In my first post about KC7, KC7 – Intrusion Analysis, I went over setting up the server to generate your own realistic randomized data and how to upload it into your Azure Data Explorer cluster. I then introduced the KC7 – Scoreboard and how to set it up so that participants can reach it, as well as managing it from an admin perspective and using it from the perspective of a player.
This is a great resource for those wanting to get some hands-on experience in intrusion analysis and threat intel with realistic data in a tool that actual security professionals would use. I am therefore writing this third blog post to go over how to customize the base config files to generate different randomized data.
The customizations will include:
- Victim company Information (Name, # employees, Employee Titles, Website paths, etc…)
- Threat actors (Name, attacks, email themes, TLDs, filenames, malware, etc..)
- Malware (name, filenames, paths, recon processes, c2 processes)
- Seed Text (For emails)
The game randomly generates realistic data from the data provided once you download the Cyber Challenger git repository. This allows for generating data for multiple games for the same group. The creators of KC7 have also gone to the effort of creating additional KC7 challenge scenarios. Maybe you have gone through all of these options multiple times already, need something more customized or just want to give back to the community. We are going to go over how you can do that in the sections below.
Victim Company Information
In order to customize the company information there are two files we need to concern ourselves with. They are:
cyber-challenger/app/game_configs/company.yaml
cyber-challenger/app/game_configs/gameplay/company_website_paths.txt
company.yaml
This is the primary configuration file for the company where most of the configuration will happen. Let’s take a look at the existing one:
name: Envolve Labs
domain: envolvelabs.com
count_employees: 1000
roles:
  - title: Chief Executive Officer
    limit: 1
  - title: Chief Financial Officer
    limit: 1
  - title: Chief Marketing Officer
    limit: 1
  - title: Chief Information Security Officer
    limit: 1
  - title: Vice President
    limit: 10
  - title: IT associate
    limit: 999
  - title: Finance associate
    limit: 999
  - title: Marketing associate
    limit: 999
  - title: Human Resources associate
    limit: 999
  - title: Medical Researcher
    limit: 499
  - title: Lab Technician
    limit: 499
  - title: Trial Administrator
    limit: 100
partners:
  - wesellbeakers.com
  - pharmasupplies.org
  - vaccinedistributors.com
  - researchcompliance.com
Let’s go over each category. You can make these whatever you want. They could be Harry Potter themed if you were going to run this for a group of high school students. However, if you are using this for training at a company, maybe you want it to be your actual company information.
If I am not mistaken these first three are static, meaning that this will be the same every time the game is run.
- name: What you want the name of the company to be.
- domain: What you want the company’s domain to be.
- count_employees: The number of employees you want to be in the company.
I believe these next two categories have some degree of randomness built in. I would have to look at the code further, but I believe all the role titles will exist each game but the number of them will vary if the limit is over 1.
- roles: This section defines the roles and a range for the potential number of employees filling that role. I believe that as long as they are listed here and have a limit of at least 1 they will always be included in the data.
  - title: The job title for an employee.
  - limit: The maximum number of employees that can have this title.
- partners: Partner domains that likely do business with the company.
Once you make your changes do not forget to save the file.
company_website_paths.txt
This is the file that takes the company domain from the previous file and adds the paths to make it look like a realistic website. Let’s take a look at the existing one.
home
about
contact
covid19
search?query=
investor-relations
about-us/history
about-us/diversity
faq
about-us/leadership/executives
careers
careers/apply
careers/company-culture
careers/next-steps
careers/internships
careers/
blog
Add, leave, remove or change these to suit the theme of the game you are building. Do not forget to save the file when you are done.
Threat Actors
In order to customize the threat actors we might face in the game data, we need to concern ourselves with their configuration files, which are stored in the following directory:
cyber-challenger/app/game_configs/actors/
Listing the contents of this directory we see:
[screenshot: directory listing of cyber-challenger/app/game_configs/actors/]
Each threat actor has their own YAML config file. The ones ending with .bak will not be used to generate threat actor activity in the game. To configure a new threat actor, create a YAML config file with the name you want the threat actor to have. So, if we wanted to add the threat group known as “Pink Puppy” to the game we would create a file named “pinkpuppy.yaml”.
Depending on your requirements you can make this a bit silly with something like a Star Wars theme if you are creating this for some students. However, if you are using this to train your security staff you may want to make it more realistic. In this case you could work with your CTI and IR teams to incorporate the actors and malware your company may be facing.
Let’s take a look at the pre-existing actor of “itinium.yaml”.
name: Itinium
effectiveness: 80
count_init_passive_dns: 10
max_wave_size: 3
attacks:
- recon:browsing
- delivery:supply_chain
- email:malware_delivery
domain_themes:
- software
- update
- mobile
- verify
- security
- install
- notice
- scan
- alert
sender_themes:
- helpdesk
- support
- admin
- it
- notifications
- noreply
- info
subjects:
- "IMPORTANT: YOUR PASSWORD IS EXPIRING"
- "RE: Purchase Order 12393"
- "IMPORTANT: VPN UPDATE - INSTALL NOW!!!"
- A suspicious login attempt was observed for your account
- Missed call - New voicemail
- New heldesk procedures - READ NOW
recon_search_terms:
- envolve helpdesk
- how to get it support
- are macros enabled - envolve
- it support process
- helpdesk ticket system
- password expiration policy
- default password EnvolveLabs
file_names:
- Software_Update
- IT_PASSWORD_RESET_TOOL
- Critical_Security_Path
- Patch_instructions
- EnvolveLabs_Research_Tool
- IMPORTANT_INSTRUCTIONS
tlds:
- com
- io
- info
spoof_email: False
malware:
- unhelpfuldesk
All of the potential fields, as identified in the Actors.py file, located at:
cyber-challenger/app/server/modules/actors
As long as the fields and their values are in the format above (YAML), the order of them should not matter.
| Field | Data Type | Notes |
|---|---|---|
| name | String | Name of the threat actor. |
| effectiveness | Integer | Used to help decide the authenticity of generated inbound email; in other words, how convincing the email is. |
| attacks | String | The types of attacks the threat actor can perform. They are of the form attack_type:attack_name. See below for specific examples. |
| domain_themes | String | Themes for actor domains. |
| sender_themes | String | Themes for emails the actor sends. |
| subjects | String | Subjects for the emails the actor can send. |
| file_names | String | File names used by the actor. |
| file_extensions | String | File extensions used by the actor. |
| tlds | String | Top Level Domains such as .com, .io, .info. |
| malware | String | Name of the malware used by the actor. Any malware named here must also have an associated .yaml file. We will go over this in the next section of the blog below. |
| recon_search_terms | String | Recon terms the actor uses. |
| sender_emails | String | Email addresses used by the actor. |
| spoof_email | Boolean | True or False. |
| count_init_passive_dns | Integer | Specifies the number of DNS records for the actor. |
| count_init_email | Integer | Specifies the initial number of emails from actors at the start of the game. |
| count_init_browsing | Integer | Specifies the number of web requests to actor domains from employees. |
| max_wave_size | Integer | Specifies the number of email waves from the actor as the game progresses. Each wave will have multiple emails. |
Attacks
As of the time of this writing I believe these are the current supported attack types.
- delivery:supply_chain
- email:credential_phishing
- email:malware_delivery
- identity:password_spray
- recon:browsing
- remote_exploitation:proxyshell
Malware
What would threat actors be without the malware they use? Therefore, we likely want to create some malware that suits the actors.
In order to customize the malware the actors may use in the game data, we need to concern ourselves with their configuration files, which are stored in the following directory:
cyber-challenger/app/game_configs/malware/
Listing the contents of this directory we see:
[screenshot: directory listing of cyber-challenger/app/game_configs/malware/]
Each piece of malware has its own YAML config file. To configure a new piece of malware, create a YAML config file with the name you want the malware to have. NOTE: This is the name you will have to place in the malware section of the actor config that will use it. So, if we wanted to add a piece of malware known as “kitten” to the game we would create a file named “kitten.yaml”.
Just like with the actors, you can customize these to the audience for which you are creating the game data.
Let’s take a look at the pre-existing malware of “unhelpfuldesk.yaml”.
name: unhelpfuldesk
filenames:
  - updater.dll
  - recordsvr.exe
  - svhost.exe
  - infector.exe
paths:
  - C:\ProgramData\Microsoft\Applications\
  - C:\Windows\system32\
  - C:\ProgramData\USOShared\
recon_processes:
  - name: cmd.exe
    process: whoami
  - name: ping.exe
    process: ping 8.8.8.8
  - name: cmd.exe
    process: net user Administratr
c2_processes:
  - name: ligolo.exe
    process: ligolo.exe {ip_address}
  - name: putty.exe
    process: putty.exe -ssh root@{ip_address}
  - name: cmd.exe
    process: reg add HKLM\SYSTEM\CurrentCOntroLSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
  - name: schtasks.exe
    process: schtasks /create /sc minute /mo 1 /tn "ttttask" /tr C:\Windows\system32\infector.exe /ru "SYSTEM"
Let’s break these down:
- name: The name of your malware. Should be the same as listed in your actor config that uses this malware.
- filenames: The filenames the malware uses. Depending on your audience you may want to make these more or less obvious.
- paths: The file paths in which the malware can be found on the infected system.
- recon_processes: This field has two sub-fields for each process used:
  - name: the executable it can use, such as cmd.exe.
  - process: the action the executable takes, such as pinging an IP address or running the whoami command.
- c2_processes: This field has two sub-fields for each process used:
  - name: the executable it can use, such as cmd.exe.
  - process: the action the executable takes, such as “reg add HKLM\…….UseLogonCredential /t REG_DWORD /d 1 /f” to modify the registry and create the UseLogonCredential value set to 1, which allows plaintext passwords to be stored in memory.
But this is just a file name. It won’t have a hash or be able to show up as malicious if it is checked in something like VirusTotal (VT).
Don’t worry. The game developers have you covered. There is a list of known malicious hashes from VT elsewhere in the code that will get assigned to the malware as it is used in the game data. This way, the participants can actually check the hashes on VT and see the results of actual malicious malware without any actual risk.
Seed Text
This is the text the game pulls from to create various themed text you will see throughout the game and should likely reflect the field of the business. For instance, in the training material for this game we see the following:
[screenshot from the KC7 training material]
The seed file is located at “cyber-challenger/app/game_configs/gameplay/seed_text.txt”.
Here is a snippet of the contents of the file.
[screenshot: snippet of seed_text.txt]
This does not have to be something you write yourself. You can find some articles, blogs or news about the industry of the company you are creating and put it in this file. Just make sure it is sufficiently long so there is plenty of text to pull from. This file has 104 blocks of text (including blank lines, according to vim).
In Summary
There is a lot of potential to customize the game data to suit those that will be participating. Yes, it will take a bit of time and effort, but doing so will add to the learning experience and fun. The great thing about it is that you can run multiple games for the same audience without having to change the config files for the next time. Just reset the game and have it generate new random data using what is in the config files.
There are some additional ways to customize the game data but what I have provided above should be more than enough for most use cases. I will likely cover the other ways in a future post.
I hope some of you find this helpful and that the scenarios you create with this will not only help train our existing cyber defenders but also garner interest from and create future defenders.
Thank you,