Aut0.W1n

December 31, 2020 ยท View on GitHub

Autowin is a framework that helps organizations simulate custom attack scenarios in order to improve detection and response capabilities.

Check out all the techniques we developed. Each one has a readme.md file, so you can better understand what they do and how to create a custom scenario.

Autowin's entire architechture is based around Mitre ATT&CK Framework to facilitate not only the creation of the modules, but also the communication between those who test and those who get tested.

Build

Right now we are not releasing a built version of this project, but you can easily build it yourself using Visual Studio.

Techniques

This is a project in development and new techniques are developed every day. Currently available techniques:

MIDTechnique
T1003-001OS Credential Dumping: LSASS Memory
T1037-001Boot or Logon Initialization Scripts: Logon Script
T1046Network Service Scanning
T1053-005Scheduled Tasks
T1059-001Powershell
T1059-003Command and Scripting Interpreter: Windows Command Shell
T1059-005Visual Basic Script
T1059-007Javascript/JScript
T1087-000Account Discovery
T1110-000Brute Force
T1543-003Create or Modify System Process: Windows Service
T1547-001Registry Run Keys / Startup Folder
T1219Remote Access Software
T1036-004Masquerading: Masquerade Task or Service
T1027Obfuscated Files or Information
T1021-001RDP
T1135Network Share Discovery
T1547-005Boot or Logon Autostart Execution: Security Support Provider
T1550-003Use Alternate Authentication Material: Pass the Ticket
T1558-001Steal or Forge Kerberos Tickets: Golden Ticket
T1558-003Steal or Forge Kerberos Tickets: Kerberoasting

[!] Techniques with the "000" suffix are modules that contains multiple subtechniques as execution methods. Modules without any sort of suffix are singular execution method techniques that do not contain any subtechnique.

Usage

Autowin currently supports three execution methods:

Full

TO DO

Flow

You can use the "flow" method to execute techniques that are part of an specific scenario.

AutoWin.exe --flow attack_scenario.flow

Imagine that you want to create a scenario where the attacker enumerates all local users (T1087-000) and tries to brute force their password (T1110-000), you could achieve this by creating the following attack flow:

{
    "Campaign": "Brute Force or Password Spray local Users",
    "Datetime": "2020-07-30 10:00:00",
    "Techniques": {
        "1": {
            "Technique": "T1087-000",
            "EntryData" : {
                "output":"users.txt"
            },
            "Parameters" : [
                "net",
                "local"
            ]
        },
        "2": {
            "Technique": "T1110-000",
            "Parameters" : [
                "local",
                "users.txt",
                "password.txt"
            ]
        }
    }
}

For this example, you must provide a password.txt file contaning the passwords that will be tested against the users.

The framework currently uses the public folder (C:\Users\Public) as it's default artifact/resource dropping location. Techniques use that path automatically whenever possible, so you don't have to worry about it. If your simulation requires a specific directory, you can pass the "Workfolder" parameter in your attack flow file, before declaring your techniques:

{
    "Campaign": "Just an example",
    "Datetime": "2020-07-30 10:00:00",
    "Workfolder": "C:\\temp\\",
    "Techniques": {
     ...

You can also change the path inside the technique scope, as showed in the previous scenario by the variable "output".

Debug

TO DO

Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Please make sure to update tests as necessary.

License

MIT