
💡 [REQUEST] - Atomic Red Team Executor #83

Open
l50 opened this issue May 4, 2023 · 2 comments
Labels: area/go (Changes made to go resources), question (Clarification and/or additional information required to move forward), type/major

Comments

@l50 (Contributor) commented May 4, 2023

Implementation PR: No response

Reference Issues: No response

Summary

We need to figure out a way to ingest and use TTPs from Atomic Red Team

Basic Example

ttpforge -c config.yaml run rc atomics/T1003.003/T1003.003.yaml

Drawbacks

Could be complicated.

Unresolved questions

Do we want to create a transform function to consume ART or Nuclei "TTPs" into our YAML format? This could save us a lot of heartburn.

Do we want it to be part of the forge codebase or do we want to figure out a modular attachment for this functionality?

l50 added the question, DEF CON and type/major labels on May 4, 2023
l50 changed the title from "💡 [REQUEST] - Red Canary Ingestor" to "💡 [REQUEST] - Red Canary Executor" on May 4, 2023
l50 removed the DEF CON label on May 6, 2023
l50 self-assigned this on Jun 19, 2023
l50 added the area/go and DEF CON labels on Jun 19, 2023
l50 changed the title from "💡 [REQUEST] - Red Canary Executor" to "💡 [REQUEST] - Atomic Red Team Executor" on Jun 20, 2023
l50 removed the DEF CON label on Aug 1, 2023
@inesusvet (Contributor) commented

I see two ways of implementing this with slight differences. The first one could be done as:

  1. Read the Atomic YAML provided
  2. Convert it into TTPForge YAML structure by a new Translator func
  3. Save result in a temp dir
  4. Run the regular TTP from the temp directory

Or another way could be implemented as:

  1. Have a separate Loader class to read Atomic TTP YAMLs
  2. Flesh out the TTP structure (which is pretty lightweight) with all the Steps (aka Translator logic)
  3. Execute TTP steps for the structure in memory

Both ways are prone to errors on any ART YAML format changes.
Both ways could be unit-tested.
Both ways provide seamless UX -- "it just works" with all the TTPs provided by ART.
The first way could be implemented as a stand-alone program as well.
The second way brings extra responsibility to the TTPForge binary which might be unnecessary.
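
A sketch of the "Translator func" from the first approach, added here as an example (not TTPForge's code and not from this thread): it maps the parts of an ART atomic file that matter for execution onto a TTPForge-style TTP with one inline step per atomic test, fills `#{arg}` placeholders from the declared `input_arguments` defaults, and refuses a test it cannot translate faithfully (an undeclared argument, or a non-shell executor such as `manual`) instead of silently producing a half-translated step. The TTPForge struct layout, the sh/bash-only executor rule and the YAML decoding being left out are assumptions; the sample atomic is constructed and benign.

```go
package main
import (
	"fmt"
	"strings"
)

// ART test file as Go structs (ART field names; decoding the YAML into them, e.g. with yaml.v3, is left out).
type InputArg struct{ Default string }
type Executor struct{ Name, Command, CleanupCommand string }
type AtomicTest struct {
	Name           string
	InputArguments map[string]InputArg
	Executor       Executor
}
type Atomic struct {
	AttackTechnique, DisplayName string
	AtomicTests                  []AtomicTest
}
// Target shape approximating a TTPForge TTP (assumed layout): named steps, each with an inline command.
type Step struct{ Name, Inline, Cleanup string }
type TTP struct {
	Name, Description string
	Steps             []Step
}

// Translate is the Translator func of the first approach: one TTP per ART file, one step per test; non-shell executors are refused.
func Translate(a Atomic) (TTP, error) {
	ttp := TTP{Name: a.AttackTechnique, Description: a.DisplayName}
	for _, t := range a.AtomicTests {
		if t.Executor.Name != "sh" && t.Executor.Name != "bash" {
			return TTP{}, fmt.Errorf("test %q: unsupported executor %q", t.Name, t.Executor.Name)
		}
		cmd := t.Executor.Command
		for name, arg := range t.InputArguments { // fill #{arg} placeholders from declared defaults
			cmd = strings.ReplaceAll(cmd, "#{"+name+"}", arg.Default)
		}
		if i := strings.Index(cmd, "#{"); i >= 0 { // an undeclared argument must not reach the shell verbatim
			return TTP{}, fmt.Errorf("test %q: unresolved input argument near %q", t.Name, cmd[i:])
		}
		ttp.Steps = append(ttp.Steps, Step{Name: t.Name, Inline: cmd, Cleanup: t.Executor.CleanupCommand})
	}
	return ttp, nil
}

// Sample is a constructed, benign stand-in for an ART file (not a real atomic test).
var Sample = Atomic{AttackTechnique: "T0000.000", DisplayName: "Constructed sample",
	AtomicTests: []AtomicTest{{Name: "echo greeting", InputArguments: map[string]InputArg{"who": {Default: "world"}},
		Executor: Executor{Name: "sh", Command: "echo hello #{who}", CleanupCommand: "true"}}}}

func main() { fmt.Println(Translate(Sample)) }
```

The translated struct would then be written to the temp dir (step 3) and picked up by the regular TTP loader, which is also where a schema change in ART surfaces as a translation error rather than a mis-run step.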

@inesusvet (Contributor) commented

I think we should follow the Technique class to examine how to build a parser for Atomic Red Team YAML definitions.
