
# Custom Threat Module Requirements

EVE works by performing attack emulation on physical endpoints or virtual machines (preferred) installed

The Custom Threats Module allows the execution of scripts. To run emulations with this module successfully, the user needs to meet these requirements:

1. Interpreter installed. The interpreter for the language the user will use should already be installed on the endpoint (if the user will use Python scripts on the endpoints, Python should already be installed).
2. Libraries installed. All the modules/imports that the script uses should also already be installed on the endpoint before the emulation is sent (e.g., if the script needs `import socket`, the user needs to install socket).
3. Global Path Variables configured. Scripts run as if the user executed them directly on the endpoint: if the user can run `python script.py` from cmd, the script the user sends will also work, because the Global Path Variables are configured. If not, the user will need to configure them.


### **Script Execution in the Custom Threats Module**

* Scripts should finish all operations and exit the interpreter; no “infinite” scripts are permitted. If a script does not exit, it is terminated after a timeout and no information is presented in the logs.
* Scripts should not rely on other scripts, files, or resources unless they are downloaded first in the same script and properly referenced; otherwise the script will fail.
* Use exceptions to catch errors. The logs include the data displayed by the script; if an error is presented by the system, it will not be logged.
* If the script performs a request or any other communication to URLs, the user may need to allow the IP addresses related to the URL, as well as the IP address of a DNS server, for the communication to succeed. However, EVE recommends making all references to IP addresses. See View Details and Make Changes to ISOLATION.
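
A preflight check for the three requirements above and the IP-address recommendation, as an added example (not Reveald's or EVE's own code): it reports whether the interpreter is on PATH, which imports cannot be resolved, and which URLs in the script use hostnames. The function names, the sample script, and its module and host names are constructed for illustration.

```python
import ast
import importlib.util
import ipaddress
import re
import shutil
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

# Constructed sample script (module and host names are placeholders).
SAMPLE = '''import socket
import eve_sample_missing_lib
from urllib.request import urlopen
try:
    urlopen("http://192.0.2.10:8080/ping", timeout=5)
    urlopen("https://updates.example.test/tool.bin", timeout=5)
except Exception as exc:
    print("error:", exc)
'''

def missing_modules(source):
    """Imports this interpreter cannot resolve; run it with the endpoint's interpreter."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(n for n in names if importlib.util.find_spec(n) is None)

def hostname_urls(source):
    """URLs whose host is a name rather than an IP literal, so they depend on DNS."""
    flagged = []
    for url in URL_RE.findall(source):
        host = urlparse(url).hostname or ""
        try:
            ipaddress.ip_address(host)
        except ValueError:
            flagged.append(url)
    return flagged

def preflight(source, interpreter="python"):
    return {
        "interpreter_on_path": shutil.which(interpreter) is not None,
        "missing_modules": missing_modules(source),
        "hostname_urls": hostname_urls(source),
    }

if __name__ == "__main__":
    print(preflight(SAMPLE))
```

Run it on the endpoint itself, since the import and PATH results only describe the machine and interpreter that execute the check.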

### **Technical Implications:**

1. **PowerShell:**
   * By default, Windows restricts the execution of PowerShell scripts for security reasons. To enable script execution, the execution policy must be modified using the following command in PowerShell with administrative privileges:

     ```powershell
     Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
     ```
   * Alternatively, if a more permissive configuration is required for testing:

     ```powershell
     Set-ExecutionPolicy Unrestricted -Scope CurrentUser
     ```
   * It is recommended to define appropriate security policies before applying these changes.
2. **Shell and Bash:**
   * On **Linux**, Bash and Shell scripts can run without additional modifications as long as they have the appropriate permissions. To ensure execution, the script file must have execution permissions:

     ```bash
     chmod +x script.sh
     ```
   * If the system has additional restrictions (e.g., SELinux or AppArmor), specific configurations may be required to allow script execution.

**Security Recommendations:**

* Limit the use of **Set-ExecutionPolicy Unrestricted** in production environments.
* Define whitelists of allowed scripts or use PowerShell script signing to control which scripts can be executed.
* On Linux, implement user restrictions or execution policies such as AppArmor or SELinux to prevent unauthorized script execution.
