cutaway

OT / ICS Python Testing & Challenge Requirements (USB Transfer Only)

This section defines the minimum Python modules and system dependencies required to support:

• OT protocol testing
• ICS traffic analysis
• Control system security challenges
• Adversary emulation in cyber ranges
• Engineering workstation simulation

cutaway

The following instructions are for running Bloodhound CE in docker via Windows PowerShell.

** WARNING: Your install will be different. Adjust commands accordingly. **

Check the BH CE Docker Compose Instructions First and if you have issues: https://support.bloodhoundenterprise.io/hc/en-us/articles/17468450058267-Install-BloodHound-Community-Edition-with-Docker-Compose

Steps

• Check clean up commands first. To make sure old instances aren't running.
• Use Start up commands to start

cutaway

Started here to manually parse Bloodhound Data with JQ to Create Lists of Potentially Vulnerable Users and Computers

Get JQ for Windows

Windows jq is an executable that is downloaded and the download is JUST the executable and not an installer. For these examples the executable has been moved to the local directory and renamed 'jq.exe'.

Get jq: https://jqlang.github.io/jq/

Summary List of Commands

Set contents to a variable

cutaway

########################
# Get-ServicesExePerms.ps1: Test the permissions for the service executables and directories.
# Author: Don C. Weber (cutaway)
# Date:   20240723
#
########################

$sf = (Get-CimInstance -ClassName Win32_Service).PathName | ForEach-Object { ( ( ( $_ -Split '.exe' )[0] -replace '^"') + '.exe' ).tolower() } | Sort-Object | Get-Unique | ForEach-Object { if ( Test-Path -Path "$_" -PathType Leaf ) { $_ } }

#$rights = @("FullControl","Modify","Write","Read","ReadAndExecute","Synchronize")

cutaway

######################
# Sim-PSEncFiles.ps1: Simulate file encrption using PSRemoting
# Purpose:  This PS script will encrypt all of the files in a target
#           folder to a selected location. The purpose of this script
#           is to perform actions similar to the actions performed by
#           ransomware. These actions will touch a large number of files,
#           create new files with different extension, and encrypt the
#           file to a new location. The original file is not modified
#
# Author: Don C. Weber (cutaway)

cutaway

from mitmproxy import http
import paramiko

# Original Example: https://stackoverflow.com/questions/27369144/use-mitmproxy-to-translate-a-form-key-value-to-a-body-post

DEBUG = False
#DEBUG = True

class GetRTUCreds:
    localhost = '127.0.0.1'

cutaway

PCAPs Resources

• Download PCAPs
	○ Free PCAPS: https://www.netresec.com/?page=PcapFiles
	○ SecRepo: https://www.secrepo.com/
• ICS Port Numbers
	○ IPv4 Multicast Addresses
		§ https://www.iana.org/assignments/multicast-addresses/multicast-addresses.txt

○ Old Digital Bond: https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md

cutaway

Disable Windows Defender
NOTE: These settings may be permeant.

	• Get-MpComputerStatus
	• Set-MpPreference -DisableRealtimeMonitoring $true
	• Set-MpPreference -DisableBehaviorMonitoring $true
	• Set-MpPreference -DisableIntrusionPreventionSystem $true
	• Set-MpPreference -DisableIOAVProtection $true
	• Set-MpPreference -DisableScriptScanning $true
	• Get-MpComputerStatus

cutaway

###########################
# Bash ~/.bashrc
###########################

function CONPS() {
    n=$1
    export PS1='\n$n \D{%F %T}\n> '
}

alias consult00='CONPS Consult00; cd ~/Documents/consult00'

cutaway

#!/bin/bash
ipt4='/sbin/iptables'
ipt6='/sbin/ip6tables'

for i in $ipt4 $ipt6; do
    # Flush Rules
    echo 'Flushing IPTables: ' $i
    $i -F
    $i -X