docs
LICENSE
README.md
aptc.py
filemonitor.vbs
getpayloads.py
getresults.py
key.py
machinetag.json


Synopsis

A set of scripts using PyMISP to extend MISP for automated payload testing.

User documentation: click on the mind-map topics/nodes to explore further.

Demo of CVE-2017-0199 payload: YouTube link

Sh0ut 0utz

Big thank you to the awesome folks @ https://gitter.im/MISP/MISP & Harvard-IT-security

Under-the-hood (TL;DR)

APTC overview

  • Assuming the test-case & target events are set up properly, tagging a test-case event with the test-start tag will launch getpayloads.py
  • getpayloads.py in turn launches getresults.py, which queries Graylog with a pre-defined query statement to find an indicator of success
  • It is up to you to decide what you mean by success/hit; typically a Product-under-Test will emit logs when it catches a payload. When the query can't find the indicators after a certain amount of time, the test is deemed a 'miss'
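The hit/miss decision described above, as an added example that is not code from the aptc project: Graylog is replaced by an in-memory search over constructed log lines so it runs offline, and the clock/sleep functions are injectable so the polling window can be simulated without waiting. The query template and the log format are assumptions, not the project's own.

```python
"""Verdict logic in the spirit of getresults.py (added example, not aptc code).

A Product-under-Test is expected to emit a log line when it catches a payload.
We poll a search function until that indicator appears or the window expires.
"""
import time
from typing import Callable, Dict, List, Tuple

# Constructed sample logs standing in for what Graylog would return.
SAMPLE_LOGS = [
    "2019-05-01T10:00:01 host=WIN10-01 source=filemonitor msg=payload_written file=sample_0199.doc",
    "2019-05-01T10:00:09 host=WIN10-01 source=PUT action=quarantine file=sample_0199.doc",
    "2019-05-01T10:00:10 host=WIN10-01 source=filemonitor msg=payload_written file=sample_benign.txt",
]

# Assumed query shape; the real script carries its own pre-defined query statement.
QUERY_TEMPLATE = "host={host} action=quarantine file={payload}"


def make_search_stub(logs: List[str]) -> Callable[[str], List[str]]:
    """Offline stand-in for a Graylog search: lines containing every query term."""
    def search(query: str) -> List[str]:
        terms = query.split()
        return [line for line in logs if all(t in line for t in terms)]
    return search


def wait_for_indicator(search: Callable[[str], List[str]], query: str,
                       timeout_s: float, poll_s: float,
                       clock=time.monotonic, sleep=time.sleep) -> Tuple[str, List[str]]:
    """Poll `search` until it matches ('hit') or the window expires ('miss')."""
    deadline = clock() + timeout_s
    while True:
        matches = search(query)
        if matches:
            return "hit", matches
        if clock() >= deadline:
            return "miss", []
        sleep(poll_s)


def run_test_case(search, host: str, payloads: List[str], timeout_s: float = 60,
                  poll_s: float = 10, clock=time.monotonic, sleep=time.sleep) -> Dict[str, str]:
    """One verdict per payload written to the target's share, keyed by file name."""
    return {p: wait_for_indicator(search, QUERY_TEMPLATE.format(host=host, payload=p),
                                  timeout_s, poll_s, clock, sleep)[0]
            for p in payloads}
```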

Installation steps for MISP host

  1. git clone https://github.com/jymcheong/aptc.git
  2. Edit /Controller/EventsController.php
  3. Search for "Tag added"; you should locate "return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Tag added..."

Add the line below above that return statement:

    if ($tag['Tag']['name']=="aptc:test-start") shell_exec("python3 /var/www/MISP/tools/aptc/getpayloads.py -id ".$id." > /dev/null 2>/dev/null &");

  4. Create an aptc folder under the MISP tools directory (the hook above expects /var/www/MISP/tools/aptc)
  5. Copy all the aptc scripts to that folder & adjust permissions accordingly (e.g. readable by www-data, chmod +x *.py)
  6. Create an aptc folder under /var/www/MISP/app/files/taxonomies/ (or equivalent)
  7. Copy machinetag.json into that folder, then update your tags & enable all of them
  8. Edit key.py to set misp_url & key
  9. Create target paths (Samba mount point) to write payloads to, with appropriate read/write permissions
  10. Install Samba & set up a share for targets to mount (by default APTC writes to /opt/aptc/targets/HOSTNAME, i.e. share /opt/aptc/targets. You can change it by editing aptc.py. Refer to https://jymcheong.github.io/aptc/ to understand how this whole thing works)

Installation steps for Windows target(s)

  1. Mount the Samba shared folder in your Windoze
  2. Copy filemonitor.vbs to the target(s) and make it auto-run upon login (the target should auto-login)

Useful links

Most convenient way to set up the latest MISP: https://github.com/harvard-itsecurity/docker-misp