Simulation Schema
This project describes two types of simulations:

- Atomic: A single action taken in order to achieve a particular goal.
- Campaign: An organized course of action composed of a series of steps to achieve a goal.
Atomic Template Format

In its simplest structure, an atomic template has the following elements:

```yaml
schema: "string"
id: "string"
name: "string"
metadata:
  creationDate: "string"
  modificationDate: "string"
  description: "string"
  contributors:
    - "string"
  mitreAttack:
    - technique: "string"
      tactics:
        - "string"
authorization:
  - resource: "string"
    permissionsType: "string"
    permissions:
      - "string"
execution:
  type: "string"
  platform: "string"
  executor: "string"
  parameters:
    "string":
      type: "string"
      description: "string"
      required: bool
      defaultValue: "string"
```
| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| schema | Yes | Type of simulation. Always 'atomic'. | [string] | 'atomic' |
| id | Yes | Unique identifier of an atomic action. This follows a GUID format. | [string] | f0b032ec-192b-4193-b8a1-7ba38bced104 |
| name | Yes | Name of the atomic action. | [string] | Export AD FS Token Signing Certificate |
| metadata | No | Metadata of the atomic action such as description, contributors, creation date, etc. | | |
| authorization | No | Permissions required to execute the simulation. This metadata can be used either before executing an action or during the deployment of the simulation system to make sure the right permissions are granted. | | |
| execution | Yes | Settings and parameters of the atomic action. | | |
Atomic Metadata

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| creationDate | No | Date when the atomic simulation was documented / created. | 'yyyy-mm-dd' | '2021-08-05' |
| modificationDate | No | Date when the atomic simulation was modified. | 'yyyy-mm-dd' | '2021-09-08' |
| description | Yes | Description of the atomic simulation. | [string] | A threat actor might export the AD FS token signing certificate to sign SAML tokens and impersonate users. |
| contributors | No | List of people that documented / contributed the atomic simulation. | [array] | Roberto Rodriguez, Jose Rodriguez |
| mitreAttack | No | Mapping of the atomic simulation to MITRE ATT&CK tactics and techniques. | [array] | |
MITRE ATT&CK Mappings

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| technique | No | ATT&CK technique ID. | [string] | 'T1552.004' |
| tactics | Yes | List of ATT&CK tactics. | [array] | ['TA0006'] |
Authorization context

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| resource | Yes | Resource to access. | [string] | |
| permissionsType | Yes | Type of permission. | [string] | 'Application' |
| permissions | Yes | List of permissions. | [array] | ['Application.Read.All'] |
Atomic Execution

```yaml
execution:
  type: "string"
  platform: "string"
  executor: "string"
  supportingFileUris:
    - "string"
```

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| type | Yes | Type of atomic execution. | 'ScriptModule' or 'ScriptFile' | |
| platform | Yes | Where the atomic execution runs and what it targets. | 'Azure' or 'WindowsHybridWorker' | 'Azure' |
| executor | Yes | What is used to execute the simulation. | 'PowerShell' | 'PowerShell' |
| supportingFileUris | No | List of URIs to download additional files from. | [array] | [ |
Script Module Execution

```yaml
execution:
  type: "ScriptModule"
  platform: "string"
  executor: "string"
  module:
    name: "string"
    function: "string"
    scriptUri: "string"
  supportingFileUris:
    - "string"
  parameters:
    "string":
      type: "string"
      description: "string"
      required: bool
      defaultValue: "string"
```

Script File Execution

```yaml
execution:
  type: "ScriptFile"
  platform: "string"
  executor: "string"
  scriptUri: "string"
  supportingFileUris:
    - "string"
  parameters:
    "string":
      type: "string"
      description: "string"
      required: bool
      defaultValue: "string"
```

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| module | Yes (ScriptModule execution) | Module settings: the module to import and the function to call. See Script Module below. | [dictionary] | |
| scriptUri | Yes (ScriptFile execution) | Location of the script file to execute. | [string] | 'https://…' |
| parameters | Yes | Parameters to pass to the execution. See Execution Parameters below. | [dictionary] | |
Script Module

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| name | Yes | Name of the module to import. | [string] | 'AADInternals' |
| function | Yes | Name of the function to use from the module. | [string] | 'Export-AADIntADFSCertificates' |
| scriptUri | No | The location where the module can be imported from. Usually the module or library is already installed; if not, it can be imported this way. | [string] | 'https://…' |
Execution Parameters

```yaml
parameters:
  "string":
    type: "string"
    description: "string"
    required: bool
    defaultValue: "string"
```

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| [parameter name] | Yes | Name of the parameter. Its properties are described below. | [string] | 'accessToken' |
Parameter Properties

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| type | No | Type of parameter. | 'string' or 'int' or 'bool' | 'string' |
| description | No | Description of the parameter. | [string] | Access token used to access the MS Graph API |
| required | Yes | Whether this parameter is required or not. | [bool] | true |
| defaultValue | No | Parameter default value. | [string] | 'xyz' |
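The tables above define what a well-formed atomic template looks like: required top-level properties, a GUID id, ISO dates, ATT&CK identifiers, one of two execution types with their own mandatory fields, and typed parameters. The following validator is an added example, not code from the project; it works on the dict that PyYAML's `yaml.safe_load()` would produce for a template, and the sample template is constructed here from the example values in the tables (the authorization resource and the `timeoutSeconds` parameter are constructed values the page does not give). It also answers the question the `required` property exists for: which parameters the caller still has to supply before the action can run.

```python
import re
from datetime import date

# Constructed sample (not from the project): the dict yaml.safe_load() would produce for
# an atomic template filled with the example values in the tables above. The authorization
# resource and the timeoutSeconds parameter are constructed values.
SAMPLE_ATOMIC = {
    "schema": "atomic",
    "id": "f0b032ec-192b-4193-b8a1-7ba38bced104",
    "name": "Export AD FS Token Signing Certificate",
    "metadata": {
        "creationDate": "2021-08-05",
        "modificationDate": "2021-09-08",
        "description": "A threat actor might export the AD FS token signing certificate.",
        "contributors": ["Roberto Rodriguez", "Jose Rodriguez"],
        "mitreAttack": [{"technique": "T1552.004", "tactics": ["TA0006"]}],
    },
    "authorization": [
        {"resource": "https://graph.microsoft.com", "permissionsType": "Application",
         "permissions": ["Application.Read.All"]},
    ],
    "execution": {
        "type": "ScriptModule",
        "platform": "Azure",
        "executor": "PowerShell",
        "module": {"name": "AADInternals", "function": "Export-AADIntADFSCertificates"},
        "parameters": {
            "accessToken": {"type": "string", "required": True,
                            "description": "Access token used to access the MS Graph API"},
            "timeoutSeconds": {"type": "int", "required": False, "defaultValue": 30},
        },
    },
}

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1552.004
TACTIC_RE = re.compile(r"^TA\d{4}$")              # e.g. TA0006
PLATFORMS = {"Azure", "WindowsHybridWorker"}
EXECUTORS = {"PowerShell"}
PARAM_TYPES = {"string": str, "int": int, "bool": bool}


def _is_date(value):
    """True when value is a 'yyyy-mm-dd' string."""
    try:
        date.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False


def validate_atomic(tpl):
    """Return a list of problems with an atomic template; an empty list means it passes."""
    errors = []
    for key in ("schema", "id", "name", "execution"):
        if key not in tpl:
            errors.append(f"missing required property '{key}'")
    if tpl.get("schema") != "atomic":
        errors.append("schema must be 'atomic'")
    if not GUID_RE.match(str(tpl.get("id", ""))):
        errors.append("id must be a GUID")
    meta = tpl.get("metadata", {})
    if "metadata" in tpl and "description" not in meta:
        errors.append("metadata.description is required")
    for key in ("creationDate", "modificationDate"):
        if key in meta and not _is_date(meta[key]):
            errors.append(f"metadata.{key} must be yyyy-mm-dd")
    for mapping in meta.get("mitreAttack", []):
        tech = mapping.get("technique")
        if tech is not None and not TECHNIQUE_RE.match(tech):
            errors.append(f"bad ATT&CK technique id {tech!r}")
        tactics = mapping.get("tactics") or []
        if not tactics:
            errors.append("mitreAttack entry needs at least one tactic")
        errors += [f"bad ATT&CK tactic id {t!r}" for t in tactics if not TACTIC_RE.match(t)]
    for auth in tpl.get("authorization", []):
        for key in ("resource", "permissionsType", "permissions"):
            if key not in auth:
                errors.append(f"authorization entry missing '{key}'")
    ex = tpl.get("execution", {})
    if ex.get("platform") not in PLATFORMS:
        errors.append("execution.platform must be 'Azure' or 'WindowsHybridWorker'")
    if ex.get("executor") not in EXECUTORS:
        errors.append("execution.executor must be 'PowerShell'")
    etype = ex.get("type")
    if etype == "ScriptModule":  # module.name and module.function are mandatory here
        if not {"name", "function"} <= set(ex.get("module") or {}):
            errors.append("ScriptModule execution needs module.name and module.function")
    elif etype == "ScriptFile":  # the script itself is fetched from scriptUri
        if not ex.get("scriptUri"):
            errors.append("ScriptFile execution needs scriptUri")
    else:
        errors.append(f"execution.type must be 'ScriptModule' or 'ScriptFile', got {etype!r}")
    for pname, param in ex.get("parameters", {}).items():
        if "required" not in param:
            errors.append(f"parameter '{pname}' must say whether it is required")
        ptype = param.get("type", "string")  # assumption: an untyped parameter is a string
        if ptype not in PARAM_TYPES:
            errors.append(f"parameter '{pname}' has unknown type {ptype!r}")
        elif "defaultValue" in param:
            dv = param["defaultValue"]  # bool is an int subclass in Python, so exclude it
            ok = isinstance(dv, PARAM_TYPES[ptype]) and not (ptype == "int" and isinstance(dv, bool))
            if not ok:
                errors.append(f"parameter '{pname}' defaultValue does not match type {ptype!r}")
    return errors


def missing_inputs(tpl, supplied):
    """Required parameters the caller has not supplied and that carry no defaultValue."""
    params = tpl.get("execution", {}).get("parameters", {})
    return sorted(n for n, p in params.items()
                  if p.get("required") and n not in supplied and "defaultValue" not in p)
```

Running `validate_atomic(SAMPLE_ATOMIC)` returns an empty list, and `missing_inputs(SAMPLE_ATOMIC, {})` returns `['accessToken']`, so a runner can refuse to start the action until that value is provided rather than failing halfway through the script.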
Campaign Template Format

```yaml
schema: "string"
id: "string"
name: "string"
metadata:
  creationDate: "string"
  modificationDate: "string"
  description: "string"
  contributors:
    - "string"
variables: {}
steps:
  - number: [int]
    [atomic]
```

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| schema | Yes | Type of simulation. Always 'campaign'. | [string] | 'campaign' |
| id | Yes | Unique identifier of the campaign. This follows a GUID format. | [string] | f0b032ec-192b-4193-b8a1-7ba38bced104 |
| name | Yes | Name of the campaign. | [string] | Golden SAML Campaign |
| metadata | No | Metadata of the campaign such as description, contributors, creation date, etc. | | |
| variables | No | A dictionary of key-value pairs defining the variables used by the steps. | [dictionary] | variables: |
| steps | Yes | Series / array of steps (atomic actions). | [array] | |
Campaign Metadata

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| creationDate | No | Date when the campaign was documented / created. | 'yyyy-mm-dd' | '2021-08-05' |
| modificationDate | No | Date when the campaign was modified. | 'yyyy-mm-dd' | '2021-09-08' |
| description | Yes | Description of the campaign. | [string] | This campaign simulates a threat actor exporting AD FS token signing certificates to sign SAML tokens, impersonating privileged users and exfiltrating sensitive information. |
| contributors | No | List of people that documented / contributed the campaign. | [array] | Roberto Rodriguez, Jose Rodriguez |
Campaign Steps

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| number | Yes | Step number. | [int] | 1 |
| [atomic] | Yes | Atomic action: the remaining properties of the step are those of an atomic template. | | |
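A campaign is a numbered series of atomic actions, and the Authorization context section above notes that the `authorization` metadata is meant to be checked before an action runs or while the simulation system is being deployed. The following added example (not the project's code) does that for a whole campaign: it checks that step numbers are contiguous and that each step carries the atomic template's required properties, collects the union of permissions every step needs per resource so the deployment can compare them with what is actually granted, and flags step parameters that refer to a campaign variable that was never defined. The sample campaign is constructed here; the resource URL, the GUIDs of the steps, the second step and the `${name}` variable-reference syntax are all assumptions, since the page does not say how `variables` are referenced.

```python
import re

# Constructed sample campaign (not from the project), in the dict shape yaml.safe_load()
# would give for the campaign template above. Each step embeds an atomic template; only
# the fields these checks read are filled in. The resource URL, step ids, the second step
# and the variable values are constructed placeholders.
GRAPH = "https://graph.microsoft.com"
SAMPLE_CAMPAIGN = {
    "schema": "campaign",
    "id": "f0b032ec-192b-4193-b8a1-7ba38bced104",
    "name": "Golden SAML Campaign",
    "metadata": {"description": "Simulates export of the AD FS token signing certificate."},
    "variables": {"tenantId": "00000000-0000-0000-0000-000000000000",
                  "targetUser": "user@example.com"},
    "steps": [
        {"number": 1, "schema": "atomic", "id": "11111111-1111-1111-1111-111111111111",
         "name": "Export AD FS Token Signing Certificate",
         "authorization": [{"resource": GRAPH, "permissionsType": "Application",
                            "permissions": ["Application.Read.All"]}],
         "execution": {"type": "ScriptModule", "platform": "Azure", "executor": "PowerShell",
                       "module": {"name": "AADInternals",
                                  "function": "Export-AADIntADFSCertificates"},
                       "parameters": {"tenantId": {"type": "string", "required": True,
                                                   "defaultValue": "${tenantId}"}}}},
        {"number": 2, "schema": "atomic", "id": "22222222-2222-2222-2222-222222222222",
         "name": "Constructed second step",
         "authorization": [{"resource": GRAPH, "permissionsType": "Application",
                            "permissions": ["User.Read.All"]}],
         "execution": {"type": "ScriptFile", "platform": "Azure", "executor": "PowerShell",
                       "scriptUri": "https://example.invalid/step2.ps1",
                       "parameters": {"user": {"type": "string", "required": True,
                                               "defaultValue": "${targetUser}"}}}},
    ],
}

# Assumed convention (not stated on the page): a parameter defaultValue may reference a
# campaign variable as ${name}.
VAR_RE = re.compile(r"\$\{(\w+)\}")


def check_campaign(campaign):
    """Structural problems: schema value, non-empty steps, contiguous step numbers starting
    at 1, and each step carrying the atomic template's required properties."""
    errors = []
    if campaign.get("schema") != "campaign":
        errors.append("schema must be 'campaign'")
    steps = campaign.get("steps") or []
    if not steps:
        errors.append("steps must contain at least one atomic action")
    numbers = [s.get("number") for s in steps]
    if numbers != list(range(1, len(steps) + 1)):
        errors.append(f"step numbers must run 1..{len(steps)} in order, got {numbers}")
    for step in steps:
        for key in ("schema", "id", "name", "execution"):
            if key not in step:
                errors.append(f"step {step.get('number')} is missing atomic property '{key}'")
    return errors


def unresolved_variables(campaign):
    """(step number, parameter, variable) for every ${var} reference with no matching variable."""
    defined = set(campaign.get("variables") or {})
    missing = []
    for step in campaign.get("steps", []):
        params = step.get("execution", {}).get("parameters", {})
        for pname, param in params.items():
            value = param.get("defaultValue")
            if isinstance(value, str):
                missing += [(step["number"], pname, ref) for ref in VAR_RE.findall(value)
                            if ref not in defined]
    return missing


def required_permissions(campaign):
    """Union of permissions per (resource, permissionsType) over every step's authorization."""
    needed = {}
    for step in campaign.get("steps", []):
        for auth in step.get("authorization", []):
            key = (auth["resource"], auth["permissionsType"])
            needed.setdefault(key, set()).update(auth["permissions"])
    return needed


def missing_permissions(campaign, granted):
    """Permissions the deployment still has to grant before the campaign can run.
    `granted` has the same shape as required_permissions() returns."""
    gaps = {}
    for key, perms in required_permissions(campaign).items():
        lacking = perms - set(granted.get(key, ()))
        if lacking:
            gaps[key] = lacking
    return gaps


if __name__ == "__main__":
    print(check_campaign(SAMPLE_CAMPAIGN), unresolved_variables(SAMPLE_CAMPAIGN))
    print(missing_permissions(SAMPLE_CAMPAIGN, {(GRAPH, "Application"): {"Application.Read.All"}}))
```

Because `required_permissions()` merges permissions across all steps, the deployment can grant the campaign's identity exactly that set and nothing more; `missing_permissions()` then tells the operator which grants are still outstanding before the first step is started.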