Presentation update
parent
40622cbf67
commit
cf50d2b642
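--- /dev/null
+++ b/PATH-NOT-ON-PAGE/Makefile
@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS ?=
+SPHINXBUILD ?= sphinx-build
+SOURCEDIR = .
+BUILDDIR = _build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)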
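--- /dev/null
+++ b/PATH-NOT-ON-PAGE/conf.py
@@ -0,0 +1,104 @@
+# Configuration file for the Sphinx documentation builder.
+#
+# This file only contains a selection of the most common options. For a full
+# list see the documentation:
+# https://www.sphinx-doc.org/en/master/usage/configuration.html
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+
+
+# -- Project information -----------------------------------------------------
+
+project = 'PurpleDome Intro'
+copyright = '2022, Thorsten Sick'
+author = 'Thorsten Sick'
+
+
+# -- General configuration ---------------------------------------------------
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+]
+
+# Reveal JS
+
+extensions += [
+"sphinx_revealjs",
+]
+
+# Graphviz
+extensions += [
+"sphinx.ext.graphviz"
+]
+
+# -- Options for Reveal.js output ---------------------------------------------
+revealjs_static_path = ["_static"]
+revealjs_google_fonts = ["M PLUS 1p", ]
+revealjs_style_theme = "black"
+revealjs_script_conf = {
+"controls": True,
+"progress": True,
+"history": True,
+"center": True,
+"transition": "slide",
+}
+revealjs_script_plugins = [
+{
+"name": "RevealNotes",
+"src": "revealjs4/plugin/notes/notes.js",
+},
+{
+"name": "RevealHighlight",
+"src": "revealjs4/plugin/highlight/highlight.js",
+},
+{
+"name": "RevealMath",
+"src": "revealjs4/plugin/math/math.js",
+},
+]
+revealjs_css_files = [
+"revealjs4/plugin/highlight/zenburn.css",
+"custom.css",
+]
+
+
+# -- GraphViz configuration ----------------------------------
+graphviz_output_format = 'svg'
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = 'de'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+#
+html_theme = 'alabaster'
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']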
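Review bot: `language = 'de'` sets German for the text Sphinx generates itself (navigation labels, search strings, gettext handling), while the slide source added in this same commit is written in English, so the generated UI strings would not match the content; unless that is deliberate, `language = 'en'` is the consistent value. `revealjs_google_fonts = ["M PLUS 1p", ]` presumably makes the built presentation request the font from Google at view time, and the `RevealMath` plugin is likely to pull MathJax from a CDN as well, so the deck depends on third-party hosts and outbound network access whenever it is shown; if offline or self-contained output matters, ship those assets under `_static` and reference them locally instead. The `html_theme = 'alabaster'` / `html_static_path` block left over from sphinx-quickstart appears to apply only to the plain html builder, not to the revealjs output this configuration is clearly aimed at, so a one-line comment such as `# html_* settings apply to the html builder only; the revealjs builder uses revealjs_* above` would stop the next maintainer from editing the wrong theme setting.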
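--- /dev/null
+++ b/PATH-NOT-ON-PAGE/FILENAME-NOT-ON-PAGE.rst
@@ -0,0 +1,126 @@
+=================
+Purple Dome intro
+=================
+
+.. This toctree is only to link examples.
+
+.. toctree::
+:glob:
+:hidden:
+
+
+
+The problem
+===========
+
+Complex malware attacks in stages. Especially the last ones can be file-less stages
+
+Should I be concerned ?
+-----------------------
+
+If you are running a company network: yes
+
+After initial opportunistic infection and system scanning the malware can call an operator
+
+.. after the operator was called it is fileless
+
+Will AV protect me?
+===================
+
+Modern AV Software does not only do file detection but also behaviour detection
+
+Sometimes this is advertised. But even if it is not there will be a basic version shipped with your AV
+
+For advanced attacks this is the module protecting you
+
+Does this work well ?
+---------------------
+
+The behaviour component is a complex beast
+
+* Different OS versions
+* Performance
+* Stability
+* Lots of different behaviour patterns possible
+
+
+Is file-less bad ?
+------------------
+
+* Dealing with files is simpler
+* QA and Development is much harder without malware files
+
+
+Purple Dome makes dealing with file-less malware simpler
+========================================================
+
+We need it to...
+
+* Develop sensors
+* Create the logic
+* Test everything
+
+
+Purple Dome: Internals
+======================
+
+Purple Dome is a fully automated simulation environment to experiment with sophisticated attacks
+
+Spawning targets
+----------------
+
+VMS with the selected OS are initialised and started. That way we can experiment with different OS versions
+
+Spawning the attacker
+---------------------
+
+Attacker VM is Kali Linux. It contains
+
+* Metasploit
+* Caldera
+* Command line tools (nmap...)
+
+Sensoren Setup
+--------------
+
+Sensors will be installed on the targets. Now we are recording the events
+
+Running the attacks
+--------------------
+
+Attacks are run based on a script
+
+Collecting sensor data
+----------------------
+
+Data from the sensors and the log of the attack itself are the result of the simulation
+
+Creating a description
+----------------------
+
+For a quick overview it generates a human readable PDF document describing the attack
+
+Other Purple Dome use cases
+===========================
+
+Seminars
+----------
+
+We are evaluating how to use PD for university seminars.
+
+Trainings
+---------
+
+Blue vs Red Team trainings and creation of training data
+
+CTF
+---
+
+Capture the Flags games can be based on PD
+
+Buying Purple Dome
+==================
+
+It is not for sale. It is Open Source. Just fork it on Github:
+
+https://github.com/avast/PurpleDome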