Merge pull request #3 from SecurityRiskAdvisors/v1.0.2

V1.0.2

fs-index-2024/CHANGELOG.md

@@ -1,3 +1,7 @@
+# v1.0.2
+
+- Misc cleanup
+
 # v1.0.1
 
 - Fix for Winlogon command

fs-index-2024/fs-index-2024-v1.0.1-layer.json → fs-index-2024/fs-index-2024-v1.0.2-layer.json

@@ -1,10 +1,10 @@
 {
-    "description": "Financial Services Threat Simulation Index 2024 v1.0.1",
+    "description": "Financial Services Threat Simulation Index 2024 v1.0.2",
     "domain": "enterprise-attack",
     "layout": {
         "layout": "flat"
     },
-    "name": "Financial Services Threat Simulation Index 2024 v1.0",
+    "name": "Financial Services Threat Simulation Index 2024 v1.0.2",
     "selectSubtechniquesWithParent": false,
     "selectTechniquesAcrossTactics": false,
     "techniques": [
@@ -3149,4 +3149,4 @@
             "techniqueID": "T1659"
         }
     ]
-}
+}

fs-index-2024/fs-index-2024-v1.0.1-notebook.md → fs-index-2024/fs-index-2024-v1.0.2-notebook.md

@@ -53,6 +53,13 @@ When using a browser, you can override the user agent string by using an extensi
 
 You can override your source IP by using a VPN running on a VPS hosted in an anomalous geolocation.
 
+## Suspicious connections - Service use
+
+### Prerequisites
+
+- A valid session token(s) for the user
+  - Retrieve via browser cookie dumping, exporting from the browser web developer console, a browser extension, or another suitable method
+
 # Defense Evasion
 
 ## Malicious kernel driver use - load known-abusable driver
@@ -242,6 +249,16 @@ Alternatively, you can use the VBScript file from `modexp`: https://modexp.wordp
 
 - Delete the dump file
 
+## Browser credential dumping - Chromium-based via SharpChrome
+
+https://github.com/GhostPack/SharpDPAPI
+
+### Prerequisites
+
+- kill all processes for the target browser
+- compiled binary 
+	- using Visual Studios: -> load solution file -> set to "Release" -> build
+
 ## DCSync - via Mimikatz
 
 The DCSync attack mimics normal replication behavior between DCs, allowing for remote extraction of credentials
@@ -299,6 +316,8 @@ If loading manually, first set the path to the compiled SSP DLL into a variable
 PS> $DllName = "{{ ssp_dll_path }}"
 ```
 
+where `ssp_dll_path` is the absolute path to the SSP DLL.
+
 Then load the SSP into LSASS
 
 ```
@@ -331,6 +350,12 @@ $StructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
 $Secur32::AddSecurityPackage($DllName, $StructPtr)
 ```
 
+### Notes
+
+- You can verify that the DLL was loaded into LSASS using one of the following methods:
+  - Use perfmon: (as admin) `perfmon /res` -> CPU -> Select checkbox for `lsass.exe` -> Associated Modules -> look for SSP DLL
+  - Use tasklist: (as admin) `tasklist /fi "imagename eq lsass.exe" /m` -> look for SSP DLL
+
 ### Cleanup
 
 - The SSP will be removed on system reboot or after manually calling DeleteSecurityPackage()
@@ -343,9 +368,25 @@ $Secur32::AddSecurityPackage($DllName, $StructPtr)
 
 ## GPO Modifications - General guidance
 
+### Guidance
+
+To modify a new domain GPO via the Group Policy Editor:
+
+1. Log onto domain controller as domain admin
+2. Open the Server Manager -> Tools -> Group Policy Management
+3. On the left menu -> Expand the forest/domains sections then locate the target domain
+4. Expand the target domain and locate the "Group Policy Objects" folder
+5. Right-click the folder -> New -> Enter a name
+6. Locate the newly created GPO -> right-click -> GPO Status -> Un-check enabled
+7. Edit the GPO's setting(s) as desired
+
+### Cleanup
+
+Delete the GPO if using a new GPO, otherwise revert any settings changes
+
 ### Notes
 
-- Create a new group policy object to avoid modifying production policies. Additionally, consider disabling the policy before modifying it. 
+Create a new group policy object to avoid modifying production policies. Additionally, consider disabling the policy before modifying it. 
 
 # Lateral Movement
 
@@ -425,10 +466,10 @@ Use AADInternals to create a backdoor federation domain for persisting access to
 
 ### Prerequisites
 
-- Permissions to modify domain authentication settings
-  - and an access token for the user with these permissions, referred to as `$at` in example commands. To retrieve a token, use `$at=Get-AADIntAccessTokenForAADGraph -Credentials (get-credential)` and proceed through the prompts
 - AADInternals installed
   - `Install-Module AADInternals`
+- Permissions to modify domain authentication settings
+  - and an access token for the user with these permissions, referred to as `$at` in example commands. To retrieve a token, use `$at=Get-AADIntAccessTokenForAADGraph -Credentials (get-credential)` and proceed through the prompts
 - A target verified domain in Azure AD
   - To add a domain, Go to Azure AD -> custom domain names -> add -> set the provided DNS records for your domain -> wait for the verification to compelete
 - A user with an immutable ID set

fs-index-2024/fs-index-2024-v1.0.1.yml → fs-index-2024/fs-index-2024-v1.0.2.yml

@@ -1,9 +1,12 @@
+metadata:
+  prefix: FSI
+  bundle: Financial Services Index 2024 v1.0.2
 Initial Access:
 - name: Attachment - ISO
   description: Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions.
   platforms:
   guidance:
-  - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+  - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ rcpt }} -From {{ sender }} -Attachments {{ attachment }}
   block:
   - Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway
   detect:
@@ -20,7 +23,7 @@ Initial Access:
   description: Send a malicious macro-enabled Office document in a ZIP archive to a target user in an email.
   platforms:
   guidance:
-  - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+  - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ rcpt }} -From {{ sender }} -Attachments {{ attachment }}
   block:
   - Malicious email blocked/quarantined or attachment inside email stripped by email gateway
   detect:
@@ -53,7 +56,6 @@ Initial Access:
   description: Perform a password spray against an external employee login portal using a list of potential users and a single password
   platforms:
   guidance:
-  - Burp -> intruder
   block:
   - Portal protected with secure MFA solution
   - IdP blocks bulk automated requests
@@ -75,6 +77,7 @@ Initial Access:
   guidance:
   block:
   - Suspicious logins originating from select geolocations are blocked
+  - If using Entra Conditional Access Policies, use managed device enforcement and token binding features to restrict sign-ins to approved devices
   detect:
   - Baseline login events for users using authentication logs then generate alerts for instances where the logins occur from comparatively anomalous geolocations
   controls:
@@ -130,7 +133,8 @@ Defense Evasion:
   platforms:
   - windows
   guidance:
-  - "(example) cmd> \nsc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\\windows\\System32\\Drivers\\{{ sys_file }} displayname= {{ name }}\nsc.exe start {{ name }}\n"
+  - CMD> sc.exe create {{ gen_svc_name }} type= kernel start= demand error= normal binpath= c:\windows\System32\Drivers\{{ sys_file }} displayname= {{ gen_svc_name }}
+  - CMD> sc.exe start {{ gen_svc_name }}
   block:
   - Use built-in Windows security features like HVCI and WDAC to block loading of drivers based on hash and/or signature characteristics.
   - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
@@ -152,7 +156,7 @@ Defense Evasion:
   platforms:
   - windows
   guidance:
-  - cmd> rundll32 {{ dll }},{{ export }} [{{ args }}]
+  - cmd> rundll32 {{ dll }},{{ export }} {{ args }}
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   - Payload on disk deleted/quarantined by endpoint security tool
@@ -197,7 +201,9 @@ Defense Evasion:
   platforms:
   - windows
   guidance:
-  - "CMD>\ncopy {{ application }} .\nmove {{ dll }} {{ expected_dll }}\n{{ application }}"
+  - CMD> copy {{ application }} .
+  - CMD> move {{ dll }} {{ expected_dll }}
+  - CMD> {{ application }}
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   detect:
@@ -245,7 +251,7 @@ Defense Evasion:
   metadata:
     id: cbd9070f-03fa-455f-af46-99e8d41146ac
     tid: T1484
-    tactic: TA0003
+    tactic: TA0005
     x_vectr_id: cbd9070f-03fa-455f-af46-99e8d41146ac
     isv: 1
 Discovery:
@@ -254,7 +260,7 @@ Discovery:
   platforms:
   - windows
   guidance:
-  - cmd> nltest.exe /dclist:{{ domain }}
+  - cmd> nltest.exe /dclist:{{ domain_fqdn }}
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   detect:
@@ -339,10 +345,10 @@ Discovery:
   platforms:
   - windows
   guidance:
-  - cmd> {{ netscan_binary }}
+  - cmd> {{ ext_netscan }}
   block:
   - Network security controls block source generating a large volume of connection requests
-  - Block the installation and use of unapproved third-party utilities via application control software
+  - Block the installation and/or use of unapproved applications via application control software
   detect:
   - Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs
   controls:
@@ -363,7 +369,11 @@ Discovery:
   platforms:
   - windows
   guidance:
-  - CMD> systeminfo ipconfig tasklist sc query wmic product get
+  - CMD> systeminfo
+  - CMD> ipconfig
+  - CMD> tasklist
+  - CMD> sc query
+  - CMD> wmic product get
   block:
   - ''
   detect:
@@ -419,7 +429,7 @@ Command and Control:
   platforms:
   guidance:
   block:
-  - Block the installation and use of unapproved third-party utilities via application control software
+  - Block the installation and/or use of unapproved applications via application control software
   - Connections to known remote access service domains/IPs are blocked
   - Remote access connection attempts originating from users outside of the tenant are blocked
   detect:
@@ -479,7 +489,7 @@ Credential Access:
   platforms:
   - windows
   guidance:
-  - cmd> nanodump.exe --duplicate -w {{ out_file }}
+  - cmd> nanodump.exe --duplicate -w {{ gen_outfile }}
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   - Enable Credential Guard to prevent traditional process dumping of LSASS
@@ -492,14 +502,16 @@ Credential Access:
     id: 8eeb3c12-dc2e-4791-aff5-e81501312886
     tid: T1003.001
     tactic: TA0006
+    x_tools:
+    - https://github.com/fortra/nanodump
     x_vectr_id: 8eeb3c12-dc2e-4791-aff5-e81501312886
     isv: 1
 - name: Dump LSASS memory using builtin comsvcs.dll
   description: Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk
   platforms:
   - windows
   guidance:
-  - shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }}  full
+  - shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ pidof_lsass }} {{ gen_outfile }}  full
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   - Enable Credential Guard to prevent traditional process dumping of LSASS
@@ -520,11 +532,11 @@ Credential Access:
   platforms:
   - windows
   guidance:
-  - CMD> procdump -ma lsass.exe dump
+  - CMD> procdump -ma lsass.exe {{ gen_outfile }}
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   - Enable Credential Guard to prevent traditional process dumping of LSASS
-  - Block the installation and use of unapproved third-party utilities via application control software
+  - Block the installation and/or use of unapproved applications via application control software
   detect:
   - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
   controls:
@@ -587,7 +599,7 @@ Credential Access:
   platforms:
   - windows
   guidance:
-  - (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ user }}
+  - (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain_fqdn }} /user:{{ domain_user }}
   block:
   - ''
   detect:
@@ -726,7 +738,7 @@ Lateral Movement:
   platforms:
   - windows
   guidance:
-  - CMD> psexec -s \{{ target }} {{ command }}
+  - CMD> psexec -s \\{{ target }} {{ command }}
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   - Host-based firewalls prevent direct communications over common ports/protocols
@@ -794,7 +806,7 @@ Persistence:
   platforms:
   - windows
   guidance:
-  - cmd> schtasks.exe /create /sc daily /tn {{ task_name }} /tr {{ command }} /st 20:00
+  - cmd> schtasks.exe /create /sc daily /tn {{ gen_task_name }} /tr {{ command }} /st 20:00
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   detect:
@@ -814,7 +826,7 @@ Persistence:
   platforms:
   - windows
   guidance:
-  - CMD> sc create {{ service_name }} binPath= "{{ command }}"
+  - CMD> sc create {{ gen_svc_name }} binPath= "{{ command }}"
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   detect:
@@ -854,7 +866,7 @@ Persistence:
   platforms:
   - azuread
   guidance:
-  - PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ name }} -DeviceType "purple" -OSVersion "1"
+  - PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ gen_device_name }} -DeviceType "purple" -OSVersion "1"
   block:
   - 'Prevent users outside of approved groups from being able to register new devices in the tenant. Refer to documentation for details: https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings'
   detect:
@@ -877,7 +889,7 @@ Persistence:
   platforms:
   - azuread
   guidance:
-  - PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ domain }}"
+  - PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ attacker_domain }}"
   block:
   - ''
   detect:
@@ -888,7 +900,7 @@ Persistence:
   metadata:
     id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1
     tid: T1484.002
-    tactic: TA0003
+    tactic: TA0005
     x_tools:
     - AADInternals
     x_references:
@@ -982,7 +994,7 @@ Collection:
   description: Capture an image of the user's screen
   platforms:
   guidance:
-  - "implant> {{ screenshot_command }}\nOR \nshell> {{ screenshot_tool }}"
+  - shell> {{ screenshot_tool }}
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   detect:
@@ -1002,7 +1014,7 @@ Collection:
   platforms:
   - windows
   guidance:
-  - "implant> {{ keylog_command }}\nOR \nshell> {{ keylog_tool }}"
+  - shell> {{ keylog_tool }}
   block:
   - Suspicious process execution/behavior blocked by endpoint security tool
   detect:
@@ -1017,6 +1029,3 @@ Collection:
     - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/keylog.cs
     x_vectr_id: be524cb1-12e6-4708-ad57-faf91dfad9de
     isv: 1
-metadata:
-  prefix: FSI
-  bundle: Financial Services Index 2024 v1.0.1

h-index-2024/CHANGELOG.md

@@ -1,3 +1,7 @@
+# v1.0.2
+
+- Misc cleanup
+
 # v1.0.1
 
 - Fix for Winlogon command

h-index-2024/h-index-2024-v1.0.1-layer.json → h-index-2024/h-index-2024-v1.0.2-layer.json

@@ -1,10 +1,10 @@
 {
-    "description": "Health Threat Simulation Index 2024 v1.0.1",
+    "description": "Health Threat Simulation Index 2024 v1.0.2",
     "domain": "enterprise-attack",
     "layout": {
         "layout": "flat"
     },
-    "name": "Health Threat Simulation Index 2024 v1.0",
+    "name": "Health Threat Simulation Index 2024 v1.0.2",
     "selectSubtechniquesWithParent": false,
     "selectTechniquesAcrossTactics": false,
     "techniques": [
@@ -3165,4 +3165,4 @@
             "techniqueID": "T1659"
         }
     ]
-}
+}