AtomicThreatProfile is a Python script that creates custom adversary profiles for use in Caldera from JSON-formatted data generated by Control Validation Compass. Caldera is a cyber security framework designed to easily run autonomous breach-and-simulation exercises; depending on the use case it provides a great deal of functionality. However, when using this tool I realised that creating custom adversary profiles can be tedious, and saw an opportunity to enhance Caldera by automating profile creation underpinned by threat intelligence provided by Control Validation Compass.
- Linux
- Python 3.8+
- Caldera (https://github.com/mitre/caldera)
git clone https://github.com/NerdChip/AtomicThreatProfile
cd AtomicThreatProfile
pip3 install -r requirements.txt
Before executing AtomicThreatProfile you will need to retrieve data generated by Control Validation Compass (CVC). CVC is a great resource that has a number of uses, but AtomicThreatProfile only utilises the Threat Model feature, which can be used to categorise potential threats based on motive, location and industry (https://controlcompass.github.io/). This data is what will be passed to AtomicThreatProfile to produce the custom adversary profile within Caldera.
Fill in one or multiple criteria and select a single adversary on the right-hand side. For the purpose of this example I have chosen Lazarus Group.
After you have chosen an adversary, scroll down the page and you will see Adversary Profile, ATT&CK Navigator Layer (TTPs) and Diamond Model. We will be using the ATT&CK Navigator JSON data to create the custom adversary profile: click inside the box and copy the data (ctrl-a & ctrl-c).
Once the data has been copied it will be pasted inside a new JSON file created on the system where Caldera and AtomicThreatProfile are installed. Please remember to create the file in the same working directory as AtomicThreatProfile. Another tip would be to make sure the filename resembles that of the selected threat group. Don't forget to elevate to root privileges.
nano LazarusGroup.json
Use -h to invoke help
python3 AtomicThreatProfile.py -h
To run AtomicThreatProfile you will need to pass the previously created JSON file (-f) and the threat group name (-t); these arguments are required. You can also specify which operating system you want the techniques to relate to (-p); at the moment only windows is supported. This argument is optional and the default is "all".
python3 AtomicThreatProfile.py -f LazarusGroup.json -t LazarusGroup
python3 AtomicThreatProfile.py -f LazarusGroup.json -t LazarusGroup -p windows
Once the program has completed some checks, the user will be prompted to select which techniques they want to include within the custom adversary profile. Use the space bar to select a technique and Enter to confirm the selection (you can select multiple entries under one technique).
If a mistake is made during this process you will have to re-execute the program. Please remember that these profiles will only be generated based on the techniques that Caldera has within its framework.
Once the selection phase has been completed, AtomicThreatProfile will move the generated file into the required folder for Caldera to load. The image below shows our custom profile ready for use in Caldera:
Important for me to note: some techniques require additional configuration in order to get them working. I would advise getting familiar with Caldera before using AtomicThreatProfile.
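As an added illustration of what the steps above automate (example code written for this page, not AtomicThreatProfile's own source), the block below parses a constructed ATT&CK Navigator layer of the kind CVC exports, matches its technique IDs against a constructed list of abilities in the shape Caldera's ability YAML uses, optionally filters by platform as -p does, and assembles an adversary profile in Caldera's adversary YAML format (id, name, description, atomic_ordering). The sample layer, the ability entries and their UUIDs are invented; the parent-technique fallback (a layer entry of T1003 pulling in T1003.001 abilities) is an assumption about desirable behaviour, not documented tool behaviour; and the Caldera folder the real tool writes into is not touched here, the YAML is only returned as a string.

```python
import json
import uuid

# Constructed sample: a minimal ATT&CK Navigator layer. Real layers carry many
# more fields; only techniques[].techniqueID and the optional "enabled" flag
# matter for profile generation.
SAMPLE_LAYER = json.dumps({
    "name": "Lazarus Group (constructed sample)",
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 1},
        {"techniqueID": "T1082", "tactic": "discovery", "score": 1},
        {"techniqueID": "T1003", "tactic": "credential-access", "score": 1},
        {"techniqueID": "T1566.001", "tactic": "initial-access", "enabled": False},
    ],
})

# Constructed sample: abilities in the shape Caldera's ability YAML takes once
# loaded (id, name, technique.attack_id, platforms). UUIDs are invented.
SAMPLE_ABILITIES = [
    {"id": "7a1f0c3e-0000-4000-8000-000000000001", "name": "PowerShell whoami",
     "technique": {"attack_id": "T1059.001"}, "platforms": {"windows": {"psh": {}}}},
    {"id": "7a1f0c3e-0000-4000-8000-000000000002", "name": "System info",
     "technique": {"attack_id": "T1082"},
     "platforms": {"windows": {"psh": {}}, "linux": {"sh": {}}}},
    {"id": "7a1f0c3e-0000-4000-8000-000000000003", "name": "LSASS dump",
     "technique": {"attack_id": "T1003.001"}, "platforms": {"windows": {"psh": {}}}},
    {"id": "7a1f0c3e-0000-4000-8000-000000000004", "name": "Bash history",
     "technique": {"attack_id": "T1552.003"}, "platforms": {"linux": {"sh": {}}}},
]


def layer_technique_ids(layer_json):
    """Return the set of technique IDs a Navigator layer marks, skipping
    entries the layer explicitly disables (enabled: false)."""
    layer = json.loads(layer_json)
    return {t["techniqueID"] for t in layer.get("techniques", [])
            if t.get("enabled", True)}


def matching_abilities(abilities, technique_ids, platform="all"):
    """Select abilities whose ATT&CK ID appears in the layer.

    Assumption: a parent technique in the layer (T1003) also pulls in the
    abilities of its sub-techniques (T1003.001). With a platform other than
    "all", only abilities that carry an executor for that platform are kept,
    which mirrors the -p filter. Order follows the ability list, so the
    resulting atomic_ordering is deterministic."""
    selected = []
    for ability in abilities:
        attack_id = ability["technique"]["attack_id"]
        parent = attack_id.split(".")[0]
        if attack_id not in technique_ids and parent not in technique_ids:
            continue
        if platform != "all" and platform not in ability.get("platforms", {}):
            continue
        selected.append(ability)
    return selected


def build_profile(name, abilities, description=""):
    """Assemble a profile dict in Caldera's adversary YAML shape: id, name,
    description and atomic_ordering (ability IDs, executed in order)."""
    return {
        "id": str(uuid.uuid4()),
        "name": name,
        "description": description,
        "atomic_ordering": [a["id"] for a in abilities],
    }


def profile_to_yaml(profile):
    """Serialise without PyYAML. String values are emitted as JSON strings,
    which YAML accepts as double-quoted scalars, so names containing ':' or
    '#' cannot break the file."""
    lines = [
        f"id: {profile['id']}",
        f"name: {json.dumps(profile['name'])}",
        f"description: {json.dumps(profile['description'])}",
        "atomic_ordering:",
    ]
    lines += [f"  - {ability_id}" for ability_id in profile["atomic_ordering"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ids = layer_technique_ids(SAMPLE_LAYER)
    chosen = matching_abilities(SAMPLE_ABILITIES, ids, platform="windows")
    profile = build_profile("LazarusGroup", chosen, "Built from a CVC Navigator layer")
    print(profile_to_yaml(profile))
```

The interactive selection step of the real tool sits between matching_abilities and build_profile: the user prunes the matched list before it is turned into atomic_ordering. Techniques in the layer with no matching ability simply drop out, which is the behaviour the note about Caldera's own technique coverage describes.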
If you have any feedback on how I can improve the functionality of AtomicThreatProfile, the code, or any feature suggestions, please reach out to me.
I would like to continue improving this tool, so here are some ideas I have at the time of writing:
- Threading (faster)
- Remove requirement for json file (Automatic generation based on threat group name)
- Develop as app for integration into Caldera