Simulation Schema#

This project describes two types of simulations:

  • Atomic: A single action taken in order to achieve a particular goal.

  • Campaign: An organized course of action composed of a series of steps to achieve a goal.

Atomic Template Format#

In its simplest structure, an atomic template has the following elements:

schema: "string"
id: "string"
name: "string"
metadata:
  creationDate: "string"
  modificationDate: "string"
  description: "string"
  contributors:
    - "string"
  mitreAttack:
    - technique: "string"
      tactics:
        - "string"
authorization:
  - resource: "string"
    permissionsType: "string"
    permissions:
      - "string"
execution:
  type: "string"
  platform: "string"
  executor: "string"
  parameters:
    "string":
      type: "string"
      description: "string"
      required: bool
      defaultValue: "string"

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| schema | Yes | Type of simulation. Always atomic in this template. | [string] | ‘atomic’ |
| id | Yes | Unique identifier of an atomic action. This follows a GUID format. | [string] | f0b032ec-192b-4193-b8a1-7ba38bced104 |
| name | Yes | Name of the atomic action. | [string] | Export AD FS Token Signing Certificate |
| metadata | No | Metadata of the atomic action, such as description, contributors, creation date, etc. | metadata | |
| authorization | No | Permissions required to execute the simulation. This metadata can be used either before executing an action or during the deployment of the simulation system to make sure the right permissions are granted. | authorization | |
| execution | Yes | Settings and parameters of the atomic action. | execution | |

Atomic Metadata#

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| creationDate | No | Date when the atomic simulation was documented / created. | ‘yyyy-mm-dd’ | ‘2021-08-05’ |
| modificationDate | No | Date when the atomic simulation was modified. | ‘yyyy-mm-dd’ | ‘2021-09-08’ |
| description | Yes | Description of the atomic simulation. | [string] | A threat actor might export the AD FS token signing certificate to sign SAML tokens and impersonate users. |
| contributors | No | List of people that documented / contributed the atomic simulation. | [array] | Roberto Rodriguez, Jose Rodriguez |
| mitreAttack | No | Mapping of the atomic simulation to MITRE ATT&CK tactics and techniques. | mitreAttack | |

MITRE ATT&CK Mappings#

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| technique | No | ATT&CK technique ID. | [string] | ‘T1552.004’ |
| tactics | Yes | List of ATT&CK tactics. | [array] | [‘TA0006’] |

Authorization context#

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| resource | Yes | Resource to access. | [string] | https://graph.microsoft.com/ |
| permissionsType | Yes | Type of permission. | [string] | ‘Application’ |
| permissions | Yes | List of permissions. | [array] | [‘Application.Read.All’] |

Atomic Execution#

execution:
  type: "string"
  platform: "string"
  executor: "string"
  supportingFileUris:
    - "string"

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| type | Yes | Type of atomic execution. | ScriptModule or ScriptFile | |
| platform | Yes | Where the atomic execution is performed and what it is performed against. The Azure platform assumes the simulation is executed against the cloud; the WindowsHybridWorker platform assumes it is executed on a Windows endpoint managed by an automation account. | ‘Azure’ or ‘WindowsHybridWorker’ | ‘Azure’ |
| executor | Yes | What is going to be used to execute the simulation. | ‘PowerShell’ | ‘PowerShell’ |
| supportingFileUris | No | List of URIs to download additional files from. | [array] | [https://..,https://..] |

Script Module Execution#

execution:
  type: "ScriptModule"
  platform: "string"
  executor: "string"
  module:
    name: "string"
    function: "string"
    scriptUri: "string"
  supportingFileUris:
    - "string"
  parameters:
    "string":
      type: "string"
      description: "string"
      required: bool
      defaultValue: "string"

Script File Execution#

execution:
  type: "ScriptFile"
  platform: "string"
  executor: "string"
  scriptUri: "string"
  supportingFileUris:
    - "string"
  parameters:
    "string":
      type: "string"
      description: "string"
      required: bool
      defaultValue: "string"

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| module | Yes | module is required if the execution is of type ScriptModule. | ScriptModule | |
| scriptUri | Yes | scriptUri is required if the execution is of type ScriptFile. | [string] | ‘https://…’ |
| parameters | Yes | Parameters to pass to the execution. | parameters | |

Script Module#

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| name | Yes | Name of the module to import. | [string] | ‘AADInternals’ |
| function | Yes | Name of the function to use from the module. | [string] | ‘Export-AADIntADFSCertificates’ |
| scriptUri | No | The location the module can be imported from. Usually the module or library is already installed; if not, it can be imported this way. | [string] | ‘https://…’ |

Execution Parameters#

parameters:
  "string":
    type: "string"
    description: "string"
    required: bool
    defaultValue: "string"

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| [parameter name] | Yes | Name of the parameter. | parameter properties | ‘accessToken’ |

Parameter Properties#

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| type | No | Type of parameter. | ‘string’ or ‘int’ or ‘bool’ | ‘string’ |
| description | No | Description of the parameter. | [string] | Access token used to access the MS Graph API |
| required | Yes | Is this parameter required or not. | [bool] | true |
| defaultValue | No | Parameter default value. | [string] | ‘xyz’ |
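The tables above spell out which atomic fields are mandatory, which are optional, and which become mandatory depending on the execution type (module for ScriptModule, scriptUri for ScriptFile). The following validator is an added example, not the project's own code: it applies exactly those rules to a template that has already been parsed from YAML into a Python dictionary (so it runs without a YAML library). The function names validate_atomic and _check_parameters, and the two sample templates, are constructed for this example; the field values in VALID_ATOMIC are taken from the example column of the tables.

```python
import re
import uuid

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # 'yyyy-mm-dd' as given in the metadata table
EXECUTION_TYPES = {"ScriptModule", "ScriptFile"}
PLATFORMS = {"Azure", "WindowsHybridWorker"}
PARAM_TYPES = {"string", "int", "bool"}


def _is_guid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def _check_parameters(params, errors):
    # parameters: {"<name>": {type, description, required, defaultValue}}; 'required' is the only mandatory property
    if not isinstance(params, dict):
        errors.append("execution.parameters must be a dictionary")
        return
    for name, props in params.items():
        if not isinstance(props, dict) or not isinstance(props.get("required"), bool):
            errors.append(f"parameter '{name}' needs a boolean 'required'")
        elif props.get("type", "string") not in PARAM_TYPES:
            errors.append(f"parameter '{name}' has unknown type '{props['type']}'")


def validate_atomic(tpl):
    """Return the list of schema violations; an empty list means the template is valid."""
    errors = []
    if tpl.get("schema") != "atomic":
        errors.append("schema must be 'atomic'")
    if not _is_guid(tpl.get("id")):
        errors.append("id must be a GUID")
    if not tpl.get("name"):
        errors.append("name is required")

    meta = tpl.get("metadata")                     # optional block, but description is required inside it
    if meta is not None:
        if not meta.get("description"):
            errors.append("metadata.description is required when metadata is present")
        for key in ("creationDate", "modificationDate"):
            if key in meta and not DATE_RE.match(str(meta[key])):
                errors.append(f"metadata.{key} must be 'yyyy-mm-dd'")
        for mapping in meta.get("mitreAttack", []):   # technique is optional, tactics is required
            if not isinstance(mapping.get("tactics"), list):
                errors.append("each mitreAttack entry needs a 'tactics' list")

    for entry in tpl.get("authorization", []):     # optional block; every entry needs all three keys
        for key in ("resource", "permissionsType", "permissions"):
            if key not in entry:
                errors.append(f"authorization entry is missing '{key}'")

    exe = tpl.get("execution")
    if not isinstance(exe, dict):
        errors.append("execution block is required")
        return errors
    if exe.get("type") not in EXECUTION_TYPES:
        errors.append("execution.type must be ScriptModule or ScriptFile")
    if exe.get("platform") not in PLATFORMS:
        errors.append("execution.platform must be Azure or WindowsHybridWorker")
    if exe.get("executor") != "PowerShell":
        errors.append("execution.executor must be 'PowerShell'")
    # Conditional requirements from the Script Module / Script File tables.
    if exe.get("type") == "ScriptModule":
        module = exe.get("module") or {}
        if not (module.get("name") and module.get("function")):
            errors.append("ScriptModule execution needs module.name and module.function")
    elif exe.get("type") == "ScriptFile" and not exe.get("scriptUri"):
        errors.append("ScriptFile execution needs scriptUri")
    _check_parameters(exe.get("parameters", {}), errors)
    return errors


# Constructed sample built from the example values in the tables above.
VALID_ATOMIC = {
    "schema": "atomic",
    "id": "f0b032ec-192b-4193-b8a1-7ba38bced104",
    "name": "Export AD FS Token Signing Certificate",
    "metadata": {
        "creationDate": "2021-08-05",
        "description": "A threat actor might export the AD FS token signing certificate to sign SAML tokens.",
        "contributors": ["Roberto Rodriguez", "Jose Rodriguez"],
        "mitreAttack": [{"technique": "T1552.004", "tactics": ["TA0006"]}],
    },
    "execution": {
        "type": "ScriptModule", "platform": "WindowsHybridWorker", "executor": "PowerShell",
        "module": {"name": "AADInternals", "function": "Export-AADIntADFSCertificates"},
        "parameters": {},
    },
}

# Constructed sample with three defects: bad GUID, ScriptFile without scriptUri, parameter without 'required'.
BROKEN_ATOMIC = {
    "schema": "atomic", "id": "not-a-guid", "name": "Broken action",
    "execution": {"type": "ScriptFile", "platform": "Azure", "executor": "PowerShell",
                  "parameters": {"accessToken": {"type": "string"}}},
}

if __name__ == "__main__":
    print(validate_atomic(VALID_ATOMIC))    # []
    print(validate_atomic(BROKEN_ATOMIC))   # three violations
```

Running the check before a template is accepted into a simulation library catches the mismatch that is easiest to miss by eye: an execution block whose type says ScriptFile but which only carries a module, or the reverse.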

Campaign Template Format#

schema: "string"
id: "string"
name: "string"
metadata:
  creationDate: "string"
  modificationDate: "string"
  description: "string"
  contributors:
    - "string"
variables: {}
steps:
  - number: [int]
    [atomic]

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| schema | Yes | Type of simulation. Always campaign in this template. | [string] | ‘campaign’ |
| id | Yes | Unique identifier of the campaign. This follows a GUID format. | [string] | f0b032ec-192b-4193-b8a1-7ba38bced104 |
| name | Yes | Name of the campaign. | [string] | Golden SAML Campaign |
| metadata | No | Metadata of the campaign, such as description, contributors, creation date, etc. | metadata | |
| variables | No | A dictionary of key-value pairs to define variables used ONLY on parameters passed to each step in the simulation. | [dictionary] | `variables: {varKey: varValue}` |
| steps | Yes | Series / array of steps / atomic actions. | steps | |

Campaign Metadata#

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| creationDate | No | Date when the campaign was documented / created. | ‘yyyy-mm-dd’ | ‘2021-08-05’ |
| modificationDate | No | Date when the campaign was modified. | ‘yyyy-mm-dd’ | ‘2021-09-08’ |
| description | Yes | Description of the campaign. | [string] | This campaign simulates a threat actor exporting AD FS token signing certificates to sign SAML tokens, impersonating privileged users and exfiltrating sensitive information. |
| contributors | No | List of people that documented / contributed the campaign. | [array] | Roberto Rodriguez, Jose Rodriguez |

Campaign Steps#

| Property | Required | Description | Value | Example |
|---|---|---|---|---|
| number | Yes | Step number. | [int] | 1 |
| atomic properties | Yes | Atomic action. | atomic properties | |
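A campaign is a numbered list of atomic steps plus a variables dictionary that, per the table above, applies only to the parameters passed to each step. The following example, added here and not part of the project's code, expands a parsed campaign into an ordered run plan: it sorts the steps by number, flags duplicate numbers, substitutes campaign variables into each step's parameter defaults, and separates parameters that still have to be supplied at run time. The page does not specify how a step parameter refers to a campaign variable, so this example assumes Python string.Template placeholders (`${varKey}` or `$varKey`) inside defaultValue; the function plan_campaign, the helper _step and both sample campaigns are constructed for this example.

```python
import string


def plan_campaign(campaign):
    """Return (plan, errors).

    plan   -> [(number, step name, resolved parameters, parameters still to supply)], in step order
    errors -> duplicate step numbers and references to variables the campaign does not define
    """
    variables = campaign.get("variables") or {}            # optional dictionary
    steps = sorted(campaign.get("steps") or [], key=lambda s: s.get("number", 0))
    numbers = [s.get("number") for s in steps]
    errors = []
    if len(set(numbers)) != len(numbers):
        errors.append(f"step numbers must be unique, got {numbers}")

    plan = []
    for step in steps:
        resolved, pending = {}, []
        params = step.get("execution", {}).get("parameters", {})
        for name, props in params.items():
            value = props.get("defaultValue")
            if isinstance(value, str):
                try:
                    # Variables are substituted ONLY here, into step parameters (assumed ${var} syntax).
                    value = string.Template(value).substitute(variables)
                except KeyError as exc:
                    errors.append(f"step {step.get('number')}: parameter '{name}' "
                                  f"references undefined variable {exc}")
                    continue
            if value is None:
                if props.get("required"):
                    pending.append(name)     # required, no default: must be given when the step runs
                continue
            resolved[name] = value
        plan.append((step.get("number"), step.get("name"), resolved, pending))
    return plan, errors


def _step(number, name, parameters):
    # Minimal atomic step for the sample; only the fields this example reads are filled in.
    return {"number": number, "schema": "atomic", "name": name,
            "execution": {"type": "ScriptModule", "platform": "WindowsHybridWorker",
                          "executor": "PowerShell", "parameters": parameters}}


# Constructed campaign; the steps are deliberately listed out of order.
CAMPAIGN = {
    "schema": "campaign",
    "id": "f0b032ec-192b-4193-b8a1-7ba38bced104",
    "name": "Golden SAML Campaign",
    "variables": {"adfsServer": "adfs01.contoso.local", "outputDir": "C:\\Temp"},
    "steps": [
        _step(2, "Inspect exported certificate",
              {"certificatePath": {"type": "string", "required": True,
                                   "defaultValue": "${outputDir}\\ADFS_signing.pfx"}}),
        _step(1, "Export AD FS Token Signing Certificate",
              {"server": {"type": "string", "required": True, "defaultValue": "$adfsServer"},
               "accessToken": {"type": "string", "required": True}}),
    ],
}

# Constructed campaign with two defects: duplicate step numbers and an undefined variable.
BAD_CAMPAIGN = {
    "schema": "campaign", "id": "f0b032ec-192b-4193-b8a1-7ba38bced104", "name": "Broken campaign",
    "variables": {},
    "steps": [
        _step(1, "A", {"server": {"required": True, "defaultValue": "${adfsServer}"}}),
        _step(1, "B", {}),
    ],
}

if __name__ == "__main__":
    plan, errors = plan_campaign(CAMPAIGN)
    for entry in plan:
        print(entry)
    print(plan_campaign(BAD_CAMPAIGN)[1])
```

Resolving variables once, up front, means a typo in a variable name surfaces before any step runs rather than halfway through the campaign, and the pending list shows exactly which values (here the access token) the operator still has to hand to the execution system.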