Information Security Preparedness Tool: Metta

Submitted by BURST, Thread ID: 82679

BURST, 02-04-2018, 05:55 AM (#1)
This post was last modified: 02-04-2018, 05:58 AM by BURST

Metta is an open-source information security preparedness tool for adversarial simulation. As an emerging concept, the industry has yet to settle on a definitive definition of adversarial simulation, but it involves simulating [components of] targeted attacks in order to test both an organization's instrumentation stacks and their ability to respond to the attack via their incident response process. This differs from Red Teaming in that adversarial simulation is typically a cooperative activity between the simulation runners and the simulation recipients with an end goal of validating defensive telemetry and testing incident response plans and playbooks.

Metta uses Redis/Celery, python, and vagrant with virtualbox to do adversarial simulation. This allows you to test (mostly) your host based instrumentation but may also allow you to test any network based detection and controls depending on how you set up your vagrants.

Metta parses yaml files with actions and uses celery to queue these actions up and run them one at a time without interaction. This takes away the need for any manual actions across your vagrants and will allow you to programmatically chain together actions into scenarios for detection rule validation, vendor testing, or creating events for your security team to triage.


Running actions

The various actions live in the MITRE folder sorted by MITRE ATT&CK phases and also in Adversarial_Simulation. Just run the python and yaml file of your choice.

Code:
$ python run_simulation_yaml.py -f MITRE/Discovery/discovery_account.yaml
YAML FILE: MITRE/Discovery/discovery_account.yaml
OS matched windows...sending to the windows vagrant
Running: cmd.exe /c net group \"Domain Admins\" /domain
Running: cmd.exe /c net user /add
Running: cmd.exe /c net user /domain
Running: cmd.exe /c net localgroup administrators
Running: cmd.exe /c net share
Running: cmd.exe /c net use
Running: cmd.exe /c net accounts
Running: cmd.exe /c net config workstation
Running: cmd.exe /c dsquery server
Running: cmd.exe /c dsquery user -name smith* | dsget user -dn -desc
Running: cmd.exe /c wmic useraccount list /format:list
Running: cmd.exe /c wmic ntdomain
Running: cmd.exe /c wmic group list /format:list
Running: cmd.exe /c wmic sysaccount list /format:list

Making actions

The actions and scenarios live in the MITRE folder sorted by MITRE ATT&CK phases and also in Adversarial_Simulation

The most important parts are the OS field and the purple_actions:
  • os: tells the tool which vagrant to send the command to; obviously *nix commands on windows won't work out so well
  • purple_actions: an array of commands to run sequentially

Making scenarios

Scenarios are a list of paths to actions. The code will be looking for a scenario: True field and scenario_actions list. Example below:
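To make the two file shapes concrete, here is an added dry-run validator (example code written for this post, not part of the Metta project). It parses an action file with the `os` and `purple_actions` fields described above and a scenario file with `scenario: True` and `scenario_actions`, routes each action to the vagrant its `os` names, and lists the process-creation telemetry a defender should expect to see for every command, which is the detection-validation use the tool is built for. Nothing is executed. The action and scenario contents are constructed (the `name` field and the linux action are assumptions, only `os`, `purple_actions`, `scenario` and `scenario_actions` come from the post), and the in-memory `ACTION_FILES` dict stands in for files on disk.

```python
"""Dry-run validator for Metta-style action and scenario YAML (added example).

Parses the flat `key: value` / `- item` layout these files use, checks the
fields the runner depends on, and maps each command to the host telemetry a
detection engineer should expect. No command is run.
"""

# Constructed action files keyed by path, standing in for files on disk.
ACTION_FILES = {
    "MITRE/Discovery/discovery_account.yaml": """---
name: discovery_account
os: windows
purple_actions:
  - cmd.exe /c net localgroup administrators
  - cmd.exe /c net share
  - cmd.exe /c net accounts
""",
    "MITRE/Discovery/discovery_nix_users.yaml": """---
name: discovery_nix_users
os: linux
purple_actions:
  - cat /etc/passwd
  - id
""",
}

# Constructed scenario chaining the two actions above.
SCENARIO_YAML = """---
name: discovery_scenario
scenario: True
scenario_actions:
  - MITRE/Discovery/discovery_account.yaml
  - MITRE/Discovery/discovery_nix_users.yaml
"""

# Which vagrant an `os` value is sent to, and the process-creation event a
# host sensor on that box should record for each command.
VAGRANTS = {
    "windows": "windows vagrant (expect Sysmon Event ID 1 / Security 4688)",
    "linux": "linux vagrant (expect auditd execve / EDR process event)",
}


def parse_flat_yaml(text):
    """Parse the flat YAML subset Metta files use: scalars and string lists."""
    doc = {}
    current_list = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "---" or line.lstrip().startswith("#"):
            continue
        stripped = line.lstrip()
        if stripped.startswith("- "):
            if current_list is None:
                raise ValueError("list item outside a list: %r" % line)
            current_list.append(stripped[2:].strip())
            continue
        key, sep, value = stripped.partition(":")
        if not sep:
            raise ValueError("cannot parse line: %r" % line)
        key, value = key.strip(), value.strip()
        if value == "":
            current_list = []          # `key:` with nothing after it opens a list
            doc[key] = current_list
        else:
            current_list = None
            if value.lower() in ("true", "false"):
                doc[key] = value.lower() == "true"
            else:
                doc[key] = value
    return doc


def load_action(path):
    """Load one action and check the two fields the runner depends on."""
    doc = parse_flat_yaml(ACTION_FILES[path])
    os_name = doc.get("os")
    if os_name not in VAGRANTS:
        raise ValueError("%s: unknown os %r, no vagrant to send it to" % (path, os_name))
    actions = doc.get("purple_actions")
    if not isinstance(actions, list) or not actions:
        raise ValueError("%s: purple_actions must be a non-empty list" % path)
    return doc


def plan_scenario(scenario_text):
    """Expand a scenario into (action path, os, command, expected telemetry) rows."""
    scenario = parse_flat_yaml(scenario_text)
    if scenario.get("scenario") is not True:
        raise ValueError("not a scenario file: missing 'scenario: True'")
    rows = []
    for path in scenario.get("scenario_actions", []):
        action = load_action(path)
        for cmd in action["purple_actions"]:
            rows.append((path, action["os"], cmd, VAGRANTS[action["os"]]))
    return rows


if __name__ == "__main__":
    for path, os_name, cmd, where in plan_scenario(SCENARIO_YAML):
        print("%-45s %-7s %s\n    -> %s" % (path, os_name, cmd, where))
```

Running the plan before the real simulation gives the blue team a checklist: one expected process-creation event per row, each with a known command line, so a rule that fires for none of them is a telemetry gap rather than a tooling question.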

RE: Information Security Preparedness Tool: Metta

K4C4K2, 05-04-2018, 06:48 PM (#2)
There are more developed deficiencies that I might try to use.