
Question regarding Fix for APT29 Emulation Plan #118

Open
L015H4CK opened this issue Jan 17, 2023 · 6 comments
@L015H4CK

Hello there,

It was already stated in issue #84 and in this comment on an issue in the repository for the CALDERA emu-Plugin that the APT29 emulation plan included in this adversary emulation library is faulty. To summarize: it includes abilities that do not belong there.

My question is whether a fixed version of the APT29 emulation plan exists somewhere. If not, I will work on it myself. Is anyone interested in the fixed version of the emulation plan? It will probably be split into two separate scenarios (APT29-Day1.yaml and APT29-Day2.yaml) as well as a completely new APT directory containing the APT3 emulation plan. I will gladly open a pull request as soon as I am done with it, but I just wanted to reach out to anyone who might be working on the APT29 emulation plan beforehand.

Best regards.

Additional information

The history of the problem

The "original" APT29 emulation plan was published in the CALDERA evals-plugin. This plugin includes the first round of the MITRE ATT&CK evaluations (APT3) as well as the second round (APT29). In total, it includes 10 different CALDERA adversary profiles. Three of them belong to two different scenarios of APT29 (Day1.A, Day1.B and Day2) and the other seven belong to different phases of APT3.

In January 2021 the content of the above-mentioned repository was ported to this repository and the "old" form was archived. During this port, all adversary profiles were merged into one emulation plan - APT29.yaml. This plan now contains both scenarios for APT29 as well as the abilities for APT3.

Now, when using the CALDERA emu-Plugin (which basically just downloads the emulation plans from this repo and parses them into CALDERA abilities and adversaries) we get one large adversary profile also containing both APT29 scenarios as well the abilities for APT3.

Both scenarios in one emulation plan?

It is quite trivial to see that the APT29 emulation plan contains both scenarios (Scenario 1, Scenario 2).

APT3 abilities in APT29 emulation plan?

The ability System Network Configuration Discovery with ID ee08a427-1e1d-4d8a-aeb1-978a7fcf9087 was originally included in the adversary profile for APT3.

It could not be found in the original adversary profile for APT29 Day1.A.

The APT29 emulation plan in this repository contains this specific ability as a substep of step 2 in scenario 1. When parsing a new adversary profile using the emu-plugin, all abilities (including this specific ability) are included there.

Multiple YAML-emulation plans and the emu plugin

The emu plugin is able to parse several YAML files contained in the Emulation_Plan/yaml directory. For each YAML file a separate adversary profile can be parsed.

@L015H4CK

Hello again,

I took the time and looked into the faulty APT29 emulation plan.
The APT29 emulation plan was split into 4 separate emulation plans: APT29-Day1.A, APT29-Day1.B, APT29-Day2 and APT3.

The changes can be seen in my fork master...L015H4CK:adversary_emulation_library:master.

How was it done?

I looked into the original, archived adversary profiles for APT29 and APT3 in the old evals plugin. For every archived profile and each ability in it, I checked the APT29 emulation plan for a matching ability. The matching ability was then copied to the new corresponding emulation plan.

Some interesting notes

  • Some abilities were used by more than one archived profile. However, the APT29 emulation plan only contained these abilities once (I did not write down which abilities these were).
  • For some abilities the order of execution was changed. I reverted the order of abilities back to the order in the archived adversary profiles.
  • After extracting all abilities in the APT29 emulation plan, i.e. copying them to a new, corresponding emulation plan, 4 abilities "were left" in it, i.e. they were not used by any of the archived profiles. These extra abilities all had the exact same command that is also originally used by the ability Access Token Manipulation. Furthermore, the names of these extra abilities were also (partially) already used by other abilities. Also, the name and ID of the used techniques were either (Access Token Manipulation, T1134) or (Access Token Manipulation: Token Impersonation/Theft, T1134.001) which does not match the actual name of the ability but the names and IDs of the abilities Access Token Manipulation and Bypass User Account Control.
    • TLDR: 4 extra abilities were included in the APT29 emulation plan. These 4 abilities have different names but all the same command. The names, commands and respective technique names and IDs do not match.
    • The 4 abilities are: Query Registry, Remote File Copy (T1105), Scheduled Task (T1053) and File and Directory Discovery (T1083).
    • Solution: I think the error might originate from the archived ability that was used by the archived APT3 profile, since the ability has several names that all correspond with the names of the extra abilities. It looks like this ability was just "copied" to the APT29 emulation plan 5 times - once for each name. I changed the name of the original ability back to the "long name" including all steps.
    • Note: These abilities all belong to APT3 - not APT29. Still, since I was already touching them I fixed it as well.

Results

With the technique described above I got 4 separate emulation plans: APT29-Day1.A, APT29-Day1.B, APT29-Day2 and APT3. The emulation plan for APT3 was moved to a separate directory called apt3 with no additional information about APT3.
The resulting emulation plans are all complete when compared to the original, archived adversary profiles.
Only the emulation plan for APT29-Day2 is missing the first ability, which was not included in the APT29 emulation plan. This ability is used as a setup - more info here. I have not checked yet whether the missing ability is really needed or whether it was removed because it was deprecated or no longer necessary.

Also, I did not find the time yet to run the new emulation plans using CALDERA and its emu plugin. I only checked if CALDERA correctly parses the emulation into adversary profiles and abilities (which it did). I think I will get to run the simulations later this week.

I will happily open a pull request if you are interested in the new emulation plans.
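The split described in the comment above, rebuilt as an added example that is not part of this thread or of the adversary_emulation_library: abilities from a merged plan are matched by id against the ordered ability lists of archived CALDERA adversary profiles, and the checks report what the comment found by hand (ids shared by several profiles, ids missing from the merged plan, leftover abilities, and abilities whose names differ but whose command is identical). The plan and profile data are constructed and simplified (ids, names and commands are made up; a real plan entry carries more fields).

```python
from collections import Counter, defaultdict

def ability(aid, name, command):
    """Build a minimal ability entry (a real plan entry has more fields)."""
    return {"id": aid, "name": name,
            "platforms": {"windows": {"psh": {"command": command}}}}

# Constructed merged plan, in the shape yaml.safe_load returns for the list of
# abilities in an emulation plan YAML. All values are made up for the example.
MERGED_PLAN = [
    ability("a1", "Initial Access", "cmd-1"),
    ability("a2", "Credential Dump", "cmd-2"),
    ability("a3", "Discovery", "cmd-3"),
    ability("a4", "Lateral Movement", "cmd-4"),
    ability("a6", "Cleanup", "cmd-6"),
    ability("a7", "Access Token Manipulation", "cmd-7"),
    ability("a8", "Query Registry", "cmd-7"),   # same command, different name
    ability("a9", "Scheduled Task", "cmd-7"),   # same command, different name
]

# Constructed archived profiles: each is the ordered ability-id list that a
# CALDERA adversary profile's atomic_ordering holds.
ARCHIVED_PROFILES = {
    "APT29-Day1.A": ["a1", "a2", "a3"],
    "APT29-Day1.B": ["a2", "a4"],        # shares a2 with Day1.A
    "APT29-Day2": ["a5", "a6"],          # a5 is absent from the merged plan
    "APT3": ["a7"],
}

def split_plan(merged, profiles):
    """Rebuild one plan per archived profile, keeping the profile's own order.
    Returns (plans, missing); missing lists ids the merged plan does not have."""
    by_id = {ab["id"]: ab for ab in merged}
    plans = {p: [by_id[i] for i in order if i in by_id] for p, order in profiles.items()}
    missing = {p: [i for i in order if i not in by_id] for p, order in profiles.items()}
    return plans, missing

def leftover_ids(merged, profiles):
    """Ability ids in the merged plan that no archived profile uses."""
    used = {i for order in profiles.values() for i in order}
    return [ab["id"] for ab in merged if ab["id"] not in used]

def shared_ids(profiles):
    """Ability ids used by more than one archived profile (must be copied to each plan)."""
    counts = Counter(i for order in profiles.values() for i in order)
    return sorted(i for i, n in counts.items() if n > 1)

def duplicate_command_groups(merged):
    """Names of abilities that share an identical command, grouped by command."""
    groups = defaultdict(list)
    for ab in merged:
        groups[ab["platforms"]["windows"]["psh"]["command"]].append(ab["name"])
    return {cmd: names for cmd, names in groups.items() if len(names) > 1}
```

Writing each entry of `plans` out with `yaml.safe_dump` gives one YAML file per profile, which is the layout the emu plugin parses into separate adversary profiles.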

@L015H4CK L015H4CK reopened this Jan 31, 2023
@mticmtic

mticmtic commented Feb 2, 2023

Hi L015H4CK, I appreciate the time and research you put into this issue! If you submit a PR, we can take a look to better understand the issue and what was fixed.

@L015H4CK

L015H4CK commented Feb 2, 2023

Hello Mike, I just created the pull request. If you have any questions regarding the changes please let me know.

@L015H4CK

Hello again! Is there still a chance the pull request will be reviewed? I am more than willing to pitch in and help or answer any questions about it.

@nism385

nism385 commented Mar 12, 2024

Not sure how I ended up involved with the project. Please remove me, Thank you.

@mehaase

mehaase commented Mar 12, 2024

Hi @L015H4CK, thank you for submitting the PR. We have discussed internally and would like to merge it but we need somebody on our staff to manually verify, and we are stretched thin atm with a lot of other releases this month. Please bear with us while we bring in the right personnel to review your PR.

@nism385 I cannot change your notification settings. Please check if you have “watch” set on this issue or on the whole repo.
