Automating GOAD and Live Malware Labs

This post describes an automated, scalable cyber range that uses Ludus to deploy multi-VM labs (GOAD and XZbot) and instruments every host with Elastic Agent and Elastic Defend to validate detections against real attacks. It details the isolation techniques used to run a live CVE-2024-3094 (xz-utils) backdoor safely, shows how Elastic SIEM/XDR (Event Analyzer, Session Viewer) surfaces the forensic “smoking guns”, and explains AI-driven hunting and response with Attack Discovery, the AI Assistant, and Elastic Workflows.

Keypoints

  • Ludus automates provisioning of complex, multi-VM cyber ranges (Proxmox/Ansible/Packer) from a single YAML file, enabling repeatable, high-fidelity labs.
  • The integrated build merges GOAD (a multi-domain Active Directory lab with Kerberoasting, PrintNightmare and similar attack paths) with XZbot (a trigger client for a live CVE-2024-3094 xz-utils backdoor) so that identity and software-supply-chain attack paths can be exercised in one range.
  • Elastic Agent with the Elastic Defend integration is deployed automatically to every VM to provide kernel-level EDR telemetry and feed Elastic Cloud Hosted/Serverless for SIEM/XDR analysis.
  • Ludus testing mode (which snapshots the range and blocks VM internet access, with per-domain or per-IP pinholes opened explicitly) and WireGuard-based management access grant only the minimal connectivity the agents need for telemetry while keeping the live malware contained.
  • Elastic Security features—prebuilt MITRE-mapped detection rules, Event Analyzer, and Session Viewer—enable rapid detection and forensic reconstruction of Windows and Linux attack chains.
  • AI-driven capabilities (Attack Discovery, AI Assistant) accelerate correlation and triage, while Elastic Workflows automates enrichment, response actions, and incident playbooks.
  • The architecture is presented as a repeatable, continuous detection-engineering pipeline to validate and evolve defenses against real-world attacks.

MITRE Techniques

  • [T1110] Brute Force (Credential Stuffing, T1110.004) – Credential stuffing against the external perimeter to validate breached credentials (‘Result: Valid credentials for a low-privilege domain user.’)
  • [T1068] Exploitation for Privilege Escalation – Exploiting PrintNightmare to install a malicious print driver and obtain SYSTEM (‘This vulnerability in the Windows Print Spooler service allows any authenticated user to install a malicious print driver.’)
  • [T1003.001 / T1003.002] OS Credential Dumping: LSASS Memory / Security Account Manager – Using Impacket secretsdump to extract NTLM hashes (‘you run Impacket’s secretsdump to pull hashes from the SAM database and LSASS memory.’)
  • [T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting – Requesting Kerberos service tickets for SPNs, taking the encrypted TGS offline, and cracking it to recover service-account plaintext passwords (‘You request Kerberos Service Tickets (TGS) for Service Principal Names (SPNs) in the environment… take the encrypted ticket offline and crack it to reveal the plaintext password.’)
  • [T1505.001] Server Software Component: SQL Stored Procedures – Abusing MSSQL xp_cmdshell with cracked service credentials to achieve RCE on the database server (‘you abuse the xp_cmdshell stored procedure… giving you Remote Code Execution (RCE) on the database server.’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Creating a Windows Scheduled Task that runs a beacon binary as SYSTEM for persistence (‘You create a Windows Scheduled Task on the compromised SQL server… configured to execute a beacon binary every day, running as SYSTEM.’)
  • [T1210] Exploitation of Remote Services – Triggering the XZ backdoor through the SSH handshake to bypass authentication and execute commands as root (‘By manipulating the SSH handshake with a specific cryptographic key, you bypass authentication entirely and execute commands as root without leaving standard SSH logs.’)
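The detections that the Elastic Security keypoint above refers to can be sketched as rule logic over the attack chain just listed. The block below is an added example written for this page; it is not code from the Elastic post, from Elastic Security's prebuilt rules, or from Ludus. It runs four toy detectors over constructed ECS/Winlogbeat-style events (field names such as winlog.event_data.TicketEncryptionType follow Elastic conventions, but the hostnames, users and values are invented) and returns the alerts each would raise, tagged with the MITRE ID. The final detector shows why the XZ backdoor case is interesting: the trigger leaves no SSH authentication log, so the process telemetry (sshd spawning a root shell with no preceding successful login) is the only signal.

```python
"""Added example, not code from the Elastic post or the Ludus/Elastic projects.
Toy detection logic for the GOAD/XZbot attack chain over constructed events."""
from collections import defaultdict

RC4_TYPES = {"0x17", "0x18"}                     # RC4-HMAC / RC4-HMAC-EXP ticket encryption
SHELLS = {"sh", "bash", "dash"}                  # Linux shell binaries
WIN_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (made up for this example; not real telemetry).
SAMPLE_EVENTS = [
    # 4769: TGS request for a user-owned SPN with RC4 requested -> Kerberoasting
    {"event.code": "4769", "host.name": "kingslanding", "user.name": "jon.snow",
     "winlog.event_data.ServiceName": "sql_svc",
     "winlog.event_data.TicketEncryptionType": "0x17", "winlog.event_data.Status": "0x0"},
    # 4769: machine-account SPN with AES256 (0x12), normal traffic
    {"event.code": "4769", "host.name": "kingslanding", "user.name": "arya.stark",
     "winlog.event_data.ServiceName": "CASTELBLACK$",
     "winlog.event_data.TicketEncryptionType": "0x12", "winlog.event_data.Status": "0x0"},
    # SQL Server service process spawning a shell -> xp_cmdshell
    {"event.category": "process", "host.name": "braavos", "user.name": "sql_svc",
     "process.parent.name": "sqlservr.exe", "process.name": "cmd.exe",
     "process.command_line": "cmd.exe /c whoami /all"},
    # 4698: scheduled task created whose principal is SYSTEM (S-1-5-18)
    {"event.code": "4698", "host.name": "braavos", "user.name": "sql_svc",
     "winlog.event_data.TaskName": "\\Updater",
     "winlog.event_data.TaskContent":
         "<Task><Actions><Exec><Command>C:\\Windows\\Temp\\beacon.exe</Command></Exec></Actions>"
         "<Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals></Task>"},
    # Normal SSH session: successful authentication followed by a shell under sshd
    {"event.category": "authentication", "event.outcome": "success",
     "host.name": "bastion", "user.name": "ops", "process.name": "sshd"},
    {"event.category": "process", "host.name": "bastion", "user.name": "ops",
     "process.parent.name": "sshd", "process.name": "bash", "process.command_line": "-bash"},
    # XZ backdoor trigger: sshd spawns a root shell and no authentication event exists
    {"event.category": "process", "host.name": "linux-xz", "user.name": "root",
     "process.parent.name": "sshd", "process.name": "sh",
     "process.command_line": "sh -c \"setsid sh -c 'echo test'\""},
]


def _alert(technique, event, reason):
    return {"technique": technique, "host": event["host.name"], "reason": reason}


def detect_kerberoasting(events, min_spns=1):
    """T1558.003: RC4 TGS requests for non-machine, non-krbtgt SPNs, grouped by requester.
    Raise min_spns in production; a single RC4 request is noisy in mixed estates."""
    spns = defaultdict(set)
    for e in events:
        if e.get("event.code") != "4769" or e.get("winlog.event_data.Status") != "0x0":
            continue
        spn = e.get("winlog.event_data.ServiceName", "")
        if spn.endswith("$") or spn.lower() == "krbtgt":
            continue  # machine accounts and the KDC's own service are not roastable targets
        if e.get("winlog.event_data.TicketEncryptionType") in RC4_TYPES:
            spns[(e["host.name"], e["user.name"])].add(spn)
    return [{"technique": "T1558.003", "host": h,
             "reason": f"{u} requested RC4 tickets for {sorted(s)}"}
            for (h, u), s in spns.items() if len(s) >= min_spns]


def detect_xp_cmdshell(events):
    """T1505.001: the SQL Server service process spawning a command shell."""
    return [_alert("T1505.001", e, f"sqlservr.exe spawned {e['process.command_line']}")
            for e in events
            if e.get("event.category") == "process"
            and e.get("process.parent.name", "").lower() == "sqlservr.exe"
            and e.get("process.name", "").lower() in WIN_SHELLS]


def detect_system_scheduled_task(events):
    """T1053.005: scheduled task created with SYSTEM (S-1-5-18) as its principal."""
    return [_alert("T1053.005", e, f"task {e['winlog.event_data.TaskName']} runs as SYSTEM")
            for e in events
            if e.get("event.code") == "4698"
            and "<UserId>S-1-5-18</UserId>" in e.get("winlog.event_data.TaskContent", "")]


def detect_sshd_shell_without_login(events):
    """T1210 (XZ backdoor): sshd spawns a shell for a user who never authenticated.
    A real rule bounds the correlation by time; this example correlates over the batch."""
    logged_in = {(e["host.name"], e["user.name"]) for e in events
                 if e.get("event.category") == "authentication"
                 and e.get("event.outcome") == "success"}
    return [_alert("T1210", e,
                   f"sshd spawned {e['process.command_line']} as {e['user.name']} with no login")
            for e in events
            if e.get("event.category") == "process"
            and e.get("process.parent.name") == "sshd"
            and e.get("process.name") in SHELLS
            and (e["host.name"], e["user.name"]) not in logged_in]


def run_detections(events):
    """Run every detector and return the combined alert list."""
    alerts = []
    for detector in (detect_kerberoasting, detect_xp_cmdshell,
                     detect_system_scheduled_task, detect_sshd_shell_without_login):
        alerts.extend(detector(events))
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a["technique"], a["host"], a["reason"])
```

Each detector encodes one of the “smoking guns” the post reconstructs in Event Analyzer or Session Viewer (the sqlservr.exe → cmd.exe parent/child pair, the SYSTEM principal inside the 4698 task XML, the sshd → sh tree with no login). The Kerberoasting check deliberately skips machine accounts and krbtgt, and the SSH check has to be stateful, because the backdoor's whole point is that the authentication log never fires.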

Indicators of Compromise

  • [Vulnerability/Backdoor] CVE-2024-3094 (the xz-utils/liblzma backdoor), deployed deliberately in the lab
  • [Malware/Tool] Lab tooling and exploit – the XZbot trigger client (trigger example: xzbot --ssh-addr '10.X.X.X:22' -cmd 'setsid sh -c "echo test"'), and the ludus_xz_backdoor role that installs the backdoored build
  • [Domain] Elastic Cloud control/data endpoint suffixes (used for agent enrollment and ingest) – .fleet.us-central1.gcp.cloud.es.io, .es.us-central1.gcp.cloud.es.io; these are the egress pinholes the range needs, not attacker infrastructure
  • [Hostname/Internal DNS] Simulated internal hosts in the range – castelblack.north.sevenkingdoms.local, braavos.essos.local (and other lab zones such as sevenkingdoms.local)
  • [IP Address] Management and VM addresses used in examples – 198.51.100.1 (WireGuard/router), 198.51.100.2 (client), and the internal example 10.10.10.11 (plus the placeholder 10.X.X.X:22); 198.51.100.0/24 is the RFC 5737 TEST-NET-2 documentation range, so these are placeholders rather than live infrastructure
  • [File name / Artifact] Example forensic artifacts – ‘invoice.js’ (downloaded-file example), the beacon binary launched by the scheduled task, and evidence of xp_cmdshell execution (sqlservr.exe spawning a shell)


Read more: https://www.elastic.co/security-labs/automating-goad-and-live-malware-labs