Commit
Showing 408 changed files with 23,447 additions and 32 deletions.
@@ -0,0 +1,84 @@ | ||
# Threat Simulation Indexes | ||
|
||
Each Threat Simulation Index is a curated list of test cases derived from the threat groups of interest for members of a given industry using MITRE-tracked intelligence. Security Risk Advisors (SRA) collaborates with experts in threat intelligence and cyber defense at targeted organizations to identify priorities for defense testing. | ||
|
||
One of the goals of each Threat Simulation Index is to allow organizations to compare objective defense scores against peers. Visit the [Defense Success Metric blog post on SRA.io](https://sra.io/blog/the-road-to-benchmarked-mitre-attck-alignment-defense-success-metrics/) for more information. | ||
|
||
### Release Cycle | ||
|
||
Indexes are released once per year. Throughout the year, an Index may receive minor quality of life changes but will not deviate significantly from the initial release. New yearly releases start fresh and are not designed to be compatible with previous releases. Overlap between Indexes in the same industry for different years is incidental, as is overlap across industries. | ||
|
||
## 2023 Indexes | ||
|
||
The following Indexes are available for 2023: | ||
|
||
- [Financial Services](fs-index-2023/) | ||
- [Retail & Hospitality](rh-index-2023/) | ||
- [Health](h-index-2023/) | ||
|
||
### Composition | ||
|
||
Expand the below section to view Index group compositions | ||
|
||
<details> | ||
<summary>Expand</summary> | ||
|
||
**Financial Services** | ||
|
||
- [APT28](https://attack.mitre.org/groups/G0007/) | ||
- [APT29](https://attack.mitre.org/groups/G0016/) | ||
- [APT41](https://attack.mitre.org/groups/G0096/) | ||
- [Bazar](https://attack.mitre.org/software/S0534/) | ||
- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum) | ||
- [LAPSUS$](https://attack.mitre.org/groups/G1004/) | ||
- [QakBot](https://attack.mitre.org/software/S0650/) | ||
|
||
**Retail & Hospitality** | ||
|
||
- [APT41](https://attack.mitre.org/groups/G0096/) | ||
- [Conti](https://attack.mitre.org/software/S0575/) | ||
- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum) | ||
- [FIN7](https://attack.mitre.org/groups/G0046/) | ||
- [LAPSUS$](https://attack.mitre.org/groups/G1004/) | ||
- [QakBot](https://attack.mitre.org/software/S0650/) | ||
|
||
**Health** | ||
|
||
- [APT41](https://attack.mitre.org/groups/G0096/) | ||
- [Bazar](https://attack.mitre.org/software/S0534/) | ||
- [BlackTech](https://attack.mitre.org/groups/G0098/) | ||
- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum) | ||
- [Conti](https://attack.mitre.org/software/S0575/) | ||
- [Kimsuky](https://attack.mitre.org/groups/G0094/) | ||
- [QakBot](https://attack.mitre.org/software/S0650/) | ||
|
||
</details> | ||
|
||
## Intent & Use | ||
|
||
Indexes are designed to be used by human operators as part of simulated attack scenarios such as purple teams. Operators should have general familiarity with attacker techniques, payload generation, and infrastructure management. | ||
|
||
Individual Index requirements can be found in that Index's folder in the REQUIREMENTS.md file. | ||
|
||
Indexes can be imported directly into [VECTR](https://vectr.io) using the merged YAML document for that Index. | ||
|
||
### Additional Notes | ||
|
||
- Operators are free to use their payload generation procedures of choice as long as the resulting payload(s) complies with the general description provided by the test case and its associated documentation. | ||
- Where possible, Operators should avoid using default settings for their tools. This includes, but is not limited to: shellcode, C2 traffic signatures, and default artifacts | ||
- Some test cases can be performed through alternative execution methods. However, Operators should exercise caution in methods that produce significantly different detection artifacts for the core behaviors. For example, executing a .NET payload via an `execute-assembly` style harness is generally acceptable whereas substituting one credential dumping method for another should be avoided. | ||
|
||
## Development Process | ||
|
||
Test cases are based on MITRE-tracked intelligence and the general process for determining test cases for inclusion is as follows: | ||
|
||
1. Identify initial list of groups with principal members | ||
2. Map groups to MITRE-tracked groups and filter out non-MITRE groups | ||
3. Review intelligence report for each group | ||
1. Remove anything produced before the look-back period of two years | ||
2. Remove reports that do not provide enough information for simulation purposes | ||
3. Cut groups lacking intelligence | ||
4. Extract TTP information from intelligence reports then develop full test cases for each | ||
1. Exclude TTPs that likely do not act as worthwhile simulation candidates | ||
5. Filter out items from list to balance plan composition | ||
|
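Review bot: The Composition section is introduced as "Index group compositions" and the opening paragraph says Indexes derive from "threat groups", yet four entries in these lists link to MITRE software pages rather than group pages (Bazar S0534, Bumblebee S1039, Conti S0575, QakBot S0650), and "(& Quantum)" next to Bumblebee carries no link at all. Suggest the Composition text state that entries are MITRE-tracked groups or malware families/software, and either link Quantum or say why it is folded into the Bumblebee entry. Two smaller documentation gaps in the same file: "Individual Index requirements can be found in that Index's folder in the REQUIREMENTS.md file" and "using the merged YAML document for that Index" name no actual file, so a reader cannot tell which YAML to import into VECTR; giving the relative path of the merged YAML next to each Index link under "2023 Indexes" would fix that.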
File renamed without changes.
@@ -0,0 +1,4 @@ | ||
# v1.0 (January 2024) | ||
|
||
- Initial release | ||
|
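Review bot: The changelog heading "v1.0 (January 2024)" names a version and a date but not which Index it belongs to, and the README in this same commit describes these as the "2023 Indexes" with a once-per-year release cycle, so a v1.0 dated January 2024 will read ambiguously to anyone opening the file on its own. Suggest a first line naming the Index and year (for example "# Financial Services Index 2023") above the version heading, or folding the Index year into the heading itself, so the yearly release and the patch version are clearly distinguished.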
@@ -0,0 +1,39 @@ | ||
# Infrastructure | ||
|
||
- Mail server/relay to send emails | ||
- Proxy/VPN | ||
- Proxy/VPN in non-standard geolocation | ||
- HTTP/S file hosting server | ||
- Command-and-control server(s) with HTTPS and HTTP channels | ||
- Accounts for : Cloud storage provider (exfil), remote assistance service (if applicable) | ||
- C3, or similar server for C2 over a webservice (and appropriate credentials for that service) | ||
- Domain(s) and certificate(s) for infrastructure | ||
|
||
# Payloads | ||
|
||
|#|Test Case|Payload|Notes| | ||
|---|---|---|---| | ||
|1|Attachment - Zipped macro|Macro-enabled Office doc in ZIP|| | ||
|2|Attachment - ISO|ISO|| | ||
|3|Load known-abusable kernel driver|Windows driver|refer to notebook for example drivers + hashes| | ||
|4|DLL execution using Rundll32|DLL|| | ||
|5|Sideload a DLL into a legitimate application|DLL|can be shared with #4 as long as exported functions are as expected| | ||
|6|Register Security Service Provider (SSP) in LSASS|SSP DLL|refer to notebook for instructions on creating DLL| | ||
|7|<Exfiltration>|Sensitive data|Use dlptest.com for sample data| | ||
|8|Macro - Remote Template|Office document that loads remotely-hosted macro-enabled template|| | ||
|
||
# Tools/Scripts | ||
|
||
- Remote assistance tool such as TeamViewer, GoTo, or AnyConnect | ||
- SharpHound : https://github.com/BloodHoundAD/SharpHound | ||
- Net Scan : https://www.softperfect.com/products/networkscanner/ | ||
- C3 : https://github.com/WithSecureLabs/C3 | ||
- Mimikatz : https://github.com/gentilkiwi/mimikatz | ||
- Nanodump : https://github.com/fortra/nanodump | ||
- Rubeus : https://github.com/GhostPack/Rubeus | ||
- SharpDPAPI : https://github.com/GhostPack/SharpDPAPI | ||
- ProcDump : https://learn.microsoft.com/en-us/sysinternals/downloads/procdump | ||
- File encryptor : https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor | ||
- AADInternals : https://github.com/Gerenios/AADInternals | ||
|
||
|
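Review bot: Row 7 of the Payloads table uses `<Exfiltration>` as the test case name; in GitHub-flavored Markdown an unknown angle-bracket tag is treated as inline HTML and stripped by the sanitizer, so that cell will render empty. Suggest plain text, or backticks like the other identifiers in this file (`Exfiltration`). Also in this hunk: rows 3 and 6 say "refer to notebook" without naming or linking the notebook, so add its path or URL; "AnyConnect" in the Tools/Scripts list is Cisco's VPN client rather than a remote assistance tool, so check whether AnyDesk was intended; and the spacing in "Accounts for : Cloud storage provider" and the " : " before each tool URL is inconsistent with the rest of the list and could be normalised to "Name: URL".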