Breach and Attack Simulation Guide
In case you missed it, Threatcare released an all-new, one-of-a-kind, FREE Breach and Attack Simulation solution to the public a few weeks ago. Since the release, we’ve developed a help center to guide users on their journey into the Breach and Attack Simulation realm. We were fortunate enough to stumble upon an article written by security guru, Mike Ripp. Mike went through the process of executing a BAS on his personal network and took the time to document it all. Like most security experts, Mike used common open source tools, like Snort, to validate the traffic generated by Threatcare was captured properly. We’re sharing his article for the benefit of all of our new Threatcare subscribers. Check it out below!
Testing the Lab Network With the Threatcare Simulation App
by: Mike Ripp
Recently I decided to try out the Threatcare Breach and Attack Simulation app on my lab network. I kept things pretty basic and only tested one of the options from the playbook. The app provides a number of options to simulate attacks and other threats to a network, mostly utilizing MITRE’s ATT&CK framework.
I would like to try out the “Create Playbook” option and see how many different attacks can be made.
For this quick write-up, I will be using the Initial Access tactic to see how my network reacts. After signing into the application, the screenshot above is what the user is brought to. There are a number of options that can be checked out; however, with this being the free version, not all options are available. Starting a simulation is as simple as clicking on one of the playbooks. It would be interesting to see how the create playbook option would allow the analyst to structure an attack from initial access to command and control.
As usual, my IDS of choice is Snort; hopefully we will get some alerts to fire and not be caught with our pants down.
Snort ready to rock.
After clicking the playbook, the page moves over one tab to “Techniques”. Here we can see in real-time the commands that are used in the simulation.
The kitchen sink of attacks.
As you can hopefully see from the above picture, the attack isn’t limited to just one file or executable. Windows PEs, Jar files, malicious PDFs, and even Mimikatz make appearances in this playbook. Luckily, my current Windows setup blocked a few of the attempts; let’s see how Snort is holding up.
Two alerts. Let’s check them out.
We know the suspect IP addresses from the Snort alert. We can get more information from our PCAP and Wireshark, but first we can verify some things in Sysmon.
Network Connection Event for our first address.
Second network connection.
We can verify that the traffic we are seeing is indeed the simulated traffic from the Threatcare app. Totally unrelated to the current topic, but I tried out the Windows Defender Exploit Guard rules and added them to Sysmon. I am still trying to understand Exploit Guard and will see if I can utilize the rules on the next post.
With Snort alerting us to the possibility of some executable files, we should be able to extract the files in Wireshark.
Test malicious exe and PDF.
After extracting both test files, we can verify the file types that are suspected of infecting the machine.
The famous “MZ” in the first few bytes tips us off to badness.
While this was a quick post and not meant to be a critique or review of the application, there is a heck of a lot more that could have been done as far as incident response. The Threatcare application allowed for some quick simulation traffic that I am sure would be helpful in large networks, and probably more fun to analyze than my poor lab setting.
These certainly are great times with all of the attack simulation software that is out for defenders and red teamers. For those interested in detection, hunting and the like, these tools are invaluable in getting your feet wet.
— end of article —
Thanks again, Mike!
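As an added example (not part of Mike's article or the Threatcare app), here is a small triage script for the step where the extracted test files are checked by their leading bytes: it recognises the file kinds the playbook used (PDF, Jar/ZIP, Windows PE), follows the MZ stub's e_lfanew pointer to confirm a real "PE\0\0" signature rather than trusting "MZ" alone, and flags files whose extension disagrees with their magic bytes. The sample bytes are constructed inline so it runs offline.

```python
import struct

# Magic-byte signatures for the file types seen in the playbook.
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"   # Jar files are ZIP containers
MZ_MAGIC = b"MZ"


def identify(data: bytes) -> str:
    """Classify a blob by its leading bytes. For MZ files, follow the
    e_lfanew field at offset 0x3C to the 'PE\\0\\0' signature."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        return "zip/jar"
    if data.startswith(MZ_MAGIC):
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz-stub-only"   # DOS header without a valid PE header
    return "unknown"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the claimed extension disagrees with the magic bytes."""
    expected = {"pdf": "pdf", "jar": "zip/jar", "exe": "pe", "dll": "pe"}
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in expected and expected[ext] != identify(data)


def build_minimal_pe() -> bytes:
    """Constructed sample: a 0x40-byte MZ stub whose e_lfanew points
    straight at a bare 'PE\\0\\0' signature."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20


# Constructed stand-ins for files carved out of the capture.
SAMPLES = {
    "test.exe": build_minimal_pe(),
    "test.pdf": b"%PDF-1.4\n%constructed sample\n",
    "payload.jar": b"PK\x03\x04" + b"\x00" * 26,
    "invoice.pdf": build_minimal_pe(),   # PE hiding behind a .pdf name
}


def triage(samples=SAMPLES):
    """Return {name: (detected kind, extension mismatch?)} for each file."""
    return {n: (identify(d), extension_mismatch(n, d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (kind, bad) in triage().items():
        print(f"{name:12} {kind:13} {'MISMATCH' if bad else 'ok'}")
```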