center-for-threat-informed-defense / adversary_emulation_library

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
https://ctid.io/adversary-emulation
Apache License 2.0
1.6k stars 292 forks

Turla - Check Implant Registered Requirement #151

Closed kaylakraines closed 8 months ago

kaylakraines commented 8 months ago

Description

This PR is associated with https://github.com/mitre/emu/pull/38.

These changes ensure that an ability will only be run if the implant tasked in that ability is actively beaconing in. This change has been made to both the Snake & Carbon scenarios.

Type of change

How Has This Been Tested?

Tested on the Alpha Range. Ran through both scenarios to ensure that abilities were run when their requirement was filled (i.e., the implant they were going to task was actively beaconing in). Also spot-checked by killing implants to stop them from beaconing in, and then attempting to run abilities that required those implants. Observed that Caldera skipped those abilities because their requirement wasn't filled.

Checklist:

mchan143 commented 8 months ago

@mehaase FYSA, this is an update to the Turla Caldera ports that didn't make it into the initial release.