The SafeBreach Hacker's Playbook™ already contains simulations for the attacks described in US-CERT Alert (AA18-284A), which highlights publicly available tools that have been used for malicious purposes in recent cyber incidents around the world.
Thanks to the depth of the Hacker's Playbook™, some of the techniques described in this alert were simulated based on past campaigns, so existing customers have already been validating their defenses against these attacks.
These common attacks have been observed across the health, finance, government, and defense industries. The widespread availability of these tools presents a challenge for both network defense and threat-actor attribution. SafeBreach recommends that organizations in all industries simulate the tools described in this alert to determine whether they are protected against these attacks. To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:
Existing playbook methods related to AA18-284A
Playbook #176 - China Chopper POST command
- Network Controls - Are network security controls in place to prevent China Chopper command and control (C2) communication?
Playbook #1051 - China Chopper install
- Endpoint Controls - Are endpoint security controls or hardening in place to prevent saving the China Chopper webshell to local disk?
Playbook #794 - Run Mimikatz on host
- Endpoint Controls - Are endpoint security controls or hardening in place to prevent the Mimikatz malware from extracting plain text passwords from Windows machines?
Playbook #1220 - Fileless Mimikatz injection using PowerShell
- Endpoint Controls - Are endpoint security controls or hardening in place to prevent the extraction of plain text passwords from Windows machines via malicious PowerShell commands?
Additional breach methods added recently include: