archive
/
PurpleDome
mirror of https://github.com/avast/PurpleDome
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Cleanup and adding a starter pack (hello_world, license, readme)

Browse Source
pull/18/head
Thorsten Sick 2 years ago
parent cacaa1e221
commit e7a3c3596f
12 changed files with 232 additions and 93 deletions
Show Stats Download Patch File Download Diff File

21
LICENSE.txt
Unescape Escape View File

@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2021 Avast Software
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.UT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

28
README.md
Unescape Escape View File

@ -109,3 +109,31 @@ Development happens in *feature branches* branched of from *develop* branch. And
The branch *release* is a temporary branch from *develop* and will be used for bug fixing before a PR to *main* creates a new release. Commits in main will be marked with tags and the *changelog.txt* file in human readable form describe the new features.
https://nvie.com/posts/a-successful-git-branching-model/
Short:
* As a user, the *main* branch is relevant for you
* Start a feature branch from *develop*
* When doing a hotfix, branch from *main*
### GIT
Branching your own feature branch
$ git checkout development
$ git pull --rebase=preserve
$ git checkout -b my_feature
Do some coding, commit.
Rebase before pushing
$ git checkout development
$ git pull --rebase=preserve
$ git checkout my_feature
$ git rebase development
Code review will be happening on github. If everything is nice, you should squash the several commits you made into one (so one commit = one feature). This will make code management and debugging a lot simpler when you commit is added to develop and main branches
.. TODO: git rebase --interactive
git push --force

2
doc/source/basics/background.rst
Unescape Escape View File

@ -69,7 +69,7 @@ TODO: Add Mac Server
Data aggregator
---------------
We currently can use IDP and logstash
We currently can use logstash
There are several options for data aggregators:

168
hello_world.yaml
Unescape Escape View File

@ -0,0 +1,168 @@
# A basic example config file running just one Caldera and one kali attack vs an Ubuntu target.
#
###
# Caldera configuration
caldera:
###
# API key for caldera. See caldera configuration. Default is ADMIN123
apikey: ADMIN123
###
# Attacks configuration
attackers:
###
# Configuration for the first attacker. One should normally be enough
- name: attacker
###
# Defining VM controller settings for this machine
vm_controller:
###
# Type of the VM controller, Options are "vagrant"
vm_type: vagrant
###
# # path where the vagrantfile is in
vagrantfilepath: systems
###
# Name of machine in Vagrantfile
vm_name: attacker
nicknames:
###
# machinepath is a path where the machine specific files and logs are stored. Relative to the Vagrantfile path
# and will be mounted internally as /vagrant/<name>
# If machinepath is not set PurpleDome will try "vm_name"
machinepath: attacker1
###
# OS of the VM guest. Options are so far "windows", "linux"
os: linux
###
# Do not destroy/create the machine: Set this to "yes".
use_existing_machine: yes
###
# List of targets
targets:
# Ubuntu 20.10 (Groovy)
- name: target3
vm_controller:
vm_type: vagrant
vagrantfilepath: systems
###
# simple switch if targets is used in attack simulation. Default is true. If set to false the machine will not be started
active: yes
vm_name: target3
nicknames:
os: linux
###
# Targets need a unique PAW name for caldera
paw: target3
###
# Targets need to be in a group for caldera
group: red_linux
machinepath: target3
# Do not destroy/create the machine: Set this to "yes".
use_existing_machine: no
###
# The folder all the implants will be installed into
playground: /home/vagrant
# Sensors to run on this machine
sensors:
# - linux_idp # it had issues. Fix them
- linux_filebeat
vulnerabilities:
- sshd_config_vul
- weak_user_passwords
###
# General sensor config config
sensor_conf:
###
# General attack config
attacks:
###
# configure the seconds the system idles between the attacks. Makes it slower. But attack and defense logs will be simpler to match
nap_time: 5
###
# The obfuscator to use between the implant and the server. Not all obfuscators are supported by all implants. Existing obfuscators:
# plain-text, base64, base64jumble, caesar, base64noPadding, steganography
caldera_obfuscator: plain-text
###
# Jitter settings for the implant. it is min/max seconds. The first number has to be smaller. Default is 4/8
caldera_jitter: 4/8
###
# A list of caldera attacks to run against the targets.
caldera_attacks:
###
# Linux specific attacks. A list of caldera ability IDs
linux:
# Name: Current User
# Technique name: System Owner/User Discovery
# Tactic: discovery
# Description: Obtain user from current session
# ID: T1033
- "bd527b63-9f9e-46e0-9816-b8434d2b8989"
###
# Windows specific attacks. A list of caldera ability IDs
windows:
###
# Plugin based attacks. Will result in plugins being called
plugin_based_attacks:
###
# Linux specific attacks, a list
linux:
- hydra
###
# Windows specific attacks, a list
windows:
###
# Configuration for the plugin based attack tools
attack_conf:
###
# Hydra configuration
hydra:
###
# A list of protocols to brute force against. Supported: "ssh"
protocols:
- ssh
###
# A file containing potential user names
userfile: users.txt
###
# A file containing potential passwords
pwdfile: passwords.txt
nmap:
###
# Settings for the results being harvested
results:
###
# The directory the loot will be in
loot_dir: loot

13
plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml
Unescape Escape View File

@ -96,7 +96,7 @@ targets:
# Sensors to run on this machine
sensors:
- windows_idp
- osquery
vulnerabilities:
- weak_user_passwords
@ -167,15 +167,8 @@ attack_conf:
sensor_conf:
###
# Windows IDP plugin configuration
windows_idp:
###
# Name of the dll to use. Must match AV version
# dll_name: aswidptestdll.dll
dll_name: aswidptestdll.dll_21_1_B
###
# Folder where the IDP tool is located
idp_tool_folder: C:\\capture
osquery:
foo: bar
###
# Settings for the results being harvested

13
plugins/default/sensors/linux_filebeat/linux_filebeat_plugin.py
Unescape Escape View File

@ -38,19 +38,6 @@ class LinuxFilebeatPlugin(SensorPlugin):
def prime(self):
""" Hard-core install. Requires a reboot """
# For reference: This is the core config we will need. In addition there are two reg files to apply to the registry
# sc control aswbidsagent 255
# timeout /t 5
# 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"'
# reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f
# timeout /t 2
# sc start aswbidsagent
# Important: AV must be 21.2
# dll_name = self.conf["dll_name"]
# idp_tool_folder = self.conf["idp_tool_folder"]
pg = self.get_playground()
self.vprint("Installing Linux filebeat sensor", 3)

18
template.yaml
Unescape Escape View File

@ -104,7 +104,7 @@ targets:
###
# List of sensors to run on this machine. They are implemented as plugins and have a unique name
sensors:
# - linux_idp
# - osquery
- name: target2
###
@ -179,7 +179,7 @@ targets:
###
# Sensors to run on this machine
sensors:
- windows_idp
- osquery
###
# Vulnerabilities to pre-install. They are implemented as plugins
@ -245,7 +245,7 @@ targets:
# Sensors to run on this machine
sensors:
- linux_idp
- osquery
###
# Vulnerabilities to pre-install. They are implemented as plugins
@ -319,15 +319,9 @@ attack_conf:
# General sensor config config
sensor_conf:
###
# Windows IDP plugin configuration
windows_idp:
###
# Name of the dll to use. Must match AV version
dll_name: aswidptestdll.dll
###
# Folder where the IDP tool is located
idp_tool_folder: C:\\capture
# Osqueryplugin configuration
osquery:
foo: bar
###

13
tests/plugins/sensor/missing_collect/sensor_missing_collect.py
Unescape Escape View File

@ -38,19 +38,6 @@ class SensorMissingCollectPlugin(SensorPlugin):
def prime(self):
""" Hard-core install. Requires a reboot """
# For reference: This is the core config we will need. In addition there are two reg files to apply to the registry
# sc control aswbidsagent 255
# timeout /t 5
# 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"'
# reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f
# timeout /t 2
# sc start aswbidsagent
# Important: AV must be 21.2
# dll_name = self.conf["dll_name"]
# idp_tool_folder = self.conf["idp_tool_folder"]
pg = self.get_playground()
self.vprint("Installing Linux filebeat sensor", 3)

13
tests/plugins/sensor/sensor_ok/sensor_ok.py
Unescape Escape View File

@ -38,19 +38,6 @@ class SensorOkPlugin(SensorPlugin):
def prime(self):
""" Hard-core install. Requires a reboot """
# For reference: This is the core config we will need. In addition there are two reg files to apply to the registry
# sc control aswbidsagent 255
# timeout /t 5
# 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"'
# reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f
# timeout /t 2
# sc start aswbidsagent
# Important: AV must be 21.2
# dll_name = self.conf["dll_name"]
# idp_tool_folder = self.conf["idp_tool_folder"]
pg = self.get_playground()
self.vprint("Installing Linux filebeat sensor", 3)

13
tests/plugins/sensor/two_sensors/sensor_1/sensor_1.py
Unescape Escape View File

@ -38,19 +38,6 @@ class SensorIgnoreMePlugin(SensorPlugin):
def prime(self):
""" Hard-core install. Requires a reboot """
# For reference: This is the core config we will need. In addition there are two reg files to apply to the registry
# sc control aswbidsagent 255
# timeout /t 5
# 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"'
# reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f
# timeout /t 2
# sc start aswbidsagent
# Important: AV must be 21.2
# dll_name = self.conf["dll_name"]
# idp_tool_folder = self.conf["idp_tool_folder"]
pg = self.get_playground()
self.vprint("Installing Linux filebeat sensor", 3)

13
tests/plugins/sensor/two_sensors/sensor_2/sensor_2.py
Unescape Escape View File

@ -38,19 +38,6 @@ class SensorPickMePlugin(SensorPlugin):
def prime(self):
""" Hard-core install. Requires a reboot """
# For reference: This is the core config we will need. In addition there are two reg files to apply to the registry
# sc control aswbidsagent 255
# timeout /t 5
# 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"'
# reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f
# timeout /t 2
# sc start aswbidsagent
# Important: AV must be 21.2
# dll_name = self.conf["dll_name"]
# idp_tool_folder = self.conf["idp_tool_folder"]
pg = self.get_playground()
self.vprint("Installing Linux filebeat sensor", 3)

10
tests/test_config.py
Unescape Escape View File

@ -373,8 +373,8 @@ class TestMachineConfig(unittest.TestCase):
},
"vm_name": "target1",
"use_existing_machine": False,
"sensors": ["linux_idp", "test_sensor"]}))
self.assertEqual(mc.sensors(), ["linux_idp", "test_sensor"])
"sensors": ["linux_foo", "test_sensor"]}))
self.assertEqual(mc.sensors(), ["linux_foo", "test_sensor"])
def test_vulnerabilities_empty(self):
""" Testing empty vulnerabilities config """
@ -414,7 +414,7 @@ class TestMachineConfig(unittest.TestCase):
},
"vm_name": "target1",
"use_existing_machine": False,
"sensors": ["linux_idp", "test_sensor"]}))
"sensors": ["linux_foo", "test_sensor"]}))
self.assertEqual(mc.is_active(), True)
def test_active_is_false(self):
@ -429,7 +429,7 @@ class TestMachineConfig(unittest.TestCase):
"vm_name": "target1",
"use_existing_machine": False,
"active": False,
"sensors": ["linux_idp", "test_sensor"]}))
"sensors": ["linux_foo", "test_sensor"]}))
self.assertEqual(mc.is_active(), False)
def test_active_is_true(self):
@ -444,7 +444,7 @@ class TestMachineConfig(unittest.TestCase):
"vm_name": "target1",
"use_existing_machine": False,
"active": True,
"sensors": ["linux_idp", "test_sensor"]}))
"sensors": ["linux_foo", "test_sensor"]}))
self.assertEqual(mc.is_active(), True)

Write Preview
Loading…
Cancel
Save