From e7a3c3596f6ee1edda27def777844a8ab0f24973 Mon Sep 17 00:00:00 2001
From: Thorsten Sick
Date: Mon, 29 Nov 2021 12:08:17 +0100
Subject: [PATCH] Cleanup and adding a starter pack (hello_world, license, readme)
---
 LICENSE.txt | 21 +++
 README.md | 28 +++
 doc/source/basics/background.rst | 2 +-
 hello_world.yaml | 168 ++++++++++++++++++
 .../FIN7/local_experiment_config.yaml | 13 +-
 .../linux_filebeat/linux_filebeat_plugin.py | 13 --
 template.yaml | 18 +-
 .../missing_collect/sensor_missing_collect.py | 13 --
 tests/plugins/sensor/sensor_ok/sensor_ok.py | 13 --
 .../sensor/two_sensors/sensor_1/sensor_1.py | 13 --
 .../sensor/two_sensors/sensor_2/sensor_2.py | 13 --
 tests/test_config.py | 10 +-
 12 files changed, 232 insertions(+), 93 deletions(-)
 create mode 100644 LICENSE.txt
 create mode 100644 hello_world.yaml
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..83ca562
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 Avast Software
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.UT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/README.md b/README.md
index fcff350..e72f067 100644
--- a/README.md
+++ b/README.md
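Review bot: The last added line of LICENSE.txt, `+SOFTWARE.UT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.`, repeats the tail of the previous line with its first letter cut off, so the file is not the verbatim MIT text. It should read just `SOFTWARE.`, and since the hunk ends with `\ No newline at end of file`, a trailing newline is worth adding at the same time.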
@@ -109,3 +109,31 @@ Development happens in *feature branches* branched of from *develop* branch. And The branch *release* is a temporary branch from *develop* and will be used for bug fixing before a PR to *main* creates a new release. Commits in main will be marked with tags and the *changelog.txt* file in human readable form describe the new features. https://nvie.com/posts/a-successful-git-branching-model/ + +Short: + +* As a user, the *main* branch is relevant for you +* Start a feature branch from *develop* +* When doing a hotfix, branch from *main* + +### GIT + +Branching your own feature branch + +$ git checkout development +$ git pull --rebase=preserve +$ git checkout -b my_feature + +Do some coding, commit. + +Rebase before pushing + +$ git checkout development +$ git pull --rebase=preserve +$ git checkout my_feature +$ git rebase development + +Code review will be happening on github. If everything is nice, you should squash the several commits you made into one (so one commit = one feature). This will make code management and debugging a lot simpler when you commit is added to develop and main branches + +.. TODO: git rebase --interactive +git push --force \ No newline at end of file diff --git a/doc/source/basics/background.rst b/doc/source/basics/background.rst index 8c4098c..e28d0d3 100644 --- a/doc/source/basics/background.rst +++ b/doc/source/basics/background.rst @@ -69,7 +69,7 @@ TODO: Add Mac Server Data aggregator --------------- -We currently can use IDP and logstash +We currently can use logstash There are several options for data aggregators: diff --git a/hello_world.yaml b/hello_world.yaml new file mode 100644 index 0000000..52c3521 --- /dev/null +++ b/hello_world.yaml 
@@ -0,0 +1,168 @@ +# A basic example config file running just one Caldera and one kali attack vs an Ubuntu target. +# + + +### +# Caldera configuration +caldera: + ### + # API key for caldera. See caldera configuration. Default is ADMIN123 + apikey: ADMIN123 + +### +# Attacks configuration +attackers: + ### + # Configuration for the first attacker. One should normally be enough + - name: attacker + + ### + # Defining VM controller settings for this machine + vm_controller: + ### + # Type of the VM controller, Options are "vagrant" + vm_type: vagrant + ### + # # path where the vagrantfile is in + vagrantfilepath: systems + + ### + # Name of machine in Vagrantfile + vm_name: attacker + + nicknames: + + ### + # machinepath is a path where the machine specific files and logs are stored. Relative to the Vagrantfile path + # and will be mounted internally as /vagrant/ + # If machinepath is not set PurpleDome will try "vm_name" + machinepath: attacker1 + + ### + # OS of the VM guest. Options are so far "windows", "linux" + os: linux + + ### + # Do not destroy/create the machine: Set this to "yes". + use_existing_machine: yes + +### +# List of targets +targets: + # Ubuntu 20.10 (Groovy) + - name: target3 + vm_controller: + vm_type: vagrant + vagrantfilepath: systems + + ### + # simple switch if targets is used in attack simulation. Default is true. If set to false the machine will not be started + active: yes + + vm_name: target3 + + nicknames: + + os: linux + ### + # Targets need a unique PAW name for caldera + paw: target3 + ### + # Targets need to be in a group for caldera + group: red_linux + + machinepath: target3 + # Do not destroy/create the machine: Set this to "yes". + use_existing_machine: no + + ### + # The folder all the implants will be installed into + playground: /home/vagrant + + # Sensors to run on this machine + sensors: + # - linux_idp # it had issues. 
Fix them + - linux_filebeat + + vulnerabilities: + - sshd_config_vul + - weak_user_passwords + +### +# General sensor config config +sensor_conf: + +### +# General attack config +attacks: + ### + # configure the seconds the system idles between the attacks. Makes it slower. But attack and defense logs will be simpler to match + nap_time: 5 + + ### + # The obfuscator to use between the implant and the server. Not all obfuscators are supported by all implants. Existing obfuscators: + # plain-text, base64, base64jumble, caesar, base64noPadding, steganography + caldera_obfuscator: plain-text + + ### + # Jitter settings for the implant. it is min/max seconds. The first number has to be smaller. Default is 4/8 + caldera_jitter: 4/8 + + +### +# A list of caldera attacks to run against the targets. +caldera_attacks: + ### + # Linux specific attacks. A list of caldera ability IDs + linux: + # Name: Current User + # Technique name: System Owner/User Discovery + # Tactic: discovery + # Description: Obtain user from current session + # ID: T1033 + - "bd527b63-9f9e-46e0-9816-b8434d2b8989" + + + ### + # Windows specific attacks. A list of caldera ability IDs + windows: + + +### +# Plugin based attacks. Will result in plugins being called +plugin_based_attacks: + ### + # Linux specific attacks, a list + linux: + - hydra + + ### + # Windows specific attacks, a list + windows: + +### +# Configuration for the plugin based attack tools +attack_conf: + ### + # Hydra configuration + hydra: + ### + # A list of protocols to brute force against. Supported: "ssh" + protocols: + - ssh + + ### + # A file containing potential user names + userfile: users.txt + ### + # A file containing potential passwords + pwdfile: passwords.txt + nmap: + + +### +# Settings for the results being harvested +results: + ### + # The directory the loot will be in + loot_dir: loot 
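Review bot: Several keys in the new hello_world.yaml are left without a value — `sensor_conf:`, both `nicknames:`, `caldera_attacks.windows:`, `plugin_based_attacks.windows:` and `attack_conf.nmap:` — and a YAML loader yields null for these rather than an empty mapping or list, so any consumer that iterates or indexes them without a None check will fail; whether the project's config loader tolerates that is not visible here, so spelling them as `sensor_conf: {}` and `windows: []` would make the starter config safe either way. `apikey: ADMIN123` is the well-known Caldera default, and the comment above it should tell the user the value has to match their own server, e.g. `# Must match the api_key configured on your Caldera server; the shipped default is ADMIN123`. The commented-out `# - linux_idp # it had issues. Fix them` reads as an unassigned TODO and is better removed from a hello-world example or turned into a tracked item.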
diff --git a/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml b/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml index 8ddff78..3d18ba8 100644 --- a/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml +++ b/plugins/default/adversary_emulations/FIN7/local_experiment_config.yaml @@ -96,7 +96,7 @@ targets: # Sensors to run on this machine sensors: - - windows_idp + - osquery vulnerabilities: - weak_user_passwords @@ -167,15 +167,8 @@ attack_conf: sensor_conf: ### # Windows IDP plugin configuration - windows_idp: - ### - # Name of the dll to use. Must match AV version - # dll_name: aswidptestdll.dll - dll_name: aswidptestdll.dll_21_1_B - - ### - # Folder where the IDP tool is located - idp_tool_folder: C:\\capture + osquery: + foo: bar ### # Settings for the results being harvested diff --git a/plugins/default/sensors/linux_filebeat/linux_filebeat_plugin.py b/plugins/default/sensors/linux_filebeat/linux_filebeat_plugin.py index 6a4d6ba..83f3cb6 100644 --- a/plugins/default/sensors/linux_filebeat/linux_filebeat_plugin.py +++ b/plugins/default/sensors/linux_filebeat/linux_filebeat_plugin.py @@ -38,19 +38,6 @@ class LinuxFilebeatPlugin(SensorPlugin): def prime(self): """ Hard-core install. Requires a reboot """ - # For reference: This is the core config we will need. In addition there are two reg files to apply to the registry - # sc control aswbidsagent 255 - # timeout /t 5 - # 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"' - # reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f - # timeout /t 2 - # sc start aswbidsagent - - # Important: AV must be 21.2 - # dll_name = self.conf["dll_name"] - - # idp_tool_folder = self.conf["idp_tool_folder"] - pg = self.get_playground() self.vprint("Installing Linux filebeat sensor", 3) diff --git a/template.yaml b/template.yaml index c859126..225b904 100644 
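Review bot: The second hunk of local_experiment_config.yaml replaces the `windows_idp` block with `osquery: foo: bar`, but the context comment `# Windows IDP plugin configuration` directly above it is untouched and now labels the wrong plugin. `foo: bar` is a placeholder, and the diffstat lists no osquery plugin being added, so unless that plugin already exists in the tree the `- osquery` sensor entry in the first hunk (and the matching entries in template.yaml) refers to a sensor the loader cannot find. Suggest `# Osquery plugin configuration` for the comment and, under it, either the keys the osquery plugin actually reads or an explicit empty mapping `osquery: {}` if it reads none.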
--- a/template.yaml +++ b/template.yaml @@ -104,7 +104,7 @@ targets: ### # List of sensors to run on this machine. They are implemented as plugins and have a unique name sensors: - # - linux_idp + # - osquery - name: target2 ### @@ -179,7 +179,7 @@ targets: ### # Sensors to run on this machine sensors: - - windows_idp + - osquery ### # Vulnerabilities to pre-install. They are implemented as plugins @@ -245,7 +245,7 @@ targets: # Sensors to run on this machine sensors: - - linux_idp + - osquery ### # Vulnerabilities to pre-install. They are implemented as plugins @@ -319,15 +319,9 @@ attack_conf: # General sensor config config sensor_conf: ### - # Windows IDP plugin configuration - windows_idp: - ### - # Name of the dll to use. Must match AV version - dll_name: aswidptestdll.dll - - ### - # Folder where the IDP tool is located - idp_tool_folder: C:\\capture + # Osqueryplugin configuration + osquery: + foo: bar ### diff --git a/tests/plugins/sensor/missing_collect/sensor_missing_collect.py b/tests/plugins/sensor/missing_collect/sensor_missing_collect.py index d642da1..d102e52 100644 --- a/tests/plugins/sensor/missing_collect/sensor_missing_collect.py +++ b/tests/plugins/sensor/missing_collect/sensor_missing_collect.py @@ -38,19 +38,6 @@ class SensorMissingCollectPlugin(SensorPlugin): def prime(self): """ Hard-core install. Requires a reboot """ - # For reference: This is the core config we will need. In addition there are two reg files to apply to the registry - # sc control aswbidsagent 255 - # timeout /t 5 - # 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"' - # reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f - # timeout /t 2 - # sc start aswbidsagent - - # Important: AV must be 21.2 - # dll_name = self.conf["dll_name"] - - # idp_tool_folder = self.conf["idp_tool_folder"] - pg = self.get_playground() self.vprint("Installing Linux filebeat sensor", 3) 
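Review bot: The comment added in the last template.yaml hunk, `# Osqueryplugin configuration`, is missing a space; `# Osquery plugin configuration` matches the file's other section comments. The second and third hunks list `osquery` for a Windows target and a Linux target respectively, so the plugin has to declare support for both operating systems for this template to load on each; that is not visible in this patch and is worth confirming before the IDP entries are dropped.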
diff --git a/tests/plugins/sensor/sensor_ok/sensor_ok.py b/tests/plugins/sensor/sensor_ok/sensor_ok.py index 5d9bd90..031ffd4 100644 --- a/tests/plugins/sensor/sensor_ok/sensor_ok.py +++ b/tests/plugins/sensor/sensor_ok/sensor_ok.py @@ -38,19 +38,6 @@ class SensorOkPlugin(SensorPlugin): def prime(self): """ Hard-core install. Requires a reboot """ - # For reference: This is the core config we will need. In addition there are two reg files to apply to the registry - # sc control aswbidsagent 255 - # timeout /t 5 - # 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"' - # reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f - # timeout /t 2 - # sc start aswbidsagent - - # Important: AV must be 21.2 - # dll_name = self.conf["dll_name"] - - # idp_tool_folder = self.conf["idp_tool_folder"] - pg = self.get_playground() self.vprint("Installing Linux filebeat sensor", 3) diff --git a/tests/plugins/sensor/two_sensors/sensor_1/sensor_1.py b/tests/plugins/sensor/two_sensors/sensor_1/sensor_1.py index a27ae1b..475dfd3 100644 --- a/tests/plugins/sensor/two_sensors/sensor_1/sensor_1.py +++ b/tests/plugins/sensor/two_sensors/sensor_1/sensor_1.py 
@@ -38,19 +38,6 @@ class SensorIgnoreMePlugin(SensorPlugin): def prime(self): """ Hard-core install. Requires a reboot """ - # For reference: This is the core config we will need. In addition there are two reg files to apply to the registry - # sc control aswbidsagent 255 - # timeout /t 5 - # 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"' - # reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f - # timeout /t 2 - # sc start aswbidsagent - - # Important: AV must be 21.2 - # dll_name = self.conf["dll_name"] - - # idp_tool_folder = self.conf["idp_tool_folder"] - pg = self.get_playground() self.vprint("Installing Linux filebeat sensor", 3) diff --git a/tests/plugins/sensor/two_sensors/sensor_2/sensor_2.py b/tests/plugins/sensor/two_sensors/sensor_2/sensor_2.py index cb2b596..4e966fd 100644 --- a/tests/plugins/sensor/two_sensors/sensor_2/sensor_2.py +++ b/tests/plugins/sensor/two_sensors/sensor_2/sensor_2.py @@ -38,19 +38,6 @@ class SensorPickMePlugin(SensorPlugin): def prime(self): """ Hard-core install. Requires a reboot """ - # For reference: This is the core config we will need. In addition there are two reg files to apply to the registry - # sc control aswbidsagent 255 - # timeout /t 5 - # 'copy /y "cd %userprofile% & aswidptestdll.dll" "c:\Program Files\Avast Software\Avast\"' - # reg.exe add "HKLM\SOFTWARE\Avast Software\Avast\properties\IDP\Setting" /v debug_channel.enabled /t REG_DWORD /d 1 /f - # timeout /t 2 - # sc start aswbidsagent - - # Important: AV must be 21.2 - # dll_name = self.conf["dll_name"] - - # idp_tool_folder = self.conf["idp_tool_folder"] - pg = self.get_playground() self.vprint("Installing Linux filebeat sensor", 3) diff --git a/tests/test_config.py b/tests/test_config.py index f1cd69f..cc31b4b 100644 --- a/tests/test_config.py +++ b/tests/test_config.py 
@@ -373,8 +373,8 @@ class TestMachineConfig(unittest.TestCase): }, "vm_name": "target1", "use_existing_machine": False, - "sensors": ["linux_idp", "test_sensor"]})) - self.assertEqual(mc.sensors(), ["linux_idp", "test_sensor"]) + "sensors": ["linux_foo", "test_sensor"]})) + self.assertEqual(mc.sensors(), ["linux_foo", "test_sensor"]) def test_vulnerabilities_empty(self): """ Testing empty vulnerabilities config """ @@ -414,7 +414,7 @@ class TestMachineConfig(unittest.TestCase): }, "vm_name": "target1", "use_existing_machine": False, - "sensors": ["linux_idp", "test_sensor"]})) + "sensors": ["linux_foo", "test_sensor"]})) self.assertEqual(mc.is_active(), True) def test_active_is_false(self): @@ -429,7 +429,7 @@ class TestMachineConfig(unittest.TestCase): "vm_name": "target1", "use_existing_machine": False, "active": False, - "sensors": ["linux_idp", "test_sensor"]})) + "sensors": ["linux_foo", "test_sensor"]})) self.assertEqual(mc.is_active(), False) def test_active_is_true(self): @@ -444,7 +444,7 @@ class TestMachineConfig(unittest.TestCase): "vm_name": "target1", "use_existing_machine": False, "active": True, - "sensors": ["linux_idp", "test_sensor"]})) + "sensors": ["linux_foo", "test_sensor"]})) self.assertEqual(mc.is_active(), True)