If an adversary focused on the fictional Dunder Mifflin office, how could they approach an offensive cyber operation?
We spend a lot of time watching television.
Especially in recent months, with the pandemic shutting down our typical social gatherings, we’re opting for more entertainment on TV, not less. Whether you love it or hate it, television shows capture our attention and dominate much of the “water cooler” talk in the modern, virtual office place.
This got me thinking: what if an adversary attempted to infiltrate one of the fictional offices from a popular television show?
This may end up as a blog series, as there are a few shows I’d like to complete this table-top exercise against. Let me know which show you’d like to see next!
What would happen if an adversary attempted to gain a foothold into Dunder Mifflin, the fictional company featured in “The Office”?
Step #1: Reconnaissance
An adversary would likely start by obtaining a blueprint of the Scranton, Pa., office space. They could gain this by watching the show, scouring the internet or gaining access through a company tour. Andy seems like the perfect character to trick into giving us a personal tour.
Sketching it out, the adversary - let’s call them APT-TV - would likely have the following layout:
At this point, APT-TV would start outlining its goals:
Obtain the financial records from the accounting department
Ransomware Michael’s computer
Not get caught
Based on Open Source Intelligence (OSINT) practices, APT-TV has many options at hand. They’ve seen all 9 seasons of the show and have a solid understanding of what makes each character tick. They’re poised and ready to proceed.
Step #2: Initial access
From watching the show, APT-TV knows that Darryl spends a good chunk of time in the 1st floor warehouse, which has an open garage door to the parking lot. Because he splits his time between the warehouse and the main office, he’s a prime target.
Grabbing a handful of rubber duckies, APT-TV writes a ducky script and compiles a Pneuma implant on each of the USB drives:
This ducky script will:
Pop open a terminal
Switch over to a PowerShell terminal
Execute a hidden command to download and execute the agent connecting to a remote Operator instance over a raw TCP port
Close the terminal to avoid suspicion
It’s time to act: the clock just ticked to 8:30 a.m. and the warehouse staff will begin filtering in within the hour. APT-TV slinks into the parking lot, dropping a few USBs in strategic locations, based on where Darryl tends to park and walk. They are labelled with alluring tags, such as “winning lottery numbers” and “getting workplace comp”.
With the drives dropped, APT-TV sets up shop in the local Chili’s restaurant because the WiFi is strong and it provides a good cover to any attribution attempts later on.
I’m not sure if Dunder Mifflin has an incident response team but let’s say yes.
Step #3: Lateral movement
It’s 9:46 a.m., and APT-TV opens up Operator, checking out the red range:
With an agent stealthily running in the background of Darryl’s Macbook computer, let’s revisit APT-TV’s status:
Now it’s time for the threat actor to move laterally, aiming first to get into the accounting department.
The obvious target is Kevin. Fun-loving guy - but not too bright and has a tendency of browsing to websites that are known to be bloated with viruses. This means there’s likely already an exploited vulnerability waiting for us on his desktop computer, so the first thing to do is an ARP scan (to locate his IP address) followed up with a port scan (to see what ports are wide open). APT-TV opens a reverse shell to Darry’s computer and starts entering the commands:
After several variations of NMAP port scanning, pinging the host and attempting to de-authenticate the machine with the office router… APT-TV uncovers an interesting finding: port 5985 is the only open port available, which is running WinRM, presumably for the “IT guy” to do remote patching. Kevin has probably required a lot of this.
Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate.
Trying a basic WinRM login attempt, with the password of “password” - APT-TV is in. Immediately, they start another Pnuema implant, this time running HTTP. Gaining multiple foot holds into the environment helps ensure persistence if things go wrong.
Now it’s time to steal whatever sensitive data/files which exist in the accounting department. APT-TV enumerates the files available on Kevin’s computer with the following TTP:
This uncovers a trove of interesting files, all modified in the last 24 hours. So APT-TV designs an exfiltration adversary profile on the fly and attempts to steal them all:
With the files safely stolen, it’s time to turn the attention on the final target: Michael Scott.
APT-TV needs to do a second lateral movement, in order to land on Michael’s computer. From a prior ARP scan, they found that he’s running Arch Linux (what?!). This could mean he’s leveraging Pacman to build his own unpredictable system with no obvious ways in. No big deal. APT-TV knows Michael is the self-proclaimed “king of email forwards”, so that’s the way in.
Taking a known phishing attempt off the shelf, APT-TV embeds a drive-by download of the Pneuma agent into a link and clicks send:
Within seconds, beacon number three arrives. Michael Scott has been hooked.
To complete the operation, APT-TV needs to conduct a “smash-and-grab” ransomware attack. The important company files have already been stolen (thanks Kevin!) and now it’s time to inflict damage.
Once again, pulling up Operator, APT-TV flips through the ransomware TTPs:
Opting for the GOransom binary - a custom ransomware attack built by Prelude to mimic a real-world event - APT-TV adds the matching TTPs to a new adversary profile and clicks Deploy.
Within seconds, all of the files on Michael’s computer have been encrypted with a newly generated cryptographic key.
Operator, by design, only encrypts copies of existing files - not the original. So the GOransom binary is quite safe to run in the real world. But this is a fictional world, so we’re having some fun.
Quickly deleting all agents from the three infected machines (to make attribution a bit tougher), APT-TV then swiftly closes their laptops and exits Chili’s. This is in fact the place business happens:
I hope you enjoyed this fictional offensive cyber operation, between APT-TV and the Dunder Mifflin office from ‘The Office.’ I’d love to hear your thoughts on other shows we could use to highlight various offensive security strategies!
This is great David! Almost broke out the popcorn. Was thinking about rubber ducky drive labels to add to the list like: “company salaries”, “scheduled layoffs”, “termination list”. I was kinda disappointed with IT’s lack of security on that remote setup (probably based on a true story, unfortunately). I was ready for a brute force password spray using rockyou.txt or similar but dang it was just “too easy”;). I didn’t know you could use nmap inside Operator’s reverse shell. Keep em coming!