Dropping a ransom note on the desktop.
- Changing the system wallapaper through registry keys (and restoring it after some time).
Sandbox Analysis
Sandbox |
---|
Hybrid-Analysis |
Intezer Analyze |
This includes, in this order:
- Encryption of user files on the filesystem (selects 10 files each from the User Desktop and Downloads folder).
- Dropping a ransom note on the desktop.
- Changing the system wallapaper through registry keys (and restoring it after some time).
Sandbox Analysis
Sandbox |
---|
Hybrid-Analysis |
Virus Total |
The discovery simulation consists of simulation of a malware executing three techniques from the Discovery tactic in MITRE ATT&CK, performing reconnaisance of system information which is used for further exploiting the system:
This includes, in this order:
- Discovering the running processes on the system.
- Discovering the peripherals present on the system.
- Discovering the softwares installed on the system with their respective versions.
Sandbox Analysis
Sandbox |
---|
Hybrid-Analysis |
Intezer Analyze |
The UAC Bypass simulation consists of malware using the fodhelper.exe utility available from Windows 10 to achieve local privilege escalation by creating a registry structure to execute arbitrary commands with adminstrator privileges:
This includes, in this order:
- Create a new registry structure in
HKCU:\Software\Classes\ms-settings\
and startnotepad.exe
with admin privileges bypassing UAC.
Sandbox Analysis
Sandbox |
---|
Hybrid-Analysis |
Intezer Analyze |
This is a simulation of a persistence techniques which use registry Run keys to achieve persistence for arbitrary payloads. These keys include: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
, EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
.
This includes, in this order:
- Add a value in the registry key at
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
to execute a sample payload embedded in the binary. - Delete the value from
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
to bring back it to it's original state for a safe simulation.
Sandbox |
---|
Hybrid-Analysis |
Intezer Analyze |
- Requires Go 1.17+, GNU make.
Mock Ransomware Simulation
$ make mockransomware
$ mockransomware.exe
System Ransomware Simulation
$ make ransomware
$ ransomware.exe
Discovery Simulation
$ make discovery
$ discovery.exe
UAC Bypass Simulation
$ make uac_bypass
$ uac_bypass.exe
Registry Run Key Simulation
$ make registry_run
$ runkeyregistry.exe
$ GOOS=linux make ransomware # and so on