facebookincubator / TTPForge

The TTPForge is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).
MIT License

💡 [REQUEST] - Marking a TTP as requiring superuser privileges #405

Closed d3sch41n closed 12 months ago

d3sch41n commented 1 year ago

Implementation PR

No response

Reference Issues

No response

Summary

We should support the following syntax:

name: my_ttp
requirements:
  superuser: true
steps:
   ... 

This should cause the ttpforge run command (cmd/run.go) to check if superuser: true was specified and, if so, check that the user is root/sudo based on EUID (can add Windows equivalent support later); if the user isn't a superuser, error out early before running the TTP.

Basic Example

See above

Drawbacks

You could just hardcode sudo into the TTP, but that's suboptimal - the TTP might run several steps and put the system into a dirty state, before prompting you for a sudo password that you don't have, forcing you to CTRL-C out. Or you might not want to use sudo at all for telemetry reasons - maybe sudo is loud on the surface you are targeting, but you have the capability to run a TTP as root via other means. Having sudo hardcoded in your script would be a negative in that case.

Using superuser: true will force ALL the steps of your TTP to run as root, but that's probably ok - you can always just not use this feature and fall back to using sudo explicitly if you want different steps to happen at different privilege levels.

Unresolved questions

No response
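The preflight check the issue proposes, written out as an added Go example that is not TTPForge's own code (the actual implementation landed separately): it reads the `requirements.superuser` flag from a TTP document, compares it against the process's effective UID, and refuses to start before any step runs. The function names (`parseRequirements`, `checkSuperuser`, `preflight`), the sample TTP and the line-based parser are assumptions made for this example; the real project unmarshals the whole TTP with a YAML library, which is avoided here so the block runs with the standard library only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Requirements mirrors the proposed `requirements:` block from the issue.
// Only `superuser` is modelled; any other fields would be hypothetical.
type Requirements struct {
	Superuser bool
}

// ErrSuperuserRequired is returned when a TTP declares superuser: true
// but the current process is not running with EUID 0.
var ErrSuperuserRequired = errors.New("this TTP requires superuser privileges (EUID 0); re-run as root")

// parseRequirements extracts requirements.superuser from TTP YAML text.
// Deliberately small, line-based parser for the two-level structure shown
// in the issue (assumption: stands in for a real YAML unmarshal).
func parseRequirements(ttpYAML string) (Requirements, error) {
	var req Requirements
	inRequirements := false
	for _, raw := range strings.Split(ttpYAML, "\n") {
		line := strings.TrimRight(raw, " \t")
		trimmed := strings.TrimSpace(line)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		indented := strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t")
		if !indented {
			// Any new top-level key ends the requirements block.
			inRequirements = trimmed == "requirements:"
			continue
		}
		if !inRequirements {
			continue
		}
		key, val, ok := strings.Cut(trimmed, ":")
		if !ok {
			return req, fmt.Errorf("malformed requirements line: %q", raw)
		}
		if strings.TrimSpace(key) == "superuser" {
			switch strings.TrimSpace(val) {
			case "true":
				req.Superuser = true
			case "false":
				req.Superuser = false
			default:
				return req, fmt.Errorf("requirements.superuser must be true or false, got %q", strings.TrimSpace(val))
			}
		}
	}
	return req, nil
}

// checkSuperuser compares the declared requirement against an effective UID.
// euid is a parameter so the check is testable without actually running as root.
func checkSuperuser(req Requirements, euid int) error {
	if req.Superuser && euid != 0 {
		return ErrSuperuserRequired
	}
	return nil
}

// preflight is the early gate the issue asks `ttpforge run` to perform:
// parse the requirements and fail before the first step executes.
func preflight(ttpYAML string, euid int) error {
	req, err := parseRequirements(ttpYAML)
	if err != nil {
		return err
	}
	return checkSuperuser(req, euid)
}

// sampleTTP is a constructed TTP document using the syntax proposed in the issue.
const sampleTTP = `name: my_ttp
requirements:
  superuser: true
steps:
  - name: placeholder_step
    inline: echo "would run here"
`

func main() {
	// os.Geteuid returns -1 on Windows, which correctly fails the check there.
	if err := preflight(sampleTTP, os.Geteuid()); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to run:", err)
		os.Exit(1)
	}
	fmt.Println("preflight passed; steps would now execute")
}
```

Because the gate runs before any step, a TTP marked superuser: true never leaves the host in the half-executed, dirty state the issue describes, and the check works the same whether root was obtained through sudo or by other means, since only the EUID is consulted.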

inesusvet commented 12 months ago

Resolved in https://github.com/facebookincubator/TTPForge/pull/410