User documentation: click on the mind-map topics/nodes to explore further.
Big thank you to the awesome folks at https://gitter.im/MISP/MISP and Harvard IT Security.
- Assuming the test-case and target events are set up properly, tagging a test-case event with the test-start tag launches getpayloads.py
- getpayloads.py in turn launches getresults.py, which queries Graylog with a pre-defined query statement to find the indicator of success
- It is up to you to decide what counts as a success/hit; typically a Product-under-Test emits logs when it catches a payload. If the query cannot find the indicators within a certain amount of time, the test is deemed a 'miss'
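The hit/miss decision described above, as an added example that is not code from the aptc project: a poll loop that asks Graylog how many matching events exist and returns 'hit' as soon as one is seen, or 'miss' once the timeout elapses. The Graylog URL, the query shape and the field names are assumptions; the clock and sleep functions are injectable so the loop can be exercised offline.

```python
"""Added example of a getresults.py-style poll loop; not aptc's own code."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable

GRAYLOG_URL = "https://graylog.example.invalid:9000"   # assumption: placeholder host
SEARCH_PATH = "/api/search/universal/relative"         # assumption: Graylog REST search endpoint


def build_query(hostname: str, payload_name: str) -> str:
    """Assumed query shape: the Product-under-Test logs the host and the payload file name."""
    return f'source:"{hostname}" AND message:"{payload_name}"'


def graylog_count(query: str, range_s: int, token: str) -> int:
    """Return Graylog's total_results for `query` over the last `range_s` seconds.
    Assumption: API token passed as basic-auth user with the literal password 'token'."""
    params = urllib.parse.urlencode({"query": query, "range": range_s, "limit": 1})
    req = urllib.request.Request(f"{GRAYLOG_URL}{SEARCH_PATH}?{params}")
    auth = base64.b64encode(f"{token}:token".encode()).decode()
    req.add_header("Authorization", f"Basic {auth}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return int(json.load(resp).get("total_results", 0))


def wait_for_hit(count_fn: Callable[[], int], timeout_s: float, interval_s: float = 5.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll count_fn until it reports >= 1 event ('hit') or timeout_s elapses ('miss').
    A failing search (network error, bad JSON) counts as 'no evidence yet', not as a hit."""
    start = clock()
    polls = 0
    while True:
        polls += 1
        try:
            n = count_fn()
        except Exception:
            n = 0
        if n > 0:
            return {"result": "hit", "events": n, "polls": polls, "elapsed": clock() - start}
        if clock() - start >= timeout_s:
            return {"result": "miss", "events": 0, "polls": polls, "elapsed": clock() - start}
        sleep(interval_s)
```

Real use would wrap `graylog_count(build_query(host, payload), range_s, token)` in a lambda and hand it to `wait_for_hit` with the timeout you consider reasonable for your Product-under-Test.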
Installation steps for MISP host
- git clone https://github.com/jymcheong/aptc.git
- Edit /Controller/EventsController.php
- Find "Tag added": you should locate `return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Tag added...`
- Add the line below immediately above that return statement (note that $id is interpolated into a shell command, so it must be a validated event id):
    if ($tag['Tag']['name']=="aptc:test-start") shell_exec("python3 /var/www/MISP/tools/aptc/getpayloads.py -id ".$id." > /dev/null 2>/dev/null &");
- Create aptc folder under MISP tools directory
- Copy all the aptc scripts to that folder and adjust permissions accordingly (e.g. readable by www-data, chmod +x *.py)
- Create aptc folder under /var/www/MISP/app/files/taxonomies/ (or equivalent)
- Copy machinetag.json into that folder, update your tags and enable all of them
- Edit key.py to set misp_url & key
- Create target paths (Samba mount points) to write payloads to, with appropriate read/write permissions
- Install Samba and set up a share for the targets to mount (by default APTC writes to /opt/aptc/targets/HOSTNAME, i.e. share /opt/aptc/targets. You can change this by editing aptc.py. Refer to https://jymcheong.github.io/aptc/ to understand how this whole thing works)
Installation steps for Windows target(s)
- Mount the Samba shared folder on your Windows target(s)
- Copy filemonitor.vbs to the target(s) and make it auto-run upon login (the target should auto-login)
The most convenient way to set up the latest MISP: https://github.com/harvard-itsecurity/docker-misp