Professor Frank


Download the Rocky Linux VM here: https://www.dropbox.com/scl/fo/2cmk4obf8lttgf5ppmi0w/AEGpW9tGCq5HIq8VwuxP7mg?rlkey=bgn898ztlbn771nr1rraxbeu0&st=ixf4vni5&dl=0

Download the Windows 10 VM ISO: https://www.dropbox.com/scl/fo/3j1q409i3iqradulbkxwu/h?rlkey=goc6fveoueiuc055lbbrsmynu&st=cgzxvy7d&dl=0

Key Details: Caldera Server
  Rocky Linux 8
  Login: class
  Password: Caldera1234!
  Interface: localhost:8888
  Username: admin/admin
  Username: <none>/admin
  Note: details for logins can be found in /caldera/conf

Key Details: Windows 10 client
  Login: class
  Password: Caldera1234!

 Lab document – Adversary Simulation – Beyond the Hype 


In this workshop we will use MITRE Caldera for adversary simulation, observing and understanding the attack in order to build a better defense.

1. Set up the environment! 

2. Connect the target to the server for proof of concept 

3. Detecting the C2 

4. Phishing simulation – can you download from a site? 

5. <not ready yet> Obfuscation of script with UPX 

  

Setting Up the Environment

Setting up the initial Caldera Environment

1.1 Caldera Server Setup

  1. Import and Start the Caldera Server:
    • Download or copy the virtual machines from <website> or portable HDD
    • Import the image into your virtualization software (e.g., VMware, VirtualBox).
    • Start the Caldera target machine VM, login with class/Caldera1234!
    • Verify that the Caldera web interface is accessible at http://localhost:8888
    • Explore the interface, reviewing the agents, adversaries and their abilities


If the web interface is not running, open a terminal and run this command from the Caldera directory:

python3 server.py --insecure --build

MITRE ATT&CK: Resource Development (TA0042) - Acquiring Infrastructure (T1583.004 Server)

This section focuses on setting up the necessary lab environment, simulating the acquisition of server infrastructure.

Caldera Target Machine Setup

  1. Import and Start the Caldera Target Machine:
    • Locate your Caldera target machine virtual machine image.
    • Import the image into your virtualization software.

MITRE CALDERA Agents: The Foot Soldiers of Automated Adversary Emulation


MITRE CALDERA agents are the operational backbone of its automated adversary emulation platform. These adaptable software programs are deployed to target systems to execute commands and simulate the tactics and techniques of real-world cyber adversaries. Functioning as the hands and feet of the CALDERA server, agents establish a command and control (C2) channel, receive instructions, and carry out tasks to mimic a full-scale cyberattack.

At its core, a CALDERA agent is a lightweight program that communicates with the CALDERA server at regular intervals. This communication, known as "beaconing," allows the agent to fetch new instructions and send back the results of previously executed commands. This process enables security teams to test their defenses against a variety of attack scenarios in a controlled environment.

  • Sandcat: This is the default and most versatile agent, written in the Go programming language. Sandcat's key advantage is its ability to communicate over multiple protocols, including HTTP, a common channel for C2 traffic. Its cross-platform compatibility with Windows, macOS, and Linux makes it a popular choice for a wide range of emulation exercises.
  • Manx: Also developed in Go, the Manx agent is designed for communication over the Transmission Control Protocol (TCP). It essentially functions as a reverse shell, providing a direct command-line interface to the compromised host from the CALDERA server.
  • Ragdoll: For environments where Python is prevalent, the Ragdoll agent is the go-to choice. It communicates with the CALDERA server using the HTTP protocol, similar to Sandcat, but with a Python-based implementation.

Agent Deployment – Deploying a Command-and-Control (C2) to practice 

  1. Create an Agent in Caldera:
    • Log in to your Caldera server by opening a web browser at http://localhost:8888.
    • Navigate to the "Agents" section.
    • Follow the Caldera interface instructions to create a new agent payload. Select the appropriate operating system for your target machine.


    • Caldera will display a deployment script for the agent. Be sure to change the IP address in that script to your Caldera server's address.


  2. Install the Agent on the Target Machine:
    • Transfer the generated agent payload to the Caldera target machine. (In a real-world scenario, this is where initial access techniques come into play.) For the proof-of-concept, we will work on just installing the agent.
    • Execute the script agent payload on the target machine.
    • Verify in the Caldera server interface that the agent has successfully checked in and is active.
    • Observe the attack in Caldera under Agents.
    • Observe the attack in the Windows Event Logs. Search through the logs for the IP address of the Caldera server.

3. Initial Access – Drive-By Compromise (ID:T1189)

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. Multiple ways of delivering exploit code to a browser exist (i.e., Drive-by Target), including:

  • A legitimate website is compromised, allowing adversaries to inject malicious code
  • Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
  • Malicious ads are paid for and served through legitimate ad providers (i.e., Malvertising)
  • Built-in web application interfaces that allow user-controllable content are leveraged for the insertion of malicious scripts or iFrames (e.g., cross-site scripting)

This is where we should start thinking about Defense-in-Depth. The typical attack is a user visiting a website through a phishing campaign. As we know, the first line of defense is user education, which belongs to the administrative category in the framework of administrative, technical, and physical controls.

With the annual training being part of the administrative controls, what are our technical controls against a phishing site?

  • Proxy servers and other filtering mechanisms
  • The ability to install software
  • Running Python on the workstation

One of the questions to ask is “are we practicing the Principle of Least Privilege?”, and how do we validate that these controls are in place?

Applying Defense-in-Depth

If a user does click on a link for a C2  


Enabling Detection for Chrome 

On stand-alone machines, logging is not enabled by default. 

To access error logs for Google Chrome, you'll need to enable logging manually, as Chrome does not generate detailed logs by default. Here is how to do it depending on your operating system:

  

🪟 On Windows

  1. Enable Logging via Shortcut:
    • Right-click your Chrome shortcut and select Properties.
    • In the Target field, add this to the end: --enable-logging --v=1
    • Click Apply and OK, then launch Chrome using that shortcut.

  2. Find the Log File:
    • Logs are saved to: C:\Users\<YourUsername>\AppData\Local\Google\Chrome\User Data\chrome_debug.log
    • This file is overwritten each time Chrome restarts, so check it before closing the browser.


🍎 On macOS

  1. Open Terminal and run: /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --enable-logging --v=1
  2. The log file will be located in your user data directory as chrome_debug.log.


🐧 On Linux

  • Run Chrome with the same command-line flags: google-chrome --enable-logging --v=1
  • The log file will also be named chrome_debug.log in your user data directory.


🔍 Additional Tips

  • To view crash reports, go to: chrome://crashes
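The two detection steps in this lab, searching the Windows Event Logs for the Caldera server's IP address and checking chrome_debug.log, can be done from one PowerShell session on the Windows 10 client. The following is an added example, not part of the original lab: the server address 192.168.56.10 is an assumed lab value, and the Sysmon channel is only present if Sysmon is installed.

```powershell
# Added example (not from the lab): look for traces of the Caldera server on the
# Windows 10 client. $CalderaIp is an ASSUMED lab value; replace it with yours.
$CalderaIp   = '192.168.56.10'
$CalderaPort = 8888                      # Caldera's default web/C2 port
$Pattern     = [regex]::Escape($CalderaIp)

# Logs to inspect. The Sysmon channel exists only if Sysmon is installed, and
# Security log network events (5156) need the Windows Filtering Platform audit
# policy enabled, so an unreadable or empty log is reported, not fatal.
$Logs = 'Security', 'System', 'Application',
        'Microsoft-Windows-Sysmon/Operational',
        'Microsoft-Windows-PowerShell/Operational'

$hits = foreach ($log in $Logs) {
    try {
        Get-WinEvent -LogName $log -MaxEvents 50000 -ErrorAction Stop |
            Where-Object { $_.Message -match $Pattern } |
            Select-Object TimeCreated, LogName, Id, ProviderName,
                @{ Name = 'FirstLine'; Expression = { ($_.Message -split "`r?`n")[0] } }
    } catch {
        Write-Warning "Could not read log '$log': $($_.Exception.Message)"
    }
}

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No event log entries mention $CalderaIp (is Sysmon or WFP auditing enabled?)."
}

# Live view: which process on this host currently has a connection to the server?
Get-NetTCPConnection -RemoteAddress $CalderaIp -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemotePort = $_.RemotePort
            State      = $_.State
            Process    = $proc.ProcessName
        }
    } | Format-Table -AutoSize

# Chrome debug log written by --enable-logging --v=1 (overwritten on each restart).
$ChromeLog = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\chrome_debug.log'
if (Test-Path $ChromeLog) {
    Select-String -Path $ChromeLog -Pattern "$Pattern(:$CalderaPort)?" |
        Select-Object LineNumber, Line |
        Format-Table -AutoSize -Wrap
} else {
    Write-Host "chrome_debug.log not found; start Chrome with --enable-logging --v=1 first."
}
```

Run it while the agent is still beaconing so the live connection check has something to show; the event log and Chrome log searches work after the fact as well.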

  

Lab: Adversary Simulation - Initial Access and Reconnaissance

This lab will guide you through simulating initial access and reconnaissance techniques, leveraging MITRE Caldera and other tools.

Objectives:

  • Understand and simulate T1583 Acquire Infrastructure: .004 Server for resource development.
  • Explore methods for agent delivery, specifically via phishing.
  • Practice T1591 Gather Victim Org Information for reconnaissance.
  • Demonstrate T1189 Drive-by Compromise through a malicious PDF.
  • Obfuscate the script with UPX

Scenario – phishing email deploying a C2 

4. Phishing attack to embed the link

  • Embed the link in a PDF

  1. Obtain a PDF from the target website with Google Dorking – site:<website> filetype:pdf
    • In Kali, launch the Social Engineering Toolkit (SET)
    • Choose 1) Social Engineering Attack
    • Choose 3) Infectious Media Generator
    • Choose 1) file-format exploits
    • Need IP address of target machine – this could be 0.0.0.0 for now
    • Choose 13) Adobe PDF Embedded EXE Social Engineering
    • Choose 1) Use your own PDF for attack

5. Obfuscation with UPX 

In the Kali machine, use UPX to compress and obfuscate the script:

upx --brute -9 shell.exe -o ushell.exe

  1. Scenario – deploying the agent to the target system.
    • Set up a simple Python HTTP server: python3 -m http.server 8000
    • Disable the firewall: sudo systemctl stop firewalld
    • Check the status of the firewall: sudo systemctl status firewalld

  

1.4 Wazuh Server Setup (Optional but Recommended)

  1. Import and Start the Wazuh Server:
    • Locate your Wazuh server virtual machine image or installation files.
    • Import the image into your virtualization software.
    • Start the Wazuh server VM.
    • Verify that the Wazuh web interface is accessible and that it can receive logs from your target machine.

      

Part 2: Initial Access (TA0001) - Phishing (T1566) for Agent Delivery

This section details methods for delivering the Caldera agent to the target machine, specifically through a simulated phishing attack.

2.1 Crafting Phishing Emails

Question: How do we get the agent onto the machine in a realistic scenario?

Answer: Phishing emails are a common method.

  1. Craft an Email with a Malicious Link:
    • Using an email client or a phishing simulation tool, create an email that appears legitimate.
    • Embed a link in the email that, when clicked, will lead to the download or execution of your Caldera agent. This could involve hosting the agent on a web server controlled by you.
    • Consider social engineering techniques to entice the victim to click the link (e.g., fake invoice, urgent notification).

      

Part 3: Reconnaissance (TA0043) - Gather Victim Organization Information (T1591)

This section focuses on gathering publicly available information about the victim organization.

3.1 Google Dorking for Information Gathering

  1. Perform Google Dorking:
    • Open a web browser and navigate to Google.
    • Use specific Google dorks to search for sensitive or revealing documents about the target organization.
    • Example Dork: site:targetsite.com filetype:pdf (Replace targetsite.com with your simulated target domain). This dork searches for PDF documents specifically on the target website.
    • Review the search results for any information that could be useful for further attacks (e.g., employee names, internal network diagrams, policies, software versions).

      

Part 4: Initial Access (TA0001) - Drive-by Compromise (T1189) & Obfuscation

This section demonstrates how to embed a malicious link in a document and obfuscate malware.

4.1 Drive-by Compromise with SET Toolkit

  1. Embed Client Link in a PDF from the Site:
    • Using the Google Dorking results from Part 3, download a legitimate PDF document from the target website.
    • Utilize the Social-Engineer Toolkit (SET) to create a malicious payload (e.g., a direct link to your Caldera agent or a payload that initiates a drive-by download).
    • SET can also be used to create a "fileformat" attack where the malicious payload is embedded within a seemingly legitimate document.
    • Embed the malicious client link or payload into the downloaded PDF. This could involve techniques like embedding an executable or a malicious script that runs when the PDF is opened.
    • Host the modified PDF on a web server.
    • Simulate a drive-by download scenario where a user navigates to a malicious site or clicks a link that automatically downloads the compromised PDF.

4.2 Obfuscating Malware with UPX

  1. Obfuscate the Malware using UPX:
    • Assuming you have a raw executable (e.g., your Caldera agent payload) that you want to make less detectable by antivirus software.
    • Use UPX (a dynamic PE infector) to obfuscate the malware.
    • Open UPX and load your target executable.
    • Follow UPX's prompts to select an obfuscation method or payload. UPX will inject the payload into the legitimate application, attempting to bypass antivirus signatures.
    • Save the obfuscated executable.
    • (Optional) Test the obfuscated executable against antivirus software to see its effectiveness.
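The defender-side counterpart to the UPX steps above (section 5 and 4.2) is to see what the packer leaves behind: stock UPX renames the PE sections to UPX0/UPX1 and writes a "UPX!" marker, which is exactly the footprint antivirus signatures key on. The following PowerShell is an added example, not part of the lab, that reads the PE section table and flags files with that footprint; the Downloads folder is an assumed location for the transferred payload.

```powershell
# Added example (not from the lab): flag PE files carrying the standard UPX
# footprint (section names UPX0/UPX1, "UPX!" marker). $Folder is an ASSUMED path.
function Test-UpxPacked {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    # Minimal PE sanity checks: "MZ" at offset 0, then "PE\0\0" at e_lfanew (offset 0x3C).
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)
    if ($peOff -lt 0 -or $peOff + 24 -gt $b.Length) { return $null }
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { return $null }
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20. The
    # section table (40-byte entries, 8-byte name first) follows the optional header.
    $numSections = [BitConverter]::ToUInt16($b, $peOff + 6)
    $secTable    = $peOff + 24 + [BitConverter]::ToUInt16($b, $peOff + 20)
    if ($secTable + $numSections * 40 -gt $b.Length) { return $null }
    $names = for ($i = 0; $i -lt $numSections; $i++) {
        [System.Text.Encoding]::ASCII.GetString($b, $secTable + $i * 40, 8).TrimEnd([char]0)
    }
    # The pack header marker "UPX!" is kept by default; a modified packer may strip it,
    # which is why the section names are checked independently.
    $marker  = [System.Text.Encoding]::ASCII.GetString($b).Contains('UPX!')
    $upxSecs = [bool]($names -match '^UPX\d')
    [pscustomobject]@{
        File        = Split-Path $Path -Leaf
        Sections    = ($names -join ',')
        UpxSections = $upxSecs
        UpxMarker   = $marker
        LikelyUpx   = $upxSecs -or $marker
    }
}

# Scan the assumed download folder on the target and list what looks packed.
$Folder = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -Path $Folder -Include *.exe, *.dll -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-UpxPacked -Path $_.FullName } |
    Where-Object { $_ } |
    Sort-Object LikelyUpx -Descending |
    Format-Table -AutoSize
```

A packed file shows up with Sections like UPX0,UPX1,.rsrc, which is why packing alone rarely defeats signature-based detection; the point of the optional AV test in the lab is to observe that.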



Who Am I

V.P of Denver OWASP 

Lead Instructor - Social Engineering and Ethical Hacking 

Lead Instructor - DFIR 

Lead Instructor - Threat Hunting and Intelligence 

University of California - Long Beach 

San Diego State University 

University of Nevada - Las Vegas 

Frank Victory


Copyright © 2025 Professor Frank - All Rights Reserved.
