Red Team and Open-Source Mitre’s ATT&CK Framework Test Tools


One way to learn how to better defend your enterprise is to train a red team to simulate attacks. The MITRE ATT&CK framework is a very useful collection of threat tactics and techniques for such a team: it classifies and describes a wide range of attacks. To make it even more effective, various commercial and open-source testing tools have been built to complement its schemas.

Adversarial Tactics, Techniques & Common Knowledge

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.

https://attack.mitre.org/wiki/Main_Page

Video: Post-Exploit Threat Modeling with ATT&CK


Red Team Automation (RTA)

RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

RTA is composed of Python scripts that generate evidence of over 50 different ATT&CK tactics, as well as a compiled binary application that performs activities such as file timestomping, process injection, and beacon simulation as needed.

Where possible, RTA attempts to perform the actual malicious activity described. In other cases, the RTAs will emulate all or parts of the activity. For example, some lateral movement will by default target the local host (though parameters typically allow for multi-host testing). In other cases, executables such as cmd.exe or python.exe will be renamed to make it appear as if a Windows binary is doing non-standard activities.

Introduction: https://www.endgame.com/blog/technical-blog/introducing-endgame-red-team-automation

Download: https://github.com/endgameinc/RTA

CALDERA

CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behavior, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions.

Introduction: https://www.mitre.org/research/technology-transfer/open-source-software/caldera

Download: https://github.com/mitre/caldera

Atomic Red Team

Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.

Our Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework. Each test is designed to map back to a particular tactic. We hope that this gives defenders a highly actionable way to immediately start testing their defenses against a broad spectrum of attacks.

Introduction: https://www.redcanary.com/blog/atomic-red-team-testing/

Download: https://github.com/redcanaryco/atomic-red-team

Metta

Metta is an information security preparedness tool.

This project uses Redis/Celery, python, and vagrant with virtualbox to do adversarial simulation. This allows you to test (mostly) your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants.

Introduction: https://medium.com/uber-security-privacy/uber-security-metta-open-source-a8a49613b4a

Download: https://github.com/uber-common/metta

Reference:

https://www.csoonline.com/article/3268545/data-breach/4-open-source-mitre-attandck-test-tools-compared.html 


Invoke-Adversary – Simulating Adversary Operations

Invoke-Adversary is a PowerShell script that helps you to evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. I was inspired to write this script after seeing the excellent APTSimulator tool from Florian Roth.

Warning

Update 4/14/2018 – In the original script, 3rd-party tools were downloaded by the script automatically. I believe that the original disclaimers were enough, but decided to change it due to the feedback I got, and now the script asks the users to download the 3rd-party tools by themselves – with additional warnings and hash file checking.

This script is provided AS IS without warranty of any kind.

The script should be used for authorized testing and/or educational purposes only, with no exceptions. By using the script, a Windows system’s security and stability (including but not limited to: password dumps, disabling security features, etc.) may be affected, so DON’T RUN IT ON PRODUCTION systems.

The script is my own, based on other researchers’ public domain knowledge and not related to Microsoft in any form.


“Kill Chain”, or What happens during a targeted cybersecurity attack?

The cybersecurity kill chain is a framework developed by Lockheed Martin for the identification and prevention of cyber intrusion activity. Because attacks occur in stages, you, as a defender, can put optics and controls in place to detect or disrupt the process at each stage.

The stages of the Kill Chain are:

  • Reconnaissance – an attacker is probing for a weakness or bad configuration
  • Weaponization – an attacker is building a payload that can be delivered to the victim (can be a PDF file or an Office document)
  • Delivery – sending the payload via e-mail, web link or removable media
  • Exploit – the payload will execute on the victim’s network
  • Installation – the payload will download additional remote access tools and install them to maintain persistence
  • Command and Control – a channel is created between the victim and the attacker
  • Actions – the intended goal is executed (encrypt files, exfiltration of data, etc.)

On top of that model, MITRE, a not-for-profit organization, developed an enhanced model for cyber adversarial behavior, called the “Adversarial Tactics, Techniques, and Common Knowledge” (ATT&CK™) Matrix.

Currently, the MITRE ATT&CK™ Matrix provides the most comprehensive framework for adversarial techniques and tactics that enterprises encounter daily.

Tactic – Description

  • Persistence – Techniques for persistent presence on a compromised system
  • Privilege Escalation – Techniques for an adversary to obtain a higher level of permissions
  • Defense Evasion – Techniques an adversary may use to evade detection or avoid other defenses
  • Credential Access – Techniques resulting in access to or control over system, domain, or service credentials
  • Discovery – Techniques that allow the adversary to gain knowledge about the system and internal network
  • Lateral Movement – Techniques that enable an adversary to access and control remote systems on a network
  • Execution – Techniques that result in execution of adversary-controlled code on a local or remote system
  • Collection – Techniques used to identify and gather information
  • Exfiltration – Techniques that result in or aid the adversary removing files and information from a target network
  • Command and Control – Techniques that represent how adversaries communicate with systems under their control within a target network


Many companies are using Security Information and Event Management (SIEM), Endpoint Protection Platform (EPP) and Endpoint Detection & Response (EDR) products to monitor and protect their environments. What seems to be missing is a tool that can generate real data that represents real-world targeted attacks.

Invoke-Adversary is a PowerShell script that uses a set of functions to simulate post-compromise adversarial behavior within Windows Enterprise networks.

By using Invoke-Adversary script you can:

  • Assess your security monitoring tools and practices
  • Evaluate Endpoint detection agents

Setup

Requirements for deploying:

Usage

  • The simplest way to run the script is to open an elevated (run as Administrator) PowerShell ISE window and press F5.

  • The script will start, and the first thing you need to do is read the disclaimer and accept the terms by typing “yes”
  • Now you can select any test case by choosing its number on the menu

  • Choose which test you want to run by choosing its number on the menu

Screenshots


What are the tactics

Defense Evasion

  • Disable network interface – Disables a network adapter and causes loss of network connectivity
  • Disable Windows Defender AV – Turn off real-time protection, scanning all downloaded files and attachments, behavior monitoring, network protection and privacy mode
  • Add local firewall rule exceptions – Add fictitious rule “Invoke-APT Test Rule” to Windows Advanced Firewall
  • Turn off Windows Firewall – Turn off Windows Advanced Firewall
  • Clear Security Log – clears the Security log using the wevtutil command
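The Defense Evasion tests above each change host state that a blue team should expect to see reported. The following audit script is an added example, not part of the Invoke-Adversary script or the original post: it reads back each of those state changes with standard Windows cmdlets so you can confirm what the test did and compare it against what your EPP/EDR/SIEM reported. The only page-specific value it assumes is the firewall rule name “Invoke-APT Test Rule”; the Security event ID 1102 (“The audit log was cleared”) is the standard event Windows writes after wevtutil clears the log. Run it from an elevated PowerShell window.

```powershell
# Added example (not Invoke-Adversary code): audit the host for the state the
# "Defense Evasion" tests change. Requires an elevated PowerShell session.
function Test-DefenseEvasionState {
    [CmdletBinding()]
    param(
        # Rule name from the page; change it if you rename the fictitious rule
        [string]$TestRuleName = 'Invoke-APT Test Rule'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # "Disable network interface": any adapter currently in the Disabled state
    Get-NetAdapter -ErrorAction SilentlyContinue |
        Where-Object { $_.Status -eq 'Disabled' } |
        ForEach-Object { $findings.Add("Network adapter disabled: $($_.Name)") }

    # "Disable Windows Defender AV": the real-time, IOAV and behaviour-monitoring toggles
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        if ($mp.DisableRealtimeMonitoring) { $findings.Add('Defender real-time monitoring is disabled') }
        if ($mp.DisableBehaviorMonitoring) { $findings.Add('Defender behaviour monitoring is disabled') }
        if ($mp.DisableIOAVProtection)     { $findings.Add('Defender scanning of downloaded files/attachments is disabled') }
    }

    # "Add local firewall rule exceptions": the fictitious test rule
    $rule = Get-NetFirewallRule -DisplayName $TestRuleName -ErrorAction SilentlyContinue
    if ($rule) {
        $findings.Add("Firewall rule present: '$TestRuleName' (Action=$($rule.Action), Enabled=$($rule.Enabled))")
    }

    # "Turn off Windows Firewall": any profile whose Enabled flag is False
    Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Enabled)" -eq 'False' } |
        ForEach-Object { $findings.Add("Firewall profile disabled: $($_.Name)") }

    # "Clear Security Log": after wevtutil cl Security, event 1102 is the first
    # entry in the freshly cleared log, with the SID of the account that cleared it
    $cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
                            -MaxEvents 5 -ErrorAction SilentlyContinue
    foreach ($evt in $cleared) {
        $findings.Add("Security log cleared at $($evt.TimeCreated) (SID $($evt.UserId))")
    }

    return $findings
}

# Usage: print every finding; an empty result means none of the tested state changes is present
Test-DefenseEvasionState | ForEach-Object { Write-Output "[!] $_" }
```

Run it once before the Defense Evasion tests to get a clean baseline, and again afterwards; every line that appears the second time is a state change your monitoring should have alerted on (the firewall rule and the 1102 event are the easiest to correlate with a SIEM rule, the Defender toggles are usually surfaced by the EPP itself).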

Persistence Tactics

  • Accessibility Features – “Hijack” sethc.exe with cmd.exe using “Image File Execution Options”
  • AppInit DLLs – Adds entry for pserver32.dll under AppInit_DLLs
  • Application Shimming – Create registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842562ef-8d28-411d-a67d-ab75ef611fe8}.sdb
  • Create local user – A new user (user name is: support_388945a0)
  • Create local Administrator – A new user created (user name is: Lost_337fde69_81a9) and added to local Administrators group
  • Create New Service – new service (WindowsHealth) is created
  • Create New Service (Unquoted Path) – same as previous, just with unquoted path
  • Registry Run Keys [HKLM] – New run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  • Registry Run Keys [HKCU] – New run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Scheduled tasks – new scheduled task (OfficeUpdaterA) is created
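Every Persistence test above leaves a named artifact behind (a registry value, a user, a service, a task). The script below is an added example, not part of the Invoke-Adversary script or the original post: it checks for each of those artifacts using the names and registry paths listed on the page, so a defender can verify the test ran, confirm each artifact was reported by the endpoint agent, and know exactly what to remove afterwards. The registry locations for Image File Execution Options and AppInit_DLLs are the standard Windows ones; everything else comes from the list above.

```powershell
# Added example (not Invoke-Adversary code): look for the artifacts the
# "Persistence" tests create. Run from an elevated PowerShell session.
function Test-PersistenceArtifacts {
    [CmdletBinding()]
    param()
    $findings = New-Object System.Collections.Generic.List[string]

    # "Accessibility Features": an IFEO Debugger value hijacking sethc.exe
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
    $dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO debugger on sethc.exe: $dbg") }

    # "AppInit DLLs": the test adds pserver32.dll to AppInit_DLLs
    $winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $winKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) { $findings.Add("AppInit_DLLs is populated: $appInit") }

    # "Application Shimming": the .sdb uninstall key named on the page
    $sdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842562ef-8d28-411d-a67d-ab75ef611fe8}.sdb'
    if (Test-Path -Path $sdbKey) { $findings.Add("Shim database uninstall key present: $sdbKey") }

    # "Create local user" / "Create local Administrator"
    foreach ($name in 'support_388945a0', 'Lost_337fde69_81a9') {
        if (Get-LocalUser -Name $name -ErrorAction SilentlyContinue) {
            $findings.Add("Local user present: $name")
        }
    }
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -like '*\Lost_337fde69_81a9' }) {
        $findings.Add('Lost_337fde69_81a9 is a member of the local Administrators group')
    }

    # "Create New Service" (quoted and unquoted-path variants)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WindowsHealth'" -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add("Service present: $($svc.Name) -> $($svc.PathName)")
        # The second variant leaves a path with spaces and no surrounding quotes
        if ($svc.PathName -match '\s' -and $svc.PathName -notmatch '^"') {
            $findings.Add('Service binary path is unquoted and contains spaces')
        }
    }

    # "Registry Run Keys [HKLM]" / "[HKCU]": list every value under the two keys the tests use
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            $props.PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
                ForEach-Object { $findings.Add("Run value under ${key}: $($_.Name) = $($_.Value)") }
        }
    }

    # "Scheduled tasks": the OfficeUpdaterA task
    $task = Get-ScheduledTask -TaskName 'OfficeUpdaterA' -ErrorAction SilentlyContinue
    if ($task) { $findings.Add("Scheduled task present: $($task.TaskName) (state $($task.State))") }

    return $findings
}

# Usage: print every artifact found; nothing printed means none of the listed artifacts is present
Test-PersistenceArtifacts | ForEach-Object { Write-Output "[!] $_" }
```

The run-key check deliberately lists every value rather than only the one the test writes, since the HKCU Run key is shared with legitimate software; diff its output before and after the test to isolate what Invoke-Adversary added.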

Credential Access

  1. Mimikatz – Logonpasswords – Download mimikatz to a random file name and execute it with the following arguments “privilege::debug” “sekurlsa::logonpasswords” “exit” (credit: https://twitter.com/gentilkiwi)
  2. PowerShell Mimikatz – Run Invoke-Mimikatz.ps1  (credit: https://twitter.com/josephbialek?lang=en)
  3. PowerShell Encoded Mimikatz – Run Invoke-Mimikatz.ps1 with encoded PowerShell command line
  4. Capture Lsass Memory Dump – Using Windows Error Reporting to capture lsass memory (credit: https://twitter.com/mattifestation)
  5. Capture Lsass Memory Dump (ProcDump) – Download ProcDump to a random file and capture lsass memory
  6. Copy Local SAM File (via Invoke-NinjaCopy) – Run Invoke-NinjaCopy to copy C:\Windows\System32\config\sam file (credit: https://twitter.com/josephbialek?lang=en)

Discovery Tactics

  1. Account Discovery – running net commands to discover local and domain users and groups
  2. Network Service Scanning – port scan (1-1024) on a user-selected host
  3. System Owner Discovery – whoami command
  4. System Time Discovery – Running “net time” and “w32tm.exe /tz” commands
  5. Service Discovery – List of all services
  6. Network Connections Discovery – netstat
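The Discovery tests are plain command-line tools (net, whoami, w32tm, netstat), so the natural place to detect them is process-creation telemetry. The script below is an added example, not part of the Invoke-Adversary script or the original post: it normalises a process command line into image name plus arguments, matches it against a small rule set for the tactics listed above, and can pull real command lines from Security event 4688 when command-line auditing is enabled. The rule set and the sample command lines are my own construction; the page does not say which command the “Service Discovery” test runs, so the sc/tasklist/net start patterns for that tactic are an assumption.

```powershell
# Added example (not Invoke-Adversary code): map process command lines to the
# Discovery tactics listed above. Patterns and samples are constructed for this example.

# Split "image arguments" handling both quoted and bare image paths; returns the
# lower-cased executable name without .exe plus the remaining argument string
function Split-CommandLine {
    param([string]$CommandLine)
    $line = $CommandLine.Trim()
    if ($line.StartsWith('"')) {
        $end = $line.IndexOf('"', 1)
        if ($end -lt 1) { $end = $line.Length }      # unterminated quote: treat whole line as image
        $image = $line.Substring(1, $end - 1)
        $rest  = if ($end + 1 -lt $line.Length) { $line.Substring($end + 1) } else { '' }
    } else {
        $parts = $line -split '\s+', 2
        $image = $parts[0]
        $rest  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    $exe = ([System.IO.Path]::GetFileName($image)) -replace '\.exe$', ''
    [pscustomobject]@{ Exe = $exe.ToLowerInvariant(); Args = $rest.Trim() }
}

# Exe is an alternation matched against the whole executable name; Args is a
# regex over the argument string ('' means any arguments). -match is case-insensitive.
$DiscoveryRules = @(
    @{ Tactic = 'Account Discovery';             Exe = 'net|net1'; Args = '^(user|group|localgroup)\b' }
    @{ Tactic = 'System Owner Discovery';        Exe = 'whoami';   Args = '' }
    @{ Tactic = 'System Time Discovery';         Exe = 'net|net1'; Args = '^time\b' }
    @{ Tactic = 'System Time Discovery';         Exe = 'w32tm';    Args = '/tz' }
    @{ Tactic = 'Service Discovery';             Exe = 'sc';       Args = '^query\b' }      # assumed
    @{ Tactic = 'Service Discovery';             Exe = 'net|net1'; Args = '^start\s*$' }    # assumed
    @{ Tactic = 'Service Discovery';             Exe = 'tasklist'; Args = '/svc' }          # assumed
    @{ Tactic = 'Network Connections Discovery'; Exe = 'netstat';  Args = '' }
)

# Returns one object per command line that matches a rule (first matching rule wins)
function Get-DiscoveryHits {
    param([string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        $cmd = Split-CommandLine -CommandLine $cl
        foreach ($rule in $DiscoveryRules) {
            if ($cmd.Exe -match "^(?:$($rule.Exe))$" -and
                ($rule.Args -eq '' -or $cmd.Args -match $rule.Args)) {
                [pscustomobject]@{ Tactic = $rule.Tactic; CommandLine = $cl }
                break
            }
        }
    }
}

# Live source: CommandLine field of Security 4688 events (needs "Audit Process
# Creation" and "Include command line in process creation events" enabled)
function Get-ProcessCreationCommandLines {
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        } | Where-Object { $_ }
}

# Constructed sample input: four discovery commands as they appear in 4688 data, plus one benign line
$SampleCommandLines = @(
    'net  user /domain',
    '"C:\Windows\System32\whoami.exe" /all',
    'w32tm.exe /tz',
    'C:\Windows\system32\netstat.exe -ano',
    '"C:\Program Files\Acme\updater.exe" --check'
)

# Offline run over the sample (four hits, the updater line is ignored);
# replace with (Get-ProcessCreationCommandLines) to scan the live log
Get-DiscoveryHits -CommandLines $SampleCommandLines | Format-Table -AutoSize
```

On a real host the interesting signal is not any single hit but several tactics from the same parent process within a short window, which is exactly what the Invoke-Adversary menu produces when you run the Discovery tests back to back; group the live output by parent process and time to build that correlation.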

Command and Control

  1. Commonly used Ports – Trying to connect to a user-selected host
  2. Uncommonly used Ports – Trying to connect to a user-selected host using uncommon ports (credit: Florian Roth)
  3. Web Service – Create a new post at pastebin and upload BITS service information
  4. DNS – Well-Known Blacklisted IP Address – Resolving top 10 malicious IP addresses (credit: Florian Roth)
  5. Connect – Well-Known Blacklisted IP Address – Connecting to top 10 malicious IP addresses (credit: Florian Roth)

Execution

  1. PsExec (random file name) – Rename PsExec to a random file name and execute it (credit: https://twitter.com/markrussinovich)
  2. PsExec (Remote) – Running PsExec on a user-selected host
  3. PowerShell API call – Native API call from PowerShell
  4. Self Delete (batch file) – self deleting batch file
  5. WMI Process Execution – use the WMI command-line (WMIC) utility

Collection

  1. Screen Capture – screen capture (credit: https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/)

AppLocker ByPasses

  1. Regsvr32 – Regsvr32 technique (credit: https://twitter.com/subTee)

Original Post: https://blogs.technet.microsoft.com/motiba/2018/04/09/invoke-adversary-simulating-adversary-operations/
