{
	"id": "fa004d4c-455d-4070-af04-4debb68e666c",
	"created_at": "2026-04-06T00:08:53.340816Z",
	"updated_at": "2026-04-10T03:37:36.703116Z",
	"deleted_at": null,
	"sha1_hash": "492f1962af225036cd6c910f1d5c5423b9ef10b3",
	"title": "Introducing the Adversary Playbook: First up, OilRig",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 250746,
	"plain_text": "Introducing the Adversary Playbook: First up, OilRig\r\nBy Ryan Olson\r\nPublished: 2017-12-15 · Archived: 2026-04-05 16:01:58 UTC\r\nOver the past few years, we’ve been tossing around the idea of an “Adversary Playbook.” The idea is rather\r\nstraightforward: just as we create offensive and defensive playbooks for sports, our adversaries also have\r\noffensive playbooks that they execute to compromise organizations. They may not write them down, but they\r\nexist. This year at Palo Alto Networks’ Ignite conference I spoke about how defenders could create a copy of an\r\nadversary’s playbook through observation and data sharing, and then use that playbook to better defend their\r\nnetwork with defensive playbooks.\r\nUnit 42 has been working to refine the concept of the Adversary Playbook over the last few months. In this blog, I\r\nwill explain how we’ve structured the content and will release the Playbook for the OilRig intrusion set.\r\nWhat is a Playbook?\r\nThe goal of the Playbook is to organize the tools, techniques, and procedures that an adversary uses into a\r\nstructured format, which can be shared with others, and built upon. To achieve this goal, we didn’t want to\r\ndevelop a proprietary structure that would be exclusive to Palo Alto Networks. Instead, we identified two\r\nframeworks that would enable us to not only structure our data, but also enable us to share it with others.\r\nFramework | Description\r\nSTIX 2.0 | Structured Threat Information Expression (STIX™) is a language and serialization format used\r\nto exchange cyber threat intelligence (CTI).\r\nATT\u0026CK | MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK™) is a curated\r\nknowledge base and model for cyber adversary behavior, reflecting the various phases of an\r\nadversary’s lifecycle and the platforms they are known to target. 
ATT\u0026CK is useful for\r\nunderstanding security risk against known adversary behavior, for planning security\r\nimprovements, and verifying defenses work as expected.\r\nSTIX 2.0 is the latest iteration of the STIX format. It has been re-designed to simplify the creation of documents\r\nand uses JSON rather than XML. STIX 2.0 provides a list of objects to represent types of information typically\r\ngenerated for cyber threat intelligence (CTI). For instance, STIX includes objects for intrusion sets, malware, and\r\nindicators, among others. STIX standardizes the information and attributes stored within objects based on the\r\nobject type, as well as the relationships available between the various object types. The standardized objects and\r\ntheir relationships between each other allow this intelligence to be sharable and easily consumable without\r\nhaving to write complicated parsing tools.\r\nMITRE’s ATT\u0026CK framework provides names, descriptions, and links to examples of the high-level tactics\r\nadversaries use during an operation, as well as the techniques the adversary uses to achieve them. For example,\r\nthe ATT\u0026CK framework has a tactic called ‘Launch’ that refers to an adversary attempting to penetrate a network.\r\nOne technique associated with this tactic is called “Spear phishing messages with malicious attachments”, which\r\nhttps://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/\r\nPage 1 of 4\n\ndescribes how the adversary would launch an attack on the network. 
This provides common definitions and\r\nunderstandings of how a specific goal is accomplished by attackers.\r\nTo meld these frameworks together, we looked at how Mitre mapped their ATT\u0026CK data to STIX 2.0 and then\r\nchose appropriate objects for additional Playbook components.\r\nSTIX 2.0 Object | Playbook Component\r\nIntrusion Set | Adversary\r\nReport | Playbook\r\nReport | Play\r\nCampaign | Campaign\r\nKill-Chain-Phase | ATT\u0026CK Tactic\r\nAttack-Pattern | ATT\u0026CK Technique\r\nIndicator | Indicator\r\nMalware | Adversary Malware\r\nTool | Adversary Tool\r\nAdversary STIX 2.0 to Playbook Object Mapping\r\nWith these mappings defined, we began mapping the activities of a particular adversary into the ATT\u0026CK\r\nframework and storing the data and indicators in STIX JSON. The first adversary we chose to target is OilRig, a\r\ngroup that we’ve published multiple reports on in the last 18 months.\r\nOverview of OilRig\r\nOilRig is a threat group operating primarily in the Middle East by targeting organizations in this region that are in\r\na variety of different industries; however, this group has occasionally targeted organizations outside of the Middle\r\nEast as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust\r\nrelationship between organizations to attack their primary targets.\r\nOilRig is an active and organized threat group, which is evident based on their systematic targeting of specific\r\norganizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily\r\nrely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this\r\ngroup has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software\r\nvulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in\r\nother aspects of their operations. 
Examples of this maturity include:\r\nOrganized evasion testing used during the development of their tools.\r\nUse of custom DNS tunneling protocols for command and control (C2) and data exfiltration.\r\nCustom web shells and backdoors used to persistently access servers.\r\nOilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use\r\ncredential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system.\r\nThe group uses these credentials to access and to move laterally to other systems on the network. After obtaining\r\ncredentials from a system, operators in this group prefer to use tools other than their backdoors to access the\r\ncompromised systems, such as remote desktop and PuTTY. OilRig also uses phishing sites to harvest credentials of\r\nindividuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.\r\nPrevious reports on OilRig\r\nOilRig Performs Tests on the TwoFace Webshell\r\nOilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan\r\nOilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan\r\nStriking Oil: A Closer Look at Adversary Infrastructure\r\nOilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group\r\nOilRig Actors Provide a Glimpse into Development and Testing Efforts\r\nOilRig Malware Campaign Updates Toolset and Expands Targets\r\nThe OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor\r\nThe OilRig Playbook and Viewer\r\nThe OilRig Playbook is available here. It contains data on three campaigns conducted by OilRig spanning from\r\nMay of 2016 to September of 2017. 
This includes 123 indicators that map to 19 different ATT\u0026CK Techniques.\r\nThis isn’t everything we’ve learned about OilRig, but it’s a starting point that we want to share with other\r\nmembers of the threat intelligence community.\r\nIn an ideal world, readers would download the JSON file and load it into their threat intelligence system.\r\nUnfortunately, there are few tools which can handle STIX 2 content at the moment, and none that would display\r\nthe entire Playbook at once. To help remedy this, we’re also releasing a simple tool to view the Playbook through\r\na web interface. A screenshot of the viewer is below, and you can access the live version of it here: https://pan-unit42.github.io/playbook_viewer/\r\nOilRig Playbook Viewed through Playbook Viewer\r\nTo start using the viewer, click on a Playbook in the left column. This reads the Playbook STIX JSON out of our\r\nGitHub repository and parses out the dated campaigns. You can then view specific campaigns by clicking on their\r\ndate ranges, which will populate the attack life cycle phases in the bottom section.\r\nIf you click on a specific technique, the viewer displays a dialog (below) that includes a link to the relevant\r\nATT\u0026CK description as well as the STIX indicator patterns that indicate that technique. It’s important to note that\r\nnot every STIX indicator in the Playbook is indicative of malicious activity but simply that the behavior is present.\r\nIndicators of an ATT\u0026CK Technique in the Playbook Viewer\r\nFinal Thoughts\r\nWe believe that publishing Playbooks in this format will enable others to better evaluate how they can defend\r\nagainst a specific adversary. 
This is a living project, and we\r\nintend to publish Playbooks for many of the adversaries we are currently tracking over the course of 2018, so\r\nplease keep an eye out for updates through our blog.\r\nIf you have feedback on the Adversary Playbook, please leave a comment on this blog.\r\nThanks to the following organizations and individuals for their efforts to enable this project:\r\nRobert Falcone and Bryan Lee (Unit 42) for pulling together the details on OilRig and working on the\r\nPlaybook Viewer\r\nMitre for releasing ATT\u0026CK and expanding its scope.\r\nThe OASIS CTI Committee for all of their work to make STIX 2.0\r\nThe members of the Cyber Threat Alliance for building a community of security vendors who share\r\nintelligence through automated means.\r\nSource: https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/"
	],
	"report_names": [
		"unit42-introducing-the-adversary-playbook-first-up-oilrig"
	],
	"threat_actors": [
		{
			"id": "e58deb93-aff1-4be5-8deb-37fe8af0b7ed",
			"created_at": "2022-10-25T16:07:23.918534Z",
			"updated_at": "2026-04-10T02:00:04.789509Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [
				"Greenbug",
				"Volatile Kitten"
			],
			"source_name": "ETDA:Greenbug",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "25896473-161f-411f-b76a-f11bb26c96bd",
			"created_at": "2023-01-06T13:46:38.75749Z",
			"updated_at": "2026-04-10T02:00:03.090307Z",
			"deleted_at": null,
			"main_name": "CHRYSENE",
			"aliases": [
				"Greenbug"
			],
			"source_name": "MISPGALAXY:CHRYSENE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6bba8e81-73af-4010-86dc-d43c408ca342",
			"created_at": "2023-01-06T13:46:38.553459Z",
			"updated_at": "2026-04-10T02:00:03.021597Z",
			"deleted_at": null,
			"main_name": "Greenbug",
			"aliases": [],
			"source_name": "MISPGALAXY:Greenbug",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434133,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/492f1962af225036cd6c910f1d5c5423b9ef10b3.pdf",
		"text": "https://archive.orkl.eu/492f1962af225036cd6c910f1d5c5423b9ef10b3.txt",
		"img": "https://archive.orkl.eu/492f1962af225036cd6c910f1d5c5423b9ef10b3.jpg"
	}
}