
Chaining TTPs Together

TTPForge provides users with the ability to chain multiple existing TTPs together to form new composite TTPs. This is useful for two primary reasons:

  1. Users can simulate complex multi-stage cyberattacks.
  2. Code duplication is avoided, because steps shared by several TTPs can be factored into one sub-TTP that each of them references.

Syntax for Chaining TTPs

To chain multiple TTPs together, use the `ttp:` action, as shown in the example below:

```yaml
---
name: Basic TTP Chaining
description: |
  You can chain existing TTPs together to make larger
  and more complex TTPs by using the Sub-TTP action type
  signified by the `ttp:` syntax
tests:
  - name: default
steps:
  - name: first_sub_ttp
    description: this step invokes another TTP file
    ttp: //actions/inline/basic.yaml
  - name: second_sub_ttp
    description: |
      you can pass arguments to sub-TTPs using
      the `args:` field of the sub-TTP action
    ttp: //args/basic.yaml
    args:
      str_to_print: "this came from the parent TTP"
      int_arg: 31337
      run_second_step: true
```

Run this example TTP by executing the following command:

```bash
ttpforge run examples//chaining/basic.yaml
```

Notice that the steps of each sub-TTP referenced via the `ttp:` action are executed in sequence, so our example has combined two smaller TTPs into a single larger one. TTP chains may consist of as many TTPs as desired.

The `ttp:` action accepts a TTP reference as its argument. The `//` prefix indicates that the provided TTP path is relative to the root of the current repository's TTP Search Path. Therefore, in the case of this repository, the provided path is rooted in the `example-ttps` directory. Consult the TTP Repositories documentation for further details about how TTP references are resolved.

Note: for legacy reasons, TTPForge also supports omitting the `//` prefix in `ttp:` actions. Paths provided without the `//` prefix are still resolved relative to the TTP search path root, just as if the `//` were present. This compatibility may be removed in a later version of TTPForge; therefore, new TTPs should always use the `//` prefix.

Passing Arguments to Sub-TTPs

The example above also showcases the `args:` syntax that is used to pass arguments to sub-TTPs. The specified argument values are mapped directly to the command-line arguments declared in the YAML file of the sub-TTP.

Cleaning Up TTP Chains

The TTPForge cleanup feature works somewhat differently than usual for TTP chains. TTPForge automatically adds a special cleanup action to each `ttp:` step. This cleanup action runs the cleanup actions defined in the referenced sub-TTP file. If a step from the sub-TTP fails, this cleanup action begins sub-TTP cleanup execution from the last successful step of the sub-TTP.
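To make the reference-resolution and cleanup rules above concrete, here is a small added Python emulation (not TTPForge's own code) of a chain like the one on this page. It assumes the `example-ttps` search root named above, uses constructed sub-TTP step names, and assumes that cleanup proceeds in reverse order starting from the last successful step of the sub-TTP that was running when a failure occurred.

```python
"""Emulate how a TTPForge chain resolves ttp: references and orders cleanup.
Added illustration, not TTPForge code; the step names below are constructed."""

SEARCH_ROOT = "example-ttps"  # TTP search path root named on the page


def resolve_ref(ref: str, root: str = SEARCH_ROOT) -> tuple[str, bool]:
    """Map a ttp: reference to a path under the search root.
    Returns (path, legacy); legacy is True when the // prefix was omitted,
    which the page says still resolves against the same root."""
    legacy = not ref.startswith("//")
    rel = ref if legacy else ref[2:]
    return f"{root}/{rel}", legacy


# Constructed stand-ins for the two sub-TTP files referenced on the page:
# resolved path -> ordered step names.
SUB_TTPS = {
    "example-ttps/actions/inline/basic.yaml": ["print_hello", "print_goodbye"],
    "example-ttps/args/basic.yaml": ["print_str", "check_int", "second_step"],
}

# The parent chain; the second reference deliberately uses the legacy form.
PARENT_STEPS = [
    {"name": "first_sub_ttp", "ttp": "//actions/inline/basic.yaml"},
    {"name": "second_sub_ttp", "ttp": "args/basic.yaml"},
]


def run_chain(parent, sub_ttps, failing_step=None):
    """Run sub-TTP steps in sequence; stop at failing_step (a constructed
    failure marker). Returns (executed, cleaned) as 'parent_step/sub_step'.
    Cleanup order is assumed: reverse, starting from the last successful
    step of the sub-TTP that was running when the failure occurred."""
    executed, cleaned, progress = [], [], []
    for step in parent:
        path, _legacy = resolve_ref(step["ttp"])
        done = []
        progress.append((step["name"], done))
        for sub in sub_ttps[path]:
            if sub == failing_step:
                break
            executed.append(f"{step['name']}/{sub}")
            done.append(sub)
        else:
            continue
        break  # a sub-step failed: abandon the rest of the chain
    for name, done in reversed(progress):  # the auto-added cleanup per ttp: step
        cleaned.extend(f"{name}/{sub}" for sub in reversed(done))
    return executed, cleaned
```

Calling `run_chain(PARENT_STEPS, SUB_TTPS, failing_step="check_int")` shows the chain stopping inside the second sub-TTP and cleanup starting from `print_str`, the last step that succeeded there.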