Adversary Emulation Planner (AEP)..
Project description
Adversary Emulation Planner
This tool can be used to automatically build an ordered set of attack stages with MITRE ATT&CK techniques executed during each stage.
The output is a set of attack stages that show all possible techniques that an adversary might execute during each stage.
To decide when the different techniques are to be found in such a set, promises are used as access tokens for execution of techniques. Each technique defines the set of promises required to execute it (think pre-conditions) and the set of promises it provides upon execution (think post-conditions).
Installation
Install using pip:
pip install aep
You will also need to clone the aep-data repository, which contains a starting point witch example data:
git clone https://github.com/mnemonic-no/aep-data
Usage/Examples
If you have checked out the aep-data repository you can run these commands in that repository, since you need access to default dat files.
aep-generate is where you should start and the other tools are more useful if you start making changes to the
data itself.
Generate Adversary Emulation Plan
$ aep-generate --end-condition objective_exfiltration --include-techniques T1021,T1046,T1583 --technique-bundle incident/UNC2452-Solorigate.json --show-promises
Removed 4 NOP techniques: ['T1036', 'T1036.004', 'T1036.005', 'T1083']
╒═════════╤══════════════════════════════════════════════════════════╤════════════════════════════════════════════╕
│ stage │ techniques │ new promises @end-of-stage │
╞═════════╪══════════════════════════════════════════════════════════╪════════════════════════════════════════════╡
│ 1 │ Acquire Infrastructure │ exploit_available │
│ │ Develop Capabilities │ info_domain_trust │
│ │ Develop Capabilities:Malware │ infrastructure_botnet │
│ │ Domain Trust Discovery │ infrastructure_certificate │
│ │ Obtain Capabilities │ infrastructure_domain │
│ │ Obtain Capabilities:Code Signing Certificates │ infrastructure_server │
│ │ Supply Chain Compromise │ privileges_user_local │
│ │ Supply Chain Compromise:Compromise Software Supply Chain │ tool_available │
│ │ │ tool_delivery │
├─────────┼──────────────────────────────────────────────────────────┼────────────────────────────────────────────┤
│ 2 │ Command and Scripting Interpreter │ access_filesystem │
│ │ Command and Scripting Interpreter:PowerShell │ code_executed │
│ │ Command and Scripting Interpreter:Windows Command Shell │ defense_evasion │
│ │ Scheduled Task/Job │ file_transfer │
│ │ │ persistence │
├─────────┼──────────────────────────────────────────────────────────┼────────────────────────────────────────────┤
│ 3 │ Account Discovery │ access_network │
│ │ Application Layer Protocol │ adversary_controlled_communication_channel │
│ │ Application Layer Protocol:Web Protocols │ credentials_user_domain │
│ │ Obfuscated Files or Information [*] │ credentials_user_local │
│ │ Permission Groups Discovery │ credentials_user_thirdparty │
│ │ Process Discovery │ info_groupname │
│ │ Signed Binary Proxy Execution [*] │ info_process_info │
│ │ Signed Binary Proxy Execution:Rundll32 [*] │ info_target_employee │
│ │ Unsecured Credentials │ info_username │
│ │ Unsecured Credentials:Private Keys │ │
├─────────┼──────────────────────────────────────────────────────────┼────────────────────────────────────────────┤
│ 4 │ Account Manipulation:Additional Cloud Credentials [*] │ info_cloud_services │
│ │ Cloud Service Discovery │ info_email_address │
│ │ Dynamic Resolution [*] │ info_network_hosts │
│ │ Dynamic Resolution:Domain Generation Algorithms [*] │ info_network_services │
│ │ Email Collection │ privileges_system_local │
│ │ Email Collection:Remote Email Collection │ │
│ │ Event Triggered Execution │ │
│ │ Ingress Tool Transfer [*] │ │
│ │ Network Service Scanning │ │
│ │ Valid Accounts [*] │ │
╘═════════╧══════════════════════════════════════════════════════════╧════════════════════════════════════════════╛
[*] Technique does not provide any new promises
FAIL: incomplete attack chain, could not achieve end condition: objective_exfiltration
Show Promise Usage
Show little or unused promises.
aep-promise-usage
╒══════════════════════════════════════╤════════════╤════════════╕
│ promise │ provides │ requires │
╞══════════════════════════════════════╪════════════╪════════════╡
│ info_cloud_hosts │ 8 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_denial_of_service │ 11 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ privileges_users │ 1 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ staged_data │ 7 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ fast_flux │ 0 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_network_config │ 7 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ waterhole │ 0 │ 2 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_password_policy │ 1 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_integrity │ 8 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_domain_trust │ 1 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ infrastructure_trusted_social_media │ 6 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_system_time │ 1 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ credentials_2fa_token │ 1 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ infrastructure_domain │ 14 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_exfiltration │ 15 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_cloud_services │ 8 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_destruction │ 11 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ infrastructure_certificate │ 12 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ access_network_intercept │ 1 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ infrastructure_trusted_email_account │ 6 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_resources_computational │ 1 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ objective_extortion │ 4 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ persistence │ 164 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ info_target_information │ 1 │ 0 │
├──────────────────────────────────────┼────────────┼────────────┤
│ defense_evasion │ 97 │ 0 │
╘══════════════════════════════════════╧════════════╧════════════╛
Show Techniques
Show summary based on MITRE ATT&CK technique ID.
aep-technique -t T1001
+++
Data Obfuscation
╒═════════════════╤════════════════╤═════════════════════╤══════════════════════════════╤════════════════╤════════════════════════╕
│ Provides │ Requires │ Tactic(s) │ Relevant │ Conditionals │ Subtechniques │
╞═════════════════╪════════════════╪═════════════════════╪══════════════════════════════╪════════════════╪════════════════════════╡
│ defense_evasion │ code_executed │ Command and Control │ authentication_server │ │ Junk Data │
│ │ tool_available │ │ backup_server │ │ Steganography │
│ │ tool_delivery │ │ client │ │ Protocol Impersonation │
│ │ │ │ content_management_server │ │ │
│ │ │ │ database_server │ │ │
│ │ │ │ directory_server │ │ │
│ │ │ │ file_server │ │ │
│ │ │ │ instant_messaging_server │ │ │
│ │ │ │ log_server │ │ │
│ │ │ │ login_server │ │ │
│ │ │ │ mail_server │ │ │
│ │ │ │ name_server │ │ │
│ │ │ │ network_firewall │ │ │
│ │ │ │ network_management_server │ │ │
│ │ │ │ network_router │ │ │
│ │ │ │ print_server │ │ │
│ │ │ │ proxy_server │ │ │
│ │ │ │ software_distribution_server │ │ │
│ │ │ │ virtualization_server │ │ │
│ │ │ │ web_server │ │ │
╘═════════════════╧════════════════╧═════════════════════╧══════════════════════════════╧════════════════╧════════════════════════╛
Technique bundle summary
aep-bundle -b incident/Ryuk-Bazar-Cobalt-Strike.json
(...)
Promise summary
aep-promise --promise tool_delivery
(...)
Search promises
Search promises based on specified criterias.
aep-promise-search --help
usage: aep-promise-search [-h] [--config-dir CONFIG_DIR] [--data-dir DATA_DIR]
[--promise-descriptions PROMISE_DESCRIPTIONS]
[--conditions CONDITIONS]
[--technique-promises TECHNIQUE_PROMISES]
[-p PROVIDES] [-np NOTPROVIDES] [-r REQUIRES]
[-nr NOTREQUIRES] [-n NAME]
Search techniques
optional arguments:
-h, --help show this help message and exit
--config-dir CONFIG_DIR
Default config dir with configurations for scio and
plugins
--data-dir DATA_DIR Root directory of data files
--promise-descriptions PROMISE_DESCRIPTIONS
Promise description file (CSV)
--conditions CONDITIONS
Conditions (CSV)
--technique-promises TECHNIQUE_PROMISES
Path for techniques.json. Supports data relative to
root data directory and absolute path
-p PROVIDES, --provides PROVIDES
Search for techniques providing these promises
-np NOTPROVIDES, --notprovides NOTPROVIDES
Search for techniques that does _not_ provide promises
-r REQUIRES, --requires REQUIRES
Search for techniques requires these promises
-nr NOTREQUIRES, --notrequires NOTREQUIRES
Search for techniques that does _not_ require promises
-n NAME, --name NAME Search for techniques whos name contains this string
Configuration
This step is not necessary, but can be used to change default settings on the tools. Run with:
aep-config user
which will create default settings in ~/.config/aep/config.
About
The Adversary Emulation Planner is developed in the SOCCRATES innovation project (https://soccrates.eu). SOCCRATES has received funding from the European Union’s Horizon 2020 Research and Innovation program under Grant Agreement No. 833481.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
aep-0.1.5.tar.gz
(19.6 kB
view hashes)
