# Attack Scenario Schema

This project describes the campaign schema. A campaign is an organized course of action composed of a series of steps to achieve a goal.

## Campaign Template Format
```json
{
  "id": "string",
  "name": "string",
  "metadata": {
    "creationDate": "string",
    "modificationDate": "string",
    "platform": [],
    "description": "string",
    "contributors": [
      "string"
    ],
    "mitreAttack": []
  },
  "authorization": [],
  "parameters": [],
  "variables": {},
  "steps": []
}
```
| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| id | Yes | Unique identifier of the campaign, in GUID format. | [string] | f0b032ec-192b-4193-b8a1-7ba38bced104 |
| name | Yes | Name of the campaign. | [string] | Golden SAML Campaign |
| metadata | No | Metadata of the campaign such as description, contributors, creation date, etc. | metadata | |
| authorization | No | Permissions required to execute simulations. This metadata can be used either before executing an action or during the deployment of the simulation system to make sure the right permissions are granted. | authorization | |
| parameters | No | A list of key-value pairs that define the parameters used. | [array] | variables: |
| variables | No | A dictionary of key-value pairs that define the variables used. | [dictionary] | variables: |
| steps | Yes | Series / array of steps (atomic actions). | steps | |
## Campaign Metadata

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| creationDate | No | Date when the campaign was documented / created. | ‘yyyy-mm-dd’ | ‘2021-08-05’ |
| modificationDate | No | Date when the campaign was last modified. | ‘yyyy-mm-dd’ | ‘2021-09-08’ |
| platform | Yes | List of platforms. | [array] | Azure, AWS, Windows |
| description | Yes | Description of the campaign. | [string] | This campaign simulates a threat actor exporting AD FS token signing certificates to sign SAML tokens, impersonating privileged users and exfiltrating sensitive information. |
| contributors | No | List of people that documented / contributed the campaign. | [array] | Roberto Rodriguez, Jose Rodriguez |
| mitreAttack | No | List of dictionaries representing the MITRE ATT&CK tactics and techniques mapped to the campaign. | [array] | |
## MITRE ATT&CK

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| technique | No | ATT&CK technique ID. | [string] | ‘T1552.004’ |
| tactics | Yes | List of ATT&CK tactic IDs. | [array] | [‘TA0006’] |
## Campaign Steps

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| number | Yes | Step number. | [int] | 1 |
| steps | Yes | Atomic action. | steps properties | |
## Steps Template Format

```json
{
  "number": "int",
  "name": "string",
  "metadata": {
    "description": "string"
  },
  "execution": {
    "type": "string",
    "platform": "string",
    "executor": "string",
    "parameters": {
      "string": {
        "type": "string",
        "defaultValue": "string"
      }
    }
  }
}
```
| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| number | Yes | Step number. | [int] | 1 |
| name | Yes | Name of the atomic action. | [string] | Export AD FS Token Signing Certificate |
| metadata | No | Metadata of the atomic action, such as its description. | metadata | |
| execution | Yes | Settings and parameters of the atomic action. | execution | |
## Step Metadata

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| description | Yes | Description of the atomic simulation. | [string] | A threat actor might export the AD FS token signing certificate to sign SAML tokens and impersonate users. |
## Step Execution

```json
{
  "execution": {
    "type": "string",
    "platform": "string",
    "executor": "string",
    "supportingFileUris": [
      "string"
    ]
  }
}
```

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| type | Yes | Type of atomic execution. | ScriptModule or ScriptFile | |
| platform | Yes | Where the atomic execution runs and what it is performed against. | ‘Azure’ or ‘WindowsHybridWorker’ | ‘Azure’ |
| executor | Yes | What is used to execute the simulation. | ‘PowerShell’ | ‘PowerShell’ |
| supportingFileUris | No | List of URIs to download additional files from. | [array] | [ |
## Script Module Execution Mode

```json
{
  "execution": {
    "type": "ScriptModule",
    "platform": "string",
    "executor": "string",
    "module": {
      "name": "string",
      "version": "string",
      "function": "string",
      "scriptUri": "string"
    },
    "supportingFileUris": [
      "string"
    ],
    "parameters": {
      "string": {
        "type": "string",
        "description": "string",
        "required": "bool",
        "defaultValue": "string"
      }
    }
  }
}
```
## Script File Execution Mode

```json
{
  "execution": {
    "type": "ScriptFile",
    "platform": "string",
    "executor": "string",
    "scriptUri": "string",
    "supportingFileUris": [
      "string"
    ],
    "parameters": {
      "string": {
        "type": "string",
        "description": "string",
        "required": "bool",
        "defaultValue": "string"
      }
    }
  }
}
```

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| module | Yes | Module to import and function to call; used when type is ScriptModule. | ScriptModule | |
| scriptUri | Yes | Location of the script to run; used when type is ScriptFile. | [string] | ‘https://…’ |
| parameters | Yes | Parameters to pass to the execution. | parameters | |
## Script Module

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| name | Yes | Name of the module to import. | [string] | ‘CloudKatanaAbilities’ |
| version | Yes | Module version. | [string] | ‘1.3.1’ |
| function | Yes | Name of the function to use from the module. | [string] | ‘Export-AADIntADFSCertificates’ |
| scriptUri | No | The location where the module can be imported from. Usually the module or library is already installed; if not, it can be imported from this location. | [string] | ‘https://…’ |
## Execution Parameters

```json
{
  "parameters": {
    "string": {
      "type": "string",
      "defaultValue": "string"
    }
  }
}
```

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| [parameter name] | Yes | Name of the parameter. | parameter properties | ‘accessToken’ |
## Parameter Properties

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| type | No | Type of parameter. | ‘string’ or ‘int’ or ‘bool’ | ‘string’ |
| defaultValue | No | Parameter default value. | [string] | ‘xyz’ |
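The tables above list required keys and allowed values but give no way to check a campaign document before it is deployed. The checker below is an added example, not the project's own code: it encodes the rules from the Campaign Template, Campaign Metadata, Step Execution and Parameter Properties tables (required keys, GUID id, `yyyy-mm-dd` dates, the `ScriptModule`/`ScriptFile` split, allowed platforms, executors and parameter types) and reports every violation it finds. The sample campaign it validates is constructed from the example values on this page; the rule that step numbers run 1..n in document order is an assumption, since the page only says a step number is an int.

```python
"""Schema checker for campaign documents, built from the tables on this page (added
example, not the project's own code; assumes step numbers run 1..n in order)."""
import re
import uuid
from datetime import date

EXECUTION_TYPES = {"ScriptModule", "ScriptFile"}
PLATFORMS = {"Azure", "WindowsHybridWorker"}
EXECUTORS = {"PowerShell"}
PARAM_TYPES = {"string", "int", "bool"}
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def _require(obj, keys, where, errors):
    """Record every key from `keys` that is missing from the dictionary `obj`."""
    for key in keys:
        if key not in obj:
            errors.append(f"{where}: missing required key '{key}'")


def _check_date(value, field, errors):
    """Dates use 'yyyy-mm-dd' and must be a real calendar date (no 2021-02-30)."""
    try:
        if not DATE_RE.match(str(value)):
            raise ValueError
        date.fromisoformat(value)
    except ValueError:
        errors.append(f"{field}: {value!r} is not a valid 'yyyy-mm-dd' date")


def _check_execution(execution, where, errors):
    """type/platform/executor are always required; module or scriptUri depends on the mode."""
    _require(execution, ("type", "platform", "executor"), where, errors)
    for key, allowed in (("type", EXECUTION_TYPES), ("platform", PLATFORMS), ("executor", EXECUTORS)):
        if execution.get(key) not in allowed:
            errors.append(f"{where}.{key}: {execution.get(key)!r} not in {sorted(allowed)}")
    etype = execution.get("type")
    if etype == "ScriptModule":
        _require(execution.get("module", {}), ("name", "version", "function"), f"{where}.module", errors)
    elif etype == "ScriptFile" and not isinstance(execution.get("scriptUri"), str):
        errors.append(f"{where}.scriptUri: required when type is ScriptFile")
    for name, props in execution.get("parameters", {}).items():
        ptype = props.get("type", "string")  # type is optional; treat a missing type as string
        if ptype not in PARAM_TYPES:
            errors.append(f"{where}.parameters.{name}.type: {ptype!r} not in {sorted(PARAM_TYPES)}")
        if "required" in props and not isinstance(props["required"], bool):
            errors.append(f"{where}.parameters.{name}.required: expected a bool")


def validate_campaign(campaign):
    """Return the list of schema violations; an empty list means the document conforms."""
    errors = []
    _require(campaign, ("id", "name", "steps"), "campaign", errors)
    try:
        uuid.UUID(str(campaign.get("id")))
    except ValueError:
        errors.append(f"id: {campaign.get('id')!r} is not a GUID")
    if "metadata" in campaign:  # optional block, but platform and description are required inside it
        meta = campaign["metadata"]
        _require(meta, ("platform", "description"), "metadata", errors)
        for key in ("creationDate", "modificationDate"):
            if key in meta:
                _check_date(meta[key], f"metadata.{key}", errors)
        for i, entry in enumerate(meta.get("mitreAttack", [])):
            if not isinstance(entry.get("tactics"), list):
                errors.append(f"metadata.mitreAttack[{i}]: 'tactics' must be a list")
    for i, step in enumerate(campaign.get("steps", [])):
        where = f"steps[{i}]"
        _require(step, ("number", "name", "execution"), where, errors)
        if step.get("number") != i + 1:  # assumption: steps are numbered 1..n in order
            errors.append(f"{where}.number: expected {i + 1}, got {step.get('number')!r}")
        if isinstance(step.get("execution"), dict):
            _check_execution(step["execution"], f"{where}.execution", errors)
    return errors


# Constructed sample assembled from the example values in the tables on this page.
SAMPLE_CAMPAIGN = {
    "id": "f0b032ec-192b-4193-b8a1-7ba38bced104",
    "name": "Golden SAML Campaign",
    "metadata": {
        "creationDate": "2021-08-05",
        "modificationDate": "2021-09-08",
        "platform": ["Azure", "Windows"],
        "description": "Simulates export of AD FS token signing certificates to sign SAML tokens.",
        "mitreAttack": [{"technique": "T1552.004", "tactics": ["TA0006"]}],
    },
    "steps": [{
        "number": 1,
        "name": "Export AD FS Token Signing Certificate",
        "execution": {
            "type": "ScriptModule",
            "platform": "WindowsHybridWorker",
            "executor": "PowerShell",
            "module": {"name": "CloudKatanaAbilities", "version": "1.3.1",
                       "function": "Export-AADIntADFSCertificates"},
            "parameters": {"accessToken": {"type": "string", "required": True}},
        },
    }],
}
```

`validate_campaign(SAMPLE_CAMPAIGN)` returns an empty list; feeding it a document with a malformed `id`, an impossible date such as `2021-02-30`, an unknown platform, or a `ScriptFile` step that lacks `scriptUri` returns one message per problem, which is more useful in a pre-deployment check than failing on the first error.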