SimSpace Attack Catalog

ALLANITE
11 minutes

DESCRIPTION

In this scenario, a C2 agent lands on a low-level victim and utilizes privileged credentials to add registry keys and create new hidden users with administrator-level permissions.

MITRE Tactics and Sub-techniques

  • Account Manipulation (T1098)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Create Account: Local Account (T1136.001)
  • Create or Modify System Process: Windows Service (T1543.003)
  • Drive-By Compromise (T1189)
  • Hide Artifacts: Hidden Users (T1564.002)
  • User Execution (T1024)
  • Valid Accounts: Domain Accounts (T1078.002)

APT19
9 minutes

DESCRIPTION

In this scenario, a C2 agent lands on a low-level victim and drops a malicious binary to disk after performing several discovery actions. The automated attacker takes advantage of two Windows LOLBins before exiting.

MITRE Tactics and Sub-techniques

  • Application Layer Protocol: Web Protocols (T1071.001)
  • Drive-By Compromise (T1189)
  • Ingress Tool Transfer (T1105)
  • Signed Binary Proxy Execution: Rundll32 (T1218.011)
  • System Information Discovery (T1082)
  • User Execution (T1024)
  • Valid Accounts: Domain Accounts (T1078.002)

APT29 (Russia)
9 minutes

DESCRIPTION

Inspired by APT29. An automated attack meant to emulate an APT actor with the common names Solorigate, SUNBURST, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, and APT29. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Service Discovery (T1007)
  • System Network Configuration Discovery (T1016)
  • Process Discovery (T1057)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Valid Accounts: Local Accounts (T1078)
  • System Information Discovery (T1082)
  • Account Discovery: Domain Account (T1087.002)
  • Automated Collection (T1119)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Archive Collected Data: Archive Via Utility (T1560.001)
  • Impair Defenses: Disable Windows Event Logging (T1562.002)
  • Impair Defenses: Disable Or Modify System Firewall (T1562.004)
  • Exfiltration Over Web Service (T1567)

APT3 Inspired Scenario
9 minutes

DESCRIPTION

In this scenario, a C2 agent lands on a low-level victim and collects a vast amount of data before elevating privileges. Several files are exfiltrated, persistence is obtained, and the automated attacker moves laterally to another victim. On the next victim, more data is staged and exfiltrated. The automated attacker then clears its tracks.

MITRE Tactics and Sub-techniques

  • Account Discovery: Domain Account (T1087.002)
  • Account Manipulation (T1098)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Create Account: Local Account (T1136)
  • Data Staged: Local Data Staging (T1074.001)
  • Drive-By Compromise (T1189)
  • Exfiltration Over Web Service (T1567)
  • Indicator Removal On Host (T1070)
  • Permission Groups Discovery: Local Groups (T1069.001)
  • Phishing: Spearphishing Link (T1566.002)
  • Process Discovery (T1057)
  • Remote Services (T1021)
  • Remote System Discovery (T1018)
  • Scheduled Task/Job (T1053)
  • Software Discovery: Security Software Discovery (T1518.001)
  • System Information Discovery (T1082)
  • System Network Configuration Discovery (T1016)
  • System Network Connections Discovery (T1049)
  • System Owner User Discovery (T1033)
  • Taint Shared Content (T1080)
  • User Execution (T1204)
  • Valid Accounts: Local Accounts (T1078)

APT41 (China)
11 minutes

DESCRIPTION

Inspired by APT41. An automated attack meant to emulate an APT actor with the common names WICKED PANDA and APT41. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Owner User Discovery (T1033)
  • Windows Management Instrumentation (T1047)
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Obfuscated Non C2 Protocol (T1048.003)
  • System Network Connections Discovery (T1049)
  • Indicator Removal On Host: Clear Windows Event Logs (T1070.001)
  • Indicator Removal On Host: File Deletion (T1070.004)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Account Manipulation (T1098)
  • Network Share Discovery (T1135)
  • Create Account: Local Account (T1136)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Create Or Modify System Process: Windows Service (T1543.003)
  • Archive Collected Data: Archive Via Utility (T1560.001)
  • Exfiltration Over Web Service (T1567)
  • System Services: Service Execution (T1569.002)

Beaconer Deployment
5 minutes

DESCRIPTION

Gains access to a host via a spearphishing link. Opens a bypass session on that host, collects information, and deploys a beaconer.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote System Discovery (T1018)
  • System Owner User Discovery (T1033)
  • System Network Connections Discovery (T1049)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Local Groups (T1069.001)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • Account Discovery: Domain Account (T1087.002)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Software Discovery: Security Software Discovery (T1518.001)
  • Phishing: Spearphishing Link (T1566.002)

Bronze Butler (China)
20 minutes

DESCRIPTION

Implements an automated attack meant to emulate an APT actor with the common names Bronze Butler, Tick, Nian, and StalkerPanda. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote System Discovery (T1018)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • Scheduled Task/Job (T1053)
  • Permission Groups Discovery: Domain Groups (T1069.002)
  • Indicator Removal On Host: File Deletion (T1070.004)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • File And Directory Discovery (T1083)
  • Account Discovery: Domain Account (T1087.002)
  • Screen Capture (T1113)
  • System Time Discovery (T1124)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Software Discovery: Security Software Discovery (T1518.001)
  • Archive Collected Data: Archive Via Utility (T1560.001)
  • Exfiltration Over Web Service (T1567)

Chimera (China)
32 minutes

DESCRIPTION

An automated attack meant to emulate an APT actor with the common names Chimera and CyCraft. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Service Discovery (T1007)
  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Owner User Discovery (T1033)
  • System Network Connections Discovery (T1049)
  • Scheduled Task/Job (T1053)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Local Groups (T1069.001)
  • Permission Groups Discovery: Domain Groups (T1069.002)
  • Indicator Removal On Host: Clear Windows Event Logs (T1070.001)
  • Indicator Removal On Host: File Deletion (T1070.004)
  • Indicator Removal On Host: Timestomp (T1070.006)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • Account Discovery: Local Account (T1087.001)
  • Account Discovery: Domain Account (T1087.002)
  • Email Collection: Local Email Collection (T1114.001)
  • System Time Discovery (T1124)
  • Network Share Discovery (T1135)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Browser Bookmark Discovery (T1217)
  • Domain Trust Discovery (T1482)
  • Exfiltration Over Web Service (T1567)

Domain Controller Service Disruption and Exfiltration
5 minutes

DESCRIPTION

Gains initial access in the network via a phishing email link. It utilizes the domain administrator credentials on the initial access host, and then uses those with schtasks-based lateral movement techniques to move laterally from the initial access host to the Domain Controller (DC). The scenario exfiltrates data from both the initial access and lateral host victims. It also disrupts the availability of the infrastructure by killing a ‘critical’ process on the DC.

MITRE Tactics and Sub-techniques

  • Remote System Discovery (T1018)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Owner User Discovery (T1033)
  • Windows Management Instrumentation (T1047)
  • System Network Connections Discovery (T1049)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Account Discovery: Domain Account (T1087.002)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Service Stop (T1489)
  • Boot Or Logon Autostart Execution: Registry Run Keys Startup Folder (T1547.001)
  • Archive Collected Data: Archive Via Utility (T1560.001)
  • Phishing: Spearphishing Link (T1566.002)
  • Exfiltration Over Web Service (T1567)

Dragonfly
38 minutes

DESCRIPTION

In this scenario, a C2 agent lands on a low-level victim and immediately elevates its privileges before performing numerous discovery commands on the local system. After modifying security settings and adding registry keys, the automated attacker creates new accounts, establishes persistence, and opens a backdoor for future access.

MITRE Tactics and Sub-techniques

  • Account Discovery: Domain Account (T1087.002)
  • Account Manipulation (T1098)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Create Account: Local Account (T1136.001)
  • Create or Modify System Process: Windows Service (T1543.003)
  • Drive-By Compromise (T1189)
  • File and Directory Discovery (T1083)
  • Impair Defenses: Disable or Modify System Firewall (T1562.004)
  • Modify Registry (T1112)
  • Network Share Discovery (T1135)
  • Process Discovery (T1057)
  • Software Discovery: Security Software Discovery (T1518.001)
  • System Information Discovery (T1082)
  • System Network Configuration Discovery (T1016)
  • System Network Connections Discovery (T1049)
  • System Owner/User Discovery (T1033)
  • System Services: Service Execution (T1569.002)
  • User Execution (T1024)
  • Valid Accounts: Domain Accounts (T1078.002)

GALLIUM (China)
17 minutes

DESCRIPTION

An automated attack meant to emulate an APT actor with the common names Operation Soft Cell and GALLIUM. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • Data From Local System (T1005)
  • System Network Configuration Discovery (T1016)
  • Remote System Discovery (T1018)
  • System Owner User Discovery (T1033)
  • System Network Connections Discovery (T1049)
  • Indicator Removal On Host: File Deletion (T1070.004)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Valid Accounts: Local Accounts (T1078)
  • System Information Discovery (T1082)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Archive Collected Data (T1560)
  • Exfiltration Over Web Service (T1567)

Hopi
13 minutes

DESCRIPTION

An automated attack that is unique and not attributed to a specific threat actor. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Owner User Discovery (T1033)
  • Scheduled Task/Job (T1053)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Domain Groups (T1069.002)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Software Discovery: Security Software Discovery

Host-Based Artifact Dropper w/ Multiple File Exfil
39 minutes

DESCRIPTION

Attempts to gain access to a lateral host, potentially on a different subnet. Achieves persistence on the initial access host in two ways and the lateral host in one way. Exfiltrates data from the lateral host through two different channels and intentionally leaves behind a variety of artifacts for Blue Team detection and forensic analysis.

MITRE Tactics and Sub-techniques

  • Remote System Discovery (T1018)
  • Remote Services (T1021)
  • System Owner User Discovery (T1033)
  • System Network Connections Discovery (T1049)
  • Scheduled Task/Job (T1053)
  • Scheduled Task/Job: Scheduled Task (T1053.005)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Data Staged: Local Data Staging (T1074.001)
  • Valid Accounts: Local Accounts (T1078)
  • Taint Shared Content (T1080)
  • Account Discovery: Domain Account (T1087.002)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Boot Or Logon Autostart Execution: Registry Run Keys Startup Folder (T1547.001)
  • Phishing: Spearphishing Link (T1566.002)

Initial Access VNC Recon
8 minutes

DESCRIPTION

In this scenario, a C2 agent lands on a low-level victim and drops remote access software. The automated attacker collects sensitive data from the unsuspecting target and quickly covers its tracks before exiting.

MITRE Tactics and Sub-techniques

  • Application Layer Protocol: Web Protocols (T1071.001)
  • Deobfuscate/Decode Files or Information (T1140)
  • Drive-By Compromise (T1189)
  • Hide Artifacts (T1564)
  • Indicator Removal on Host: File Deletion (T1070.004)
  • Ingress Tool Transfer (T1105)
  • Remote Access Software (T1219)
  • Screen Capture (T1113)
  • User Execution (T1024)

Lazarus Group (North Korea)
16 minutes

DESCRIPTION

Inspired by APT38. Implements an automated attack meant to emulate an APT actor with operations known as Lazarus Group. Attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Owner User Discovery (T1033)
  • Scheduled Task/Job (T1053)
  • Process Discovery (T1057)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • System Time Discovery (T1124)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Phishing: Spearphishing Link (T1566.002)
  • Exfiltration Over Web Service (T1567)

Leviathan – Variant 1
10 minutes

DESCRIPTION

An automated attack meant to emulate an APT actor with common names Leviathan, Kryptonite Panda, and Gadolinium. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Owner User Discovery (T1033)
  • Process Discovery (T1057)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Internal Spearphishing (T1534)
  • Phishing: Spearphishing Link (T1566.002)
  • Exfiltration Over Web Service (T1567)

Leviathan – Variant 2
9 minutes

DESCRIPTION

Inspired by an advanced persistent threat (APT) actor with the common names APT40, MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, Leviathan, and TEMP.Periscope. Implements a series of tactics, techniques, and procedures typically used by the threat actor commonly described as Leviathan. The actor infiltrates via a phishing link, moves laterally via a remote scheduled task, and exfiltrates data from that lateral host via a shared drive.

MITRE Tactics and Sub-techniques

  • Remote System Discovery (T1018)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • Scheduled Task/Job (T1053)
  • Scheduled Task/Job: Scheduled Task (T1053.005)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Valid Accounts: Local Accounts (T1078)
  • Taint Shared Content (T1080)
  • Create Account: Local Account (T1136)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Phishing: Spearphishing Link (T1566.002)
  • Exfiltration Over Web Service (T1567)

menuPass Inspired Scenario
9 minutes

DESCRIPTION

Inspired by an advanced persistent threat (APT) actor with the common names menuPass, Cicada, POTASSIUM, Stone Panda, Red Apollo, CVNX, APT10, and HOGFISH. Implements a series of tactics, techniques, and procedures typically used by the threat actor commonly known as APT10. The actor infiltrates via a phishing link, moves laterally, and exfiltrates data from that lateral host.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote System Discovery (T1018)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Owner User Discovery (T1033)
  • System Network Connections Discovery (T1049)
  • Scheduled Task/Job (T1053)
  • Scheduled Task/Job: Scheduled Task (T1053.005)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Local Groups (T1069.001)
  • Indicator Removal On Host: File Deletion (T1070.004)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Data Staged: Local Data Staging (T1074.001)
  • Valid Accounts: Local Accounts (T1078)
  • System Information Discovery (T1082)
  • Account Discovery: Domain Account (T1087.002)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Software Discovery: Security Software Discovery (T1518.001)
  • Phishing: Spearphishing Link (T1566.002)
  • Exfiltration Over Web Service (T1567)

Montezuma
30 minutes

DESCRIPTION

An automated attack that is unique and not attributed to a specific threat actor. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • Remote Services: Smb Windows Admin Shares (T1021.002)
  • Scheduled Transfer (T1029)
  • System Owner User Discovery (T1033)
  • Scheduled Task/Job (T1053)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Domain Groups (T1069.002)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Data Staged (T1074)
  • Data Staged: Local Data Staging (T1074.001)
  • System Information Discovery (T1082)
  • Clipboard Data (T1115)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Software Discovery: Security Software Discovery (T1518.001)
  • Archive Collected Data (T1560)
  • Exfiltration Over Web Service (T1567)

Mustang Panda (China)
9 minutes

DESCRIPTION

An automated attack meant to emulate an APT actor with the common names TA416, RedDelta, BRONZE PRESIDENT, and Mustang Panda. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Network Connections Discovery (T1049)
  • Scheduled Task/Job (T1053)
  • Process Discovery (T1057)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Data Staged: Local Data Staging (T1074.001)
  • Valid Accounts: Local Accounts (T1078)
  • System Information Discovery (T1082)
  • File And Directory Discovery (T1083)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Software Discovery (T1518)
  • Exfiltration Over Web Service (T1567)

OilRig (Iran)
9 minutes

DESCRIPTION

An automated attack meant to emulate an APT actor with the common names OilRig, APT34, and Helix Kitten. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Owner User Discovery (T1033)
  • Scheduled Task/Job (T1053)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Domain Groups (T1069.002)
  • Indicator Removal On Host (T1070)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Software Discovery: Security Software Discovery (T1518.001)
  • Phishing: Spearphishing Link (T1566.002)

Operation Wocao (China)
30 minutes

DESCRIPTION

Implements an automated attack meant to emulate an APT actor with the common name Operation Wocao. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Service Discovery (T1007)
  • Query Registry (T1012)
  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • Remote Services: Smb Windows Admin Shares (T1021.002)
  • Windows Management Instrumentation (T1047)
  • System Network Connections Discovery (T1049)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Local Groups (T1069.001)
  • Permission Groups Discovery: Domain Groups (T1069.002)
  • Indicator Removal On Host: Clear Windows Event Logs (T1070.001)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • File And Directory Discovery (T1083)
  • Account Discovery: Domain Account (T1087.002)
  • System Time Discovery (T1124)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Software Discovery: Security Software Discovery (T1518.001)
  • Impair Defenses: Disable Or Modify System Firewall (T1562.004)
  • Exfiltration Over Web Service (T1567)

Patchwork (India)
10 minutes

DESCRIPTION

Inspired by the Patchwork group. An automated attack meant to emulate an APT actor with the common name Patchwork (so named because the threat actor uses code copied and pasted from various online forums, much like a patchwork quilt). Attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Owner User Discovery (T1033)
  • Scheduled Task/Job (T1053)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Domain Groups (T1069.002)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Software Discovery: Security Software Discovery (T1518.001)
  • Phishing: Spearphishing Link (T1566.002)
  • Exfiltration Over Web Service (T1567)

Ransomware
7 minutes

DESCRIPTION

Searches for a target computer with valuable files. Deploys persistence, downloads ransomware, and executes the ransomware against a specific file. Uses initial access, discovery, persistence, lateral movement, and command-line execution.

MITRE Tactics and Sub-techniques

  • Data from Local System (T1005)
  • Remote System Discovery (T1018)
  • Remote Services (T1021)
  • Remote Services: SMB/Windows Admin Shares (T1021.002)
  • Obfuscated Files or Information (T1027)
  • Obfuscated Files or Information: Binary Padding (T1027.001)
  • Process Discovery (T1057)
  • Command and Scripting Interpreter (T1059)
  • Data Staged (T1074)
  • Ingress Tool Transfer (T1105)
  • Brute Force (T1110)
  • Brute Force: Password Cracking (T1110.002)
  • User Execution (T1204)
  • User Execution: Malicious File (T1204.002)
  • Data Encrypted for Impact (T1486)
  • Impair Defenses (T1562)
  • Impair Defenses: Disable or Modify Tools (T1562.001)
  • Impair Defenses: Disable Windows Event Logging (T1562.002)
  • Hide Artifacts (T1564)
  • Hide Artifacts: Hidden Files and Directories (T1564.001)
  • Phishing (T1566)
  • Phishing: Spearphishing Attachment (T1566.001)
  • Lateral Tool Transfer (T1570)

Reconnaissance by an Insider Threat
3 minutes

DESCRIPTION

Emulates an insider threat model with a valid user already on the system. The malicious user opens a reverse shell session on the initial host, and then uses it to enumerate information about the host and the network it resides on.

MITRE Tactics and Sub-techniques

  • System Service Discovery (T1007)
  • Application Window Discovery (T1010)
  • Query Registry (T1012)
  • System Network Configuration Discovery (T1016)
  • Remote System Discovery (T1018)
  • System Network Connections Discovery (T1049)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Local Groups (T1069.001)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • Account Discovery: Domain Account (T1087.002)
  • Peripheral Device Discovery (T1120)
  • System Time Discovery (T1124)
  • Network Share Discovery (T1135)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Virtualization Sandbox Evasion (T1497)

Tropic Trooper
11 minutes

DESCRIPTION

In this scenario, a C2 agent lands on a low-level victim and quickly establishes persistence before dropping a custom toolkit. The automated attacker performs several discovery operations to uncover sensitive data.

MITRE Tactics and Sub-techniques

  • Application Layer Protocol: Web Protocols (T1071.001)
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001)
  • Deobfuscate/Decode Files or Information (T1140)
  • Drive-By Compromise (T1189)
  • File and Directory Discovery (T1083)
  • Hide Artifacts: Hidden Files and Directories (T1564.001)
  • Ingress Tool Transfer (T1105)
  • Network Share Discovery (T1135)
  • Process Discovery (T1057)
  • Software Discovery (T1518)
  • System Information Discovery (T1082)
  • User Execution (T1024)

Turla (Russia)
17 minutes

DESCRIPTION

An automated attack meant to emulate an APT actor with the common names Turla, Group 88, Belugasturgeon, Waterbug, WhiteBear, VENOMOUS BEAR, Snake, and Krypton. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • System Service Discovery (T1007)
  • Query Registry (T1012)
  • System Network Configuration Discovery (T1016)
  • Remote System Discovery (T1018)
  • Remote Services: Net Use (T1021)
  • System Network Connections Discovery (T1049)
  • Process Discovery (T1057)
  • Permission Groups Discovery: Local Groups (T1069.001)
  • Permission Groups Discovery: Domain Groups (T1069.002)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • Peripheral Device Discovery (T1120)
  • System Time Discovery (T1124)
  • Drive By Compromise (T1189)
  • Password Policy Discovery (T1201)
  • User Execution (T1204)
  • Software Discovery: Security Software Discovery (T1518.001)
  • Exfiltration Over Web Service (T1567)

Ubiquitous Freedom
20 minutes

DESCRIPTION

An automated attack that is unique and not attributed to a specific threat actor. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols. This scenario includes common discovery and lateral movement techniques, along with VM detection via LOLBin commands.

MITRE Tactics and Sub-techniques

  • Application Window Discovery (T1010)
  • System Network Configuration Discovery (T1016)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • System Owner User Discovery (T1033)
  • Scheduled Task/Job (T1053)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • System Information Discovery (T1082)
  • Email Collection: Email Forwarding Rule (T1114.003)
  • Peripheral Device Discovery (T1120)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Virtualization Sandbox Evasion: System Checks (T1497.001)
  • Virtualization Sandbox Evasion: User Activity Based Checks (T1497.002)
  • Virtualization Sandbox Evasion: Time Based Evasion (T1497.003)
  • Exfiltration Over Web Service (T1567)

Waning Spade
19 minutes

DESCRIPTION

In this scenario, a C2 agent lands on a low-level victim, performs basic discovery operations, and drops a tool to disk. Multiple privilege escalations allow for persistence as the SYSTEM user.

MITRE Tactics and Sub-techniques

  • Application Layer Protocol: Web Protocols (T1071.001)
  • BITS Jobs (T1197)
  • Drive-By Compromise (T1189)
  • Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)
  • Ingress Tool Transfer (T1105)
  • Software Discovery (T1518)
  • System Information Discovery (T1082)
  • User Execution (T1024)
  • Valid Accounts: Domain Accounts (T1078.002)

Wizard Spider (Russia)
9 minutes

DESCRIPTION

An automated attack meant to emulate an APT actor with the common names UNC1878, TEMP.MixMaster, Grim Spider, and Wizard Spider. The attack attempts to exfiltrate victim’s data through C2 channels and alternative protocols.

MITRE Tactics and Sub-techniques

  • Remote System Discovery (T1018)
  • Remote Services (T1021)
  • Remote Services: Net Use (T1021)
  • Windows Management Instrumentation (T1047)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Valid Accounts: Domain Accounts (T1078)
  • Account Discovery: Domain Account (T1087.002)
  • System Time Discovery (T1124)
  • Drive By Compromise (T1189)
  • User Execution (T1204)
  • Domain Trust Discovery (T1482)