
Cleanup Categories #883

Closed
5 of 14 tasks
emtuls opened this issue Feb 1, 2024 · 8 comments
Labels
🌀 COMMANDO-VM A package or future to be used by COMMANDO VM 🌀 FLARE-VM A package or feature to be used by FLARE-VM 💎 enhancement It is working, but it could be better ❔ discussion Further discussion is needed

Comments

@emtuls
Member

emtuls commented Feb 1, 2024


@mandiant/flare-vm @mandiant/commando-vm
I recently went through all of our tool packages and noticed a few changes that I think could be made.

Unnecessary or Underused Categories

Currently, of the 35 categories we have, 9 of them have no tools associated with them:

  • Active Directory
  • Cloud
  • Evasion
  • Persistence
  • PowerShell
  • Python
  • Text Editors
  • Vulnerability Analysis
  • Web Application

Should we remove these categories or attempt to make use of them?
For instance:

  • Text Editors could likely have notepad++ added to it, and possibly VSCode (not currently a package yet)
  • Web Application could include Burp Suite which is currently listed as a Utility (though it could also go into Networking)

New Categories to Improve Organization and Clarity

Our largest category is Utilities with a total of 38 tools. I think we could possibly introduce a couple more categories to reduce this a little bit. I propose the following new categories (open to suggestions/changes):

  • Shellcode
    • blobrunner
    • blobrunner64
    • scdbg
    • shellcode_launcher
    • eventually whatever shellcode -> PE tool we decide to go with
  • Registry
  • File Information
    • die
    • exeinfope
    • exiftool
    • file
    • floss
    • goresym
    • hashmyfiles
    • resourcehacker
  • Productivity Tools
    • 7zip
    • cygwin
    • googlechrome
    • tor browser
    • visualstudio
    • vcbuildtools
  • Memory
    • PE-Sieve
    • HollowsHunter
    • processdump
@emtuls emtuls added 💎 enhancement It is working, but it could be better ❔ discussion Further discussion is needed 🌀 FLARE-VM A package or feature to be used by FLARE-VM 🌀 COMMANDO-VM A package or future to be used by COMMANDO VM labels Feb 1, 2024
@day1player
Contributor

Tagging @nos3curity @geo-lit @Menn1s for Commando. We refined all of the Commando categories in August last year; I think this mostly aligns with what we had created.

@Menn1s
Contributor

Menn1s commented Feb 1, 2024

I'm surprised those 9 don't have any tools yet. I think we will need to circle back and take a look at those and see what can be added (such as notepad++).
It may also give rise to a more fundamental issue of where we're categorizing both "phase of the attack lifecycle" and the "target environment". Seems like there will always be overlap if we do that.

As far as introducing categories to break up utilities, this seems like a great idea for clarity. Will Utilities be removed entirely? I can see Productivity Tools basically taking its place.

@nos3curity
Contributor

I agree that most of the mentioned categories either need a revamp or outright deletion, with a few exceptions - cloud, evasion, vuln analysis, and web.

Cloud is necessary, because as common as it is to integrate with AD and traditional environments, it's still a separate beast testing-wise. If we distribute cloud tools among other categories, they will be a pain to find if you are only looking to do cloud testing.

Same thing with evasion. The category is underutilized because it hasn't been a major focus for Commando, considering that our target is penetration testing, not adversary simulation. I think if we scatter the evasive tools across categories, they might be a pain to find as well, but I'm open to hearing what others say about that.

I don't mind vuln analysis getting the boot, but we need to figure out where vulnerability scanning tools should go if it's gone. If memory serves me right, we largely kept that category just because we couldn't figure out what else to classify them as.

And lastly, web is largely a placeholder category at this moment. It's been one of our plans to expand the arsenal of web tooling in Commando, however, we're still getting through other priorities.

@day1player
Contributor

@nos3curity could you list all of the categories we know for sure we need for Commando? I think that would help.

@emtuls
Member Author

emtuls commented Feb 1, 2024

> I'm surprised those 9 don't have any tools yet. I think we will need to circle back and take a look at those and see what can be added (such as notepad++). It may also give rise to a more fundamental issue of where we're categorizing both "phase of the attack lifecycle" and the "target environment". Seems like there will always be overlap if we do that.
>
> As far as introducing categories to break up utilities, this seems like a great idea for clarity. Will Utilities be removed entirely? I can see Productivity Tools basically taking its place.

notepad++ seems to just be being installed and no shortcut is placed into any category, but I think this should be adjusted. The addition of VSCode which may be considered soon could also have this be added to Text Editors, or we could place both of them into Productivity Tools instead and simply get rid of Text Editors.

I think Utilities should stay for things related to either CommandoVM or FlareVM more directly (i.e., useful tools that directly relate to Malware Analysis or Pentesting), but not abstractable to a general usability level (think, chrome or 7zip type tool).

@Ana06
Member

Ana06 commented Feb 19, 2024

> @day1player
>
> @nos3curity could you list all of the categories we know for sure we need for Commando? I think that would help.

@nos3curity I think you have missed this comment. Could you please provide the categories you need, so that we can remove the rest?

@day1player
Contributor

@Ana06 apologies, here are the categories we need for Commando, might be able to time with the other PR:

  • Payload Development
  • Reconnaissance
  • Exploitation
  • Persistence
  • Command & Control
  • Privilege Escalation
  • Credential Access
  • Lateral Movement
  • Utilities
  • Wordlists

@emtuls
Member Author

emtuls commented Feb 29, 2024

@day1player Made that change in #903. Thank you!

@emtuls emtuls closed this as completed Mar 5, 2024