facebookincubator / TTPForge

66%

main: 67%

LAST BUILD ON BRANCH export-D78701235

branch: export-D78701235

CHANGE BRANCH

x

Reset

Sync Branches

• export-D78701235
• container
• container-fix
• coverage
• dep-lock
• dependabot/go_modules/golang.org/x/crypto-0.35.0
• doc-pc
• expect
• expected-step-failure
• export-D50618372
• export-D50635423
• export-D50708311
• export-D50892103
• export-D50990440
• export-D51069461
• export-D51070150
• export-D51139869
• export-D51171741
• export-D51180590
• export-D51306975
• export-D51307671
• export-D51407546
• export-D51428503
• export-D51434166
• export-D51434373
• export-D51435517
• export-D51437115
• export-D51439700
• export-D51449622
• export-D51449668
• export-D51451469
• export-D51457037
• export-D51458305
• export-D51459133
• export-D51459399
• export-D51459508
• export-D51459753
• export-D51467408
• export-D51475492
• export-D51482864
• export-D51495585
• export-D51498587
• export-D51520144
• export-D51520434
• export-D59696048
• export-D59864499
• export-D60238880
• export-D60419102
• export-D60423533
• export-D60686691
• export-D61042469
• export-D61387125
• export-D61657101
• export-D61658174
• export-D61662534
• export-D62530409
• export-D63457210
• export-D63702296
• export-D64108097
• export-D65080213
• export-D65831540
• export-D66702400
• export-D68783463
• export-D69546940
• export-D69863376
• export-D69953549
• export-D70136417
• export-D70192169
• export-D70499233
• export-D71635625
• export-D71739496
• export-D71841703
• export-D72669013
• export-D72670580
• export-D73053704
• export-D76082173
• export-D77463007
• export-D77619765
• export-D78497399
• export-D78521586
• export-D78753717
• export-D78761882
• export-D79202811
• export-D79562207
• export-D80822110
• export-D80826527
• export-D81613044
• export-D82462426
• export-D82462427
• export-D82462428
• fix-no-cleanup
• fixup-T168084774-main
• forge-integration-tests
• magefile-updates
• main
• mitre-yaml
• os-and-arch-metadata
• pt-code-owners
• renovate/actions-checkout-3.x
• renovate/actions-checkout-4.x
• renovate/actions-checkout-digest
• renovate/actions-setup-python-digest
• renovate/codespell-project-codespell-2.x
• renovate/docker-build-push-action-5.x
• renovate/docker-build-push-action-digest
• renovate/docker-login-action-3.x
• renovate/docker-setup-buildx-action-3.x
• renovate/docker-setup-buildx-action-digest
• renovate/docker-setup-qemu-action-3.x
• renovate/github-codeql-action-digest
• renovate/github.com-l50-goutils-v2-2.x
• renovate/github.com-spf13-afero-1.x
• renovate/github.com-tidwall-gjson-1.x
• renovate/go.uber.org-zap-1.x
• renovate/golang-1.x
• renovate/goreleaser-goreleaser-action-5.x
• renovate/goreleaser-goreleaser-action-digest
• renovate/pin-dependencies
• renovate/pre-commit-pre-commit-hooks-4.x
• renovate/python-3.x
• renovate/renovatebot-github-action-39.x
• renovate/returntocorp-semgrep-action-digest
• renovate/shogo82148-actions-goveralls-digest
• sfm-create-file-new
• sfm-create-file-step
• sfm-downgrade-afero
• sfm-downgrade-zap
• sfm-dry-run
• sfm-edit-and-create-refactor
• sfm-fix-asdf
• sfm-fix-indirects
• sfm-fix-logs-and-remove-viper
• sfm-fix-template-bug
• sfm-fix-token
• sfm-fix-usage
• sfm-fix-working-directory-handling
• sfm-install-command
• sfm-reduce-minimum-go-version
• sfm-remove-codeowner
• sfm-remove-json-string
• sfm-tmp-remove-vscode
• sfm-update-files-package
• sfm-update-gjson
• sfm-update-zap
• sfm-use-latest-release
• test
• test-refactor

Build # 16530976879

Build Type

Pull #548

github

Committed by facebook-github-bot

Commit Message

Parse YAML TTPs

Summary:
## Parse YAML TTPs

This diff introduces a new utility `parseutils` to TTPForge, which provides functionality to parse YAML TTPs. Using this, we updated the `enum ttps` command functionality.

This diff is a part of the future improvements discussed in the following [diff](https://www.internalfb.com/diff/D77619765).

### Context

Currently commands in TTPForge like Enum use the read file and regex functionalities to find certain data points in the YAML. This is not the most efficient way to extract/filter information from YAML as regex could lead to false positives and negatives.

To solve this problem, this diff implements parsing the YAML file to extract data on the basis of structures and updates the `enum ttps` command to use it as explored in this [document](https://docs.google.com/document/d/1OUihSxvrTHUK24kIH0VE3uHL-l6OBCL6iSPLIXLtx8E/edit?tab=t.0#heading=h.je60o44ihbi0).

### Impact
The added functionality allows **correct and easy data extraction** from TTPs also paving way for us to use this TTP data for other things like dashboard. This also promotes a more structured YAML file creation for TTPs going forward. This is highlighted by [TTPs](https://www.internalfb.com/code/security-ttpcode/ttps/purple-team-engagements/2025-Q2-Purple-Fleece/ttp01-exfil-model-to-s3-from-devserver-awscli/ttp.yaml) that were missed using the regex approach due to inverted commas being using in tactic and technique.

After implementing this diff, while testing we identified some TTPs that had errors. We also noted that when using the [security-ttpcode repo](https://www.internalfb.com/code/security-ttpcode/ttpforge-repo-config.yaml) gives us few redundant TTPs due to misconfiguration.

Following are the diffs created to fix the errors/improvements observed from this updated code while testing:
1) [Updating TTP Repo Config](https://www.internalfb.com/diff/D78836093)
2) [Fixing error in TTP for parsing](https://www.internalfb.com/diff/D78837... (continued)

Pull Request Pull Request #548: Parse YAML TTPs

Run Details

43 of 67 new or added lines in 2 files covered. (64.18%)

2405 of 3631 relevant lines covered (66.24%)

16.28 hits per line