Detect FIN6 on Sentinel Part 1: Run FIN6 exploit

M'hirsi Hamza
4 min read, Jan 10, 2023


Hi Medium! Here we are again with a new article about Sentinel.

In this article we will learn how to detect a FIN6 attack with Sentinel. This exercise is one of the most useful ways to learn how to detect APT activity and high-severity threats in your SIEM. This time our SIEM is Sentinel, and we will discover together how to create simple rules that detect each phase of the attack.

This exercise is not too complicated. Many of the techniques used are designed to evade detection, and that makes them harder to catch; it does not mean we cannot detect them, but we need to put more effort into our detection methods in order to catch them. Please check the second part of this article via this link 😉

This exercise will be split into more than one article; future articles will be linked here. For now, let's start with the content of this article.

Content

What is FIN6
Why FIN6
Hardware
FIN6 attack simulator
Setting up the Environment
Executing FIN6

What is FIN6

FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.
Reference: https://attack.mitre.org/groups/G0037/

Why FIN6

FIN6 is a very active group, and studying their past attacks gives you a better chance of detecting them in the future and teaches you their behavior. Personally, I enjoy learning new methods and new attack vectors from them.

Hardware

The lab is not hard to create: we need Sentinel running on Azure, and we need to make sure we are collecting logs (specifically Sysmon logs) from the machine that will be attacked.
To start, you can follow this guide to onboard Sentinel: https://learn.microsoft.com/en-us/azure/sentinel/quickstart-onboard

For the lab environment we basically need two machines: one that will be used to attack and one victim that we will be monitoring. It is preferable to create those machines on Azure as well, since it will be easier to collect logs from them.

The two machines needed are the following:

  • Windows Server 2019
  • Kali Linux

As for how to create those machines, I will leave that to you 😜

For how to collect the logs from the victim machine you can check M'hirsi Hamza's article on that: Sysmon and log Parse using KQL on Azure Sentinel

FIN6 attack Simulator

For the simulation of the attack, MITRE's Center for Threat-Informed Defense provides an adversary emulation plan so that organizations can test their defenses. Please check this article by Jon Baker for more details: Center Releases FIN6 Adversary Emulation Plan

As a first step, if you are not familiar with APT attacks and tactics, I advise you to check the Git repo and learn more about the attack that we will be simulating: https://github.com/center-for-threat-informed-defense/adversary_emulation_library

Setting up the environment

For the lab emulation we need to download the scripts on the attacker machine. Please follow the steps below; they are the same steps covered by MITRE:

  1. Download the MITRE ATT&CK Defender Adversary Emulation repository from GitHub https://github.com/maddev-engenuity/AdversaryEmulation/releases
  2. Select the latest release available and download the source code.
  3. Transfer the repository folder to both your Kali and Windows Server 2019 VMs. (This will be needed in case a script is blocked or does not work for you for any reason. In this article we will focus on how to detect those attacks in Sentinel rather than on how to perform the attack itself, but it is still important to know how to do so 😉)

Once you are on your attacking machine (Kali) you can execute the script:

cd AdversaryEmulation/vm_setup_scripts/kali
sudo ./setup-kali-vm.sh

When the setup process completes, a new user will have been created with the following credentials:

Username: attacker
Password: ATT&CK

From the Windows Server 2019 VM, open an Administrator PowerShell session and execute the setup script:

cd AdversaryEmulation\vm_setup_scripts\windows_server\
.\setup-dc.ps1

When the setup process completes, a new user will have been created with the following credentials:

Username: MAD\madAdmin
Password: ATT&CK

The documentation advises taking snapshots of both VMs to preserve the configuration, in case we later need to roll back to a stable state.
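Before taking the snapshot, it is worth confirming that the victim VM will actually produce the telemetry that Part 2 depends on; if Sysmon is not logging or the agent is not forwarding the channel, the detection work later has nothing to query. The pre-flight check below is an added example, not part of the MITRE setup scripts or of this article's original content. It assumes Sysmon was installed under its default service name (Sysmon or Sysmon64), that the Sysmon channel is shipped to the workspace by either the Log Analytics agent (service HealthService) or the Azure Monitor agent (service AzureMonitorAgent), and that setup-dc.ps1 made this server a domain controller for the MAD domain and created madAdmin, as the credentials above indicate. Run it in an elevated PowerShell session on the Windows Server 2019 VM.

```powershell
# Pre-flight check for the victim VM before snapshotting the lab.
# Added example; assumptions: default Sysmon service name, MMA or AMA
# forwarding the Sysmon channel, and the MAD domain created by setup-dc.ps1.

$SysmonChannel = 'Microsoft-Windows-Sysmon/Operational'

# 1. Sysmon service present and running
$sysmon = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
if (-not $sysmon) { throw 'Sysmon service not found; install Sysmon before running the emulation.' }
"Sysmon service: $($sysmon.Name) [$($sysmon.Status)]"

# 2. Sysmon channel enabled and already holding records
$channel = Get-WinEvent -ListLog $SysmonChannel -ErrorAction Stop
"Channel enabled: $($channel.IsEnabled), records so far: $($channel.RecordCount)"

# 3. Generate one known process creation and confirm Sysmon logs it as Event ID 1.
#    The marker ends up in the CommandLine field, which is what we search for.
$marker = "labcheck-$([guid]::NewGuid().ToString('N'))"
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2
$hit = Get-WinEvent -FilterHashtable @{ LogName = $SysmonChannel; Id = 1 } -MaxEvents 50 |
       Where-Object { $_.ToXml() -like "*$marker*" }
if (-not $hit) { throw "No Sysmon Event ID 1 containing $marker; check the Sysmon configuration." }
"ProcessCreate seen for marker $marker at $($hit[0].TimeCreated.ToUniversalTime().ToString('o'))"

# 4. Agent that forwards the channel to the Log Analytics workspace
$agent = Get-Service -Name 'HealthService', 'AzureMonitorAgent' -ErrorAction SilentlyContinue
if (-not $agent) {
    Write-Warning 'Neither HealthService (MMA) nor AzureMonitorAgent (AMA) is installed; nothing will reach Sentinel.'
} else {
    $agent | ForEach-Object { "Agent service: $($_.Name) [$($_.Status)]" }
}

# 5. Lab identity created by setup-dc.ps1 (requires the ActiveDirectory module on the DC)
Import-Module ActiveDirectory -ErrorAction Stop
$user = Get-ADUser -Identity 'madAdmin' -Properties MemberOf
"madAdmin exists in domain $((Get-ADDomain).NetBIOSName); member of $($user.MemberOf.Count) group(s)"
```

Step 3 is the one that matters most: a running Sysmon service with a configuration that filters out process creation would pass steps 1 and 2 and still leave Part 2 blind. Keep the printed timestamp; the same marker should show up in the workspace a few minutes later, which is a cheap way to measure ingestion lag before the real emulation starts.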

Executing FIN6

In this part we will execute FIN6 in the attack order given by the MITRE emulation plan. Basically, we will go through the whole kill chain, following the plan's four main steps.

Here is the repo link if needed.

Please follow the previous steps and execute the attack. Once you are done, we can move to part 2 of this article to work on catching the attack in Sentinel using KQL.
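Once the emulation has finished, confirm that it actually produced Sysmon events in the workspace before moving on to Part 2. The script below is an added example, not from this article or from MITRE. It assumes the Az.Accounts and Az.OperationalInsights PowerShell modules are installed on the machine you run it from, that the Sysmon channel lands in the workspace's Event table with EventLog equal to 'Microsoft-Windows-Sysmon/Operational' (the default for Windows event channels collected by the Log Analytics agent), and that the $WorkspaceId and $VictimHost placeholders are replaced with your workspace ID and the victim VM's computer name. Set $Start to the time at which you launched the first FIN6 step.

```powershell
# Verify that the FIN6 emulation window produced Sysmon telemetry in Sentinel.
# Added example; assumptions: Az.Accounts + Az.OperationalInsights installed,
# Sysmon events stored in the Event table, placeholders replaced below.

$WorkspaceId = '<log-analytics-workspace-id>'     # placeholder
$VictimHost  = '<victim-vm-computer-name>'        # placeholder, as shown in the Computer column
$Start = (Get-Date).AddHours(-3).ToUniversalTime() # replace with the time you started the emulation
$End   = (Get-Date).ToUniversalTime()

Connect-AzAccount | Out-Null

# The here-string is plain KQL; it can also be pasted into the Sentinel Logs blade as-is.
$kql = @"
Event
| where TimeGenerated between (datetime($($Start.ToString('o'))) .. datetime($($End.ToString('o'))))
| where EventLog == 'Microsoft-Windows-Sysmon/Operational'
| where Computer startswith '$VictimHost'
| summarize Events = count(), First = min(TimeGenerated), Last = max(TimeGenerated) by EventID
| order by EventID asc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
$rows = @($result.Results)

if ($rows.Count -eq 0) {
    Write-Warning "No Sysmon events from $VictimHost between $Start and $End. Ingestion lag can be several minutes; if it persists, the agent is not forwarding the Sysmon channel."
} else {
    # One row per Sysmon Event ID: 1 = process creation, 3 = network connection,
    # 11 = file creation, and so on, with the count and the first/last time seen.
    $rows | Format-Table EventID, Events, First, Last -AutoSize
}
```

A window with only Event ID 1 rows usually means the Sysmon configuration logs process creation but filters out network and file activity, which limits what Part 2 can catch; widen the configuration and rerun the affected steps rather than discovering the gap while writing detection rules.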

Reference

https://github.com/center-for-threat-informed-defense

Conclusion

As mentioned in the introduction, this exercise is very important for understanding how you can detect attacks and where to look when you are working on Windows.
If you have any questions, please do not hesitate to let me know how I can improve my article, or whether there is a specific subject regarding Sentinel you are looking for. PEACE 💛


M'hirsi Hamza

Cyber Security Architect at Rakuten Symphony Deutschland, talks about #innovation, #technology, #cyberattack, #cyberdefense, and #cybersecurity