mirror of https://github.com/avast/PurpleDome
=================
Purple Dome intro
=================

.. This toctree is only to link examples.

.. toctree::
   :glob:
   :hidden:

The problem
===========

Complex malware attacks in stages. Especially the last stages can be file-less.

Should I be concerned?
----------------------

If you are running a company network: yes.

After the initial opportunistic infection and system scanning, the malware can call an operator.

.. after the operator was called it is fileless

Will AV protect me?
===================

Modern AV software does not only do file detection but also behaviour detection.

Sometimes this is advertised. But even if it is not, a basic version will be shipped with your AV.

For advanced attacks, this is the module protecting you.

Does this work well?
--------------------

The behaviour component is a complex beast:

* Different OS versions
* Performance
* Stability
* Lots of different behaviour patterns possible

Is file-less bad?
-----------------

* Dealing with files is simpler
* QA and development are much harder without malware files

Purple Dome makes dealing with file-less malware simpler
========================================================

We need it to...

* Develop sensors
* Create the logic
* Test everything

Purple Dome: Internals
======================

Purple Dome is a fully automated simulation environment to experiment with sophisticated attacks.

Spawning targets
----------------

VMs with the selected OS are initialised and started. That way we can experiment with different OS versions.

Spawning the attacker
---------------------

The attacker VM is Kali Linux. It contains:

* Metasploit
* Caldera
* Command line tools (nmap, ...)

Sensor Setup
------------

Sensors are installed on the targets. From now on, the events are recorded.

Running the attacks
-------------------

Attacks are run based on a script.

Collecting sensor data
----------------------

Data from the sensors and the log of the attack itself are the result of the simulation.

Creating a description
----------------------

For a quick overview, Purple Dome generates a human-readable PDF document describing the attack.
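
The two outputs just described, the attack log and the sensor data, are only useful once they are joined. As an added example (not code from the PurpleDome project), the snippet below matches each scripted attack step against the sensor events its target recorded within a time window and reports which steps were detected and which ran without a trace; the record layouts and all sample values are constructed assumptions, not the project's real formats.

```python
"""Correlate an attack log with sensor events (added example, not PurpleDome code).
The record layouts below are assumptions constructed for illustration, not the
project's real formats."""
from datetime import datetime, timedelta

# Constructed attack log: what the attack script ran, when, and against which target.
ATTACK_LOG = [
    {"time": "2021-06-01T10:00:00", "target": "win10-target", "step": "nmap port scan"},
    {"time": "2021-06-01T10:02:30", "target": "win10-target", "step": "caldera: discovery"},
    {"time": "2021-06-01T10:05:00", "target": "win10-target", "step": "caldera: credential access"},
]

# Constructed sensor events recorded on the target VM during the run.
SENSOR_EVENTS = [
    {"time": "2021-06-01T10:00:04", "host": "win10-target", "event": "firewall: burst of inbound SYNs"},
    {"time": "2021-06-01T10:02:41", "host": "win10-target", "event": "process: whoami.exe spawned by cmd.exe"},
    {"time": "2021-06-01T10:09:00", "host": "win10-target", "event": "logon: interactive session started"},
]


def correlate(attack_log, sensor_events, window_seconds=60):
    """Match each attack step to sensor events from its target within the window.

    Returns, in attack order, {"step", "detected", "events"} so the report shows
    which steps left a trace and which ran without any sensor hit.
    """
    window = timedelta(seconds=window_seconds)
    report = []
    for step in attack_log:
        start = datetime.fromisoformat(step["time"])
        hits = [
            e["event"]
            for e in sensor_events
            if e["host"] == step["target"]
            and start <= datetime.fromisoformat(e["time"]) <= start + window
        ]
        report.append({"step": step["step"], "detected": bool(hits), "events": hits})
    return report


def coverage(report):
    """Fraction of attack steps that produced at least one sensor event."""
    return sum(r["detected"] for r in report) / len(report) if report else 0.0


if __name__ == "__main__":
    rep = correlate(ATTACK_LOG, SENSOR_EVENTS)
    for r in rep:
        print("DETECTED" if r["detected"] else "MISSED  ", r["step"], r["events"])
    print(f"coverage: {coverage(rep):.0%}")
```

With the constructed data the third step falls outside the 60 second window, so it shows up as a gap in sensor coverage, which is exactly the kind of finding the PDF description is meant to surface.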

Other Purple Dome use cases
===========================

Seminars
--------

We are evaluating how to use PD for university seminars.

Trainings
---------

Blue vs. Red Team trainings and creation of training data.

CTF
---

Capture the Flag games can be based on PD.

Buying Purple Dome
==================

It is not for sale. It is Open Source. Just fork it on GitHub:

https://github.com/avast/PurpleDome