def test_pathEvaluation(render=True): # TODO: Make this test more useful root = Root("Root") goal = Goal("Goal") brain = Brain() # One path to vicotry (Start->a->b>c->goal) a = root.add(Action("A", pSuccess=100, cost=500)) b = a.add(Action("B", pSuccess=50, cost=500)) c = b.add(Action("C", pSuccess=50, cost=500)) _ = c.add(goal) # Update model with a second path to victory (Start->a->bb->goal) bb = a.add(Action("BB", pSuccess=100, cost=20000)) bb.connectTo(goal) paths = [] _ = Brain().pathsToVictory(root, paths) print(paths) assert len(paths) == 2 res = brain.evaluatePath(paths[1]) # a -> bb -> goal assert res["attackCost"] == 20500 assert res["pSuccess"] == 100 # a * bb if render: Renderer().render(root=root, fname=inspect.currentframe().f_code.co_name)
def test_instertBlockBetweenPatiallySuccessfulActions(render=True): # Prep root = Root("Start") goal = Goal("Finish") a = root.add(Action(label="A", pSuccess=80)) b = a.action("B") c = b.action("C") c.connectTo(goal) # a has an 80percent chance of working. # lets add a blocker that's 20% effective block = Block(label="Test Block", implemented=True, cost=5000, pDefend=50) # The tested function block.insertBetween(a, b) assert (len(a.edges) == 1) assert (a.edges[0].childNode == block) assert (len(block.edges) == 1) assert (block.edges[0].childNode == b) # The tested function: if render: Renderer().render(root=root, fname=inspect.currentframe().f_code.co_name)
def test_double_pathToVictory(render=True): root = Root("Root XX") goal = Goal("Goal") # Test with just one action root.add(Action(label="A")).add(goal) root.add(Action(label="B")).add(goal) brain = Brain() paths = brain.pathsToVictory(root) print(paths) assert len(paths) == 2 assert len(paths[0]) == 3 assert len(paths[1]) == 3 if render: Renderer().render(root=root, fname=inspect.currentframe().f_code.co_name)
def test_pathEvaluationWithBlock(render=True): root = Root("Root") goal = Goal("Goal") brain = Brain() a = root.add(Action("A",pSuccess=100, cost=500)) b = a.add(Action("b",pSuccess=70, cost=500)) b.add(goal) paths = [] _ = brain.pathsToVictory(root, paths) assert(len(paths)==1) res = brain.evaluatePath(paths[0]) # Check results are correct before we add a block assert(res['attackCost']==1000) assert(res['pSuccess']==70) assert(a.pSuccess==100) block = Block(label="FIREWALL",implemented=True,cost=0,pDefend=50) block.insertBetween(a,b) paths = [] _ = brain.pathsToVictory(root, paths) res = brain.evaluatePath(paths[0]) print(res) assert(res['attackCost']==1000) assert(res['pSuccess']==35) if render: Renderer().render( root=root, fname=inspect.currentframe().f_code.co_name )
def test_quad_pathToVictory(render=True): root = Root("Root XXXX") goal = Goal("Goal") # Test with just one action root.add(Action(label="A")).add(goal) root.add(Action(label="B")).add(goal) root.add(Action(label="C")).add(goal) root.add(Action(label="D")).add(goal) brain = Brain() paths = brain.pathsToVictory(root) assert(len(paths) == 4) assert(len(paths[0]) == 3) assert(len(paths[1]) == 3) assert(len(paths[2]) == 3) assert(len(paths[3]) == 3) if render: Renderer().render( root=root, fname=inspect.currentframe().f_code.co_name )
def test_single_pathToVictory(render=False): root = Root("Root") goal = Goal("Goal") # Test with just one action root.add(Action(label="A")).add(goal) brain = Brain() paths = brain.pathsToVictory(root) print(paths) assert(len(paths) == 1) assert(len(paths[0]) == 3) if render: Renderer().render( root=root, fname=inspect.currentframe().f_code.co_name )
def test_multiplePathsToVitory(): root = Root("Root") goal = Goal("Goal") # Test with just one action root.add(Action(label="A")).add(goal) assert len(root.parentEdges) == 0 assert len(goal.parentEdges) == 1 assert goal.parentEdges[0].parentNode.label == "A" brain = Brain() paths = brain.pathsToVictory(root) assert len(paths) == len(goal.parentEdges) brain = Brain() paths = brain.pathsToVictory(root) assert len(paths) == len(goal.parentEdges)
from attacktree.models import Action, Block, Detect, Discovery, Edge from attacktree.renderer import Renderer with Renderer(root="Reality", goal="Attacker gets data from bucket") as graph: apiCache = Action( label="Search API Caches", chain="recon", cost=0, time=3, objective="Discover bucket paths", pSuccess=1.0, ) graph.root.add(apiCache, edge_label="#Yolosec") s3urls = Discovery( label="S3 Urls", description="The URL paths to various S3 buckets", sensitivity=3, value=0, ) apiCache.add(s3urls, edge_label="#Yolosec") downloadFiles = Action( chain="exfiltration", label="Download files from all buckets", cost=0, time=1, objective="Access confidential information stored in S3", pSuccess=1.0, detections=["CloudWatch", "DLP"],
def basicTree(): root = Root("Root") goal = Goal("Systems Access") # Create three top tier actions networkRecon = root.add( Action( label="Network Recon", chain=mitreAttack["recon"], cost=0, time=24, objective="Find network attack surface", pSuccess=100, detections=None, )) dnsEnumeration = root.add( Action( label="DNS Enumeration", chain=mitreAttack["recon"], cost=0, time=4, objective="Identify all subdomains", pSuccess=100, )) linkedInResearch = root.add( Action( label="LinkedIn Research", chain=mitreAttack["recon"], cost=0, time=6, objective= "Identify names and email addresses of current employees and customers", pSuccess=100, )) # Stuff learned from those activities vpnEndpoint = networkRecon.discovery("VPN Endpoints") sshEndpoint = networkRecon.discovery("SSH Endpoints") subdomains = dnsEnumeration.discovery("subdomains") employeeNames = linkedInResearch.discovery("Employee Names") keyCustomerNames = linkedInResearch.discovery("Key Customer Details") # Actions taken based on those discoveries credentialStuffing = Action( label="Credential Stuffing", chain=mitreAttack["credStuffing"], cost=500, time=12, objective="Try known username/password", pSuccess=100, ) _ = sshEndpoint.add(credentialStuffing) _ = vpnEndpoint.add(credentialStuffing) _ = employeeNames.add(credentialStuffing) sqlmap = subdomains.add( Action(label="sqlmap", chain=mitreAttack["execution"], cost=0, time=2, pSuccess=75)) nikto = subdomains.action("nikto") phishing = employeeNames.action("SET Phishing") keyCustomerNames.connectTo(phishing) # Action Results sqli = sqlmap.add( Discovery( label="Blind injection, viable RCE", description="", sensitivity=10, value=1000, )) dbExploit = sqli.add( Action( label="Craft & Deploy RCE", chain=mitreAttack["execution"], cost=0, time=2, pSuccess=75, )) # Action Results that get to the goal credentialStuffing.connectTo(goal, label="Passwords Reused") phishing.connectTo(goal, label="Credentials Stolen") dbExploit.connectTo(goal) return root
from attacktree.models import Action, Block, Detect, Discovery from attacktree.renderer import Renderer with Renderer(root="Reality", goal="Attacker gets data from bucket") as graph: apiCache = Action( label="Search API Caches", chain="recon", cost=0, time=3, objective="Discover bucket paths", pSuccess=1.0, ) siteMapsDisabled = Block( label="Sitemaps disabled", cost=0, description="Ensure sitemaps are disabled", complexity=1, implemented=False, pDefend=1.0, ) awsPublicBucketSearch = Action( label="AWS Public Bucket Search", chain="recon", cost=200, time=1, objective="Discover bucket paths", pSuccess=1.0, )
# ACI Breakout Tree # Based on the unit42 writeup here: from attacktree.models import Action, Block, Detect, Discovery, Edge, Root, Goal from attacktree.renderer import Renderer root = Root("Signed up to Azure") goal = Goal("Access to other tenants data") whoC = root.add(Action("Deploy WhoC container to view runtime")) omgRunC = whoC.discover("OLD runc version 1.0.0-r2") exploit = omgRunC.action("Deploy exploit container for CVE-2019-5736") shell = Root("Reverse shell on worker node") exploit.add(shell) creds = shell.discover("Read kubelet credentials from disk") describePods = creds.action("Call KubeAPI describe pods") pods = describePods.discover( "100+ customer pods on 120 nodes\nEach customer has their own namespace") versions = describePods.discover( "OLD Kubernetes versions v1.8.4, v1.9.10, v1.10.9") anonymousAccess = describePods.discover("Kubelets run with anonymous access") otherKubelet = anonymousAccess.action("Access another customer's kubelet") blockedbyFirewall = otherKubelet.block("Blocked by firewall", implemented=True) cve = versions.discover("CVE-2018-1002102 kube-api follows 302 redirect") exploit2 = cve.action("Attempt to redirect to kube-api pod") fail = exploit2.block( "ACI uses a 'bridge' POD which is not impacted by this issue", implemented=True)
from attacktree.models import Action, Block, Detect, Discovery, Edge from attacktree.renderer import Renderer with Renderer(root="Internet", goal="Launch Containers") as graph: breakApplication = Action(label="RCE in application") graph.root.add(breakApplication) patch = Block(label="Keep containers up to date", implemented=True) breakApplication.add(patch) executeSiloScape = Action(label="Execute Siloscape") breakApplication.add(executeSiloScape) systemPrivileges = Discovery(label="Privileged Access") executeSiloScape.add(systemPrivileges) symLinkDrive = Action(label="SymLink root volume") systemPrivileges.add(symLinkDrive) kubeConfig = Action(label="Find Kubernetes creds on disk") symLinkDrive.add(kubeConfig) deployMalicious = Action(label="Deploy malicious containers") kubeConfig.add(deployMalicious) runWindowsContainersWithLowPrivilege = Block( label="Windows containers have low privilege", implemented=False) deployMalicious.add(runWindowsContainersWithLowPrivilege) deployMalicious.add(graph.goal)