Atomic Friday Notes - 05012020

2020-05-01 13:10:50 -06:00
parent d29abbca2c
commit c0b2785f40
3 changed files with 270 additions and 0 deletions
@@ -0,0 +1,155 @@
+# Atomic Friday - 05-01-2020
+
+## Setup
+
+My environment today is built with DetectionLab.
+
+>This lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices when it comes to system logging configurations. It can easily be modified to fit most needs or expanded to include additional hosts.
+
+
+Get it here:
+https://github.com/clong/DetectionLab
+
+Follow: [@DetectionLab](https://twitter.com/DetectionLab)
+
+
+<img src="https://github.com/clong/DetectionLab/raw/master/img/DetectionLab.png" alt="DetectionLab" width="200"/>
+
+
+We will be working from WIN10 system.
+
+`$PSVersionTable`
+```
+Name                           Value
+----                           -----
+PSVersion                      5.1.18362.1
+PSEdition                      Desktop
+PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
+BuildVersion                   10.0.18362.1
+CLRVersion                     4.0.30319.42000
+...
+```
+
+## Get Invoke-AtomicRedTeam
+
+<img src="https://www.redcanary.com/wp-content/uploads/image2-25.png" alt="Atomic" width="200"/>
+
+https://github.com/redcanaryco/invoke-atomicredteam
+
+```
+IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1')
+Install-AtomicRedTeam -getAtomics
+```
+This will install `invoke-atomicredteam` and download `Atomics` folder from Atomic Red Team.
+
+Note: 
+- `Set-ExecutionPolicy -Scope CurrentUser unrestricted`
+- `set-executionpolicy unrestricted`
+- Disable AV. 
+
+Atomics folder:
+https://github.com/redcanaryco/atomic-red-team/tree/master/atomics
+
+## Before Update
+
+We're going to modify T1086 - BloodHound
+
+https://github.com/redcanaryco/atomic-red-team/tree/23620c707ac1ed89e4207a39488f9214cf3c6e1e/atomics/T1086
+
+## After Update
+
+SharpHound PR
+- https://github.com/redcanaryco/atomic-red-team/pull/955
+- https://github.com/redcanaryco/atomic-red-team/pull/962
+- Added src dir (removed payloads)
+- Added input arguments
+- Added prereqs
+
+
+SharpHound ingestor: 
+https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1
+
+
+## Local Execution
+
+`Invoke-AtomicTest T1086 -ShowDetailsBrief`
+
+```
+PathToAtomicsFolder = C:\AtomicRedTeam\atomics
+
+T1086-1 Mimikatz
+T1086-2 Run BloodHound from local disk
+T1086-3 Run Bloodhound from Memory using Download Cradle
+```
+
+Select test and show details:
+
+`Invoke-AtomicTest T1086 -TestNumbers 2 -ShowDetails`
+
+Check Prerequisits:
+
+`Invoke-AtomicTest T1086 -TestNumbers 2 -CheckPrereqs`
+
+```
+CheckPrereq's for: T1086-2 Run BloodHound from local disk
+Prerequisites not met: T1086-2 Run BloodHound from local disk
+        [*] SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
+
+Try installing prereq's with the -GetPrereqs switch
+```
+
+Get Prerequisits:
+
+`Invoke-AtomicTest T1086 -TestNumbers 2 -GetPrereqs`
+
+```
+GetPrereq's for: T1086-2 Run BloodHound from local disk
+Attempting to satisfy prereq: SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
+Prereq successfully met: SharpHound.ps1 must be located at C:\AtomicRedTeam\atomics\T1086\src
+```
+
+Execute:
+
+`Invoke-AtomicTest T1086 -TestNumbers 2`
+
+```
+Import and Execution of SharpHound.ps1 from C:\AtomicRedTeam\atomics\T1086\src
+-----------------------------------------------
+Initializing SharpHound at 4:31 PM on 4/30/2020
+-----------------------------------------------
+
+Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
+
+[+] Creating Schema map for domain WINDOMAIN.LOCAL using path CN=Schema,CN=Configuration,DC=WINDOMAIN,DC=LOCAL
+[+] Cache File not Found: 0 Objects in cache
+
+[+] Pre-populating Domain Controller SIDS
+Status: 0 objects finished (+0) -- Using 81 MB RAM
+Status: 71 objects finished (+71 ∞)/s -- Using 86 MB RAM
+Enumeration finished in 00:00:00.6317770
+Compressing data to C:\Users\VAGRAN~1.WIN\AppData\Local\Temp\20200430163109_BloodHound.zip
+You can upload this file directly to the UI
+
+SharpHound Enumeration Completed at 4:31 PM on 4/30/2020! Happy Graphing!
+
+Done executing test: T1086-2 Run BloodHound from local disk
+```
+
+Where are my reports!?
+
+`-OutputDirectory $env:Temp`
+
+`ls $env:Temp`
+
+`20200430163109_BloodHound.zip`
+
+Time to cleanup
+
+`Invoke-AtomicTest T1086 -TestNumbers 2 -Cleanup`
+
+```
+Command (with inputs):
+Remove-Item C:\AtomicRedTeam\atomics\T1086\src\SharpHound.ps1 -Force -ErrorAction Ignore
+Remove-Item $env:Temp\*BloodHound.zip -Force
+```
+
@@ -0,0 +1,56 @@
+Import-Module /Users/matt.graeber/Documents/GitHub/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1
+
+# Explore the functions exposed in invoke-atomicredteam
+Get-Command -Module Invoke-AtomicRedTeam
+
+# Path to the 
+$AtomicPath = '/Users/matt.graeber/Documents/GitHub/atomic-red-team/atomics/T1086/T1086.yaml'
+
+# Get the raw YAML
+$T1086 = Get-Content -Path $AtomicPath -Raw
+
+# Parse the YAML, validate against expected atomic technique/test schema and output appropriate PowerShell object.
+$AtomicTechnique = Get-AtomicTechnique -Path $AtomicPath
+
+# Validate all atomics
+Get-ChildItem -Path /Users/matt.graeber/Documents/GitHub/atomic-red-team/atomics/ -Recurse -Include 'T*.yaml' | Get-AtomicTechnique
+
+# Recreate T1086 test #2
+
+$InputArg1 = New-AtomicTestInputArgument -Name internal_domain -Description 'Specify internal domain name to analyze' -Type String -Default 'windomain.local'
+$InputArg2 = New-AtomicTestInputArgument -Name file_path -Description 'File path for SharpHound payload' -Type String -Default 'PathToAtomicsFolder\T1086\src'
+
+$DependencyArgs = @{
+    Description = 'Validate if SharpHound.ps1 is located in #{file_path}.'
+    PrereqCommand = 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}'
+    GetPrereqCommand = 'Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"'
+}
+
+$Dependency = New-AtomicTestDependency @DependencyArgs
+
+$TestArgs = @{
+    Name = 'Run BloodHound from local disk'
+    Description = @'
+Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
+
+Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
+'@
+    SupportedPlatforms = 'Windows'
+    ExecutorType = 'PowerShell'
+    ExecutorCommand = @'
+write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
+import-module #{file_path}\SharpHound.ps1; invoke-bloodhound -domain -OutputDirectory #{output_path}    
+'@
+    ExecutorCleanupCommand = @'
+Remove-Item #{file_path}\SharpHound.ps1 -Force
+Remove-Item #{file_path}\*BloodHound.zip -Force  
+'@
+    InputArguments = $InputArg1, $InputArg2
+    DependencyExecutorType = 'PowerShell'
+    Dependencies = $Dependency
+}
+
+$AtomicTest = New-AtomicTest @TestArgs
+
+# Convert the atomic test to raw YAML. Add to existing technique. Profit
+$AtomicTest | ConvertTo-Yaml
@@ -0,0 +1,59 @@
+# Getting Lateral
+
+Using DetectionLab, we will enable [PSRemoting](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7) on our remote host WEF and execute our Atomic Test on it.
+
+## Setup
+
+On WEF
+
+```
+Enable-PSRemoting
+```
+
+On Win10
+
+Same terminal we used earlier:
+
+`$sess = New-PSSession -ComputerName wef -Credential windomain.local\administrator`
+
+Prompt for credentials
+
+## Let's get Remote (execution)
+
+Wiki - https://github.com/redcanaryco/invoke-atomicredteam/wiki/Execute-Atomic-Tests-(Remote)
+
+After you have established the PS session ($sess) you can proceed with test execution as follows.
+
+`Invoke-AtomicTest T1117 -TestNumbers 2 -ShowDetails`
+
+`Invoke-AtomicTest T1003 -TestNumbers 4 -ShowDetails`
+
+### Install any required prerequisites on the remote machine before test execution
+
+`Invoke-AtomicTest T1117 -Session $sess -GetPrereqs`
+
+### execute all atomic tests in technique T1117|T1003 on a remote machine
+
+`Invoke-AtomicTest T1117 -Session $sess -TestNumbers 2`
+
+`Invoke-AtomicTest T1003 -TestNumbers 4 -Session $sess`
+
+## Validate execution
+
+[T1117 Splunk](https://192.168.38.105:8000/en-US/app/search/search?q=search%20host%3Dwef*%20regsvr32.exe%20earliest%3D-30m%20latest%3Dnow&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1588276958.707)
+
+[T1003 Splunk](https://192.168.38.105:8000/en-US/app/search/search?q=search%20host%3Dwef*%20reg.exe%20earliest%3D-30m%20latest%3Dnow%20%7C%20stats%20values(Process_Command_Line)&display.page.search.mode=smart&dispatch.sample_ratio=1&workload_pool=&earliest=-24h%40h&latest=now&sid=1588277661.75&display.page.search.tab=statistics&display.general.type=statistics)
+
+
+## Random Tips
+
+- Add user to "Remote management Users" group.
+
+- Enabling PowerShell remoting on client versions of Windows when the computer is on a public network is normally disallowed, but you can skip this restriction by using the SkipNetworkProfileCheck parameter. For more information, see the description of the SkipNetworkProfileCheck parameter.
+
+- psremoting to a Windows Server will require an Administrator account (I used Administrator above, as example shown)
+
+
+## Reference
+
+- PSRemoting - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7