#ThreatThursday - MAZE

    Adam Mashinchi
    by Adam Mashinchi
    October 01, 2020

    Welcome to another edition of #ThreatThursday. This week we are excited to kick off Cybersecurity Awareness Month looking at MAZE, a ransomware threat which emerged around May 2019, predominantly affecting organizations in the USA. MAZE, like other ransomware, also has an extortion component, where exfiltration of the original data also occurs in addition to the encryption/ransom component. This week, we will walk through the variety of CTI analysis which has been conducted on MAZE in addition to creating and sharing an Adversary Emulation Plan. We hope you enjoy it.

    Cyber Threat Intelligence

    When looking at the variety of cyber threat intelligence available for the MAZE threat, we are given a crystallene example of the ways that CTI can be incredibly specific regarding some details, while simultaneously being sparse with other details. For example this report gives very explicit details regarding the phishing attacks conducted to compromise systems with MAZE. Another report goes into amazing detail about the processes and memory games which the MAZE binaries are observed to play. And yet another report gives us details regarding the authors, and their ransom management software. However, even with the excellent information provided in these reports and others, there are some details which still elude us when attempting to replicate the explicit behaviors of the MAZE threat.

    For an explicit example of the discrepancy between CTI analysis, and explicit behaviors we can take the following sentence as an example:

    “Multiple built-in Windows commands were used to enable network, account, and host reconnaissance of the impacted environment …”

    The above is certainly useful in regards to gaining insight into a threat actor’s general behaviors and goals; but leaves us wanting when attempting to re-create the explicit behavior utilized by the threat actor.

    There are some very practical and interesting artifacts which CTI provides us, and which allow us to leave some interesting IOC’s on endpoints when emulating the MAZE Threat. For example: we have through these reports a litany of example PDB paths which we can use when generating custom binaries, and we also have explicit details about the content of the ransom notes left by MAZE. These details are critical for IR and Purple team events, and provide even more realism to our Adversary Emulation Plan.

    Adversary Emulation Plan

    Reviewing the Cyber Threat Intelligence report and MITRE ATT&CK mapping, we organize the TTPs by Tactic and create a threat profile for MAZE:





    MAZE ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, MAZE operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies. (https://attack.mitre.org/software/S0449/)

    Command and Control

    T1071 - Application Layer Protocol

    T1105 - Ingress Tool Transfer

    T1219 - Remote Access Software


    T1059 - Command and Scripting Interpreter

    T1059.001 - PowerShell

    T1059.003 - Windows Command Shell

    T1053 - Scheduled Task/Job

    T1053.005 - Scheduled Task

    Defense Evasion

    T1078 - Valid Accounts

    T1078.003 - Local Accounts

    T1112 - Modify Registry

    Credential Access

    T1003 - OS Credential Dumping

    T1003.001 - LSASS Memory


    T1007 - System Service Discovery

    T1012 - Query Registry

    T1016 - System Network Configuration Discovery

    T1033 - System Owner/User Discovery

    T1057 - Process Discovery

    T1082 - System Information Discovery

    T1083 - File and Directory Discovery

    T1087 - Account Discovery

    T1124 - System Time Discovery

    T1518 - Software Discovery

    T1518.001 - Security Software Discovery

    Privilege Escalation



    T1547 - Boot or Logon Autostart Execution

    T1547.001 - Registry Run Keys / Startup Folder


    T1005 - Data from Local System

    T1074 - Data Staged

    T1074.001 - Local Data Staging

    T1560 - Archive Collected Data

    T1560.002 - Archive via Library


    T1041 - Exfiltration Over C2 Channel


    T1485 - Data Destruction

    T1486 - Data Encrypted for Impact

    Lost in the MAZE?

    For the sake of our Adversary Emulation of MAZE, we focused more heavily on what could be executed on a specific endpoint, in that specific user’s space of privilege; rather than focusing on initial access method, various privilege escalation techniques, and propagation. The rationale for this was to have the ability to quickly and easily conduct an execution event on a single endpoint, to see which (if any) of our defensive triggers might be lit up by MAZE’s variety of Discovery and Impact operations. 

    The hope is that some combination of the actions on objective we are conducting, ranging from compressing of files to the use of encryption, would trigger some combination of alarms for a AV, EDR, or Log Monitoring perspective.

    With those goals in mind, we created the following SCYTHE Threat template, available in our Community Threats repository: https://github.com/scythe-io/community-threats/tree/master/MAZE 


    MAZE is a fascinating threat from both an analysis and emulation perspective as it, once again, forces the collective information security community into simultaneously knowing a great deal about a threat actor, while also having minimal details regarding the way it explicitly performs its behaviors. However the variety of discovery techniques, blended with the exfiltration and ransomware behaviors, makes for what can be seens as a bit of a “kitchen sink” from a malware perspective. The realities of the information contrast between CTI sources, and the reliance on signituring of payloads and IP/Domains, gives defenders a wide range of IOC’s to act on, while still left feeling lacking from a threat emulation perspective.

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

    About SCYTHE

    SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io

    Adam Mashinchi
    Post by Adam Mashinchi
    October 1, 2020