def dump(self, dump_name):
# download Cloudtrail logs from S3
# export Cloudwatch logs to S3 and then download them
folder = "attack_data/" + dump_name
os.mkdir(folder)
# Cloudtrail
if self.config['dump_cloudtrail_data'] == '1':
self.log.info("Dump Cloudtrail logs. This can take some time.")
aws_service.download_S3_bucket(
'AWSLogs', self.config['cloudtrail_s3_bucket'], folder,
self.config['cloudtrail_data_from_last_x_hours'],
self.config['cloudtrail_data_from_regions'].split(','))
# Cloudwatch
if self.config['dump_aws_eks_data'] == '1':
self.log.info(
"Dump AWS EKS logs from Cloudwatch. This can take some time.")
aws_service.download_cloudwatch_logs(self.config, folder)
# Sync to S3
if self.config['sync_to_s3_bucket'] == '1':
self.log.info(
"upload attack data to S3 bucket. This can take some time")
for file in self.getListOfFiles(folder):
self.log.info("upload file " + file + " to S3 bucket.")
p = pathlib.Path(file)
new_path = str(pathlib.Path(*p.parts[1:]))
aws_service.upload_file_s3_bucket(
self.config['s3_bucket_attack_data'], file, new_path)
def store_attack_data(self, results, test_file):
target_public_ip = aws_service.get_single_instance_public_ip(
test_file['target'], self.config)
if test_file['target'] == 'attack-range-windows-client':
runner = ansible_runner.run(
private_data_dir='.attack_range/',
cmdline=str('-i ' + target_public_ip + ', '),
roles_path="../ansible/roles",
playbook='../ansible/playbooks/attack_data.yml',
extravars={
'ansible_user': '******',
'ansible_password': self.config['win_password'],
'ansible_port': 5985,
'ansible_winrm_scheme': 'http'
},
verbosity=0)
else:
runner = ansible_runner.run(
private_data_dir='.attack_range/',
cmdline=str('-i ' + target_public_ip + ', '),
roles_path="../ansible/roles",
playbook='../ansible/playbooks/attack_data.yml',
extravars={
'ansible_user': '******',
'ansible_password': self.config['win_password']
},
verbosity=0)
aws_service.upload_file_s3_bucket('tmp/attack_data.txt', results,
test_file, False)
with tarfile.open('tmp/attack_data.tar.gz', "w:gz") as tar:
tar.add('tmp/attack_data.txt', arcname="attack_data.txt")
aws_service.upload_file_s3_bucket('tmp/attack_data.tar.gz', results,
test_file, True)
if os.path.exists('tmp/attack_data.tar.gz'):
os.remove('tmp/attack_data.tar.gz')
if os.path.exists('tmp/attack_data.txt'):
os.remove('tmp/attack_data.txt')
if runner.status == "successful":
self.log.info("successfully stored attack data in S3 bucket")
else:
self.log.info("failed to store attack data in S3 bucket")
def dump_attack_data(self, dump_name):
# copy json from nxlog
# copy raw data using powershell
# copy indexes
# packet capture with netsh
# see https://medium.com/threat-hunters-forge/mordor-pcaps-part-1-capturing-network-packets-from-windows-endpoints-with-network-shell-e117b84ec971
self.log.info("Dump log data")
folder = "attack_data/" + dump_name
os.mkdir(folder)
servers = []
if self.config['windows_domain_controller'] == '1':
servers.append('windows_domain_controller')
if self.config['windows_server'] == '1':
servers.append('windows_server')
# dump json and windows event logs from Windows servers
for server in servers:
server_str = ("attack-range-" + server).replace("_", "-")
target_public_ip = aws_service.get_single_instance_public_ip(
server_str, self.config)
if server_str == 'attack-range-windows-client':
runner = ansible_runner.run(
private_data_dir='.attack_range/',
cmdline=str('-i ' + target_public_ip + ', '),
roles_path="../ansible/roles",
playbook='../ansible/playbooks/attack_data.yml',
extravars={
'ansible_user': '******',
'ansible_password': self.config['win_password'],
'ansible_port': 5985,
'ansible_winrm_scheme': 'http',
'hostname': server_str,
'folder': dump_name
},
verbosity=0)
else:
runner = ansible_runner.run(
private_data_dir='.attack_range/',
cmdline=str('-i ' + target_public_ip + ', '),
roles_path="../ansible/roles",
playbook='../ansible/playbooks/attack_data.yml',
extravars={
'ansible_user': '******',
'ansible_password': self.config['win_password'],
'hostname': server_str,
'folder': dump_name
},
verbosity=0)
if self.config['sync_to_s3_bucket'] == '1':
for file in glob.glob(folder + "/*"):
self.log.info(
"upload attack data to S3 bucket. This can take some time")
aws_service.upload_file_s3_bucket(
self.config['s3_bucket_attack_data'], file,
str(dump_name + '/' + os.path.basename(file)))
def dump_attack_data(self, dump_name, last_sim):
self.log.info("Dump log data")
folder = "attack_data/" + dump_name
os.mkdir(os.path.join(os.path.dirname(__file__), '../' + folder))
server_str = ("ar-splunk-" + self.config['range_name'] + "-" +
self.config['key_name'])
if self.config['cloud_provider'] == 'aws':
target_public_ip = aws_service.get_single_instance_public_ip(
server_str, self.config)
ansible_user = '******'
ansible_port = 5986
elif self.config['cloud_provider'] == 'azure':
target_public_ip = azure_service.get_instance(
self.config, server_str, self.log)['public_ip']
ansible_user = '******'
ansible_port = 5985
with open(
os.path.join(os.path.dirname(__file__),
'../attack_data/dumps.yml')) as dumps:
for dump in yaml.full_load(dumps):
if dump['enabled']:
dump_out = dump['dump_parameters']['out']
if last_sim:
# if last_sim is set, then it overrides time in dumps.yml
# and starts dumping from last simulation
with open(
os.path.join(
os.path.dirname(__file__),
"../attack_data/.%s-last-sim.tmp" %
self.config['range_name']), 'r') as ls:
sim_ts = float(ls.readline())
dump['dump_parameters']['time'] = "-%ds" % int(
time.time() - sim_ts)
dump_search = "search %s earliest=%s | sort 0 _time" \
% (dump['dump_parameters']['search'], dump['dump_parameters']['time'])
dump_info = "Dumping Splunk Search to %s " % dump_out
self.log.info(dump_info)
out = open(
os.path.join(
os.path.dirname(__file__),
"../attack_data/" + dump_name + "/" + dump_out),
'wb')
splunk_sdk.export_search(
target_public_ip,
s=dump_search,
password=self.config['attack_range_password'],
out=out)
out.close()
self.log.info("%s [Completed]" % dump_info)
if self.config['sync_to_s3_bucket'] == '1':
for file in glob.glob(
os.path.join(os.path.dirname(__file__),
'../' + folder + '/*')):
self.log.info(
"upload attack data to S3 bucket. This can take some time")
aws_service.upload_file_s3_bucket(
self.config['s3_bucket_attack_data'], file,
str(dump_name + '/' + os.path.basename(file)), self.config)