Scenarios

Chris Gates edited this page Feb 2, 2018 · 2 revisions

Scenarios are a list of action FILES you want to run against one or more external Vagrant VMs.

Getting started

There is a scenario_example.yml that you can use as a template. It is located here:

https://github.com/uber-common/metta/blob/master/MITRE/Adversarial_Simulation/scenario_example.yml

 1  enabled: True
 2  meta:
 3    author: cg
 4    created: 2017-10-10
 5    decorations:
 6    - Purple Team
 7    description: Scenario Examples
 8    link: http://carnal0wnage.attackresearch.com
 9    mitre_attack_phase: null
10    mitre_attack_technique: null
11    scenario: True
12    scenario_actions:
13      1: MITRE/Discovery/discovery_account.yaml
14      2: MITRE/Credential_Access/credaccess_win_creddump.yml
15      3: MITRE/Execution/execution_regsvr32.yaml
16  name: scenario examples
17  uuid: 7da758ce-7c80-4169-a6ed-27abf3e5978f

Line 1: enabled: True or False (not currently used; it's a carry-over from our internal implementation)

Line 2: metadata values about the module

Line 3: author field

Line 4: created date

Line 5: decorations field

Line 6: sub-decorations; you can put whatever you want here

Line 7: description of what the actions module does

Line 8: external link about the technique/module/description

Line 9: MITRE ATT&CK phase

Line 10: MITRE ATT&CK technique

Line 11: scenario: True; metta looks for this key to decide that the file is a scenario and hand it to the run-scenario functions

Line 12: scenario_actions, the list of actions to take. The key name "scenario_actions" matters: it is what metta uses to find the list of things you want to run. The entries are action files, given by path relative to the metta root.

Lines 13-15: the action FILES you want to run, one per line; they need to be numbered in order as in the example (1: ..., 2: ..., 3: ...)

Line 16: name, the name of the module and what gets logged to the JSON log as rule_name

Line 17: uuid, a unique UUID for the module. This isn't strictly enforced yet, but it might be in the future. You can use make_uuid.py inside helper_scripts to generate one for you.
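Because metta locates the run list through the meta.scenario and meta.scenario_actions keys and runs the action files in numeric order, a scenario that is mis-keyed (quoted "1": instead of 1:, a gap in the numbering, or a path outside the metta root) fails or runs out of order only at execution time. The following script, an added example that is not part of metta's own code, checks a scenario before it is run: it validates the fields described above, sorts the actions by their numeric key, and resolves each path against the metta root to report missing action files. It assumes PyYAML (which metta itself uses) only for loading from disk; the in-memory EXAMPLE_SCENARIO dict is a constructed copy of what safe_load returns for scenario_example.yml, so the block runs offline, and the check that every entry ends in .yml/.yaml and stays under the root is an assumption added here, not a rule metta enforces.

```python
"""Validate and order a metta scenario file before running it (added example)."""
import os
import uuid
from typing import Any, Dict, List

try:
    import yaml  # PyYAML; only needed by load_scenario_file()
except ImportError:  # the in-memory checks below still work without it
    yaml = None

# Constructed in-memory copy of what PyYAML's safe_load returns for
# scenario_example.yml (the file shown in this page), so nothing is read from disk.
EXAMPLE_SCENARIO: Dict[str, Any] = {
    "enabled": True,
    "meta": {
        "author": "cg",
        "created": "2017-10-10",
        "decorations": ["Purple Team"],
        "description": "Scenario Examples",
        "link": "http://carnal0wnage.attackresearch.com",
        "mitre_attack_phase": None,
        "mitre_attack_technique": None,
        "scenario": True,
        "scenario_actions": {
            1: "MITRE/Discovery/discovery_account.yaml",
            2: "MITRE/Credential_Access/credaccess_win_creddump.yml",
            3: "MITRE/Execution/execution_regsvr32.yaml",
        },
    },
    "name": "scenario examples",
    "uuid": "7da758ce-7c80-4169-a6ed-27abf3e5978f",
}

REQUIRED_META = ("author", "created", "description", "scenario", "scenario_actions")
ACTION_SUFFIXES = (".yml", ".yaml")  # assumption: action files are YAML


def load_scenario_file(path: str) -> Dict[str, Any]:
    """Parse a scenario file with the safe loader (no arbitrary Python object construction)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to load scenario files from disk")
    with open(path, "r", encoding="utf-8") as fh:
        return yaml.safe_load(fh)


def validate_scenario(doc: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the scenario is well-formed."""
    errors: List[str] = []
    meta = doc.get("meta")
    if not isinstance(meta, dict):
        return ["missing 'meta' mapping"]
    for key in REQUIRED_META:
        if key not in meta:
            errors.append(f"meta.{key} is missing")
    if meta.get("scenario") is not True:
        errors.append("meta.scenario must be True for metta to treat this file as a scenario")
    actions = meta.get("scenario_actions")
    if not isinstance(actions, dict) or not actions:
        errors.append("meta.scenario_actions must be a non-empty numbered mapping")
    else:
        keys = list(actions.keys())
        if not all(isinstance(k, int) for k in keys):
            errors.append("scenario_actions keys must be bare integers (1:, 2:, ...), not quoted strings")
        elif sorted(keys) != list(range(1, len(keys) + 1)):
            errors.append(f"scenario_actions must be numbered 1..{len(keys)} without gaps, got {sorted(keys)}")
        for k, v in actions.items():
            if not isinstance(v, str) or not v.endswith(ACTION_SUFFIXES):
                errors.append(f"scenario_actions[{k!r}] is not a .yml/.yaml path: {v!r}")
            elif os.path.isabs(v) or ".." in v.split("/"):
                errors.append(f"scenario_actions[{k!r}] must stay relative to the metta root: {v!r}")
    if "name" not in doc:
        errors.append("top-level 'name' is missing (it becomes rule_name in the JSON log)")
    try:
        uuid.UUID(str(doc.get("uuid")))
    except ValueError:
        errors.append(f"top-level 'uuid' is not a valid UUID: {doc.get('uuid')!r}")
    return errors


def ordered_actions(doc: Dict[str, Any]) -> List[str]:
    """Action paths in numeric key order, whatever order they appear in the file."""
    actions = doc["meta"]["scenario_actions"]
    return [actions[k] for k in sorted(actions, key=int)]


def resolve_action_paths(doc: Dict[str, Any], metta_root: str) -> List[str]:
    """Join each relative action path onto the metta root directory."""
    return [os.path.join(metta_root, rel) for rel in ordered_actions(doc)]


def missing_action_files(paths: List[str]) -> List[str]:
    """Return the resolved paths that do not exist on disk."""
    return [p for p in paths if not os.path.isfile(p)]


if __name__ == "__main__":
    problems = validate_scenario(EXAMPLE_SCENARIO)
    print("problems:", problems or "none")
    for step, path in enumerate(ordered_actions(EXAMPLE_SCENARIO), 1):
        print(f"{step}: {path}")
```

Run it from the metta root (or pass the root to resolve_action_paths) so that missing_action_files reports action files that the scenario references but the checkout does not contain; fixing those before a run is cheaper than discovering them halfway through a simulation.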
