├── FUNDING.yml
├── img
│   ├── EDRs.png
│   ├── info.png
│   ├── info2.png
│   ├── mtest.png
│   ├── out.png
│   ├── socks.png
│   ├── vtest.png
│   ├── AllTests.png
│   ├── socks-test.png
│   ├── timeline.png
│   ├── tool-header.png
│   ├── Template-Menu.png
│   ├── diag-T1552-unit.png
│   └── test-implemented.png
└── README.rst
/FUNDING.yml:
--------------------------------------------------------------------------------
1 | patreon: TH3xACE
2 |
--------------------------------------------------------------------------------
/img/EDRs.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/EDRs.png
--------------------------------------------------------------------------------
/img/info.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/info.png
--------------------------------------------------------------------------------
/img/info2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/info2.png
--------------------------------------------------------------------------------
/img/mtest.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/mtest.png
--------------------------------------------------------------------------------
/img/out.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/out.png
--------------------------------------------------------------------------------
/img/socks.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/socks.png
--------------------------------------------------------------------------------
/img/vtest.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/vtest.png
--------------------------------------------------------------------------------
/img/AllTests.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/AllTests.png
--------------------------------------------------------------------------------
/img/socks-test.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/socks-test.png
--------------------------------------------------------------------------------
/img/timeline.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/timeline.png
--------------------------------------------------------------------------------
/img/tool-header.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/tool-header.png
--------------------------------------------------------------------------------
/img/Template-Menu.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/Template-Menu.png
--------------------------------------------------------------------------------
/img/diag-T1552-unit.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/diag-T1552-unit.png
--------------------------------------------------------------------------------
/img/test-implemented.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TH3xACE/EDR-Test/HEAD/img/test-implemented.png
--------------------------------------------------------------------------------
/README.rst:
--------------------------------------------------------------------------------
1 | #############
2 | EDR-Test
3 | #############
4 |
13 | #CobaltStrike #AggressorScript #EDR #MITREAttack #PurpleTeam
14 |
15 | .. contents::
16 |    :local:
17 |    :depth: 1
18 |
19 | =============
20 | INTRO
21 | =============
22 |
23 | **Who said Cobalt Strike was meant to be used only as an offensive tool (Red Team)?**
24 |
25 | As part of our Purple Team activity, I am involved in testing different EDR solutions to evaluate their detection capabilities by emulating attacks using the Tactics, Techniques, and Procedures (TTPs) used by adversaries. I wanted to automate the tests, both to make them easier for us to run and to allow a consistent and effective comparison between the different solutions.
26 |
27 | My first consideration was the **Atomic Red Team** project. It is a really nice project and initiative. Unfortunately, it did not allow me to meet some of my objectives, such as:
28 |
29 | * not to use PowerShell
30 | * to have better flexibility
31 | * some custom (ninja) features
32 |
33 | Link: https://github.com/redcanaryco/atomic-red-team
34 |
35 | After some online research (thanks, Dr. Google) to find other (FREE) alternatives, I came to the conclusion that if I wanted to meet all my objectives I needed to get my hands dirty, so I decided to start my own project. But which programming language to use? I settled on Cobalt Strike's Aggressor Script (a superset of the Sleep language): at that time I was aiming to improve my coding skills with Aggressor Scripts (.cna), and since it would also allow me to achieve all my objectives, it was the way to go.
36 |
37 | For those who don't know what I am talking about!
38 |
39 | **What is Cobalt Strike?**
40 |
41 | Cobalt Strike is a platform for adversary simulations and red team operations. The product is designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors.
42 |
43 | Adversary Simulations and Red Team Operations are security assessments that replicate the tactics and techniques of an advanced adversary in a network. While penetration tests focus on unpatched vulnerabilities and misconfigurations, these assessments benefit security operations and incident response.
44 |
45 | **What is Aggressor Script?**
46 |
47 | Aggressor Script is a scripting language for red team operations and adversary simulations inspired by scriptable IRC clients and bots. Its purpose is two-fold. You may create long-running bots that simulate virtual red team members, hacking side-by-side with you. You may also use it to extend and modify the Cobalt Strike client to suit your needs through the use of Aggressor Script '.cna' files.
48 |
49 | ================
50 | Where to Start?
51 | ================
52 |
53 | The answer was as simple as the MITRE ATT&CK® framework. The MITRE ATT&CK® framework, which stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), is a knowledge base for modeling the behavior of a cyber adversary.
54 |
55 | Link: https://attack.mitre.org/
56 |
57 | The framework was used to build the CNA scripts with the different tests. It should be noted that, at the time of writing, I have not yet implemented all the tests from the framework: only those of high interest and relevance to the objectives were prioritised in the development of the script.
58 |
59 | =============
60 | Menu
61 | =============
62 |
63 | Below is the menu from which it is possible to select either unit tests or multiple tests, in either a user or an admin context.
64 |
65 |
66 | .. image:: ./img/socks-test.png
67 |    :width: 650px
68 |    :alt: Project
69 |
70 | The [P] flag indicates that the test makes use of a SOCKS proxy.
71 |
72 | This is a portion of the CNA code for the menu:
73 |
74 | .. image:: ./img/Template-Menu.png
75 |    :width: 500px
76 |    :height: 700px
77 |    :alt: Project
78 |
79 |
80 | =============
81 | Tests
82 | =============
83 |
84 | .. image:: ./img/tool-header.png
85 |    :width: 700px
86 |    :alt: Project
87 |
88 | The tests are split as follows:
89 | -------------------------------
90 | 1. User Unit Test
91 | 2. Admin Unit Test
92 | 3. User All Tests
93 | 4. Admin All Tests
94 |
95 | Tests implemented: more than 60 tests (including variant tests**), covering 49 unique TTPs.
96 |
97 | ** Some tests can be performed using native Windows executables, Cobalt Strike functions, or external tools (Python, C#, ...).
98 |
99 | .. image:: ./img/vtest.png
100 |    :width: 600px
101 |    :alt: Project
102 |
103 | Example of output in Cobalt Strike:
104 |
105 | .. image:: ./img/out.png
106 |    :width: 1000px
107 |    :alt: Project
108 |
109 |
110 |
111 | The screenshot below shows information about some tests (variant tests): whether a proxy is used, a .NET binary, a Cobalt Strike function, a Windows binary, ...
112 |
113 | .. image:: ./img/info2.png
114 |    :alt: img-broken
115 |
116 |
117 | Multiple Test
118 | --------------------------
119 |
120 | Multiple tests can be run in either the user or the admin context. It is also possible to specify the delay between consecutive tests (e.g. 5 minutes).
121 |
124 | .. image:: ./img/AllTests.png
125 |    :width: 400px
126 |    :alt: img-broken
127 |
128 | =============
129 | Timeline
130 | =============
131 |
132 | This functionality is important since it can be used to match the detections shown on the EDR console against the TTPs used during the test. The time at which each test was performed is what makes this match possible.
133 |
134 | .. image:: ./img/timeline.png
135 |    :width: 1000px
136 |    :alt: img-broken
137 |
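The matching described above, as an added Python example that is not code from the EDR-Test project: it takes a constructed test timeline (ATT&CK technique ids and start times, launched five minutes apart as in the multiple-test delay described earlier) and a constructed EDR alert export, attributes each alert to the test whose time window contains it, and lists the TTPs that produced no detection. The export format, rule names, technique choices other than T1552, and the five-minute window are assumptions; a real console export needs its own parser.

```python
"""Match EDR detections against a purple-team test timeline.

Added example, not code from the EDR-Test project. Given the time at which
each test started and an export of alerts from the EDR console, attribute
every alert to the test that was running at that moment and list the TTPs
that produced no detection. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TestRun:
    technique: str      # ATT&CK technique id
    name: str
    started: datetime   # when the test was launched (from the tool's timeline)


@dataclass(frozen=True)
class Alert:
    timestamp: datetime
    rule: str           # detection rule / alert name as exported by the EDR


# Constructed timeline: three tests launched 5 minutes apart, mirroring the
# delay between tests that the multiple-test mode lets you configure.
T0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)
TIMELINE = [
    TestRun("T1552", "Unsecured Credentials", T0),
    TestRun("T1003", "OS Credential Dumping", T0 + timedelta(minutes=5)),
    TestRun("T1057", "Process Discovery", T0 + timedelta(minutes=10)),
]

# Constructed EDR export: "<ISO-8601 UTC timestamp>,<rule name>" per line.
# A real console export will have its own columns; only the parser changes.
EDR_EXPORT = """\
2024-01-01T10:00:42Z,Credential file accessed by unusual process
2024-01-01T10:05:17Z,LSASS memory read
2024-01-01T10:05:19Z,LSASS memory read
2024-01-01T10:31:00Z,Unrelated scheduled-scan alert
"""


def parse_alerts(text: str) -> list:
    """Parse the constructed export format into Alert objects."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rule = line.split(",", 1)
        # datetime.fromisoformat() does not accept a trailing 'Z' before 3.11
        stamp = datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))
        alerts.append(Alert(stamp, rule.strip()))
    return alerts


def correlate(timeline, alerts, window=timedelta(minutes=5)):
    """Attribute each alert to the test whose window [started, started + window)
    contains it. Keep the window no longer than the delay between tests so an
    alert can belong to at most one test; if windows do overlap, the most
    recently started test wins. Returns (technique -> sorted distinct rule
    names, list of alerts that matched no test)."""
    runs = sorted(timeline, key=lambda r: r.started)
    hits = {r.technique: set() for r in runs}
    unattributed = []
    for alert in alerts:
        owner = None
        for run in runs:  # ascending start time, so the last match is the latest test
            if run.started <= alert.timestamp < run.started + window:
                owner = run
        if owner is None:
            unattributed.append(alert)
        else:
            hits[owner.technique].add(alert.rule)
    return {t: sorted(rules) for t, rules in hits.items()}, unattributed


def missed_techniques(hits):
    """Techniques that were exercised but produced no alert: the gaps to report."""
    return [t for t, rules in hits.items() if not rules]


if __name__ == "__main__":
    hits, noise = correlate(TIMELINE, parse_alerts(EDR_EXPORT))
    for run in TIMELINE:
        status = ", ".join(hits[run.technique]) or "MISSED"
        print(f"{run.started:%H:%M} {run.technique} {run.name}: {status}")
    print(f"Missed: {missed_techniques(hits)}; unattributed alerts: {len(noise)}")
```

With the constructed data, T1552 and T1003 are attributed to alerts, T1057 is reported as missed, and the late unrelated alert is left unattributed instead of being credited to any test. The window is what keeps the result honest: it must not exceed the configured delay, otherwise alerts from a slow detection pipeline get credited to the following test.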
138 | =======================
139 | Comparing EDR solutions
140 | =======================
141 |
142 | Due to security concerns, I can't disclose the solutions I have tested or the results, but the project below might give you some insight. It should also be noted that the results presented by that project are only valid at a specific point in time, since the detection capabilities of some EDRs have evolved since then.
143 |
144 | Project: https://attackevals.mitre-engenuity.org/enterprise/participants/?rounds=carbanak_fin7
145 |
146 | .. image:: ./img/EDRs.png
147 |    :width: 1000px
148 |    :alt: img-broken
149 |
150 | Results comparing the detection capability of the EDR solutions with reference to TTPs.
151 |
152 | Link: "https://mitre-evals.kb.europe-west1.gcp.cloud.es.io:9243/app/dashboards#/view/c2184e40-a13a-11eb-9d57-5de8e1bfb5ea?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-15m,to:now))"
153 |
154 | =============
155 | Note
156 | =============
157 |
158 | The EDR-Test project is not published online for now, but it can be shared if you contribute (at least 5 tests, variants included: create a Pull Request) or if you sponsor the project; contact me at adblue2017[@]gmail[.]com
159 |
160 | List of already implemented tests: /img/test-implemented.png
161 |
--------------------------------------------------------------------------------