OnWeek: Project Standup and Feature Development

[terrancedejesus]

OnWeek Dates: May 8-12th

Overview

This is the very first issue for SWAT! As an Elastic OnWeek project, the goal of this issue is to scope obtainable work to be completed for the week regarding the standup and development of SWAT. In addition to tool development, a testing lab will need to be created for Google Workspace and GCP.

This OnWeek requires both Threat Research and Developer hats to be successful.

Project Roles

Threat Research Role: Responsible for surveying Google Workspace threat landscape, previous campaigns abusing or targeting GWS, known vulnerabilities, etc. This will be critical to determining what technique simulation should be built into the tool for OnWeek and how to accomplish them within the lab and via the tool. A good start is the Google Workspace Detection Rules from Elastic.

Developer Role: Responsible for developing the SWAT tool feature enhancements, bugs and working with Threat Researcher roles to understand technique simulation to develop the capability within the tool.

Important References

Google Workspace Lab Google Workspace Detection Rules SWAT Documentation - Wiki | GDoc

#### Lab Setup
- [x] Create Domain Registered to Google Workspace
- [x] Setup Google Workspace and Purchase License
- [x] Setup Cloud Stack with Google Workspace Integration Linked to Organization
- [x] Setup Elastic Agent and Confirm Logging from Google Workspace and GCP
- [x] Enable Required Google Workspace APIs and Create SWAT Credentials
- [x] Document Lab Setup and Requirements

#### Modular Shell Framework
- [x] Develop Modular Skeleton for SWAT Code
- [x] Determine How to Setup Debugger for Shell Application
- [x] Develop Logging Capabilities for SWAT
- [x] Develop Google Workspace Administration Capabilities for SWAT
- [x] Develop Cleanup Capability in SWAT
- [x] Develop Autocompletion
- [x] Load Possible `emulate` Commands
- [x] `help` on emulate commands shows parameter options

#### ATT\&CK Technique Simulations with SWAT
- [ ] https://github.com/elastic/SWAT/issues/4
- [ ] https://github.com/elastic/SWAT/issues/5
- [ ] https://github.com/elastic/SWAT/issues/6
- [ ] https://github.com/elastic/SWAT/issues/3

#### OnWeek Deliverables
- [x] 3-5 Minute Video Demo

[terrancedejesus]

⚡ May 9, 2023 Update

This is just a brief update of what has been accomplished so far based on everyones hard work. Reminder we are tracking everything in the #1 or the gdoc. Whatever you prefer.

Lab Setup

• Licensed Google Workspace organization with users for everyone (creds shared in DMs)
• Licensed GCP environment with service accounts (creds for GWS work for access)
• Elastic Stack deployment with GWS logging ingestion (accounts created and creds shared in DMs)

SWAT Documentation

• SWAT documentation has been created. Feel free to adjust if you need to.

SWAT Framework

• Modularized att&ck usage
• Added coverage command to review existing ATT&CK coverage by SWAT
• Added emulate command to emulate specific techniques
• Started T1098 (persistence - additional cloud roles) module for first goal

Adversary Behavior Analysis

• @seth-goodwin has done a killer job of reviewing the existing threat landscape for CSPs and GWS regarding apps script, piv. esc., and more
• @DefSecSentinel has created some really nice attack scenarios that will be used to scope what we want SWAT to do before demo

Existing Goals

• Figure out dynamic imports from folders
• Dev and finish T1098
• Determine playbook for priv. esc and how to programmatically do so
• Add more issues from exercises in Phishing frontier blog
• Review code for enhancements, cleanliness, etc.

[terrancedejesus]

⚡ May 10, 2023 Update

There has been some incredible progress made on the SWAT project so far this week. Thanks everyone for all the effort and work so far.

Recap

• SWAT Wiki is up and documented with everything so far
• Lab has been setup and is being used by everyone at the moment
• GDoc has been updated to match Wiki in case people prefer the doc
• SWAT is in a "working" state and emulation code is now in the works to be developed for each issue.
• Several awesome new issues for emulation modules have been created with very good context and "story"

Feedback

• ATT&CK technique ID usage -> we hope to have auto-complete and the coverage command help users identify better details about what they would like to emulate
• Potential OAuth/Org collision -> we are reviewing credential usage to ensure this collision does not happen if a user has multiple GWS sessions across different orgs
• In collaboration with BrATwurst, emulate endpoint cookie retrieval -> this is achievable with Tango payload, which is a C2 payload and a stretch goal atm
• SWAT should have a "weaponize" capability -> this is achievable but will require access to two separate GWS environments, still exploring possibilities but is achievable

Existing Goals

• https://github.com/elastic/SWAT/issues/5
• https://github.com/elastic/SWAT/issues/6
• Some existing code cleanup and additional functionality
• Develop capability to use two separate GWS org accounts to emulate external adversary
• Develop capability to pull data from API and show in shell

[terrancedejesus]

⚡ May 11, 2023 Update

Today I will be reviewing some of the enhancements submitted by @brokensound77 for the core of SWAT and implementing some quick wins. Hopefully this only takes the first half of the morning. At 1PM EST, I will be sending out a meeting invite to everyone.

The agenda is the following:

• Quick Recap of the Week: ~15 mins
• Basic Tool Usage and Features "so far": ~20 mins
• Develop our first module, test and review data: ~30 mins

After the meeting I will leave the zoom room open and be in there for the rest of the week. Feel free to come and go as you please!

The demo for May 15th, 2023 is expected to be ~5 minutes long so we will only be able to demo 1 actual emulation. This does not limit our effort though for the rest of the week.

[terrancedejesus]

⚡ May 12, 2023 Update

Today is officially the last day of OnWeek 😢

First I would like to thank everyone for a job well done and all the contributions, 4AM sessions, scholarly documentation review and more! A few moments ago, I dropped in chat a video of a simple "emulation" from swat for adding a user account (t1136) by a third-party desktop application with the help of SWAT. Breadcrumbs are user license assigned + OAuth token for third-party desktop application.

From this I also learned I have to get some bug-fixing code merged into main for us to build more modules. I apologize for the oversight on passing an active authentication session into each module for use. I will get this in ASAP. Accomplishments 🥳

• Researched Google Workspace threats, abuse and more
• Discovered playbooks for intrusion and adversary emulation
• Stood up Google Workspace Lab + Elastic Stack SIEM monitoring
• Developed Modular CLI Shell tool for post-compromise abuse named SWAT
• Built a solid-starting repository for the tool and documentation
• Successfully emulated at least one ATT&CK technique (T1136)
• Collaborated with BrATwurst project team for browser monitoring (will be huge for Tango payload development)

What's Left 🤷🏽

We have accomplished a lot! The SWAT tool still has a long way to go, but for OnWeek purposes we will be able to demonstrate at least 1 decent emulation module. I will not be using the user account creation module for the demo, but instead shift attention to building out one of the phishing modules for the OnWeek demo.

• Develop phishing module for OnWeek Demo
• Create Demo and share for feedback

If I can finish the phishing module and have a demo available by this afternoon, I am hoping to setup our final meeting to discuss for feedback and anything else anyone has.

Post-OnWeek

I invite anyone and everyone to continue contributing to SWAT if they have interest, whether that be via research, new module requests, new feature requests, etc. (No bug bounties, sorry pockets are shallow 😓)

[terrancedejesus]

Closing this as complete!