# Machine-Readable FIN7 Emulation Plan

The universal, technology-agnostic version of the FIN7 emulation plan YAML has been provided as starting point for machine parsing and execution of the FIN7 emulation plan. This folder will store all versions of this yaml file, including those formatted to work with specific execution runners (such as automated agents like CALDERA or other breach simulation frameworks).

As Scenario 2 uses almost the same content as Scenario 1, but packages it into independent objectives, the YAML contains procedures linked only to the steps from Scenario 1. A table has been provided below to link the procedures within the YAML to the specific Scenario 2 steps.

# Included Formats

As new files are added, please list them in the below table.

File	Execution Framework	Notes
Fin7.yaml	N/A	Initial Emulation Plan YAML

# Skipped Procedures

A number of procedures within the emulation plan are not present within the YAML file. This is because these procedures integrate with external frameworks or involve interaction with a GUI, which cannot be simply expressed in an automatable format.

The table below lists the steps/procedures that were skipped along with the reason why.

Step/Procedure	Step Name/Technique	Reason
1.A	User Execution: Malicious File	While the initial execution of the VBE payload can be automated, the payload requires the user to click 'OK' on a dialog box in order for the payload to complete successfully.
2.A	SQLRat Execution via Scheduled Task	This procedure involves sending the command `get-mac-serial` to the RAT through the C2 channel.
2.B	Upload Powershell Stager	This procedure involves sending an upload command to the RAT through the C2 channel.
3.A	Discovery	This procedure involves sending the command `enum-system` to the RAT through the C2 channel.
8.A	User Monitoring	This procedure relies on a Metasploit module.
10.B.3	Exfiltrate Credit Card Data	There is currently not a technology-agnostic standard to represent uploads of files back to the C2 server.

# Procedures to Note

Certain procedures included in the YAML have been modified or have external dependencies that are not captured within the YAML file.

The table below captures these steps/procedures.

Step/Procedure	YAML Name	Note
4.A	Execution of stager.ps1	An external C2 server needs to be configured to handle the callback from the Meterpreter payload.
6.A	Expand Access	An external C2 server needs to be configured to handle the callback from the Meterpreter payload.
7.A	Privilege Escalation	An external C2 server needs to be configured to handle the callback from the Meterpreter payload.
10.A	Execute Application Shim Persistence	An external C2 server needs to be configured to handle the callback from the Meterpreter payload.

# Scenario 2 Procedure Mapping

The procedures in the YAML are mapped directly to the steps in Scenario 1. The table below maps the procedures to the steps of Scenario 2.

Scenario 2 Step	`procedure_step`	procedure `id`
1	N/A	N/A (All procedures skipped in YAML)
2	5.A.1 5.A.2	`ab937ef4-7c66-4349-ad3b-658c41fcf4c5` `b15d3014-a5d1-4ec6-934b-d7fe44451192`
3	6.A	`9a76889c-9518-4b3e-9c87-6618156015c6`
4	7.A	`ab48e12f-def0-40a4-b3d9-ad958f45202a`
5	9.B 10.A	`eb99abcb-93e2-4a3e-bf05-a484839dc851` `6ec6561b-e535-4fe3-9c20-a52e5982b513`