Merge pull request #142 from center-for-threat-informed-defense/turla…

…-attack-evaluations-round-5

Turla ATT&CK Evaluations Round 5 2023

README.md

@@ -23,6 +23,7 @@ Available adversary emulation plans are listed below:
 | [Wizard Spider](/wizard_spider/) | [Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware. In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of the Ryuk ransomware. This resulted in "big game hunting" campaigns, focused on targeting large organizations for high-ransom return rates.](/wizard_spider/Intelligence_Summary/Intelligence_Summary.md).. |
 | [OilRig](/oilrig/) | [OilRig is a cyber threat actor with operations aligning to the strategic objectives of the Iranian government. OilRig has been operational since at least 2014 and has a history of widespread impact, with operations directed against financial, government, energy, chemical, telecommunications and other sectors around the globe...](/oilrig/Intelligence_Summary/Intelligence_Summary.md) |
 | [Blind Eagle](/blindEagle/) | [Blind Eagle is a South American threat actor focused on Colombia-based institutions, including entities in the financial, manufacturing, and petroleum sectors. Largely opportunistic in their motives, Blind Eagle leverages commodity RATs modified to fit the environment...](/blindEagle/Intelligence_Summary/Intelligence_Summary.md) |
+| [Turla](/turla/) | [Active since at least the early 2000s, Turla is a sophisticated Russian-based threat group that has infected victims in more than 50 countries. Turla leverages novel techniques and custom tooling and open-source tools to elude defenses and persist on target networks...](/turla/Intelligence_Summary/Intelligence_Summary.md) |
 
 | Micro Emulation Plans | Intelligence Summary |
 |:------:|------|

turla/Emulation_Plan/Carbon_Scenario/README.md

@@ -0,0 +1,38 @@
+# Carbon Scenario
+
+For ATT&CK Evaluations Enterprise Round 5, the Carbon scenario was developed to
+emulate Turla's utilization of the following software:
+- Epic
+- Carbon
+- PsExec
+- Mimikatz
+- Keylogger
+- Penquin
+
+## [Detections Scenario](./Carbon_Detections_Scenario.md)
+
+This 10 step scenario was created for the Detections portion of ATT&CK
+Evaluations Enterprise Round 5, where all prevention mechanisms and protection
+tooling is **disabled** to allow the full emulation plan to execute unobstructed.
+This allows the scenario to be executed from beginning to end, with each step
+building upon the previous. and for telemetry on red team activity to be
+gathered in full. 
+
+## [Protections Scenario](./Carbon_Protections_Scenario.md)
+
+The scenario created for the Detections portion was modularized into 7 discrete
+tests to create the Protections portion of ATT&CK Evaluations Enterprise Round
+5, where prevention mechanisms and protection tooling is **enabled**. This
+highlights protection capabilities of the deployed solution and encourages
+blocks of red team activity as early as possible. For this reason, this
+version of the scenario was designed to removes the dependencies between each
+step.
+
+## Infrastructure
+
+This scenario was executed on the following infrastructure:
+
+![Carbon Infrastructure Diagram](../../Resources/Images/CarbonInfrastructure.png)
+
+Reference [setup](../../Resources/setup/) for guidance on deploying the
+infrastructure used by this scenario.

turla/Emulation_Plan/README.md

@@ -0,0 +1,11 @@
+# Turla Emulation Plans
+
+An **emulation plan** is the primary document used to execute the red team scenario during a purple team operation. This document includes red team execution commands, links to source code, ATT&CK techniques leveraged, and CTI reporting references.
+
+When we have multiple emulation plans, we break these plans into scenarios and provide a description of the plan's focus. 
+
+| Emulation Plan | CTI Operations Flow | Description |
+| ----------------- | ------------------- | ----------- |
+| [Carbon Scenario](./Carbon_Scenario/) | [Carbon Operations Flow](../Operations_Flow/Carbon_Operations_Flow.md) | This directory contains the scenarios developed focusing on Turla's usage of Carbon. This plan was used to conduct ATT&CK Evaluations Enterprise Round 5 in 2023 |
+| [Snake Scenario](./Snake_Scenario/) | [Snake Operations Flow](../Operations_Flow/Snake_Operations_Flow.md) | This directory contains the scenarios developed focusing on Turla's usage of Snake. This plan was used to conduct ATT&CK Evaluations Enterprise Round 5 in 2023. |
+| [Caldera Support Files](./yaml/) |  | This directory contains the setup instructions and data for porting the above scenarios into Caldera |

turla/Emulation_Plan/Snake_Scenario/README.md

@@ -0,0 +1,37 @@
+# Snake Scenario
+
+For ATT&CK Evaluations Enterprise Round 5, the Snake scenario was developed to
+emulate Turla's utilization of the following software:
+- Epic
+- Snake
+- PsExec
+- Mimikatz
+- LightNeuron
+
+## [Detections Scenario](./Snake_Detections_Scenario.md)
+
+This 9 step scenario was created for the Detections portion of ATT&CK
+Evaluations Enterprise Round 5, where all prevention mechanisms and protection
+tooling is **disabled** to allow the full emulation plan to execute unobstructed.
+This allows the scenario to be executed from beginning to end, with each step
+building upon the previous. and for telemetry on red team activity to be
+gathered in full. 
+
+## [Protections Scenario](./Snake_Protections_Scenario.md)
+
+The scenario created for the Detections portion was modularized into 6 discrete
+tests to create the Protections portion of ATT&CK Evaluations Enterprise Round
+5, where prevention mechanisms and protection tooling is **enabled**. This
+highlights protection capabilities of the deployed solution and encourages
+blocks of red team activity as early as possible. For this reason, this
+version of the scenario was designed to removes the dependencies between each
+step.
+
+## Infrastructure
+
+This scenario was executed on the following infrastructure:
+
+![Snake Infrastructure Diagram](../../Resources/Images/SnakeInfrastructure.png)
+
+Reference [setup](../../Resources/setup/) for guidance on deploying the
+infrastructure used by this scenario.