managed-services

OilRig

License

managed-services

ATT&CK Evaluations Control Server

This ATT&CK Evaluations Control Server is used to execute behaviors under test during ATT&CK Evaluations.

managed-services

ATT&CK Evaluations Emotet Handler

The ATT&CK Evaluations Emotet Handler is used to handle communications between the Emotet Client and control server via a REST API.

managed-services

ATT&CK Evaluations Exaramel for Linux Handler

The ATT&CK Evaluations Exaramel for Linux handler is used to handle communications between the ATT&CK Evaluations Exaramel for Linux client and the...

managed-services

ATT&CK Evaluations TrickBot Handler

The ATT&CK Evaluations TrickBot Handler is used to handle communications between the Trickbot Client and control server via a REST API.

managed-services

SideTwist handler

The SideTwist C2 handler is the server-side counterpart for the SideTwist implant and is specifically designed to interact with it by sending...

managed-services

OilRig Setup Procedure

Linux Attack Platform: Kali Linux 2019.2

managed-services

Implant Build Script

The provided script will automatically build SideTwist, VALUEVAULT and RDAT from a Kali Linux host.

managed-services

SideTwist Dropper

Included document "GGMS Overview.doc" is SAFE.

managed-services

SideTwist Dropper Tests

These tests expect compilation of a TestProgram.exe. The sample code is provided and can be compiled using gcc:

managed-services

Mimikatz

Mimikatz was used to list all available provider credentials using sekurlsa::logonPasswords and perform Pass-The-Hash via

managed-services

OilRig Scenario Cleanup Procedures

Clean up scripts provided will check and delete all artifacts. The script will also force reboot the host at the end of the script's execution.

managed-services

RDAT

RDAT is a backdoor used by the suspected Iranian threat group OilRig.

managed-services

SideTwist Implant

The SideTwist implant consists of a single executable. In emulated execution, it only executes a single command at a time, waiting to again be called...

managed-services

TWOFACE WebShell Analog

This file does not need to be compiled - it is a self contained (i.e., no code-behind file) C# application in

managed-services

VALUEVAULT

VALUEVAULT is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro, the developer...

managed-services

Scenario Overview

Legend of symbols:

managed-services

DEPENDENCIES

Linux/Mac OS, 64-bit

managed-services

Scenario Infrastructure

We hope to capture the general structure of what is reported to have been seen being used by OilRig.

managed-services

Emulation Scenario 📖

Based on open-source intelligence, the ATT&CK ® Evaluations team created the below scenario leveraging techniques seen from Oilrig in the wild.

managed-services

OilRig Intelligence Summary

Objectives: OilRig is a cyber threat actor whose collection objectives align with the strategic interests of Iran.

# Category: managed-services