Adversary Emulation System - Flightsim

Emulating the adversary during an internal pentest assignment is a current market need. Today we are going to look at the Flightsim tool by AlphaSOC.

Brief description of the tool (straight from the GitHub page)
Flightsim is a lightweight utility used to generate malicious network traffic and help security teams evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.

Let's grab the latest binary from the releases page. In our case we have Kali (2018 release), connected to the client's internal infrastructure with Internet access. The tool's help output gives detailed usage information and lists the supported modules.


Below are the modules supported by the tool.

Let's take the c2-dns module as an example. This module generates a list of current C2 destinations from the Cybercrime Tracker website and performs DNS requests to each.


Verifying the generated traffic and the respective DNS requests in Wireshark.

Let's look at the status of the first domain generated by the tool, dellobusiness.com, on cybercrime-tracker.net. Aaah, now we have its IP address and the malware family (e.g. Zeus) detected on it.


Clicking on the IP address (104.24.99.162) redirects us to VirusTotal, where we can get all the information about malicious URLs, domains, etc. associated with that IP address.


Below are snippets of the other modules too.

C2-IP Module

Spambot Module

Tunnel Module

DGA Module

So what we deduce from the above: all the malicious requests and network traffic generated by this tool should be flagged as malicious by the various security defences (e.g. SIEM). If it is not detected or flagged, raise the red flag ;)
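As an added example (not part of the original post or the flightsim project), here is a small Python detector that scans a constructed DNS query log for the patterns the c2-dns, dga and tunnel modules produce. The log format, the blocklist entries other than dellobusiness.com, and the entropy and length thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed blocklist. dellobusiness.com is the domain the post looked up on
# cybercrime-tracker.net; the second entry is a placeholder, not a real indicator.
C2_DOMAINS = {"dellobusiness.com", "c2-placeholder.example"}

# Constructed DNS query log, one query per line: "<time> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2018-11-02T10:00:01 10.10.5.23 www.google.com A
2018-11-02T10:00:02 10.10.5.23 dellobusiness.com A
2018-11-02T10:00:03 10.10.5.23 xk3jd9fq2mvhq7zplw.com A
2018-11-02T10:00:04 10.10.5.23 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.exfil.example.com TXT
2018-11-02T10:00:05 10.10.5.23 mail.example.com MX
"""

def shannon_entropy(s):
    """Bits per character; random-looking DGA labels score high, words score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def classify(qname, qtype):
    """Return the reasons a query resembles flightsim's c2-dns, dga or tunnel traffic."""
    labels = qname.lower().rstrip(".").split(".")
    reasons = []
    # c2-dns: the registered domain (naively, the last two labels) is on the blocklist.
    if ".".join(labels[-2:]) in C2_DOMAINS:
        reasons.append("c2-dns: known C2 domain")
    # dga: a long, high-entropy second-level label; thresholds are heuristic.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if len(sld) >= 12 and shannon_entropy(sld) >= 3.5:
        reasons.append("dga: high-entropy label")
    # tunnel: data smuggled in a very long label (often with TXT/NULL queries).
    if any(len(l) >= 30 for l in labels) or (qtype == "TXT" and len(qname) > 50):
        reasons.append("tunnel: oversized label")
    return reasons

def scan_log(text):
    """Parse the log and return [(qname, reasons)] for every flagged query."""
    hits = []
    for time, client, qname, qtype in (l.split() for l in text.splitlines() if l.strip()):
        reasons = classify(qname, qtype)
        if reasons:
            hits.append((qname, reasons))
    return hits

if __name__ == "__main__":
    for qname, reasons in scan_log(SAMPLE_LOG):
        print(qname, "->", "; ".join(reasons))
```

Running it flags the three suspicious queries and leaves the ordinary ones alone; the same three checks are what a SIEM rule set should produce when flightsim is run inside the network.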

Reference: https://github.com/alphasoc/flightsim
