This tool can be used to automatically build an ordered set of attack stages with MITRE ATT&CK techniques executed during each stage.
The output is a set of attack stages that show all possible techniques that an adversary might execute during each stage.
To decide in which stage each technique belongs, promises are used as access tokens for executing techniques. Each technique defines the set of promises it requires before it can be executed (think pre-conditions) and the set of promises it provides once executed (think post-conditions).
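A minimal model of this staging logic, as an added example that is not the aep project's own code: the technique names and their requires/provides sets are a constructed toy data set, not the contents of the aep-data repository, and `plan_stages` is an illustrative function, not an aep API.

```python
from typing import Dict, Iterable, List, Set, Tuple

Technique = Tuple[Set[str], Set[str]]  # (requires, provides)
Stage = Tuple[List[str], List[str]]     # (technique names, new promises)

# Constructed toy data in the shape the tool reads: each technique lists the
# promises it needs (pre-conditions) and those it yields (post-conditions).
TECHNIQUES: Dict[str, Technique] = {
    "Acquire Infrastructure": (set(), {"infrastructure_server"}),
    "Develop Capabilities": (set(), {"tool_available"}),
    "Supply Chain Compromise": ({"tool_available"}, {"code_executed"}),
    "Command and Scripting Interpreter": ({"code_executed"}, {"access_filesystem"}),
    "Obfuscated Files or Information": ({"code_executed"}, {"defense_evasion"}),
    "Signed Binary Proxy Execution": ({"code_executed"}, {"tool_available"}),
    "Unsecured Credentials": ({"access_filesystem"}, {"credentials_user_local"}),
    "Exfiltration Over C2 Channel": ({"access_filesystem", "infrastructure_server"},
                                     {"objective_exfiltration"}),
}


def plan_stages(techniques: Dict[str, Technique], end_condition: str,
                seed: Iterable[str] = ()) -> Tuple[List[Stage], bool]:
    """Group techniques into stages until end_condition is available.
    Each stage holds every unused technique whose requirements are met by
    the promises available so far; a technique adding no new promise is
    tagged "[*]". Returns (stages, reached); reached is False when nothing
    more can run and the end condition is still missing (the FAIL case)."""
    available: Set[str] = set(seed)
    used: Set[str] = set()
    stages: List[Stage] = []
    while end_condition not in available:
        runnable = sorted(name for name, (req, _) in techniques.items()
                          if name not in used and req <= available)
        if not runnable:
            return stages, False
        new_promises: Set[str] = set()
        for name in runnable:
            new_promises |= techniques[name][1] - available
        labelled = [n if techniques[n][1] - available else f"{n} [*]" for n in runnable]
        stages.append((labelled, sorted(new_promises)))
        available |= new_promises
        used.update(runnable)
    return stages, True


if __name__ == "__main__":
    plan, reached = plan_stages(TECHNIQUES, "objective_exfiltration")
    for number, (names, promises) in enumerate(plan, start=1):
        print(f"stage {number}: {names} -> {promises}")
    print("OK" if reached else "FAIL: incomplete attack chain")
```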
Install using pip:
pip install aep
You will also need to clone the aep-data repository, which contains a starting point with example data:
git clone https://github.com/mnemonic-no/aep-data
If you have checked out the aep-data repository, run these commands from inside that repository, since the tools need access to the default data files.
aep-generate is where you should start; the other tools become more useful once you start making changes to the data itself.
$ aep-generate --end-condition objective_exfiltration --include-techniques T1021,T1046,T1583 --technique-bundle incident/UNC2452-Solorigate.json --show-promises
Removed 4 NOP techniques: ['T1036', 'T1036.004', 'T1036.005', 'T1083']
+-------+----------------------------------------------------------+--------------------------------------------+
| stage | techniques                                               | new promises @end-of-stage                 |
+=======+==========================================================+============================================+
| 1     | Acquire Infrastructure                                   | exploit_available                          |
|       | Develop Capabilities                                     | info_domain_trust                          |
|       | Develop Capabilities:Malware                             | infrastructure_botnet                      |
|       | Domain Trust Discovery                                   | infrastructure_certificate                 |
|       | Obtain Capabilities                                      | infrastructure_domain                      |
|       | Obtain Capabilities:Code Signing Certificates            | infrastructure_server                      |
|       | Supply Chain Compromise                                  | privileges_user_local                      |
|       | Supply Chain Compromise:Compromise Software Supply Chain | tool_available                             |
|       |                                                          | tool_delivery                              |
+-------+----------------------------------------------------------+--------------------------------------------+
| 2     | Command and Scripting Interpreter                        | access_filesystem                          |
|       | Command and Scripting Interpreter:PowerShell             | code_executed                              |
|       | Command and Scripting Interpreter:Windows Command Shell  | defense_evasion                            |
|       | Scheduled Task/Job                                       | file_transfer                              |
|       |                                                          | persistence                                |
+-------+----------------------------------------------------------+--------------------------------------------+
| 3     | Account Discovery                                        | access_network                             |
|       | Application Layer Protocol                               | adversary_controlled_communication_channel |
|       | Application Layer Protocol:Web Protocols                 | credentials_user_domain                    |
|       | Obfuscated Files or Information [*]                      | credentials_user_local                     |
|       | Permission Groups Discovery                              | credentials_user_thirdparty                |
|       | Process Discovery                                        | info_groupname                             |
|       | Signed Binary Proxy Execution [*]                        | info_process_info                          |
|       | Signed Binary Proxy Execution:Rundll32 [*]               | info_target_employee                       |
|       | Unsecured Credentials                                    | info_username                              |
|       | Unsecured Credentials:Private Keys                       |                                            |
+-------+----------------------------------------------------------+--------------------------------------------+
| 4     | Account Manipulation:Additional Cloud Credentials [*]    | info_cloud_services                        |
|       | Cloud Service Discovery                                  | info_email_address                         |
|       | Dynamic Resolution [*]                                   | info_network_hosts                         |
|       | Dynamic Resolution:Domain Generation Algorithms [*]      | info_network_services                      |
|       | Email Collection                                         | privileges_system_local                    |
|       | Email Collection:Remote Email Collection                 |                                            |
|       | Event Triggered Execution                                |                                            |
|       | Ingress Tool Transfer [*]                                |                                            |
|       | Network Service Scanning                                 |                                            |
|       | Valid Accounts [*]                                       |                                            |
+-------+----------------------------------------------------------+--------------------------------------------+
[*] Technique does not provide any new promises
FAIL: incomplete attack chain, could not achieve end condition: objective_exfiltration
Show promises that are little used or not used at all.
aep-promise-usage
+--------------------------------------+----------+----------+
| promise                              | provides | requires |
+======================================+==========+==========+
| info_cloud_hosts                     | 8        | 0        |
| objective_denial_of_service          | 11       | 0        |
| privileges_users                     | 1        | 0        |
| staged_data                          | 7        | 0        |
| fast_flux                            | 0        | 0        |
| info_network_config                  | 7        | 0        |
| waterhole                            | 0        | 2        |
| info_password_policy                 | 1        | 0        |
| objective_integrity                  | 8        | 0        |
| info_domain_trust                    | 1        | 0        |
| infrastructure_trusted_social_media  | 6        | 0        |
| info_system_time                     | 1        | 0        |
| credentials_2fa_token                | 1        | 0        |
| infrastructure_domain                | 14       | 0        |
| objective_exfiltration               | 15       | 0        |
| info_cloud_services                  | 8        | 0        |
| objective_destruction                | 11       | 0        |
| infrastructure_certificate           | 12       | 0        |
| access_network_intercept             | 1        | 0        |
| infrastructure_trusted_email_account | 6        | 0        |
| objective_resources_computational    | 1        | 0        |
| objective_extortion                  | 4        | 0        |
| persistence                          | 164      | 0        |
| info_target_information              | 1        | 0        |
| defense_evasion                      | 97       | 0        |
+--------------------------------------+----------+----------+
Show summary based on MITRE ATT&CK technique ID.
aep-technique -t T1001
+++
Data Obfuscation
+-----------------+----------------+---------------------+------------------------------+--------------+------------------------+
| Provides        | Requires       | Tactic(s)           | Relevant                     | Conditionals | Subtechniques          |
+=================+================+=====================+==============================+==============+========================+
| defense_evasion | code_executed  | Command and Control | authentication_server        |              | Junk Data              |
|                 | tool_available |                     | backup_server                |              | Steganography          |
|                 | tool_delivery  |                     | client                       |              | Protocol Impersonation |
|                 |                |                     | content_management_server    |              |                        |
|                 |                |                     | database_server              |              |                        |
|                 |                |                     | directory_server             |              |                        |
|                 |                |                     | file_server                  |              |                        |
|                 |                |                     | instant_messaging_server     |              |                        |
|                 |                |                     | log_server                   |              |                        |
|                 |                |                     | login_server                 |              |                        |
|                 |                |                     | mail_server                  |              |                        |
|                 |                |                     | name_server                  |              |                        |
|                 |                |                     | network_firewall             |              |                        |
|                 |                |                     | network_management_server    |              |                        |
|                 |                |                     | network_router               |              |                        |
|                 |                |                     | print_server                 |              |                        |
|                 |                |                     | proxy_server                 |              |                        |
|                 |                |                     | software_distribution_server |              |                        |
|                 |                |                     | virtualization_server        |              |                        |
|                 |                |                     | web_server                   |              |                        |
+-----------------+----------------+---------------------+------------------------------+--------------+------------------------+
aep-bundle -b incident/Ryuk-Bazar-Cobalt-Strike.json
(...)
aep-promise --promise tool_delivery
(...)
Search promises based on the specified criteria.
aep-promise-search --help
usage: aep-promise-search [-h] [--config-dir CONFIG_DIR] [--data-dir DATA_DIR]
[--promise-descriptions PROMISE_DESCRIPTIONS]
[--conditions CONDITIONS]
[--technique-promises TECHNIQUE_PROMISES]
[-p PROVIDES] [-np NOTPROVIDES] [-r REQUIRES]
[-nr NOTREQUIRES] [-n NAME]
Search techniques
optional arguments:
-h, --help show this help message and exit
--config-dir CONFIG_DIR
Default config dir with configurations for scio and
plugins
--data-dir DATA_DIR Root directory of data files
--promise-descriptions PROMISE_DESCRIPTIONS
Promise description file (CSV)
--conditions CONDITIONS
Conditions (CSV)
--technique-promises TECHNIQUE_PROMISES
Path for techniques.json. Supports data relative to
root data directory and absolute path
-p PROVIDES, --provides PROVIDES
Search for techniques providing these promises
-np NOTPROVIDES, --notprovides NOTPROVIDES
Search for techniques that does _not_ provide promises
-r REQUIRES, --requires REQUIRES
Search for techniques requires these promises
-nr NOTREQUIRES, --notrequires NOTREQUIRES
Search for techniques that does _not_ require promises
-n NAME, --name NAME Search for techniques whos name contains this string
This step is not necessary, but can be used to change default settings on the tools. Run with:
aep-config user
which will create default settings in ~/.config/aep/config.
The Adversary Emulation Planner is developed in the SOCCRATES innovation project (https://soccrates.eu). SOCCRATES has received funding from the European Union's Horizon 2020 Research and Innovation program under Grant Agreement No. 833481.