Mocksum – Simulate and Plant Realistic Artifacts
Mocksum is a module that provides access to a collection of files that mimic malware samples via MD5 hash collisions. The files downloaded via Mocksum allow you to simulate and plant realistic artifacts during training sessions, incident response drills or red team engagements. Without the risk of handling real malware. In a nutshell, these artifacts are harmless files that produce the same MD5 checksum as real malicious files. In many cases, the harmless artifacts also get detected by anti-virus software.
The Most Relevant Commands
- Invoking Mocksum
The module can be invoked with “use mocksum” directly from the BT3 command-line interface. You should note that the BT3 command prompt changes based on the current module in use.
Mocksum module ready for use after invocation
- Module version check
The current module version can be checked with the “version” command.
Mocksum version command output
- Module help overview
Mocksum supports a range of general commands, which can be displayed with “help”.
List of commands supported by the module
- Module material list
Mock files available for use can be listed with “show mockfiles”. If a content subscription account is already authenticated, the command will retrieve mock file information from the online library. More targeted mock file listing can be achieved with “show mockfiles cloud”, “show mockfiles disk”, “show mockfiles free” and “show mockfiles premium”. These commands will present all mock files available online, mock files found locally on your computer, mock files which can be downloaded for free, and mock files which can be downloaded with the use of content credits respectively.
Example with available mock files in the cloud
- Material search
Available mock files can be easily found with the “search” command. Searches use the mock file name or its description as criterion.
Search results presented by the module
- Material information
Detailed information about a given mock file can be shown with the “info” command. The expected command argument is the mock file to present. Note that mock files downloaded to your local disk will have a “.mock” extension, while those online do not.
Details about a PCAP file found on disk
- Material download
Authenticated content subscription accounts will have access to the Blue Team Training Toolkit online library, with both free and premium training content. Premium online training content has a price, which will be deducted from the user’s existing content credit balance. Premium downloads require users to have enough credit balance in order to complete the download. Free online content, on the other hand, can be downloaded without restrictions. Downloading online resources can be done with the “download” command, and the material name provided as an argument.
Successful material download
- Material download history
The training material download history associated with your subscription account can be retrieved with “show downloads”.
Material download history
- Module network interfaces overview
Available network interfaces can be displayed with the “show interfaces” command. This has been included in order to provide a more homogeneous command list among the different BT3 modules.
Listing available network interfaces
- Module option list
This module currently provides access to the mock file library and it has no configurable options.
- Module execution
This module currently provides access to the mock file library and it cannot be run.
Once a mock file has been downloaded to your disk, you may plant it in your training environment. Multiple possibilities and goals can be accomplished with mock files, such as:
Mock files could be used as flags, which let the blue team know that a (simulated) malicious file has been found.
- Mastering log correlation and third party threat intelligenceMock files have MD5 hash collisions that mimic real malware samples. By calculating their checksums, your blue team can find real information about the mimicked malware sample in different sources. This kind of practice can allow the blue team to master event investigation, get used to using third party threat intelligence services, or correlate in-house logs (e.g. Centralized anti-malware solution).
For a more realistic experience, mock files can be renamed to “.exe” (Windows) or “.bin” (Linux). Since the mock files are not malicious files, there is no risk if the files are accidentally executed.