# APT29

This adversary emulation plan is derived from the original APT29 content developed and used in the 2019 ATT&CK Evaluations.

APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation.^1,14 The group is reported to have been operating as early as 2008 and may have logged operational successes as recently as 2020.

The Intelligence Summary summarizes 16 publicly available sources as well as the results of an open call for contributions, to describe APT29, their motivations, objectives, and observed target industries. It further describes a representative APT29 Operational Flow along with their publicly attributed Tactics, Techniques, and Procedures (TTPs) mapped to ATT&CK.

The Operations Flow chains techniques together into a logical order that commonly occur across APT29 operations. In the case of APT29, we break out their operations into two distinct scenarios:

• Scenario 1: This scenario starts with a "smash-and-grab" then rapid espionage mission that focuses on gathering and exfiltrating data, before transitioning to stealthier techniques to achieve persistence, further data collection, credential access, and lateral movement. The scenario ends with the execution of previously established persistence mechanisms.

• Scenario 2: This scenario consists of a stealthier and slower approach to compromising the initial target, establishing persistence, harvesting credentials, then finally enumerating and compromising the entire domain. The scenario ends with a simulated time-lapse where previously established persistence mechanisms are executed.

The APT29 emulation plan is a human-readable, step-by-step / command-by-command implementation of APT29 TTPs. Structurally, the plan is organized into an infrastructure section, and two scenarios, as defined in the Operations Flow. The infrastructure section explains how to prepare the environment to execute both scenarios. The human-readable plan is accompanied by a machine-readable plan implemented in YAML. The YAML includes all steps, commands, and syntax for both Scenario 1 and Scenario 2. The YAML template was nuanced to ensure that each step within the YAML is directly coupled with its equivalent in the human-readable version.

# Resources

Please note that binary files hosted in Scenario_1 and Scenario_2 have been added to password protected zip files. The password for these files is "malware."

# Acknowledgements

We would like to formally thank the people that contributed to the content, review, and format of this document. This includes the MITRE ATT&CK and MITRE ATT&CK Evaluations teams, the organizations and people that provided public intelligence and resources, as well as the following organizations that participated in the community cyber threat intelligence contribution process:

• Kaspersky
• Microsoft
• SentinelOne

# Table of Contents

• Intelligence Summary
• Operations Flow
• Emulation Plan
  • Scenario 1 - Infrastructure
  • Scenario 1
  • Scenario 2 - Infrastructure
  • Scenario 2
  • YAML
• Archive
• Issues
• Change Log

# Liability / Responsible Usage

This content is only to be used with appropriate prior, explicit authorization for the purposes of assessing security posture and/or research.

# Notice

Copyright 2021 MITRE Engenuity. Approved for public release. Document number AT0008.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®

ATT&CK Terms of Use