Custom Threat Module Requirements

EVE works by performing attack emulation on physical endpoints or virtual machines (preferred) installed

The Custom Threats Module allows the execution of user-supplied scripts. To successfully run emulations with this module, the user needs to meet these requirements on every endpoint that will execute the script:

  1. Interpreter installed. The interpreter for the language the script is written in must already be installed on the endpoint (e.g., if the user will run Python scripts on the endpoints, Python must already be installed there).

  2. Libraries installed. All the modules the script imports must already be installed on the endpoint before the emulation is sent. Standard-library modules such as socket ship with the interpreter, but a third-party package (e.g., if the script does import requests, the requests package) must be installed on the endpoint beforehand; EVE does not install dependencies for the script.

  3. Global Path Variables Configured. The scripts run as if the user executed them directly on the endpoint: if the user can run python script.py from cmd, the submitted script will also work because the PATH variable is configured. If not, the user will need to configure it before sending the emulation.

Additionally, there are some considerations that the scripts being used should follow to run successfully using EVE, such as (but not limited to):

  • Scripts should terminate all their operations and exit the interpreter; no "infinite" scripts are permitted. If one is submitted, the script will be killed after a timeout, and no information will be presented in the logs.

  • Scripts should not rely on other scripts, files, or resources unless those are downloaded (or created) first by the same script and properly referenced; otherwise the script will fail.

  • Use exception handling to catch errors. The logs include only the data displayed by the script itself; an error raised by the system (for example an unhandled exception or an interpreter error) is not logged, so the script should catch it and print it.

  • If the script performs a request or any other communication to URLs, the user may need to allow the IP addresses related to the URL as well as the IP address of a DNS server to allow the communication. EVE recommends referencing IP addresses directly instead of hostnames. See View Details and Make Changes to ISOLATION.
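The following Python script is an added example of a custom threat script that follows the constraints above; it is not part of the EVE documentation or the product's own code. It assumes nothing about EVE beyond what the page states: the script is launched with the endpoint's interpreter, only what it prints reaches the emulation log, and it must exit on its own. Every step is run under a try/except so that an error is printed rather than lost, each network operation carries a hard timeout and a total time budget bounds the run, the only file it needs is created by the script itself, and the target is an IP address (the loopback address and port used here are constructed so the example runs offline).

```python
"""Template for an EVE Custom Threats script (added example, not EVE's code).

Constraints it demonstrates:
  * bounded runtime: per-connection timeout plus a total time budget
  * self-contained: the payload file it reads is created by the script
  * every error is caught and printed, because only printed output is logged
  * targets are referenced by IP address, not hostname
"""
import os
import socket
import sys
import tempfile
import time
import traceback

# Constructed example target (assumption): loopback and the discard port,
# which is normally closed, so the error-handling path is exercised offline.
TARGET_IP = "127.0.0.1"
TARGET_PORT = 9
CONNECT_TIMEOUT = 3.0      # seconds; never block on a connect without a bound


def probe_tcp(ip, port, timeout=CONNECT_TIMEOUT):
    """Attempt a TCP connect with a hard timeout.

    Returns a dict describing the outcome and never raises, so the caller
    can always log the result and continue with the next step."""
    result = {"target": f"{ip}:{port}", "connected": False, "error": None}
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        result["connected"] = True
    except OSError as exc:            # socket.timeout is a subclass of OSError
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        sock.close()
    return result


def stage_and_read_resource(data):
    """Create the resource the script needs instead of assuming it exists,
    read it back, and remove it. Returns the number of bytes read."""
    fd, path = tempfile.mkstemp(prefix="eve_payload_")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
        with open(path, "rb") as handle:
            return len(handle.read())
    finally:
        os.remove(path)               # leave nothing behind on the endpoint


def run_emulation(steps, budget_seconds=60.0):
    """Run each (name, callable) step in order and print one line per step.

    Steps that start after the budget is exhausted are skipped, so the script
    always terminates. Exceptions are caught and their traceback printed,
    because an unhandled error would never reach the emulation log."""
    start = time.monotonic()
    outcomes = []
    for name, func in steps:
        if time.monotonic() - start > budget_seconds:
            print(f"[SKIP] {name}: time budget of {budget_seconds}s exhausted")
            outcomes.append((name, {"skipped": True}))
            continue
        try:
            outcome = func()
            print(f"[OK] {name}: {outcome}")
        except Exception:
            outcome = {"error": traceback.format_exc()}
            print(f"[FAIL] {name}:\n{outcome['error']}")
        outcomes.append((name, outcome))
    return outcomes


def main():
    steps = [
        ("stage_resource", lambda: stage_and_read_resource(b"constructed payload")),
        ("tcp_probe", lambda: probe_tcp(TARGET_IP, TARGET_PORT)),
    ]
    outcomes = run_emulation(steps, budget_seconds=30.0)
    failed = sum(1 for _, o in outcomes if isinstance(o, dict) and o.get("error"))
    print(f"[DONE] {len(outcomes)} steps, {failed} with errors")
    sys.exit(0)                       # always exit the interpreter explicitly


if __name__ == "__main__":
    main()
```

Running the script as `python script.py` on the endpoint prints one line per step and a final `[DONE]` line; the `[FAIL]` branch is what makes an interpreter-level error visible in the EVE log, and the skip logic keeps a slow step from turning the script into one that EVE terminates at its own timeout with nothing logged.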
