Demonstrate a means of testing Win10 security features against MITRE ATT&CK, in a repeatable fashion by D3-3. Ensure that the security function is enabled and somewhat effective against basic, well-known tactics.
MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-world observations.
https://attack.mitre.org/
Windows 10 1809, running Sy's win10 configuration to be tested.
System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log.
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Sysmon configuration repository, aligned with MITRE ATT&CK
https://github.com/olafhartong/sysmon-modular
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to Mitre's ATT&CK).
https://github.com/redcanaryco/atomic-red-team
Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the atomics folder of Red Canary's Atomic Red Team project.
https://github.com/redcanaryco/invoke-atomicredteam
- Use Win10 configured per Sy's instructions / Defender AV disabled
- Install Sysmon to capture granular system events
- Install AtomicRed MITRE ATT&CK tests & Invoke-AtomicRedTeam PowerShell Module
- Update SyBuild to address any failed tests
- Re-run AtomicRed test
-
References:
- Olaf Hartong sysmon config - https://github.com/olafhartong/sysmon-modular
- TrustedSec Sysmon Guide - https://github.com/trustedsec/SysmonCommunityGuide
- Process Access - https://github.com/trustedsec/SysmonCommunityGuide/blob/master/process-access.md
- PS GumShoe (AccessMask) - https://github.com/PSGumshoe/PSGumshoe/tree/sysmon_events
In PowerShell, as Admin (c:\temp must already exist, or -OutFile fails):
Invoke-WebRequest -Uri http://live.sysinternals.com/Sysmon64.exe -OutFile c:\temp\sysmon64.exe
Download sysmon config by Olaf Hartong ( https://github.com/olafhartong/sysmon-modular )
In Powershell, as Admin:
Invoke-WebRequest -Uri https://raw.githubusercontent.com/olafhartong/sysmon-modular/master/sysmonconfig.xml -OutFile c:\temp\sysmonconfig.xml
Load the configuration into Sysmon and install the service (elevated prompt):
c:\temp\sysmon64.exe -accepteula -i c:\temp\sysmonconfig.xml
Check the Access Masks from Sysmon: decode the GrantedAccess value of a Sysmon Event ID 10 (ProcessAccess) record with PSGumshoe (sysmon_events branch). 0x143A decodes to PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION.
Import-Module ./PSGumshoe.psd1
Get-SysmonAccessMask -AccessMask 0x143A
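An added example, not part of the original notes and not PSGumshoe's code: a self-contained decoder for the GrantedAccess mask (using the standard PROCESS_* and generic access-right bits from the Win32 headers) and a query that pulls recent Sysmon Event ID 10 records whose TargetImage is lsass.exe from the Microsoft-Windows-Sysmon/Operational log. Function names are my own; the log name assumes the default Sysmon install.

```powershell
# Added example (not from the page or from PSGumshoe): decode a Sysmon ProcessAccess
# GrantedAccess mask and list recent accesses to lsass.exe. Bit values are the
# documented PROCESS_* rights plus the standard rights (DELETE .. SYNCHRONIZE).
$ProcessRights = @{
    0x0001     = 'PROCESS_TERMINATE'
    0x0002     = 'PROCESS_CREATE_THREAD'
    0x0004     = 'PROCESS_SET_SESSIONID'
    0x0008     = 'PROCESS_VM_OPERATION'
    0x0010     = 'PROCESS_VM_READ'
    0x0020     = 'PROCESS_VM_WRITE'
    0x0040     = 'PROCESS_DUP_HANDLE'
    0x0080     = 'PROCESS_CREATE_PROCESS'
    0x0100     = 'PROCESS_SET_QUOTA'
    0x0200     = 'PROCESS_SET_INFORMATION'
    0x0400     = 'PROCESS_QUERY_INFORMATION'
    0x0800     = 'PROCESS_SUSPEND_RESUME'
    0x1000     = 'PROCESS_QUERY_LIMITED_INFORMATION'
    0x2000     = 'PROCESS_SET_LIMITED_INFORMATION'
    0x00010000 = 'DELETE'
    0x00020000 = 'READ_CONTROL'
    0x00040000 = 'WRITE_DAC'
    0x00080000 = 'WRITE_OWNER'
    0x00100000 = 'SYNCHRONIZE'
}

function ConvertFrom-ProcessAccessMask {
    # Accepts the string Sysmon logs ('0x143A') or an integer; returns the right names set.
    param([Parameter(Mandatory)]$Mask)
    $value = if ($Mask -is [string]) { [Convert]::ToInt64($Mask.Trim(), 16) } else { [int64]$Mask }
    foreach ($bit in ($ProcessRights.Keys | Sort-Object)) {
        if ($value -band $bit) { $ProcessRights[$bit] }
    }
}

function Get-LsassAccessEvents {
    # Sysmon Event ID 10 records in the last hour (default) that targeted lsass.exe.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.TargetImage -like '*\lsass.exe') {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $data.SourceImage
                GrantedAccess = $data.GrantedAccess
                Rights        = (ConvertFrom-ProcessAccessMask $data.GrantedAccess) -join ','
                CallTrace     = $data.CallTrace
            }
        }
    }
}

# Usage (quote the mask so PowerShell does not parse it as an integer literal):
ConvertFrom-ProcessAccessMask '0x143A'
Get-LsassAccessEvents | Format-Table Time, SourceImage, GrantedAccess, Rights -AutoSize
```

Run it after an atomic test to see which process opened lsass.exe and with what rights; a mask containing PROCESS_VM_READ from a non-system SourceImage is the record the T1003 tests below should leave behind.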
-
Install Atomic Red Team and the Invoke-AtomicRedTeam module ( https://github.com/redcanaryco ), in PowerShell as Admin:
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
Install-AtomicRedTeam -getAtomics -Force
Note: each time you start a new PowerShell session, you'll need to load the module, per below. The alternative is to add the module to your PowerShell profile.
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
-
Format: Invoke-AtomicTest <Technique ID> [options]   (T1003 = OS Credential Dumping)
Invoke-AtomicTest T1003 -ShowDetailsBrief            # list the atomic tests defined for T1003
Invoke-AtomicTest T1003 -TestNumber 2 -ShowDetails   # full details of test #2 (commands, prereqs, cleanup)
Invoke-AtomicTest T1003 -TestNumber 2 -CheckPrereq   # verify the prerequisites are present
Invoke-AtomicTest T1003 -TestNumber 2 -GetPrereq     # download / install missing prerequisites
Invoke-AtomicTest T1003 -TestNumber 2                # run test #2
Invoke-AtomicTest T1003 -TestNumber 1                # run test #1
-
To enable LSA protection on a single computer:
1. Open the Registry Editor (RegEdit.exe) and navigate to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
2. Set the value "RunAsPPL"=dword:00000001 under that key.
3. Restart the computer.
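The same three steps as a repeatable script, added here as an example (not from the original notes): it sets RunAsPPL under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and reads the value back. The System log check assumes the Event ID 12 "LSASS.exe was started as a protected process" record that Windows writes at boot once the setting is active; function names are my own, and the reboot still has to be done by hand.

```powershell
# Added example (not from the page): enable LSA protection (RunAsPPL) and verify it.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaProtectionState {
    # Registry value as currently set, plus whether this boot actually started lsass.exe protected.
    $v = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $bootEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 12 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'LSASS\.exe was started as a protected process' } |
        Select-Object -First 1
    [pscustomobject]@{
        RunAsPPL             = $v
        ConfiguredEnabled    = ($v -eq 1)
        ProtectedThisBoot    = [bool]$bootEvent      # false until the reboot in step 3
        ProtectedSince       = if ($bootEvent) { $bootEvent.TimeCreated } else { $null }
    }
}

function Enable-LsaProtection {
    # Step 1-2: create or overwrite the REG_DWORD RunAsPPL = 1 (requires an elevated session).
    New-ItemProperty -Path $LsaKey -Name RunAsPPL -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'RunAsPPL set to 1. Step 3: restart the computer for LSA protection to take effect.'
    Get-LsaProtectionState
}

# Usage: record the state before, enable, reboot, then record it again.
Get-LsaProtectionState
Enable-LsaProtection
```

ConfiguredEnabled reflects the registry; ProtectedThisBoot is the check that matters for the re-run below, because until the restart lsass.exe is still running unprotected.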
-
Re-run the tests after enabling LSA protection and rebooting (new PowerShell session, as Admin):
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
Invoke-AtomicTest T1003 -TestNumber 1,2 -GetPrereq
Invoke-AtomicTest T1003 -TestNumber 2
Invoke-AtomicTest T1003 -TestNumber 1
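To make the before/after comparison repeatable, here is an added wrapper (my own code, not part of the notes, Red Canary's module or Sysmon) that runs one atomic test, counts the Sysmon Event ID 10 records targeting lsass.exe that appeared during the run, and then runs the test's cleanup. It assumes the module path from the notes, the default Sysmon log name, and that the test touches lsass.exe (the default TargetImage); what the counts look like before and after RunAsPPL is what you record, the script does not assume it.

```powershell
# Added example (not from the page): run an atomic test and check what Sysmon recorded,
# so the same run can be repeated before and after a hardening change and compared.
Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force

function Invoke-AtomicWithSysmonCheck {
    param(
        [Parameter(Mandatory)][string]$Technique,     # e.g. 'T1003'
        [Parameter(Mandatory)][int]$TestNumber,
        [string]$TargetImage = '*\lsass.exe'          # process the test is expected to open
    )
    $start = Get-Date
    Invoke-AtomicTest $Technique -TestNumber $TestNumber -GetPrereq
    Invoke-AtomicTest $Technique -TestNumber $TestNumber
    Start-Sleep -Seconds 5                            # let Sysmon flush the events

    # Sysmon Event ID 10 (ProcessAccess) records since $start whose TargetImage matches.
    $hits = Get-WinEvent -FilterHashtable @{
                LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $start
            } -ErrorAction SilentlyContinue |
        Where-Object {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object { $_.Name -eq 'TargetImage' -and $_.'#text' -like $TargetImage }
        }

    Invoke-AtomicTest $Technique -TestNumber $TestNumber -Cleanup   # leave the box as found

    [pscustomobject]@{
        Technique        = $Technique
        TestNumber       = $TestNumber
        Started          = $start
        LsaProtection    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
        TargetAccessHits = @($hits).Count
        Sources          = (@($hits) | ForEach-Object {
                               ([xml]$_.ToXml()).Event.EventData.Data |
                                   Where-Object Name -eq 'SourceImage' | ForEach-Object '#text'
                           } | Sort-Object -Unique) -join ';'
    }
}

# Usage: run both T1003 tests and keep the results for the before/after comparison.
$results = 1, 2 | ForEach-Object { Invoke-AtomicWithSysmonCheck -Technique T1003 -TestNumber $_ }
$results | Export-Csv -NoTypeInformation -Path "c:\temp\t1003-run-$(Get-Date -Format yyyyMMdd-HHmm).csv"
$results | Format-Table -AutoSize
```

Keep the CSV from the run before the RunAsPPL change next to the one after it; the LsaProtection column records which configuration each run was made under, and the test's own console output tells you whether the dump step succeeded.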