# OilRig Setup Procedure

# Emulation Team Infrastructure

1. Linux Attack Platform: Kali Linux 2019.2
2. Mail and Apache Server: Kali Linux 2019.2

# Emulation Team Infrastructure Configuration

This methodology assumes the following static IP address configurations:

# A note about red team payloads

• This evaluation utilizes payloads that model malware previously used by OilRig.
• These utilities include credential dumpers, implants, and file exfiltration.
• The Binaries.zip contains all executables in one zip file for easy download. The password is malware.
  • Implants are configured to connect back to static IP address 192.168.0.4. Build instructions for each payload can be found with source code in their respective directories.

# Linux Attack Platform Setup \ 192.168.0.4

1. Download the OilRig ATTACK Evaluations Library to the /opt/ directory

2. Use the Linux commands below to populate the binaries in the expected directories for the scenario:

   # from oilrig/
   unzip -P malware Resources/Binaries/binaries.zip
   
   # copy VALUEVAULT (b.exe) and TwoFace (contact.aspx) to the payload staging directory for SideTwist
   cp Resources/Binaries/b.exe Resources/payloads/SideTwist
   cp Resources/Binaries/contact.aspx Resources/payloads/SideTwist
   
   # copy RDAT.exe to the payload staging directory for TwoFace
   cp Resources/Binaries/RDAT.exe Resources/payloads/TwoFace

3. Download Mimikatz to the Resources/payloads/TwoFace/ directory. Rename Mimikatz executable as m64.exe.

4. Download Plink to the Resources/payloads/SideTwist/ directory

5. Download PsExec.exe to the Resources/payloads/TwoFace/ directory

6. Install FreeRDP

# Mail and File Server Setup \ 192.168.0.5

1. Install Apache

2. Install Postfix

3. Stage the SideTwist dropper Marketing_Materials.zip to /var/www/html

4. Run the install-configure-postfix.sh bash script as sudo

   sudo ./install-configure-postfix.sh

5. Run the setup-apache-fileserver.sh bash script as sudo

   sudo ./setup-apache-fileserver.sh

Note: You may need to chmod the scripts to allow them to run.

# Target Infrastructure

4 targets, all domain joined to the boombox domain:

1. SQL Server : tested and executed on CentOS 7.9
2. Domain Controller : tested and executed on Windows Server 2k19 - Build 17763
3. Exchange Server : tested and executed on Windows Server 2k19 - Build 17763
4. Exchange Admin Workstation : tested and executed on Windows 10 - Build 17763

# Target Infrastructure Configuration

# Configure Domain Controller diskjockey\ 10.1.0.4

Note: in the scenario, DNS records were manually created to emulate network activity from suspect domains

1. Open Windows Defender, toggle all nobs to the off position.

2. Open PowerShell being sure to select "Run as Administrator" and run the modify-defender.ps1 script:

   .\modify-defender.ps1

3. Create the user accounts as used in the scenario:

   username	groups
   tous	EWS Admins, SQL Admins, Domain Users
   gosta	EWS Admins, Domain Users
   mariam	Domain Users
   shiroyeh	Domain Users
   shiroyeh_admin	Domain Admins

4. In the Administrator Powershell Terminal run the disable-automatic-updates.ps1 script:

   .\disable-automatic-updates.ps1

5. In the Administrator Powershell Terminal run the choco-install.ps1 script:

   .\choco-install.ps1

6. In the Administrator Powershell Terminal run the install-packages.ps1 script:

   .\install-packages.ps1

# Configure Workstation theblock\ 10.1.0.5

1. Ensure Microsoft Office is installed and that you're able to edit a document. This will ensure the macros run correctly against the host.

2. Open PowerShell being sure to select "Run as Administrator" and run the modify-defender.ps1 script:

   .\modify-defender.ps1

3. In the Administrator Powershell Terminal run the disable-automatic-updates.ps1 script:

   .\disable-automatic-updates.ps1

4. In the Administrator Powershell Terminal run the choco-install.ps1 script:

   .\choco-install.ps1

5. In the Administrator Powershell Terminal run the install-packages.ps1 script:

   .\install-packages.ps1

# Configure EWS Server waterfalls\ 10.1.0.6

1. Setup Exchange Server to host OWA and EAC.

2. Create the "EWS Admins" group, adding tous, gosta

3. Install MSSQL

4. Create a scheduled task to run the sql_connection.bat upon system startup:

   schtasks /create /tn "SQL Connection" /tr <Path to the batch file> /sc onstart /U BOOMBOX\tous

5. Reboot the machine and verify connection in PowerShell:

   netstat -ano | select-string 1433

6. Open Windows Defender, toggle all nobs to the off position.

7. In the same PowerShell window, run the modify-defender.ps1 script:

   .\modify-defender.ps1

8. In the Administrator Powershell Terminal run the disable-automatic-updates.ps1 script:

   .\disable-automatic-updates.ps1

9. In the Administrator Powershell Terminal run the choco-install.ps1 script:

   .\choco-install.ps1

10. In the Administrator Powershell Terminal run the install-packages.ps1 script:

    .\install-packages.ps1

# Configure SQL Server endofroad\ 10.1.0.7

1. Install MSSQL and configure data to be stored locally on the C: drive.
2. Create an "SQL Admins" domain group with tous as a member, additionally giving tous access permissions and ownership of the DB.
3. Sign in as tous and create a new database called sitedata.
4. Import the minfac.csv data file to populate the database.
5. Create a backup of the database to the drive for later exfiltration by the adversary

• Note: For the purpose of execution, this directory was C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup\

1. Open Windows Defender, toggle all nobs to the off position.

2. Open PowerShell being sure to select "Run as Administrator" and run the modify-defender.ps1 script:

   .\modify-defender.ps1

3. In the Administrator Powershell Terminal run the disable-automatic-updates.ps1 script:

   .\disable-automatic-updates.ps1

4. In the Administrator Powershell Terminal run the choco-install.ps1 script:

   .\choco-install.ps1

5. In the Administrator Powershell Terminal run the install-packages.ps1 script:

   .\install-packages.ps1

6. Open port 1433 in Windows Defender Firewall

7. Add the "SQL Admins" group to Local Administrators