Adversary Simulation
Adversary simulation involves emulating the tactics, techniques, and procedures (TTPs) of real threat actors. By replicating how APT groups operate, red teams provide realistic assessments of an organization's ability to detect and respond to actual threats.
MITRE ATT&CK Framework
The MITRE ATT&CK framework is the industry standard for categorizing adversary behavior. It provides:
- Tactics: The "why" — objectives like Initial Access, Persistence, Privilege Escalation
- Techniques: The "how" — specific methods like Spearphishing (T1566) or Pass-the-Hash (T1550.002)
- Procedures: The "details" — exact implementation by specific threat groups
Selecting an Adversary to Emulate
Choose a threat actor based on your organization's threat model:
APT29 (Cozy Bear)
Origin: Russia | Target: Government, Think Tanks
Characteristics:
- Spearphishing with malicious links
- WMI for persistence and lateral movement
- PowerShell obfuscation
- Credential dumping with Mimikatz
FIN7 (Carbanak)
Origin: Eastern Europe | Target: Financial, Retail
Characteristics:
- Malicious Word documents with macros
- JSSpy and Carbanak backdoor
- Point-of-sale malware
- ATM jackpotting
APT28 (Fancy Bear)
Origin: Russia | Target: Military, Government
Characteristics:
- Zero-day exploits (Adobe, Microsoft)
- X-Agent and Sofacy backdoors
- Credential harvesting via fake login pages
- IoT device compromise (routers, IP cameras)
Lazarus Group
Origin: North Korea | Target: Crypto, Banks
Characteristics:
- Watering hole attacks
- Custom implants (FALLCHILL, ELECTRICFISH)
- SWIFT network compromise
- Cryptocurrency theft
Use ATT&CK Navigator
The ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/) lets you visualize the techniques used by specific groups. Export a heatmap showing which techniques to prioritize in your simulation.
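The same heatmap can record what the blue team actually caught once the exercise has run. As an added example (not code from the original page or from MITRE), this Python script turns a list of planned techniques, each tagged with a constructed detection result, into a Navigator layer file whose colors show detection gaps; the technique IDs are the ATT&CK IDs used in the emulation plan on this page, the field names follow the Navigator layer file format, and the outcomes and colors are assumptions.

```python
import json
import re
# Navigator tactic short names, as used in the "tactic" field of a layer file.
TACTIC_NAMES = {
    "TA0001": "initial-access", "TA0002": "execution", "TA0003": "persistence",
    "TA0004": "privilege-escalation", "TA0008": "lateral-movement",
    "TA0009": "collection", "TA0010": "exfiltration",
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample: the plan's techniques with hypothetical blue-team results.
PLAN_RESULTS = [
    ("TA0001", "T1566.002", "Spearphishing Link", True),
    ("TA0002", "T1059.001", "PowerShell", True),
    ("TA0003", "T1053.005", "Scheduled Task", False),
    ("TA0003", "T1547.001", "Registry Run Key", False),
    ("TA0004", "T1078.002", "Domain Accounts", False),
    ("TA0008", "T1021.002", "SMB/Windows Admin Shares", True),
    ("TA0008", "T1550.002", "Pass the Hash", False),
    ("TA0009", "T1005", "Data from Local System", False),
    ("TA0010", "T1041", "Exfiltration Over C2 Channel", True),
]

def build_layer(name, results):
    """Build a Navigator layer dict: score 1 (green) = detected, 0 (red) = missed."""
    techniques = []
    for tactic_id, tech_id, label, detected in results:
        if not TECHNIQUE_ID.match(tech_id):  # reject typos before they reach the heatmap
            raise ValueError(f"malformed technique id: {tech_id}")
        techniques.append({
            "techniqueID": tech_id,
            "tactic": TACTIC_NAMES[tactic_id],
            "score": 1 if detected else 0,
            "comment": f"{label}: {'detected' if detected else 'NOT detected'}",
        })
    return {
        "name": name,
        "versions": {"layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#8ec843"], "minValue": 0, "maxValue": 1},
    }

def detection_gaps(results):
    """Technique IDs the blue team missed, i.e. what to prioritize next."""
    return [tech_id for _, tech_id, _, detected in results if not detected]

if __name__ == "__main__":
    print(json.dumps(build_layer("APT29 emulation coverage", PLAN_RESULTS), indent=2))
    print("Undetected:", ", ".join(detection_gaps(PLAN_RESULTS)))
```

Save the printed JSON to a file and open it with "Open Existing Layer" in the Navigator to see the missed techniques highlighted in red.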
Building an Adversary Emulation Plan
Document the exact sequence of techniques you'll use:
```markdown
# Example: APT29 Emulation Plan

## Objective
Exfiltrate sensitive financial documents from file server

## Initial Access (TA0001)
- T1566.002: Spearphishing Link
  - Target: Finance team
  - Payload: HTA file delivered via Dropbox link
  - C2: HTTPS beacon to compromised WordPress site

## Execution (TA0002)
- T1059.001: PowerShell
  - Download and execute Mimikatz in memory
  - Use Empire or Covenant for C2

## Persistence (TA0003)
- T1053.005: Scheduled Task
  - Create task for daily beacon callback
- T1547.001: Registry Run Key
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run

## Privilege Escalation (TA0004)
- T1078.002: Domain Accounts
  - Harvest credentials from memory
  - Use Pass-the-Hash for lateral movement

## Lateral Movement (TA0008)
- T1021.002: SMB/Windows Admin Shares
  - Use harvested admin creds to access file server
- T1550.002: Pass the Hash
  - Impacket psexec.py for remote execution

## Collection (TA0009)
- T1005: Data from Local System
  - Search for .xlsx, .docx, .pdf on file server

## Exfiltration (TA0010)
- T1041: Exfiltration Over C2 Channel
  - Transfer files via HTTPS beacon
  - Rate limit to 50KB/hour to avoid detection

## Success Criteria
- Access to file server achieved: YES/NO
- Data exfiltrated: YES/NO
- Detected by blue team: YES/NO (at which phase)
- Time to detection: _____ hours
```
Tools for Adversary Emulation
🔴 Atomic Red Team
Library of small, atomic tests mapped to ATT&CK techniques. Execute individual techniques quickly.
Invoke-AtomicTest T1003.001 -ShowDetails
🔵 Caldera
Automated adversary emulation platform by MITRE. Chain techniques together for full campaigns.
⚫ SCYTHE
Commercial adversary emulation platform with APT campaign templates.
🟠 APTSimulator
Lightweight tool to simulate APT activity for testing detection rules.
Measure Detection Coverage