{"id":13482138,"url":"https://github.com/jymcheong/AutoTTP","last_synced_at":"2025-03-27T12:32:23.161Z","repository":{"id":47480080,"uuid":"102699677","full_name":"jymcheong/AutoTTP","owner":"jymcheong","description":"Automated Tactics Techniques \u0026 Procedures","archived":false,"fork":false,"pushed_at":"2023-05-26T14:18:54.000Z","size":9973,"stargazers_count":251,"open_issues_count":0,"forks_count":64,"subscribers_count":24,"default_branch":"master","last_synced_at":"2024-10-30T15:51:17.884Z","etag":null,"topics":["cybersecurity","empire","powershell","procedure","python","tactics"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jymcheong.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2017-09-07T06:25:53.000Z","updated_at":"2024-09-09T02:37:27.000Z","dependencies_parsed_at":"2022-08-25T20:10:24.729Z","dependency_job_id":"96e4ef4a-3613-409b-8386-caaeb5696d6d","html_url":"https://github.com/jymcheong/AutoTTP","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jymcheong%2FAutoTTP","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jymcheong%2FAutoTTP/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jymcheong%2FAutoTTP/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jymcheong%2FAutoTTP/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jymcheong","download_url":"https://codeload.github.com/jymcheong/AutoTTP/tar.gz
/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245845287,"owners_count":20681881,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","empire","powershell","procedure","python","tactics"],"created_at":"2024-07-31T17:00:59.367Z","updated_at":"2025-03-27T12:32:22.373Z","avatar_url":"https://github.com/jymcheong.png","language":"Python","funding_links":[],"categories":["IR Tools Collection","IR tools Collection","📦 Legacy \u0026 Inactive Projects"],"sub_categories":["Adversary Emulation"],"readme":"# AutoTTP\nAutomated Tactics Techniques \u0026 Procedures. Re-running complex sequences manually for regression tests, product evaluations, generating data for researchers \u0026 so on can be tedious. I toyed with the idea of making it easier to script [Empire](https://github.com/EmpireProject/Empire) (or any frameworks/products/toolkits that provide APIs, like Metasploit (RPC), Cobalt-Strike \u0026 so on) using an IDE like [Visual Studio Code](https://code.visualstudio.com) (or equivalent). So I started to design AutoTTP. This is still very much a work in progress. *Test with Empire 2.2.*\n\n![](https://raw.githubusercontent.com/jymcheong/AutoTTP/master/screenshots/empireScripting.gif)\n\n[YouTube - Overview \u0026 Selected Techniques Deep-Dive](https://www.youtube.com/watch?v=aW_imj75M_A\u0026t=215s)\n\n## What is TTP?\n![](screenshots/ttp.png)\n\nIn my case, the tactics are organized as per my [Attack Life Cycle model](https://attacklifecycle.github.io). 
There are other models like [Lockheed Martin's Kill-Chain(R)](http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html), [Mandiant Attack Life Cycle](http://www.iacpcybercenter.org/resource-center/what-is-cyber-crime/cyber-attack-lifecycle/) \u0026 [Mitre's ATT\u0026CK](https://attack.mitre.org). Whichever model it may be, *a \"Tactic\" essentially groups techniques together*, e.g. code-execution/run-payload can be achieved in many ways:\n\n![](screenshots/ALCmatrix.png)\n\nI use \"Stage\" to group relevant \"Tactics\" together. If you look into the source tree, the folder structure reflects the matrix's Tactics column. The matrix also lists the respective controls for each offensive tactic. How did these stages come about?\n\n![](screenshots/ALC-3tenetsModel.png)\n\nThe Venn diagram in the middle of the red cycle is from Dartmouth College's [\"Three Tenets for Secure Cyber-Physical System Design and Assessment\"](http://www.dartmouth.edu/~gvc/ThreeTenetsSPIE.pdf). It defines the necessary \u0026 sufficient conditions, or simply the requirements, of any successful physical/logical attack. I added the red ring (stages) around the Venn diagram to illustrate typical offensive flows, which ultimately lead to an impact on Information Confidentiality, Integrity \u0026 System Availability, or on Safety if it is Cyber-Physical related (think Critical Information Infrastructure).\n\nAn attacker can start from Stage 1 and get straight into Stage 4, e.g. default admin credentials on a publicly exposed admin page. It does not need to be linear (stage 1-\u003e2-\u003e3-\u003e4). After the initial infiltration, s/he could have performed some internal information gathering (reconn) first before escalating privilege on the first machine \u0026 then launching a remote command to another target machine within the same network. 
For the next victim machine, it is Stage 2: successful payload delivery and execution, which allows the attacker to gain command \u0026 control over yet another machine.\n\n## What does a Procedure look like?\n\n![](https://raw.githubusercontent.com/jymcheong/AutoTTP/master/screenshots/procedureVStechniques.png)\n\nThe [file on the left](https://github.com/jymcheong/AutoTTP/blob/master/bypassUAC_procedure_example.py) is a procedure script, the right is a [technique script](https://github.com/jymcheong/AutoTTP/blob/master/stage3/internal_reconn/windows/empire_is_user_admin.py). Notice that the procedure script is not littered with Empire-specific details; most of those are encapsulated in the technique script. Procedure scripting should focus on the sequence of techniques using the assets' information, e.g. hostname/ip, which email address to send the payload to, which payload technique \u0026 so on.\n\nThe example of *\"is user admin?\"* actually consists of a few steps since there are at least 3 possibilities, as spelt out in the script's comments. We can of course create custom \"macros\" in Empire, Metasploit \u0026 what not, but they become tightly coupled to a particular framework/product. We want to take advantage of the tools out there \u0026 organize reusable techniques into modules so as to mix \u0026 match at a Procedural level (i.e. the automation).\n\n## How to make it easier?\n![](screenshots/autocomplete.png)\n\nI took advantage of the well-structured modules in Empire to create an auto-complete Python class. Instead of typing the full module name (e.g. powershell/situational_awareness....), just use the IDE's autocomplete capabilities.\n\n![](screenshots/requiredoptions.png)\n\nEach module has options (true for most if not all frameworks). The thing with Empire is that once you run it as REST/headless (more on this later), there is NO console in which to look at the module options. In the autocomplete-helper class, each module has an *options* sub-class. 
The required options are prefixed as shown above, so we can populate those options with values first before calling a module. \n\n![](screenshots/moduledesc.png)\n\nThe description of each module is also included as part of the Python class documentation \u0026 will display on hover over the class. Since there are 276 modules (as of Empire 2.1), this helper class will need some scripting to create! Source: [https://gist.github.com/jymcheong/22c2eede978c8eb694945e3347c20c6b](https://gist.github.com/jymcheong/22c2eede978c8eb694945e3347c20c6b)\n\nWith IDEs like Visual Studio Code (or equivalent), one can watch variables in the debugger, step through the script, or even modify the script *while debugging/stepping* once the structure of the return values is known. Empire's REST API docs are there, but sometimes we don't know the exact return values until we run the module. That leads to the next topic.\n\n## Empire with RESTful API listener \u0026 Console\nAs much as we want to do everything in the IDE, you will still need the console. The author of [DeathStar](https://github.com/byt3bl33d3r/DeathStar) already knew that while developing that script, which automates the 0wning of Domain Admin using Empire. I borrowed his idea but adapted his threading approach for Empire 2.1, since his approach won't work with the refactored start-RESTful-API function. Source: [https://gist.github.com/jymcheong/6a7668ecf73c29dd1d234d1c76ef438c](https://gist.github.com/jymcheong/6a7668ecf73c29dd1d234d1c76ef438c)\n\nThere is NO need to hack the Empire script since Empire 2.2 has the command loop handler while running in REST mode. *However, DO NOT interact with an agent while using the API to get that agent's results.*\n\n## Credits\nShout outz to @radioboyQ for his EmpireAPIWrapper, @allfro \u0026 @Mikaayenson for pymetasploit, \u0026 to @byt3bl33d3r, MTFBWU. 
\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjymcheong%2FAutoTTP","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjymcheong%2FAutoTTP","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjymcheong%2FAutoTTP/lists"}