# VECTR

VECTR (Vectorized Engagement and Campaign Tracking for Reporting) is Security Risk Advisors' open-source platform for purple team operations. It lets teams document adversary emulation campaigns, align techniques to MITRE ATT&CK, and measure detection coverage gaps over time, bridging red and blue teams by tracking both attack execution and detection outcomes in a single interface.

## Installation

### Docker Compose Setup

VECTR is deployed via Docker Compose from the official repository:

```bash
# Clone VECTR repository
git clone https://github.com/SecurityRiskAdvisors/VECTR.git
cd VECTR

# Start Docker Compose (includes nginx, application, and postgres)
docker-compose up -d

# Verify containers are running
docker-compose ps
```

### Initial Configuration

```bash
# Check logs for startup status
docker-compose logs -f app

# Access web interface
# http://localhost:8080 (default)
# or https://localhost:443 (if TLS enabled)

# Default credentials (CHANGE IMMEDIATELY)
# Username: admin
# Password: admin
```

### Environment Variables

```yaml
# docker-compose.yml customization
environment:
  - NODE_ENV=production
  - DB_HOST=postgres
  - DB_PORT=5432
  - DB_USER=vectr
  - DB_PASSWORD=change_me
  - REDIS_HOST=redis
  - REDIS_PORT=6379
```
## Quick Start

### First-Time Setup

1. Access Web UI
   - Navigate to http://localhost:8080
   - Log in with the default credentials
   - Change the admin password immediately
2. Create First Assessment
   - Click “New Assessment”
   - Enter an assessment name (e.g., “Q2 2026 Purple Team Campaign”)
   - Select the MITRE ATT&CK version (default: latest)
   - Define assessment scope and objectives
   - Assign team members
3. Invite Team Members
   - Navigate to Settings → Users
   - Add user email addresses
   - Assign roles: Admin, Red Team, Blue Team, Analyst
   - Send invitations

### Dashboard Overview

| Component | Purpose |
|---|---|
| Campaigns | High-level purple team exercise containers |
| Assessments | Sub-campaigns with specific scope and timeline |
| Test Cases | Individual adversary emulation techniques and detections |
| Results | Outcome tracking (detected, alerted, blocked, etc.) |
| Heat Maps | Visual ATT&CK coverage analysis |
## Core Concepts

### Campaigns

Campaigns are top-level containers for purple team activities, representing organization-wide adversary emulation programs:

Campaign Structure:
- Campaign Name: "2026 Annual Purple Team Program"
- Duration: Start and end dates
- Objectives: Measurable goals for coverage improvement
- Phases: Grouped assessments by campaign phase
- Participants: Cross-functional team roster

### Assessments

Assessments are scoped sub-campaigns with defined target systems, techniques, and timelines:

Assessment Properties:
- Name: Specific assessment name
- Campaign: Parent campaign
- Target Systems: Scope (endpoints, servers, networks)
- Start/End Date: Assessment window
- MITRE Version: ATT&CK version used (v13, v14, etc.)
- Status: Planning, Active, Complete

### Test Cases

Test cases document individual adversary emulation executions:
- Technique ID: MITRE ATT&CK technique (e.g., T1566.002)
- Name: Descriptive test case name
- Description: Attack scenario details
- Procedure: Step-by-step execution instructions
- Tool Used: Red team tool (Mimikatz, certutil, etc.)
- Execution Date: When test was performed
- Evidence: Screenshots, logs, artifacts
- Detection Status: Outcome from blue team perspective

### Outcomes

Outcomes track both attack execution and detection results:

| Red Team Outcome | Blue Team Detection |
|---|---|
| Success | Detected / Alerted / Blocked |
| Success | Not Detected |
| Failure | N/A (technique didn’t execute) |
| N/A | Not Applicable (not targeted) |

### ATT&CK Mapping

Every test case maps to MITRE ATT&CK techniques, and the campaign heat map rolls the results up per tactic:

Campaign Heat Map:
- Reconnaissance: 8/12 techniques covered (67%)
- Resource Development: 5/10 techniques covered (50%)
- Initial Access: 6/8 techniques covered (75%)
- Execution: 12/15 techniques covered (80%)
## Campaign Management

### Creating a Campaign

1. Dashboard → Create Campaign
2. Enter campaign metadata:
   - Campaign Name: "2026 Detection Engineering Program"
   - Campaign Manager: Select lead
   - Objective: "Improve detection coverage in EDR"
   - Start Date: 2026-04-01
   - End Date: 2026-12-31
   - Description: Campaign context and goals
3. Click Create
4. Add phases (e.g., "Phase 1: Initial Access", "Phase 2: Persistence")

### Defining Campaign Scope

```yaml
# Scope Definition
Target Tactics:
  - Initial Access
  - Execution
  - Persistence
  - Privilege Escalation
  - Defense Evasion

Target Platforms:
  - Windows
  - Linux
  - macOS

Asset Groups:
  - Production Servers
  - Endpoint Devices
  - Network Infrastructure
```

### Selecting ATT&CK Techniques

- Navigate to Campaign → Technique Selection
- View full ATT&CK matrix
- Filter by tactic, platform, or sub-technique
- Select techniques to target in campaign
- Export technique list for red team planning

### Organizing Phases

Phase Management:
1. Create phase within campaign
   - Name: "Initial Access & Execution"
   - Duration: 2 weeks
   - Focus areas: Phishing, scripting techniques
2. Link assessments to phases
3. Schedule red team operations by phase
4. Track phase completion and coverage
## Test Cases

### Creating Test Cases

Assessment → Create Test Case

Required Fields:
- MITRE Technique ID: T1566.002 (Phishing: Spearphishing Link)
- Test Case Name: "Phishing Link Campaign to Marketing"
- Description: Description of attack scenario
- Attack Procedure: Step-by-step attack execution
- Tool Used: Browser, domain registrar info
- Execution Date: When red team executed
- Red Team Notes: Observations, success/failure details

### Mapping to ATT&CK

```text
# Example test case structure
Test Case: T1566.002
├── Tactic: Initial Access
├── Name: Spearphishing Link Delivery
├── Sub-techniques: Attached file is not used
├── Platform: Windows
├── Procedure:
│   1. Create malicious URL with payload
│   2. Spoof marketing sender email
│   3. Send to 100 marketing employees
│   4. Track link clicks and execution
└── Evidence: Email logs, URL visit records
```

### Documenting Outcomes

| Field | Example |
|---|---|
| Tool Used | Gophish + Custom payload |
| Procedure | Spearphishing URL in email body |
| Red Team Outcome | Success - 25 clicks, 5 executed |
| Blue Team Detection | Alerted on phishing link (Proofpoint) |
| Detection Status | Detected |
| Remediation | Updated email filter, user training |
| Evidence | Screenshots, alert logs, forensics |
## Outcome Tracking

### Recording Outcomes

Test Case → Add Outcome

```text
Red Team Perspective:
✓ Success: Attack achieved objective
✗ Failure: Attack did not execute
⊘ N/A: Not attempted/applicable

Blue Team Perspective:
✓ Detected: Security control identified attack
✓ Alerted: Alert/notification triggered
✓ Blocked: Attack blocked before success
✗ Not Detected: Attack completed undetected
⊘ Not Applicable: Technique not in scope
```

### Red vs. Blue Scoring

VECTR calculates coverage metrics:

Coverage Calculation:
- Total Techniques Executed: 45
- Total Techniques Detected: 38 (84%)
- Detection Gap: 7 techniques (16%)

Trend Analysis:
- Previous Campaign: 72% detected
- Current Campaign: 84% detected
- Improvement: +12 percentage points
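The outcome classification from the Outcomes table and the coverage arithmetic above, carried through in code. This is an added example, not VECTR's own scoring code: the record layout, the constructed sample outcomes and the rollup rule (a technique counts as detected only when every executed test case for it was detected; Failure and N/A rows are not counted as executed) are assumptions, since the page gives the resulting numbers but not the exact rule.

```python
"""Coverage and trend metrics in the shape of VECTR's 'Red vs. Blue Scoring'.
Added example, not project code; record layout and sample data are constructed."""
from collections import defaultdict

# Blue-team results that count as a detection (Detected / Alerted / Blocked).
DETECTED = {"Detected", "Alerted", "Blocked"}

# Constructed sample: one record per test case outcome.
SAMPLE_OUTCOMES = [
    {"technique": "T1566.002", "red": "Success", "blue": "Alerted"},
    {"technique": "T1566.002", "red": "Success", "blue": "Not Detected"},
    {"technique": "T1547.001", "red": "Success", "blue": "Not Detected"},
    {"technique": "T1059.001", "red": "Success", "blue": "Blocked"},
    {"technique": "T1574.001", "red": "Failure", "blue": "N/A"},        # did not execute
    {"technique": "T1003.001", "red": "N/A", "blue": "Not Applicable"},  # not targeted
    {"technique": "T1053.005", "red": "Success", "blue": "Detected"},
]


def per_technique(outcomes):
    """Return {technique: (executed, detected)}.

    Only test cases with a red-team outcome of Success are counted as executed;
    Failure and N/A rows are skipped, matching the 'N/A (technique didn't
    execute)' and 'Not Applicable (not targeted)' rows of the Outcomes table."""
    tally = defaultdict(lambda: [0, 0])
    for rec in outcomes:
        if rec["red"] != "Success":
            continue
        tally[rec["technique"]][0] += 1
        if rec["blue"] in DETECTED:
            tally[rec["technique"]][1] += 1
    return {t: tuple(v) for t, v in tally.items()}


def coverage(outcomes):
    """Campaign-level numbers as in 'Coverage Calculation'.

    Assumed rollup rule: a technique is 'detected' only if every executed test
    case for it was detected; anything less lands it in the detection gap."""
    stats = per_technique(outcomes)
    executed = len(stats)
    detected = sum(1 for ex, det in stats.values() if det == ex)
    pct = round(100 * detected / executed) if executed else 0
    return {
        "techniques_executed": executed,
        "techniques_detected": detected,
        "detection_pct": pct,
        "gap": [t for t, (ex, det) in sorted(stats.items()) if det < ex],
    }


def trend(previous_pct, current_pct):
    """Change in percentage points between two campaigns, as in 'Trend Analysis'."""
    return current_pct - previous_pct


if __name__ == "__main__":
    current = coverage(SAMPLE_OUTCOMES)
    print(current)
    print("change vs previous campaign:", trend(72, current["detection_pct"]), "points")
```

The gap list is the input a blue team lead actually needs: T1566.002 appears there even though one of its two test cases alerted, because a technique that is only sometimes caught is still a gap under the strict rule.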
### Generating Outcome Reports

Campaign → Reports → Detection Coverage

Output Includes:
- Technique-by-technique detection status
- Detected vs. Not Detected breakdown
- Trend graphs (coverage over time)
- Tactics with highest/lowest detection
- Red team success rate by technique
- Blue team detection speed (time-to-detect)
## ATT&CK Integration

### Heat Maps

Campaign Dashboard → ATT&CK Heat Map

```text
Color Coding:
🟢 Green: Technique tested and detected (100%)
🟡 Yellow: Technique tested, partially detected (50-99%)
🔴 Red: Technique tested, not detected (0-49%)
⚪ Gray: Technique not tested
```

### Coverage Visualization

Matrix View:
- X-axis: MITRE ATT&CK Techniques
- Y-axis: Detection Status
- Click technique to view all test cases for that technique
- Export heat map as PNG or JSON for presentations

### Technique Selection from ATT&CK Navigator

ATT&CK Navigator Integration:
1. Navigate to Campaign Technique Selection
2. Open MITRE ATT&CK Navigator (embedded or external link)
3. Create technique layer in Navigator
4. Import layer into VECTR campaign
5. VECTR auto-populates campaign techniques

### Navigator Layer Export

Campaign → Export as Navigator Layer

Output:
- JSON format compatible with ATT&CK Navigator
- Includes detection status and metadata
- Share with stakeholders and executives
- Upload to Navigator for visualization
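A script of the same shape as the Navigator layer export, covering both the heat-map colour buckets from the Heat Maps section and the layer JSON described here. This is an added example, not VECTR's exporter: the `navigator_layer` function, the hex colours, the `navigator`/`layer` version strings and the sample counts are assumptions; the `techniqueID`, `color`, `score` and `comment` keys are the Navigator layer format's own. The per-technique input is `{technique_id: (executed, detected)}`, the same summary a per-technique tally of outcomes would produce.

```python
"""Build an ATT&CK Navigator layer coloured with the page's heat-map scheme.
Added example, not VECTR code; colours, version strings and sample data are assumed."""
import json

# Heat-map classes from the page, keyed by the detected/executed ratio.
COLORS = {
    "green": "#2ecc71",   # tested and detected (100%)
    "yellow": "#f1c40f",  # tested, partially detected (50-99%)
    "red": "#e74c3c",     # tested, not detected (0-49%)
    "gray": "#bdbdbd",    # not tested
}


def bucket(executed, detected):
    """Map a technique's (executed, detected) counts to one of the four classes."""
    if executed == 0:
        return "gray"
    ratio = detected / executed
    if ratio >= 1.0:
        return "green"
    if ratio >= 0.5:
        return "yellow"
    return "red"


def navigator_layer(name, attack_version, results, planned=()):
    """Return a Navigator layer dict.

    results: {technique_id: (executed, detected)} for tested techniques.
    planned: in-scope techniques with no test case yet; rendered gray so the
             heat map shows untested scope rather than silently omitting it.
    The 'navigator' and 'layer' version strings are assumptions for this example."""
    techniques = []
    for tid in sorted(set(results) | set(planned)):
        executed, detected = results.get(tid, (0, 0))
        cls = bucket(executed, detected)
        techniques.append({
            "techniqueID": tid,
            "color": COLORS[cls],
            "score": round(100 * detected / executed) if executed else 0,
            "comment": (f"{detected}/{executed} test cases detected"
                        if executed else "not tested"),
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": str(attack_version), "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Detection coverage exported from purple team results",
        "techniques": techniques,
        "legendItems": [{"label": k, "color": v} for k, v in COLORS.items()],
    }


# Constructed sample: two test cases for T1566.002 with one detection, etc.
SAMPLE_RESULTS = {"T1566.002": (2, 1), "T1547.001": (1, 0), "T1059.001": (1, 1)}

if __name__ == "__main__":
    layer = navigator_layer("Q2 2026 coverage", 14, SAMPLE_RESULTS, planned=["T1053.005"])
    print(json.dumps(layer, indent=2))
```

Writing the printed JSON to a file and opening it in Navigator with the matching ATT&CK version gives the same four-colour matrix as the campaign dashboard; the `comment` field carries the counts, so a stakeholder hovering a yellow cell sees why it is only partially covered.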
## Reporting

### Campaign Reports

Reports → Generate Campaign Report

Report Sections:
1. Executive Summary
   - Campaign overview and objectives
   - High-level metrics (% coverage, trends)
   - Key findings and recommendations
2. Detailed Findings
   - Technique-by-technique analysis
   - Detection gaps with remediation
   - Red team success rates
3. Appendix
   - Full test case listing
   - Evidence and screenshots
   - Timeline of executions

### Detection Gap Analysis

Gap Analysis Report:
- Not Detected Techniques:
  - T1547.001: Registry Run Keys (no EDR detection)
  - T1574.001: DLL Search Order Hijacking (bypasses defenses)
  - T1562.001: Disable or Modify System Firewall (insufficient logging)
- Recommendations:
  - Implement ETW-based detection for T1547.001
  - Deploy DLL hijacking behavioral detection
  - Enable advanced logging for firewall modifications

### Trend Tracking

Metrics → Trend Analysis

Metrics Tracked:
- Detection coverage over time (%)
- Techniques tested per month
- Average red team success rate
- Detection speed (TTD in hours)
- Top tactics for improvement
- Year-over-year improvement

### PDF/CSV Export

Reports → Export

Formats:
- PDF: Full formatted report with branding
- CSV: Technique data for spreadsheet analysis
- JSON: Programmatic export for integrations
- PNG: Heat maps for presentations

Customization:
- Logo and branding
- Include/exclude sections
- Redact sensitive data
- Custom date ranges
## Templates

### Assessment Templates

Settings → Templates → Assessment Templates

Pre-built Templates:
- "Initial Access Focus" (phishing, watering hole, supply chain)
- "Persistence & Privilege Escalation" (scheduled tasks, registry, kernel)
- "Defense Evasion" (UAC bypass, AMSI evasion, LOLBins)
- "Lateral Movement" (pass-the-hash, Kerberos, SMB abuse)

### Reusable Test Case Libraries

Create from Existing Assessment:
1. Assessment → Save as Template
2. Strip sensitive data (client names, real targets)
3. Generalize procedures for reuse
4. Add tags for searching (phishing, Windows, EDR)
5. Share with team or organization

Use Template:
1. Create Assessment → Select Template
2. Review and customize procedures for target environment
3. Assign to red team
4. Execute and track outcomes

### Importing/Exporting Templates

```text
# Export template
Settings → Templates → Export Template
# Generates JSON file with all test cases and configurations

# Import template
Settings → Templates → Import Template
# Select JSON file
# Creates new assessment from template

# Share templates
# Send JSON file via secure channel
# Import in target VECTR instance
```
## Multi-User Collaboration

### Role-Based Access

| Role | Permissions |
|---|---|
| Admin | Full system access, user management, settings |
| Red Team Lead | Create/edit assessments, manage red team ops |
| Red Team | Execute test cases, submit outcomes |
| Blue Team Lead | Configure detections, analyze coverage gaps |
| Blue Team | View test cases, record detection outcomes |
| Analyst | Read-only access, generate reports |

### Team Management

Settings → Team Management

User Invite:
- Email: user@organization.com
- Role: Red Team, Blue Team, or Analyst
- Campaign Access: Specific campaigns or all
- Send invitation → User accepts → Account created

Concurrent Assessments:
- Multiple teams work on different assessments
- Real-time synchronization across users
- Comments and notes on test cases
- Activity log tracks all changes

### Concurrent Operations

Real-time Collaboration:
- Multiple red teamers execute test cases simultaneously
- Blue team updates detection outcomes in parallel
- Lock test case during active recording to prevent conflicts
- Merge comments and evidence from team members
## API Access

### REST API for Automation

```bash
# Authentication
curl -X POST http://localhost:8080/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"admin"}'

# Returns: { "token": "eyJhbGciOiJIUzI1NiIsInR5..." }
```

### Creating Assessments Programmatically

```bash
# Create assessment via API
curl -X POST http://localhost:8080/api/assessments \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Q2 2026 Initial Access Campaign",
    "campaignId": "camp_abc123",
    "startDate": "2026-04-01",
    "endDate": "2026-06-30",
    "mitre_version": "14"
  }'
```

### Submitting Test Cases via API

```bash
# Add test case
curl -X POST http://localhost:8080/api/test-cases \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "assessmentId": "assess_xyz789",
    "techniqueId": "T1566.002",
    "name": "Spearphishing Link",
    "procedure": "Send malicious link via email",
    "toolUsed": "Gophish",
    "executionDate": "2026-04-15"
  }'

# Record outcome
curl -X POST http://localhost:8080/api/outcomes \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "testCaseId": "tc_123",
    "redTeamOutcome": "Success",
    "blueTeamDetection": "Detected",
    "notes": "Proofpoint alert triggered"
  }'
```

### Bulk Operations

```bash
# Export all assessments
curl http://localhost:8080/api/assessments \
  -H "Authorization: Bearer YOUR_TOKEN" | jq '.' > assessments.json

# Import test cases from CSV
python3 bulk_import.py \
  --token YOUR_TOKEN \
  --file test_cases.csv \
  --assessment assess_xyz789
```
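A bulk importer of the kind `bulk_import.py` above stands for, given here as an added example rather than the project's own script. It assumes the `POST /api/test-cases` endpoint and the JSON field names shown in the curl call above; the CSV column names, the constructed sample rows and the `VECTR_TOKEN` environment variable are inventions of this example. Every row is validated first (technique ID shape, ISO execution date) and the whole file is refused if any row fails, so a bad spreadsheet cannot half-populate an assessment.

```python
"""CSV -> VECTR test-case bulk importer (added example, not the project's script).
Assumes the POST /api/test-cases payload shown on this page; CSV layout is constructed."""
import argparse
import csv
import io
import json
import os
import re
import sys
import urllib.request
from datetime import date

TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1566 or T1566.002

# CSV header -> JSON field name used by the page's /api/test-cases example.
COLUMNS = {
    "technique_id": "techniqueId",
    "name": "name",
    "procedure": "procedure",
    "tool_used": "toolUsed",
    "execution_date": "executionDate",
}

# Constructed sample file: two good rows, one bad technique ID, one bad date.
SAMPLE_CSV = """technique_id,name,procedure,tool_used,execution_date
T1566.002,Spearphishing Link,Send link via email,Gophish,2026-04-15
T1547.001,Run Key Persistence,Add Run key value,reg.exe,2026-04-16
1566.002,Missing T prefix,n/a,n/a,2026-04-17
T1059.001,PowerShell Execution,Run encoded command,powershell.exe,15/04/2026
"""


def row_to_payload(row, assessment_id):
    """Validate one CSV row and return the JSON body for POST /api/test-cases.
    Raises ValueError so a malformed row is reported rather than silently imported."""
    tid = row["technique_id"].strip()
    if not TECHNIQUE_RE.match(tid):
        raise ValueError(f"invalid technique id {tid!r}")
    try:
        date.fromisoformat(row["execution_date"].strip())
    except ValueError:
        raise ValueError(f"execution_date must be YYYY-MM-DD, got {row['execution_date']!r}")
    payload = {"assessmentId": assessment_id}
    for col, field in COLUMNS.items():
        payload[field] = row[col].strip()
    return payload


def parse_csv(text, assessment_id):
    """Return (payloads, errors); errors are (csv_line_number, message) tuples."""
    payloads, errors = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            payloads.append(row_to_payload(row, assessment_id))
        except ValueError as exc:
            errors.append((line_no, str(exc)))
    return payloads, errors


def post_test_cases(payloads, base_url, token, send=None):
    """POST each payload with the bearer token; returns the HTTP status codes.
    `send` can be swapped for a dry run or a test double."""
    def _send(req):
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    send = send or _send
    statuses = []
    for body in payloads:
        req = urllib.request.Request(
            f"{base_url}/api/test-cases",
            data=json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"},
            method="POST",
        )
        statuses.append(send(req))
    return statuses


def main(argv=None):
    ap = argparse.ArgumentParser(description="Bulk-import VECTR test cases from CSV")
    ap.add_argument("--file", required=True)
    ap.add_argument("--assessment", required=True)
    ap.add_argument("--url", default="http://localhost:8080")
    ap.add_argument("--token", default=os.environ.get("VECTR_TOKEN"),
                    help="API token (prefer the VECTR_TOKEN env var; it stays out of shell history)")
    args = ap.parse_args(argv)
    if not args.token:
        sys.exit("no token: pass --token or set VECTR_TOKEN")
    with open(args.file, encoding="utf-8") as fh:
        payloads, errors = parse_csv(fh.read(), args.assessment)
    for line_no, msg in errors:
        print(f"line {line_no}: {msg}", file=sys.stderr)
    if errors:
        sys.exit("fix the rows above and re-run; nothing was imported")
    print(post_test_cases(payloads, args.url, args.token))


if __name__ == "__main__":
    main()
```

Run it as `VECTR_TOKEN=... python3 bulk_import.py --file test_cases.csv --assessment assess_xyz789`. Passing the token through the environment rather than `--token` keeps it out of shell history and `ps` output, and the all-or-nothing check means a reviewer sees every bad row in one pass instead of discovering them one import at a time.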
## Troubleshooting

### Common Issues

| Issue | Solution |
|---|---|
| Port 8080 already in use | Change port in docker-compose.yml, restart containers |
| Postgres connection error | Check DB credentials in environment, verify postgres container running |
| ATT&CK data not loading | Run database migration: `docker-compose exec app npm run migrate` |
| Slow heat map generation | Increase container memory, reduce technique count temporarily |
| Login failures | Clear browser cache, reset admin password via postgres CLI |

### Database Troubleshooting

```bash
# Access postgres container
docker-compose exec postgres psql -U vectr
```

```sql
-- Check assessment count
SELECT COUNT(*) FROM assessments;

-- Reset admin password
-- hash() stands for the application's password-hashing routine; plain
-- PostgreSQL has no built-in function of that name, so check how VECTR
-- stores passwords before running this.
UPDATE users SET password=hash('newpassword') WHERE username='admin';
```

```bash
# Backup database
docker-compose exec postgres pg_dump -U vectr > backup.sql
```

### Performance Optimization

```yaml
# Increase container resources
# docker-compose.yml
services:
  app:
    mem_limit: 4g
    memswap_limit: 4g
  postgres:
    mem_limit: 2g
```

```bash
# Restart containers
docker-compose down && docker-compose up -d
```
## Best Practices

### Campaign Planning

- Define clear objectives before campaign launch (detection gaps, remediation, training)
- Map to adversary TTPs relevant to your threat landscape
- Schedule phases strategically (avoid high-ops periods, coordinate with blue team)
- Set realistic metrics (coverage targets, detection speed goals)
- Document assumptions about tooling, network conditions, and defenses

### Red Team Execution

- Preserve evidence (screenshots, logs, artifacts) for audit trail
- Document procedures precisely so findings are reproducible
- Use realistic tools that threat actors employ in your vertical
- Test detection evasion (UAC bypass, AMSI evasion, LOLBins) alongside technique execution
- Coordinate with blue team to avoid unplanned business impact

### Blue Team Detection

- Record detection method (EDR, IDS, SIEM, manual investigation)
- Note detection time (immediate vs. delayed detection)
- Identify false negatives quickly for remediation priority
- Track false positives from test cases
- Implement detections incrementally to avoid alert fatigue

### Reporting & Remediation

- Executive summaries focus on coverage improvement and business impact
- Technical details support remediation prioritization
- Trend analysis demonstrates program maturity and progress
- Assign ownership for detection gap remediation
- Schedule follow-up campaigns to verify detection improvements

## Related Tools

| Tool | Purpose |
|---|---|
| CALDERA | Automated adversary emulation platform (pairs with VECTR) |
| Atomic Red Team | Library of small, testable ATT&CK techniques |
| AttackIQ | Commercial continuous red teaming (similar to VECTR) |
| MITRE ATT&CK Navigator | Visualize and plan ATT&CK-based assessments |
| PlexTrac | Purple team reporting and engagement tracking |
| Incident Response Runbooks | Proceduralize detection and response |
| EDR Platforms | Endpoint Detection and Response (primary detection layer) |