jymcheong/aptc


Synopsis

A set of scripts using PyMISP to extend MISP for automated payload testing.

User Documentation: click on the mind-map topics/nodes to explore further.

Demo of CVE-2017-0199 payload (YouTube link)

Sh0ut 0utz

Big thank you to the awesome folks @ https://gitter.im/MISP/MISP & Harvard-IT-security

Under-the-hood (TL;DR)

APTC overview

  • Assuming the test-case and target events are set up properly, tagging a test-case event with the test-start tag launches getpayloads.py
  • getpayloads.py in turn launches getresults.py, which queries Graylog with a pre-defined query statement to find an indicator of success
  • It is up to you to decide what counts as a success/hit; typically a Product-under-Test emits logs when it catches a payload. When the query can't find the indicators after a certain amount of time, the test is deemed a 'miss'
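
The hit/miss decision described above, as an added example (this is not aptc's getresults.py). The `search` callable, the log field names and the sample data are assumptions standing in for the Graylog query; the example also separates an unreachable log store from a genuine miss.

```python
import time
from datetime import datetime, timedelta, timezone


def classify_payload(search, indicator, dropped_at, timeout_s=60.0,
                     interval_s=5.0, clock=time.monotonic, sleep=time.sleep):
    """Return hit/miss/error for one payload drop.

    search(indicator, since) is a hypothetical stand-in for the log query: it
    returns dicts with an aware-datetime 'timestamp' and a 'message' string.
    """
    deadline = clock() + timeout_s
    polls = failures = 0
    while True:
        polls += 1
        try:
            rows = search(indicator, dropped_at)
        except ConnectionError:
            rows, failures = [], failures + 1
        # Ignore alerts older than the drop: a stale alert for the same file
        # name from an earlier run must not count as a hit for this one.
        hits = [r for r in rows
                if r["timestamp"] >= dropped_at and indicator in r["message"]]
        if hits:
            first = min(hits, key=lambda r: r["timestamp"])
            return {"result": "hit", "evidence": first, "polls": polls}
        if clock() >= deadline:
            # If every poll failed, the log store was unreachable; that is not
            # evidence that the product missed the payload.
            result = "error" if failures == polls else "miss"
            return {"result": result, "evidence": None, "polls": polls}
        sleep(interval_s)


# Constructed sample data (not real product logs).
T0 = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOGS = [
    {"timestamp": T0 - timedelta(hours=1), "message": "blocked invoice.rtf"},
    {"timestamp": T0 + timedelta(seconds=8), "message": "blocked invoice.rtf"},
]


def sample_search(indicator, since):
    """Constructed backend: returns every matching row, including stale ones."""
    return [r for r in SAMPLE_LOGS if indicator in r["message"]]


if __name__ == "__main__":
    print(classify_payload(sample_search, "invoice.rtf", T0, timeout_s=0))
```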

Installation steps for MISP host

  1. git clone https://github.com/jymcheong/aptc.git
  2. Edit /Controller/EventsController.php
  3. Find "Tag added"; you should locate "return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Tag added..."

Add the lines below above the return statement:

// escapeshellarg() keeps the event id from being interpreted by the shell
if ($tag['Tag']['name']=="aptc:test-start") shell_exec("python3 /var/www/MISP/tools/aptc/getpayloads.py -id ".escapeshellarg($id)." > /dev/null 2>/dev/null &");

  4. Create an aptc folder under the MISP tools directory
  5. Copy all the aptc scripts to that folder & adjust permissions accordingly (e.g. readable for www-data, chmod +x *.py)
  6. Create an aptc folder under /var/www/MISP/app/files/taxonomies/ (or equivalent)
  7. Copy machinetag.json into that folder, update your tags & enable all of them
  8. Edit key.py to set misp_url & key
  9. Create target paths (samba mount point) to write payloads to (give appropriate permissions for read/write)
  10. Install Samba & set up a share for targets to mount (by default APTC writes to /opt/aptc/targets/HOSTNAME, i.e. share /opt/aptc/targets. You can change it by editing aptc.py. Refer to https://jymcheong.github.io/aptc/ to understand how this whole thing works)

Installation steps for Windows target(s)

  1. Mount the samba shared folder in your Windoze
  2. Copy filemonitor.vbs to the target(s), make it auto-run upon login (target should auto-login)

Useful links

Most convenient way to set up the latest MISP: https://github.com/harvard-itsecurity/docker-misp