Creating Ubuntu Malware with Chain Reactor for Threat Modeling

In the last few years I’ve had the opportunity to stand up many small internet-facing servers for banks and insurance companies as a contractor. It was interesting to learn about their compliance issues. In particular, I enjoyed the independent security reviews done on my servers.

After a while it felt like I was testing the testers: what the different companies would ask about or scan for, whether they wanted the WAF off, and so on. Defense was interesting, but then I thought it would be fun to look at options for playing offense, and I came across interesting work by Red Canary utilizing MITRE’s ATT&CK matrix.

In a nutshell, they’ve automated threat modeling with Atomic Red Team. If you’re in a space that faces a specific threat actor, the tests can act just like that bad guy. For those with a combat or self-defense background, it’s similar to scenario training. Tests can be run manually or integrated into a dev tool chain.

They have a project called Chain Reactor that caught my eye. In their words: “Chain Reactor is an open source framework for composing executables that can simulate adversary behaviors and techniques on Linux endpoints”.

On my Ubuntu laptop there was one dependency to install, followed by a run of make. The tooling is Python, driven by JSON configuration files, and it produces an ELF executable. This makes their tools very easy to get up to speed on. I love projects that have good onboarding docs and use standard tooling.

Following the example in the docs, the build worked on the first try.

cd <insert_path>/chain-reactor-master

touch reaction.json

    {
        "name": "simple_reaction",
        "atoms": [
            "HIDDEN-PROCESS-EXEC"
        ]
    }

touch atoms.json

    [
        {
            "name" : "HIDDEN-PROCESS-EXEC",
            "quarks" : [
                { "execve" : [ "mkdir", "-p", "/tmp/.hidden" ] },
                { "copy" : [ "/proc/self/exe", "/tmp/.hidden/.chain_reactor_hidden" ] },
                { "execveat" : [ "/tmp/.hidden/.chain_reactor_hidden", "exit" ] },
                { "remove" : [ "/tmp/.hidden" ] }
            ]
        }
    ]

python3 compose_reaction atoms.json reaction.json <output_name_for_executable>


The terminal will print success or failure for each of the commands, aka quarks. Both projects are worth checking out if you haven’t already.
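Before composing a reaction, it helps to know what the resulting binary should leave behind so you can confirm your endpoint sensor actually saw it. The script below is an added example of mine, not part of Chain Reactor: it resolves a reaction against its atom catalogue, flags atom names the catalogue does not define, and turns each quark into the host event a defender should expect (a process start, a file write, a deletion). The two JSON strings are constructed copies of the files above, and the "quarks" nesting is my assumption about the atom format.

```python
import json

# Constructed copies of reaction.json and atoms.json from the post, embedded so
# the script runs offline. The "quarks" list is an assumption about how Chain
# Reactor nests an atom's commands; adjust if your version differs.
REACTION_TEXT = '''
{ "name": "simple_reaction", "atoms": [ "HIDDEN-PROCESS-EXEC" ] }
'''
ATOMS_TEXT = '''
[ { "name": "HIDDEN-PROCESS-EXEC", "quarks": [
    { "execve"   : [ "mkdir", "-p", "/tmp/.hidden" ] },
    { "copy"     : [ "/proc/self/exe", "/tmp/.hidden/.chain_reactor_hidden" ] },
    { "execveat" : [ "/tmp/.hidden/.chain_reactor_hidden", "exit" ] },
    { "remove"   : [ "/tmp/.hidden" ] } ] } ]
'''

def resolve_reaction(reaction_text, atoms_text):
    """Return the ordered list of (atom name, quarks) the reaction will run.
    Raises ValueError on an atom the catalogue does not define, a typo that
    would otherwise only show up when compose_reaction fails."""
    reaction = json.loads(reaction_text)
    catalogue = {atom["name"]: atom["quarks"] for atom in json.loads(atoms_text)}
    missing = [name for name in reaction["atoms"] if name not in catalogue]
    if missing:
        raise ValueError(f"reaction {reaction['name']!r} references unknown atoms: {missing}")
    return [(name, catalogue[name]) for name in reaction["atoms"]]

def expected_telemetry(quarks):
    """Map each quark (a single-key object) to the host event a sensor should
    record: execve/execveat -> process start, copy -> file write, remove -> deletion."""
    events = []
    for quark in quarks:
        (method, args), = quark.items()
        if method in ("execve", "execveat"):
            events.append(("process_exec", args[0]))
        elif method == "copy":
            events.append(("file_write", args[1]))
        elif method == "remove":
            events.append(("file_delete", args[0]))
        else:
            events.append(("unknown_quark", method))
    return events

def hidden_paths(events):
    """Paths with a dot-prefixed component: the hiding this atom's name advertises,
    and what a file-monitoring rule for this test should be expected to catch."""
    return sorted({path for _, path in events
                   if any(part.startswith(".") for part in path.split("/") if part)})

if __name__ == "__main__":
    for name, quarks in resolve_reaction(REACTION_TEXT, ATOMS_TEXT):
        events = expected_telemetry(quarks)
        print(name, events, hidden_paths(events), sep="\n  ")
```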
