Creating an Attack Diagram

On Day 19 of the MyDFIR 30-Day SOC Analyst Challenge, I focused on creating an attack diagram to map out a hypothetical attack plan against a target machine. This diagram visualizes the steps involved in gaining initial access, executing commands, and eventually exfiltrating data.

Tools Used

  • Draw.io: Used to build the attack diagram.
  • Kali Linux: The attacker’s machine running offensive tools.
  • Mythic C2: Command and control (C2) server hosted on a cloud provider (Vultr).
  • Windows Server: The target machine to be compromised.

Attack Phases

Initial Access (Phase 1):

  • Objective: Gain access to the target machine.
  • Method: Use an RDP brute force attack from the attacker’s machine (Kali Linux) to the target Windows Server.
  • Outcome: A successful login will allow us to move to the next phase.

Discovery (Phase 2):

  • Objective: Gather information about the target system.
  • Commands:
    • whoami – to determine current user privileges.
    • ipconfig – to inspect network configurations.
    • net user and net group – to enumerate the local users and groups on the system.
  • Goal: Learn about the target environment and identify potential vulnerabilities or opportunities for privilege escalation.

Defense Evasion (Phase 3):

  • Objective: Bypass or disable security mechanisms on the target machine.
  • Method: Disable Windows Defender to ensure smooth execution of the Mythic C2 agent.
  • Execution: With an established RDP session, Windows Defender is disabled using administrative privileges.

Execution (Phase 4):

  • Objective: Deliver and execute the payload on the target machine.
  • Method: Use PowerShell’s Invoke-Expression (IEX) to download and execute the Mythic agent from the Mythic C2 server.
  • Outcome: The agent will be installed on the target Windows Server, enabling further control.

Command and Control (C2) (Phase 5):

  • Objective: Establish a persistent connection between the target machine and the attacker’s C2 server.
  • Outcome: Once the Mythic agent is executed, a C2 session is established, allowing the attacker to control the target machine remotely.

Exfiltration (Phase 6):

  • Objective: Steal sensitive information from the compromised system.
  • Method: Download a fake password file (passwords.txt) from the Windows Server to simulate the extraction of sensitive data.
  • Outcome: The exfiltrated file is transferred back to the attacker’s machine via the established C2 session.
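From the SOC analyst's side, Phase 1 is the first thing this plan should light up. The following is an added example, not part of the original post or the MyDFIR material: detection logic in Python that flags a source IP whose burst of failed RDP logons (Event ID 4625, LogonType 10) is followed by a successful RDP logon (4624) inside a short window, run over constructed sample events; the IP addresses, user names and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log sample (hypothetical, not from the original post).
# Event 4625 is a failed logon, 4624 a successful one; LogonType 10 is
# RemoteInteractive, i.e. RDP.
ATTACKER_IP = "203.0.113.7"  # placeholder for the attacker's Kali host
SAMPLE_EVENTS = [
    {"time": f"2024-09-01T10:00:{s:02d}", "id": 4625, "user": "Administrator",
     "ip": ATTACKER_IP, "logon_type": 10}
    for s in range(0, 30, 5)  # six failures in 25 seconds
] + [
    {"time": "2024-09-01T10:00:31", "id": 4624, "user": "Administrator",
     "ip": ATTACKER_IP, "logon_type": 10},      # the guess that succeeded
    {"time": "2024-09-01T10:01:00", "id": 4624, "user": "jsmith",
     "ip": "10.0.0.5", "logon_type": 10},       # normal RDP login, no failures
    {"time": "2024-09-01T10:02:00", "id": 4625, "user": "bob",
     "ip": "198.51.100.9", "logon_type": 10},   # one typo, below threshold
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return (source_ip, failure_count, user) for every RDP success that was
    preceded by at least `threshold` RDP failures from the same IP within
    `window`. Failures are consumed once they have produced an alert."""
    failures = defaultdict(list)  # source ip -> timestamps of 4625 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:  # only RDP logons matter for this phase
            continue
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4625:
            failures[ev["ip"]].append(t)
        elif ev["id"] == 4624:
            recent = [f for f in failures[ev["ip"]] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append((ev["ip"], len(recent), ev["user"]))
                failures[ev["ip"]].clear()
    return alerts


if __name__ == "__main__":
    for ip, count, user in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT: {count} failed RDP logons from {ip} then success as {user}")
```

In a real pipeline the same rule sits on the SIEM's Security-channel feed; the single-IP, short-window pattern is exactly the footprint the Phase 1 brute force leaves on the target.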

Diagram Summary

The attack diagram clearly maps out the flow of the attack, starting from the initial RDP brute force attempt to the final exfiltration of data. By breaking down the attack into these six phases, I was able to visualize each step of the process, ensuring a structured and organized approach to the simulation.

This diagram not only helps in understanding the attack path but also serves as a blueprint for conducting penetration testing or red teaming exercises in a SOC environment.