Turtle's Enhanced Realworld Tests (updated)
<blockquote data-quote="ShenguiTurmi" data-source="post: 1061843" data-attributes="member: 99409"><h3>Enhanced Realworld Test EP5 (2023.10)</h3><p>Previous Tests:</p><p>EP1 &amp; EP2 are not released here.</p><p>EP3: <a href="https://malwaretips.com/threads/turtle%E2%80%98s-enhanced-realworld-test-updated.126546/post-1026903" target="_blank">45 AVs VS CobaltStrike</a></p><p>EP4: <a href="https://malwaretips.com/threads/turtle%E2%80%98s-enhanced-realworld-tests-updated.126546/post-1045049" target="_blank">Discussion Thread - Turtle's Enhanced Realworld Test EP4 (2023.06)</a></p><p>Test result (√ means protection success, × means protection failure):</p><p>[ATTACH=full]279264[/ATTACH] [ATTACH=full]279265[/ATTACH] [ATTACH=full]279266[/ATTACH] [ATTACH=full]279267[/ATTACH]</p><p>We've done similar tests 4 times before today, but we've used very popular penetration frameworks and have always focused on simulating the pre-penetration period.</p><p>Today I wanted to make a slight change: after referring to MITRE's testing methodology and slightly considering the ATT&amp;CK matrix, let's lean back a bit on the simulation period.</p><p>In the meantime, I've learned and used two niche attack frameworks that are used by very few people and may be able to simulate the effects of hackers' homebrew tools.</p><p>The two penetration frameworks we will use in this test are Nimbo-C2 and PowerHub.</p><p>Nimbo-C2, as before, will take on the task of landing and gaining privileges in the first and middle stages of the infiltration, while the addition of PowerHub aims to simulate data theft and lateral movement in the middle and late stages.</p><p>Since the simulation of the whole infiltration cycle has been adjusted rather drastically, using the previous go-live success and performing a single task for scoring is obviously not appropriate.</p><p>So in this test I redesigned the scoring method to 20 points, but considering that I'm a rookie at simulation, it's impossible for me to compare my skills with a real APT organization, so the passing line is still a full score.</p><p>Nimbo-C2 and PowerHub will each generate 5 payloads, and 1 point will be deducted for each payload that is successfully executed and connects to C2; besides that, I designed 5 infiltration purposes for each, and 1 point will be deducted for each infiltration purpose that is accomplished.</p><p>Here is the exact distribution of the total 20 points for this test:</p><p>Execute Group-A:</p><p>01. Nimbo-C2-generated exe sample; I did not make any additional changes to the code except for modifying the AES key and IV and customizing the path of the persistence target.</p><p>02. Nimbo-C2-generated exe sample, obfuscated by Codevirtual virtualization.</p><p>03. Nimbo-C2-generated exe sample, mutated by VMP, without virtualization.</p><p>04. Nimbo-C2-generated dll sample, designed to be executed directly by regsvr32; I didn't make any additional changes to the code except for modifying the AES key and IV and customizing the path of the persistence target.</p><p>05. Nimbo-C2-generated dll sample, designed to be executed directly by regsvr32, obfuscated by Codevirtual virtualization.</p><p>Infiltration purposes:</p><p>06. Screenshot: get the screen display while the sample is running.</p><p>07. Keylogging: after enabling the keylogger, simulate a password-entry operation to capture it.</p><p>08. UAC bypass: use of Windows design flaws to obtain administrator privileges, in order to facilitate completion of the subsequent objectives.</p><p>09. Patch AMSI: creates the conditions for Group B (PowerHub) to run its fileless payloads.</p><p>10. Dump LSASS: dump the process holding key credentials to obtain more information and prepare for lateral movement.</p><p>Execute Group-B:</p><p>11. PowerHub-generated PowerShell sample, coded for direct use.</p><p>12. PowerHub-generated PowerShell sample, using the obfuscator developed by zc001 (with known flaws, clearly detectable).</p><p>13. PowerHub-generated PowerShell sample, encoded and then with the script content encrypted using the DH algorithm, but with no obfuscation done.</p><p>14. PowerHub-generated PowerShell sample, using the obfuscator developed by am0nsec.</p><p>15. PowerHub-generated PowerShell sample, using the obfuscator developed by Matt Graeber.</p><p>Penetration purposes:</p><p>16. GSI: get some information about the system (mainly used here to confirm that the script ran successfully).</p><p>17. Code download: get the code for the post-penetration tool from the C2 server in preparation for lateral movement.</p><p>18. Code execution: execute the code obtained in the previous step (this test does not simulate actual lateral movement; it only runs the lateral movement tool).</p><p>19. Steal the Edge browser's cryptographic library key.</p><p>20. Steal the Steam SSFN cookie.</p></blockquote>