Attack_range: Feature request: add configurable timeout delays exiting failed atomic red team tests

Created on 5 Feb 2020  ·  5 Comments  ·  Source: splunk/attack_range

One of the atomic red team tests seems to take upwards of 30 minutes to terminate in my testing. Not necessarily an issue but just want to make a feature request on maybe being able to configure in attack.conf the length of time we wait until we time out the state of the test (if that's even possible). Timestamps show beginning and end of execution of T1071 in my local testing:

Start: 2020-02-04 14:49:35
Finish: 2020-02-04 15:21:35

```
python attack_range.py -m terraform -a simulate -st T1071 -t attack-range-windows-domain-controller
```

```
2020-02-04 14:49:35,618 - INFO - attack_range - INIT - attack_range v1

PLAY [all] ***********************

TASK [atomic_red_team : Check we have installed Atomic Red Team] *****
ok: [44.228.118.166]

TASK [atomic_red_team : Copy Atomic Red Team PS module] ********
changed: [44.228.118.166]

TASK [atomic_red_team : Install Atomic Red Team PS Module] *******
changed: [44.228.118.166]

TASK [atomic_red_team : Clean up before execution C:\Windows\Temp] ***
changed: [44.228.118.166]

TASK [atomic_red_team : Recreate C:\Windows\Temp before execution] ***
changed: [44.228.118.166]

TASK [atomic_red_team : set_fact] **************
ok: [44.228.118.166]

TASK [atomic_red_team : Run Techniques] ************
ok: [44.228.118.166] => {
    "techniques": [
        "T1071"
    ]
}

TASK [atomic_red_team : Make Atomic Red Team Execution Directory] ****
changed: [44.228.118.166]

TASK [atomic_red_team : Run all Atomic Red Team Tests] *******
skipping: [44.228.118.166]

TASK [atomic_red_team : Run specified Atomic Red Team Technique] *****
changed: [44.228.118.166] => (item=T1071)

TASK [atomic_red_team : Check Execution Log File] **********
ok: [44.228.118.166]

TASK [atomic_red_team : Save Log File] *************
changed: [44.228.118.166]

TASK [atomic_red_team : Clean up processes] ************
changed: [44.228.118.166]

TASK [atomic_red_team : Clean up after execution] **********
changed: [44.228.118.166]

PLAY RECAP ***********************
44.228.118.166 : ok=13 changed=9 unreachable=0 failed=0 skipped=1 rescued=0 ignored=0

2020-02-04 15:21:35,465 - INFO - attack_range - successfully executed technique ID T1071 against target: attack-range-windows-domain-controller
```

bug enhancement

All 5 comments

@jzsplunk chatted a bit with the Atomic Red Team group, and it seems that this might be due to the fact that we do not configure the technique out of the box and set a valid domain name instead of example.com: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.yaml#L79 and thus you have 1000 requests time out. This is likely what is delaying that test. For now we would have to figure out a way to customize these tests, since it is not something we do.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

The new version will have a built-in feature for timeouts and other cool stuff.
https://redcanary.com/blog/invoke-atomicredteam-leaves-the-nest/

The following technique currently does not work: `python attack_range.py -m terraform -a simulate -st T1086 -t attack-range-windows-domain-controller` just hangs during execution.

This issue is not present in the latest develop branch after merging changes @P4T12ICK worked on
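
The configurable timeout requested at the top of this thread, as an added example that is not part of the thread and is not attack_range or Invoke-AtomicRedTeam code: a local wrapper that reads a time limit from a config file and terminates a hung run together with its child processes. The `[simulation]` section, the `technique_timeout_seconds` key and both function names are hypothetical, and the process-group handling assumes a POSIX host.

```python
import configparser
import os
import signal
import subprocess
import sys
import time

# Constructed sample config. The [simulation] section and the
# technique_timeout_seconds key are hypothetical, not real attack_range options.
SAMPLE_CONF = """
[simulation]
technique_timeout_seconds = 2
"""

def load_timeout(conf_text, default=1800.0):
    """Return the per-technique timeout in seconds, or `default` if unset."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    value = parser.getfloat("simulation", "technique_timeout_seconds", fallback=default)
    if value <= 0:
        raise ValueError("timeout must be positive")
    return value

def run_with_timeout(cmd, timeout_s):
    """Run cmd; on timeout kill its whole process group (POSIX only)."""
    started = time.monotonic()
    # start_new_session puts the child in its own process group, so helper
    # processes it spawns are terminated together with it.
    proc = subprocess.Popen(cmd, start_new_session=True)
    try:
        proc.wait(timeout=timeout_s)
        timed_out = False
    except subprocess.TimeoutExpired:
        os.killpg(proc.pid, signal.SIGTERM)      # polite stop first
        try:
            proc.wait(timeout=5)
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)  # force if SIGTERM is ignored
            proc.wait()
        timed_out = True
    return {"timed_out": timed_out, "returncode": proc.returncode,
            "elapsed": time.monotonic() - started}

if __name__ == "__main__":
    limit = load_timeout(SAMPLE_CONF)
    # Stand-in for a simulation run that hangs: a child that sleeps for 30 s.
    hung = [sys.executable, "-c", "import time; time.sleep(30)"]
    print(run_with_timeout(hung, limit))
```

A wrapper like this only bounds the local command; anything already started on the remote target still needs its own cleanup step, like the "Clean up processes" task in the log above.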
