Adversary Emulation
Mainly using open-source tools.
Environment Creation
In most exercises, there should be some kind of 'range' of which we can run our attacks without affecting the main production environment. This is where the development of a simulated testbed is required.
Vagrant
Vagrant is an open-source software project developed by Hashicorp that enables the building and maintaining of portable virtual software development environments.
In layman terms, it allows for us to script the spinning up of Virtual Machines using providers like VirutalBox or VMWare automatically and quickly using a Vagrantfile
script.
Recently, Hashicorp has basically made their software closed source. In the meantime, we can use the OpenTF Foundation's implementation of Infrastructure as Code, which is an (always) open source alternative :D
The VMs can then be provisioned with startup scripts to download the necessary packages and files from our host machine or the Internet. The syntax of this software is super easy to understand, and it's relatively stable (although sometimes prone to bugs and resetting is required).
To install this, we can use the choco
package manager to do so on Windows:
Here's a quick example of a setting up a Linux machine with some tools:
The vm.box
option can be changed to whatever we want based on the available boxes from Hashicorp's Vagrant Cloud library:
The provisioning is done through putting files from our host machine to the VM, and we can also run scripts like setup.sh
from our machine. If we want to create and run our VM, just head to the directory with the Vagrantfile
and relevant files, and then run:
This would download the image from the Vagrant Cloud and set up the VM for us. If we want to stop or destroy the VM, we can do so accordingly:
The above Vagrantfile
sets up the machines on one host machine, so it is ideal if we do not have or want to use Cloud providers to host our machines. However, take note that setting up multiple VMs is hardware intensive and requires lots of space and RAM, so change the v.memory
and v.cpus
according to your needs.
The fast provisioning and destruction of VMs using Vagrant makes it great for setting up environments quickly for adversary emulation, malware analysis or just general testing without affecting our host machine. There are loads of Github repositories out there for stuff like Windows Reverse Engineering or Malware Analysis ready to go.
Terraform
Terraform is another open-source software tool created by Hashicorp. The main difference between this and Vagrant is that Terraform is able to deploy infrastructure using services like AWS a bit easier, and do all the same stuff that Vagrant can do.
I won't delve into Terraform scripts too much, since the documentation by Hashicorp is pretty comprehensive and easy to use.
Automated Adversary
Now that we have provisioned our simulated enterprise environment, we need a way to simulate our adversary based on our threat model (ie. if you are a financial institution, emulate FIN groups instead of groups that target OT / ICS sectors).
One tool I have used is called Caldera, which a free software developed by MITRE that allows for automated threat emulation:
Alternatively, red teams can do this manually if desired (but automated just saves loads of time).
Caldera is a software that contains a C2 server with a REST API and web interface, as well as various plugins that include agents, reporting, collection of existing TTPs and much more. For example, Sandcat is one of the plugins, which provides a Golang based beacon to create agents on hosts:
Will include:
Creating adversary profiles based on threat intel
Deploying agents and running operations
Scythe2Caldera script that I made! For automating creation of adversary profiles based of the Community Threats Repository maintainted by SCYTHE for Purple Teaming.
Documentation
Open-Source Vectr (how to please upper management with clear documentation lol).