Day 19 : Creating an Attack Diagram
Now that the network infrastructure and endpoints are in place, it's time to simulate an attack against our exposed SSH Ubuntu and RDP Windows servers. But before committing to an attack, a thorough attack plan needs to be in place. To do that, today I will be creating an attack diagram to visualize all the phases of the attack simulation.
Attack Diagram overview
Just as I created the network diagram on day 1, I will be using draw.io to create the attack diagram.
Nodes used in the Attack Diagram
Throughout the making of this diagram, I will be using the following nodes:
Creating an Attack Diagram
The attack will take place in 6 phases, with a section of the diagram visualizing each of them as follows:
Phase 1 - Initial Access
In phase 1, I will be performing a brute force attack against the Windows RDP server, with the aim of gaining access with a correct set of credentials.
Phase 2 - Discovery
In this phase, I will use PowerShell on the Windows server to perform discovery commands such as whoami, ipconfig, net user, net group, etc.
Phase 3 - Defense Evasion
To avoid detection by Windows Defender, in this phase I'll use the RDP session to disable Windows Defender.
Phase 4 - Execution
In this phase, I will use PowerShell to download the Mythic Agent from the Mythic Server using Invoke-Expression (IEX), followed by executing the Mythic Agent.
Phase 5 - Command and Control
In this phase, I will execute the downloaded Mythic Agent to establish a Command and Control (C2) channel.
Phase 6 - Exfiltration
For this project, I will perform exfiltration of a dummy file called Passwords.txt, which will involve copying this file from the target machine (the Windows server) to the Attacker Laptop.
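Since this is a SOC project, the other side of the plan is knowing what each phase looks like in the Windows Security log. The script below is an added example (not part of this post or the MYDFIR challenge material) showing detection logic for phases 1 and 2 over constructed sample events: a burst of failed logons (Event ID 4625) from one source followed by a successful logon (4624), and process-creation events (4688) whose command line matches the discovery commands listed above. The event tuple layout and the sample IP addresses are my own assumptions.

```python
"""Detection logic for Phase 1 (RDP brute force) and Phase 2 (discovery)
over constructed Windows Security log events.  Event IDs are the real
ones: 4625 failed logon, 4624 successful logon, 4688 process creation."""
from collections import defaultdict

# Constructed sample events (assumed layout):
# (timestamp_seconds, event_id, source_ip, account, command_line)
SAMPLE_EVENTS = [
    (0, 4625, "203.0.113.7", "administrator", ""),
    (1, 4625, "203.0.113.7", "administrator", ""),
    (2, 4625, "203.0.113.7", "administrator", ""),
    (3, 4625, "203.0.113.7", "administrator", ""),
    (4, 4625, "203.0.113.7", "administrator", ""),
    (5, 4625, "203.0.113.7", "administrator", ""),
    (7, 4624, "203.0.113.7", "administrator", ""),      # brute force succeeds
    (10, 4625, "198.51.100.9", "bob", ""),              # single typo, benign
    (30, 4688, "203.0.113.7", "administrator", "whoami.exe"),
    (31, 4688, "203.0.113.7", "administrator", "ipconfig.exe /all"),
    (32, 4688, "203.0.113.7", "administrator", "net user"),
    (33, 4688, "203.0.113.7", "administrator", "notepad.exe"),  # not discovery
]

# Commands the plan lists for the discovery phase
DISCOVERY_CMDS = ("whoami", "ipconfig", "net user", "net group")


def detect_brute_force(events, threshold=5, window=60):
    """Flag a source IP that logged >= threshold 4625 events within
    `window` seconds before a 4624 success: the Phase 1 signature."""
    failures = defaultdict(list)
    hits = []
    for ts, eid, src, user, _ in sorted(events):
        if eid == 4625:
            failures[src].append(ts)
        elif eid == 4624:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append({"source": src, "user": user,
                             "failures": len(recent), "success_at": ts})
    return hits


def detect_discovery(events):
    """Return (timestamp, command) for 4688 events that match a known
    discovery command: the Phase 2 signature."""
    return [(ts, cmd) for ts, eid, _, _, cmd in sorted(events)
            if eid == 4688 and cmd.lower().startswith(DISCOVERY_CMDS)]


if __name__ == "__main__":
    print(detect_brute_force(SAMPLE_EVENTS))
    print(detect_discovery(SAMPLE_EVENTS))
```

Note that 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled on the Windows server; without it, the discovery rule has nothing to match.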
Conclusion
With invaluable guidance from Mr. Stevens at MYDFIR (his website) and his YouTube video outlining day 19 of the 30-Day SOC Challenge, I created an attack diagram using draw.io to visualize the attacks that I will be simulating against my exposed Windows RDP and Ubuntu SSH servers.