facebookincubator / TTPForge
66%
main: 67%

LAST BUILD BRANCH: export-D82462428
DEFAULT BRANCH: main
Repo Added 14 Aug 2023 10:15AM UTC
Build 414 Last
Files 69
LAST BUILD ON BRANCH export-D76082173
27 Jun 2025 09:44PM UTC coverage: 65.927%. First build
15936554947

Pull #541

github

facebook-github-bot
Adding Kill Action to TTPForge (#541)

Summary:

# Adding Kill Action to TTPForge
## Summary
This diff introduces a new feature to the TTPForge framework, enabling the simulation of process killing on various operating systems, including Linux, MacOS, and Windows. This feature allows for more realistic and complex attack scenarios. The implementation includes action code, unit tests, utility functions & their tests, and example TTPs for Unix and Windows systems.

## Context
Many malware variants employ process killing as a tactic to create fake processes, facilitate DLL hijacking, and achieve other malicious objectives. Currently, TTPForge developers must manually rewrite the process killing code for each new implementation, which can be time-consuming and inefficient. With this update, we aim to streamline the development process by providing a reusable framework for process killing, thereby empowering developers to focus on creating more complex and realistic TTPs. 

## Impact
The added functionality allows for more realistic attack simulations, ultimately enhancing the security posture of organizations using the framework.

## Fields
You can specify the following YAML fields for the `kill_process:` action:
- `kill_process_id:` (type: `string`) the process ID of the process that you wish to kill
- `kill_process_name:` (type: `string`) the process name of the processes that you wish to kill

## Note
* If both `kill_process_id` and `kill_process_name` are specified, the action will only terminate the process with the specified process ID.

## References
* [TTPForge](https://github.com/facebookincubator/TTPForge/)
* [TTPForge Wiki](https://www.internalfb.com/wiki/Offensive_Security_Group/Projects/TTPForge_0/) 
* [TTPForge Developer Guide](https://www.internalfb.com/wiki/Offensive_Security_Group/Projects/TTPForge_0/Developer_Guide/)
* [Guide to Creating New TTPs in TTPForge](https://docs.google.com/document/d/1jJdg1A-SdlyKH_t3MLK5Vjh5LveGUTCujX... (continued)
Pull Request #541: Adding Kill Action to TTPForge

89 of 105 new or added lines in 3 files covered. (84.76%)

2198 of 3334 relevant lines covered (65.93%)

17.23 hits per line

Recent builds

| Build | Branch | Commit | Type | Ran | Committer | Via | Coverage |
|---|---|---|---|---|---|---|---|
| 15936554947 | export-D76082173 | Adding Kill Action to TTPForge (#541) | Pull #541 | 27 Jun 2025 09:45PM UTC | facebook-github-bot | github | 65.93 |
| 15934774126 | export-D76082173 | Adding Kill Action to TTPForge (#541) | Pull #541 | 27 Jun 2025 07:54PM UTC | facebook-github-bot | github | 66.52 |
| 15932629094 | export-D76082173 | Adding Kill Action to TTPForge | Pull #541 | 27 Jun 2025 05:49PM UTC | facebook-github-bot | github | 65.93 |