A VST (Verified Security Test) is a production-ready TTP. Tests from this repository are automatically loaded into Detect and can be run immediately on any endpoint.
Tests that are safe to execute, run reliably every time, and produce a standardized output are considered production-ready.
A VST should:
- Answer a question, exiting with a standard code from the Prelude lookup table
- Have test and clean functions, the latter reversing any effects of the former
- Compile into a standard binary specific to an OS/architecture
The "Malicious files are quarantined" test verifies whether your endpoint defense responds to a known malicious file.
It does this by first embedding a malicious .xlsm file into the test binary:

```go
import _ "embed" // needed for the //go:embed directive below

//go:embed malicious.xlsm
var malicious []byte
```
During the test it runs the Quarantined check, which writes the file to disk, waits 1s, and evaluates whether the file was removed. If the check returns true the test exits with a 105 (good/quarantined); otherwise it exits with a 101 (bad/unexpected).

```go
import Endpoint "github.com/preludeorg/test/endpoint"

// test writes the embedded sample to disk, waits 1s, and checks whether it was removed.
func test() {
	if Endpoint.Quarantined("malicious.xlsm", malicious) {
		println("[+] Malicious file was caught!")
		Endpoint.Stop(105) // good/quarantined
	}
	println("[-] Malicious file was not caught")
	Endpoint.Stop(101) // bad/unexpected
}
```
Finally, the clean function ensures the malicious .xlsm file is removed from disk, exiting with either a 100 (good/expected) or a 105 (file was already removed) status:

```go
// clean removes the sample if the test left it on disk.
func clean() {
	if Endpoint.Remove("malicious.xlsm") {
		Endpoint.Stop(100) // good/expected
	}
	Endpoint.Stop(105) // file was already removed
}
```
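As an added example (not code from the Prelude endpoint module), the stand-alone program below reimplements the write, wait, check logic of the Quarantined check together with the exit-code mapping of the test and clean functions. It uses a constructed harmless placeholder instead of a malicious sample and makes the wait configurable (the real check waits 1s); the names quarantined, remove, testCode and cleanCode are assumptions of this example.

```go
package main

import (
	"os"
	"path/filepath"
	"time"
)

// quarantined mirrors the check described above: write the sample, wait, then
// report whether the endpoint defense removed it. The wait is a parameter here
// (the real check waits 1s) so the example finishes quickly.
func quarantined(path string, contents []byte, wait time.Duration) (bool, error) {
	if err := os.WriteFile(path, contents, 0o600); err != nil {
		return false, err
	}
	time.Sleep(wait)
	_, err := os.Stat(path)
	if err != nil && !os.IsNotExist(err) {
		return false, err // could not tell either way; surface the error
	}
	return err != nil, nil
}

// remove deletes the sample; false means it was already gone.
func remove(path string) bool { return os.Remove(path) == nil }

// testCode and cleanCode map each result to its exit code from the table above.
func testCode(caught bool) int {
	if caught {
		return 105 // good/quarantined
	}
	return 101 // bad/unexpected
}

func cleanCode(removed bool) int {
	if removed {
		return 100 // good/expected
	}
	return 105 // file was already removed
}

func main() {
	// Constructed, harmless placeholder; a real VST embeds a known malicious sample.
	path := filepath.Join(os.TempDir(), "vst-example.bin")
	caught, err := quarantined(path, []byte("placeholder: not malicious"), 200*time.Millisecond)
	if err != nil {
		os.Exit(101)
	}
	println("test:", testCode(caught), "clean:", cleanCode(remove(path)))
}
```

On an endpoint with no defense reacting to the placeholder the test path yields 101 and the first clean-up yields 100; a second clean-up run reports 105 because the file is already gone.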
Run any test in this project by first installing the Endpoint module:

```sh
go get -u github.com/preludeorg/test/endpoint
```

Then compile any test:

```sh
go build -o test <UUID>.go
```

Run the test with `./test` and the clean-up function with `./test cleanup`. Evaluate the exit code of each to check the passed/failed state.