FIN6 Adversary Emulation Plan (TTPs & Tooling)

HackerSploit · 13.01.2025 · 18:04 · 5,462 views · 184 likes

Video description
Step into the world of adversary emulation with this in-depth video on the FIN6 Emulation Plan. Learn how to use the Center for Threat-Informed Defense (CTID) Adversary Emulation Library to craft a comprehensive emulation plan that replicates FIN6's sophisticated TTPs. This video will provide you with an intelligence summary of FIN6, and the FIN6 emulation plan detailing TTPs from initial access to discovery, privilege escalation, and exfiltration. The Adversary Emulation Fundamentals labs used in this video and series are available for free on CYBER RANGES to practice and refine your emulation skills.

// Adversary Emulation Labs
New to CYBER RANGES? Register here: https://bit.ly/40dRMsb
CYBER RANGES Adversary Emulation Labs (Free): https://bit.ly/4amBPEU
Lab used in this video: https://app.cyberranges.com/scenario/624cb3bd7733a30007185990

// Video Resources & References
https://apt.threattracking.com
APTnotes: https://github.com/kbandla/APTnotes
APT & CyberCriminal Campaign Collection: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections
CTID Adversary Emulation Library: https://github.com/center-for-threat-informed-defense/adversary_emulation_library

Contents (4 segments)

Segment 1 (00:00 - 05:00)

Hey guys, HackerSploit here, back again with another video. Welcome back to the Adversary Emulation series. In this video we're going to be taking a look at the FIN6 emulation plan. Now, as I mentioned in the previous video, we're getting into the practical stuff now, and in order to go through the actual process of emulating an adversary or APT group, we're going to need to do this stuff practically, and in order to do that we're going to need to set up an environment. Luckily for you guys, or luckily for myself, this is something that I've already done in anticipation for this series, and I've set up the labs that we'll be using, not just for FIN6 but also APT29, on the CYBER RANGES platform, which I introduced to you guys, I think, last year, and also in a video this year when we were taking a look at some red team tradecraft around the Apache rootkit. So the link to the CYBER RANGES platform will be in the description section. It's absolutely free to use, or you can register an account for free: just navigate to app.cyberranges.com. Once you've created an account and signed in, you want to head over to the Community / Free section, and here you'll have the Red Team Tradecraft playlist that has the scenario I covered in one of the previous videos, not related to what we're doing here directly, but more importantly we have this one right over here called MITRE ATT&CK Defender Adversary Emulation Fundamentals. So in the description section I'll paste a link to this particular playlist. Again, it's completely free, and I'll show you what it's based on, and we're going to start off with Lab 1.1, which pretty much covers the actual FIN6 emulation plan.

Now, this set of labs is actually directly based on the MITRE ATT&CK Defender, or the MITRE Engenuity team, and the work they did here. So this is the GitHub repo that these labs are based on, and what I've essentially done is I've sort of converted them and put them as labs that you can now access and follow along with me and the rest of the videos on the CYBER RANGES platform, so you don't have to go through this setup, because you do need to set up an Active Directory environment and stuff like this. So this is what it's based off. Now, as I mentioned, Lab 1.1, and I'll go ahead and start it here, is essentially focused on the threat emulation plan for FIN6, and this is where the Center for Threat-Informed Defense repository comes into play. Within this repo, again this will be linked in the description section, you're going to have a set of emulation plans for different APT groups or threat groups like FIN6, FIN7, APT29, and you may be asking yourself what exactly this repo is about. Well, this is an open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. So in the previous video we actually went through the process of creating a plan, but now you're going to see what a real-world adversary emulation plan looks like, and as I said we're focusing on FIN6. In the next video we'll actually be getting started practically, using the lab environment on CYBER RANGES, by gaining initial access and stuff like this.

So right over here, the lab on CYBER RANGES, you can see it sort of walks you through navigating the Adversary Emulation Library repo, going through it, understanding what it's all about, and then FIN6, and I'll now walk you through exactly what the emulation plan looks like and what emulation plan we will be using, because you can have different types of plans depending on the TTPs you're looking to emulate. And you can actually familiarize yourself with the lab environment, where you're going to have a Kali Linux system here that you can access in your browser right over here, and you can also access the Windows target, which is actually a domain controller. But here's the Kali system, and then if you access the Windows system right over here, which is running Windows Server 2019, you can just access it right over here on the Guacamole dashboard: WinServer RDP. The credentials are listed in the drop-down under Services right over here, and you can see you have access to the Windows system, and

Segment 2 (05:00 - 10:00)

you probably want to give this a few seconds when you initially boot up, to just wait for the Group Policy client. In any case, you can familiarize yourself with the lab environment beforehand, because in the next video we'll be moving quite rapidly, or we'll be diving straight into the initial access phase. So that begs the question: well, what's the emulation plan? Well, right over here on the Center for Threat-Informed Defense repo, under the Adversary Emulation Library, under FIN6, we have a set of files. Now, this is a phenomenal repository if you want to get an understanding of not just what adversary emulation entails, but what a real plan looks like. So, as you can see, I'll just briefly describe a couple of key sections. This repository contains an adversary emulation plan for FIN6. This is the first adversary emulation plan in a library that was published by the Center for Threat-Informed Defense in cooperation with our participants, and you can take a look at the blog or the actual release there. So, as we saw in the previous video, FIN6 is thought to be a financially motivated cybercrime group. The group has massively targeted and compromised high-volume point-of-sale systems in the hospitality and retail sectors since at least 2015. FIN6 has targeted e-commerce sites and multinational organizations. Most of the group's targets have been located in the United States and Europe, but include companies in Australia, Canada, Spain, India, Kazakhstan, Serbia and China. So that's one of the reasons why I wanted to go through FIN6, because they've targeted organizations in quite a few countries, and also their primary objective: they're not really an APT group, but their primary objective, as their name suggests, is "fin": they're financially motivated.

Right, now this intelligence summary (by the way, that's how the repo is sorted; there's also a table of contents), this intelligence summary summarizes 15 publicly available sources to describe FIN6, their motivations, objectives and observed target industries. It further describes the typical FIN6 operational flow, or attack kill chain, along with their publicly attributed TTPs mapped to the ATT&CK framework. In reviewing the plan, you may notice TTPs that do not currently map to the ATT&CK framework's FIN6 group profile; this information has been provided to the ATT&CK team for analysis and potential incorporation. So quite an important point there: whatever you find on the ATT&CK website may not be 100% of what is known about the group, and that's why you should always go through multiple CTI reports, or you should expand your cyber threat intelligence to different sources, so that you get a comprehensive, holistic view of the group that you are seeking to emulate.

Now, this is one of the important sections here. So the operations flow chains techniques together into a logical order (remember what I mentioned in the previous video) of the major steps that commonly occur across FIN6 operations. In the case of FIN6, we describe the operations in two major phases. Phase one: the primary focus of this phase is initial access and placement within the target environment, and exfiltrating relevant data identified during this phase, so for example text files resulting from discovery, and credentials. This is what we're going to be emulating in the next video, or I'll break it up into smaller parts. But we also have phase two: this phase consists of specific objectives or effects of the actual operation. So this particular repo provides three potential options for specific objectives based on historical FIN6 operations. The FIN6 emulation plan is a human-readable, step-by-step, command-by-command implementation of FIN6 TTPs. Structurally, the plan is organized into two phases, as described or defined in the operations flow. The human-readable plan is accompanied by a machine-readable plan implemented in YAML. The YAML includes all steps, commands and syntax for both phase one and phase two. The YAML template was nuanced to ensure that each step within the YAML is directly coupled with its equivalent in the human-readable version.

So, table of contents: you have the intelligence summary, which is what you'd get from basic CTI, where you learn about the other names of the group, the ATT&CK group ID as we did in the previous video, the objectives and evolution, which is actually quite important (so what have they been doing since they initially came onto the stage: 2018, 2019), target industries right over here, quite important, and then operations. This is sort of what I want to focus on. So you can see they've

Segment 3 (10:00 - 15:00)

been known to obtain initial access to target organizations by using legitimate but compromised credentials, and then they have the link to the technique here, or sub-technique, coupled with legitimate remote access applications and spear phishing. Most recently, FIN6 may have been purchasing access to environments that have been previously compromised with TrickBot; references to that have been added. So, extremely well defined, and I'm speaking specifically about this adversary emulation plan. And then, once inside the target organization, FIN6 uses a variety of open and closed source red team tools, custom scripts and commodity malware in support of tactical objectives, and you can go through this, it's quite an excellent breakdown. They also have the software that they use, which is very important, because again, if you're going to emulate a particular group or adversary, you need to be able to have access to the tools that they've been known to use. Now, it doesn't need to be a one-to-one match where you use Cobalt Strike and Metasploit, but for example, if you don't have access to Cobalt Strike, you should be okay with Metasploit. And then right over here you have ransomware; you probably are not going to do that on a production environment for a client, so you need to be very nuanced here. Mimikatz, okay, there we are, and you can see some of the other tools that they've used, PsExec, stuff like this. What you can tell is that they are very good at utilizing native tools, or tools that are not really categorized as malicious, I should say, for discovery and local enumeration, stuff like this, and you can see there's also other malware that is specific to point-of-sale systems. So the important thing, or what I'm trying to highlight here, is you start off with understanding what TTPs have been attributed to this particular adversary, and then the software that they use, and then based on that you develop the plan, based on what you have access to in terms of tooling and malware, what the client has requested, or what restrictions they've essentially put in place, etc.

And over here you have the references. So MITRE ATT&CK FIN6, the report we saw in the previous video by CrowdStrike, I think we also took a look at Follow the Money, which is by FireEye, and then we didn't take a look at Pick-Six, but this is very good because I've gone through this before. This is essentially, as the title suggests, Intercepting a FIN6 Intrusion, where you can... I think, yeah, we actually did take a look at it. So this will give you a very good idea of the IOCs, and there we are, so under IOCs you have the IPs, the networks, domains, the files they've been known to create when exfiltrating, which we'll actually do ourselves, so that'll be quite fun. And yeah, so that's the intelligence summary.

If we take a step back and we go here to the table of contents, we then have the emulation plan, which is fairly simple to understand. We then have the infrastructure, where it's essentially a breakdown of the tools. So, as it says here, the following represents a bare minimum but should be operationally representative of FIN6's infrastructure and tool set, and in terms of command and control server it's sorted now in a way that you can understand. You have Metasploit, and then in terms of Cobalt Strike they usually have one team server and one redirector. For exfiltration, phase one they use SSH; phase two, POS exfiltration, they utilize DNS, so something like dnscat, I think, there we are, yeah; and then phase two e-commerce exfiltration, let's see what they utilize for this: so just Python, the Python HTTP server. So there we are.

Now, there's some very important stuff here, but if we go back to the emulation plan, and we'll be exploring this in the next video because that's when it becomes relevant, we are going to be emulating phase one primarily, because for phase two we don't really have access to any POS systems or stuff like this. What we're going to be doing is initial access, again very basic, we'll start off simple and then move on to the advanced ones, like when we'll be taking a look at APT29 and we'll be creating our own payload, the stager, loader, etc. But the key focus is going to be on discovery, where we'll be emulating Active Directory-specific discovery techniques and/or sub-techniques, and then exfiltration. So this

Segment 4 (15:00 - 18:00)

is what we're going to be emulating, and we'll also be doing privilege escalation, all of that good stuff. But the bottom line is the objective of this video, or this lab, is to familiarize yourself firstly with the lab environment, so the system you have access to, and then obviously the actual emulation plan, which I will link in the description section, so you can get started with that. I would highly recommend you wait before jumping to the next lab, because there's a few things I want to point out now. To test whether you've gone through the threat intelligence, or the intelligence summary, please take a look at the questions, and we can go through a couple of them. I'll not go through the CTID-specific questions, but the ones on intelligence. So there are very good questions here, like: based on the FIN6 intelligence summary, what is FIN6's primary objective? So, hmm, let's see, could this be the correct answer? Yes, okay. Let's take a look at the next one: based on the FIN6 intelligence summary, what TTPs has FIN6 used for initial access? Choose all that apply. So it's very important that you go through it, because again, when we get started with the practical stuff, I'm going to assume you know where we are in terms of the TTPs we're emulating, so I'm not going to refer back to the plan. I will, to a certain extent, but you need to understand exactly what TTP we're emulating and what tool we're using, so on and so forth. But you can go through these questions; I don't want to answer all of them for you. And yeah, so you also have the ransomware tactics. So if you go through the intelligence summary and the adversary emulation plan in general, then you should be able to answer these questions.

Anyway, that's going to be it for this video. I just wanted to give you a bit of a tease as to what to expect. Just familiarize yourself with the server section, or the labs, and then in the next video, specifically, we'll be getting started with Lab 1.3, which is now going to be focused on emulating FIN6. So we'll go through initial access, discovery, privilege escalation, all the way to exfiltration, and I think I'll break it down into smaller, shorter videos so that I highlight each phase of the attack lifecycle in its own video, so as not to confuse you. But that being said, that's going to be it for this video. If you have any comments or questions, leave them in the comment section; if you have any feedback, you can share it in the comment section as well, and I will be seeing you guys in the next video.
