/firedrill

firedrill is a malware simulation harness for evaluating your security controls

Primary LanguageGoMIT LicenseMIT

🧯firedrill: A malware simulation harness

goreleaser

TL;DR: firedrill is an open-source library from FourCore Labs to build malware simulations easily. We have built a set of four different attack simulations for you to use and build on top of: Ransomware Simulation, Discovery Simulation, a UAC Bypass and a Persistence Simulation.

Organizations invest a whole lot in their security controls and tooling for the security teams to be efficient. They might put in 10s of man-hours tuning a single security control to their needs building out detection rules, identifying best practice configuration and setting up automation. However, the task shouldn't end right here, it is crucial to test the effectiveness of these security systems against attackers. Usually, this is done with pentesting and red teaming activities done either in-house or by external teams. This results in immense value for the organization as its build confidence in security controls against in the event of a real attack.

firedrill

Read more about firedrill on our blog.

Ransomware Simulation

The ransomware simulation consists of typical behaviour of a ransomware.

This includes, in this order:

  • Encryption of files on the filesystem (only test files dropped by the binary and ).
  • Dropping a ransom note on the desktop.
  • Changing the system wallapaper through registry keys (and restoring it after some time).

Sandbox Analysis

Sandbox
Hybrid-Analysis
Intezer Analyze

Discovery Simulation

The discovery simulation consists of simulation of a malware executing three techniques from the Discovery tactic in MITRE ATT&CK, performing reconnaisance of system information which is used for further exploiting the system:

This includes, in this order:

  • Discovering the running processes on the system.
  • Discovering the peripherals present on the system.
  • Discovering the softwares installed on the system with their respective versions.

Sandbox Analysis

Sandbox
Hybrid-Analysis
Intezer Analyze

UAC Bypass Simulation

The UAC Bypass simulation consists of malware using the fodhelper.exe utility available from Windows 10 to achieve local privilege escalation by creating a registry structure to execute arbitrary commands with adminstrator privileges:

This includes, in this order:

  • Create a new registry structure in HKCU:\Software\Classes\ms-settings\ and start notepad.exe with admin privileges bypassing UAC.

Sandbox Analysis

Sandbox
Hybrid-Analysis
Intezer Analyze

Registry Run Key Persistence Simulation

This is a simulation of a persistence techniques which use registry Run keys to achieve persistence for arbitrary payloads. These keys include: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, EY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce.

This includes, in this order:

  • Add a value in the registry key at HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to execute a sample payload embedded in the binary.
  • Delete the value from HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to bring back it to it's original state for a safe simulation.
Sandbox
Hybrid-Analysis
Intezer Analyze

Usage

  • Requires Go 1.17+, GNU make.

Windows

Ransomware Simulation

$ make ransomware
$ ransomware.exe

Discovery Simulation

$ make discovery
$ discovery.exe

UAC Bypass Simulation

$ make uac_bypass
$ uac_bypass.exe

Registry Run Key Simulation

$ make registry_run
$ runkeyregistry.exe

Linux/bash

$ GOOS=windows make ransomware # and so on