Blue Team Training Toolkit (BT3) is software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.

BT3 includes the module Maligno, which allows you to simulate malware infections or targeted attacks with specific C&C communications in a safe manner.

This blog post is going to cover the most fundamental aspects of Maligno that will get you started in no time.

The Most Relevant Commands

  • Invoking Maligno
    The module can be invoked with “use maligno” directly from the BT3 command-line interface. You should note that the BT3 command prompt changes based on the current module in use.

Maligno module ready for use after invocation

  • Module version check
    The current module version can be checked with the “version” command.

Maligno version command output

  • Module help overview
    Maligno supports a range of general commands, which can be displayed with “help”.

List of commands supported by the module

  • Module network interfaces overview
    Available network interfaces can be displayed with the “show interfaces” command. This is useful for checking the IP address assigned to your computer, without leaving the BT3 console.

Listing available network interfaces

  • Module option list
    Module options and their current values can be listed with “show options”.

Module options and their current values

  • Module option configuration
    Module option values can be set with the “set” command, followed by the desired option name and its new value.

Setting a new option value

  • Module material list
    Available malware indicator profiles can be listed with “show profiles”. If a content subscription account is already authenticated, the command will also retrieve available profile information from the online library. More targeted profile listings can be obtained with “show profiles cloud”, “show profiles disk”, “show profiles free” and “show profiles premium”. These commands present, respectively, all malware indicator profiles available online, profiles found locally on your computer, profiles which can be downloaded for free, and profiles which can be downloaded with the use of content credits.

Example with a few Maligno malware indicator profiles ready for use on disk

Fragment of the online profile library

  • Material search
    Malware indicator profiles can be easily found with the “search” command. Searches use the profile name or profile description as the search criterion.

Search results presented by the module

  • Material information
    Detailed information about a given malware indicator profile can be shown with the “info” command. The expected command argument is the profile to present. Note that malware indicator profiles downloaded to your local disk will have a “.py” extension, while those online do not.

Details about a malware indicator profile found on disk

  • Material download
    Authenticated content subscription accounts will have access to the Blue Team Training Toolkit online library, with both free and premium training content. Premium training content has a price, which will be deducted from the user’s existing content credit balance. Premium downloads require users to have enough credit balance in order to complete the download. Free online content, on the other hand, can be downloaded without restrictions. Downloading online resources can be done with the “download” command, and the material name provided as an argument.

Successful material download

  • Material download history
    The training material download history associated with your subscription account can be retrieved with “show downloads”.

Material download history

  • Maligno client generation
    Once all required module options have been configured with valid values, it will be possible to generate a Maligno client script. Maligno clients can be generated directly from the BT3 command-line interface with the “genclient” command. The generated client script will be stored in the “clients” folder, and it will be ready for deployment.

Successful Maligno client generation

Generated clients are placed in a specific location

  • Module execution
    The Maligno server can be started with the “run” command. All module options are validated during this process, so the server will not start until every required option holds a valid value.

Maligno server is running and waiting for connections

Check out the BT3 user guide, or the Blue Team Training Toolkit Video Series for practical examples.

You can also download the Blue Team Training Toolkit and test it for yourself!