Integrating Adversary Emulation using Infection Monkey with Azure Sentinel

Sartaj Ahmed Shaik
5 min read · Jan 14, 2021

When I was preparing for my Azure Security Engineer Associate certification, I was introduced to the world of Azure Sentinel, a cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. As I'm interested in blue teaming and inclined towards adversary emulation, I thought of integrating Infection Monkey with Azure Sentinel.

The objective of this article is to use Infection Monkey, an open source attack simulation tool, for adversary emulation and Azure Sentinel as the SIEM. The best part of Infection Monkey is that it does not impact server or network stability, i.e., it doesn't disrupt the environment, and its findings are mapped to MITRE ATT&CK.

As we know, the MITRE ATT&CK matrix is a knowledge base of techniques that adversaries use in the real world, and Infection Monkey maps its actions to that knowledge base. The Infection Monkey documentation can be found here.

So let's get started.

In this demo we will deploy Infection Monkey from the Azure Marketplace.

Clicking Create provisions an Azure Linux VM (a Standard D2s v3 with 2 vCPUs and 8 GB memory is preferred) with Infection Monkey preconfigured.

Once the instance is created, make sure port 5000 is open for inbound TCP traffic, as the Monkey Island command-and-control (C&C) server is accessed on port 5000. The inbound rule should allow only the addresses you will administer it from, not the whole internet.

After the instance is created, Infection Monkey can be accessed at https://{public-ip-address}:5000

To complete the test environment setup, we need target virtual machines; for this I have created Windows 10, Windows 7, Kali Linux and Ubuntu machines in the same subnet as Infection Monkey.

There are a lot of configuration options available in Infection Monkey; some of them are:

1. Which MITRE ATT&CK techniques to enable or disable (a few of them are mandatory)

2. Which exploits are to be used

3. For brute force attacks, credentials can be provided that the monkey will use during the test. This also maps to a use case: if credentials leak from any one machine in the network, what would the impact be?

4. A specific set of IPs, subnets or hosts to be included in or excluded from the tests

5. Scan depth, which limits the number of hops (compromised machines) the monkey can make

6. Specific commands that need to be run on a machine post-exploitation

Select “Run on Monkey Island Server”. The tests will now start based on the above configuration.

Based on the configuration provided, the adversary emulation starts. While the test is “In Progress” we can simultaneously view the “Infection Map”, which gives a pictorial view of the machines being covered as part of the test.

Meanwhile, as the test continues, we can configure Azure Sentinel. Use the “Security Events” connector and install the agent on the virtual machines on which Infection Monkey is performing the adversary emulation, so that their security events can be analyzed by Sentinel.

Depending on the number of events, it may take 20–60 minutes for the events to be sent to and analyzed by Sentinel. Under the Hunting section in Azure Sentinel there are multiple pre-built queries mapped to MITRE ATT&CK techniques. These queries are based on specific Event IDs.
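To make the Event ID approach concrete, here is a hunting query of the same shape as the built-in ones. It is an added example written for this article, not one of Sentinel's shipped queries, and it assumes the Security Events connector is populating the standard SecurityEvent table; the failure threshold and the one-hour bucket are constructed values to tune for your environment.

```kql
// Added example (not one of Sentinel's built-in hunting queries): brute force
// followed by a successful logon, built from the Windows Security Event IDs
// that the Security Events connector lands in the SecurityEvent table.
// Threshold and window are constructed values; tune them locally.
let lookback = 1d;
let window = 1h;
let failure_threshold = 10;
let failed_logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                          // "An account failed to log on"
    | extend TimeBucket = bin(TimeGenerated, window)
    | summarize FailedAttempts = count(),
                TargetAccounts = make_set(TargetUserName, 20),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by Computer, IpAddress, TimeBucket
    | where FailedAttempts >= failure_threshold;
let successful_logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624                          // "An account was successfully logged on"
    | where LogonType in (3, 10)                     // network and RDP logons only
    | extend TimeBucket = bin(TimeGenerated, window)
    | project Computer, IpAddress, TimeBucket,
              SuccessTime = TimeGenerated, SuccessAccount = TargetUserName;
failed_logons
| join kind=inner successful_logons on Computer, IpAddress, TimeBucket
| where SuccessTime > LastFailure                     // the success came after the failures
| extend Tactic = "CredentialAccess", Technique = "T1110 - Brute Force"
| project TimeBucket, Computer, IpAddress, FailedAttempts, TargetAccounts,
          FirstFailure, LastFailure, SuccessTime, SuccessAccount, Tactic, Technique
| order by FailedAttempts desc
```

Paste it into the Logs blade of the Sentinel workspace. Bucketing by hour keeps the join cheap but means a success that lands just across a bucket boundary from its failures is missed; if that matters, drop TimeBucket and use a time-window join instead.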

Once the monkey completes the tests, the red lines in the infection map indicate the machines for which exploitation was successful.

For example, an SSH brute force exploit from the test3 machine to the test5 machine was successful, which is represented as follows; when we select the test5 machine in the infection map, further details regarding the attack are displayed.

A detailed log of the attack vectors and exploits used, along with which exploits were successful, is also displayed. This is where I think Infection Monkey is better than regular vulnerability scanners: it doesn't just scan and report a vulnerability, it tries to exploit it and provides a detailed report on the result.

The report shows the machines that were breached by the monkey.

The following report gives details on the MITRE techniques used by the monkey.

Let's explore one exploit performed by the monkey. Here we provided the most frequently used usernames and passwords in the configuration file and used brute force for SSH login; one of the username and password pairs was accepted by the finalimtest3 machine.

Now we need to verify whether Sentinel was able to capture it.

In Azure Sentinel, if we navigate to the MITRE query “hosts with new logins”, we observe that a security event was captured.

Verifying the results against the timestamp gives further details: the process name, which is sshd, and the machine impacted, which is finalimtest5.

Similarly, a few other Sentinel log analyses provide details on new user logins.

Sentinel also shows, for the Linux machines, whether commands that trigger process names such as sudo and cron were executed.
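The sshd, sudo and cron entries from the Linux machines arrive through the Syslog table rather than SecurityEvent, so checking the SSH brute force the monkey performed takes a different query. The following is an added example, not a query from the post or from the Infection Monkey project: it assumes the Log Analytics agent is collecting the auth/authpriv facilities into the standard Syslog table, that sshd writes the usual OpenSSH "Failed password for ... from ..." and "Accepted password for ... from ..." messages, and uses a constructed failure threshold. It ties the accepted login back to the preceding failures from the same source and then lists sudo and cron activity on that host in the hour after the login, which is the post-exploitation activity the configured commands would produce.

```kql
// Added example (not from the post): on the Syslog table, find hosts where sshd
// logged repeated password failures from one source followed by an accepted
// login from that same source, then attach sudo/cron activity on the host in
// the hour after the login. Threshold is a constructed value; tune it locally.
let lookback = 1d;
let failure_threshold = 5;
let ssh_events = Syslog
    | where TimeGenerated > ago(lookback)
    | where ProcessName == "sshd"
    // Parse the OpenSSH message format (assumed): outcome, user and source address.
    | extend Outcome  = extract(@"^(Failed|Accepted) (?:password|publickey)", 1, SyslogMessage),
             SshUser  = extract(@"for (?:invalid user )?(\S+) from", 1, SyslogMessage),
             SourceIp = extract(@"from (\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
    | where isnotempty(Outcome) and isnotempty(SourceIp);
let brute_force_success = ssh_events
    | where Outcome == "Failed"
    | summarize FailedAttempts = count(),
                Usernames = make_set(SshUser, 20),
                LastFailure = max(TimeGenerated)
        by Computer, SourceIp
    | where FailedAttempts >= failure_threshold
    | join kind=inner (
        ssh_events
        | where Outcome == "Accepted"
        | project Computer, SourceIp, LoginTime = TimeGenerated, LoginUser = SshUser
      ) on Computer, SourceIp
    | where LoginTime > LastFailure;                  // the accepted login followed the failures
brute_force_success
| join kind=leftouter (
    Syslog
    | where TimeGenerated > ago(lookback)
    | where ProcessName in~ ("sudo", "cron")         // case-insensitive: syslog logs cron as CRON
    | project Computer, ActivityTime = TimeGenerated,
              ActivityProcess = ProcessName, ActivityMessage = SyslogMessage
  ) on Computer
// Keep the login row even when no sudo/cron activity followed it.
| where isnull(ActivityTime) or ActivityTime between (LoginTime .. LoginTime + 1h)
| extend Technique = "T1110 - Brute Force"
| project Computer, SourceIp, FailedAttempts, Usernames, LastFailure, LoginTime, LoginUser,
          ActivityTime, ActivityProcess, ActivityMessage, Technique
| order by Computer asc, ActivityTime asc
```

Run against the demo workspace, the result is one row per sudo or cron entry on the breached host (or a single row with empty activity columns if nothing ran), with the Infection Monkey island's address in SourceIp and the accepted username in LoginUser. The regexes only match the OpenSSH wording; if a distribution patches its sshd messages, adjust them before trusting an empty result.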

This was a short demo on how we can emulate adversary behavior using Infection Monkey and capture it using the Azure Sentinel SIEM solution.

Hope it helps!! Happy Learning!!
