Automated Tactics, Techniques & Procedures. Manually re-running complex sequences for regression tests, product evaluations, generating data for researchers & so on can be tedious. I toyed with the idea of making it easier to script Empire (or any framework/product/toolkit that provides an API, like Metasploit (RPC), Cobalt Strike & so on) using an IDE like Visual Studio Code (or equivalent). So I started to design AutoTTP. This is still very much a work in progress. Please use Empire 2.2.

What is TTP?

In my case, the tactics are organized as per my Attack Life Cycle model. There are other models like Lockheed Martin’s Kill-Chain®, Mandiant’s Attack Life Cycle & MITRE’s ATT&CK. Whichever model it may be, a “Tactic” essentially groups techniques together, e.g. code-execution/run-payload can be achieved in many ways:

I use “Stage” to group relevant “Tactics” together. If you look into the source tree, the folder structure reflects the matrix’s Tactics column. The matrix also mentions the respective controls for each offensive tactic. How did these stages come about?

The Venn diagram in the middle of the red cycle is from Dartmouth College’s “Three Tenets for Secure Cyber-Physical System Design and Assessment”. It defines the necessary & sufficient conditions, or simply the requirements, of any successful physical/logical attack. I added the red ring (stages) around the Venn diagram to illustrate typical offensive flows, which ultimately lead to an impact on Information Confidentiality, Integrity, & System Availability, or Safety if it is related to Cyber-Physical systems (think Critical Information Infrastructure).

An attacker can start from Stage 1 and get straight into Stage 4, e.g. default admin credentials on a publicly exposed admin page. It does not need to be linear (stage 1->2->3->4). After the initial infiltration, s/he could have performed some internal information gathering (recon) first before escalating privilege on the first machine & then launching a remote command to another target machine within the same network. For the next victim machine, it is a Stage 2: successful payload delivery and execution, which allows the attacker to gain command & control over yet another machine.

What does a Procedure look like?

The file on the left is a procedure script; the one on the right is a technique script. Notice that the procedure script is not littered with Empire-specific details; most of those details are encapsulated in the technique script. Procedure scripting should focus on the sequence of techniques using the assets’ information, e.g. hostname/IP, which email to send the payload to, which payload technique & so on.

The example of “is user admin?” actually consists of a few steps, since there are at least 3 possibilities as spelt out in the script’s comments. We can of course create custom “macros” in Empire, Metasploit & what not, but then they become tightly integrated within a particular framework/product. We want to take advantage of the tools out there & organize reusable techniques into modules so as to mix & match at a Procedural level (i.e. the automation).
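To make the procedure/technique split concrete, here is an added sketch that is not AutoTTP's own code: techniques are registered under a stage and tactic, and a procedure is only an ordered list of technique names and assets. `DryRunBackend`, the registry, the hostnames and the stage number given to internal recon are assumptions made for illustration; the backend only records requests, so the resulting timeline can serve as the expected-event list when regression-testing detections.

```python
"""Added sketch: procedure/technique layering with a dry-run backend (no framework calls)."""
from dataclasses import dataclass, field

@dataclass
class DryRunBackend:
    """Hypothetical stand-in for a framework API client; it only records requests."""
    log: list = field(default_factory=list)

    def task(self, host, action):
        self.log.append((host, action))
        return {"host": host, "action": action, "status": "recorded"}

TECHNIQUES = {}  # technique name -> (stage, tactic, callable), like the Stage/Tactic folders

def technique(stage, tactic):
    """Register a technique script under its stage and tactic."""
    def wrap(fn):
        TECHNIQUES[fn.__name__] = (stage, tactic, fn)
        return fn
    return wrap

@technique(stage=2, tactic="run_payload")
def run_payload(backend, asset):
    # Framework-specific details would be encapsulated here, not in the procedure.
    return backend.task(asset["hostname"], "run_payload")

@technique(stage=3, tactic="internal_recon")  # stage number assumed for this sketch
def is_user_admin(backend, asset):
    return backend.task(asset["hostname"], "is_user_admin")

def run_procedure(backend, steps):
    """Run (technique name, asset) pairs in order; return the stage/tactic timeline."""
    timeline = []
    for name, asset in steps:
        stage, tactic, fn = TECHNIQUES[name]
        fn(backend, asset)
        timeline.append((stage, tactic, name, asset["hostname"]))
    return timeline

# Constructed sample assets and procedure: the flow is not linear, the second
# machine re-enters at Stage 2 after recon on the first one.
WS01 = {"hostname": "ws01.example.test"}
WS02 = {"hostname": "ws02.example.test"}
SAMPLE_STEPS = [("run_payload", WS01), ("is_user_admin", WS01), ("run_payload", WS02)]

if __name__ == "__main__":
    for row in run_procedure(DryRunBackend(), SAMPLE_STEPS):
        print(row)
```

Swapping `DryRunBackend` for a real API client would change only the technique functions; the procedure list stays the same.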

Download AutoTTP