alphasoc / flightsim

A utility to safely generate malicious network traffic patterns and evaluate controls.
https://alphasoc.com

enumerate c2 families #44

Closed kmroz closed 2 years ago

kmroz commented 2 years ago

Addresses https://github.com/alphasoc/flightsim/issues/26

Setting this as a draft until wisdom work is pushed.

kmroz commented 2 years ago

Totally open to changing the look/feel/syntax of the command (i.e. use of terms like element, category, etc.). I tried keeping in line with how the run command looks.

```
AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:34:49

usage: flightsim get [flags] element:category

Available elements:

    families

Available categories:

    c2

Available flags:
  -cols int
        print elements in number of columns
  -max int
        max number of elements returned (default 9223372036854775807)
```


- basic run

```
$ ./flightsim get families:c2

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:36:08

12:36:08 [families:c2] Fetching c2 families
12:36:08 [families:c2] 404 Keylogger, AB Stealer, APT29, ARS VBS Loader, ATRAPS, AZORult, AceRAT, Adwind, Agent Tesla, Alien, ...HUGE_SNIP... , ztds
12:36:08 [families:c2] Fetched 214 c2 families

All done!
```


- limiting number of families returned

```
$ ./flightsim get -max 5 families:c2

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:37:35

12:37:35 [families:c2] Fetching c2 families
12:37:35 [families:c2] 404 Keylogger, AB Stealer, APT29, ARS VBS Loader, ATRAPS
12:37:35 [families:c2] Fetched 5 c2 families

All done!
```


- columns

```
$ ./flightsim get -max 3 -cols 1 families:c2

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:41:28

12:41:28 [families:c2] Fetching c2 families

404 Keylogger
AB Stealer
APT29

12:41:28 [families:c2] Fetched 3 c2 families

All done!
$ ./flightsim get -max 10 -cols 2 families:c2

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:38:13

12:38:13 [families:c2] Fetching c2 families

404 Keylogger   AB Stealer
APT29           ARS VBS Loader
ATRAPS          AZORult
AceRAT          Adwind
Agent Tesla     Alien

12:38:13 [families:c2] Fetched 10 c2 families

All done!
$ ./flightsim get -max 10 -cols 3 families:c2

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:38:17

12:38:17 [families:c2] Fetching c2 families

404 Keylogger   AB Stealer      APT29
ARS VBS Loader  ATRAPS          AZORult
AceRAT          Adwind          Agent Tesla
Alien

12:38:17 [families:c2] Fetched 10 c2 families

All done!
```

- some error handling

```
$ ./flightsim get

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:39:28

nothing to get
$ ./flightsim get foo

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:39:32

unable to get 'foo': invalid format
$ ./flightsim get foo:

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:39:37

unable to get 'foo:': unsupported element 'foo'
$ ./flightsim get families:fsck

AlphaSOC Network Flight Simulator™ (https://github.com/alphasoc/flightsim)
The current time is 13-Oct-21 12:39:51

12:39:51 [families:fsck] Fetching fsck families
api.open.wisdom.alphasoc.net said: 400: {"reason":"category must be 'c2'"}
```
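The `element:category` argument handling and the `-max`/`-cols` layout behaviour shown in the transcripts above, as an added example written for this page; it is not code from the flightsim repository. `ParseTarget`, `Limit`, `Columnize` and the `sampleFamilies` slice are names and structure assumed here, the family names are the first ten from the PR's own output, and the live lookup against the wisdom API is replaced by that static list (the API-side check that the category is `c2` is therefore not reproduced).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Constructed sample standing in for the wisdom API response: the first ten
// c2 family names printed in the PR transcript, in the same order.
var sampleFamilies = []string{
	"404 Keylogger", "AB Stealer", "APT29", "ARS VBS Loader", "ATRAPS",
	"AZORult", "AceRAT", "Adwind", "Agent Tesla", "Alien",
}

// Only one element exists in the PR's help output.
var supportedElements = map[string]bool{"families": true}

// ParseTarget splits an "element:category" argument and reproduces the three
// client-side errors seen in the transcript: empty argument, missing ':',
// and an element that is not on the supported list. The category itself is
// left to the remote API to validate, as in the families:fsck run above.
func ParseTarget(arg string) (element, category string, err error) {
	if arg == "" {
		return "", "", errors.New("nothing to get")
	}
	idx := strings.IndexByte(arg, ':')
	if idx < 0 {
		return "", "", fmt.Errorf("unable to get '%s': invalid format", arg)
	}
	element, category = arg[:idx], arg[idx+1:]
	if !supportedElements[element] {
		return "", "", fmt.Errorf("unable to get '%s': unsupported element '%s'", arg, element)
	}
	return element, category, nil
}

// Limit applies the -max semantics: keep at most n entries, preserving order.
// A negative n, or one larger than the list, returns the whole list.
func Limit(families []string, n int) []string {
	if n < 0 || n >= len(families) {
		return families
	}
	return families[:n]
}

// Columnize lays the names out row by row across cols columns, left-aligned
// and padded to the widest name. cols <= 0 yields the single comma-separated
// line printed when -cols is not given.
func Columnize(families []string, cols int) []string {
	if cols <= 0 {
		return []string{strings.Join(families, ", ")}
	}
	width := 0
	for _, f := range families {
		if len(f) > width {
			width = len(f)
		}
	}
	var rows []string
	for i := 0; i < len(families); i += cols {
		end := i + cols
		if end > len(families) {
			end = len(families)
		}
		cells := make([]string, 0, cols)
		for _, f := range families[i:end] {
			cells = append(cells, fmt.Sprintf("%-*s", width, f))
		}
		// Trailing padding on the last cell is dropped so rows end cleanly.
		rows = append(rows, strings.TrimRight(strings.Join(cells, "  "), " "))
	}
	return rows
}

func main() {
	// Walk the same arguments the PR's error-handling section exercises.
	for _, arg := range []string{"", "foo", "foo:", "families:c2"} {
		el, cat, err := ParseTarget(arg)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("[%s:%s] Fetching %s %s\n", el, cat, cat, el)
		for _, row := range Columnize(Limit(sampleFamilies, 10), 3) {
			fmt.Println(row)
		}
		fmt.Printf("[%s:%s] Fetched %d %s %s\n", el, cat, len(Limit(sampleFamilies, 10)), cat, el)
	}
}
```

The error strings are deliberately identical to the transcript so the example can be checked against it line by line; the column widths are computed from the limited list, not the full one, which is why `-max 3 -cols 1` and `-max 10 -cols 3` pad differently.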