Blue Team Training Toolkit (BT3) is software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.
BT3 includes the module Maligno, which allows you to simulate malware infections or targeted attacks with specific C&C communications in a safe manner.
This blog post is going to cover the most fundamental aspects of Maligno that will get you started in no time.
The Most Relevant Commands
- Invoking Maligno
The module can be invoked with “use maligno” directly from the BT3 command-line interface. You should note that the BT3 command prompt changes based on the current module in use.
- Module version check
The current module version can be checked with the “version” command.
- Module help overview
Maligno supports a range of general commands, which can be displayed with “help”.
- Module network interfaces overview
Available network interfaces can be displayed with the “show interfaces” command. This is useful for checking the IP address assigned to your computer, without leaving the BT3 console.
- Module option list
Module options and their current values can be listed with “show options”.
- Module option configuration
Module option values can be set with the “set” command, the desired option and its new value.
- Module material list
Available malware indicator profiles can be listed with “show profiles”. If a content subscription account is already authenticated, the command will retrieve available profile information from the online library. More targeted profile listing can be achieved with “show profiles cloud”, “show profiles disk”, “show profiles free” and “show profiles premium”. These commands will present all malware indicator profiles available online, profiles found locally on your computer, profiles which can be downloaded for free, and profiles which can be downloaded with the use of content credits respectively.
- Material search
Malware indicator profiles can be easily found with the “search” command. Searches use the profile name or profile description as criterion.
- Material information
Detailed information about a given malware indicator profile can be shown with the “info” command. The expected command argument is the profile to present. Note that malware indicator profiles downloaded to your local disk will have a “.py” extension, while those online do not.
- Material download
Authenticated content subscription accounts will have access to the Blue Team Training Toolkit online library, with both free and premium training content. Premium training content has a price, which will be deducted from the user’s existing content credit balance. Premium downloads require users to have enough credit balance in order to complete the download. Free online content, on the other hand, can be downloaded without restrictions. Downloading online resources can be done with the “download” command, and the material name provided as an argument.
- Material download history
The training material download history associated with your subscription account can be retrieved with “show downloads”.
- Maligno client generation
Once all required module options have been configured with valid values, it will be possible to generate a Maligno client script. Maligno clients can be generated directly from the BT3 command-line interface with the “genclient” command. The generated client script will be stored in the “clients” folder, and it will be ready for deployment.
- Module execution
Maligno server can be started with the “run” command. All module options are validated during this process.