Link updates

Enterprise/apt29/Archive/CALDERA_DIY/evals/README.md

@@ -166,7 +166,7 @@ After completing all adversary steps outlined above, RDPing into the target host
 
 ## Issues?
 
-Please consult the [common problems](https://caldera.readthedocs.io/en/latest/Common-problems.html) page on the CALDERA Read the Docs page.
+Please consult the [common problems](https://caldera.readthedocs.io/en/2.6.63/Common-problems.html) page on the CALDERA Read the Docs page.
 If you're still having issues, please open a git issue on the evals plugin page and follow the guidelines within ISSUES.md for reporting issues.
 
 ## Acknowledgements

Enterprise/blind_eagle/Intelligence_Summary/intelligence_summary.md

@@ -41,6 +41,6 @@ The group also employs relatively strict targeting, and has been known to link-s
 
 We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.
 
-Email: <evals@mitre-engenuity.org><br>
-Twitter: <https://twitter.com/MITREengenuity><br>
-LinkedIn: <https://www.linkedin.com/company/mitre-engenuity/><br>
+Email: <evals@mitre.org><br>
+Twitter: <https://x.com/MITREcorp><br>
+LinkedIn: <https://www.linkedin.com/showcase/attack-evaluations/><br>

Enterprise/blind_eagle/README.md

@@ -70,8 +70,8 @@ We would like to formally thank the people that contributed to the content, revi
 We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.
 
 Email: <ctid@mitre-engenuity.org><br>
-LinkedIn: <https://www.linkedin.com/company/mitre-engenuity/><br>
-Twitter: <https://twitter.com/MITREengenuity><br>
+LinkedIn: <https://www.linkedin.com/showcase/attack-evaluations/><br>
+Twitter: <https://x.com/MITREcorp><br>
 
 ## Liability / Responsible Usage
 

Enterprise/carbanak/Emulation_Plan/Scenario_1/README.md

@@ -648,7 +648,7 @@ The attacker begins targeting the CFO user from the domain controller. First, th
 
 ## Step 7 - Setup Persistence
 
-Using the information gained in the previous step, the attacker laterally moves to the CFO workstation. They upload **plink.exe** to the domain controller ([T1105](https://attack.mitre.org/techniques/T1105/)), and use it to setup a reverse SSH tunnel to the attacker platform ([T1572](https://attack.mitre.org/techniques/T1572/), [T1021.004](https://attack.mitre.org/techniques/T1021/004/)). The attacker then connects to the DC through this SSH tunnel using RDP ([T1021.001](https://attack.mitre.org/techniques/T1021/001/)). Once on the DC, they execute **qwinsta** to confirm that the CFO user is not logged into their machine ([T1033](https://attack.mitre.org/techniques/T10033/)), after which they RDP into the CFO workstation using domain admin credentials ([T1078.002](https://attack.mitre.org/techniques/T1078/002/)). Lastly, the attacker establishes persistence on the CFO workstation by downloading a reverse shell, writing a starter file, and then adding a Registry Run Key to automatically execute the starter file ([T1547.001](https://attack.mitre.org/techniques/T1547/001/)).
+Using the information gained in the previous step, the attacker laterally moves to the CFO workstation. They upload **plink.exe** to the domain controller ([T1105](https://attack.mitre.org/techniques/T1105/)), and use it to setup a reverse SSH tunnel to the attacker platform ([T1572](https://attack.mitre.org/techniques/T1572/), [T1021.004](https://attack.mitre.org/techniques/T1021/004/)). The attacker then connects to the DC through this SSH tunnel using RDP ([T1021.001](https://attack.mitre.org/techniques/T1021/001/)). Once on the DC, they execute **qwinsta** to confirm that the CFO user is not logged into their machine ([T1033](https://attack.mitre.org/techniques/T1033/)), after which they RDP into the CFO workstation using domain admin credentials ([T1078.002](https://attack.mitre.org/techniques/T1078/002/)). Lastly, the attacker establishes persistence on the CFO workstation by downloading a reverse shell, writing a starter file, and then adding a Registry Run Key to automatically execute the starter file ([T1547.001](https://attack.mitre.org/techniques/T1547/001/)).
 
 ### Procedures
 

Enterprise/cl0p/Emulation_Plan/ER6_CL0P_Scenario.md

@@ -29,7 +29,7 @@ handlers are enabled:
   * SDBbot
 
     ```bash
-    cd CL0P/Resources/control_server
+    cd cl0p/Resources/control_server
     sudo go build -o controlServer main.go
     sudo ./controlServer -c config/cl0p.yml
     ```
@@ -43,7 +43,7 @@ Horizontally". Within the new terminal, change directory to the location of the
 evalsC2client.py and **use this terminal for tasking implants**.
 
   ```bash
-  cd CL0P/Resources/control_server
+  cd cl0p/Resources/control_server
   ```
 
 * :arrow_right: Initiate an RDP session to the Windows jumpbox

Enterprise/cl0p/Emulation_Plan/README.md

@@ -11,4 +11,4 @@ pertaining to each scenario step.
 
 | Red Team Playbook | CTI Operations Flow | Description |
 | ----------------- | ------------------- | ----------- |
-| [ER6_CL0P_Scenario.md](./ER6_CL0P_Scenario.md) | [CL0P_Scenario_Overview.md](../CTI_Emulation_resources/CL0P_Scenario_Overview.md) | This contains the scenario developed to emulate TTPs of CL0P in Round 6 of ATT&CK Evaluations for Enterprise |
+| [ER6_CL0P_Scenario.md](./ER6_CL0P_Scenario.md) | [CL0P_Scenario_Overview.md](../CTI_Emulation_Resources/CL0P_Scenario_Overview.md) | This contains the scenario developed to emulate TTPs of CL0P in Round 6 of ATT&CK Evaluations for Enterprise |

Enterprise/cl0p/README.md

@@ -49,9 +49,9 @@ participated in the community cyber threat intelligence contribution process:
 We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you
 and what we can do better.
 
-- Email: <evals@mitre-engenuity.org>
-- Twitter: <https://twitter.com/MITREengenuity>
-- LinkedIn: <https://www.linkedin.com/company/mitre-engenuity/>
+- Email: <evals@mitre.org>
+- Twitter: <https://x.com/MITREcorp>
+- LinkedIn: <https://www.linkedin.com/showcase/attack-evaluations/>
 
 ## Liability / Responsible Usage
 

Enterprise/cl0p/Resources/Cl0p/README.md

@@ -43,7 +43,7 @@ Cl0p is a ransomware tool used to find and encrypt files of interest.
   - Uses the mutex name `Best-Fan-666`
   - Checks if the mutex already exists via `WaitForSingleObject` API call
     - If so, terminates early and self-deletes
-- Attempts to kill certain services related to backups or security products via the `net stop` command<sup>[1](https://www.securin.io/blog/all-about-clop-ransomware/),[2](https://www.cybereason.com/blog/research/cybereason-vs.-clop-ransomware),[3](https://sectrio.com/deconstructing-cl0p-ransomware-moveit-2023-breach/),[4](https://unit42.paloaltonetworks.com/clop-ransomware/)</sup>
+- Attempts to kill certain services related to backups or security products via the `net stop` command<sup>[1](https://www.securin.io/articles/all-about-clop-ransomware/),[2](https://www.cybereason.com/blog/research/cybereason-vs.-clop-ransomware),[3](https://sectrio.com/deconstructing-cl0p-ransomware-moveit-2023-breach/),[4](https://unit42.paloaltonetworks.com/clop-ransomware/)</sup>
   - `SQLAgent$SYSTEM_BGC`
   - `SQLAgent$ECWDB2`
   - `"Zoolz 2 Service"`
@@ -366,7 +366,7 @@ python3 aes_base64_log_decryptor.py --xor -i cbug.log  -o decrypted.log -k `a44e
 
 ## CTI
 
-1. <https://www.securin.io/blog/all-about-clop-ransomware/>
+1. <https://www.securin.io/articles/all-about-clop-ransomware/>
 1. <https://www.cybereason.com/blog/research/cybereason-vs.-clop-ransomware>
 1. <https://sectrio.com/deconstructing-cl0p-ransomware-moveit-2023-breach/>
 1. <https://unit42.paloaltonetworks.com/clop-ransomware/>

Enterprise/cl0p/Resources/sdbbot/README.md

@@ -182,7 +182,7 @@ When compiled in debug mode, the SDBBot RAT will create a log file in the image
 
 #### Decoding the log file
 
-The log file is base64 encoded and XOR encrypted. The log file decryptor can be found here: [log_decryptor](../../../Resources/log_decryptor/)
+The log file is base64 encoded and XOR encrypted. The log file decryptor can be found here: [log_decryptor](../log_decryptor/)
 
 The XOR key used to decrypt the log file is `0x0F, 0x00, 0x00, 0x0D`:
 
@@ -464,11 +464,6 @@ Stub targets are located in the [tests directory](tests/stubs).
 | Application Verifier | [Microsoft](https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/application-verifier) |
 | Application Verifier | [Sensepost](https://sensepost.com/blog/2020/masquerading-windows-processes-like-a-doubleagent./) |
 
-## Cleanup
-
-A cleanup script has been provided to remove any artifacts left behind by SDBBOT. This cleanup
-script can be found here: [CL0P Cleanup](../cleanup/cl0p_cleanup.ps1)
-
 ### Artifacts removed
 - SDBBot log `mswinsdr64.log`
 - CL0P log `Favbug.txt`

Enterprise/dprk/CTI_Emulation_Resources/DPRK_Scenario_Diagrams.md

@@ -9,9 +9,9 @@
 > [!IMPORTANT]
 > The CL0P, DPRK, and LockBit adversaries as well as the Protections micros share an infrastructure configuration.
 >
-> See the [setup documentation](../../CL0P/Resources/setup/README.md) for the [CL0P](../../CL0P/Resources/setup/README.md) adversary infrastructure setup for guidance on setting up the shared infrastructure configuration.
+> See the [setup documentation](../../cl0p/Resources/setup/README.md) for the [CL0P](../../cl0p/Resources/setup/README.md) adversary infrastructure setup for guidance on setting up the shared infrastructure configuration.
 
-![ER6Infrastructure](../../CL0P/Resources/setup/assets/evaluations-enterprise-round-6_publish.png)
+![ER6Infrastructure](../../cl0p/Resources/setup/assets/evaluations-enterprise-round-6_publish.png)
 
 ## Emulation Plan Technique Scope
 

Enterprise/dprk/Defense_Measures/DPRK_Detections.md

@@ -1,6 +1,6 @@
 # DPRK Detection Analysis 
 
-This guide covers key detection criteria for DPRK-related malware activity as emulated by the ([Enterprise Round 6 Emulation Plan](../DPRK/Emulation_Plan/ER6_DPRK_Scenario.md)), such as `FULLHOUSE.DOORED` and `STRATOFEAR`. The focus is on recognizing tool transfers, masquerading, system modifications, and encrypted communications.
+This guide covers key detection criteria for DPRK-related malware activity as emulated by the ([Enterprise Round 6 Emulation Plan](../Emulation_Plan/ER6_DPRK_Scenario.md)), such as `FULLHOUSE.DOORED` and `STRATOFEAR`. The focus is on recognizing tool transfers, masquerading, system modifications, and encrypted communications.
 
 
 ### Key Findings

Enterprise/dprk/README.md

@@ -37,9 +37,9 @@ walkthrough of the DPRK red team emulation plan
 We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you
 and what we can do better.
 
-- Email: <evals@mitre-engenuity.org>
-- Twitter: <https://twitter.com/MITREengenuity>
-- LinkedIn: <https://www.linkedin.com/company/mitre-engenuity/>
+- Email: <evals@mitre.org>
+- Twitter: <https://x.com/MITREcorp>
+- LinkedIn: <https://www.linkedin.com/showcase/attack-evaluations/>
 
 ## Liability / Responsible Usage
 

Enterprise/dprk/Resources/FULLHOUSE.DOORED/README.md

@@ -217,7 +217,7 @@ FULLHOUSE.DOORED will create a log file `fdlog.log` in the current working direc
 
 #### Decrypting the log file
 
-Use the [log_decryptor](../../../Resources/log_decryptor/) decrypt the log file:
+Use the [log_decryptor](../log_decryptor/) decrypt the log file:
 
 ```bash
 python3 aes_base64_log_decryptor.py -i fdlog.log -o dec_fdlog.log -k FEEDCAFE --xor

Enterprise/dprk/Resources/setup/README.md

@@ -4,4 +4,4 @@
 
 The CL0P, DPRK, and LockBit adversaries as well as the Protections micros share an infrastructure configuration.
 
-See the [setup documentation](../../../CL0P/Resources/setup/README.md) for the [CL0P](../../../CL0P/Resources/setup/README.md) adversary infrastructure setup for guidance on setting up the shared infrastructure configuration.
+See the [setup documentation](../../../cl0p/Resources/setup/README.md) for the [CL0P](../../../cl0p/Resources/setup/README.md) adversary infrastructure setup for guidance on setting up the shared infrastructure configuration.

Enterprise/lockbit/CTI_Emulation_Resources/LockBit_Scenario_Diagrams.md

@@ -9,9 +9,9 @@
 > [!IMPORTANT]
 > The CL0P, DPRK, and LockBit adversaries as well as the Protections micros share an infrastructure configuration.
 >
-> See the [setup documentation](../../CL0P/Resources/setup/README.md) for the [CL0P](../../CL0P/Resources/setup/README.md) adversary infrastructure setup for guidance on setting up the shared infrastructure configuration.
+> See the [setup documentation](../../cl0p/Resources/setup/README.md) for the [CL0P](../../cl0p/Resources/setup/README.md) adversary infrastructure setup for guidance on setting up the shared infrastructure configuration.
 
-![ER6Infrastructure](../../CL0P/Resources/setup/assets/evaluations-enterprise-round-6_publish.png)
+![ER6Infrastructure](../../cl0p/Resources/setup/assets/evaluations-enterprise-round-6_publish.png)
 
 ## Emulation Plan Technique Scope
 

Enterprise/lockbit/Defense_Measures/LockBit_Detections.md

@@ -1,6 +1,6 @@
 # LOCKBIT Detection Analysis 
 
-This guide covers key detection criteria for LOCKBIT-related malware activity as emulated by the ([Enterprise Round 6 Emulation Plan](../LockBit/Emulation_Plan/ER6_LockBit_Scenario.md)), such as STEALBIT and THUNDERSHELL. The focus is on External Remote Services (T1133) via VNC, Valid Accounts (T1078) for credential theft, and Command and Scripting (T1059) through Windows Shell. Further stages involve Credential Access (T1555), Process Discovery (T1057), and Inhibit System Recovery (T1490) by disabling Windows recovery features. Notably, LOCKBIT uses Encryption (T1486) for impact, targeting files and shares.
+This guide covers key detection criteria for LOCKBIT-related malware activity as emulated by the ([Enterprise Round 6 Emulation Plan](../Emulation_Plan/ER6_LockBit_Scenario.md)), such as STEALBIT and THUNDERSHELL. The focus is on External Remote Services (T1133) via VNC, Valid Accounts (T1078) for credential theft, and Command and Scripting (T1059) through Windows Shell. Further stages involve Credential Access (T1555), Process Discovery (T1057), and Inhibit System Recovery (T1490) by disabling Windows recovery features. Notably, LOCKBIT uses Encryption (T1486) for impact, targeting files and shares.
 
 ### Key Findings