# Scenario Infrastructure
This infrastructure is intended to capture the general structure of what has been publicly reported as used by OilRig.
The requirements described here are a bare minimum for executing the scenario. If you have the time and resources to stay true to form, you can stand up multiple instances of each of these servers, use non-contiguous IP space, and so on. If you are not concerned with emulating OilRig to that degree, this extra effort is unnecessary: you could, for instance, phish, serve payloads, and exfiltrate to and from a single server.
# Resources
The Binaries.zip archive contains all executables in one file for easy download. The password is `malware`.
This scenario also uses Mimikatz, Plink, and PsExec as payloads.
# Emulation Team Infrastructure
- Linux Attack Platform: Kali Linux 2019.2
- Mail and File Server: Kali Linux 2019.2
# Emulation Team Infrastructure Configuration
This methodology assumes the following static IP address configuration for the emulation team hosts (the addresses used in the setup sections below):
- Linux Attack Platform: 192.168.0.4
- Mail and File Server: 192.168.0.5
# A note about red team payloads
- This evaluation uses payloads that model malware previously used by OilRig.
- These utilities include credential dumpers, implants, and file exfiltration tools.
- The Binaries.zip archive contains all executables in one file for easy download. The password is `malware`.
- Implants are configured to connect back to the static IP address 192.168.0.4 (the Linux Attack Platform). Build instructions for each payload can be found with its source code in the respective directory.
# Linux Attack Platform Setup \ 192.168.0.4
Download the OilRig ATT&CK Evaluations Library to the `/opt/` directory. Use the Linux commands below to place the binaries in the directories the scenario expects:
```bash
# from oilrig/
# extract next to the archive so the cp paths below resolve
unzip -P malware Resources/Binaries/binaries.zip -d Resources/Binaries
# copy VALUEVAULT (b.exe) and TwoFace (contact.aspx) to the payload staging directory for SideTwist
cp Resources/Binaries/b.exe Resources/payloads/SideTwist
cp Resources/Binaries/contact.aspx Resources/payloads/SideTwist
# copy RDAT.exe to the payload staging directory for TwoFace
cp Resources/Binaries/RDAT.exe Resources/payloads/TwoFace
```
Then:
- Download Mimikatz to the `Resources/payloads/TwoFace/` directory and rename the executable to `m64.exe`.
- Download Plink to the `Resources/payloads/SideTwist/` directory.
- Download PsExec.exe to the `Resources/payloads/TwoFace/` directory.
- Install FreeRDP.
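As an added example (not code from the OilRig emulation plan or its repository), the following script performs the staging steps above under pwsh on the Kali host and then checks the resulting tree, writing a SHA-256 manifest of every staged payload that the detection side can cross-reference against later telemetry. It assumes pwsh is installed on the attack platform, that the repository lives at `/opt/oilrig`, and the file names `plink.exe` and `PsExec.exe` for the separately downloaded tools (the page names the tools, not the files).

```powershell
#!/usr/bin/env pwsh
# Added example: stage the OilRig payload tree and verify it (not project code).
# Assumptions: pwsh on the Kali host, repo at /opt/oilrig, file names plink.exe
# and PsExec.exe for the separately downloaded tools.
param([string]$Root = '/opt/oilrig')

$bin = Join-Path $Root 'Resources/Binaries'
$pay = Join-Path $Root 'Resources/payloads'

# Final layout described in the steps above: staging dir -> expected files.
$layout = [ordered]@{
    'SideTwist' = @('b.exe', 'contact.aspx', 'plink.exe')
    'TwoFace'   = @('RDAT.exe', 'm64.exe', 'PsExec.exe')
}

# Expand-Archive cannot open password-protected archives, so call unzip,
# extracting next to the archive so the copies below resolve.
$zip = Join-Path $bin 'binaries.zip'
if (Test-Path $zip) {
    & unzip -o -P malware $zip -d $bin | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "unzip failed with exit code $LASTEXITCODE" }
}

foreach ($dir in $layout.Keys) {
    New-Item -ItemType Directory -Force -Path (Join-Path $pay $dir) | Out-Null
}
# VALUEVAULT (b.exe) and TwoFace (contact.aspx) are served by SideTwist; RDAT by TwoFace.
Copy-Item -Path (Join-Path $bin 'b.exe'), (Join-Path $bin 'contact.aspx') -Destination (Join-Path $pay 'SideTwist')
Copy-Item -Path (Join-Path $bin 'RDAT.exe') -Destination (Join-Path $pay 'TwoFace')

# Verify the tree. Mimikatz (renamed m64.exe), Plink and PsExec are downloaded
# by hand, so they are the usual entries reported as missing on a first run.
$manifest = @()
$missing  = @()
foreach ($dir in $layout.Keys) {
    foreach ($file in $layout[$dir]) {
        $path = Join-Path (Join-Path $pay $dir) $file
        if (Test-Path $path) {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
            $manifest += '{0}  {1}/{2}' -f $hash, $dir, $file
        } else {
            $missing += "$dir/$file"
        }
    }
}
$manifestPath = Join-Path $pay 'MANIFEST.sha256'
$manifest | Set-Content -Path $manifestPath
if ($missing) {
    Write-Warning ('Not yet staged: ' + ($missing -join ', '))
} else {
    Write-Host "All payloads staged; SHA-256 manifest written to $manifestPath"
}
```

Run it once after the unzip and again after the three manual downloads; the second run should report nothing missing, and the manifest gives the blue team the exact hashes that will appear on the targets.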
# Mail and File Server Setup \ 192.168.0.5
- Install Apache.
- Install Postfix.
- Stage the SideTwist dropper `Marketing_Materials.zip` in `/var/www/html`.
- Run the `install-configure-postfix.sh` bash script as sudo:
```bash
sudo ./install-configure-postfix.sh
```
- Run the `setup-apache-fileserver.sh` bash script as sudo:
```bash
sudo ./setup-apache-fileserver.sh
```
Note: you may need to `chmod +x` the scripts before they will run.
# Target Infrastructure
Four targets, all joined to the `boombox` domain:
- SQL Server: tested and executed on CentOS 7.9
- Domain Controller: tested and executed on Windows Server 2019, build 17763
- Exchange Server: tested and executed on Windows Server 2019, build 17763
- Exchange Admin Workstation: tested and executed on Windows 10, build 17763
# Target Infrastructure Configuration
# Configure Domain Controller diskjockey \ 10.1.0.4
Note: in the scenario, DNS records were manually created to emulate network activity from suspect domains.
- Open Windows Defender and toggle all settings to the off position.
- Open PowerShell with "Run as Administrator" and run the `modify-defender.ps1` script:
```powershell
.\modify-defender.ps1
```
- Create the user accounts used in the scenario.
- In the same administrator PowerShell terminal, run the `disable-automatic-updates.ps1`, `choco-install.ps1`, and `install-packages.ps1` scripts in turn:
```powershell
.\disable-automatic-updates.ps1
.\choco-install.ps1
.\install-packages.ps1
```
# Configure Workstation theblock \ 10.1.0.5
- Ensure Microsoft Office is installed and that you are able to edit a document; this confirms the macros will run correctly on the host.
- Open PowerShell with "Run as Administrator" and run the `modify-defender.ps1` script:
```powershell
.\modify-defender.ps1
```
- In the same administrator PowerShell terminal, run the `disable-automatic-updates.ps1`, `choco-install.ps1`, and `install-packages.ps1` scripts in turn:
```powershell
.\disable-automatic-updates.ps1
.\choco-install.ps1
.\install-packages.ps1
```
# Configure EWS Server waterfalls \ 10.1.0.6
- Set up Exchange Server to host OWA and EAC.
- Create the "EWS Admins" group, adding `tous` and `gosta`.
- Install MSSQL.
- Create a scheduled task that runs `sql_connection.bat` at system startup:
```powershell
schtasks /create /tn "SQL Connection" /tr <Path to the batch file> /sc onstart /U BOOMBOX\tous
```
- Reboot the machine and verify the connection in PowerShell:
```powershell
netstat -ano | select-string 1433
```
- Open Windows Defender and toggle all settings to the off position.
- In the same PowerShell window, run the `modify-defender.ps1` script:
```powershell
.\modify-defender.ps1
```
- In the same administrator PowerShell terminal, run the `disable-automatic-updates.ps1`, `choco-install.ps1`, and `install-packages.ps1` scripts in turn:
```powershell
.\disable-automatic-updates.ps1
.\choco-install.ps1
.\install-packages.ps1
```
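The Defender, update, and package steps are the same on diskjockey, theblock and waterfalls, so one added example (not code from the OilRig emulation plan) covers all three hosts: it creates the "EWS Admins" group with `tous` and `gosta`, registers the "SQL Connection" startup task on waterfalls with the task cmdlets rather than `schtasks`, and then reports whether the host is in the state the steps above are meant to produce. The checks encode assumptions the page does not state: that `modify-defender.ps1` turns off real-time monitoring, that `disable-automatic-updates.ps1` sets the `NoAutoUpdate` policy value, and that the batch file lives at `C:\Scripts\sql_connection.bat`. The `-IsWaterfalls` switch is the script's own parameter and selects the Exchange-host steps.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the OilRig emulation plan. Provisions the
# "EWS Admins" group and the waterfalls startup task, then verifies host state.
# Assumed (not stated on the page): modify-defender.ps1 disables real-time
# monitoring, disable-automatic-updates.ps1 sets NoAutoUpdate=1, and the
# location of sql_connection.bat.
param(
    [string]$SqlBatch = 'C:\Scripts\sql_connection.bat',   # assumed path
    [switch]$IsWaterfalls                                    # pass on the EWS host only
)

# Domain group, created only if absent (RSAT ActiveDirectory module).
Import-Module ActiveDirectory -ErrorAction Stop
if (-not (Get-ADGroup -Filter "Name -eq 'EWS Admins'")) {
    New-ADGroup -Name 'EWS Admins' -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity 'EWS Admins' -Members 'tous', 'gosta'

if ($IsWaterfalls) {
    # A startup task that must reach SQL over the network needs a stored
    # password for BOOMBOX\tous; prompt for it instead of embedding it.
    $cred    = Get-Credential -UserName 'BOOMBOX\tous' -Message 'Password for the task account'
    $action  = New-ScheduledTaskAction -Execute $SqlBatch
    $trigger = New-ScheduledTaskTrigger -AtStartup
    Register-ScheduledTask -TaskName 'SQL Connection' -Action $action -Trigger $trigger `
        -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
        -RunLevel Highest -Force | Out-Null
}

# Post-configuration checks: each script block returns $true on PASS.
$auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$checks = [ordered]@{
    'Joined to boombox'          = { (Get-CimInstance Win32_ComputerSystem).Domain -like 'boombox*' }
    'Defender real-time off'     = { (Get-MpPreference).DisableRealtimeMonitoring }
    'Automatic updates off'      = { (Get-ItemProperty -Path $auKey -ErrorAction Stop).NoAutoUpdate -eq 1 }
    'Chocolatey on PATH'         = { [bool](Get-Command choco -ErrorAction SilentlyContinue) }
    'EWS Admins has tous, gosta' = {
        $members = (Get-ADGroupMember -Identity 'EWS Admins').SamAccountName
        ('tous' -in $members) -and ('gosta' -in $members)
    }
}
if ($IsWaterfalls) {
    $checks['SQL Connection task registered'] = {
        [bool](Get-ScheduledTask -TaskName 'SQL Connection' -ErrorAction SilentlyContinue)
    }
    # Same evidence as the netstat line above: a socket to the SQL port.
    $checks['Connection to port 1433'] = {
        [bool](Get-NetTCPConnection -RemotePort 1433 -ErrorAction SilentlyContinue)
    }
}

foreach ($name in $checks.Keys) {
    $ok = try { [bool](& $checks[$name]) } catch { $false }
    '{0,-32} {1}' -f $name, $(if ($ok) { 'PASS' } else { 'FAIL' })
}
```

Run it from an administrator PowerShell session on each host after the scripts above (with `-IsWaterfalls` on the Exchange server, after the reboot); a FAIL on the Defender or update rows means the corresponding script did not take effect and the scenario's payloads will be quarantined or the host patched mid-run.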
# Configure SQL Server endofroad \ 10.1.0.7
- Install MSSQL and configure the data to be stored locally on the C: drive.
- Create an "SQL Admins" domain group with `tous` as a member, and give `tous` access permissions on and ownership of the database.
- Sign in as `tous` and create a new database called `sitedata`.
- Import the `minfac.csv` data file to populate the database.
- Create a backup of the database on disk for later exfiltration by the adversary. Note: for the purpose of execution, this directory was `C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup\`.
- Open Windows Defender and toggle all settings to the off position.
- Open PowerShell with "Run as Administrator" and run the `modify-defender.ps1` script:
```powershell
.\modify-defender.ps1
```
- In the same administrator PowerShell terminal, run the `disable-automatic-updates.ps1`, `choco-install.ps1`, and `install-packages.ps1` scripts in turn:
```powershell
.\disable-automatic-updates.ps1
.\choco-install.ps1
.\install-packages.ps1
```
- Open port 1433 in Windows Defender Firewall.
- Add the "SQL Admins" group to the local Administrators group.
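An added example (not the plan's own code) for the Windows steps of this section: it creates the "SQL Admins" group with `tous`, adds the group to local Administrators, creates `sitedata` and hands its ownership to `tous` (the page signs in as `tous` to create it; here an administrator creates it and transfers ownership, which leaves the same end state), loads `minfac.csv`, writes the backup to the directory named above, opens TCP 1433 in Windows Defender Firewall, and checks for a listener. Assumed because the page does not state them: the location and column layout of `minfac.csv`, and that the SqlServer PowerShell module providing `Invoke-Sqlcmd` is installed.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the OilRig emulation plan: endofroad provisioning.
# Assumed (not on the page): minfac.csv location and columns, and that the
# SqlServer module (Invoke-Sqlcmd) is installed.
param(
    [string]$CsvPath   = 'C:\Data\minfac.csv',   # assumed location
    [string]$BackupDir = 'C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup'
)
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module SqlServer -ErrorAction Stop

# "SQL Admins" domain group with tous, also a local administrator on this host.
if (-not (Get-ADGroup -Filter "Name -eq 'SQL Admins'")) {
    New-ADGroup -Name 'SQL Admins' -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity 'SQL Admins' -Members 'tous'
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member 'BOOMBOX\SQL Admins' -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member 'BOOMBOX\SQL Admins'
}

# Database: logins, sitedata owned by tous, table (assumed columns), CSV load,
# backup. GO separates batches because USE cannot target a database created
# earlier in the same batch.
$backupFile = Join-Path $BackupDir 'sitedata.bak'
$tsql = @"
IF SUSER_ID(N'BOOMBOX\tous') IS NULL CREATE LOGIN [BOOMBOX\tous] FROM WINDOWS;
IF SUSER_ID(N'BOOMBOX\SQL Admins') IS NULL CREATE LOGIN [BOOMBOX\SQL Admins] FROM WINDOWS;
IF DB_ID(N'sitedata') IS NULL CREATE DATABASE sitedata;
GO
ALTER AUTHORIZATION ON DATABASE::sitedata TO [BOOMBOX\tous];
GO
USE sitedata;
IF OBJECT_ID(N'dbo.minfac') IS NULL
    CREATE TABLE dbo.minfac (id INT, name NVARCHAR(128), detail NVARCHAR(512)); -- assumed columns
BULK INSERT dbo.minfac FROM '$CsvPath'
    WITH (FIRSTROW = 2, FIELDTERMINATOR = ',', ROWTERMINATOR = '\n', TABLOCK);
BACKUP DATABASE sitedata TO DISK = '$backupFile' WITH INIT;
SELECT COUNT(*) AS rows_loaded FROM dbo.minfac;
"@
Invoke-Sqlcmd -ServerInstance 'localhost' -Query $tsql | Format-Table -AutoSize

# Windows Defender Firewall: allow inbound TCP 1433, idempotently.
if (-not (Get-NetFirewallRule -DisplayName 'MSSQL 1433' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'MSSQL 1433' -Direction Inbound -Protocol TCP `
        -LocalPort 1433 -Action Allow | Out-Null
}

# Final state the adversary steps depend on: listener up and backup staged.
$listening = [bool](Get-NetTCPConnection -LocalPort 1433 -State Listen -ErrorAction SilentlyContinue)
'Port 1433 listening: {0}; backup staged at {1}: {2}' -f $listening, $backupFile, (Test-Path $backupFile)
```

Adjust the `CREATE TABLE` columns to match the real `minfac.csv` header before running; the `rows_loaded` count printed by the query is the quick check that the import landed, and the backup file it reports is the artifact the adversary later collects.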
# Network Diagram
A network diagram is available showing the domains and infrastructure used to support the setup and execution of the emulation plan.