WithSecureLabs/detectree WithSecureLabs/detectree

  • Stars
    star
    122
  • Rank 290,315 (Top 6 %)
  • Language Svelte
  • License
    GNU General Publi...
  • Created over 2 years ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
WithSecureLabs/detectree
github

WithSecureLabs

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Data visualization for blue teams

Detectree

Detectree is a data visualisation tool for blue teams. It provides a graphical representation of detection data, which allows an analyst generate almost instant opinions about the nature of the underlying activity and to understand complex relationships between the data points. Ultimately, this can help reduce response time, reduce alert fatigue and facilitate communication between analysts within the teams.

Detectree is written in svelte and based on the force-graph javascript library.

Getting Started

In order to use Detectree in your environment the detections need to satisfy a minimum set of properties. In the following table you can see which fields must be included in each detection and which are optional.

Field Required
Endpoint ID yes
Category yes
Severity yes
Detection Name yes
Parent Process Name yes
Parent Process ID yes
Process Name yes
Process ID yes
User no
Command Line no
File Name no
Registry Key no
Network Address no
Target Process Name no
Target Process ID no

The mappings for each field are defined in the schema.yml file, an example file schema.yml.example is provided. This file defines which fields should be extracted from the data in the backend and how they are mapped internally. In particular the mapping part contains the detectree mapping on the left and the backend mapping on the right, you will need to populate the mapping according to your environment.

The schema also contains the backend configuration, for elastic it should be straight forward but the meaning of the various fields is the following:

primaryId is the unique identifier for the endpoint. This is what is used to retireve the detections. timeField is the time field used to restrict the query. source is the field which identifies the detection type, in the example schema this is mapped to NewProcess, RegistryWrite, FileAccess and so on.

Subsequently in the mappings the type field identifies a specific detection, for example if your backend only supports NewProcess detections (or whatever the corresponding name is) you will require only one mapping. Strictly related to this the kind field links the detection type to the detectree one. As an example if kind is file the mapping should provide a filePath which will be used to draw a context node.

Currently the only supported backend is elastic however it should be trivial to build an adapter for any new backend. See the Adding a new backend section for further information.

In order to deploy the application in your environment you need to install the required dependencies with with npm install (or pnpm install or yarn). You will then need to select the right adapter for your environment, follow this guide for the most up to date information.

If for example you want to use node as your backend you need to install @sveltejs/adapter-node add modify your svelte.config.js substituting @sveltejs/adapter-auto with @sveltejs/adapter-node. The project can then be built with the following command, the output will be in the output folder.

npm run build

A development server can be started with, this will allow to serve the application locally.

npm run dev

# or start the server and open the app in a new browser tab
npm run dev -- --open

An example graph can be seen in the following screenshot

example

Adding a new backend

In order to support a new backend you need to create a dedicated TypeScript file in the backend_adapters folder. You can use the elastic one as a template, the new module should expose a query function that should take as input the same parameters as the one in the elastic file. You can then query the chosen backend in the preferred way. The query function should return an object containing the data mapped according to the mapping defined in the schema.yaml file. Finally in order for the backend to be correctly selected you also need to add it in the following object inside draw_tree.ts, the object keys here will also be how the backend is referenced in the schema.yml

const backendTypes = {
	elastic: '../backend_adapters/elastic'
};

More Repositories

1

drozer

The Leading Security Assessment Framework for Android.
Python
3,743
star
2

chainsaw

Rapidly Search and Hunt through Windows Forensic Artefacts
Rust
2,713
star
3

C3

Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.
C++
1,478
star
4

needle

The iOS Security Testing Framework
Python
1,322
star
5

doublepulsar-detection-script

A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.
Python
1,008
star
6

awspx

A graph-based tool for visualizing effective access and resource relationships in AWS environments.
Python
898
star
7

python-exe-unpacker

A helper script for unpacking and decompiling EXEs compiled from python code.
Python
751
star
8

leonidas

Automated Attack Simulation in the Cloud, complete with detection use cases.
Jupyter Notebook
446
star
9

physmem2profit

Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
C#
364
star
10

android-keystore-audit

JavaScript
355
star
11

Jandroid

Python
300
star
12

CallStackSpoofer

A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)
C++
294
star
13

bitlocker-spi-toolkit

Tools for decoding TPM SPI transaction and extracting the BitLocker key from them.
Python
271
star
14

captcha22

CAPTCHA22 is a toolset for building, and training, CAPTCHA cracking models using neural networks.
Python
243
star
15

doublepulsar-c2-traffic-decryptor

A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
Python
224
star
16

snake

snake - a malware storage zoo
Shell
205
star
17

Jamf-Attack-Toolkit

Suite of tools to facilitate attacks against the Jamf macOS management platform.
Python
172
star
18

IAMSpy

Python
169
star
19

LinuxCatScale

Incident Response collection and processing scripts with automated reporting scripts
Shell
165
star
20

IceKube

Python
161
star
21

peas

PEAS is a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange.
Python
152
star
22

damn-vulnerable-llm-agent

Python
145
star
23

ppid-spoofing

Scripts for performing and detecting parent PID spoofing
PowerShell
127
star
24

GarbageMan

GarbageMan is a set of tools for analyzing .NET binaries through heap analysis.
C++
115
star
25

drozer-agent

The Android Agent for the Mercury Security Assessment Framework.
Java
111
star
26

doublepulsar-usermode-injector

A utility to use the usermode shellcode from the DOUBLEPULSAR payload to reflectively load an arbitrary DLL into another process, for use in testing detection techniques or other security research.
C
104
star
27

TickTock

C++
100
star
28

ModuleStomping

https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
C++
87
star
29

dotnet-gargoyle

A spiritual .NET equivalent to the Gargoyle memory scanning evasion technique
C#
50
star
30

cloud-wiki

A public cloud security knowledgebase - https://www.secwiki.cloud/
CSS
47
star
31

AMSIDetection

AMSI detection PoC
C#
29
star
32

tau-engine

A document tagging library
Rust
29
star
33

radare2-scripts

A collection of useful radare2 scripts!
Python
25
star
34

CVE-2021-25374_Samsung-Account-Access

This script can be used to gain access to a victim's Samsung Account if they have a specific version of Samsung Members installed on their Samsung Device, and if the victim's device is from the US or Korea region.
Python
23
star
35

ESFang

ESF modular ingestion tool for development and research.
Objective-C
18
star
36

macOSTriageCollectionScript

A triage data collection script for macOS
Shell
17
star
37

lazarus-sigma-rules

17
star
38

RemotePSpy

RemotePSpy provides live monitoring of remote PowerShell sessions, which is particularly useful for older (pre-5.0) versions of PowerShell which do not have comprehensive logging facilities built in.
Python
17
star
39

FLAIR

F-Secure Lightweight Acqusition for Incident Response (FLAIR)
Batchfile
16
star
40

mongo-rs

A higher-level wrapper on top of the official bson & mongodb crates.
Rust
15
star
41

volatility-plugins

Python
11
star
42

FixerUpper

A Burp extension to enable modification of FIX messages when relayed from MitM_Relay
Python
11
star
43

snake-core

snake-core - the real snake
Python
11
star
44

jdiesel

jdiesel fuels the drozer
Java
10
star
45

llm-vulnerable-recruitment-app

An example vulnerable app that integrates an LLM
Python
7
star
46

memory-carving-scripts

Scripts for extracting useful information from infected memory dumps
PowerShell
7
star
47

shadowhammer

Tools related to 'shadowhammer' attack, https://securelist.com/operation-shadowhammer/89992
Python
7
star
48

keywe-tooling

Tools that can be used to interact with the KeyWe Smart Lock device.
Python
6
star
49

datamate

Python
6
star
50

deject

Memory dump and Sample analysis tool
Python
6
star
51

usb-ninja-detection-poc

USB Ninja Detection PoC
C++
5
star
52

iocs

YARA
5
star
53

snake-scales

snake-scales - the default repository of snake scales
Python
4
star
54

dreamer

Easier cloud infrastructure with Terraform and Ansible
Python
4
star
55

snake-skin

snake-skin - the web ui for snake
Svelte
2
star
56

boops-boops-android-agent

Java
1
star
57

snake-tail

snake-tail - the command line ui for snake
Python
1
star
58

slide-decks

1
star