Merge pull request #142 from center-for-threat-informed-defense/turla-attack-evaluations-round-5

Turla ATT&CK Evaluations Round 5 2023
Showing 561 changed files with 413,051 additions and 0 deletions.
turla/Emulation_Plan/Carbon_Scenario/Carbon_Detections_Scenario.md (963 additions, 0 deletions; large diff not rendered)
turla/Emulation_Plan/Carbon_Scenario/Carbon_Protections_Scenario.md (734 additions, 0 deletions; large diff not rendered)
@@ -0,0 +1,38 @@ | ||
# Carbon Scenario | ||
|
||
For ATT&CK Evaluations Enterprise Round 5, the Carbon scenario was developed to | ||
emulate Turla's utilization of the following software: | ||
- Epic | ||
- Carbon | ||
- PsExec | ||
- Mimikatz | ||
- Keylogger | ||
- Penquin | ||
|
||
## [Detections Scenario](./Carbon_Detections_Scenario.md) | ||
|
||
This 10 step scenario was created for the Detections portion of ATT&CK | ||
Evaluations Enterprise Round 5, where all prevention mechanisms and protection | ||
tooling is **disabled** to allow the full emulation plan to execute unobstructed. | ||
This allows the scenario to be executed from beginning to end, with each step | ||
building upon the previous. and for telemetry on red team activity to be | ||
gathered in full. | ||
|
||
## [Protections Scenario](./Carbon_Protections_Scenario.md) | ||
|
||
The scenario created for the Detections portion was modularized into 7 discrete | ||
tests to create the Protections portion of ATT&CK Evaluations Enterprise Round | ||
5, where prevention mechanisms and protection tooling is **enabled**. This | ||
highlights protection capabilities of the deployed solution and encourages | ||
blocks of red team activity as early as possible. For this reason, this | ||
version of the scenario was designed to removes the dependencies between each | ||
step. | ||
|
||
## Infrastructure | ||
|
||
This scenario was executed on the following infrastructure: | ||
|
||
![Carbon Infrastructure Diagram](../../Resources/Images/CarbonInfrastructure.png) | ||
|
||
Reference [setup](../../Resources/setup/) for guidance on deploying the | ||
infrastructure used by this scenario. |
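Review bot: the Detections and Protections paragraphs carry grammar slips that should be cleaned up before merge. `building upon the previous. and for telemetry on red team activity to be` has a stray period mid-sentence and should read `building upon the previous, and for telemetry ...`; `all prevention mechanisms and protection tooling is **disabled**` needs `are **disabled**` to agree with the compound subject (same for `is **enabled**` in the Protections paragraph); and `was designed to removes the dependencies` should be `was designed to remove the dependencies`. Separately, the software list would be more useful if each entry linked to the step of Carbon_Detections_Scenario.md where that tool is used; `Keylogger` in particular is a generic label rather than a tool name, so a link or a one-line description is the only way a reader can tell what is being emulated.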
@@ -0,0 +1,11 @@ | ||
# Turla Emulation Plans | ||
|
||
An **emulation plan** is the primary document used to execute the red team scenario during a purple team operation. This document includes red team execution commands, links to source code, ATT&CK techniques leveraged, and CTI reporting references. | ||
|
||
When we have multiple emulation plans, we break these plans into scenarios and provide a description of the plan's focus. | ||
|
||
| Emulation Plan | CTI Operations Flow | Description | | ||
| ----------------- | ------------------- | ----------- | | ||
| [Carbon Scenario](./Carbon_Scenario/) | [Carbon Operations Flow](../Operations_Flow/Carbon_Operations_Flow.md) | This directory contains the scenarios developed focusing on Turla's usage of Carbon. This plan was used to conduct ATT&CK Evaluations Enterprise Round 5 in 2023 | | ||
| [Snake Scenario](./Snake_Scenario/) | [Snake Operations Flow](../Operations_Flow/Snake_Operations_Flow.md) | This directory contains the scenarios developed focusing on Turla's usage of Snake. This plan was used to conduct ATT&CK Evaluations Enterprise Round 5 in 2023. | | ||
| [Caldera Support Files](./yaml/) | | This directory contains the setup instructions and data for porting the above scenarios into Caldera | |
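Review bot: the Carbon row's description ends without a period (`... Enterprise Round 5 in 2023 |`) while the Snake row's ends with one; make the two rows consistent. The Caldera Support Files row leaves the CTI Operations Flow cell blank, which renders as an empty column; a dash or `N/A` reads better. The two scenario descriptions also repeat the same sentence with only the tool name changed, so `This directory contains the scenarios developed focusing on Turla's usage of Carbon.` could be shortened to `Scenarios focusing on Turla's usage of Carbon.` in both rows without losing anything.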
@@ -0,0 +1,37 @@ | ||
# Snake Scenario | ||
|
||
For ATT&CK Evaluations Enterprise Round 5, the Snake scenario was developed to | ||
emulate Turla's utilization of the following software: | ||
- Epic | ||
- Snake | ||
- PsExec | ||
- Mimikatz | ||
- LightNeuron | ||
|
||
## [Detections Scenario](./Snake_Detections_Scenario.md) | ||
|
||
This 9 step scenario was created for the Detections portion of ATT&CK | ||
Evaluations Enterprise Round 5, where all prevention mechanisms and protection | ||
tooling is **disabled** to allow the full emulation plan to execute unobstructed. | ||
This allows the scenario to be executed from beginning to end, with each step | ||
building upon the previous. and for telemetry on red team activity to be | ||
gathered in full. | ||
|
||
## [Protections Scenario](./Snake_Protections_Scenario.md) | ||
|
||
The scenario created for the Detections portion was modularized into 6 discrete | ||
tests to create the Protections portion of ATT&CK Evaluations Enterprise Round | ||
5, where prevention mechanisms and protection tooling is **enabled**. This | ||
highlights protection capabilities of the deployed solution and encourages | ||
blocks of red team activity as early as possible. For this reason, this | ||
version of the scenario was designed to removes the dependencies between each | ||
step. | ||
|
||
## Infrastructure | ||
|
||
This scenario was executed on the following infrastructure: | ||
|
||
![Snake Infrastructure Diagram](../../Resources/Images/SnakeInfrastructure.png) | ||
|
||
Reference [setup](../../Resources/setup/) for guidance on deploying the | ||
infrastructure used by this scenario. |
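Review bot: this README repeats the Carbon README's wording verbatim and so inherits the same grammar problems: the stray period in `building upon the previous. and for telemetry`, `tooling is **disabled**` and `is **enabled**` should use `are`, and `designed to removes` should be `designed to remove`. Since the two files differ only in the tool list, the step count (9 vs 10), the test count (6 vs 7) and the diagram path, fix both in the same change so they do not drift, and confirm the step and test counts against the headings in Snake_Detections_Scenario.md and Snake_Protections_Scenario.md before merging.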