# Turla Setup Procedure
# Emulation Team Infrastructure Configuration
See Getting Started for information on setting up the overall range.
# Linux Attack Platform Setup
See Setup RedTeam for information on setting up the attack platform.
# Move Unzipped Binaries into Payloads
A zip of the scenario binaries has been included here. `binaries.zip` can be unzipped to the expected directory location using the following command and the password `malware`:

```bash
# from the turla directory
unzip Resources/Binaries/binaries.zip -d Resources/payloads
```
❗ Snake has not been included in this binaries.zip. Please visit the following resources for building Snake and its components:
# Download Required Binary Files
- Download and extract the PSTools directory
  - Copy `PSExec.exe` to the `Resources/payloads/carbon` directory
  - Copy `PSExec.exe` to the `Resources/payloads/snake` directory
- Download pscp.exe and copy it to the `Resources/payloads/carbon` directory
- Download plink.exe and copy it to the `Resources/payloads/carbon` directory
- Download mimikatz
  - Update the Mimikatz source code with the PTH adjustments then recompile
  - Copy `mimikatz.exe` to the `Resources/payloads/carbon` and `Resources/payloads/snake` directory
The `Resources/payloads` directory should be set up to match the following:

```
├── Resources
│ ├── payloads
│ │ ├── carbon
│ │ │ ├── PsExec.exe
│ │ │ ├── carbon_installer_2.exe
│ │ │ ├── carbon_installer_3.exe
│ │ │ ├── mimikatz.exe
│ │ │ ├── hsperfdata.zip
│ │ │ ├── keylogger.exe
│ │ │ ├── password_spray.bat
│ │ │ ├── plink.exe
│ │ │ ├── pscp.exe
│ │ ├── epic
│ │ │ ├── dropper.exe
│ │ │ ├── snake.exe (needs compiling)
│ │ ├── snake
│ │ │ ├── PsExec.exe
│ │ │ ├── installer_v2.exe (needs compiling)
│ │ │ ├── installer_v3.exe (needs compiling)
│ │ │ ├── ln_transport_agent.dll
│ │ │ ├── mimikatz.exe
│ │ │ ├── msiex.ps1
│ │ │ ├── n_installer_aux.dll
│ │ │ ├── rules.xml
│ │ │ ├── winmail.dat
│ │ ├── wordpress
│ │ │ ├── EPICDropper_http.exe
│ │ │ ├── EPICDropper_https.exe
```
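
To confirm the range matches the layout above before a run, the following added example (not part of the original setup guide or the project's tooling) compares a payloads directory against that tree. The function name `check_payloads`, the `build:` prefix and the status labels are hypothetical; the file names are copied from the tree.

```bash
#!/usr/bin/env bash
# Added example: verify Resources/payloads against the layout listed above.
# Entries are copied from the tree; "build:" marks the files the tree
# labels "(needs compiling)". Names and labels here are illustrative.
EXPECTED='
carbon/PsExec.exe carbon/carbon_installer_2.exe carbon/carbon_installer_3.exe
carbon/mimikatz.exe carbon/hsperfdata.zip carbon/keylogger.exe
carbon/password_spray.bat carbon/plink.exe carbon/pscp.exe
epic/dropper.exe build:epic/snake.exe
snake/PsExec.exe build:snake/installer_v2.exe build:snake/installer_v3.exe
snake/ln_transport_agent.dll snake/mimikatz.exe snake/msiex.ps1
snake/n_installer_aux.dll snake/rules.xml snake/winmail.dat
wordpress/EPICDropper_http.exe wordpress/EPICDropper_https.exe
'

# check_payloads ROOT
# Prints one line per problem and returns 0 only when every expected file
# exists under ROOT with the exact name used in the tree.
check_payloads() {
  cp_root=$1
  cp_rc=0
  for cp_entry in $EXPECTED; do
    cp_kind=copy
    cp_rel=$cp_entry
    case $cp_entry in
      build:*) cp_kind=build; cp_rel=${cp_entry#build:} ;;
    esac
    [ -f "$cp_root/$cp_rel" ] && continue
    cp_rc=1
    # Linux file systems are case-sensitive, so a file saved as PSExec.exe
    # does not satisfy an entry spelled PsExec.exe. Report that separately.
    cp_hit=$(find "$cp_root/${cp_rel%/*}" -maxdepth 1 -type f \
               -iname "${cp_rel##*/}" 2>/dev/null | head -n 1)
    if [ -n "$cp_hit" ]; then
      printf 'CASE    %s (found %s)\n' "$cp_rel" "${cp_hit##*/}"
    elif [ "$cp_kind" = build ]; then
      printf 'BUILD   %s (must be compiled)\n' "$cp_rel"
    else
      printf 'MISSING %s\n' "$cp_rel"
    fi
  done
  return $cp_rc
}

# Usage, from the turla directory: ./check_payloads.sh Resources/payloads
if [ $# -gt 0 ]; then
  check_payloads "$1"
fi
```
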

As part of infrastructure setup, `EPICDropper_http.exe` and `EPICDropper_https.exe` should be staged on a WordPress server and renamed to `NTFVersion.exe` and `NFVersion_5e.exe`, respectively.