The document discusses lessons learned from emulating cyber adversaries. It recommends choosing adversaries based on relevance and intelligence available, and harvesting intelligence from diverse open sources as well as direct investigation. The document emphasizes following adversary techniques closely based on intelligence rather than personal preferences. It stresses balancing accuracy with making the emulation impactful and enjoyable through an iterative process of learning, sharing, and improving.

1. Reaping What They Sow -
Hard Lessons Learned
Emulating Threat Actors
Jamie Williams
@jamieantisocial @MITREATTACK

2. > lsadump::secrets
ATT&CK® & ATT&CK Evals
Padawan to some
amazing people
❤ Halloween & spooky stuff

3. Why Emulate Adversaries?
Variety of offensive assessment
types, each with its own place
Intelligence-driven
approach provides:
- Realism
- Scoping
- Diversity
- Repeatability

4. Learn from Achievements
Source: https://gph.is/1rQtQVc

5. Learn from Achievements
Source: https://gph.is/1rQtQVc

6. Learn from Achievements
Source: https://gph.is/1rQtQVc

7. Learn from Achievements
Source: https://gph.is/1rQtQVc

8. But Also Mistakes
Source: https://giphy.com/gifs/8jzdgXpr9Po1a
Source: www.microsoft.com/security/blog/2020/06/11/blue-teams-helping-red-teams-
a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation/

9. But Also Mistakes
Source: https://giphy.com/gifs/8jzdgXpr9Po1a
Source: www.microsoft.com/security/blog/2020/06/11/blue-teams-helping-red-teams-
a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation/

10. But Also Mistakes
Source: https://giphy.com/gifs/8jzdgXpr9Po1a
Source: www.microsoft.com/security/blog/2020/06/11/blue-teams-helping-red-teams-
a-tale-of-a-process-crash-powershell-and-the-mitre-attck-evaluation/

11. Emulation Recipe
1.Choose an
adversary
2.Research
3.Develop &
Execute Plan
Source: https://giphy.com/gifs/8jzdgXpr9Po1a

12. Lesson One –
One Emulation to
Rule them All?

13. Make Something Special
A lot of great emulation
work going on
across industry
Each emulation has an
opportunity to capture a
unique scenario /
combination of behaviors
Source: https://giphy.com/gifs/l0HlVWsgDwQgGz1io

14. Techniques Are Like Onions

15. Techniques Are Like Onions

16. Techniques Are Like Onions

17. Techniques Are Like Onions

18. Techniques Are Like Onions

19. Techniques Are Like Onions

20. Adversaries Have Layers Too

21. Adversaries Have Layers Too
ADVSTORESHELL
Cannon
certutil
CHOPSTICK
CORESHELL
DealersChoice
Downdelph
Forfiles
Fysbis
HIDEDRV
JHUHUGIT
Koadic
Komplex
LoJax
Mimikatz
OLDBAIT
Responder
USBStealer
Winexe
X-Agent for Android
XAgentOSX
XTunnel
Zebrocy

22. Fish in the Sea
Find the right
adversary for you:
- Relevance
- Variance
- Available Intelligence
Source: https://gph.is/1a55Nwt

23. Lesson Two –
Know Where & How to
Harvest Intelligence

24. Open Source Aplenty
Sources:
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
-https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
-https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
-https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
-https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf

25. But…
Do vendors report…
- Routine, “ordinary”?
- Every relevant detail?
- What they don’t see?
Source: https://gph.is/XJ81ub

26. Source: https://www.virustotal.com/gui/file/2baebff87a05a40f661ba9d813154dd730948418b690fc1bf90dec8ce07c296f/details
Get Your Hands Dirty

27. Source: https://www.virustotal.com/gui/file/2baebff87a05a40f661ba9d813154dd730948418b690fc1bf90dec8ce07c296f/details
Get Your Hands Dirty
T1012
T1112
T1134

28. Source: https://www.virustotal.com/gui/file/2baebff87a05a40f661ba9d813154dd730948418b690fc1bf90dec8ce07c296f/details
Get Your Hands Dirty

29. &…Be Soci@l
#TweetTP
Source: https://gph.is/1LEyHSZ

30. &…Be Soci@l
#TweetTP
Source: https://gph.is/1LEyHSZ

31. Lesson Three –
Follow the Yellow
Brick Road

32. You Are Not Your Adversary
Ignore your preferences/
what you would do
Don’t “fix” things that
aren’t broken
Be willing to learn and
try new things
Source: https://giphy.com/gifs/AEMyf9Oj6MpS8

33. Trust Your Intelligence
You have a roadmap
There may be small
gaps to fill,
circle back/ask around
“Would they do this?”
Source: https://giphy.com/gifs/bcZ8T9ctIriAU

34. Important Takeaways
Adversary emulation is
impactful, but also
a lot of fun
Balance of a lot of
delicate skillsets
Not an exact science, so
learn, share, and get better
as you go
Source: https://gph.is/1auqnpt

35. Neat ATT&CK Links
attack.mitre.org
attackevals.mitre.org
mitre-attack.github.io/attack-navigator
attack.mitre.org/resources/sightings
medium.com/mitre-attack
github.com/mitre-attack/attack-arsenal
Source: https://gph.is/1LU389W