Open L015H4CK opened 1 year ago
Hello again,
I took the time and looked into the faulty APT29 emulation plan. The APT29 emulation plan was split into 4 separate emulation plans: APT29-Day1.A, APT29-Day1.B, APT29-Day2 and APT3.
The changes can be seen in my fork https://github.com/center-for-threat-informed-defense/adversary_emulation_library/compare/master...L015H4CK:adversary_emulation_library:master.
I looked into the original, archived adversary profiles for APT29 and APT3 in the old evals plugin. For every archived profile, for each ability in it I checked the APT29 emulation plan for a matching ability. The matching ability was then copied to the new corresponding emulation plan.
Access Token Manipulation. Furthermore, the names of these extra abilities were also (partially) already used by other abilities. Also, the name and ID of the used techniques were either (Access Token Manipulation, T1134) or (Access Token Manipulation: Token Impersonation/Theft, T1134.001) which does not match the actual name of the ability but the names and IDs of the abilities Access Token Manipulation and Bypass User Account Control.
Query Registry, Remote File Copy (T1105), Scheduled Task (T1053) and File and Directory Discovery (T1083).
With the above described technique I got 4 separate emulation plans: APT29-Day1.A, APT29-Day1.B, APT29-Day2 and APT3. The emulation plan for APT3 was moved to a separate directory called apt3 with no additional information about APT3.
The resulting emulation plans are all complete when compared to the original, archived adversary profiles.
Only the emulation plan for APT29-Day2 misses the first ability, which was not included in the APT29 emulation plan. This ability is used as a setup - more info here. I did not check yet whether the missing ability is really needed or whether it was removed because it was deprecated or no longer necessary.
Also, I did not find the time yet to run the new emulation plans using CALDERA and its emu plugin. I only checked if CALDERA correctly parses the emulation into adversary profiles and abilities (which it did). I think I will get to run the simulations later this week.
I will happily open a pull request if you are interested in the new emulation plans.
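To make the matching procedure described in the comment above concrete, here is a small Python helper added here (it is not the repository's or the commenter's code) that splits a merged emulation plan into one plan per archived adversary profile by matching ability ids against each profile's atomic_ordering, and reports abilities a profile needs but the merged plan lacks, merged abilities no profile claims, and ability names used more than once. It assumes the YAML files have already been loaded (for example with yaml.safe_load) into the list/dict shapes shown; only the ee08a427-... id is quoted from the issue, every other id is a constructed placeholder.

```python
"""Split a merged CALDERA emulation plan back into one plan per archived profile."""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample input (not the repository's real files), in the shape
# yaml.safe_load gives for an emulation plan (list of ability dicts; real
# entries carry more fields) and for archived adversary profiles (ability ids
# in atomic_ordering). Only the ee08a427-... id comes from the issue; every
# other id is a placeholder.
MERGED_PLAN = [
    {"id": "11111111-1111-4111-8111-111111111111", "name": "Remote File Copy"},
    {"id": "ee08a427-1e1d-4d8a-aeb1-978a7fcf9087",
     "name": "System Network Configuration Discovery"},
    {"id": "22222222-2222-4222-8222-222222222222", "name": "Scheduled Task"},
    # An ability that belongs to no archived profile and reuses a name.
    {"id": "33333333-3333-4333-8333-333333333333", "name": "Scheduled Task"},
]
ARCHIVED_PROFILES = {
    "APT29-Day1.A": {"atomic_ordering": [
        "11111111-1111-4111-8111-111111111111",
        "22222222-2222-4222-8222-222222222222"]},
    "APT3": {"atomic_ordering": [
        "ee08a427-1e1d-4d8a-aeb1-978a7fcf9087",
        "44444444-4444-4444-8444-444444444444"]},  # absent from the merged plan
}

Ability = Dict[str, object]


def split_plan(merged: List[Ability], profiles: Dict[str, dict]
               ) -> Tuple[Dict[str, List[Ability]], Dict[str, List[str]], List[Ability]]:
    """Rebuild one plan per profile, preserving the profile's ability order.

    Returns (plans, missing, extras): abilities per profile, ids a profile
    needs but the merged plan lacks, and merged abilities no profile claims.
    """
    by_id = {a["id"]: a for a in merged}
    plans: Dict[str, List[Ability]] = {}
    missing: Dict[str, List[str]] = {}
    claimed: Set[str] = set()
    for name, profile in profiles.items():
        plans[name], missing[name] = [], []
        for aid in profile["atomic_ordering"]:
            if aid in by_id:
                plans[name].append(by_id[aid])
                claimed.add(aid)
            else:
                missing[name].append(aid)
    extras = [a for a in merged if a["id"] not in claimed]
    return plans, missing, extras


def duplicate_names(merged: List[Ability]) -> Set[str]:
    """Ability names used more than once, a hint that abilities were misplaced."""
    counts = Counter(a["name"] for a in merged)
    return {n for n, c in counts.items() if c > 1}
```

Each entry of the returned plans dict can then be dumped to its own YAML file, which is the one-file-per-profile layout the emu plugin expects.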
Hi L015H4CK, I appreciate the time and research you put into this issue! If you submit a PR, we can take a look to better understand the issue and what was fixed.
Hello Mike, I just created the pull request. If you have any questions regarding the changes please let me know.
Hello again! Is there still a chance the pull request will be reviewed? I am more than willing to pitch in and help or answer any questions about it.
Not sure how I ended up involved with the project. Please remove me, Thank you.
Hi @L015H4CK, thank you for submitting the PR. We have discussed internally and would like to merge it but we need somebody on our staff to manually verify, and we are stretched thin atm with a lot of other releases this month. Please bear with us while we bring in the right personnel to review your PR.
@nism385 I cannot change your notification settings. Please check if you have “watch” set on this issue or on the whole repo.
Hello there,
it was already stated in issue https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues/84 and in this comment on an issue in the repository for the CALDERA emu-Plugin that the APT29 emulation plan included in this adversary emulation library is faulty. To summarize: it includes abilities that do not belong there.
My question is whether a fixed version of the APT29 emulation plan exists somewhere. If not, I will work on it myself. Is anyone interested in the fixed version of the emulation plan? It will probably be split into two separate scenarios (APT29-Day1.yaml and APT29-Day2.yaml) as well as a completely new APT directory containing the APT3 emulation plan. I will gladly open a pull request as soon as I am done with it, but I just wanted to reach out to anyone who might be working on the APT29 emulation plan beforehand.
Best regards.
Additional information
The history of the problem
The "original" APT29 emulation plan was published in the CALDERA evals-plugin. This plugin includes the first round of the MITRE ATT&CK evaluations (APT3) as well as the second round (APT29). In total, it includes 10 different CALDERA adversary profiles. Three of them belong to two different scenarios of APT29 (Day1.A, Day1.B and Day2) and the other seven belong to different phases of APT3.
In January 2021 the content of the above-mentioned repository was ported to this repository and the "old" form was archived. During this port, all adversary profiles were merged into one emulation plan - APT29.yaml. This plan now contains both scenarios for APT29 as well as the abilities for APT3.
Now, when using the CALDERA emu-Plugin (which basically just downloads the emulation plans from this repo and parses them into CALDERA abilities and adversaries) we get one large adversary profile also containing both APT29 scenarios as well as the abilities for APT3.
Both scenarios in one emulation plan?
It is quite trivial to see that the APT29 emulation plan contains both scenarios.
[Screenshots: Scenario 1, Scenario 2]
APT3 abilities in APT29 emulation plan?
The ability System Network Configuration Discovery with ID ee08a427-1e1d-4d8a-aeb1-978a7fcf9087 was originally included in the adversary profile for APT3. It could not be found in the original adversary profile for APT29 Day1.A.
The APT29 emulation plan in this repository contains this specific ability as a substep of step 2 in scenario 1. When parsing a new adversary profile using the emu-plugin, all abilities (also this specific ability) are included there.
Multiple YAML-emulation plans and the emu plugin
The emu plugin is able to parse several YAML files contained in the Emulation_Plan/yaml directory. For each YAML file a separate adversary profile can be parsed.