New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: c2-event evidence type #1086
base: main
Are you sure you want to change the base?
Conversation
Saw this come in. Should have some time tomorrow to look through the PR. We're happy to adopt the ingestor repo over to the org. I think that makes sense as well. Do you have some samples of logs from brute ratel or cobalt strike so that we can test things end to end? Also, are the ingestors public currently? |
userContext: string,// The user context that the implant/beacon/agent is running under | ||
integrity: string, // "Low", "Medium", "High", "System" | ||
processName: string,// process image file shortname | ||
processID: number, // is 'number' acceptable here? Its a float :/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, number
could be fine here. That corresponds to a double sized float.
But, are you sure this is a number at all? I don't know the format, but usually IDs are strings, even if they're only comprised of numbers. A number implies you can, say, add processIDs. Does it make sense to add these IDs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That being the case, string may be more appropriate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
processID here is the PID of the beacon process - for context.
Just made the ingestors public here. There are some (very succinct) sample logs there for BR and CS (no mythic atm), as well as a python script to simulate log writing to test the ingestors. |
if (props.evidence.contentType === 'codeblock') { | ||
React.useEffect(() => { | ||
getEvidenceAsCodeblock({ | ||
operationSlug: props.operationSlug, | ||
evidenceUuid: props.evidence.uuid, | ||
}).then(codeblockField.onChange) | ||
}, [props.evidence.contentType, codeblockField.onChange, props.operationSlug, props.evidence.uuid]) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's been a bit since I last did regular work in react, but I believe that we still want all of the hooks to always execute -- this shouldn't be in a conditional.
result: c2e.result, | ||
} | ||
|
||
evidence.metadata = {} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any reason you did this assignment outside of the main evidence creation above? Seems like you could have just done (omitting some lines here):
const evidence: JsonC2Evidence = {
c2: c2e.c2,
//...
result: c2e.result,
metadata: {}, // or c2e.metadata ?? {}
}
// Copyright 2020, Verizon Media | ||
// Licensed under the terms of the MIT. See LICENSE file in project root for terms. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the majority of copyright headers have been removed, and we could probably drop the header. @jrozner or @jkennedyvz can verify.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's correct @JoelAtDeluxe we no longer use copyright headers in each file.
const cx = classnames.bind(require('./stylesheet')) | ||
|
||
|
||
export const C2EventTextArea = React.forwardRef((props: SharedProps & { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why did you decide to create a text area here, rather than reuse the one from components/input
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall things seem to work. I wasn't able to actually test with real data using the ingestors because the ashirt_worker
import is failing. Is that a separate file that you have created that isn't included within the repo?
<script src="/assets/main.js"></script> | ||
</body> | ||
</html> | ||
<head> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the modified version of the file that is generated by webpack after it generates the css and js. We don't want to include this version in the PR.
I've added the missing |
Adding an evidence type to capture C2 events in ASHIRT.
We have ingestors (python script + systemd service file) for both Cobalt Strike and Brute Ratel, though both have some bugs we are working through squashing. If we like the direction of adding this feature into ASHIRT I'd be partial to the ingestor repo being owned by ashirt-ops so that they can live with the rest of the project.
I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.