center-for-threat-informed-defense / adversary_emulation_library

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
https://ctid.io/adversary-emulation
Apache License 2.0
1.6k stars 292 forks

Add network connection activity to the DLL Side-loading micro plan #129

Closed. Cyb3r-Monk closed this issue 1 year ago.

Cyb3r-Monk commented 1 year ago

It would be great if the DLL Side-loading micro plan contained a few HTTP requests to a legitimate website (as a parameter or embedded in the code) to simulate C2 behavior.

mticmtic commented 1 year ago

Hi @Cyb3r-Monk, our original intent was to capture the side-loading and any follow-on behavior (discovery commands, in this instance). The specifics of the follow-on behavior aren't as important as the combination of side-loading and the follow-on behavior. With that said, we will add it to the backlog and see if we can get to it soon.

cat-alyst commented 1 year ago

Added this to the backlog, going to close this issue. @Cyb3r-Monk Thank you for the suggestion! 🤩 We will tag you in the PR for contribution credit.

Cyb3r-Monk commented 1 year ago

Awesome, thanks! 🤩