
Atomic Red Team support #1

Open: wants to merge 35 commits into base: main
Conversation

inesusvet (Owner) commented Oct 22, 2024

Translation of ART tests to TTPForge format guide

  1. Check out the branch containing the translation script (see the PR in my fork of TTPForge).
  2. Install the Mage build tool for Go in order to run the translation script.
  3. Select a YAML file from the ART library to translate to TTPForge format.
  4. Run the translation script, passing the directory containing the ART YAML file.
     For example: `mage convertYAMLSchema ~/atomic-red-team/atomics/T1003.002`
  5. Test the translated YAML file with TTPForge.

See more in docs/TranslationGuide.md

inesusvet (Owner, Author) commented:

Installing Atomic-red-team invoke to Windows laptop wiki

inesusvet (Owner, Author) commented:

We need to ensure the MITRE Tactic is present, as the lack of it fails validation:

```
➜  ttpforge git:(art) ✗ go run main.go run --dry-run ./example-ttps/T1113/Screencapture.yaml
WARN    No config file specified and default configuration file not found!
WARN    You probably want to run `ttpforge init`!
WARN    However, if you know what you are doing, then carry on :)
ERROR   failed to run command:
        could not load TTP at /Users/nesusvet/dev/ttpforge/example-ttps/T1113/Screencapture.yaml:
        TTP 'Screencapture' has a MitreAttackMapping but no Tactic is defined
```

inesusvet (Owner, Author) commented:

Parsed all known MITRE tags using the script from https://github.com/sduff/mitre_attack_csv/.
After some additional data manipulation, it solves the problem of mapping a Technique to the Tactic.

inesusvet added a commit that referenced this pull request Oct 23, 2024
Summary:
Pull Request resolved: facebookincubator#516

To enable actual cleanups and prevent errors like

```
ERROR   failed to run command:
        could not load TTP at /home/nesusvet/security-ttpcode/ttps/infra/tupperware/ssh-to-container-as-root.yaml:
        could not parse action for step "start-tupperware-container": action fields did not match any valid action type
```

The changes are pretty radical, but I don't see why we need a custom implementation of the cleanup logic for the expect step.

Consider a small change to the [expect.yaml](https://www.internalfb.com/code/fbsource/fbcode/security/redteam/purple_team/ttpforge/example-ttps/actions/expect/expect.yaml) example TTP:
```
hg d
 diff --git a/fbcode/security/redteam/purple_team/ttpforge/example-ttps/actions/expect/expect.yaml b/fbcode/security/redteam/purple_team/ttpforge/example-ttps/actions/expect/expect.yaml
 --- a/fbcode/security/redteam/purple_team/ttpforge/example-ttps/actions/expect/expect.yaml
+++ b/fbcode/security/redteam/purple_team/ttpforge/example-ttps/actions/expect/expect.yaml
@@ -26,3 +26,4 @@
           response: "John"
         - prompt: "Enter your age:"
           response: "30"
+      cleanup: echo "Done"
```
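Review bot: the added `cleanup: echo "Done"` line is indented six spaces, which places it inside the `expect:` mapping as a sibling of the prompt/response list (whose items sit at eight spaces) rather than at step level, and its value is a bare string instead of an action mapping. The commit message should say which placement and which value form the reworked expect step now honors; as written, the example only demonstrates that this nested, string-valued form is ignored on master, which is what the "No Cleanup Action Defined" lines in the run below show.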

Try running it on master and see that NO CLEANUP instructions are executed:
```
 buck run security/redteam/purple_team/ttpforge:ttpforge -- run security/redteam/purple_team/ttpforge/example-ttps/actions/expect/expect.yaml
File changed: fbcode//security/redteam/purple_team/ttpforge/example-ttps/actions/expect/expect.yaml
Buck UI: https://www.internalfb.com/buck2/a008be5d-79d8-4591-960a-64fafbc10a44
Network: Up: 0B  Down: 0B
Jobs completed: 4. Time elapsed: 0.0s.
BUILD SUCCEEDED
INFO    RUNNING TTP: Complex Expect Step with Python Script
INFO    ----------------------------------------
INFO    Executing Step #1: "create_python_script"
INFO    ----------------------------------------
INFO    Executing Step #2: "run_expect_script"
Enter your name:
John
Enter your age:
30
Hello John, you are 30 years old!
INFO    ----------------------------------------
INFO    All TTP steps completed successfully!
INFO    ========================================
INFO    CLEANING UP 2 steps of TTP: "Complex Expect Step with Python Script"
INFO    ----------------------------------------
INFO    Cleaning Up Step #2: "run_expect_script"
INFO    No Cleanup Action Defined for Step run_expect_script
INFO    ----------------------------------------
INFO    Cleaning Up Step #1: "create_python_script"
INFO    No Cleanup Action Defined for Step create_python_script
INFO    ----------------------------------------
INFO    Finished Cleanup Successfully
```

Differential Revision: D64108097

fbshipit-source-id: 2ab395b393b88ebfd0f5dd647cd75f34fce52b97
inesusvet (Owner, Author) commented Oct 24, 2024

Notable errors parsing all auto-generated YAMLs:

```
while parsing a block mapping
  in "atomics/T1176/7a714703-9f6b-461c-b06d-e6aeac650f27.yaml", line 23, column 7
expected <block end>, but found '<scalar>'
  in "atomics/T1176/7a714703-9f6b-461c-b06d-e6aeac650f27.yaml", line 26, column 9
```

Should we prevent empty lines or colons in long description texts? Looks like "References:" in the description text breaks the YAML parser.
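The translation the PR description outlines, the missing-Tactic validation error, the CSV-derived technique-to-tactic mapping and the `References:` parse failure discussed in this thread, worked through as one added Go example. This is not the PR's `convertYAMLSchema` script and not TTPForge code: the `AtomicTest`, `Technique`, `ConstructedTechniqueMap`, `SampleTest` and `ToTTPForge` names are mine, the sample test data is constructed, the technique table stands in for whatever the author derived from sduff/mitre_attack_csv (and must contain the parent technique of any sub-technique), and the emitted layout (`api_version`, `uuid`, `mitre` with `tactics`/`techniques`/`subtechniques`, `args`, `inline`/`cleanup` steps) reflects my reading of the TTPForge schema, so check it against the version you run. It also goes one step beyond the thread by rewriting ART `#{arg}` placeholders into TTPForge `{{.Args.arg}}` references.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// AtomicTest is the subset of an Atomic Red Team test the converter needs; the real
// script parses it from atomics/<Txxxx>/<Txxxx>.yaml, here it is filled in by hand.
type AtomicTest struct {
	TechniqueID, GUID, Name, Description string // attack_technique, auto_generated_guid, name, description
	Command, CleanupCommand             string // executor.command / executor.cleanup_command, with #{arg} placeholders
	Args                                []Arg  // input_arguments, in file order
}

type Arg struct{ Name, Default string }

// Technique holds the ATT&CK name and every "TAxxxx Tactic Name" the technique belongs to.
type Technique struct {
	Name    string
	Tactics []string
}

// ConstructedTechniqueMap stands in for the table derived from sduff/mitre_attack_csv;
// the real one covers every technique, this one only what the sample needs.
var ConstructedTechniqueMap = map[string]Technique{
	"T1003":     {"OS Credential Dumping", []string{"TA0006 Credential Access"}},
	"T1003.002": {"Security Account Manager", []string{"TA0006 Credential Access"}},
	"T1113":     {"Screen Capture", []string{"TA0009 Collection"}},
}

var artPlaceholder = regexp.MustCompile(`#\{([A-Za-z0-9_]+)\}`) // ART input_arguments reference

// blockScalar writes "key: |" with the text indented one level deeper. A literal block scalar
// keeps "References:", '#' and blank lines from being read as YAML structure, the likely
// cause of the T1176 "expected <block end>, but found '<scalar>'" error quoted above.
func blockScalar(b *strings.Builder, indent int, key, text string) {
	pad := strings.Repeat(" ", indent)
	fmt.Fprintf(b, "%s%s: |\n", pad, key)
	for _, line := range strings.Split(strings.TrimRight(text, "\n"), "\n") {
		if line != "" {
			line = pad + "  " + line
		}
		b.WriteString(line + "\n")
	}
}

// ToTTPForge renders one atomic test as a TTPForge TTP. It refuses to emit a TTP whose
// technique has no tactic, since that is exactly what TTPForge's loader rejects
// ("has a MitreAttackMapping but no Tactic is defined").
func ToTTPForge(t AtomicTest, techs map[string]Technique) (string, error) {
	tech, ok := techs[t.TechniqueID]
	if !ok || len(tech.Tactics) == 0 {
		return "", fmt.Errorf("%s: no tactic in mapping table, TTPForge would reject it", t.TechniqueID)
	}
	parentID, _, isSub := strings.Cut(t.TechniqueID, ".") // T1003.002 -> parent T1003
	var b strings.Builder
	fmt.Fprintf(&b, "---\napi_version: 2.0\nuuid: %s\nname: %s\n", t.GUID, strconv.Quote(t.Name))
	blockScalar(&b, 0, "description", t.Description)
	fmt.Fprintf(&b, "mitre:\n  tactics:\n    - %s\n", strings.Join(tech.Tactics, "\n    - "))
	fmt.Fprintf(&b, "  techniques:\n    - %s %s\n", parentID, techs[parentID].Name)
	if isSub {
		fmt.Fprintf(&b, "  subtechniques:\n    - %s %s\n", t.TechniqueID, tech.Name)
	}
	for i, a := range t.Args {
		if i == 0 {
			b.WriteString("args:\n")
		}
		fmt.Fprintf(&b, "  - name: %s\n    default: %s\n", a.Name, strconv.Quote(a.Default))
	}
	tmpl := func(s string) string { return artPlaceholder.ReplaceAllString(s, "{{.Args.$1}}") }
	b.WriteString("steps:\n  - name: run\n")
	blockScalar(&b, 4, "inline", tmpl(t.Command))
	if t.CleanupCommand != "" { // ART cleanup_command becomes the step's cleanup action
		b.WriteString("    cleanup:\n")
		blockScalar(&b, 6, "inline", tmpl(t.CleanupCommand))
	}
	return b.String(), nil
}

// SampleTest is a constructed atomic test modelled on ART's T1003.002 SAM hive dump (cmd.exe syntax).
var SampleTest = AtomicTest{
	TechniqueID: "T1003.002", GUID: "00000000-0000-4000-8000-000000000001",
	Name:        "Save SAM hive to disk (constructed sample)",
	Description: "Dumps the SAM hive for offline parsing.\n\nReferences: https://attack.mitre.org/techniques/T1003/002/",
	Command:     "reg save HKLM\\sam #{output_file}", CleanupCommand: "del #{output_file} >nul 2>&1",
	Args:        []Arg{{"output_file", "%temp%\\sam"}},
}

func main() {
	out, err := ToTTPForge(SampleTest, ConstructedTechniqueMap)
	if err != nil {
		panic(err)
	}
	fmt.Print(out) // save to a file and check with: ttpforge run --dry-run <file>
}
```

Running it prints a TTP whose `description` is a literal block scalar, so the `References:` line in the sample survives the round trip, and whose `mitre` block carries the tactic the loader insists on; feeding a technique that is missing from the table returns an error instead of a TTP that fails only at load time.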

inesusvet (Owner, Author) commented:

Rebased on upstream and force-pushed to reduce the number of commits in the PR.
