facebookincubator / TTPForge

The TTPForge is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).
MIT License

💡 [REQUEST] - Atomic Red Team Executor #83

Open l50 opened 1 year ago

l50 commented 1 year ago

Implementation PR

No response

Reference Issues

No response

Summary

We need to figure out a way to ingest and use TTPs from Atomic Red Team

Basic Example

ttpforge -c config.yaml run rc atomics/T1003.003/T1003.003.yaml

Drawbacks

Could be complicated.

Unresolved questions

Do we want to create a transform function to consume ART or Nuclei "TTPs" into our YAML format? This could save us a lot of heartburn.

Do we want it to be part of the forge codebase or do we want to figure out a modular attachment for this functionality?

inesusvet commented 6 months ago

I see two ways of implementing this with slight differences. The first one could be done as

  1. Read the Atomic YAML provided
  2. Convert it into TTPForge YAML structure by a new Translator func
  3. Save result in a temp dir
  4. Run the regular TTP from the temp directory

Or another way could be implemented as

  1. Have a separate Loader class to read Atomic TTP YAMLs
  2. Flesh out the TTP structure (which is pretty lightweight) with all the Steps (aka Translator logic)
  3. Execute TTP steps for the structure in memory

Both ways are prone to errors on any ART YAML format changes. Both ways could be unit-tested. Both ways provide seamless UX -- "it just works" with all the TTPs provided by ART. The first way could be implemented as a stand-alone program as well. The second way brings extra responsibility to the TTPForge binary which might be unnecessary.
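One concrete shape the first design (read Atomic YAML, translate, write to a temp dir, run) could take, as an added example that is not code from TTPForge or from this thread. It goes a little beyond the comment by handling the two failure modes the comment warns about: an executor TTPForge cannot run (for instance `manual`) and an input-argument placeholder that no longer resolves after a format change are both rejected instead of being passed through. Assumptions: the TTPForge field names (`name`, `steps`, `executor`, `inline`, `cleanup`) are a simplified guess at the forge layout, the Atomic test is constructed in memory rather than unmarshaled from a real file (a Loader would use a YAML library for that), the command is a harmless marker-file echo, and `TXXXX` is a placeholder technique id.

```go
package main

import (
	"fmt"
	"strings"
)

// AtomicTest holds the subset of an Atomic Red Team test entry the translation
// needs. A real Loader would fill it by unmarshaling the atomic YAML (e.g. with
// gopkg.in/yaml.v3); the sample below is built in memory so this example runs
// with the standard library only.
type AtomicTest struct {
	Name        string
	Description string
	Defaults    map[string]string // input_arguments name -> default value
	Executor    Executor
}

type Executor struct{ Name, Command, CleanupCommand string }

// TTP and Step are an assumed, simplified view of the TTPForge YAML layout:
// a name, a description and ordered inline steps with optional cleanup.
type TTP struct {
	Name, Description string
	Steps             []Step
}

type Step struct{ Name, Executor, Inline, Cleanup string }

// executorMap maps Atomic executor names to the shell a step runs in. Anything
// else ("manual" is human instructions, not a command) is rejected, not guessed.
var executorMap = map[string]string{
	"sh": "sh", "bash": "bash", "powershell": "powershell", "command_prompt": "cmd",
}

// substituteArgs fills every #{arg} placeholder with the argument's default.
// A placeholder with no matching argument is an error: silently running a
// command with a literal "#{...}" in it is the breakage format drift causes.
func substituteArgs(cmd string, defaults map[string]string) (string, error) {
	out := cmd
	for name, value := range defaults {
		out = strings.ReplaceAll(out, "#{"+name+"}", value)
	}
	if i := strings.Index(out, "#{"); i >= 0 {
		return "", fmt.Errorf("unresolved placeholder at %q", out[i:])
	}
	return out, nil
}

// Translate converts the idx-th Atomic test of a technique into a single-step
// TTP. This is the "Translator func" of the first design in the thread.
func Translate(technique string, idx int, t AtomicTest) (TTP, error) {
	shell, ok := executorMap[t.Executor.Name]
	if !ok {
		return TTP{}, fmt.Errorf("%s test %d: unsupported executor %q", technique, idx, t.Executor.Name)
	}
	cmd, err := substituteArgs(t.Executor.Command, t.Defaults)
	if err != nil {
		return TTP{}, err
	}
	cleanup, err := substituteArgs(t.Executor.CleanupCommand, t.Defaults)
	if err != nil {
		return TTP{}, err
	}
	step := Step{Name: t.Name, Executor: shell, Inline: cmd, Cleanup: cleanup}
	return TTP{Name: fmt.Sprintf("%s-%d", technique, idx), Description: t.Description, Steps: []Step{step}}, nil
}

// block renders s as the body of a YAML literal block scalar indented n spaces.
func block(s string, n int) string {
	pad := strings.Repeat(" ", n)
	return pad + strings.ReplaceAll(strings.TrimRight(s, "\n"), "\n", "\n"+pad) + "\n"
}

// Marshal emits the TTP as YAML by hand, so no YAML library is needed here.
// The result is what would be written to the temp dir and handed to the forge.
func Marshal(t TTP) string {
	var b strings.Builder
	fmt.Fprintf(&b, "name: %s\ndescription: %s\nsteps:\n", t.Name, t.Description)
	for _, s := range t.Steps {
		fmt.Fprintf(&b, "  - name: %s\n    executor: %s\n    inline: |\n%s", s.Name, s.Executor, block(s.Inline, 6))
		if s.Cleanup != "" {
			fmt.Fprintf(&b, "    cleanup:\n      inline: |\n%s", block(s.Cleanup, 8))
		}
	}
	return b.String()
}

// SampleAtomic is a constructed, harmless test used to exercise the translator;
// it is not a real Atomic Red Team entry, and TXXXX below is a placeholder id.
var SampleAtomic = AtomicTest{
	Name:        "write-and-read-marker",
	Description: "Constructed sample test.",
	Defaults:    map[string]string{"output_file": "/tmp/ttpforge-demo.txt"},
	Executor: Executor{
		Name:           "sh",
		Command:        "echo constructed > #{output_file}\ncat #{output_file}",
		CleanupCommand: "rm -f #{output_file}",
	},
}

func main() {
	ttp, err := Translate("TXXXX", 1, SampleAtomic)
	if err != nil {
		fmt.Println("translate:", err)
		return
	}
	fmt.Print(Marshal(ttp))
}
```

Writing `Marshal(ttp)` to a temp directory and pointing `ttpforge run` at it would complete steps 3 and 4. Keeping the executor table explicit and failing on leftover `#{...}` placeholders is what makes an ART format change show up as a translation error rather than as a TTP that runs the wrong thing.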

inesusvet commented 1 month ago

I think we should follow the Technique class to examine how to build a parser for Atomic Red Team YAML definitions