This project simulates Phase 1 - "Carbon" of the MITRE Turla adversary emulation scenario released in 2023. It replicates a multi-phase cyber espionage campaign conducted by the Turla threat group, targeting high-value government and defense-related entities.
In this phase, the Turla group:
- Initial Access: Gains entry via a spearphishing email delivering a fake software installer.
- Execution: Installs the EPIC backdoor onto the victim machine.
- Persistence & C2: Establishes persistence and command-and-control (C2) channels.
- Discovery: Identifies and accesses the Domain Controller.
- Lateral Movement: Deploys CARBON-DLL into the Windows environment.
- Linux Compromise: Moves laterally to a Linux Apache web server and installs PENGUIN to create a watering hole.
This section outlines the key phases of the Turla Carbon attack:
- Initial Access: Spearphishing email installs EPIC backdoor.
- Execution: EPIC backdoor establishes C2 communication.
- Privilege Escalation: Misconfigurations allow privilege escalation.
- Lateral Movement: Attacker moves across Windows hosts and the domain controller.
- Credential Access: Mimikatz dumps credentials, followed by keylogging.
- Linux Compromise: Penquin malware is deployed on Apache server.
- Watering Hole: Malicious web page created for later exploitation.
For a detailed attack sequence, refer to the full Carbon Detections Scenario.
The emulation uses the MITRE ATT&CK Evaluations range configuration, requiring specific Windows and Linux operating systems. Provisioning is automated using Ansible.
- Login to the host: `support-dns-srv1`
- Clone the repo:

  ```
  git clone https://github.com/scottbrumley/mitre-turla-config.git
  cd mitre-turla-config
  ```

- Initialize Ansible:

  ```
  ./init.sh
  ```

- Run main lab configuration:

  ```
  ansible-playbook -i inventory runall.yml --ask-pass -u adminuser
  ```

- Update the repo:

  ```
  git pull origin main
  ```

- Ping all hosts:

  ```
  ansible-playbook -i inventory pingall.yml --ask-pass -u lab-user
  ```

- Restart redirectors:

  ```
  ansible-playbook -i inventory redirectors.yml --ask-pass -u lab-user --ask-become-pass
  ```

- Disable Windows Defender:

  ```
  ansible-playbook -i inventory disable_defender.yml --ask-pass -u lab-user --ask-become-pass
  ```

- Create the Vault:

  ```
  ansible-playbook create_secrets.yml
  ```

- Edit the Vault:

  ```
  ansible-playbook edit_secrets.yml
  ```

- Vault content format:

  ```
  xsiamKEY: <XSIAM API Key>
  xsiamID: <XSIAM API ID>
  xsiamURL: <XSIAM API URL>
  xsiamWINDIST: <Windows Installer Distribution ID>
  xsiamWINPACKTYPE: <Package Type (i.e. x64)>
  xsiamLINDIST: <Linux Installer Distribution ID>
  xsiamLINPACKTYPE: <Package Type (i.e. sh)>
  falconCID: <CrowdStrike Falcon Customer ID>
  ```
- XSIAM API URL: Settings → Integrations → API Keys → Copy API URL
- API Key & ID:
  - Create key with Standard Security Level
  - Role: Instance Administrator or Account Admin
  - Copy generated key and ID
- Installer Distribution IDs: Endpoints → Agent Instructions → ⋮ → Show ID → Copy Windows and Linux IDs
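Before running `xdr_agent_install.yml`, it is worth confirming the Vault actually contains every key in the format above. The pre-flight check below is an added example, not part of this repository: it parses the decrypted Vault text (the flat `key: value` layout shown above, e.g. piped from `ansible-vault view`) and reports required keys that are missing or still hold the `<placeholder>` text. The `https://` requirement on `xsiamURL` and the sample Vault are assumptions.

```python
"""Pre-flight check for the Ansible Vault secrets used by xdr_agent_install.yml.

Added example, not project code. Reads DECRYPTED vault text and lists keys
that are missing or still hold the README's <placeholder> value, so a
half-filled vault fails here instead of halfway through the playbook.
"""
import re
import sys

# Keys the README's "Vault content format" section requires, in README order.
REQUIRED_KEYS = (
    "xsiamKEY", "xsiamID", "xsiamURL",
    "xsiamWINDIST", "xsiamWINPACKTYPE",
    "xsiamLINDIST", "xsiamLINPACKTYPE",
    "falconCID",
)
PLACEHOLDER = re.compile(r"^<.*>$")  # value left as "<...>" from the template

# Constructed sample: two entries deliberately wrong (placeholder + missing key).
SAMPLE_VAULT = """\
# constructed sample vault, not real credentials
xsiamKEY: 0123456789abcdef
xsiamID: 42
xsiamURL: https://api-example.xdr.example.com
xsiamWINDIST: win-dist-0001
xsiamWINPACKTYPE: x64
xsiamLINDIST: <Linux Installer Distribution ID>
xsiamLINPACKTYPE: sh
"""


def parse_vault_text(text):
    """Parse flat 'key: value' lines into a dict; skips blanks and '#' comments,
    splits on the first ':' only (so URLs keep their scheme) and strips quotes."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            secrets[key.strip()] = value.strip().strip("'\"")
    return secrets


def check_vault(text):
    """Return a list of problems in REQUIRED_KEYS order; empty means usable."""
    secrets = parse_vault_text(text)
    problems = []
    for key in REQUIRED_KEYS:
        value = secrets.get(key, "")
        if not value:
            problems.append(f"{key}: missing")
        elif PLACEHOLDER.match(value):
            problems.append(f"{key}: placeholder not replaced")
    url = secrets.get("xsiamURL", "")
    if url and not PLACEHOLDER.match(url) and not url.startswith("https://"):
        problems.append("xsiamURL: must be an https:// URL")  # assumed rule
    return problems


if __name__ == "__main__":
    # Usage: ansible-vault view <vault file> | python check_vault.py
    found = check_vault(sys.stdin.read())
    print("\n".join(found) if found else "vault OK")
    sys.exit(1 if found else 0)
```

The `<vault file>` name is whatever `create_secrets.yml` produced in your checkout; the script exits non-zero on any problem so it can gate the install step.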
- Install the Cortex XDR agents:

  ```
  ansible-playbook -i inventory xdr_agent_install.yml --ask-pass -u lab-user --ask-become-pass --ask-vault-pass
  ```

- Navigate to: Endpoints → All Endpoints
  - Servers: bannik, brieftragerin, kagarov
  - Workstations: domovoy, khabibulin, hobgoblin
| Script | Description |
|---|---|
| runall.yml | Full environment setup including users, Exchange servers, hostnames, etc. |
| pingall.yml | Pings all inventory hosts to check if they're online |
| redirectors.yml | Restarts HTTP redirectors |
| disable_defender.yml | Disables Windows Defender (irreversible without manual steps) |
| xdr_agent_install.yml | Installs Cortex XDR agents using XSIAM API and Ansible Vault |
| create_secrets.yml | Creates the encrypted Ansible Vault secrets file |
| edit_secrets.yml | Opens existing Vault for editing |
```
mitre-turla-config/
├── README.md
├── init.sh
├── runall.yml
├── inventory/
├── pingall.yml
├── redirectors.yml
├── disable_defender.yml
├── xdr_agent_install.yml
├── create_secrets.yml
├── edit_secrets.yml
├── scripts/
└── docs/
```
Disclaimer: This project is for research and educational purposes only. Do not run outside of a secure, isolated lab environment.