feat: c2-event evidence type #1086
Conversation
nbaertsch
requested review from
jkennedyvz,
jrozner and
JoelAtDeluxe
as code owners
|
Saw this come in. Should have some time tomorrow to look through the PR. We're happy to adopt the ingestor repo over to the org. I think that makes sense as well. Do you have some samples of logs from brute ratel or cobalt strike so that we can test things end to end? Also, are the ingestors public currently? |
| userContext: string,// The user context that the implant/beacon/agent is running under | ||
| integrity: string, // "Low", "Medium", "High", "System" | ||
| processName: string,// process image file shortname | ||
| processID: number, // is 'number' acceptable here? Its a float :/ |
There was a problem hiding this comment.
Yeah, number could be fine here. That corresponds to a double sized float.
But, are you sure this is a number at all? I don't know the format, but usually IDs are strings, even if they're only comprised of numbers. A number implies you can, say, add processIDs. Does it make sense to add these IDs?
There was a problem hiding this comment.
That being the case, string may be more appropriate.
There was a problem hiding this comment.
processID here is the PID of the beacon process - for context.
Just made the ingestors public here. There are some (very succinct) sample logs there for BR and CS (no mythic atm), as well as a python script to simulate log writing to test the ingestors. |
| if (props.evidence.contentType === 'codeblock') { | ||
| React.useEffect(() => { | ||
| getEvidenceAsCodeblock({ | ||
| operationSlug: props.operationSlug, | ||
| evidenceUuid: props.evidence.uuid, | ||
| }).then(codeblockField.onChange) | ||
| }, [props.evidence.contentType, codeblockField.onChange, props.operationSlug, props.evidence.uuid]) |
There was a problem hiding this comment.
It's been a bit since I last did regular work in react, but I believe that we still want all of the hooks to always execute -- this shouldn't be in a conditional.
| result: c2e.result, | ||
| } | ||
|
|
||
| evidence.metadata = {} |
There was a problem hiding this comment.
Is there any reason you did this assignment outside of the main evidence creation above? Seems like you could have just done (omitting some lines here):
const evidence: JsonC2Evidence = {
c2: c2e.c2,
//...
result: c2e.result,
metadata: {}, // or c2e.metadata ?? {}
}| // Copyright 2020, Verizon Media | ||
| // Licensed under the terms of the MIT. See LICENSE file in project root for terms. |
There was a problem hiding this comment.
I think the majority of copyright headers have been removed, and we could probably drop the header. @jrozner or @jkennedyvz can verify.
There was a problem hiding this comment.
That's correct @JoelAtDeluxe we no longer use copyright headers in each file.
| const cx = classnames.bind(require('./stylesheet')) | ||
|
|
||
|
|
||
| export const C2EventTextArea = React.forwardRef((props: SharedProps & { |
There was a problem hiding this comment.
Why did you decide to create a text area here, rather than reuse the one from components/input ?
| <script src="/assets/main.js"></script> | ||
| </body> | ||
| </html> | ||
| <head> |
There was a problem hiding this comment.
This is the modified version of the file that is generated by webpack after it generates the css and js. We don't want to include this version in the PR.
|
I've added the missing |
Adding an evidence type to capture C2 events in ASHIRT.
We have ingestors (python script + systemd service file) for both Cobalt Strike and Brute Ratel, though both have some bugs we are working through squashing. If we like the direction of adding this feature into ASHIRT I'd be partial to the ingestor repo being owned by ashirt-ops so that they can live with the rest of the project.
I confirm that this contribution is made under the terms of the license found in the root directory of this repository's source tree and that I have the authority necessary to make this contribution on behalf of its copyright owner.