Added experiment yaml for FIN7 experiments

3 years ago · a9226eab1f
parent 3a87df3aed
commit a9226eab1f
2 changed files with 171 additions and 0 deletions
--- a/doc/source/usage/caldera_control_cli.rst
+++ b/doc/source/usage/caldera_control_cli.rst
--- a/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml
+++ b/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml
@ -0,0 +1,171 @@
+
+###
+# Caldera configuration
+caldera:
+  ###
+  # API key for caldera. See caldera configuration. Default is ADMIN123
+  apikey: ADMIN123
+
+###
+# Attacks configuration
+attackers:
+  ###
+  # Configuration for the first attacker. One should normally be enough
+  attacker:
+
+    ###
+    # Defining VM controller settings for this machine
+    vm_controller:
+      ###
+      # Type of the VM controller, Options are "vagrant"
+      type: vagrant
+      ###
+      # # path where the vagrantfile is in
+      vagrantfilepath: systems
+
+    ###
+    # Name of machine in Vagrantfile
+    vm_name: attacker
+
+    ###
+    # machinepath is a path where the machine specific files and logs are stored. Relative to the Vagrantfile path
+    # and will be mounted internally as /vagrant/<name>
+    # If machinepath is not set PurpleDome will try "vm_name"
+    machinepath: attacker1
+
+    ###
+    # OS of the VM guest. Options are so far "windows", "linux"
+    os: linux
+
+    ###
+    # Do not destroy/create the machine: Set this to "yes".
+    use_existing_machine: yes
+
+###
+# List of targets
+targets:
+
+  target2:
+    #root: systems/target1
+    vm_controller:
+      type: vagrant
+      vagrantfilepath: systems
+
+    ###
+    # simple switch if targets is used in attack simulation. Default is true. If set to false the machine will not be started
+    active: yes
+
+    vm_name: target2
+    os: windows
+    paw: target2w
+    group: red_windows
+
+    machinepath: target2w
+
+    # Do not destroy/create the machine: Set this to "yes".
+    use_existing_machine: yes
+    ###
+    # Optional setting to activate force when halting the machine. Windows guests sometime get stuck
+    halt_needs_force: yes
+
+    ###
+    # If SSH without vagrant support is used (Windows !) we need a user name (uppercase)
+    ssh_user: ATTACKX
+
+    ###
+    # If SSH without vagrant support is used (Windows !) we maybe need a password
+    ssh_password: AttackX
+
+    ###
+    # For non-vagrant ssh connections a ssh keyfile stored in the machinepath is required.
+    ssh_keyfile: systems/target2w/id_rsa.3
+
+    ###
+    # The folder all the implants will be installed into
+    # Windows can only use default playground at the moment !
+    # playground: C:\\Users\\AttackX
+
+    # Sensors to run on this machine
+    sensors:
+      - windows_idp
+
+    vulnerabilities:
+      - weak_user_passwords
+      - rdp_config_vul
+
+
+###
+# General sensor config config
+sensors:
+  ###
+  # Windows IDP plugin configuration
+  windows_idp:
+    ###
+    # Name of the dll to use. Must match AV version
+    # dll_name: aswidptestdll.dll
+    dll_name: aswidptestdll.dll_21_1_B
+
+    ###
+    # Folder where the IDP tool is located
+    idp_tool_folder: C:\\capture
+
+###
+# General attack config
+attacks:
+  ###
+  # configure the seconds the system idles between the attacks. Makes it slower. But attack and defense logs will be simpler to match
+  nap_time: 5
+
+
+###
+# Configuration for caldera
+caldera_conf:
+  ###
+  # The obfuscator to use between the implant and the server. Not all obfuscators are supported by all implants. Existing obfuscators:
+  # plain-text, base64, base64jumble, caesar, base64noPadding, steganography
+  obfuscator: plain-text
+
+  ###
+  # Jitter settings for the implant. it is min/max seconds. The first number has to be smaller. Default is 4/8
+  jitter: 4/8
+
+
+
+###
+# Kali tool based attacks. Will result in kali commandline tools to be called. Currently supported are: "hydra"
+kali_attacks:
+  ###
+  # Linux specific attacks, a list
+  linux:
+  ###
+  # Windows specific attacks, a list
+  windows:
+    - fin7_1
+
+###
+# Configuration for the kali attack tools
+kali_conf:
+  ###
+  # Hydra configuration
+  hydra:
+    ###
+    # A list of protocols to brute force against. Supported: "ssh"
+    protocols:
+      - ssh
+      - rdp
+      #- ftps
+    ###
+    # A file containing potential user names
+    userfile: users.txt
+    ###
+    # A file containing potential passwords
+    pwdfile: passwords.txt
+  nmap:
+
+
+###
+# Settings for the results being harvested
+results:
+  ###
+  # The directory the loot will be in
+  loot_dir: loot