2024 indexes

README.md

@@ -8,13 +8,14 @@ One of the goals of each Threat Simulation Index is to allow organizations to co
 
 Indexes are released once per year. Throughout the year, an Index may receive minor quality of life changes but will not deviate significantly from the initial release. New yearly releases start fresh and are not designed to be compatible with previous releases. Overlap between Indexes in the same industry for different years is incidental, as is overlap across industries.
 
-## 2023 Indexes
+## 2024 Indexes
 
-The following Indexes are available for 2023:
+The following Indexes are available for 2024:
 
-- [Financial Services](fs-index-2023/)
-- [Retail & Hospitality](rh-index-2023/)
-- [Health](h-index-2023/)
+- [Financial Services](fs-index-2024/)
+- [Retail & Hospitality](rh-index-2024/)
+- [Health](h-index-2024/)
+- [OT](ot-index-2024/)
 
 ### Composition
 
@@ -25,32 +26,44 @@ Expand the below section to view Index group compositions
 
 **Financial Services**
 
-- [APT28](https://attack.mitre.org/groups/G0007/)
-- [APT29](https://attack.mitre.org/groups/G0016/)
+- [Scattered Spider](https://attack.mitre.org/groups/G1015/)
+- LockBit
+- [ALPHV](https://attack.mitre.org/software/S1068/)
+- [Clop](https://attack.mitre.org/software/S0611)
+- [Lazarus](https://attack.mitre.org/groups/G0032/)
 - [APT41](https://attack.mitre.org/groups/G0096/)
-- [Bazar](https://attack.mitre.org/software/S0534/)
-- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
-- [LAPSUS$](https://attack.mitre.org/groups/G1004/)
-- [QakBot](https://attack.mitre.org/software/S0650/)
+- SocGholish
+
 
 **Retail & Hospitality**
 
-- [APT41](https://attack.mitre.org/groups/G0096/)
-- [Conti](https://attack.mitre.org/software/S0575/)
-- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
-- [FIN7](https://attack.mitre.org/groups/G0046/)
-- [LAPSUS$](https://attack.mitre.org/groups/G1004/)
-- [QakBot](https://attack.mitre.org/software/S0650/)
+- BianLian
+- [Scattered Spider](https://attack.mitre.org/groups/G1015/)
+- LockBit
+- [ALPHV](https://attack.mitre.org/software/S1068/)
+- [Clop](https://attack.mitre.org/software/S0611)
 
 **Health**
 
+- [Scattered Spider](https://attack.mitre.org/groups/G1015/)
+- LockBit
+- [ALPHV](https://attack.mitre.org/software/S1068/)
+- [Clop](https://attack.mitre.org/software/S0611)
 - [APT41](https://attack.mitre.org/groups/G0096/)
-- [Bazar](https://attack.mitre.org/software/S0534/)
-- [BlackTech](https://attack.mitre.org/groups/G0098/)
-- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
-- [Conti](https://attack.mitre.org/software/S0575/)
-- [Kimsuky](https://attack.mitre.org/groups/G0094/)
-- [QakBot](https://attack.mitre.org/software/S0650/)
+- SocGholish
+- [Mustang Panda](https://attack.mitre.org/groups/G0129/)
+- Dark Angels
+- BianLian
+
+**OT**
+
+- [Scattered Spider](https://attack.mitre.org/groups/G1015/)
+- LockBit
+- [ALPHV](https://attack.mitre.org/software/S1068/)
+- [Lazarus](https://attack.mitre.org/groups/G0032/)
+- [Mustang Panda](https://attack.mitre.org/groups/G0129/)
+- Dark Angels
+- [Sandworm](https://attack.mitre.org/groups/G0034)
 
 </details>
 
@@ -72,13 +85,12 @@ Indexes can be imported directly into [VECTR](https://vectr.io) using the merged
 
 Test cases are based on MITRE-tracked intelligence and the general process for determining test cases for inclusion is as follows:
 
-1. Identify initial list of groups with principal members
-2. Map groups to MITRE-tracked groups and filter out non-MITRE groups
-3. Review intelligence report for each group
-    1. Remove anything produced before the look-back period of two years
+1. Identify initial list of groups and TTPs with principal members
+2. Collect then review intelligence report for each group
+    1. Remove anything produced before the look-back period of one year
     2. Remove reports that do not provide enough information for simulation purposes
     3. Cut groups lacking intelligence
-4. Extract TTP information from intelligence reports then develop full test cases for each
+3. Extract TTP information from intelligence reports then develop full test cases for each
     1. Exclude TTPs that likely do not act as worthwhile simulation candidates
-5. Filter out items from list to balance plan composition
+4. Filter out items from list to balance plan composition
 

archived/2023/README.md

@@ -0,0 +1,84 @@
+# Threat Simulation Indexes
+
+Each Threat Simulation Index is a curated list of test cases derived from the threat groups of interest for members of a given industry using MITRE-tracked intelligence. Security Risk Advisors (SRA) collaborates with experts in threat intelligence and cyber defense at targeted organizations to identify priorities for defense testing.  
+
+One of the goals of each Threat Simulation Index is to allow organizations to compare objective defense scores against peers. Visit the [Defense Success Metric blog post on SRA.io](https://sra.io/blog/the-road-to-benchmarked-mitre-attck-alignment-defense-success-metrics/) for more information.
+
+### Release Cycle
+
+Indexes are released once per year. Throughout the year, an Index may receive minor quality of life changes but will not deviate significantly from the initial release. New yearly releases start fresh and are not designed to be compatible with previous releases. Overlap between Indexes in the same industry for different years is incidental, as is overlap across industries.
+
+## 2023 Indexes
+
+The following Indexes are available for 2023:
+
+- [Financial Services](fs-index-2023/)
+- [Retail & Hospitality](rh-index-2023/)
+- [Health](h-index-2023/)
+
+### Composition
+
+Expand the below section to view Index group compositions
+
+<details>
+  <summary>Expand</summary>
+
+**Financial Services**
+
+- [APT28](https://attack.mitre.org/groups/G0007/)
+- [APT29](https://attack.mitre.org/groups/G0016/)
+- [APT41](https://attack.mitre.org/groups/G0096/)
+- [Bazar](https://attack.mitre.org/software/S0534/)
+- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
+- [LAPSUS$](https://attack.mitre.org/groups/G1004/)
+- [QakBot](https://attack.mitre.org/software/S0650/)
+
+**Retail & Hospitality**
+
+- [APT41](https://attack.mitre.org/groups/G0096/)
+- [Conti](https://attack.mitre.org/software/S0575/)
+- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
+- [FIN7](https://attack.mitre.org/groups/G0046/)
+- [LAPSUS$](https://attack.mitre.org/groups/G1004/)
+- [QakBot](https://attack.mitre.org/software/S0650/)
+
+**Health**
+
+- [APT41](https://attack.mitre.org/groups/G0096/)
+- [Bazar](https://attack.mitre.org/software/S0534/)
+- [BlackTech](https://attack.mitre.org/groups/G0098/)
+- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
+- [Conti](https://attack.mitre.org/software/S0575/)
+- [Kimsuky](https://attack.mitre.org/groups/G0094/)
+- [QakBot](https://attack.mitre.org/software/S0650/)
+
+</details>
+
+## Intent & Use
+
+Indexes are designed to be used by human operators as part of simulated attack scenarios such as purple teams. Operators should have general familiarity with attacker techniques, payload generation, and infrastructure management.
+
+Individual Index requirements can be found in that Index's folder in the REQUIREMENTS.md file.
+
+Indexes can be imported directly into [VECTR](https://vectr.io) using the merged YAML document for that Index.
+
+### Additional Notes
+
+- Operators are free to use their payload generation procedures of choice as long as the resulting payload(s) complies with the general description provided by the test case and its associated documentation.
+- Where possible, Operators should avoid using default settings for their tools. This includes, but is not limited to: shellcode, C2 traffic signatures, and default artifacts
+- Some test cases can be performed through alternative execution methods. However, Operators should exercise caution in methods that produce significantly different detection artifacts for the core behaviors. For example, executing a .NET payload via an `execute-assembly` style harness is generally acceptable whereas substituting one credential dumping method for another should be avoided.
+
+## Development Process
+
+Test cases are based on MITRE-tracked intelligence and the general process for determining test cases for inclusion is as follows:
+
+1. Identify initial list of groups with principal members
+2. Map groups to MITRE-tracked groups and filter out non-MITRE groups
+3. Review intelligence report for each group
+    1. Remove anything produced before the look-back period of two years
+    2. Remove reports that do not provide enough information for simulation purposes
+    3. Cut groups lacking intelligence
+4. Extract TTP information from intelligence reports then develop full test cases for each
+    1. Exclude TTPs that likely do not act as worthwhile simulation candidates
+5. Filter out items from list to balance plan composition
+

fs-index-2024/CHANGELOG.md

@@ -0,0 +1,4 @@
+# v1.0 (January 2024)
+
+- Initial release
+

fs-index-2024/REQUIREMENTS.md

@@ -0,0 +1,39 @@
+# Infrastructure
+
+- Mail server/relay to send emails
+- Proxy/VPN 
+- Proxy/VPN in non-standard geolocation
+- HTTP/S file hosting server 
+- Command-and-control server(s) with HTTPS and HTTP channels
+- Accounts for : Cloud storage provider (exfil), remote assistance service (if applicable)
+- C3, or similar server for C2 over a webservice (and appropriate credentials for that service)
+- Domain(s) and certificate(s) for infrastructure
+
+# Payloads
+
+|#|Test Case|Payload|Notes|
+|---|---|---|---|
+|1|Attachment - Zipped macro|Macro-enabled Office doc in ZIP||
+|2|Attachment - ISO|ISO||
+|3|Load known-abusable kernel driver|Windows driver|refer to notebook for example drivers + hashes|
+|4|DLL execution using Rundll32|DLL||
+|5|Sideload a DLL into a legitimate application|DLL|can be shared with #4 as long as exported functions are as expected|
+|6|Register Security Service Provider (SSP) in LSASS|SSP DLL|refer to notebook for instructions on creating DLL|
+|7|<Exfiltration>|Sensitive data|Use dlptest.com for sample data|
+|8|Macro - Remote Template|Office document that loads remotely-hosted macro-enabled template||
+
+# Tools/Scripts
+
+- Remote assistance tool such as TeamViewer, GoTo, or AnyConnect
+- SharpHound : https://github.com/BloodHoundAD/SharpHound
+- Net Scan : https://www.softperfect.com/products/networkscanner/
+- C3 : https://github.com/WithSecureLabs/C3
+- Mimikatz : https://github.com/gentilkiwi/mimikatz
+- Nanodump : https://github.com/fortra/nanodump
+- Rubeus : https://github.com/GhostPack/Rubeus
+- SharpDPAPI : https://github.com/GhostPack/SharpDPAPI
+- ProcDump : https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+- File encryptor : https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor
+- AADInternals : https://github.com/Gerenios/AADInternals
+
+