Samples

create_deployment_group_with_all_breadcrumb_types

This sample script creates a deployment group with the requested breadcrumb type and downloads the deployment package.

create_deployment_group_with_all_breadcrumb_types.create_breadcrumb(client, breadcrumb_type, breadcrumb_data, username, password, group_name)

Create a breadcrumb.

A breadcrumb consists of connection credentials deployed on an endpoint. An attacker will find and use these credentials to connect to a service on a decoy.

Parameters:
  • client – An existing connection (the result of mazerunner.connect).
  • breadcrumb_type – Browser cookie, MySQL connection command, SMB path, etc.
  • breadcrumb_data – Breadcrumb configuration dict.
  • username – The user we would like to create on the service, which the attacker is intended to find and use.
  • password – The password of that user.
  • group_name – A deployment group to which the breadcrumb should belong.
create_deployment_group_with_all_breadcrumb_types.create_decoy_if_needed(client, decoy_key)

Create and power on a decoy, if none exists already.

Decoys are virtual machines to which we want to attract the attacker.

Parameters:
  • client – An existing connection (the result of mazerunner.connect).
  • decoy_key – The key in the DECOY_DATA hash of the desired decoy.
create_deployment_group_with_all_breadcrumb_types.create_service_if_needed(client, service_data)

Create a service.

Services are applications installed on the decoys, to which we would like the attacker to try to log in.

Parameters:
  • client – An existing connection (the result of mazerunner.connect).
  • service_data – Arguments for the service configuration.
create_deployment_group_with_all_breadcrumb_types.get_args()

Configure the command-argument parser.

create_deployment_group_with_all_breadcrumb_types.main()

Here’s the procedure:

  • Parse the command args.
  • Configure the connection to MazeRunner and store it in the ‘client’ variable.
  • Create a deployment group (which is a logical group of breadcrumbs).
  • Create the breadcrumbs and their required services and decoy (see create_breadcrumb, create_service_if_needed, create_decoy_if_needed).
  • Load the deployment group info from the server; wait for all the info to arrive.
  • Deploy the deployment groups.

create_smb_breadcrumbs

This sample script creates an SMB deception chain with a list of usernames supplied by the user, each having a random password from a passwords file or from a predetermined password pool.

create_smb_breadcrumbs.get_args()

Configure the command-argument parser.

create_smb_breadcrumbs.main()

Here is what we do:

  • Parse the command arguments.
  • Create a decoy named “Backup Server Decoy”.
  • Wait until the decoy is created.
  • Create an SMB service.
  • Attach the SMB service to the decoy we previously created.
  • Load the users and passwords data file.
  • Create breadcrumbs and attach them to the service we previously created.
  • Start the decoy machine.

At the end of this process, we will have a nested (KVM) decoy. On that decoy, we will have an SMB service installed, which will have several SMB users.

delete_everything

This script will delete all of the entities on your MazeRunner system.

delete_everything.get_args()

Parse the command arguments.

delete_everything.main()

Here is what we do:

  • Parse command arguments.
  • Create MazeRunner connection.
  • Get a collection of all breadcrumbs.
  • Delete all elements in the collection.
  • Do the same for deployment groups, decoys, services, endpoints, CIDR mappings and background tasks.

track_live_alerts

This script will periodically query MazeRunner for new events and print them.

track_live_alerts.get_args()

Parse the command arguments.

track_live_alerts.main()

Here is what we do:

  • Parse command arguments.
  • Fetch all possible types of alerts.
  • Get an AlertCollection: show or hide muted alerts according to the option specified on the command line, and show all types of alerts.
  • Check the current amount of alerts.
  • Periodically check for alerts and print the new ones.

deploy_to_linux

This sample script deploys (installs or uninstalls) a specific deployment group on the Linux endpoint(s) supplied by the user. A single endpoint can be provided on the command line, or a CSV file can be used to deploy on multiple endpoints.

mazerunner.samples.deploy_to_linux.deploy_zip_on_endpoints(zipfile, endpoints, deploy_type, deployment_group)

Deploy (install/uninstall) the zipfile on each of the endpoints in the list.

Parameters:
  • zipfile – String containing the full local path of the zip file to upload.
  • endpoints – List of the endpoints to deploy on.
  • deploy_type – Type of deployment: install or uninstall.
  • deployment_group – The name of the deployment group being deployed; this parameter is used only for printing the name.
mazerunner.samples.deploy_to_linux.get_args()

Parse the command arguments.

mazerunner.samples.deploy_to_linux.init_ssh_client(host, port, user, passwd)

Initialise the SSHClient and the SFTPClient.

Parameters:
  • host – The IP address of the endpoint to connect to.
  • port – The SSH port of the endpoint.
  • user – The user (should be root, or a user who can sudo without a password).
  • passwd – The password of that user for connecting to the endpoint.
Returns: (paramiko.SSHClient, paramiko.SFTPClient).

mazerunner.samples.deploy_to_linux.main()
mazerunner.samples.deploy_to_linux.parse_csv_file(csv_file)

Parse a CSV file into a list of items. Each item is a dict containing an endpoint’s data with the following values: host, port, user, pass.

Parameters:
  • csv_file – Name of the CSV file to parse.
Returns: List
mazerunner.samples.deploy_to_linux.run_cmd(ssh, cmd)

Run a command on an existing SSH connection.

Parameters:
  • ssh – The SSH client.
  • cmd – The command to run.
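As an added example (not part of the SDK's own samples), here is a standalone parser for the endpoint CSV format described under parse_csv_file above. It assumes the column order host, port, user, pass and an optional header row, converts the port to a validated integer, and keeps the password out of the printable form so a deployment log never records credentials.

```python
import csv
import io

# Column order assumed from the parse_csv_file docstring: host, port, user, pass.
FIELDS = ("host", "port", "user", "pass")


def parse_endpoints_csv(text):
    """Parse CSV text into a list of endpoint dicts (host, port, user, pass).

    A first row whose cells equal the field names is treated as a header
    and skipped; blank lines are ignored; malformed rows raise ValueError
    so a bad inventory is rejected before anything is deployed.
    """
    endpoints = []
    reader = csv.reader(io.StringIO(text))
    for rowno, row in enumerate(reader, start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # blank line
        if rowno == 1 and [c.lower() for c in cells] == list(FIELDS):
            continue  # optional header row
        if len(cells) != len(FIELDS):
            raise ValueError("row %d: expected %d columns, got %d"
                             % (rowno, len(FIELDS), len(cells)))
        host, port, user, passwd = cells
        if not host or not user:
            raise ValueError("row %d: host and user must not be empty" % rowno)
        try:
            port_num = int(port)
        except ValueError:
            raise ValueError("row %d: port %r is not an integer" % (rowno, port))
        if not 1 <= port_num <= 65535:
            raise ValueError("row %d: port %d out of range" % (rowno, port_num))
        endpoints.append({"host": host, "port": port_num, "user": user, "pass": passwd})
    return endpoints


def describe_endpoints(endpoints):
    """Return printable 'user@host:port' strings with the password omitted."""
    return ["%s@%s:%d" % (e["user"], e["host"], e["port"]) for e in endpoints]


# Constructed sample input (not a real inventory): header, two endpoints, a blank line.
SAMPLE_CSV = """host,port,user,pass
10.0.0.5,22,root,s3cret
10.0.0.6,2222,deployer,hunter2

"""
```

Calling `describe_endpoints(parse_endpoints_csv(SAMPLE_CSV))` gives the two `user@host:port` strings that deploy_zip_on_endpoints could print while iterating.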

elasticsearch_responder_monitor

This script will allow you to integrate the Responder feature in MazeRunner with ElasticSearch. For usage information, run the script with no parameters.

syslog_server_active_soc_reporter

This sample script runs a syslog server that will receive CEF messages and send them back to MazeRunner’s ActiveSOC using the API.