This repo contains the source code used to support the MITRE Engenuity's ATT&CK Evaluation team's 2023 BlackHat presentation 🎩 , Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations. Using the Latin American threat actor known as Blind Eagle, the presentation provides an example of how our team develops adversary emulation plans and source code for MITRE Engenuity's ATT&CK Evaluation. This presentation is a point-in-time reference for our process which is constantly evolving.
Based on open-source intelligence, the ATT&CK Evaluation team created the below scenario leveraging techniques seen from Blind Eagle in the wild. We have adapted the scenario based on tools and resources available at the time.
Blind Eagle (APT-C-36, Águila Ciega, ATT&CK Group G0099) is a Spanish-speaking threat actor that has been active since at least 2018.1 The group is believed to be based in South America, given their use of regional Spanish dialects and intimate knowledge of government agencies and other local institutions in the region. Targets are focused on Colombia-based institutions, including entities in the financial, manufacturing, and petroleum sectors.2 However, this threat actor has also executed operations against victims throughout South America, Europe, the US, and Australia.3 4 While Blind Eagle tends to be largely opportunistic in their motives, they have conducted espionage operations as well.5
Blind Eagle generally relies on commodity RATs, including Imminent Monitor, BitRAT, QuasarRAT, AsyncRAT, LimeRAT, and RemcosRAT.6 7 8 This threat actor's campaigns often leverage spearphishing for initial access and the deployment of encrypted payloads.2 Additional common TTPs used by this threat actor include: use of malicious macros, process injection, and other LOTL techniques.5 9 The group also employs relatively strict targeting, and has been known to use link-shortening services that geoloate victims.3
The Resources Folder contains the emulated software source code.
We provide a script to manage the various methods of obfuscating and encoding payloads. This script uses flags to identify the method of obuscation or encoding for each component of software. Each software contains a ReadMe.md with the specified flag need when executing this script. From the Resources Folder, execute the below command with the correct flag -flag identified in the software's README.md.
python3 utilities/file-ops.py -flag
- Operation Flow - High-level summary of the scenario & infrastructure with diagrams.
- Intelligence Summary - General overview of the Adversary with links to reporting used throughout the scenario.
We would like to formally thank the people that contributed to the content, review, and format of this document. This includes the MITRE Engenuity teams, ATT&CK Evaluation teams, the organizations and people that provided public intelligence and resources. Thank you! 🙌 🥰
We 💖 feedback! Let us know how using ATT&CK Evaluation results has helped you and what we can do better.
Email: ctid@mitre-engenuity.org
LinkedIn: https://www.linkedin.com/company/mitre-engenuity/
Twitter: https://twitter.com/MITREengenuity
This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.
© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number CT0076
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
This project makes use of ATT&CK®