SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Upload Multiple Test Case files - Import Multiple Logs #235

Open mwtilton opened 1 year ago

mwtilton commented 1 year ago

Describe the Feature Request I am attempting to run RedCanary's Atomic Red Team Tests (ART), output them to ATTiRE format and import them into VECTR for further analysis and collaboration. The upload option requires that each file be uploaded individually; if you run the suggested method in a foreach loop, this can output quite a lot of files.

To Reproduce Based on the instructions in this Repository: https://github.com/redcanaryco/invoke-atomicredteam/wiki/Execute-Atomic-Tests-(Local)

I run the suggested foreach loop:

$techniques = gci C:\AtomicRedTeam\atomics\* -Recurse -Include T*.yaml | Get-AtomicTechnique

foreach ($technique in $techniques) {
    foreach ($atomic in $technique.atomic_tests) {
        if ($atomic.supported_platforms.contains("windows") -and ($atomic.executor -ne "manual")) {
            # Get Prereqs for test
            Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -GetPrereqs
            # Invoke
            Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid
            # Sleep then cleanup
            Start-Sleep 3
            Invoke-AtomicTest $technique.attack_technique -TestGuids $atomic.auto_generated_guid -Cleanup
        }
    }
}

Based on the GUI interface: It looks like multiple file uploads are possible, but when you click/drag files it only allows one at a time. (screenshot: attire1a.png)

Steps to reproduce the behavior:

  1. Go to 'Campaign Dashboard'
  2. Click on 'Assessment Actions'
  3. Scroll down to 'Import Log'
  4. Click on 'Drag & Drop your files or browse'
  5. Attempt to upload more than one file.

Expected behavior I expect to be able to import multiple files directly into the assessment based on the text inside the upload function.

Desktop (please complete the following information):

Additional context n/a

SRAPSpencer commented 1 year ago

This would be a large enhancement given the current functionality. Noted for future consideration.

Retrospected commented 1 year ago

I have written a quick script to merge multiple logs into one file for easier upload. This merges the procedures of all files in a directory and will take predefined execution-data values for all procedures. For more information see the README.

https://github.com/Retrospected/attire-merger

Importing these logs via an API would be very useful as well for automated test environments.
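
As an added illustration of the merge described above (example code, not the attire-merger project's code, the thread's, or VECTR's), the script below concatenates the procedures of several ATTiRE result documents under one caller-supplied execution-data block and renumbers their order. The ATTiRE field names it relies on (attire-version, execution-data, procedures, order) are assumed from the public ATTiRE schema, and the two sample logs are constructed in the block so it runs offline.

```python
"""Merge several ATTiRE result files into one document for a single upload.

Added example, not code from the thread, the attire-merger project, or VECTR.
The ATTiRE field names used here (attire-version, execution-data, procedures,
order) are assumed from the public ATTiRE schema; the sample logs are constructed.
"""
import json
from pathlib import Path
from typing import Iterable, List

REQUIRED_TOP_LEVEL = ("attire-version", "execution-data", "procedures")


def validate_attire(log: dict, source: str = "<memory>") -> None:
    """Reject a document missing the keys the merge relies on."""
    missing = [key for key in REQUIRED_TOP_LEVEL if key not in log]
    if missing:
        raise ValueError(f"{source}: missing required keys {missing}")
    if not isinstance(log["procedures"], list):
        raise ValueError(f"{source}: 'procedures' must be an array")


def merge_attire_logs(logs: Iterable[dict], execution_data: dict) -> dict:
    """Concatenate the procedures of all logs under one execution-data block.

    Per-file execution-data blocks are dropped, as the merge described in the
    thread does, and procedure 'order' values are renumbered to stay unique.
    """
    merged: List[dict] = []
    versions = set()
    for log in logs:
        validate_attire(log)
        versions.add(log["attire-version"])
        # Preserve each file's own ordering before renumbering across files.
        for proc in sorted(log["procedures"], key=lambda p: p.get("order", 0)):
            merged.append(dict(proc))  # copy so the input documents stay untouched
    if not versions:
        raise ValueError("no logs to merge")
    if len(versions) > 1:
        raise ValueError(f"mixed attire-version values: {sorted(versions)}")
    for position, proc in enumerate(merged, start=1):
        proc["order"] = position
    return {
        "attire-version": versions.pop(),
        "execution-data": execution_data,
        "procedures": merged,
    }


def merge_directory(directory: Path, execution_data: dict, pattern: str = "*.json") -> dict:
    """Load every file matching `pattern` in `directory` and merge them."""
    logs = []
    for path in sorted(directory.glob(pattern)):
        with path.open(encoding="utf-8") as handle:
            log = json.load(handle)
        validate_attire(log, str(path))
        logs.append(log)
    return merge_attire_logs(logs, execution_data)


def _sample_log(execution_id: str, procedures: List[dict]) -> dict:
    """Constructed minimal ATTiRE document standing in for one Invoke-AtomicTest run."""
    return {
        "attire-version": "1.1",  # constructed value
        "execution-data": {
            "execution-id": execution_id,
            "execution-source": "Invoke-AtomicRedTeam",
            "target": {"host": "lab-host-01", "ip": "10.0.0.5", "user": "labuser"},
            "time-generated": "2023-01-01T00:00:00.000Z",
        },
        "procedures": procedures,
    }


def _proc(name: str, order: int) -> dict:
    """Constructed procedure entry; the technique id is a placeholder."""
    return {
        "procedure-name": name,
        "mitre-technique-id": "T0000",  # placeholder technique id
        "order": order,
        "steps": [{"order": 1, "executor": "powershell",
                   "command": "Write-Output 'placeholder'", "output": []}],
    }


# Two constructed result files; the first lists its procedures out of order.
SAMPLE_LOGS = [
    _sample_log("run-a", [_proc("A2", 2), _proc("A1", 1)]),
    _sample_log("run-b", [_proc("B1", 1)]),
]
MERGED_EXECUTION_DATA = {
    "execution-id": "merged-run",
    "execution-source": "Invoke-AtomicRedTeam",
    "target": {"host": "lab-host-01", "ip": "10.0.0.5", "user": "labuser"},
    "time-generated": "2023-01-01T00:00:00.000Z",
}


def demo() -> dict:
    """Merge the constructed sample logs the way a directory of real ones would be."""
    return merge_attire_logs(SAMPLE_LOGS, MERGED_EXECUTION_DATA)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints a single merged document with three procedures ordered 1 to 3; `merge_directory(Path("./attire-logs"), MERGED_EXECUTION_DATA)` applies the same merge to real files. The version check matters because a merged file mixing schema versions would otherwise fail, or worse, partially import, on the VECTR side.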

thebleucheese commented 1 year ago

I have written a quick script to merge multiple logs into one file for easier upload. This merges the procedures of all files in a directory and will take predefined execution-data values for all procedures. For more information see the README.

https://github.com/Retrospected/attire-merger

Importing these logs via an API would be very useful as well for automated test environments.

Awesome, thanks for publishing and sharing this! We do plan on allowing ingestion of these logs via API. There are some technical limitations regarding how this log data was stored that we're reworking as part of major backend changes we're addressing now. We expect to expose this functionality via the API sometime soon after that's completed.

renzhexigua commented 1 year ago

take predefined execution-data values for all procedures

It'll be better if we can record/write multiple <execution-data, procedures[]> items in one AttireLog.json file, but it has to change the attire schema to support this need.

Like,

{
    "$schema": "http://json-schema.org/draft-07/schema",
    ...
    "required": [
        "test-cases"
    ],
    "properties": {
        "test-cases": {
            "type": "array",
            "properties": {
                "execution-data": {
                    "$id": "#/properties/execution-data",
                    "type": "object",
                    ...
                },
                "procedures": {
                    "$id": "#/properties/procedures",
                    "type": "array",
                    ...
                },
                ...
            }
            ...
        }
    }
}

arishwani commented 10 months ago

How do you run the command for attire-merger.py? Is it run like below? python attire-merger.py -json /input/*json

SRAPSpencer commented 10 months ago

How do you run the command for attire-merger.py? Is it run like below? python attire-merger.py -json /input/*json

If you want to ask questions about the Python project, you should open an issue there.

https://github.com/Retrospected/attire-merger

This issue is for the feature request at hand.