APTSimulator - testing anti-APT threats


     
    APT Simulator is a framework for checking security tools and actions for investigating incidents in a Windows environment that mimics the activity of an information system intruder. It is a good platform for training Blue Team teams to counter modern threats.


    The main purpose:


    • Testing threat detection / compromise tools.
    • Verify that security breaches are detected.
    • Check SOC / SIEM monitoring tools.
    • Forensic data exfiltration environment.

    APT (advanced persistent threat); also a targeted cyber attack is an adversary with a modern level of specialized knowledge and significant resources that allow him to create opportunities to achieve goals through various attack vectors (for example, information, physical and phishing) These goals typically include establishing and expanding your presence within the information technology infrastructure of the target organization to fulfill your intentions of extracting information, disrupting or Creating noise critical aspects of the task, program, or service, or to take a stand, allowing to implement these intentions in the future, the APT, as "a threat to the sustainability of development": to pursue their goals repeatedly for a long time;. adapts to the efforts of the defenders to put up resistance to the threat; has the intention to maintain the level of penetration in the target infrastructure required for the implementation of intentions.


    image

    It is such attacks that are the most "advanced" and, as a rule, technologically sophisticated. In contrast to conventional attacks, it is a consolidation and hidden presence in the system that allows attackers to interact with hacked infrastructure and expand their area of ​​presence in the corporate environment.


    The following table shows compromise markers and expected detection results:


    • AV = Antivirus
    • NIDS = Network Intrusion Detection System
    • EDR = Agents on the "endpoints" - AWP, servers (Endpoint Detection and Response)
    • SM = Security Monitoring Systems
    • CA = Compromise Assessment

    Test caseAVNidsEDRSmCA
    Local File CollectionX
    Connection to C&C serversXXXX
    DNS cache poisoningXXXX
    Malicious User-Agent (droppers, trojans)XXX
    Netcat Back ConnectXXXX
    WMI backdoorXXX
    Dump LSASSXXX
    Using MimikatzXXXX
    Using WCEXXX
    Activating guest access and escalating privilegesXXX
    Sub system filesXXX
    Hosts ModificationXXX
    Obfuscated JS dropperXXXXX
    Obfuscated Files (RAR> JPG)X
    C-Class Subnet ScanningXXXX
    System Information Collection CommandsXXX
    Running PsExecXXX
    Malware deliveryXX
    At tasks for collecting dataXXX
    Adding RUN Parameters to the RegistryXXX
    Creating tasks in the scheduler (can be used as backdoors)XXX
    StickyKey backdoorXX
    Using the UserInitMprLogonScript Registry KeyXXX
    Web shellsXXX
    WMI backdoorsXX

    Caution: the framework contains tools and executable files that can damage the integrity and stability of your system. Use them only on test or demo systems or stands.


    The system interface is a “classic” pseudographic shell familiar to users of the Metasploit Framework, Empire, SET, and many others.



    The main tools are available from the context menu of the program. There is the possibility of starting the toolkit from the context menu, as well as individual utilities.


    → Project page on github .


    For those who do not have their own environment for monitoring malicious activity, I suggest using the HELK-Hunting ELK (Elasticsearch, Logstash, Kibana) - a monitoring environment for checking and visualizing data from compromised hosts.


    image


    This system is a platform for detecting threats, which is a set of tools and utilities for analysis and visualization in the form of a docker container.


    image


    → Project page on github .


    Using these two tools will help to improve skills in identifying modern threats, investigating incidents and developing means and measures of operational counteraction.


    Also popular now: