Merge pull request #125 from center-for-threat-informed-defense/update_micro

add new micro plans
mehaase authored Apr 17, 2023
2 parents 3e3ea44 + 7b83111 commit ee05f95
Showing 182 changed files with 29,365 additions and 48,550 deletions.
135 changes: 113 additions & 22 deletions .github/workflows/build.yml
@@ -1,4 +1,4 @@
name: "Build Micro Plans"
name: "Build"

on:
push:
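Review bot: renaming the workflow from "Build Micro Plans" to "Build" changes the string that any other workflow in the repository would match on in a `workflow_run: workflows: [...]` trigger, as well as the label shown in the Actions tab; grep the other workflow files for the old name before merging. Since this pipeline still only builds the micro plan binaries, a name that says so (for example "Build Micro Plans" or "Build Release Artifacts") would be clearer than the bare "Build".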
@@ -16,14 +16,49 @@ jobs:

steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
with:
go-version: '1.19'

#data_exfil
- name: Make release folders
run: |
mkdir release
mkdir release/DataExfil
mkdir release/DataExfil/Linux
- name: Make build folders
working-directory: ./micro_emulation_plans/src/data_exfil
run: |
mkdir ./build
mkdir ./build/linux
- name: Install data_exfil dependencies
working-directory: ./micro_emulation_plans/src/data_exfil
run:
go get ./...

- name: Build Linux data exfiltration release
working-directory: ./micro_emulation_plans/src/data_exfil
run: |
go build -o build/linux/data_exfil ./cmd/main.go
- name: Copy data_exfil artifacts
run: |
cp ./micro_emulation_plans/src/data_exfil/README*.md release/DataExfil/
cp ./micro_emulation_plans/src/data_exfil/build/linux/* release/DataExfil/Linux
# webshell:
- name: Make release folders
run: mkdir -p ./release/Webshell/Linux
run: |
mkdir release/Webshell
mkdir release/Webshell/Linux
- name: Make build folders
working-directory: ./micro_emulation_plans/src/webshell
run: mkdir -p ./build/linux
run: |
mkdir ./build
mkdir ./build/linux
- name: Build Linux PHP release
working-directory: ./micro_emulation_plans/src/webshell
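Review bot: replacing the one-line `run: mkdir -p ./release/Webshell/Linux` and `run: mkdir -p ./build/linux` with two bare `mkdir` calls each is a step backwards: bare `mkdir` fails if the directory already exists (for example on a re-run with a cached checkout) and `-p` already created the parent. Keep `mkdir -p`, and use it for the new data_exfil folders too (`mkdir -p release/DataExfil/Linux`, `mkdir -p build/linux`). Two smaller points on the new data_exfil block: the step names `Make release folders` and `Make build folders` are now each used twice in this job, which makes the Actions log ambiguous, so prefix them with the plan name; and `go get ./...` in "Install data_exfil dependencies" can rewrite go.mod and go.sum on the runner, whereas `go mod download` followed by `go mod verify` builds exactly the module set that is committed. That step's `run:` also wraps its command onto the next line without the `|` block scalar its neighbours use; it parses, but it reads as a mistake.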
@@ -37,29 +72,47 @@ jobs:
- name: Copy webshell artifacts
run: |
cp ./micro_emulation_plans/src/webshell/README*.md ./release/Webshell/
cp ./micro_emulation_plans/src/webshell/build/linux/* ./release/Webshell/Linux
cp ./micro_emulation_plans/src/webshell/README*.md release/Webshell/
cp ./micro_emulation_plans/src/webshell/build/linux/* release/Webshell/Linux
# upload artifacts for use in make-release
- uses: actions/upload-artifact@v3
with:
name: linux-tools
path: ./release
path: release/

windows-build:
name: "Windows Build"
runs-on: "windows-2022"

steps:
# fixes build issue on windows with long file paths
- name: Enable long paths
run: git config --system core.longpaths true

- uses: actions/checkout@v3
- uses: actions/setup-dotnet@v2
with:
dotnet-version: '6.0.300'
- uses: actions/setup-go@v4
with:
go-version: '1.19'

#data_exfil
- name: Install data_exfil dependencies
working-directory: ./micro_emulation_plans/src/data_exfil
run:
go get ./...

- name: Build data_exfil
working-directory: ./micro_emulation_plans/src/data_exfil
run: go build ./cmd/main.go


- name: Make data_exfil folder
run: mkdir release/DataExfil/Windows

- name: Copy data_exfil artifacts
run: |
cp ./micro_emulation_plans/src/data_exfil/README.md release/DataExfil/README.md
cp ./micro_emulation_plans/src/data_exfil/main.exe release/DataExfil/DataExfil.exe
# ad_enum:
- name: Install ad_enum dependencies
working-directory: ./micro_emulation_plans/src/ad_enum
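Review bot: the Windows data_exfil steps create `release/DataExfil/Windows` but then copy `main.exe` to `release/DataExfil/DataExfil.exe`, so the `Windows` folder is shipped empty and the binary lands one level above where the Linux job puts its build (`release/DataExfil/Linux`). Copy to `release/DataExfil/Windows/DataExfil.exe`, or drop the mkdir if the flat layout is intended, but make the two jobs agree. Relatedly, `go build ./cmd/main.go` with no `-o` drops `main.exe` into the source directory and the copy step depends on that default name; `go build -o build/DataExfil.exe ./cmd/main.go` mirrors the Linux job and removes the rename on copy. The same `go get ./...` and wrapped `run:` remarks as in the Linux job apply here.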
@@ -80,6 +133,31 @@ jobs:
cp ./micro_emulation_plans/src/ad_enum/README.md release/ActiveDirectoryEnumeration/README.md
cp ./micro_emulation_plans/src/ad_enum/build/ad_enum.exe release/ActiveDirectoryEnumeration/ActiveDirectoryEnumeration.exe
# Apache_rce:
- name: build apache_rce
working-directory: ./micro_emulation_plans/src/apache_rce
run: dotnet publish --configuration Release -p:PublishSingleFile=true -p:RuntimeIdentifier=win-x64 -o ./build

- name: Make apache_rce folder
run: mkdir release/ApacheRCE

- name: Copy apache_rce artifacts
run: |
cp ./micro_emulation_plans/src/apache_rce/build/ApacheEMU.exe release/ApacheRCE/ApacheRCE.exe
# reflective_loading:
- name: build reflective_loading
working-directory: ./micro_emulation_plans/src/reflective_loading
run: dotnet publish --configuration Release -p:PublishSingleFile=true -p:RuntimeIdentifier=win-x64 -o ./build

- name: Make reflective_loading folder
run: mkdir release/ReflectiveLoading

- name: Copy reflective_loading artifacts
run: cp ./micro_emulation_plans/src/reflective_loading/build/reflective_loading.exe release/ReflectiveLoading/reflective_loading.exe


# file_access:
- name: Install file_access dependencies
working-directory: ./micro_emulation_plans/src/file_access
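Review bot: neither the apache_rce nor the reflective_loading block copies a README into its release folder, while every other plan in this workflow ships one next to its binary (see the ad_enum copy immediately above); add `cp ./micro_emulation_plans/src/apache_rce/README.md release/ApacheRCE/README.md` and the reflective_loading equivalent, assuming those files exist in the plan directories. The artifact naming is also inconsistent: the Apache binary is renamed to `ApacheRCE.exe`, but the reflective loader keeps `reflective_loading.exe` next to `ActiveDirectoryEnumeration.exe`; pick one convention. Both new `dotnet publish` steps rely on the implicit restore where iso_bypass runs `dotnet restore` first, which works but is worth harmonizing, and the `# Apache_rce:` comment breaks the lowercase section-comment style used elsewhere in the file.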
@@ -137,24 +215,37 @@ jobs:
# user_execution:
- name: Create user_execution release folder
run: mkdir release/UserExecution

# dot_one:
- name: build dot_one
working-directory: ./micro_emulation_plans/src/user_execution/dot_one
run: dotnet publish --configuration Release -p:PublishSingleFile=true -p:RuntimeIdentifier=win-x64 -o ./build

- name: Make dot_one folder
run: mkdir release/UserExecution/DotOne

- name: Copy dot_one artifacts
run: |
cp ./micro_emulation_plans/src/user_execution/dot_one/build/dot_one.exe release/UserExecution/DotOne/dot_one.exe
cp ./micro_emulation_plans/src/user_execution/dot_one/README_dot_one.md release/UserExecution/DotOne/README_dot_one.md
# iso-bypass:
- name: Install iso-bypass dependencies
working-directory: ./micro_emulation_plans/src/user_execution/iso-bypass
# iso_bypass:
- name: Install iso_bypass dependencies
working-directory: ./micro_emulation_plans/src/user_execution/iso_bypass
run: dotnet restore

- name: Build iso-bypass
working-directory: ./micro_emulation_plans/src/user_execution/iso-bypass
- name: Build iso_bypass
working-directory: ./micro_emulation_plans/src/user_execution/iso_bypass
run: dotnet publish --configuration Release -p:PublishSingleFile=true -p:RuntimeIdentifier=win-x64 -o ./build

- name: Make iso-bypass folder
- name: Make iso_bypass folder
run: mkdir release/UserExecution/ISOBypass

- name: Copy iso-bypass artifacts
- name: Copy iso_bypass artifacts
run: |
cp ./micro_emulation_plans/src/user_execution/iso-bypass/README.md release/UserExecution/ISOBypass/README.md
cp ./micro_emulation_plans/src/user_execution/iso-bypass/download.iso release/UserExecution/ISOBypass/download.iso
cp ./micro_emulation_plans/src/user_execution/iso-bypass/build/iso.exe release/UserExecution/ISOBypass/ISOBypass.exe
cp ./micro_emulation_plans/src/user_execution/iso_bypass/README_iso_bypass.md release/UserExecution/ISOBypass/README_iso_bypass.md
cp ./micro_emulation_plans/src/user_execution/iso_bypass/download.iso release/UserExecution/ISOBypass/download.iso
cp ./micro_emulation_plans/src/user_execution/iso_bypass/build/iso.exe release/UserExecution/ISOBypass/ISOBypass.exe
# macros: - unsure if we want to do the commented out stuff, but it should work
- name: Get DLLs
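Review bot: `download.iso` is copied straight from the source tree rather than produced by a build step, so the release ships a checked-in binary whose contents cannot be reproduced from this pipeline; if the plan's tooling can generate the ISO, build it here, otherwise document how it was produced and record its hash so consumers can verify what they run. On the rename itself, `iso-bypass` to `iso_bypass` touches the working-directory and every copy path, so the directory rename and any README links to the old path need to be in this same PR. The new dot_one block also skips the `dotnet restore` step that iso_bypass keeps, and as with the other blocks a `mkdir -p` would be safer than the bare `mkdir`.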
@@ -196,7 +287,7 @@ jobs:
cp ./micro_emulation_plans/src/user_execution/macros/docs/enable_macros/*.jpg release/UserExecution/Macros/docs/enable_macros
cp ./micro_emulation_plans/src/user_execution/macros/payload_code/whoami.md release/UserExecution/Macros/payload_code/whoami.md
cp ./micro_emulation_plans/src/user_execution/macros/payloads/whoami.docm release/UserExecution/Macros/payloads/whoami.docm
cp ./micro_emulation_plans/src/user_execution/macros/README.md release/UserExecution/Macros/README.md
cp ./micro_emulation_plans/src/user_execution/macros/README_macros.md release/UserExecution/Macros/README.md
# shortcut:
- name: Install shortcut dependencies
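Review bot: `README_macros.md` is copied to `release/UserExecution/Macros/README.md`, but the neighbouring user_execution plans keep the suffixed name in the release tree (`README_dot_one.md`, `README_iso_bypass.md`, and the shortcut plan's `README_shortcut.md`), so the published layout ends up with two conventions. Either copy this one as `README_macros.md` as well, or rename the others to `README.md`; a consumer unpacking the release should not have to guess which filename to open.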
@@ -212,7 +303,7 @@ jobs:

- name: Copy shortcut artifacts
run: |
cp ./micro_emulation_plans/src/user_execution/shortcut/README.md release/UserExecution/Shortcut/README.md
cp ./micro_emulation_plans/src/user_execution/shortcut/README_shortcut.md release/UserExecution/Shortcut/README_shortcut.md
cp ./micro_emulation_plans/src/user_execution/shortcut/build/generate_lnk.exe release/UserExecution/Shortcut/Shortcut.exe
# webshell:
13 changes: 13 additions & 0 deletions .gitignore
@@ -1,2 +1,15 @@
.DS_Store

# NuGet Packages
*.nupkg
# NuGet Symbol Packages
*.snupkg
# The packages folder can be ignored because of Package Restore
**/[Pp]ackages/*
# except build/, which is used as an MSBuild target.
!**/[Pp]ackages/build/
# Uncomment if necessary however generally it will be regenerated when needed
#!**/[Pp]ackages/repositories.config
# NuGet v3's project.json files produces more ignorable files
*.nuget.props
*.nuget.targets
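Review bot: the NuGet patterns are the standard ones, but the workflow's own outputs are still left untracked: `dotnet publish -o ./build`, `go build -o build/...` and the `release/` staging directory all land inside the checkout when the same commands are run locally, so add `build/` and `release/` entries here (and `bin/` and `obj/` for the .NET projects) alongside the package patterns. Otherwise a developer testing the build steps locally ends up with compiled binaries one `git add -A` away from being committed.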
19 changes: 12 additions & 7 deletions README.md
@@ -25,13 +25,18 @@ Available adversary emulation plans are listed below:

| Micro Emulation Plans | Intelligence Summary |
|:------:|------|
|[Active Directory Enumeration](/micro_emulation_plans/src/ad_enum/)| [Targets compound behaviors associated with TA0007 Discovery using behaviors associated with abuse of Active Directory...](/micro_emulation_plans/src/ad_enum#Micro-Emulation-Plan-Windows-Registry)|
|[File Access](/micro_emulation_plans/src/file_access/) | [Targets the DS0022 File: File Access and DS0022 File: File Modification data sources. It covers file interactions like reading a file and modifying a file’s contents...](/micro_emulation_plans/src/file_access#micro-emulation-plans-file-access) |
|[Named Pipes](/micro_emulation_plans/src/named_pipes/) | [Targets the data source DS0023 Named Pipe. Named pipes are shared memory used for inter-process communication...](/micro_emulation_plans/src/named_pipes#micro-emulation-plan-named-pipes) |
|[Process Injection](/micro_emulation_plans/src/process_injection/) | [Targets compound behaviors related to T1055 Process Injection. Process injection is commonly abused by malware to run code in another process, often to evade defenses...](/micro_emulation_plans/src/process_injection#micro-emulation-plans-process-injection) |
|[User Execution](/micro_emulation_plans/src/user_execution/) | [Targets malicious activity associated with T1204 User Execution. User execution is commonly abused by adversaries as a means of executing malicious payloads...](/micro_emulation_plans/src/user_execution#micro-emulation-plans-user-execution) |
|[Web Shells](/micro_emulation_plans/src/webshell/) | [This micro emulation plan targets malicious activity surrounding T1505.003 Web Shell. Web shells are malware placed on compromised web (or other network-accessible) servers...](/micro_emulation_plans/src/webshell#micro-emulation-plan-web-shells) |
|[Windows Registry](/micro_emulation_plans/src/windows_registry/) | [Targets the data source DS0024 Windows Registry. The Registry is a hierarchical database used by Windows to store critical data for the OS...](/micro_emulation_plans/src/windows_registry#micro-emulation-plan-windows-registry) |
| [File Access and File Modification](/micro_emulation_plans/src/file_access/) | Emulate file access and modification behaviors commonly associated with [TA0009 Collection](https://attack.mitre.org/tactics/TA0009/) as well as [T1486 Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/). (Data source: [DS0022 File](https://attack.mitre.org/datasources/DS0022/)) |
| [Named Pipes](/micro_emulation_plans/src/named_pipes/) | Emulates the creation and use of named pipes [commonly abused by malware](https://labs.withsecure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/) (Data source: [DS0023 Named Pipe](https://attack.mitre.org/datasources/DS0023/)) |
| [Windows Registry](/micro_emulation_plans/src/windows_registry/) | Emulates a few common methods that adversaries use to modify the Windows Registry. (Data Source: [DS0024 Windows Registry](https://attack.mitre.org/datasources/DS0024/)) |
| [Web Shells](/micro_emulation_plans/src/webshell/) | Emulates the compound behavior of planting a web shell ([T1505.003 Server Software Component: Web Shell](https://attack.mitre.org/techniques/T1505/003/)) and then executing arbitrary commands through it ([T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)) |
| [Process Injection](/micro_emulation_plans/src/process_injection/) | Emulates the compound behavior of [T1055 Process Injection](https://attack.mitre.org/techniques/T1055/) followed by execution of arbitrary commands ([T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)) |
| [User Execution](/micro_emulation_plans/src/user_execution/) | Emulates the compound behavior of delivering a malicious `.one`, `.doc`, `.lnk`, or `.iso` file (e.g. via [T1566.001 Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)) and then executing arbitrary commands after a user invokes the file ([T1204.002 User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) and [T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)). |
| [Active Directory Enumeration](/micro_emulation_plans/src/ad_enum/) | Emulate multiple [TA0007 Discovery](https://attack.mitre.org/tactics/TA0007/) behaviors through commonly abused interfaces and services such as Active Directory (AD)|
|[Reflective Loading](/micro_emulation_plans/src/reflective_loading/) | Emulates an adversary performing running malicious code within an arbitrary process to perform [T1620 Reflective Code Loading](https://attack.mitre.org/techniques/T1620/)
| [Remote Code Execution](/micro_emulation_plans/src/apache_rce/) | Emulates an adversary performing remote code execution against a vulnerable web server as documented in [T1190 Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/)
| [Log Clearing](/micro_emulation_plans/src/log_clearing) | Emulates an adversary clearing Windows Event Log, as described in [T1070.001 Indicator Removal: Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)
|[Data Exfiltration](/micro_emulation_plans/src/data_exfil/) | Emulates the compound behaviors of an adversary finding, staging, archiving, and extracting sensitive files, as described in [TA0010 Exfiltration](https://attack.mitre.org/tactics/TA0010/)
|[DLL Sideloading](/micro_emulation_plans/src/dll_sideloading/) | Emulates an adversary executing an otherwise legitimate/benign application in order to hijack its modules/libraries to instead inject their malicious payload, as described in [T1574.002 Hijack Execution Flow: DLL Side-Loading](https://attack.mitre.org/techniques/T1574/002/)

## Philosophy

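Review bot: the new Reflective Loading row reads "Emulates an adversary performing running malicious code within an arbitrary process", which should be "running malicious code within an arbitrary process" (or "performing reflective loading of malicious code into an arbitrary process"); fix before merge since this table is the front page of the repository. The last five added rows (Reflective Loading through DLL Sideloading) also drop the closing `|` that the earlier rows carry, the File Access and Active Directory rows say "Emulate" where the rest say "Emulates", and the Active Directory row has no final period. Dropping the old anchored links is fine, in particular the removed Active Directory row pointed at `#Micro-Emulation-Plan-Windows-Registry`, the wrong plan's anchor.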
