redcanaryco / atomic-red-team

Small and highly portable detection tests based on MITRE's ATT&CK.
MIT License

Reporting mechanism on the execution of a technique #1055

Closed shreyamalviya closed 3 years ago

shreyamalviya commented 4 years ago

I'm working on the development of a pen-testing tool and we're planning on integrating ART atomic tests. However, we've run into an issue since, after using the Python execution framework, the output that is shown after running a technique is not very descriptive.

For example, running this:

import runner  # runner.py from execution-frameworks/contrib/python/
t = runner.AtomicRunner()
t.execute("T1158")  # hidden files and directories

Just gives the output:

Executing T1158/0
------------------------------------------------
(No output)
(No output)

There's no certain way for me to know whether the attack was successful or not since it just returns the output/error (relevant code below). https://github.com/redcanaryco/atomic-red-team/blob/14905c7a1618fe52bc0973ac575949ab4f9c2d67/execution-frameworks/contrib/python/runner.py#L491

It would be extremely useful if there were some sort of reporting mechanism that returned more information about the execution of the technique along with its output/error.

ShayNehmad commented 4 years ago

Would love this (working with @shreyamalviya on the same project, Infection Monkey). If there's any way we can push this forward and help let us know!!!

keithmccammon commented 4 years ago

Howdy, folks! At present, there's no one actively developing the Python framework. If building in reporting is something that you'd like to contribute, we can do our best to help with testing and review. In general, there are two issues with reporting, and I think you've touched on them both at a high level:

Again, if you have questions, we're happy to do our best to help!

cnotin commented 4 years ago

I just came to suggest the same thing! First step could be to have just a message like "you should see a notepad/calc opened". I think this step seems reasonable to implement by adding an attribute to each test (a lot of work though) and a message printed in the execution frameworks. Then, for automation purposes, a coded check would be really helpful I think. But it means coding a command to check for successful execution!
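The structured report asked for at the top of the thread, combined with the "coded check" idea above, as an added illustration that is not code from the atomic-red-team runner: the `success_check` key, the `run_atomic` function and the hidden-file test dict are hypothetical, the test is constructed and confined to a temp directory, and a POSIX `sh` is assumed.

```python
import re
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class ExecutionReport:
    technique: str
    command: str
    return_code: int
    stdout: str
    stderr: str
    check_command: Optional[str]
    check_passed: Optional[bool]  # None when the test defines no check

    @property
    def verdict(self) -> str:
        if self.check_passed is None:  # no check: we only know it ran
            return "executed" if self.return_code == 0 else "error"
        return "success" if self.check_passed else "failure"


def fill(template: str, args: dict) -> str:
    # Substitute ART-style #{name} placeholders with the argument defaults.
    return re.sub(r"#\{(\w+)\}", lambda m: str(args[m.group(1)]["default"]), template)


def sh(cmd: str) -> subprocess.CompletedProcess:
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, timeout=30)


def run_atomic(technique: str, test: dict) -> ExecutionReport:
    args = test.get("input_arguments", {})
    command = fill(test["executor"]["command"], args)
    proc = sh(command)
    # "success_check" (hypothetical key): exit status 0 means the technique took effect
    check_cmd = fill(test["success_check"], args) if "success_check" in test else None
    passed = sh(check_cmd).returncode == 0 if check_cmd else None
    return ExecutionReport(technique, command, proc.returncode,
                           proc.stdout, proc.stderr, check_cmd, passed)


# Constructed test modelled on T1158 (hidden file), confined to a temp dir.
TMP_DIR = tempfile.mkdtemp()
HIDDEN_FILE_TEST = {
    "input_arguments": {"tmp_dir": {"default": TMP_DIR}},
    "executor": {"name": "sh", "command": "touch #{tmp_dir}/.hidden-file"},
    "success_check": "test -f #{tmp_dir}/.hidden-file",
}
```

A caller such as the Infection Monkey integration can then branch on `report.verdict` instead of parsing stdout, and a test without a check is honestly reported as merely "executed".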

PrajwalM2212 commented 4 years ago

@keithmccammon The Infection Monkey developers who opened this issue have decided to continue using their existing architecture and not depend on this issue.

But the issue has been gathering likes and getting comments. It would be a nice feature to add to atomic-red-team. So I would like to implement this. I have a rough idea about which parts of code to change and develop.

If atomic-red-team wants to move ahead with this issue, I would like to discuss my approach here.

clr2of8 commented 3 years ago

The Python Execution Framework is no longer maintained in this repo.

shreyamalviya commented 2 years ago

Hi @clr2of8, in which repo is the Python Execution Framework now being maintained?

clr2of8 commented 2 years ago

Please reach out to @MSAdministrator, who will be releasing that soon. You can reach him most easily on the Slack Atomic Red Team workspace or Twitter.