# ATT&CK Evaluations Library

# Overview

The ATT&CK Emulation Library includes a collection of adversary emulation plans used in published ATT&CK Evaluations.

Emulation plans are a comprehensive approach to emulating a specific adversary, e.g. Turla, from initial access through exfiltration. The plans are organized by evaluation and threat actor, and are designed to emulate a real breach from the designated adversary.

# Emulation Plans

| Emulation Plan | Intelligence Summary | Evaluation Results and More Information |
| --- | --- | --- |
| ALPHV BlackCat | ALPHV BlackCat, also known as Noberus, was a prolific Russian-speaking ransomware-as-a-service (RaaS) group that emerged in 2021 and was linked to BlackMatter, DarkSide, REvil, and other RaaS groups. | Managed Services 2023 |
| APT29 | APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation. | Enterprise 2019 |
| Carbanak | Carbanak is a threat group that has been found to manipulate financial assets, for example by transferring funds from bank accounts or by taking over ATM infrastructure. | Enterprise 2021 |
| CL0P | CL0P is a sophisticated ransomware family that is associated with the TA505 cybercriminal group and possibly FIN11. | Enterprise 2024 |
| DPRK | Threat actors linked to the Democratic People's Republic of Korea (DPRK) conduct cyber operations primarily targeting financial institutions (cryptocurrency, banking, blockchain) as well as the defense and technology sectors. | Enterprise 2024 |
| FIN7 | FIN7 is a financially motivated threat group that has been associated with malicious operations dating back to late 2015. The group is characterized by its persistent targeting and large-scale theft of payment card data from victim systems. | Enterprise 2021 |
| LockBit | LockBit is a notorious ransomware variant known for its use of sophisticated tools, extortion methods, and high-severity attacks. | Enterprise 2024 |
| menuPass | menuPass (aka APT10), active since at least 2006, is a threat group believed to be sponsored by the Chinese Ministry of State Security (MSS). | Managed Services 2023 |
| Mustang Panda | Mustang Panda is a China-based cyber espionage group that has been operating since at least 2017, with some evidence indicating they have been operating since 2011. This adversary is one of the most consistently active and adaptive state-sponsored APTs operating out of China. Historically, Mustang Panda's campaigns targeted organizations of strategic interest to the Chinese government, namely government entities, nonprofits, and NGOs in South and Southeast Asia, Europe, and the US. In more recent years, the group has also impacted high-profile targets including the Vatican, telecommunications providers, and private sector organizations across the world. | Enterprise 2025 |
| OilRig | OilRig is a cyber threat actor with operations aligning to the strategic objectives of the Iranian government. OilRig has been operational since at least 2014 and has a history of widespread impact, with operations directed against financial, government, energy, chemical, telecommunications and other sectors around the globe. | Managed Services 2022 |
| Sandworm | Sandworm Team is a destructive threat group attributed to Russia's General Staff of the Armed Forces, Main Intelligence Directorate (GRU) that has reportedly been active since 2009. Sandworm is known for conducting large-scale, well-funded, destructive, and aggressive campaigns such as Olympic Destroyer, CrashOverride/Industroyer, and NotPetya. | Enterprise 2022 |
| Scattered Spider | Scattered Spider is a cybercrime group notorious for its advanced social engineering techniques, including Short Message Service (SMS) phishing, Subscriber Identity Module (SIM) swapping, Adversary-in-the-Middle (AiTM) attacks, and Multi-Factor Authentication (MFA) fatigue tactics. The group's complexity is highlighted by its unconventional structure: rather than operating as a single entity, Scattered Spider appears to be a cluster of overlapping threat actors who share tools and techniques and collaborate through social networks. | Enterprise 2025 |
| Turla | Turla is a sophisticated Russia-based threat group that has infected victims in more than 50 countries and has been active since at least the early 2000s. Turla leverages novel techniques, custom tooling, and open-source tools to elude defenses and persist on target networks... | Enterprise 2023 |
| Wizard Spider | Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware. In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of the Ryuk ransomware. This resulted in "big game hunting" campaigns, focused on targeting large organizations for high-ransom return rates. | Enterprise 2022 |
| Blind Eagle | Blind Eagle is a South American threat actor focused on Colombia-based institutions, including entities in the financial, manufacturing, and petroleum sectors. Largely opportunistic in their motives, Blind Eagle leverages commodity RATs modified to fit the environment. | Research Presentation: Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations |

# Directory Structure

Each emulation plan focuses on a specific named threat actor. The README of each individual plan provides a curated summary of available cyber threat intelligence, composed of an intelligence overview of the actor (describing who they target, how, and why where possible) as well as the scope of their activity (i.e. breadth of techniques and malware used). All presented information is cited back to relevant publicly available cyber threat intelligence and communicated and annotated via ATT&CK.

Within each emulation plan, the operational flow provides a high-level summary of the captured scenario(s). These scenarios will vary based on the adversary and available intelligence, but typically follow a sequential progression of how the actor breaches then works towards achieving their operational objectives within a victim environment (espionage, data/system destruction, etc.).

The content to execute the scenario(s) is broken down into step-by-step procedures provided in both human-readable and machine-readable formats. Scenarios can be executed end-to-end or as individual tests. The human-readable format provides additional relevant background where possible, as well as any setup prerequisites, while the machine-readable format is designed to be programmatically parsed (e.g. read, reformatted, and ingested into an automated agent such as CALDERA and/or a breach-and-attack-simulation framework).
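The following is an added example, not code from the MITRE library, of the kind of loader an automation harness needs in front of a machine-readable plan: validate each entry, reject malformed ones rather than silently executing them, then select either the whole scenario (end-to-end) or individual tests by step ID or ATT&CK technique. The entry schema used here (`id`, `name`, `tactic`, `technique.attack_id`, `platforms.<os>.<executor>.command`) is an assumption modelled loosely on the library's per-step entries, and the plan content is constructed placeholder material, not real procedures from any plan. It is written as JSON so it runs on the standard library alone.

```python
"""Added example: load, validate and select steps from a machine-readable
emulation plan.  Schema is an ASSUMPTION (not the library's authoritative
format); the sample plan below is constructed, not real threat intelligence."""
import json
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample plan: three clean entries and one deliberately broken one.
SAMPLE_PLAN = json.dumps([
    {"id": "1.A.1", "name": "Initial access: user opens lure", "tactic": "initial-access",
     "technique": {"attack_id": "T1566.001", "name": "Spearphishing Attachment"},
     "platforms": {"windows": {"psh": {"command": "Write-Host 'constructed placeholder step'"}}}},
    {"id": "1.A.2", "name": "Discovery: enumerate processes", "tactic": "discovery",
     "technique": {"attack_id": "T1057", "name": "Process Discovery"},
     "platforms": {"windows": {"psh": {"command": "Get-Process | Select-Object -First 5"}}}},
    {"id": "2.A.1", "name": "Collection: stage files", "tactic": "collection",
     "technique": {"attack_id": "T1074.001", "name": "Local Data Staging"},
     "platforms": {"windows": {"psh": {"command": "New-Item -ItemType Directory -Force $env:TEMP\\stage | Out-Null"}}}},
    {"id": "2.A.2", "name": "Broken entry: bad technique id", "tactic": "exfiltration",
     "technique": {"attack_id": "TX999", "name": "Not a real id"},
     "platforms": {}},
])

ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1234 or T1234.001
REQUIRED = ("id", "name", "tactic", "technique", "platforms")


def validate_step(step: Dict) -> List[str]:
    """Return the problems found in one plan entry (empty list if it is clean)."""
    problems = [f"missing field '{key}'" for key in REQUIRED if key not in step]
    technique = step.get("technique") or {}
    attack_id = technique.get("attack_id", "")
    if not ATTACK_ID.match(attack_id):
        problems.append(f"malformed ATT&CK id '{attack_id}'")
    if not step.get("platforms"):
        problems.append("no platform/executor defined")
    return problems


def load_plan(text: str) -> Tuple[List[Dict], List[str]]:
    """Parse the plan; return (executable steps in plan order, per-step error reports)."""
    steps, errors = [], []
    for step in json.loads(text):
        problems = validate_step(step)
        if problems:
            errors.append(f"{step.get('id', '<no id>')}: " + "; ".join(problems))
        else:
            steps.append(step)
    return steps, errors


def select_steps(steps: List[Dict], step_ids: Optional[Set[str]] = None,
                 techniques: Optional[Set[str]] = None) -> List[Dict]:
    """No filters = end-to-end run; filters pick individual tests, keeping plan order."""
    chosen = []
    for step in steps:
        if step_ids is not None and step["id"] not in step_ids:
            continue
        if techniques is not None and step["technique"]["attack_id"] not in techniques:
            continue
        chosen.append(step)
    return chosen


def commands_for(steps: List[Dict], platform: str, executor: str) -> List[Tuple[str, str]]:
    """Flatten selected steps into (step id, command) pairs for one platform/executor."""
    out = []
    for step in steps:
        spec = step["platforms"].get(platform, {}).get(executor)
        if spec is None:
            continue  # no procedure for this executor; skip rather than fail the run
        out.append((step["id"], spec["command"]))
    return out


def technique_coverage(steps: List[Dict]) -> List[str]:
    """Sorted ATT&CK technique IDs exercised by the given steps (for mapping results)."""
    return sorted({s["technique"]["attack_id"] for s in steps})


if __name__ == "__main__":
    steps, errors = load_plan(SAMPLE_PLAN)
    for err in errors:
        print("rejected:", err)
    for sid, cmd in commands_for(select_steps(steps), "windows", "psh"):
        print(sid, cmd)
    print("coverage:", technique_coverage(steps))
```

Rejecting an entry with a malformed technique ID or no executor up front matters in practice: an agent that runs whatever it is handed will otherwise produce results that cannot be mapped back to ATT&CK, which defeats the purpose of the evaluation.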

# Notice

Copyright 2020-2025 The MITRE Corporation. Approved for public release. Document number CT0005

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®

ATT&CK Terms of Use