This emulation was created for the 2023 BlackHat presentation 🎩, Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations. The presentation focused on how to combine CTI and red team development capabilities for adversary emulation.
The ATT&CK Evaluations team created the scenario below, leveraging techniques seen from Blind Eagle in the wild based on open-source reporting. We adapted the scenario to the tools and resources available at the time. This emulation was researched, developed, and presented by one Windows SME Red Team developer, one CTI analyst, and one technical lead in 2 months, while each spent 50% of their time on other work. Our goal was to provide a simpler emulation example for teams faced with limited resources. Therefore, this emulation is less complicated than the other emulations in the ATT&CK Evaluations Library.
This page contains a high-level overview of our Blind Eagle scenario and related diagram, as well as the full 5-step plan created by our CTI analyst.
# Emulation Scenario 📖
This scenario follows Blind Eagle's cyberattack against a Colombian target. Blind Eagle gains initial access when a user executes a link in a file delivered via spearphishing. Once execution is obtained and persistence is installed, Blind Eagle downloads and executes AsyncRAT for additional actions on objectives. Characteristics of this campaign include social engineering, modified open-source RATs, exploitation of a single workstation, and theft of browser credentials.
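From the defender's side, the scenario above is a four-stage chain on a single host: a script host launched from a user application, persistence written to a Run key, a script host reaching out to fetch a tool, and a read of a browser credential store. The following is an added example, not part of the emulation plan or its tooling, that correlates constructed endpoint events into those stages per host. The event records, process names, paths, and the `classify`/`correlate`/`severity` helpers are all assumptions made for illustration; real telemetry would come from Sysmon, EDR, or similar sources with their own field names.

```python
"""Stage correlation for a Blind Eagle-style chain over constructed endpoint events.

Added example. The SAMPLE_EVENTS below are constructed for illustration and are not
telemetry from the emulation plan or from any real intrusion.
"""
from collections import defaultdict

# Hypothetical process-name sets used to express the scenario's stages.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
USER_APPS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "winword.exe"}
RUN_KEY = "\\currentversion\\run\\"
BROWSER_CRED_STORES = ("\\login data", "\\logins.json", "\\key4.db")

STAGE_ORDER = ["initial_access", "persistence", "tool_download", "credential_theft"]

# Constructed sample events. ws01 walks the full chain; ws02 is benign browser use.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent": "outlook.exe", "image": "chrome.exe"},
    {"host": "ws01", "type": "process", "parent": "chrome.exe", "image": "wscript.exe",
     "cmd": "wscript.exe C:\\Users\\u\\Downloads\\invoice.vbs"},
    {"host": "ws01", "type": "registry", "image": "wscript.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"host": "ws01", "type": "network", "image": "powershell.exe", "dest": "203.0.113.10:8080"},
    {"host": "ws01", "type": "file", "image": "powershell.exe",
     "path": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"host": "ws02", "type": "process", "parent": "explorer.exe", "image": "chrome.exe"},
]


def classify(event):
    """Return the scenario stage a single event matches, or None if it matches nothing."""
    kind = event["type"]
    image = event.get("image", "").lower()
    if kind == "process" and image in SCRIPT_HOSTS and event.get("parent", "").lower() in USER_APPS:
        # User execution: a script interpreter spawned by a browser or mail client.
        return "initial_access"
    if kind == "registry" and RUN_KEY in event.get("key", "").lower():
        # Persistence: a value written under a Run key.
        return "persistence"
    if kind == "network" and image in SCRIPT_HOSTS:
        # Ingress tool transfer: a script interpreter making an outbound connection.
        return "tool_download"
    if kind == "file" and event.get("path", "").lower().endswith(BROWSER_CRED_STORES):
        # Credential access: a read of a browser password store.
        return "credential_theft"
    return None


def correlate(events):
    """Group the matched stages by host, keeping first-seen order and dropping hosts with none."""
    stages = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage and stage not in stages[ev["host"]]:
            stages[ev["host"]].append(stage)
    return dict(stages)


def severity(stage_list):
    """Crude triage score: several stages on one host is what makes this chain stand out."""
    n = len(stage_list)
    return "high" if n >= 3 else "medium" if n == 2 else "low"


if __name__ == "__main__":
    for host, found in correlate(SAMPLE_EVENTS).items():
        print(host, severity(found), [s for s in STAGE_ORDER if s in found])
```

Each stage on its own is noisy (script hosts and Run-key writes are everyday events on a workstation), which is why the correlation keys on the host and scores by how many distinct stages land there rather than alerting on any single match.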