mirror of https://github.com/avast/PurpleDome
Presentation update
parent
40622cbf67
commit
cf50d2b642
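--- /dev/null
+++ b/PATH-UNKNOWN/Makefile
@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS ?=
+SPHINXBUILD ?= sphinx-build
+SOURCEDIR = .
+BUILDDIR = _build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)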
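--- /dev/null
+++ b/PATH-UNKNOWN/conf.py
@@ -0,0 +1,104 @@
+# Configuration file for the Sphinx documentation builder.
+#
+# This file only contains a selection of the most common options. For a full
+# list see the documentation:
+# https://www.sphinx-doc.org/en/master/usage/configuration.html
+
+# -- Path setup --------------------------------------------------------------
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#
+# import os
+# import sys
+# sys.path.insert(0, os.path.abspath('.'))
+
+
+# -- Project information -----------------------------------------------------
+
+project = 'PurpleDome Intro'
+copyright = '2022, Thorsten Sick'
+author = 'Thorsten Sick'
+
+
+# -- General configuration ---------------------------------------------------
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+]
+
+# Reveal JS
+
+extensions += [
+"sphinx_revealjs",
+]
+
+# Graphviz
+extensions += [
+"sphinx.ext.graphviz"
+]
+
+# -- Options for Reveal.js output ---------------------------------------------
+revealjs_static_path = ["_static"]
+revealjs_google_fonts = ["M PLUS 1p", ]
+revealjs_style_theme = "black"
+revealjs_script_conf = {
+"controls": True,
+"progress": True,
+"history": True,
+"center": True,
+"transition": "slide",
+}
+revealjs_script_plugins = [
+{
+"name": "RevealNotes",
+"src": "revealjs4/plugin/notes/notes.js",
+},
+{
+"name": "RevealHighlight",
+"src": "revealjs4/plugin/highlight/highlight.js",
+},
+{
+"name": "RevealMath",
+"src": "revealjs4/plugin/math/math.js",
+},
+]
+revealjs_css_files = [
+"revealjs4/plugin/highlight/zenburn.css",
+"custom.css",
+]
+
+
+# -- GraphViz configuration ----------------------------------
+graphviz_output_format = 'svg'
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#
+# This is also used if you do content translation via gettext catalogs.
+# Usually you set "language" from the command line for these cases.
+language = 'de'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+# This pattern also affects html_static_path and html_extra_path.
+exclude_patterns = ['_build', 'Thumbs.db', '.DS_Store']
+
+
+# -- Options for HTML output -------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+#
+html_theme = 'alabaster'
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']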
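Review bot: `language = 'de'` near the end of the hunk switches Sphinx's locale to German, but the project name, the copyright line and the slide text added in the same commit are written in English, so autogenerated UI strings will come out in a different language than the content; if that is unintended, `language = 'en'`. The `extensions` list is assembled from an empty list plus two `+=` appends, which reads as three assignments for one value — a single `extensions = ["sphinx_revealjs", "sphinx.ext.graphviz"]` with the section comments inline says the same thing. `revealjs_css_files` lists `custom.css`, presumably expected under `_static`, but no such file is part of this commit, so the first build will presumably warn about a missing asset unless it already exists in the tree. `revealjs_google_fonts` presumably makes each viewer's browser fetch the font from Google at load time; for a deck that may be shown offline or inside a lab network, consider vendoring the font into `_static` or dropping the setting.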
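--- /dev/null
+++ b/PATH-UNKNOWN/UNKNOWN.rst
@@ -0,0 +1,126 @@
+=================
+Purple Dome intro
+=================
+
+.. This toctree is only to link examples.
+
+.. toctree::
+:glob:
+:hidden:
+
+
+
+The problem
+===========
+
+Complex malware attacks in stages. Especially the last ones can be file-less stages
+
+Should I be concerned ?
+-----------------------
+
+If you are running a company network: yes
+
+After initial opportunistic infection and system scanning the malware can call an operator
+
+.. after the operator was called it is fileless
+
+Will AV protect me?
+===================
+
+Modern AV Software does not only do file detection but also behaviour detection
+
+Sometimes this is advertised. But even if it is not there will be a basic version shipped with your AV
+
+For advanced attacks this is the module protecting you
+
+Does this work well ?
+---------------------
+
+The behaviour component is a complex beast
+
+* Different OS versions
+* Performance
+* Stability
+* Lots of different behaviour patterns possible
+
+
+Is file-less bad ?
+------------------
+
+* Dealing with files is simpler
+* QA and Development is much harder without malware files
+
+
+Purple Dome makes dealing with file-less malware simpler
+========================================================
+
+We need it to...
+
+* Develop sensors
+* Create the logic
+* Test everything
+
+
+Purple Dome: Internals
+======================
+
+Purple Dome is a fully automated simulation environment to experiment with sophisticated attacks
+
+Spawning targets
+----------------
+
+VMS with the selected OS are initialised and started. That way we can experiment with different OS versions
+
+Spawning the attacker
+---------------------
+
+Attacker VM is Kali Linux. It contains
+
+* Metasploit
+* Caldera
+* Command line tools (nmap...)
+
+Sensoren Setup
+--------------
+
+Sensors will be installed on the targets. Now we are recording the events
+
+Running the attacks
+--------------------
+
+Attacks are run based on a script
+
+Collecting sensor data
+----------------------
+
+Data from the sensors and the log of the attack itself are the result of the simulation
+
+Creating a description
+----------------------
+
+For a quick overview it generates a human readable PDF document describing the attack
+
+Other Purple Dome use cases
+===========================
+
+Seminars
+----------
+
+We are evaluating how to use PD for university seminars.
+
+Trainings
+---------
+
+Blue vs Red Team trainings and creation of training data
+
+CTF
+---
+
+Capture the Flags games can be based on PD
+
+Buying Purple Dome
+==================
+
+It is not for sale. It is Open Source. Just fork it on Github:
+
+https://github.com/avast/PurpleDome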