SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Error importing ATTiRE .json file #233

Closed mwtilton closed 1 year ago

mwtilton commented 1 year ago

Describe the bug

I am attempting to run RedCanary's Atomic RedTeam Tests (ART) and output them to ATTiRE format and import them into Vectr for further analysis and collaboration.

To Reproduce

Based on the instructions in this Repository:

https://github.com/SecurityRiskAdvisors/invoke-atomic-attire-logger
https://github.com/redcanaryco/invoke-atomicredteam/wiki/Execute-Atomic-Tests-(Local)

I run one of these:

($PSDefaultParameterValues are pre-configured, but figured I should place here for reference)

    Invoke-AtomicTest All -ExecutionLogPath ((Get-Date -UFormat %s) + ".json") -Verbose

(Or I can explicitly set the module and Test)

    Invoke-AtomicTest T1053.003 -LoggingModule "Attire-ExecutionLogger" -ExecutionLogPath ((Get-Date -UFormat %s) + ".json")

Either one of these will output a .json file that contains what looks like valid procedures:

{
  "attire-version": "1.1",
  "execution-data": {
    "execution-source": "Invoke-Atomicredteam",
    "execution-id": "ZWM1OWY1N<...>ODBmYjUzZDQx",
    "execution-category": {
      "name": "Atomic Red Team",
      "abbreviation": "ART"
    },
<...>

Based on the screenshots in this Repository: https://github.com/SecurityRiskAdvisors/ATTiRe

I attempt to upload the results from one of these .json files into a campaign. (Please note it is not immediately obvious if these output files are supposed to be imported as an assessment, campaign or a specific test case only.) I presume based on the second screenshot that these are meant for campaign assessment log files.

Steps to reproduce the behavior:

  1. Go to Campaign Dashboard
  2. Click on Assessment Actions
  3. Scroll down to Import Log
  4. Upload completes (No errors yet)
  5. Click Submit
  6. Big error appears: UNSTRUCTURED LOG IMPORT NOT IMPLEMENTED IN THIS CODEPATH.

On the backend I see these errors:

java.lang.RuntimeException: UNSTRUCTURED LOG IMPORT NOT IMPLEMENTED IN THIS CODEPATH.
    at com.sra.vectr.dataimport.importTools.fileimport.request.ImportJsonRequestResolver.buildRequestResolution(ImportJsonRequestResolver.java:68)
    at com.sra.vectr.rest.service.task.fileimport.ImportFileRequestHandler.buildUploadRequestResolution(ImportFileRequestHandler.java:178)
    at com.sra.vectr.rest.service.task.fileimport.ImportFileRequestHandler.resolve(ImportFileRequestHandler.java:116)
    at com.sra.vectr.rest.service.task.fileimport.LogImportUploadTask.runTask(LogImportUploadTask.java:40)
    at com.sra.vectr.rest.service.task.fileimport.LogImportUploadTask.runTask(LogImportUploadTask.java:22)

I am not a Java coder, but it looks like it's either a validation of the file schema version or I am uploading this to the incorrect import log option.

Expected behavior

I expect to run the ART and import directly into the assessment.

Desktop Environment:

thebleucheese commented 1 year ago

@mwtilton Thanks so much for the detailed report! We recently noticed the Invoke-AtomicRedTeam project changed its logging mechanism slightly which caused an issue with the ATTiRe logger.

Can you verify in your log file that, in the "output" section near the bottom, content is not a boolean value? This should always be some kind of String. Additionally, target.user and target.host must be plain Strings and not objects. If there's a { 'json': 'object' } inside either of those values instead of something like "testuser" it will cause import errors like you're seeing. This is typically the issue we've been seeing and correcting this should allow you to import your log file.

There's a PR open for the ATTiRe Import logger you could test: https://github.com/SecurityRiskAdvisors/invoke-atomic-attire-logger/pull/2/commits/4e982e1199bf34c3f2ac9706b80311339e4bbe72

We haven't completely tested it yet, but a fix like this will eventually be needed on the attire logger project to correct this.
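A pre-import check for the two conditions described in the comment above (a non-string output content, an object in target.user or target.host), written as an added example that is not part of VECTR, the ATTiRe logger, or this thread. It walks the whole JSON document rather than assuming a fixed layout; the sample log is constructed from the fields quoted in the issue, and the placement of the procedures/steps/output array is an assumption.

```python
import json
from typing import Any, List, Tuple

# Constructed sample modelled on the fields quoted in the issue; not a real log.
# The procedures -> steps -> output nesting is assumed, not shown in the thread.
SAMPLE_LOG = {
    "attire-version": "1.1",
    "execution-data": {
        "execution-source": "Invoke-Atomicredteam",
        "target": {"user": {"name": "testuser"}, "host": "DESKTOP-JEKA8IC"},
    },
    "procedures": [{"steps": [{"output": [{"type": "console", "content": True}]}]}],
}

STRING_FIELDS = ("user", "host")


def find_problems(node: Any, path: str = "$") -> List[Tuple[str, str]]:
    """Report every value the thread says VECTR's importer rejects:
    output[].content that is not a string, or target.user / target.host
    that is an object (or any non-string) instead of a plain string."""
    problems: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}"
            if key == "target" and isinstance(val, dict):
                for f in STRING_FIELDS:
                    if f in val and not isinstance(val[f], str):
                        problems.append((f"{here}.{f}", "must be a plain string"))
            if key == "output" and isinstance(val, list):
                for i, e in enumerate(val):
                    if isinstance(e, dict) and not isinstance(e.get("content", ""), str):
                        kind = type(e["content"]).__name__
                        problems.append((f"{here}[{i}].content", f"is {kind}, must be a string"))
            problems.extend(find_problems(val, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            problems.extend(find_problems(item, f"{path}[{i}]"))
    return problems


def to_plain_string(value: Any) -> str:
    """Coerce a bad value to text; booleans become 'true'/'false', objects their JSON."""
    if isinstance(value, str):
        return value
    if isinstance(value, bool):
        return "true" if value else "false"
    return "" if value is None else json.dumps(value)


def fix_log(node: Any) -> Any:
    """Return a copy of the document with the offending values coerced to strings."""
    if isinstance(node, dict):
        out = {}
        for key, val in node.items():
            if key == "target" and isinstance(val, dict):
                val = {k: to_plain_string(v) if k in STRING_FIELDS else v for k, v in val.items()}
            elif key == "output" and isinstance(val, list):
                val = [dict(e, content=to_plain_string(e["content"]))
                       if isinstance(e, dict) and "content" in e else e for e in val]
            out[key] = fix_log(val)
        return out
    if isinstance(node, list):
        return [fix_log(x) for x in node]
    return node
```

Run `find_problems` on the parsed file before uploading; if it reports anything, `fix_log` produces a version that satisfies the importer's string expectations so the upload can be retried.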

mwtilton commented 1 year ago

Ah, I saw that but only read it as an MIT license issue for some reason; that is quite the PR from Redcanary. I will download the suggested logger .psm1 update and see if I have any luck there. Should be able to test by early next week.

It looks like the content section was the problem:

    "content": true,

target.user/target.host seem to have only string values in them:

    "target": {
      "user": "desktop-jeka8ic\\user",
      "host": "DESKTOP-JEKA8IC",

thebleucheese commented 1 year ago

@mwtilton FYI - the last PR I mentioned had a slight bug in it. We've updated the PowerShell module in https://github.com/SecurityRiskAdvisors/invoke-atomic-attire-logger/ with changes to work with the latest version of Invoke-AtomicRedTeam. Give it a shot and let us know if it's working.

Going to close this since the bug was in another project.

mwtilton commented 1 year ago

@thebleucheese Looks like the latest .psm1 file works! Thanks!