# APT Simulator Cobalt Strike
## Metadata

| Contributors | Jose Rodriguez @Cyb3rPandaH |
|---|---|
| Creation Date | 2021/06/11 |
| Modification Date | 2021/06/11 |
| Tactics | |
| Techniques | |
| Tags | None |
## Dataset Description

This dataset was created after running the Cobalt Strike module (menu option `[C] CobaltStrike Beacon Simulation`) of the APT Simulator tool (https://github.com/NextronSystems/APTSimulator).
## Datasets Downloads

| Type | Link |
|---|---|
| Host | |
## Adversary View

```text
===========================================================================
___ ____ ___________ _ __ __
/ | / __ \/_ __/ ___/(_)___ ___ __ __/ /___ _/ /_____ _____
/ /| | / /_/ / / / \__ \/ / __ `__ \/ / / / / __ `/ __/ __ \/ ___/
/ ___ |/ ____/ / / ___/ / / / / / / / /_/ / / /_/ / /_/ /_/ / /
/_/ |_/_/ /_/ /____/_/_/ /_/ /_/\__,_/_/\__,_/\__/\____/_/
Florian Roth, Nextron Systems, v0.9.1, June 2021
Select the test-set that you want to run:
[0] RUN EVERY TEST
[1] Collection
[2] Command and Control
[3] Credential Access
[4] Defense Evasion
[5] Discovery
[6] Execution
[7] Lateral Movement
[8] Persistence
[9] Privilege Escalation
[C] CobaltStrike Beacon Simulation
[A] Apply AV Exclusions in Registry
[S] Settings
[E] Exit
Your selection (then press ENTER): C
===========================================================================
Simulate CobaltStrike Beacon Activity
--- Create some default Named Pipes ...
Creating Named Pipe number 1: MSSE-1337-server
Waiting for 0 seconds, press a key to continue ...
Killing named pipe creator for pipe 1
SUCCESS: The process "CreateNamedPipe.exe" with PID 4748 has been terminated.
Creating Named Pipe number 2 (P2P communication): msagent_fedac123
Waiting for 0 seconds, press a key to continue ...
Killing named pipe creator for pipe 2
SUCCESS: The process "CreateNamedPipe.exe" with PID 4236 has been terminated.
Creating Named Pipe number 3 (Post Exploitation): postex_ssh_fedac123
Waiting for 0 seconds, press a key to continue ...
Killing named pipe creator for pipe 3
SUCCESS: The process "CreateNamedPipe.exe" with PID 7444 has been terminated.
Creating Named Pipe number 3 (Post Exploitation): postex_ssh_fedac123
Waiting for 0 seconds, press a key to continue ...
Killing named pipe creator for pipe 3
SUCCESS: The process "CreateNamedPipe.exe" with PID 512 has been terminated.
--- Simulating GetSystem ...
Waiting for 0 seconds, press a key to continue ...
Copy a service binary file to a suspicious location ...
Using Post-CobaltStrike 4.2 scheme
1 file(s) copied.
Starting suspicious service
[SC] CreateService SUCCESS
[SC] StartService FAILED 1053:
The service did not respond to the start or control request in a timely fashion.
[SC] ControlService FAILED 1062:
The service has not been started.
[SC] DeleteService SUCCESS
Waiting for 0 seconds, press a key to continue ...
Killing named pipe creator
ERROR: The process "CreateNamedPipe.exe" not found.
--- HTTP Beaconing 1
Simulating HTTP beaconing - this step takes up to an hour to complete
Beacon 1 - HTTP 30s+50//10.0.2.15/pixel.gif
Sending HTTP request ...
C:\Users\APT-Simulator\Documents\APTSimulator-master>
```
## Explore Datasets

### Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# Fetch the zipped dataset from the Security-Datasets repository
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/other/aptsimulator_cobaltstrike.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()

# Open the archive in memory and extract the JSON file it contains
zipFile = ZipFile(BytesIO(zipFileRequest.content))
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```
### Read JSON File

```python
import pandas as pd

# The dataset is JSON Lines: one event object per line
df = pd.read_json(path_or_buf=datasetJSONPath, lines=True)
```
### Access Security Events

```python
# Count events per log channel (Sysmon, Security, System, ...) in the dataset
df.groupby(['Channel']).size().sort_values(ascending=False)
```
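As an added example (not code from the Security Datasets project or from APT Simulator), the following checks Sysmon named-pipe events (Event ID 17 pipe created, 18 pipe connected) for the pipe-name shapes produced in the adversary view above (`MSSE-<n>-server`, `msagent_<hex>`, `postex_ssh_<hex>`). It assumes the dataset's JSON-lines records carry the fields `Channel`, `EventID`, `PipeName` and `Image`, and runs on constructed sample records rather than the real capture.

```python
import json
import re

# Pipe names observed in the simulation above; the numeric/hex suffix varies
# between runs, so match the fixed prefix plus the shape of the suffix.
CS_PIPE_PATTERNS = [
    re.compile(r"^\\?MSSE-\d+-server$", re.IGNORECASE),       # MSSE-1337-server
    re.compile(r"^\\?msagent_[0-9a-f]+$", re.IGNORECASE),     # msagent_fedac123
    re.compile(r"^\\?postex_ssh_[0-9a-f]+$", re.IGNORECASE),  # postex_ssh_fedac123
]

# Constructed JSON-lines sample in the shape of the dataset (assumed field
# names: Channel, EventID, PipeName, Image). Not taken from the real capture.
SAMPLE_JSONL = r'''
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 17, "PipeName": "\\MSSE-1337-server", "Image": "C:\\Tools\\CreateNamedPipe.exe"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 17, "PipeName": "\\msagent_fedac123", "Image": "C:\\Tools\\CreateNamedPipe.exe"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 18, "PipeName": "\\postex_ssh_fedac123", "Image": "C:\\Windows\\System32\\svchost.exe"}
{"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 17, "PipeName": "\\mojo.5688.8052.183894939787088891", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"Channel": "Security", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\sc.exe"}
'''


def load_events(jsonl_text):
    """Parse JSON-lines text (the dataset's on-disk format) into event dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def is_cobalt_strike_pipe(name):
    """True when a pipe name matches one of the Beacon-style shapes above."""
    return any(p.match(name) for p in CS_PIPE_PATTERNS)


def find_cs_pipe_events(events):
    """Return Sysmon pipe events (ID 17/18) whose pipe name matches."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (17, 18):
            continue  # not a named-pipe event
        name = ev.get("PipeName")
        if name and is_cobalt_strike_pipe(name):
            hits.append({"EventID": ev["EventID"], "PipeName": name,
                         "Image": ev.get("Image")})
    return hits


if __name__ == "__main__":
    for hit in find_cs_pipe_events(load_events(SAMPLE_JSONL)):
        print(hit)
```

To run the same check over the DataFrame loaded above, pass `df.to_dict('records')` to `find_cs_pipe_events`.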