Skip to content
llpiper edited this page Jun 2, 2023 · 12 revisions

Adversary Emulation Library 📚

In collaboration with Center Participants, the Center for Threat-Informed Defense (Center) maintains a library of adversary emulation plans to allow organizations to evaluate their defensive capabilities against the real-world threats they face. Emulation plans are an essential component in testing current defenses for organizations that are looking to prioritize their defenses around actual adversary behavior. Focusing our energies on developing a set of common emulation plans that are available to all means that organizations can use their limited time and resources to focus on understanding how their defenses actually fare against real-world threats.

The library contains two types of adversary emulation plans: full emulation and micro emulation.

Full emulation plans are a comprehensive approach to emulating a specific adversary, e.g. FIN6, from initial access to exfiltration. These plans emulate a wide range of ATT&CK tactics & techniques and are designed to emulate a real breach from the designated adversary.

Micro emulation plans are a focused approach to emulating compound behaviors seen across multiple adversaries, e.g. webshells. These plans emulate a small amount of ATT&CK techniques that are typically performed as part of one adversary action.

Also see our blogs on the Adversary Emulation Library and Micro Emulation Plans.

Available adversary emulation plans are listed on the README, as well as how to get started using them.

Contributing to the Adversary Emulation Library

Thanks for contributing to the Adversary Emulation Library! You are welcome to comment on issues, open new issues, and open pull requests.

Pull requests should target the develop branch of the repository.

Also, if you contribute any source code, we need you to agree to the following Developer's Certificate of Origin below.

Intelligence Contributions

We are also seeking intelligence contributions, e.g., additional techniques, variations on one already covered, examples of techniques in use, log data, and other technical information. Review our for current Requests for Information.

Developer's Certificate of Origin v1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
    have the right to submit it under the open source license
    indicated in the file; or

(b) The contribution is based upon previous work that, to the best
    of my knowledge, is covered under an appropriate open source
    license and I have the right under that license to submit that
    work with modifications, whether created in whole or in part
    by me, under the same open source license (unless I am
    permitted to submit under a different license), as indicated
    in the file; or

(c) The contribution was provided directly to me by some other
    person who certified (a), (b) or (c) and I have not modified
    it.

(d) I understand and agree that this project and the contribution
    are public and that a record of the contribution (including all
    personal information I submit with it, including my sign-off) is
    maintained indefinitely and may be redistributed consistent with
    this project or the open source license(s) involved.
Clone this wiki locally