b0822522c6 | 3 years ago | |
---|---|---|
.. | ||
README.md | 3 years ago | |
fin7_section1.py | 3 years ago | |
local_experiment_config.yaml | 3 years ago |
README.md
FIN7 adversary emulation
Required files
It needs some external files to work. Please download them and put them in this folder
STEP 5: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Resources/Step5/samcat.exe https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Resources/Step5/uac-samcats.ps1
Machines
1 hotelmanager
Initial infected machine
Windows 10, Build 18363
User dir: C:\Users\kmitnick.hospitality\AppData\Local\
Tools will be installed on this machine (mimikatz) and could be intercepted by the AV. if you do not want this, de-activate the AV or add exceptions
Required for infection:
- RTF
- VBA
- MSHTA
- winword
- verclsid https://redcanary.com/blog/verclsid-exe-threat-detection/
- tasksched
5 minutes waiting time !
2 itadmin
Next hacked machine. Lateral movement there through stolen credentials
Windows 10, Build 18363
3 accounting
Has the valuables
Windows 10, 18363
installed:
- AccountingIQ.exe
hoteldc
Windows Server 2k19 - Build 17763
Attacker is never traversing to it
Decisions
- We will be using Scenario 1.
- SQLRat will be replaced by Caldera
- Parts requiring user interaction are skipped. Maybe added later