fix typos, add code hinting for blocks, remove redundant links, fix broken links, formatting
m3mike committed Nov 19, 2024
1 parent f39ef74 commit f0cfeab
Showing 15 changed files with 200 additions and 300 deletions.
14 changes: 0 additions & 14 deletions Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md
@@ -88,17 +88,3 @@ Please note that binary files hosted in [Scenario_1](/Enterprise/apt29/Resources
3. Open Outlook and sign in if necessary

---

## Additional Plan Resources

- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
- [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
- [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
- [Archive](/Enterprise/apt29/Archive)
- [Issues](https://github.com/attackevals/ael/issues)
- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)
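Review bot: deleting this footer drops not only the self-referential Scenario 2 links but also the links this page carried to the Issues tracker and to `CHANGE_LOG.md`; confirm that the plan-level README or the site navigation still exposes both before merging, because the identical footer is removed from the yaml, Intelligence_Summary and Operations_Flow pages in this same commit, so none of those pages will point at the change log afterwards.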
73 changes: 61 additions & 12 deletions Enterprise/apt29/Emulation_Plan/Scenario_2/README.md
@@ -15,18 +15,67 @@ APT29 operations have been separated into two scenarios, with steps and granular

### Contents

* [Step 11 - Initial Breach](#step-11---initial-breach)
* [Step 12 - Fortify Access](#step-12---fortify-access)
* [Step 13 - Local Enumeration](#step-13---local-enumeration)
* [Step 14 - Elevation](#step-14---elevation)
* [Step 15 - Establish Persistence](#step-15---establish-persistence)
* [Step 16 - Lateral Movement](#step-16---lateral-movement)
* [Step 17 - Collection](#step-17---collection)
* [Step 18 - Exfiltration](#step-18---exfiltration)
* [Step 19 - Clean Up](#step-19---clean-up)
* [Step 20 - Leverage Persistence](#step-20---leverage-persistence)
* [Acknowledgements](#acknowledgements)
* [Additional Plan Resources](#additional-plan-resources)
- [Scenario 2](#scenario-2)
- [Preface](#preface)
- [Overview](#overview)
- [Contents](#contents)
- [Pre-requisites](#pre-requisites)
- [Step 11 - Initial Breach](#step-11---initial-breach)
- [Procedures](#procedures)
- [11.A - User Execution: Malicious File (T1204 / T1204.002)](#11a---user-execution-malicious-file-t1204--t1204002)
- [Cited Intelligence](#cited-intelligence)
- [Step 12 - Fortify Access](#step-12---fortify-access)
- [Procedures](#procedures-1)
- [12.A - Indicator Removal on Host: Timestomp (T1099 / T1070.006)](#12a---indicator-removal-on-host-timestomp-t1099--t1070006)
- [12.B - Software Discovery: Security Software Discovery (T1063 / T1518.001)](#12b---software-discovery-security-software-discovery-t1063--t1518001)
- [12.C - Software Discovery (T1518 / T1518.001)](#12c---software-discovery-t1518--t1518001)
- [Cited Intelligence](#cited-intelligence-1)
- [Step 13 - Local Enumeration](#step-13---local-enumeration)
- [Procedures](#procedures-2)
- [13.A - System Information Discovery (T1082)](#13a---system-information-discovery-t1082)
- [13.B - System Network Configuration Discovery (T1016)](#13b---system-network-configuration-discovery-t1016)
- [13.C - System Owner/User Discovery (T1033)](#13c---system-owneruser-discovery-t1033)
- [13.D - Process Discovery (T1057)](#13d---process-discovery-t1057)
- [Cited Intelligence](#cited-intelligence-2)
- [Step 14 - Elevation](#step-14---elevation)
- [Procedures](#procedures-3)
- [14.A - Abuse Elevation Control Mechanism: Bypass User Access Control (T1088 / T1548.002)](#14a---abuse-elevation-control-mechanism-bypass-user-access-control-t1088--t1548002)
- [14.B - OS Credential Dumping: LSASS Memory (T1003 / T1003.001)](#14b---os-credential-dumping-lsass-memory-t1003--t1003001)
- [Cited Intelligence](#cited-intelligence-3)
- [Step 15 - Establish Persistence](#step-15---establish-persistence)
- [Procedures](#procedures-4)
- [15.A - Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1084 / T1546.003)](#15a---event-triggered-execution-windows-management-instrumentation-event-subscription-t1084--t1546003)
- [Cited Intelligence](#cited-intelligence-4)
- [Step 16 - Lateral Movement](#step-16---lateral-movement)
- [Procedures](#procedures-5)
- [16.A - Remote System Discovery (T1018)](#16a---remote-system-discovery-t1018)
- [16.B - System Owner/User Discovery (T1033)](#16b---system-owneruser-discovery-t1033)
- [16.C - Remote Services: Windows Remote Management (T1028 / T1021.006)](#16c---remote-services-windows-remote-management-t1028--t1021006)
- [16.D - OS Credential Dumping (T1003 / T1003.001)](#16d---os-credential-dumping-t1003--t1003001)
- [Cited Intelligence](#cited-intelligence-5)
- [Step 17 - Collection](#step-17---collection)
- [Procedures](#procedures-6)
- [17.A - Email Collection: Local Email Collection (T1114 / T1114.001)](#17a---email-collection-local-email-collection-t1114--t1114001)
- [17.B - Data from Local System (T1005)](#17b---data-from-local-system-t1005)
- [17.C - Obfuscated Files or Information (T1027)](#17c---obfuscated-files-or-information-t1027)
- [Cited Intelligence](#cited-intelligence-6)
- [Step 18 - Exfiltration](#step-18---exfiltration)
- [Procedures](#procedures-7)
- [18.A - Exfiltration Over Alternative Protocol (T1048 / T1567.002)](#18a---exfiltration-over-alternative-protocol-t1048--t1567002)
- [Cited Intelligence](#cited-intelligence-7)
- [Step 19 - Clean Up](#step-19---clean-up)
- [Procedures](#procedures-8)
- [19.A - Indicator Removal on Host: File Deletion (T1107 / T1070.004)](#19a---indicator-removal-on-host-file-deletion-t1107--t1070004)
- [19.B - Indicator Removal on Host: File Deletion (T1107 / T1070.004)](#19b---indicator-removal-on-host-file-deletion-t1107--t1070004)
- [19.C - Indicator Removal on Host: File Deletion (T1107 / T1070.004)](#19c---indicator-removal-on-host-file-deletion-t1107--t1070004)
- [Cited Intelligence](#cited-intelligence-8)
- [Step 20 - Leverage Persistence](#step-20---leverage-persistence)
- [Procedures](#procedures-9)
- [20.A - Persistence Execution (T1085 / T1218.011, T1084 / T1546.003)](#20a---persistence-execution-t1085--t1218011-t1084--t1546003)
- [20.B - Use Alternate Authentication Material: Pass the Ticket (T1097 / T1550.001, T1550.003)](#20b---use-alternate-authentication-material-pass-the-ticket-t1097--t1550001-t1550003)
- [Cited Intelligence](#cited-intelligence-9)
- [Acknowledgements](#acknowledgements)
- [Special thanks to the following public resources](#special-thanks-to-the-following-public-resources)

### Pre-requisites

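Review bot: the expanded table of contents now depends on renderer-specific duplicate-heading numbering: `#procedures-1` through `#procedures-9` and `#cited-intelligence-1` through `#cited-intelligence-9` only resolve where repeated headings are deduplicated the way GitHub does it, and the `[!badge …]` syntax added to `Enterprise/carbanak/Resources/setup/README.md` in this same commit shows these pages are also built by a separate site generator. The list it replaces linked only the unique `Step NN` headings and was safe under any renderer; either verify the suffixed anchors in the generated site or keep the TOC at step depth. Minor: the new list links to `#contents` from inside the Contents section itself.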
14 changes: 0 additions & 14 deletions Enterprise/apt29/Emulation_Plan/yaml/README.md
@@ -11,17 +11,3 @@ As new files are added, please list them in the below table.
| [APT29.yaml](/Enterprise/apt29/Emulation_Plan/yaml/APT29.yaml) | N/A | Initial Emulation Plan YAML |

---

## Additional Plan Resources

- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
- [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
- [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
- [Archive](/Enterprise/apt29/Archive)
- [Issues](https://github.com/attackevals/ael/issues)
- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)
14 changes: 0 additions & 14 deletions Enterprise/apt29/Intelligence_Summary.md
@@ -138,17 +138,3 @@ ID | Source | Publisher | Date |
16 |[Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers](https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/)|[Microsoft](https://www.microsoft.com/)| December 2018 |

---

## Additional Plan Resources

- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
- [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
- [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
- [Archive](/Enterprise/apt29/Archive)
- [Issues](https://github.com/attackevals/ael/issues)
- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)
14 changes: 0 additions & 14 deletions Enterprise/apt29/Operations_Flow.md
@@ -27,17 +27,3 @@ This scenario begins with a legitimate user clicking on a malicious payload deli
The content to execute this scenario was tested and developed using PoshC2 and other custom/modified scripts and payloads. PoshC2 was chosen based on its available functionality and similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors.

---

## Additional Plan Resources

- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
- [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
- [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
- [Archive](/Enterprise/apt29/Archive)
- [Issues](https://github.com/attackevals/ael/issues)
- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)
17 changes: 5 additions & 12 deletions Enterprise/blind_eagle/Resources/Setup/README.md
@@ -6,7 +6,7 @@ The requirements described herein should be considered a bare minimum to execute

## Network Diagram

Below is the domains and infrastructure used to support the setup and execution of the Blind Eagle [Emulation plan](../../Emulation_Plan/).
Below are the domains and infrastructure used to support the setup and execution of the Blind Eagle [Emulation plan](../../Emulation_Plan/).

![Infra](../Screenshots/infrastructurediagram.png)

Expand All @@ -19,7 +19,7 @@ This emulation leveraged the following attacker infrastructure with configuratio
| Windows Attack Platform | 192.168.0.4 | Windows 10 Pro - Build 19044 |
| Web Server | 192.168.0.5 | Ubuntu 20.04 LTS |

#### A note about payloads
### A note about payloads

- This evaluation utilizes payloads that model malware previously used by Blind Eagle.
- These utilities include loaders, injectors, and implants.
Expand All @@ -35,7 +35,7 @@ RDP to your Windows Attack Platform
![defender-off](../Screenshots/windows-av-off.png)
1. Open a PowerShell Prompt and download the Blind Eagle ATTACK Evaluations Library to your chosen directory on your Windows attack machine

```PowerShell
```shell
git clone https://github.com/center-for-threat-informed-defense/blackhat-2023-becoming-a-dark-knight-emulation
```
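Review bot: the fence hint changes from `PowerShell` to `shell` while the step text two lines above still says "Open a PowerShell Prompt", so the highlighter hint now disagrees with the instruction; `git clone` behaves the same in both, but the mismatch will confuse readers who copy the block. If the change was made because the site renderer rejects the capitalized name, `powershell` (lowercase) is the identifier highlighters generally accept; otherwise keep a PowerShell hint to match the step. While in this hunk, `ATTACK Evaluations Library` in the step text looks like it should read `ATT&CK Evaluations Library`, which fits the typo-fix scope of this commit.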

Expand All @@ -45,7 +45,7 @@ RDP to your Windows Attack Platform
SSH to the web server from either your machine or a separate PowerShell prompt on your Windows Attack Platform:
```
```shell
ssh ubuntu@192.168.0.5
```

@@ -145,7 +145,7 @@ RDP to the workstation from either your computer or the Windows Attack Machine:

SSH to mail from either your computer or the Windows Attack Machine:

```
```shell
ssh ubuntu@10.1.0.11
```

@@ -209,10 +209,3 @@ The bancomurcielago website should now be hosted on HTTP port 8000
## Resources

The [Binaries.zip](../Binaries/Binaries.zip) contains all executables in one zip file for easy download. The password is `malware`. :heavy_exclamation_mark: binaries in this folder will only work with the infrastructure configuration described in this document as some payloads need to be built with specific URLs hard coded.
## Additional Plan Resources
- [Intelligence Summary](../../Intelligence_Summary/Intelligence_Summary.md)
- [Operations Flow](../../Operations_Flow/Operations_Flow.md)
- [Emulation Plan](../../Emulation_Plan/README.md)
- [Issues](https://github.com/attackevals/ael/issues)
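Review bot: unlike the carbanak footers removed in this commit, these relative links resolved correctly from `Resources/Setup/README.md` (`../../` is `Enterprise/blind_eagle/`), so this hunk removes working navigation rather than broken links. The Emulation Plan stays reachable through the `[Emulation plan](../../Emulation_Plan/)` link in the Network Diagram paragraph, but the Intelligence Summary and Operations Flow are no longer linked from this page at all. If the goal is de-duplication, leave a one-line pointer to the plan README in place of the footer; if the footer is only being dropped for the missing blank line before its heading, that is a formatting fix, not a reason to delete it.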
27 changes: 6 additions & 21 deletions Enterprise/carbanak/Intelligence_Summary.md
@@ -30,37 +30,37 @@ PsExec ([S0029](https://attack.mitre.org/software/S0029/)) | | Remote Execution

## Carbanak ATT&CK Navigator

#### The following behaviors are in scope for an emulation of actions attributed to Carbanak as referenced by [MITRE ATT&CK](https://attack.mitre.org/groups/G0008/) and in the [referenced reporting](#references)
### The following behaviors are in scope for an emulation of actions attributed to Carbanak as referenced by [MITRE ATT&CK](https://attack.mitre.org/groups/G0008/) and in the [referenced reporting](#references)

![/Attack_Layers/Carbanak_G0008.png](/Enterprise/carbanak/Attack_Layers/Carbanak_G0008.png)

## [Scenario 1](/Enterprise/carbanak/Emulation_Plan/Scenario_1/README.md)

#### The following behaviors are in scope for an emulation of actions attributed to Carbanak, as implemented in Scenario 1, in the [referenced reporting](#references)
### The following behaviors are in scope for an emulation of actions attributed to Carbanak, as implemented in Scenario 1, in the [referenced reporting](#references)

![/Attack_Layers/Carbanak_Scenario1.png](/Enterprise/carbanak/Attack_Layers/Carbanak_Scenario1.png)

## [Carbanak](https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0030%2FS0030-enterprise-layer.json)

#### The following behaviors are in scope for an emulation of actions performed by the Carbanak group using Carbanak malware, exclusively based on current intelligence within ATT&CK for the given software
### The following behaviors are in scope for an emulation of actions performed by the Carbanak group using Carbanak malware, exclusively based on current intelligence within ATT&CK for the given software

![/Attack_Layers/Carbanak_S0030.png](/Enterprise/carbanak/Attack_Layers/Carbanak_S0030.png)

## [Mimikatz](https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0002%2FS0002-enterprise-layer.json)

#### The following behaviors are in scope for an emulation of actions performed by Carbanak using Mimikatz, exclusively based on current intelligence within ATT&CK for the given software
### The following behaviors are in scope for an emulation of actions performed by Carbanak using Mimikatz, exclusively based on current intelligence within ATT&CK for the given software

![/Attack_Layers/Mimikatz_S0002.png](/Enterprise/carbanak/Attack_Layers/Mimikatz_S0002.png)

## [netsh](https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0108%2FS0108-enterprise-layer.json)

#### The following behaviors are in scope for an emulation of actions performed by Carbanak using netsh, exclusively based on current intelligence within ATT&CK for the given software
### The following behaviors are in scope for an emulation of actions performed by Carbanak using netsh, exclusively based on current intelligence within ATT&CK for the given software

![/Attack_Layers/netsh_S0108.png](/Enterprise/carbanak/Attack_Layers/netsh_S0108.png)

## [PsExec](https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0002%2FS0002-enterprise-layer.json)

#### The following behaviors are in scope for an emulation of actions performed by Carbanak using Mimikatz, exclusively based on current intelligence within ATT&CK for the given software
### The following behaviors are in scope for an emulation of actions performed by Carbanak using Mimikatz, exclusively based on current intelligence within ATT&CK for the given software

![/Attack_Layers/PsExec_S0029.png](/Enterprise/carbanak/Attack_Layers/PsExec_S0029.png)
---
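Review bot: the PsExec section keeps two copy-paste errors that a typo-fix commit should address: its heading links to the `S0002` (Mimikatz) navigator layer rather than `S0029`, which is the identifier the hunk's own context line `PsExec ([S0029](https://attack.mitre.org/software/S0029/))` and the image filename `PsExec_S0029.png` use for PsExec, and the rewritten description line still reads "performed by Carbanak using Mimikatz". Suggest `S0002` to `S0029` in both places in the layer URL and `Mimikatz` to `PsExec` in the sentence; the `####` to `###` heading demotion itself is fine and makes the six sections consistent.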
@@ -94,18 +94,3 @@ ID | Source | Publisher | Date |
19 | [Cyberthreats to financial institutions 2020: Overview and predictions](https://securelist.com/financial-predictions-2020/95388/) | [Kaspersky](https://securelist.com/) | December 2019

---

## Additional Plan Resources

- [Intelligence Summary](../Intelligence_Summary.md)
- [Operations Flow](../Operations_Flow.md)
- [Emulation Plan](../Emulation_Plan)
- [Scenario 1 - Infrastructure](../Emulation_Plan/Scenario_1/Infrastructure.md)
- [Scenario 1 - Detections](../Emulation_Plan/Scenario_1)
- [Scenario 2 - Infrastructure](../Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2 - Protections](../Emulation_Plan/Scenario_2)
- [YAML](../Emulation_Plan/yaml)
- [File Hashes](../hashes)
- [YARA Rules](../yara-rules)
- [Issues](https://github.com/attackevals/ael/issues)
- [Change Log](../CHANGE_LOG.md)
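Review bot: every link in this deleted footer was already broken from this file's location, since `Enterprise/carbanak/Intelligence_Summary.md` resolving `../Intelligence_Summary.md` lands in `Enterprise/`, not in `carbanak/`, so removing it matches the "fix broken links" intent. However, `File Hashes` (`../hashes`) and `YARA Rules` (`../yara-rules`) are the artifacts defenders come to an intelligence summary for; rather than dropping them, consider re-adding them with corrected paths (`./hashes`, `./yara-rules`, assuming those directories sit beside this file as the old links imply) under a section that survives, for example next to the References table.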
21 changes: 3 additions & 18 deletions Enterprise/carbanak/Operations_Flow.md
@@ -1,6 +1,6 @@
# Carbanak Operations Flow

Please see the formal [Carbanak Intelligence Summary](/Enterprise/carbanak/Intelligence_Summary.md) which includes a break-down of the cited intelligence used for each step of this emulation.
Please see the formal [Carbanak Intelligence Summary](./Intelligence_Summary.md) which includes a break-down of the cited intelligence used for each step of this emulation.

---
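Review bot: switching this link from the root-absolute `/Enterprise/carbanak/Intelligence_Summary.md` to `./Intelligence_Summary.md` is the right fix for pages served from a different base path, but the apt29 files touched in this same commit keep root-absolute links (for example the `[APT29.yaml](/Enterprise/apt29/Emulation_Plan/yaml/APT29.yaml)` table row in the yaml README), and those will break under the same base-path change. Apply one convention across the plans, or say in the commit message that apt29 is left for a follow-up.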

Expand All @@ -10,7 +10,7 @@ Please see the formal [Carbanak Intelligence Summary](/Enterprise/carbanak/Intel

---

# Scenario 1
## Scenario 1

Based on [Carbanak Malware](https://attack.mitre.org/software/S0030/), [Ggldr](https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control), and [Mimikatz](https://attack.mitre.org/software/S0002/)

Expand All @@ -20,23 +20,8 @@ This emulation plan is intended to be executed with protections-based capabiliti

---

# Scenario 2
## Scenario 2

This scenario emulates the same Carbanak TTP's as scenario 1; however, changes were made to support environments with protective security controls enabled. This scenario is designed so that specific TTP's are decoupled from dependencies to enable all steps to be executed, even if previous steps are blocked.

---

## Additional Plan Resources

- [Intelligence Summary](../Intelligence_Summary.md)
- [Operations Flow](../Operations_Flow.md)
- [Emulation Plan](../Emulation_Plan)
- [Scenario 1 - Infrastructure](../Emulation_Plan/Scenario_1/Infrastructure.md)
- [Scenario 1 - Detections](../Emulation_Plan/Scenario_1)
- [Scenario 2 - Infrastructure](../Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2 - Protections](../Emulation_Plan/Scenario_2)
- [YAML](../Emulation_Plan/yaml)
- [File Hashes](../hashes)
- [YARA Rules](../yara-rules)
- [Issues](https://github.com/attackevals/ael/issues)
- [Change Log](../CHANGE_LOG.md)
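Review bot: the `TTP's` possessive in the Scenario 2 paragraph (it appears twice in the unchanged context line) is exactly the kind of typo this commit targets but survives untouched; suggest `TTPs`, and `Scenario 1` capitalized to match the heading it refers to. Demoting both scenario headings from `#` to `##` under the single `# Carbanak Operations Flow` title is a good structural fix, and the footer removal here has the same caveat as in Intelligence_Summary.md: the `../hashes` and `../yara-rules` links were broken from this location, but the artifacts they pointed at should stay discoverable somewhere in the plan.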
3 changes: 3 additions & 0 deletions Enterprise/carbanak/Resources/setup/README.md
@@ -0,0 +1,3 @@
# Setup

See [!badge target="blank" icon="mark-github" text="GitHub Link"](https://github.com/attackevals/ael/tree/49516eb0eb51c7b8f3c2851d612ea5c5467ff2bb/Enterprise/carbanak/Resources/setup) for setup information.
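Review bot: the `[!badge …]` component is site-generator syntax; on GitHub itself this line renders as a plain link whose visible text is the literal `!badge target="blank" icon="mark-github" text="GitHub Link"`, so anyone browsing the repository directly sees markup instead of a label. The URL also pins commit `49516eb0eb51c7b8f3c2851d612ea5c5467ff2bb`, so the page will keep pointing at that snapshot of `Resources/setup` even after the setup instructions change; if a permanent archive link is the intent, say so in the sentence, otherwise use a branch path (`tree/main/...`, assuming `main` is the default branch). A plain `[GitHub link](…)` fallback next to the badge would serve both renderers.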