# OilRig Setup Procedure

## Emulation Team Infrastructure

- Linux Attack Platform: Kali Linux 2019.2
- Mail and Apache Server: Kali Linux 2019.2

### Emulation Team Infrastructure Configuration

This methodology assumes the following static IP address configurations:

#### A note about red team payloads

- This evaluation utilizes payloads that model malware previously used by OilRig.
- These utilities include credential dumpers, implants, and file exfiltration.
- The Binaries.zip contains all executables in one zip file for easy download. The password is `malware`.
- Implants are configured to connect back to static IP address 192.168.0.4. Build instructions for each payload can be found with source code in their respective directories.

### Linux Attack Platform Setup \ 192.168.0.4

- Download the OilRig ATT&CK Evaluations Library to the `/opt/` directory. Use the Linux commands below to populate the binaries in the expected directories for the scenario:

```sh
# from oilrig/
unzip -P malware Resources/Binaries/binaries.zip
# copy VALUEVAULT (b.exe) and TwoFace (contact.aspx) to the payload staging directory for SideTwist
cp Resources/Binaries/b.exe Resources/payloads/SideTwist
cp Resources/Binaries/contact.aspx Resources/payloads/SideTwist
# copy RDAT.exe to the payload staging directory for TwoFace
cp Resources/Binaries/RDAT.exe Resources/payloads/TwoFace
```

- Download Mimikatz to the `Resources/payloads/TwoFace/` directory. Rename the Mimikatz executable as `m64.exe`.
- Download Plink to the `Resources/payloads/SideTwist/` directory.
- Download PsExec.exe to the `Resources/payloads/TwoFace/` directory.
- Install FreeRDP

### Mail and File Server Setup \ 192.168.0.5

- Install Apache
- Install Postfix
- Stage the SideTwist dropper `Marketing_Materials.zip` to `/var/www/html`
- Run the `install-configure-postfix.sh` bash script as sudo:

```sh
sudo ./install-configure-postfix.sh
```

- Run the `setup-apache-fileserver.sh` bash script as sudo:

```sh
sudo ./setup-apache-fileserver.sh
```

Note: You may need to chmod the scripts to allow them to run.
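As an added readiness check (example code written for this page, not part of the OilRig library), the following POSIX shell functions verify that the attack platform's staging directories and the file server's webroot actually hold the files the two procedures above stage. It assumes the library root (e.g. `/opt/oilrig`) and the Apache webroot are passed as arguments, and that Plink and PsExec keep their upstream filenames `plink.exe` and `PsExec.exe`.

```shell
#!/bin/sh
# Lab-readiness check for the two emulation-team hosts (added example, not
# from the OilRig library). Paths are those staged by the procedure above;
# the library root and webroot are assumed to be passed as arguments.

# Files the attack platform procedure expects under Resources/payloads/<tool>/.
# Mimikatz is expected under its renamed filename m64.exe; plink.exe and
# PsExec.exe are assumed to keep their upstream names.
STAGED_FILES="
payloads/SideTwist/b.exe
payloads/SideTwist/contact.aspx
payloads/SideTwist/plink.exe
payloads/TwoFace/RDAT.exe
payloads/TwoFace/m64.exe
payloads/TwoFace/PsExec.exe
"

# check_staging <library root>: report every expected file that is missing or
# empty; the return code is the number of missing files (0 = ready).
check_staging() {
    root="$1"
    missing=0
    for rel in $STAGED_FILES; do
        if [ ! -s "$root/Resources/$rel" ]; then
            echo "MISSING: $root/Resources/$rel" >&2
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# check_fileserver <webroot>: the SideTwist dropper must be present and
# world-readable, or the unprivileged Apache worker cannot serve it.
check_fileserver() {
    zip="$1/Marketing_Materials.zip"
    if [ ! -s "$zip" ]; then
        echo "MISSING: $zip" >&2
        return 1
    fi
    # -perm -004 is the POSIX spelling of "others have read"
    if [ -z "$(find "$zip" -perm -004)" ]; then
        echo "NOT WORLD-READABLE: $zip" >&2
        return 2
    fi
    return 0
}
```

Run `check_staging /opt/oilrig` on the attack platform and `check_fileserver /var/www/html` on the mail and file server before starting the scenario; both report each problem on stderr.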

## Target Infrastructure

4 targets, all domain joined to the boombox domain:

- SQL Server: tested and executed on CentOS 7.9
- Domain Controller: tested and executed on Windows Server 2k19 - Build 17763
- Exchange Server: tested and executed on Windows Server 2k19 - Build 17763
- Exchange Admin Workstation: tested and executed on Windows 10 - Build 17763

### Target Infrastructure Configuration

#### Configure Domain Controller diskjockey \ 10.1.0.4

Note: in the scenario, DNS records were manually created to emulate network activity from suspect domains.

- Open Windows Defender, toggle all knobs to the off position.
- Open PowerShell being sure to select "Run as Administrator" and run the `modify-defender.ps1` script:

```powershell
.\modify-defender.ps1
```

- Create the user accounts as used in the scenario:
- In the Administrator PowerShell terminal run the `disable-automatic-updates.ps1` script:

```powershell
.\disable-automatic-updates.ps1
```

- In the Administrator PowerShell terminal run the `choco-install.ps1` script:

```powershell
.\choco-install.ps1
```

- In the Administrator PowerShell terminal run the `install-packages.ps1` script:

```powershell
.\install-packages.ps1
```

#### Configure Workstation theblock \ 10.1.0.5

- Ensure Microsoft Office is installed and that you're able to edit a document. This will ensure the macros run correctly against the host.
- Open PowerShell being sure to select "Run as Administrator" and run the `modify-defender.ps1` script:

```powershell
.\modify-defender.ps1
```

- In the Administrator PowerShell terminal run the `disable-automatic-updates.ps1` script:

```powershell
.\disable-automatic-updates.ps1
```

- In the Administrator PowerShell terminal run the `choco-install.ps1` script:

```powershell
.\choco-install.ps1
```

- In the Administrator PowerShell terminal run the `install-packages.ps1` script:

```powershell
.\install-packages.ps1
```

#### Configure EWS Server waterfalls \ 10.1.0.6

- Setup Exchange Server to host OWA and EAC.
- Create the "EWS Admins" group, adding `tous` and `gosta`.
- Install MSSQL
- Create a scheduled task to run `sql_connection.bat` upon system startup:

```cmd
schtasks /create /tn "SQL Connection" /tr <Path to the batch file> /sc onstart /U BOOMBOX\tous
```

- Reboot the machine and verify the connection in PowerShell:

```powershell
netstat -ano | select-string 1433
```

- Open Windows Defender, toggle all knobs to the off position.
- In the same PowerShell window, run the `modify-defender.ps1` script:

```powershell
.\modify-defender.ps1
```

- In the Administrator PowerShell terminal run the `disable-automatic-updates.ps1` script:

```powershell
.\disable-automatic-updates.ps1
```

- In the Administrator PowerShell terminal run the `choco-install.ps1` script:

```powershell
.\choco-install.ps1
```

- In the Administrator PowerShell terminal run the `install-packages.ps1` script:

```powershell
.\install-packages.ps1
```

#### Configure SQL Server endofroad \ 10.1.0.7

- Install MSSQL and configure data to be stored locally on the C: drive.
- Create an "SQL Admins" domain group with `tous` as a member, additionally giving `tous` access permissions and ownership of the DB.
- Sign in as `tous` and create a new database called `sitedata`.
- Import the `minfac.csv` data file to populate the database.
- Create a backup of the database to the drive for later exfiltration by the adversary.
  - Note: For the purpose of execution, this directory was `C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup\`
- Open Windows Defender, toggle all knobs to the off position.
- Open PowerShell being sure to select "Run as Administrator" and run the `modify-defender.ps1` script:

```powershell
.\modify-defender.ps1
```

- In the Administrator PowerShell terminal run the `disable-automatic-updates.ps1` script:

```powershell
.\disable-automatic-updates.ps1
```

- In the Administrator PowerShell terminal run the `choco-install.ps1` script:

```powershell
.\choco-install.ps1
```

- In the Administrator PowerShell terminal run the `install-packages.ps1` script:

```powershell
.\install-packages.ps1
```

- Open port 1433 in Windows Defender Firewall
- Add the "SQL Admins" group to Local Administrators