Merge pull request #1163 from splunk/cap_attack

CapAttack integration

Author: P4T12ICK

attack_range.py

@@ -137,6 +137,16 @@ def init_remote_backend(args):
     controller.init_remote_backend(args.backend_name)
 
 
+def cap_attack(args):
+    controller = init(args)
+    if args.start:
+        controller.start_cap_attack(args.target)
+    elif args.stop:
+        controller.stop_cap_attack(args.target)
+    else:
+        print("Please specify either --start or --stop")
+
+
 def main(args):
     """
     main function parses the arguments passed to the script and calls the respctive method.
@@ -167,6 +177,9 @@ def main(args):
     simulate_parser = actions_parser.add_parser(
         "simulate", help="simulates attack techniques"
     )
+    cap_attack_parser = actions_parser.add_parser(
+        "cap_attack", help="starts and stops CAP Attack"
+    )
     destroy_parser = actions_parser.add_parser(
         "destroy", help="destroy attack range instances"
     )
@@ -261,6 +274,20 @@ def main(args):
 
     simulate_parser.set_defaults(func=simulate)
 
+    cap_attack_parser.add_argument(
+        "-t",
+        "--target",
+        required=True,
+        help="target for CAP Attack. Use the name of the Windows instance",
+    )
+    cap_attack_parser.add_argument(
+        "--start", action="store_true", help="start CAP Attack threat capture"
+    )
+    cap_attack_parser.add_argument(
+        "--stop", action="store_true", help="stop CAP Attack threat capture"
+    )
+    cap_attack_parser.set_defaults(func=cap_attack)
+
     # Dump  Arguments
     dump_parser.add_argument(
         "-fn", "--file_name", required=True, help="file name of the attack_data"

configs/attack_range_default.yml

@@ -112,10 +112,6 @@ gcp:
   use_static_ip: "0"
   # Enable/disable usage of static IP by setting this to 1 or 0.
 
-local:
-  provider: "Virtual Box"
-# Attack Range Local used Virtualbox and Vagrant to build the Attack Range.
-
 splunk_server:
 
   install_es: "0"
@@ -339,4 +335,13 @@ simulation:
   # Specify the repository owner for Atomic Red Team.
 
   atomic_red_team_branch: master
-  # Specify the branch for Atomic Red Team.
+  # Specify the branch for Atomic Red Team.
+
+  cap_attack: "0"
+  # Enable/Disable CAP Attack by setting this to 1 or 0.
+
+  cap_attack_upload_threat_capture: "0"
+  # Enable/Disable CAP Attack upload of threat capture by setting this to 1 or 0.
+
+  snapattack_api_key: ""
+  # Specify the API key for SnapAttack.

docs/source/Cap_Attack.md

@@ -0,0 +1,25 @@
+# CapAttack
+CapAttack is a client capture agent for Windows, Mac and Linux developed by SnapAttack. It captures logs, network traffic and other information from the machine. Additionally, it can record the screen of the machine.
+
+## CapAttack during attack simulation
+CapAttack can be enabled by setting the parameter `cap_attack` to 1 in the `attack_range.yml` file.
+```yml
+simulation:
+  cap_attack: "1"
+```
+This will start the CapAttack agent before the attack simulation is started and capture the logs, network traffic and screen. At the end of the attack simulation, the CapAttack agent will be stopped.
+
+When you want to upload the CapAttack capture to SnapAttack, you need to set the parameters `cap_attack_upload_threat_capture` and `snapattack_api_key` in the `attack_range.yml` file.
+```yml
+simulation:
+  cap_attack: "1"
+  cap_attack_upload_threat_capture: "1"
+  snapattack_api_key: "your_snapattack_api_key"
+```
+
+## Manually start and stop CapAttack
+You can manually start and stop CapAttack by using the following commands:
+```bash
+python attack_range.py cap_attack start --target <target>
+python attack_range.py cap_attack stop --target <target>
+```

docs/source/index.md

@@ -20,6 +20,7 @@ Attack Range Config <Attack_Range_Config>
 Attack Simulation <Attack_Simulation>
 Attack Data <Attack_Data>
 Attack Range Features <Attack_Range_Features>
+CapAttack <Cap_Attack>
 Cost Explorer <Cost_Explorer>
 
 ```

modules/ansible/cap_attack.yml

@@ -0,0 +1,6 @@
+---
+- name: CAP Attack
+  hosts: all
+  gather_facts: True
+  roles:
+    - cap_attack

modules/ansible/roles/atomic_red_team/tasks/install_art_linux.yml

@@ -0,0 +1,53 @@
+---
+
+- name: Update apt repositories
+  apt:
+    update_cache: yes
+  when: ansible_distribution == "Ubuntu" or ansible_distribution == "Debian"
+
+- name: Update yum repositories
+  yum:
+    update_cache: yes
+  when: ansible_os_family == "RedHat"
+
+- name: Install x11-xserver-utils (Debian/Ubuntu)
+  apt:
+    name: x11-xserver-utils
+    state: present
+  when: ansible_distribution == "Ubuntu" or ansible_distribution == "Debian"
+
+- name: Install xorg-x11-server-utils (RedHat)
+  yum:
+    name: xorg-x11-server-utils
+    state: present
+  when: ansible_os_family == "RedHat"
+
+- name: Install PowerShell on Debian-based systems
+  shell: |
+    # Download the Microsoft repository GPG keys
+    wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packages-microsoft-prod.deb
+    # Register the Microsoft repository GPG keys
+    dpkg -i packages-microsoft-prod.deb
+    # Update the list of products
+    apt-get update
+    # Install PowerShell
+    apt-get install -y powershell
+  when: ansible_distribution == "Ubuntu" or ansible_distribution == "Debian"
+  args:
+    creates: /usr/bin/pwsh
+
+- name: Install PowerShell on RedHat-based systems
+  shell: |
+    # Register the Microsoft RedHat repository
+    curl https://packages.microsoft.com/config/rhel/$(rpm -E %{rhel})/prod.repo | tee /etc/yum.repos.d/microsoft.repo
+    # Install PowerShell
+    yum install -y powershell
+  when: ansible_os_family == "RedHat"
+  args:
+    creates: /usr/bin/pwsh
+
+- name: Install Atomic Red Team
+  shell: |
+    pwsh -Command "IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam -getAtomics"
+  args:
+    creates: ~/.atomics 

modules/ansible/roles/atomic_red_team/tasks/install_art_windows.yml

@@ -3,6 +3,14 @@
 - set_fact:
     technique: "{{ item }}"
 
+- name: Start threat capture with CAP Attack
+  become: true
+  shell: |
+    pwsh -Command 'Import-Module "/root/capattack/capattack-ps/capattack.psd1" -Force;
+    CapAttack-Start'
+  when: cap_attack == "1"
+  ignore_errors: True
+
 - name: Run Atomic Red Team
   become: true
   shell: |
@@ -11,5 +19,19 @@
     Invoke-AtomicTest "{{ technique }}" -Cleanup'
   register: output_art
 
+- name: Stop threat capture with CAP Attack and upload
+  become: true
+  shell: |
+    pwsh -Command 'Import-Module "/root/capattack/capattack-ps/capattack.psd1" -Force;
+    CapAttack-Stop -Headless -Upload'
+  when: cap_attack == "1" and cap_attack_upload_threat_capture == "1"
+
+- name: Stop threat capture with CAP Attack
+  become: true
+  shell: |
+    pwsh -Command 'Import-Module "/root/capattack/capattack-ps/capattack.psd1" -Force;
+    CapAttack-Stop -Headless'
+  when: cap_attack == "1" and cap_attack_upload_threat_capture == "0"
+
 - debug:
     var: output_art.stdout_lines

modules/ansible/roles/atomic_red_team/tasks/run_art_linux.yml

@@ -4,51 +4,46 @@
 - debug:
     var: technique
 
-# - name: List available Atomic Red Team Techniques
-#   ansible.windows.win_find:
-#     paths: C:\AtomicRedTeam\atomics
-#     file_type: directory
-#     patterns: T*
-#   register: available_techniques
-
-# - set_fact:
-#     available_techniques: "{{ available_techniques | json_query('files[].filename') }}"
-#     main_technique:            "{{ technique | regex_replace('(-.)','') }}"
-
-# - name: Check requested Technique is valid
-#   fail:
-#     msg: "The {{ main_technique }} selected technique has no atomic tests. Please ensure it it correct and that tests exist for it. See https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/Indexes/Indexes-CSV/windows-index.csv. {{ available_techniques }} "
-#   when: "main_technique not in available_techniques"
-  
+- name: Start threat capture with CAP Attack
+  win_shell: |
+    Import-Module "C:\Program Files\ansible\capattack\capattack-ps\capattack.psd1" -Force
+    CapAttack-Start
+  when: cap_attack == "1"
+  ignore_errors: True
+
 - name: Get requirements for Atomic Red Team Technique
   win_shell: |
     Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
     Invoke-AtomicTest "{{ technique }}" -GetPrereqs
   register: requirements
   ignore_errors: True
 
-# - debug:
-#     var: requirements
-
 - name:  Run specified Atomic Red Team Technique
   win_shell: |
+    Set-ExecutionPolicy bypass
     Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
     Invoke-AtomicTest "{{ technique }}" -Confirm:$false -TimeoutSeconds 300 -ExecutionLogPath C:\AtomicRedTeam\atc_execution.csv
   register: output_art
-
-# - name: Save output atomic red team
-#   set_fact:
-#     output_art: "{{ output_art }}"
-#     cacheable: yes
+  ignore_errors: True
 
 - debug:
     var: output_art.stdout_lines
 
+- name: Stop threat capture with CAP Attack and upload
+  win_shell: |
+    Import-Module "C:\Program Files\ansible\capattack\capattack-ps\capattack.psd1" -Force
+    CapAttack-Stop -Headless -Upload 
+  when: cap_attack == "1" and cap_attack_upload_threat_capture == "1"
+
+- name: Stop threat capture with CAP Attack
+  win_shell: |
+    Import-Module "C:\Program Files\ansible\capattack\capattack-ps\capattack.psd1" -Force
+    CapAttack-Stop -Headless 
+  when: cap_attack == "1" and cap_attack_upload_threat_capture == "0"
+
 - name: Cleanup after execution
   win_shell: |
     Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force
     Invoke-AtomicTest "{{ technique }}" -Cleanup
   register: cleanup
 
-# - debug:
-#     var: cleanup

modules/ansible/roles/atomic_red_team/tasks/run_art_test_windows.yml

@@ -0,0 +1,10 @@
+---
+# Default values for CAP Attack
+cap_attack_action: "start"              # Options: start, stop
+cap_attack_upload_threat_capture: "0"   # Options: 0 (don't upload), 1 (upload)
+
+# Windows-specific defaults
+windows_cap_attack_path: "C:\\Program Files\\ansible\\capattack"
+
+# Linux-specific defaults
+linux_cap_attack_path: "/root/capattack"