Merge pull request #125 from center-for-threat-informed-defense/updat…

…e_micro add new micro plans
center-for-threat-informed-defense · Apr 17, 2023 · ee05f95 · ee05f95
2 parents 3e3ea44 + 7b83111
commit ee05f95
Show file tree

Hide file tree

Showing 182 changed files with 29,365 additions and 48,550 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,4 +1,4 @@
-name: "Build Micro Plans"
+name: "Build"
 
 on:
   push:
@@ -16,14 +16,49 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
+    - uses: actions/setup-go@v4
+      with:
+        go-version: '1.19'
+
+    #data_exfil
+    - name: Make release folders
+      run: |
+        mkdir release
+        mkdir release/DataExfil
+        mkdir release/DataExfil/Linux
+
+    - name: Make build folders
+      working-directory: ./micro_emulation_plans/src/data_exfil
+      run: |
+        mkdir ./build
+        mkdir ./build/linux
+        
+    - name: Install data_exfil dependencies
+      working-directory: ./micro_emulation_plans/src/data_exfil
+      run:
+        go get ./...
+
+    - name: Build Linux data exfiltration release
+      working-directory: ./micro_emulation_plans/src/data_exfil
+      run: |
+        go build -o build/linux/data_exfil ./cmd/main.go
+
+    - name: Copy data_exfil artifacts
+      run: |
+        cp ./micro_emulation_plans/src/data_exfil/README*.md release/DataExfil/
+        cp ./micro_emulation_plans/src/data_exfil/build/linux/* release/DataExfil/Linux
 
     # webshell:
     - name: Make release folders
-      run: mkdir -p ./release/Webshell/Linux
+      run: |
+        mkdir release/Webshell
+        mkdir release/Webshell/Linux
 
     - name: Make build folders
       working-directory: ./micro_emulation_plans/src/webshell
-      run: mkdir -p ./build/linux
+      run: |
+        mkdir ./build
+        mkdir ./build/linux
 
     - name: Build Linux PHP release
       working-directory: ./micro_emulation_plans/src/webshell
@@ -37,29 +72,47 @@ jobs:
 
     - name: Copy webshell artifacts
       run: |
-        cp ./micro_emulation_plans/src/webshell/README*.md ./release/Webshell/
-        cp ./micro_emulation_plans/src/webshell/build/linux/* ./release/Webshell/Linux
+        cp ./micro_emulation_plans/src/webshell/README*.md release/Webshell/
+        cp ./micro_emulation_plans/src/webshell/build/linux/* release/Webshell/Linux
 
     # upload artifacts for use in make-release
     - uses: actions/upload-artifact@v3
       with:
         name: linux-tools
-        path: ./release
+        path: release/
 
   windows-build:
     name: "Windows Build"
     runs-on: "windows-2022"
 
     steps:
-    # fixes build issue on windows with long file paths
-    - name: Enable long paths
-      run: git config --system core.longpaths true
-
     - uses: actions/checkout@v3
     - uses: actions/setup-dotnet@v2
       with:
         dotnet-version: '6.0.300'
+    - uses: actions/setup-go@v4
+      with:
+        go-version: '1.19'
 
+      #data_exfil  
+    - name: Install data_exfil dependencies
+      working-directory: ./micro_emulation_plans/src/data_exfil
+      run:
+        go get ./...
+
+    - name: Build data_exfil
+      working-directory: ./micro_emulation_plans/src/data_exfil
+      run: go build ./cmd/main.go
+
+
+    - name: Make data_exfil folder
+      run: mkdir release/DataExfil/Windows
+
+    - name: Copy data_exfil artifacts
+      run: |
+        cp ./micro_emulation_plans/src/data_exfil/README.md release/DataExfil/README.md
+        cp ./micro_emulation_plans/src/data_exfil/main.exe release/DataExfil/DataExfil.exe
+  
     # ad_enum:
     - name: Install ad_enum dependencies
       working-directory: ./micro_emulation_plans/src/ad_enum
@@ -80,6 +133,31 @@ jobs:
         cp ./micro_emulation_plans/src/ad_enum/README.md release/ActiveDirectoryEnumeration/README.md
         cp ./micro_emulation_plans/src/ad_enum/build/ad_enum.exe release/ActiveDirectoryEnumeration/ActiveDirectoryEnumeration.exe
 
+    # Apache_rce:
+    - name: build apache_rce
+      working-directory: ./micro_emulation_plans/src/apache_rce
+      run: dotnet publish --configuration Release -p:PublishSingleFile=true -p:RuntimeIdentifier=win-x64 -o ./build
+
+    - name: Make apache_rce folder
+      run: mkdir release/ApacheRCE
+
+    - name: Copy apache_rce artifacts
+      run: |
+        cp ./micro_emulation_plans/src/apache_rce/build/ApacheEMU.exe release/ApacheRCE/ApacheRCE.exe
+
+
+    # reflective_loading:
+    - name: build reflective_loading
+      working-directory: ./micro_emulation_plans/src/reflective_loading
+      run: dotnet publish --configuration Release -p:PublishSingleFile=true -p:RuntimeIdentifier=win-x64 -o ./build
+
+    - name: Make reflective_loading folder
+      run: mkdir release/ReflectiveLoading
+
+    - name: Copy reflective_loading artifacts
+      run: cp ./micro_emulation_plans/src/reflective_loading/build/reflective_loading.exe release/ReflectiveLoading/reflective_loading.exe
+
+
     # file_access:
     - name: Install file_access dependencies
       working-directory: ./micro_emulation_plans/src/file_access
@@ -137,24 +215,37 @@ jobs:
     # user_execution:
     - name: Create user_execution release folder
       run: mkdir release/UserExecution
+
+    # dot_one:
+    - name: build dot_one
+      working-directory: ./micro_emulation_plans/src/user_execution/dot_one
+      run: dotnet publish --configuration Release -p:PublishSingleFile=true -p:RuntimeIdentifier=win-x64 -o ./build
+
+    - name: Make dot_one folder
+      run: mkdir release/UserExecution/DotOne
+
+    - name: Copy dot_one artifacts
+      run: |
+        cp ./micro_emulation_plans/src/user_execution/dot_one/build/dot_one.exe release/UserExecution/DotOne/dot_one.exe
+        cp ./micro_emulation_plans/src/user_execution/dot_one/README_dot_one.md release/UserExecution/DotOne/README_dot_one.md 
 
-    # iso-bypass:
-    - name: Install iso-bypass dependencies
-      working-directory: ./micro_emulation_plans/src/user_execution/iso-bypass
+    # iso_bypass:
+    - name: Install iso_bypass dependencies
+      working-directory: ./micro_emulation_plans/src/user_execution/iso_bypass
       run: dotnet restore
 
-    - name: Build iso-bypass
-      working-directory: ./micro_emulation_plans/src/user_execution/iso-bypass
+    - name: Build iso_bypass
+      working-directory: ./micro_emulation_plans/src/user_execution/iso_bypass
       run: dotnet publish --configuration Release -p:PublishSingleFile=true -p:RuntimeIdentifier=win-x64 -o ./build
 
-    - name: Make iso-bypass folder
+    - name: Make iso_bypass folder
       run: mkdir release/UserExecution/ISOBypass
 
-    - name: Copy iso-bypass artifacts
+    - name: Copy iso_bypass artifacts
       run: |
-        cp ./micro_emulation_plans/src/user_execution/iso-bypass/README.md release/UserExecution/ISOBypass/README.md
-        cp ./micro_emulation_plans/src/user_execution/iso-bypass/download.iso release/UserExecution/ISOBypass/download.iso
-        cp ./micro_emulation_plans/src/user_execution/iso-bypass/build/iso.exe release/UserExecution/ISOBypass/ISOBypass.exe
+        cp ./micro_emulation_plans/src/user_execution/iso_bypass/README_iso_bypass.md release/UserExecution/ISOBypass/README_iso_bypass.md
+        cp ./micro_emulation_plans/src/user_execution/iso_bypass/download.iso release/UserExecution/ISOBypass/download.iso
+        cp ./micro_emulation_plans/src/user_execution/iso_bypass/build/iso.exe release/UserExecution/ISOBypass/ISOBypass.exe
 
     # macros: - unsure if we want to do the commented out stuff, but it should work
     - name: Get DLLs
@@ -196,7 +287,7 @@ jobs:
         cp ./micro_emulation_plans/src/user_execution/macros/docs/enable_macros/*.jpg release/UserExecution/Macros/docs/enable_macros
         cp ./micro_emulation_plans/src/user_execution/macros/payload_code/whoami.md release/UserExecution/Macros/payload_code/whoami.md
         cp ./micro_emulation_plans/src/user_execution/macros/payloads/whoami.docm release/UserExecution/Macros/payloads/whoami.docm
-        cp ./micro_emulation_plans/src/user_execution/macros/README.md release/UserExecution/Macros/README.md
+        cp ./micro_emulation_plans/src/user_execution/macros/README_macros.md release/UserExecution/Macros/README.md
 
     # shortcut:
     - name: Install shortcut dependencies
@@ -212,7 +303,7 @@ jobs:
 
     - name: Copy shortcut artifacts
       run: |
-        cp ./micro_emulation_plans/src/user_execution/shortcut/README.md release/UserExecution/Shortcut/README.md
+        cp ./micro_emulation_plans/src/user_execution/shortcut/README_shortcut.md release/UserExecution/Shortcut/README_shortcut.md
         cp ./micro_emulation_plans/src/user_execution/shortcut/build/generate_lnk.exe release/UserExecution/Shortcut/Shortcut.exe
 
     # webshell:

diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,15 @@
 .DS_Store
 
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
diff --git a/README.md b/README.md
@@ -25,13 +25,18 @@ Available adversary emulation plans are listed below:
 
 | Micro Emulation Plans | Intelligence Summary |
 |:------:|------|
-|[Active Directory Enumeration](/micro_emulation_plans/src/ad_enum/)| [Targets compound behaviors associated with TA0007 Discovery using behaviors associated with abuse of Active Directory...](/micro_emulation_plans/src/ad_enum#Micro-Emulation-Plan-Windows-Registry)|
-|[File Access](/micro_emulation_plans/src/file_access/) | [Targets the DS0022 File: File Access and DS0022 File: File Modification data sources. It covers file interactions like reading a file and modifying a file’s contents...](/micro_emulation_plans/src/file_access#micro-emulation-plans-file-access) |
-|[Named Pipes](/micro_emulation_plans/src/named_pipes/) | [Targets the data source DS0023 Named Pipe. Named pipes are shared memory used for inter-process communication...](/micro_emulation_plans/src/named_pipes#micro-emulation-plan-named-pipes) |
-|[Process Injection](/micro_emulation_plans/src/process_injection/) | [Targets compound behaviors related to T1055 Process Injection. Process injection is commonly abused by malware to run code in another process, often to evade defenses...](/micro_emulation_plans/src/process_injection#micro-emulation-plans-process-injection) |
-|[User Execution](/micro_emulation_plans/src/user_execution/) | [Targets malicious activity associated with T1204 User Execution. User execution is commonly abused by adversaries as a means of executing malicious payloads...](/micro_emulation_plans/src/user_execution#micro-emulation-plans-user-execution) |
-|[Web Shells](/micro_emulation_plans/src/webshell/) | [This micro emulation plan targets malicious activity surrounding T1505.003 Web Shell. Web shells are malware placed on compromised web (or other network-accessible) servers...](/micro_emulation_plans/src/webshell#micro-emulation-plan-web-shells) |
-|[Windows Registry](/micro_emulation_plans/src/windows_registry/) | [Targets the data source DS0024 Windows Registry. The Registry is a hierarchical database used by Windows to store critical data for the OS...](/micro_emulation_plans/src/windows_registry#micro-emulation-plan-windows-registry) |
+| [File Access and File Modification](/micro_emulation_plans/src/file_access/) | Emulate file access and modification behaviors commonly associated with [TA0009 Collection](https://attack.mitre.org/tactics/TA0009/) as well as [T1486 Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/). (Data source: [DS0022 File](https://attack.mitre.org/datasources/DS0022/))   |
+|            [Named Pipes](/micro_emulation_plans/src/named_pipes/)            | Emulates the creation and use of named pipes [commonly abused by malware](https://labs.withsecure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/) (Data source: [DS0023 Named Pipe](https://attack.mitre.org/datasources/DS0023/))  |
+|       [Windows Registry](/micro_emulation_plans/src/windows_registry/)       | Emulates a few common methods that adversaries use to modify the Windows Registry. (Data Source: [DS0024 Windows Registry](https://attack.mitre.org/datasources/DS0024/))   |
+|              [Web Shells](/micro_emulation_plans/src/webshell/)              | Emulates the compound behavior of planting a web shell ([T1505.003 Server Software Component: Web Shell](https://attack.mitre.org/techniques/T1505/003/)) and then executing arbitrary commands through it ([T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/))  |
+|      [Process Injection](/micro_emulation_plans/src/process_injection/)      | Emulates the compound behavior of [T1055 Process Injection](https://attack.mitre.org/techniques/T1055/) followed by execution of arbitrary commands ([T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/))   |
+|         [User Execution](/micro_emulation_plans/src/user_execution/)         | Emulates the compound behavior of delivering a malicious `.one`, `.doc`, `.lnk`, or `.iso` file (e.g. via [T1566.001 Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)) and then executing arbitrary commands after a user invokes the file ([T1204.002 User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) and [T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)). |
+|     [Active Directory Enumeration](/micro_emulation_plans/src/ad_enum/)      | Emulate multiple [TA0007 Discovery](https://attack.mitre.org/tactics/TA0007/) behaviors through commonly abused interfaces and services such as Active Directory (AD)|
+|[Reflective Loading](/micro_emulation_plans/src/reflective_loading/) | Emulates an adversary performing running malicious code within an arbitrary process to perform [T1620 Reflective Code Loading](https://attack.mitre.org/techniques/T1620/)
+| [Remote Code Execution](/micro_emulation_plans/src/apache_rce/) | Emulates an adversary performing remote code execution against a vulnerable web server as documented in [T1190 Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/)
+| [Log Clearing](/micro_emulation_plans/src/log_clearing) | Emulates an adversary clearing Windows Event Log, as described in [T1070.001 Indicator Removal: Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/)
+|[Data Exfiltration](/micro_emulation_plans/src/data_exfil/) | Emulates the compound behaviors of an adversary finding, staging, archiving, and extracting sensitive files, as described in [TA0010 Exfiltration](https://attack.mitre.org/tactics/TA0010/)
+|[DLL Sideloading](/micro_emulation_plans/src/dll_sideloading/) | Emulates an adversary executing an otherwise legitimate/benign application in order to hijack its modules/libraries to instead inject their malicious payload, as described in [T1574.002 Hijack Execution Flow: DLL Side-Loading](https://attack.mitre.org/techniques/T1574/002/)
 
 ## Philosophy