From b113a8de6962e2f792f0d1072640e46f83a697e1 Mon Sep 17 00:00:00 2001 From: Mike Cunningham Date: Tue, 10 Oct 2023 10:25:27 -0700 Subject: [PATCH] Update README.md (#144) --- README.md | 50 +++++++++++++++++++++++++------------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/README.md b/README.md index 1609115..b349040 100644 --- a/README.md +++ b/README.md 
@@ -30,35 +30,35 @@ Plans](https://medium.com/mitre-engenuity/ahhh-this-emulation-is-just-right-intr Available adversary emulation plans are listed below: -| Full Emulation Plans | Intelligence Summary | -| :------------------------------: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [FIN6](/fin6/) | [FIN6 is thought to be a financially motivated cyber-crime group. The group has aggressively targeted and compromised high-volume POS systems in the hospitality and retail sectors since at least 2015...](/fin6/Intelligence_Summary.md) | -| [APT29](/apt29/) | [APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation...](/apt29/Intelligence_Summary.md) | -| [menuPass](/menu_pass/) | [menuPass is thought to be threat group motivated by collection objectives, with targeting that is consistent with Chinese strategic objectives...](/menu_pass/Intelligence_Summary.md) | -| [Carbanak Group](/carbanak/) | [Carbanak is a threat group who has been found to manipulate financial assets, such as by transferring funds from bank accounts or by taking over ATM infrastructures...](/carbanak/Intelligence_Summary.md) | -| [FIN7](/fin7/) | [FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. 
The group is characterized by their persistent targeting and large-scale theft of payment card data from victim systems...](/fin7/Intelligence_Summary.md) | -| [Sandworm](/sandworm/) | [Sandworm Team is a destructive threat group attributed to Russia's General Staff of the Armed Forces, Main Intelligence Directorate (GRU) that has been reportedly active since 2009. Sandworm is known for conducting large scale, well funded, destructive, and aggressive campaigns such as Olympic Destroyer, CrashOverride/Industroyer, and NotPetya...](/sandworm/Intelligence_Summary/Intelligence_Summary.md) | +| Full Emulation Plans | Intelligence Summary | +| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [APT29](/apt29/) | [APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation...](/apt29/Intelligence_Summary.md) | +| [Blind Eagle](/blind_eagle/) | [Blind Eagle is a South American threat actor focused on Colombia-based institutions, including entities in the financial, manufacturing, and petroleum sectors. 
Largely opportunistic in their motives, Blind Eagle leverages commodity RATs modified to fit the environment...](/blind_eagle/Intelligence_Summary/Intelligence_Summary.md) | +| [Carbanak Group](/carbanak/) | [Carbanak is a threat group who has been found to manipulate financial assets, such as by transferring funds from bank accounts or by taking over ATM infrastructures...](/carbanak/Intelligence_Summary.md) | +| [FIN6](/fin6/) | [FIN6 is thought to be a financially motivated cyber-crime group. The group has aggressively targeted and compromised high-volume POS systems in the hospitality and retail sectors since at least 2015...](/fin6/Intelligence_Summary.md) | +| [FIN7](/fin7/) | [FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. The group is characterized by their persistent targeting and large-scale theft of payment card data from victim systems...](/fin7/Intelligence_Summary.md) | +| [menuPass](/menu_pass/) | [menuPass is thought to be threat group motivated by collection objectives, with targeting that is consistent with Chinese strategic objectives...](/menu_pass/Intelligence_Summary.md) | +| [OceanLotus](/ocean_lotus/) | [OceanLotus is a cyber threat actor aligning to the interests of the Vietnamese government. First seen in 2012, OceanLotus targets private corporations in the manufacturing, consumer product, and hospitality sectors as well as foreign governments, political dissidents, and journalists....](/ocean_lotus/Intelligence_Summary/Intelligence_Summary.md) | +| [OilRig](/oilrig/) | [OilRig is a cyber threat actor with operations aligning to the strategic objectives of the Iranian government. 
OilRig has been operational since at least 2014 and has a history of widespread impact, with operations directed against financial, government, energy, chemical, telecommunications and other sectors around the globe...](/oilrig/Intelligence_Summary/Intelligence_Summary.md) | +| [Sandworm](/sandworm/) | [Sandworm Team is a destructive threat group attributed to Russia's General Staff of the Armed Forces, Main Intelligence Directorate (GRU) that has been reportedly active since 2009. Sandworm is known for conducting large scale, well funded, destructive, and aggressive campaigns such as Olympic Destroyer, CrashOverride/Industroyer, and NotPetya...](/sandworm/Intelligence_Summary/Intelligence_Summary.md) | +| [Turla](/turla/) | [Active since at least the early 2000s, Turla is a sophisticated Russian-based threat group that has infected victims in more than 50 countries. Turla leverages novel techniques and custom tooling and open-source tools to elude defenses and persist on target networks...](/turla/Intelligence_Summary/Intelligence_Summary.md) | | [Wizard Spider](/wizard_spider/) | [Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware. In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of the Ryuk ransomware. This resulted in "big game hunting" campaigns, focused on targeting large organizations for high-ransom return rates.](/wizard_spider/Intelligence_Summary/Intelligence_Summary.md).. | -| [OilRig](/oilrig/) | [OilRig is a cyber threat actor with operations aligning to the strategic objectives of the Iranian government. 
OilRig has been operational since at least 2014 and has a history of widespread impact, with operations directed against financial, government, energy, chemical, telecommunications and other sectors around the globe...](/oilrig/Intelligence_Summary/Intelligence_Summary.md) | -| [Blind Eagle](/blind_eagle/) | [Blind Eagle is a South American threat actor focused on Colombia-based institutions, including entities in the financial, manufacturing, and petroleum sectors. Largely opportunistic in their motives, Blind Eagle leverages commodity RATs modified to fit the environment...](/blind_eagle/Intelligence_Summary/Intelligence_Summary.md) | -| [Turla](/turla/) | [Active since at least the early 2000s, Turla is a sophisticated Russian-based threat group that has infected victims in more than 50 countries. Turla leverages novel techniques and custom tooling and open-source tools to elude defenses and persist on target networks...](/turla/Intelligence_Summary/Intelligence_Summary.md) | -| [OceanLotus](/ocean_lotus/) | [OceanLotus is a cyber threat actor aligning to the interests of the Vietnamese government. 
First seen in 2012, OceanLotus, OceanLotus targets private corporations in the manufacturing, consumer product, and hospitality sectors as well as foreign governments, political dissidents, and journalists....](/ocean_lotus/Intelligence_Summary/Intelligence_Summary.md) | + | Micro Emulation Plans | Intelligence Summary | -| :--------------------------------------------------------------------------: | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| --------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Active Directory Enumeration](/micro_emulation_plans/src/ad_enum/) | Emulate multiple [TA0007 Discovery](https://attack.mitre.org/tactics/TA0007/) behaviors through commonly abused interfaces and services such as Active Directory (AD) | +| [Data Exfiltration](/micro_emulation_plans/src/data_exfil/) | Emulates the compound behaviors of an adversary finding, staging, archiving, and extracting sensitive files, as described in [TA0010 Exfiltration](https://attack.mitre.org/tactics/TA0010/) | +| [DLL Sideloading](/micro_emulation_plans/src/dll_sideloading/) | Emulates an adversary executing an 
otherwise legitimate/benign application in order to hijack its modules/libraries to instead inject their malicious payload, as described in [T1574.002 Hijack Execution Flow: DLL Side-Loading](https://attack.mitre.org/techniques/T1574/002/) | | [File Access and File Modification](/micro_emulation_plans/src/file_access/) | Emulate file access and modification behaviors commonly associated with [TA0009 Collection](https://attack.mitre.org/tactics/TA0009/) as well as [T1486 Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486/). (Data source: [DS0022 File](https://attack.mitre.org/datasources/DS0022/)) | -| [Named Pipes](/micro_emulation_plans/src/named_pipes/) | Emulates the creation and use of named pipes [commonly abused by malware](https://labs.withsecure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/) (Data source: [DS0023 Named Pipe](https://attack.mitre.org/datasources/DS0023/)) | -| [Windows Registry](/micro_emulation_plans/src/windows_registry/) | Emulates a few common methods that adversaries use to modify the Windows Registry. 
(Data Source: [DS0024 Windows Registry](https://attack.mitre.org/datasources/DS0024/)) | -| [Web Shells](/micro_emulation_plans/src/webshell/) | Emulates the compound behavior of planting a web shell ([T1505.003 Server Software Component: Web Shell](https://attack.mitre.org/techniques/T1505/003/)) and then executing arbitrary commands through it ([T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)) | -| [Process Injection](/micro_emulation_plans/src/process_injection/) | Emulates the compound behavior of [T1055 Process Injection](https://attack.mitre.org/techniques/T1055/) followed by execution of arbitrary commands ([T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)) | -| [User Execution](/micro_emulation_plans/src/user_execution/) | Emulates the compound behavior of delivering a malicious `.one`, `.doc`, `.lnk`, or `.iso` file (e.g. via [T1566.001 Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)) and then executing arbitrary commands after a user invokes the file ([T1204.002 User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) and [T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)). 
| -| [Active Directory Enumeration](/micro_emulation_plans/src/ad_enum/) | Emulate multiple [TA0007 Discovery](https://attack.mitre.org/tactics/TA0007/) behaviors through commonly abused interfaces and services such as Active Directory (AD) | -| [Reflective Loading](/micro_emulation_plans/src/reflective_loading/) | Emulates an adversary performing running malicious code within an arbitrary process to perform [T1620 Reflective Code Loading](https://attack.mitre.org/techniques/T1620/) | -| [Remote Code Execution](/micro_emulation_plans/src/apache_rce/) | Emulates an adversary performing remote code execution against a vulnerable web server as documented in [T1190 Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) | -| [Log Clearing](/micro_emulation_plans/src/log_clearing) | Emulates an adversary clearing Windows Event Log, as described in [T1070.001 Indicator Removal: Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/) | -| [Data Exfiltration](/micro_emulation_plans/src/data_exfil/) | Emulates the compound behaviors of an adversary finding, staging, archiving, and extracting sensitive files, as described in [TA0010 Exfiltration](https://attack.mitre.org/tactics/TA0010/) | -| [DLL Sideloading](/micro_emulation_plans/src/dll_sideloading/) | Emulates an adversary executing an otherwise legitimate/benign application in order to hijack its modules/libraries to instead inject their malicious payload, as described in [T1574.002 Hijack Execution Flow: DLL Side-Loading](https://attack.mitre.org/techniques/T1574/002/) | - +| [Log Clearing](/micro_emulation_plans/src/log_clearing) | Emulates an adversary clearing Windows Event Log, as described in [T1070.001 Indicator Removal: Clear Windows Event Logs](https://attack.mitre.org/techniques/T1070/001/) | +| [Named Pipes](/micro_emulation_plans/src/named_pipes/) | Emulates the creation and use of named pipes [commonly abused by 
malware](https://labs.withsecure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/) (Data source: [DS0023 Named Pipe](https://attack.mitre.org/datasources/DS0023/)) | +| [Process Injection](/micro_emulation_plans/src/process_injection/) | Emulates the compound behavior of [T1055 Process Injection](https://attack.mitre.org/techniques/T1055/) followed by execution of arbitrary commands ([T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)) | +| [Reflective Loading](/micro_emulation_plans/src/reflective_loading/) | Emulates an adversary performing running malicious code within an arbitrary process to perform [T1620 Reflective Code Loading](https://attack.mitre.org/techniques/T1620/) | +| [Remote Code Execution](/micro_emulation_plans/src/apache_rce/) | Emulates an adversary performing remote code execution against a vulnerable web server as documented in [T1190 Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) | +| [User Execution](/micro_emulation_plans/src/user_execution/) | Emulates the compound behavior of delivering a malicious `.one`, `.doc`, `.lnk`, or `.iso` file (e.g. via [T1566.001 Phishing: Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001/)) and then executing arbitrary commands after a user invokes the file ([T1204.002 User Execution: Malicious File](https://attack.mitre.org/techniques/T1204/002/) and [T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)). 
| +| [Web Shells](/micro_emulation_plans/src/webshell/) | Emulates the compound behavior of planting a web shell ([T1505.003 Server Software Component: Web Shell](https://attack.mitre.org/techniques/T1505/003/)) and then executing arbitrary commands through it ([T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)) | +| [Windows Registry](/micro_emulation_plans/src/windows_registry/) | Emulates a few common methods that adversaries use to modify the Windows Registry. (Data Source: [DS0024 Windows Registry](https://attack.mitre.org/datasources/DS0024/)) | ## Philosophy These adversary emulation plans are based on known-adversary behaviors and designed to
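Review bot: since every row of both tables is rewritten in this hunk, the carried-over wording and link defects should be fixed in the same pass rather than re-added verbatim: the Reflective Loading row still reads "Emulates an adversary performing running malicious code" (drop "performing"), the menuPass row still reads "thought to be threat group" (missing "a"), the OceanLotus row ends "journalists...." with four dots, and the Log Clearing link `/micro_emulation_plans/src/log_clearing` is the only one without the trailing slash. Two further points: the first-column alignment marker changes from `:---:` to `---`, so the plan names are no longer centered, which is a rendering change the commit message does not mention; and the unchanged Wizard Spider context row ends with `.md).. |`, two stray dots outside the link that would be worth cleaning up while the table is being reordered.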