A new Tripwire, but in Python

hacksplaining
3 min read · May 12, 2023


A few months ago, I wrote a PowerShell script called Tripwire, which is a virtual machine orchestration script, designed to supplement red|purple|blue team lab environments.

The overall intent of Tripwire has not changed, and its core functionality remains intact, with some new features added. I originally needed a way to easily power on my local VMware virtual machines and monitor for generated artifacts when testing new tools and techniques. As with most tools, each new version is an opportunity to improve what is there and add features.

https://github.com/gregohmyeggo/Tripwire.py

Tripwire

What’s new?

  • Written in Python
  • Security cases
  • Auto-closing alerts
  • C2 command logging

When you run Tripwire.py with the launch flag [-l, --launch], a new case is generated in ELK before “Red Ranger” starts monitoring for alerts. The case acts as a container for any alert data and comments added during the session.

If the user’s activity generates alerts, “Red Ranger” will still print the information in the console window, but now the alert is automatically attached to the case. As a red teamer this is helpful when I’m researching techniques and writing detections for the residual artifacts, which might otherwise get me caught by the blue team.

Another new feature added to Tripwire is the ability to track C2 framework commands (depending on the logging capabilities of the chosen framework). On the attacking system, I have configured Filebeat to monitor Sliver’s history file (.sliver-client/history), which is shipped to Kibana.

This process is specific to the C2 framework. For example, Covenant doesn’t log its history to a file, but the Grunt taskings can be queried via its Swagger API. See my post on Covenant’s API.

The commands are displayed in the console alongside the generated alerts.

These too are attached to the case.

Tracking the executed commands alongside triggered alerts during testing is a convenient way to note OPSEC considerations and, at the same time, to track how the actions may be detected. All of this information is stored in the session’s case and can be reviewed in the case notes view at a later time.

If the alert data returned in the console window is not sufficient, the script can be modified to return the full alert document as needed.

When finished, the script closes the case, syncs the status across all attached alerts, and closes them as well.
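The case lifecycle described above (open a case, attach each alert as it fires, close the case and have the alerts follow), as an added example that is not code from Tripwire.py. It assumes the Kibana Cases API (`POST /api/cases`, `POST /api/cases/{id}/comments`, `PATCH /api/cases` with `settings.syncAlerts`) and takes the HTTP transport as a parameter; the `FakeKibana` class is a constructed in-memory stand-in so the example runs offline.

```python
class CaseSession:
    def __init__(self, send, owner="securitySolution"):
        self.send, self.owner, self.case_id, self.version = send, owner, None, None  # send(method, path, body) -> JSON

    def open(self, title, tags):
        body = {"title": title, "description": "Tripwire session", "tags": tags, "owner": self.owner,
                "connector": {"id": "none", "name": "none", "type": ".none", "fields": None},
                "settings": {"syncAlerts": True}}  # closing the case then closes its alerts too
        resp = self.send("POST", "/api/cases", body)
        self.case_id, self.version = resp["id"], resp["version"]
        return self.case_id

    def attach_alert(self, alert_id, index, rule_id, rule_name):
        body = {"type": "alert", "alertId": alert_id, "index": index, "owner": self.owner,
                "rule": {"id": rule_id, "name": rule_name}}
        self.version = self.send("POST", f"/api/cases/{self.case_id}/comments", body)["version"]

    def close(self):
        # The update must carry the case's current version; Kibana rejects a stale one.
        body = {"cases": [{"id": self.case_id, "version": self.version, "status": "closed"}]}
        self.version = self.send("PATCH", "/api/cases", body)[0]["version"]

class FakeKibana:  # constructed in-memory stand-in for Kibana so the example runs offline
    def __init__(self):
        self.cases, self.alerts = {}, {}  # cases by id; alert id -> workflow status

    def send(self, method, path, body):
        if (method, path) == ("POST", "/api/cases"):
            cid = f"case-{len(self.cases) + 1}"
            self.cases[cid] = {**body, "id": cid, "version": 1, "status": "open", "comments": []}
            return self.cases[cid]
        if method == "POST" and path.endswith("/comments"):
            case = self.cases[path.split("/")[3]]
            case["comments"].append(body)
            case["version"] += 1
            if body["type"] == "alert":
                self.alerts.setdefault(body["alertId"], "open")
            return case
        if (method, path) == ("PATCH", "/api/cases"):
            upd = body["cases"][0]  # one case per update, as the session does
            case = self.cases[upd["id"]]
            if upd["version"] != case["version"]:
                raise RuntimeError("409 Conflict: stale case version")
            case["status"], case["version"] = upd["status"], case["version"] + 1
            if case["settings"]["syncAlerts"]:  # sync the new status across attached alerts
                for c in case["comments"]:
                    if c["type"] == "alert":
                        self.alerts[c["alertId"]] = upd["status"]
            return [case]
        raise ValueError(f"unexpected request: {method} {path}")
```

A real `send` would wrap an HTTP client with the Kibana API key and the `kbn-xsrf: true` header Kibana requires on every non-GET request.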

Tracking each session as its own case has been extremely beneficial when applied to my testing methodology. When developing payloads and applying evasion and obfuscation techniques to tools to bypass Windows Defender and other security products, file names, hashes, and other indicators can be viewed chronologically alongside the alerts to track the successes and failures of your testing process.

https://github.com/gregohmyeggo/Tripwire.py

If you have any questions, feel free to comment or send me a message.

Cybersecurity 🔴🟣🔵 teamer - husband, father, dog dad, professional golfer (with a day job).