ATT&CK Evaluations Round 6 Enterprise 2024 (#13)
ATT&CK Evaluations Round 6 Enterprise 2024

Co-authored-by: Daniel Matthews <58484522+uruwhy@users.noreply.github.com>
Co-authored-by: Scott Busby <20218365+CodenameSn0w@users.noreply.github.com>
Co-authored-by: Kara Pepper <78662790+kmpepper@users.noreply.github.com>
Co-authored-by: Chris Lenk <clenk@users.noreply.github.com>
Co-authored-by: 5lickRick <37700928+5lickRick@users.noreply.github.com>
Co-authored-by: Rob Shovan <83430825+Voitheia@users.noreply.github.com>
Co-authored-by: coolestcatiknow <cself@mitre.org>
Co-authored-by: Jordan Voss <31215789+jordanVoss@users.noreply.github.com>
Co-authored-by: Michael Butt <869064+m3mike@users.noreply.github.com>
Co-authored-by: Jessie Purser <36976860+jessiepurser@users.noreply.github.com>
Co-authored-by: Christopher Aguila <159798945+caguila44@users.noreply.github.com>
Co-authored-by: Ricky Chen <124005584+HackedRico@users.noreply.github.com>
Co-authored-by: Randy Quang <174381485+randyquang@users.noreply.github.com>
Co-authored-by: iazoy <175045228+iazoy@users.noreply.github.com>
Co-authored-by: supremerobertson <86260966+supremerobertson@users.noreply.github.com>
Co-authored-by: klesprit <93490035+klesprit@users.noreply.github.com>
Co-authored-by: Crystal <101662417+IfLooksCouldKale@users.noreply.github.com>
Co-authored-by: rrustici <131465698+rrustici@users.noreply.github.com>
Co-authored-by: tschechter44 <tschechter@mitre.org>
Co-authored-by: Lex <86126040+alexiacrumpton@users.noreply.github.com>
Co-authored-by: Jonathan Yee <81784737+yee-jonathan@users.noreply.github.com>
Co-authored-by: Allison <175127177+ahenao4@users.noreply.github.com>
1 parent 3e30348 commit 5199b1c
Showing 1,111 changed files with 186,336 additions and 3 deletions.
18 changes: 18 additions & 0 deletions Enterprise/cl0p/CTI_Emulation_Resources/CL0P_Scenario_Diagrams.md
@@ -0,0 +1,18 @@
# Scenario Diagrams

## Operations Flow

![CL0POpsFlow.png](../Resources/assets/CL0POpsFlow.png)

## Infrastructure Diagram

> [!IMPORTANT]
> The CL0P, DPRK, and LockBit adversaries as well as the Protections micros share an infrastructure configuration.
>
> See the [setup documentation](../Resources/setup/README.md) for the [CL0P](../Resources/setup/README.md) adversary infrastructure setup for guidance on setting up the shared infrastructure configuration.
![ER6Infrastructure](../Resources/setup/assets/evaluations-enterprise-round-6_publish.png)

## Emulation Plan Technique Scope

![Cl0pTechniqueScope.svg](../Resources/assets/Cl0pTechniqueScope.svg)
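Review bot: the infrastructure image is not separated from the `> [!IMPORTANT]` callout by a blank line, so Markdown treats the `![ER6Infrastructure](...)` line as a lazy continuation of the blockquote paragraph and renders the diagram inside the alert box; add a blank line after the `> See the [setup documentation]...` line. Minor: that sentence links both `setup documentation` and `CL0P` to the same `../Resources/setup/README.md`, so one of the two links is redundant and could be plain text.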
23 changes: 23 additions & 0 deletions Enterprise/cl0p/CTI_Emulation_Resources/CL0P_Scenario_Overview.md
@@ -0,0 +1,23 @@
# Scenario Overview

This scenario involved attackers dropping Cl0P onto a victim admin user’s workstation and the subsequent theft and encryption of files. Included below is an overview of the attack sequence and major activities executed by the threat actor. For more detailed information about red team activities, please refer to the [Cl0P Emulation Plan](../Emulation_Plan/ER6_CL0P_Scenario.md).

The following activity is white carded and takes place outside the bounds of the scenario's official start: The attack began with a victim user receiving a malicious HTML attachment via phishing. Once opened, the HTML page stealthily redirected the user to a compromised website. This prompted the downloading of a document containing malicious macros and the deployment of the Get2loader onto the system. Get2loader is executed and collected essential system information including: the computer and usernames, OS version, and a list of running processes. This data was sent via HTTP post requests to a predetermined command and control (C2) server.

## Overview

1. The scenario starts with the attackers working to maintain persistence by downloading and executing **SDBbot**, a custom remote access Trojan (RAT) backdoor that eventually delivered the final Cl0P ransomware payload. The **SDBbot** installer, a DLL file located in the user's AppData\Roaming directory, stored the RAT component in the system registry. Given that the affected user had admin privileges on a Windows OS newer than version 7, the **SDBbot installer** established persistence through image file execution options injection.

![CL0PSoftwareFlowS1.png](../Resources/assets/CL0PSoftwareFlowS1.png)

2. As soon as the victim launched a browser, the **SDBbot loader** read the binary blob from the registry and executed it. This triggered the shellcode to load another DLL, setupapi.dll, which decompressed and executed the **SDBbot RAT** payload directly in memory. Establishing communication over TCP port 443, the RAT sent detailed discovery output, including: domain name, computer name, country code, OS version, user rights, and proxy settings.

![CL0PSoftwareFlowS2.png](../Resources/assets/CL0PSoftwareFlowS2.png)

3. The attackers then used **SDBbot** to deploy and execute the **Cl0P** ransomware on the victim's machine. Once unpacked and decompressed, **Cl0P** checked the system's keyboard layout and font settings, avoiding Russian language configurations to evade detection. **Cl0P** then performs a series of actions, including disabling security defenses, stopping various processes, and clearing Windows event logs. Next, the ransomware ran discovery on the target system. Upon locating a nearby Active Directory server, it hijacked the victim's RDP session to infiltrate the server.

![CL0PSoftwareFlowS3.png](../Resources/assets/CL0PSoftwareFlowS3.png)

4. **Cl0P** identified and encrypted files of interest using AES encryption, appending the [.]C_I0p extension to each. A ransom note, titled "Readme!_CI0P!.txt," was left behind. To further cripple recovery efforts, the ransomware deleted volume shadow copies, resized shadow copy storage, cleared Windows Event logs, and used bcedit to disable recovery options. Critical processes were terminated using TerminateProcess and netstop, leaving the victim's system in disarray.

![CL0PSoftwareFlowS4.png](../Resources/assets/CL0PSoftwareFlowS4.png)
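Review bot: step 4 names the recovery-disabling tools as `bcedit` and `netstop`; the Windows utilities are `bcdedit` and `net stop`, and because readers will search detection telemetry for these names, the spelling should match the real binaries. The overview also shifts tense inside a step ("Cl0P checked ... Cl0P then performs ... the ransomware ran") and in the white-card paragraph ("Get2loader is executed and collected"); the past tense used everywhere else is the safer choice. Minor: the malware name is spelled `Cl0P` here but `CL0P` in the sibling Scenario Diagrams and README files, and `Get2loader` here versus `Get2 Downloader` in the README reference table; pick one form for the plan.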
18 changes: 18 additions & 0 deletions Enterprise/cl0p/CTI_Emulation_Resources/README.md
@@ -0,0 +1,18 @@
# CL0P

## Adversary Overview

Active since at least 2019, [CL0P](https://attack.mitre.org/software/S0611/) is a sophisticated ransomware family that is associated with the [TA505](https://attack.mitre.org/groups/G0092/) cybercriminal group and possibly FIN11. CL0P employs phishing campaigns to gain initial access, often using macro-enabled documents to deploy malicious loaders. Like most other ransomware families, CL0P leverages “steal, encrypt, and leak” strategy - they identify and encrypt files, append various extensions (e.g., .clop) and leverage threats of data leaks on their Tor site, CL0P^_-LEAKS, to pressure victims into paying ransoms. Recent attacks have exploited vulnerabilities in software such as [MOVEit Transfer](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a) and [GoAnywhere](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a) MFT, leading to significant breaches and prompting U.S. authorities to offer [rewards](https://x.com/RFJ_USA/status/1669740545403437056?prefetchTimestamp=1731528766880) for information on the group's members. CL0P is utilized for financial gain and therefore, has a more randomized approach in its targeting and does not appear to target any particular region or sector. CL0P's adaptive tactics and extensive targeting capabilities make it one of the most formidable ransomware threats today.

## Key Adversary Report References

| Source ID | Report Links |
| --- | --- |
1 | [CISA #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a#:~:text=According%20to%20open%20source%20information,%20beginning%20on%20May%2027,%202023,)
2 | [Proofpoint US Get2 Downloader & SDBbot RAT Analysis](https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader)|
3 | [Ransomware Spotlight: Clop ](https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-clop)
4 | [CL0P Ransomware: The Latest Updates](https://cyberint.com/blog/dark-web/cl0p-ransomware/)
5 | [Investigating CL0P ransomware & MOVEit 2023 breach](https://sectrio.com/blog/deconstructing-cl0p-ransomware-moveit-2023-breach/)
6 | [Cybereason vs. Cl0p Ransomware](https://www.cybereason.com/blog/research/cybereason-vs.-clop-ransomware)
7 | [McAfee Blog Clop Ransomware](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/)
8 | [Palo Alto Threat Assessment: Clop Ransomware](https://unit42.paloaltonetworks.com/clop-ransomware/)
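Review bot: in the Adversary Overview paragraph the `GoAnywhere` link reuses the MOVEit advisory URL (`.../aa23-158a`), so both links resolve to the same CISA page; point GoAnywhere at a GoAnywhere-specific reference or drop the second link. The Source ID 1 URL also carries a `#:~:text=...` scroll-to-text fragment, which only some browsers honor and which breaks if the advisory wording changes; the plain advisory URL is sufficient. Minor wording and layout: "leverages “steal, encrypt, and leak” strategy" is missing an article ("a ... strategy"), row 3 of the table has a stray space inside the link text (`Clop ]`), and only row 2 ends with a trailing `|` while the header rows use leading and trailing pipes; GFM renders it either way, but the rows should be consistent.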