Adversary Emulations Using Mitre Caldera and Wazuh EDR — Part II: Discovery.
(Part I — Payload execution available here)
The “Discovery Adversary Emulation” is included in Mitre Caldera and can be executed against any of the agents registered on the C2 server.
All the abilities included in this adversary are based on PowerShell executions where command obfuscation is available, masking the command line parameters.
It’s a “simple” adversary emulation but helpful in testing telemetry collection from the endpoint and spotting anomalies during its execution.
As part of the lab setup, the following components were used:
- C2 Server: Mitre Caldera.
- Adversary Emulation: Discovery.
- EPDR: F-Secure EPP + Wazuh EDR.
- SIEM: Wazuh.
It’s important to highlight that, although there’s a software protection solution installed in the endpoint (F-Secure EPP), the fact that all the abilities used in the adversary emulation leverage Powershell execution, none of the PowerShell instances run during the simulation were stopped by the EPP’s application protection engine.
Adversary Emulation — Execution
- Identify active user
- Find local users
- Identify local users
- Snag broadcast IP
- Find user processes
- View admin shares
- Discover domain controller
- Discover antivirus programs
- Permission Groups Discovery
- Identify Firewalls
- Discover Mail Server
- Get Chrome Bookmarks
Each one of these abilities is commanded for execution at regular intervals dictated by the C2 Server
In each step the endpoint sends back to the C2 server the information collected. The “debrief” plugin included in Mitre Caldera allows the visualisation of the chain of events and the artifacts collected on the endpoint.
Events and Alerts.
What should be detected on the endpoint and what alerts would be expected:
- Communication with the C2 Server.
- Powershell and child processes executed from a non-interactive shell.
- Powershell executed bypassing the execution policy.
- Powershell executed with command line obfuscation.
As part of Wazuh rules defined in the manager, the correlation of several Sysmon anomalies can raise an alert with higher rule level assigned to indicate several anomalies detected on the same endpoint.
Events and Alerts — SOCFortress Platform