Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers & so on can be tedious. I toyed with the idea of making it easier to script Empire
(or any frameworks/products/toolkits that provide APIs like Metasploit
(RPC), Cobalt-Strike & so on) using IDE like Visual Studio Code
(or equivalent). So I started to design AutoTTP. This is still very much work in progress. Please use Empire 2.2.
What is TTP?
Has been used “Stage” to group relevant “Tactics” together. If you look into the source tree, the folder structure reflects the matrix’s Tactics column. The matrix also mentioned respective controls for each offensive tactic. How did these stages came about?
The venn diagram in the middle of the red cycle is from Dartmouth College’s “Three Tenets for Secure Cyber-Physical System Design and Assessment”
. It defines the necessary & sufficient conditions, or simply the requirements of any successful physical/logical attacks. I added the red ring (stages) around the venn diagram to illustrate typical offensive flows which ultimately leads to impact of Information Confidentiality, Integrity, & System Availability or Safety if it is related Cyber-Physical (think Critical Information Infrastructure).
An attacker can start from Stage 1 and get straight into Stage 4 eg. default admin credentials on an publicly exposed admin page. It does not need to be linear (stage 1->2->3->4). After the initial infiltration, s/he could have performed some internal information gathering
(reconn) first before escalating privilege on the first machine & then launching a remote command to another target machine within the same network. For the next victim machine, it is a Stage 2; successful payload
delivery and execution which allows the attacker to gain command & control over yet another machine.