logo
        • Who We Are

        • Learn more about MITRE Engenuity’s journey as a hub for transformative innovation.

        • How We Engage

        • We forge innovative partnerships to generate whole-of-nation solutions to complex technological problems.

        • Contact Us

        • Connect with a member of the MITRE Engenuity team and ensure your inquiry gets to the right people.

        • Cybersecurity

        • We are relentlessly advancing the art of threat-informed defense, anchored by a belief that we can improve our defenses with a systemic application of a deep understanding of adversary tradecraft and technology.

        • ATT&CK Evaluations

        • We offer objective analysis of cyber products and features – see our latest results.

        • Center for Threat-Informed Defense

        • Read more about the cutting-edge research and development being done with input from our participant organizations, featuring some of the top security operations centers.

        • Developing tomorrow's cyber workforce today.
        • News & Insights

        • We are leading the leading edge of innovation. Explore the latest news, insights, R&D, and special projects from our advanced tech experts and partners.

        • Subscribe to Our Newsletters

        • Our tech foundation is addressing the complex problems that face our nation today. Find out how you can join our efforts as we spur innovation for public good.

          Subscribe

Center for Threat-Informed Defense:
Adversary Emulation Library

A set of common emulation plans

The Adversary Emulation Library includes a collection of adversary emulation plans that allow organizations to evaluate their defensive capabilities against the real-world threats they face. Emulation plans are an essential component in testing current defenses for organizations that are looking to prioritize their defenses around actual adversary behavior. Focusing our energies on developing a set of common emulation plans that are available to all means that organizations can use their limited time and resources to focus on understanding how their defenses actually fare against real-world threats.

Why Use Adversary Emulation Plans?

Adversary Emulation mimics the behavior of real world threat actors in a safe and repeatable manner. Executing adversary emulation in your environment helps you answer questions such as:

  • How do we build a resilient defense that is not based on static (and easily evaded) IOCs?
  • How well do we detect, mitigate, respond to, or prevent against threat actor X?
  • Are we collecting the right data and running the right queries to detect technique Y?
  • How do we build the experience and skills on our team to defend against real-world threats?
  • How do we tune our tools and processes to maximize efficacy against real-world threats?

Adversary Emulation Plans

The library contains two types of adversary emulation plans: full emulation and micro emulation.

Atomic testing vs microevaluation.

Full Emulation Plans

A comprehensive approach to emulating a specific adversary, e.g. FIN6, from initial access to exfiltration. These plans emulate a wide range of ATT&CK tactics & techniques and are designed to emulate a real breach from the designated adversary.

Micro Emulation plans

A focused approach to emulating compound behaviors seen across multiple adversaries, e.g. webshells. These plans emulate a small amount of ATT&CK techniques that are typically performed as part of one adversary action.

Also see our blogs on the Adversary Emulation Library and Micro Emulation Plans.

Full Emulation Plans

APT29

APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation. The group is reported to have been operating as early as 2008 and may have logged operational successes as recently as 2020.

Blind Eagle

Blind Eagle is a suspected South American threat actor that has been active since at least 2018. Targets are typically Colombian government institutions, as well as entities in the financial, manufacturing, and petroleum sectors.

Carbanak

Not to be confused with FIN7, Carbanak is a threat group that has been active since at least 2013. Using malware that shares its name, Carbanak has been known to target financial institutions, as well as private customers.

FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. Seen as early as 2015, this group has aggressively targeted and compromised point of sale systems in the hospitality and retail sectors

FIN7

Not be confused with the Carbanak Group, FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since 2013. FIN7 traditionally attacks point of sale systems but has recently shifted to ransomware.

menuPass

menuPass is thought to be motivated by collection objectives that align with Chinese national interests. menuPass has targeted healthcare, defense, energy, within Japan and USA.

OceanLotus

OceanLotus is a cyber threat actor aligning to the interests of the Vietnamese government. First seen in 2012, OceanLotus targets private corporations in the manufacturing, consumer product, and hospitality sectors as well as foreign governments, political dissidents, and journalists.

OilRig

OilRig is a cyber threat actor with operations aligning to the strategic objectives of the Iranian government. OilRig has been operational since at least 2014 with operations directed against financial, government, energy, chemical, telecommunications and other sectors around the globe.

Sandworm

Responsible for the Ukranian power outage of 2017, Sandworm is a destructive threat group attributed to Russia’s General Staff of the Armed Forces, Main Intelligence Directorate (GRU). Sandworm is known for conducting large scale, well funded, destructive, and aggressive campaigns.

Turla

Active since at least the early 2000s, Turla is a sophisticated Russian-based threat group that has infected victims in more than 50 countries.1 The group has targeted government agencies, diplomatic missions, military groups, research and education facilities, critical infrastructure sectors, and media organizations.

Wizard Spider

Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware. In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of Ryuk ransomware.

Micro Emulation Plans

Active Directory Enumeration

Active Directory Enumeration Emulates multiple Discovery behaviors through commonly abused interfaces and services such as Active Directory (AD). 

Data Exfiltration

Data Exfiltration Emulates the compound behaviors of an adversary finding, staging, archiving, and extracting sensitive files. 

DLL Sideloading

DLL Sideloading Emulates an adversary executing an otherwise legitimate/benign application in order to hijack its modules/libraries to instead inject their malicious payload.  

File Access and File Modification

File Access and File Modification Emulates file access and modification behaviors commonly associated with Collection as well as Data Encrypted for Impact.

Log Clearing

Log Clearing Emulates an adversary clearing Windows Event Log.  

Named Pipes

Named Pipes Emulates the creation and use of named pipes commonly abused by malware.

Process Injection

Process Injection Emulates the compound behavior of Process Injection followed by execution of arbitrary commands.

Reflective Loading

Reflective Loading Emulates an adversary running malicious code within an arbitrary process to perform Reflective Code Loading. 

Remote Code Execution

Remote Code Execution Emulates an adversary performing remote code execution against a vulnerable web server as documented. 

User Execution

User Execution Emulates the compound behavior of delivering a malicious .one, .doc, .lnk, or .iso file (e.g. via Spearphishing Attachment) and then executing arbitrary commands after a user invokes the file.

Web Shells

Web Shells Emulates the compound behavior of planting a web shell and then executing arbitrary commands through it.

Windows Registry

Windows Registry Emulates a few common methods that adversaries use to modify the Windows Registry.