2.5.0
Big features
- Potential links is a new feature that lets you view every command in the entire TTP database that each agent could run, filtered by tactic and technique. At any point during a running operation you can add these potential links to the operation one at a time. This is our second way of supporting "human in the loop" behavior.
- Groups and adversary profiles are now optional when running an operation. Instead (or in addition) you can set a max operation time, 300 seconds by default, after which the operation is stopped automatically. This means you can run an operation with no adversary and add potential links until the max operation time is reached. To run an adversary-less operation, select the operation option to keep it open for the max time.
- We now have automated and versioned documentation - which is now available when you click the “Docs” tab in the navigation bar.
Smaller items
- A new YouTube video tutorial has been created. It is now linked from the project README.
- The base_world class was given two new static functions: “generate_number” and “is_base64”
- Several new libraries were added to the requirements.txt
- The operation modal was given several additions that show more information while an operation is running. It also absorbed the reports modal, since the two duplicated much of the same functionality; reports can now be downloaded through the operation modal.
Rest API changes:
- New endpoints have been created:
- /plugin/chain/potential-links (PUT): Adds potential links to an operation
- /plugin/chain/potential-links (POST): Returns all potential links for an operation
- /internals (*): Designed to return the properties of a given c_link object.
Plugin changes:
Compass
- A new plugin which allows you to view and add new adversaries from the ATT&CK matrix directly. This plugin utilizes the ATT&CK Navigator.
Mock
- This plugin was rewritten to drop scenarios (which had hard-coded results for simulated agents) and instead generate random output programmatically for the results, so mock operations are no longer deterministic.
Sandcat
- A new C2 option was added. It runs the same operations as before, but instead of carrying traffic over HTTP it uses private GitHub Gists: the server adds commands to a new Gist file, each agent picks up the Gist files, executes the command(s) and places the results in a new Gist file for the server to pick up and save. The agents and server therefore never communicate directly; both sides only talk to GitHub. Two consequences for defenders and operators: on the wire the C2 traffic looks like ordinary HTTPS to the GitHub API, and anyone holding the GitHub credentials used to create and read the Gists can read every command and result.
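The dead-drop exchange described above, written out as an added example so both sides' messages are visible. This is not Sandcat's or the server's own code: the in-memory FakeGistStore stands in for the private-Gist part of the GitHub API, the "instructions-<paw>" / "results-<paw>" description convention and the base64-encoded JSON file bodies are assumptions made for illustration, and the agent's executor returns canned output instead of running anything.

```python
import base64
import itertools
import json
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class FakeGist:
    id: str
    description: str
    files: Dict[str, str]  # filename -> content


class FakeGistStore:
    """Stand-in for the private-gist API (constructed for this example):
    gists live in memory instead of on github.com, but the operations are
    the ones both sides would use: create, list, delete."""

    def __init__(self):
        self._gists: Dict[str, FakeGist] = {}
        self._ids = itertools.count(1)

    def create(self, description: str, files: Dict[str, str]) -> str:
        gid = f"gist{next(self._ids)}"
        self._gists[gid] = FakeGist(gid, description, dict(files))
        return gid

    def list(self) -> List[FakeGist]:
        return list(self._gists.values())  # copy, safe to mutate while iterating

    def delete(self, gid: str) -> None:
        self._gists.pop(gid, None)


def _pack(obj: dict) -> str:
    """Gist bodies carry base64(JSON) so no cleartext command sits in the gist."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def _unpack(body: str) -> dict:
    return json.loads(base64.b64decode(body))


class Server:
    """C2 side: drops instructions addressed to a paw, later collects results."""

    def __init__(self, store: FakeGistStore):
        self.store = store
        self.results: Dict[str, str] = {}

    def post_instruction(self, paw: str, link_id: str, command: str) -> str:
        # Assumed convention: the description names the recipient agent (paw).
        body = _pack({"id": link_id, "command": command})
        return self.store.create(f"instructions-{paw}", {f"{link_id}.txt": body})

    def collect_results(self) -> Dict[str, str]:
        for gist in self.store.list():
            if not gist.description.startswith("results-"):
                continue
            for body in gist.files.values():
                res = _unpack(body)
                self.results[res["id"]] = res["output"]
            self.store.delete(gist.id)  # consumed; leave nothing behind on GitHub
        return self.results


class Agent:
    """Agent side: only talks to the gist store, never to the server."""

    def __init__(self, paw: str, store: FakeGistStore, executor: Callable[[str], str]):
        self.paw = paw
        self.store = store
        self.executor = executor

    def beacon(self) -> List[str]:
        ran = []
        for gist in self.store.list():
            if gist.description != f"instructions-{self.paw}":
                continue  # addressed to another agent
            for body in gist.files.values():
                instr = _unpack(body)
                output = self.executor(instr["command"])
                result = _pack({"id": instr["id"], "output": output})
                self.store.create(f"results-{self.paw}", {f"{instr['id']}.txt": result})
                ran.append(instr["id"])
            self.store.delete(gist.id)
        return ran


def run_exchange():
    """One full round trip: two links for our agent, one for a different paw."""
    store = FakeGistStore()
    server = Server(store)
    canned = {"whoami": "corp\\alice", "hostname": "WS-042"}  # constructed outputs
    agent = Agent("abc123", store, lambda cmd: canned.get(cmd, "command not found"))
    server.post_instruction("abc123", "link-1", "whoami")
    server.post_instruction("abc123", "link-2", "hostname")
    server.post_instruction("other-paw", "link-9", "id")
    ran = agent.beacon()
    results = server.collect_results()
    leftover = [g.description for g in store.list()]
    return ran, results, leftover


if __name__ == "__main__":
    print(run_exchange())
```

Note that the other agent's instruction gist survives the round trip untouched: filtering by recipient is what stops every agent from executing every command, and on the real service that filter rests entirely on whoever holds the Gist credentials behaving.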
Stockpile
- Many new abilities (TTPs) have been added, as well as a new "Super Spy" adversary profile, which performs basic surveillance techniques.
- Two new obfuscators were added:
- Base64: encodes every command as base64 and executes it in that form, so the plaintext command is not what appears on the command line.
- Base64Jumble: encodes every command as base64, then appends padding that makes the string invalid base64, and executes it in that form. This defeats detections that rely on a strict base64 decode of the suspicious string; it does not defeat detections that match on long runs of base64-alphabet characters or that strip the junk and repair the padding before decoding.
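An added example that shows both obfuscators beside the two kinds of detector they meet. This is not Stockpile's own obfuscator code and not base_world's is_base64: the junk characters used for the jumble, the length threshold and the sample commands are all constructed for illustration. The strict detector only flags tokens that decode cleanly, which the jumble defeats; the lenient detector strips anything outside the base64 alphabet and repairs the padding first, which recovers the command again.

```python
import base64
import binascii
import re
import secrets
from typing import Optional

# Constructed sample commands; not taken from the project's TTP database.
SAMPLE_COMMANDS = [
    "whoami /all",
    "powershell.exe -c Get-Process",
    "cat /etc/passwd",
]

# Junk deliberately outside the base64 alphabet. An assumption for the demo;
# the real Base64Jumble obfuscator may pad differently.
JUNK_CHARS = "!#$%^&*~"

# Well-formed standard base64: whole quads, optional one- or two-char padding.
STRICT_B64 = re.compile(
    r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$"
)
MIN_TOKEN_LEN = 12  # skip short tokens to keep false positives down


def obfuscate_base64(command: str) -> str:
    """Base64 obfuscator: the whole command as standard base64."""
    return base64.b64encode(command.encode()).decode()


def obfuscate_base64_jumble(command: str, junk: Optional[str] = None) -> str:
    """Base64Jumble obfuscator: base64 plus trailing junk so the token is no
    longer valid base64. The executing side strips the junk before decoding."""
    if junk is None:
        junk = "".join(secrets.choice(JUNK_CHARS) for _ in range(secrets.randbelow(4) + 1))
    return obfuscate_base64(command) + junk


def _decode_printable(token: str) -> Optional[str]:
    """Decode with alphabet validation; return text only if it is printable."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


def strict_detector(token: str) -> Optional[str]:
    """Naive detector: flag only well-formed base64 that decodes to text.
    Returns the recovered command, or None when nothing is flagged."""
    if len(token) < MIN_TOKEN_LEN or not STRICT_B64.match(token):
        return None
    return _decode_printable(token)


def lenient_detector(token: str) -> Optional[str]:
    """Hardened detector: keep only base64-alphabet characters, repair the
    padding, then decode. This is what the jumble trick does not survive."""
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", token)
    if len(cleaned) < MIN_TOKEN_LEN:
        return None
    cleaned += "=" * (-len(cleaned) % 4)
    return _decode_printable(cleaned)


def coverage(commands, obfuscator, detector) -> float:
    """Fraction of obfuscated commands the detector recovers exactly."""
    hits = sum(detector(obfuscator(c)) == c for c in commands)
    return hits / len(commands)


if __name__ == "__main__":
    for name, obf in (("Base64", obfuscate_base64), ("Base64Jumble", obfuscate_base64_jumble)):
        print(f"{name:13s} strict={coverage(SAMPLE_COMMANDS, obf, strict_detector):.0%} "
              f"lenient={coverage(SAMPLE_COMMANDS, obf, lenient_detector):.0%}")
```

The design point for a detection engineer is in lenient_detector: normalise before you decode. A rule that hands the raw token to a base64 decoder and trusts the decoder's error is the one this obfuscator is built to slip past.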
Breaking changes:
We expect plugin developers to only interact with the core system (and other plugins) through the list of services passed to their plugin and through importing the c_[object] modules in the core code. As such, each release we will highlight the changes in these two areas, as they could introduce breaking changes to a plugin.
Services
app_svc
- A new check_authorization decorator was added; any function decorated with it checks that the user is logged in before it runs.
planning_svc
- The “generate_and_trim_links” function was made public (it was private previously).
- Several new functions were added: “update_planner”, “get_potential_links”, “apply_potential_links”, “change_operation_state” and “get_link_pin”
Objects
c_agent:
- an optional parameter “timeout” was added, which lets you customize the timeout period per ability. Previously every ability used a fixed 60 second timeout with no way to change it.
c_adversary:
- a new function “has_ability” was added, which returns True/False whether the adversary contains a specific ability
c_fact:
- an optional parameter “collected_by” was added, which will show you which agent collected the given fact.
c_link:
- an optional parameter “pin” was added, which lets you attach a special string to the object for custom use. It is intended to serve as a per-link encryption key, but it is not currently hooked up to anything.
- an optional parameter “id” was added, which allows you to create a link object with a specific ID instead of the link creating its own one.
c_obfuscator:
- A new required parameter “description” was added
c_operation:
- A new function “redacted_report” allows you to see a version of the report function but with sensitive data redacted.
- A new status was added to the available operation states, “OUT_OF_TIME”
- Two operation object parameters, obfuscator and phases_enabled, were made optional instead of required, with natural default values.
- Two new optional parameters were added: auto_close and max_time. Each have reasonable default values.
- A new function “is_closeable” will determine if an operation should be closed or remain open.
- The “active_agents” function was made public (it was previously private)
c_planner:
- A new required parameter “planner_id” was added