Custom Threat Module Requirements
EVE works by performing attack emulation on physical endpoints or virtual machines (preferred) installed
The Custom Threats Module allows the execution of scripts. To run emulations successfully with this module, the user needs to meet these requirements:
Interpreter installed. The interpreter for the language the script is written in must already be installed on the endpoint (e.g., if the user sends Python scripts, Python must already be installed on the endpoint).
Libraries installed. Every module the script imports must already be installed on the endpoint before the emulation is sent (e.g., if the script does import requests, the requests package must be installed first; modules that ship with the interpreter's standard library, such as socket in Python, need no separate installation).
Global Path Variables Configured. The scripts run as if the user executed them directly on the endpoint: if the user can run python script.py from cmd, the script sent through EVE will also work, because the PATH variable is configured; if not, the user needs to configure it. The variable must be set globally (system-wide), not only in the current user's session.
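A pre-flight script covering the three requirements above (interpreter, libraries, PATH) and the execute permission that the Shell and Bash section below asks for. It is added here as an example and is not code from EVE's documentation; the module and tool names it checks are constructed placeholders, to be replaced with what the real emulation imports and calls. Sending it as a first custom threat shows, in the log, whether the endpoint is ready.

```python
"""Endpoint pre-flight (added example, not EVE's code): confirm interpreter,
imports, PATH lookups and execute permission before sending a real emulation.
Everything is printed, so the findings land in the EVE log."""
import importlib.util
import os
import shutil
import sys

INTERPRETER = sys.executable          # the interpreter EVE actually launched
# Constructed sample: modules a later emulation is assumed to import.
# 'socket' and 'json' are standard library; 'requests' must be installed.
REQUIRED_MODULES = ["socket", "json", "requests"]
# Constructed sample: tools later scripts call by bare name, which only works
# when the global PATH on the endpoint resolves them.
REQUIRED_TOOLS = ["python", "powershell"]


def check_modules(modules):
    """Return the top-level modules that cannot be imported on this endpoint."""
    return [m for m in modules if importlib.util.find_spec(m) is None]


def find_tool(name):
    """Resolve a bare command name the way cmd/bash would: a PATH lookup."""
    return shutil.which(name)


def missing_tools(names):
    """Return the tool names that are not reachable through PATH."""
    return [n for n in names if find_tool(n) is None]


def is_executable(path):
    """True if the file exists and the account running this may execute it."""
    return os.path.isfile(path) and os.access(path, os.X_OK)


def current_interpreter_ok():
    """Sanity check: the interpreter we run under is itself executable."""
    return is_executable(INTERPRETER)


def preflight(modules=REQUIRED_MODULES, tools=REQUIRED_TOOLS):
    """Collect findings; an empty 'problems' list means the endpoint is ready."""
    problems = [f"missing module: {m}" for m in check_modules(modules)]
    problems += [f"not on PATH: {t}" for t in missing_tools(tools)]
    if not current_interpreter_ok():
        problems.append(f"interpreter not executable: {INTERPRETER}")
    return {"interpreter": INTERPRETER,
            "version": sys.version.split()[0],
            "problems": problems}


if __name__ == "__main__":
    report = preflight()
    print(f"interpreter: {report['interpreter']} (python {report['version']})")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    print("READY" if not report["problems"] else "NOT READY")
```

The checks deliberately use the same lookups the shell and the interpreter use (PATH search via shutil.which, the import system via importlib), so a green result here means the real script's imports and subprocess calls will resolve the same way.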
Script Execution in the Custom Threats Module
Scripts must terminate all their operations and exit the interpreter; "infinite" scripts (for example, ones that loop forever or wait for input) are not permitted. If one is submitted, it is terminated after a timeout and nothing it produced is presented in the logs.
Scripts must not rely on other scripts, files, or resources unless the script itself downloads them first and references them correctly; otherwise the script will fail.
Use exception handling to catch errors: the logs contain only what the script itself prints. An error raised by the interpreter (an unhandled exception) is not logged, so catch it in the script and print it yourself.
If the script makes a request or any other communication to a URL, the user may need to allow the IP addresses behind that URL as well as the IP address of a DNS server for the communication to succeed; EVE therefore recommends referencing IP addresses directly instead of hostnames. See View Details and Make Changes to ISOLATION.
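A script skeleton that follows the four rules above: it finishes within its own deadline, depends on nothing outside itself, turns every error into a printed line, and refuses targets that would need DNS. It is added here as an example and is not EVE's code; the target addresses, port and deadline are constructed assumptions.

```python
"""Custom threat skeleton (added example, not EVE's code): finishes on its own,
never lets an exception escape, and prints everything so the EVE log has it."""
import ipaddress
import socket
import sys
import time
import traceback

# Assumption: EVE's own timeout is longer than this, so the script stops first
# and its output is still presented in the log.
DEADLINE_SECONDS = 30
# Constructed sample targets: IP literals only, so no DNS lookup is needed and
# only these addresses (plus the port) have to be allowed in ISOLATION.
TARGETS = ["10.0.0.5", "10.0.0.6"]
PORT = 445


def is_ip_literal(host):
    """True when host is an IPv4/IPv6 literal, i.e. usable without DNS."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostnames_in(targets):
    """Targets that would need DNS; reject them before any network call."""
    return [t for t in targets if not is_ip_literal(t)]


def tcp_probe(host, port, timeout):
    """One emulation step: bounded TCP connect. Failure is a result, not a crash."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return f"closed/unreachable ({type(exc).__name__})"


def run_steps(steps, deadline_seconds):
    """Run (name, callable) pairs in order within a total time budget.

    Each callable receives the seconds left and must bound its own waits.
    Exceptions become result lines so they reach the log instead of being
    lost when the interpreter dies with an unhandled error."""
    started = time.monotonic()
    results = []
    for name, step in steps:
        remaining = deadline_seconds - (time.monotonic() - started)
        if remaining <= 0:
            results.append((name, "skipped: deadline reached"))
            continue
        try:
            results.append((name, step(remaining)))
        except Exception as exc:  # deliberately broad: log it, keep going
            results.append((name, f"error: {type(exc).__name__}: {exc}"))
    return results


def main():
    bad = hostnames_in(TARGETS)
    if bad:
        print("refusing to run, these targets need DNS:", ", ".join(bad))
        return 2
    steps = [(f"tcp {host}:{PORT}",
              lambda left, h=host: tcp_probe(h, PORT, min(left, 3)))
             for host in TARGETS]
    for name, outcome in run_steps(steps, DEADLINE_SECONDS):
        print(f"{name}: {outcome}")
    print("done")
    return 0


if __name__ == "__main__":
    try:
        sys.exit(main())
    except Exception:  # last resort: an escaping error would not be logged
        traceback.print_exc(file=sys.stdout)
        sys.exit(1)
```

Two details carry the weight: the per-step timeout is derived from the time left in the overall budget, so no single connect can push the script past its deadline, and the outer try/except prints the traceback to stdout rather than letting the interpreter write it to stderr, which is the channel the log does not capture.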
Technical Implications:
PowerShell:
By default, Windows restricts the execution of PowerShell scripts for security reasons. To enable script execution, the execution policy must be changed with the Set-ExecutionPolicy cmdlet from a PowerShell session with administrative privileges, normally to a policy such as RemoteSigned, which runs local scripts but requires downloaded scripts to be signed.
Alternatively, if a more permissive configuration is required for testing, the policy can be set to Unrestricted.
It is recommended to define appropriate security policies before applying these changes. Note that the execution policy is a safety feature against accidental execution, not a security boundary: it does not stop a user who deliberately runs code, so it should not be relied on as a control in its own right.
Shell and Bash:
On Linux and macOS, Bash and Shell scripts run without additional modifications as long as they have the appropriate permissions: the script file must have the execute bit set (chmod +x) for the account the emulation runs under.
If the system has additional restrictions (e.g., SELinux or AppArmor), specific configuration may be required to allow script execution.
Security Recommendations:
Limit the use of Set-ExecutionPolicy Unrestricted in production environments.
Define allowlists of permitted scripts or use PowerShell script signing (the AllSigned policy) to control which scripts can be executed.
On Linux, implement user restrictions or mandatory access control such as AppArmor or SELinux to prevent unauthorized script execution.