Home - KC7-Foundation/kc7 GitHub Wiki

Welcome to the cyber-challenger wiki!

This project is written in Python and Flask.

The core of the project is a series of modules that are chained together to generate logs that can be correlated. That is, events and timing in one log source are consistent and verifiable in other log sources.

Jeremy Wiedner wrote better documentation than we did! You can check out his blog posts below, or continue reading.

https://cybersheepdog.wordpress.com/2023/02/03/kc7-intrusion-analysis/
https://cybersheepdog.wordpress.com/2023/02/06/kc7-scoreboard/
https://cybersheepdog.wordpress.com/2023/02/08/kc7-intrusion-analysis-data-customization/

How Modules are structured

Each module consists of a data model plus controllers that use the data model to generate activity.

Example organization module:

├── email.py
└── email_controller.py

In this example, email.py contains the data model -> class Email:

email_controller.py contains functions that build on the Email class, e.g. gen_inbound_mail():

import random

from app.server.modules.email.email import Email
# Employee and Actor come from the organization and actor modules; these two
# import paths are assumed from the repo layout and are not part of the excerpt.
from app.server.modules.organization.Company import Employee
from app.server.modules.actors.Actor import Actor


def gen_inbound_mail(recipient: Employee, actor: Actor, time: float) -> None:
    """Build one inbound email from an actor to an employee at in-game time `time`."""
    sender = actor.get_sender_address()
    # reply_to, link and domain are derived from the actor earlier in the full
    # function; the excerpt omits that step, so simple placeholders are used here.
    reply_to = sender
    domain = sender.split("@")[-1]
    link = f"http://{domain}/"

    email = Email(
        time=time,
        sender=sender,
        recipient=recipient.email_addr,
        subject=actor.get_email_subject(),
        reply_to=reply_to,
        link=link,
        domain=domain,
        actor=actor,
        accepted=random.choices([True, False], weights=(80, 20), k=1)[0],  # 80% delivered
        authenticity=actor.effectiveness
    )

Current Modules

Module Name: Description
Clock: Used to compute and manage the "in-game" time. In-game time is an accelerated version of real-world time.
Organization: Represents employees who work at the company. Also contains functions used to generate employees.
Email: Represents emails sent to and from company employees. Also contains functions for generating email activity.
OutboundBrowsing: Represents web browsing egressing from the company network. Also contains functions used to generate web-browsing activity.
Endpoint: Represents files and processes running on employee machines. Also contains functions used to generate endpoint activity.
Infrastructure: Represents an internally consistent passive DNS system (e.g. domain-to-IP mapping). Also contains functions used to generate DNS records.
Actor: Represents an adversary. Actor functions leverage actor objects/attributes to generate themed "malicious" activity in the various log types.
Logging: Used to send logs to the database in Azure Data Explorer.
Trigger: Functions that chain modules together to produce a sequence of events, e.g. Email -> User clicks link -> File download -> C2 beacon.
Helpers: Miscellaneous helper classes and functions used in the project.

How actors are defined

Actors represent malicious adversaries. They are modeled by a class in the Actor module; however, users can also instantiate actors via YAML files in the actor_configs directory, for example:

Name : Flying Purple Vikings
effectiveness: 50
domain_themes:
  - vikings
  - thor
  - hammer
  - norse
  - mountain
sender_themes: 
  - oden
  - lokif
  - asgard
  - fenrir
  - astrid
  - jormungand
  - freya
subject_themes:
  - security
  - alert
  - urgent
  - grand
  - banquet
tlds:
  - info
  - io
spoof_email: True
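To show how the data model + controller split above and an actor_configs file fit together, here is an added, self-contained example (not KC7's own code): a minimal parser for the flat key/list shape of the config, a cut-down Email data model and Actor, and a controller in the style of gen_inbound_mail() whose every field traces back to the same actor. The config text, the Actor class and its seeded random source are all constructed for this example.

```python
import random
from dataclasses import dataclass
# Constructed actor config in the same shape as the actor_configs YAML above (abridged).
ACTOR_YAML = """Name : Flying Purple Vikings
effectiveness: 50
domain_themes:
  - vikings
sender_themes:
  - oden
  - freya
subject_themes:
  - urgent
tlds:
  - info
spoof_email: True
"""
def parse_actor_config(text: str) -> dict:  # stand-in for yaml.safe_load, flat key/list shape only
    cfg, key = {}, None
    for line in text.splitlines():
        if line.startswith("  - "):            # list item belonging to the last bare key
            cfg[key].append(line[4:].strip())
        else:
            key, _, val = (s.strip() for s in line.partition(":"))
            cfg[key] = val or []               # a bare "key:" opens a list
    cfg["effectiveness"], cfg["spoof_email"] = int(cfg["effectiveness"]), cfg["spoof_email"] == "True"
    return cfg

@dataclass
class Email:  # data model, cf. email.py
    time: float
    sender: str
    recipient: str
    subject: str
    accepted: bool
    authenticity: int

class Actor:  # adversary whose attributes are drawn from the parsed themes (constructed)
    def __init__(self, cfg: dict, seed: int = 0):
        self.cfg, self.rng, self.effectiveness = cfg, random.Random(seed), cfg["effectiveness"]
        self.domain = f"{self.rng.choice(cfg['domain_themes'])}.{self.rng.choice(cfg['tlds'])}"
    def get_sender_address(self) -> str:
        return f"{self.rng.choice(self.cfg['sender_themes'])}@{self.domain}"
    def get_email_subject(self) -> str:
        return self.rng.choice(self.cfg["subject_themes"]).title()

def gen_inbound_mail(recipient: str, actor: Actor, time: float) -> Email:
    # controller, cf. email_controller.py: sender, subject and authenticity all come from one actor
    return Email(time=time, sender=actor.get_sender_address(), recipient=recipient,
                 subject=actor.get_email_subject(), authenticity=actor.effectiveness,
                 accepted=actor.rng.choices([True, False], weights=(80, 20), k=1)[0])
```

Because the actor's domain is fixed once at construction, every email it generates shares that domain, which is what lets a later DNS or browsing record be correlated back to the same actor.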