In the last few years I’ve had the opportunity to stand up many small web and email servers for banks and insurance companies as a contractor. It was interesting to learn about their particular compliance issues. In particular I enjoyed independent security reviews done on my servers!
After playing defense for a while I thought it would be fun to look at options for playing offense, and came across interesting work by Red Canary utilizing MITRE's ATT&CK matrix.
In a nutshell, they've automated threat modeling with Atomic Red Team: if you're in a space that faces a specific threat actor, the tests can act just like that bad guy. For those with a combative or self-defense background, it's similar to scenario training. Tests can be run manually or integrated into a dev toolchain.
They have a project called Chain Reactor that caught my eye. Quote: “Chain Reactor is an open source framework for composing executables that can simulate adversary behaviors and techniques on Linux endpoints”.
On my Ubuntu laptop there was one dependency to install, then run make. They use Python and JSON configuration text to build the ELF executable. This makes their tools very easy to get up to speed on. I love projects that have good onboarding docs and use standard tooling.
Following the example in README.md, the build worked on the first try. The JSON after each touch is the content that goes into that file:
cd <insert_path>/chain-reactor-master
touch reaction.json
{
    "name": "simple_reaction",
    "atoms": [
        "HIDDEN-PROCESS-EXEC"
    ]
}
touch atoms.json
[
    {
        "name" : "HIDDEN-PROCESS-EXEC",
        "execve" : [ "mkdir", "-p", "/tmp/.hidden" ],
        "copy" : [ "/proc/self/exe", "/tmp/.hidden/.chain_reactor_hidden" ],
        "execveat" : [ "/tmp/.hidden/.chain_reactor_hidden", "exit" ],
        "remove" : [ "/tmp/.hidden" ]
    }
]
python3 compose_reaction atoms.json reaction.json <output_name_for_executable>
./<output_name_for_executable>
The terminal will report success or failure for each of the commands, aka quarks. Worth checking out these projects if you haven't already.
Speak of the devil, I see they just released the 2021 Threat Detection Report. Very cool. https://redcanary.com/blog/2021-threat-detection-report/
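Before running a composed reaction on a test box I like to know exactly what it will do on disk. Here is an added example (my own code, not part of Chain Reactor or its README) that expands a reaction through its atoms, rejects references to atoms that don't exist, and lists the filesystem paths the quarks touch, so you know what your file-monitoring detection should pick up. The embedded JSON is a copy of the two files above, and the only quark types it understands are the four shown there.

```python
import json

# Constructed copies of the reaction.json and atoms.json from the post, embedded so this runs offline.
REACTION_JSON = '{"name": "simple_reaction", "atoms": ["HIDDEN-PROCESS-EXEC"]}'
ATOMS_JSON = '''[{"name": "HIDDEN-PROCESS-EXEC",
  "execve": ["mkdir", "-p", "/tmp/.hidden"],
  "copy": ["/proc/self/exe", "/tmp/.hidden/.chain_reactor_hidden"],
  "execveat": ["/tmp/.hidden/.chain_reactor_hidden", "exit"],
  "remove": ["/tmp/.hidden"]}]'''
KNOWN_QUARKS = ("execve", "execveat", "copy", "remove")  # only the quark types shown in the post

def load_atoms(atoms_text):
    """Index atoms by name (name key stripped), refusing duplicates so a reaction can't pick the wrong one."""
    atoms = {}
    for atom in json.loads(atoms_text):
        if atom["name"] in atoms:
            raise ValueError(f"duplicate atom name: {atom['name']}")
        atoms[atom["name"]] = {k: v for k, v in atom.items() if k != "name"}
    return atoms

def expand_reaction(reaction_text, atoms_text):
    """Flatten a reaction into (atom, quark, args) tuples in execution order (json.loads keeps key order)."""
    atoms = load_atoms(atoms_text)
    reaction = json.loads(reaction_text)
    steps = []
    for name in reaction["atoms"]:
        if name not in atoms:
            raise KeyError(f"reaction {reaction['name']!r} references unknown atom {name!r}")
        for quark, args in atoms[name].items():
            if quark not in KNOWN_QUARKS:
                raise ValueError(f"atom {name!r}: quark {quark!r} is not handled by this checker")
            steps.append((name, quark, list(args)))
    return steps

def filesystem_footprint(steps):
    """Absolute paths the reaction writes, executes or deletes: what file monitoring should see."""
    paths = set()
    for _, quark, args in steps:
        if quark == "copy":
            paths.add(args[1])  # destination of the copy
        elif quark == "execveat":
            paths.add(args[0])  # binary executed from the hidden directory
        elif quark == "remove":
            paths.update(args)
        else:  # execve: absolute-path arguments such as mkdir's target
            paths.update(a for a in args if a.startswith("/"))
    return sorted(paths)
```

Run it against your own atoms.json and reaction.json before composing, and compare the footprint with what your auditing actually logged after the run.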