APT29 (Cozy Bear) Adversary Emulation Profile

What it does

This SKILL provides a comprehensive adversary-emulation profile for APT29 (Cozy Bear / Midnight Blizzard), translating MITRE ATT&CK techniques into runnable guidance for the Decepticon red-team framework. It documents targeting, notable campaigns, detailed TTP mappings across the attack lifecycle (initial access, credential access, lateral movement, C2, exfiltration), recommended tooling analogues, and explicit emulation guidance emphasizing cloud/identity-first techniques (Golden SAML, OAuth abuse, password spraying, supply-chain compromise). The profile includes operational advice on stealth, egress rotation, and cleanup — suitable for authorized, scope-limited exercises.

When to use it

Use this skill when running authorized red-team or purple-team engagements that need to emulate a patient, identity-centric nation-state espionage actor. It's appropriate for cloud-focused threat simulation (Microsoft 365/Entra flows), supply-chain scenario drills, and testing detection/response for OAuth/federation abuses. Only use inside approved scopes and with signed authorization.

What's included

• Scripts: none shipped with the SKILL (has_scripts=false) — the body references Decepticon tooling (bash, cloud, lateral-movement, defense-evasion) to run emulations.
• References: rich inline references to MITRE, CISA, Microsoft, and vendor advisories (has_references=false in fetch output but many links present in body).
• Instructions: detailed procedural guidance for emulating APT29 behaviors — e.g., low-and-slow password spray patterns, OAuth app registration emulation, token-forging labs, supply-chain marker exercises, and C2/exfil patterns.

Compatible agents

Best used with agent runtimes that expose shell/CI and cloud tooling (Decepticon/Red-team agents, shell-enabled Claude/Copilot-style agents able to run bash/CI steps).