mirror of https://github.com/avast/PurpleDome
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
65 lines
1.5 KiB
Markdown
65 lines
1.5 KiB
Markdown
# FIN7 adversary emulation
|
|
|
|
https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin7/Emulation_Plan
|
|
|
|
# Required files
|
|
|
|
It needs some external files to work. Please download them and put them in this folder
|
|
|
|
STEP 5:
|
|
https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Resources/Step5/samcat.exe
|
|
https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Resources/Step5/uac-samcats.ps1
|
|
|
|
# Machines
|
|
|
|
See: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin7/Emulation_Plan/Scenario_1/Infrastructure.md
|
|
|
|
## 1 hotelmanager
|
|
|
|
Initial infected machine
|
|
|
|
Windows 10, Build 18363
|
|
|
|
User dir: C:\Users\kmitnick.hospitality\AppData\Local\
|
|
|
|
Tools will be installed on this machine (mimikatz) and could be intercepted by the AV. if you do not want this, de-activate the AV or add exceptions
|
|
|
|
Required for infection:
|
|
|
|
* RTF
|
|
* VBA
|
|
* MSHTA
|
|
* winword
|
|
* verclsid https://redcanary.com/blog/verclsid-exe-threat-detection/
|
|
* tasksched
|
|
|
|
5 minutes waiting time !
|
|
|
|
## 2 itadmin
|
|
|
|
Next hacked machine. Lateral movement there through stolen credentials
|
|
|
|
Windows 10, Build 18363
|
|
|
|
## 3 accounting
|
|
|
|
Has the valuables
|
|
|
|
Windows 10, 18363
|
|
|
|
installed:
|
|
* AccountingIQ.exe
|
|
|
|
|
|
## hoteldc
|
|
|
|
Windows Server 2k19 - Build 17763
|
|
|
|
Attacker is never traversing to it
|
|
|
|
## Decisions
|
|
|
|
* We will be using Scenario 1.
|
|
* SQLRat will be replaced by Caldera
|
|
* Parts requiring user interaction are skipped. Maybe added later
|