Description
Users can now choose a second report style when outputting operation results. The second format follows event-based logging and returns a JSON list of events, where each event represents a link that was run in the operation chain. Links that were discarded or marked as high visibility are not included, since they were not actually meant to deliver to an agent.
Each event JSON dict contains the following information:

command: base64-encoded command that was assigned to the agent
delegated_timestamp: timestamp in YYYY-MM-DD HH:MM:SS format that indicates when the operation made the link available for collection
collected_timestamp: timestamp in YYYY-MM-DD HH:MM:SS format that indicates when the agent collected the link available for collection
finished_timestamp: timestamp in YYYY-MM-DD HH:MM:SS format that indicates when the agent submitted the link execution results to the C2 server.
status: link execution status
platform: target platform for the agent running the link (e.g. "windows")
executor: executor used to run the link command (e.g. "psh" for powershell)
pid: process ID for the link
agent_metadata: dictionary containing the following information for the agent that ran the link:
ability_metadata: dictionary containing the ability ID, name, and description for the link ability.
operation_metadata: dictionary containing the operation name, start timestamp, and adversary name for the overall operation that generated the link
attack_metadata: dictionary containing the ATT&CK tactic, technique ID, and technique name for the ability associated with the link.
output: if the user selected "include agent output" when downloading the operation event logs, this field will contain the agent-provided output from running the command.

Will add a PR for documentation changes in the fieldmanual plugin once this PR is approved.
Type of change
How Has This Been Tested?
Created a test that generates an operation with a fake agent, adversary, abilities, and 3 links (2 of which successfully ran, and the 3rd was discarded). The test makes sure that the generated event logs contain the correct information for the 2 links that successfully ran and ignore the discarded link.
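The event shape from the description and the test setup above (3 links, 2 ran, 1 discarded), as an added Python example that is not the project's own code: it builds the event list from plain dicts, so every key on the operation, link, agent and ability dicts, the agent_metadata fields, and the sample values are assumptions made for this example.

```python
import base64
from datetime import datetime

def _fmt(ts):  # "YYYY-MM-DD HH:MM:SS" as in the description; None means the link never reached that stage
    return ts.strftime('%Y-%m-%d %H:%M:%S') if ts else None

def build_event_logs(operation, include_output=False):
    """One event dict per link that was actually delivered to an agent; discarded and high-visibility
    links are skipped. The dict keys on operation/link/agent/ability are assumptions for this example."""
    events = []
    for link in operation['links']:
        if link['discarded'] or link['high_visibility']:
            continue
        agent, ability = link['agent'], link['ability']
        event = {
            'command': base64.b64encode(link['command'].encode()).decode(),
            'delegated_timestamp': _fmt(link['delegated']),
            'collected_timestamp': _fmt(link['collected']),
            'finished_timestamp': _fmt(link['finished']),
            'status': link['status'],
            'platform': agent['platform'],
            'executor': link['executor'],
            'pid': link['pid'],
            # the description does not list the agent fields; 'paw' and 'host' are assumed
            'agent_metadata': {'paw': agent['paw'], 'host': agent['host']},
            'ability_metadata': {'ability_id': ability['id'], 'name': ability['name'], 'description': ability['description']},
            'operation_metadata': {'operation_name': operation['name'], 'operation_start': _fmt(operation['start']),
                                   'adversary_name': operation['adversary']},
            'attack_metadata': {'tactic': ability['tactic'], 'technique_id': ability['technique_id'],
                                'technique_name': ability['technique_name']},
        }
        if include_output:  # only when "include agent output" was selected
            event['output'] = link.get('output')
        events.append(event)
    return events

def sample_operation():
    """Constructed operation with 3 links (2 ran, 1 discarded), as in the PR's test setup."""
    agent = {'paw': 'abc123', 'host': 'WIN-TEST', 'platform': 'windows'}
    ability = {'id': 'ab-1', 'name': 'Whoami', 'description': 'Identify current user', 'tactic': 'discovery',
               'technique_id': 'T1033', 'technique_name': 'System Owner/User Discovery'}
    t = lambda sec: datetime(2021, 3, 1, 12, 0, sec)
    def link(cmd, pid, discarded=False):
        return {'command': cmd, 'pid': pid, 'agent': agent, 'ability': ability, 'executor': 'psh',
                'status': 0, 'discarded': discarded, 'high_visibility': False,
                'delegated': t(1), 'collected': None if discarded else t(2),
                'finished': None if discarded else t(5), 'output': 'WIN-TEST\\user'}
    return {'name': 'test-op', 'adversary': 'test-adversary', 'start': t(0),
            'links': [link('whoami', 101), link('hostname', 102), link('net user', 0, discarded=True)]}
```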
Checklist: