{"id":21469945,"url":"https://github.com/dobin/ace-firefist","last_synced_at":"2025-07-15T06:32:30.297Z","repository":{"id":184665588,"uuid":"602987161","full_name":"dobin/ace-firefist","owner":"dobin","description":"Attack chain emulator. Write recipes for initial access easily","archived":false,"fork":false,"pushed_at":"2023-03-25T07:31:27.000Z","size":15278,"stargazers_count":16,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-04-09T16:16:32.094Z","etag":null,"topics":["initial-access","malware","malware-research","redteam"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dobin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-02-17T11:26:57.000Z","updated_at":"2023-10-31T06:09:53.000Z","dependencies_parsed_at":"2023-07-29T15:42:38.778Z","dependency_job_id":null,"html_url":"https://github.com/dobin/ace-firefist","commit_stats":null,"previous_names":["dobin/ace-firefist"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Face-firefist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Face-firefist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Face-firefist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dobin%2Face-firefist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dobin","download_url":"https://codeload.github.com/dobin/ace-firefist/tar.gz/refs/head
s/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226023551,"owners_count":17561483,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["initial-access","malware","malware-research","redteam"],"created_at":"2024-11-23T09:19:51.226Z","updated_at":"2024-11-23T09:19:51.930Z","avatar_url":"https://github.com/dobin.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ACE Fire Fist \n\nAttack Chain Emulator. Like pwntools, but for initial access and execution. Like AtomicRedTeam, but the components can be freely combined. \n\nIt can generate artefacts to implement techniques in recipes. \nRecipes use Makers, which can be freely combined to perform complex multi-stage attack chains.\n\nThe following threat actor recipes are available: \n* PY#RATION 1.0\n* PY#RATION 1.6\n* Raspberry Robin\n* Ursnif\n\nThis can be used for purple teaming, EDR use case verification, PoCs and red team attack development.\nThese can also be used to test your CSIRT or forensic investigation process. \nRecipes are based on real attacks of known threat actors. \n\n![raspberryrobin](https://github.com/dobin/ace-firefist/blob/main/docs/gifs/raspberryrobin.gif?raw=true)\n\n\n# Usage Notes\n\nAll malicious code has been removed, all source code reviewed and tested.\nAll binaries can be recompiled (or the recipe will be marked with `binaries`).\n\nUsage: \n* Disable AV if you want to execute the whole chain (only active EDR)\n* Use it in a VM\n* Most Threat Actor payloads don't have proxy support. 
A direct connection is preferred\n* Use `cleanup.bat` to remove all artefacts on disk\n* Recipes are tagged `binaries = [Files]` if they have binaries without source available (e.g. copied rundll32.exe)\n\n\n## Further Documentation\n\nIf you want to write code by yourself, be it Recipes or Makers: \n* [How To Use](docs/howtouse.md) ACE for development\n\nMakers overview: \n* [Makers](docs/makers/) list and API\n\nFor an overview and more details about the recipes, see:\n* [Recipe Overview](docs/recipes.md)\n\n\n## Write a Recipe Example \n\nA recipe which uses MSHTA to execute PowerShell code.\n\nThis recipe \ngenerates an HTA file based on a template which executes PowerShell code (displaying a message box),\nand makes it available via HTTP at http://localhost:5000/test.hta. Available as recipe 3. \n\nSource:\n```py\n# MSHTA -\u003e Powershell:MessageBox\ndef recipe_3():\n    ps1msgbox: AceStr = makePowershellMessageBox()\n    ps1msgbox: AceStr = makePowershellEncodedCommand(ps1msgbox)\n\n    cmd: AceStr = AceStr(\"powershell.exe -EncodedCommand {}\".format(ps1msgbox))\n    hta: AceStr = makeMshtaJscriptExec(cmd)\n    htaFile: AceFile = makeAceFile(\"test.hta\", hta)\n\n    containerServe: AceRoute = makeAceRoute('/test.hta', hta, download=True, downloadName='test.hta')\n    serve(containerServe)\n```\n\nWhile the packing flows forward, to see what the victim\nis executing, look at it from the bottom upwards:\n* Access a URL `/test.hta` with the `test.hta` file and download it\n* Execute the `test.hta` file by double clicking it\n* The HTA file executes PowerShell code by invoking `powershell -encodedCommand ...`, which shows a message box\n\n\nGenerate the artefacts and start the web server:\n```sh\n$ rm out/*; python3 ace.py --recipe recipe_3\n--[ 00:  makePsScriptMessagebox() -\u003e 1\n--[ 00:    renderTemplate(messagebox.ps1) -\u003e 0\n--[ 02:  makeCmdFromPsScript(1) -\u003e 4\n--[ 02:    makePsCommandFromPsScript(1) -\u003e 2\n--[ 03:    makeCmdFromPsCommand(2) 
-\u003e 4\n--[ 03:      makePsEncodedCommand(2) -\u003e 3\n--[ 05:  makeHtaFromCmdByJscriptWscript(4) -\u003e 6\n--[ 05:    renderTemplate(hta-jscript-exec.hta) -\u003e 5\n--[ 07:  makeAceFile(6) -\u003e 7\n--[ 08:  makeAceRoute(/test.hta, 6)\n\nRoutes:\n  /                       Recipe overview\n  /out/\u003cfilename\u003e         out/ files\n  /static/\u003cfilename\u003e      static/ files\n  /test.hta          (3)  Download: True test.hta\n\n * Serving Flask app 'web' (lazy loading)\n```\n\nGo to `http://localhost:5000` for an overview page with all of the above information. Open http://localhost:5000/test.hta to start the attack chain.\n\nGenerated files:\n```\n$ ls -1 out/\nout_00_renderTemplate.txt\nout_01_makePsScriptMessagebox.txt\nout_02_makePsCommandFromPsScript.txt\nout_03_makePsEncodedCommand.txt\nout_04_makeCmdFromPsCommand.txt\nout_04_makeCmdFromPsScript.txt\nout_05_renderTemplate.txt\nout_06_makeHtaFromCmdByJscriptWscript.txt\nout_07_file_test.hta\n```\n\nVideo of Raspberry Robin recipe: \n\n\n## Install ACE\n\n```\n$ pip install -r requirements.txt\n$ sudo apt install rar\n```\n\nIf you don't trust my binaries in `payloads/`:\n```\n$ sudo apt install mingw-w64\n$ cd native\n$ make\n```\n\n\n## Standalone example\n\nSee `example.py` for a standalone script recipe. \n\nGet inspiration from the recipes in the `recipes/` folder.\n\n\n## Directories\n\n* `out/`: generated artefacts\n* `static/`: files served in web server under `static/`\n* `payload/`: files used as payloads (not served via web)\n\n\n## Makers\n\nThe folder `make/` contains directories of Python code which\ncreate certain things, be it ZIP files, OneNote phishing files or\nPowerShell loaders. 
These makers implement Techniques from TTP.\nSee [How To Use](docs/howtouse.md) on how to develop them.\n\nStructure:\n* make/thing/thing.py: makeTheThing(stuff: AceBytes) -\u003e AceStr\n* make/thing/thing-template.txt\n* make/thing/thing-template.txt.yaml\n\n\n## Libraries\n\n* libs/pylnk3: pylnk3-dev, as it has an important bugfix. No deps. GPL3.\n* libs/librar: librar, patched for python3 and some smaller things. No deps. No License.\n\n\n## Generate Docs\n\nFor makers: [pdoc3](https://pdoc3.github.io/pdoc/)\n```\n$ cd ace-firefist/\n$ bash makedoc.sh\n```\n\n## Other related projects\n\n* Atomic Red Team\n* Caldera\n* Scythe\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Face-firefist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdobin%2Face-firefist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdobin%2Face-firefist/lists"}