Threat Analysis Unit

Invoke-APT29: Adversarial Threat Emulation

MITRE recently conducted its second ATT&CK exercise in their ongoing annual series of Endpoint Security Efficacy testing and evaluation. This test focuses on assessing the behavioral capabilities of multiple endpoint security vendors against a simulated adversary, based closely on well-documented, real-world threat actors. Prevention is not a focus for this test; instead, compromise is assumed, and the primary focus is on how much a product can reveal about the adversary's post-exploitation activity. Each year a new threat actor is selected and emulated as closely as possible based on what is publicly known about the adversary.

For 2019, the infamous APT29 was selected as the group to emulate in the ATT&CK evaluation. They are a unique Russian adversary that is most well-known for the compromise of the Democratic National Committee beginning in the summer of 2015. The group has been active for just under a decade and is known by many aliases, such as YTTRIUM, The Dukes, Cozy Bear, and CozyDuke. Their tactics vary significantly depending on the target and the method of exploitation used to gain access, ranging anywhere from low-and-slow targeted techniques to full-on smash-and-grab, and regularly leveraging custom malware and Living off the Land Binaries and Scripts (LOLBas) with a heavy focus on PowerShell.

Given the primary reliance on PowerShell and related techniques, I’ve compiled a collection of APT29’s most widely used techniques into a single PowerShell script, so that others can quickly, easily, and safely simulate a majority of this adversary’s techniques as they relate to MITRE ATT&CK. This script is primarily comprised of techniques included within the Red Canary Atomic Red Team framework, though many have been customized to more closely resemble APT29. This is augmented by custom attack scenarios and techniques that the VMware Carbon Black Threat Analysis Unit (TAU) developed while preparing for the latest MITRE ATT&CK evaluation round:

Download Here

To get started with the script, simply import the script as a module and then call the Invoke-APT29 function with the -help flag to display usage instructions and basic information.

Figure 1: Displaying Invoke-APT29’s available options
Figure 2: Displaying information on APT29 from the MITRE ATT&CK Website

To view high-level information about APT29 as documented on MITRE’s website, call Invoke-APT29 with the -about flag.

From here, you can begin launching simulated attacks. The modules are organized by MITRE TID and can be listed out via the -listTechniques flag.

Figure 3: Displaying the available MITRE ATT&CK techniques
Figure 4: Example using search to find and launch a UAC bypass technique

You can also search for terms/tools/etc. via the -search flag. Once you’ve found the attack you’d like to simulate, pass the TID as a flag to view information about the technique and execution instructions. Appending -listVariants to the function will highlight the different ways to simulate the attack activity. Once a desired attack is selected, pass the -attack and -variant # flags to execute the simulated attack.

Most simulations can be executed without administrative permissions, and some are designed to elevate permissions, such as the UAC example above. However, some attacks will require administrative access in order to be successful. These techniques may also be blocked by your endpoint security solution, as the techniques leveraged are well known within the industry.

Figure 5: Invoke-Mimikatz sekurlsa dump attack simulation

Some of the attacks will make changes to the system, such as modifying the registry, creating a scheduled task, etc. As such, where applicable, attacks come with a -cleanup option, allowing you to remove any persistent data related to the simulation.

Figure 6: Sticky Keys persistence attack and cleanup example

While this script is mainly focused on simulations across a single endpoint, it is possible to execute attacks across remote hosts and highlight how lateral movement can affect the telemetry of your endpoint security solution. To get started, you can enable PowerShell remoting by passing the -enablePSRemoting flag. There is also a -disablePSRemoting flag to turn off this functionality.

Figure 7: PSRemoting automated (insecure) configuration

With PSRemoting enabled, you can now execute PowerShell commands on the target host remotely. By default, the ‘remote’ attacks will target the localhost, so to more accurately simulate this activity it is recommended to modify the script with your own domain information.

Figure 8: Running Invoke-Mimikatz on a remote system via psremoting

To take this a step further, the script implements multiple methods for obtaining a reverse shell for popular command and control tools, such as Metasploit and Empire, along with some of the more popular LOLBas options such as Rundll32 and MSHTA. To leverage these, set the -shell flag and the desired option.

By default, none of these are weaponized or configured, as they must be customized to your own C2. However, attack examples are made available, which are meant to be expanded upon.

Figure 9: Remote Shell Examples

Once a shell is established, you can continue to leverage Invoke-APT29.ps1 by importing the script into your beacon. For example, within Cobalt Strike this can be done with powershell-import and powerpick. This can be accomplished with similar platforms in various ways.

Figure 10: Cobalt Strike powershell-import and powerpick example

Most importantly, following the execution of various attack simulations, you’ll want to check your endpoint security solution to measure your overall security efficacy and ensure that you are able to detect the activities performed.
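As an added example (not part of the Invoke-APT29 script), the following post-run audit ties together the -cleanup step and the telemetry check above: it verifies that the simulation artifacts the page mentions are gone and that PowerShell logging produced events your endpoint solution should have seen. It assumes the Sticky Keys simulation uses the Image File Execution Options debugger for sethc.exe, that -enablePSRemoting left the WinRM service running, and that Script Block Logging (event ID 4104) is enabled on the host.

```powershell
# Added audit script, not the project's own code. Run it on the endpoint after
# the simulations and their -cleanup options have completed.
function Test-SimulationResidue {
    [CmdletBinding()]
    param(
        # How far back to look in the PowerShell Operational log (constructed default).
        [int]$LookbackHours = 4,
        # String expected inside logged script blocks from the simulation.
        [string]$Marker = 'Invoke-APT29'
    )

    $findings = @()
    $since = (Get-Date).AddHours(-$LookbackHours)

    # 1. Sticky Keys persistence (assumed IFEO variant) leaves a Debugger value for sethc.exe.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
    $debugger = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings += [pscustomobject]@{ Check = 'sethc.exe IFEO debugger still set'; Detail = $debugger }
    }

    # 2. -enablePSRemoting leaves WinRM running; flag it if -disablePSRemoting was expected.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    if ($winrm -and $winrm.Status -eq 'Running') {
        $findings += [pscustomobject]@{ Check = 'WinRM service running'; Detail = "StartType=$($winrm.StartType)" }
    }

    # 3. Scheduled tasks outside the Microsoft tree are candidates left over from the run.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Check = 'Non-Microsoft scheduled task'; Detail = "$($_.TaskPath)$($_.TaskName)" }
        }

    # 4. Telemetry: Script Block Logging should have recorded the simulation's code.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match [regex]::Escape($Marker) }
    if (-not $events) {
        $findings += [pscustomobject]@{ Check = 'No 4104 script block events'; Detail = "nothing mentioning $Marker since $since" }
    }

    return $findings
}

Test-SimulationResidue | Format-Table -AutoSize
```

An empty result means cleanup removed the checked artifacts and the log contains script block events to compare against what the endpoint product reported.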

Leveraging Invoke-APT29, you can simulate a well-known and documented adversary and understand the security efficacy of your endpoint protection solution.

Video Demo