nikodemeus / firedrill

This project forked from fourcorelabs/firedrill


firedrill is a malware simulation harness for evaluating your security controls

Home Page: https://www.fourcore.vision/blogs/firedrill-open-source-attack-simulation

License: MIT License

Languages: Makefile 1.49%, Go 97.81%, Shell 0.16%, C 0.54%

firedrill's Introduction

🧯firedrill: A malware simulation harness


TL;DR: firedrill is an open-source library from FourCore Labs to build malware simulations easily. We have built a set of four different attack simulations for you to use and build on top of: Ransomware Simulation, Discovery Simulation, a UAC Bypass and a Persistence Simulation.

Organizations invest heavily in their security controls and in tooling to make their security teams efficient. They may put tens of person-hours into tuning a single control: building detection rules, identifying best-practice configuration and setting up automation. The task should not end there; it is crucial to test the effectiveness of these systems against attacker behaviour. Usually this is done through pentesting and red teaming, either in-house or by external teams. This delivers immense value for the organization, as it builds confidence that the security controls will hold up in the event of a real attack.


Read more about firedrill on our blog.

Ransomware Simulation

The ransomware simulation reproduces the typical behaviour of ransomware.

This includes, in this order:

  • Encryption of files on the filesystem (only test files dropped by the binary and ).
  • Dropping a ransom note on the desktop.
  • Changing the system wallpaper through registry keys (and restoring it after some time).
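As an added example (not firedrill's own code), here is a minimal Go harness in the shape the README describes: ordered steps, each paired with a revert, applied to the ransomware behaviour above. It drops its own test files into a scratch directory, encrypts them in place, drops a note, records what a defender would have seen, and rolls everything back, refusing to report success unless every file comes back byte-for-byte. The AES-256-GCM scheme, the file names, the note text and the Report fields are this example's assumptions; the wallpaper step is omitted because it is Windows-registry specific.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"os"
	"path/filepath"
)

// Step pairs one piece of simulated adversary behaviour with the action that
// undoes it, so the harness can always leave the host as it found it.
type Step struct {
	Name    string
	Execute func() error
	Revert  func() error
}

// Report records what a defender would have seen before rollback.
type Report struct {
	Encrypted   int  // test files whose contents were replaced by ciphertext
	NoteDropped bool // ransom note present after the attack phase
	Restored    bool // rollback succeeded: every file back byte-for-byte, note gone
}

type sim struct {
	aead      cipher.AEAD       // per-run AES-256-GCM (an assumed scheme, not firedrill's)
	originals map[string][]byte // plaintext of each dropped test file, used to verify rollback
	note      string
}

// encrypt overwrites each test file in place with nonce||AES-GCM(plaintext).
func (s *sim) encrypt() error {
	for p, pt := range s.originals {
		nonce := make([]byte, s.aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return err
		}
		if err := os.WriteFile(p, s.aead.Seal(nonce, nonce, pt, nil), 0o600); err != nil {
			return err
		}
	}
	return nil
}

// decrypt is the rollback; it fails loudly if any file does not come back byte-for-byte.
func (s *sim) decrypt() error {
	n := s.aead.NonceSize()
	for p, want := range s.originals {
		ct, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		if len(ct) < n {
			return fmt.Errorf("%s: truncated ciphertext", p)
		}
		pt, err := s.aead.Open(nil, ct[:n], ct[n:], nil)
		if err != nil || !bytes.Equal(pt, want) {
			return fmt.Errorf("%s: rollback produced wrong plaintext", p)
		}
		if err := os.WriteFile(p, pt, 0o600); err != nil {
			return err
		}
	}
	return nil
}

// Simulate drops three constructed test files into dir (an empty scratch directory
// the caller owns), runs the attack steps in order, records what happened, then
// reverts in reverse order even if a step failed, and finally removes the test files.
func Simulate(dir string) (rep Report, err error) {
	key := make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return rep, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return rep, err
	}
	s := &sim{originals: map[string][]byte{}, note: filepath.Join(dir, "README_RESTORE_FILES.txt")}
	if s.aead, err = cipher.NewGCM(block); err != nil {
		return rep, err
	}
	for i := 0; i < 3; i++ {
		p := filepath.Join(dir, fmt.Sprintf("firedrill_test_%d.txt", i))
		s.originals[p] = []byte(fmt.Sprintf("constructed test document %d\n", i))
		if err = os.WriteFile(p, s.originals[p], 0o600); err != nil {
			return rep, err
		}
		defer os.Remove(p) // the test files are the simulation's own; remove them last
	}
	steps := []Step{
		{"encrypt test files", s.encrypt, s.decrypt},
		{"drop ransom note", func() error {
			return os.WriteFile(s.note, []byte("Simulated ransom note: a test harness encrypted the files here.\n"), 0o600)
		}, func() error { return os.Remove(s.note) }},
	}
	done := 0
	for ; done < len(steps); done++ {
		if err = steps[done].Execute(); err != nil {
			break
		}
	}
	if err == nil {
		for p, pt := range s.originals {
			if got, _ := os.ReadFile(p); !bytes.Equal(got, pt) {
				rep.Encrypted++
			}
		}
		_, statErr := os.Stat(s.note)
		rep.NoteDropped = statErr == nil
	}
	for i := done - 1; i >= 0; i-- { // undo in reverse order
		if e := steps[i].Revert(); e != nil && err == nil {
			err = fmt.Errorf("revert %q: %w", steps[i].Name, e)
		}
	}
	rep.Restored = err == nil
	return rep, err
}

func main() {
	dir, err := os.MkdirTemp("", "firedrill-sim")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	rep, err := Simulate(dir)
	fmt.Printf("%+v err=%v\n", rep, err)
}
```

Run it against an empty temporary directory; nothing outside that directory is ever touched, which is the property behind the README's "only test files dropped by the binary" constraint, and the revert loop runs even when a step fails midway, so a crash in the note step still leaves the files decrypted.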

Sandbox analysis: Hybrid-Analysis and Intezer Analyze reports

Discovery Simulation

The discovery simulation models malware executing three techniques from the Discovery tactic in MITRE ATT&CK, performing reconnaissance of system information that is then used to further exploit the system.

This includes, in this order:

  • Discovering the running processes on the system.
  • Discovering the peripherals present on the system.
  • Discovering the software installed on the system, with version numbers.

Sandbox analysis: Hybrid-Analysis and Intezer Analyze reports

UAC Bypass Simulation

The UAC Bypass simulation consists of malware using the fodhelper.exe utility, available since Windows 10, to achieve local privilege escalation: it creates a registry structure that causes arbitrary commands to execute with administrator privileges.

This includes, in this order:

  • Create a new registry structure under HKCU:\Software\Classes\ms-settings\ and start notepad.exe with administrator privileges, bypassing UAC.

Sandbox analysis: Hybrid-Analysis and Intezer Analyze reports

Registry Run Key Persistence Simulation

This is a simulation of persistence techniques that use registry Run keys to achieve persistence for arbitrary payloads. These keys include: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce.

This includes, in this order:

  • Add a value under the registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to execute a sample payload embedded in the binary.
  • Delete the value from HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to restore the key to its original state, keeping the simulation safe.

Sandbox analysis: Hybrid-Analysis and Intezer Analyze reports
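Both registry-based simulations above (the fodhelper UAC bypass and the Run key persistence) leave value-set events that a Sysmon-equipped host records, so they are a natural test of the detection side. As an added example that is not part of firedrill, here is that detection logic in Go, run over a few constructed Sysmon-style registry events (IDs 12 and 13, trimmed to the fields the rules need). The per-user ms-settings\Shell\Open\command path and the DelegateExecute value are the publicly documented fodhelper pattern, which the page itself does not spell out; the process names, SID, value name and payload path in the sample log are invented for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// RegistryEvent is a trimmed-down Sysmon registry event (IDs 12 and 13) as a
// log shipper might emit it as JSON. Field names follow Sysmon's event data;
// the full schema has more fields than this example needs.
type RegistryEvent struct {
	EventID      int    `json:"EventID"`
	EventType    string `json:"EventType"`    // SetValue for ID 13; CreateKey/DeleteKey/DeleteValue for ID 12
	Image        string `json:"Image"`        // process that touched the registry
	TargetObject string `json:"TargetObject"` // key\value path; per-user hives appear as HKU\<SID>\...
	Details      string `json:"Details"`      // value data for SetValue events
}

// Finding is one alert with the ATT&CK technique it maps to.
type Finding struct {
	Technique string
	Rule      string
	Image     string
	Target    string
}

// Lower-cased key fragments; Sysmon paths are compared case-insensitively below.
var runKeys = []string{
	`\microsoft\windows\currentversion\run\`,
	`\microsoft\windows\currentversion\runonce\`,
	`\microsoft\windows\currentversion\runservices\`,
	`\microsoft\windows\currentversion\runservicesonce\`,
}

const msSettingsCommand = `\software\classes\ms-settings\shell\open\command\`

func hasRunKey(lowerTarget string) bool {
	for _, k := range runKeys {
		if strings.Contains(lowerTarget, k) {
			return true
		}
	}
	return false
}

// Classify maps a single event to at most one finding.
func Classify(ev RegistryEvent) (Finding, bool) {
	target := strings.ToLower(ev.TargetObject)
	perUser := strings.HasPrefix(target, `hku\`)
	switch {
	case ev.EventID == 13 && perUser && strings.Contains(target, msSettingsCommand):
		// The ms-settings ProgID normally lives only under HKLM. A per-user copy
		// shadows it when fodhelper.exe (auto-elevated) resolves the handler, so
		// writing either the (Default) command or the DelegateExecute marker here
		// is the setup step of the bypass, regardless of which payload is named.
		return Finding{"T1548.002", "fodhelper UAC bypass: per-user ms-settings handler written", ev.Image, ev.TargetObject}, true
	case ev.EventID == 13 && hasRunKey(target):
		return Finding{"T1547.001", "Run key persistence: value set, payload " + ev.Details, ev.Image, ev.TargetObject}, true
	case ev.EventID == 12 && strings.EqualFold(ev.EventType, "DeleteValue") && hasRunKey(target):
		// Removal is worth surfacing too: a create/delete pair in quick succession is
		// exactly what a simulation's cleanup (or an attacker covering tracks) looks like.
		return Finding{"T1547.001", "Run key persistence: value removed", ev.Image, ev.TargetObject}, true
	}
	return Finding{}, false
}

// Scan parses JSON-lines events and returns every finding in log order.
func Scan(lines []string) ([]Finding, error) {
	var out []Finding
	for i, line := range lines {
		var ev RegistryEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		if f, ok := Classify(ev); ok {
			out = append(out, f)
		}
	}
	return out, nil
}

// SampleLog is constructed for this example: the two writes a fodhelper bypass
// makes, a Run key add/remove pair, and one benign Explorer setting change.
var SampleLog = []string{
	`{"EventID":13,"EventType":"SetValue","Image":"C:\\Users\\bob\\Desktop\\uac_bypass.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\(Default)","Details":"C:\\Windows\\System32\\notepad.exe"}`,
	`{"EventID":13,"EventType":"SetValue","Image":"C:\\Users\\bob\\Desktop\\uac_bypass.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\ms-settings\\Shell\\Open\\command\\DelegateExecute","Details":""}`,
	`{"EventID":13,"EventType":"SetValue","Image":"C:\\Users\\bob\\Desktop\\runkeyregistry.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\firedrill","Details":"C:\\Users\\bob\\AppData\\Local\\Temp\\payload.exe"}`,
	`{"EventID":12,"EventType":"DeleteValue","Image":"C:\\Users\\bob\\Desktop\\runkeyregistry.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\firedrill","Details":""}`,
	`{"EventID":13,"EventType":"SetValue","Image":"C:\\Windows\\explorer.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","Details":"DWORD (0x00000001)"}`,
}

func main() {
	findings, err := Scan(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s  %-60s %s -> %s\n", f.Technique, f.Rule, f.Image, f.Target)
	}
}
```

The UAC rule deliberately ignores writes to the same path under HKLM, where the real ProgID lives and servicing may touch it, and the Run key rule fires on the removal as well as the addition, so the simulation's own cleanup step shows up in the log rather than quietly erasing the evidence that the control was exercised.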

Usage

  • Requires Go 1.17+, GNU make.

Windows

Ransomware Simulation

$ make ransomware
$ ransomware.exe

Discovery Simulation

$ make discovery
$ discovery.exe

UAC Bypass Simulation

$ make uac_bypass
$ uac_bypass.exe

Registry Run Key Simulation

$ make registry_run
$ runkeyregistry.exe

Linux/bash

$ GOOS=windows make ransomware # and so on

Contributors: arush15june, achilles4828
