APT29 Evaluation: Operational Flow
The Operational Flow separated technique execution into sequences we referred to as "Steps". Organizing our execution into Steps ensured that each detection displayed was correctly associated with the technique being tested. Each Step corresponded to an adversary's intended goal during an operation. We performed 20 Steps in total across two scenarios: 10 Steps corresponded to our first scenario (which used Pupy, Meterpreter, and custom tooling), and 10 Steps corresponded to our second scenario (which used PoshC2 and custom tooling). We further divided each Step into Sub-Steps, denoted by letters (e.g. 1A, 1B). Those Steps and their corresponding techniques are outlined below.

First Scenario

The content to execute this scenario was tested and developed using Pupy, Meterpreter, and other custom/modified scripts and payloads. Pupy and Meterpreter were chosen based on their available functionality and their similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors. More information, including the required resources, setup instructions, and step-by-step instructions on how to execute the Day 1 scenario, is available at ATT&CK Arsenal.

Second Scenario

The content to execute this scenario was tested and developed using PoshC2 and other custom/modified scripts and payloads. PoshC2 was chosen based on its available functionality and its similarities to the adversary's malware within the context of this scenario, but alternative red team tooling could be used to accurately execute these and other APT29 behaviors. More information, including the required resources, setup instructions, and step-by-step instructions on how to execute the Day 2 scenario, is available at ATT&CK Arsenal.