Adversary Emulations Using Mitre Caldera and Wazuh EDR — Part II: Discovery.

Intro

Intro

(Part I — Payload execution available here)

The “Discovery Adversary Emulation” is included in Mitre Caldera and can be executed against any of the agents registered on the C2 server.

All the abilities included in this adversary are based on PowerShell executions where command obfuscation is available, masking the command line parameters.

Discovery — Abilities Included

It’s a “simple” adversary emulation but helpful in testing telemetry collection from the endpoint and spotting anomalies during its execution.

As part of the lab setup, the following components were used:

• C2 Server: Mitre Caldera.
• Adversary Emulation: Discovery.
• EPDR: F-Secure EPP + Wazuh EDR.
• SIEM: Wazuh.

It’s important to highlight that, although there’s a software protection solution installed in the endpoint (F-Secure EPP), the fact that all the abilities used in the adversary emulation leverage Powershell execution, none of the PowerShell instances run during the simulation were stopped by the EPP’s application protection engine.

Adversary Emulation — Execution

Abilities Included:

Mitre Caldera — Discovery Atomic Tests

• Identify active user
• Find local users
• Identify local users
• Snag broadcast IP
• Find user processes
• View admin shares
• Discover domain controller
• Discover antivirus programs
• Permission Groups Discovery
• Identify Firewalls
• Discover Mail Server
• Get Chrome Bookmarks

Each one of these abilities is commanded for execution at regular intervals dictated by the C2 Server

C2 Beacon and Command Executions

In each step the endpoint sends back to the C2 server the information collected. The “debrief” plugin included in Mitre Caldera allows the visualisation of the chain of events and the artifacts collected on the endpoint.

Mitre Caldera — Discovery Debrief

Events and Alerts.

What should be detected on the endpoint and what alerts would be expected:

• Communication with the C2 Server.
• Powershell and child processes executed from a non-interactive shell.
• Powershell executed bypassing the execution policy.
• Powershell executed with command line obfuscation.

As part of Wazuh rules defined in the manager, the correlation of several Sysmon anomalies can raise an alert with higher rule level assigned to indicate several anomalies detected on the same endpoint.

Events and Alerts — SOCFortress Platform

EDR — Sysmon Anomalies and Correlation Rule Triggered.

Powershell anomaly

Powershell anomaly

C2 — EDR Communication.

Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html