/TTPForge

The TTPForge is a Cybersecurity Framework for developing, automating, and executing attacker Tactics, Techniques, and Procedures (TTPs).

Primary LanguageGoMIT LicenseMIT

TTPForge

License Tests 🚨 Semgrep Analysis Coverage Status

TTPForge is a cyber attack simulation platform designed and built by Sam Manzer (@d3sch41n), Alek Straumann (@CrimsonK1ng), and Geoff Pamerleau (@Sy14r), and including subsequent contributions from many good folks in Meta’s Red, Blue, and Purple security teams. Jayson Grace (@l50) migrated the project to GitHub and assisted with preparation for the project’s open source release.

This project promotes a Purple Team approach to cybersecurity with the following goals:

  • To help blue teams accurately measure their detection and response capabilities through high-fidelity simulations of real attacker activity.
  • To help red teams improve the ROI/actionability of their findings by packaging their attacks as automated, repeatable simulations.

TTPForge allows you to automate attacker tactics, techniques, and procedures (TTPs) using a powerful but easy-to-use YAML format. Check out the links below to learn more!


Table of Contents


Installation

  1. Get latest TTPForge release:

    curl \
    https://raw.githubusercontent.com/facebookincubator/TTPForge/main/dl-rl.sh \
    | bash

    At this point, the latest ttpforge release should be in $HOME/.local/bin/ttpforge and subsequently, the $USER's $PATH.

    If running in a stripped down system, you can add TTPForge to your $PATH with the following command:

    export PATH=$HOME/.local/bin:$PATH
  2. Initialize TTPForge configuration

    This command will place a configuration file at the default location ~/.ttpforge/config.yaml and configure the examples and forgearmory TTP repositories:

    ttpforge init
  3. List available TTP repositories (should show examples and forgearmory)

    ttpforge list repos

    The examples repository contains the TTPForge examples found in this repository. The ForgeArmory repository contains our arsenal of attacker TTPs powered by TTPForge.

  4. List available TTPs that you can run:

    ttpforge list ttps
  5. Examine an example TTP:

    ttpforge show ttp examples//args/basic.yaml
  6. Run the specified example:

    ttpforge run examples//args/basic.yaml \
      --arg str_to_print=hello \
      --arg run_second_step=true