APTSimulator - testing anti-APT threats
APT Simulator is a framework for checking security tools and actions for investigating incidents in a Windows environment that mimics the activity of an information system intruder. It is a good platform for training Blue Team teams to counter modern threats.
The main purpose:
- Testing threat detection / compromise tools.
- Verify that security breaches are detected.
- Check SOC / SIEM monitoring tools.
- Forensic data exfiltration environment.
APT (advanced persistent threat); also a targeted cyber attack is an adversary with a modern level of specialized knowledge and significant resources that allow him to create opportunities to achieve goals through various attack vectors (for example, information, physical and phishing) These goals typically include establishing and expanding your presence within the information technology infrastructure of the target organization to fulfill your intentions of extracting information, disrupting or Creating noise critical aspects of the task, program, or service, or to take a stand, allowing to implement these intentions in the future, the APT, as "a threat to the sustainability of development": to pursue their goals repeatedly for a long time;. adapts to the efforts of the defenders to put up resistance to the threat; has the intention to maintain the level of penetration in the target infrastructure required for the implementation of intentions.
It is such attacks that are the most "advanced" and, as a rule, technologically sophisticated. In contrast to conventional attacks, it is a consolidation and hidden presence in the system that allows attackers to interact with hacked infrastructure and expand their area of presence in the corporate environment.
The following table shows compromise markers and expected detection results:
- AV = Antivirus
- NIDS = Network Intrusion Detection System
- EDR = Agents on the "endpoints" - AWP, servers (Endpoint Detection and Response)
- SM = Security Monitoring Systems
- CA = Compromise Assessment
Test case | AV | Nids | EDR | Sm | CA |
---|---|---|---|---|---|
Local File Collection | X | ||||
Connection to C&C servers | X | X | X | X | |
DNS cache poisoning | X | X | X | X | |
Malicious User-Agent (droppers, trojans) | X | X | X | ||
Netcat Back Connect | X | X | X | X | |
WMI backdoor | X | X | X | ||
Dump LSASS | X | X | X | ||
Using Mimikatz | X | X | X | X | |
Using WCE | X | X | X | ||
Activating guest access and escalating privileges | X | X | X | ||
Sub system files | X | X | X | ||
Hosts Modification | X | X | X | ||
Obfuscated JS dropper | X | X | X | X | X |
Obfuscated Files (RAR> JPG) | X | ||||
C-Class Subnet Scanning | X | X | X | X | |
System Information Collection Commands | X | X | X | ||
Running PsExec | X | X | X | ||
Malware delivery | X | X | |||
At tasks for collecting data | X | X | X | ||
Adding RUN Parameters to the Registry | X | X | X | ||
Creating tasks in the scheduler (can be used as backdoors) | X | X | X | ||
StickyKey backdoor | X | X | |||
Using the UserInitMprLogonScript Registry Key | X | X | X | ||
Web shells | X | X | X | ||
WMI backdoors | X | X |
Caution: the framework contains tools and executable files that can damage the integrity and stability of your system. Use them only on test or demo systems or stands.
The system interface is a “classic” pseudographic shell familiar to users of the Metasploit Framework, Empire, SET, and many others.
The main tools are available from the context menu of the program. There is the possibility of starting the toolkit from the context menu, as well as individual utilities.
→ Project page on github .
For those who do not have their own environment for monitoring malicious activity, I suggest using the HELK-Hunting ELK (Elasticsearch, Logstash, Kibana) - a monitoring environment for checking and visualizing data from compromised hosts.
This system is a platform for detecting threats, which is a set of tools and utilities for analysis and visualization in the form of a docker container.
→ Project page on github .
Using these two tools will help to improve skills in identifying modern threats, investigating incidents and developing means and measures of operational counteraction.