# Machine-Readable FIN7 Emulation Plan

The universal, technology-agnostic version of the FIN7 emulation plan YAML is provided as a starting point for machine parsing and execution of the FIN7 emulation plan. This folder will store all versions of this YAML file, including those formatted to work with specific execution runners (such as automated agents like CALDERA or other breach simulation frameworks).

As Scenario 2 uses almost the same content as Scenario 1, but packages it into independent objectives, the YAML contains procedures linked only to the steps from Scenario 1. A table has been provided below to link the procedures within the YAML to the specific Scenario 2 steps.

# Included Formats

As new files are added, please list them in the table below.

| File | Execution Framework | Notes |
| --- | --- | --- |
| Fin7.yaml | N/A | Initial Emulation Plan YAML |

# Skipped Procedures

A number of procedures within the emulation plan are not present within the YAML file. This is because these procedures integrate with external frameworks or involve interaction with a GUI, which cannot be simply expressed in an automatable format.

The table below lists the steps/procedures that were skipped along with the reason why.

| Step/Procedure | Step Name/Technique | Reason |
| --- | --- | --- |
| 1.A | User Execution: Malicious File | While the initial execution of the VBE payload can be automated, the payload requires the user to click 'OK' on a dialog box in order for the payload to complete successfully. |
| 2.A | SQLRat Execution via Scheduled Task | This procedure involves sending the command `get-mac-serial` to the RAT through the C2 channel. |
| 2.B | Upload Powershell Stager | This procedure involves sending an upload command to the RAT through the C2 channel. |
| 3.A | Discovery | This procedure involves sending the command `enum-system` to the RAT through the C2 channel. |
| 8.A | User Monitoring | This procedure relies on a Metasploit module. |
| 10.B.3 | Exfiltrate Credit Card Data | There is currently no technology-agnostic standard to represent uploads of files back to the C2 server. |

# Procedures to Note

Certain procedures included in the YAML have been modified or have external dependencies that are not captured within the YAML file.

The table below captures these steps/procedures.

| Step/Procedure | YAML Name | Note |
| --- | --- | --- |
| 4.A | Execution of stager.ps1 | An external C2 server needs to be configured to handle the callback from the Meterpreter payload. |
| 6.A | Expand Access | An external C2 server needs to be configured to handle the callback from the Meterpreter payload. |
| 7.A | Privilege Escalation | An external C2 server needs to be configured to handle the callback from the Meterpreter payload. |
| 10.A | Execute Application Shim Persistence | An external C2 server needs to be configured to handle the callback from the Meterpreter payload. |

# Scenario 2 Procedure Mapping

The procedures in the YAML are mapped directly to the steps in Scenario 1. The table below maps the procedures to the steps of Scenario 2.

| Scenario 2 Step | procedure_step | procedure id |
| --- | --- | --- |
| 1 | N/A | N/A (All procedures skipped in YAML) |
| 2 | 5.A.1<br>5.A.2 | ab937ef4-7c66-4349-ad3b-658c41fcf4c5<br>b15d3014-a5d1-4ec6-934b-d7fe44451192 |
| 3 | 6.A | 9a76889c-9518-4b3e-9c87-6618156015c6 |
| 4 | 7.A | ab48e12f-def0-40a4-b3d9-ad958f45202a |
| 5 | 9.B<br>10.A | eb99abcb-93e2-4a3e-bf05-a484839dc851<br>6ec6561b-e535-4fe3-9c20-a52e5982b513 |