Attack
======

Boilerplate
-----------

PurpleDome, attack-log version: {{ boilerplate.log_format_major_version }}.{{ boilerplate.log_format_minor_version }}

Systems
-------

{% for s in systems %}
{{ s.role }}:{{ s.name }}
~~~~~~~~~~~~

IP: {{ s.ip }}

OS: {{ s.os }}

Paw: {{ s.paw }}

Group: {{ s.group }}

Sensors:

{% for sensor in s.sensors %}
* {{ sensor }}
{% endfor %}  {# sensors #}

Vulnerabilities:

{% for vulnerability in s.vulnerabilities %}
* {{ vulnerability }}
{% endfor %}  {# vulnerabilities #}

{% endfor %}  {# systems #}

Attack steps
------------

{% for e in events %}
{% if e.event is eq("start") %}
{% if e.type is eq("attack_step") %}


{{ e.text }}
~~~~~~~~~~~~
{% endif %}  {# end attack_step #}
{% if e.type is eq("dropping_file") %}

Dropping file to target
~~~~~~~~~~~~~~~~~~~~~~~

At {{ e.timestamp }}
The file {{ e.file_name }} is dropped to the target {{ e.target }}.
{% endif %}
{% if e.type is eq("execute_payload") %}

Executing payload on target
~~~~~~~~~~~~~~~~~~~~~~~~~~~

At {{ e.timestamp }}
The command {{ e.command }} is used to start a file on the target {{ e.target }}.
{% endif %}
{% if e.type is eq("narration") %}
{{ e.text }}
{% endif %}
{% if e.sub_type is eq("metasploit") %}

Metasploit attack {{ e.name }}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ Tactics: {{ e.tactics }}
+ Tactics ID: {{ e.tactics_id }}
+ Hunting Tag: {{ e.hunting_tag}}
+ At {{ e.timestamp }} a Metasploit command {{ e.name }} was used to attack {{ e.target }} from {{ e.source }}.
+ Description: {{ e.description }}
+ Code in {{ e.sourcefile }} / {{ e.sourceline }}
{% if e.metasploit_command is string() %}
+ Metasploit command: {{ e.metasploit_command }}
{% endif %}
{% if e.situation_description is string() %}
+ Situation: {{ e.situation_description }}
{% endif %}
{% if e.countermeasure is string() %}
+ Countermeasure: {{ e.countermeasure }}
{% endif %}
{% if e.result is string() %}
Attack result::

        {{ e.result }}
{% endif %}
{% if e.result is iterable() %}
Attack result::

{% for item in e.result %}
    {{ item|trim()|indent(4) }}
{% endfor %}
{% endif %}
{% endif %}
{% if e.sub_type is eq("kali") %}

Kali attack {{ e.name }}
~~~~~~~~~~~~~~~~~~~~~~~~

+ Tactics: {{ e.tactics }}
+ Tactics ID: {{ e.tactics_id }}
+ Hunting Tag: {{ e.hunting_tag}}
+ At {{ e.timestamp }} a Kali command {{ e.kali_name }} was used to attack {{ e.target }} from {{ e.source }}.
+ Description: {{ e.description }}
{% if e.kali_command is string() %}
+ Kali command: {{ e.kali_command }}
{% endif %}
{% if e.situation_description is string() %}
+ Situation: {{ e.situation_description }}
{% endif %}
{% if e.countermeasure is string() %}
+ Countermeasure: {{ e.countermeasure }}
{% endif %}
{% if e.result is string() %}
Attack result::

    {{ e.result }}
{% endif %}
{% if e.result is iterable() %}
Attack result::

{% for item in e.result %}
    {{ item|trim()|indent(4) }}
{% endfor %}
{% endif %}
{% endif %}
{% if e.sub_type is eq("caldera") %}

Caldera attack {{ e.name }}
~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ Tactics: {{ e.tactics }}
+ Tactics ID: {{ e.tactics_id }}
+ Hunting Tag: {{ e.hunting_tag}}
+ At {{ e.timestamp }} a Caldera ability {{ e.ability_id }}/"{{ e.name }}" was used to attack the group {{ e.target_group }} from {{ e.source }}.
+ Description: {{ e.description }}
{% if e.situation_description is string() %}
+ Situation: {{ e.situation_description }}
{% endif %}
{% if e.countermeasure is string() %}
+ Countermeasure: {{ e.countermeasure }}
{% endif %}
{% if e.result is string() %}
Attack result::

    {{ e.result }}
{% endif %}
{% if e.result is iterable() %}
Attack result::

{% for item in e.result %}
    {{ item|trim()|indent(4) }}
{% endfor %}
{% endif %}
{% endif %}
{% endif %}  {# event equal start #}
{% endfor %}


Tools
-----

{% for e in events %}
{% if e.event is eq("start") %}
{% if e.type is eq("build") %}

Building tool {{ e.filename }}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The file {{ e.filename }} is built
{% if e.for_step %}
It will be used in Step {{ e.for_step }}
{% endif %}
Build time is between {{ e.timestamp }} and {{ e.timestamp_end }}
{% if e.dl_uri is string() %}
Built from source downloaded from {{ e.dl_uri }}
{% endif %}
{% if e.dl_uris %}
Built from sources downloaded from
{% for i in e.dl_uris %}
* {{ i }}
{% endfor %}
{% endif %}
{% if e.payload is string() %}
The attack tool uses a Meterpreter payload. The payload is {{ e.payload }}. The payload is built for the {{ e.platform }} platform and the {{ e.architecture }} architecture.
The settings for lhost and lport are {{ e.lhost }}/{{ e.lport }}.
{% endif %}
{% if e.encoding is string() %}
The file was encoded using {{ e.encoding }} after compilation.
{% endif %}
{% if e.encoded_filename is string() %}
The encoded version is named {{ e.encoded_filename }}.
{% endif %}
{% if e.SRDI_conversion %}
The attack tool was converted to position independent shellcode. See: https://github.com/monoxgas/sRDI
{% endif %}
{{ e.comment }}
{% endif %}
{% endif %}

{% endfor %}