.md .pdf

repository open issue suggest edit

Contents

Simulation Schema

This project describes two types of simulations:

• Atomic: A single action taken in order to achieve a particular goal.

• Campaign: An organized course of action composed of a series of steps to achieve a goal.

Schemas

• Atomic Template Format

• Campaign Template Format

Atomic Template Format

In its simplest structure, an atomic template has the following elements:

schema: "string"
id: "string"
name: "string"
metadata:
  creationDate: "string"
  modificationDate: "string"
  description: "string"
  contributors:
    - "string"
  mitreAttack:
    - technique: "string"
      tactics:
        - "string"
authorization:
  - resource: "string"
    permissionsType: "string"
    permissions:
      - "string"
execution:
  type: "string"
  platform: "string"
  executor: "string"
  parameters:
    "string":
      type: "string"
      description: "string"
      required: bool
      defaultValue: "string"

Property	Required	Description	Value	Example
schema	Yes	Type of simulation. Always atomic in this template.	[string]	‘atomic’
id	Yes	Unique identifier of a atomic action. This follows a GUID format.	[string]	f0b032ec-192b-4193-b8a1-7ba38bced104
name	Yes	Name of atomic action.	[string]	Export AD FS Token Signing Certificate
metadata	No	Metadata of atomic action such as description, contributors, creation date, etc.	metadata
authorization	No	Permissions required to execute simulations. This metadata can be used either before executing an action or during the deployment of the simulation system to make sure the right permissions are granted.	authorization
execution	Yes	Settings and parameters of atomic action.	execution

Atomic Metadata

Property	Required	Description	Value	Example
creationDate	No	Date when atomic simulation was documented / created.	‘yyyy-mm-dd’	‘2021-08-05’
modificationDate	No	Date when atomic simulation was modified.	‘yyyy-mm-dd’	‘2021-09-08’
description	Yes	Description of atomic simulation	[string]	A threat actor might export the AD FS token signing certificate to sign SAML tokens and impersonate users.
contributors	No	List of people that documented / contributed the atomic simulation.	[array]	Roberto Rodriguez, Jose Rodriguez
mitreAttack	No	Mapping of atomic simulation to MITRE ATT&CK tactics and techniques.	mitreAttack

MITRE ATT&CK Mappings

Property	Required	Description	Value	Example
technique	No	ATT&CK technique Id.	[string]	‘T1552.004’
tactics	Yes	list of ATT&CK tactics.	[array]	[‘TA0006’]

Authorization context

Property	Required	Description	Value	Example
resource	Yes	Resource to access.	[string]	https://graph.microsoft.com/
permissionsType	Yes	Type of permission.	[string]	‘Application’
permissions	Yes	List of permissions.	[array]	[‘Application.Read.All’]

Atomic Execution

execution:
  type: "string"
  platform: "string"
  executor: "string"
  supportingFileUris:
    - "string"

Property	Required	Description	Value	Example
type	Yes	Type of atomic execution.	ScriptModule or ScriptFile
platform	Yes	Where the atomic execution is performed and against to. Azure platform assumes the simulation is executed againts the cloud. WindowsHybridWorker platform assumes it is executed on a Windows endpoint managed by an automation account	‘Azure’ or ‘WindowsHybridWorker’	‘Azure’
executor	Yes	What is going to be used to execute the simulation	‘PowerShell’	‘PowerShell’
supportingFileUris	No	List of Uris to download additional files from	[array]	[https://..,https://..]

Script Module Execution

execution:
  type: "ScriptModule"
  platform: "string"
  executor: "string"
  module:
    name: "string"
    function: "string"
    scriptUri: "string"
  supportingFileUris:
    - "string"
  parameters:
    "string":
      type: "string"
      description: "string"
      required: bool
      defaultValue: "string"

Script File Execution

execution:
  type: "ScriptFile"
  platform: "string"
  executor: "string"
  scriptUri: "string"
  supportingFileUris:
    - "string"
  parameters:
    "string":
      type: "string"
      description: "string"
      required: bool
      defaultValue: "string"

Property	Required	Description	Value	Example
module	Yes	module is required if the execution is of type ScriptModule.	ScriptModule
scriptUri	Yes	scriptUri is required if the execution is of type ScriptFile.	[string]	‘https://…’
parameters	Yes	Parameters to pass to the execution	parameters

Script Module

Property	Required	Description	Value	Example
name	Yes	Name of the module to import.	[string]	‘AADInternals’
function	Yes	Name of the function to use from the module	[string]	‘Export-AADIntADFSCertificates’
scriptUri	No	The location where the module can be imported from. Usually the module or libray is already installed. If not, then you can import it this way.	[string]	‘https://…’

Execution Parameters

parameters:
  "string":
    type: "string"
    description: "string"
    required: bool
    defaultValue: "string"

Property	Required	Description	Value	Example
[parameter name]	Yes	name of parameter.	parameter properties	‘accessToken’

Parameter Properties

Property	Required	Description	Value	Example
type	No	Type of parameter	‘string’ or ‘int’ or ‘bool’	‘string’
description	No	Description of the parameter	[string]	Access token used to access the MS Graph API
required	Yes	Is this parameter required or not	[bool]	true
defaultValue	No	Parameter default value	[string]	‘xyz’

Campaign Template Format

schema: "string"
id: "string"
name: "string"
metadata:
  creationDate: "string"
  modificationDate: "string"
  description: "string"
  contributors:
    - "string"
variables: {}
steps:
  - number: [int]
    [atomic]

Property	Required	Description	Value	Example
schema	Yes	Type of simulation. Always campaign in this template.	[string]	‘campaign’
id	Yes	Unique identifier of campaign. This follows a GUID format.	[string]	f0b032ec-192b-4193-b8a1-7ba38bced104
name	Yes	Name of campaign.	[string]	Golden SAML Campaign
metadata	No	Metadata of campaign such as description, contributors, creation date, etc.	metadata
variables	No	A dictionary of key-value pairs to define variables used ONLY on parameters passed to each step in the simulation	[dictionary]	variables: varKey: varValue
steps	Yes	Series / array of steps / atomic actions.	steps

Campaign Metadata

Property	Required	Description	Value	Example
creationDate	No	Date when campaign was documented / created.	‘yyyy-mm-dd’	‘2021-08-05’
modificationDate	No	Date when campaign was modified.	‘yyyy-mm-dd’	‘2021-09-08’
description	Yes	Description of campaign	[string]	This campaign simulates a threat actor exporting AD FS token signing certificates to sign SAML tokens, impersonating privileged users and exfiltrating sensitive information.
contributors	No	List of people that documented / contributed the campaign.	[array]	Roberto Rodriguez, Jose Rodriguez

Campaign Steps

Property	Required	Description	Value	Example
number	Yes	Step number	[int]	1
atomic properties	Yes	Atomic action.	atomic properties

References:

• https://docs.microsoft.com/en-us/azure/templates/microsoft.resources/deploymentscripts?tabs=json

• https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/syntax

• https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows

• https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf

• https://attack.mitre.org/techniques/enterprise/

previous

Design Principles

next

Request Simulations