SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

"Evidence Files" for Red Team #71

Open initstring opened 4 years ago

initstring commented 4 years ago

Hi SRA!

Thanks for your great work on a great product.

We often conduct our purple assessments asynchronously, meaning that a red team attacker may perform a test case while no blue team members are actively participating. For this reason, we like to include screenshots for important events, such as catching a reverse shell or escalating privileges on a host.

These screenshots also help drive home the impact of a test case.

It would be great if there was something on the Red Team side of the test case editor where we could put these, pretty much identical to the "Evidence Files" that is already on the Blue Team side.

Just a suggestion of course, thanks for reading!

thebleucheese commented 4 years ago

This is great feedback, thanks. In an upcoming release we have a feature built for capturing structured log output (CSVs, and a JSON format we've created that's tentatively titled 'Attack Tool Timing and Reporting' or 'ATTiRe') that, when uploaded, will automatically fill out some of the Red Team details in the VECTR test case panel as well as capturing output. This is meant to be used for translating the output of attack tools for the Red Team so that getting data into VECTR is much swifter. Additionally, we'll be adding the ability to attach unstructured logs just in case you want to upload log files from Red Team tools that aren't in a structured format that VECTR can understand. A good example of this is Cobalt Strike logs. Right now this is all primarily for text data, but it incidentally covers some of the use case here.

I've attached a screenshot of the unstructured log view.
[screenshot: sampleNmapLogView]

This is only showing the most boring part of this upcoming set of features. The rest of it should be a lot more interesting both visually and in practice, but we don't want to give too much away while it's still in testing. 😄

We'll track the request for Red Team attachments like screenshots and other data as well, that's a good idea.
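The reply above describes turning raw attack-tool output into structured records (command, timing, captured output) so that Red Team details can be filled in automatically. The snippet below is an added illustration of that idea and is not VECTR's code; the log format it parses is constructed, and the output schema (`command`, `start`, `end`, `output`) is a hypothetical one, not the ATTiRe format, whose fields are not described on this page.

```python
"""Added example, not VECTR's code: parse a constructed, timestamped
operator log into one structured record per command, so the result can be
attached as Red Team evidence or fed to a converter. Schema is hypothetical."""
import json
import re

# Constructed sample log. A line of the form "[HH:MM:SS] > cmd" starts a
# command; every other line is output of the most recent command.
SAMPLE_LOG = """\
[14:02:11] > whoami
corp\\jsmith
[14:02:12] > net localgroup administrators
Administrators
corp\\jsmith
[14:02:19] > exit
"""

COMMAND_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] > (.*)$")


def parse_tool_log(text, date="2020-01-01"):
    """Return a list of records {command, start, end, output}.

    The end time of a command is the start time of the next command, since
    the log carries no explicit completion marker; the final command's end
    time is therefore unknown and set equal to its start time. Timestamps
    are combined with the supplied date (an assumption, since the log has
    only times) and emitted as ISO 8601 in UTC.
    """
    records = []
    current = None
    for line in text.splitlines():
        match = COMMAND_RE.match(line)
        if match:
            stamp = f"{date}T{match.group(1)}Z"
            if current is not None:
                current["end"] = stamp
                records.append(current)
            current = {"command": match.group(2), "start": stamp,
                       "end": None, "output": []}
        elif current is not None:
            current["output"].append(line)
    if current is not None:
        current["end"] = current["end"] or current["start"]
        records.append(current)
    return records


def to_json(records):
    """Serialise records to pretty-printed JSON for upload or attachment."""
    return json.dumps(records, indent=2)


if __name__ == "__main__":
    print(to_json(parse_tool_log(SAMPLE_LOG)))
```

Real tool logs (Cobalt Strike's, for instance) use their own line formats, so the regular expression and the end-time heuristic would need adapting per tool; the point is only that a few lines of parsing recover the timing and output that would otherwise be typed into the test case by hand.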

initstring commented 4 years ago

These new features sound great, and that screenshot looks really sharp! Nice work, I look forward to seeing it in action.