Test Your Cyberdefense with Hacker’s Mindset (Part 2)



Organizations may have the best cybersecurity technology, software, services, policies, and processes in the industry. But however confident you are, how can you be sure of your overall cybersecurity posture? Cybersecurity testing is about verifying, rather than assuming, that your entire security posture performs as intended.

In a nutshell, testing tells you whether you are:

  • prepared for an attack
  • aware of the risks you carry
  • aware of how many gaps (errors) exist in your controls

Understanding the hacker's mindset plays a crucial role in defending against cyber-attacks and in knowing an organization's overall cybersecurity posture. We explained this briefly in our previous blog.

So let’s deep dive into the test environment…

Preparing the Test Environment

1. Setting Up Detection Lab

DetectionLab is an out-of-the-box lab environment for testing your defensive controls and finding the blind spots in them. It is built from Vagrant, Packer, and VirtualBox running on a single host computer. The lab consists of four virtual machines that simulate a Domain Controller, a Windows Event Forwarder (WEF), a Logger, and a Windows 10 endpoint, the core components of most Windows infrastructures. You can replay attacks in this lab and see what your tooling misses.

Hardware Requirements: Listed below are my hardware specs; treat them as the minimum, too (DetectionLab itself asks for 16GB+ of RAM and 55GB+ of free disk space).

  • OS: Windows 10
  • Processor: i7-8750H (6 cores / 12 threads)
  • RAM: DDR4-2666 16GB
  • Storage: M.2 PCIe SSD 512GB (55GB+ of free disk space is needed)

Step 1: Open PowerShell as an administrator.

Command: Start >> Type PowerShell >> (Right Click) >> Run as Administrator.

Step 2: In PowerShell, make sure the execution policy is not Restricted. Check it first:

Command: Get-ExecutionPolicy

If it returns Restricted, change it:

Command: Set-ExecutionPolicy AllSigned

If you did it right, Get-ExecutionPolicy now shows AllSigned (RemoteSigned is also acceptable; anything except Restricted will do).

Step 3: Install Chocolatey.

Command: Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

(The -bor 3072 flag enables TLS 1.2 for the download; the Bypass policy applies to this PowerShell process only.)

Wait a few minutes for the install to finish.

Step 4: Install Git using Chocolatey.

Command: choco install git --params "'/GitAndUnixToolsOnPath'"

Step 5: Install Vagrant.

Command: choco install vagrant

Step 6: Clone detection lab.

Commands:

mkdir git                                               # make a directory called git
cd git                                                  # enter the directory git
mkdir detectionlab                                      # make a directory called detectionlab inside it
cd detectionlab                                         # enter the directory detectionlab
git clone https://github.com/clong/DetectionLab.git    # clone the code

Step 7: Install VirtualBox.

Command: choco install virtualbox

Step 8: Build DetectionLab. Run this from the DetectionLab directory you just cloned:

Command: .\build.ps1 -ProviderName virtualbox -VagrantOnly

The build downloads the Vagrant boxes and provisions all four VMs, so it will take from an hour to half a day depending on your internet speed.

Post Installation Steps:

After the build finishes, navigate to the Vagrant directory and check that all the hosts are up.

Commands:
cd .\DetectionLab\Vagrant\
vagrant status

In the screenshots (not reproduced here), vagrant status showed all four virtual machines running: win10 (Windows 10 endpoint), dc (Domain Controller), logger, and wef (Windows Event Forwarder).
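Steps 1 to 8 and the status check, collected into one PowerShell script. This is an added example, not code from the original post or from the DetectionLab project. It assumes the clone lives under $env:USERPROFILE\git\detectionlab, uses the Chocolatey install URL the post uses, and checks for the VM names DetectionLab's Vagrantfile defines (dc, wef, win10, logger); run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example: DetectionLab setup (steps 1-8 above) as one script.
# Assumptions: clone under $env:USERPROFILE\git\detectionlab; install URL as in the post.
$ErrorActionPreference = 'Stop'
$workDir = Join-Path $env:USERPROFILE 'git\detectionlab'

# Step 2: the policy must not be Restricted. AllSigned for the machine, and
# Bypass scoped to this process so the rest of the script can run.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    Set-ExecutionPolicy AllSigned -Scope LocalMachine -Force
}
Set-ExecutionPolicy Bypass -Scope Process -Force

# Step 3: Chocolatey, skipped if choco is already on PATH. 3072 = TLS 1.2.
if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor 3072
    Invoke-Expression ((New-Object Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
}

# Steps 4, 5 and 7: git, Vagrant and VirtualBox. -y answers the confirmation prompts.
choco install git -y --params "'/GitAndUnixToolsOnPath'"
choco install vagrant -y
choco install virtualbox -y
# Refresh PATH in this session so git and vagrant resolve without opening a new shell.
$chocoHome = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { 'C:\ProgramData\chocolatey' }
Import-Module (Join-Path $chocoHome 'helpers\chocolateyProfile.psm1')
Update-SessionEnvironment

# Step 6: clone DetectionLab, or reuse an existing clone.
New-Item -ItemType Directory -Force -Path $workDir | Out-Null
Set-Location $workDir
if (-not (Test-Path 'DetectionLab\.git')) {
    git clone https://github.com/clong/DetectionLab.git
}

# Pre-flight check: the VMs need 55 GB+ free on the drive that holds them.
$drive = $workDir.Substring(0, 1)
$freeGB = [math]::Floor((Get-PSDrive -Name $drive).Free / 1GB)
if ($freeGB -lt 55) { throw "Only $freeGB GB free on ${drive}:; DetectionLab needs 55 GB+." }

# Step 8: build with Vagrant only (pre-built boxes, no Packer run).
Set-Location (Join-Path $workDir 'DetectionLab')
.\build.ps1 -ProviderName virtualbox -VagrantOnly

# Post-install check: every host must report "running".
Set-Location 'Vagrant'
$status = vagrant status
$status
$notRunning = $status | Select-String -Pattern '^(dc|wef|win10|logger)\s+(?!running)'
if ($notRunning) {
    Write-Warning ("Not all hosts are up:`n" + (($notRunning | ForEach-Object Line) -join "`n"))
} else {
    Write-Host 'All four DetectionLab hosts are running.'
}
```

The script is safe to rerun: Chocolatey, the clone and the Vagrant boxes are only fetched when missing, and the free-space check fails fast instead of letting the build die hours in.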

Apart from this, you can install your own security products in the lab and measure their effectiveness. Red teams can use the same lab to learn what defenders see and adapt their attacks accordingly.

For that, install your own agent (EDR or SIEM collector) on the WIN10 host; the original post shows one such install as a reference.

With that, the lab is set up and running, and we can move on to the next part.

2. Setting Up The “Invoke Atomic Red Team” Tool

Installation of this tool is very easy and involves no complicated steps.

To install only the execution framework together with the atomics folder, run PowerShell as administrator and execute:

Command: IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics

If this errors out, or reports that the atomics folder already exists, rerun it with -Force:

Command: IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics -Force

The original post's screenshots show the installation in progress and then complete.

With that, all of the setup is done. Now we proceed to the tests.

PERFORMING ATTACKS & ANALYSING THE RESULTS

  • T1003.001 – LSASS Memory: Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory.

Atomic Test #1 – Windows Credential Editor

This test dumps user credentials using Windows Credential Editor (wce.exe). Steps to perform it:

First, fetch and check the prerequisites (this downloads wce.exe into the atomics bin folder):

Command: Invoke-AtomicTest T1003.001 -GetPrereqs

Then run the attack by test number:

Command: Invoke-AtomicTest T1003.001 -TestNumbers 1

ANALYSIS OF THE ATTACK

In EDR



Here we can clearly see wce.exe in the command line; the next image also shows that the file is detected as malicious and quarantined.



IN SIEM: from the command line shown in the image below we can clearly see the path of the output file for the dumped passwords/hashes, %temp%/wce-output.file.



Atomic Test #2 – Dump LSASS.exe Memory using ProcDump

The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump.

Attack command: Invoke-AtomicTest T1003.001 -TestNumbers 2

Upon successful execution, look for procdump.exe in process telemetry and for the dump file lsass_dump.dmp.

ANALYSIS:

IN EDR 

By looking below we can say that we are able to detect this Attack



IN SIEM



As we can see, the command line (the SIEM shows it with JSON-escaped backslashes and quotes) is:

"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp"

Hence, we are able to detect this attack: the IoCs are procdump.exe run with -ma against lsass.exe, and the dump file lsass_dump.dmp.

  • T1018 – Remote System Discovery: 

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifiers on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.

Atomic Test #1 – Remote System Discovery – net

Identify remote systems with net.exe. Upon successful execution, cmd.exe runs net view and displays the systems on the network that have file and print sharing enabled.

Commands: Invoke-AtomicTest T1018 -GetPrereqs

                     Invoke-AtomicTest T1018 -TestNumbers 1

ANALYSIS:

Here we can clearly see that in the command line these IoCs are being used 

net view /domain

net view

Hence, here we can clearly detect this attack



Atomic Test #4 – Remote System Discovery – ping sweep

Identify remote systems via ping sweep. Upon successful execution, cmd.exe loops over the 192.168.1.1/24 network, pinging each address. The output goes to stdout.

Command: Invoke-AtomicTest T1018 -TestNumbers 4 (simply change the test number)

ANALYSIS:

Here, by looking at the command line we can clearly see that it’s performing a ping sweep

Atomic Test #5 – Remote System Discovery – arp

Identify remote systems via arp. Upon successful execution, cmd.exe runs arp to list the ARP cache. The output goes to stdout.

Attack command: Invoke-AtomicTest T1018 -TestNumbers 5

ANALYSIS:

Here also we can clearly see that, it has been detected



  • T1027 – Obfuscated Files or Information:

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is a common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection.

Atomic Test #2 – Execute base64-encoded PowerShell

Creates base64-encoded PowerShell code and executes it via powershell.exe -EncodedCommand. This is used by numerous adversaries and malicious tools.

Attack command: Invoke-AtomicTest T1027 -TestNumbers 2 (same as before, just update the technique ID and test number)

ANALYSIS:

EDR: Our EDR detected it. In the command line below we can see the encoded PowerShell command.



SIEM: In the SIEM too we can see the encoded command, so the attack has been detected, as shown below:
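The analysis sections above all come down to the same thing: spotting a handful of IoCs in process command lines. The PowerShell below is an added example, not code from the original post or from Atomic Red Team. It classifies command lines against the tests run above and, for T1027, decodes the -EncodedCommand payload (base64 over UTF-16LE) so the analyst sees what actually ran. The $events array is constructed sample data shaped like the CommandLine field of Sysmon Event ID 1 or Security Event 4688; Get-SysmonCommandLine shows how to feed real events in, and the regexes and sample lines are my assumptions about what each test leaves in telemetry.

```powershell
# Added example (not from the original post): command-line classifier for the
# atomic tests run above. Regexes and sample events are constructed for illustration.

# One rule per test; each pattern keys on the tool plus the argument that matters.
$rules = @(
    @{ Id = 'T1003.001'; Test = 'WCE credential dump';   Pattern = '\bwce(\.exe)?\b.*\s-o\s' }
    @{ Id = 'T1003.001'; Test = 'ProcDump on LSASS';     Pattern = 'procdump.*\s-ma\s+lsass(\.exe)?' }
    @{ Id = 'T1018';     Test = 'net view discovery';    Pattern = '\bnet1?(\.exe)?\s+view\b' }
    @{ Id = 'T1018';     Test = 'ping sweep loop';       Pattern = '\bfor\s+/l\b.*\bping\b' }
    @{ Id = 'T1018';     Test = 'arp cache listing';     Pattern = '\barp(\.exe)?\s+-a\b' }
    @{ Id = 'T1027';     Test = 'encoded PowerShell';    Pattern = 'powershell.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}' }
)

function Test-CommandLine {
    # Returns the first matching rule (technique, test name, command line) or nothing.
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($rule in $rules) {
        if ($CommandLine -match $rule.Pattern) {   # -match is case-insensitive by default
            $hit = [ordered]@{ Technique = $rule.Id; Test = $rule.Test; CommandLine = $CommandLine }
            # T1027: -EncodedCommand is base64 of UTF-16LE text, not UTF-8, so decode with Unicode.
            if ($rule.Id -eq 'T1027' -and $CommandLine -match '\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
                $hit.Decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
            }
            return [pscustomobject]$hit
        }
    }
}

function Get-SysmonCommandLine {
    # Live input: CommandLine from Sysmon Event ID 1, selected by field name so the
    # code does not depend on the field order, which differs between Sysmon versions.
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'CommandLine' } |
                ForEach-Object { $_.'#text' }
        }
}

# Constructed samples: one line per test above, plus a benign line that must not fire.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host "Hey, Atomic!"'))
$events = @(
    'C:\AtomicRedTeam\atomics\T1003.001\bin\wce.exe -o %temp%\wce-output.file',
    '"C:\Windows\system32\cmd.exe" /c "C:\AtomicRedTeam\atomics\T1003.001\bin\procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp"',
    'cmd.exe /c net view /domain & net view',
    'cmd.exe /c for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i',
    'cmd.exe /c arp -a',
    "powershell.exe -NoProfile -EncodedCommand $encoded",
    'C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule'
)

# Offline run over the samples; for the lab, replace $events with Get-SysmonCommandLine.
$events | ForEach-Object { Test-CommandLine $_ } | Format-List
```

The six atomic lines each produce one hit and the svchost line produces none. Keying the rules on arguments (-ma lsass, for /l ... ping, -EncodedCommand) rather than on the bare tool name is what keeps them useful outside the lab, where net.exe and arp.exe also run for legitimate reasons.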

Finally, as we have seen above, the commands to run the tests are simple: the core command stays the same and only the technique ID and test number change. In the same way, you can run all the available atomics and check the security posture and efficiency of your solutions.
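Running the same tests as a batch, with prerequisite checks, an execution log to correlate against the SIEM and EDR, and cleanup after each technique. This is an added example, not code from the original post or from the Atomic Red Team project; it assumes Invoke-AtomicRedTeam was installed to the default C:\AtomicRedTeam path as in section 2, and that it runs elevated on the WIN10 host.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): batch-run the atomics used above.
# Assumes the default install path from section 2.
Import-Module 'C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1' -Force

$logPath = "C:\AtomicRedTeam\atomic-run-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# Technique -> test numbers: exactly the set exercised in this post.
$plan = [ordered]@{
    'T1003.001' = @(1, 2)
    'T1018'     = @(1, 4, 5)
    'T1027'     = @(2)
}

foreach ($technique in $plan.Keys) {
    $tests = $plan[$technique]

    # Show what is about to run, fetch anything missing (wce.exe, procdump.exe ...),
    # then confirm the prerequisites are satisfied before executing anything.
    Invoke-AtomicTest $technique -TestNumbers $tests -ShowDetailsBrief
    Invoke-AtomicTest $technique -TestNumbers $tests -GetPrereqs
    Invoke-AtomicTest $technique -TestNumbers $tests -CheckPrereqs

    # Execute. The CSV log records time, technique, test number, host and user,
    # which is what you need to tie each EDR/SIEM alert back to the test that caused it.
    Invoke-AtomicTest $technique -TestNumbers $tests -ExecutionLogPath $logPath

    # Give the agents time to ship telemetry before the artefacts are removed.
    Start-Sleep -Seconds 30
    Invoke-AtomicTest $technique -TestNumbers $tests -Cleanup
}

# One row per executed test; join against the SIEM on hostname and time window.
Import-Csv $logPath | Format-Table -AutoSize
```

Cleanup matters in a lab you intend to reuse: a leftover lsass_dump.dmp or wce output file from an earlier run will show up as a detection in the next one and muddy the results.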

You can leverage SharkStriker’s range of Cyber security services to improve your defense and seek the help of our experts to test your cyber defense. Our ORCA-based MDR service can help in detecting and responding to such attacks in real-time. Standing for Observe, Response, Compliance, and Awareness, ORCA-based services can enable continuous monitoring and centralized visibility for quick detection and real-time response.