MITRE ATT&CK Breach simulation examples
FortiTester MITRE ATT&CK simulates adversarial attacks on your enterprise network while remaining in a controlled environment. ATT&CK does not just send attacks: it can also emulate what your network would look like if it were already compromised, for example with the adversary's software already present on your network, collecting your credentials, moving laterally, and so on.
Topology
FortiTester provides the MITRE ATT&CK framework, allowing enterprises to simulate breaches and measure defense effectiveness against endpoints.
In the following example, you will see how FortiTester can be configured to perform the following:
- Credential Dumping - Uses Mimikatz to dump Windows logon credentials across ALL machines in the domain.
- Scheduled Task - The attacker schedules tasks to run, not just on the desktop, but on a higher-value target such as the Windows server.
- Exfiltrate - The attacker extracts information and files from the victims' PCs.
- Running PowerShell - Runs a PowerShell program on the victim's PC, a common technique used in attacks.
- Execution via Win API - Uses the Windows API to run code on the victim's PC.
For a full video demonstration please visit: https://video.fortinet.com/products/fortitester/4.0
The following are required to run this example:
ATT&CK abilities
To view ATT&CK abilities, go to Maintenance > View Abilities. The Viewing Abilities page shows the atomic actions that the adversary is allowed to perform. Steps are the main way in which you can change the behavior of your adversary. Double-click any ability to see its details, such as the summary, preconditions, and post-conditions.
Also, on the Ability Detail page, click Related Abilities beside the ability name; a window opens showing the step dependencies, if any.
These attacks are updated according to your subscription services.
ATT&CK has a rich variety of different techniques, as can be seen below.
The ATT&CK Matrix is version 10 by default, but you can choose to view previous versions from the dropdown in the top right corner.
To run a MITRE ATT&CK case:
1. Download the lightweight Windows agents onto two hosts: one on the desktop, the other on the Windows server, yldp.
To install FortiAgent on Windows, administrative rights are required.
2. Go to Maintenance > Resources to find the agents and download the one you need. These are installed under the FortiAgent folders.
Administrative rights are required to install the agent.
3. Download config.yml and place it in the same directory. You also need to edit config.yml and fill in the "logging_path" item; otherwise, the client cannot connect to the server.
4. The installation service opens a command prompt. Run the following command to install FortiAgent:
FortiAgent.exe --startup auto install
Run the following command to start FortiAgent:
FortiAgent.exe start
5. After the agents are installed, they appear under Monitor > Agent Monitor in FortiTester.
6. Now install the second agent on the Windows server.
7. Go to Maintenance > Resources to download the agents onto your PC, then go to the FortiAgent folder and install it.
8. After FortiAgent has started successfully on the target hosts, it is listed on the Agent Monitor page in FortiTester (ATT&CK > ATT&CK Cases > Monitor). The domain and host configuration specify which domain name this attack will test, as well as which hosts in that domain you are including in the test.
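The agent-install steps above, as an added PowerShell example that is not Fortinet's own code: it enforces the two preconditions the page names (administrative rights and a filled-in logging_path) before running the same two FortiAgent.exe commands. It assumes FortiAgent.exe and config.yml are in the current directory and that config.yml contains a top-level "logging_path:" key (the key name is from the page; the file layout is an assumption).

```powershell
# Added example (not Fortinet's code): automate the FortiAgent install steps on a Windows host.
# Assumptions: FortiAgent.exe and config.yml live in $AgentDir, and config.yml has a
# top-level "logging_path:" line (key name from the page; YAML layout assumed).
param(
    [string]$AgentDir   = (Get-Location).Path,
    [string]$ConfigName = 'config.yml'
)

# The page states that administrative rights are required; stop early if the session is not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'FortiAgent installation requires an elevated (administrator) PowerShell session.'
}

$exe    = Join-Path $AgentDir 'FortiAgent.exe'
$config = Join-Path $AgentDir $ConfigName
foreach ($path in @($exe, $config)) {
    if (-not (Test-Path -LiteralPath $path)) { throw "Required file not found: $path" }
}

# The agent cannot connect to FortiTester unless logging_path is filled in, so refuse to install if it is blank.
$entry = Select-String -LiteralPath $config -Pattern '^\s*logging_path\s*:\s*(\S.*)?$' | Select-Object -First 1
if (-not $entry) { throw "No logging_path entry found in $config" }
$loggingPath = $entry.Matches[0].Groups[1].Value.Trim().Trim('"', "'")
if ([string]::IsNullOrWhiteSpace($loggingPath)) {
    throw "logging_path in $config is empty; fill it in before installing the agent"
}

# The same two commands as the page, run in order; each must exit 0 before the next runs.
Push-Location $AgentDir
try {
    & $exe --startup auto install
    if ($LASTEXITCODE -ne 0) { throw "FortiAgent install failed with exit code $LASTEXITCODE" }
    & $exe start
    if ($LASTEXITCODE -ne 0) { throw "FortiAgent start failed with exit code $LASTEXITCODE" }
}
finally { Pop-Location }

Write-Host 'FortiAgent installed and started; confirm the host appears under Monitor > Agent Monitor in FortiTester.'
```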
Using attack cases
To run ATT&CK cases, click the ATT&CK icon in the GUI after logging in, then create a few test cases using the techniques required for this example, as described below.
To run an ATT&CK case, go to ATT&CK Cases > ATT&CK Cases and select one of the tests. Then click Run Now.
While FortiTester is running the test, click the icon in the top right to view the statistics.
Credential_Dumping_Test
Here we see two successful attempts on the DUT. The test uses Mimikatz, which dumps passwords from memory. FortiTester uses the get_computer function to enumerate all the hosts available in the domain, including both the desktop and the server, along with sensitive information such as logon information, timing, and so on. This credential_dump attack runs across all machines in the domain.
Scheduled_Task_Test
The attacker has the ability to schedule an attack to run on the victim's computer. If you have already run the test before, FortiTester saves the results. The results show, for example, whether get_computers was successful.
After get_computers and get_credentials are run, FortiTester can xcopy a file from the desktop to the server, which is a higher-value target. The following image shows that it has succeeded in scheduling a task on the Windows server.
The user may look at the gray box to learn the techniques used.
Exfiltrate_File_Test
After the test runs successfully, FortiTester retrieves various files from the user's PC.
PowerShell_Test
This test involves get_admin, which lists all the administrator accounts on the two hosts, including the domain administrator and the local administrator on the victim's PC.
Execution_Through_API
This is similar to PowerShell_Test, except that the Windows API is used to extract the information.
Go to Maintenance > View Abilities to see the dependencies of each tactic and technique.
Summary
Running the tests above shows the power of FortiTester's MITRE ATT&CK abilities. You can also view other ATT&CK tactics under Maintenance > View Abilities, as shown below, and see the dependencies between the different attacks.