ALPHV BlackCat, also known as Noberus, was a prolific Russian-speaking, ransomware-as-a-service (RaaS) group that emerged in 2021 and was linked to...
This scenario involved an ALPHV BlackCat affiliate orchestrating an attack against the subsidiary of a fictitious global pharmaceutical company.
This directory contains the emulation plans for a BlackCat affiliate.
Initiate an RDP session to the Kali attack host kraken (176.59.1.18)
The Resources directory contains the following:
For guidance on setting up the overall infrastructure used for emulation of ALPHV BlackCat and menuPass, please see
File generator used to populate a target machine with representative files. Uses templates (supplied in the
This Terraform module installs a client VPN. The following resources will be created:
This document covers the infrastructure setup for emulating ATT&CK Evaluations - ALPHV BlackCat and menuPass (2024).
The infrastructure below was used for both ALPHV BlackCat and menuPass (2024).
Traffic Redirectors
This ATT&CK Evaluations Control Server is used to execute behaviors under test during ATT&CK Evaluations.
The Evals C2 server is designed with customization in mind. Developers can easily add new handlers to the C2 server,
The Simple File Server Handler allows file downloads and file uploads.
This guide is a quick overview on how to install and get started with the Golang debugger on VS Code. See the
This ransomware emulates the BlackCat ransomware family, which is written in Rust and targets Windows and Linux
After BlackCat deploys InfoStealer and successfully recovers credentials from the SQL server, the credentials are then used to remotely deploy...
This C# utility emulates BlackCat's custom utility to query Veeam backup SQL Server to extract passwords.
The Python script aes_base64_log_decryptor.py
will decrypt standard AES-base64 encrypted+encoded log files generated by implants and other red team...
License
Active since at least 2006, menuPass (aka APT10) is a threat group believed to be sponsored by the Chinese Ministry of State Security (MSS).
This scenario involved menuPass orchestrating an attack against two subsidiaries of a fictitious global pharmaceutical company.
This directory contains the emulation plans for menuPass.
Initiate an RDP session to the Windows jumpbox homelander (116.83.1.29)
The Resources directory contains the following:
This ATT&CK Evaluations Control Server is used to execute behaviors under test during ATT&CK Evaluations.
The SodaMaster TCP Handler functions as the server-side counterpart to the SodaMaster implant, and communicates with it over TCP.
The C++ Shellcode Execution Template is used by the C2 server to recompile a payload that will be executed by the SodaMaster implant for each command...
The Evals C2 server is designed with customization in mind. Developers can easily add new handlers to the C2 server,
This Quasar handler links the ATT&CK Evals C2 server with the standalone Quasar C2 server by MaxXor. Note that the Quasar C2 server has been modified...
The Simple File Server Handler allows file downloads and file uploads.
This guide is a quick overview on how to install and get started with the Golang debugger on VS Code. See the
To remove artifacts, run the Cleanup Scripts from the Kali hosts.
FYAnti Diagram
This is a slightly modified version of Fortra's Impacket at commit 2de29184dc93247829099fcbc52ff256817c6a94
The ALPHV BlackCat and menuPass adversaries share an infrastructure configuration.
This modified fork of Quasar builds on the existing Quasar C2 framework by MaxXor.
SigLoader Diagram
SodaMaster Diagram
License
The Resources directory contains the following:
This ATT&CK Evaluations Control Server is used to execute behaviors under test during ATT&CK Evaluations.
The ATT&CK Evaluations Emotet Handler is used to handle communications between the Emotet Client and control server via a REST API.
The ATT&CK Evaluations Exaramel for Linux handler is used to handle communications between the ATT&CK Evaluations Exaramel for Linux client and the...
The ATT&CK Evaluations TrickBot Handler is used to handle communications between the Trickbot Client and control server via a REST API.
The SideTwist C2 handler is the server-side counterpart for the SideTwist implant and is specifically designed to interact with it by sending...