activecm/threat-tools activecm/threat-tools

  • Stars
    star
    166
  • Rank 227,748 (Top 5 %)
  • Language
    Python
  • License
    GNU General Publi...
  • Created over 3 years ago
  • Updated about 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
activecm/threat-tools
github

activecm

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Tools for simulating threats

threat-tools

Tools for simulating threats

beacon-simulator permits you to mimic a compromised system calling home to a command and control (C2) server. This tool will not exfiltrate any data, but is designed to test an environment's ability to detect a wide range of C2 channels. It should be pointed at an Internet IP address that you control (like a cloud instance).

Some command examples:

./beacon-simulator.sh 192.168.0.1 443 150 12
./beacon-simulator.sh 192.168.0.7 53 200 10 udp

Run the script without switches to access the online help.
Note: the standard netcat/nc tools included with Linux do not always handle timeouts well, expecially with UDP. Please install ncat (commonly found in a package called "ncat", or if not, as part of the "nmap" package). beacon-simulator will prefer to use this if it's installed.

python3 ./beacon_simulator.py -ip 192.168.0.5 -p 2000 -i 10 -j 3 -m 1024
python3 ./beacon_simulator.py -ip 192.168.0.5 -p 2000 --interval 120 --jitter 12 --max_payload 1024 --tcp
On your client device: python3 ./tcp_client.py
On your mock C2 server device: python3 ./tcp_server.py

For using the client/server python scripts they work in pairs. The UDP Client script works with the UDP Server script and the TCP Client script works with the TCP Server script. The client/server scripts require some manual configuration within the scripts. You will have to put the destination IP(s) at โ€œserver = [your.server.goes.here]โ€. The port that the scripts are running on by default is 9000 but it can be changed at the line with โ€œPORT = 9000โ€ or โ€œSERVER_PORT = 9000โ€. This script should scale to as many destinations as you would like to have. Each script has a printout of each message that is sent, received, and counts the number of beacons that have currently been sent out. By default the number of bytes sent for each beacon is a random number between 0 and 1200. This can be changed at the line with โ€œm = random.randint(0,1200)โ€. By default the beaconing interval is between 30 and 60 seconds. This can be changed at the line with โ€œrsleep = random.randint(30,60)โ€. The client/server scripts have a comment on most of the lines with a brief description of its purpose if you are unsure of it.

More Repositories

1

rita-legacy

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Go
2,500
star
2

BeaKer

Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana
Shell
281
star
3

passer

Passive service locator, a python sniffer that identifies servers, clients, names and much more
Python
240
star
4

rita

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Go
97
star
5

threat-hunting-labs

Collection of walkthroughs on various threat hunting techniques
HTML
73
star
6

espy

Endpoint detection for remote hosts for consumption by RITA and Elasticsearch
Go
66
star
7

docker-zeek

Run zeek with zeekctl in docker
Shell
44
star
8

smudge

Passive OS detection based on SYN packets without Transmitting any Data
Python
42
star
9

pcap-stats

Learn about a network from a pcap file or reading from an interface
Python
25
star
10

bro-install

An Installation Script for Bro IDS on Debian Based Systems
Shell
19
star
11

zcutter

Extracts fields from zeek logs, compatible with zeek-cut
Python
17
star
12

devprof

Device profile: Define acceptable amounts of traffic for your devices and see a report of outliers.
Python
16
star
13

sniffer-template

Template for building a packet sniffer
Python
15
star
14

zeek-open-connections

Zeek
12
star
15

ipfix-rita

Collect IPFIX / Netflow v9 Records and Ship them to RITA for Analysis
Go
10
star
16

rita-bl

Real Intelligence Threat Analytics -- Blacklist Database
Go
8
star
17

mongo-diff

A Python script for diff'ing mongo databases
Python
8
star
18

zeekcfg

A node.cfg generator for zeekctl
Go
6
star
19

zeek-log-transport

This script ships logs from Zeek to AC-Hunter
Shell
5
star
20

pi_show

Python script/library for displaying text and graphics on Raspberry Pi PiOled Hat
Python
5
star
21

shell-lib

Shell Scripts Used Across ActiveCM Projects
Shell
5
star
22

certificate-issues

Identifies certificate problems from Zeek ssl log files
Shell
5
star
23

pi_project_installer

A support library and set of scripts to simplify installing software on the Raspberry Pi/Raspbian
Shell
5
star
24

rita-blacklist

Real Intelligence Threat Analytics -- Blacklist Database
Go
5
star
25

mgosec

A Small Helper Library For Securing MongoDB Connections with Golang
Go
4
star
26

bro-rita

A bro plugin for writing log data to MongoDB for use with RITA
C++
3
star
27

safelist-tools

Tools for working with the safelist (formerly whitelist)
Go
3
star
28

docker-ca

A Docker Image For OpenSSL Certificate Authorities (For Testing)
Shell
2
star
29

pcap-resources

Support files and tools for pcap analysis and packet capture
2
star
30

zeek-log-clean

Delete Zeek log files until disk usage is under a given threshold
Shell
2
star
31

save_json_stream

JSON TCP stream importer for RITA and AC-Hunter
Python
1
star
32

DBTest

Managed Integration Testing Dependencies via Docker for Go
Go
1
star
33

bro-rita-test

Compares bro-rita against rita's built in parsing
Shell
1
star
34

bro-mongodb

C++
1
star