SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for attacks described in US-CERT Alert (AA18-284A), which highlights the use of publicly available tools for malicious purposes in recent cyber incidents around the world.

As announced in a previous bulletin, some of the techniques described in this alert were already simulated, thanks to the depth of the Hacker's Playbook™, so existing customers have already been validating their defenses against these attacks. As always, SafeBreach Labs continued to investigate the alert and has identified and developed additional simulations to help our customers validate their security against the tools described in it. These additional methods are described below.

SafeBreach recommends all industries and businesses simulate the tools described in this alert to identify whether or not they are protected against these attacks. To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Newly developed playbook methods related to AA18-284A

Playbook #1687 - Email JBiFrost RAT

  • Email Controls - Are email security controls in place to scan for and identify the malicious JBiFrost RAT?

Playbook #1685 - Transfer of malware over HTTP/S

  • Network Controls - Are security controls in place to prevent the download and transfer of the JBiFrost RAT?

Playbook #1685 - Write to disk of JBiFrost RAT

  • Endpoint Controls - Are endpoint security controls or hardening in place to prevent saving the JBiFrost RAT to local disk?

Playbook #1689 - China Chopper dropper install

  • Endpoint Controls - Are endpoint security controls or hardening in place to prevent saving the China Chopper webshell (i.e., specific sample 5001ef50c7e869253a7c152a638eab8a) to local disk?

Existing playbook methods related to AA18-284A

Playbook #1056, #181 - Initial install and CMD execution of Gh0st RAT

  • Network Controls - Are network security controls in place to prevent Gh0st RAT command and control (C2) communication?

Playbook #1042, #264 - Meterpreter File Execution via HTTP/S

  • Network Controls - Are network security controls in place to prevent Meterpreter command and control (C2) communication?

Playbook #262 - Meterpreter Keep Alive via HTTP/S

  • Network Controls - Are network security controls in place to prevent the keep-alive command to Meterpreter?

Playbook #263 - Meterpreter System32 Removal via HTTP/S

  • Network Controls - Are network security controls in place to prevent malicious commands to Meterpreter?

Playbook #176 - China Chopper POST command

  • Network Controls - Are network security controls in place to prevent China Chopper command and control (C2) communication?

Playbook #1051 - China Chopper install

  • Endpoint Controls - Are endpoint security controls or hardening in place to prevent saving the China Chopper webshell to local disk?

Playbook #794 - Run Mimikatz on host

  • Endpoint Controls - Are endpoint security controls or hardening in place to prevent the Mimikatz malware from extracting plaintext passwords from Windows machines?

Playbook #1220 - Fileless Mimikatz injection using PowerShell

  • Endpoint Controls - Are endpoint security controls or hardening in place to prevent the extraction of plaintext passwords from Windows machines via malicious PowerShell commands?

Additional breach methods added recently include:
