B1-66ER (Discovery)

Gather target hardware details for the CPU/GPU and detect whether we are running inside a container. Then display the Python version and list the installed pip packages with their version numbers.

B1-66ER Discovery is part 1 of a multi-part AdversarialAI TTP series that will extend the story of B1-66ER, the machine that started the Second Renaissance, sparking the decades-long machine war that led to the creation of The Matrix.

This discovery chain provides a foundation for understanding the potential attack surface of a deep learning environment. Python has been the language of choice for the majority of deep learning applications, particularly because its simple syntax and readability promote rapid testing of complex algorithms and make the language accessible to everyone, including non-developers. Many of the popular deep learning software applications originated in foundational research and academia, where rapid development takes priority over secure software development. As we travel through this multi-part B1-66ER series, we will highlight some of the insecurities of deep learning software and demonstrate an AdversarialAI attack. This discovery chain will provide us with the details we need to build that attack.

After the release of the B1-66ER Initial Access chain, we made some updates to the Discovery chain. It now checks for deep learning frameworks (PyTorch, TensorFlow, ONNX, Keras, CNTK, and others), then upgrades the agent from the lightweight Stage-1 Schism agent to a Stage-2 PneumaEX agent. The chain also installs a backup cron persistence for the Schism agent in the event that PneumaEX is discovered or fails.

This chain includes the following resources:

TTPs
  • View Basic OS Properties
  • List pip Packages
  • Grab Python version
  • View detailed CPU information
  • View Nvidia GPU information
  • Docker & LXC detection
  • Install Schism cron persistence
  • Upgrade implant to stage 2 (PneumaEX)
Supported platforms
  • linux
Supported executors
  • sh
Payloads
  • docker-check.py
  • elevate.tar.gz
In The News
Several Malicious Typosquatted Python Libraries Found On PyPI Repository
Threat Intel
Python developers are being targeted with malicious packages on PyPI

Use Prelude chains to test your defense with simulated adversaries.
New chains drop weekly on #TTPtuesday


Upcoming

Next Chain Drop: 2021-11-02

More Chains

Previous: Vulnerable Certificates (2021-10-19)
Tactics: discovery, collection, command-and-control
Create a random XOR byte, then ingress and XOR a Certify payload to a temporary file on the target system. Bypass AMSI, load, and then run the XOR'd Certify payload in memory.

Next: JXA Modules (2021-10-05)
Tactics: discovery, execution, impact, collection, persistence, command-and-control
Tags: surveillance, apt29 scenario 1, apt29
Deploy a script that dynamically resolves various implant modules. Automatically resolve and install an HTTP C2 module. At runtime, tasks are sent to the agent, which is able to resolve missing modules, install them, and run both shell and keyword-based TTPs.

Latest Drop: Sequoia (2021-10-26)
Tactics: discovery, resource-development, privilege-escalation
Stages a directory in the home folder to hold the exploit's seq_file directory structure. Performs a kernel version check and checks for vulnerable kernel settings. Discovers available system RAM and checks whether it meets the exploitation requirements. Finally, ingresses the exploit payload and launches a privileged Pneuma agent.