Skip to content

jymcheong/aptc

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Synopsis

A set of scripts using PyMISP to extend MISP for automated payload testing.

User Documentation, click on the mind-map topics/nodes to explore further.

Demo of CVE2017-0199 payload youtube link

Sh0ut 0utz

Big thank you to the awesome folks @ https://gitter.im/MISP/MISP & Harvard-IT-security

Under-the-hood (TL;DR)

APTC overview

  • Assuming (test-case & targets) events are setup properly, tagging a test-case event with test-start tag will launch getpayloads.py
  • getpayloads.py in turn launches getresults.py to query graylog with pre-defined query statement to find indicator of success
  • It is up to you to decide what you mean by success/hit, typically a Product-under-Test will emit logs when it catches a payload. When the query can't find the indicators after a certain amount of time, it will deemed as 'miss'

Installation steps for MISP host

  1. git clone https://github.com/jymcheong/aptc.git
  2. Edit /Controller/EventsController.php
  3. Find Tag added, you should locate "return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Tag added..."

Add the line below above the return statement

if ($tag['Tag']['name']=="aptc:test-start") shell_exec("python3 /var/www/MISP/tools/aptc/getpayloads.py -id ".$id." > /dev/null 2>/dev/null &");
  1. Create aptc folder under MISP tools directory
  2. Copy all the aptc scripts to that folder & adjust permission accordingly (eg. readable for www-data, chmod +x *.py)
  3. Create aptc folder under /var/www/MISP/app/files/taxonomies/ (or equivalent)
  4. Copy machinetag.json into that folder, update your tags & enable all of them
  5. Edit key.py to set misp_url & key
  6. Create target paths (samba mount point) to write payloads to (give appropriate permissions for read/write)
  7. Install Samba & setup share for targets to mount (by default APTC writes to /opt/aptc/targets/HOSTNAME, ie. share /opt/aptc/targets. You can change it by editing aptc.py. Refer to https://jymcheong.github.io/aptc/ to understand how this whole thing works)

Installation steps for Windows target(s)

  1. Mount the samba shared folder in your Windoze
  2. Copy filemonitor.vbs to the target(s), make it auto-run upon login (target should auto-login)

Useful links

Most convenient way to setup the latest MISP: https://github.com/harvard-itsecurity/docker-misp

Releases

No releases published

Packages

No packages published