The universal, technology-agnostic version of the FIN7 emulation plan YAML has been provided as a starting point for machine parsing and execution of the FIN7 emulation plan. This folder will store all versions of this YAML file, including those formatted to work with specific execution runners (such as automated agents like CALDERA or other breach and attack simulation frameworks).
As Scenario 2 uses almost the same content as Scenario 1, but packages it into independent objectives, the YAML contains procedures linked only to the steps from Scenario 1. A table has been provided below to link the procedures within the YAML to the specific Scenario 2 steps.
As new files are added, please list them in the below table.
File | Execution Framework | Notes |
---|---|---|
Fin7.yaml | N/A | Initial Emulation Plan YAML |
A number of procedures within the emulation plan are not present within the YAML file. This is because these procedures integrate with external frameworks or involve interaction with a GUI, neither of which can be simply expressed in an automatable format.
The table below lists the steps/procedures that were skipped along with the reason why.
Step/Procedure | Step Name/Technique | Reason |
---|---|---|
1.A | User Execution: Malicious File | While the initial execution of the VBE payload can be automated, the payload requires the user to click 'OK' on a dialog box in order for the payload to complete successfully. |
2.A | SQLRat Execution via Scheduled Task | This procedure involves sending the command get-mac-serial to the RAT through the C2 channel. |
2.B | Upload Powershell Stager | This procedure involves sending an upload command to the RAT through the C2 channel. |
3.A | Discovery | This procedure involves sending the command enum-system to the RAT through the C2 channel. |
8.A | User Monitoring | This procedure relies on a Metasploit module. |
10.B.3 | Exfiltrate Credit Card Data | There is currently no technology-agnostic standard to represent uploads of files back to the C2 server. |
Certain procedures included in the YAML have been modified or have external dependencies that are not captured within the YAML file.
The table below captures these steps/procedures.
Step/Procedure | YAML Name | Note |
---|---|---|
4.A | Execution of stager.ps1 | An external C2 server needs to be configured to handle the callback from the Meterpreter payload. |
6.A | Expand Access | An external C2 server needs to be configured to handle the callback from the Meterpreter payload. |
7.A | Privilege Escalation | An external C2 server needs to be configured to handle the callback from the Meterpreter payload. |
10.A | Execute Application Shim Persistence | An external C2 server needs to be configured to handle the callback from the Meterpreter payload. |
The procedures in the YAML are mapped directly to the steps in Scenario 1. The table below maps the procedures to the steps of Scenario 2.
Scenario 2 Step | procedure_step | procedure id |
---|---|---|
1 | N/A | N/A (All procedures skipped in YAML) |
2 | 5.A.1, 5.A.2 | ab937ef4-7c66-4349-ad3b-658c41fcf4c5, b15d3014-a5d1-4ec6-934b-d7fe44451192 |
3 | 6.A | 9a76889c-9518-4b3e-9c87-6618156015c6 |
4 | 7.A | ab48e12f-def0-40a4-b3d9-ad958f45202a |
5 | 9.B, 10.A | eb99abcb-93e2-4a3e-bf05-a484839dc851, 6ec6561b-e535-4fe3-9c20-a52e5982b513 |
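The mapping table above is maintained by hand, so it can drift from `Fin7.yaml` as procedures are added or re-keyed. The script below is an added example (not part of the emulation plan or this repository's tooling) that resolves each Scenario 2 step to the procedure entries it references and flags any id the table cites that the YAML no longer contains. It assumes that each procedure record in the parsed YAML is a mapping with `id` and `procedure_step` keys (and optionally `name`), and that the file is a YAML list whose first element is a plan-metadata record without an `id`; the `SAMPLE_PLAN` records are constructed to exercise the logic and are not the real plan content.

```python
"""Resolve Scenario 2 steps to FIN7 emulation-plan procedures and sanity-check the mapping table."""
from typing import Dict, List, Tuple

# Constructed sample in the assumed shape of the parsed Fin7.yaml: a metadata header record
# followed by procedure records with id / name / procedure_step. Names for 5.A.x and 9.B and
# the id for 4.A are placeholders; only the six ids from the mapping table are real.
SAMPLE_PLAN = [
    {"emulation_plan_details": {"adversary_name": "FIN7"}},
    {"id": "00000000-0000-0000-0000-000000000000", "name": "Execution of stager.ps1",
     "procedure_step": "4.A"},  # mapped to no Scenario 2 step; placeholder id (constructed)
    {"id": "ab937ef4-7c66-4349-ad3b-658c41fcf4c5", "name": "(constructed)", "procedure_step": "5.A.1"},
    {"id": "b15d3014-a5d1-4ec6-934b-d7fe44451192", "name": "(constructed)", "procedure_step": "5.A.2"},
    {"id": "9a76889c-9518-4b3e-9c87-6618156015c6", "name": "Expand Access", "procedure_step": "6.A"},
    {"id": "ab48e12f-def0-40a4-b3d9-ad958f45202a", "name": "Privilege Escalation", "procedure_step": "7.A"},
    {"id": "eb99abcb-93e2-4a3e-bf05-a484839dc851", "name": "(constructed)", "procedure_step": "9.B"},
    {"id": "6ec6561b-e535-4fe3-9c20-a52e5982b513", "name": "Execute Application Shim Persistence",
     "procedure_step": "10.A"},
]

# Scenario 2 step -> procedure ids, in execution order, transcribed from the table above.
SCENARIO2_MAP: Dict[int, List[str]] = {
    1: [],  # every Scenario 1 procedure behind this step was skipped in the YAML
    2: ["ab937ef4-7c66-4349-ad3b-658c41fcf4c5", "b15d3014-a5d1-4ec6-934b-d7fe44451192"],
    3: ["9a76889c-9518-4b3e-9c87-6618156015c6"],
    4: ["ab48e12f-def0-40a4-b3d9-ad958f45202a"],
    5: ["eb99abcb-93e2-4a3e-bf05-a484839dc851", "6ec6561b-e535-4fe3-9c20-a52e5982b513"],
}


def index_procedures(plan: list) -> Dict[str, dict]:
    """Return {id: record} for every procedure record, rejecting duplicate ids."""
    by_id: Dict[str, dict] = {}
    for entry in plan:
        if "id" not in entry:
            continue  # plan metadata header, not a procedure
        if entry["id"] in by_id:
            raise ValueError(f"duplicate procedure id {entry['id']}")
        by_id[entry["id"]] = entry
    return by_id


def resolve_scenario2(plan: list, mapping: Dict[int, List[str]] = SCENARIO2_MAP
                      ) -> Dict[int, List[Tuple[str, str, str]]]:
    """Return {scenario2_step: [(procedure_step, id, name), ...]} in the table's order.

    Raises KeyError for any id the mapping cites that is absent from the plan, which is the
    drift this check exists to catch.
    """
    by_id = index_procedures(plan)
    resolved: Dict[int, List[Tuple[str, str, str]]] = {}
    for step, ids in mapping.items():
        rows = []
        for pid in ids:
            rec = by_id.get(pid)
            if rec is None:
                raise KeyError(f"Scenario 2 step {step}: procedure id {pid} not found in plan")
            rows.append((rec["procedure_step"], pid, rec.get("name", "")))
        resolved[step] = rows
    return resolved


def _step_key(step: str) -> Tuple[str, ...]:
    """Sort key so '4.A' < '10.A' and '5.A.1' < '5.A.2' (numeric parts zero-padded)."""
    return tuple(p.zfill(3) if p.isdigit() else p for p in step.split("."))


def unmapped_procedures(plan: list, mapping: Dict[int, List[str]] = SCENARIO2_MAP) -> List[str]:
    """procedure_step values present in the plan that no Scenario 2 step references."""
    mapped = {pid for ids in mapping.values() for pid in ids}
    steps = [e["procedure_step"] for e in plan if "id" in e and e["id"] not in mapped]
    return sorted(steps, key=_step_key)


def load_plan(path: str) -> list:
    """Load the real YAML with PyYAML (imported lazily so the lookup logic has no dependency)."""
    import yaml  # assumed available in the operator's environment; not needed for the sample
    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh)


if __name__ == "__main__":
    for step, rows in resolve_scenario2(SAMPLE_PLAN).items():
        print(f"Scenario 2 step {step}: {[r[0] for r in rows] or 'N/A'}")
    print("procedures not used by Scenario 2:", unmapped_procedures(SAMPLE_PLAN))
```

To check the real file, replace `SAMPLE_PLAN` with `load_plan("Fin7.yaml")`; if the loader returns a dictionary rather than a list in a future revision of the format, adapt `index_procedures` to iterate its procedure list. A `KeyError` from `resolve_scenario2` means the table above cites an id the YAML no longer carries, and the `unmapped_procedures` output should stay limited to steps such as 4.A and 9.A that Scenario 2 genuinely omits.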