In this post I will explain how one could simulate an Advanced Persistent Threat (APT) using Praetorian’s Purple Team Attack Automation and MITRE’s ATT&CK framework.
How does one go about validating that what has been set up to protect one’s infrastructure is actually useful? Well, one will need to be able to simulate threats. To do that, one needs two things: an environment and tools. In the past few days I have been investigating tools that would allow me to simulate the Tactics, Techniques and Procedures (TTPs) of better-known APTs to validate some concepts we have been exploring at work.
An obvious choice was MITRE’s CALDERA; I ended up disappointed with it, but was pleasantly surprised by Praetorian’s Purple Team Attack Automation (shoutout to @Decalage2 for pointing me to it). As per the Purple Team Attack Automation (PTAA) documentation, one should make use of Docker to install it, something that I’m not very keen on doing.
I decided to install it manually; in a nutshell, PTAA is Metasploit with extra modules added to it, so how hard could it be? That’s also the reason why I liked PTAA so much: the fact that it leverages existing and well-maintained software that I use in my workflow.
The first thing to do is install the dependencies needed to build the Ruby gems required by Metasploit.
Then, clone the source code of rbenv, ruby-build and of PTAA itself. We’ll make use of rbenv because the Metasploit version PTAA is based on has different requirements (e.g., Ruby version) from the Metasploit that comes with Kali. Creating a separate environment makes things easier to manage and avoids problems with version conflicts and the like.
After the code has been downloaded, we need to create a file that can be used to set up the environment every time we want to make use of PTAA. The rbenv documentation instructs one to use the .bashrc file. This works well when you have a dedicated user to run the software you’re installing, which is not the case here. As such, I prefer to use a specific file that I use only when needed.
PATH variable as the Metasploit msfdb utility makes use of
Now we have everything ready to install Ruby and the gems needed by Metasploit.
Verify that the environment is properly set up and correct any errors reported.
Finally, install the Ruby gems needed by Metasploit using Bundler and set up the database.
Note that the user running the msfdb utility must be in the postgres group, otherwise it will fail.
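As an added example (not from the original post, nor part of PTAA or Metasploit), this is the kind of dedicated, sourceable environment file the post prefers over .bashrc: it puts the rbenv shims first on the PATH and warns about the postgres group membership that msfdb depends on before anything is run. The directory layout under PTAA_HOME and the PostgreSQL binary directory are assumptions; adjust them to your checkout.

```shell
#!/bin/sh
# ptaa-env.sh: source this file only in sessions where PTAA is used.
# Assumed layout (adjust): $PTAA_HOME/rbenv holds the rbenv clone (with
# ruby-build under plugins/), $PTAA_HOME/ptaa holds the PTAA clone.
PTAA_HOME="${PTAA_HOME:-$HOME/ptaa}"
# Assumed location of the PostgreSQL client/server binaries used by msfdb.
PG_BIN="${PG_BIN:-/usr/lib/postgresql/bin}"

# Build the PATH for the session: rbenv binaries and shims first, so the Ruby
# required by PTAA's Metasploit wins over Kali's system Ruby, then the
# PostgreSQL binaries, then whatever PATH was already in place.
build_ptaa_path() {
    rbenv_root="$1"; pg_bin="$2"; base_path="$3"
    printf '%s/bin:%s/shims:%s:%s' "$rbenv_root" "$rbenv_root" "$pg_bin" "$base_path"
}

# Return 0 if group $1 appears in the space-separated group list $2
# (the format produced by `id -nG`).
group_list_contains() {
    wanted="$1"; list="$2"
    for g in $list; do
        [ "$g" = "$wanted" ] && return 0
    done
    return 1
}

# Report problems that would otherwise only surface once msfdb is invoked.
check_ptaa_env() {
    status=0
    if ! group_list_contains postgres "$(id -nG)"; then
        echo "warning: $(id -un) is not in the postgres group; msfdb will fail" >&2
        status=1
    fi
    for d in "$PTAA_HOME/rbenv" "$PTAA_HOME/ptaa"; do
        [ -d "$d" ] || { echo "warning: missing directory $d" >&2; status=1; }
    done
    return $status
}

RBENV_ROOT="$PTAA_HOME/rbenv"; export RBENV_ROOT
PATH="$(build_ptaa_path "$RBENV_ROOT" "$PG_BIN" "$PATH")"; export PATH
# rbenv init wires up the shims; only run it when rbenv is actually installed.
if command -v rbenv >/dev/null 2>&1; then
    eval "$(rbenv init -)"
fi
check_ptaa_env || echo "fix the issues above before running msfdb/msfconsole" >&2
```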
Now that the environment and PTAA are ready, the next step is to generate the payload that will be used to “infect” a target machine.
Then we can run Metasploit and start a handler to receive the connections from our Meterpreter payload.
Now that we have everything ready, we need to select which PTAA modules to run. Since PTAA makes use of MITRE’s ATT&CK framework, we can, for each of the defined tactics, select the techniques that are specific to the APT one wants to simulate and that PTAA supports. For example, if we want to simulate APT28 (because, from Mother Russia with love) on the “Execution” tactic, we can select technique T1086, execution with PowerShell.
Hope this is helpful :D