# powershell: nslookup to query domain controler(hoteldc) for ip from ARP (Caldera ?) https://attack.mitre.org/techniques/T1018/
# powershell: nslookup to query domain controler(hoteldc) for ip from ARP (Caldera ?) https://attack.mitre.org/techniques/T1018/
# TODO: Add a new machine in config as <itadmin> ip. Re-activate. This command caused trouble afterwards (uploading mimikatz). Maybe it is because of an error
# TODO: Add a new machine in config as <itadmin> ip. Re-activate. This command caused trouble afterwards (uploading mimikatz). Maybe it is because of an error
@ -244,7 +245,9 @@ class FIN7Plugin(AttackPlugin):
defstep7(self):
defstep7(self):
self.attack_logger.vprint(
self.attack_logger.vprint(
f"{CommandlineColors.OKBLUE}Step 7: Setup User Monitoring{CommandlineColors.ENDC}",1)
f"{CommandlineColors.OKBLUE}Step 7 on itadmin: Setup User Monitoring{CommandlineColors.ENDC}",1)
# Start situation: Step 6 executed a meterpreter in hollow.exe We can fake that to be able to start with step 7 directly
# This is meterpreter !
# This is meterpreter !
# Emulating DLL hijacking functionality of BOOSTWRITE
# Emulating DLL hijacking functionality of BOOSTWRITE
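Review bot: The comment added at the top of step7 ("Start situation: Step 6 executed a meterpreter in hollow.exe We can fake that to be able to start with step 7 directly") reads as a statement of what the method does, but nothing in this hunk implements that fake start state, so a reader may assume step7 is runnable standalone. The rest of this file marks unfinished intentions with a `# TODO:` prefix, so the note should follow that convention and be split into two sentences, e.g. `# TODO: Step 6 leaves a meterpreter running in hollow.exe; fake that state here so step 7 can be started directly`. The body of step7 continues outside the hunk, so I cannot tell whether the shortcut is implemented further down; if it is, the comment should say where.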
@ -296,30 +299,69 @@ class FIN7Plugin(AttackPlugin):
# Scenario target is the fake payment application AccountingIQ.exe
# Scenario target is the fake payment application AccountingIQ.exe
# Machine is rebooted
# TODO: Machine is rebooted
# shim dll329.dll is activated https://attack.mitre.org/techniques/T1546/011/
# TODO: shim dll329.dll is activated https://attack.mitre.org/techniques/T1546/011/
# AccountingIQ injects into SyncHost.exe, rundll32.exe communicates to C2
# TODO: AccountingIQ injects into SyncHost.exe, rundll32.exe communicates to C2
# debug.exe is downloaded from C2, does process discovery https://attack.mitre.org/techniques/T1105/
# TODO: debug.exe(pillowMint.exe) is downloaded from C2, does process discovery https://attack.mitre.org/techniques/T1105/
# send 7za.exe to target. Zip stolen data, exfiltrate
# TODO: send 7za.exe to target. Zip stolen data, exfiltrate
# Compiling
# i686-w64-mingw32-gcc is for 32 bit
# x86_64-w64-mingw32-gcc is for 64 bit
# Important: pillowMint is not very complex and looks for the data at a fixed address. As we a re-compiling AccountIQ.exe and the data address does not match the expected one we will just get garbage.
self.attacker_machine_plugin.remote_run("sudo apt -y install powershell")# Microsoft powershell
self.attacker_machine_plugin.remote_run("sudo apt -y install g++-multilib libc6-dev-i386")# 32 bit support
self.attacker_machine_plugin.remote_run("cd tool_factory; git clone https://github.com/monoxgas/sRDI")# To generate PIC
defrun(self,targets):
defrun(self,targets):
""" Run the command
""" Run the command
@paramtargets:Alistoftargets
@paramtargets:Alistoftargets
"""
"""
self.step1()
# self.step1()
self.step2()
# self.step2()
self.step3()# Done and works
# self.step3() # DONE and works
self.step4()# Partial - with a hack
# self.step4() # PARTIAL - with a hack. Needs compilation of babymetal: Needs a powershell to execute on the build system. And this one needs system access
self.step5()# Done and quite ok
# self.step5() # DONE and quite ok
self.step6()
# self.step6() # Hollow.exe has to be generated
self.step7()
# self.step7() # Will need compilation of an attack tool Boostwrite
self.step8()
# self.step8() # Migration and credential collection, on itadmin
self.step9()
# self.step9() # on accounting, shim persistence bin329.tmp needs to be generated
self.step10()
self.step10()# on accounting, AccountingIQ.c needs compilation. But just once.