

APT3 Operational Flow


The Operational Flow separated technique execution into sequences we referred to as “Steps”. Organizing our execution into Steps ensured that the detection displayed was correctly associated with the technique that was being tested. Each Step corresponded to an adversary’s intended goal during an operation. We performed 20 Steps in total across two scenarios: 10 Steps corresponded to our first scenario (which used Cobalt Strike), and 10 Steps corresponded to our second scenario (which used Empire). We further divided each Step into Sub-Steps that are denoted by letters (e.g. 1A, 1B, etc.). Those Steps, Sub-Steps, and the corresponding techniques are outlined below.

Please note that Sub-Step numbers and names have been updated to reflect changes to ATT&CK and updates to the result data structure. No result data was altered in these changes.


First Scenario

We used Cobalt Strike, a commercially available red team tool, to execute our emulation for the first scenario.


Second Scenario

We used Empire, an open-source red team tool, to execute our emulation for the second scenario.