Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Turla ATT&CK Evaluations Round 5 2023 #142

Merged
merged 1 commit into from
Sep 20, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ Available adversary emulation plans are listed below:
| [Wizard Spider](/wizard_spider/) | [Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware. In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of the Ryuk ransomware. This resulted in "big game hunting" campaigns, focused on targeting large organizations for high-ransom return rates.](/wizard_spider/Intelligence_Summary/Intelligence_Summary.md).. |
| [OilRig](/oilrig/) | [OilRig is a cyber threat actor with operations aligning to the strategic objectives of the Iranian government. OilRig has been operational since at least 2014 and has a history of widespread impact, with operations directed against financial, government, energy, chemical, telecommunications and other sectors around the globe...](/oilrig/Intelligence_Summary/Intelligence_Summary.md) |
| [Blind Eagle](/blindEagle/) | [Blind Eagle is a South American threat actor focused on Colombia-based institutions, including entities in the financial, manufacturing, and petroleum sectors. Largely opportunistic in their motives, Blind Eagle leverages commodity RATs modified to fit the environment...](/blindEagle/Intelligence_Summary/Intelligence_Summary.md) |
| [Turla](/turla/) | [Active since at least the early 2000s, Turla is a sophisticated Russian-based threat group that has infected victims in more than 50 countries. Turla leverages novel techniques and custom tooling and open-source tools to elude defenses and persist on target networks...](/turla/Intelligence_Summary/Intelligence_Summary.md) |

| Micro Emulation Plans | Intelligence Summary |
|:------:|------|
Expand Down
963 changes: 963 additions & 0 deletions turla/Emulation_Plan/Carbon_Scenario/Carbon_Detections_Scenario.md

Large diffs are not rendered by default.

734 changes: 734 additions & 0 deletions turla/Emulation_Plan/Carbon_Scenario/Carbon_Protections_Scenario.md

Large diffs are not rendered by default.

38 changes: 38 additions & 0 deletions turla/Emulation_Plan/Carbon_Scenario/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Carbon Scenario

For ATT&CK Evaluations Enterprise Round 5, the Carbon scenario was developed to
emulate Turla's utilization of the following software:
- Epic
- Carbon
- PsExec
- Mimikatz
- Keylogger
- Penquin

## [Detections Scenario](./Carbon_Detections_Scenario.md)

This 10 step scenario was created for the Detections portion of ATT&CK
Evaluations Enterprise Round 5, where all prevention mechanisms and protection
tooling is **disabled** to allow the full emulation plan to execute unobstructed.
This allows the scenario to be executed from beginning to end, with each step
building upon the previous. and for telemetry on red team activity to be
gathered in full.

## [Protections Scenario](./Carbon_Protections_Scenario.md)

The scenario created for the Detections portion was modularized into 7 discrete
tests to create the Protections portion of ATT&CK Evaluations Enterprise Round
5, where prevention mechanisms and protection tooling is **enabled**. This
highlights protection capabilities of the deployed solution and encourages
blocks of red team activity as early as possible. For this reason, this
version of the scenario was designed to removes the dependencies between each
step.

## Infrastructure

This scenario was executed on the following infrastructure:

![Carbon Infrastructure Diagram](../../Resources/Images/CarbonInfrastructure.png)

Reference [setup](../../Resources/setup/) for guidance on deploying the
infrastructure used by this scenario.
11 changes: 11 additions & 0 deletions turla/Emulation_Plan/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Turla Emulation Plans

An **emulation plan** is the primary document used to execute the red team scenario during a purple team operation. This document includes red team execution commands, links to source code, ATT&CK techniques leveraged, and CTI reporting references.

When we have multiple emulation plans, we break these plans into scenarios and provide a description of the plan's focus.

| Emulation Plan | CTI Operations Flow | Description |
| ----------------- | ------------------- | ----------- |
| [Carbon Scenario](./Carbon_Scenario/) | [Carbon Operations Flow](../Operations_Flow/Carbon_Operations_Flow.md) | This directory contains the scenarios developed focusing on Turla's usage of Carbon. This plan was used to conduct ATT&CK Evaluations Enterprise Round 5 in 2023 |
| [Snake Scenario](./Snake_Scenario/) | [Snake Operations Flow](../Operations_Flow/Snake_Operations_Flow.md) | This directory contains the scenarios developed focusing on Turla's usage of Snake. This plan was used to conduct ATT&CK Evaluations Enterprise Round 5 in 2023. |
| [Caldera Support Files](./yaml/) | | This directory contains the setup instructions and data for porting the above scenarios into Caldera |
37 changes: 37 additions & 0 deletions turla/Emulation_Plan/Snake_Scenario/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
# Snake Scenario

For ATT&CK Evaluations Enterprise Round 5, the Snake scenario was developed to
emulate Turla's utilization of the following software:
- Epic
- Snake
- PsExec
- Mimikatz
- LightNeuron

## [Detections Scenario](./Snake_Detections_Scenario.md)

This 9 step scenario was created for the Detections portion of ATT&CK
Evaluations Enterprise Round 5, where all prevention mechanisms and protection
tooling is **disabled** to allow the full emulation plan to execute unobstructed.
This allows the scenario to be executed from beginning to end, with each step
building upon the previous. and for telemetry on red team activity to be
gathered in full.

## [Protections Scenario](./Snake_Protections_Scenario.md)

The scenario created for the Detections portion was modularized into 6 discrete
tests to create the Protections portion of ATT&CK Evaluations Enterprise Round
5, where prevention mechanisms and protection tooling is **enabled**. This
highlights protection capabilities of the deployed solution and encourages
blocks of red team activity as early as possible. For this reason, this
version of the scenario was designed to removes the dependencies between each
step.

## Infrastructure

This scenario was executed on the following infrastructure:

![Snake Infrastructure Diagram](../../Resources/Images/SnakeInfrastructure.png)

Reference [setup](../../Resources/setup/) for guidance on deploying the
infrastructure used by this scenario.
Loading
Loading