ForgeArmory is a repository of attacker Tactics, Techniques, and Procedures (TTPs) that you can download and run with Meta's TTPForge attack simulation engine. Our catalog presently focuses on macOS and Cloud TTPs.
To get started, install TTPForge and then browse the ForgeArmory TTP catalog to find cyberattacks to simulate.
ForgeArmory TTPs are organized by MITRE ATT&CK tactics, making it easy to find and execute specific attack techniques.
Each TTP is contained in its own directory with a standardized structure:
```
ttps/<MITRE-TACTIC>/<TTP-NAME>/
├── ttp.yaml        # TTP definition and execution logic
├── README.md       # Documentation and usage instructions
└── [helper files]  # Supporting scripts, binaries, or resources
```

TTPs should be named according to the action they perform, independent of the platform or operating system they target.
For ease of identification, however, names should be prefixed with the technology they target:
Cloud-based TTPs are prefixed with the cloud service:
- AWS EC2: `aws-ec2-*` (instance management, exfiltration)
- AWS IAM: `aws-iam-*` (user/role manipulation, persistence)
- AWS Lambda: `aws-lambda-*` (serverless backdoors)
- AWS S3: `aws-s3-*` (bucket enumeration)
- AWS Secrets Manager: `aws-secretsmanager-*` (secret extraction)
Similarly, Kubernetes and container-based TTPs are prefixed with `k8s-`:
- `k8s-extract-k8s-secrets` - Extract secrets from Kubernetes clusters
- `k8s-backdoor-k8s-nodes-authorized-keys` - Backdoor cluster nodes
- `k8s-escaper` - Container escape techniques
- `k8s-kubeletmein` - Kubelet exploitation
Helper TTPs for use in subTTPs are located in `ttps/utils/`. Examples include:
- AWS utilities: Environment validation and credential management
- Kubernetes utilities: Cluster configuration and validation
Complex TTPs that span multiple MITRE tactics can be stored in `ttps/chains`.
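As an added example (not ForgeArmory's own tooling), the following Python script lints a catalog tree against the layout and naming conventions above: every TTP directory must contain `ttp.yaml` and `README.md`, and cloud or Kubernetes TTPs must carry the expected technology prefix. The tactic directory names, the constructed sample TTP names and the rule that an AWS TTP must use one of the listed service prefixes are assumptions for illustration.

```python
import os
import re
import tempfile

# Files the README requires in every ttps/<MITRE-TACTIC>/<TTP-NAME>/ directory.
REQUIRED_FILES = ("ttp.yaml", "README.md")
# Helper and chain directories under ttps/ are not tactic directories.
NON_TACTIC_DIRS = {"utils", "chains"}
# Assumption: AWS TTPs use one of the listed service prefixes; k8s TTPs start with "k8s-".
PREFIX_RE = re.compile(r"^(aws-(ec2|iam|lambda|s3|secretsmanager)|k8s)-[a-z0-9-]+$")


def lint_catalog(root):
    """Return sorted findings for every TTP directory under root/ttps."""
    findings = []
    ttps = os.path.join(root, "ttps")
    for tactic in sorted(os.listdir(ttps)):
        if tactic in NON_TACTIC_DIRS:
            continue
        tactic_dir = os.path.join(ttps, tactic)
        for name in sorted(os.listdir(tactic_dir)):
            ttp_dir = os.path.join(tactic_dir, name)
            if not os.path.isdir(ttp_dir):
                continue
            for required in REQUIRED_FILES:
                if not os.path.isfile(os.path.join(ttp_dir, required)):
                    findings.append(f"{tactic}/{name}: missing {required}")
            if name.startswith(("aws-", "k8s-")) and not PREFIX_RE.match(name):
                findings.append(f"{tactic}/{name}: non-standard technology prefix")
    return findings


def build_sample_catalog():
    """Create a small constructed catalog in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="forgearmory-sample-")
    layout = {
        "credential-access/aws-secretsmanager-dump": ("ttp.yaml", "README.md"),
        "credential-access/k8s-extract-k8s-secrets": ("ttp.yaml",),  # README.md missing
        "persistence/aws-instance-backdoor": ("ttp.yaml", "README.md"),  # bad prefix
        "utils/aws-validate-env": ("ttp.yaml",),  # helper dir, not linted
    }
    for rel, files in layout.items():
        ttp_dir = os.path.join(root, "ttps", *rel.split("/"))
        os.makedirs(ttp_dir)
        for filename in files:
            open(os.path.join(ttp_dir, filename), "w").close()
    return root


if __name__ == "__main__":
    for finding in lint_catalog(build_sample_catalog()):
        print(finding)
```

Run it against a real checkout by passing the repository root to `lint_catalog` instead of the constructed sample.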
You can use the `ttpforge enum` command to list and filter TTPs by various criteria:

```bash
# List all available TTPs
ttpforge enum ttps -v

# Filter by MITRE technique
ttpforge enum ttps --technique T1552 -v

# Filter by MITRE subtechnique
ttpforge enum ttps --sub-tech T1552.001 -v

# Filter by operating system
ttpforge enum ttps --platform <platform> -v

# Filter by author
ttpforge enum ttps --author <author-name> -v
```

For complete documentation on filtering and enumeration options with `enum`, see the official TTPForge documentation.
You can add new TTPs to ForgeArmory by forking this repository and adding your TTP YAML files to the appropriate directories in the catalog. Check out the TTPForge documentation to learn the syntax for writing TTPs and all of TTPForge's attack simulation features.
Once your TTPs are ready, feel free to send us a pull request :)
Our automation will run various linters and checks against new pull requests. Several of the linters in this project may be used as pre-commit hooks if desired - you can install and set up pre-commit according to the official instructions.
For quick ad hoc runs, you may wish to run pre-commit in a virtual environment:
```bash
python3 -m venv venv
. venv/bin/activate
pip3 install pre-commit
pre-commit run --all-files
```