# OilRig Setup Procedure

# Emulation Team Infrastructure

  1. Linux Attack Platform: Kali Linux 2019.2
  2. Mail and Apache Server: Kali Linux 2019.2

# Emulation Team Infrastructure Configuration

This methodology assumes the following static IP address configurations:

Red Team System IP Address
Linux Attack Platform 192.168.0.4
Mail and Apache Server 192.168.0.5

# A note about red team payloads

  • This evaluation utilizes payloads that model malware previously used by OilRig.
  • These utilities include credential dumpers, implants, and file exfiltration.
  • The Binaries.zip contains all executables in one zip file for easy download. The password is malware.
    • Implants are configured to connect back to static IP address 192.168.0.4. Build instructions for each payload can be found with source code in their respective directories.

# Linux Attack Platform Setup \ 192.168.0.4

  1. Download the OilRig ATTACK Evaluations Library to the /opt/ directory

  2. Use the Linux commands below to populate the binaries in the expected directories for the scenario:

    # from oilrig/
    unzip -P malware Resources/Binaries/binaries.zip
    
    # copy VALUEVAULT (b.exe) and TwoFace (contact.aspx) to the payload staging directory for SideTwist
    cp Resources/Binaries/b.exe Resources/payloads/SideTwist
    cp Resources/Binaries/contact.aspx Resources/payloads/SideTwist
    
    # copy RDAT.exe to the payload staging directory for TwoFace
    cp Resources/Binaries/RDAT.exe Resources/payloads/TwoFace
  3. Download Mimikatz to the Resources/payloads/TwoFace/ directory. Rename Mimikatz executable as m64.exe.

  4. Download Plink to the Resources/payloads/SideTwist/ directory

  5. Download PsExec.exe to the Resources/payloads/TwoFace/ directory

  6. Install FreeRDP

# Mail and File Server Setup \ 192.168.0.5

  1. Install Apache

  2. Install Postfix

  3. Stage the SideTwist dropper Marketing_Materials.zip to /var/www/html

  4. Run the install-configure-postfix.sh bash script as sudo

    sudo ./install-configure-postfix.sh
  5. Run the setup-apache-fileserver.sh bash script as sudo

    sudo ./setup-apache-fileserver.sh

Note: You may need to chmod the scripts to allow them to run.

# Target Infrastructure

4 targets, all domain joined to the boombox domain:

  1. SQL Server : tested and executed on CentOS 7.9
  2. Domain Controller : tested and executed on Windows Server 2k19 - Build 17763
  3. Exchange Server : tested and executed on Windows Server 2k19 - Build 17763
  4. Exchange Admin Workstation : tested and executed on Windows 10 - Build 17763

# Target Infrastructure Configuration

Target System Hostname IP Address
SQL Server endofroad 10.1.0.7
Domain Controller diskjockey 10.1.0.4
Exchange Server waterfalls 10.1.0.6
Exchange Admin Workstation theblock 10.1.0.5

# Configure Domain Controller diskjockey\ 10.1.0.4

Note: in the scenario, DNS records were manually created to emulate network activity from suspect domains

  1. Open Windows Defender, toggle all nobs to the off position.

  2. Open PowerShell being sure to select "Run as Administrator" and run the modify-defender.ps1 script:

    .\modify-defender.ps1
  3. Create the user accounts as used in the scenario:

    username groups
    tous EWS Admins, SQL Admins, Domain Users
    gosta EWS Admins, Domain Users
    mariam Domain Users
    shiroyeh Domain Users
    shiroyeh_admin Domain Admins
  4. In the Administrator Powershell Terminal run the disable-automatic-updates.ps1 script:

    .\disable-automatic-updates.ps1
  5. In the Administrator Powershell Terminal run the choco-install.ps1 script:

    .\choco-install.ps1
  6. In the Administrator Powershell Terminal run the install-packages.ps1 script:

    .\install-packages.ps1

# Configure Workstation theblock\ 10.1.0.5

  1. Ensure Microsoft Office is installed and that you're able to edit a document. This will ensure the macros run correctly against the host.

  2. Open PowerShell being sure to select "Run as Administrator" and run the modify-defender.ps1 script:

    .\modify-defender.ps1
  3. In the Administrator Powershell Terminal run the disable-automatic-updates.ps1 script:

    .\disable-automatic-updates.ps1
  4. In the Administrator Powershell Terminal run the choco-install.ps1 script:

    .\choco-install.ps1
  5. In the Administrator Powershell Terminal run the install-packages.ps1 script:

    .\install-packages.ps1

# Configure EWS Server waterfalls\ 10.1.0.6

  1. Setup Exchange Server to host OWA and EAC.

  2. Create the "EWS Admins" group, adding tous, gosta

  3. Install MSSQL

  4. Create a scheduled task to run the sql_connection.bat upon system startup:

    schtasks /create /tn "SQL Connection" /tr <Path to the batch file> /sc onstart /U BOOMBOX\tous
  5. Reboot the machine and verify connection in PowerShell:

    netstat -ano | select-string 1433
  6. Open Windows Defender, toggle all nobs to the off position.

  7. In the same PowerShell window, run the modify-defender.ps1 script:

    .\modify-defender.ps1
  8. In the Administrator Powershell Terminal run the disable-automatic-updates.ps1 script:

    .\disable-automatic-updates.ps1
  9. In the Administrator Powershell Terminal run the choco-install.ps1 script:

    .\choco-install.ps1
  10. In the Administrator Powershell Terminal run the install-packages.ps1 script:

    .\install-packages.ps1

# Configure SQL Server endofroad\ 10.1.0.7

  1. Install MSSQL and configure data to be stored locally on the C: drive.
  2. Create an "SQL Admins" domain group with tous as a member, additionally giving tous access permissions and ownership of the DB.
  3. Sign in as tous and create a new database called sitedata.
  4. Import the minfac.csv data file to populate the database.
  5. Create a backup of the database to the drive for later exfiltration by the adversary
  • Note: For the purpose of execution, this directory was C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Backup\
  1. Open Windows Defender, toggle all nobs to the off position.

  2. Open PowerShell being sure to select "Run as Administrator" and run the modify-defender.ps1 script:

    .\modify-defender.ps1
  3. In the Administrator Powershell Terminal run the disable-automatic-updates.ps1 script:

    .\disable-automatic-updates.ps1
  4. In the Administrator Powershell Terminal run the choco-install.ps1 script:

    .\choco-install.ps1
  5. In the Administrator Powershell Terminal run the install-packages.ps1 script:

    .\install-packages.ps1
  6. Open port 1433 in Windows Defender Firewall

  7. Add the "SQL Admins" group to Local Administrators