Autowin is a framework that helps organizations simulate custom attack scenarios in order to improve detection and response capabilities.
Check out all the techniques we developed. Each one has a readme.md file, so you can better understand what they do and how to create a custom scenario.
Autowin's entire architecture is based around the MITRE ATT&CK framework, to facilitate not only the creation of modules but also the communication between those who test and those who get tested.
Right now we are not releasing a built version of this project, but you can easily build it yourself using Visual Studio.
This is a project in development and new techniques are developed every day. Currently available techniques:
MID | Technique |
---|---|
T1003-001 | OS Credential Dumping: LSASS Memory |
T1037-001 | Boot or Logon Initialization Scripts: Logon Script |
T1046 | Network Service Scanning |
T1053-005 | Scheduled Tasks |
T1059-001 | PowerShell |
T1059-003 | Command and Scripting Interpreter: Windows Command Shell |
T1059-005 | Visual Basic Script |
T1059-007 | JavaScript/JScript |
T1087-000 | Account Discovery |
T1110-000 | Brute Force |
T1543-003 | Create or Modify System Process: Windows Service |
T1547-001 | Registry Run Keys / Startup Folder |
T1219 | Remote Access Software |
T1036-004 | Masquerading: Masquerade Task or Service |
T1027 | Obfuscated Files or Information |
T1021-001 | RDP |
T1135 | Network Share Discovery |
T1547-005 | Boot or Logon Autostart Execution: Security Support Provider |
T1550-003 | Use Alternate Authentication Material: Pass the Ticket |
T1558-001 | Steal or Forge Kerberos Tickets: Golden Ticket |
T1558-003 | Steal or Forge Kerberos Tickets: Kerberoasting |
[!] Techniques with the "000" suffix are modules that contain multiple subtechniques as execution methods. Modules without any suffix are single-execution-method techniques that do not contain any subtechnique.
Autowin currently supports three execution methods:
TO DO
You can use the "flow" method to execute the techniques that are part of a specific scenario:

```
AutoWin.exe --flow attack_scenario.flow
```
Imagine that you want to create a scenario where the attacker enumerates all local users (T1087-000) and then tries to brute-force their passwords (T1110-000). You could achieve this by creating the following attack flow:
```json
{
  "Campaign": "Brute Force or Password Spray local Users",
  "Datetime": "2020-07-30 10:00:00",
  "Techniques": {
    "1": {
      "Technique": "T1087-000",
      "EntryData": {
        "output": "users.txt"
      },
      "Parameters": [
        "net",
        "local"
      ]
    },
    "2": {
      "Technique": "T1110-000",
      "Parameters": [
        "local",
        "users.txt",
        "password.txt"
      ]
    }
  }
}
```
For this example, you must provide a password.txt file containing the passwords that will be tested against the users.
The framework currently uses the public folder (C:\Users\Public) as its default artifact/resource dropping location. Techniques use that path automatically whenever possible, so you don't have to worry about it. If your simulation requires a specific directory, you can pass the "Workfolder" parameter in your attack flow file, before declaring your techniques:
```json
{
  "Campaign": "Just an example",
  "Datetime": "2020-07-30 10:00:00",
  "Workfolder": "C:\\temp\\",
  "Techniques": {
    ...
```
You can also change the path inside the technique scope, as shown in the previous scenario by the "output" variable.
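Before a blue team hands a scenario to the framework, it helps to lint the flow file: check the top-level keys and the Datetime format, order steps by their numeric keys, resolve EntryData paths against the work folder, and list the input files nobody produces (password.txt in the scenario above). The script below is an added example, not Autowin's own code; it assumes that EntryData file names are simply joined to the work folder and that any parameter containing a dot is a file name.

```python
import json
import re
from datetime import datetime
from pathlib import PureWindowsPath

DEFAULT_WORKFOLDER = r"C:\Users\Public"          # documented default drop location
TECHNIQUE_ID = re.compile(r"^T\d{4}(-\d{3})?$")   # matches ids like T1046, T1087-000

# Constructed flow text mirroring the README brute-force scenario; steps are
# deliberately listed out of order to show that the numeric keys decide order.
SAMPLE_FLOW = """{
  "Campaign": "Brute Force or Password Spray local Users",
  "Datetime": "2020-07-30 10:00:00",
  "Techniques": {
    "2": {"Technique": "T1110-000",
          "Parameters": ["local", "users.txt", "password.txt"]},
    "1": {"Technique": "T1087-000", "EntryData": {"output": "users.txt"},
          "Parameters": ["net", "local"]}
  }
}"""

def lint_flow(text):
    """Return (steps, problems, required_files) for an Autowin flow file.
    Steps come back in execution order with EntryData paths joined to the work
    folder (assumed behaviour); required_files are file-like parameters that no
    earlier step produced, so the operator must supply them (e.g. password.txt)."""
    flow = json.loads(text)
    problems = [f"missing top-level key {k!r}"
                for k in ("Campaign", "Datetime", "Techniques") if k not in flow]
    try:
        datetime.strptime(flow.get("Datetime", ""), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        problems.append("Datetime must look like 'YYYY-MM-DD HH:MM:SS'")
    workfolder = PureWindowsPath(flow.get("Workfolder", DEFAULT_WORKFOLDER))
    techniques = flow.get("Techniques", {})
    problems += [f"step key {k!r} is not a number" for k in techniques if not k.isdigit()]
    steps, produced, required = [], set(), []
    for key in sorted((k for k in techniques if k.isdigit()), key=int):
        step = techniques[key]
        tid = step.get("Technique", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"step {key}: bad technique id {tid!r}")
        entry = step.get("EntryData", {})
        # File-like parameters (they carry an extension) that no earlier step produced
        required += [p for p in step.get("Parameters", []) if "." in p and p not in produced]
        produced.update(entry.values())
        steps.append({"step": int(key), "technique": tid, "module": tid.endswith("-000"),
                      "artifacts": {n: str(workfolder / f) for n, f in entry.items()}})
    return steps, problems, required
```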
TO DO
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Please make sure to update tests as necessary.