TTPForge is a cyber attack simulation platform designed and built by Sam Manzer (@d3sch41n), Alek Straumann (@CrimsonK1ng), and Geoff Pamerleau (@Sy14r), and including subsequent contributions from many good folks in Meta’s Red, Blue, and Purple security teams. Jayson Grace (@l50) migrated the project to GitHub and assisted with preparation for the project’s open source release.
This project promotes a Purple Team approach to cybersecurity with the following goals:
- To help blue teams accurately measure their detection and response capabilities through high-fidelity simulations of real attacker activity.
- To help red teams improve the ROI/actionability of their findings by packaging their attacks as automated, repeatable simulations.
TTPForge allows you to automate attacker tactics, techniques, and procedures (TTPs) using a powerful but easy-to-use YAML format. Check out the links below to learn more!
- Installation
- Documentation
- Getting Started - Developer
- Go Package Documentation
- Creating a new release
-
Get latest TTPForge release:
curl \ https://raw.githubusercontent.com/facebookincubator/TTPForge/main/dl-rl.sh \ | bash
At this point, the latest
ttpforge
release should be in$HOME/.local/bin/ttpforge
and subsequently, the$USER
's$PATH
.If running in a stripped down system, you can add TTPForge to your
$PATH
with the following command:export PATH=$HOME/.local/bin:$PATH
-
Initialize TTPForge configuration
This command will place a configuration file at the default location
~/.ttpforge/config.yaml
and configure theexamples
andforgearmory
TTP repositories:ttpforge init
-
List available TTP repositories (should show
examples
andforgearmory
)ttpforge list repos
The
examples
repository contains the TTPForge examples found in this repository. The ForgeArmory repository contains our arsenal of attacker TTPs powered by TTPForge. -
List available TTPs that you can run:
ttpforge list ttps
-
Examine an example TTP:
ttpforge show ttp examples//args/basic.yaml
-
Run the specified example:
ttpforge run examples//args/basic.yaml \ --arg str_to_print=hello \ --arg run_second_step=true