Mordor – Re-play Adversarial Techniques

The Mordor project provides pre-recorded security events generated by simulated adversarial techniques in the form of JavaScript Object Notation (JSON) files for easy consumption. The pre-recorded data is categorized by platforms, adversary groups, tactics and techniques defined by the MITRE ATT&CK framework.

The pre-recorded data represents not only specific known malicious events but also the additional context and events that occur around them. This is done on purpose so that you can test creative correlations across diverse data sources, enhancing your detection strategy and potentially reducing the number of false positives in your own environment.
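
As an added example (not code from the Mordor project), here is one cross-source correlation of the kind described above, run over constructed JSON-lines events. The field names, hostnames and values are assumptions modeled on Windows Security and Sysmon logs.

```python
import json

# Constructed sample events serialized as JSON lines. Field names and values are
# assumptions modeled on Windows Security and Sysmon logs, not taken from the page.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
_SAMPLE = [
    {"Channel": "Security", "EventID": 4624, "Hostname": "WS02", "LogonType": 2,
     "TargetUserName": "alice", "TargetLogonId": "0x1a2b"},
    {"Channel": SYSMON, "EventID": 1, "Hostname": "WS02", "LogonId": "0x1a2b",
     "Image": "C:\\Windows\\explorer.exe"},
    {"Channel": "Security", "EventID": 4624, "Hostname": "WS02", "LogonType": 3,
     "TargetUserName": "bob", "TargetLogonId": "0x3c4d", "IpAddress": "10.0.0.5"},
    {"Channel": "Security", "EventID": 4624, "Hostname": "WS02", "LogonType": 3,
     "TargetUserName": "svc_backup", "TargetLogonId": "0x5e6f", "IpAddress": "10.0.0.9"},
    {"Channel": SYSMON, "EventID": 1, "Hostname": "WS02", "LogonId": "0x5e6f",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in _SAMPLE) + "\n{truncated\n"

def load_events(text):
    """Parse JSON-lines text, skipping blank, malformed and non-object lines."""
    events = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            events.append(event)
    return events

def is_event(e, channel, event_id):  # EventID may be exported as int or str
    return e.get("Channel") == channel and str(e.get("EventID")) == str(event_id)

def correlate(events):
    """Join Security 4624 type-3 logons to Sysmon 1 process creations by logon session."""
    sessions = {(e.get("Hostname"), e["TargetLogonId"]): e for e in events
                if is_event(e, "Security", 4624) and str(e.get("LogonType")) == "3"
                and e.get("TargetLogonId")}
    hits = []
    for e in events:
        logon = sessions.get((e.get("Hostname"), e.get("LogonId")))
        if is_event(e, SYSMON, 1) and logon:
            hits.append({"host": e.get("Hostname"), "user": logon.get("TargetUserName"),
                         "source_ip": logon.get("IpAddress"), "image": e.get("Image")})
    return hits
```

Calling `correlate(load_events(SAMPLE_JSONL))` flags only the process started inside a network logon session; the interactive logon and the network logon with no process creation stay quiet, which is how the surrounding context helps cut false positives.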


The goal of this project is to:

  • Provide free portable malicious datasets to expedite the development of data analytics.
  • Facilitate adversarial techniques simulation and output consumption.
  • Allow security analysts to test their skills with real known bad data.
  • Improve the testing of hunting use cases and data analytics in an easier and more affordable way.
  • Enable data scientists to have semi-labeled data for initial research.
  • Map threat hunter playbooks to their respective pre-recorded data for validation purposes.
  • Contribute to the ATT&CK framework Data Sources section of each technique and sub-technique.
  • Ingest known bad data samples for training and capture the flag (CTF) events.
  • Learn more about red team simulation exercises and technology such as Kafkacat, Kafka and Jupyter Notebooks.

The datasets include several APT emulation attacks for testing credential access, defense evasion, discovery, execution, lateral movement, persistence and privilege escalation.

In addition, there is a dataset for APT3, a China-based threat group that researchers have attributed to China’s Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)

You can read more and download the scripts over here:
