From 86c12bdff553ff86517dc5a538b1a286f9b50891 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Feb 2018 01:14:08 +0100 Subject: [PATCH] Updated README, renamed files --- README.md | 152 ++++++++++-------- ...seragent.bat => malicious-user-agents.bat} | 0 ...ackconnect.bat => netcat-back-connect.bat} | 0 ...in.bat => active-guest-acccount-admin.bat} | 0 .../js-dropper.bat | 0 5 files changed, 85 insertions(+), 67 deletions(-) rename test-sets/command-and-control/{malicious-useragent.bat => malicious-user-agents.bat} (100%) rename test-sets/command-and-control/{netcat-backconnect.bat => netcat-back-connect.bat} (100%) rename test-sets/defense-evasion/{activ-guest-acccount-admin.bat => active-guest-acccount-admin.bat} (100%) rename test-sets/{command-and-control => defense-evasion}/js-dropper.bat (100%) diff --git a/README.md b/README.md index 88a269d..dc7705c 100644 --- a/README.md +++ b/README.md 
@@ -76,127 +76,145 @@ The following table shows the different test cases and the expected detection re | Test Case | AV | NIDS | EDR | SM | CA | |---------------------------------------|-----|------|-----|-----|-----| -| Dumps (Pwdump, Dir Listing) | | | | | X | -| Recon Activity (Typical Commands) | | | X | X | X | -| DNS (Cache Injection) | (X) | X | | X | X | -| Eventlog (WCE entries) | | | X | X | X | +| Collect Local Files | | | | | X | +| C2 Connects | (X) | X | X | X | | +| DNS Cache 1 (Cache Injection) | (X) | X | | X | X | +| Malicious User Agents (Malware, RATs) | | X | X | X | | +| Ncat Back Connect (Drop & Exec) | X | | X | X | X | +| LSASS Dump (with Procdump) | | | X | X | X | +| Mimikatz 1 (Drop & Exec) | X | | X | X | X | +| WCE 1 (Eventlog entries) | | | X | X | X | +| Active Guest Account Admin | | | X | X | X | +| Fake System File (Drop & Exec) | | | X | X | X | | Hosts File (AV/Win Update blocks) | (X) | | X | | X | -| Backdoor (StickyKey file/debugger) | | | X | | X | +| Obfuscated JS Dropper | (X) | X | X | X | X | | Obfuscation (RAR with JPG ext) | | | | | (X) | -| Web Shells (a good selection) | X | | (X) | | X | -| Ncat Alternative (Drop & Exec) | X | | X | X | X | -| Remote Execution Tool (Drop) | (X) | | | | X | -| Mimikatz (Drop & Exec) | X | | X | X | X | +| Nbtscan Discovery (Scan & Output) | | X | X | (X) | X | +| Recon Activity (Typical Commands) | | | X | X | X | | PsExec (Drop & Exec) | | | X | X | X | -| At Job Creation | | | X | X | X | +| Remote Execution Tool (Drop) | (X) | | | | X | +| At Job | | | X | X | X | | RUN Key Entry Creation | | | X | X | X | -| System File in Susp Loc (Drop & Exec) | | | X | X | X | -| Guest User (Activation & Admin) | | | X | X | X | -| LSASS Dump (with Procdump) | | | X | X | X | -| C2 Requests | (X) | X | X | X | | -| Malicious User Agent (Malware, RATs) | | X | X | X | | | Scheduled Task Creation | | | X | X | X | -| Nbtscan Discovery (Scan & Output) | | X | X | (X) | X | -| Obfusc. 
JS (CACTUSTORCH) & Bind Shell | (X) | X | X | X | X | +| StickyKey Backdoor | | | X | | X | +| Web Shells | X | | (X) | | X | + +# Test Sets -# Test Cases +## Collection -## 1. Dumps +### Collect Local Files - drops pwdump output to the working dir - drops directory listing to the working dir -## 2. Recon +## Command and Control -- Executes command used by attackers to get information about a target system +### C2 Connects + +- Uses Curl to access well-known C2 servers -## 3. DNS +### DNS Cache 1 - Looks up several well-known C2 addresses to cause DNS requests and get the addresses into the local DNS cache -## 4. Eventlog +### Malicious User Agents -- Creates Windwows Eventlog entries that look as if WCE had been executed +- Uses malicious user agents to access web sites -## 5. Hosts +### Ncat Back Connect -- Adds entries to the local hosts file (update blocker, entries caused by malware) +- Drops a PowerShell Ncat alternative to the working directory and runs it to back connect to a well-known attacker domain -## 6. Sticky Key Backdoor +## Credential Access -- Tries to replace sethc.exe with cmd.exe (a backup file is created) -- Tries to register cmd.exe as debugger for sethc.exe +### LSASS DUMP -## 7. Obfuscation +- Dumps LSASS process memory to a suspicious folder -- Drops a cloaked RAR file with JPG extension +### Mimikatz-1 -## 8. Web Shells +- Dumps mimikatz output to working directory (fallback if other executions fail) +- Run special version of mimikatz and dump output to working directory +- Run Invoke-Mimikatz in memory (github download, reflection) -- Creates a standard web root directory -- Drops standard web shells to that diretory -- Drops GIF obfuscated web shell to that diretory +### WCE-1 -## 9. Ncat Alternative +- Creates Windwows Eventlog entries that look as if WCE had been executed -- Drops a PowerShell Ncat alternative to the working directory +## Defense Evasion -## 10. 
Remote Execution Tool +### Active Guest Account Admin -- Drops a remote execution tool to the working directory +- Activates Guest user +- Adds Guest user to the local administrators -## 11. Mimikatz +### Fake System File -- Dumps mimikatz output to working directory (fallback if other executions fail) -- Run special version of mimikatz and dump output to working directory -- Run Invoke-Mimikatz in memory (github download, reflection) +- Drops suspicious executable with system file name (svchost.exe) in %PUBLIC% folder +- Runs that suspicious program in %PUBLIC% folder -## 12. PsExec +### Hosts -- Dump a renamed version of PsExec to the working directory -- Run PsExec to start a command line in LOCAL_SYSTEM context +- Adds entries to the local hosts file (update blocker, entries caused by malware) -## 13. At Job +### JS Dropper -- Creates an at job that runs mimikatz and dumps credentials to file +- Runs obfuscated JavaScript code with wscript.exe and starts decoded bind shell on port 1234/tcp -## 14. RUN Key +### Obfuscation -- Create a suspicious new RUN key entry that dumps "net user" output to a file +- Drops a cloaked RAR file with JPG extension -## 15. System File Suspicious Location +## Discovery -- Drops suspicious executable with system file name (svchost.exe) in %PUBLIC% folder -- Runs that suspicious program in %PUBLIC% folder +### Nbtscan Discovery -## 16. Guest User +- Scanning 3 private IP address class-C subnets and dumping the output to the working directory -- Activates Guest user -- Adds Guest user to the local administrators +### Recon -## 17. LSASS DUMP +- Executes command used by attackers to get information about a target system -- Dumps LSASS process memory to a suspicious folder +## Execution -## 18. C2 Requests +### PsExec -- Uses Curl to access well-known C2 servers +- Dump a renamed version of PsExec to the working directory +- Run PsExec to start a command line in LOCAL_SYSTEM context -## 19. 
Malicious User Agents +### Remote Execution Tool -- Uses malicious user agents to access web sites +- Drops a remote execution tool to the working directory + +## Lateral Movement + +No test cases yet + +## Persistence + +### At Job -## 20. Scheduled Task Creation +- Creates an at job that runs mimikatz and dumps credentials to file + +### RUN Key + +- Create a suspicious new RUN key entry that dumps "net user" output to a file + +### Scheduled Task Creation - Creates a scheduled task that runs mimikatz and dumps the output to a file -## 21. Nbtscan Discovery +### Sticky Key Backdoor -- Scanning 3 private IP address class-C subnets and dumping the output to the working directory +- Tries to replace sethc.exe with cmd.exe (a backup file is created) +- Tries to register cmd.exe as debugger for sethc.exe -## 22. Obfuscated JS Dropper (CACTUSTORCH) and Bind Shell +### Web Shells -- Runs obfuscated JavaScript code with wscript.exe and starts decoded bind shell on port 1234/tcp +- Creates a standard web root directory +- Drops standard web shells to that diretory +- Drops GIF obfuscated web shell to that diretory # Warning diff --git a/test-sets/command-and-control/malicious-useragent.bat b/test-sets/command-and-control/malicious-user-agents.bat similarity index 100% rename from test-sets/command-and-control/malicious-useragent.bat rename to test-sets/command-and-control/malicious-user-agents.bat diff --git a/test-sets/command-and-control/netcat-backconnect.bat b/test-sets/command-and-control/netcat-back-connect.bat similarity index 100% rename from test-sets/command-and-control/netcat-backconnect.bat rename to test-sets/command-and-control/netcat-back-connect.bat diff --git a/test-sets/defense-evasion/activ-guest-acccount-admin.bat b/test-sets/defense-evasion/active-guest-acccount-admin.bat similarity index 100% rename from test-sets/defense-evasion/activ-guest-acccount-admin.bat rename to test-sets/defense-evasion/active-guest-acccount-admin.bat 
diff --git a/test-sets/command-and-control/js-dropper.bat b/test-sets/defense-evasion/js-dropper.bat similarity index 100% rename from test-sets/command-and-control/js-dropper.bat rename to test-sets/defense-evasion/js-dropper.bat
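Review bot: The rename of `activ-guest-acccount-admin.bat` to `active-guest-acccount-admin.bat` fixes the `activ` typo but keeps the triple-c `acccount` in the new file name, so a second rename will be needed later; renaming straight to `active-guest-account-admin.bat` in this commit would avoid that. Typos are likewise carried over verbatim into the reorganised README text in the `@@ -76,127 +76,145 @@` hunk: `+- Creates Windwows Eventlog entries that look as if WCE had been executed` (under `### WCE-1`) and `+- Drops standard web shells to that diretory` / `+- Drops GIF obfuscated web shell to that diretory` (under `### Web Shells`) should read `Windows` and `directory`. The table and the section headings also drift apart in naming: `Mimikatz 1` and `WCE 1` in the table versus `### Mimikatz-1` and `### WCE-1` as headings, `StickyKey Backdoor` versus `### Sticky Key Backdoor`, `Obfuscated JS Dropper` versus `### JS Dropper`, `Recon Activity (Typical Commands)` versus `### Recon`, and `Hosts File (AV/Win Update blocks)` versus `### Hosts`; using one spelling per test case in both places (ideally the one that maps to the .bat file name, as `malicious-user-agents.bat` and `netcat-back-connect.bat` now do) would make the table a reliable index into the sections. Lastly, `### LSASS DUMP` is the only all-caps heading; `### LSASS Dump` matches its table row and the other headings.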