
ace's Introduction

Automated Collection and Enrichment

The Automated Collection and Enrichment (ACE) platform is a suite of tools for threat hunters to collect data from many endpoints in a network and automatically enrich that data. Data is collected by running scripts on each computer without installing any software on the target. ACE supports collecting from Windows, macOS, and Linux hosts.

ACE is meant to simplify remote data collection across an environment by offering credential management, scheduling, centralized script management, and remote file downloading. ACE is designed to complement a SIEM by collecting and enriching data; final analysis is best left to SIEM tools such as Splunk, ELK, or whatever tools the analyst prefers.


Why use ACE?

ACE grew out of the need to perform Compromise Assessments in places with common restrictions:

  • A dedicated software agent can’t be installed on the target hosts.
  • Copying and running executables (such as Sysinternals tools) is not feasible.
  • The customer cannot enable Windows Remote Management (WinRM).
  • The customer’s visibility into macOS/Linux hosts is limited or nonexistent.
  • New scripts/tools must be created for customer-specific data.
  • Network segmentation requires multiple credentials to access all machines in the environment.

Installation / What is the architecture of ACE?

ACE has four components: the ACE Web Service, the ACE Nginx web proxy, the ACE SQL database, and the ACE RabbitMQ message queue. The Web Service is a RESTful API that takes requests from clients to schedule and manage scans. The SQL database stores the configuration and the data returned by scans. The RabbitMQ message queue hands collected data to the automated enrichment jobs.

  1. Identify the IP Address of both your Linux Docker host and your Windows host.

ACE Docker Images

ACEWebService

  1. Download the Configure-AceWebService.ps1 script from the Release page

Usage / How do I use ACE?

The ACE repository includes a collection of PowerShell scripts to interact with the ACE Web Service, including adding users, managing credentials, uploading collection scripts, and scheduling scans.

After deploying the ACE servers, use New-AceUser to create a new ACE user.

Remove the default “Admin” user with Remove-AceUser.

Use New-AceCredential to enter a set of credentials.

Run Start-AceDiscovery to automatically find computers on the Windows domain.

Run Start-AceSweep to start a sweep to run the selected scripts across the discovered endpoints.
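The five steps above strung together as one PowerShell session. This is an added example, not a script from the ACE repository: it assumes the ACE-Client module is already imported and that its functions take the Uri and ApiKey values printed by start.sh through a splatted $settings hashtable. Only the Uri field is shown on this page (in the start.sh banner); the ApiKey field name, the module path, the domain name, the script names, and every other parameter and property name used below are assumptions to be checked against `Get-Command <Name> -Syntax` before use.

```powershell
# Added example, not part of the ACE project. Every parameter or property
# marked "assumed" must be verified against the ACE-Client module.
Import-Module .\ACE-Client.psm1   # assumed module path

# Connection settings: Uri as printed by start.sh; ApiKey field name assumed.
# Prompt for the key so it is not left in the script or in shell history.
$settings = @{
    Uri    = 'https://192.168.28.131'
    ApiKey = (Read-Host -Prompt 'ACE API key for the default Admin user')
}

# Print the real parameter lists before relying on the assumed ones below.
Get-Command New-AceUser, Remove-AceUser, New-AceCredential, `
            Start-AceDiscovery, Start-AceSweep -Syntax

# 1. Create a named operator account first, so that removing the default
#    "Admin" user in step 2 cannot lock you out of the web service.
$operator = New-AceUser @settings -UserName 'hunter01' `
            -FirstName 'Jane' -LastName 'Doe' -IsAdmin          # assumed params

# 2. Switch to the new account's key, then retire the shared default user.
$settings.ApiKey = $operator.ApiKey                             # assumed property
Remove-AceUser @settings -UserName 'Admin'                      # assumed param

# 3. Store the collection credential. Get-Credential prompts for the
#    password instead of embedding it; the plaintext is sent only to the
#    ACE Web Service over the HTTPS Uri above.
$domainCred = Get-Credential -Message 'Domain account used for collection'
$aceCred = New-AceCredential @settings -Name 'corp-collector' `
           -UserName $domainCred.UserName `
           -Password $domainCred.GetNetworkCredential().Password   # assumed params

# 4. Discover Windows computers in the domain. This is the call that hits
#    the /ace/discover/domain endpoint on the web service.
Start-AceDiscovery @settings -Domain 'corp.example.com' `
                   -CredentialId $aceCred.Id                    # assumed params

# 5. Sweep the discovered endpoints with the chosen collection scripts.
Start-AceSweep @settings -Domain 'corp.example.com' `
               -CredentialId $aceCred.Id `
               -ScriptName 'Get-Process', 'Get-NetworkConnection'   # assumed params
```

Two points of order matter here. Create the replacement user before removing Admin, since the default account is the only key you hold until then. And if Start-AceDiscovery fails, look at the ACEWebService log for the /ace/discover/domain request before assuming the stored credential is wrong; the discovery issue reported further down this page shows the web service returning a 404 on that path, which no credential change will fix.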

More Resources

Contributing

Contributions to ACE are always welcome.

ace's People

Contributors

jaredcatkinson, robwinchester3


ace's Issues

Start-AceDiscovery Error - Windows domain discovery failed

Start-AceDiscovery fails to discover Windows computers for a given Windows domain. Start-AceDiscovery produces a 404 error on ACEWebService - $(URI)$/ace/discover/domain. Same error can be produced using FQDN of the Windows domain.

Start-AceDiscovery Output: (screenshot not reproduced)

ACEWebService Output: (screenshot not reproduced)

Overview of how the pieces fit together

Hey, thanks for making this tool. I have the basic setup up and running. I can add new users to my ACE instance via the PS scripts. I'm looking to do some minimal development on the web service side if I can get everything figured out, and I'm having some trouble fitting all the pieces together. I finally got a dev copy of the WS running with the Visual Studio plugin Conveyer and IIS Express. This way I should be able to debug, and I can get to it via network IPs, which was initially difficult to set up.

I think there are a few fundamentals I'm missing that have made this tricky to get started:

  • Does the web service need to be on the AD domain?
  • Does the user/machine running the ACE management scripts need to be on the AD domain?
  • I noticed a lot of code commented out of some of the Services - some of the Active Directory functionality. Is this not working currently?
  • I saw in another issue there's a video posted, but I can't quite follow the end of it without narration. Is there any plan for a quick runthrough of what you can do against machines on the domain?

start.sh not building the dockerfiles

Hi,
I'm testing ACE on a CentOS 7 VM hosted on ESXi. I deployed ACE with the following process:

  1. Install docker and necessary dependencies with yum install
  2. Install docker-compose and run docker
  3. Install nginx
  4. Install ACE (screenshot not reproduced)
  5. In ace.env: change WEBSERVER_IP to the IP of my CentOS VM
  6. ./start.sh

I've encountered a connection problem when trying to access the ACE web interface from my Windows PC, which is in the same subnet as the CentOS host. By browsing to https://IP_OF_CentOS, I get "error 113: no route to host" in "docker-compose logs".
I've added a firewall rule in CentOS (screenshot not reproduced), but it wasn't of help.

Another issue I found is that line 203 in start.sh (docker-compose build) is not building the Dockerfiles in the containers; for example, it cannot copy nginx.conf to the nginx directory as it is supposed to. A not-so-good solution I found is to launch docker build for every Dockerfile. I believe it is an issue of docker itself; please refer to: docker/compose#3148

Please tell me if I've missed some important deployment step, because there are things I'm not sure about, such as the right WEBSERVICE_IP and the docker0 subnet.

Thanks in advance,

start.sh failing

The script is failing as some directories and files are missing, like:

  • ace-app
  • ace-web
  • ace-mssql-linux/ace.Template.sql
  • ace-app/appsettings.Template.json

MS-SQL Error in ACE Docker

Hi,

I am facing this error when I am installing ACE Docker.

In short, I am getting an error related to MS-SQL.

SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online..

Error: The evaluation period has expired.
This program has encountered a fatal error and cannot continue running.
The following diagnostic information is available:

   Reason: 0x00000001
   Signal: SIGSEGV - Segmentation fault (11)

Stacktrace: 000056441d52fce7 00007fd80764b390 000056441d53ef52
000056441d5286db 000056441d527e59
Process: 6 - sqlservr
Thread: 18 (application thread 0x1028)
Instance Id: e623d85c-8194-4f4a-8c4e-fba2871e25e4
Crash Id:
Build stamp: a37664e45e4156e76a53fa282fd694cb49f70c2037515f5684e3ce6dfa7549bc
/usr/src/ace/import-data.sh: line 4: 6 Aborted (core dumped) /opt/mssql/bin/sqlservr > /dev/null
Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Login timeout expired.
Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : TCP Provider: Error code 0x2749.
Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online..

},

"ConnectionStrings": {

}
}

==========================================================

===============================================================
| Thank you for provisioning ACE with Docker!! |
| Please use the following information to interact with ACE |

$settings = @{
Uri = 'https://192.168.28.131'

PS: If I do netstat -antp for active connections and open ports, I can see that port 1433 is open, but when I do telnet or nc to check connectivity it shows Connection Refused.
