Mordor Labs 😈 — Part 3: Executing ATT&CK APT29 Evaluations Emulation Plan 📕 -Day2

Published in

Open Threat Research

9 min readMay 3, 2020

Building the environment for scenario two is very easy and takes around 30–45 mins. Once the environment is set up, you will still have to set up your computer to authenticate via certificates with point-to-site VPN.

This post is part of a three-part series where I share my experience deploying the ATT&CK APT29 evaluation environment via Azure Resource Manager (ARM) templates and collecting free telemetry produced after executing the emulation plans for each scenario.

In this post, I share a few steps to connect to the environment via a point-ti-site VPN and a quick video showing every single step taken following day 2 emulation plan.

The other two parts can be found in the following links:

Pre-Requirements

I highly recommend to read the first part of this series. That should be helpful to understand the infrastructure in more details and the reason why we need to create self-signed certificates to authenticate to the environment.

Mordor Labs 😈 — Part 1: Deploying ATT&CK APT29 Evals Environments via ARM Templates 🚀 to Create Detection Research Opportunities 🌎!

Connect to the Environment

This was already explained in the first post, but I believe it would be good to go through this again. If you already did this part, feel free to skip to the “Preparing for Emulation Plan (Day 2)” section of this post.

Once the environment deploys successfully, you will have to download a VPN config file from Azure, update it with your client certificate and key, import it to your OpenVPN client, and connect!

Download VPN Client config from Azure

Go to your Azure Portal > Resource Group Name > Virtual Network Gateway > Point-to-site-configuration and click on Download VPN Client.

Update VPN Client Config

Once it downloads, you will have a compressed file with a few file configs in it. The environment I put together uses OpenVPN as the VPN client protocol. Therefore, we are going to update the OpenVPN\vpnconfig.opvn file and insert the Client Certificate and Private Key to it. Open with your favorite editor. I use Visual Studio Code.

I first comment out lines 20–21because TunnelBlick handles that for you.

#log openvpn.log
#verb 3

Then, I modified lines 71–76 (These are official steps BTW). You need to copy the contents of your self-signed client certificate and paste it between <cert></cert> as shown below:

# P2S client certificate
# Please fill this field with a PEM formatted client certificate
# Alternatively, configure 'cert PATH_TO_CLIENT_CERT' to use input from a PEM certificate file.
<cert>
-----BEGIN CERTIFICATE-----
MJVADC....
-----END CERTIFICATE-----
</cert>

Next, you have to do something similar but with your client private key. Open your client private key file and copy the contents of it and paste it between <key></key> as shown below:

# P2S client certificate private key
# Please fill this field with a PEM formatted private key of the client certificate.
# Alternatively, configure 'key PATH_TO_CLIENT_KEY' to use input from a PEM key file.
<key>
-----BEGIN RSA PRIVATE KEY-----
M...
-----END RSA PRIVATE KEY-----
</key>

That’s it! You are ready to connect to the environment. Open your OpenVPN Client and drag and drop the client VPN config that we just edited or double-click on it depending on what VPN client app you are using. Finally, connect!

Preparing for Emulation Plan (Day 2)

I recommend to connect to every endpoint that you are going to use, disable Windows Defender, and get ready to execute the emulation plan. This plan calls to RDP to every box involved as a Domain Admin. For this scenario, I use dmevals\mscott as specified in the emulation plan document I shared. Get familiarized with the following resources to know how to prepare for it:

I also put together a document from those two resources and added some context related to the environment that I built to share with the community. You can use it as an online document or download from here. The document also comes with instructions to perform additional post-deployment steps.

RDP to SCRANTON (10.0.1.4) , UTICA (10.0.1.5) & NEWYORK (10.0.0.4)

RDP as dmevals\mscottto all endpoints with password abc123!D@t3M1k3. If you want more information about the available domain users and their password, it is here.

Launch PoshC2

ssh to TEMSERVER box (192.168.0.4)

LOCAL@LAPTOP ~ % 
LOCAL@LAPTOP ~ % ssh wardog@192.168.0.4                       
wardog@192.168.0.4's password:wardog@TEAMSERVER:~$

Launch PoshC2 with the following command.

sudo docker run -ti --rm -p 443:443 -v  /opt/PoshC2_Project:/opt/PoshC2_Project -v /opt/PoshC2:/opt/PoshC2 -e  PAYLOAD_COMMS_HOST=https://192.168.0.4 --name poshc2 poshc2  /usr/bin/posh-server

Update PoshC2 Files

Follow the set up steps in the online document.

Open /opt/PoshC2/resources/modules/stepFifteen_wmi.ps1. Copy the PowerShell command one-liner created under the “Execution via Command Prompt” section. From “powershell” to the last character of the encoded commands. Paste it as a value for CommandLineTemplate.

Do the same for stepForteen_bypassUAC.ps1. In “ “ after -Value

Copy the Posh_v4_x64.dll file out of the PoshC2 docker container.

Copy that to your local computer

Move the file over to your Patient Zero vm (UTICA) and run the commands specified in the document.

In C:\programdata\victim folder, open the schemas file. paste the contents of blob to the variable $bin

Paste the base64 blob from the Powershell one liner from PoshC2 to the value of $enc_ps variable.

Copy make_lnk, schemas, and the 2016_* files over to the desktop

Copy MITRE-ATTACK-EVALS to C:\users\dschrute\Documents\

Right click on make_lnk script and run with PowerShell. That should create a powershell script which will be used for initial access.

🚨 Wait, before executing that script..! 😉 🛑

Get Ready to Collect Security Events

One of the main goals for this deployment is to collect all the data generated at the host and network layer to be able to share it with the community.

Collect Endpoints Events from Azure Event hub

Install Kafkacat in your local computer (version 1.4.0+) or VM.

Create a Kafkacat config in your local computer or VM

I created a Kafkacat config template here.
Add the values required from Azure Event hub. I got the following values and pasted them in the config file. Event Hub namespace (Get it from the Event Hub resource) and Event Hub Connection String (You can get it following these steps.)

Next, wherever kafkacat is installed, run Kafkacat in Consumer mode as shown below:

kafkacat -b <EVENTHUB-NAMESPACE>.servicebus.windows.net:9093 -t evh-apt29 -F kafkacat.conf -C -o end > evals_apt29_day2_manual_$(date +%F%H%M%S).json

-b : Bootstrap broker(s) (host[:port]). Your Event Hub Namespace
-t : Topic to consume events from. The name of you Event Hub.
-F : Read configuration properties from the Kafkacat.conf file.
-C: Consumer Mode : Consume/Collect events.
-o : Offset to start consuming from (i.e. end).

I usually run it first for a few seconds and then stop it to see if it could connect to the Azure event hub and if I get data from it.

Capture PCAPs leveraging Azure Network Watcher Extension

As I mentioned in the previous post, I put together a script to start capturing PCAPs leveraging the Azure network watcher extension installed on every Windows endpoint. It is in the scripts folder of the mordor-labs project.

Usage: Start-Packet-Capture.sh [option...]-r     Resource Group Name
   -s     Storage Account Name
   -c     Computer Names (e.g VM01,VM02)Examples:
 Start-Packet-Capture.sh -r resourcegroup01 -s storageaccount01 -c VM01,VM02

Since the victims are SCRANTON and NASHUA, those are the only computers I want PCAPs from.

Locally in your computer with Azure CLI installed and set up run:

bash Start-Packet-Capture.sh -r <RESOURCE-GROUP-NAME> -s <AZURE-STORAGE-ACCOUNT> -c UTICA,SCRANTON,NEWYORK

If you go to Azure Portal > Network Watcher > Packet Capture , you will see both endpoints PCAP sessions running (We can only collect 1GB at the time)

You are now ready to execute APT29 — Day 2 emulation plan 🍻. I took a lot of screenshots for each step, but I thought it would be better to make a video of me running the emulation plan and share it with you 😆. I can share some images of how it all starts, but the rest is a video I uploaded to the Open Threat Research YouTube channel that I manage.

Initial Access (Day 2)

Double click the PowerShell script in the desktop

The following screen will show up

You will get a call back in your PoshC2 server

Start PoshC2 Client

In a separate terminal (TEAMSERVER) run the following command

sudo docker run -ti --rm -v /opt/PoshC2_Project:/opt/PoshC2_Project -v  /opt/PoshC2:/opt/PoshC2 --name poshc2-client poshc2 /usr/bin/posh

Enter a new username

and you are ready to execute emulation plan Day 2. Follow the steps in the online document or offline one from here

Stopping Security Event Collection

Stopping Azure PCAPs

Go to Azure Portal > Network Watcher > Packet Capture, and stop one by one.

Stopping Kafkacat Collection

All you have to do is CTRL+C on the terminal where you are running the collection from. If you check your Azure Event Hub, you will see that events were collected as they were being ingested 😉. Collection started around 3:30 AM. I did some tests before that. I love to see how practical and flexible this is 😱