Skip to content

Latest commit

 

History

History
43 lines (27 loc) · 3.23 KB

Operations_Flow.md

File metadata and controls

43 lines (27 loc) · 3.23 KB

APT29 Operations Flow

Please see the formal APT29 Intelligence Summary which includes a break-down of the cited intelligence used for each step of this emulation.


/Emulation_Plan/OpFlow_Diagram.png


Scenario 1

Based on CosmicDuke, MiniDuke, SeaDuke/SeaDaddy, CozyDuke/CozyCar, and HAMMERTOSS

This scenario begins with a legitimate user clicking on a malicious payload delivered via a "spray and pray" spearphishing campaign. The attacker immediately kicks off a "smash-and-grab", rapid espionage mission, gathering and exfiltrating data. After initial exfiltration, the attacker realizes the value of the victim and subsequently deploys a stealthier toolkit, changing TTPs and eventually moving laterally through the rest of the environment. The scenario ends with the execution of previously established persistence mechanisms.

The content to execute this scenario was tested and developed using Pupy, Meterpreter, and other custom/modified scripts and payloads. Pupy and Meterpreter were chosen based on their available functionality and similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors.


Scenario 2

Based on PowerDuke, POSHSPY, CloudDuke, and more recent (2016-2018) TTPs

This scenario begins with a legitimate user clicking on a malicious payload delivered via a targeted spearphishing campaign. The attacker employs a methodical approach to compromising the initial target, establishing persistence, gathering credential material, then finally enumerating and compromising the entire domain. Data is exfiltrated to attacker controlled cloud storage. The scenario ends with a simulated time-lapse where previously established persistence mechanisms are executed.

The content to execute this scenario was tested and developed using PoshC2 and other custom/modified scripts and payloads. PoshC2 was chosen based on its available functionality and similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors.


Additional Plan Resources