Emulating Threat Activity from OilRig

  |  Source: 
MITRE Engenuity

Emulating Threat Activity from OilRig

The MITRE Engenuity team created an emulation plan focusing on the Iranian threat group, OilRig. While the emulation was conducted with managed service providers, the scenario used for the plan were based on intelligence gathered from OilRig's tactics, techniques, and procedures (TTPs). Intelligence is cited throughout the 10-step emulation plan, beginning at the initial compromise stage and ending with data collection and exfiltration. An overview of the plan detailed by MITRE Engenuity, "This round focused on OilRig’s use of custom web shells and evasion techniques. The adversary has shown sophistication in campaigns through their organized resource development, unique data exfiltration methods, and use of customized toolsets to persistently access servers. While OilRig may leverage more common techniques compared to other threat actors, the group’s distinctive characteristics are rooted in their PowerShell-based operations and diverse arsenal of backdoors." The operational flow stayed consistent across each vendor however, for realism, MITRE Engenuity executed their activity around different time intervals and mixed in benign activity. Results shared from vendors all provided valuable insight into the activity executed by MITRE as well as the view from the vendor's console. The emulation plan is an excellent reference for security defenders to create threat detection analytics and execute an OilRig-style cyberattack.

Get trending threats published weekly by the Anvilogic team.

Sign Up Now