L015H4CK opened 1 year ago
Added two more fixes for APT29 Day2 Scenario. I committed the changes to the same PR since they fix errors that persist through the splitting of the faulty APT29 emulation plan.
Problem 1: The payload `stepFourteen_credDump.ps1` was only loaded, but the `wmidump` function was never executed.
Fix: Added the line `wmidump;` to `APT29-Day2.yaml` (see https://github.com/center-for-threat-informed-defense/adversary_emulation_library/pull/120/commits/0827921854dfc28d3e5c84935e14b51fd6045c19).
Problem 2: Step 16.C also included the commands for step 16.D (see the emulation plan).
Fix: Renamed the procedure step to 16.C-16.D (see https://github.com/center-for-threat-informed-defense/adversary_emulation_library/pull/120/commits/0827921854dfc28d3e5c84935e14b51fd6045c19).
This pull request should fix the faulty APT29 emulation plan by splitting it into four separate emulation plans: APT29-Day1.A, APT29-Day1.B, APT29-Day2 and APT3. The splitting was performed by looking at the respective archived adversary profiles. The emulation plan for APT3 was moved to a new directory (with no further information about APT3).
The underlying issue and its solution were described in much detail in https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues/118. For more information, see the linked issue, and feel free to ask me.
Changes:
`APT29.yaml`
Note: Even though the contribution guidelines state that pull requests should target the `develop` branch, this pull request targets the `main` branch, since all other recent pull requests did so as well and the `develop` branch has not been touched for over a year. Sorry if this is wrong.