flightsim
A utility to safely generate malicious network traffic patterns and evaluate controls.
There was a request for configurable delay between modules, so it's easier to identify results in the SIEM. Sounds as simple as adding a sleep in the loop.
DoH and DoT. TODO: DNSCrypt
Makes use of https://metrics.torproject.org/onionoo.html to obtain active Tor relays. Underlying simulation is carried out by TCPConnectSimulator.
Sister commit to https://github.com/alphasoc/open-wisdom/pull/31
An increasing amount of malware is using non-ICANN domains (e.g. `.bazar` as used by [Team9](https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/)) for C2, which are resolved via OpenNIC servers that we mark within Wisdom as `alt_dns`....
Something along these lines:
```
$ ./flightsim run imposter
[...]
05:54:16 [imposter] Done (5/5)

All done! Check your SIEM for alerts using the timestamps and details above.
$ echo $?...
```
We should somehow document each module so users know what they're for and why they're important. I had intended to describe new modules in the release notes, but these...
Add some concept of pre-checks. If interfaces are invalid, etc., die before running any simulations. Allow an override for this though (i.e. `--nochecks`) or something along those lines.
-format cols 5 -format json