Adversary Emulation Planner
This tool can be used to automatically build an ordered set of attack stages with MITRE ATT&CK techniques executed during each stage.
The output is a set of attack stages that show all possible techniques that an adversary might execute during each stage.
To decide in which stage each technique appears, the planner uses promises as access tokens for executing techniques. Each technique defines the set of promises required before it can be executed (think pre-conditions) and the set of promises it provides once executed (think post-conditions).
Installation
Install using pip:
pip install aep
You will also need to clone the aep-data repository, which contains a starting point with example data:
git clone https://github.com/mnemonic-no/aep-data
Usage/Examples
If you have checked out the aep-data repository, run these commands inside that repository, since the tools need access to the default data files.
aep-generate is where you should start; the other tools become more useful once you start making changes to the data itself.
Generate Adversary Emulation Plan
$ aep-generate --end-condition objective_exfiltration --include-techniques T1021,T1046,T1583 --technique-bundle incident/UNC2452-Solorigate.json --show-promises
Removed 4 NOP techniques: ['T1036', 'T1036.004', 'T1036.005', 'T1083']
╒═════════╤══════════════════════════════════════════════════════════╤══════════════════════════════════════════════╕
│ stage   │ techniques                                               │ new promises @end-of-stage                 │
╞═════════╪══════════════════════════════════════════════════════════╪══════════════════════════════════════════════╡
│ 1       │ Acquire Infrastructure                                   │ exploit_available                          │
│         │ Develop Capabilities                                     │ info_domain_trust                          │
│         │ Develop Capabilities:Malware                             │ infrastructure_botnet                      │
│         │ Domain Trust Discovery                                   │ infrastructure_certificate                 │
│         │ Obtain Capabilities                                      │ infrastructure_domain                      │
│         │ Obtain Capabilities:Code Signing Certificates            │ infrastructure_server                      │
│         │ Supply Chain Compromise                                  │ privileges_user_local                      │
│         │ Supply Chain Compromise:Compromise Software Supply Chain │ tool_available                             │
│         │                                                          │ tool_delivery                              │
├─────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────┤
│ 2       │ Command and Scripting Interpreter                        │ access_filesystem                          │
│         │ Command and Scripting Interpreter:PowerShell             │ code_executed                              │
│         │ Command and Scripting Interpreter:Windows Command Shell  │ defense_evasion                            │
│         │ Scheduled Task/Job                                       │ file_transfer                              │
│         │                                                          │ persistence                                │
├─────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────┤
│ 3       │ Account Discovery                                        │ access_network                             │
│         │ Application Layer Protocol                               │ adversary_controlled_communication_channel │
│         │ Application Layer Protocol:Web Protocols                 │ credentials_user_domain                    │
│         │ Obfuscated Files or Information [*]                      │ credentials_user_local                     │
│         │ Permission Groups Discovery                              │ credentials_user_thirdparty                │
│         │ Process Discovery                                        │ info_groupname                             │
│         │ Signed Binary Proxy Execution [*]                        │ info_process_info                          │
│         │ Signed Binary Proxy Execution:Rundll32 [*]               │ info_target_employee                       │
│         │ Unsecured Credentials                                    │ info_username                              │
│         │ Unsecured Credentials:Private Keys                       │                                            │
├─────────┼──────────────────────────────────────────────────────────┼──────────────────────────────────────────────┤
│ 4       │ Account Manipulation:Additional Cloud Credentials [*]    │ info_cloud_services                        │
│         │ Cloud Service Discovery                                  │ info_email_address                         │
│         │ Dynamic Resolution [*]                                   │ info_network_hosts                         │
│         │ Dynamic Resolution:Domain Generation Algorithms [*]      │ info_network_services                      │
│         │ Email Collection                                         │ privileges_system_local                    │
│         │ Email Collection:Remote Email Collection                 │                                            │
│         │ Event Triggered Execution                                │                                            │
│         │ Ingress Tool Transfer [*]                                │                                            │
│         │ Network Service Scanning                                 │                                            │
│         │ Valid Accounts [*]                                       │                                            │
╘═════════╧══════════════════════════════════════════════════════════╧══════════════════════════════════════════════╛
[*] Technique does not provide any new promises
FAIL: incomplete attack chain, could not achieve end condition: objective_exfiltration
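As an added example, not the aep project's own code, the Python sketch below implements the promise model described in the introduction and reproduces what the aep-generate output above reports: NOP techniques dropped up front, [*] marking techniques that add no new promise, and FAIL when the end condition cannot be reached. The technique table is constructed toy data, not the contents of aep-data.

```python
from typing import Dict, Set, Tuple

# Constructed toy data in the spirit of aep's techniques.json (not the real
# aep-data content): technique id -> (name, requires, provides).
TECHNIQUES: Dict[str, Tuple[str, Set[str], Set[str]]] = {
    "T1583": ("Acquire Infrastructure", set(), {"infrastructure_server"}),
    "T1195": ("Supply Chain Compromise", set(), {"tool_delivery", "code_executed"}),
    "T1059": ("Command and Scripting Interpreter", {"code_executed"}, {"access_filesystem"}),
    "T1083": ("File and Directory Discovery", {"access_filesystem"}, set()),  # NOP
    "T1105": ("Ingress Tool Transfer", {"code_executed", "infrastructure_server"}, {"tool_delivery"}),
    "T1041": ("Exfiltration Over C2 Channel",
              {"access_filesystem", "infrastructure_server"}, {"objective_exfiltration"}),
}

def remove_nop(techniques):
    """Drop NOP techniques: a technique providing no promise can never advance a chain."""
    return {tid: spec for tid, spec in techniques.items() if spec[2]}

def plan(techniques, end_condition, start=frozenset()):
    """Build ordered stages: a stage runs every unused technique whose requires set is
    covered by promises held when the stage starts; what it provides feeds the next stage.
    Returns (stages, reached) with stage = (ids, new promises, ids marked [*]: nothing new)."""
    have, used, stages = set(start), set(), []
    while end_condition not in have:
        runnable = sorted(t for t, (_, req, _) in techniques.items()
                          if t not in used and req <= have)
        if not runnable:
            return stages, False  # FAIL: incomplete attack chain
        new = set().union(*(techniques[t][2] for t in runnable)) - have
        starred = [t for t in runnable if not (techniques[t][2] - have)]
        used.update(runnable)
        have |= new
        stages.append((runnable, new, starred))
    return stages, True

def promise_usage(techniques):
    """Per promise: (number of techniques providing it, number requiring it),
    the counts that aep-promise-usage tabulates."""
    usage = {}
    for _, req, prov in techniques.values():
        for p in prov:
            usage.setdefault(p, [0, 0])[0] += 1
        for p in req:
            usage.setdefault(p, [0, 0])[1] += 1
    return {p: tuple(c) for p, c in usage.items()}

if __name__ == "__main__":
    stages, ok = plan(remove_nop(TECHNIQUES), "objective_exfiltration")
    print(ok, *stages, sep="\n")
```

Dropping T1583 from the toy data makes infrastructure_server unobtainable, so plan() stops after two stages with reached=False, which is the situation the FAIL line above describes.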
Show Promise Usage
Show promises that are used little or not at all.
aep-promise-usage
╒══════════════════════════════════════╤══════════╤══════════╕
│ promise                              │ provides │ requires │
╞══════════════════════════════════════╪══════════╪══════════╡
│ info_cloud_hosts                     │        8 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ objective_denial_of_service          │       11 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ privileges_users                     │        1 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ staged_data                          │        7 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ fast_flux                            │        0 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ info_network_config                  │        7 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ waterhole                            │        0 │        2 │
├──────────────────────────────────────┼──────────┼──────────┤
│ info_password_policy                 │        1 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ objective_integrity                  │        8 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ info_domain_trust                    │        1 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ infrastructure_trusted_social_media  │        6 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ info_system_time                     │        1 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ credentials_2fa_token                │        1 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ infrastructure_domain                │       14 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ objective_exfiltration               │       15 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ info_cloud_services                  │        8 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ objective_destruction                │       11 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ infrastructure_certificate           │       12 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ access_network_intercept             │        1 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ infrastructure_trusted_email_account │        6 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ objective_resources_computational    │        1 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ objective_extortion                  │        4 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ persistence                          │      164 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ info_target_information              │        1 │        0 │
├──────────────────────────────────────┼──────────┼──────────┤
│ defense_evasion                      │       97 │        0 │
╘══════════════════════════════════════╧══════════╧══════════╛
Show Techniques
Show summary based on MITRE ATT&CK technique ID.
aep-technique -t T1001
+++
Data Obfuscation
╒═════════════════╤════════════════╤═════════════════════╤══════════════════════════════╤══════════════╤════════════════════════╕
│ Provides        │ Requires       │ Tactic(s)           │ Relevant                     │ Conditionals │ Subtechniques          │
╞═════════════════╪════════════════╪═════════════════════╪══════════════════════════════╪══════════════╪════════════════════════╡
│ defense_evasion │ code_executed  │ Command and Control │ authentication_server        │              │ Junk Data              │
│                 │ tool_available │                     │ backup_server                │              │ Steganography          │
│                 │ tool_delivery  │                     │ client                       │              │ Protocol Impersonation │
│                 │                │                     │ content_management_server    │              │                        │
│                 │                │                     │ database_server              │              │                        │
│                 │                │                     │ directory_server             │              │                        │
│                 │                │                     │ file_server                  │              │                        │
│                 │                │                     │ instant_messaging_server     │              │                        │
│                 │                │                     │ log_server                   │              │                        │
│                 │                │                     │ login_server                 │              │                        │
│                 │                │                     │ mail_server                  │              │                        │
│                 │                │                     │ name_server                  │              │                        │
│                 │                │                     │ network_firewall             │              │                        │
│                 │                │                     │ network_management_server    │              │                        │
│                 │                │                     │ network_router               │              │                        │
│                 │                │                     │ print_server                 │              │                        │
│                 │                │                     │ proxy_server                 │              │                        │
│                 │                │                     │ software_distribution_server │              │                        │
│                 │                │                     │ virtualization_server        │              │                        │
│                 │                │                     │ web_server                   │              │                        │
╘═════════════════╧════════════════╧═════════════════════╧══════════════════════════════╧══════════════╧════════════════════════╛
Technique bundle summary
aep-bundle -b incident/Ryuk-Bazar-Cobalt-Strike.json
(...)
Promise summary
aep-promise --promise tool_delivery
(...)
Search promises
Search promises based on the specified criteria.
aep-promise-search --help
usage: aep-promise-search [-h] [--config-dir CONFIG_DIR] [--data-dir DATA_DIR]
                          [--promise-descriptions PROMISE_DESCRIPTIONS]
                          [--conditions CONDITIONS]
                          [--technique-promises TECHNIQUE_PROMISES]
                          [-p PROVIDES] [-np NOTPROVIDES] [-r REQUIRES]
                          [-nr NOTREQUIRES] [-n NAME]

Search techniques

optional arguments:
  -h, --help            show this help message and exit
  --config-dir CONFIG_DIR
                        Default config dir with configurations for scio and
                        plugins
  --data-dir DATA_DIR   Root directory of data files
  --promise-descriptions PROMISE_DESCRIPTIONS
                        Promise description file (CSV)
  --conditions CONDITIONS
                        Conditions (CSV)
  --technique-promises TECHNIQUE_PROMISES
                        Path for techniques.json. Supports data relative to
                        root data directory and absolute path
  -p PROVIDES, --provides PROVIDES
                        Search for techniques providing these promises
  -np NOTPROVIDES, --notprovides NOTPROVIDES
                        Search for techniques that does _not_ provide promises
  -r REQUIRES, --requires REQUIRES
                        Search for techniques requires these promises
  -nr NOTREQUIRES, --notrequires NOTREQUIRES
                        Search for techniques that does _not_ require promises
  -n NAME, --name NAME  Search for techniques whos name contains this string
Configuration
This step is optional, but it can be used to change the default settings of the tools. Run:
aep-config user
which will create default settings in ~/.config/aep/config.
About
The Adversary Emulation Planner is developed in the SOCCRATES innovation project (https://soccrates.eu). SOCCRATES has received funding from the European Union's Horizon 2020 Research and Innovation program under Grant Agreement No. 833481.