Skip to content

mnemonic-no/aep

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Adversary Emulation Planner

This tool can be used to automatically build an ordered set of attack stages with MITRE ATT&CK techniques executed during each stage.

The output is a set of attack stages that show all possible techniques that an adversary might execute during each stage.

To decide when the different techniques are to be found in such a set, promises are used as access tokens for execution of techniques. Each technique defines the set of promises required to execute it (think pre-conditions) and the set of promises it provides upon execution (think post-conditions).

Installation

Install using pip:

pip install aep

You will also need to clone the aep-data repository, which contains a starting point witch example data:

git clone https://github.com/mnemonic-no/aep-data

Usage/Examples

If you have checked out the aep-data repository you can run these commands in that repository, since you need access to default dat files.

aep-generate is where you should start and the other tools are more useful if you start making changes to the data itself.

Generate Adversary Emulation Plan

$ aep-generate --end-condition objective_exfiltration --include-techniques T1021,T1046,T1583 --technique-bundle incident/UNC2452-Solorigate.json --show-promises
Removed 4 NOP techniques: ['T1036', 'T1036.004', 'T1036.005', 'T1083']
╒═════════╤══════════════════════════════════════════════════════════╤════════════════════════════════════════════╕
│   stage │ techniques                                               │ new promises @end-of-stage                 │
╞═════════╪══════════════════════════════════════════════════════════╪════════════════════════════════════════════╡
│       1 │ Acquire Infrastructure                                   │ exploit_available                          │
│         │ Develop Capabilities                                     │ info_domain_trust                          │
│         │ Develop Capabilities:Malware                             │ infrastructure_botnet                      │
│         │ Domain Trust Discovery                                   │ infrastructure_certificate                 │
│         │ Obtain Capabilities                                      │ infrastructure_domain                      │
│         │ Obtain Capabilities:Code Signing Certificates            │ infrastructure_server                      │
│         │ Supply Chain Compromise                                  │ privileges_user_local                      │
│         │ Supply Chain Compromise:Compromise Software Supply Chain │ tool_available                             │
│         │                                                          │ tool_delivery                              │
├─────────┼──────────────────────────────────────────────────────────┼────────────────────────────────────────────┤
│       2 │ Command and Scripting Interpreter                        │ access_filesystem                          │
│         │ Command and Scripting Interpreter:PowerShell             │ code_executed                              │
│         │ Command and Scripting Interpreter:Windows Command Shell  │ defense_evasion                            │
│         │ Scheduled Task/Job                                       │ file_transfer                              │
│         │                                                          │ persistence                                │
├─────────┼──────────────────────────────────────────────────────────┼────────────────────────────────────────────┤
│       3 │ Account Discovery                                        │ access_network                             │
│         │ Application Layer Protocol                               │ adversary_controlled_communication_channel │
│         │ Application Layer Protocol:Web Protocols                 │ credentials_user_domain                    │
│         │ Obfuscated Files or Information [*]                      │ credentials_user_local                     │
│         │ Permission Groups Discovery                              │ credentials_user_thirdparty                │
│         │ Process Discovery                                        │ info_groupname                             │
│         │ Signed Binary Proxy Execution [*]                        │ info_process_info                          │
│         │ Signed Binary Proxy Execution:Rundll32 [*]               │ info_target_employee                       │
│         │ Unsecured Credentials                                    │ info_username                              │
│         │ Unsecured Credentials:Private Keys                       │                                            │
├─────────┼──────────────────────────────────────────────────────────┼────────────────────────────────────────────┤
│       4 │ Account Manipulation:Additional Cloud Credentials [*]    │ info_cloud_services                        │
│         │ Cloud Service Discovery                                  │ info_email_address                         │
│         │ Dynamic Resolution [*]                                   │ info_network_hosts                         │
│         │ Dynamic Resolution:Domain Generation Algorithms [*]      │ info_network_services                      │
│         │ Email Collection                                         │ privileges_system_local                    │
│         │ Email Collection:Remote Email Collection                 │                                            │
│         │ Event Triggered Execution                                │                                            │
│         │ Ingress Tool Transfer [*]                                │                                            │
│         │ Network Service Scanning                                 │                                            │
│         │ Valid Accounts [*]                                       │                                            │
╘═════════╧══════════════════════════════════════════════════════════╧════════════════════════════════════════════╛
[*] Technique does not provide any new promises
FAIL: incomplete attack chain, could not achieve end condition: objective_exfiltration

Show Promise Usage

Show little or unused promises.

aep-promise-usage
╒══════════════════════════════════════╤════════════╤════════════╕
│ promise                              │   provides │   requires │
╞══════════════════════════════════════╪════════════╪════════════╡
│ info_cloud_hosts                     │          8 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_denial_of_service          │         11 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ privileges_users                     │          1 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ staged_data                          │          7 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ fast_flux                            │          0 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_network_config                  │          7 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ waterhole                            │          0 │          2 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_password_policy                 │          1 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_integrity                  │          8 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_domain_trust                    │          1 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ infrastructure_trusted_social_media  │          6 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_system_time                     │          1 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ credentials_2fa_token                │          1 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ infrastructure_domain                │         14 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_exfiltration               │         15 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_cloud_services                  │          8 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_destruction                │         11 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ infrastructure_certificate           │         12 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ access_network_intercept             │          1 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ infrastructure_trusted_email_account │          6 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_resources_computational    │          1 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_extortion                  │          4 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ persistence                          │        164 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_target_information              │          1 │          0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ defense_evasion                      │         97 │          0 │
╘══════════════════════════════════════╧════════════╧════════════╛

Show Techniques

Show summary based on MITRE ATT&CK technique ID.

aep-technique -t T1001
+++
        Data Obfuscation
╒═════════════════╤════════════════╤═════════════════════╤══════════════════════════════╤════════════════╤════════════════════════╕
│ Provides        │ Requires       │ Tactic(s)           │ Relevant                     │ Conditionals   │ Subtechniques          │
╞═════════════════╪════════════════╪═════════════════════╪══════════════════════════════╪════════════════╪════════════════════════╡
│ defense_evasion │ code_executed  │ Command and Control │ authentication_server        │                │ Junk Data              │
│                 │ tool_available │                     │ backup_server                │                │ Steganography          │
│                 │ tool_delivery  │                     │ client                       │                │ Protocol Impersonation │
│                 │                │                     │ content_management_server    │                │                        │
│                 │                │                     │ database_server              │                │                        │
│                 │                │                     │ directory_server             │                │                        │
│                 │                │                     │ file_server                  │                │                        │
│                 │                │                     │ instant_messaging_server     │                │                        │
│                 │                │                     │ log_server                   │                │                        │
│                 │                │                     │ login_server                 │                │                        │
│                 │                │                     │ mail_server                  │                │                        │
│                 │                │                     │ name_server                  │                │                        │
│                 │                │                     │ network_firewall             │                │                        │
│                 │                │                     │ network_management_server    │                │                        │
│                 │                │                     │ network_router               │                │                        │
│                 │                │                     │ print_server                 │                │                        │
│                 │                │                     │ proxy_server                 │                │                        │
│                 │                │                     │ software_distribution_server │                │                        │
│                 │                │                     │ virtualization_server        │                │                        │
│                 │                │                     │ web_server                   │                │                        │
╘═════════════════╧════════════════╧═════════════════════╧══════════════════════════════╧════════════════╧════════════════════════╛

Technique bundle summary

aep-bundle -b incident/Ryuk-Bazar-Cobalt-Strike.json

(...)

Promise summary

aep-promise --promise tool_delivery

(...)

Search promises

Search promises based on specified criterias.

aep-promise-search --help
usage: aep-promise-search [-h] [--config-dir CONFIG_DIR] [--data-dir DATA_DIR]
                          [--promise-descriptions PROMISE_DESCRIPTIONS]
                          [--conditions CONDITIONS]
                          [--technique-promises TECHNIQUE_PROMISES]
                          [-p PROVIDES] [-np NOTPROVIDES] [-r REQUIRES]
                          [-nr NOTREQUIRES] [-n NAME]

Search techniques

optional arguments:
  -h, --help            show this help message and exit
  --config-dir CONFIG_DIR
                        Default config dir with configurations for scio and
                        plugins
  --data-dir DATA_DIR   Root directory of data files
  --promise-descriptions PROMISE_DESCRIPTIONS
                        Promise description file (CSV)
  --conditions CONDITIONS
                        Conditions (CSV)
  --technique-promises TECHNIQUE_PROMISES
                        Path for techniques.json. Supports data relative to
                        root data directory and absolute path
  -p PROVIDES, --provides PROVIDES
                        Search for techniques providing these promises
  -np NOTPROVIDES, --notprovides NOTPROVIDES
                        Search for techniques that does _not_ provide promises
  -r REQUIRES, --requires REQUIRES
                        Search for techniques requires these promises
  -nr NOTREQUIRES, --notrequires NOTREQUIRES
                        Search for techniques that does _not_ require promises
  -n NAME, --name NAME  Search for techniques whos name contains this string

Configuration

This step is not necessary, but can be used to change default settings on the tools. Run with:

aep-config user

which will create default settings in ~/.config/aep/config.

About

The Adversary Emulation Planner is developed in the SOCCRATES innovation project (https://soccrates.eu). SOCCRATES has received funding from the European Union’s Horizon 2020 Research and Innovation program under Grant Agreement No. 833481.

Releases

No releases published

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages