Chris Gates edited this page Feb 2, 2018 · 3 revisions

Actions

Actions are a list of commands you want to run against an external vagrant (the guest VM metta targets). The action modules are organised by MITRE ATT&CK phase and then by operating system.

Getting started

There is an actions_example.yml that you can use as a template. It is located here:

https://github.com/uber-common/metta/blob/master/MITRE/Adversarial_Simulation/actions_example.yml

```
1  enabled: true
2  meta:
3    author: cg
4    created: 2017-11-04
5    decorations:
6    - Purple Team
7    description: Actions example yaml file
8    link: https://carnal0wnage.attackresearch.com
9    mitre_attack_phase: Discovery
10   mitre_attack_technique: Account Discovery
11   purple_actions:
12     1: cmd.exe /c net user
13     2: cmd.exe /c net user /domain
14 os: windows
15 name: Actions Example
16 uuid: 66a63b5f-268f-42cc-9e67-1518a4b01326
```

Line 1: enabled, true or false. This flag is not currently used; it is a carryover from our internal implementation, so setting enabled: false will not stop a module from being run.

Line 2: metadata values about the module

Line 3: author field

Line 4: created date

Line 5: decorations field

Line 6: sub-decorations - you can put whatever you want here

Line 7: description of what the actions module does

Line 8: external link about the technique/module/description

Line 9: Mitre ATT&CK phase

Line 10: Mitre ATT&CK technique

Line 11: purple_actions, the numbered mapping of actions to take. The key name purple_actions is important: it is what metta looks for to find the list of things you want to run.

Lines 12/13: the actions you want to run, one per line, numbered in the order they should execute (1: ..., 2: ...).

Line 14: os, important as this tells metta which vagrant to run the actions against (windows in the example).

Line 15: name, the name of the module; it is written to the JSON log as rule_name.

Line 16: uuid, a unique UUID for the module. This isn't strictly enforced yet but may be in the future. You can use make_uuid.py inside helper_scripts to generate one.
