{
	"id": "84bf27dc-c387-444a-a9e9-41730d6b0ab1",
	"created_at": "2026-04-06T00:08:18.872284Z",
	"updated_at": "2026-04-10T03:24:30.21223Z",
	"deleted_at": null,
	"sha1_hash": "371d3812254e338817802dde4756029a1767d694",
	"title": "More on APTSim",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36287,
	"plain_text": "More on APTSim\r\nBy Ar-themes\r\nArchived: 2026-04-05 17:42:47 UTC\r\nToday I wanted to talk a bit more about APTSim. We all know by now that the bad guys always get in, especially determined, well-funded and well-equipped attackers. We know roughly how they are getting in, which is usually via a targeted phish, SQL injection, a malicious URL, etc.: things that are hard to defend against because they depend on a human element or on trust relationships between organizations.\r\nWhat we don't think about is the fact that our incident response and detection teams don't get exercised sufficiently (or ever), which makes them much less effective than they could be. We also don't think about modeling and understanding what real attack traffic looks like so we can tune our defenses against it. REAL traffic, not Nessus scans or Core Impact exploits.\r\nHow can we know that our people and systems are actually able to detect the types of attacks we really care about if we don't know what each attack looks like in every data source we have? Is there a Windows event log entry reflecting a change in service permissions? Can the timing pattern of the call-home beacon be seen in NetFlow? What does an exfil file hidden in the Recycle Bin under a user SID look like, and is it visible?\r\nIf you know all the malicious inputs to the system ahead of time, then you can determine which of your data sources show indicators that something has happened, rather than waiting until an attack happens, attempting to track it all back, and hoping for the best.\r\nThis subject is a bit more tricky, so let's approach it first with an example. Using HERMES, we analyzed some samples and activity from a group of APT actors that we call \"UPS\". The typical UPS attack performed the following activities (this information was compiled from IR activity and data shared by other victims):\r\nGenerate a beacon with a specific timing pattern that communicates over HTTP\r\nDrop the command-line, Chinese-language build of WinRAR on the target\r\nReplace the Sticky Keys binary with cmd.exe for persistence and access via RDP\r\nTurn on RDP if it's not already enabled\r\nIndex and archive all Office documents, compress and encrypt them with RAR and a specific password, and store them in the Recycle Bin\r\nEnable the support_388945a0 account and add it to the local Administrators group\r\nExfiltrate the data, encoded, over port 443 (but not SSL)\r\nSet up a service with insecure permissions for persistence / privilege escalation\r\nThat is a fairly comprehensive list of attacker activity, and each action generates specific network traffic, log entries, or files on the target. So what we do with APTSim is take all the above information and create a piece of pseudo-malware that takes the same actions, except in a safe and controlled manner, and includes cleanup components so it can be removed when the exercise is complete.\r\nCustomers have different preferences as to how we take the next step, but generally one of a few options is used:\r\nAR has VPN access to the customer network\r\nAR ships a special box which the customer plugs into their network\r\nAR conducts a physical penetration to launch the APTSim via a malicious USB key, custom-developed Teensy, or other hardware implanted in customer equipment\r\nAR generates a targeted phish mirroring the initial vector used by the original actors, whether that's a malicious attachment, a URL, etc.\r\nThe customer executes the APTSim model themselves\r\nThe APTSim model then connects back to our command & control center, takes all the same actions as the real attacker, exfiltrates data, and then the customer is notified of what activity took place. The notification is a short document that contains log entry examples, PCAP examples, times and dates, and ports used: in short, everything that is needed to detect the activity as well as track it back post event.\r\nIf the attack simulation is not detected, then AR will assist you in tuning your defenses, whether that means new rules for your Cisco ASAs, custom ClamAV or Snort signatures, specialized Splunk apps, etc.\r\nRather than a barely useful once-a-year event, this process is ongoing: monthly, or as new attacks are found and analyzed. When one of the organizations in your business sector is hit, within a very short period of time you know the crucial details of the attack, are tested to see if it could hit you as well, and finally are ready to defend before the attackers come for you. This is being proactive rather than reactive.\r\nFor more information hit up info [at] attackresearch.com.\r\nV.\r\nSource: http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html"
	],
	"report_names": [
		"more-on-aptsim.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434098,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/371d3812254e338817802dde4756029a1767d694.pdf",
		"text": "https://archive.orkl.eu/371d3812254e338817802dde4756029a1767d694.txt",
		"img": "https://archive.orkl.eu/371d3812254e338817802dde4756029a1767d694.jpg"
	}
}
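The archived post above asks whether three of the "UPS" actions would be visible in a defender's own data: the timed HTTP beacon in NetFlow, the support_388945a0 account being enabled and added to local Administrators in the Windows Security log, and RAR archives staged under a user SID folder in the Recycle Bin. The script below is an added example of the kind of detection logic that question calls for; it is not part of the original post and not Attack Research's APTSim code. All flow records, event records and file paths in it are constructed sample data, the SIEM-style field names (EventID, TargetUserName, MemberName) are an assumption rather than any product's schema, and the thresholds (six flows minimum, 10% timing jitter) are illustrative choices.

```python
"""Detection checks for three of the "UPS" indicators listed in the APTSim post:
a regularly timed HTTP beacon (NetFlow), the support_388945a0 account being enabled
and added to local Administrators (Windows Security log), and RAR archives staged
in a Recycle Bin SID folder (file listing).

Added example, not Attack Research's APTSim code. Every record below is constructed
sample data; field names mimic a generic SIEM export and are an assumption.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# --- 1. Beacon timing in NetFlow-style records ----------------------------------
# (epoch seconds, src, dst, dst_port, bytes). Host 10.0.0.15 calls 203.0.113.7:80
# every 300 s with a few seconds of jitter; the other flows are ordinary browsing.
FLOWS = [(1_700_000_000 + 300 * i + j, "10.0.0.15", "203.0.113.7", 80, 412)
         for i, j in enumerate([0, 2, -1, 3, 0, -2, 1, 2])]
FLOWS += [(1_700_000_000 + t, "10.0.0.22", "198.51.100.9", 443, b)
          for t, b in [(5, 9100), (9, 1200), (400, 30000), (1300, 880), (1310, 512), (2900, 770)]]


def beacon_candidates(flows, min_flows=6, max_cv=0.10):
    """Group flows by (src, dst, dport) and flag groups whose inter-arrival gaps are
    near-constant: coefficient of variation (stdev / mean) at or below max_cv."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_pair[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_flows:
            continue                      # too few samples to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "period_s": round(mu), "cv": round(cv, 3), "flows": len(times)})
    return hits


# --- 2. Account enable / local admin group add in Windows Security events ------
# EventID 4722 = user account enabled, 4732 = member added to a security-enabled
# local group (Windows Security log IDs; the field names are a SIEM-export assumption).
EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 2},
    {"EventID": 4722, "TargetUserName": "support_388945a0", "SubjectUserName": "SYSTEM"},
    {"EventID": 4732, "TargetUserName": "Administrators",
     "MemberName": "WS01\\support_388945a0", "SubjectUserName": "SYSTEM"},
    {"EventID": 4732, "TargetUserName": "Remote Desktop Users",
     "MemberName": "WS01\\bob", "SubjectUserName": "helpdesk"},
]


def suspicious_account_events(events, watched=("support_388945a0",),
                              admin_groups=("Administrators",)):
    """Return (reason, event) pairs for a watched account being enabled and for any
    member being added to a local admin group."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4722 and ev.get("TargetUserName", "").lower() in watched:
            findings.append(("watched account enabled", ev))
        elif eid == 4732 and ev.get("TargetUserName") in admin_groups:
            findings.append(("member added to local admin group", ev))
    return findings


# --- 3. RAR archives staged under a SID folder in the Recycle Bin --------------
# Matches <drive>:\$Recycle.Bin\S-1-5-21-...\<name>.rar, i.e. an archive dropped
# directly into a user's Recycle Bin folder (the staging location described for UPS).
RECYCLE_RAR = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-21(?:-\d+)+\\[^\\]+\.rar$",
                         re.IGNORECASE)

FILE_LISTING = [                      # constructed listing; the SID is made up
    r"C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\$RX1A2B.docx",
    r"C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\ntuser.rar",
    r"C:\Users\alice\Documents\report.rar",
]


def staged_archives(paths):
    """Return paths that look like RAR archives inside a Recycle Bin SID folder."""
    return [p for p in paths if RECYCLE_RAR.match(p)]


if __name__ == "__main__":
    for h in beacon_candidates(FLOWS):
        print("beacon:", h)
    for why, ev in suspicious_account_events(EVENTS):
        print("event:", why, ev)
    for p in staged_archives(FILE_LISTING):
        print("staged archive:", p)
```

Each check answers one of the post's questions on the sample data: the 10.0.0.15 flows come out with a period of about 300 seconds and a jitter ratio near 0.01 while the browsing flows do not, the 4722/4732 pair for support_388945a0 is reported, and only the .rar directly under the SID folder is flagged. In a real exercise the same functions would be pointed at the customer's exported NetFlow, Security log and file inventory rather than at the constructed lists, and the thresholds tuned to the beacon interval the simulation actually uses.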