The SafeBreach Hacker's Playbook™ already contains simulations for attacks described in US-CERT Alert (TA18-276A), centered around the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by Advanced Persistent Threat (APT) actors.

Thanks to the depth of the Hacker's Playbook™, the techniques described in the phases of this alert have already been simulated, so existing customers have been validating their defenses against these attacks for some time. As always, SafeBreach Labs will continue to monitor the situation, and develop new simulations if any become necessary.

Unlike many US-CERT alerts, which are focused on targeted campaigns, executed by specific actors, this alert highlights general techniques that involve using legitimate credentials to expand unauthorized access, maintain persistence, exfiltrate data, and conduct other operations. It identifies APT actors' tactics, techniques, and procedures (TTPs) and describes the best practices that could be employed to mitigate each of them.

These types of techniques are often at the center of many headline-level attacks across multiple industries —both public and private. SafeBreach recommends all industries and businesses simulate the techniques described in this alert to identify whether or not they are protected against these common attack techniques. To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform contains many simulations, a sampling of which are highlighted below, to test endpoint and network security controls:


The Hacker’s Playbook contains dozens of attacks related to the initial infiltration, including email phishing simulations, as well as simulating both initial malware transfer, and subsequent command and control traffic to malicious domains.

Sample Playbook IDs Include:

Malware transfer and initial communication

  • 1228
  • 1186
  • 1507

Malicious email simulation

  • 1603
  • 1595


The alert describes specific types of attack methods that exploit trusted network communication such as RDP. The Hacker’s Playbook has many methods that simulate exploiting these types of trusted network connections via various tools and protocols.

Sample Playbook IDs include:

Abuse of RDP for lateral movement

  • 192
  • 1309


The TTPs described for establishing presence within a compromised environment include writing to disk and execution of malware and tools on hosts. SafeBreach includes over 100 attacks that simulate the installation and behaviors of various malware and other malicious techniques.

Sample Playbook IDs include:

Drop malware to disk

  • 954
  • 1388
  • 1572

Execute malicious tools

  • 1558
  • 794
  • 1614


Simulating the exfiltration of data is critical to ensuring that defenses are in place across the entire kill chain. SafeBreach simulates exfiltration of various types of data, across ports, protocols, using techniques that range from simple encryption to DNS tunneling.

Sample Playbook IDs include:

Data exfiltration

  • 903
  • 105
  • 1438

Additional breach methods added recently include:

Subscribe to blog post