Skip to content
Cat edited this page Sep 15, 2023 · 12 revisions

Adversary Emulation Library πŸ“š

Adversary emulation is a specific style of offensive assessment that uses cyber threat intelligence to describe behaviors observed in specific campaigns or malware samples. Using real-world adversaries, the Center for Threat-Informed Defense (Center) maintains this library of adversary emulation plans and maps them to MITRE ATT&CK techniques. The goals of these emulations plans are to enable organizations to evaluate their defensive capabilities and provide red teams a template to emulate adversaries.


Emulation plans provide a step-by-step execution of the adversaries actions based on open-source intelligence reporting and mapped to MITRE ATT&CK techniques. Source code and commands are provided to execute the plan. The library contains two types of adversary emulation plans:

  • Full emulation πŸ₯§ - starting with initial access that build on each previous step until the adversary's objective are accomplished

  • Micro emulation 🍰 - a focused approach to emulating compound behaviors seen across multiple adversaries

For more information, we have blogs! ✍️

πŸ““ Adversary Emulation Library πŸ“” Micro Emulation Plans


Getting Started πŸ—ΊοΈ

Coming Soon!

A guide to submitting open-source intelligence contributions, bug requests, feature requests, and new emulation plans (or suggestions).

Frequently asked questions ❓

Coming Soon!

Connect with Us πŸ“Ÿ

We πŸ’– feedback! Let us know how using the Adversary Emulation Library has helped you and any snags that you encountered along the way.

πŸ“§ Email: [email protected]

🐦 Twitter: https://twitter.com/MITREengenuity

πŸ”— LinkedIn: https://www.linkedin.com/company/mitre-engenuity/

You can also make issues on this repo and reach out to the maintainers πŸ‘©β€πŸ’».

Clone this wiki locally