Question regarding Fix for APT29 Emulation Plan #118
Comments
Hello again, I took the time and looked into the faulty APT29 emulation plan. The changes can be seen in my fork master...L015H4CK:adversary_emulation_library:master.

How was it done?
I looked into the original, archived adversary profiles for APT29 and APT3 in the old evals plugin. For every archived profile, for each ability in it I checked the APT29 emulation plan for a matching ability. The matching ability was then copied to the new corresponding emulation plan.

Some interesting notes

Results
With the above described technique I got 4 separate emulation plans: APT29-Day1.A, APT29-Day1.B, APT29-Day2 and APT3. The emulation plan for APT3 was moved to a separate directory called

Also, I did not find the time yet to run the new emulation plans using CALDERA and its emu plugin. I only checked if CALDERA correctly parses the emulation into adversary profiles and abilities (which it did). I think I will get to run the simulations later this week. I will happily open a pull request if you are interested in the new emulation plans.
Hi L015H4CK, I appreciate the time and research you put into this issue! If you submit a PR, we can take a look to better understand the issue and what was fixed.
Hello Mike, I just created the pull request. If you have any questions regarding the changes please let me know.
Hello again! Is there still a chance the pull request will be reviewed? I am more than willing to pitch in and help or answer any questions about it.
Not sure how I ended up involved with the project. Please remove me, Thank you.
Hi @L015H4CK, thank you for submitting the PR. We have discussed internally and would like to merge it but we need somebody on our staff to manually verify, and we are stretched thin atm with a lot of other releases this month. Please bear with us while we bring in the right personnel to review your PR.

@nism385 I cannot change your notification settings. Please check if you have “watch” set on this issue or on the whole repo.
Hello there,
it was already stated in issue #84 and in this comment on an issue in the repository for the CALDERA emu-Plugin that the APT29 emulation plan included in this adversary emulation library is faulty. To summarize: it includes abilities that do not belong there.
My question is whether a fixed version of the APT29 emulation plan already exists somewhere. If not, I will work on it myself. Is anyone interested in the fixed version of the emulation plan? It will probably be split into two separate scenarios (APT29-Day1.yaml and APT29-Day2.yaml) as well as a completely new APT directory containing the APT3 emulation plan. I will gladly open a pull request as soon as I am done with it, but I just wanted to reach out to anyone who might be working on the APT29 emulation plan beforehand.
Best regards.
Additional information
The history of the problem
The "original" APT29 emulation plan was published in the CALDERA evals-plugin. This plugin includes the first round of the MITRE ATT&CK evaluations (APT3) as well as the second round (APT29). In total, it includes 10 different CALDERA adversary profiles. Three of them belong to two different scenarios of APT29 (Day1.A, Day1.B and Day2) and the other seven belong to different phases of APT3.
In January 2021 the content of the above-mentioned repository was ported to this repository and the "old" form was archived. During this port, all adversary profiles were merged into one emulation plan - APT29.yaml. This plan now contains both scenarios for APT29 as well as the abilities for APT3.
Now, when using the CALDERA emu-Plugin (which basically just downloads the emulation plans from this repo and parses them into CALDERA abilities and adversaries) we get one large adversary profile also containing both APT29 scenarios as well as the abilities for APT3.
Both scenarios in one emulation plan?
It is quite trivial to see that the APT29 emulation plan contains both scenarios.
[Scenario 1] [Scenario 2]
APT3 abilities in APT29 emulation plan?
The ability "System Network Configuration Discovery" with ID ee08a427-1e1d-4d8a-aeb1-978a7fcf9087 was originally included in the adversary profile for APT3. It could not be found in the original adversary profile for APT29 Day1.A.
The APT29 emulation plan in this repository contains this specific ability as a substep of step 2 in scenario 1. When parsing a new adversary profile using the emu-plugin, all abilities (including this specific one) are included there.
Multiple YAML-emulation plans and the emu plugin
The emu plugin is able to parse several YAML files contained in the Emulation_Plan/yaml directory. For each YAML file a separate adversary profile can be parsed.
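The matching procedure described in the first comment (walk each archived profile, look up each of its abilities in the merged APT29 plan by ID, copy the match into a new per-scenario plan) and the misplaced-ability observation above can both be checked mechanically. The script below is an added example, not code from the adversary_emulation_library project or the emu plugin. It assumes a simplified plan layout: a plan is a list of dicts, each ability carrying an `id` plus descriptive fields, and each archived CALDERA adversary profile is represented as a mapping from profile name to the ordered list of ability IDs it references. The in-memory data is constructed for the example (only the ee08a427-… ID comes from the issue; the other IDs are placeholders); real plans would be loaded with `yaml.safe_load` instead.

```python
"""Split a merged CALDERA emulation plan back into per-scenario plans.

Added example (not the adversary_emulation_library's or emu plugin's code).
Assumed layout: a plan is a list of dicts; the first entry is an
`emulation_plan_details` header and every other entry is an ability with an
`id`. Archived adversary profiles are given as name -> ordered ability ids.
"""
from typing import Dict, List, Set, Tuple

# Constructed stand-ins for the archived adversary profiles. Only the
# ee08a427-... id is taken from the issue; the 1111.../2222... ids are
# placeholders invented for this example.
ARCHIVED_PROFILES: Dict[str, List[str]] = {
    "APT29-Day1.A": [
        "11111111-0000-0000-0000-000000000001",
        "11111111-0000-0000-0000-000000000002",
    ],
    "APT3": ["ee08a427-1e1d-4d8a-aeb1-978a7fcf9087"],
}

# Constructed stand-in for the merged APT29.yaml. The APT3 discovery ability
# sits inside step 2 of scenario 1, as the issue describes, and one extra
# ability belongs to no archived profile at all.
MERGED_PLAN: List[dict] = [
    {"emulation_plan_details": {"adversary_name": "APT29"}},
    {"id": "11111111-0000-0000-0000-000000000001",
     "name": "Constructed ability 1", "procedure_step": "1.A.1"},
    {"id": "ee08a427-1e1d-4d8a-aeb1-978a7fcf9087",
     "name": "System Network Configuration Discovery",
     "procedure_step": "2.A.1"},
    {"id": "11111111-0000-0000-0000-000000000002",
     "name": "Constructed ability 2", "procedure_step": "3.A.1"},
    {"id": "22222222-0000-0000-0000-000000000009",
     "name": "Constructed orphan ability", "procedure_step": "9.A.1"},
]


def index_abilities(plan: List[dict]) -> Dict[str, dict]:
    """Map ability id -> ability entry, skipping the plan-details header."""
    return {entry["id"]: entry for entry in plan if "id" in entry}


def split_plan(
    merged: List[dict], profiles: Dict[str, List[str]]
) -> Tuple[Dict[str, List[dict]], List[str], Dict[str, List[str]]]:
    """Rebuild one plan per archived profile from the merged plan.

    Returns (plans, unassigned, missing):
      plans      - profile name -> new plan (header + abilities copied from
                   the merged plan, in the archived profile's order)
      unassigned - ids present in the merged plan that no profile references
      missing    - profile name -> ids the profile references but the merged
                   plan lacks, so nothing is dropped silently
    """
    by_id = index_abilities(merged)
    plans: Dict[str, List[dict]] = {}
    missing: Dict[str, List[str]] = {}
    claimed: Set[str] = set()
    for name, ids in profiles.items():
        # Each rebuilt plan gets its own header naming the scenario.
        plans[name] = [{"emulation_plan_details": {"adversary_name": name}}]
        for ability_id in ids:
            if ability_id in by_id:
                plans[name].append(by_id[ability_id])
                claimed.add(ability_id)
            else:
                missing.setdefault(name, []).append(ability_id)
    unassigned = [ability_id for ability_id in by_id if ability_id not in claimed]
    return plans, unassigned, missing


def ability_ids(plan: List[dict]) -> List[str]:
    """Ordered ability ids of a plan, header excluded (handy for reporting)."""
    return [entry["id"] for entry in plan if "id" in entry]


if __name__ == "__main__":
    plans, unassigned, missing = split_plan(MERGED_PLAN, ARCHIVED_PROFILES)
    for name, plan in plans.items():
        print(f"{name}: {ability_ids(plan)}")
    print("unassigned (in merged plan, in no profile):", unassigned)
    print("missing (in a profile, not in merged plan):", missing)
```

The two extra return values are the part worth keeping: `unassigned` surfaces abilities that would vanish from every rebuilt plan, and `missing` surfaces archived-profile abilities the merged file never contained, so a rebuild can be verified before it is run through CALDERA.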