Invoke-Adversary – Simulating Adversary Operations

Invoke-Adversary is a PowerShell script that helps you to evaluate security products and monitoring solutions based on how well they detect advanced persistent threats. I was inspired to write this script after seeing APTSimulator excellent tool from Florian Roth.

Update 4/17/2018: The script is temporally removed while I resolve an issue. I will update as soon as I have update. Thanks for your patience and understanding!

Warning

Update 4/14/2018 - In the original script 3rd party tools were downloaded by the script automatically. I believe that the original disclaimers were enough, but decided to change it due to the feedback I got, and now the script ask the users to download the 3rd party tools by themselves - with additional warnings and hash file checking.

This script is provided AS IS without warranty of any kind.

The script should be used for authorized testing and/or educational purposes only with no exceptions. By using the script Windows system's security and stability (including but not limited to: passwords dump, disabling security features, etc.) may be affected so DON'T RUN IT ON PRODUCTION systems.

The script is my own, based on other researchers' public domain knowledge and not related to Microsoft in any form.

"Kill Chain", or What happens during a targeted cybersecurity attack?

Cybersecurity kill chain is a framework developed by Lockheed Martin for identification and prevention of cyber intrusions activity. As attacks may occur in stages, you as defender can put optics and controls to detect or disrupt the entire process.

The stages of the Kill Chain are:

• Reconnaissance – an attacker is probing for a weakness or bad configuration
• Weaponization – an attacker is building a payload that can be delivered to the victim (can be a PDF  file or an Office document)
• Delivery- Sending the payload via e-mail, web link or removable media
• Exploit- The payload will execute on the victim's network
• Installation- The payload will download additional remote access tools and install them to maintain persistence
• Command and Control- A channel is created between the victim and the attacker
• Actions- The intended goal is executed (encrypt files, exfiltration of data, etc.)

On top of that model, Mitre, a not-for-profit organization, developed a enhanced model for cyber adversarial behavior, called "Adversarial Tactics, Techniques, and Common Knowledge" (ATT&CK™) Matrix.

Currently, the MITRE ATT&CK™ Matrix provides the most comprehensive framework for adversarial techniques and tactics that enterprises encounter daily.

Many companies are using Security Information and Event Management (SIEM), Endpoint Protection Platform (EPP) and Endpoint Detection & Response (EDR) products to monitor and protect their environments. What seems to be missing is a tool that can generate a real data that represents real-world targeted attacks.

Invoke-Adversary is a PowerShell script that uses a set of functions to simulate post-compromise adversarial behavior within Windows Enterprise networks.

By using Invoke-Adversary script you can:

• Assess your security monitoring tools and practices
• Evaluate Endpoint detection agents

Setup

Requirements for deploying:

• PowerShell version 3.0 and above
• Windows 7 (some test cases will work only on Windows 10) and above
• Download Invoke-Adversary.ps1 file from https://github.com/MotiBa/Invoke-Adversary/tree/master 

Usage

• The simplest way to run the script is to open an elevated (run as Administrator) PowerShell ISE window and press F5.

• The script will start and the first thing you need to do is to read the disclaimer and accept the terms by typing yes

• Now you can select any test case by choosing its number on the menu

• Choose which test you want to run by choosing its number on the menu

Screenshots

What are the tactics

Defense Evasion

• Disable network interface - Disables a network adapter and causes loss of network connectivity
• Disable Windows Defender AV – Turn off real-time protection, scanning all downloaded files and attachments, behavior monitoring, network protection and privacy mode
• Add local firewall rule exceptions – Add fictitious rule "Invoke-APT Test Rule" to Windows Advanced Firewall
• Turn off Windows Firewall – Turn off Windows Advanced Firewall
• Clear Security Log - clears the security log using wevtutil command

Persistence Tactics

• Accessibility Features – "Hijack" sethc.exe with cmd.exe using "Image File Execution Options"
• AppInit DLLs – Adds entry for pserver32.dll under AppInit_DLLs
• Application Shimming – Create registry value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842562ef-8d28-411d-a67d-ab75ef611fe8}.sdb
• Create local user – A new user (user name is: support_388945a0)
• Create local Administrator – A new user created (user name is: Lost_337fde69_81a9) and added to local Administrators group
• Create New Service – new service (WindowsHealth) is created
• Create New Service (Unquoted Path) – same as previous, just with unquoted path
• Registry Run Keys [HKLM] – New run key under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
• Registry Run Keys [HKCU] - New run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• Scheduled tasks - new scheduled task (OfficeUpdaterA) is created

Credential Access

1. Mimikatz – Logonpasswords – Download mimikatz to a random file name and execute it with the following arguments "privilege::debug" "sekurlsa::logonpasswords" "exit" (credit: https://twitter.com/gentilkiwi)
2. PowerShell Mimikatz – Run Invoke-Mimikatz.ps1  (credit: https://twitter.com/josephbialek?lang=en)
3. PowerShell Encoded Mimikatz - Run Invoke-Mimikatz.ps1 with encoded PowerShell command line
4. Capture Lsass Memory Dump – Using Windows Error Reporting to capture lsass memory (credit: https://twitter.com/mattifestation)
5. Capture Lsass Memory Dump (Prodump) - Download Prodump to a random file and capture lsass memory
6. Copy Local SAM File (via Invoke-NinjaCopy) – Run Invoke-NinjaCopy to copy C:\Windows\System32\config\sam file (credit: https://twitter.com/josephbialek?lang=en)

Discovery Tactics

1. Account Discovery – running net commands to discover local and domain users and groups
2. Network Service Scanning – ports scan (1-1024) on user selected host
3. System Owner Discovery – whoami command
4. System Time Discovery – Running "net time" and "w32tm.exe /tz" commands
5. Service Discovery – List of all services
6. Network Connections Discovery – netstat

Command and Control

1. Commonly used Ports – Trying to connect to user selected host
2. Uncommonly used Ports - Trying to connect to user selected host using uncommon ports  (credit: Florian Roth)
3. Web Service – Create a new post at pastebin and upload BITS service information
4. DNS - Well-Known Blacklisted IP Address – Resolving top 10 malicious IP addresses (credit: Florian Roth)
5. Connect - Well-Known Blacklisted IP Address – Connecting to top 10 malicious IP addresses (credit: Florian Roth)

Execution

1. PSExec (random file name) – Rename PSEec to random file name and execute it (credit:  https://twitter.com/markrussinovich)
2. PSExec (Remote) – Running psexec on user selected host
3. PowerShell API call – Native API call from PowerShell
4. Self Delete (batch file) – self deleting batch file
5. WMI Process Execution - use the WMI command-line (WMIC) utility

Collection

1. Screen Capture – screen capture (credit: https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/)

AppLocker ByPasses

1. Regsvr32 - Regsvr32 technique (credit: https://twitter.com/subTee)