In collaboration with Center Participants, the Center for Threat-Informed Defense (Center) maintains a library of adversary emulation plans to allow organizations to evaluate their defensive capabilities against the real-world threats they face. Emulation plans are an essential component in testing current defenses for organizations that are looking to prioritize their defenses around actual adversary behavior. Focusing our energies on developing a set of common emulation plans that are available to all means that organizations can use their limited time and resources to focus on understanding how their defenses actually fare against real-world threats.
The library contains two types of adversary emulation plans: full emulation and micro emulation.
Full emulation plans are a comprehensive approach to emulating a specific adversary, e.g. FIN6, from initial access to exfiltration. These plans emulate a wide range of ATT&CK tactics & techniques and are designed to emulate a real breach from the designated adversary.
Micro emulation plans are a focused approach to emulating compound behaviors seen across multiple adversaries, e.g. webshells. These plans emulate a small amount of ATT&CK techniques that are typically performed as part of one adversary action.
Also see our blogs on the Adversary Emulation Library and Micro Emulation Plans.
Available adversary emulation plans are listed below:
| Micro Emulation Plans | Intelligence Summary |
|---|---|
| Active Directory Enumeration | Emulate multiple TA0007 Discovery behaviors through commonly abused interfaces and services such as Active Directory (AD) |
| Data Exfiltration | Emulates the compound behaviors of an adversary finding, staging, archiving, and extracting sensitive files, as described in TA0010 Exfiltration |
| DLL Sideloading | Emulates an adversary executing an otherwise legitimate/benign application in order to hijack its modules/libraries to instead inject their malicious payload, as described in T1574.002 Hijack Execution Flow: DLL Side-Loading |
| File Access and File Modification | Emulate file access and modification behaviors commonly associated with TA0009 Collection as well as T1486 Data Encrypted for Impact. (Data source: DS0022 File) |
| Log Clearing | Emulates an adversary clearing Windows Event Log, as described in T1070.001 Indicator Removal: Clear Windows Event Logs |
| Named Pipes | Emulates the creation and use of named pipes commonly abused by malware (Data source: DS0023 Named Pipe) |
| Process Injection | Emulates the compound behavior of T1055 Process Injection followed by execution of arbitrary commands (T1059 Command and Scripting Interpreter) |
| Reflective Loading | Emulates an adversary performing running malicious code within an arbitrary process to perform T1620 Reflective Code Loading |
| Remote Code Execution | Emulates an adversary performing remote code execution against a vulnerable web server as documented in T1190 Exploit Public-Facing Application |
| User Execution | Emulates the compound behavior of delivering a malicious .one, .doc, .lnk, or .iso file (e.g. via T1566.001 Phishing: Spearphishing Attachment) and then executing arbitrary commands after a user invokes the file (T1204.002 User Execution: Malicious File and T1059 Command and Scripting Interpreter). |
| Web Shells | Emulates the compound behavior of planting a web shell (T1505.003 Server Software Component: Web Shell) and then executing arbitrary commands through it (T1059 Command and Scripting Interpreter) |
| Windows Registry | Emulates a few common methods that adversaries use to modify the Windows Registry. (Data Source: DS0024 Windows Registry) |
These adversary emulation plans are based on known-adversary behaviors and designed to empower red teams to manually emulate a specific threat actor in order to test and evaluate defensive capabilities from a threat-informed perspective. This approach empowers defenders to operationalize cyber threat intelligence to better understand and combat real-world adversaries. Rather than focusing on static signatures, these intelligence-driven emulation plans provide a repeatable means to test and tune defensive capabilities and products against the evolving Tactics, Techniques, and Procedures (TTPs) of threat actors and malware.
Adversary emulation enables organizations to view their security through the eyes of a cyber adversary with the goal of improving defenses across the adversary’s lifecycle. As defenders this expands our attention and focus beyond just the final actions of the adversary achieving their operational objective to rather understand and appreciate every distinct behavior (that could have been detected and/or mitigated) leading up to that point.
Each emulation plan is rooted in intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to a specific named threat actor. To develop each plan, we research and model each threat actor, focusing not only on what they do (ex: gather credentials from victims) but also how (using what specific tools/utilities/commands?) and when (during what stage of a breach?). We then develop emulation content that mimics the underlying behaviors utilized by the threat actor (i.e. not an exact representation, rather capturing the pertinent elements that accurately generate appropriate test telemetry for defenders). This approach results in nuanced emulation plans, each capturing unique scenarios and perspectives that we can leverage as threat-informed defenders.
As is the case with traditional red teaming and penetration testing, adversary emulation is a specific style of offensive assessment performed to help us test and tune our defenses. In this case, our objective is to operationalize cyber threat intelligence describing behaviors observed in specific campaigns or malware samples. From this intelligence, we select and execute a subset of behaviors (and their variations) to assess our defenses from the perspective of the specific threat.
As described in the next section, each emulation plan captures specific threat scenarios. These scenarios can be executed end-to-end, or individual behaviors can be tested. Organizations can also choose to further customize the scenarios and/or behaviors within each emulation plan to better fit their specific environment, priorities, or to be shaped by additional intelligence.
In summary, each full emulation plan should be perceived as input to an offensive assessment/red team. The content can be used as strict instructions to follow, or as just a starting point to be built upon and personalized.
Each emulation plan focuses on a specific named threat actor. The README of each individual plan provides a curated summary of available cyber threat intelligence, composed of an intelligence overview of the actor (describing who they target, how, and why where possible) as well as the scope of their activity (i.e. breadth of techniques and malware used). All presented information is cited back to relevant publicly available cyber threat intelligence and communicated and annotated via ATT&CK.
Within each emulation plan, the operational flow provides a high-level summary of the captured scenario(s). These scenarios will vary based on the adversary and available intelligence, but typically follow a sequential progression of how the actor breaches then works towards achieving their operational objectives within a victim environment (espionage, data/system destruction, etc.).
The content to execute the scenario(s) is broken down into step-by-step procedures provided in both human and machine-readable formats. Scenarios can be executed end-to-end or as individual tests. The human-readable formats provide additional relevant background where possible as well as any setup prerequisites, while the machine-readable format is designed to be programmatically parsed (ex: read, reformatted, and ingested into an automated agent, such as CALDERA and/or breach simulation frameworks).
Detailed documenation for our full emulation plan structure can be found here.
Similar to full emulation plans, micro emulation plans are a type of adversary emulation that is designed to help us test and tune our defenses. However, these plans can be executed without a red team and without the need for an offensive assessment. Each plan is still composed of an intelligence overview for the behaviors being emulated, however we are emulating behaviors that are common across multiple adversaries as opposed to a singular adversary.
These plans are easy to execute, with no dependencies needed or special configuration of your environment. All plans can be executed from either a standalone or networked machine. They can be executed manually or integrated into automation software. We have provided an example of how to execute a plan with CALDERA, but these plans can be broadly applied to other platforms.
Each micro plan has default runtime options, however, detailed instructions can be found
on the README for each plan on how to customize execution to fit your specific needs.
We have included the source code and BUILD instructions for each plan, so that they
can be modified and recompiled, as needed.
The micro plans can be downloaded from the Releases page.
The threat landscape changes every day, as new groups/malware emerge and known adversaries adapt and evolve. The Center will continue to populate and maintain this library to match this growth curve through dedicated research efforts that aim to either create or update plans based on a specific adversary.
Please submit issues for any technical questions/concerns or contact [email protected] directly for more general inquiries.
Also see the guidance for contributors if are interested in contributing.
This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.
Copyright 2020-2021 MITRE Engenuity. Approved for public release. Document number CT0005
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This project makes use of ATT&CK®
