Home
Adversary emulation is a specific style of offensive assessment that uses cyber threat intelligence to describe behaviors observed in specific campaigns or malware samples. Using real-world adversaries, the Center for Threat-Informed Defense (Center) maintains this library of adversary emulation plans and maps them to MITRE ATT&CK techniques. The goals of these emulation plans are to enable organizations to evaluate their defensive capabilities and to provide red teams a template for emulating adversaries.
Emulation plans provide a step-by-step execution of the adversary's actions, based on open-source intelligence reporting and mapped to MITRE ATT&CK techniques. Source code and commands are provided to execute the plan. The library contains two types of adversary emulation plans:
- Full emulation 🥧 - starts with initial access and builds on each previous step until the adversary's objectives are accomplished
- Micro emulation 🍰 - a focused approach to emulating compound behaviors seen across multiple adversaries
For more information, we have blogs! ✍️
📓 Adversary Emulation Library 📔 Micro Emulation Plans
Coming Soon!
A guide to submitting open-source intelligence contributions, bug requests, feature requests, and new emulation plans (or suggestions).
Coming Soon!
We 💖 feedback! Let us know how using the Adversary Emulation Library has helped you and any snags that you encountered along the way.
📧 Email: ctid@mitre-engenuity.org
🐦 Twitter: https://twitter.com/MITREengenuity
🔗 LinkedIn: https://www.linkedin.com/company/mitre-engenuity/
You can also open issues on this repo and reach out to the maintainers 👩‍💻.