Center releases menuPass Adversary Emulation Plan

Published in

MITRE-Engenuity

5 min readFeb 4, 2021

Written by Jon Baker and Shane Patterson.

We are excited to announce the publication of the Center for Threat-Informed Defense’s (Center) menuPass adversary emulation plan. In September 2020 we announced the establishment of a public library of adversary emulation plans designed to enable red teams and cyber defenders to systematically test their defenses based on real-world adversary Tactics, Techniques, and Procedures (TTPs). We recently migrated the ATT&CK Evaluations APT29 emulation plan to the library to further standardize all of our relevant emulation plans. Today, we added our third emulation plan to the library, and we are sharing a plugin for importing these plans into CALDERA.

This new emulation plan was developed in collaboration with Fujitsu, Siemens, and one additional Center Research Participant. We worked with these participants to select menuPass as the next addition to the Adversary Emulation Plan Library because open-source intel suggests a diversity of TTPs and unique objectives that are not otherwise represented in our library.

Intelligence Summary

Each adversary emulation plan includes a curated summary of available cyber threat intelligence, that includes an overview of the actor (describing who they target, how, and why their activities were possible) as well as the scope of their activity (i.e. breadth of techniques and tools used). The menuPass Intelligence Summary outlines 32 publicly available sources to describe menuPass, their motivations, objectives, and observed target industries.

menuPass is thought to be motivated by collection objectives that align with Chinese national interests. The group is thought to have operated against targets in at least 12 countries but is reported to have most aggressively targeted Managed Service Providers (MSP) and Japanese institutions. menuPass leveraged its unauthorized access to MSP networks to pivot into subscriber networks and pilfer information from organizations in banking and finance, telecommunications, healthcare, manufacturing, consulting, biotechnology, automotive, and energy.

The Intel Summary further describes the typical menuPass operation along with their publicly attributed TTPs and their most often used software, mapped to MITRE ATT&CK®. Finally, the Intelligence Summary provides ATT&CK Navigator layers, separately illustrating menuPass interactive TTPs (seen below) from the TTPs associated with each of their software tools.

Operations Flow

The menuPass Operations Flow chains techniques together into a logical flow of the major steps that commonly occur across menuPass operations. In the case of menuPass, we describe their operations in two major scenarios:

Scenario 1: MSP Subscriber Networks

This scenario is designed to emulate activity attributed to menuPass that is specific to the group’s efforts targeting MSP subscriber networks. This activity was initiated by trusted relationship abuse and leveraged an operational toolkit to accomplish tactical objectives in support of the operational goal of intellectual property theft. The intent of this scenario is to assess your organization’s ability to protect, detect, and defend against execution, tool ingress, discovery, credential access, lateral movement, persistence, collection, and exfiltration.

Scenario 2: IP Theft

This scenario is designed to emulate activity attributed to menuPass that uses a command-and-control framework in support of the operational goal of intellectual property theft. This scenario is intended to assess your organization’s ability to protect, detect, and defend against execution, discovery, privilege escalation, credential access, lateral movement, exfiltration, C2, and persistence using a command-and-control framework.

Emulation Plan

The menuPass Emulation Plan is organized into two scenarios that are aligned with the Operation Flow. Scenario 1 is designed to be representative of publicly reported menuPass efforts targeting MSP subscriber networks. The scenario describes the techniques reported to have been used by menuPass to achieve initial access but ultimately leaves initial access to the interpretation of the individual analyst. It then walks the practitioner through tool ingress, discovery, credential harvesting, lateral movement, and exfiltration.

Scenario 2 is intended to be representative of menuPass activity that relied upon a command-and-control framework to establish C2, conduct discovery, escalate privileges, access credentials, conduct lateral movement, and deploy and persist sustained malware. These scenarios can be executed end-to-end, or individual behaviors can be tested from each scenario. Organizations can also choose to further customize the scenarios and/or behaviors within each emulation plan to better fit their specific environment, priorities, or to be shaped by additional intelligence.

The menuPass YAML file provides a machine-readable version of the overall plan that mirrors the human-readable plan. The intent behind providing this YAML file is to facilitate the programmatic use of the plan content, either with custom-developed tools or off-the-shelf breach and attack simulation (BAS) tools. In addition, the CALDERA team has authored a plugin that converts the YAML file to a CALDERA adversary, enabling users to more easily emulate the menuPass adversary. The plugin will be incorporated into the next CALDERA release and is available here.

Evolving Our Emulation Plan Structure

As we developed the second and third additions to the adversary emulation library, we evolved the basic structure of our plans, expanded our supporting documentation, and added new plan validation capabilities. Our structural changes bring clarity and consistency to the key concepts of each plan and are documented here. As we continue to expand the library, we anticipate further refinement to our structure and documentation.

Feedback

This plan and the library are licensed under the Apache 2.0 license to maximize the use and adaptation of the plan by the community. We welcome your feedback on the menuPass plan as issues on the library’s git repository.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.