You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
PurpleDome/plugins/default/adversary_emulations/FIN7
Thorsten Sick 6177532133 Some PEP8 cleanup 3 years ago
..
README.md typo fix 3 years ago
fin7_section1.py Some PEP8 cleanup 3 years ago
local_experiment_config.yaml Removed kali config from yaml files. Replaced with a more generic attack_plugin config 3 years ago

README.md

FIN7 adversary emulation

https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin7/Emulation_Plan

Required files

It needs some external files to work. Please download them and put them in this folder

STEP 5: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Resources/Step5/samcat.exe https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Resources/Step5/uac-samcats.ps1

Machines

See: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Emulation_Plan/Scenario_1/Infrastructure.md

1 hotelmanager

Initial infected machine

Windows 10, Build 18363

User dir: C:\Users\kmitnick.hospitality\AppData\Local\

Tools will be installed on this machine (mimikatz) and could be intercepted by the AV. if you do not want this, de-activate the AV or add exceptions

Required for infection:

5 minutes waiting time !

2 itadmin

Next hacked machine. Lateral movement there through stolen credentials

Windows 10, Build 18363

3 accounting

Has the valuables

Windows 10, 18363

installed:

  • AccountingIQ.exe

hoteldc

Windows Server 2k19 - Build 17763

Attacker is never traversing to it

Decisions

  • We will be using Scenario 1.
  • SQLRat will be replaced by Caldera
  • Parts requiring user interaction are skipped. Maybe added later