Release menuPass Emulation Plan (#59)
* Updated terms to match repo name

* Add CI check for APT29 yaml

* Delete changelog.md

No longer required due to new release versioning.  #15

* Update APT29.yaml (#56)

* Create /structure, YAML folders; Minor fixes (#57)

* Update CONTRIBUTING.md

* Create /structure

Reorganized structural documents to be contained in a separate folder

* Update format_dictionary.yaml

* Update README.md

* Create README.md

Added YAML folder for user submitted yaml files for use with the emulation plan

* Update CHANGE_LOG.md

Added day of release

* Update format_dictionary.yaml

Made name and description generic

* Update README.md

Corrected link

* Update NOTICE.txt

Corrected copyright year

* Update README.md

Corrected copyright year

* Delete format_dictionary.yaml

Moved to /structure

* Create format_dictionary.yaml

Moved to /structure

* Moved to /yaml folder

* Moved to /yaml folder

* Revert "Moved to /yaml folder"

This reverts commit 33ca2dd.

* Revert "Moved to /yaml folder"

This reverts commit 3e33422.

* Move APT29 yaml to yaml folder

* Move FIN6.yaml to yaml folder

* Update tox to reflect yaml folder

* Navigation Update

Adding navigation to reflect new yaml folder structure

* Moving to /yaml folder

* Moving to /yaml folder

* Moved to yaml folder

* Verbiage adjustment for yaml storage

Adjusted verbiage to reflect all yaml files, both Center and community yaml are to be stored in the /yaml folder.

* Minor formatting edits

* Navigation edits to reflect yaml folder

Set navigation to point to the yaml folder with README, instead of a specific yaml file

* Library copyright date inclusion of 2021

With the addition of the APT29 plan in 2021, the overall library copyright has been extended to include 2021 as well.

* Added navigation

Added navigational links to the new /yaml README.md

* Typo correction

* Typo correction

* Navigation update

Corrected navigation to reference /yaml folder readme, instead of a single yaml file

* Add menuPass into Adversary Emulation Library (#58)

* Add menuPass

menuPass addition to the Adversary Emulation Library

* Update Intelligence_Summary.md

* Update README.md

Center aligned emulation plan names

* Update tox.ini

Capitalization correction

* Update menuPass.yaml filename so CI can find it

* Correct menupass.yaml filename (again)

Co-authored-by: sapattersonATmitre <64601265+sapattersonATmitre@users.noreply.github.com>
Co-authored-by: Mark Davidson <mdavidson@mitre.org>

* New OpFlow (#61)

Co-authored-by: Justin Baker <64592089+jwbaker-mitre@users.noreply.github.com>
Co-authored-by: sapattersonATmitre <64601265+sapattersonATmitre@users.noreply.github.com>
3 people authored Feb 4, 2021
1 parent 6f4004d commit 46bf94a
Showing 56 changed files with 2,476 additions and 95 deletions.
6 changes: 3 additions & 3 deletions CONTRIBUTING.md
Expand Up @@ -2,7 +2,7 @@

## How to contribute

Thanks for contributing to the FIN6 Adversary Emulation Plan!
Thanks for contributing to the Adversary Emulation Library!

You are welcome to comment on issues, open new issues, and open pull requests.

Expand All @@ -11,9 +11,9 @@ Pull requests should target the **[develop](https://github.com/center-for-threat
Also, if you contribute any source code, we need you to agree to the following Developer's Certificate of Origin below.

## Reporting issues with emulation procedures

* Describe (in detail) what should have happened. Include any supporting information that may be helpful in resolving the issue.

* Be sure to include any steps to replicate the issue.

## Developer's Certificate of Origin v1.1
13 changes: 6 additions & 7 deletions README.md
Expand Up @@ -7,12 +7,12 @@ Also see our recent blog on the [Adversary Emulation Library](https://medium.com
Available adversary emulation plans are listed below:

| Emulation Plan | Intelligence Summary |
|------|------|
|:-----:|------|
| [FIN6](/fin6/) | [FIN6 is thought to be a financially motivated cyber-crime group. The group has aggressively targeted and compromised high-volume POS systems in the hospitality and retail sectors since at least 2015...](/fin6/Intelligence_Summary.md) |
| [APT29](/apt29/) | [APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation...](/apt29/Intelligence_Summary.md) |
| [menuPass](/menuPass/) | [menuPass is thought to be threat group motivated by collection objectives, with targeting that is consistent with Chinese strategic objectives...](/menuPass/Intelligence_Summary.md) |


## Philosophy
## Philosophy

These adversary emulation plans are based on known-adversary behaviors and designed to empower red teams to manually emulate a specific threat actor in order to test and evaluate defensive capabilities from a threat-informed perspective. This approach empowers defenders to operationalize cyber threat intelligence to better understand and combat real-world adversaries. Rather than focusing on static signatures, these intelligence-driven emulation plans provide a repeatable means to test and tune defensive capabilities and products against the evolving Tactics, Techniques, and Procedures (TTPs) of threat actors and malware.

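Review bot: the added menuPass row is missing an article: "menuPass is thought to be threat group motivated by collection objectives" should read "thought to be a threat group". The alignment change to `|:-----:|------|` is fine, but the two adjacent `## Philosophy` lines indicate a whitespace-only edit to that heading; confirm it is intentional (for example trailing whitespace removed) rather than an accidental duplicate.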
Expand All @@ -34,11 +34,11 @@ In summary, each emulation plan should be perceived as input to an offensive ass

Each emulation plan focuses on a specific named threat actor. The README of each individual plan provides a curated summary of available cyber threat intelligence, composed of an intelligence overview of the actor (describing who they target, how, and why where possible) as well as the scope of their activity (i.e. breadth of techniques and malware used). All presented information is cited back to relevant publicly available cyber threat intelligence and communicated and annotated via [ATT&CK](https://attack.mitre.org/).

Within each emulation plan, the operational flow provides a high-level summary of the captured scenario(s). These scenarios will vary based on the adversary and available intelligence, but typically follow a sequential progression of how the actor breaches then works towards achieving their operational objectives within a victim environment (espionage, data/system destruction, etc.).
Within each emulation plan, the operational flow provides a high-level summary of the captured scenario(s). These scenarios will vary based on the adversary and available intelligence, but typically follow a sequential progression of how the actor breaches then works towards achieving their operational objectives within a victim environment (espionage, data/system destruction, etc.).

The content to execute the scenario(s) is broken down into step-by-step procedures provided in both human and machine-readable formats. Scenarios can be executed end-to-end or as individual tests. The human-readable formats provide additional relevant background where possible as well as any setup prerequisites, while the machine-readable format is designed to be programmatically parsed (ex: read, reformatted, and ingested into an automated agent, such as [CALDERA](https://github.com/mitre/caldera) and/or breach simulation frameworks).

Detailed documenation for our emulation plan structure can be found [here.](/emulation_plan_structure.md)
Detailed documenation for our emulation plan structure can be found [here.](/structure/emulation_plan_structure.md)

## Future Work

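Review bot: the relocated link line still carries the typo "documenation"; since the line is being rewritten to point at /structure/emulation_plan_structure.md anyway, correct it to "Detailed documentation for our emulation plan structure can be found [here.](/structure/emulation_plan_structure.md)". The operational-flow paragraph also appears as a removed/added pair with identical visible text, which indicates a whitespace-only change; confirm that was intended.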
Expand All @@ -50,14 +50,13 @@ Please submit issues for any technical questions/concerns or contact ctid@mitre-

Also see the guidance for contributors if are interested in [contributing.](/CONTRIBUTING.md)


## Liability / Responsible Usage

This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.

## Notice

Copyright 2020 MITRE Engenuity. Approved for public release. Document number CT0005
Copyright 2020-2021 MITRE Engenuity. Approved for public release. Document number CT0005

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

7 changes: 4 additions & 3 deletions apt29/CHANGE_LOG.md
Expand Up @@ -3,6 +3,7 @@
## APT29 Emulation Plan

|Version | Date | Change Details |
|:--- |:---|:---|
0.1 | April 2020 | ATT&CK Evaluations Release
1.0 | January 2021 | Adversary Emulation Library Release
|:---|:---|:---|
| 0.1 | 21 April 2020 | ATT&CK Evaluations Release
| 1.0 | 21 January 2021 | Adversary Emulation Library Release

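Review bot: the two rewritten rows open with a pipe but do not close with one (`| 0.1 | 21 April 2020 | ATT&CK Evaluations Release`), whereas the fin6/CHANGE_LOG.md table in this same commit closes every row (`| 1.0 | 15 September 2020 | Adversary Emulation Library Release |`). GitHub renders both forms, but the two change logs should follow one convention; add the trailing `|` to these rows.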
2 changes: 1 addition & 1 deletion apt29/Emulation_Plan/README.md
Expand Up @@ -31,7 +31,7 @@ We would like to formally thank the people that contributed to the content, revi
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/apt29/Emulation_Plan/APT29.yaml)
- [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
2 changes: 1 addition & 1 deletion apt29/Emulation_Plan/Scenario_1/Infrastructure.md
Expand Up @@ -119,7 +119,7 @@ Import-PfxCertificate -Exportable -FilePath "shockwave.local.pfx" -CertStoreLoca
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/apt29/Emulation_Plan/APT29.yaml)
- [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
2 changes: 1 addition & 1 deletion apt29/Emulation_Plan/Scenario_1/README.md
Expand Up @@ -545,7 +545,7 @@ Trigger the Startup Folder persistence by logging in to Windows victim 1
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/apt29/Emulation_Plan/APT29.yaml)
- [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
2 changes: 1 addition & 1 deletion apt29/Emulation_Plan/Scenario_2/Infrastructure.md
Expand Up @@ -96,7 +96,7 @@ We hope to capture the general structure of what is reported to have been seen b
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/apt29/Emulation_Plan/APT29.yaml)
- [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
2 changes: 1 addition & 1 deletion apt29/Emulation_Plan/Scenario_2/README.md
Expand Up @@ -360,7 +360,7 @@ The original victim is rebooted and the legitimate user logs in, emulating ordin
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/apt29/Emulation_Plan/APT29.yaml)
- [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
Expand Up @@ -2,7 +2,7 @@

- emulation_plan_details:
id: 4975696e-1d41-11eb-adc1-0242ac120002
adversary_name: APT29 Adversary Emulation Plan
adversary_name: APT29
adversary_description: APT29 is a threat group that has been attributed to the Russian government who have been in operation since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015.
attack_version: 8.1
format_version: 1.0
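Review bot: adversary_name is narrowed from "APT29 Adversary Emulation Plan" to the bare actor name "APT29", which matches the commit's note that format_dictionary.yaml was made generic. Since this commit also adds a CI check for this YAML, make sure that check and the dictionary now under /structure define adversary_name as the actor name alone, so the menuPass plan added in the same commit and any later plans follow one convention. format_version staying at 1.0 is appropriate only if the dictionary change was documentation-only rather than a change to required keys; please confirm.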
27 changes: 27 additions & 0 deletions apt29/Emulation_Plan/yaml/README.md
@@ -0,0 +1,27 @@
# Machine-Readable APT29 Emulation Plans

The universal, technology-agnostic version of the APT29 emulation plan YAML has been provided as starting point for machine parsing and execution of the APT29 emulation plan. This folder will store all versions of this yaml file, including those formatted to work with specific execution runners (such as automated agents like [CALDERA](https://github.com/mitre/caldera) or other breach simulation frameworks).

## Included Formats

As new files are added, please list them in the below table.

| File | Execution Framework | Notes |
| --- | --- | --- |
| [APT29.yaml](/apt29/Emulation_Plan/yaml/APT29.yaml) | N/A | Initial Emulation Plan YAML |

---

## Additional Plan Resources

- [Intelligence Summary](/apt29/Intelligence_Summary.md)
- [Operations Flow](/apt29/Operations_Flow.md)
- [Emulation Plan](/apt29/Emulation_Plan/README.md)
- [Scenario 1 - Infrastructure](/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
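Review bot: in the introductory paragraph, "has been provided as starting point" should read "as a starting point", and "this yaml file" would be clearer as "this YAML file" to match the heading. The table asks contributors to add rows as files appear; since the commit history shows the CI check only located menuPass.yaml after its filename was corrected, it would help to state the expected filename pattern next to the table so new framework-specific files are picked up by tox.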
2 changes: 1 addition & 1 deletion apt29/Intelligence_Summary.md
Expand Up @@ -147,7 +147,7 @@ ID | Source | Publisher | Date |
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/apt29/Emulation_Plan/APT29.yaml)
- [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
2 changes: 1 addition & 1 deletion apt29/NOTICE.txt
@@ -1,4 +1,4 @@
Copyright 2020 MITRE Engenuity. Approved for public release. Document number AT0008.
Copyright 2021 MITRE Engenuity. Approved for public release. Document number AT0008.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
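Review bot: replacing "Copyright 2020" with "Copyright 2021" drops the original publication year from the apt29 notice, while the top-level README in this same commit changes its line to "Copyright 2020-2021". The apt29 plan was first released in April 2020 according to its change log, so this notice (and the matching line in apt29/README.md below) should read "Copyright 2020-2021 MITRE Engenuity" rather than 2021 alone.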
2 changes: 1 addition & 1 deletion apt29/Operations_Flow.md
Expand Up @@ -37,7 +37,7 @@ The content to execute this scenario was tested and developed using PoshC2 and o
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/apt29/Emulation_Plan/APT29.yaml)
- [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
4 changes: 2 additions & 2 deletions apt29/README.md
Expand Up @@ -31,7 +31,7 @@ We would like to formally thank the people that contributed to the content, revi
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- [YAML](/apt29/Emulation_Plan/APT29.yaml)
- [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
Expand All @@ -42,7 +42,7 @@ This content is only to be used with appropriate prior, explicit authorization f

## Notice

Copyright 2020 MITRE Engenuity. Approved for public release. Document number AT0008.
Copyright 2021 MITRE Engenuity. Approved for public release. Document number AT0008.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

3 changes: 0 additions & 3 deletions changelog.md

This file was deleted.

6 changes: 3 additions & 3 deletions fin6/CHANGE_LOG.md
Expand Up @@ -2,6 +2,6 @@

## FIN6 Emulation Plan

Version | Date | Change Details |
--- | --- | --- |
1.0 | 15 September 2020 | Initial Release
|Version | Date | Change Details |
|:---|:---|:---|
| 1.0 | 15 September 2020 | Adversary Emulation Library Release |
22 changes: 20 additions & 2 deletions fin6/Emulation_Plan/Infrastructure.md
Expand Up @@ -2,10 +2,12 @@

FIN6 infrastructure is likely comprised of distributed command and control (C2) servers and exfiltration servers. FIN6 is reported to have conducted C2 over HTTPS. As such, it would be wise to purchase, associate, and categorize a domain for each redirector. [Let's Encrypt](https://letsencrypt.org) is a resource for free SSL/TLS certificates.

FIN6 uses separate servers for exfiltration. They appear to purchase domain names that are similar/relevent to their target organization in order to blend in. The group may very well use one server to exfiltrate Discovery data during Phase 1, and separate servers to exfiltrate PoS or payment data during Phase 2. Specific server configuration very much depends on the C2 framework.
FIN6 uses separate servers for exfiltration. They appear to purchase domain names that are similar/relevent to their target organization in order to blend in. The group may very well use one server to exfiltrate Discovery data during Phase 1, and separate servers to exfiltrate PoS or payment data during Phase 2. Specific server configuration very much depends on the C2 framework.

Detailing specific infrastructure configuration is beyond the scope of this plan. Please consult the following resources:

---

## Infrastructure Configuration

* [Cloud-based Redirectors for Distributed Hacking](https://blog.cobaltstrike.com/2014/14/cloud-based-redirectors-for-distributed-hacking/)
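Review bot: the exfiltration-server paragraph is re-emitted with identical visible text (a whitespace-only change) and still carries the misspelling "similar/relevent"; since the line is being touched anyway, change it to "similar/relevant".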
Expand All @@ -14,6 +16,8 @@ Detailing specific infrastructure configuration is beyond the scope of this plan
* [Red Team Infrastructure Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
* [A Deep Dive into Cobalt Strike Malleable C2](https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b)

---

## Emulation Team Systems and Tools

The following represents a bare minimum but should be operationally representative of FIN6 infrastructure and toolset:
Expand Down Expand Up @@ -57,4 +61,18 @@ The following represents a bare minimum but should be operationally representati

* ### Phase 2 - E-Commerce Exfiltration

* HTTP - FIN6 is reported to have exfiltrated payment data resulting from it's Magecart Group 6 activity via HTTP POST.<sup>[10](https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/)</sup> In order to emulate this use case (Phase 2 Scenario 2), you will need to set up an exfiltration server capable of receiving HTTP POST requests. Depending on how you intend to evaluate this scenario, a lightweight solution like Python's http.server may be appropriate. This activity is further described in Phase 2.
* HTTP - FIN6 is reported to have exfiltrated payment data resulting from it's Magecart Group 6 activity via HTTP POST.<sup>[10](https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/)</sup> In order to emulate this use case (Phase 2 Scenario 2), you will need to set up an exfiltration server capable of receiving HTTP POST requests. Depending on how you intend to evaluate this scenario, a lightweight solution like Python's http.server may be appropriate. This activity is further described in Phase 2.

---

## Additional Plan Resources

* [Intelligence Summary](/fin6/Intelligence_Summary.md)
* [Operations Flow](/fin6/Operations_Flow.md)
* [Emulation Plan](/fin6/Emulation_Plan/README.md)
- [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)
- [Phase 1](/fin6/Emulation_Plan/Phase1.md)
- [Phase 2](/fin6/Emulation_Plan/Phase2.md)
- [YAML](/fin6/Emulation_Plan/yaml)
* [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
* [Change Log](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md)
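Review bot: the new "Additional Plan Resources" block mixes list markers, using `*` for top-level items and `-` for the nested Infrastructure/Phase/YAML items, while the apt29 navigation blocks elsewhere in this commit use `-` throughout; pick one. More importantly, the Change Log entry is an absolute URL pinned to the master branch (`https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md`) whereas every other link is repository-relative; CONTRIBUTING.md says pull requests target develop, so the absolute link will show whatever master holds rather than the version under review. Replace it with `/fin6/CHANGE_LOG.md`. The re-emitted HTTP exfiltration bullet also still reads "it's Magecart Group 6 activity"; it should be "its".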