fix(md): Resolve broken links, formatting, redundant listings (#10)

* add readme pages to resource directories to fix broken links

* bump retype version to latest

* update precommit hook versions

* move overview on default page to separate heading

* remove unused pre-commit hooks

* fix manifest newline

* use mark-github for links, it looks better

Add another resources readme for sandworm

* update categories for managed services and enterprise

* last of missing resources pages causing broken links

* updated setup -> Infrastructure Setup for clarity

* broken links, typos, reformats

* cleanup of categories and category links

* remove redundant table of contents

* fix typos, add code hinting for blocks, remove redundant links, fix broken links, formatting

* more broken links

.gitignore

@@ -53,4 +53,4 @@ Icon
 .AppleDesktop
 Network Trash Folder
 Temporary Items
-.apdisk
+.apdisk

.markdownlint.json

@@ -4,4 +4,4 @@
     "MD024": {
         "siblings_only": true
     }
-}
+}

.pre-commit-config.yaml

@@ -1,13 +1,9 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.1.0
+    rev: v5.0.0
     hooks:
       - id: check-yaml
       - id: end-of-file-fixer
       - id: trailing-whitespace
-      - id: debug-statements
       - id: check-toml
       - id: check-merge-conflict
-      - id: detect-aws-credentials
-      - id: detect-private-key
-

Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md

@@ -108,20 +108,4 @@ Import-PfxCertificate -Exportable -FilePath "shockwave.local.pfx" -CertStoreLoca
 
 ##### Add RTLO character and place rcs.3aka3.doc on Windows Victim-1
 
-- See [payload_configs.md](/Enterprise/apt29/Resources/Scenario_1/payload_configs.md) for instructions on how to update [cod.3aka3.scr](/Enterprise/apt29/Resources/Scenario_1/cod.3aka3.scr)
-
----
-
-### Additional Plan Resources
-
-- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
-- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
-- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
-  - [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
-  - [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
-  - [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
-  - [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
-  - [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
-- [Archive](/Enterprise/apt29/Archive)
-- [Issues](https://github.com/attackevals/ael/issues)
-- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)
+- See [payload_configs.md](../../Resources/Scenario_1/payload_configs.md) for instructions on how to update [cod.3aka3.scr](../../Resources/Scenario_1/cod.3aka3.scr)

Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md

@@ -88,17 +88,3 @@ Please note that binary files hosted in [Scenario_1](/Enterprise/apt29/Resources
 3. Open Outlook and sign in if necessary
 
 ---
-
-## Additional Plan Resources
-
-- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
-- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
-- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
-  - [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
-  - [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
-  - [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
-  - [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
-  - [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
-- [Archive](/Enterprise/apt29/Archive)
-- [Issues](https://github.com/attackevals/ael/issues)
-- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)

Enterprise/apt29/Emulation_Plan/Scenario_2/README.md

@@ -15,18 +15,67 @@ APT29 operations have been separated into two scenarios, with steps and granular
 
 ### Contents
 
-* [Step 11 - Initial Breach](#step-11---initial-breach)
-* [Step 12 - Fortify Access](#step-12---fortify-access)
-* [Step 13 - Local Enumeration](#step-13---local-enumeration)
-* [Step 14 - Elevation](#step-14---elevation)
-* [Step 15 - Establish Persistence](#step-15---establish-persistence)
-* [Step 16 - Lateral Movement](#step-16---lateral-movement)
-* [Step 17 - Collection](#step-17---collection)
-* [Step 18 - Exfiltration](#step-18---exfiltration)
-* [Step 19 - Clean Up](#step-19---clean-up)
-* [Step 20 - Leverage Persistence](#step-20---leverage-persistence)
-* [Acknowledgements](#acknowledgements)
-* [Additional Plan Resources](#additional-plan-resources)
+- [Scenario 2](#scenario-2)
+  - [Preface](#preface)
+  - [Overview](#overview)
+    - [Contents](#contents)
+    - [Pre-requisites](#pre-requisites)
+    - [Step 11 - Initial Breach](#step-11---initial-breach)
+      - [Procedures](#procedures)
+        - [11.A - User Execution: Malicious File (T1204 / T1204.002)](#11a---user-execution-malicious-file-t1204--t1204002)
+      - [Cited Intelligence](#cited-intelligence)
+    - [Step 12 - Fortify Access](#step-12---fortify-access)
+      - [Procedures](#procedures-1)
+        - [12.A - Indicator Removal on Host: Timestomp (T1099 / T1070.006)](#12a---indicator-removal-on-host-timestomp-t1099--t1070006)
+        - [12.B - Software Discovery: Security Software Discovery (T1063 / T1518.001)](#12b---software-discovery-security-software-discovery-t1063--t1518001)
+        - [12.C - Software Discovery (T1518 / T1518.001)](#12c---software-discovery-t1518--t1518001)
+      - [Cited Intelligence](#cited-intelligence-1)
+    - [Step 13 - Local Enumeration](#step-13---local-enumeration)
+      - [Procedures](#procedures-2)
+        - [13.A - System Information Discovery (T1082)](#13a---system-information-discovery-t1082)
+        - [13.B - System Network Configuration Discovery (T1016)](#13b---system-network-configuration-discovery-t1016)
+        - [13.C - System Owner/User Discovery (T1033)](#13c---system-owneruser-discovery-t1033)
+        - [13.D - Process Discovery (T1057)](#13d---process-discovery-t1057)
+      - [Cited Intelligence](#cited-intelligence-2)
+    - [Step 14 - Elevation](#step-14---elevation)
+      - [Procedures](#procedures-3)
+        - [14.A - Abuse Elevation Control Mechanism: Bypass User Access Control (T1088 / T1548.002)](#14a---abuse-elevation-control-mechanism-bypass-user-access-control-t1088--t1548002)
+        - [14.B - OS Credential Dumping: LSASS Memory (T1003 / T1003.001)](#14b---os-credential-dumping-lsass-memory-t1003--t1003001)
+      - [Cited Intelligence](#cited-intelligence-3)
+    - [Step 15 - Establish Persistence](#step-15---establish-persistence)
+      - [Procedures](#procedures-4)
+        - [15.A - Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1084 / T1546.003)](#15a---event-triggered-execution-windows-management-instrumentation-event-subscription-t1084--t1546003)
+      - [Cited Intelligence](#cited-intelligence-4)
+    - [Step 16 - Lateral Movement](#step-16---lateral-movement)
+      - [Procedures](#procedures-5)
+        - [16.A - Remote System Discovery (T1018)](#16a---remote-system-discovery-t1018)
+        - [16.B - System Owner/User Discovery (T1033)](#16b---system-owneruser-discovery-t1033)
+        - [16.C - Remote Services: Windows Remote Management (T1028 / T1021.006)](#16c---remote-services-windows-remote-management-t1028--t1021006)
+        - [16.D - OS Credential Dumping (T1003 / T1003.001)](#16d---os-credential-dumping-t1003--t1003001)
+      - [Cited Intelligence](#cited-intelligence-5)
+    - [Step 17 - Collection](#step-17---collection)
+      - [Procedures](#procedures-6)
+        - [17.A - Email Collection: Local Email Collection (T1114 / T1114.001)](#17a---email-collection-local-email-collection-t1114--t1114001)
+        - [17.B - Data from Local System (T1005)](#17b---data-from-local-system-t1005)
+        - [17.C - Obfuscated Files or Information (T1027)](#17c---obfuscated-files-or-information-t1027)
+      - [Cited Intelligence](#cited-intelligence-6)
+    - [Step 18 - Exfiltration](#step-18---exfiltration)
+      - [Procedures](#procedures-7)
+        - [18.A - Exfiltration Over Alternative Protocol (T1048 / T1567.002)](#18a---exfiltration-over-alternative-protocol-t1048--t1567002)
+      - [Cited Intelligence](#cited-intelligence-7)
+    - [Step 19 - Clean Up](#step-19---clean-up)
+      - [Procedures](#procedures-8)
+        - [19.A - Indicator Removal on Host: File Deletion (T1107 / T1070.004)](#19a---indicator-removal-on-host-file-deletion-t1107--t1070004)
+        - [19.B - Indicator Removal on Host: File Deletion (T1107 / T1070.004)](#19b---indicator-removal-on-host-file-deletion-t1107--t1070004)
+        - [19.C - Indicator Removal on Host: File Deletion (T1107 / T1070.004)](#19c---indicator-removal-on-host-file-deletion-t1107--t1070004)
+      - [Cited Intelligence](#cited-intelligence-8)
+    - [Step 20 - Leverage Persistence](#step-20---leverage-persistence)
+      - [Procedures](#procedures-9)
+        - [20.A - Persistence Execution (T1085 / T1218.011, T1084 / T1546.003)](#20a---persistence-execution-t1085--t1218011-t1084--t1546003)
+        - [20.B - Use Alternate Authentication Material: Pass the Ticket (T1097 / T1550.001, T1550.003)](#20b---use-alternate-authentication-material-pass-the-ticket-t1097--t1550001-t1550003)
+      - [Cited Intelligence](#cited-intelligence-9)
+    - [Acknowledgements](#acknowledgements)
+      - [Special thanks to the following public resources](#special-thanks-to-the-following-public-resources)
 
 ### Pre-requisites
 
@@ -350,19 +399,3 @@ The original victim is rebooted and the legitimate user logs in, emulating ordin
 * State of the Hack S2E01: #NoEasyBreach REVISITED (<https://www.fireeye.com/blog/products-and-services/2019/02/state-of-the-hack-no-easy-breach-revisited.html>)
 * Use PowerShell to Interact with the Windows API (<https://devblogs.microsoft.com/scripting/use-powershell-to-interact-with-the-windows-api-part-1>)
 * Yet another sdclt UAC bypass (<http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass>)
-
----
-
-### Additional Plan Resources
-
-* [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
-* [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
-* [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
-  * [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
-  * [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
-  * [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
-  * [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
-  * [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
-* [Archive](/Enterprise/apt29/Archive)
-* [Issues](https://github.com/attackevals/ael/issues)
-* [Change Log](/Enterprise/apt29/CHANGE_LOG.md)

Enterprise/apt29/Emulation_Plan/yaml/README.md

@@ -11,17 +11,3 @@ As new files are added, please list them in the below table.
 | [APT29.yaml](/Enterprise/apt29/Emulation_Plan/yaml/APT29.yaml) | N/A | Initial Emulation Plan YAML |
 
 ---
-
-## Additional Plan Resources
-
-- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
-- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
-- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
-  - [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
-  - [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
-  - [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
-  - [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
-  - [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
-- [Archive](/Enterprise/apt29/Archive)
-- [Issues](https://github.com/attackevals/ael/issues)
-- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)

Enterprise/apt29/Intelligence_Summary.md

@@ -138,17 +138,3 @@ ID | Source | Publisher | Date |
 16 |[Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers](https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/)|[Microsoft](https://www.microsoft.com/)| December 2018 |
 
 ---
-
-## Additional Plan Resources
-
-- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
-- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
-- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
-  - [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
-  - [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
-  - [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
-  - [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
-  - [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
-- [Archive](/Enterprise/apt29/Archive)
-- [Issues](https://github.com/attackevals/ael/issues)
-- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)

Enterprise/apt29/Operations_Flow.md

@@ -27,17 +27,3 @@ This scenario begins with a legitimate user clicking on a malicious payload deli
 The content to execute this scenario was tested and developed using PoshC2 and other custom/modified scripts and payloads. PoshC2 was chosen based on its available functionality and similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors.
 
 ---
-
-## Additional Plan Resources
-
-- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
-- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
-- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
-  - [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
-  - [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
-  - [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
-  - [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
-  - [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
-- [Archive](/Enterprise/apt29/Archive)
-- [Issues](https://github.com/attackevals/ael/issues)
-- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)

Enterprise/apt29/README.md

@@ -1,13 +1,12 @@
 ---
 category: enterprise
-route: /enterprise/apt29
 ---
 
 # APT29
 
 This adversary emulation plan is derived from the original [APT29](https://attack.mitre.org/groups/G0016/) content developed and used in the [2019 ATT&CK Evaluations](https://attackevals.mitre-engenuity.org/APT29/).
 
-APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation.<sup>[1](https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf),[14](https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf)</sup>  The group is reported to have been operating as early as 2008 and may have logged operational successes as recently as 2020.
+APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation.<sup>[1](https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf),[14](https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf)</sup> The group is reported to have been operating as early as 2008 and may have logged operational successes as recently as 2020.
 
 The Intelligence Summary summarizes 16 publicly available sources as well as the results of an [open call for contributions](https://medium.com/mitre-attack/open-invitation-to-share-cyber-threat-intelligence-on-apt29-for-adversary-emulation-plan-831c8c929f31), to describe APT29, their motivations, objectives, and observed target industries. It further describes a representative APT29 Operational Flow along with their publicly attributed Tactics, Techniques, and Procedures (TTPs) mapped to ATT&CK.
 
@@ -21,7 +20,7 @@ The APT29 emulation plan is a human-readable, step-by-step / command-by-command
 
 ## Resources
 
-Please note that binary files hosted in [Scenario_1](/Enterprise/apt29/Resources/Scenario_1) and [Scenario_2](/Enterprise/apt29/Resources/Scenario_2) have been added to password protected zip files.  The password for these files is "malware."
+Please note that binary files hosted in [Scenario_1](./Resources/Scenario_1/) and [Scenario_2](./Resources/Scenario_2) have been added to password protected zip files. The password for these files is "malware."
 
 ## Acknowledgements
 
@@ -31,20 +30,6 @@ We would like to formally thank the people that contributed to the content, revi
 - Microsoft
 - SentinelOne
 
-## Table of Contents
-
-- [Intelligence Summary](/Enterprise/apt29/Intelligence_Summary.md)
-- [Operations Flow](/Enterprise/apt29/Operations_Flow.md)
-- [Emulation Plan](/Enterprise/apt29/Emulation_Plan/README.md)
-  - [Scenario 1 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_1/Infrastructure.md)
-  - [Scenario 1](/Enterprise/apt29/Emulation_Plan/Scenario_1/README.md)
-  - [Scenario 2 - Infrastructure](/Enterprise/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)
-  - [Scenario 2](/Enterprise/apt29/Emulation_Plan/Scenario_2/README.md)
-  - [YAML](/Enterprise/apt29/Emulation_Plan/yaml)
-- [Archive](/Enterprise/apt29/Archive)
-- [Issues](https://github.com/attackevals/ael/issues)
-- [Change Log](/Enterprise/apt29/CHANGE_LOG.md)
-
 ## Liability / Responsible Usage
 
 This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.

Enterprise/apt29/Resources/README.md

@@ -1,3 +1,3 @@
 # Resources
 
-Please note that binary files hosted in [Scenario_1](/Enterprise/apt29/Resources/Scenario_1) and [Scenario_2](/Enterprise/apt29/Resources/Scenario_2) have been added to password protected zip files.  The password for these files is `malware`.
+Please note that binary files hosted in [Scenario_1](../Resources/Scenario_1) and [Scenario_2](../Resources/Scenario_2) have been added to password protected zip files. The password for these files is `malware`.

Enterprise/apt29/Resources/Scenario_1/README.md

@@ -0,0 +1,3 @@
+# Scenario 1
+
+See [!badge target="blank" icon="mark-github" text="GitHub Link"](https://github.com/attackevals/ael/tree/49516eb0eb51c7b8f3c2851d612ea5c5467ff2bb/Enterprise/apt29/Resources/Scenario_1) for additional information.

Enterprise/apt29/Resources/Scenario_2/README.md

@@ -0,0 +1,3 @@
+# Scenario 2
+
+See [!badge target="blank" icon="mark-github" text="GitHub Link"](https://github.com/attackevals/ael/tree/49516eb0eb51c7b8f3c2851d612ea5c5467ff2bb/Enterprise/apt29/Resources/Scenario_2) for additional information.