Atomic Red Team Adversary Simulation In PowerShell: APT29

Dillon Singh
5 min readSep 2, 2022

Introduction

In this post, I will conduct my second Adversary Emulation exercise using the Red Canary Atomic Red Team framework in PowerShell. I will simulate these attacks in my Purple Team Cloud Lab and investigate the resulting logs in Kibana. My target domain controller ships its logs to the ELK Stack with Winlogbeat, so everything it records should appear on my blue team network. If the Atomic Red Team attack logs don't appear, that will be an opportunity, in a subsequent post, to write Sigma rules and show how to mature a SIEM's detections.

I have written a short overview of who APT29 is in Purple Teaming Like a Pro Part 2: Hands-On Adversary Emulation Using CALDERA & Detection In ELK. The section discussing this threat actor is reproduced below:

A Real APT Threat Group: Cozy Bear/APT29

Cozy Bear, or APT29, is an APT threat group attributed to the Russian government that has operated since at least 2008. The group has been linked to major breaches of U.S. government and political organizations, such as the Democratic National Committee, as well as various international ministries and agencies. APT29 is also known to "cast a wide net" in its targeting, which makes the group a threat to almost any organization.

APT29 is distinguished by its commitment to stealth and its sophisticated implementation of techniques through an arsenal of custom malware. The group typically accomplishes its goals with custom compiled binaries and alternative execution methods such as PowerShell and WMI. Its TTPs vary significantly depending on the target and on the method of exploitation used to gain access, ranging from low-and-slow targeted techniques to full-on smash-and-grab. It regularly combines its custom malware with Living off the Land Binaries and Scripts (LOLBAS), with a particular focus on PowerShell.

What is Atomic Red Team?

Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their defenses and exercise their blue team. Reference: redcanaryco/atomic-red-team: Small and highly portable detection tests based on MITRE’s ATT&CK. (github.com)

The standard edition of the Atomic Red Team library can be downloaded from GitHub: redcanaryco/atomic-red-team: Small and highly portable detection tests based on MITRE’s ATT&CK. (github.com)

To load the Atomic Red Team execution framework (Invoke-AtomicRedTeam) into a PowerShell session, assuming the default install location under C:\AtomicRedTeam, run: Import-Module C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1 -Force

Example

Invoke-AtomicTest T1485 -TestNumbers 1

Before executing the test, run the same command with -GetPrereqs (or -CheckPrereqs to only report what is missing): the Atomic Test shown above declares Mimikatz and PsExec as prerequisites, and they must be present on the system for it to run.

Other switches you can use with Invoke-AtomicTest T1485:

  1. -ShowDetailsBrief: list the tests under a specific technique
  2. -ShowDetails: list the tests under a specific technique with full details (commands, input arguments, dependencies)
  3. -CheckPrereqs / -GetPrereqs: check for, or download, any prerequisites (tools) a test needs
  4. -PromptForInputArgs: prompt for each input argument so you can customize the execution
  5. -Cleanup: remove any artifacts the test created
Command Showing Atomic Red Team Tests | Over 500 Atomic Tests Available
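As an added example (this is not code from the post or from the Atomic Red Team project), here is the full Invoke-AtomicTest cycle for one test, with the execution window recorded so the host's own Security, PowerShell and Sysmon events can be pulled afterwards. That local check tells you whether the events ever existed before you go looking for them in Kibana: if the endpoint logged nothing, the gap is in audit policy or logging configuration on the host, not in the Winlogbeat pipeline or the SIEM rules. The module path and test ID are the ones used above; the log names and event IDs are standard Windows ones; the execution log path is an assumption.

```powershell
# Added example (not from the original post or the Atomic Red Team project):
# run one atomic test, bracket it with timestamps, then pull the local Windows
# events from that window so you know what Winlogbeat should have shipped to ELK.
# Assumes Invoke-AtomicRedTeam is installed under C:\AtomicRedTeam as in the post.
# Run in an elevated PowerShell on a lab VM only.

Import-Module C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1 -Force

$technique = 'T1485'   # same technique as the post; any ATT&CK ID with atomics works
$testNum   = 1
$logPath   = Join-Path $env:TEMP "Invoke-AtomicTest-$technique.csv"   # assumed location

# 1. Read what the test will do before running it.
Invoke-AtomicTest $technique -TestNumbers $testNum -ShowDetails

# 2. Resolve prerequisites; -GetPrereqs downloads whatever the test declares.
Invoke-AtomicTest $technique -TestNumbers $testNum -CheckPrereqs
Invoke-AtomicTest $technique -TestNumbers $testNum -GetPrereqs

# 3. Execute, recording the window so the SIEM query has a tight time range.
$start = (Get-Date).ToUniversalTime()
Invoke-AtomicTest $technique -TestNumbers $testNum -ExecutionLogPath $logPath
$end = (Get-Date).ToUniversalTime().AddSeconds(30)   # pad for event-write latency

# 4. Remove the artifacts the test created.
Invoke-AtomicTest $technique -TestNumbers $testNum -Cleanup

# 5. Local ground truth: what did this host log during the window?
#    Security 4688   process creation (command line only with cmd-line auditing on)
#    PowerShell 4104 script block logging (must be enabled by policy)
#    Sysmon 1        process creation (only if Sysmon is installed)
$queries = @(
  @{ LogName = 'Security';                                 Id = 4688 }
  @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
  @{ LogName = 'Microsoft-Windows-Sysmon/Operational';     Id = 1    }
)
foreach ($q in $queries) {
  $filter = $q + @{ StartTime = $start.ToLocalTime(); EndTime = $end.ToLocalTime() }
  try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    Write-Host ("{0} / EID {1}: {2} event(s)" -f $q.LogName, $q.Id, @($events).Count)
    $events |
      Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
      Format-Table -AutoSize
  } catch {
    # "No events found", a missing log (no Sysmon) and access denied all land here.
    # An empty Security or PowerShell result is itself a finding: the SIEM is empty too.
    Write-Warning ("{0} / EID {1}: {2}" -f $q.LogName, $q.Id, $_.Exception.Message)
  }
}

# Execution log written by Invoke-AtomicTest (technique, test, GUID, timestamps).
# Paste the GUID or the timestamp into Kibana to find the matching Winlogbeat documents.
if (Test-Path $logPath) { Import-Csv $logPath | Format-Table -AutoSize }
```

Run the local query before writing any Sigma rule: a detection cannot be matured against events that were never generated, and the three sources above are exactly the ones Winlogbeat forwards from a default configuration.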

VMWare APT29 PowerShell Script

Because APT29 relies heavily on PowerShell, VMware has compiled a collection of the group's most widely used techniques into a single PowerShell script, so that others (like myself) can quickly and easily simulate its TTPs in a controlled environment.

The script is largely composed of techniques from the Red Canary Atomic Red Team framework, customized by the VMware Carbon Black Threat Analysis Unit (TAU) to closely resemble APT29's tradecraft.

TTP Techniques Included in Script

APT29 Atomic Red Team Script

Script: tau-tools/apt29.ps1 at master · carbonblack/tau-tools (github.com) Made by: VMware Carbon Black Threat Analysis Unit (TAU)

To Download

  1. Open PowerShell (does not need to be elevated).
  2. Run: Invoke-WebRequest -Uri https://github.com/carbonblack/tau-tools/blob/master/threat_emulation/Invoke-APT29/apt29.ps1 -OutFile .\apt29.ps1
     Note that this is the GitHub "blob" URL, which returns the HTML page rather than the script. To get the script itself, fetch the same path from raw.githubusercontent.com (https://raw.githubusercontent.com/carbonblack/tau-tools/master/threat_emulation/Invoke-APT29/apt29.ps1) or use the "Raw" button on the GitHub page, and check that the file you saved starts with PowerShell, not with <!DOCTYPE html>.
Downloading apt29.ps1 using PowerShell
  3. Import the script as a module in PowerShell and then call the Invoke-APT29 function with the -help flag to display usage instructions and basic information about the script.
Displaying Invoke-APT29’s available options
Displaying information on APT29 from the MITRE ATT&CK Website

From here we can begin launching simulated attacks. The modules are organized by MITRE technique ID (TID) and can be listed with the -listTechniques flag.

Displaying the available MITRE ATT&CK techniques
Example using search to find and launch a UAC bypass technique

You can also search for terms, tools and so on with the -search flag. Once you have found the attack you want to simulate, pass its TID as a flag to see information about the technique and its execution steps. Adding -listVariants shows the different ways the activity can be simulated. Once you have chosen one, pass the -attack and -variant flags to execute the simulation.
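The download-and-enumerate procedure above as one runnable sequence, added here as an example (it is not from the original post nor from the TAU repository). Only the flag names come from the post; the raw URL is the raw form of the page's link, and the technique and variant values, together with the way they are combined with -attack and -variant, are assumptions to confirm against -help on your copy of the script.

```powershell
# Added example (not from the original post or the TAU tool's own documentation):
# fetch apt29.ps1, sanity-check it, load it, and walk the enumeration flags the
# post lists. Lab VM only; the techniques modify the system and will trip EDR.

# The GitHub "blob" URL returns an HTML page; the raw URL returns the script.
$rawUrl = 'https://raw.githubusercontent.com/carbonblack/tau-tools/master/threat_emulation/Invoke-APT29/apt29.ps1'
$script = "$PWD\apt29.ps1"
Invoke-WebRequest -Uri $rawUrl -OutFile $script

# Checks before executing anything pulled from the internet:
#   a) it is PowerShell, not an HTML error page
#   b) record the hash so every lab run uses the same copy you reviewed
$head = Get-Content $script -TotalCount 5
if ($head -match '<!DOCTYPE|<html') { throw "Downloaded HTML, not a script: $rawUrl" }
Get-FileHash $script -Algorithm SHA256 | Format-List Hash, Path
# Clear Mark-of-the-Web so RemoteSigned execution policy does not refuse the file.
Unblock-File $script

Import-Module $script -Force
Invoke-APT29 -help              # usage instructions and script information
Invoke-APT29 -listTechniques    # modules keyed by MITRE technique ID
Invoke-APT29 -search 'UAC'      # free-text search over techniques and tools

# Assumed syntax below: the post says to pass the TID, add -listVariants to see
# the variants, then -attack and -variant to run one. Confirm the exact form
# with -help; the values are placeholders.
$tid     = 'T1088'   # UAC bypass, as in the post (renumbered T1548.002 in current ATT&CK)
$variant = 1         # take the name or number from the -listVariants output
Invoke-APT29 -attack $tid -listVariants
Invoke-APT29 -attack $tid -variant $variant
Invoke-APT29 -attack $tid -variant $variant -cleanup   # where the technique supports it
```

Keep the SHA256 from the first run alongside your lab notes: if a later download hashes differently, review the diff before running it, since the script deliberately performs actions an attacker would.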

Most simulations should be executed as admin. Some, like the UAC bypass simulation (T1088, since renumbered T1548.002 in ATT&CK), are designed to escalate privileges from a standard user, while others cannot run at all without administrative permissions. These techniques may also be blocked by your endpoint security solution, since they are well known within the industry; a block is itself a useful result, as it shows that control is working.

Invoke-Mimikatz sekurlsa dump attack simulation

Some attacks modify the system: registry changes, scheduled tasks created or deleted, and so on. Where applicable, attacks therefore come with a -cleanup option that removes any persistent data left by the simulation. Run it after every simulation, and verify that the artifact is actually gone rather than trusting the cleanup message alone.

Sticky Keys persistence attack and cleanup example

It is also possible to execute attacks against remote hosts. To use this, enable PowerShell remoting by passing the -enablePSRemoting flag; -disablePSRemoting turns it off again. This automated configuration is an insecure lab convenience: do not run it on a host you care about, and revert it with -disablePSRemoting when you are done.

PSRemoting automated (insecure) configuration

With PowerShell Remoting enabled, you can execute PS commands on the target host remotely. By default the "remote" attacks target localhost, so to make the simulation meaningful, edit the script with your own domain information before running them.
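An added check (not from the post or the TAU tool) for the remoting steps above: snapshot the host's WinRM settings with standard cmdlets before and after -enablePSRemoting, so the change the script makes is visible, and confirm afterwards that -disablePSRemoting restored the original state. Only the two flag names come from the post; the settings examined are standard WinRM/WSMan, registry and firewall items chosen because automated remoting setups commonly loosen them, not a claim about what this script actually touches.

```powershell
# Added example (not from the original post or the TAU tool): diff the host's
# remoting configuration around -enablePSRemoting / -disablePSRemoting.
# Assumes apt29.ps1 is already imported and the session is elevated (WSMan:
# and the firewall cmdlets need admin). Lab VM only.

function Get-RemotingSnapshot {
  # Every item here is a standard Windows setting; nothing is specific to the script.
  $snap = [ordered]@{}
  $svc = Get-Service WinRM
  $snap['WinRM service status']   = $svc.Status.ToString()
  $snap['WinRM start type']       = $svc.StartType.ToString()
  # WSMan: drive items fail when the service is stopped; record that rather than crash.
  $snap['TrustedHosts']           = try { (Get-Item WSMan:\localhost\Client\TrustedHosts -ErrorAction Stop).Value } catch { '<unavailable>' }
  $snap['Listeners']              = try { @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction Stop | ForEach-Object Name) -join ';' } catch { '<unavailable>' }
  $snap['Service AllowUnencrypted'] = try { (Get-Item WSMan:\localhost\Service\AllowUnencrypted -ErrorAction Stop).Value } catch { '<unavailable>' }
  $snap['Service Basic auth']     = try { (Get-Item WSMan:\localhost\Service\Auth\Basic -ErrorAction Stop).Value } catch { '<unavailable>' }
  # 1 here lets local admin accounts get full tokens over the network (UAC remote restriction off).
  $snap['LocalAccountTokenFilterPolicy'] = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                                            -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
  $snap['WinRM firewall rules enabled'] = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
                                            Where-Object Enabled -eq 'True').Count
  $snap['ExecutionPolicy (LocalMachine)'] = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
  $snap
}

function Compare-RemotingSnapshot($Before, $After) {
  # Emit one row per setting whose value changed; no output means no difference.
  foreach ($k in $Before.Keys) {
    if ("$($Before[$k])" -ne "$($After[$k])") {
      [pscustomobject]@{ Setting = $k; Before = $Before[$k]; After = $After[$k] }
    }
  }
}

$before = Get-RemotingSnapshot
Invoke-APT29 -enablePSRemoting
$enabled = Get-RemotingSnapshot
'Changed by -enablePSRemoting:'
Compare-RemotingSnapshot $before $enabled | Format-Table -AutoSize

# ... run the remote simulations here ...

Invoke-APT29 -disablePSRemoting
$after = Get-RemotingSnapshot
'Still different from the original state after -disablePSRemoting (should be empty):'
Compare-RemotingSnapshot $before $after | Format-Table -AutoSize
```

If the second comparison is not empty, fix the leftovers by hand (for example `Clear-Item WSMan:\localhost\Client\TrustedHosts` for a wildcard TrustedHosts entry, or `Disable-PSRemoting -Force` for the listener and firewall rules) rather than leaving a lab host more exposed than it started.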

Running Invoke-Mimikatz on a remote system via PS Remoting

Leveraging Invoke-APT29, you can simulate a real, well-known adversary and get a clearer picture of how effective your endpoint protection actually is.
