The SafeBreach Hacker's Playbook™ already contains simulations for attacks described in US-CERT Alert (TA18-276B), centered around APT tactics used by attackers who use compromised credentials to infiltrate and move across trusted networks.

Thanks to the depth of the Hacker's Playbook™, the techniques within the described multi-stage attack campaign were simulated based on past campaigns, so existing customers have already been validating their defenses against these attacks. As always, SafeBreach Labs will continue to monitor the situation, and develop new simulations if any become necessary.

This alert is focused around ongoing APT actor activity attempting to infiltrate the networks of global managed service providers (MSPs), in order to perform cyber espionage and intellectual property theft within the trusted networks managed by those MSPs. The tactics used in this alert were first described in US-CERT Alert TA17-117A: Intrusions Affecting Multiple Victims Across Multiple Sectors.


These attacks have targeted multiple industries including Information Technology (IT), Energy, Healthcare and Public Health, Communications, and Critical Manufacturing. SafeBreach recommends all industries and businesses simulate the techniques described in this alert to identify whether or not they are protected against these attack techniques. To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following endpoint and network security controls:

Playbook methods related to TTA18-276B

Playbook #214 - Scheduled Task Creation

  • Endpoint Controls - Are endpoint security controls or hardening in place to prevent the creation or execution of malicious scheduled tasks?

Playbook #1220 - Fileless Mimikatz injection using PowerShell

  • Endpoint Controls - Are endpoint security controls or hardening in place to prevent dumping Windows Credentials from memory?

Playbook #1282 - PlugX RAT transfer via HTTP/S

  • Network Controls - Are network security controls in place to prevent the download of the Remote Access Tool executable used this attack?

Playbook #1280 - PlugX Beacon (First Communication)

  • Network Controls - Are network security controls in place to prevent the first communication of the Remote Access Tool used in this attack?

Additional breach methods added recently include:


Subscribe to blog post