Sherlocked Security – Adversary Simulation (MITRE ATT&CK)
Simulate Real-World Adversaries Based on MITRE ATT&CK for Threat Readiness Validation
1. Statement of Work (SOW)
Service Name: Adversary Simulation (MITRE ATT&CK)
Client Type: Enterprise, SOC Teams, Critical Infrastructure, FinTech, MSSPs
Service Model: Manual + Framework-Mapped Attack Simulation
Compliance Coverage: MITRE ATT&CK, NIST 800-53, ISO 27001, CIS Controls, SOC 2
Simulation Types:
- Full Kill Chain Simulation
- Specific TTP Simulation (Tactic/Technique Focused)
- Industry-Specific Threat Emulation
- ATT&CK Mapping and Heatmap Analysis
2. Our Approach
[Threat Actor Selection] → [TTP Mapping] → [Infrastructure Setup] → [Payload Crafting] → [Kill Chain Simulation] → [Detection/Response Observation] → [Gap Analysis & Mapping] → [Report & Retesting]
3. Methodology
[Kickoff & Threat Model Alignment] → [Adversary Emulation Plan (AEP)] → [Attack Execution Across Tactics] → [Real-Time Monitoring with Client SOC] → [Detection Gap Documentation] → [Post-Engagement Debrief]
4. Deliverables to the Client
- Adversary Emulation Plan (AEP)
- Mapping to MITRE ATT&CK Tactics & Techniques
- Statement of Work (SOW)
- Detection Coverage Heatmap (Before/After)
- Simulation Timeline with Execution Traces
- Detection & Response Gaps Report
- Executive Summary + Technical Findings
- Remediation Plan (Rules, Playbooks, Config Fixes)
- Retesting & Final Threat Readiness Report
5. What We Need from You (Client Requirements)
- Threat model inputs (industry, geography, adversary focus)
- Internal EDR/SIEM architecture overview
- List of deployed security controls
- Access approval for test environments or select production segments
- Point of contact for SOC collaboration
- IP/agent allowlists for simulation infrastructure
- Downtime or containment policy limitations
6. Tools & Technology Stack
- Cobalt Strike / Brute Ratel / Sliver
- Caldera / Atomic Red Team / SCYTHE
- MITRE ATT&CK Navigator
- Sigma Rules + Detection Engineering Tools
- ELK/Splunk/Defender/SentinelOne Integration
- EDR Telemetry Collectors
- Custom Tools / Scripts
7. Engagement Lifecycle
1. Discovery Call → 2. Scope & Adversary Alignment → 3. AEP + SOW + NDA → 4. Simulation Infra Setup → 5. Execution Phase (1–2 weeks) → 6. Draft Report & SOC Workshop → 7. Final Report + Fix Guidance → 8. Retesting & Readiness Certification
8. Why Sherlocked Security?
| Feature | Sherlocked Advantage |
|---|---|
| ATT&CK-Centric Testing | Entire simulation mapped to MITRE TTPs |
| Real-World Adversary Profiles | Emulate APTs, ransomware gangs, and nation-state TTPs |
| Collaborative SOC Engagement | Live mapping of detections and blind spots |
| Framework-Driven Reporting | Executive & technical results aligned to ATT&CK |
| Red/Blue Gap Closure | Rules/playbooks delivered with findings |
| Retesting Included | 1 round free, additional at low cost |
9. Real-World Case Studies
APT29 Simulation for Government Infrastructure
Objective: Emulate advanced persistent threat behavior targeting internal networks.
Outcome: Discovered critical gaps in lateral movement detection.
Fix: Delivered custom Sigma rules and EDR logic; improved SOC time-to-detect by 57%.
Ransomware Threat Simulation for FinTech
Client: Large B2B payments provider
Scenario: Simulated Ryuk-like ransomware TTPs
Findings: SOC failed to detect ransomware staging in memory.
Result: EDR config updated, memory protection enabled, backups segmented.
10. SOP – Standard Operating Procedure
- Kickoff call and threat selection
- Define test boundaries and access approvals
- Create Adversary Emulation Plan (AEP)
- Set up C2 infrastructure and payloads
- Execute kill chain (Initial Access to Impact)
- Monitor SOC detection and alerting
- Identify blind spots and response gaps
- Draft report delivery + SOC debrief
- Final report and retesting
- Threat Readiness Certificate
11. Adversary Simulation Checklist
1. Threat Planning
- Identify top threat actors by industry
- Map real-world TTPs to MITRE ATT&CK
- Build Adversary Emulation Plan (AEP)
- Select initial access vectors and target scope
- Confirm assumptions with client’s threat model
2. Initial Access
- Phishing with malware attachment (T1566.001)
- Fake login portal for credential capture (T1566.002)
- Compromised third-party credentials
- Exploit vulnerable internet-facing service (T1190)
- Supply-chain vector test (optional)
3. Execution
- PowerShell and macro-based payloads
- Dropped malware with LOLBins execution
- HTA files, WMI execution
- C2 beacon injection (in-memory)
4. Persistence
- Scheduled task or service creation
- Registry Run keys
- User-level persistence (Startup folder)
- Remote access tool persistence simulation
5. Privilege Escalation
- Exploit known Windows escalation vectors
- Token theft (Impersonate, DuplicateToken)
- Kerberoasting simulation
- UAC bypass attempt
6. Defense Evasion
- Obfuscation and encoding of payloads
- EDR evasion via process hollowing
- Clear event logs post-activity
- Use of signed binaries for execution (msbuild, rundll32)
7. Credential Access
- Credential dump from LSASS
- NTLM hash extraction
- Steal browser-stored passwords
- Cloud credential theft (if applicable)
8. Lateral Movement
- Pass-the-Hash, Pass-the-Ticket
- Admin shares and PsExec
- WinRM-based pivot
- SSH key-based movement (Linux/macOS infra)
9. C2 & Exfiltration
- HTTP(S), DNS tunneling
- Use of legit cloud services (Dropbox, Slack)
- Simulated data staging and exfil
- Beacon jitter, callback validation
10. Detection Mapping
- Confirm SOC visibility into each TTP
- SIEM alert review for each tactic
- EDR telemetry presence check
- Logging source gaps noted
- Map all activities to MITRE ATT&CK heatmap
11. Response Testing
- Track alert triage time
- Confirm escalation per playbook
- Validate response (containment, isolation)
- Confirm incident ticket creation
- Post-engagement wash-up with SOC