MITRE ATT&CK® v11

Micro Emulation Plans

This project aims to expand the impact of the Adversary Emulation Library by developing easy-to-execute emulation content that targets specific behaviors and challenges facing defenders. Rather than modeling full-scope breach scenarios, these micro emulation plans focus on smaller, more specific combinations of techniques. (We call these short sequences "compound behaviors" because they involve more than one adversary technique.) The plans produce signals similar to real adversary techniques (but without the harmful effects) to enable blue teams to safely test and evaluate their detective and preventative controls.

These micro emulation plans are optimized for ease-of-use (most are click-to-run) but are also flexible enough to integrate with breach and attack simulation (BAS) tools. (See the CALDERA example.)

Table Of Contents:

  • Available Plans
  • What is a Micro Emulation Plan?
  • User Guidance
  • How Do I Contribute?
  • Notice

Available Plans

| Micro Emulation Plan | Description |
| --- | --- |
| File Access and File Modification | Emulates file access and modification behaviors commonly associated with TA0009 Collection as well as T1486 Data Encrypted for Impact. (Data source: DS0022 File) |
| Named Pipes | Emulates the creation and use of named pipes commonly abused by malware. (Data source: DS0023 Named Pipe) |
| Windows Registry | Emulates a few common methods that adversaries use to modify the Windows Registry. (Data source: DS0024 Windows Registry) |
| Web Shells | Emulates the compound behavior of planting a web shell (T1505.003 Server Software Component: Web Shell) and then executing arbitrary commands through it (T1059 Command and Scripting Interpreter). |
| Process Injection | Emulates the compound behavior of T1055 Process Injection followed by execution of arbitrary commands (T1059 Command and Scripting Interpreter). |
| User Execution | Emulates the compound behavior of delivering a malicious .one, .doc, .lnk, or .iso file (e.g. via T1566.001 Phishing: Spearphishing Attachment) and then executing arbitrary commands after a user invokes the file (T1204.002 User Execution: Malicious File and T1059 Command and Scripting Interpreter). |
| Active Directory Enumeration | Emulates multiple TA0007 Discovery behaviors through commonly abused interfaces and services such as Active Directory (AD). |
| Reflective Loading | Emulates an adversary running malicious code within an arbitrary process to perform T1620 Reflective Code Loading. |
| Remote Code Execution | Emulates an adversary performing remote code execution against a vulnerable web server, as documented in T1190 Exploit Public-Facing Application. |
| Log Clearing | Emulates an adversary clearing the Windows Event Log, as described in T1070.001 Indicator Removal: Clear Windows Event Logs. |
| Data Exfiltration | Emulates the compound behaviors of an adversary finding, staging, archiving, and extracting sensitive files, as described in TA0010 Exfiltration. |
| DLL Sideloading | Emulates an adversary executing an otherwise legitimate/benign application in order to hijack its modules/libraries and load a malicious payload instead, as described in T1574.002 Hijack Execution Flow: DLL Side-Loading. |

What is a Micro Emulation Plan?

Abstraction matters. We are HUGE fans of using threat-informed adversary emulation to inspire, prioritize, and direct security testing and tuning. We celebrate the community adoption and investment in this approach, but also recognize that not all organizations have the resources to build and execute large emulation plans.

Community projects such as Atomic Red Team™ have greatly reduced the cost of entry, but we recognize an opportunity for a middle ground between atomic tests and full-scope emulation plans. There is a need for adversary emulation plans that focus on evaluating collection of specific data sources or security controls for short sequences of commonly observed adversary behaviors. These micro emulation plans answer questions such as:

Are we collecting the right data about [data source]?

How well do we detect or prevent [a particular part of an intrusion]?

We hope that these plans offer both actionable resources as well as inspiration for future research and micro emulation plan development.
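The question "Are we collecting the right data about [data source]?" can be answered mechanically once a plan has been run: compare the telemetry that arrived during the run window against the events the plan's data source should have produced. The following script is an added example written for this README and is not part of the micro_emulation_plans project. It assumes a Sysmon plus Windows Security log deployment, maps four of the plans above (File, Named Pipe, Windows Registry, and Log Clearing) to the standard Sysmon/Security event IDs for those data sources, and runs the check over a constructed sample log; the event-ID mapping, the log format, and the sample events are all assumptions for illustration, not data shipped with the plans.

```python
"""Detection-coverage check for a micro emulation plan run (added example).

Reads simple tab-separated event records, keeps those from the host and
time window in which a plan was executed, and reports, per plan, which of
the expected (provider, event_id) signals were observed and which are
missing. A missing signal means the data source is not being collected
(or not forwarded), which is the gap these plans are meant to expose.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    computer: str
    provider: str
    event_id: int


# Assumption: a typical Sysmon + Security-log deployment. The IDs below are
# the standard Sysmon/Security event IDs for each ATT&CK data source; tune
# them to your own sensor configuration.
EXPECTED_SIGNALS = {
    "File Access and File Modification": {       # DS0022 File
        ("Microsoft-Windows-Sysmon", 11),        # FileCreate
    },
    "Named Pipes": {                             # DS0023 Named Pipe
        ("Microsoft-Windows-Sysmon", 17),        # PipeEvent: pipe created
        ("Microsoft-Windows-Sysmon", 18),        # PipeEvent: pipe connected
    },
    "Windows Registry": {                        # DS0024 Windows Registry
        ("Microsoft-Windows-Sysmon", 12),        # RegistryEvent: key create/delete
        ("Microsoft-Windows-Sysmon", 13),        # RegistryEvent: value set
    },
    "Log Clearing": {                            # Windows Security log
        ("Microsoft-Windows-Eventlog", 1102),    # "The audit log was cleared"
    },
}

# Constructed sample telemetry (not real data). Format per line:
# ISO-8601 timestamp <TAB> computer <TAB> provider <TAB> event id
SAMPLE_LOG = """\
# plan executed on WS01 between 10:00 and 10:05 UTC
2024-03-01T09:58:10+00:00\tWS01\tMicrosoft-Windows-Sysmon\t13
2024-03-01T10:00:42+00:00\tWS01\tMicrosoft-Windows-Sysmon\t11
2024-03-01T10:01:05+00:00\tWS01\tMicrosoft-Windows-Sysmon\t17
2024-03-01T10:01:06+00:00\tWS01\tMicrosoft-Windows-Sysmon\t12
2024-03-01T10:02:30+00:00\tWS02\tMicrosoft-Windows-Sysmon\t18
"""


def parse_events(lines):
    """Parse tab-separated event lines; blank lines and '#' comments are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, computer, provider, event_id = line.split("\t")
        events.append(Event(datetime.fromisoformat(ts), computer, provider, int(event_id)))
    return events


def coverage_report(events, run_start, run_end, computer, expected=EXPECTED_SIGNALS):
    """Split each plan's expected signals into observed vs. missing, counting
    only events from `computer` whose timestamp lies inside the run window."""
    observed_pairs = {
        (e.provider, e.event_id)
        for e in events
        if e.computer == computer and run_start <= e.timestamp <= run_end
    }
    report = {}
    for plan, signals in expected.items():
        seen = signals & observed_pairs
        report[plan] = {"observed": seen, "missing": signals - seen}
    return report


def fully_covered(report):
    """Names of plans for which every expected signal was observed."""
    return sorted(plan for plan, r in report.items() if not r["missing"])


def run_sample():
    """Evaluate the constructed sample log for a run on WS01, 10:00-10:05 UTC."""
    events = parse_events(SAMPLE_LOG.splitlines())
    start = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
    return coverage_report(events, start, start + timedelta(minutes=5), "WS01")


if __name__ == "__main__":
    for plan, r in run_sample().items():
        status = "OK " if not r["missing"] else "GAP"
        print(f"[{status}] {plan}: missing {sorted(r['missing'])}")
```

In the sample, the registry value-set event (Sysmon 13) arrives before the run window and the pipe-connected event (Sysmon 18) comes from a different host, so both are reported as gaps even though the event types exist in the log; scoping the check to the host and window of the emulation is what keeps background noise from masking a collection gap.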

User Guidance

Getting Started

Code and documentation for each micro emulation plan are available in /src. The README file for each plan is structured the same and includes:

  • Description of Emulated Behaviors (What are we doing?)
  • CTI / Background (Why you should care?)
  • Execution Instructions / Resources (How you can use this plan)
  • Execution Demo (What successful execution looks like)
  • Defensive Lessons Learned (Detection and mitigation guidance)

Making These Plans Your Own

All micro emulation plans were designed to be simple to execute. Hard-coded parameters for each module enable double-click default execution, which can also be tailored via provided command-line arguments or interactive menus provided by the module.

For each plan, a compiled, ready-to-execute binary (within a .zip archive) as well as source code and build/customization instructions are available.

We encourage users to review the README documentation for each plan then consider opportunities for testing and related improvements within their organization.

How Do I Contribute?

We welcome your feedback and contributions to help advance Micro Emulation. Please see the guidance for contributors if you are interested in contributing or simply reporting issues.

Please submit issues for any technical questions/concerns or contact ctid@mitre-engenuity.org directly for more general inquiries.

Notice

Copyright 2023 MITRE Engenuity.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at:

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®

ATT&CK Terms of Use