PurpleDome/plugins/default/adversary_emulations/FIN7/README.md
# FIN7 adversary emulation
https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin7/Emulation_Plan
# Required files
The emulation needs some external files to work. Download them and put them in this folder.

Step 5:
* https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Resources/Step5/samcat.exe
* https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Resources/Step5/uac-samcats.ps1
# Machines
See: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Emulation_Plan/Scenario_1/Infrastructure.md
## 1 hotelmanager
Initially infected machine
Windows 10, Build 18363
User dir: C:\Users\kmitnick.hospitality\AppData\Local\
Tools (mimikatz) will be installed on this machine and could be intercepted by the AV. If you do not want this, de-activate the AV or add exceptions.

Required for infection:
* RTF
* VBA
* MSHTA
* winword
* verclsid https://redcanary.com/blog/verclsid-exe-threat-detection/
* tasksched
Expect a waiting time of 5 minutes!
## 2 itadmin
Next compromised machine; lateral movement to it uses stolen credentials.
Windows 10, Build 18363
## 3 accounting
Holds the valuable data.
Windows 10, Build 18363
Installed:
* AccountingIQ.exe
## hoteldc
Windows Server 2019, Build 17763
The attacker never traverses to it.
## Decisions
* We will be using Scenario 1.
* SQLRat will be replaced by Caldera.
* Parts requiring user interaction are skipped; they may be added later.